Text

Submittal of Technical Specification Bases (TSB) Change
	ML11192A056
Person / Time
Site:	Oconee
Issue date:	06/30/2011
From:	Gillespie T; Duke Energy Carolinas
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	Download: ML11192A056 (149)
	v • d • e

7-Duke 1-Energy.

T. PRESTON GILLESPIE, JR.

Vice President Oconee Nuclear Station Duke Energy ONO VP / 7800 Rochester Hwy.

Seneca, SC 29672 864-873-4478 864-873-4208 fax T. Gillespie@duke-energy. com June 30, 2011 U. S. Nuclear Regulatory Commission Washington, D. C. 20555 Attention: Document Control Desk

Subject:

Duke Energy Carolinas, LLC Oconee Nuclear Station Docket Numbers 50-269, 270, and 287 Technical Specification Bases (TSB) Change On June 3, 2011, Station Management approved revisions to TSB 3.3.1, 3.3.3, 3.3.4, 3.3.5, 3.3.6, and 3.3.7, to be consistent with the Technical Specification (TS) changes associated with the RPS/ESPS digital upgrade approved by the NRC by letter dated January 28, 2010, (Amendments Nos. 366, 368 & 367). contains the new TSB pages, Attachment 2 contains the marked up version of the TSB pages.

If additional information is needed, please contact Boyd Shingleton at (864)873-4716.

Sincerely, T. Preston Gillespie, Jr.

Vice President Oconee Nuclear Station www.duke-energy.comr

U. S. Nuclear Regulatory Commission June 30, 2011 Page 2 cc:

Mr. John Stang Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Mail Stop 0-8 G9A Washington, DC 20555 Mr. Victor McCree, Regional Administrator U.S. Nuclear Regulatory Commission, Region II Marquis One Tower 245 Peachtree Center Ave., NE, Suite 1200 Atlanta, GA 30303-1257 Andy Sabisch Senior Resident Inspector Oconee Nuclear Station Susan E. Jenkins, Manager Radioactive & Infectious Waste Management SC Dept. of Health and Env. Control 2600 Bull St.

Columbia, SC 29201

RPS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protective System (RPS) Instrumentation BASES BACKGROUND Note: To clearly differentiate text applicable only to Unit(s) with the RPS digital upgrade complete, the text applicable only to that design is led with a qualifier and italicized. Likewise, the text applicable only to Unit(s) that have not been upgraded is led with a qualifier and bolded. Otherwise, the text applies to both designs.

The RPS initiates a reactor trip to protect against violating the core fuel design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated transients. By tripping the reactor, the RPS also assists the Engineered Safeguards (ES) Systems in mitigating accidents.

The protective and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as the LCOs on other reactor system parameters and equipment performance.

The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establishes the threshold for protective system action to prevent exceeding acceptable limits during accidents or transients.

During anticipated transients, which are those events expected to occur one or more times during the unit's life, the acceptable limit is:

a.

The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value;

b.

Fuel centerline melt shall not occur; and

c.

The RCS pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 20 and 10 CFR 100 criteria during anticipated transients. Accidents are events that are analyzed even though they are not expected to occur during the unit's life. The acceptable limit during accidents is that the offsite dose shall be maintained within reference 10 CFR 100 limits. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

OCONEE UNITS 1, 2, & 3 B 3.3.1 -1 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

The RPS consists of four separate redundant protective channels that receive inputs of neutron flux, RCS pressure, RCS flow, RCS temperature, RCS pump status, reactor building (RB) pressure, main feedwater (MFW) pump turbines status, and main turbine status.

Figure 7.1 of UFSAR, Chapter 7 (Ref. 1), shows the arrangement of a typical RPS protective channel. A protective channel is composed of measurement channels, a manual trip channel, a reactor trip component (RTC), and a control rod drive (CRD) trip device. LCO 3.3.1 provides requirements for the individual measurement channels. These channels encompass all equipment and electronics from the point at which the measured parameter is sensed through the bistable relay contacts (or processor output trip devices for Unit(s) with the RPS digital upgrade complete) in the trip string. LCO 3.3.2, "Reactor Protective System (RPS)

Manual Reactor Trip," LCO 3.3.3, "Reactor Protective System (RPS) -

Reactor Trip Component (RTC)," and LCO 3.3.4, "Control Rod Drive (CRD)

Trip Devices," discuss the remaining RPS elements.

The RPS instrumentation measures critical unit parameters and compares these to predetermined setpoints. For Unit(s) with the RPS digital upgrade not complete, if the setpoint is exceeded, a channel trip signal is generated. The generation of any two trip signals in any of the four RPS channels will result in the trip of the reactor.

For Unit(s) with the RPS digital upgrade complete, if the setpoint for a parameter input to a single channel (for example, the RC high pressure input to Channel A) is exceeded, a channel trip does not occur. Due to the inter-channel communication, all 4 RPS channels recognize that this parameter input has been exceeded for one channel. However, due to the 2. MINI2. MAX logic within the system, the same parameter input setpoint for one of the other three channels must be exceeded before channel trips occur. Again, due to the inter-channel communication, all 4 RPS channels will then trip since the 2.MIN/2.MAX condition has been satisfied.

The RTS consists of four AC Trip Breakers arranged in two parallel combinations of two breakers each. Each path provides independent power to the CRD motors. Either path can provide sufficient power to operate all CRD's. Two separate power paths to the CRD's ensure that a single failure that opens one path will not cause an unwanted reactor trip.

OCONEE UNITS 1, 2, & 3 B 3.3.1-2 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

For Unit(s) with the RPS digital upgrade complete, the RPS consists of four independent protective channels (A, B, C, and D). Each RPS protective channel contains the sensor input modules, a protective channel computer, output modules, four hardwired (energized during power operations) reactor trip relays (RTRs) (A, B, C, and D) and their associated 120 VAC contacts (closed when RTR is energized). Protective channel A controls the channel A RTR and also controls the A RTR in channels B, C, and D.

Likewise, channels B, C and D control the respective RTR in each of the four channels. Each energized RTR (A, B, C, and D) in each RPS channel A, B, C, and D maintains two closed 120 VAC contacts. One contact from each RTR is configured in two separate redundant output trip actuation logic schemes. Each output trip actuation logic scheme contains a contact from each of the four RTRs in the four channels. This configuration results in a two-out-of-four coincidence reactor trip logic. If any channel protective set initiates a trip signal, the respective four RTRs (one in each of the four channels) de-energize and open the respective contacts. The outputs from the RTR contacts interrupt the 120 VAC power to the CRD trip devices.

For Unit(s) with the RPS digital upgrade complete, three of the four RPS protective channel computers (A, B, and C) also perform a redundant Engineered Safeguards Protective System (ESPS) logic function.

Therefore, three of the four RPS protective channels calculate both RPS and ESPS functions, and the fourth RPS channel D calculates only RPS functions. See Technical Specification Bases section B 3.3.5 for additional discussion of the ESPS protective channels and the duplicated ESPS functions performed by the RPS protective channels.

For Unit(s) with the RPS digital upgrade not complete, the RPS consists of four independent protective channels, each containing a reactor trip module (RTM). The RTM receives signals from its own measurement channels that indicate a protective channel trip is required. The RTM transmits this signal to its own two-out-of-four trip logic and to the two-out-of-four logic of the RTMs in the other three RPS channels.

Whenever any two RPS channels transmit channel trip signals, the RTM logic in each channel actuates to remove 120 VAC power from its associated CRD trip device.

The reactor is tripped by opening the reactor trip breakers.

OCONEE UNITS 1, 2, & 3 B 3.3.1-3 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

For Unit(s) with the RPS digital upgrade not complete, there are three bypasses: a shutdown bypass, a dummy bistable and an RPS channel bypass (or manual bypass). Shutdown bypass allows the withdrawal of safety rods for SDM availability and rapid negative reactivity insertion during unit cooldowns or heatups. The dummy bistable is used to bypass one or more functions (bistable trips) associated with one RPS Channel. The RPS Channel bypass allows one entire RPS channel to be taken out of service for maintenance and testing. Test circuits in the trip strings allow complete testing of all RPS trip functions.

For Unit(s) with the RPS digital upgrade complete, there are three bypasses: shutdown bypass, manual bypass, and channel trip function bypass. The shutdown bypass and the manual bypass are initiated by use of a keyswitch located in the respective RPS channel cabinet. The Shutdown bypass allows the withdrawal of safety rods for SDM availability and rapid negative reactivity insertion during unit cooldowns or heatups.

The manual bypass allows putting a complete RPS channel into bypass for maintenance activities. This includes the planned power-down of the bypassed RPS channel computer. If the complete RPS channel is powered down, the manual bypass condition cannot be maintained. That RPS channel output signal goes to "trip" and the manual bypass Unit Statalarm window will not illuminate. The channel trip function bypass allows an individual channel trip function in any RPS channel to be bypassed through the use of the RPS screens of the Graphical Service Monitor (GSM). The GSM is located on the Service Unit.

The RPS operates from the instrumentation channels discussed next. The specific relationship between measurement channels and protective channels differs from parameter to parameter. Three basic configurations are used:

a.

Four completely redundant measurements (e.g., reactor coolant flow) with one channel input to each protective channel;

b.

Four channels that provide similar, but not identical, measurements (e.g., power range nuclear instrumentation where each RPS channel monitors a different quadrant), with one channel input to each protective channel; and

c.

Redundant measurements with combinational trip logic inside the protective channels and the combined output provided to each protective channel (e.g., main feedwater pump turbines trip instrumentation).

OCONEE UNITS 1, 2, & 3 B 3.3.1-4 BASES REVISION DATED 06/03/11

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

These arrangements and the relationship of instrumentation channels to trip Functions are discussed next to assist in understanding the overall effect of instrumentation channel failure.

Power Rangqe Nuclear Instrumentation Power Range Nuclear Instrumentation channels provide inputs to the following trip Functions:

1.

Nuclear Overpower

a.

Nuclear Overpower - High Setpoint;

b.

Nuclear Overpower-Low Setpoint;

7.

Reactor Coolant Pump to Power;

8.

Nuclear Overpower Flux/Flow Imbalance;

9.

Main Turbine Trip (Hydraulic Fluid Pressure); and

10.

Loss of Main Feedwater (LOMFW) Pump Turbines (Hydraulic Oil Pressure).

The power range instrumentation has four linear level channels, one for each core quadrant. Each channel feeds one RPS protective channel.

Each channel originates in a detector assembly containing two uncompensated ion chambers. The ion chambers are positioned to represent the top half and bottom half of the core. The individual currents from the chambers are fed to individual linear amplifiers. The summation of the top and bottom is the total reactor power. The difference of the top minus the bottom neutron signal is the measured AXIAL POWER IMBALANCE for the associated core quadrant.

OCONEE UNITS 1, 2, & 3 B 3.3.1-5 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Reactor Coolant System Outlet Temperature (continued)

The Reactor Coolant System Outlet Temperature provides input to the following Functions:

2.

RCS High Outlet Temperature; and

5.

RCS Variable Low Pressure.

The RCS Outlet Temperature is measured by two resistance temperature detection elements in each hot leg, for a total of four. One temperature detection element is associated with each protective channel.

Reactor Coolant System Pressure The Reactor Coolant System Pressure provides input to the following Functions:

3.

RCS High Pressure;

4.

RCS Low Pressure;

5.

RCS Variable Low Pressure; and

11.

Shutdown Bypass RCS High Pressure.

The RPS inputs of reactor coolant pressure are provided by two pressure transmitters in each hot leg, for a total of four. One sensor is associated with each protective channel.

Reactor Building Pressure The Reactor Building Pressure measurements provide input only to the Reactor Building High Pressure trip, Function 6. There are four RB High Pressure sensors, one associated with each protective channel.

OCONEE UNITS 1, 2, & 3 B 3.3.1-6 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Reactor Coolant Pump Power Monitorinq (continued)

Reactor coolant pump power monitors are inputs to the Reactor Coolant Pump to Power trip, Function 7. Each RCP has a RCP Power Monitor (RCPPM), which monitors the electrical power and breaker status of each pump motor to determine if it is running. Each RCPPM provides inputs to all four RPS channels.

Reactor Coolant System Flow The Reactor Coolant System Flow measurements are an input to the Nuclear Overpower Flux/Flow Imbalance trip, Function 8. The reactor coolant flow inputs to the RPS are provided by eight high accuracy differential pressure transmitters, four on each loop, which measure flow through calibrated flow tubes. One flow input in each loop is associated with each protective channel.

Main Turbine Hydraulic Fluid Pressure Main Turbine Hydraulic Fluid Pressure is an input to the Main Turbine Trip (Hydraulic Fluid Pressure) reactor trip, Function 9. Each of the four protective channels receives turbine status information from one of the four pressure switches monitoring main turbine hydraulic fluid pressure. Each protective channel continuously monitors the status of the contact inputs and initiates an RPS trip when a main turbine trip is indicated.

Feedwater Pump Turbine Hydraulic Oil Pressure Feedwater Pump Turbine Hydraulic Oil Pressure is an input to the Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip, Function 10.

Hydraulic Oil pressure is measured by four switches on each feedwater pump turbine. One switch on each pump turbine is associated with each protective channel.

Each RPS channel receives a contact input from both Feedwater Pump Turbines (A and B) Hydraulic Oil Pressure switches. When the switches from both turbines indicate that the associated Turbine Hydraulic Oil Pressure is low (turbine has tripped), a reactor trip signal is initiated on that channel.

OCONEE UNITS 1, 2, & 3 B 3.3.1-7 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Bypasses (continued)

For Unit(s) with the RPS digital upgrade not complete, the RPS is designed with three types of bypasses: dummy bistable, channel bypass (or manual bypass) and shutdown bypass. For Unit(s) with the RPS digital upgrade complete, the RPS is designed with three types of bypasses: shutdown bypass, manual bypass and channel trip function bypass.

Each bypass is discussed next.

Dummy Bistable (Not applicable to Unit(s) with RPS digital upgrade complete)

The dummy bistable is used to bypass one or more functions (bistable trips) associated with one RPS Channel. A dummy bistable is used if a parameter in an RPS channel fails and causes that channel to trip.

Dummy bistables may be used in only one RPS channel at a time. Also, if an RPS channel is bypassed, no other RPS channel may contain a dummy bistable. Inserting a dummy bistable in the place of a failed (tripped) bistable allows the RPS channels to be reset, thus allowing the remainder of the functions in that RPS channel to be returned to service.

This is more conservative than manually bypassing the entire RPS channel. For an RPS channel with a dummy bistable installed, only the affected function(s) is inoperable. The installation of the STAR hardware in the nuclear overpower flux/flow imbalance trip string requires the use of jumpers to bypass the trip string. The installation of these jumpers does not require the removal of the STAR processor module; therefore, the protective channel is not forced into a tripped condition.

Channel Bypass (Not applicable to Unit(s) with RPS digital upgrade complete)

A channel bypass (or manual bypass) provision is provided to allow for maintenance and testing of the RPS. The use of channel bypass keeps the protective channel trip relay energized regardless of the status of the instrumentation channel bistable relay contacts. To place a protective channel in channel bypass, the other three channels must not be in channel bypass or otherwise inoperable (e.g., a dummy bistable installed). This can be verified by observing alarmslindicator lights. This is administratively controlled by having only one manual bypass key available for each unit. All RPS trips are reduced to a two-out-of-three logic in channel bypass.

OCONEE UNITS 1, 2, & 3 B 3.3.1-8 BASES REVISION DATED 06/03/11 - I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Shutdown Bypass (continued)

During unit cooldown and heatup, it is desirable to leave the safety rods at least partially withdrawn to provide shutdown capabilities in the event of unusual positive reactivity additions (moderator dilution, etc.).

However, the unit is also depressurized as coolant temperature is decreased. If the safety rods are withdrawn and coolant pressure is decreased, an RCS Low Pressure trip will occur at 1800 psig and the rods will fall into the core. To avoid this, the protective system allows the operator to bypass the low pressure trip and maintain shutdown capabilities. During the cooldown and depressurization, the safety rods are inserted prior to the low pressure trip of 1800 psig. The RCS pressure is decreased to less than 1720 psig, then each RPS channel is placed in shutdown bypass.

A shutdown bypass signal is provided by the operator from the shutdown bypass keyswitch (status shall be indicated by a light). This action bypasses the RCS Low Pressure trip, Nuclear Overpower Flux/Flow Imbalance trip, Reactor Coolant Pump to Power trip, and the RCS Variable Low Pressure trip, and inserts a new RCS High Pressure, 1720 psig trip.

The operator can now withdraw the safety rods for additional rapidly insertable negative reactivity.

The insertion of the new high pressure trip performs two functions. First, with a trip setpoint of 1720 psig, the bistable (or processor output trip device for Unit(s) with the RPS digital upgrade complete) prevents operation at normal system pressure, 2155 psig, with a portion of the RPS bypassed. The second function is to ensure that the bypass is removed prior to normal operation. When the RCS pressure is increased during a unit heatup, the safety rods are inserted prior to reaching 1720 psig. The shutdown bypass is removed, which returns the RPS to normal, and system pressure is increased to greater than 1800 psig. The safety rods are then withdrawn and remain at the full out condition for the rest of the heatup.

OCONEE UNITS 1, 2, & 3 B 3.3.1-9 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Shutdown Bypass (continued)

For Unit(s) with the RPS digital upgrade not complete: In addition to the Shutdown Bypass RCS High Pressure trip, the high flux trip setpoint is administratively reduced to <5% RTP prior to placing the RPS in shutdown bypass. This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows low power physics testing while preventing the generation of any significant amount of power.

For Unit(s) with the RPS digital upgrade complete: In addition to the Shutdown Bypass RCS High Pressure trip, the High Flux Reactor Trip setpoint is automatically lowered to less than 5% when the operator closes the shutdown bypass keyswitch. This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows testing while preventing the generation of any significant amount of power.

Manual Bypass (Applicable only to Unit(s) with RPS digital upgrade complete)

The RPS Manual Bypass allows putting the complete RPS channel into bypass for maintenance activities. Placing the RPS channel in bypass does not power-down the computer. If it is necessary to power-down the computer for one channel, the Manual Bypass keyswitch is used to keep the four RTRs associated with the respective channel energized while the channel computer is powered down. To place a protective channel in manual bypass, the other three channels must not be in manual bypass or otherwise inoperable (e.g., a channel trip function in bypass).

The RPS Manual Bypass status information is sent to the Unit Statalarm panel (hardwired output of the RPS Channel computer and in parallel as a hardwired signal from a keyswitch contact in case the computer is powered down) and is sent to the plant Operator Aid Computer (OAC) via a gateway.

If the complete RPS cabinet is powered down, the Manual Bypass condition cannot be maintained. That RPS channel output signal goes to "trip" and the Manual Bypass Unit Statalarm window will not illuminate.

Channel Trip Function Bypass (Applicable only to Unit(s) with RPS digital upgrade complete)

An individual Channel Trip Function Bypass allows placing one trip function in bypass for maintenance activities through the RPS GSM screens. This allows the remaining trip functions in the channel to remain operable while the channel input device for the affected channel is inoperable. Operation to put functions in bypass is administratively OCONEE UNITS 1, 2, & 3 B 3.3.1-10 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Channel Trio Function Bypass (Applicable only to Unit(s) with RPS digital upgrade complete) (continued) controlled since there is no interlock to prevent placing functions in multiple channels in bypass. Channel trip functions may be placed in bypass in only one RPS channel at a time.

Parameter Chanqe Enable Mode (Applicable only to Unit(s) with RPS digital upgrade complete)

Parameter Change Enable Mode allows each RPS instrument input channel processor to be placed in different operating modes through the use of the Parameter Change Enable keyswitches and commands from the Service Unit. Each protective channel has a keyswitch located in that channel's cabinet pair.

Placing RPS Channels A, B, or C in Parameter Change Enable Mode through the use of the "Parameter Change Enable" keyswitch will also place the corresponding ESPS Channels A1, B1 or Cl in Parameter Change Enable Mode.

When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:

The processors continue with normal operation.

A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.

With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:

Normal Operation - with permissive for operating mode change.

Parameterization - allows changes to specific parameters (example placing a parameter into a tripped condition or performing Reactor Trip Relay testing).

Function Test - for disabling the application function and forcing output signal for testing purposes (normally not used).

Diagnostics - for downloading new application software.

The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions. Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.

When a keyswitch is placed in the Parameter Change Enable Mode Position for any activity, the affected processor shall first be declared out of service. In addition to declaring the processor out of service (1) the affected RPS OCONEE UNITS 1, 2, & 3 B 3.3.1 -11 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Parameter Change Enable Mode (Applicable only to Unit(s) with RPS digital upgrade complete) (continued) channel shall be bypassed and (2) either the affected ESPS input channel (Al, BI, or Cl) shall be tripped OR the ESPS Set 1 voters shall be placed in Bypass for the following activities:

Loading or revising the software in a processor.

Changing parameters via the RPS High Flux Trip (Variable Setpoint) screen at the Service Unit.

Changing parameters via the RPS Flux/Flow/Imbalance Parameters screen at the Service Unit.

Only one RPS channel at a time is allowed to be placed into Parameter Change Enable Mode Position for these activities.

Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the Gateway.

RPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).

Module Interlock and Test Trip Relay (Not applicable to Unit(s) with RPS digital upgrade complete)

Each channel and each trip module is capable of being individually tested. When a module is placed into the test mode, it causes the test trip relay to open and to indicate an RPS channel trip. Under normal conditions, the channel to be tested is placed in bypass before a module is tested. Each trip module is electrically interlocked to the other three trip modules. Removal of a trip module will indicate a tripped channel in the remaining trip modules.

Trip Setpoints/Allowable Value The Allowable Value and trip setpoint are based on the analytical limits stated in UFSAR, Chapter 15 (Ref. 2). The selection of the Allowable Value and associated trip setpoint is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 3), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits to OCONEE UNITS 1, 2, & 3 B 3.3.1-12 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Trip Setpoints/Allowable Value (continued) account for all known uncertainties for each channel. The actual trip setpoint entered into the bistable (or processor output trip device for Unit(s) with the RPS digital upgrade complete) is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST (or CHANNEL CALIBRATION for Unit(s) with the RPS digital upgrade complete). A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. The trip setpoints are the nominal values at which the bistables (or processor output trip devices for Unit(s) with the RPS digital upgrade complete) are set. Any bistable (or processor output trip device for Unit(s) with the RPS digital upgrade complete) is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy. A detailed description of the methodology used to determine the Allowable Value and associated uncertainties is provided in Reference 4.

Setpoints in conjunction with the Allowable Value ensure that the limits of Chapter 2.0, "Safety Limits," in the Technical Specifications are not violated during anticipated transients and that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the anticipated transient or accident and the equipment functions as designed. Note that in LCO 3.3.1 the Allowable Values listed in Table 3.3.1-1 for Functions 1 through 8 and 11 are the LSSS.

For Unit(s) with the RPS digital upgrade not complete, each channel is tested online to verify that the setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. Surveillances for the channels are specified in the SR section.

For Unit(s) with the RPS digital upgrade complete, each channel is tested online by manually retrieving the software setpoint to ensure it has been entered correctly. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements.

OCONEE UNITS 1, 2, & 3 B 3.3.1-13 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES (continued)

APPLICABLE Each of the analyzed accidents and transients that require a reactor trip to SAFETY ANALYSES, meet the acceptance criteria can be detected by one or more RPS LCO, and Functions. The accident analysis contained in the UFSAR, Chapter 15 APPLICABILITY (Ref. 2), takes credit for most RPS trip Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit.

These Functions are high RB pressure, turbine trip, and loss of main feedwater. These Functions may provide protection for conditions that do,not require dynamic transient analysis to demonstrate Function performance. These Functions also serve as backups to Functions that were credited in the safety analysis.

The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. The three channels of each Function in Table 3.3.1-1 of the RPS instrumentation shall be OPERABLE during its specified Applicability to ensure that a reactor trip will be actuated if needed. Additionally, during shutdown bypass with any CRD trip breaker closed, the applicable RPS Functions must also be available. This ensures the capability to trip the withdrawn CONTROL RODS exists at all times that rod motion is possible. The trip Function channels specified in Table 3.3.1-1 are considered OPERABLE when all channel components necessary to provide a reactor trip are functional and in service for the required MODE or Other Specified Condition listed in Table 3.3.1-1.

Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoint measured by CHANNEL FUNCTIONAL TESTS (or CHANNEL CALIBRATIONS for Unit(s) with the RPS digital upgrade complete) does not exceed the Allowable Value. A trip setpoint found less conservative than the nominal trip setpoint, but within its Allowable Value, is considered OPERABLE with respect to the uncertainty allowances assumed for the applicable surveillance interval provided that operation, testing and subsequent calibration are consistent with the assumptions of the setpoint calculations.

Each Allowable Value specified is more conservative than instrument uncertainties appropriate to the trip Function. These uncertainties are defined in Reference 4.

For most RPS Functions, the Allowable Value in conjunction with the nominal trip setpoint ensure that the departure from nucleate boiling (DNB),

center line fuel melt, or RCS pressure SLs are not challenged. Cycle specific values for use during operation are contained in the COLR.

OCONEE UNITS 1, 2, & 3 B 3.3.1-14 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE Certain RPS trips function to indirectly protect the SLs by detecting specific SAFETY ANALYSES, conditions that do not immediately challenge SLs but will eventually lead to LCO, and challenge if no action is taken. These trips function to minimize the unit APPLICABILITY transients caused by the specific conditions. The Allowable Value for these (continued)

Functions is selected at the minimum deviation from normal values that will indicate the condition, without risking spurious trips due to normal fluctuations in the measured parameter.

The safety analyses applicable to each RPS Function are discussed next.

1.

Nuclear Overpower

a.

Nuclear Overpower -

High Setpoint The Nuclear Overpower - High Setpoint trip provides protection for the design thermal overpower condition based on the measured out of core neutron leakage flux.

The Nuclear Overpower - High Setpoint trip initiates a reactor trip when the neutron power reaches a predefined setpoint at the design overpower limit. Because THERMAL POWER lags the neutron power, tripping when the neutron power reaches the design overpower will limit THERMAL POWER to prevent exceeding acceptable fuel damage limits.

Thus, the Nuclear Overpower - High Setpoint trip protects against violation of the DNBR and fuel centerline melt SLs.

However, the RCS Variable Low Pressure, and Nuclear Overpower Flux/Flow Imbalance, provide more direct protection. The role of the Nuclear Overpower - High Setpoint trip is to limit reactor THERMAL POWER below the highest power at which the other two trips are known to provide protection.

The Nuclear Overpower - High Setpoint trip also provides transient protection for rapid positive reactivity excursions during power operations. These events include the rod withdrawal accident and the rod ejection accident. By providing a trip during these events, the Nuclear Overpower -

High Setpoint trip protects the unit from excessive power levels and also serves to limit reactor power to prevent violation of the RCS pressure SL.

Rod withdrawal accident analyses cover a large spectrum of reactivity insertion rates (rod worths), which exhibit slow and rapid rates of power increases. At high reactivity insertion OCONEE UNITS 1, 2, & 3 B 3.3.1-15 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE

b.

Nuclear Overpower-High Setpoint (continued)

SAFETY ANALYSES, LCO, and rates, the Nuclear Overpower - High Setpoint trip provides the APPLICABILITY primary protection. At low reactivity insertion rates, the high pressure trip provides primary protection.

b.

Nuclear Overpower - Low Setpoint When initiating shutdown bypass, the Nuclear Overpower -

Low Setpoint trip must be reduced to _< 5% RTP. The low power setpoint, in conjunction with the lower Shutdown Bypass RCS High Pressure setpoint, ensure that the unit is protected from excessive power conditions when other RPS trips are bypassed.

The setpoint Allowable Value was chosen to be as low as practical and still lie within the range of the out of core instrumentation.

2.

RCS High Outlet Temperature The RCS High Outlet Temperature trip, in conjunction with the RCS Low Pressure and RCS Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the reactor vessel outlet temperature approaches the conditions necessary for DNB. Portions of each RCS High Outlet Temperature trip channel are common with the RCS Variable Low Pressure trip. The RCS High Outlet Temperature trip provides steady state protection for the DNBR SL.

The RCS High Outlet Temperature trip limits the maximum RCS temperature to below the highest value for which DNB protection by the Variable Low Pressure trip is ensured. The trip setpoint Allowable Value is selected to ensure that a trip occurs before hot leg temperatures reach the point beyond which the RCS Low Pressure and Variable Low Pressure trips are analyzed. Above the high temperature trip, the variable low pressure trip need not provide protection, because the unit would have tripped already. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions that the equipment is expected to experience because the trip is not required to mitigate accidents that create harsh conditions in the RB.

OCONEE UNITS 1, 2, & 3 B 3.3.1-16 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE'

3.

RCS High Pressure SAFETY ANALYSES, LCO, and The RCS High Pressure trip works in conjunction with the APPLICABILITY pressurizer and main steam relief valves to prevent RCS (continued) overpressurization, thereby protecting the RCS High Pressure SL.

The RCS High Pressure trip has been credited in the transient analysis calculations for slow positive reactivity insertion transients (rod withdrawal transients and moderator dilution). The rod withdrawal transient covers a large spectrum of reactivity insertion rates and rod worths that exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower

- High Setpoint trip provides the primary protection. At low reactivity insertion rates, the RCS High Pressure trip provides the primary protection.

The setpoint Allowable Value is selected to ensure that the RCS High Pressure SL is not challenged during steady state operation or slow power increasing transients. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions because the equipment is not required to mitigate accidents that create harsh conditions in the RB.

4.

RCS Low Pressure The RCS Low Pressure trip, in conjunction with the RCS High Outlet Temperature and Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system pressure approaches the conditions necessary for DNB. The RCS Low Pressure trip provides DNB low pressure limit for the RCS Variable Low Pressure trip.

The RCS Low Pressure setpoint Allowable Value is selected to ensure that a reactor trip occurs before RCS pressure is reduced below the lowest point at which the RCS Variable Low Pressure trip is analyzed. The RCS Low Pressure trip provides protection for primary system depressurization events and has been credited in the accident analysis calculations for small break loss of coolant accidents (LOCAs). Harsh RB conditions created by small break LOCAs cannot affect performance of the RCS pressure sensors and transmitters within the time frame for a reactor trip. Therefore, degraded environmental conditions are not considered in the Allowable Value determination.

OCONEE UNITS 1, 2, & 3 B 3.3.1-17 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

5.

RCS Variable Low Pressure The RCS Variable Low Pressure trip, in conjunction with the RCS High Outlet Temperature and RCS Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system parameters of pressure and temperature approach the conditions necessary for DNB. The RCS Variable Low Pressure trip provides a floating low pressure trip based on the RCS High Outlet Temperature within the range specified by the RCS High Outlet Temperature and RCS Low Pressure trips.

The RCS Variable Low Pressure setpoint Allowable Value is selected to ensure that a trip occurs when temperature and pressure approach the conditions necessary for DNB while operating in a temperature pressure region constrained by the low pressure and high temperature trips. The RCS Variable Low Pressure trip is assumed for transient protection in the main steam line break analysis. The setpoint allowable value does not include errors induced by the harsh environment, because the trip actuates prior to the harsh environment.

6.

Reactor Building High Pressure The Reactor Building High Pressure trip provides an early indication of a high energy line break (HELB) inside the RB. By detecting changes in the RB pressure, the RPS can provide a reactor trip before the other system parameters have varied significantly. Thus, this trip acts to minimize accident consequences. It also provides a backup for RPS trip instruments exposed to an RB HELB environment.

The Allowable Value for RB High Pressure trip is set at the lowest value consistent with avoiding spurious trips during normal operation.

The electronic components of the RB High Pressure trip are located in an area that is not exposed to high temperature steam environments during HELB transients inside containment. The components are exposed to high radiation conditions. Therefore, the determination of the setpoint Allowable Value accounts for errors induced by the high radiation.

7.

Reactor Coolant PumD to Power The Reactor Coolant Pump to Power trip provides protection for changes in the reactor coolant flow due to the loss of multiple RCPs.

Because the flow reduction lags loss of power indications due to the OCONEE UNITS 1, 2, & 3 B 3.3.1-18 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE

7.

Reactor Coolant Pump to Power (continued)

SAFETY ANALYSES, LCO, and inertia of the RCPs, the trip initiates protective action earlier than a APPLICABILITY trip based on a measured flow signal.

The Reactor Coolant Pump to Power trip has been credited in the accident analysis calculations for the loss of more than two RCPs.

The Allowable Value for the Reactor Coolant Pump to Power trip setpoint is selected to prevent normal power operation unless at least three RCPs are operating. Each reactor coolant pump has an RCPPM, which monitors the electrical power and breaker status of each pump motor to determine if the pump is running. Each RCPPM provides inputs to all four RPS channels. The RCPPM will initiate a reactor trip if fewer than three reactor coolant pumps are operating and reactor power is greater than approximately 2%

rated full power.

8.

Nuclear Overpower Flux/Flow Imbalance The Nuclear Overpower Flux/Flow Imbalance trip provides steady state protection for the power imbalance SLs. A reactor trip is initiated prior to the core power, AXIAL POWER IMBALANCE, and reactor coolant flow conditions exceeding the DNB or fuel centerline temperature limits.

This trip supplements the protection provided by the Reactor Coolant Pump to Power trip, through the power to flow ratio, for loss of reactor coolant flow events. The power to flow ratio provides direct protection for the DNBR SL for the loss of one or more RCPs and for locked RCP rotor accidents.

The power to flow ratio of the Nuclear Overpower Flux/Flow Imbalance trip also provides steady state protection to prevent reactor power from exceeding the allowable power when the primary system flow rate is less than full four pump flow. Thus, the power to flow ratio prevents overpower conditions similar to the Nuclear Overpower trip. This protection ensures that during reduced flow conditions the core power is maintained below that required to begin DNB.

The Allowable Value is selected to ensure that a trip occurs when the core power, axial power peaking, and reactor coolant flow conditions indicate an approach to DNB or fuel'centerline temperature limits.

By measuring reactor coolant flow and by tripping only when conditions approach an SL, the unit can operate with the loss of one OCONEE UNITS 1, 2, & 3 B 3.3.1-19 BASES REVISION DATED 06/03/11 1

RPS Instrumentation B 3.3.1 BASES APPLICABLE

8.

Nuclear Overpower Flux/Flow Imbalance (continued)

SAFETY ANALYSES, LCO, and pump from a four pump initial condition at power levels at least as APPLICABILITY low as approximately 80% RTP. The Allowable Value for the Function, including the upper limits of the Function are given in the unit COLR because the cycle specific core peaking changes affect the Allowable Value.

9.

Main Turbine Trip (Hydraulic Fluid Pressure)

The Main Turbine Trip Function trips the reactor when the main turbine is lost at high power levels. The Main Turbine Trip Function provides an early reactor trip in anticipation of the loss of heat sink associated with a turbine trip. The Main Turbine Trip Function was added to the B&W designed units in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. The trip lowers the probability of an RCS power operated relief valve (PORV) actuation for turbine trip cases. This trip is activated at higher power levels, thereby limiting the range through which the Integrated Control System must provide an automatic runback on a turbine trip.

Each of the four turbine hydraulic fluid pressure switches feeds one protective channel that continuously monitors the status of the contacts.

For the Main Turbine Trip (Hydraulic Fluid Pressure), the Allowable Value of 800 psig is selected to provide a trip whenever main turbine hydraulic fluid pressure drops below the normal operating range.

This trip is bypassed at power levels < 30% RTP for unit startup.

The turbine trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors induced by harsh environments are not included in the determination of the setpoint Allowable Value.

10.

Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure)

The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) trip provides a reactor trip at high power levels when both MFW pump turbines are lost. The trip provides an early reactor trip in anticipation of the loss of heat sink associated with the LOMF.

This trip was added in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. This trip provides a reactor trip at high power levels for a LOMF to minimize challenges to the PORV.

OCONEE UNITS 1, 2, & 3 B 3.3.1-20 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE

10.

Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY For the feedwater pump turbine hydraulic oil pressure, the Allowable Value of 75 psig is selected to provide a trip whenever feedwater pump turbine hydraulic oil pressure drops below the normal operating range. This trip is bypassed at power levels < 2% RTP for unit startup. The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors caused by harsh environments are not included in the determination of the setpoint Allowable Value.

I

11.

Shutdown Bypass RCS High Pressure The RPS Shutdown Bypass RCS High Pressure is provided to allow for withdrawing -the CONTROL RODS prior to reaching the normal RCS Low Pressure trip setpoint. The shutdown bypass provides trip protection during deboration and RCS heatup by allowing the operator to at least partially withdraw the safety groups of CONTROL RODS. This makes their negative reactivity available to terminate inadvertent reactivity excursions. Use of the shutdown bypass trip requires that the neutron power trip setpoint be reduced to 5% of full power or less. The Shutdown Bypass RCS High Pressure trip forces a reactor trip to occur whenever the unit switches from power operation to shutdown bypass or vice versa. This ensures that the CONTROL RODS are all inserted before power operation can begin.

The operator is required to remove the shutdown bypass, reset the Nuclear Overpower - High Power trip setpoint, and again withdraw the safety group rods before proceeding with startup.

Accidents analyzed in the UFSAR, Chapter 15 (Ref. 2), do not describe events that occur during shutdown bypass operation, because the consequences of these events are enveloped by the events presented in the UFSAR.

During shutdown bypass operation with the Shutdown Bypass RCS High Pressure trip active with a setpoint of _< 1720 psig and the Nuclear Overpower - Low Setpoint set at or below 5% RTP, the trips listed below can be bypassed. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low Setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

la.

Nuclear Overpower - High Setpoint; OCONEE UNITS 1, 2, & 3 B 3.3.1-21 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE

11.

Shutdown Bypass RCS Hiqh Pressure (continued)

SAFETY ANALYSES, LCO, and

3.

RCS High Pressure; APPLICABILITY

4.

RCS Low Pressure;

5.

RCS Variable Low Pressure;

7.

Reactor Coolant Pump to Power; and

8.

Nuclear Overpower Flux/Flow Imbalance.

The Shutdown Bypass RCS High Pressure Function's Allowable Value is selected to ensure a trip occurs before producing THERMAL POWER.

General Discussion The RPS satisfies Criterion 3 of 10 CFR 50.36 (Ref. 7). In MODES 1 and 2, the following trips shall be OPERABLE because the reactor can be critical in these MODES. These trips are designed to take the reactor subcritical to maintain the SLs during anticipated transients and to assist the ESPS in providing acceptable consequences during accidents.

1 a.

Nuclear Overpower - High Setpoint;

2.

RCS High Outlet Temperature;

-3.

RCS High Pressure;

4.

RCS Low Pressure;

5.

RCS Variable Low Pressure;

6.

Reactor Building High Pressure;

7.

Reactor Coolant Pump to Power; and

8.

Nuclear Overpower Flux/Flow Imbalance.

Functions 1 a, 3, 4, 5, 7, and 8 just listed may be bypassed in MODE 2 when RCS pressure is below 1720 psig, provided the Shutdown Bypass RCS High Pressure and the Nuclear Overpower - Low setpoint trip are placed in operation. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

OCONEE UNITS 1, 2, & 3 B 3.3.1-22 BASES REVISION DATED 06/03/11

RPS Instrumentation B 3.3.1 BASES APPLICABLE General Discussion (continued)

SAFETY ANALYSES, LCO, and The Main Turbine Trip (Hydraulic Fluid Pressure) Function is required to be APPLICABILITY OPERABLE in MODE 1 at > 30% RTP. The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) Function is required to be OPERABLE in MODE 1 and in MODE 2 at Ž> 2% RTP. For operation below these power levels, these trips are not necessary to minimize challenges to the PORVs as required by NUREG-0737 (Ref. 5).

Because the safety function of the RPS is to trip the CONTROL RODS, the RPS is not required to be OPERABLE in MODE 3, 4, or 5 if either the reactor trip breakers are open, or the CRD System is incapable of rod withdrawal. Similarly, the RPS is not required to be OPERABLE in MODE 6 because the CONTROL RODS are normally decoupled from the CRDs.

However, in MODE 2, 3, 4, or 5, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are required to be OPERABLE if the CRD trip breakers are closed and the CRD System is capable of rod withdrawal. Under these conditions, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are sufficient to prevent an approach to conditions that could challenge SLs.

ACTIONS Conditions A and B are applicable to all RPS protective Functions. If a channel's trip setpoint is found nonconservative with respect to the required Allowable Value in Table 3.3.1-1, or the transmitter, instrument loop, signal processing electronics or bistable (or processor output trip device for Unit(s) with the RPS digital upgrade complete) is found inoperable, the channel must be declared inoperable and Condition A entered immediately.

When an RPS channel is manually tripped, the functions that were inoperable prior to tripping remain inoperable. Other functions in the same channel that were OPERABLE prior to tripping remain OPERABLE.

A. 1 For Required Action A. 1, if one or more Functions in a required protective channel becomes inoperable, the affected protective channel must be placed in trip.

For Unit(s) with the RPS digital upgrade not complete, this Required Action places all RPS Functions in a one-out-of-two logic configuration.

The "non-required" channel is placed in bypass when the required inoperable channel is placed in trip to prevent bypass of a second required channel. In this configuration, the RPS can still perform its OCONEE UNITS 1, 2, & 3 B 3.3.1-23 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES ACTIONS A.1 (continued) safety functions in the presence of a random failure of any single Channel. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is sufficient time to perform Required Action A.1.

For Unit(s) with the RPS digital upgrade complete, placing the affected Function in trip places only the affected Function in each required channel in a one-out-of-two logic configuration. If the same function in another channel exceeds the setpoint, all channels will trip. In this configuration, the RPS can still perform its safety function in the presence of a random failure of any single Channel. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is justified based on the continuous monitoring and signal validation being performed and is sufficient time to place a Function in trip. If the individual Function cannot be placed in trip, the Operator can trip the affected channel with the use of the Manual Trip Keyswitch until such time that the Function can be placed in trip. This places all RPS Functions in a one-out-of-two logic configuration.

B.1 Required Action B.1 directs entry into the appropriate Condition referenced in Table 3.3.1-1. The applicable Condition referenced in the table is Function dependent. If the Required Action and the associated Completion Time of Condition A are not met or if more than two channels are inoperable, Condition B is entered to provide for transfer to the appropriate subsequent Condition.

C.1 and C.2 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition C, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and to open all CRD trip breakers without challenging unit systems.

D. 1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition D, the unit must be brought to a MODE in which the specified RPS trip Functions are not OCONEE UNITS 1, 2, & 3 B 3.3.1-24 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES ACTIONS D.1 (continued) required to be OPERABLE. To achieve this status, all CRD trip breakers must be opened. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to open CRD trip breakers without challenging unit systems.

E. 1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition E, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 30% RTP. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach 30% RTP from full power conditions in an orderly manner without challenging unit systems.

F. 1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition F, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 2% RTP. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach 2% RTP from full power conditions in an orderly manner without challenging unit systems.

SURVEILLANCE The SRs for each RPS Function are identified by the SRs REQUIREMENTS column of Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION testing.

The SRs are modified by a Note. The Note directs the reader to Table 3.3.1-1 to determine the correct SRs to perform for each RPS Function.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred.

OCONEE UNITS 1, 2, & 3 B 3.3.1-25 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.1 (continued)

REQUIREMENTS A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction.

The Frequency of performing a manual CHANNEL CHECK, equivalent to once every shift, is based on operating experience that demonstrates channel failure is rare. Since the probability of two random failures in redundant channels in any 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal but more frequent checks of channel OPERABILITY during normal operational use of the displays associated with the LCO's required channels.

For Functions that trip on a combination of several measurements, such as the Nuclear Overpower Flux/Flow Imbalance Function, the CHANNEL CHECK must be performed on each input.

For Unit(s) with the digital RPS complete, the CHANNEL CHECK requirement is met automatically. The digital RPS provides continuous online automatic monitoring of each of the input signals in each channel, performs signal online validation against required acceptance criteria, and provides hardware functional validation. If any protective channel input signal is identified to be in the failure status, this condition is alarmed on the Unit Statalarm and input to the plant OAC. Immediate notification of the failure status is provided to the Operations staff.

OCONEE UNITS 1, 2, & 3 B 3.3.1-26 C BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.2 This SR is the performance of a heat balance calibration for the power range channels every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months when reactor power is > 15% RTP. The heat balance calibration consists of a comparison of the results of the calorimetric with the power range channel output. The outputs of the power range channels are normalized to the calorimetric. If the calorimetric exceeds the Nuclear Instrumentation System (NIS) channel output by > 2%

RTP, the NIS is not declared inoperable but must be adjusted. If the NIS channel cannot be properly adjusted, the channel is declared inoperable. A Note clarifies that this Surveillance is required to be performed only if reactor power is > 15% RTP and that 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are less accurate.

The power range channel's output shall be adjusted consistent with the calorimetric results if the calorimetric exceeds the power range channel's output by > 2% RTP. The value of 2% is adequate because this value is assumed in the safety analyses of UFSAR, Chapter 15 (Ref. 2). These checks and, if necessary, the adjustment of the power range channels ensure that channel accuracy is maintained within the analyzed error margins. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency is adequate, based on unit operating experience, which demonstrates the change in the difference between the power range indication and the calorimetric results rarely exceeds a small fraction of 2% in any 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period. Furthermore, the control room operators monitor redundant indications and alarms to detect deviations in channel outputs.

SR 3.3.1.3 A comparison of power range nuclear instrumentation channels against incore detectors shall be performed at a 31 day Frequency when reactor power is > 15% RTP. A Note clarifies that 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed for performing the first Surveillance after reaching 15% RTP. If the absolute value of imbalance error is _> 2% RTP, the power range channel is not inoperable, but an adjustment of the measured imbalance to agree with the incore measurements is necessary. The Imbalance error calculation is adjusted for conservatism by applying a correlation slope (CS) value to the error calculation formula. This ensures that the value of the APIO is > API1.

The CS value is listed in the COLR and is cycle dependent. If the power range channel cannot be properly recalibrated, the channel is declared inoperable. The calculation of the Allowable Value envelope assumes a difference in out of core to incore measurements of 2.0%. Additional inaccuracies beyond those that are measured are also included in the setpoint envelope calculation. The 31 day Frequency is adequate, OCONEE UNITS 1, 2, & 3 B 3.3.1-27 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.3 (continued)

REQUIREMENTS considering that long term drift of the excore linear amplifiers is small and burnup of the detectors is slow. Also, the excore readings are a strong function of the power produced in the peripheral fuel bundles, and do not represent an integrated reading across the core. The slow changes in neutron flux during the fuel cycle can also be detected at this interval.

SR 3.3.1.4 The SR is modified by a Note indicating that it is not applicable to Unit(s) with the RPS digital upgrade complete.

A CHANNEL FUNCTIONAL TEST is performed on each required RPS channel to ensure that the entire channel will perform the intended function. Setpoints must be found within the Allowable Values specified in Table 3.3.1-1. Any setpoint adjustment shall be consistent with the assumptions of the current uncertainty analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in BAW-10167 (Ref. 6).

The Frequency of 45 days on a STAGGERED TEST BASIS is consistent with the calculations of Reference 6 that indicate the RPS retains a high level of reliability for this test interval.

SR 3.3.1.5 The SR is modified by a Note indicating that it is only applicable to Unit(s) with the RPS digital upgrade complete. This SR manually retrieves the software setpoints and verifies they are correct. The proper functioning of the processor portion of the channel is continuously checked by an automatic cyclic self monitoring. Verification of field instrument setpoints is not required by this surveillance. This surveillance does not apply to the Reactor Building Pressure Function because it consists of pressure switches which provide a contact status to the system and there is no software setpoint to verify.

The Frequency of 92 days is considered adequate since software is not subject to drift and the SR is only verifying that the setpoint was not incorrectly set.

OCONEE UNITS 1, 2, & 3 B 3.3.1-28 BASES REVISION DATED 06/03/11 I

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.6 REQUIREMENTS (continued)

The SR is modified by a Note indicating that it is only applicable to Unit(s) with the RPS digital upgrade complete. This SR requires manual actuation of the output channel interposing relays to demonstrate OPERABILITY of the relays. The proper functioning of the processor portion of the channel is continuously checked by an automatic cyclic self monitoring.

The Frequency of 92 days is considered adequate based on operating experience that demonstrates the rarity of more than one channel's relay failing within the same interval.

SR 3.3.1.7 A Note to the Surveillance indicates that neutron detectors are excluded from CHANNEL CALIBRATION. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure virtually instantaneous response.

A CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that measurement errors and bistable (or processor output trip device for Unit(s) with the RPS digital upgrade complete) setpoint errors are within the assumptions of the uncertainty analysis. Whenever a sensing element is replaced, the CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

The 18 month frequency for the CHANNEL CALIBRATION is based on design capabilities and reliability of the digital RPS. Since the CHANNEL FUNCTIONAL TEST is a part of the CHANNEL CALIBRATION a separate SR is not required. The digital RPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The protection system also performs continuous online hardware monitoring.

The CHANNEL CALIBRATION essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.

OCONEE UNITS 1, 2, & 3 B 3.3.1-29 BASES REVISION DATED 06/03/11

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.7 (continued)

REQUIREMENTS For Unit(s) with the RPS digital upgrade complete, the digital processors shall be rebooted as part of the calibration. This verifies that the software and setpoints have not changed. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements. This, in combination with ensuring the setpoints are entered into the software correctly per SR 3.3.1.5, verifies the setpoints are within the Allowable Values.

The Frequency is justified by the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the uncertainty analysis. For Unit(s) with the digital upgrade complete, the 18 month calibration interval is also justified by the reliability of components whose failure modes are not automatically detected or indicated.

REFERENCES

1.

UFSAR, Chapter 7.

2.

UFSAR, Chapter 15.

3.

10 CFR 50.49.

4.

EDM-102, "Instrument Setpoint/Uncertainty Calculations."

5.

NUREG-0737, "Clarification of TMI Action Plan Requirements,"

November 1979.

6.

BAW-10167, May 1986.

7.

10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.1-30 BASES REVISION DATED 06/03/11

RPS-RTC B 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Reactor Protective System (RPS) -

Reactor Trip Component (RTC)

BASES BACKGROUND Note: To clearly differentiate text applicable only to Unit(s) with the RPS digital upgrade complete, the text applicable only to that design is led with a qualifier and italicized. Likewise, the text applicable only to Unit(s) that have not been upgraded is led with a qualifier and bolded. Otherwise, the text applies to both designs.

The RPS consists of four independent protection channels, each containing an RTC. Figure 7.1 of UFSAR, Chapter 7 (Ref. 1), shows a typical RPS protection channel and the relationship of the RTC to the RPS instrumentation, manual trip, and CONTROL ROD drive (CRD) trip devices.

For Unit(s) with the RPS digital upgrade not complete, the RTC is a Reactor Trip Module (RTM). The RTM receives bistable trip signals from the functions in its own channel and channel trip signals from the other three RPS RTMs.

For Unit(s) with the RPS digital upgrade complete, the RTC is made up of two digital output modules and four Reactor Trip Relays (RTR) all contained within the respective RPS channel's cabinet. The RTC receives a channel trip signal in its own channel and channel trip signals from the digital output modules in the other three RPS channels.

Whenever any two RPS channels transmit channel trip signals, the RTC logic in each channel actuates to remove 120 VAC power from its associated CRD trip devices.

The RPS trip scheme consists of series contacts that are operated by bistables for Unit(s) with the RPS digital upgrade not complete or processor output trip devices for Unit(s) with the RPS digital upgrade complete.

For Units with the RPS digital upgrade not complete, during normal unit operations, all contacts are closed and the RTC channel trip relay remains energized. However, if any trip parameter exceeds its setpoint, its associated contact opens, which de-energizes the channel trip relay.

OCONEE UNITS 1, 2, & 3 B 3.3.3-1 BASES REVISION DATED 06/03/11

]

RPS -RTC B 3.3.3 BASES BACKGROUND When an RTC channel trip relay de-energizes, several things occur:

(continued)

a.

Each of the four (4) output logic relays "informs" its associated RPS channel that a reactor trip signal has occurred in the tripped RPS channel;

b.

The contacts in the trip device circuitry, powered by the tripped channel, open, but the trip device remains energized through the closed contacts from the other RTCs. (This condition exists in each RPS - RTC. Each RPS - RTC controls power to a trip device.); and

c.

The contact in parallel with the channel reset switch opens and the trip is sealed in. To re-energize the channel trip relay, the channel reset switch must be depressed after the trip condition has cleared.

When the second RPS channel senses a reactor trip condition, the output logic relays for the second channel de-energize and open contacts that supply power to the trip devices. With contacts opened by two separate RPS channels, power to the trip devices is interrupted and the CONTROL RODS fall into the core.

For Units with the RPS digital upgrade complete, during normal unit operations, the digital output modules maintain the RTRs energized.

However, if an RPS channel initiates a trip signal, the digital output modules in that RPS channel will de-energize the reactor trip relay in that RPS channel and the associated RTR in each of the other three RPS channels.

When an RPS channel provides a trip signal, the digital output modules in that RPS channel de-energize RTRs such that the following occurs:

a.

Each of the four (4) RTRs driven by that RPS channel's digital output modules "informs" its associated RPS channel that a reactor trip signal has occurred in the tripped RPS channel;

b.

The contacts in the trip device circuitry, powered by the tripped channel, open, but the trip device remains energized through the closed contacts from the RTRs of the other RTCs. (This condition exists in each RPS - RTC. Each RPS - RTC controls power to a trip device.)

When the second RPS channel senses a reactor trip condition, the RTRs driven by the digital output modules for the second channel de-energize and open contacts that supply power to the trip devices. With contacts opened by two separate RPS channels, power to the trip devices is interrupted and the CONTROL RODS fall into the core.

OCONEE UNITS 1,2, & 3 B 3.3.3-2 BASES REVISION DATED 06/03/11 OCONEE UNITS 1, 2, & 3 B 3.3.3-2 BASES REVISION DATED 06/03/11

RPS - RTC B 3.3.3 BASES

Background

(continued)

A minimum of two out of four RTCs must sense a trip condition to cause a reactor trip.

For Unit(s) with the RPS digital upgrade not complete, because the bistable relay contacts for each function are in series with the channel trip relays, two channel trips caused by different trip functions can result in a reactor trip.

For Unit(s) with the RPS digital upgrade complete, because of the interchannel communication and 2. MIN/2. MAX (for analog inputs) and two-out-of-four (for binary inputs), an RPS channel will not provide a trip signal to its RTC until trip conditions are satisfied in at least two RPS channels for the same trip function.

For Unit(s) with the RPS digital upgrade complete, the contacts of the four reactor trip relays in each RPS Channel cabinet are wired in a two-out-of-four logic scheme. For Units with the RPS digital upgrade not complete, the contacts of the four output relays within an RTM are wired in a two-out-of-four logic scheme. The relays de-energize to de-energize the Control Rod Drive Breaker undervoltage circuit wired to that channel and cause the shunt trip coil monitoring the circuit to be energized. Either de-energizing the undervoltage circuit or energizing the shunt trip circuit trips the CRD breaker.

APPLICABLE Transient and accident analyses rely on a reactor trip for protection of SAFETY ANALYSES reactor core integrity, reactor coolant pressure boundary integrity, and reactor building OPERABILITY. A reactor trip must occur when needed to prevent accident conditions from exceeding those calculated in the accident analyses. More detailed descriptions of the applicable accident analyses are found in the bases for each of the RPS trip Functions in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation."

The RTCs satisfy Criterion 3 of 10 CFR 50.36 (Ref. 2).

LCO LCO 3.3.3 requires all four RTCs to be OPERABLE. Failure of any RTC renders a portion of the RPS inoperable.

An OPERABLE RTC must be able to receive and interpret trip signals from OPERABLE RPS channels and to open its associated trip device.

OCONEE UNITS 1, 2, & 3 B 3.3.3-3 BASES REVISION DATED 06/03/11

RPS - RTC B 3.3.3 BASES LCO (continued)

The requirement of four RTCs to be OPERABLE ensures that a minimum of two RTCs will remain OPERABLE if a single failure has occurred in one RTC and if a second RTC is out of service. This two-out-of-four trip logic also ensures that a single RTC failure will not cause an unwanted reactor trip.

Violation of this LCO could result in a trip signal not causing a reactor trip when needed.

APPLICABILITY The RTCs are required to be OPERABLE in MODES 1 and 2. They are also required to be OPERABLE in MODES 3, 4, and 5 if any CRD trip breakers are in the closed position and the CRD System is capable of rod withdrawal. The RTCs are designed to ensure a reactor trip would occur, if needed. This condition can exist in all of these MODES; therefore, the RTCs must be OPERABLE.

ACTIONS A.1.1, A.1.2. and A.2 When an RTC is inoperable, the associated CRD trip breaker must then be placed in a condition that is equivalent to a tripped condition for the RTC.

Required Action A.1.1 or Required Action A.1.2 requires this either by tripping the CRD trip breaker or by removing power to the CRD trip device.

Tripping one RTC or removing power opens one of the CRD trip devices, which will result in the loss of one of the parallel power supplies. Power to hold CONTROL RODS in position is still provided via the parallel CRD power supply. Therefore, a reactor trip will not occur until a second protection channel trips.

Required Action A.2 requires that the inoperable RTC be removed from the cabinet to ensure the trip signal is registered in the other channels.

Required Action A.2 is modified by a Note indicating that this action is not applicable to Unit(s) with the RPS digital upgrade complete.

Physical removal of the inoperable RTC is not necessary as the trip signal is registered in the other channels by interchannel communications. This action causes the electrical interlocks to indicate a tripped channel in the remaining three RTCs. Operation in this condition is allowed indefinitely because the actions put the RPS into a one-out-of-three configuration. The I hour Completion Time is sufficient time to perform the Required Actions.

OCONEE UNITS 1, 2, & 3 B 3.3.3-4 BASES REVISION DATED 06/03/11 OCONEE UNITS 1, 2, & 3 B 3.3.3-4 BASES REVISION DATED 06103/11

RPS - RTC B 3.3.3 BASES ACTIONS B.1, B.2.1, and B.2.2 (continued)

Condition B applies if two or more RTCs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 1, 2, or 3. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 with all CRD trip breakers open or with power from all CRD trip breakers removed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

C.1 and C.2 Condition C applies if two or more RTCs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 4 or 5. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by opening all CRD trip breakers or removing power from all CRD trip breakers. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to open all CRD trip breakers or remove power from all CRD trip breakers without challenging unit systems.

SURVEILLANCE SR 3.3.3.1 REQUIREMENTS The SRs include performance of a CHANNEL FUNCTIONAL TEST every 31 days. This test shall verify the OPERABILITY of the RTC and its ability to receive and properly respond to channel trip and reactor trip signals.

The Frequency of 31 days is based on operating experience, which has demonstrated that failure of more than one channel of a given function in any 31 day interval is a rare event.

This testing is normally performed on a rotational basis, with one RTC being tested each week. Testing one RTC each week reduces the likelihood of the same systematic test errors being introduced into each redundant RTC.

OCONEE UNITS 1, 2, & 3 B 3.3.3-5 BASES REVISION DATED 06/03/11

RPS - RTC B 3.3.3 BASES (continued)

REFERENCES

1.

UFSAR, Chapter 7.

2.

10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.3-6 BASES REVISION DATED 06/03/11 I

CRD Trip Devices B 3.3.4 B 3.3 INSTRUMENTATION B 3.3.4 Control Rod Drive (CRD) Trip Devices BASES BACKGROUND The Reactor Protective System (RPS) contains multiple CRD trip devices in the form of four AC trip breakers. The system has two separate paths (or channels), with each path having two AC breakers in series. In either case, each path provides independent power to the CRDs. Also, in either case, either path can provide sufficient power to operate the entire CRD System.

Figure 7.1, UFSAR, Chapter 7 (Ref. 1), illustrates the configuration of Reactor Protection System (RPS) Reactor Trip Components (RTC's) and the trip breakers. To trip the reactor, power to the CRDs must be removed. Loss of power causes the CRD mechanisms to release the CONTROL RODS, which then fall by gravity into the core.

Power to CRDs is supplied from two separate sources through the AC trip circuit breakers. These breakers are designated A, B, C, and D. Their undervoltage (trip) coils are powered by RPS channels A, B, C, and D, respectively and their shunt (trip) coils are actuated by RPS channels A, B, C, and D, respectively. From the circuit breakers, the CRD power travels through voltage regulators and stepdown transformers. These devices in turn supply redundant buses that feed the Single Rod Power Supplies (SRPS).

Two AC breakers (A and C) are in series to feed one redundant train of the SRPS, whereas the other two series AC breakers (B and D) feed the other redundant train of the SRPS. The minimum required logic required to cause a reactor trip is the opening of a circuit breaker in each parallel path to the SRPS. This is known as a one-out-of-two taken twice logic. The following examples illustrate the operation of the reactor trip circuit breakers.

a. If the A or C circuit breaker opens, input power to one train of the SRPS's is lost.

b. If in addition, the B or D circuit breaker opens, input power to the other train of the SRPS's is lost, which will result in the dropping of all rods (except APSR's) into the core.

For Unit(s) with the RPS digital upgrade not complete, the logic developed within the RPS RTCs will result in all AC breakers tripping if any two RPS channels receive a trip signal.

OCONEE UNITS 1, 2, & 3 B 3.3.4-1 BASES REVISION DATED 06/03/11

CRD Trip Devices B 3.3.4 BASES BACKGROUND (continued)

For Unit(s) with the RPS digital upgrade complete, the reactor trip relays located in RPS Channel A cabinet provide the two-out-of-four relay logic to trip CRD breaker A, relays in RPS B cabinet trip CRD breaker B, relays in RPS C cabinet trip CRD breaker C, and relays in RPS D cabinet trip CRD breaker D. If two or more channels of RPS indicate a valid software trip logic condition (two-out-of-four), the binary outputs will de-energize the trip relays associated with those channels in all RPS cabinets, tripping all four CRD breakers resulting in a reactor trip.

APPLICABLE Accident analyses rely on a reactor trip for protection of reactor core SAFETY ANALYSES integrity, reactor coolant pressure boundary integrity, and reactor building OPERABILITY. A reactor trip must occur when needed to prevent accident consequences from exceeding those calculated in the accident analyses. The CONTROL ROD position limits ensure that adequate rod worth is available upon reactor trip to shut down the reactor to the required SDM. Further, OPERABILITY of the CRD trip devices ensures that all CONTROL RODS will trip when required. More detailed descriptions of the applicable accident analyses are found in the Bases for each of the individual RPS trip Functions in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation."

The CRD trip devices satisfy Criterion 3 of CFR 50.36 (Ref. 2).

LCO The LCO requires all of the specified CRD trip devices to be OPERABLE.

Failure of any required CRD trip device renders a portion of the RPS inoperable and reduces the reliability of the affected Functions. Without reliable CRD reactor trip circuit breakers and associated support circuitry, a reactor trip may not reliably occur when initiated either automatically or manually.

All required CRD trip devices shall be OPERABLE to ensure that the reactor remains capable of being tripped any time it is critical.

OPERABILITY is defined as the CRD trip device being able to receive a reactor trip signal and to respond to this trip signal by interrupting power to the CRDs. Both of the CRD trip breaker's diverse trip devices and the breaker itself must be functioning properly for the breaker to be OPERABLE.

Requiring all breakers to be OPERABLE ensures that at least one device in each of the two power paths to the CRDs will remain OPERABLE even with a single failure.

OCONEE UNITS 1, 2, & 3 B 3.3.4-2 BASES REVISION DATED 06/03/11 I

CRD Trip Devices B 3.3.4 BASES (continued)

APPLICABILITY The CRD trip devices shall be OPERABLE in MODES 1 and 2, and in MODES 3, 4, and 5 when any CRD trip breaker is in the closed position and the CRD System is capable of rod withdrawal.

The CRD trip devices are designed to ensure that a reactor trip would occur if needed. Since this condition can exist in all of these MODES, the CRD trip devices shall be OPERABLE.

ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each CRD trip device.

A.1 and A.2 Condition A represents reduced redundancy in the CRD trip Function.

Condition A applies when one diverse trip Function (undervoltage or shunt trip device) is inoperable in one or more CRD trip breaker(s).

If one of the diverse trip Functions on a CRD trip breaker becomes inoperable, actions must be taken to preclude the inoperable CRD trip device from preventing a reactor trip when needed. This is done by manually tripping the inoperable CRD trip breaker or by removing power from the inoperable CRD trip breaker. Either of these actions places the affected CRDs in a one-out-of-two trip configuration, which precludes a single failure from preventing a reactor trip. The 48 hour5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months Completion Time has been shown to be acceptable through operating experience.

B.1 and B.2 Condition B represents a loss of redundancy for the CRD trip Function.

Condition B applies when both diverse trip Functions are inoperable in one or more trip breaker(s).

Required Action B.1 and Required Action B.2 are the same as Required Action A.1 and Required Action A.2, but the Completion Time is shortened.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time allowed to trip or remove power from the CRD trip breaker allows the operator to take all the appropriate actions for the inoperable breaker and still ensures that the risk involved is acceptable.

OCONEE UNITS 1, 2, & 3 B 3.3.4-3 BASES REVISION DATED 06/03/11 I

CRD Trip Devices B 3.3.4 BASES ACTIONS (continued)

C.1, C.2.1, and C.2.2 With the Required Action and associated Completion Time of Condition A or B not met in MODE 1, 2, or 3, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 3, with all CRD trip breakers open or with power from all CRD trip breakers removed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

D.1 and D.2 With the Required Action and associated Completion Time of Condition A or B not met in MODE 4 or 5, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, all CRD trip breakers must be opened or power from all CRD trip breakers removed within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to open all CRD trip breakers or remove power from all CRD trip breakers without challenging unit systems.

SURVEILLANCE SR 3.3.4.1 REQUIREMENTS SR 3.3.4.1 is to perform a CHANNEL FUNCTIONAL TEST every 31 days.

This test verifies the OPERABILITY of the trip devices by actuation of the end devices. Also, this test independently verifies the undervoltage and shunt trip mechanisms of the trip breakers. The Frequency of 31 days is based on operating experience, which has demonstrated that failure of more than one channel of a given function in any 31 day interval is a rare event.

REFERENCES

1.

UFSAR, Chapter 7.

2.

10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.4-4 BASES REVISION DATED 06/03/11 I

ESPS Input Instrumentation B 3.3.5 B 3.3 INSTRUMENTATION B 3.3.5 Engineered Safeguards Protective System (ESPS) Input Instrumentation BASES BACKGROUND Note: To clearly differentiate text applicable only to Unit(s) with the ESPS digital upgrade complete, the text applicable only to that design is led with a qualifier and italicized. Likewise, the text applicable only to Unit(s) that have not been upgraded is led with a qualifier and bolded. Otherwise, the text applies to both designs.

The ESPS initiates necessary safety systems, based on the values of selected unit Parameters, to protect against violating core design limits and to mitigate accidents.

ESPS actuates the following systems:

High Pressure Injection (HPI);

Low Pressure Injection (LPI);

0 Reactor Building (RB) cooling; RB Spray; RB Isolation; and 0

Keowee Hydro Unit Emergency Start.

The ESPS operates in a distributed manner to initiate the appropriate systems. The ESPS does this by determining the need for actuation in each of three input channels monitoring each actuation Parameter. Once the need for actuation is determined, the condition is transmitted to automatic actuation output logic channels, which perform the two-out-of-three logic to determine the actuation of each end device. Each end device has its own automatic actuation logic, although all automatic actuation output logic channels take their signals from the same bistable (or processor output trip device for Unit(s) with the ESPS digital upgrade complete) in each channel for each Parameter.

OCONEE UNITS 1, 2, & 3 B 3.3.5-1 BASES REVISION DATED 06/03/11

ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND Four Parameters are used for actuation:

(continued)

Low Reactor Coolant System (RCS) Pressure; Low Low RCS Pressure; High RB Pressure; and High High RB Pressure.

LCO 3.3.5 covers only the input instrumentation channels that measure these Parameters. These channels include all intervening equipment necessary to produce actuation before the measured process Parameter exceeds the limits assumed by the accident analysis. This includes sensors, bistable devices (or processor output trip devices for Unit(s) with the ESPS digital upgrade complete), operational bypass circuitry, and output relays (or voter input for Unit(s) with the ESPS digital upgrade complete). LCO 3.3.6, "Engineered Safeguards Protective System (ESPS) Manual Initiation," and LCO 3.3.7, "Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels,"

provide requirements on the manual initiation and automatic actuation output logic Functions.

For Unit(s) with the ESPS digital upgrade not complete, the ESPS contains three input channels. Each input channel provides input to output logic channels that initiate equipment with a two-out-of-three logic on each output logic channel. Each input channel includes inputs from one input instrumentation channel of Low RCS Pressure, Low Low RCS Pressure, High RB Pressure, and High High RB Pressure. If an input channel setpoint is exceeded, an input channel trip signal is generated.

Automatic actuation output logic channels combine the three input channel trips to actuate the individual Engineered Safeguards (ES) components needed to initiate each ES System. Figure 7.5 of UFSAR, Chapter 7 (Ref. 1), illustrates how input instrumentation channel trips combine to cause automatic actuation output logic channel trips.

For Unit(s) with the ESPS digital upgrade complete, there are three input channels. The ESPS Protective Channels A, B and C are made up of two independent subsystems - one subsystem is installed in the ESPS cabinets and is designated A2, B2, and C2. The other independent and redundant subsystem is installed in the RPS cabinets and is designated A1, B1, and C1. This subsystem uses the RPS protective channels (A, B, and C) computers. The ESPS input signals are not redundant for the two subsystems. The same input signals are fed to ESPS subsystems 1 and 2. The ESPS subsystems are fully redundant with the OCONEE UNITS 1, 2, & 3 B 3.3.5-2 BASES REVISION DATED 06/03/11 I

ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND exception of the shared inputs. Each of these two independent (continued)

ESPS subsystems is fully capable of performing all required protective actions.

The three ESPS channel computers in each subsystem are interconnected via fiber optic data links, in a way that enables the exchange of data and signal online validation, before the calculation of trip functions. If the setpoint for a single input channel (for example, the RB High pressure input to Channel A) is exceeded, a channel trip statalarm is actuated but a channel trip signal is not sent to the automatic actuation output logic channel. Since the two ES subsystems share inputs, this condition will be sensed by both Channel A 1 and A2. Also, due to the inter-channel communication, all 3 ES channels in each subsystem recognize that this input channel setpoint has been exceeded for one channel. However, due to the 2.MIN/2.MAX logic within the system, the same input channel setpoint for one of the other three channels must be exceeded before channel trip signals are sent to the automatic actuation output logic channels. Again, due to the inter-channel communication, all 3 ES channels will then generate trip signals since the 2. MIN/2. MAX condition has been satisfied. The ESPS output actuation signals are sent from ESPS protective channels A, B and C to the ESPS actuation computers (Voters) via fiber optic data links. Figure 7.5 UFSAR, Chapter 7 (Ref. 1),

illustrates how input instrumentation channel trips combine to cause automatic actuation output logic channel trips.

The following matrix identifies the input instrumentation (measurement) channels and the Automatic Actuation Output Logic Channels actuated by each.

Output Actuated RCS RCS RB RB Logic Channels Systems/

PRESS PRESS PRESS PRESS Functions LOW LOW HIGH HIGH LOW HIGH 1 and 2 HPI and RB Non-Essential X

X Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input 3 and 4 LPI X

X 5 and 6 RB Cooling and RB X

Essential isolation 7 and 8 RB Spray X

OCONEE UNITS 1, 2, & 3 B 3.3.5-3 BASES REVISION DATED 06/03/11

ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND (continued)

The ES equipment is generally divided between the two redundant actuation output logic channels. The division of the equipment between the two actuation output logic channels is based on the equipment redundancy and function and is accomplished in such a manner that the failure of one of the actuation output logic channels and the related safeguards equipment will not inhibit the overall ES Functions. Redundant ES pumps are controlled from separate and independent actuation output logic channels with some exceptions (e.g., HPI B pump which is actuated by both).

The actuation of ES equipment is also available by manual actuation switches located on the control room console.

The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically the loss of coolant accident (LOCA) and main steam line break (MSLB) events. The ESPS relies on the OPERABILITY of the automatic actuation output logic for each component to perform the actuation of the selected systems of LCO 3.3.7.

Engineered Safeguards Protective System Bypasses No provisions are made for maintenance bypass of ESPS instrumentation channels. Operational bypass of certain input parameters is necessary to allow accident recovery actions to continue and, for some input parameters, to allow unit shutdown without spurious ESPS actuation.

The ESPS RCS pressure instrumentation channel design allows Manual Bypass when reactor pressure is below the point at which the low and low low pressure trips are required to be OPERABLE. Once permissive conditions are sensed, the RCS pressure trips may be manually bypassed.

Bypasses are automatically removed when bypass permissive conditions are exceeded. This bypass provides an operational provision only outside the Applicability for this parameter, and provides no safety function.

For Unit(s) with the ESPS digital upgrade complete, there are two redundant subsystems. The same input signal is fed to each subsystem.

In subsystem 1, channels A1, B1, and C1 provide the input to Voter 1 Odd and Voter I Even. In subsystem 2, channels A2, B2, and C2 provide input to Voter 2 Odd and Voter 2 Even. Either subsystem provides the full complement of Voters. This allows for a Manual (maintenance) Bypass of one complete subsystem, or portion of a subsystem, without entering into an LCO Condition.

I I

OCONEE UNITS 1, 2, & 3 B 3.3.5-4 BASES REVISION DATED 06/03/11

ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND Parameter Change Enable Mode (applicable only to Unit(s) with ESPS (continued) digital upgrade complete)

The ESPS Instrument Input Channel A2, B2, and C2 processors can each be placed in different operating modes through the use of the "Parameter Change Enable" keyswitches and commands from the Service Unit. Each protective channel A2, B2,and C2 has a keyswitch located in that channel's cabinet pair.

Placing ESPS Channels A1, B1 or C1 in Parameter Change Enable Mode through the use of the "Parameter Change Enable" keyswitch located in the corresponding RPS cabinet will also place the corresponding RPS Channels A, B, or C in Parameter Change Enable Mode.

When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:

The processors continue with normal operation.

A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.

With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:

Normal Operation - with permissive for operating mode change.

Parameterization - allows changes to specific parameters (example placing a parameter into a tripped condition or performing Go/NoGo testing).

OCONEE UNITS 1, 2, & 3 B 3.3.5-5 BASES REVISION DATED 06/03/11

ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND Parameter Change Enable Mode (applicable only to Unit(s) with ESPS digital upgrade complete) (continued)

Function Test - for disabling the application function and forcing output signal for testing purposes (normally not used).

Diagnostics - for downloading new application software.

The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions. Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.

When a keyswitch is placed in the Parameter Change Enable Mode Position for any activity, the affected processor shall first be declared out of service. In addition to declaring the processor out of service, when loading or revising software in a processor, the affected ESPS input shall be tripped OR the associated ESPS voters shall be placed in Bypass. If this activity is being performed on an ES Input Channel in subsystem 1, the associated RPS channel shall also be placed in manual bypass. Only one ESPS channel at a time is allowed to be placed into Parameter Change Enable Mode Position for software loading/revision.

Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the TXS Gateway.

ESPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).

Reactor Coolant System Pressure The RCS pressure is monitored by three independent pressure transmitters located in the RB. These transmitters are separate from the transmitters that provide inputs to the Reactor Protective System (RPS). The output of each transmitter terminates in an input isolation module in the ESPS, which provides individually isolated output pressure signals. Each of the pressure signals generated by these transmitters is monitored by four bistables (or two independent digital processing systems, with three ESPS input logic channels and three RPS/ESPS input logic channels for Unit(s) with the ESPS digital upgrade complete) to provide two trip signals, at > 1590 psig and > 500 psig, and two bypass permissive signals, at < 1750 psig and < 900 psig.

OCONEE UNITS 1, 2, & 3 B 3.3.5-6 BASES REVISION DATED 06/03/11 I

ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND Reactor Coolant System Pressure (continued)

For Unit(s) with the ESPS digital upgrade not complete, the outputs of the three bistables, associated with the low RCS pressure 1590 psig trip drive relays in two sets of identical and independent channels. These two sets of HPI channels each use a two-out-of-three coincidence network for HPI Actuation. The outputs of the three bistables associated with the Low Low RCS Pressure 500 psig trip drive relays in two sets of identical and independent channels. These two sets of LPI channels each use a two-out-of-three coincidence network for LPI Actuation.

For Unit(s) with the ESPS digital upgrade complete, the outputs of the three logic processor channels in each of the two processing subsystems (ESPS and RPS/ESPS) generate an output trip signal to its associated independent actuation train Voters (Odd and Even) when the second minimum pressure signal of any of the three input channels falls below the Low RCS pressure setpoint. This will initiate an actuation of the Voter Output Channels I and 2 (HPI Actuation). The outputs of the input logic processors in each processing system also generate an output trip signal to its associated independent actuation train Voters (Odd and Even) when the second minimum pressure signal of the three input channels falls below the Low Low RCS pressure setpoint. This will initiate an actuation of the Voter Output Channels 3 and 4 (LPI Actuation).

Reactor Building Pressure For Unit(s) with the ESPS digital upgrade not complete, there are three independent RB pressure transmitters. The output of each transmitter terminates in an input isolation module in the ESPS, which provides individually isolated output pressure signals. One isolated output of each pressure measurement goes to the unit computer for monitoring RB Pressure. One output of each pressure measurement goes to a bistable which initiates action when its high RB pressure trip point is exceeded. Each input isolation amplifier module contains an analog meter for indicating the measured pressure. Each of the three bistables has contact outputs that are combined in series with the output of the HPI and LPI System bistables as previously described.

OCONEE UNITS 1, 2, & 3 B 3.3.5-7 BASES REVISION DATED 06/03/11 I

ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND Reactor Building Pressure (continued)

For Unit(s) with the ESPS digital upgrade complete, there are three independent RB pressure transmitters. The outputs of the three logic processor channels in each of the two processing subsystems (ESPS and RPS/ESPS) generate an output trip signal to its associated independent actuation train Voters (Odd and Even) when the second maximum pressure signal of any of the three input channels increases above the High RB pressure setpoint. This will initiate an actuation of Voter Output Channels 5 and 6 (RB Cooling Actuation and RB Essential Isolation). The outputs of the three high RB pressure processor output trip devices also trip Voter Output Channels 1, 2, 3 and 4 to initiate HPI and LPI.

The ESPS channels of the RB Spray System are formed by two separate two-out-of-three logic networks with the active elements originating in six RB pressure sensing pressure switches. One two-out-of-three network actuates Channel 7 and the other two-out-of-three network actuates Channel 8. Either of the two networks is capable of initiating the required protective action.

Trip Setpoints and Allowable Values Trip setpoints are the nominal value at which the bistables (or processor output trip devices for Unit(s) with the ESPS digital upgrade complete) are set. Any bistable (or processor output trip devices for Unit(s) with the ESPS digital upgrade complete) is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy.

OCONEE UNITS 1, 2, & 3 B 3.3.5-8 BASES REVISION DATED 06/03/11

ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND Trip Setpoints and Allowable Values (continued)

The trip setpoints used in the bistables (or processor output trip devices for Unit(s) with the ESPS digital upgrade complete) are selected such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment induced errors for those ESPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 2), the Allowable Values specified in Table 3.3.5-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints and associated uncertainties is provided in Reference 3. The actual trip setpoint entered into the bistable (or processor output trip device for Unit(s) with the ESPS digital upgrade complete) is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST (or CHANNEL CALIBRATION for Unit(s) with the ESPS digital upgrade complete). A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

Setpoints, in accordance with the Allowable Values, ensure that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the accident and the equipment functions as designed.

For Unit(s) with the ESPS digital upgrade not complete, each channel is tested online to verify that the setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal may be injected in place of the field instrument signal.

For Unit(s) with the ESPS digital upgrade complete, each channel is tested online by manually retrieving the software setpoint to ensure it has been entered correctly. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements.

APPLICABLE The following ESPS Functions have been assumed within the accident SAFETY ANALYSES analyses.

High Pressure Iniection The ESPS actuation of HPI has been assumed for core cooling in the LOCA analysis and is credited with boron addition in the MSLB analysis.

OCONEE UNITS 1, 2, & 3 B 3.3.5-9 BASES REVISION DATED 06/03/11

ESPS Input Instrumentation B 3.3.5 BASES APPLICABLE Low Pressure Injection SAFETY ANALYSES (continued)

The ESPS actuation of LPI has been assumed for large break LOCAs.

Reactor Buildinq Spray, Reactor Building Cooling, and Reactor Building Isolation The ESPS actuation of the RB coolers and RB Spray have been credited in RB analysis for LOCAs, both for RB performance and equipment environmental qualification pressure and temperature envelope definition.

Accident dose calculations have credited RB Isolation and RB Spray.

Keowee Hydro Unit Emergency Start The ESPS initiated Keowee Hydro Unit Emergency Start has been included in the design to ensure that emergency power is available throughout the limiting LOCA scenarios.

The small break LOCA analyses assume a conservative 48 second delay time for the actuation of HPI and LPI in UFSAR, Chapter 15 (Ref. 4). The large break LOCA analyses assume LPI flow starts in 38 seconds while full LPI flow does not occur until 36 seconds later, or 74 seconds total (Ref. 4). This delay time includes allowances for Keowee Hydro Unit starting, Emergency Core Cooling Systems (ECCS) pump starts, and valve openings. Similarly, the RB Cooling, RB Isolation, and RB Spray have been analyzed with delays appropriate for the entire system analyzed.

Accident analyses rely on automatic ESPS actuation for protection of the core'temperature and containment pressure limits and for limiting off site dose levels following an accident. These include LOCA, and MSLB events that result in RCS inventory reduction or severe loss of RCS cooling.

The ESPS channels satisfy Criterion 3 of 10 CFR 50.36 (Ref. 5).

LCO The LCO requires three input channels of ESPS instrumentation for each Parameter in Table 3.3.5-1 to be OPERABLE in each ESPS automatic actuation output logic channel. Failure of any instrument renders the affected input channel(s) inoperable and reduces the reliability of the affected Functions. For Unit(s) with the ESPS digital upgrade complete, there are two redundant ESPS subsystems each having three input channels. Only one subsystem is required to be OPERABLE.

OCONEE UNITS 1, 2, & 3 B 3.3.5-10 BASES REVISION DATED 06/03/11

ESPS Input Instrumentation B 3.3.5 BASES LCO (continued)

Only the Allowable Value is specified for each ESPS Function in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal trip setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS or CHANNEL CALIBRATIONS do not exceed the Allowable Value if the bistable (or processor output trip devices for Unit(s) with the ESPS digital upgrade complete) is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable provided that operation and testing are consistent with the assumptions of the setpoint calculations. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis to account for instrument uncertainties appropriate to the trip Parameter. These uncertainties are defined in Reference 3.

The values for operating bypass removal functions are stated in the Applicable MODES or Other Specified Condition column of Table 3.3.5-1.

Three ESPS input instrumentation channels shall be OPERABLE to ensure that a single failure in one input channel will not result in loss of the ability to automatically actuate the required safety systems.

The bases for the LCO on ESPS Parameters include the following.

Three input channels of RCS Pressure-Low, RCS Pressure-Low Low, RB Pressure-High and RB Pressure-High High are required OPERABLE. For Unit(s) with the ESPS digital upgrade not complete, each input channel includes a sensor, trip bistable, bypass bistable, bypass relays, and output relays. For Unit(s) with the ESPS digital upgrade complete, each channel includes a sensor, input isolation modules, interchannel communication modules and processor output trip devices.

Failures that affect the ability to bypass an input channel do not render the input channel inoperable since the input channel is still capable of performing its safety function, i.e., this is not a safety related bypass function.

I I

APPLICABILITY Three input channels of ESPS instrumentation for each of the following Parameters shall be OPERABLE.

1.

Reactor Coolant System Pressure - Low The RCS Pressure - Low actuation Parameter shall be OPERABLE during operation at or above 1750 psig. This OCONEE UNITS 1, 2, & 3 B 3.3.5-11 BASES REVISION DATED 06/03/11

ESPS Input Instrumentation B 3.3.5 BASES APPLICABILITY

1.

Reactor Coolant System Pressure - Low (continued) requirement ensures the capability to automatically actuate safety systems and components during conditions indicative of a LOCA or secondary unit overcooling. Below 1750 psig, the low RCS Pressure actuation Parameter can be bypassed to avoid actuation during normal unit cooldowns when safety systems actuations are not required.

The allowance for the bypass is consistent with the transition of the unit to a lower energy state, providing greater margins to safety limits. The unit response to any event, given that the reactor is already tripped, will be less severe and allows sufficient time for operator action to provide manual safety system actuations. This is even more appropriate during unit heatups when the primary system and core energy content is low, prior to power operation.

In MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. RCS pressure and temperature are very low, and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

2.

Reactor Coolant System Pressure - Low Low The RCS Pressure - Low Low actuation Parameter shall be OPERABLE during operation above 900 psig. This requirement ensures the capability to automatically actuate safety systems and components during conditions indicative of a LOCA or secondary unit overcooling. Below 900 psig, the low low RCS Pressure actuation Parameter can be bypassed to avoid actuation during normal unit cooldowns when safety system actuations are not required.

The allowance for the bypass is consistent with the transition of the unit to a lower energy state, providing greater margins to safety limits. The unit response to any event, given that the reactor is already tripped, will be less severe and allows sufficient time for operator action to provide manual safety system actuations. This is even more appropriate during unit heatups when the primary system and core energy content is low, prior to power operation.

OCONEE UNITS 1, 2, & 3 B 3.3.5-12 BASES REVISION DATED 06/03/11

ESPS Input Instrumentation B 3.3.5 BASES APPLICABILITY

2.

Reactor Coolant System Pressure - Low Low (continued)

In MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. RCS pressure and temperature are very low, and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

3, 4.

Reactor Building Pressure - High and Reactor Building Pressure -High High The RB Pressure - High and RB Pressure - High High actuation Functions of ESPS shall be OPERABLE in MODES 1, 2, 3, and 4 when the potential for a HELB exists. In MODES 5 and 6, the unit conditions are such that there is insufficient energy in the primary and secondary systems to raise the containment pressure to either the RB Pressure - High or RB Pressure - High High actuation setpoints. Furthermore, in MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident.

RCS pressure and temperature are very low and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressunzation of unit systems.

ACTIONS Required Actions A and B apply to all ESPS input instrumentation Parameters listed in Table 3.3.5-1.

A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each Parameter.

If an input channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or ESPS bistable (or input isolation modules, inter-channel communication modules and processor output trip devices for Unit(s) with the ESPS digital upgrade complete) is found inoperable, then all affected functions provided by that input channel should be declared inoperable and the unit must enter the Conditions for the particular protective Parameter affected.

OCONEE UNITS 1, 2, & 3 B 3.3.5-13 BASES REVISION DATED 06/03/11 I

ESPS Input Instrumentation B 3.3.5 BASES ACTIONS A._1 (continued)

Condition A applies when one input channel becomes inoperable in one or more Parameters. If one ESPS input instrument channel is inoperable, placing it in a tripped condition leaves the system in a one-out-of-two condition for actuation. Thus, if another input channel were to fail, the ESPS instrumentation could still perform its actuation functions. For Unit(s) with the ESPS digital upgrade not complete, this action is completed when all of the affected output relays are tripped and can normally be accomplished by tripping the affected bistables.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is sufficient time to perform the Required Action.

For Unit(s) with the ESPS digital upgrade complete, this can be accomplished two ways: (1) by placing an input logic channel (A, B or C) in trip with the associated Manual Trip keyswitch (the input Manual Trip channel keyswitch trips all ESPS functions in the channel), or (2) tripping the individual input parameter functional software through the interactive Graphical Service Monitor dialog screen. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is justified based on the continuous monitoring and signal validation being performed and is sufficient time to place a Parameter in trip. If the Parameter cannot be placed in trip, the Operator can trip the affected channel with the use of the Manual Trip keyswitch until such time that the individual parameter can be placed in trip.

B.1. B.2.1, B.2.2, and B.2.3 Condition B applies when the Required Action and associated Completion Time of Condition A are not met or when one or more parameters have two or more inoperable input channels. If Condition B applies, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and, for the RCS Pressure-Low Parameter, to

< 1750 psig, for the RCS Pressure-Low Low Parameter, to < 900 psig, and for the RB Pressure-High Parameter and RB Pressure-High High Parameter, to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

OCONEE UNITS 1, 2, & 3 B 3.3.5-14 BASES REVISION DATED 06/03/11

ESPS Input Instrumentation B 3.3.5 BASES SURVEILLANCE The ESPS Parameters listed in Table 3.3.5-1 are subject to REQUIREMENTS CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION.

SR 3.3.5.1 Performance of the CHANNEL CHECK every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that input instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two input instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit.

The Frequency for a manual CHANNEL CHECK, equivalent to every shift, is based on operating experience that demonstrates channel failure is rare. Since the probability of two random failures in redundant channels in any 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but potentially more frequent, checks of channel operability during normal operational use of the displays associated with the LCO's required channels.

For Unit(s) with the digital ESPS complete, the CHANNEL CHECK requirement is met automatically. The digital ESPS provides continuous online automatic monitoring of each of the input signals in each channel, performs signal online validation against required acceptance criteria, and provides hardware functional validation. If any protective channel input signal is identified to be in the failure status, this condition is alarmed on the Unit Statalarm and input to the plant OAC. Immediate notification of the failure status is provided to the Operations staff OCONEE UNITS 1, 2, & 3 B 3.3.5-15 BASES REVISION DATED 06/03/11 I

ESPS Input Instrumentation B 3.3.5 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.5.2 The SR is modified by a Note indicating that it is only applicable to Unit(s) with the ESPS digital upgrade complete. This SR manually retrieves the software setpoints and verifies they are correct. The proper functioning of the processor portion of the channel is continuously checked by automatic cyclic self monitoring. The proper functioning of the processor portion of the channel is continuously checked by automatic cyclic self monitoring. Verification of field instrument setpoints is not required by this surveillance. This surveillance does not apply to the Reactor Building Pressure High High parameter because it consists of pressure switches which provide a contact status to the system and there is no software setpoint to verify.

The Frequency of 92 days is considered adequate since software is not subject to drift and the SR is only verifying that the setpoint was not incorrectly set.

SR 3.3.5.3 The SR is modified by a Note indicating that it is not applicable to Unit(s) with the ESPS digital upgrade complete.

A CHANNEL FUNCTIONAL TEST is performed on each required ESPS input channel to ensure the entire channel, including the bypass function, will perform the intended functions. Any setpoint adjustment shall be consistent with the assumptions of the current unit specific uncertainty analysis.

The Frequency of 92 days is based on operating experience, with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given function in any 92 day interval is a rare event.

SR 3.3.5.4 CHANNEL CALIBRATION is a complete check of the input instrument channel, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION assures that measurement errors and bistable (or processor output trip device for Unit(s) with the ESPS digital upgrade complete) setpoint errors are within OCONEE UNITS 1, 2, & 3 B 3.3.5-16 BASES REVISION DATED 06/03/11

ESPS Input Instrumentation B 3.3.5 BASES SURVEILLANCE SR 3.3.5.4 (continued)

REQUIREMENTS the assumptions of the unit specific uncertainty analysis. CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the uncertainty analysis.

The 18 month frequency for the CHANNEL CALIBRATION is based on design capabilities and reliability of the digital ESPS. Since the CHANNEL FUNCTIONAL TEST is a part of the CHANNEL CALIBRATION a separate SR is not required. The digital ESPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The protection system also performs continuous online hardware monitoring. The CHANNEL CALIBRATION essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.

For Unit(s) with the ESPS digital upgrade complete, the digital processors shall be rebooted as part of the calibration. This verifies that the software has not changed. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements. This, in combination with ensuring the setpoints are entered into the software correctly per SR 3.3.5.2, verifies the setpoints are within the Allowable Values.

This Frequency is justified by the assumption of an 18 month calibration interval to determine the magnitude of equipment drift in the uncertainty analysis. For Unit(s) with the digital upgrade complete, the 18 month calibration interval is justified by the reliability of components whose failure modes are not automatically detected or indicated.

REFERENCES

1.

UFSAR, Chapter 7.

2.

10 CFR 50.49.

3.

EDM-102, "Instrument Setpoint/Uncertainty Calculations."

4.

UFSAR, Chapter 15.

5.

10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.5-17 BASES REVISION DATED 06/03/11

ESPS Manual Initiation B 3.3.6 B 3.3 INSTRUMENTATION B 3.3.6 Engineered Safeguards Protective System (ESPS) Manual Initiation BASES BACKGROUND Note: To clearly differentiate text applicable only to Unit(s) with the RPS digital upgrade complete, the text applicable only to that design is led with a qualifier and italicized. Likewise, the text applicable only to Unit(s) that have not been upgraded is led with a qualifier and bolded. Otherwise, the text applies to both designs.

The ESPS manual initiation capability allows the operator to actuate ESPS Functions from the main control room in the absence of any other initiation condition. This ESPS manual initiation capability is provided in the event the operator determines that an ESPS Function is needed and has not been automatically actuated. Furthermore, the ESPS manual initiation capability allows operators to rapidly initiate Engineered Safeguards (ES)

Functions.

LCO 3.3.6 covers only the system level manual initiation of these Functions. LCO 3.3.5, "Engineered Safeguards Protective System (ESPS)

Input Instrumentation," and LCO 3.3.7, "Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels," provide requirements on the portions of the ESPS that automatically initiate the Functions described earlier.

The ESPS manual initiation Function relies on the OPERABILITY of the automatic actuation output logic channels (LCO 3.3.7) to perform the actuation of the systems. A manual trip push button is provided on the control room console for each of the automatic actuation output logic channels. Operation of the push button energizes relays whose contacts perform a logical "OR" function with the automatic actuation.

For Unit(s) with the ESPS digital upgrade not complete, the ESPS manual initiation channel is defined as the instrumentation between the console switch and the automatic actuation output logic channel, which actuates the end devices. For Unit(s) with the ESPS digital upgrade complete, the ESPS manual initiation portion of the ESPS system is defined as the instrumentation between the control console Trip/Reset switches and the relay output (RO) relays which actuate the end devices. Other means of manual initiation, such as controls for individual ES devices, may be available in the control room and other unit locations. These alternative means are not required by this LCO, nor may they be credited to fulfill the requirements of this LCO.

OCONEE UNITS 1, 2, & 3 B 3.3.6-1 BASES REVISION DATED 06/03/11 I

ESPS Manual Initiation B 3.3.6 BASES BACKGROUND (continued)

For Unit(s) with the ESPS digital upgrade complete, a manual actuation of the ESPS actuation functions shall be capable of being initiated from the main control board Trip/Reset pushbutton switches. Individual pushbuttons are provided for High Pressure Injection and Reactor Building (RB) Non-Essential Isolation (Channels I and 2), Low Pressure Injection and Low Pressure Service Water Actuation (Channels 3 and 4),

RB Cooling and RB Essential Isolation (Channels 5 and 6), and RB Spray (Channels 7 and 8). The manual actuation is independent of the ESPS automatic actuation signal and is capable of actuating all channel related actuation field components regardless of any failures of the automatic signal. Initiation of the manual actuation portion of ESPS will also input an actuation signal to the automatic system to provide input to the automatic system indicating that a manual actuation has occurred.

APPLICABLE SAFETY ANALYSES The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically, the loss of coolant accident and steam line break events.

The ESPS manual initiation ensures that the control room operator can rapidly initiate ES Functions. The manual initiation trip Function is required as a backup to automatic trip functions and allows operators to initiate ESPS whenever any parameter is rapidly trending toward its trip setpoint.

The ESPS manual initiation functions satisfy Criterion 3 of 10 CFR 50.36 (Ref. 1).

LCO Two ESPS manual initiation channels of each ESPS Function shall be OPERABLE whenever conditions exist that could require ES protection of the reactor or RB. Two OPERABLE channels ensure that no single random failure will prevent system level manual initiation of any ESPS Function. The ESPS manual initiation Function allows the operator to initiate protective action prior to automatic initiation or in the event the automatic initiation does not occur.

OCONEE UNITS 1, 2, & 3 B 3.3.6-2 BASES REVISION DATED 06/03/11 I

ESPS Manual Initiation B 3.3.6 BASES LCO (continued)

The required Function is provided by two associated channels as indicated in the following table:

Function Associated Channels HPI and RB Non-Essential 1 & 2 Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input LPI 3&4 RB Cooling and RB Essential 5 & 6 isolation RB Spray 7 & 8 APPLICABILITY The ESPS manual initiation Functions shall be OPERABLE in MODES 1 and 2, and in MODES 3 and 4 when the associated engineered safeguard equipment is required to be OPERABLE. The manual initiation channels are required because ES Functions are designed to provide protection in these MODES. ESPS initiates systems that are either reconfigured for decay heat removal operation or disabled while in MODES 5 and 6.

Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components. Adequate time is available to evaluate unit conditions and to respond by manually operating the ES components, if required.

ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each ESPS manual initiation Function.

A.1 Condition A applies when one manual initiation channel of one or more ESPS Functions becomes inoperable. Required Action A.1 must be taken to restore the channel to OPERABLE status within the next 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is based on operating experience and administrative controls, which provide alternative means of ESPS Function initiation via individual component controls. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is generally consistent with the allowed outage time for the safety systems actuated by ESPS.

OCONEE UNITS 1, 2, & 3 B 3.3.6-3 BASES REVISION DATED 06/03/11

ESPS Manual Initiation B 3.3.6 BASES ACTIONS B.1 and B.2 (continued)

With the Required Action and associated Completion Time not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required MODES from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS SR 3.3.6.1 This SR requires the performance of a CHANNEL FUNCTIONAL TEST of the ESPS manual initiation. This test verifies that the initiating circuitry is OPERABLE and will actuate the automatic actuation output logic channels.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. This Frequency is demonstrated to be sufficient, based on operating experience, which shows these components usually pass the Surveillance when performed on the 18 month Frequency.

REFERENCES

1.

10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.6-4 BASES REVISION DATED 06/03/11

ESPS Automatic Actuation Output Logic Channels B 3.3.7 B 3.3 INSTRUMENTATION B 3.3.7 Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels BASES BACKGROUND Note: To clearly differentiate text applicable only to Unit(s) with the RPS digital upgrade complete, the text applicable only to that design is led with a qualifier and italicized. Likewise, the text applicable only to Unit(s) that have not been upgraded is led with a qualifier and bolded. Otherwise, the text applies to both designs.

For Unit(s) with the ESPS digital upgrade not complete, the automatic actuation output logic channels are defined as the instrumentation from the buffers of the ESPS input instrument channels through the unit controllers that actuate ESPS equipment For Unit(s) with the ESPS digital upgrade complete, the automatic actuation output logic channels are defined as the Voters, the output relays and associated contacts. For Unit(s) with the ESPS digital upgrade complete, the Voters are used to provide an output signal to the output relays for the LP-1 interlock. Since LP-1 is not an ES valve, any inoperability of the ESPS associated with this particular function would require no action by TS 3.3.7. Each of the components actuated by the ESPS Functions is associated with one or more automatic actuation output logic channels. If two-out-of-three ESPS input instrumentation channels indicate a trip, or if channel level manual initiation occurs, the automatic actuation output logic channel is activated and the associated equipment is actuated. The purpose of requiring OPERABILITY of the ESPS automatic actuation output logic channels is to ensure that the Functions of the ESPS can be automatically initiated in the event of an accident. Automatic actuation of some Functions is necessary to prevent the unit from exceeding the Emergency Core Cooling Systems (ECCS) limits in 10 CFR 50.46 (Ref. 1). It should be noted that OPERABLE automatic actuation output logic channels alone will not ensure that each Function can be activated; the input instrumentation channels and actuated equipment associated with each Function must also be OPERABLE to ensure that the Functions can be automatically initiated during an accident.

LCO 3.3.7 covers only the automatic actuation output logic channels that initiates these Functions. LCO 3.3.5, "Engineered Safeguards Protective System (ESPS) Input Instrumentation," and LCO 3.3.6, "Engineered Safeguards Protective System (ESPS) Manual Initiation," provide requirements on the input instrumentation and manual initiation channels that feed into the automatic actuation output logic channels.

OCONEE UNITS 1, 2, & 3 B 3.3.7-1 BASES REVISION DATED 06/03/11 I

ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES BACKGROUND For Unit(s) with the ESPS digital upgrade complete, the ESPS Protective (continued)

Channels (computers) A, B, and C are implemented on two independent and redundant subsystems. One subsystem, containing channels AZ B2, and C2, uses the ESPS protective channel computers, which are installed in the ESPS cabinets. The other sub-system, containing independent and redundant channels A1, B1, and C1, uses the RPS protective channel computers, which are installed in the RPS cabinets.

Each of the independent ESPS and ESPS/RPS protective channel function output signals are sent to two redundant digital actuation Voter Sets each comprised of an Odd and Even Voter. The Odd Voter is associated with ESPS Automatic Actuation Output Logic Channels 1, 3, 5, and 7 while the Even Voter is associated with Channels 2, 4, 6, and 8.

One of the Odd and Even Voter sets (Voter 2) performs the two-out-of-three voting for the actuation signals coming from the ESPS protective channels; the other independent and redundant Odd and Even Voter set (Voter 1) performs the two-out-of-three voting for the actuation signals coming from the ESPS/RPS sets. The independent and redundant ESPS protective safety actuation functions are duplicated in the ESPS and ESPS/RPS subsystems The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically, the loss of coolant accident (LOCA) and main steam line break (MSLB) events. The ESPS relies on the OPERABILITY of the automatic actuation logic for each component to perform the actuation of the selected systems.

The small break LOCA analyses assume a conservative 48 second delay time for the actuation of High Pressure Injection (HPI) in UFSAR, Chapter 15 (Ref. 2). The large break LOCA analyses assume Low Pressure Injection (LPI) flow starts in 38 seconds while full LPI flow does not occur until 36 seconds later, or 74 seconds total (Ref. 2). This delay time includes allowances for Keowee Hydro Unit startup and loading, ECCS pump starts, and valve openings. Similarly, the Reactor Building (RB)

Cooling, RB Isolation, and RB Spray have been analyzed with delays appropriate for the entire system.

The ESPS automatic initiation of Engineered Safeguards (ES) Functions to mitigate accident conditions is assumed in the accident analysis and is required to ensure that consequences of analyzed events do not exceed the accident analysis predictions. Automatically actuated features include HPI, LPI, RB Cooling, RB Spray, and RB Isolation.

OCONEE UNITS 1, 2, & 3 B 3.3.7-2 BASES REVISION DATED 06/03/11

ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES BACKGROUND Engineered Safequards Protective System Bypasses (continued)

For Unit(s) with the ESPS digital upgrade complete, there are two redundant subsystems. The same analog input signal is fed to each subsystem. In subsystem 1, channels Al, B1, and C1 provide the input to Voter I Odd and Voter I Even. In subsystem 2, channels A2, B2, and C2 provide input to Voter 2 Odd and Voter 2 Even. Either subsystem provides the full complement of Voters. This allows for a Manual (maintenance) Bypass of one complete subsystem, or portion of a subsystem, without entering into an LCO Condition. While one Voter or a set of Voters are bypassed, the ESPS function is provided by the redundant ESPS subsystem.

Placing a Voter in Manual Bypass is implemented by keyswitches located in the respective ESPS Actuation cabinets. If an ESPS Voter is placed in Manual Bypass, all automatic ESPS actuation functions from that specific Voter are disabled. However, a manual ESPS trip is still available for Operator action to initiate the ESPS safety actuation functions. Only one Manual Bypass keyswitch for the two Odd Voters (Voter 1 Odd or Voter 2 Odd) and one Manual Bypass keyswitch for the two Even Voters (Voter I Even or Voter 2 Even) is allowed to be placed in Manual Bypass at a time. Placing an ESPS Voter in Manual Bypass is administratively controlled. The ESPS Manual Bypass keyswitch status information is sent to the Unit control room Statalarm panel and sent to the plant Operator Aid Computer (OA C).

Parameter Change Enable Mode (applicable only to Unit(s) with ESPS digital upgrade complete)

ESPS Voters for subsystems I and 2 and Status processors can be placed in a parameter change enable mode through the use of the Parameter Change Enable keyswitches. One keyswitch will place Odd Voter I and the Odd Component Status processor in Parameter Change Enable Mode. One keyswitch will place Even I Voter and the Even Component Status processor in Parameter Change Enable Mode. Odd Voter 2 and Even Voter 2 each have their own keyswitch that can be used to place each processor in Parameter Change Enable Mode.

When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:

The processors continue with normal operation.

A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.

OCONEE UNITS 1, 2, & 3 B 3.3.7-3 BASES REVISION DATED 06/03/11

ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES BACKGROUND Parameter Change Enable Mode (applicable only to Unit(s) with ESPS digital upgrade complete) (continued)

With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:

Normal Operation - with permissive for operating mode change.

Parameterization - allows changes to specific parameters (example placing a parameter into a tripped condition or performing Go/NoGo testing).

Function Test - for disabling the application function and forcing output signal for testing purposes (normally not used).

Diagnostics - for downloading new application software.

The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions. Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.

When a keyswitch is placed in the Parameter Change Enable Mode Position for any activity, the affected processor shall first be declared out of service. In addition to declaring the processor out of service, when loading or revising software in a processor, the affected ESPS voter (Set 1 or Set 2) shall be placed in Bypass. Only one ESPS voter at a time is allowed to be placed into Parameter Change Enable Mode Position for software loading/revision.

Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the Gateway.

ESPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).

OCONEE UNITS 1, 2, & 3 B 3.3.7-4 BASES REVISION DATED 06/03/11

ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES (continued)

APPLICABLE Accident analyses rely on automatic ESPS actuation for protection of the SAFETY ANALYSES core and RB and for limiting off site dose levels following an accident. The automatic actuation output logic is an integral part of the ESPS..

The ESPS automatic actuation output logic channels satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).

LCO The automatic actuation output logic channels are required to be OPERABLE whenever conditions exist that could require ES protection of the reactor or the RB. This ensures automatic initiation of the ES required to mitigate the consequences of accidents.

For Unit(s) with the ESPS digital upgrade complete, the ESPS automatic actuation output logic channels are comprised of two independent and redundant subsystems. Only one of the independent subsystems is required to be OPERABLE.

The required Function is provided by two associated output channels as indicated in the following table:

Function Associated Channels HPI and RB Non-Essential 1 & 2 Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input LPI 3&4 RB Cooling and RB Essential 5 & 6 isolation RB Spray 7&8 I

OCONEE UNITS 1, 2, & 3 B 3.3.7-5 BASES REVISION DATED 06/03/11

ESPS Automatic Actuation Output Logic Channels B 3.3.7 I BASES (continued)

APPLICABILITY The automatic actuation output logic channels shall be OPERABLE in MODES 1 and 2 and in MODES 3 and 4 when the associated engineered safeguard equipment is required to be OPERABLE, because ES Functions are designed to provide protection in these MODES. Automatic actuation in MODE 5 or 6 is not required because the systems initiated by the ESPS are either reconfigured for decay heat removal operation or disabled.

Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components. Adequate time is available to evaluate unit conditions and respond by manually operating the ES components, if required.

ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each ESPS automatic actuation output logic channel.

A.1 and A.2 When one or more automatic actuation output logic channels are inoperable, the associated component(s) can be placed in their engineered safeguard configuration. Required Action A.1 is equivalent to the automatic actuation output logic channel performing its safety function ahead of time.

In some cases, placing the component in its engineered safeguard configuration would violate unit safety or operational considerations. In these cases, the component status should not be changed, but the supported system component must be declared inoperable. Conditions which would preclude the placing of a component in its engineered safeguard configuration include, but are not limited to, violation of system separation, activation of fluid systems that could lead to thermal shock, or isolation of fluid systems that are normally functioning. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is based on operating experience and reflects the urgency associated with the inoperability of a safety system component.

Required Action A.2 requires declaring the associated components of the affected supported systems inoperable, since the true effect of automatic actuation output logic channel failure is inoperability of the supported system. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is based on operating experience and reflects the urgency associated with the inoperability of a safety system component. A combination of Required Actions A.1 and A.2 may be used for different components associated with an inoperable automatic actuation output logic channel.

I OCONEE UNITS 1, 2, & 3 B 3.3.7-6 BASES REVISION DATED 06/03/11

ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES (continued)

SURVEILLANCE SR 3.3.7.1 REQUIREMENTS The SR is modified by a Note indicating that it is only applicable to Unit(s) with the ESPS digital upgrade complete. This SR requires manual actuation of the output channel interposing relays (referred to as Ro relays) to demonstrate OPERABILITY of the relays. The proper functioning of the processor portion of the channel is continuously checked by automatic cyclic self monitoring.

The Frequency of 92 days is considered adequate based on operating experience that demonstrates the rarity of more than one channel's relay failing within the same interval.

SR 3.3.7.2 SR 3.3.7.2 is the performance of a CHANNEL FUNCTIONAL TEST on a 92 day Frequency for Unit(s) with the ESPS digital upgrade not complete and an 18 month Frequency for Unit(s) with the ESPS digital upgrade complete. For Unit(s) with the ESPS digital upgrade complete, the functional test consists of rebooting the digital processors. This verifies that the software has not changed.

For Unit(s) with the ESPS digital upgrade not complete, the 92 day Frequency is based on operating experience that demonstrates the rarity of more than one channel failing within the same interval.

For Unit(s) with the ESPS digital upgrade complete, the 18 month Frequency is based on the design capabilities and reliability of the digital ESPS. The digital ESPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The protection system also performs continual online hardware monitoring. The CHANNEL FUNCTIONAL TEST essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function. The reliability of components whose failure modes are not automatically detected or indicated also supports a test frequency of 18 months.

REFERENCES

1.

10 CFR 50.46.

2.

UFSAR, Chapter 15.

3.

10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.7-7 BASES REVISION DATED 06/03/11

TABLE OF CONTENTS B 2.0 S A F ET Y LIM IT S (S Ls).....................................................................................

B 2.1.1-1 B 2.1.1 R eactor C ore S Ls............................................................................

B 2.1.1-1 B 2.1.2 Reactor Coolant System (RCS) Pressure SL................................

B 2.1.2-1 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY............. B 3.0-1 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY............................

B 3.0-12 B 3.1 REACTIVITY CONTROL SYSTEMS......................................................

B 3.1.1-1 B 3.1.1 SHUTDOWN MARGIN (SDM).......................................................

B 3.1.1-1 B 3.1.2 R eactivity Balance...........................................................................

B 3.1.2-1 B 3.1.3 Moderator Temperature Coefficient (MTC)....................................

B 3.1.3-1 B 3.1.4 CONTROL ROD Group Alignment Limits......................................

B 3.1.4-1 B 3.1.5 Safety Rod Position Lim its............................................................. B 3.1.5-1 B 3.1.6 AXIAL POWER SHAPING ROD (APSR) Alignment Limits........... B 3.1.6-1 B 3.1.7 Position Indicator C hannels............................................................

B 3.1.7-1 B 3.1.8 PHYSICS TESTS Exceptions-MODE 2......................................

B 3.1.8-1 B 3.2 POW ER DISTRIBUTIO N LIM ITS...........................................................

B 3.2.1-1 B 3.2.1 Regulating Rod Position Lim its.......................................................

B 3.2.1-1 B 3.2.2 AXIAL POWER IMBALANCE Operating Limits.............................

B 3.2.2-1 B 3.2,3 QUADRANT POWER TILT (QPT).................................................

B 3.2.3-1 B 3.3 IN ST R U M E N TA T IO N..............................................................................

B 3.3.1-1 B 3.3,1 Reactor Protective System (RPS) Instrumentation........................

B 3.3.1-1 B 3.3,2 Reactor Protective System (RPS) Manual Reactor T rip..............................................................

............................. B 3.3.2 -1 B 3.3,3 Reactor Protective System (RPS) - Reactor Trip C om ponent o

B 3.3.3-1 B 3.3,4 (RTC Control Rod Drive (CRD) Trip Devices...........................................

B 3.3.4-1 B 3.3,5 Enngiered Safeguards Protective System (ESPS) input

.[- A ral Instrum entation............................................................

B 3.3.5-1 B 3.3,6 Engineered Safeguards Protective System (ESPS)

M a n ua l In itia tio n........................................................................

B 3.3.6 -1 B 3.3,7 Eniered Safeguards Protective System (ESPS)

Lbtd Automatic ActuatioZi ogic Channels.

utu B 3.3.7-1 B 3.3,8 Post Accident Monitoring (PAM) Instrumentation..........................

B 3.3.8-1 B 3.3,9 Source Range Neutron Flux...........................................................

B 3.3.9-1 B 3.3.10 W ide Range Neutron Flux...............................................................

B 3.3.10-1 B 3.3.11 Automatic Feedwater Isolation System (AFIS) Instrumentation.... B 3.3.11-1 B 3.3,12 Automatic Feedwater isolation System (AFIS) Manual Initiation... B 3.3.12-1 OCONEE UNITS 1, 2, & 3 i

[An 4 ndm'nt 32ý, 3*/0, 3/0 BA7 SBASES CHANGE DATED

TABLE OF CONTENTS B 3.3 INSTRUMENTATION (continued)

B 3.3.13 Automatic Feedwater Isolation System (AFIS) Digital C h a n n e ls...................................................................................

B 3.3.1 3 -1 B 3.3.14 Emergency Feedwater (EFW) Pump Initiation C irc u itry.....................................................................................

B 3.3.14 -1 B 3.3.15 Turbine Stop Valves (TSV) Closure................................................

B 3.3.15-1 B 3.3.16 Reactor Building (RB) Purge Isolation -H igh R adiation..........................................................

B 3.3.16-1 B 3.3.17 Emergency Power Switching Logic (EPSL) Automatic T ransfer F unction......................................................................

B 3.3.17-1 B 3.3.18 Emergency Power Switching Logic (EPSL) Voltage S ensing C ircuits........................................................................

B 3.3.18-1 B 3.3.19 Emergency Power Switching Logic (EPSL) 230 kV Switchyard Degraded Grid Voltage P rotection (D G V P )....................................................................

B 3.3.19-1 B 3.3.20 Emergency Power Switching Logic (EPSL) CT-5 Degraded Grid Voltage Protection (DGVP)..............................

B 3.3.20-1 B 3.3.21 Emergency Power Switching Logic (EPSL) Keowee Em ergency Start Function........................................................

B 3.3.21-1 B 3.3.22 Emergency Power Switching Logic (EPSL) Manual Keowee Emergency Start Function..........................................

B 3.3.22-1 B 3.3.23 Main Feeder Bus Monitor Panel (MFBMP)....................................

B 3.3.23-1 B 3.3.24 N ot U sed..........................................................................................

B 3.3.24 -1 B 3.3.2 5 N ot U sed..........................................................................................

B 3.3.2 5-1 B 3.3.2 6 N o t U se d..........................................................................................

B 3.3.2 6 -1 B 3.3.2 7 N o t U se d..........................................................................................

B 3.3.2 7 -1 B 3.3.28 Low Pressure Service Water (LPSW) Standby Pump Auto-S ta rt C ircu itry........................................................

B 3.3.2 8-1 OCONEE UNITS 1, 2, & 3 ii

[Am/ndm t 336/336, 3 7]

I BASES CHANGE DATED I

RPS Instrumentation B 3.3.1 Note: To clearly differentiate text applicable only to Unit(s) with the RPS digital upgrade B 3.3 INSTRUMENTATION complete, the text applicable only to that design is led with a qualifier and italicized.

B 3.3.1 Reactor Protective System (RPS) Instrumentation Likewise, the text applicable only to U hit(s) that have not been upgraded is led with a qualifier and bolded. Otherwise, the text BASES applies to both designs.

BACKGROUND The RPS initiates a reactor trip to protect against violating the core fuel design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated transients. By tripping the reactor, the RPS also assists the Engineered Safeguards (ES) Systems in mitigating accidents.

The protective and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as the LCOs on other reactor system parameters and equipment performance.

The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establishes the threshold for protective system action to prevent exceeding acceptable limits during accidents or transients.

During anticipated transients, which are those events expected to occur one or more times during the unit's life, the acceptable limit is:

a.

The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value;

b.

Fuel centerline melt shall not occur; and

c.

The RCS pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 20 and 10 CFR 100 criteria during anticipated transients. -]

'"*Accidents are events that are analyzed even though they are not expected to occur during the unit's life. The acceptable limit during accidents is that the offsite dose shall be maintained within reference 10 CFR 100 limits.

Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

OCONEE UNITS 1,2, & 3 B 3.3.1-1 BASES REVISION DATED 5/ 5/ 6

RPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

RPS Overview (or processor output trip devices for Unit(s) with the RPS digital upgrade complete)

The RPS consists of four separate redundant protective channels that receive inputs of neutron flux, RCS pressure, RCS flow, RCS temperature, turbines CS pump status, reactor building (RB) pressure, main feedwater (MFW) puml'status, and urbine status.

ma Figure 7.1 of ý,(Fig e 7.1 nd 7/1.aj UFSAR, Chapter 7 (Ref. 1), shows the arrangement l-of a typical RPS protective channel. A protective channel is composed of a

measuremenYchannels, a manual trip channel, tor #iP mod le a

and ontrol rod drive (CRD) trip device@) LCO 3.3.1 provides req.uirements for the individual measurement channels. These channels reactor trip encompass all equipment and electronics from the point at which tie component (RTC) measured parameter is sensed through the bistable relay contact In the trip string. LCO 3.3.2, "Reactor Protective System (RPS)Manual Reactor rip " LCO 3.3.3, "Reactor Protective System (RPS) - Re ctor -Yrip Mod/lle

_M

," and LCO 3.3.4, "tntrol Od Drive (CRD) Trip Devices," discuss the Reactor Trip remaining RPS elements.

Component (RTC)

The RPS instrumentation measures critical unit parameters and compares these to predetermined setpoints.

the setpoint is exceeded, a channel For Uniital wth the trip signal is generated. The generation of any two trip signals in any of the RPS digital upgrade four RPS channels will result in the trip of the reactor.

n pFoir Unit(s) wil the Control Rocy/Drive Control System (CRDCS) di itili For Unit(s) with the RPS digital upgrade complete, if the setpoint for a parameter input to a single channel (for example, the RC high pressure input to Channel A) is exceeded, a channel trip does not occur. Due to the inter-channel communication, all 4 RPS channels recognize that this parameter input has been exceeded for one channel.

However, due to the 2.MIN/2.MAX logic within the system, the same parameter input setpoint for one of the other three channels must be exceeded before channel trips occur. Again, due to the inter-channel communication, all 4 RPS channels will then trip since the 2.MIN/2.MAX condition has been satisfied.

upgrade not omplete, the Re ctor Trip System ( TS) contains mull ple neda th i

e Re te CRD trip d vices; two AC tri breakers, two DC rip breaker pairs, nd eight DR A

D d

b c

es tw n

bn electronic rip assembly (E relays. The sys em has two sepa.rýte paths f

c io Ily i :

s.

wo

.te y p t I

I ETA) re Fhe sys em I`

r (or chan els) with each p th having one AC reaker in seri w

a pair of 0

c uI ctic0 ach h ha

ý s

p t r i s0 DC bre kers and functio ally in series with f ur ETA relays in rallel.

ect i

AC reakE les w t 0vith f u r ETý E/achath provides ind t endent power to e CRDs. Either p th can

ýr f

ctio e C RD er p th g r ic C (rip prov e sufficient pow r to operate all CR s. Two separate ower paths to r

0a r

t the RDs ensure th a single failure th opens one path

'I not cause an I0 ic ffI p I

,\\,u anted reactor tr' t Fo/Unit(s) witVlhe CRD00 digital updrade corD'lete,1,*e RTS consists of four AC Trip Breakers arranged in two parallel combinations of two breakers each. Each path provides independent power to the CRD motors. Either path can provide sufficient power to operate all CRD's.

Two separate power paths to the CRD's ensure that a single failure that opens one path will not cause an unwanted reactor trip.

OCONEE UNITS 1, 2, & 3 B 3.3.1-2 BASES REVISION DATED 5/ 5/ 6

INSERT A FOR BASES 3.3.1 (page B 3.3.1-2)

For Unit(s) with the RPS digital upgrade complete, the RPS consists of four independent protective channels (A, B, C, and D). Each RPS protective channel contains the sensor input modules, a protec'tive channel computer, output modules, four hardwired (energized during power operations) reactor trip relays (RTRs) (A, B, C, and D) and their associated 120 VAC contacts (closed when RTR is energized). Protective channel A controls the channel A RTR and also controls the A RTR in channels B, C, and D. Likewise, channels B, C and D control the respective RTR in each of the four channels. Each energized RTR (A, B, C, and D) in each RPS channel A, B, C, and D maintains two closed 120 VAC contacts. One contact from each RTR is configured in two separate redundant output trip actuation logic schemes. Each output trip actuation logic scheme contains a contact from each of the four RTRs in the four channels. This configuration results in a two-out-of-four coincidence reactor trip logic. If any channel protective set initiates a trip signal, the respective four RTRs (one in each of the four channels) de-energize and open the respective contacts. The outputs from the RTR contacts interrupt the 120 VAC power to the CRD trip devices.

For Unit(s) with the RPS digital upgrade complete, three of the four RPS protective channel computers (A, B, and C) also perform a redundant Engineered Safeguards Protective System (ESPS) logic function. Therefore, three of the four RPS protective channels calculate both RPS and ESPS functions, and the fourth RPS channel D calculates only RPS functions. See Technical Specification Bases section B 3.3.5 for additional discussion of the ESPS protective channels and the duplicated ESPS functions performed by the RPS protective channels.

a reactor trip RPS Instrumentation module (RTM)

B 3.3.1 BASES BACKGROUND RPS Overview (continued)

For Unit(s) with the

{he RPS consists of four independent protective channels, each containing RPS digital upgrade RM. The RTM receives signals from its own measurement channels not complete, that indicate a protective channel trip is required. The RTM transmits this signal to its own two-out-of-four trip logic and to the two-out-of-four logic of the RTMs in the other three RPS channels. Whenever any two RPS channels transmit channel trip signals, the RTM logic in each channel actuates to remove 120 VAC power from its associated CRD trip device.

[For Unit(s) wth the CRDCS di ial upgrade not c plete, the rea tor is tripped by pening circuit bre ers and energizi g ETA relays t t interrupt the contr power supply to e CRDs. Six br kers are install d to increas reliability and all

/w testing of the tri system. A one ut-of-two taken ice logic is use to interrupt power o the rods.

For Unit(s) with the For J'nits(s) with Re CRDCS di ital upqrade/complete,ýe reactor is RPS digital upgrade tripped by opening the reactor trip breakers.

not complete, there are

""[Tl RPS/has hree bypasses: a shutdown bypass, a dummy bistable and an RPS channel bypas,* Shutdown bypass allows the withdrawal of safety r m a

rods for SDM availability and rapid negative reactivity insertion during unit (or manual bypass)

/

cooldowns or heatups. The dummy bistable is used to bypass one or more functions (bistable trips) associated with one RPS Channel. The RPS Channel bypass allows one entire RPS channel to be taken out of service for maintenance and testing. Test circuits in the trip strings allow complete INSERT testing of all RPS trip functions.

The RPS operates from the instrumentation channels discussed next. The specific relationship between measurement channels and protective channels differs from parameter to parameter. Three basic configurations are used:

a.

Four completely redundant measurements (e.g., reactor coolant flow) with one channel input to each protective channel;

b.

Four channels that provide similar, but not identical, measurements (e.g., power range nuclear instrumentation where each RPS channel monitors a different quadrant), with one channel input to each protective channel; and Jie C.

Redundant measurements with combinational trip logic 04e

ý j the protective channels and the combined output provided to each protective channel (e.g., main feedwater pump rip instrumentation).

Oturbines r OCONEE UNITS 1, 2, & 3 B 3.3.1-3 BASES REVISION DATED [(5/ 5/ 6

INSERT B FOR BASES 3.3.1 (page B 3.3.1-3)

For Unit(s) with the RPS digital upgrade complete, there are three bypasses: shutdown bypass, manual bypass, and channel trip function bypass. The shutdown bypass and the manual bypass are initiated by use of a keyswitch located in the respective RPS channel cabinet. The Shutdown bypass allows the withdrawal of safety rods for SDM availability and rapid negative reactivity insertion during unit cooldowns or heatups. The manual bypass allows putting a complete RPS channel into bypass for maintenance activities. This includes the planned power-down of the bypassed RPS channel computer. If the complete RPS channel is powered down, the manual bypass condition cannot be maintained. That RPS channel output signal goes to "trip" and the manual bypass Unit Statalarm window will not illuminate. The channel trip function bypass allows an individual channel trip function in any RPS channel to be bypassed through the use of the RPS screens of the Graphical Service Monitor (GSM). The GSM is located on the Service Unit.

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

These arrangements and the relationship of instrumentation channels to trip Functions are discussed next to assist in understanding the overall effect of instrumentation channel failure.

Power Ranae Nuclear Instrumentation Power Range Nuclear Instrumentation channels provide inputs to the following trip Functions:

1.

Nuclear Overpower

a.

Nuclear Overpower - High Setpoint;

b.

Nuclear Overpower-Low Setpoint;

7.

Reactor Coolant Pump to Power;

8.

Nuclear Overpower Flux/Flow Imbalance;

9.

Main Turbine Trip (Hydraulic Fluid Pressure); and Turbines

10.

Loss of Main Feedwater (LOMFW) PumiHydraulic Oil Pressure).

The power range instrumentation has four linear level channels, one for each core quadrant. Each channel feeds one RPS protective channel.

Each channel originates in a detector assembly containing two uncompensated ion chambers. The ion chambers are positioned to represent the top half and bottom half of the core. The individual currents from the chambers are fed to individual linear amplifiers. The summation of the top and bottom is the total reactor power. The difference of the top minus the bottom neutron signal is the measured AXIAL POWER IMBALANCE for the associated core quadrant.

OCONEE UNITS 1, 2, & 3 B 3.3.1-4 BASES REVISION DATED

RPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

Reactor Coolant System Outlet Temperature The Reactor Coolant System Outlet Temperature provides input to the following Functions:

2.

RCS High Outlet Temperature; and temperature detection

5.

RCS Variable Low Pressure.

The RCS Outlet Temperature is measured by two resistance elements in each hot leg, for a total of four. One temperature te ors associated with each protective channel.

detection element Reactor Coolant System Pressure The Reactor Coolant System Pressure provides input to the following Functions:

3.

RCS High Pressure;

4.

RCS Low Pressure;

5.

RCS Variable Low Pressure; and

11.

Shutdown Bypass RCS High Pressure.

The RPS inputs of reactor coolant pressure are provided by two pressure transmitters in each hot leg, for a total of four. One sensor is associated with each protective channel.

Reactor Building Pressure The Reactor Building Pressure measurements provide input only to the Reactor Building High Pressure trip, Function 6. There are four RB High Pressure sensors, one associated with each protective channel.

OCONEE UNITS 1, 2, & 3 B 3.3.1-5 BASES REVISION DATED 5/ 5/(6

RPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

Reactor Coolant Pump Power Monitorinlg Reactor coolant pump power monitors are inputs to the Reactor Coolant Pump to Power trip, Function 7. Each RCP,[o eratin cuirent, andkoltaqe e has a RCP Power Monitor (RCPPM),

which monitors the electrical pump and breaker status of each pump motor to determine if it is running. Each RCPPM provides inputs to all four RPS channels.

r is m asured y four 96rre t trans rmers a four pote ial transf mers dri yng four nderp wer elays.

ach po er monitori channel/onsists ofi arnder wer r.av

,n nl2nnel.fnr.ach numn sassociate with each Rlotectr chan0Sel.

F Reactor Coolant System Flow The Reactor Coolant System Flow measurements are an input to the Nuclear Overpower Flux/Flow Imbalance trip, Function 8. The reactor coolant flow inputs to the RPS are provided by eight high accuracy differential pressure transmitters, four on each loop, which measure flow through calibrated flow tubes. One flow input in each loop is associated with each protective channel.

Main Turbine{A omat/c Sto/Oil ressure t]

hydraulic fluid Main Turbin A oma c Sto/Oil ressure is an input to the Main Turbine Trip (Hydraulic Fluid Pressure) reactor trip, Function 9.

ach of the four protective channels receives turbine status information om one of the four pressure switches monitoring main turbine u ma ' sto oil ressure. An oo~en indication will be provided to the RPS on a turbine trip.

on ct (Vuff/er/ir ach protective channel continuously monitor he status of the contact inputs and initiat n RPS trip when a main urbine trip is indicated.

Es Turbine Feedwater Pu ydraulic Oil Pressure turbine Feedwater Pump ydraulic Oil Pressure is an input to the Los of Main Feedwater Pumps (Hydraulic Oil Pressure) trip, Function 10.

ydraulic Oil pressure is measured by four switches on each feedwater pump# One switch on each pump, con gc ted in -,ries wi switchdn thEoV r rVW

[*is associated with each protective channel.

Each RPS channel receives a contact input from both Feedwater Pump Turbines (A and B) Hydraulic Oil Pressure switches.

When the switches from both turbines indicate that the associated Turbine Hydraulic Oil Pressure is low (turbine has tripped), a reactor trip signal is initiated on that channel.

OCONEE UNITS 1, 2, & 3 B 3.3.1-6 BASES REVISION DATED 5/ 5/ 6

RPS Instrumentation B 3.3.1 BASES For Unit(s) with the RPS digital upgrade complete, the RPS is designed with three types of bypasses: shutdown bypass, manual bypass and channel trip BACKGROUND RPS Bypasses function bypass.

(cntnud)jhe RPS is designed with three types of bypasses: dummy bistable, For Unit(s) with the RPS channel bypass nd shutdown bypass.

digital upgrade not comdlete.

The du my bi table pr vides a ethod placin one or m /re functio s in

comolete, a ~RP~protec/tv~e char).nl in a ya c/conditio, the char /el bypas provi des a *ethod of placing ý11 Functi~ns in o/n RPS pro ective ch nnel. in (or anua bypss)a b ipasse0'cOnditiO, and s~dw *pass pr videsan/to fIevn th safety ods wit rawn doring coo own an depress uization of the FS. E'h bypass is discussed next.

(Not applicable to Unit(s) with RPS Dummy Bistable digital upgrade complete)

The dummy bistable is used to bypass one or more functions (bistable trips) associated with one RPS Channel. A dummy bistable is used if a parameter in an RPS channel fails and causes that channel to trip. Dummy bistables may be used in only one RPS channel at a time. Also, if an RPS channel is bypassed, no other RPS channel may contain a dummy bistable.

Inserting a dummy bistable in the place of a failed (tripped) bistable allows the RPS channels to be reset, thus allowing the remainder of the functions in that RPS channel to be returned to service. This is more conservative than manually bypassing the entire RPS channel. For an RPS channel with a dummy bistable installed, only the affected function(s) is inoperable. The installation of the STAR hardware in the nuclear overpower flux/flow imbalance trip string requires the use of jumpers to bypass the trip string.

The installation of these jumpers does not require the removal of the STAR processor module, therefore, the protective phannel is not forced into a tripped condition.

VJ (Not applicable to Unit(s) with RPS digital upgrade Channel Bypass 4-complete)

(or manual bypass)

I A channel bypassprovision is provided to allow for maintenance and testing of the RPS. The use of channel bypass keeps the protective channel trelay energized regardless of the status of the instrumentation channel t theJbistable relay contacts. To place a protective channel in channel bypass, the other three channels must not be in channel bypass or otherwise inoperable (e.g., a dummy bistable installed). This can be verified by observing alarms/indicator lights. This is administratively controlled by having only one manual bypass key available for each unit.

All RPS trips are reduced to a two-out-of-three logic in channel bypass.

OCONEE UNITS 1, 2, & 3 B 3.3.1-7 BASES REVISION DATED 15/(

RPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

Shutdown Bypass During unit cooldown and heatup, it is desirable to leave the safety rods at least partially withdrawn to provide shutdown capabilities in the event of unusual positive reactivity additions, (moderator dilution, etc.).

A shutdown bypass signal is provided by the operator from (or processor output trip signal for Unit(s) with the RPS digital upgrade complete)

I However, the unit is also depressurized as coolant temperature is decreased. If the safety rods are withdrawn and coolant pressure is decreased, an RCS Low Pressure trip will occur at 1800 psig and the rods will fall into the core. To avoid this, the protective system allows the operator to bypass the low pressure trip and maintain shutdown capabilities. During the cooldown and depressurization, the safety rods are inserted prior to the low pressure trip of 1800 psig. The RCS pressure is decreased to less than 1720 psig, then each RPS channel is placed in shutdown bypass.

Delete space In shutdonpv,,.,.

normal y ";osed/*

contact opens when th oper0ator eleses the shutdown bypass keswitch (status shall be indicated by a light). This action bypasses the RCS Low Pressure trip, Nuclear Overpower Flux/Flow Imbalance trip, Reactor Coolant Pump to Power trip, and the RCS Variable Low Pressure trip, and inserts a new RCS High ressure, 1720 psig trip. The operator can now withdraw the safety rods for a a idly insertable negative reactivity.

The insertion of the new high pre erforms two functions. First, with a trip setpoint of 1720 psig, the bistabl revents operation at normal system pressure, 2155 psig, with a portion of the RPS bypassed. The second function is to ensure that the bypass is removed prior to normal operation. When the RCS pressure is increased during a unit heatup, the safety rods are inserted prior to reaching 1720 psig. The shutdown bypass is removed, which returns the RPS to normal, and system pressure is increased to greater than 1800 psig. The safety rods are then withdrawn and remain at the full out condition for the rest of the heatup.

In addition to the Shutdown Bypass RCS High Pressure trip, the high flux trip setpoint is administratively reduced to _< 5% RTP prior to placing the RPS in shutdown bypass. This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows low power physics testing while preventing the generation of any significant amount of power.

For Unit(s) with the RPS digital upgrade not complete:

For Unit(s) with the RPS digital upgrade complete: In addition to the Shutdown Bypass RCS High Pressure trip, the High Flux Reactor Trip set point is automatically lowered to less than 5% when the operator closes the shutdown bypass keyswitch. This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows testing while preventing the generation of any significant amount of power.

INSERT C

IINSERT C OCONEE UNITS 1, 2, & 3 B 3.3.1-8 BASES REVISION DATED5*567]

INSERT C FOR BASES 3.3.1 (page B 3.3.1-8)

Manual Bypass (Applicable only to Unit(s) with RPS digital upgrade complete)

The RPS Manual Bypass allows putting the complete RPS channel into bypass for maintenance activities. Placing the RPS channel in bypass does not power-down the computer. If it is necessary to power-down the computer for one channel, the Manual Bypass keyswitch is used to keep the four RTRs associated with the respective channel energized while the channel computer is powered down.

The RPS Manual Bypass status information is sent to the Unit Statalarm panel (hardwired output of the RPS Channel computer and in parallel as a hardwired signal from a keyswitch contact in case the computer is powered down) and is sent to the plant Operator Aid Computer (OAC) via a gateway.

If the complete RPS cabinet is powered down, the Manual Bypass condition cannot be maintained. That RPS channel output signal goes to "trip" and the Manual Bypass Unit Statalarm window will not illuminate.

Channel Trip Function Bypass (Applicable only to Unit(s) with RPS digital upgrade complete)

An individual Channel Trip Function Bypass allows placing one trip function in bypass for maintenance activities through the RPS GSM screens. This allows the remaining trip functions in the channel to remain operable while the channel input device for the affected channel is inoperable. Operation to put functions in bypass is administratively controlled since there is no interlock to prevent placing functions in multiple channels in bypass.

Parameter Chanqe Enable Mode (Applicable only to Unit(s) with RPS digital upgrade complete)

Parameter Change Enable Mode allows each RPS instrument input channel processor to be placed in different operating modes through the use of the Parameter Change Enable keyswitches and commands from the Service Unit. Each protective channel has a keyswitch located in that channel's cabinet pair.

Placing RPS Channels A, B, or C in Parameter Change Enable Mode through the use of the "Parameter Change Enable" keyswitch will also place the corresponding ESPS Channels Al, B1 or C1 in Parameter Change Enable Mode.

When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:

The processors continue with normal operation.

A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.

INSERT C FOR BASES 3.3.1 (page B 3.3.1-8) (continued)

With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:

Normal Operation - with permissive for operating mode change.

" Parameterization - allows changes to specific parameters (example placing a parameter into a tripped condition or performing Reactor Trip Relay testing).

Function Test - for disabling the application function and forcing output signal for testing purposes (normally not used).

Diagnostics - for downloading new application software.

The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions. Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.

When a keyswitch is placed in the Parameter Change Enable Mode Position, the affected processor shall first be declared out of service. In addition to declaring the processor out of service (1) the affected RPS channel shall be bypassed and (2) either the affected ESPS input channel (Al, B1, or Cl) shall be tripped OR the ESPS Set 1 voters shall be placed in Bypass for the following activities:

Loading or revising the software in a processor.

Changing parameters via the RPS High Flux Trip (Variable Setpoint) screen at the Service Unit. Changing parameters via the RPS Flux/Flow/Imbalance Parameters screen at the Service Unit.

Only one RPS channel at a time is allowed to be placed into Parameter Change Enable Mode Position for these activities.

Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the Gateway.

RPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).

RPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

(Not applicable to Unit(s) with RPS Module Interlock and Test Trip Relay

digital upgrade complete)

Each channel and each trip module is capable of being individually tested.

When a module is placed into the test mode, it causes the test trip relay to open and to indicate an RPS channel trip. Under normal conditions, the channel to be tested is placed in bypass before a module is tested. Each trip module is electrically interlocked to the other three trip modules.

Removal of a trip module will indicate a tripped channel in the remaining trip modules.

(or CHANNEL CALIBRATION for Unit(s) with the RPS digital upgrade complete)

Trip Setpoints/Allowable Value (or processor out trip device for Uni with the RPS digit upgrade complete The Allowable Value and trip setpoint are based on the analytical limits stated in UFSAR, Chapter 15 (Ref. 2). The selection of the Allowable Value and associated trip setpoint is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 3), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are/

)ut conservative with respect to the analytical limits to account for all known t(s) uncertainties for each channel. The actual trip setpoint entered into the al bistable is more conservative thai that specified by the Allowable Value t account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. One examp!

~ ~

~-if wn the. gu.4.

,e illan^o

,.. c..........= A channel is n h f t.

t;l trip setpoint is not within its required Allowable Value.

All field sensors and signal processing equipment for these chann7s are assumed to operate within the allowances of these uncertainty gnitudes.

ut The trip setpoints are the nominal values at which the bistabl are set.

it(s)

Any bistable is considered to be proporly adjusted when th "as left" value al is within the band for CHANNEL CALIBRATION accuracy. A detailed description of the methodology used to determine the Allowable Value, trip setpoints, and associated uncertainties is provided irý Rpfer nce (or processor outp trip devices for Un with the RPS digit upgrade complete conjunction c

Setpoints in' cor an 'e with the Allowable Value ensure that the limits of Chapter 2.0, "Safety Limits," in the Technical Specifications are not violated during anticipated transients and that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the anticipated transient or accident and the equipment functions as designed. Note that in LCO 3.3.1 the Allowable Values listed in Table 3.3.1-1 for Functions 1 through 8 and 11 are the LSSS.

OCONEE UNITS 1, 2, & 3 B 3.3.1-9 BASES REVISION DATED[5//)

RPS Instrumentation B 3.3.1 BASES BACKGROUND Trip Setpoints/Allowable Value (continued)

For Unit(s) with

]--*ach channel can be tested online to verify that the setpoint accuracy is the RPS digital within the specified allowance requirements. Once a designated channel is upgrade not taken out of service for testing, a simulated signal is injected in place of the

complete, field instrument signal. Surveillances for the channels are specified in the SR section.

APPLICABLE Each of the analyzed accidents and transients that require a reactor trip to SAFETY ANALYSES, meet the acceptance criteria can be detected by one or more RPS LCO, and Functions. The accident analysis contained in the UFSAR, Chapter 15 APPLICABILITY (Ref. 2), takes credit for most RPS trip Functions. Functions not specifically For Unit(s) with the RPS credited in the accident analysis were qualitatively credited in the safety digital upgrade analysis and the NRC staff approved licensing basis for the unit. These r

complete, each channel Functions are high RB pressure, turbine trip, and loss of main feedwater.

is tested online by These Functions may provide protection for conditions that do not require manually retrieving the dynamic transient analysis to demonstrate Function performance. These software set point to Functions also serve as backups to Functions that were credited in the ensure it has been safety analysis.

entered correctly.

The LCO requires all instrumentation performing an RPS Function to be Signals into the system OPERABLE. Failure of any instrument renders the affected channel(s)

(from the field instrument or at the protective inoperable and reduces the reliability of the affected Functions. The three system cabinet) are channels of each Function in Table 3.3.1 - 1 of the RPS instrumentation applied during the shall be OPERABLE during its specified Applicability to ensure that a channel calibration to reactor trip will be actuated if needed. Additionally, during shutdown ensure that the bypass with any CRD trip breaker closed, the applicable RPS Functions instrumentation is within must also be available. This ensures the capability to trip the withdrawn the specified allowance CONTROL RODS exists at all times that rod motion is possible. The trip requirements.

Function channels specified in Table 3.3.1 - 1 are considered OPERABLE when all channel components necessary to provide a reactor trip are functional and in service for the required MODE or Other Specified Condition listed in Table 3.3.1-1.

(or CHANNEL Only the Allowable Values are specified for each RPS trip Function in the CALIBRATION for Unit(s)

LCO. Nominal trip setpoints are specified in the setpoint calculations. The with the RPS digital nominal setpoints are selected to ensure that the setpoint measured by upgrade complete)

-CHANNEL FUNCTIONAL TESTSVdoes not exceed the Allowable Valuef.J

{_the

_______e s__*__

A trip setpoint found less conservative than the nominal trip setpoint, but within its Allowable Value, is considered OPERABLE with respect to the uncertainty allowances assumed for the applicable surveillance interval provided that operation, testing and subsequent calibration are consistent with the assumptions of the setpoint calculations. Each Allowable Value specified is more OCONEE UNITS 1, 2, & 3 B 3.3.1-10 BASES REVISION DATED 5/ 5/ 6

RPS Instrumentation B 3.3.1 BASES APPLICABLE conservative than instrument uncertainties appropriate to the trip Function.

SAFETY ANALYSES, These uncertainties are defined in Reference 4.

LCO, and APPLICABILITY For most RPS Functions, the Allowable Value in conjunction with the (continued) nominal trip setpoint ensure that the departure from nucleate boiling (DNB),

center line fuel melt, or RCS pressure SLs are not challenged. Cycle specific values for use during operation are contained in the COLR.

Certain RPS trips function to indirectly protect the SLs by detecting specific conditions that do not immediately challenge SLs but will eventually lead to challenge if no action is taken. These trips function to minimize the unit transients caused by the specific conditions. The Allowable Value for these Functions is selected at the minimum deviation from normal values that will indicate the condition, without risking spurious trips due to normal fluctuations in the measured parameter.

The Allowable Values for bypass removal Functions are stated in the Applicable MODE or Other Specified Condition column of Table 3.3.1 - 1.

The safety analyses applicable to each RPS Function are discussed next.

1.

Nuclear Overpower

a.

Nuclear Overpower -

High Setpoint The Nuclear Overpower - High Setpoint trip provides protection for the design thermal overpower condition based on the measured out of core neutron leakage flux.

The Nuclear Overpower - High Setpoint trip initiates a reactor trip when the neutron power reaches a predefined setpoint at the design overpower limit. Because THERMAL POWER lags the neutron power, tripping when the neutron power reaches the design overpower will limit THERMAL POWER to prevent exceeding acceptable fuel damage limits.

Thus, the Nuclear Overpower - High Setpoint trip protects against violation of the DNBR and fuel centerline melt SLs.

However, the RCS Variable Low Pressure, and Nuclear Overpower Flux/Flow Imbalance, provide more direct protection. The role of the Nuclear Overpower - High Setpoint trip is to limit reactor THERMAL POWER below the highest power at which the other two trips are known to provide protection.

OCONEE UNITS 1, 2, & 3 B 3.3.1 -11 BASES REVISION DATED

/5673

RPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The Nuclear Overpower - High Setpoint trip also provides transient protection for rapid positive reactivity excursions during power operations. These events include the rod withdrawal accident and the rod ejection accident. By providing a trip during these events, the Nuclear Overpower -

High Setpoint trip protects the unit from excessive power levels and also serves to limit reactor power to prevent violation of the RCS pressure SL.

Rod withdrawal accident analyses cover a large spectrum of reactivity insertion rates (rod worths), which exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the high pressure trip provides primary protection.

b.

Nuclear Overpower - Low Setpoint Prior to initiating shutdown bypass, the Nuclear Overpower - Low Setpoint trip must be reduced to _< 5% RTP.

The low power setpoint, in conjunction with the lower Shutdown Bypass RCS High Pressure setpoint, ensure that the unit is protected from excessive power conditions when other RPS trips are bypassed.

The setpoint Allowable Value was chosen to be as low as practical and still lie within the range of the out of core instrumentation.

2.

RCS Higqh Outlet Temperature The RCS High Outlet Temperature trip, in conjunction with the RCS Low Pressure and RCS Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the reactor vessel outlet temperature approaches the conditions necessary for DNB. Portions of each RCS High Outlet Temperature trip channel are common with the RCS Variable Low Pressure trip. The RCS High Outlet Temperature trip provides steady state protection for the DNBR SL.

The RCS High Outlet Temperature trip limits the maximum RCS temperature to below the highest value for which DNB protection by the Variable Low Pressure trip is ensured. The trip setpoint OCONEE UNITS 1, 2, & 3 B83.3.1-12 BASES REVISION DATED

RPS Instrumentation B 3.3.1 BASES APPLICABLE

2.

RCS High Outlet Temperature (continued)

SAFETY ANALYSES, LCO, and Allowable Value is selected to ensure that a trip occurs before hot leg APPLICABILITY temperatures reach the point beyond which the RCS Low Pressure and Variable Low Pressure trips are analyzed. Above the high temperature trip, the variable low pressure trip need not provide protection, because the unit would have tripped already. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions that the equipment is expected to experience because the trip is not required to mitigate accidents that create harsh conditions in the RB.

3.

RCS High Pressure The RCS High Pressure trip works in conjunction with the pressurizer and main steam relief valves to prevent RCS overpressurization, thereby protecting the RCS High Pressure SL The RCS High Pressure trip has been credited in the transient analysis calculations for slow positive reactivity insertion transients (rod withdrawal transients and moderator dilution). The rod withdrawal transient covers a large spectrum of reactivity insertion rates and rod worths that exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower -

High Setpoint trip provides the primary protection. At low reactivity insertion rates, the RCS High Pressure trip provides the primary protection.

The setpoint Allowable Value is selected to ensure that the RCS High Pressure SL is not challenged during steady state operation or slow power increasing transients. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions because the equipment is not required to mitigate accidents that create harsh conditions in the RB.

4.

RCS Low Pressure The RCS Low Pressure trip, in conjunction with the RCS High Outlet Temperature and Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system pressure approaches the conditions necessary for DNB. The RCS Low Pressure trip provides DNB low pressure limit for the RCS Variable Low Pressure trip.

OCONEE UNITS 1, 2, & 3 B 3.3.1-13 BASES REVISION DATEC[I5/6

RPS Instrumentation B 3.3.1 BASES APPLICABLE

4.

RCS Low Pressure (continued)

SAFETY ANALYSES, LCO, and The RCS Low Pressure setpoint Allowable Value is selected to APPLICABILITY ensure that a reactor trip occurs before RCS pressure is reduced (continued) below the lowest point at which the RCS Variable Low Pressure trip is analyzed. The RCS Low Pressure trip provides protection for primary system depressurization events and has been credited in the accident analysis calculations for small break loss of coolant accidents (LOCAs). Harsh RB conditions created by small break LOCAs cannot affect performance of the RCS pressure sensors and transmitters within the time frame for a reactor trip. Therefore, degraded environmental conditions are not considered in the Allowable Value determination.

5.

RCS Variable Low Pressure The RCS Variable Low Pressure trip, in conjunction with the RCS High Outlet Temperature and RCS Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system parameters of pressure and temperature approach the conditions necessary for DNB. The RCS Variable Low Pressure trip provides a floating low. pressure trip based on the RCS High Outlet Temperature within the range specified by the RCS High Outlet Temperature and RCS Low Pressure trips.

The RCS Variable Low Pressure setpoint Allowable Value is selected to ensure that a trip occurs when temperature and pressure approach the conditions necessary for DNB while operating in a temperature pressure region constrained by the low pressure and high temperature trips. The RCS Variable Low Pressure trip is assumed for transient protection in the main steam line break analysis. The setpoint allowable value does not include errors induced by the harsh environment, because the trip actuates prior to the harsh environment.

6.

Reactor Building Hi-gh Pressure The Reactor Building High Pressure trip provides an early indication of a high energy line break (HELB) inside the RB. By detecting changes in the RB pressure, the RPS can provide a reactor trip before the other system parameters have varied significantly. Thus, this trip acts to minimize accident consequences. It also provides a backup for RPS trip instruments exposed to an RB HELB environment.

OCONEE UNITS 1, 2, & 3 B 3.3.1-14 BASES REVISION DATED

RPS Instrumentation B 3.3.1 BASES APPLICABLE

6.

Reactor Building High Pressure (continued)

SAFETY ANALYSES, LCO, and The Allowable Value for RB High Pressure trip is set at the lowest APPLICABILITY value consistent with avoiding spurious trips during normal operation.

(continued)

The electronic components of the RB High Pressure trip are located in an area that is not exposed to high temperature steam environments during HELB transients inside containment. The components are exposed to high radiation conditions. Therefore, the determination of the setpoint Allowable Value accounts for errors induced by the high radiation.

7.

Reactor Coolant Pump to Power Each reactor coolant pump has an RCPPM, which monitors the electrical power and breaker status of each pump motor to determine if the pump is running.

Each RCPPM provides inputs to all four RPS channels. The RCPPM will initiate a reactor trip if fewer than three reactor coolant pumps are operating and reactor power is greater than approximately 2% rated full power.

The Reactor Coolant Pump to Power trip provides protection for changes in the reactor coolant flow due to the loss of multiple RCPs.

Because the flow reduction lags loss of power indications due to the inertia of the RCPs, the trip initiates protective action earlier than a trip based on a measured flow signal.

The Reactor Coolant Pump to Power trip has been credited in the accident analysis calculations for the loss of more than two RCPs.

The Allowable Value for the Reactor Coolant Pump to Power trip setpoint is selected to prevent nom l*w r o rationn tnlps..s at lip. n.st three RCPs, are operating. RCI: statud is monitoled by power

/ j 4ransduce s on each puý p.These r/*laystindicate a loss n

an R1, on unde ower. Th

/drower s)ptpoint is s lected to r/elia blyPr on loss//f voltage to t~e RC's. N. ither the r actor pow r nor t~e pump/power setpoi* account for nstrument tion error cause by hars environment because th trip Funct n is not r quired 0 re ond to event that could c eate harsh nvironme ts aro nd the e,luipment.

/

//

8.

Nuclear Overpower Flux/Flow Imbalance The Nuclear Overpower Flux/Flow Imbalance trip provides steady state protection for the power imbalance SLs. A reactor trip is initiated prior to the core power, AXIAL POWER IMBALANCE, and reactor coolant flow conditions exceeding the DNB or fuel centerline temperature limits.

OCONEE UNITS 1, 2, & 3 B 3.3.1-15 BASES REVISION DATED 5/.5/ 6

RPS Instrumentation B 3.3.1 BASES APPLICABLE

8.

Nuclear Overpower Flux/Flow Imbalance (continued)

SAFETY ANALYSES, LCO, and This trip supplements the protection provided by the Reactor Coolant APPLICABILITY Pump to Power trip, through the power to flow ratio, for loss of reactor coolant flow events. The power to flow ratio provides direct protection for the DNBR SL for the loss of one or more RCPs and for locked RCP rotor accidents.

The power to flow ratio of the Nuclear Overpower Flux/Flow Imbalance trip also provides steady state protection to prevent reactor power from exceeding the allowable power when the primary system flow rate is less than full four pump flow. Thus, the power to flow ratio prevents overpower conditions similar to the Nuclear Overpower trip. This protection ensures that during reduced flow conditions the core power is maintained below that required to begin DNB.

The Allowable Value is selected to ensure that a trip occurs when the core power, axial power peaking, and reactor coolant flow conditions indicate an approach to DNB or fuel centerline temperature limits. By measuring reactor coolant flow and by tripping only when conditions approach an SL, the unit can operate with the loss of one pump from a four pump initial condition at power levels at least as low as approximately 80% RTP. The Allowable Value for the Function, including the upper limits of the Function are given in the unit COLR because the cycle specific core peaking changes affect the Allowable Value.

9.

Main Turbine Trip (Hydraulic Fluid Pressure)

The Main Turbine Trip Function trips the reactor when the main turbine is lost at high power levels. The Main Turbine Trip Function provides an early reactor trip in anticipation of the loss of heat sink associated with a turbine trip. The Main Turbine Trip Function was added to the B&W designed units in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. The trip lowers the probability of an RCS power operated relief valve (PORV) actuation for turbine trip cases. This trip is activated at higher power levels, thereby limiting the range through which the Integrated Control System must provide an automatic runback on a turbine trip.

Each of the four turbine hydraulic fluid pressure switches feeds one protective channel buff drs hat continuously monitor~he status of the contacts.

OCONEE UNITS 1, 2, & 3 B 3.3.1-16 BASES REVISION DATED

RPS Instrumentation B 3.3.1 BASES APPLICABLE

9.

Main Turbine Trip (Hydraulic Fluid Pressure) (continued)

SAFETY ANALYSES, LCO, and For the Main Turbine Trip (Hydraulic Fluid Pressure) bita le the APPLICABILITY Allowable Value of 800 psig is selected to provide a trip whenever (continued) main turbine hydraulic fluid pressure drops below the normal operating range. To ensure that the trip is enabled as required by the LCO, the reactor power bypass is set with an Allowable Value of 30% RTP. The turbine trip is not required to protect against events that can create a harsh environment in the turbine building.

Therefore, errors induced by harsh environments are not included in the determination of the setpoint Allowable Value.

10.

Loss of Main Feedwater Pumpse Hydraulic Oil Pressure) tul The Loss of Main Feedwater Pumps Hydraulic Oil Pressure) trip provides a reactor trip at high power levels when both MFW pumps are lost. The trip provides an early reactor trip in anticipation of the loss of heat sink associated with the LOMF. This trip was added in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. This trip provides a reactor trip at high power levels for a LOMF to minimize challenges to the PORV.

turbine For the feedwater pump~hydraulic oil pressure I

, the Allowable Value of 75 psig is selected to provide a trip whenever feedwater pump ydraulic oil pressure drops below the normal operating range. To ensure that the trip is enabled as required by the LCO, the reactor power bypass is set with an Allowable Value of 2% RTP. The Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors caused by harsh environments are not included in the determination of the setpoint Allowable Value.

11.

Shutdown Bypass RCS High Pressure The RPS Shutdown Bypass RCS High Pressure is provided to allow for withdrawing the CONTROL RODS prior to reaching the normal RCS Low Pressure trip setpoint. The shutdown bypass provides trip protection during deboration and RCS heatup by allowing the operator to at least partially withdraw the safety groups of CONTROL RODS. This makes their negative reactivity available to terminate inadvertent reactivity excursions. Use of the shutdown bypass trip OCONEE UNITS 1, 2, & 3 B 3.3.1-17 BASES REVISION DATED

/2/

RPS Instrumentation B 3.3.1 BASES APPLICABLE

11.

Shutdown Bypass RCS High Pressure (continued)

SAFETY ANALYSES, LCO, and requires that the neutron power trip setpoint be reduced to 5% of full APPLICABILITY power or less. The Shutdown Bypass RCS High Pressure trip forces a reactor trip to occur whenever the unit switches from power operation to shutdown bypass or vice versa. This ensures that the CONTROL RODS are all inserted before power operation can begin.

The operator is required to remove the shutdown bypass, reset the Nuclear Overpower - High Power trip setpoint, and again withdraw the safety group rods before proceeding with startup.

Accidents analyzed in the UFSAR, Chapter 15 (Ref. 2), do not describe events that occur during shutdown bypass operation, because the consequences of these events are enveloped by the events presented in the UFSAR.

During shutdown bypass operation with the Shutdown Bypass RCS High Pressure trip active with a setpoint of < 1720 psig and the Nuclear Overpower - Low Setpoint set at or below 5% RTP, the trips listed below can be bypassed. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low Setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

[

Nuclear Overpower - High Setpoint;

3.

RCS High Pressure;

4.

RCS Low Pressure;

5.

RCS Variable Low Pressure;

7.

Reactor Coolant Pump to Power; and

8.

Nuclear Overpower Flux/Flow Imbalance.

The Shutdown Bypass RCS High Pressure Function's Allowable Value is selected to ensure a trip occurs before producing THERMAL POWER.

OCONEE UNITS 1, 2, & 3 B 3.3.1-18 BASES REVISION DATED

/2/

RPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

General Discussion The RPS satisfies Criterion 3 of 10 CFR 50.36(Ref.

. In MODES 1 and 2, the following trips shall be OPERABLE because the reactor can be critical in these MODES. These trips are designed to take the reactor subcritical to maintain the SLs during anticipated transients and to assist the ESPS in providing acceptable consequences during accidents.

1 a.

Nuclear Overpower - High Setpoint;

2.

RCS High Outlet Temperature;

3.

RCS High Pressure;

4.

RCS Low Pressure;

5.

RCS Variable Low Pressure;

6.

Reactor Building High Pressure;

7.

Reactor Coolant Pump to Power; and 8..

8.

Nuclear Overpower Flux/Flow Imbalance.

Fu~nctions 3, 4, 5, 7, and 8 just listed may be bypassed in MODE 2 when RCS pressure is below 1720 psig, provided the Shutdown Bypass RCS High Pressure and the Nuclear Overpower - Low setpoint trip are placed in operation. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

The Main Turbine Trip (Hydraulic Fluid Pressure) Function is required to be Tur s REEABLE in MODE 1 at _> 30% RTP. The Loss of Main Feedwater Turbines j

Pumps Hydraulic Oil Pressure) Function is required to be OPERABLE in MODE 1 and in MODE 2 at > 2% RTP.

nases esent6 in BAW-1893 l(Re. 6) ha e shov"n that r operation below these power levels, these trips are not necessary to minimize challenges to the PORVs as required by NUREG-0737 (Ref. 5).

Because the safety function of the RPS is to trip the CONTROL RODS, the RPS is not required to be OPERABLE in MODE 3, 4, or 5 if either the reactor trip breakers are open, or the CRD System is incapable of rod withdrawal. Similarly, the RPS is not required to be OPERABLE in MODE 6 because the CONTROL RODS are normally decoupled from the CRDs.

OCONEE UNITS 1, 2, & 3 B 3.3.1-19 BASES REVISION DATED

/2/

RPS Instrumentation B 3.3.1 BASES APPLICABLE General Discussion (continued)

SAFETY ANALYSES, LCO, and However, in MODE 2, 3, 4, or 5, the Shutdown Bypass RCS High Pressure APPLICABILITY and Nuclear Overpower - Low setpoint trips are required to be OPERABLE (or processor output I

if the CRD trip breakers are closed and the CRD System is capable of rod trip signal for Unit(s) withdrawal. Under these conditions, the Shutdown Bypass RCS High with the RPS digital Pressure and Nuclear Overpower - Low setpoint trips are sufficient to upgrade complete) prevent an approach to conditions that could challenge SLs.

ACTIONS Conditions A and B are applicable to all RPS protective Functions. If a channel's trip setpoint is found nonconservative with respect to the required Alowable Value in Table 3.3.1-1, or the transmitter, instrument loop, signal For Unit(s) with the RPS processing electronics or bistabl

s found inoperable, the channel must be digital upgrade complete, declared inoperable and Condition A entered immediately.

placing the affected Function in trip places only the When an RPS channel is manually tripped, the functions that were affected Function in each inoperable prior to tripping remain inoperable. Other functions in the same channel in a one-out-of-two channel that were OPERABLE prior to tripping remain OPERABLE.

logic configuration. If the same function in another

[start new paragraph] For Unit(s) with channel exceeds the A..1 the RPS diaital uoarade not coml1ete.

setpoint, all channels will trip.

In this configuration, the For Required Action A.1, if one or more Functions in a required protective RPS can still perform its channel becoines inoperable, the affected protective channel must be safety functions in the placed in trip.,'ihis Required Action places all RPS Functions in a one-out-presence of a random failure of any single Channel. The 4 of-two logic configuration. The "non-required" channel is placed in bypass hour Completion Time is when the required inoperable channel is placed in trip to prevent bypass of justified based on the a second required channel. In this configuration, the RPS can still perform continuous monitoring and its safety functions in the presence of a random failure of any single signal validation being Channel. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is sufficient time to perform performed and is sufficient Required Action A.1.

time to place a Function in trip. If the individual Function cannot be placed in trip, the B._1 Operator can trip the affected channel with the use of the Required Action B.1 directs entry into the appropriate Condition referenced Manual Trip Keyswitch until in Table 3.3.1-1. The applicable Condition referenced in the table is can be placed in trip. This Function dependent. If the Required Action and the associated Completion places all RPS Functions in a Time of Condition A are not met or if more than two channels are one-out-of-two logic inoperable, Condition B is entered to provide for transfer to the appropriate subsequent Condition.

OCONEE UNITS 1, 2, & 3 B 3.3.1-20 BASES REVISION DATED

RPS Instrumentation B 3.3.1 BASES ACTIONS C.1 and C.2 (continued)

If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition C, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and to open all CRD trip breakers without challenging unit systems.

D.1I If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition D, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. To achieve this status, all CRD trip breakers must be opened. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to open CRD trip breakers without challenging unit systems.

E.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition E, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 30% RTP. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach 30% RTP from full power conditions in an orderly manner without challenging unit systems.

F.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition F, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 2% RTP. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach 2% RTP from full power conditions in an orderly manner without challenging unit systems.

OCONEE UNITS 1, 2, & 3 B3.3.1-21 BASES REVISION DATED

RPS Instrumentation B 3.3.1 BASES (continued)

SURVEILLANCE REQUIREMENTS The SRs for each RPS Function are identified by the SRs column of Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION testing.

The SRs are modified by a Note. The Note directs the reader to Table 3.3.1-1 to determine the correct SRs to perform for each RPS Function.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred.

CHANNEL CHECK is INSERT D normally a comparison of the parameter indicated on one channel to a (start new similar parameter on other channels. It is based on the assumption that paragraph instrument channels monitoring the same parameter should read after insert) approximately the same value. Significant deviations between two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

of performing a manual CHANNEL CHECK Agreement criteria are determined based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE.

If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction. Off scale low current loop channels are verified to be reading at the bottom of the range and not failed downscale.

The Frequenc, equivalent to once every shift, is based on operating experience that demonstrates channel failure is rare. Since the probability of two random failures in redundant channels in any 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal but more frequent checks of channel OPERABILITY during normal operational use of the displays associated with the LCO's required channels.

For Functions that trip on a combination of several measurements, such as the Nuclear Overpower Flux/Flow Imbalance Function, the CHANNEL CHECK must be performed on each input.

OCONEE UNITS 1, 2, & 3 B 3.3.1-22 BASES REVISION DATED

/2/

INSERT D FOR BASES 3.3.1 (page B 3.3.1-22)

For Unit(s) with the digital RPS complete, the CHANNEL CHECK requirement is met automatically. The digital RPS provides continuous online automatic monitoring of each of the input signals in each channel, performs signal online validation against required acceptance criteria, and provides hardware functional validation. If any protective channel input signal is identified to be in the failure status, this condition is alarmed on the Unit Statalarm and input to the plant OAC. Immediate notification of the failure status is provided to the Operations staff.

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.2 This SR is the performance of a heat balance calibration for the power range channels every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months when reactor power is > 15% RTP. The heat balance calibration consists of a comparison of the results of the calorimetric with the power range channel output. The outputs of the power range channels are normalized to the calorimetric. If the calorimetric exceeds the Nuclear Instrumentation System (NIS) channel output by _Ž 2%

RTP, the NIS is not declared inoperable but must be adjusted. If the NIS channel cannot be properly adjusted, the channel is declared inoperable. A Note clarifies that this Surveillance is required to be performed only if reactor power is > 15% RTP and that 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are less accurate.

The power range channel's output shall be adjusted consistent with the calorimetric results if the calorimetric exceeds the power range channel's output by _Ž 2% RTP. The value of 2% is adequate because this value is assumed in the safety analyses of UFSAR, Chapter 15 (Ref. 2). These checks and, if necessary, the adjustment of the power range channels ensure that channel accuracy is maintained within the analyzed error margins. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency is adequate, based on unit operating experience, which demonstrates the change in the difference between the power ranje indication and the calorimetric results rarely exceeds a small fraction of 2% in any 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period. Furthermore, the control room operators monitor redundant indications and alarms to detect deviations in channel outputs.

SR 3.3.1.3 A comparison of power range nuclear instrumentation channels against incore detectors shall be performed at a 31 day Frequency when reactor power is _> 15% RTP. A Note clarifies that 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed for performing the first Surveillance after reaching 15% RTP. If the absolute value of imbalance error is >_ 2% RTP, the power range channel is not inoperable, but an adjustment of the measured imbalance to agree with the incore measurements is necessary. The Imbalance error calculation is adjusted for conservatism by applying a correlation slope (CS) value to the error calculation formula. This ensure'that the value of the APIo is > API1.

The CS value is listed in the COLR and is cycle dependent. If the power range channel cannot be properly recalibrated, the channel is declared inoperable. The calculation of the Allowable Value envelope assumes a OCONEE UNITS 1, 2, & 3 B 3.3.1-23 BASES REVISION DATED I55//6

RPS Instrumentation B 3.3.1 BASES (continued)

SURVEILLANCE REQUIREMENTS SR 3.3.1.3 (continued) difference in out of core to incore measurements of 2.0%. Additional inaccuracies beyond those that are measured are also included in the setpoint envelope calculation. The 31 day Frequency is adequate, considering that long term drift of the excore linear amplifiers is small and burnup of the detectors is slow. Also, the excore readings are a strong function of the power produced in the peripheral fuel bundles, and do not represent an integrated reading across the core. The slow changes in neutron flux during the fuel cycle can also be detected at this interval.

The SR is modified by a Note indicating that it is not applicable to Unit(s) with the RPS digital SR 3.3.1.4 upgrade complete.

A CHANNEL FUNCTIONAL TEST is performed on each required RPS channel to ensure that the entire channel will perform the intended function.

Setpoints must be found within the Allowable Values specified in Table uncertainty 3.1-1. Any setpoint adjustment shall be consistent with the assumptions of the curren s poi t nalysis.

I INSERT E

-ý The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in BAW-1 0167 (Ref.

7).

6 The Frequency of 45 days on a TAGGERED TEST BASIS is consistent with the calculations of Reference that indicate the RPS retains a high level of reliability for this test interval.

S R 3.3. 1]*'

A Note to the Surveillance indicates that neutron detectors are excluded from CHANNEL CALIBRATION. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure virtually instantaneous response.

OCONEE UNITS 1, 2, & 3 B 3.3.1-24 BASES REVISION DATED

/2/

INSERT E FOR BASES 3.3.1 (page B 3.3.1-24)

SR 3.3.1.5 The SR is modified by a Note indicating that it is only applicable to Unit(s) with the RPS digital upgrade complete. This SR manually retrieves the software setpoints and verifies they are correct. The proper functioning of the processor portion of the channel is continuously checked by an automatic cyclic self monitoring. Verification of field instrument setpoints is not required by this surveillance. This surveillance does not apply to the Reactor Building Pressure Function because it consists of pressure switches which provide a contact status to the system and there is no software setpoint to verify.

The Frequency of 92 days is considered adequate since software is not subject to drift and the SR is only verifying that the setpoint was not incorrectly set.

SR 3.3.1.6 The SR is modified by a Note indicating that it is only applicable to Unit(s) with the RPS digital upgrade complete. This SR requires manual actuation of the output channel interposing relays to demonstrate OPERABILITY of the relays. The proper functioning of the processor portion of the channel is continuously checked by an automatic cyclic self monitoring.

The Frequency of 92 days is considered adequate based on operating experience that demonstrates the rarity of more than one channel's relay failing within the same interval.

(or processor output trip signal for Unit(s) with the RPS digital upgrade complete)

RPS Instrumentation B 3.3.1 W

BASES (continued)

SURVEILLANCE REQUIREMENTS INSERT F SR 3.3.1 (continued)

A CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that measurement errors nd bistableietpoint errors are within the assumptions of the setpoint anaIlA.

GHIAIEL CALBRATIO.NS mu-st be pe.'fGermed sensing element is replac d, the nex euiied CHANNEL CALIBRATION of the resistance temperat re detectors (RTD)sensors is accolihdb add an inplace cross calibratio that compares the other sensing elements witS-blank the recently installed sensi element.

space The Frequency is justified b the assumption of an 18 month calibration interval in the determination f the magnitude of equipment drift in the

[tpnai ysis.,

uncertainty REFERENCES 1

1.

UFSAR, Chapter 7.

2.

UFSAR, Chapter 15.

3.

10 CFR 50.49.

For Unit(s) with the digital upgrade complete, the 18 month calibration interval is also justified by the reliability of components whose failure modes are not automatically detected or indicated.

4.

EDM-1 02, "Instrument Setpoint/Uncertainty Calculations."

5.

NUREG-0737, "Clarification of TMI Action Plan Requirements,"

November 1979.

r L 6.

/'AW-1893 Basis for Faising Armi/g Threshod for Ant--c)ating j Reactor T/i n Turbiy~e Tri, Oc er 1985./

7 BAW-10167, May 1986.

10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.1-25 BASES REVISION DATED5/5/6111

INSERT F FOR BASES 3.3.1 (page B 3.3.1-25)

The 18 month frequency for the CHANNEL CALIBRATION is based on design capabilities and reliability of the digital RPS. Since the CHANNEL FUNCTIONAL TEST is a part of the CHANNEL CALIBRATION a separate SR is not required. The digital RPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The protection system also performs continuous online hardware monitoring. The CHANNEL CALIBRATION essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.

For Unit(s) with the RPS digital upgrade complete, the digital processors shall be rebooted as part of the calibration. This verifies that the software has not changed. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements.

This, in combination with ensuring the setpoints are entered into the software correctly per SR 3.3.1.5, verifies the setpoints are within the Allowable Values.

Note: To clearly differentiate text applicable only to Unit(s) with the RPS digital upgrade complete, the text applicable only to that design is led with a qualifier and italicized. Likewise, the text applicable only to Unit(s) that have not been upgraded is led with a qualifier and bolded. Otherwise, the text applies to both designs. [start new paragraph)

RTC Iý:J RPS - ok B 3.3.3 1 Reactor Trip Component (RTC)

B 3.3 INSTRUMENTATION

/

B 3.3.3 Reactor Protective System (RPS),

Start new paragraph

. i BASE BACK4 For Unit(s) digital upgra complete, th Reactor Trip (RTM)

S~

<GROUND

-The RPS consists off ur independent protection channels, each containing SFigure 7.1 UFSAR, Chapter 7 (Ref. l)_shows a typical RPS RTC protection channel and the relationship ofthF to the RPS instrumentation, manual trip, and CONTROL ROD drive (CRD) trip devices.

vith the RPS The RTPA receives bistable trip signals from the functions in its own channel and channel trip signals from the other three RPS - RTf~s. The ide not i RTM Viovides ese si als to itýown t0o-outof-four ip log, and e

..,RTC isan cha el trip sidnal I......

out-of-.1our IQ ic of s

Start ne, ModuleI L0.1 For Unit(s) with the RPS digital upgrade complete, the RTC is made up of two digital output modules and four Reactor Trip Relays (RTR) all contained within the respective RPS channel's cabinet.

The RTC receives a channel trip signal in its own channel and channel trip signals from the digital output modules in the other three RPS channels.

h echnver any two RPS channels transmit channel trip signals, the [

l]cpic in each channel actuates to remove.V120 VAC power from its assoc'.iate~d GRD [rip devices.

RTC For Units with the RPS dilital upqrade not complete, R

The RPS trip scheme consists of series contacts that are operated by bistab -e Vuring normal unit operations, all contacts are closed and the 816*_Jchannel trip relay remains energized. However, if any trip parameter exceeds its setpoint, its associated contact opens, which de-enerqizes the channel trip relay.

for Unit(s) with the RPS digital upgrade not complete or processor output

-trip devices for Unit(s) with the RPS digital upgrade complete.

When anF channel trip relay de-energizes, several ings occur:

a.

ach of the four (4) output logic relays "informs" its associated RPS channel that a reactor trip signal has occurred in the tripped RPS channel; b

The contacts in the trip device circuitry, powered by the tripped channel, open, but the trip device remains energized through the losed contacts trom tne otne

. (This condition exists in each SRP§ -ýg:p. Each RPS -

controls power to a trip device.);

nd RTC

c.

The contact in parallel with the channel reset switch opens and the

trip is sealed in. To re-energize the channel trip relay, the channel reset switch must be depressed after the trip condition has cleared.

When the second RPS channel senses a reactor trip condition, the output logic relays for the second channel de-energize and open contacts that supply power to the trip devices. With contacts opened by two separate RPS channels, power to the trip devices is interrupted and the CONTROL RODS fall into the core.

INSERT A OCONEE UNITS 1, 2, & 3 B 3.3.3-1 BASES REVISION DATED I

INSERT A FOR BASES 3.3.3 (page B 3.3.3-1)

For Units with the RPS digital upgrade complete, during normal unit operations, the digital output modules maintain the RTRs energized. However, if an RPS channel initiates a trip signal, the digital output modules in that RPS channel will de-energize the reactor trip relay in that RPS channel and the associated RTR in each of the other three RPS channels.

When an RPS channel provides a trip signal, the digital output modules in that RPS channel de-energize RTRs such that the following occurs:

a.

Each of the four (4) RTRs driven by that RPS channel's digital output modules "informs" its associated RPS channel that a reactor trip signal has occurred in the tripped RPS channel;

b.

The contacts in the trip device circuitry, powered by the tripped channel, open, but the trip device remains energized through the closed contacts from the RTRs of the other RTCs. (This condition exists in each RPS - RTC. Each RPS - RTC controls power to a trip device.)

When the second RPS channel senses a reactor trip condition, the RTRs driven by the digital output modules for the second channel de-energize and open contacts that supply power to the trip devices. With contacts opened by two separate RPS channels, power to the trip devices is interrupted and the CONTROL RODS fall into the core.

RPS RTC 3.3.3 S

BASES (continued)

(Start new BACKGROUND para.)

(continued)

For Unit(s) with the RPS digital upgrade not complete, RTC A minimum of two out of four T

must sense a trip condition to cause a reactor tri Isobecause the stable relay contacts for each function are in series with the channel trip relays, two channel trips caused by different trip functions can result in a reactor trip.

u APPLICABLE SAFETY ANALYSES Transient and accident analyses rely on a reactor trip for protection of reactor core integrity, reactor coolant pressure boundary integrity, and reactor building OPERABILITY. A reactor trip must occur when needed to prevent accident conditions from exceeding those calculated in the accident analyses. More detailed descriptions of the applicable accident analyses are found in the bases for each of the RPS trip Functions in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation."

(until the RTC is put in Manual Bypass for Unit(s) with RPS The

[

satisfy Criterion 3 of 10 CFR 50.36 (Ref. 2).

digital upgrade complete)

F kBLE. Failure of any LCO inoper An OPERABL1flJmust e able to receive and interpret trip signals from (itsp Nn and/ the OPER LE RPS channels and to open its associated trip device.

RTCs The re uirement f four I to be OPERABLE ensures that a minimum of two will remain OPERABLE if a single failure has occurred in one PT and if a secon T

is out of service. This two-out-of-four trip logic so ensures that a singl-ailure will not cause an unwanted reactor trip. Violation of this LCO could result in a trip signal not causing a reactor trip when needed.

APPLICABILITY TheT are required to be OPERABLE in MODES 1 and 2. They are soso required to be OPERABLE in MODES 3, 4, and 5 if any CRD trip breakers are in the closed position and the CRD System is capable of rod RT/s withdrawal. The s are designed to ensure a reactor trip would occur, if trneeded. This condition can exist in all of these MODES; therefore, the T

must be OPERABLE.

OCONEE UNITS 1, 2, & 3 B 3.3.3-2 BASES REVISION DATED I/04

INSERT B FOR BASES 3.3.3 (page B 3.3.3-2)

For Unit(s) with the RPS digital upgrade complete, because of the interchannel communication and 2.MiN/2.MAX (for analog inputs) and two-out-of-four (for binary inputs), an RPS channel will not provide a trip signal to its RTC until trip conditions are satisfied in at least two RPS channels for the same trip function.

For Unit(s) with the RPS digital upgrade complete, the contacts of the four reactor trip relays in each RPS Channel cabinet are wired in a two-out-of-four logic scheme. For Units with the RPS digital upgrade not complete, the contacts of the four output relays within an RTM are wired in a two-out-of-four logic scheme. The relays de-energize to de-energize the Control Rod Drive Breaker undervoltage circuit wired to that channel and cause the shunt trip coil monitoring the circuit to be energized. Either de-energizing the undervoltage circuit or energizing the shunt trip circuit trips the CRD breaker.

RPS -

RTC 3.3.3 BASES (continued)

ACTI(DNS RTC A.1.1, A.1.2, andA.2 I RTO

/ When an inoperable, the associated CRD trip breaker mustt placed in a condition that is equivalent to a tripped condition for theI Required Action A.1.1 or Required Action A.1.2 requires this either by tripping the CRD trio breaker or by removing Dower to the CRD trip device.

For Unit with the C trol Rod Dri Control Syst In (CRDCS) igital upgra not comple, tripping on RTM or remo ng power op ns one set

ko C:21-tr~nrlvi*

nr I IIIt W )

ith Ih *.Rn)C*

igtalijq

,,nn r-nmphe m,lt/

ripping on or removing power opens one of the CRD trip devices, which will result in the loss of one of the parallel power supplies te-the digital CRDCS. Power to hold CONTROL RODS in position is still provided' '

via the parallel ýRD triid evicels) (for Urns) hvitlqthe CRDOS digqit*

]

Supg/r,*de no tomplet(/ or]CRD power supply tfol/nit s) vMth the DC

[.d'i, jtal upg-(ade corn lete)J Therefore, a reactor trip will not occur until a second protection channel trips.

J-2o ýns-irehe ripsigal s rpose - inthQothr canijEF--euired Action A.2 requires that the inoperable T

be removed from the cabine.

This action causes the electrical interlocks to indicate a tripped channel in SRTCs the remaining threeFTWý. Operation in this condition is allowed indefinitely because the actions put the RPS into a one-out-of-three configuration. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is sufficient time to perform the B.1, B.2.1, and B.2.2 Condition B applies if two or more s are inoperable or if the Required Action and associated Completion 'ime of Condition A are not met in MODE 1, 2, or 3. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 with all CRD trip breakers open or with power from all CRD trip breakers removed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

-I Required Action A.2 is modified by a Note indicating that this action is not applicable to Unit(s) with the RPS digital upgrade complete. Physical removal of the inoperable RTC is not necessary as the trip signal is registered in the other channels by interchannel communications.

OCONEE UNITS 1, 2, & 3 B 3.3.3-3 SBASES REVISION DATED I

RPT -K33.

BASES ACTIONS (continued)

C.1 and C.2 RTCs Condition C applies if two or more s are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 4 or 5. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by opening all CRD trip breakers or removing power from all CRD trip breakers. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to open all CRD trip breakers or remove power from all CRD trip breakers without challenging unit systems.

SURVEILLANCE REQUIREMENTS SR 3.3.3.1 The SRs include performance of a CHANNEL FUNCTIONAL TEST eve 31 days. This test shall verify the OPERABILITY of the and its ability to receive and properly respond to channel trip and reactor trip signals. t The Frequency of 31 days is based on operating experience, which has TC demonstrated that failure of more than one channel of a given function in any 31 day interval is a rare event.

This t in i-..is normally performed on a rotational This testing

-'basis, with one being tested each week. Testing one ac W e reduces the likelihood of the same systematic test errors being introduced into each redundant RTM.

REFERENCES

1.

UFSAR, Chapter 7.

2.

10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.3-4 BASES REVISION DATED I

CRD Trip Devices B 3.3.4 B 3.3 INSTRUMENTATION B 3.3.4 Control Rod Drive (CRD) Trip Devices devices in the form of BASES I

BACKGROUND The Reactor Protect*v se (RPS) contains multiple CRVti,*

u~fuid c*ml~ cib d

tr,'p reaKers,/o 5 irip'bre 'er Iirs; *'

(t ele~r r i~ti

/se lly(iA) relay 'for Uni ~s) wit )the 91D/

/B rad not,mpl1 te. /ot rUni s) with e.CRD RTB u grad' nott lp~e hess)mh**to *eParate/paths (g chann/Is), vith e ch palhiwi ain* one C, br/akei inI ser' s with:

pair of *C breakers *nd fu/hctionallly seisfo ir ET/ relay 'in par lei. For Ynit(s) *ith tl CR /IDFTB.,

upfade Ubomplite, lhe sy'stem has two separate paths (or channels),wt each path having two AC breakers in series. In either case, each path provides independent power to the CRDs. Also, in either case, either path can provide sufficient power to operate the entire CRD System.

3,fpg/ad*'co~pLjteJ Figure 7.1, UFSAR, the confiauration of Reactor Protection-and their shunt (trip) coils are actuated by RPS channels A, B, C, and D, respectively trip the reactor, power to the CRDs must be removed. Loss of power causes the CRD mechanisms to release the CONTROL RODS, which then fall by gravity into the core.

Power to CRDs is supplied from two separate sources through the AC trip circuit breakers. eFlar anit eo) wtthranAsformer sp.FoUcpJte these breakers are designated A, B, C, and U4Itfh eir undervoltage (trip) coils are powered by RPS channels A, B, Q, and D,_respectjvely~qFof Unjt.(s) 1 w ith e C J?./R /T43 u p/ ade, ot c onf lete,,t:*

e b~r a er. r-d si nat, A B,

ajt /d t ber u pdervzfage tk coil-.6-pow-er-byZE*

h'n~

a/ nd 3,r.peci lv From the circuit breakers, the CRD power travetls through voltage regulators and stepdown transformers. Foýr(s OCONEE UNITS 1,2, & 3 B 3.3.4-1

[Am *dmen/tN/os. 34/,

343,,ý1*42 BASES REVISION DATED

CRD Trip Devices B 3.34 Supplies I

BASES BACKGROUND (continued)

Wthyihý C/k[,I/R/fB/uorýd9ýcg(mjýleyejýese devices in tur supply t

tu redundant bu feed the Single Rod Power (SRP ).

For ni s I

e D/

upgra e not c

plete, ese tu un nt se at d t DC

ýWer s pplie and he aux 0

r -qi innh __qs i

h the D/RT upgr e not omplet,the C power su lies r tify th Cinpu and pply wer to Id t safety ds in th ir full ithdr n posit n.

e oft redun nt p er sour es pplie phas the o er, ase ithepha being ergized i suffic nt to Id the r. T o bre ers are cat on the utput of e ch 0 er sup y. Eac brea er con ols half f the ower to wo of the our ety ro groups The nderv age tri coils n the circuit br akers the tput o ne the!

r es i controll by RPS annel The er tw rea rs ar ontroll by Sch el D.

F Unit(

with e CR /RTB grad not co lete, in a dition to e DC ower pplie the r unda buse also su ply power o the r ulating 1rd, SR d au dary p0 r su plies. T ese pow suppli contain sili n co rolled ctifier SC that ar gated o nd off t provide p

er t, and r me wer fm the ases of e CRD echanis s.

he g ing c trol si al fo es S s is sup ied thro gh the ci sed cont ct of e ET elay. Th ontacts e referr to as E ndF co actors, and con olled b e C and RPSannels r specti ly.

The lowin pplie to Unit with th RD/R upgrad not c plet The bre er and C break s are in eries in e oft pow su lies;

ereas, e redun nt AC eaker a DC b akers re in Sries i e oth power s ply to t CONT L RO S. T logic equir d to ca ea react r trip is t eopenin ofaci uit b ker eac of the r dundant ; wer su lies. (T pair o DC ci uit b akers he out t of the p wer suP ly are tr ted as ne br ker) his i own a a one-ou -of-two t en twic ogic.

e foil ing ampl illustra the oper tion of t ereactor rip circ brea rs.

.If the AC cir it break opens:

1 the in power associ ed D pow supply s lost, nd

2. th CR su ly from e ass ciate power urce i lost.

OCONEE UNITS 1,2, & 3 B 3.3.4-2

[ AmyrmentNos. 34/,343V,/&42 1' BASES REVISION DATED

CRD Trip Devices B 3.3.4 BASES BACKGROUND (continued)

b.

I the DC ircuit rea er(s) a d F cont ctors o en:

1. t eou utofthe pow rsupply'

lost, d

Z2.

he the F cont ctor op ns, SC gating owe is lo t.

(T 1r foUdwinfapp6s t nitý4 wirthte/5 R AT B~pcard'e cm

e: I Two AC breakers (A and C) are in series to feed one redundant train of the SRPS, whereas the other two series AC breakers (B and D) feed the other redundant train of the SRPS. The minimum required logic required to cause a reactor trip is the opening of a circuit breaker in each parallel path to the SRPS. This is known as a one-out-of-two taken twice logic. The following examples illustrate the operation of the reactor trip circuit breakers.

For Unit(s) with the RPS digital upgrade not

complete,

a.

If the A or C circuit breaker openj*nput power to one train of the SRPS's is lost.

RTCs

b.

If in addition, the B or D circuit breaker open in t power to the other train of the SRPS's is lost, which will resu in the dropping of all rods (except APSR's) into the core.

'-ý

/he logic developed within the RPS Reactor Trip Me*dues will result in all AC breakers tripping if any two RPS channels receive a trip signal.

For Unit(s) with the RPS digital upgrade complete, the reactor trip relays located in RPS Channel A cabinet provide the two-out-of-four relay logic to trip CRD breaker A, relays in RPS B cabinet trip CRD breaker B, relays in RPS C cabinet trip CRD breaker C, and relays in RPS D cabinet trip CRD breaker D. If two or more channels of RPS indicate a valid software trip logic condition (two-out-of-four), the binary outputs will de-energize the trip relays associated with those channels in all RPS cabinets, tripping all four CRD breakers resulting in a reactor trip.

I OCONEE UNITS 1, 2, & 3 B 3.3.4-3

{Am,e1fdmeny~io 3ýy4'$343,Zg 3421 BASES REVISION DATED

CRD Trip Devices B 3.3.4 BASES BACKGROUND contac in t e trip ogic f ea ch nei's r actor tri modu (RT )o n

(continued) causi g an nde ota eto ach ipbre er. All trip brea ers a d req a

tact rs o n, an power is remov d fro all RD m

hani in.

1 ro s fall to t e core esultin in a re ctor ip.

APPLICABLE Accident analyses rely on a reactor trip for protection of reactor core SAFETY ANALYSES integrity, reactor coolant pressure boundary integrity, and reactor building OPERABILITY. A reactor trip must occur when needed to prevent accident consequences from exceeding those calculated in the accident analyses. The CONTROL ROD position limits ensure that adequate rod worth is available upon reactor trip to shut down the reactor to the required SDM. Further,, OPERABILITY of the CRD trip devices ensures that all CONTROL RODS will trip when required. More detailed descriptions of the applicable accident analyses are found in the Bases for each of the individual RPS trip Functions in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation."

The CRD trip devices satisfy Criterion 3 of CFR 50.36 (Ref. 2).

LCO The LCO requires all of the specified CRD trip devices to be OPERABLE.

Failure of any required CRD trip device renders a portion of the RPS inoperable and reduces the reliability of the affected Functions. Without reliable CRD reactor trip circuit breakers and associated support circuitry, a reactor trip may not reliably occur when initiated either automatically or manually.

All required CRD trip devices shall be OPERABLE to ensure that the reactor remains capable of being tripped any time it is critical.

OPERABILITY is defined as the CRD trip device being able to receive a reactor trip signal and to respond to this trip signal by interrupting power to the CRDs. Both of the CRD trip breaker's diverse trip devices and the breaker itself must be functioning properly for the breaker to be OPERABLE.

For Uni s) w' th CR RTB pgr de not omplete, both A r ays associ ted ith e ch o the t ree r/gulati g rod gr ps an the o

A relay ass ciate wit the xili pow supply ust b OP AB to sati'fy th LC

. Th ET relay asso atedwit theA SIR wer upply OCONEE UNITS 1,2, & 3 B 3.3.4-4 r Am/emenA'os. 3/fK343,/3421 3

I BASES REVISION DATED

CRD Trip Devices B 3.3.4 BASES LCO ar notr quir to *OP RA E be use th ePSR are t d igned (continued) fall'i to te co up in* tion/oa reacto rip.

Requiring all breakers ard F1T/*re s fo rt(sYv0 t15e LII Wpg'a gLt't,,0MVle't0)l to be OPERABLE ensures that at least one device in each of the two power paths to the CRDs will remain OPERABLE even with a single failure.

APPLICABILITY The CRD trip devices shall be OPERABLE in MODES 1 and 2, and in MODES 3, 4, and 5 when any CRD trip breaker is in the closed position and the CRD System is capable of rod withdrawal.

The CRD trip devices are designed to ensure that a reactor trip would occur if needed. Since this condition can exist in all of these MODES, the CRD trip devices shall be OPERABLE.

ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each CRD trip device.

A.1 and A.2 Condition A represents reduced redundancy in the CRD trip Function.

[/1 Inifs~im ti' b

IVIT.*,,*rg!Ar. nv~nIP4p ICondition A applies wh Sone diverse trip Function (undervoltage or shunt trip device) is inoperable in one or more CRD trip breaker(s).

For Unit ) wit the RD/ TB gra e not c mplete, onditi A a plie when:

/One iver e tri Fun ion ( nderv tage or s unt tri devi e) is o

inerabl in o e or ore RD tri breake s) or b eake pair; or 0 eOdi rse p F ctio is ino rable inn oth D trip reak rs soci ted ith o e pro ective hannel.

n this se, e inn perable

/ p F ctio doe not eed to e the saie for oth b eake s.

If,,on,f the diverse tron F,nti,,nc* orn 2r C')

"P k

hrehkerft i ir irl Ui~t swi thýCD B

dn co pl e)bebitprb actions must be taken to preclude the inoperable CRD trip device from preventing a reactor trip when needed. This is done by manually tripping OCONEE UNITS 1, 2, & 3 B 3.3.4-5 Am/"/dmen/ios. 3/41( 343,X42] I BASES REVISION DATED

CRD Trip Devices B 3.3.4 BASES ACTIONS A.1 and A.2 (continued) the inoperable CRD trip breaker or by removing power from the inoperable CRD trip breaker. Either of these actions places the affected CRDs in a one-out-of-two trip configuration, which precludes a single failure from preventing a reactor trip. The 48 hour5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months Completion Time has been shown to be acceptable through operating experience.

B.1 and B.2 Condition B represents a loss of redundancy for the CRD trip Function.

Condition B applies when both diverse trip Functions are inoperable in one r-or more trip breaker(s )

a r air or n s i

Required Action B.1 and Required Action B.2 are the same as Required Action A.1 and Required Action A.2, but the Completion Time is shortened.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time allowed to trip or remove power from the CRD trip breaker allows the operator to take all the appropriate actions for the inoperable breaker and still ensures that the risk involved is acceptable.

d*

C..

C C.2.1, and C.2.2 or V

Required Action and associated Completion Time of Condition B

rnot met in MODE 1, 2, or 3, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 3, with all CRD trip breakers open or with power from all CRD trip breakers removed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Time OCONEE UNITS 1,2, & 3 B 3.3.4-6 L

Am 34 343 3 4 2 j 3

I BASES REVISION DATED

CRD Trip Devices B 3.3.4 BASES (continued)

ACTIONS of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

// /]*---LD_.landD.2r With the Required Action and associated Com~pletion Time of Condition Ae.

B--T-Inot met in MODE 4 or 5, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, all CRD trip breakers must be opened or power from all CRD trip breakers removed within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to open all CRD trip breakers or remove power from all CRD trip breakers without challenging unit systems.

SURVEILLANCE SR 3.3.4.1 REQUIREMENTS SR 3.3.4.1 is to perform a CHANNEL FUNCTIONAL TEST every 31 days.

This test verifies the OPERABILITY of the trip devices by actuation of the end devices. Also, this test independently verifies the undervoltage and shunt trip mechanisms of the trip breakers. The Frequency of 31 days is based on operating experience, which has demonstrated that failure of more than one channel of a given function in any 31 day interval is a rare event.

REFERENCES

1.

UFSAR, Chapter 7.

2.

10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.4-7

[

Ame/dment$Aos. 34, 343,X342 I I BASES REVISION DATED y

ESP g Instrumentation B 3.3.5 B 3,3 INSTRUMENTATION B 3,3.5 Engineered Safeguards Protective System (ESPS) al g Instrumentation BASES BACKGROUND Note: To clearly differentiate text applicable only to Unit(s) with the ESPS digital upgrade complete, the text applicable only to that design is led with a qualifier and italicized.

Likewise, the text applicable only to Unit(s) that have not been upgraded is led with a qualifier and bolded. Otherwise, the text applies to The ESPS initiates necessary safety systems, based on the values of selected unit Parameters, to protect against violating core design limits and to mitigate accidents.

ESPS actuates the following systems:

0 High~lessureAjection (HPI);

0 Low 0ressureAjection (LPI);

0 Reactor,uilding (RB) cooling; RB Spray; a

RB Isolation; and Keowee Hydro Unit Emergency Start.

both design I.

The ESPS operates in a distributed manner to initiate the appropriate systems. The ESPS does this by determining the need for actuation in each of three gchannels monitoring each actuation Parameter. Once the need for actuation is determined, the condition is transmitted to I automatic actuationogic channels, which perform the two-out-of-three logic to determine the actuation of each end device. Each end device has its own automatic actuation logic, although all dig@TJomatic actuation logic channels take their signals from the same bistable in ea h channel for each I

O~tD~t Parameter.

(or processor output trip Four Parameters are used for actuation:

device for Unit(s) with the ESPS digital upgrade Low Reactor Coolant System (RCS) Pressure; complete)

Low Low RCS Pressure; High RB Pressure; and High High RB Pressure.

OCONEE UNITS 1, 2, & 3 B 3.3.5-1 I BASES REVISION DATED Amjidment NO. 338, 339X339 J

(or voter input for Unit(s) with the ESPS digital upgrade complete)

ESPS al g Instrumentation (or processor output trip devices for Unit(s)

Input 'B

.3.

BASES with the ESPS digital upgrade complete) inp~ut BACKGROUND \\LCO 3.3.5 covers only the

rchannels that measure (continued) these Parameters. These channels include all intervening equipment I

necessary to produce actuation before the measured process Parameter exceeds the limits assumed by the accident analysis. This includes sensors, bistable devicest operational bypass circuitry, and output relay LCO 3.3.6, "Engineered Safeguards Protective System (ESPS) Manual Initiation"."and LCO 3.3.7, "Engineered Safe uards Protective System output (ESPS Automatic Actuation L-ogic Channels,'!provide requirements on the man andgEJa tomatic actuatioo logic Functions.

h cSPS con ains ree 11 g

nels. Each al g channel provides If an input For Unit*s) input t gi I logic channels at-I't initiate ea ipment with a two-out-of-three channel with the ESPS o

ii l1aic-channel. Each agchannel includes inputs setpoint is digital upgrade from one a al

s*trumentation channel of Low RCS Pressure, ow Low

exceeded, not complete, RCS Pressure, Hich RB Pressure, and High High RB Pressure.

gi I an input tomatic actuationlogic channels combine the three a

el tri s trip signal to actuate the individual Engineered Safeguards (ES) components needed s

to initiate each ES S stem. Figure 7.5 UFSAR, Chapter 7 (Ref. 1),

generated.

automatic actuation illustrates how a al.q strumentation hannel trips combine to cause outputa-c cig a logic channel trips.

f INSERT A n

"I-The following matrix identifies the al g instrumentation (measurement) cchannels and thet utomatic Actuatio ogic Channels actuated by each.

Output

-61 Actuated RCS RCS RB RB Logic Channels Systems/

PRESS PRESS PRESS PRESS Functions LOW LOW HIGH HIGH LOW HIGH 1 and 2 HPI and RB Non-Essential x

x Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input 3and4 LPntB se a1 x

x I,.soloon/

5 and 6 RB Cooling and RB x

Essential isolation 7 and 8 RB Spray x

The ES equipment is generally divided between the two redundant iactuationogic channels. The division of the equipment between the two output C ý Iactuatior logic channels is based on the equipment redundancy and OCONEE UNITS 1, 2, & 3 B 3.3.5-2 A m d,'ment N

. 338, 339, 339 I BASES REVISION DATED K

INSERT A for B 3.3.5 (page B 3.3.5-2)

For Unit(s) with the ESPS digital upgrade complete, there are three input channels. The ESPS Protective Channels A, B and C are made up of two independent subsystems - one subsystem is installed in the ESPS cabinets and is designated A2, B2, and C2. The other independent and redundant subsystem is installed in the RPS cabinets and is designated Al, B1, and C1. This subsystem uses the RPS protective channels (A, B, and C) computers. The ESPS input signals are not redundant for the two subsystems. The same analog input signals are fed to ESPS subsystems 1 and 2. The ESPS subsystems are fully redundant with the exception of the shared analog inputs. Each of these two independent ESPS subsystems is fully capable of performing all required protective actions.

The three ESPS channel computers in each subsystem are interconnected via fiber optic data links, in a way that enables the exchange of data and signal online validation, before the calculation of trip functions. If the setpoint for a single input channel (for example, the RB High pressure input to Channel A) is exceeded, a channel trip statalarm is actuated but a channel trip signal is not sent to the automatic actuation output logic channel. Since the two ES subsystems share inputs, this condition will be sensed by both Channel Al and A2. Also, due to the inter-channel communication, all 3 ES channels in each subsystem recognize that this input channel setpoint has been exceeded for one channel. However, due to the 2.MAX/2.MIN logic within the system, the same input channel setpoint for one of the other three channels must be exceeded before channel trip signals are sent to the automatic actuation output logic channels. Again, due to the inter-channel communication, all 3 ES channels will then generate trip signals since the 2.MAX/2.MIN condition has been satisfied. The ESPS output actuation signals are sent from ESPS protective channels A, B and C to the ESPS actuation computers (Voters) via fiber optic data links. Figure 7.5 UFSAR, Chapter 7 (Ref. 1), illustrates how input instrumentation channel trips combine to cause automatic actuation output logic channel trips.

ESPS *'Ij*1nstrumentation B 3.3.5 BASES n u BACKGROUND function and is accomplished in such a manner that the failure of one of the (continued) i actuation ogic channels and the related safeguards equipment will

Z not inhibit the overall ES Functions. Redundant ES pumps are controlled output from separate and independent @

ctuationiogic channels with s

exceptio HPI B pump which is actuated by bot 4

(The actuation of ES equipment is also available by manual actuation Is I

switches located on the control room console Fr/(Skan-lI The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically the loss of coolant accident (LOCA) and main steam line break (MSLB) events. The ESPS relies on the OPERABILITY of the automatic actuatioynlogic for each component to perform the actuation of the selected" ystems of LCO 3.3.7.

output Engineered Safeguards Protective System Bypasses input parameters No provisions are made for maintenance bypas n f ESPS instrumentation channels. Operational bypass of certain ýlnn Is is necessarto allo accident recovery actions to continue and, for some nn§sto allow unit shutdown without spurious ESPS actuation.

design The ESPS RCS pressure instrumentation channelf Inclue permi sive bi ables/'ha allo Aanual Vypass when reactor pressure is below the psoin at w ich the low and low low pressure trips are required to be OPERABLE. Once permissive conditions are sensed, the RCS pressure trips may be manually bypassed. Bypasses are automatically removed when bypass permissive conditions are exceeded. This bypass provides an operational provision only outside the Applicability for this parameter, and provides no safety function.

NSERT B

-J Reactor Coolant System Pressure I I The RCS pressure is monitored by three independent pressure transmitters provide inputs located in the RB. These transmitters are separate from the transmitters to tha e l

the Reactor Protective System (RPS). F_,'ch of tk/e res re si n en ted b ese tra mitters imoni red b our bist4 bles k provide two trip signals, at _> 1590 psig and > 500 psig, and two bypass permissive signals, at < 1750 psig and < 900 psig.

nates in an input isolation individually isolated output ure signals generated by these The output of each transmitter termi module in the ESPS, which provides pressure signals. Each of the pressu transmitters is monitored by four bistables (or two independent digital processing systems, with three ESPS input logic channels and three RPS/ESPS input logic channels for Unit(s) with the ESPS diaital uoarade comolete)

OCONEE UNITS 1, 2, & 3 B 3.3.5-3

[Ampridment Nos%"300, 300,X'300 I BASES REVISION DATED

INSERT B for B 3.3.5 (page B 3.3.5-3)

For Unit(s) with the ESPS digital upgrade complete, there are duplicated ESPS channels and Voters. In subsystem 1, channels Al, B1, and C1 provide the input to Voter 1 Odd and Voter 1 Even. In subsystem 2, channels A2, B2, and C2 provide input to Voter 2 Odd and Voter 2 Even.

Either subsystem provides the full complement of Voters. This allows for a Manual (maintenance) Bypass of one complete subsystem, or portion of a subsystem, without entering into an LCO Condition.

Parameter Change Enable Mode (applicable only to Unit(s) with ESPS digital upgrade complete)

The ESPS Instrument Input Channel A2, B2, and C2 processors can each be placed in different operating modes through the use of the "Parameter Change Enable" keyswitches and commands from the Service Unit. Each protective channel A2, B2,and C2 has a keyswitch located in that channel's cabinet pair.

Placing ESPS Channels Al, B1 or C1 in Parameter Change Enable Mode through the use of the "Parameter Change Enable" keyswitch located in the corresponding RPS cabinet will also place the corresponding RPS Channels A, B, or C in Parameter Change Enable Mode.

When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:

The processors continue with normal operation.

A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.

INSERT B for B 3.3.5 (page B 3.3.5-3)(continued)

With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:

Normal Operation - with permissive for operating mode change.

Parameterization - allows changes to specific parameters (example placing a parameter into a tripped condition or performing Go/NoGo testing).

Function Test - for disabling the application function and forcing output signal for testing purposes (normally not used).

Diagnostics - for downloading new application software.

The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions. Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.

When a keyswitch is placed in the Parameter Change Enable Mode Position, the affected processor shall first be declared out of service. In addition to declaring the processor out of service, when loading or revising software in a processor, the affected ESPS input shall be tripped OR the associated ESPS voters shall be placed in Bypass. If this activity is being performed on an ES Input Channel in subsystem 1, the associated RPS channel shall also be placed in manual bypass. Only one ESPS channel at a time is allowed to be placed into Parameter Change Enable Mode Position for software loading/revision.

Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the Gateway.

ESPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).

For Unit(s) with the ESPS digital upgrade not complete, there are three independent RB pressure transmitters. The output of each transmitter terminates in an input isolation module in the ESPS, which provides individually isolated output pressure signals. One isolated output of each pressure measurement goes to the unit computer for monitoring RB Pressure.

ESPS *--**1Jnstrumentation I

pu B 3.

3.5 BACKGROUND

Reactor Coolant System Pressure (continued)

For Unit(s) with the he outputs of the three bistables, associated with the low RCS pressuref{7j ESPS digital upgrade 1590 psigi trip drive relays in two sets of identical and independent not complete

.channels. These two sets of HPI channels each use a two-out-of-three coincidence network for HPI Actuation. The outputs of the three bistables associated with the Low Low RCS Pressure 500 psig trip drive relays in two sets of identical and independent channels. These two sets of LPI channels each use a two-out-of-three coincidence networkefor LPI Actuation."'The *utputs of the ree Low Lo**RCS PressuY6eIbistables7 al Io i tril he dr te r/elays in the c~oesponding Hc1 Actuation annel as/

LPi evio u s Id es cri be d.

INSERT C Reactor Building Pressure here a three React r Building pr ssure sensory The output each enso terminates in n input isola on amplifier, ýhich provides ndividually sol ed out uts.

e isolated ou ut of each pr)6ssure measu /ement goesI INSERT D to fie unit compubr for monitoriyg.j One output of each pressure measurement goes to a bistable which initiates action when its high building I

.trip point is exceeded. Each input isolation amplifier module RB contains an analog meter for indicating the measured pressure. Each of the three bistables has contact outputs that are combined in series with the

\\

output of the High an{: Lo/Pressu/e InjectioX/Systeq §listables as

'* ~~previously described.

P t

The outputs pfhe three bistab s are brought together in two identic/al"two--

out-of-thr Tecoincidence Iogi* which provide ty/

ESPS channes/Ete of the t 6channels is ind /endently capable7 f initiating the requred prot;'tive action..

1 One two-out-of-three network actuates Channel 7 and the other two-out-of-three network actuates Channel 8.

The ESPS hannels of the Re/ctor/Buildgpray System are formed by two i nti al two-out-of-three qloic networks with the active e emen s originating in six[P actoiBuiing ressure sensing pressure switches.--

h.fhree ndeperent pre sure s itches co/taining n rmally o en cont cts7 fom/ ne proective cl nnel* two-out- -three log"c inputs. Three o er/

de tical pressure s tches rom the two-out-of-t ree loai inputs of the

[scon prtctive O_(annel/ Either of the two{ prpect~e chpfinnErsjis capable of initiating the required protective action.

networks OCONEE UNITS 1, 2, & 3 B 3.3.5-4 (Am~~Imn NoX300, 300X,300I BASES REVISION DATED

INSERT C for B 3.3.5 (page B 3.3.5-4)

For Unit(s) with the ESPS digital upgrade complete, the outputs of the three logic processor channels in each of the two processing subsystems (ESPS and RPS/ESPS) generate an output trip signal to its associated independent actuation train Voters (Odd and Even) when the second minimum pressure signal of any of the three input channels falls below the Low RCS pressure setpoint. This will initiate an actuation of the Voter Output Channels 1 and 2 (HPI Actuation).

The outputs of the input logic processors in each processing system also generate an output trip signal to its associated independent actuation train Voters (Odd and Even) when the second minimum pressure signal of the three input channels falls below the Low Low RCS pressure setpoint. This will initiate an actuation of the Voter Output Channels 3 and 4 (LPI Actuation).

INSERT D for B 3.3.5 (page B 3.3.5-4)

For Unit(s) with the ESPS digital upgrade complete, there are three independent RB pressure transmitters. The outputs of the three logic processor channels in each of the two processing subsystems (ESPS and RPS/ESPS) generate an output trip signal to its associated independent actuation train Voters (Odd and Even) when the second maximum pressure signal of any of the three input channels increases above the High RB pressure setpoint. This will initiate an actuation of Voter Output Channels 5 and 6 (RB Cooling Actuation and RB Essential Isolation).

The outputs of the three high RB pressure processor output trip devices also trip Voter Output Channels 1, 2, 3 and 4 to initiate HPI and LPI.

S(or processor output trip devices j....*

ESPS Iutnstrumentation for Unit(s) with the ESPS digital B 3.3.5 upgrade complete)

Inp BASES BACKGROUND TrpStonsand Allowable Values (continued)

Trip setpoints are the nominal value at which the bistables re set. Any (or processor bistabi is considered to be properly adjusted when the "as left" value is output trip within the band for CHANNEL CALIBRATION accuracy.

device for Unit(s) with the The trip setpoints used in the bistables are selected such that adequate ESPS digital protection is provided when all sensor and processing time delays are upgrade taken into account. To allow for calibration tolerances, instrumentation complete) uncertainties, instrument drift, and severe environment induced errors for those ESPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 2), the Allowable Values specified in Table 3.3.5-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints and associated uncertainties is Ii provided injý Reference 3. The actual nominal trip setpoint entered into (or CHANNEL the bistabl is more conservative than that specified by the Allowable CALIBRATION for Unit(s)

Value to adcount tor changes in random measurement errors detectable (or with the ESPS digital by a CHANNEL FUNCTIONAL TES. A channel is inoperable if its actual processor upgrade complete) trip setpoint is not within its required Allowable Value.

output trip devices Setpoints, in accordance with the Allowable Values, ensure that the for Unit(s) consequences of accidents will be acceptable, providing the unit is with the operated from within the LCOs at the onset of the accident and the ESPS For Unit(s) with the equipment functions as designed.

digital ESPS digital upgrade is upgrade not complete, 9'ach channel aiirtested online to verify that the setpoint accuracy is complete) within the specified allowance requirements. Once a designated channc INSERT Dis taken out of service for testing, a simulated signal may be injected in place of the field instrument signal.

APPLICABLE The following ESPS Functions have been assumed within the accident SAFETY ANALYSES analyses.

High Pressure Injection The ESPS actuation of HPI has been assumed for core cooling in the LOCA analysis and is credited with boron addition in the MSLB analysis.

Low Pressure Iniection The ESPS actuation of LPI has been assumed for large break LOCAs.

OCONEE UNITS 1,2, & 3 B 3.3.5-5 BASES REVISION DATED

INSERT D1 for B 3.3.5 (page B 3.3.5-5)

For Unit(s) with the ESPS digital upgrade complete, each channel is tested online by manually retrieving the software setpoint to ensure it has been entered correctly. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements

ESPS al g Instrumentation B 3.3.5 Input BASES APPLICABLE Reactor Building Spray, Reactor Building Cooling, and SAFETY ANALYSES Reactor Building Isolation (continued)

The ESPS actuation of the RB coolers and RB Spray have been credited in RB analysis for LOCAs, both for RB performance and equipment environmental qualification pressure and temperature envelope definition.

Accident dose calculations have credited RB Isolation and RB Spray.

Keowee Hydro Unit Emergency Start The ESPS initiated Keowee Hydro Unit Emergency Start has been included in the design to ensure that emergency power is available throughout the limiting LOCA scenarios.

36 74 The small break LOCA analyses assu e a conservative 4 second delay time for the actuation of HPI and LPI i, UFSAR, Chapter (Ref. 4). The large break LOCA analyses assum lPI flow starts in 3 seconds while full LPI flow does not occur until econds later, o seconds total (Ref. 4). This delay time includes allowances for Keowee Hydro Unit starting, Emergency Core Cooling Systems (ECCS) pump starts, and valve openings. Similarly, the RB Cooling, RB Isolation, and RB Spray have been analyzed with delays appropriate for the entire system analyzed.

Accident analyses rely on automatic ESPS actuation for protection of the core temperature and containment pressure limits and for limiting off site dose levels following an accident. These include LOCA, and MSLB events that result in RCS inventory reduction or severe loss of RCS cooling.

The ESPS.channels satisfy Criterion 3 of 10 CFR 50.36 (Ref. 5).

LCO The LCO requires three a

channels of ESPS instrumentation for eachParameter in Table 3.3-. 1to be OPERABLE in each ESPS S

automatic actuation ogic chanrel. Failure of any instrument renders the affected

ýa channel(s) nop-rable and reduces the reliability of the affected Functions.

For Unit(s) with the ESPS digital upgrade complete, there are two redundant ESPS subsystems each having three input channels. Only one subsystem is required to be OPERABLE.

OCONEE UNITS 1, 2, & 3 B 3.3.5-6 Am dment No338, 338,,X339 BASES REVISION DATED K

PS jInstrumentation B 3.3.5 Input LCO Only the Allowable Value is specifi for each ESPS Function in the (continued)

LCO. Nominal trip setpoints are sp cified in the setpoint calculations. The nominal trip setpoints are selected fo ensure the setpoints measured by (or processor output CHANNEL FUNCTIONAL TESTSIo not exceed the Allowable Value if the trip devices for bistable*s performing as required. Operation with a trip setpoint less Unit(s) with the conservative than the nominal trip setpoint, but within its Allowable Value, is ESPS digital acceptable provided that operation and testing are consistent with the upgrade complete) assumptions of the setpoint calculations. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis to account for instrument uncertainties appropriate to the trip Parameter.

For Ulnit(s) with the These uncertainties are defined in Reference 3.

ESPS digital upgrade complete, each channel includes a The Allowable Values for bypass removal functions are stated in the Applicable MODES or Other Specified Condition column of Table 3.3.5-module comm module output

, Iput *o *UL.U on es, interchannel unication es and processor Three a g instrumentation channels shall be OPERABLE to trip devices.

ensure that a single failure in one a al g channel will not result in loss of the ability to automatically actuat e required safety systems.

input The bases for the LCO on ESPS Parameters include the following.

lit(s) with Three agchannels of RCS Pressure-Low, RCS Pressure-Low Low

PS digital

\\RB Pressure-High jacB,Pressure-High High are required OPERABL*E de not Each analo an i

I des a sensor, trip bistable, bypass bistablei

ete,

\\

bypass relays, and output relays. Failure of a bypl~ssbista,1le or bpas*

rc&

4chat an arv~log charnel cannot/6e bylhassed, dales not

\\

/dp t.K*. *rCl g channel inoperable since the analog channel is still

\\

p b e of performing its safety function, i.e., this is not a safety related ypass function.

APPLICABILITY Three

, channels of ESPS instrumentation for each of the following P-arameters snali be UtL-tN/-bLt.I

[start new paragraph]

Failures that affect the ability to bypass an input channel do

1.

Reactor Coolant System Pressure - Low The RCS Pressure - Low actuation Parameter shall be OPERABLE during operation at or above 1750 psig. This requirement ensures the capability to automatically actuate safety systems and components during conditions indicative of a LOCA or secondary unit overcooling. Below 1750 psig, the low RCS Pressure actuation Parameter can be bypassed to avoid actuation during normal unit cooldowns when safety systems actuations are not required.

OCONEE UNITS 1, 2, & 3

ESPS jInstrumentation B 3.3.5 BASES APPLICABILITY

1.

Reactor Coolant System Pressure - Low (continued)

The allowance for the bypass is consistent with the transition of the unit to a lower energy state, providing greater margins to safety limits. The unit response to any event, given that the reactor is already tripped, will be less severe and allows sufficient time for operator action to provide manual safety system actuations. This is even more appropriate during unit heatups when the primary system and core energy content is low, prior to power operation.

In MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. RCS pressure and temperature are very low, and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

2.

Reactor Coolant System Pressure - Low Low The RCS Pressure - Low Low actuation Parameter shall be OPERABLE during operation above 900 psig. This requirement ensures the capability to automatically actuate safety systems and components during conditions indicative of a LOCA or secondary unit overcooling. Below 900 psig, the low low RCS Pressure actuation Parameter can be bypassed to avoid actuation during normal unit cooldowns when safety system actuations are not required.

The allowance for the bypass is consistent with the transition of the unit to a lower energy state, providing greater margins to safety limits. The unit response to any event, given that the reactor is already tripped, will be less severe and allows sufficient time for operator action to provide manual safety system actuations. This is even more appropriate during unit heatups when the primary system and core energy content is low, prior to power operation.

In MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the OCONEE UNITS 1, 2, & 3

ESPS a

Instrumentation B 3.3.5 Input BASES APPLICABILITY

2.

Reactor Coolant System Pressure - Low Low (continued) consequences of an abnormal condition or accident. RCS pressure and temperature are very low, and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

3, 4.

Reactor Building Pressure - High and Reactor Building Pressure -High High The RB Pressure - High and RB Pressure - High High actuation Functions of ESPS shall be OPERABLE in MODES 1, 2, 3, and 4 when the potential for a HELB exists. In MODES 5 and 6, the unit conditions are such that there is insufficient energy in the primary and secondary systems to raise the containment pressure to either the RB Pressure - High or RB Pressure - High High actuation setpoints. Furthermore, in MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident.

RCS pressure and temperature are very low and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

ACTIONS Required Actions A and B apply to all ESPS instrumentation Parameters listed in Table 3.3.5-1.

A Note has been added to the ACTIONS indicating separate Condition ntr i aloed for each Parameter.

If an a[

channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or ESPS bistable is fou d inoperable, then all affected functions provided by that analo'g*

t should be declared inoperable and the unit must enter the Conditions for the particular protective Parameter affected.

(or input isolation modules, inter-channel communication modules and processor output trip devices for Unit(s) with the ESPS digital upgrade complete)

OCONEE UNITS 1, 2, & 3

For Unit(s) with the ESPS digital upgrade not complete, ESPS al g Instrumentation B 3.3.5 Input BASES ACTIONS A.1 input (continued)

Condition A applies when one jchanne becomes inoperable in one or more Parameters. If one ESPS r-instrument channel is inoperable, placing it in a tripped condition leaves the system in a one-For Unit(s) with the ESPS digital out-of-two condition for actuation. Thus, if another channel were upgrade complete, this can be t

hESPS instrumentation could still perform its actuation placingcman inputlogic channely(A, B functions.,his action is completed when all of the affected output relay or C) in trip with the associated are tripped. This c rmally be accomplished by tripping the affected Manual Trip keyswitch (the input bistables.

Manual Trip channel keyswitch trips and all ESPS functions in the channel) or The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is sufficient time to perform the Required (2) tripping the individual input Action.

parameter functional software through the interactive Graphical Service Monitor dialog screen. The S

n r

4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is justified B.1, B.2.1, B.2.2, and B.2.3 based on the continuous monitoring afterthissentence and signal validation being Condition B applies when the Required Action and associated performed and is sufficient time to Completion Time of Condition A are not met or when one or place a Parameter in trip. If the Parameter cannot be placed in trip, parameters have two or more inoperable

a.

hannels. If Condition the Operator can trip the affected B applies, the unit must be brought to a MODE in which the LCO does channel with the use of the Manual not apply. To achieve this status, the unit must be brought to at least Trip keyswitch until such time that MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and, for the RCS Pressure-Low Parameter, to the individual parameter can be

< 1750 psig, for the RCS Pressure-Low Low Parameter, to < 900 psig, placed in trip, and for the RB Pressure-High Parameter and RB Pressure-High High Parameter, to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE The ESPS Parameters listed in Table 3.3.5-1 are subject to REQUIREMENTS CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION. The operational bypasses associated with each RCS Pressure ESPS instrumentation channel are also subject to these SRs to ensure OPERABILITY of the ESPS instrumentation channel.

INSERT E (start new SR 3.3.5.1 paragraph after insert)

Performance of the CHANNEL CHECK every 12 hiturs ensures that a gross failure of instrumentation has not occurred.

CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels: It is based on the assumption that OCONEE UNITS 1,2, & 3 B 3.3.5-10

[Ame ment No7.300, 300, 300 BASES REVISION DATED K

INSERT E for B 3.3.5 (page B 3.3.5-10)

For Unit(s) with the digital ESPS complete, the CHANNEL CHECK requirement is met automatically. The digital ESPS provides continuous online automatic monitoring of each of the input signals in each channel, performs signal online validation against required acceptance criteria, and provides hardware functional validation. If any protective channel input signal is identified to be in the failure status, this condition is alarmed on the Unit Statalarm and input to the plant OAC. Immediate notification of the failure status is provided to the Operations staff.

ESPS

lnstrumentation B 3.3.5 BASES SURVEILLANCE REQUIREMENTS SR 3.3.5.1 (continued) instrument channels monitoring the same parameter should read a

oimately the same value. Significant deviations between the two j

instrument channels could be an indication of excessive InefrI I" m

nt drift in rinn nf thp rhhnnninl tr nf cnmathinn xi,*n mrm corinv e

C CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit.

for a manual CHANNEL CHECK The FrequencY, equivalent to every shift, is based on operating experience that demonstrates channel failure is rare. Since the probability of two random failures in redundant channels in any 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but potentially more frequent, checks of channel operability during normal operational use of the displays associated with the LCO's required channels.

S The SR is modified by a Note indicating that it is not applicable R 3 to Unit(s) with the ESPS digital upgrade complete.

A CHANNEL FUNCTIONAL TEST is performed on each required ESPS channel to ensure the entire channel, including the bypass function, will perform the intended functions. Any setpoint adjustment shall be consistent with the assumptions of the current unit specific s tp nt analysis.

uncertainty The Frequency of 92 days is based on operating experience, with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given function in any 92 day interval is a rare event.

SR 3.3.5.2 The SR is modified by a Note indicating that it is only applicable to Unit(s) with the ESPS digital upgrade complete. This SR manually retrieves the software setpoints and verifies they are correct. The proper functioning of the processor portion of the channel is continuously checked by automatic cyclic self monitoring. Verification of field instrument set points is not required by this surveillance. This surveillance does not apply to the Reactor Building Pressure High High parameter because it consists of pressure switches which provide a contact status to the system and there is no software set point to verify.

The Frequency of 92 days is considered adequate since software is not subject to drift and the SR is only verifying that the setpoint was not incorrectly set.

OCONEE UNITS 1, 2, & 3 B 3.3.5-11

[ Armeo'dment Npi6321, 321X~322 I BASES REVISION DATED

ESPS al g Instrumentation B 3.3.5 BASES SURVEILLANCE SR 3.3.5 input REQUIREMENTS (continued)

CHANNEL CALIBRATION is a complete check of the a al g instrument channel, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION assures that measurement errors and bistable setpbint errors are within the assumptions of the unit specific setpoint anal ANNEL CALIBRATIONS must be erformed consistent with the assum ons of the setpoint analysis.

INSERT F This Frequency is jus ii n

month calibration interval to determine the magnitude of equipment drift in analysis.

REFERENCES 1.

UFSAR, Chapter/7.

2.

10 CFR 50.49.

3.

EDM-102, "Instrument Setpoint/Uncertainty Calculations."

4.

UFSAR, Chapter 15.

5.

10 CFR 50.36.

(or processor output trip device for Unit(s) with the ESPS digital upgrade complete)

For Unit(s) with the digital upgrade complete, the 18 month calibration interval is justified by the reliability of components whose failure modes are not automatically detected or indicated.

OCONEE UNITS 1, 2, & 3 B 3.3.5-12

( A~ei*dment NpK300, 30OX,300 J BASES REVISIONDATED

INSERT F for B 3.3.5 (page B 3.3.5-12)

The 18 month frequency for the CHANNEL CALIBRATION is based on design capabilities and reliability of the digital ESPS. Since the CHANNEL FUNCTIONAL TEST is a part of the CHANNEL CALIBRATION a separate SR is not required. The digital ESPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The protection system also performs continuous online hardware monitoring. The CHANNEL CALIBRATION essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.

For Unit(s) with the ESPS digital upgrade complete, the digital processors shall be rebooted as part of the calibration. This verifies that the software has not changed. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements.

This, in combination with ensuring the setpoints are entered into the software correctly per SR 3.3.5.2, verifies the setpoints are within the Allowable Values.

ESPS Manual Initiation B 3.3.6 Note: To clearly differentiate text applicable only to Unit(s) with the RPS digital upgrade complete, the text applicable only to that design is led with a qualifier and italicized.

B 3.3 INSTRUMENTATION Likewise, the text applicable only to Unit(s) that have not been upgraded is led with a qualifier and bolded. Otherwise, the text applies to both designs.

B 3.3.6 Engineered Safeguards rotective System (ESPS) Manual Initiation BASES BACKGROUND The ESPS manual initiation capability allows the operator to actuate ESPS Functions from the main control room in the absence of any other initiation condition. This ESPS manual initiation capability is provided in the event the operator determines that an ESPS Function is needed and has not been automatically actuated. Furthermore, the ESPS manual initiation capability allows operators to rapidly initiate Engineered Safeguards (ES)

Functions.

LCO 3.3.6 covers only the system level manual initiation of these Functions. LCO 3.3.5, "Engineered Safeguards Protective System (ESPS)

Input F

I-lnstrumentation," and LCO 3.3.7, "Engineered Safeguards Protective System (ESPS) D*iitYIAutomatic Actuation ogic Channels,"

provide requirements on the poions of the ESPS that utomatically initiate the Functions described earlier.

Output The ESPS manual initiation Function relies on the OPERABILITY of the i*

automatic actuation1ogic channels (LCO 3.3.7) to perform the actuation of the systems. A manual trippush button is provided on the control room console for each of the lit llautomatic actuation ogic channels. Operation of the push button energizes relays whose contacts output perform a logical "OR" function with the automatic actuation.

For Unit(s) with the ESPS digital upgrade not

-"he ESPS manual initiation channel is defined as the instrumentation comolete.

between the console switch and theF4 automatic actuation ogic channel, which actuates the end devices. Other means of manual initiation,

such as controls for individual ES devices, may be available in the control room and other unit locations. These alternative means are not required by IN A

this LCO, nor may they be credited to fulfill the requirements of this LCO.

APPLICABLE The ESPS, in conjunction with the actuated equipment, provides protective SAFETY ANALYSES functions necessary to mitigate accidents, specifically, the loss of coolant accident and steam line break events.

IFor Unit(s) with the ESPS digital upgrade complete, the ESPS manual initiation portion of the ESPS system is defined as the instrumentation between the control console Trip/Reset switches and the relay output (RO) relays which actuate the end devices.

OCONEE UNITS1, 2,&3 B3.3.6-1 A

ndmjnt Noh. 30ý, 30,& 3)

BASES REVISION DATEDr

INSERT A for B 3.3.6 (page B 3.3.6-1)

For Unit(s) with the ESPS digital upgrade complete, a manual actuation of the ESPS actuation functions shall be capable of being initiated from the main control board Trip/Reset pushbutton switches. Individual pushbuttons are provided for High Pressure Injection and Reactor Building (RB) Non-Essential Isolation (Channels 1 and 2), Low Pressure Injection and Low Pressure Service Water Actuation (Channels 3 and 4), RB Cooling and RB Essential Isolation (Channels 5 and 6), and RB Spray (Channels 7 and 8). The manual actuation is independent of the ESPS automatic actuation signal and is capable of actuating all channel related actuation field components regardless of any failures of the automatic signal. Initiation of the manual actuation portion of ESPS will also input an actuation signal to the automatic system to provide input to the automatic system indicating that a manual actuation has occurred.

ESPS Manual Initiation B 3.3.6 BASES APPLICABLE The ESPS manual initiation ensures that the control room operator can SAFETY ANALYSES rapidly initiate ES Functions. The manual initiation trip Function is required (continued) as a backup to automatic trip functions and allows operators to initiate ESPS whenever any parameter is rapidly trending toward its trip setpoint.

The ESPS manual initiation functions satisfy Criterion 3 of 10 CFR 50.36 (Ref. 1).

LCO Two ESPS manual initiation channels of each ESPS Function shall be OPERABLE whenever conditions exist that could require ES protection of the reactor or RB. Two OPERABLE channels ensure that no single random failure will prevent system level manual initiation of any ESPS Function. The ESPS manual initiation Function allows the operator to initiate protective action prior to automatic initiation or in the event the automatic initiation does not occur.

The required Function is provided by two associated channels as indicated in the following table:

Function Associated Channels HPI and RB Non-Essential 1 & 2 Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input LPI 3 & 4 RB Cooling and RB Essential 5 & 6 isolation RB Spray 7 & 8 APPLICABILITY The ESPS manual initiation Functions shall be OPERABLE in MODES 1 and 2, and in MODES 3 and 4 when the associated engineered safeguard equipment is required to be OPERABLE. The manual initiation channels are required because ES Functions are designed to provide protection in these MODES. ESPS initiates systems that are either reconfigured for decay heat removal operation or disabled while in MODES 5 and 6.

Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components. Adequate time is available to evaluate unit conditions and to respond by manually operating the ES components, if required.

OCONEE UNITS 1, 2, & 3 B 3.3.6-2

ýA/end/ent Ios. 3 #, 33#& 3/9 ]1 BASES REVISION DATED

ESPS Manual Initiation B 3.3.6 BASES (continued)

ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each ESPS manual initiation Function.

A.. 1 Condition A applies when one manual initiation channel of one or more ESPS Functions becomes inoperable. Required Action A.1 must be taken to restore the channel to OPERABLE status within the next 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is based on operating experience and administrative controls, which provide alternative means of ESPS Function initiation via individual component controls. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is generally consistent with the allowed outage time for the safety systems actuated by ESPS.

B.1 and B.2 With the Required Action and associated Completion Time not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required MODES from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS SR 3.3.6.1 output This SR requires the performance of a CHANNEL FU CTIONAL TEST of the ESPS manual initiation. This test verifies that the initiating circuitry is OPERABLE and will actuate the automatic actuation ogic channels. The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. This Frequency is demonstrated to be sufficient, based on operating experience, which shows these components usually pass the Surveillance when performed on the 18 month Frequency.

REFERENCES

1.

10OCFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.6-3 (A/end/lent N/s. 30X, 302K & 3/

II BASES REVISION DATED r

Note: To clearly differentiate text applicable only to Unit(s) with the RPS digital upgrade complete, the text applicable only to that design is led with a qualifier and italicized. Likewise, the text applicable only to Unit(s) that have not been upgraded is led with a qualifier and bolded. Otherwise, the text aoplies to both designs.

Output ESPS Automatic gal Actuatio ogic Chtaunnels B 3.3.7 1

For Unit(s) with the ESPS digital B 3.3 INSTRUMENTATION upgrade not complete, B 3.3.7 Engineered Safeguards Protective ystem(ESPS) C7Automatic Actuation*ogic Channels Output BASES Foutput BACKGROUND N

e utomatic actuatio logic channels ir instrumentation from the buffers of the ESPS I

strument channels through the unit controllers that actuate ESPS equipment.

ach of te compomner.

actuated by the\\ESPS Functions is associated with one or moreWl utomatic actuatio-nogic channels. If two-out-of-three ESPS output instrumentation channels indicate a trip, or if channel level manual Lutinitiation occurs, the &

iutomatic actuation Jogic channel is activated and the associated equipment is actuated. The purpose of requiring OPERABILITY of the ESPS Yfjikautomatic actuationtogic channels is to ensure that the Functions of the ESPS can be automatically initiated in the event of an accident. Automatic actuation of some Functions is necessary to prevent the unit from exceeding the Emergency Core Cooling Systems (ECCS) limits in 10 CFR 50.46 (Ref. 1). It should be noted that OPERABLE~I~automatic actuation~o ic channels alone will not ensure that each Function can be activated; the aI I strumentation channels and actuated equipment associated with each Function must also be OPERABLE to ensure that the Functions can be automatically initiated during an accident.

LCO 3.3.7 covers only the lutomatic actuationlogic channels that initiates these Functions. LCO 3.3.5, "Engineered Safeguards Protective Input System (EsPsfýý Instrumentation," and LCO 3.3.6, "Engineered Safeguards Protective System (ESPS) Manual Initiation," provide rfaquirements on the.algg *instrumentation and manual initiation channels feeito i th he i it I utomatic actuation 1ogic channels.

The ESPS, in conjunction with the actuated equipment, provides protective Zfunctions necessary to mitigate accidents, specifically, the loss of coolant INSERT B accident (LOCA) and main steam line break (MSLB) events. The ESPS relies on the OPERABILITY of the automatic actuation logic for each component to perform the actuation of the selected systems.

The small break LOCA analyses assum a conservative 48 second delay time for the actuation ofJ~gh p;essure *jection (HPI) in UFSAR, Chapter 15 (Ref. 2). The large break LOCA analyses assume [ow starts in 38 seconds while full LPI flow does not occur until 36 second ater, or 74 seconds total (Ref. 2). This delay time includes allowances or Keowee Low Pressure Injection (LPI)

OCONEE UNITS 1, 2, & 3 B 3.3.7-1 BASES REVISION DATED I

INSERT A for B 3.3.7 (page B 3.3.7-1)

For Unit(s) with the ESPS digital upgrade complete, the automatic actuation output logic channels are defined as the Voters, the output relays and associated contacts. For Unit(s) with the ESPS digital upgrade complete, the Voters are used to provide an output signal to the output relays for the LP-1 interlock. Since LP-1 is not an ES valve, any inoperability of the ESPS associated with this particular function would require no action by TS 3.3.7.

INSERT B for B 3.3.7 (page B 3.3.7-1)

For Unit(s) with the ESPS digital upgrade complete, the ESPS Protective Channels (computers)

A, B, and C are implemented on two independent and redundant subsystems. One subsystem, containing channels A2, B2, and C2, uses the ESPS protective channel computers, which are installed in the ESPS cabinets. The other subsystem, containing independent and redundant channels Al, 81, and C1, uses the RPS protective channel computers, which are installed in the RPS cabinets.

Each of the independent ESPS and ESPS/RPS protective channel function output signals are sent to two redundant digital actuation Voter Sets each comprised of an.Odd and Even Voter.

The Odd Voter is associated with ESPS Automatic Actuation Output Logic Channels 1, 3, 5, and 7 while the Even Voter is associated with Channels 2, 4, 6, and 8. One of the Odd and Even Voter sets (Voter 2) performs the two-out-of-three voting for the actuation signals coming from the ESPS protective channels; the other independent and redundant Odd and Even Voter set (Voter 1) performs the two-out-of-three voting for the actuation signals coming from the ESPS/RPS set. The independent and redundant ESPS protective safety actuation functions are duplicated in the ESPS and ESPS/RPS subsystems.

ESPS Automati4V* il ctuatio Logic Channels

~B 3.3.7 Output BASES BACKGROUND Hydro Unit startup and loading, ECCS pump starts, and valve openings.

(continued)

Similarly, theactorb iilding (RB) Cooling, RB Isolation, and RB Spray have been analyzed with delays appropriate for the entire system.

The ESPS automatic initiation of Engineered Safeguards (ES) Functions to mitigate accident conditions is assumed in the accident analysis and is required to ensure that consequences of analyzed events do not exceed the accident analysis predictions. Automatically actuated features include INSERT C HPI, LPI, RB Cooling, RB Spray, and RB Isolation.

APPLICABLE Accident analyses rely on automatic ESPS actuation for protection of the SAFETY ANALYSES core and RB and for limiting off site dose levels following an accident. The WýJutomatic actuatior logic is an integral part of the ESPS.

The ESPS *.utomatic-, ctuation logic channels satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).

]

output LCO The automatic actuationlgic channels are required to be/

OPERABLE whenever conditions exist that could require ES protection of the reactor or the RB. This ensures automatic initiation of the ES required to mitigate the consequences of accidents.

The required Function is provided by two associated i I hannels as For Unit(is) with the ESPS "it~ni't~lInr' d.¢nm l

indicated in the following table:

the ESPS automatic actuation output logic channels are comprised of two independent and redundant subsystems.

Only one of the independent subsystems is required to be OPERABLE.

Function Associated Channels HPI and RB Non-Essential 1 & 2 Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input LPI ýnd WEssentiaj. o'lation 3 & 4 RB Cooling and RB Essential 5 & 6 isolation RB Spray 7 & 8 OCONEE UNITS 1, 2, & 3

INSERT Cfor B 3.3.7 (page B 3.3.7-2)

Engineered Safeguards Protective System Bypasses For Unit(s) with the ESPS digital upgrade complete, there are two redundant subsystems.

The same analog input signal is fed to each subsystem. In subsystem 1, channels Al, B1, and C1 provide the input to Voter 1 Odd and Voter 1 Even. In subsystem 2, channels A2, B2, and C2 provide input to Voter 2 Odd and Voter 2 Even. Either subsystem provides the full complement of Voters. This allows for a Manual (maintenance) Bypass of one complete subsystem, or portion of a subsystem, without entering into an LCO Condition. While one Voter or a set of Voters are bypassed, the ESPS function is provided by the redundant ESPS subsystem.

Placing a Voter in Manual Bypass is implemented by keyswitches located in the respective ESPS Actuation cabinets. If an ESPS Voter is placed in Manual Bypass, all automatic ESPS actuation functions from that specific Voter are disabled. However, a manual ESPS trip is still available for Operator action to initiate the ESPS safety actuation functions. Only one Manual Bypass keyswitch for the two Odd Voters (Voter 1 Odd or Voter 2 Odd) and one Manual Bypass keyswitch for the two Even Voters (Voter 1 Even or Voter 2 Even) is allowed to be placed in Manual Bypass at a time. Placing an ESPS Voter in Manual Bypass is administratively controlled. The ESPS Manual Bypass keyswitch status information is sent to the Unit control room Statalarm panel and sent to the plant Operator Aid Computer (OAC).

Parameter Change Enable Mode (applicable only to Unit(s) with ESPS digital upgrade complete)

ESPS Voters for subsystems 1 and 2 and Status processors can be placed in a parameter change enable mode through the use of the Parameter Change Enable keyswitches. One keyswitch will place Odd Voter 1 and the Odd Component Status processor in Parameter Change Enable Mode. One keyswitch will place Even 1 Voter and the Even Status Component Status processor in Parameter Change Enable Mode. Odd Voter 2 and Even Voter 2 each have their own keyswitch that can be used to place each processor in Parameter Change Enable Mode.

When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:

The processors continue with normal operation.

A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.

With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:

Normal Operation - with permissive for operating mode change.

o Parameterization - allows changes to specific parameters (example placing a parameter into a tripped condition or performing Go/NoGo testing).

o Function Test - for disabling the application function and forcing output signal for testing purposes (normally not used).

Diagnostics - for downloading new application software.

The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions. Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.

When a keyswitch is placed in the Parameter Change Enable Mode Position, the affected processor shall first be declared out of service. In addition to declaring the processor out of service, when loading or revising software in a processor, the affected ESPS voter (Set 1 or Set 2) shall be placed in Bypass. Only one ESPS voter at a time is allowed to be placed into Parameter Change Enable Mode Position.

Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the Gateway.

ESPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).

ESPS Automatic Actuatior Logic Channels utput OI B 3.3.7 ouptOtu BASES (continued)

APPLICABILITY The~automatic actuatiorogic channels shall be OPERABLE in MODES 1 and 2 and in MODES 3 and 4 when the associated engineered safeguard equipment is required to be OPERABLE, because ES Functions are designed to provide protection in these MODES. Automatic actuation in MODE 5 or 6 is not required because the systems initiated by the ESPS are either reconfigured for decay heat removal operation or disabled.

Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components. Adequate time is available to evaluate unit conditions and respond by manually operating the ES components, if required.

ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each ESPSt lutomatic actuation logic channel.

A.1 and A.2 output When one or more 99ýutomatic actuation ogic channels are inoperable, the associated component(s) can be placed in their en igered safeguard configuration. Required Action A.1 is equivalent to the i0tayj automatic actuation ogic channel performing its safety function ahead of time.

output In some cases, placing the component in its engineered safeguard configuration would violate unit safety or operational considerations. In these cases, the component status should not be changed, but the supported system component must be declared inoperable. Conditions which would preclude the placing of a component in its engineered safeguard configuration include, but are not limited to, violation of system separation, activation of fluid systems that could lead to thermal shock, or isolation of fluid systems that are normally functioning. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is based on operating experience and reflects the urgency associated with the inoperability of a safety system component.

Required Action A.2 requires declaring the associated components of the affected supported systems inoperable, since the true effect of output automatic actuation 'ogic channel failure is inoperability of the suppo d

system. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is based on operating experience 7and reflects the urgency associated with the inoperability of a safety system component. A combination of Required Actions A.1 and A.2 may be used for different components associated with an inoperable I utomatic actuation ogic channel.

OCONEE UNITS 1, 2, & 3 B 3.3.7-3 BASES REVISION DATED I

ESPS Automatic *Actuatio Logic Channels B 3.3.7 Output BASES (continued)

SURVEILLANCE REQUIREMENTS REFERENCES 22 for Unit(s) with the ESPS digital upgrade not complete and an 8 month SR 3.7 Frequency for Unit(s) with the ESPS digital upgrade complete.

SR 3.3.

s the erformance of a CHANNEL FUNCTIONAL TEST on a 92 day Freauencv..

test mo trat that ea dig al a oma'c

[ac~ac~tion Ioc4"*"chan*.

Pr'Jc.**f,,lfrformi

,~

tw-qucfth~

Ih"J/

comWations eve 92 days hest imu tes eTre red onpe/out-ofin hrence otht ldic citeuit d vefries th a one c I

[op~ratioriof the aýAomati~iacý'atiorfloigici~heFreqF-uency is based on

/

operating experience that demonstrates the'it omore than one cha ne I /

failing within the same 92 day i*--

"7 L!

ay_

1.

10 CFR 50.46.

2.

UFSAR, Chapter 15.

3.

10 CFR 50.36.

For Unit(s) with the ESPS digital upgrade complete, the functional test consists of I rebooting the digital processors. This verifies that the software has not changed. [start new paragraph] For Unit(s) with the ESPS digital upgrade not complete, For Unit(s) with the ESPS digital upgrade complete, the 18 month Frequency is based on the design capabilities and reliability of the new digital ESPS. The digital ESPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The protection system also performs continual online hardware monitoring. The CHANNEL FUNCTIONAL TEST essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function. The reliability of components whose failure modes are not automatically detected or indicated also supports a test frequency of 18 months I

SR 3.3.7.1 The SR is modified by a Note indicating that it is only applicable to Unit(s) with the ESPS digital upgrade complete. This SR requires manual actuation of the output channel interposing relays to (referred to as Ro relays) demonstrate OPERABILITY of the relays. The proper functioning of the processor portion of the channel is continuously checked by automatic cyclic self monitoring.

The Frequency of 92 days is considered adequate based on operating experience that demonstrates the rarity of more than one channel's relay failing within the same interval.

OCONEE UNITS 1, 2, & 3 B 3.3.7-4 I Am/ndment No/. 345, 347,/

346 11 BASES REVISION DATED

ML11192A056

Contents

Text

Subject:

Background

3.5 BACKGROUND

Navigation menu

ML11192A056

Text

Subject:

Background

3.5 BACKGROUND

Navigation menu

Search