ML15335A512

Technical Requirements Manual, Technical Specification Bases, Affected Pages, Revision 38
Site: Monticello
Issue date: 11/20/2015
From: Northern States Power Co, Xcel Energy
To: Office of Nuclear Reactor Regulation
Shared Package: ML15335A486
References: L-MT-15-088


Text

ECCS Instrumentation B 3.3.5.1
Monticello B 3.3.5.1-1 Revision No. 38

B 3.3 INSTRUMENTATION
B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation

BASES

BACKGROUND

The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient.

For most anticipated operational occurrences and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.

The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant injection (HPCI), Automatic Depressurization System (ADS), and the emergency diesel generators (EDGs). The equipment involved with each of these systems is described in the Bases for LCO 3.5.1, "ECCS - Operating," and LCO 3.8.1, "AC Sources - Operating."

Core Spray System

The CS System may be initiated by either automatic or manual means, although manual initiation requires manipulation of individual pump and valve control switches. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low or Drywell Pressure - High. The Reactor Vessel Water Level - Low Low initiation signal is generated coincident with Reactor Steam Dome Pressure - Low (Pump Permissive) or if the Reactor Vessel Water Level - Low Low signal is sustained for 18 minutes (Refs. 7 and 8). The Reactor Vessel Water Level - Low Low variable is monitored by four redundant transmitters, connected to four trip units. The outputs of the four trip units are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two taken twice logic. The Drywell Pressure - High variable is monitored by four redundant pressure switches. The outputs of the switches are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two taken twice logic. The Reactor Steam Dome Pressure - Low (Pump Permissive) variable is monitored by two redundant switches. The outputs of the switches are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two logic. Each trip system will delay CS pump start and valve logic on low low reactor vessel water level until reactor steam dome pressure has fallen to a value below the CS System's maximum design pressure. The Reactor Steam Dome Pressure Permissive - Bypass Timer (Pump Permissive) variable is developed by two redundant time delay relays. A time delay relay is located in each trip system and a contact associated with this relay (one-out-of-one logic for each trip system) will bypass the Reactor Steam Dome Pressure - Low (Pump Permissive) after the timer has timed out.

The CS pumps start and valve logic will receive the high drywell pressure signals without delay. The Reactor Steam Dome Pressure - Low (Injection Permissive) variable is monitored by two redundant pressure switches. The outputs of the switches are connected to relays whose contacts input into two trip systems. Each trip system is arranged in a one-out-of-two logic. Each trip system will delay CS injection valve actuation logic until reactor steam dome pressure has fallen to a value below the CS System's maximum design pressure regardless of the initiation signal. Each trip system will open the associated CS subsystem valves.

Upon receipt of an initiation signal, the CS pumps are started in approximately 15 seconds after AC power is available. The Core Spray Pump Start - Time Delay Relay Function for each CS pump is developed by one time delay relay. The time delay relay starts when there is a LOCA signal present and power is available on the associated 4.16 kV essential bus. After the time delay relay times out, the associated CS pump starts.

The CS test line isolation valve, which is also a primary containment isolation valve (PCIV), is closed on a CS initiation signal to allow full system flow assumed in the accident analyses and maintain primary containment isolated in the event CS is not operating.
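The Core Spray initiation logic described above can be written out and checked for single-channel failures. This is an added example, not part of the original document or any plant software; the pairing of the four channels inside the one-out-of-two taken twice logic, the function names and the demand scenarios are assumptions constructed for illustration.

```python
# Added example: one Core Spray trip system's initiation logic, per the Bases text.
BYPASS_TIMER_MIN = 18  # page: Low Low signal sustained for 18 minutes


def one_of_two(a, b):
    return a or b


def one_of_two_twice(a, b, c, d):
    # Assumption: channels (a, b) form one pair and (c, d) the other.
    return (a or b) and (c or d)


def cs_trip_system(level_ll, drywell_hi, pump_perm, inj_perm, ll_minutes=0):
    """Evaluate one trip system from contact states (True = tripped/closed).

    level_ll, drywell_hi: four channels each; pump_perm, inj_perm: two each.
    ll_minutes: how long the Low Low signal has been sustained.
    """
    level = one_of_two_twice(*level_ll)
    drywell = one_of_two_twice(*drywell_hi)
    # The bypass timer contact replaces the pump permissive once it times out.
    bypass = level and ll_minutes >= BYPASS_TIMER_MIN
    # High drywell pressure reaches the pump start logic without delay.
    pump_start = drywell or (level and (one_of_two(*pump_perm) or bypass))
    # Injection valves wait for the injection permissive whatever the initiator.
    inject = pump_start and one_of_two(*inj_perm)
    return {"pump_start": pump_start, "injection_valve_open": inject}


# Constructed demand scenarios (not plant data).
DEMANDS = {
    "low-low level, vessel depressurized": dict(
        level_ll=(True,) * 4, drywell_hi=(False,) * 4,
        pump_perm=(True,) * 2, inj_perm=(True,) * 2),
    "high drywell pressure, vessel depressurized": dict(
        level_ll=(False,) * 4, drywell_hi=(True,) * 4,
        pump_perm=(True,) * 2, inj_perm=(True,) * 2),
}
NO_DEMAND = dict(level_ll=(False,) * 4, drywell_hi=(False,) * 4,
                 pump_perm=(False,) * 2, inj_perm=(False,) * 2)


def stuck(inputs, function, index, value):
    """Copy of inputs with one channel of one Function forced to value."""
    channels = list(inputs[function])
    channels[index] = value
    return dict(inputs, **{function: tuple(channels)})


def failures_that_block_initiation():
    """Fail each tripped channel 'stuck untripped' during each demand."""
    blocked = []
    for name, demand in DEMANDS.items():
        for function, channels in demand.items():
            for i, tripped in enumerate(channels):
                if not tripped:
                    continue
                out = cs_trip_system(**stuck(demand, function, i, False))
                if not (out["pump_start"] and out["injection_valve_open"]):
                    blocked.append((name, function, i))
    return blocked


def spurious_trips_that_initiate():
    """Force each single channel 'stuck tripped' with no real demand."""
    return [(function, i)
            for function, channels in NO_DEMAND.items()
            for i in range(len(channels))
            if cs_trip_system(**stuck(NO_DEMAND, function, i, True))["pump_start"]]


if __name__ == "__main__":
    print("single failures blocking initiation:", failures_that_block_initiation())
    print("single spurious trips initiating:", spurious_trips_that_initiate())
    # Low Low level with the vessel still at high pressure: only the bypass
    # timer can start the pumps, and the injection valves stay closed.
    high_pressure = dict(DEMANDS["low-low level, vessel depressurized"],
                         pump_perm=(False, False), inj_perm=(False, False))
    for minutes in (17, 18):
        print(minutes, "min:", cs_trip_system(ll_minutes=minutes, **high_pressure))
```

Both lists come back empty, which is the property the Bases rely on later when they state that no single instrument failure can preclude initiation.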

Low Pressure Coolant Injection System

The LPCI is an operating mode of the Residual Heat Removal (RHR) System, with two LPCI subsystems. The LPCI subsystems may be initiated by automatic or manual means, although manual initiation requires manipulation of individual pump and valve control switches. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low, Drywell Pressure - High, or both. The Reactor Vessel Water Level - Low Low initiation signal is generated coincident with Reactor Steam Dome Pressure - Low (Pump Permissive) or if the Reactor Vessel Water Level - Low Low signal is sustained for 18 minutes (Refs. 7 and 8).

The Reactor Vessel Water Level - Low Low variable is monitored by four redundant transmitters, connected to four trip units. The outputs of the four trip units are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two taken twice logic. The Drywell Pressure - High variable is monitored by four redundant pressure switches. The outputs of the switches are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two taken twice logic. The Reactor Steam Dome Pressure - Low (Pump Permissive) variable is monitored by two redundant switches. The outputs of the switches are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two logic. Each trip system will delay LPCI pump start and valve logic on low low reactor vessel water level until reactor steam dome pressure has fallen to a value below the LPCI System's maximum design pressure.

The Reactor Steam Dome Pressure Permissive - Bypass Timer (Pump Permissive) variable is developed by two redundant time delay relays. A time delay relay is located in each trip system and a contact associated with this relay (one-out-of-one logic for each trip system) will bypass the Reactor Steam Dome Pressure - Low (Pump Permissive) after the timer has timed out. The LPCI pumps start and valve logic will receive the high drywell pressure signals without delay. The Reactor Steam Dome Pressure - Low (Injection Permissive) variable is monitored by two redundant pressure switches. The outputs of the switches are connected to relays whose contacts input into two trip systems. Each trip system is arranged in a one-out-of-two logic. Each trip system will delay LPCI injection valve actuation logic until reactor steam dome pressure has fallen to a value below the LPCI System's maximum design pressure regardless of the initiation signal. Each trip system will open the associated LPCI subsystem valves.

Upon receipt of an initiation signal, the LPCI pumps are automatically started (pumps A and B approximately 5 seconds after AC power is available and pumps C and D approximately 10 seconds after AC power is available). The Low Pressure Coolant Injection Pump Start - Time Delay Relay Function for each LPCI pump is developed by four time delay relays. Each time delay relay will start when there is a LOCA signal present and power is available on the associated 4.16 kV essential bus.

After a time delay relay times out, a signal is sent to start the associated LPCI pump. The outputs of the time delay relays are arranged in a one-out-of-two taken twice logic for each LPCI pump.

Each LPCI subsystem's discharge flow is monitored by a flow switch.

When a pump is running and discharge flow is low enough so that pump overheating may occur, the respective minimum flow return line valve is opened after an approximate 10 second time delay. If flow is above the minimum flow setpoint, the valve is automatically closed to allow the full system flow assumed in the analyses.

The RHR test line suppression pool cooling isolation valve, suppression pool spray isolation valves, and containment spray isolation valves (which are also PCIVs) are also closed on a LPCI initiation signal to allow the full system flow assumed in the accident analyses and maintain primary containment isolated in the event LPCI is not operating.


The LPCI System initiation logic also contains LPCI Loop Select Logic whose purpose is to identify and direct LPCI flow to the unbroken recirculation loop if a Design Basis Accident (DBA) occurs. The LPCI Loop Select Logic is initiated upon the receipt of either a Reactor Vessel Water Level - Low Low signal or a Drywell Pressure - High signal, as discussed previously. When initiated, the LPCI Loop Select Logic first determines recirculation pump operation by sensing the differential pressure (dp) between the suction and discharge of each pump. There are four dp switches monitoring each recirculation loop that are, in turn, connected to relays whose contacts are connected to two trip systems.

The dp switches will trip when the dp across the pump is greater than a predetermined value. The contacts are arranged in a one-out-of-two taken twice logic for each recirculation pump. If the logic senses that either pump is not running, i.e., single loop operation, then a trip signal is sent to both recirculation pumps to eliminate the possibility of pipe breaks being masked by the operating recirculation pump pressure. However, the pump trip signal is delayed approximately 0.5 seconds to ensure that at least one pump is off since the break detection sensitivity is greater with both pumps running. If a pump trip signal is generated, reactor steam dome pressure must drop to a specified value before the logic will continue. This adjusts the selection time to optimize sensitivity and still ensure that LPCI injection is not unnecessarily delayed. The reactor steam dome pressure is sensed by four pressure switches that are, in turn, connected to relays whose contacts are connected to two trip systems. The contacts are arranged in a one-out-of-two taken twice logic. After the satisfaction of this pressure requirement or if both recirculation pumps indicate they are running, a 2 second time delay is provided to allow momentum effects to establish the maximum differential pressure for loop selection. Selection of the unbroken recirculation loop is then initiated. This is done by comparing the absolute pressure of the two recirculation riser loops. The broken loop is indicated by a lower pressure than the unbroken loop. The loop with the higher pressure is then used for LPCI injection. If, after a small time delay (approximately 0.5 seconds), the pressure in loop A is not indicating higher than loop B, the logic will provide a signal to close the B recirculation loop discharge valve, open the LPCI injection valve to the B recirculation loop and close the LPCI injection valve to the A recirculation loop. This is the "default" choice in the LPCI Loop Select Logic. 
If recirculation loop A pressure indicates higher than loop B pressure (> 1 psig), the recirculation discharge valve in loop A is closed, the LPCI injection valve to loop A is signaled to open and the LPCI injection valve to loop B is signaled to close. The four dp switches that provide input to this portion of the logic detect the pressure difference between the corresponding risers to the jet pumps in each recirculation loop. The four dp switches are connected to relays whose contacts are connected to two trip systems. The contacts in each trip system are arranged in a one-out-of-two taken twice logic.


There are two redundant trip systems in the LPCI Loop Select Logic. The complete logic in each trip system must actuate for operation of the LPCI Loop Select Logic.
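The LPCI Loop Select sequence described above, traced step by step for one trip system. This is an added example and not part of the original document; the riser pressures in the sample calls are constructed values, and `dome_pressure_ok_at_s` is a hypothetical input standing in for the steam dome pressure setpoint, which the page does not state.

```python
# Added example: the LPCI Loop Select sequence for one trip system.
PUMP_TRIP_DELAY_S = 0.5   # page: pump trip signal delayed approximately 0.5 seconds
MOMENTUM_DELAY_S = 2.0    # page: 2 second delay before loop selection
DEFAULT_DELAY_S = 0.5     # page: small time delay (approximately 0.5 seconds)
LOOP_A_MARGIN_PSI = 1.0   # page: loop A higher than loop B (> 1 psig)


def loop_select(pump_a_running, pump_b_running, riser_a_psig, riser_b_psig,
                dome_pressure_ok_at_s=0.0):
    """Return (selected_loop, elapsed_s, valve_actions, timeline).

    dome_pressure_ok_at_s is a hypothetical input: seconds after initiation at
    which reactor steam dome pressure has dropped to the specified value.
    """
    t = 0.0
    timeline = [(t, "loop select logic initiated")]
    if pump_a_running and pump_b_running:
        timeline.append((t, "both recirculation pumps running"))
    else:
        # Single loop operation: trip both pumps so that a running pump's
        # pressure cannot mask a pipe break, then wait for dome pressure.
        t += PUMP_TRIP_DELAY_S
        timeline.append((t, "trip signal sent to both recirculation pumps"))
        t = max(t, dome_pressure_ok_at_s)
        timeline.append((t, "steam dome pressure requirement satisfied"))
    # Allow momentum effects to establish the maximum differential pressure.
    t += MOMENTUM_DELAY_S
    timeline.append((t, "riser pressures compared"))
    if riser_a_psig - riser_b_psig > LOOP_A_MARGIN_PSI:
        selected, other = "A", "B"
    else:
        # Default choice. Applying the short delay on this branch only is
        # this example's reading of the text.
        t += DEFAULT_DELAY_S
        selected, other = "B", "A"
    timeline.append((t, "loop %s selected for injection" % selected))
    actions = {
        "recirc_discharge_valve_" + selected: "close",
        "lpci_injection_valve_" + selected: "open",
        "lpci_injection_valve_" + other: "close",
    }
    return selected, t, actions, timeline


if __name__ == "__main__":
    # Constructed cases: (pump A, pump B, riser A psig, riser B psig, dome ok at s)
    cases = [
        (True, True, 980.0, 1000.0, 0.0),     # loop A lower: inject to B
        (True, True, 1000.0, 980.0, 0.0),     # loop B lower: inject to A
        (True, True, 1000.5, 1000.0, 0.0),    # within 1 psi: default to B
        (True, False, 1000.0, 980.0, 12.0),   # single loop operation
    ]
    for case in cases:
        selected, elapsed, actions, timeline = loop_select(*case)
        print(case, "->", selected, elapsed, actions)
        for when, what in timeline:
            print("   %5.1f s  %s" % (when, what))
```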

High Pressure Coolant Injection System

The HPCI System may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low or Drywell Pressure - High. The Reactor Vessel Water Level - Low Low variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. The Drywell Pressure - High variable is monitored by four switches. The outputs of the switches are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

The HPCI pump discharge flow is monitored by a flow switch. When an initiation signal is present (Reactor Vessel Water Level - Low Low or Drywell Pressure - High) and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened.

The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the accident analysis.

The HPCI test line return valves to the condensate storage tanks (CSTs) are closed upon receipt of a HPCI initiation signal to allow the full system flow assumed in the accident analysis.

The HPCI System also monitors the water levels in the two CSTs and the suppression pool because these are the two sources of water for HPCI operation. Reactor grade water in the CSTs is the normal source. Upon receipt of a HPCI initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless both suppression pool suction valves are open. If the water level in any CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes.

Two level switches are used to detect low water level in the CST (one on each CST). Either switch can cause the suppression pool suction valves to open and the CST suction valve to close. The suppression pool suction valves also automatically open and the CST suction valve closes if high water level is detected in the suppression pool (one-out-of-two logic). To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be open before the other automatically closes.

The HPCI System provides makeup water to the reactor until the reactor vessel water level reaches the Reactor Vessel Water Level - High trip, at which time the HPCI turbine trips, which causes the turbine's stop valve to close. The logic is two-out-of-two to provide high reliability of the HPCI System. The HPCI System automatically restarts if a Reactor Vessel Water Level - Low Low signal is subsequently received.

Automatic Depressurization System

The ADS may be initiated by either automatic or manual means, although manual initiation requires manipulation of each individual ADS valve control switch. Automatic initiation occurs when signals indicating Reactor Vessel Water Level - Low Low and CS or LPCI Pump Discharge Pressure - High are all present and the ADS Initiation Timer has timed out. There are two transmitters that monitor Reactor Vessel Water Level - Low Low in each of the two ADS trip systems. Each of these transmitters connects to a trip unit, which then drives a relay whose contacts form the initiation logic.

Each ADS trip system includes a time delay between satisfying the initiation logic and the actuation of the ADS valves. The ADS Initiation Timer time delay setpoint is chosen to be long enough that the HPCI has sufficient operating time to recover to a level above Low Low, yet not so long that the LPCI and CS Systems are unable to adequately cool the fuel if the HPCI fails to maintain that level. An alarm in the control room is annunciated when either of the timers is timing. Resetting the ADS initiation signals resets the ADS Initiation Timers.

The ADS also monitors the discharge pressures of the four LPCI pumps and the two CS pumps. Each ADS trip system includes two discharge pressure permissive switches from all CS and LPCI pumps. However, only the switches from the pumps in the associated division are required to be OPERABLE for each trip system (i.e., Division 1 CS A and LPCI subsystems A and C input to ADS trip system A, and Division 2 CS B and LPCI subsystems B and D input to ADS trip system B). The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has depressurized the vessel.

Any one of the six low pressure pumps is sufficient to permit automatic depressurization.

The ADS logic in each trip system is arranged in two strings. Each string has a contact from Reactor Vessel Water Level - Low Low. Each string also has a contact that represents a CS or LPCI pump discharge pressure signal. All contacts in both logic strings must close and the ADS initiation timer must time out to initiate an ADS trip system. Either the A or B trip system will cause all the ADS relief valves to open. The Reactor Vessel Water Level - Low Low signal in one string will seal in once both the Reactor Vessel Water Level - Low Low signal and the associated CS or LPCI pump discharge pressure signal are present. The other Reactor Vessel Water Level - Low Low signal in the other string will seal in once both the Reactor Vessel Water Level - Low Low signal and the associated CS or LPCI pump discharge pressure signal are present and the ADS Initiation timer has timed out. The signals can be manually reset.

Manual inhibit switches are provided in the control room for the ADS; however, their function is not required for ADS OPERABILITY (provided ADS is not inhibited when required to be OPERABLE).

Emergency Diesel Generators (EDGs)

The EDGs may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low or Drywell Pressure - High. The EDGs are also initiated upon loss of voltage signals. (Refer to the Bases for LCO 3.3.8.1, "Loss of Power (LOP) Instrumentation," for a discussion of these signals.) The Reactor Vessel Water Level - Low Low variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units.

The outputs of the four trip units are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two taken twice logic to initiate both EDGs. The Drywell Pressure - High variable is monitored by four switches. The outputs of the switches are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two taken twice logic to initiate both EDGs. The EDGs receive their initiation signals from the CS System initiation logic. The EDGs can also be started manually from the control room and locally from the associated EDG room. Upon receipt of a loss of coolant accident (LOCA) initiation signal, each EDG is automatically started, is ready to load in approximately 10 seconds, and will run in standby conditions (rated voltage and speed, with the EDG output breaker open).

The EDGs will only energize their respective 4.16 kV essential buses if a loss of offsite power occurs (Refer to Bases for LCO 3.3.8.1).

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY

The actions of the ECCS are explicitly assumed in the safety analyses of Reference 1. The ECCS is initiated to preserve the integrity of the fuel cladding by limiting the post LOCA peak cladding temperature to less than the 10 CFR 50.46 limits.

ECCS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.


The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Table 3.3.5.1-1 is modified by two footnotes. Footnote (a) is added to clarify that the associated functions are required to be OPERABLE in MODES 4 and 5 only when their supported ECCS are required to be OPERABLE per LCO 3.5.2, "ECCS - Shutdown." Footnote (b) is added to show that certain ECCS instrumentation Functions also perform EDG initiation.

Allowable Values are specified for each ECCS Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations.

The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values and nominal trip setpoints (NTSP) are derived, using the General Electric setpoint methodology guidance, as specified in the Monticello setpoint methodology. The Allowable Values are derived from the analytic limits. The difference between the analytic limit and the Allowable Value allows for channel instrument accuracy, calibration accuracy, process measurement accuracy, and primary element accuracy. The margin between the Allowable Value and the NTSP allows for instrument drift that might occur during the established surveillance period. Two separate verifications are performed for the calculated NTSP. The first, a Spurious Trip Avoidance Test, evaluates the impact of the NTSP on plant availability. The second verification, an LER Avoidance Test, calculates the probability of avoiding a Licensee Event Report (or exceeding the Allowable Value) due to instrument drift. These two verifications are statistical evaluations to provide additional assurance of the acceptability of the NTSP and may require changes to the NTSP. Use of these methods and verifications provides the assurance that if the setpoint is found conservative to the Allowable Value during surveillance testing, the instrumentation would have provided the required trip function by the time the process reached the analytic limit for the applicable events.

In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or EDG) initiation to mitigate the consequences of a design basis transient or accident. To ensure reliable ECCS and EDG function, a combination of Functions is required to provide primary and secondary initiation signals.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

Core Spray and Low Pressure Coolant Injection Systems

1.a, 2.a. Reactor Vessel Water Level - Low Low

Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The low pressure ECCS and associated EDGs are initiated at Low Low to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The Reactor Vessel Water Level - Low Low is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in Reference 2. In addition, the Reactor Vessel Water Level - Low Low Function is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level - Low Low signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level - Low Low Allowable Value is chosen to allow time for the low pressure core flooding systems to activate and provide adequate cooling.

Four channels of CS Reactor Vessel Water Level - Low Low Function are only required to be OPERABLE when CS and the EDGs are required to be OPERABLE to ensure that no single instrument failure can preclude CS and EDG initiation. Four channels of the LPCI Reactor Vessel Water Level - Low Low Function are only required to be OPERABLE when LPCI is required to be OPERABLE to ensure that no single instrument failure can preclude LPCI initiation. Per Footnote (a) to Table 3.3.5.1-1, these ECCS Functions are only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems; LCO 3.8.1, "AC Sources - Operating," and LCO 3.8.2, "AC Sources - Shutdown," for Applicability Bases for the EDGs.

1.b, 2.b. Drywell Pressure - High

High pressure in the drywell could indicate a break in the reactor coolant pressure boundary (RCPB). The low pressure ECCS and associated EDGs are initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage. The Drywell Pressure - High Function, along with the Reactor Water Level - Low Low Function, is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure switches that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

The Drywell Pressure - High Function is required to be OPERABLE when the ECCS or EDG is required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the CS and LPCI Drywell Pressure - High Functions are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude ECCS and EDG initiation. In MODES 4 and 5, the Drywell Pressure - High Functions are not required, since there is insufficient energy in the reactor to pressurize the primary containment to Drywell Pressure - High setpoint. Refer to LCO 3.5.1 for Applicability Bases for the low pressure ECCS subsystems and to LCO 3.8.1 for Applicability Bases for the EDGs.

1.c, 2.c. Reactor Steam Dome Pressure - Low (Injection Permissive)

Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS subsystems. This ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure. The Reactor Steam Dome Pressure - Low (Injection Permissive) is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in Reference 2. In addition, the Reactor Steam Dome Pressure - Low (Injection Permissive) Function is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

The Reactor Steam Dome Pressure - Low (Injection Permissive) signals are initiated from two pressure switches (shared by both CS and LPCI) that sense the reactor dome pressure.

The Allowable Value is low enough to prevent overpressurizing the equipment in the low pressure ECCS, but high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46.

Two channels of CS Reactor Steam Dome Pressure - Low (Injection Permissive) Function are only required to be OPERABLE when CS is required to be OPERABLE to ensure that no single instrument failure can preclude CS initiation. Two channels of the LPCI Reactor Steam Dome Pressure - Low (Injection Permissive) Function are only required to be OPERABLE when LPCI is required to be OPERABLE to ensure that no single instrument failure can preclude LPCI initiation. Per Footnote (a) to Table 3.3.5.1-1, these ECCS Functions are only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

1.d, 2.d. Reactor Steam Dome Pressure - Low (Pump Permissive)

Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS subsystems. These channels delay CS and LPCI pump starts on Reactor Vessel Water Level - Low Low until reactor steam dome pressure is below the setpoint. This ensures that, prior to starting the pumps of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure.

The Reactor Steam Dome Pressure - Low (Pump Permissive) is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in References 1 and 3. In addition, the Reactor Steam Dome Pressure - Low Function is directly assumed in the analysis of the recirculation line break (Ref. 2).

The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

The Reactor Steam Dome Pressure - Low signals are initiated from two pressure switches (shared by both CS and LPCI) that sense the reactor dome pressure.


The Allowable Value is high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46.

Two channels of CS Reactor Steam Dome Pressure - Low (Pump Permissive) Function are only required to be OPERABLE when the CS is required to be OPERABLE to ensure that no single instrument failure can preclude CS initiation. Two channels of LPCI Reactor Steam Dome Pressure - Low (Pump Permissive) Function are only required to be OPERABLE when the LPCI is required to be OPERABLE to ensure that no single instrument failure can preclude LPCI initiation. Per Footnote (a) to Table 3.3.5.1-1, these ECCS Functions are only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

1.e, 2.e. Reactor Steam Dome Pressure - Bypass Timer (Pump Permissive)

Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS subsystems. The Bypass Timer channels allow the CS and LPCI pumps to start on Reactor Vessel Water Level - Low Low after the time delay times out, even if the reactor steam dome pressure is above its permissive setpoint. This ensures that the pumps of the low pressure ECCS subsystems will start on a Reactor Vessel Water Level - Low Low signal after an 18 minute time delay (Refs. 7 and 8). The Reactor Steam Dome Pressure - Time Delay (Pump Permissive) is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in References 1 and 3. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

The Reactor Steam Dome Pressure - Bypass Timer (Pump Permissive) signals are initiated from four time delay relays.

The Allowable Value is long enough to provide sufficient time for the operator to inhibit any unnecessary ADS actuation, yet short enough to limit the peak cladding temperature to less than 2200°F.

Two channels of CS Reactor Steam Dome Pressure - Bypass Timer (Pump Permissive) Function are only required to be OPERABLE when the CS is required to be OPERABLE to ensure that no single instrument failure can preclude CS initiation. Two channels of LPCI Reactor Steam Dome Pressure - Bypass Timer (Pump Permissive) Function are only required to be OPERABLE when the LPCI is required to be OPERABLE to ensure that no single instrument failure can preclude LPCI initiation.

Per Footnote (a) to Table 3.3.5.1-1, these ECCS Functions are only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

1.f, 2.f. Core Spray and Low Pressure Coolant Injection Pump Start - Time Delay Relay

The purpose of the time delay relays is to stagger the start of the CS and LPCI pumps that are in each of Divisions 1 and 2, thus limiting the starting transients on the 4.16 kV essential buses. The CS and LPCI Pump Start - Time Delay Relays are assumed to be OPERABLE in the accident and transient analyses requiring ECCS initiation. That is, the analyses assume that the pumps will initiate when required and excess loading will not cause failure of the power sources.

There are two CS Pump Start - Time Delay Relay channels, one in each of the CS pump start logic circuits. While each CS pump time delay relay is dedicated to a single pump start logic, a single failure of a CS Pump Start - Time Delay Relay channel could result in the failure of the three low pressure ECCS pumps, powered from the same 4.16 kV essential bus, to perform their intended function (e.g., as in the case where two ECCS pumps on one 4.16 kV essential bus start simultaneously due to an inoperable time delay relay). This still leaves three of the six low pressure ECCS pumps OPERABLE; thus, the single failure criterion is met (i.e., loss of one instrument does not preclude ECCS initiation).

Sixteen Low Pressure Coolant Injection Pump Start - Time Delay Relay channels, four in each of the LPCI pump start logic circuits, are required to be OPERABLE to ensure that no single instrument failure can preclude the associated LPCI pump start. The Allowable Values for the CS and LPCI Pump Start - Time Delay Relays are chosen short enough so that ECCS operation is not degraded.

Each CS and LPCI Pump Start - Time Delay Relay Function is required to be OPERABLE only when the associated ECCS subsystem is required to be OPERABLE. Per Footnote (a) to Table 3.3.5.1-1, these ECCS Functions are only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the LPCI subsystems.

2.g. Low Pressure Coolant Injection Pump Discharge Flow - Low (Bypass)

The minimum flow instruments are provided to protect the associated LPCI pump from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The LPCI Pump Discharge Flow - Low (Bypass) Function is assumed to be OPERABLE and capable of closing the minimum flow valves to ensure that the LPCI flows assumed during the transients and accidents analyzed in References 1 and 2 are met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

One flow switch per LPCI pump is used to detect the associated subsystems' flow rates. The logic is arranged such that each switch causes its associated minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded. The LPCI minimum flow valves are time delayed such that the valves will not open for 10 seconds after the pump start. This delay can reduce the reactor vessel inventory loss (to the suppression pool) during the startup of the RHR pump while aligned in the shutdown cooling mode, since it provides time (prior to opening the minimum flow valve) to manually increase RHR flow above the minimum flow closure setpoint. The LPCI Pump Discharge Flow - Low (Bypass) Allowable Values are high enough to ensure that the pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core.

Each channel of LPCI Pump Discharge Flow - Low (Bypass) Function (four LPCI channels) is only required to be OPERABLE when the associated LPCI pump is required to be OPERABLE to ensure that no single instrument failure can preclude the LPCI function. Per Footnote (a) to Table 3.3.5.1-1, this LPCI Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated LPCI pump is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the LPCI subsystems.

2.h, 2.k. Reactor Steam Dome Pressure - Low (Break Detection) and Reactor Steam Dome Pressure - Time Delay Relay (Break Detection)

The purpose of the Reactor Steam Dome Pressure - Low (Break Detection) and Reactor Steam Dome Pressure - Time Delay Relay (Break Detection) Functions is to optimize the LPCI Loop Select Logic sensitivity if the logic previously actuated recirculation pump trips. This is accomplished by preventing the logic from continuing on to the unbroken loop selection activity until reactor steam dome pressure has dropped below a specified value. These Functions are only required to be OPERABLE for the DBA LOCA analysis, i.e., if the break location is in the recirculation system suction piping (Ref. 2). For a DBA LOCA, the analysis assumes that the LPCI Loop Select Logic successfully identifies and directs LPCI flow to the unbroken recirculation loop so that core reflooding is accomplished in time to ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. For other LOCA events (i.e., non-DBA recirculation system pipe breaks), or other RPV pipe breaks, the success of the Loop Select Logic is less critical than for the DBA.

Reactor Steam Dome Pressure - Low (Break Detection) signals are initiated from four pressure switches that sense the reactor steam dome pressure. Reactor Steam Dome Pressure - Time Delay Relay (Break Detection) signals are initiated from two time delay relays.

The Reactor Steam Dome Pressure - Low (Break Detection) Allowable Value is chosen to allow for coastdown of any recirculation pump which has just tripped, thus optimizing the sensitivity of the LPCI Loop Select Logic while ensuring that LPCI injection is not delayed. The Reactor Steam Dome Pressure - Time Delay Relay (Break Detection) Allowable Value is chosen to allow momentum effects to establish the maximum differential pressure for break detection.

Four channels of the Reactor Steam Dome Pressure - Low (Break Detection) Function and two channels of the Reactor Steam Dome Pressure - Time Delay Relay (Break Detection) Function are only required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single failure can prevent the LPCI Loop Select Logic from successfully selecting the unbroken recirculation loop for LPCI injection. These Functions are not required to be OPERABLE in MODES 4 and 5 because, in those MODES, the loop for selection is controlled by plant operating procedures, which ensure an OPERABLE LPCI flow path.

2.i, 2.l. Recirculation Pump Differential Pressure - High (Break Detection) and Recirculation Pump Differential Pressure - Time Delay Relay (Break Detection)

Recirculation pump differential pressure signals are used by the LPCI Loop Select Logic to determine if either recirculation pump is running. If either pump is not running, i.e., single loop operation, the logic, after a short time delay, sends a trip signal to both recirculation pumps. This is necessary to eliminate the possibility of small pipe breaks being masked by a running recirculation pump. These Functions are only required to be OPERABLE for the DBA LOCA analysis, i.e., if the break location is in the recirculation system suction piping (Ref. 2). For a DBA LOCA, the analysis assumes that the LPCI Loop Select Logic successfully identifies and directs LPCI flow to the unbroken recirculation loop so that core reflooding is accomplished in time to ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. For other LOCA events (i.e., non-DBA recirculation system pipe breaks or other RPV pipe breaks), the success of the Loop Select Logic is less critical than for the DBA.

Recirculation Pump Differential Pressure - High (Break Detection) signals are initiated from eight differential pressure switches, four of which sense the pressure differential between the suction and discharge of each recirculation pump. Recirculation Pump Differential Pressure - Time Delay Relay (Break Detection) signals are initiated by two time delay relays.

The Recirculation Pump Differential Pressure - High (Break Detection) Allowable Value is chosen to be as low as possible, while still maintaining the ability to differentiate between a running and non-running recirculation pump. Recirculation Pump Differential Pressure - Time Delay Relay (Break Detection) Allowable Value is chosen to allow enough time to determine the status of the operating conditions of the recirculation pumps.

Eight channels of the Recirculation Pump Differential Pressure - High (Break Detection) Function and two channels of the Recirculation Pump Differential Pressure - Time Delay Relay (Break Detection) Function are only required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single failure can prevent the LPCI Loop Select Logic from successfully determining if either recirculation pump is running. This Function is not required to be OPERABLE in MODES 4 and 5 because, in those MODES, the loop for selection is controlled by plant operating procedures, which ensure an OPERABLE LPCI flow path.

2.j, 2.m. Recirculation Riser Differential Pressure - High (Break Detection) and Recirculation Riser Differential Pressure - Time Delay Relay (Break Detection)

Recirculation riser differential pressure signals are used by the LPCI Loop Select Logic to determine which, if any, recirculation loop is broken. This is accomplished by comparing the pressure of the two recirculation loops. A broken loop will be indicated by a lower pressure than an unbroken loop. The loop with the higher pressure is then selected, after a short delay, for LPCI injection. If neither loop is broken, the logic defaults to injecting into the "B" recirculation loop. These Functions are only required to be OPERABLE for the DBA LOCA analysis, i.e., if the break location is in the recirculation system suction piping (Ref. 2). For a DBA LOCA, the analysis assumes that the LPCI Loop Select Logic successfully identifies and directs LPCI flow to the unbroken recirculation loop, so that core reflooding is accomplished in time to ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. For other LOCA events (i.e., non-DBA recirculation system pipe breaks), or other RPV pipe breaks, the success of the Loop Select Logic is less critical than for the DBA.

Recirculation Riser Differential Pressure - High (Break Detection) signals are initiated from four differential pressure switches that sense the pressure differential between the A recirculation loop riser and the B recirculation loop riser. If, after a small time delay, the pressure in loop A is not indicating higher than loop B pressure, the logic will select the B loop for injection. If recirculation loop A pressure is indicating higher than loop B pressure, the logic will select the A loop for LPCI injection.

Recirculation Riser Differential Pressure - Time Delay Relay (Break Detection) signals are initiated by two time delay relays.

The Recirculation Riser Differential Pressure - High (Break Detection) Allowable Value is chosen to be as low as possible, while still maintaining the ability to differentiate between a broken and unbroken recirculation loop. The Recirculation Riser Differential Pressure - Time Delay Relay (Break Detection) Allowable Value is chosen to provide a sufficient amount of time to determine which loop is broken.

Four channels of the Recirculation Riser Differential Pressure - High (Break Detection) Function and two channels of the Recirculation Riser Differential Pressure - Time Delay Relay (Break Detection) Function are only required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single failure can prevent the LPCI Loop Select Logic from successfully selecting the unbroken recirculation loop for LPCI injection. This Function is not required to be OPERABLE in MODES 4 and 5 because, in those MODES, the loop for selection is controlled by plant operating procedures, which ensure an OPERABLE LPCI flow path.

HPCI System

3.a. Reactor Vessel Water Level - Low Low

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCI System is initiated at Low Low to maintain level above the top of the active fuel. The Reactor Vessel Water Level - Low Low is one of the Functions assumed to be OPERABLE and capable of initiating HPCI during the transients analyzed in Reference 2.

Additionally, the Reactor Vessel Water Level - Low Low Function associated with HPCI along with the Drywell Pressure - High Function is directly assumed in the analysis of the recirculation line break (Ref. 1).

The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level - Low Low signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level - Low Low Allowable Value is high enough such that for complete loss of feedwater flow when the reactor vessel is isolated, the Reactor Core Isolation Cooling (RCIC) System flow with HPCI assumed to fail will be sufficient to avoid injection of low pressure ECCS.

Four channels of Reactor Vessel Water Level - Low Low Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation.

Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.b. Drywell Pressure - High

High pressure in the drywell could indicate a break in the RCPB. The HPCI System is initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage. The Drywell Pressure - High Function, along with the Reactor Vessel Water Level - Low Low Function, is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure switches that sense drywell pressure. The Allowable Value was selected to be as low as possible to be indicative of a LOCA inside primary containment.

Four channels of the Drywell Pressure - High Function are required to be OPERABLE when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for the Applicability Bases for the HPCI System.

3.c. Reactor Vessel Water Level - High

High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Reactor Vessel Water Level - High signal is used to trip the HPCI turbine to prevent overflow into the main steam lines (MSLs). The Reactor Vessel Water Level - High Function is not assumed in the accident and transient analyses. It was retained since it is a potentially significant contributor to risk.

Reactor Vessel Water Level - High signals for HPCI are initiated from two level transmitters from the narrow range water level measurement instrumentation. Both signals are required in order to close the HPCI turbine's stop valve. This ensures that no single instrument failure can preclude HPCI initiation. The Reactor Vessel Water Level - High Allowable Value is chosen to prevent flow from the HPCI System from overflowing into the MSLs.

Two channels of Reactor Vessel Water Level - High Function are required to be OPERABLE only when HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.d. Condensate Storage Tank Level - Low

Low level in a CST indicates the unavailability of an adequate supply of makeup water from this normal source. Normally the suction valves between HPCI and the CSTs are open and, upon receiving a HPCI initiation signal, water for HPCI injection would be taken from all aligned CSTs. However, if the water level in any CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the HPCI pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CSTs suction valve automatically closes. The Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.

Condensate Storage Tank Level - Low signals are initiated from two level switches (normally one associated with each CST). The logic is arranged such that either level switch can cause the suppression pool suction valves to open and the CSTs suction valve to close. The Condensate Storage Tank Level - Low Function Allowable Value is high enough to ensure adequate pump suction head while water is being taken from the CSTs. The Allowable Value is referenced from the bottom of the tank.

Two channels of the Condensate Storage Tank Level - Low Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.e. Suppression Pool Water Level - High

Excessively high suppression pool water could result in the loads on the suppression pool exceeding design values should there be a blowdown of the reactor vessel pressure through the safety/relief valves. Therefore, signals indicating high suppression pool water level are used to transfer the suction source of HPCI from the CSTs to the suppression pool to eliminate the possibility of HPCI continuing to provide additional water from a source outside containment. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CSTs suction valve automatically closes. This Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.

Suppression Pool Water Level - High signals are initiated from two level switches. The logic is arranged such that either switch can cause the suppression pool suction valves to open and the CSTs suction valve to close. The Allowable Value for the Suppression Pool Water Level - High Function is chosen to ensure that HPCI will be aligned for suction from the suppression pool before the water level reaches the point at which suppression pool design loads would be exceeded.

Two channels of Suppression Pool Water Level - High Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.
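The suction transfer described in 3.d and 3.e can be stepped through in a small simulation. This is an added Python sketch, not part of the Bases or of any plant software; the number of suppression pool suction valves (two), the four-step valve stroke, the stuck-valve fault and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

STROKE = 4  # constructed valve stroke time, in simulation steps (assumption)


@dataclass
class Valve:
    position: int        # 0 = fully closed, STROKE = fully open
    stuck: bool = False  # constructed fault: the actuator does not move

    def drive(self, open_cmd: bool) -> None:
        """Move one step toward the commanded end position."""
        if self.stuck:
            return
        if open_cmd and self.position < STROKE:
            self.position += 1
        elif not open_cmd and self.position > 0:
            self.position -= 1

    @property
    def fully_open(self) -> bool:
        return self.position == STROKE


def transfer_demand(cst_low, pool_high):
    """Either switch of either Function demands the swap (text of 3.d and 3.e)."""
    return any(cst_low) or any(pool_high)


def simulate(cst_low, pool_high, steps=12, pool_valves_stuck=False):
    """Return a trace of (least-open pool valve position, CST valve position)."""
    # Two suppression pool suction valves is an assumption; the text only
    # says "valves". They start closed, the CST suction valve starts open.
    pool = [Valve(0, pool_valves_stuck), Valve(0, pool_valves_stuck)]
    cst = Valve(STROKE)
    trace = []
    for _ in range(steps):
        if transfer_demand(cst_low, pool_high):
            for valve in pool:
                valve.drive(open_cmd=True)
            # Interlock: the CST valve gets a close signal only once the
            # suppression pool suction valves are proven fully open.
            if all(valve.fully_open for valve in pool):
                cst.drive(open_cmd=False)
        trace.append((min(v.position for v in pool), cst.position))
    return trace


def interlock_respected(trace):
    """CST valve is off its open seat only while pool suction is fully open."""
    return all(cst == STROKE or pool == STROKE for pool, cst in trace)


def suction_available(trace):
    """At every step at least one suction path is at least partly open."""
    return all(pool > 0 or cst > 0 for pool, cst in trace)
```

With the suppression pool valves stuck closed, the trace stays at `(0, STROKE)`: the swap never completes, but the pump keeps its CST suction path, which is the behaviour the interlock is there to guarantee.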

3.f. High Pressure Coolant Injection Pump Discharge Flow - Low (Bypass)

The minimum flow instruments are provided to protect the HPCI pump from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The High Pressure Coolant Injection Pump Discharge Flow - Low (Bypass) Function is assumed to be OPERABLE and capable of closing the minimum flow valve to ensure that the ECCS flow assumed during the transients and accidents analyzed in References 1 and 2 is met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

One flow switch is used to detect the HPCI System's flow rate. The logic is arranged such that the switch causes the minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded.

The High Pressure Coolant Injection Pump Discharge Flow - Low (Bypass) Allowable Value is high enough to ensure that pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core.

One channel is required to be OPERABLE when the HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

Automatic Depressurization System

4.a, 5.a. Reactor Vessel Water Level - Low Low

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function. The Reactor Vessel Water Level - Low Low is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accident analyzed in Reference 1. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level - Low Low signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low Function are required to be OPERABLE only when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

The Reactor Vessel Water Level - Low Low Allowable Value is chosen to allow time for the low pressure core flooding systems to initiate and provide adequate cooling.

4.b, 5.b. Automatic Depressurization System Initiation Timer

The purpose of the Automatic Depressurization System Initiation Timer is to delay depressurization of the reactor vessel to allow the HPCI System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited. By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCI System to maintain water level, and then to decide whether to allow ADS to automatically initiate or to delay or inhibit ADS initiation. The Automatic Depressurization System Initiation Timer Function is assumed to be OPERABLE for the accident analyses of Reference 1 that require ECCS initiation and assume failure of the HPCI System.

There are two Automatic Depressurization System Initiation Timer relays, one in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Initiation Timer is chosen so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.

Two channels of the Automatic Depressurization System Initiation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.c, 4.d, 5.c, 5.d. Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure - High

The Pump Discharge Pressure - High signals from the CS and LPCI pumps are used as permissives for ADS initiation, indicating that there is a source of low pressure cooling water available once the ADS has depressurized the vessel. Pump Discharge Pressure - High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in Reference 1 with an assumed HPCI failure. For these events the ADS depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling functions. This core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Pump discharge pressure signals are initiated from twelve pressure switches, two on the discharge side of each of the six low pressure ECCS pumps. In order to generate an ADS permissive in one trip system, it is necessary that only one pump (both channels for the pump) indicate the high discharge pressure condition. The Pump Discharge Pressure - High Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any condition that results in a discharge pressure permissive when the CS and LPCI pumps are aligned for injection and the pumps are not running.

The actual operating point of this function is not assumed in any transient or accident analysis.

Twelve channels of Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure - High Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two CS channels associated with CS pump A and four LPCI channels associated with LPCI pumps A and C are required for trip system A. Two CS channels associated with CS pump B and four LPCI channels associated with LPCI pumps B and D are required for trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.
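The pump discharge pressure permissive above is a two-out-of-two vote per pump, combined one-out-of-three across the pumps of a trip system. The following added Python sketch (not part of the Bases or of any plant software) enumerates single channel failures against that logic; the stuck-low and stuck-high fault model, the pump labels and all function names are assumptions made for illustration.

```python
from itertools import combinations

# Channel assignment as stated in the text: two pressure switches per pump,
# CS pump A and LPCI pumps A and C feed trip system A, CS pump B and
# LPCI pumps B and D feed trip system B.
TRIP_SYSTEMS = {
    "A": ("CS-A", "LPCI-A", "LPCI-C"),
    "B": ("CS-B", "LPCI-B", "LPCI-D"),
}
CHANNELS_PER_PUMP = 2


def channels(trip_system):
    """All (pump, channel index) pairs feeding one ADS trip system."""
    return [(pump, n) for pump in TRIP_SYSTEMS[trip_system]
            for n in range(CHANNELS_PER_PUMP)]


def readings(trip_system, running, stuck=None):
    """Channel states: True when the switch indicates high discharge pressure.

    A healthy channel reads high exactly when its pump is running;
    `stuck` maps a channel to a forced reading (hypothetical fault model).
    """
    stuck = stuck or {}
    return {ch: stuck.get(ch, ch[0] in running) for ch in channels(trip_system)}


def permissive(trip_system, high):
    """Permissive exists when any one pump has both of its channels high."""
    return any(all(high[(pump, n)] for n in range(CHANNELS_PER_PUMP))
               for pump in TRIP_SYSTEMS[trip_system])


def blocking_failures(trip_system, running):
    """Single stuck-low channels that remove the permissive."""
    return [ch for ch in channels(trip_system)
            if not permissive(trip_system,
                              readings(trip_system, running, {ch: False}))]


def spurious_failures(trip_system, running=frozenset()):
    """Single stuck-high channels that create a permissive with pumps idle."""
    return [ch for ch in channels(trip_system)
            if permissive(trip_system,
                          readings(trip_system, running, {ch: True}))]


def min_running_for_single_failure_tolerance(trip_system):
    """Fewest running pumps for which no single stuck-low channel blocks."""
    pumps = TRIP_SYSTEMS[trip_system]
    for k in range(1, len(pumps) + 1):
        if all(not blocking_failures(trip_system, set(combo))
               for combo in combinations(pumps, k)):
            return k
    return None
```

Under this fault model, the two-out-of-two vote per pump prevents any single stuck-high switch from producing a permissive with the pumps idle, and a single stuck-low switch is tolerated once two pumps in the trip system are running.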

ACTIONS

A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ECCS instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel.

A.1

Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.1-1. The applicable Condition referenced in the Table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

B.1, B.2, and B.3

Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action B.1 features would be those that are initiated by Functions 1.a, 1.b, 2.a, 2.b, 2.f, 2.h, and 2.k (i.e., low pressure ECCS and associated EDG). The Required Action B.2 system would be HPCI. For Required Action B.1, redundant automatic initiation capability is lost if: (a) two or more Function 1.a channels are inoperable and untripped such that both trip systems lose initiation capability; (b) two or more Function 2.a channels are inoperable and untripped such that both trip systems lose initiation capability; (c) two or more Function 1.b channels are inoperable and untripped such that both trip systems lose initiation capability; (d) two or more Function 2.b channels are inoperable and untripped such that both trip systems lose initiation capability; (e) two or more Function 2.f channels are inoperable and untripped such that one or more pumps in both LPCI subsystems lose initiation (i.e., time delay) capability; (f) two or more Function 2.h channels are inoperable and untripped such that both trip systems lose initiation capability; or (g) two Function 2.k channels are inoperable and untripped. For low pressure ECCS, since each inoperable channel would have Required Action B.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system of low pressure ECCS and EDGs to be declared inoperable. However, since channels in both associated low pressure ECCS subsystems (e.g., both CS subsystems) are inoperable and untripped, and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in the associated low pressure ECCS and EDGs being concurrently declared inoperable.

For Required Action B.2, redundant automatic initiation capability is lost if two Function 3.a or two Function 3.b channels are inoperable and untripped in the same trip system (a trip system in this case is defined as channels associated with the parallel level in the logic arrangement).

In this situation (loss of redundant automatic initiation capability), the 24 hour allowance of Required Action B.3 is not appropriate and the feature(s) associated with the inoperable, untripped channels must be declared inoperable within 1 hour. As noted (Note 1 to Required Action B.1), Required Action B.1 is only applicable in MODES 1, 2, and 3.

In MODES 4 and 5, the specific initiation time of the low pressure ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 24 hours (as allowed by Required Action B.3) is allowed during MODES 4 and 5. There is no similar Note provided for Required Action B.2 since HPCI instrumentation is not required in MODES 4 and 5; thus, a Note is not necessary. Notes are also provided (Note 2 to Required Action B.1 and the Note to Required Action B.2) to delineate which Required Action is applicable for each Function that requires entry into Condition B if an associated channel is inoperable. This ensures that the proper loss of initiation capability check is performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that a redundant feature in the same system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable, untripped channels within the same Function as described in the paragraph above. For Required Action B.2, the Completion Time only begins upon discovery that the HPCI System cannot be automatically initiated due to two inoperable, untripped channels for the associated Function in the same trip system. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation or as in the case where placing an inoperable channel in trip would result in an immediate initiation without time delay when an initiation signal is received), Condition H must be entered and its Required Action taken.

C.1 and C.2 Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in redundant automatic initiation capability being lost for the feature(s).

Required Action C.1 features would be those that are initiated by Functions 1.c, 1.d, 1.e, 1.f, 2.c, 2.d, 2.e, 2.i, 2.j, 2.l, and 2.m (i.e., low pressure ECCS). Redundant automatic initiation capability is lost if:

(a) two Function 1.c channels are inoperable; (b) two Function 2.c channels are inoperable; (c) two Function 1.d channels are inoperable; (d) two Function 2.d channels are inoperable; (e) two Function 1.e channels are inoperable; (f) two Function 2.e channels are inoperable; (g) two Function 1.f channels are inoperable; (h) two or more Function 2.i channels associated with a recirculation pump are inoperable such that both trip systems lose initiation capability; (i) two or more Function 2.j channels are inoperable such that both trip systems lose initiation capability; (j) two Function 2.l channels are inoperable; or (k) two Function 2.m channels are inoperable. Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system to be declared inoperable. However, since channels for both low pressure ECCS subsystems are inoperable (e.g., both CS subsystems), and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in both subsystems being concurrently declared inoperable. For these Functions the affected portions are the associated low pressure ECCS pumps.

In this situation (loss of redundant automatic initiation capability), the 24 hour allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable within 1 hour. As noted (Note 1), Required Action C.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of automatic initiation capability for 24 hours (as allowed by Required Action C.2) is allowed during MODES 4 and 5.

Note 2 states that Required Action C.1 is only applicable for Functions 1.c, 1.d, 1.e, 1.f, 2.c, 2.d, 2.e, 2.i, 2.j, 2.l, and 2.m. Required Action C.1 is not applicable to Function 3.c (which also requires entry into this Condition if a channel in this Function is inoperable), since the loss of one channel results in a loss of the Function (two-out-of-two logic). This loss was considered during the development of Reference 3 and considered acceptable for the 24 hours allowed by Required Action C.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action C.1, the Completion Time only begins upon discovery that the same feature in both subsystems (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would either cause the initiation or it would not necessarily result in a safe state for the channel in all events.

D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic component initiation capability for the HPCI System. Automatic component initiation capability is lost if two Function 3.d channels or two Function 3.e channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour allowance of Required Actions D.2.1 and D.2.2 is not appropriate and the HPCI System must be declared inoperable within 1 hour after discovery of loss of HPCI initiation capability. As noted, Required Action D.1 is only applicable if the HPCI pump suction is not aligned to the suppression pool, since, if aligned, the Function is already performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the HPCI System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1 or the suction source must be aligned to the suppression pool per Required Action D.2.2. Placing the inoperable channel in trip performs the intended function of the channel (shifting the suction source to the suppression pool). Performance of either of these two Required Actions will allow operation to continue. If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the HPCI System piping remains filled with water.

Alternately, if it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the HPCI suction piping), Condition H must be entered and its Required Action taken.

E.1 and E.2 Required Action E.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the Low Pressure Coolant Injection Pump Discharge Flow - Low (Bypass) Function result in redundant automatic initiation capability being lost for the feature(s). For Required Action E.1, the features would be those that are initiated by Function 2.g (i.e., LPCI). Redundant automatic initiation capability is lost if one or more Function 2.g channels associated with pumps in LPCI subsystem A and one or more Function 2.g channels associated with pumps in LPCI subsystem B are inoperable. Since each inoperable channel would have Required Action E.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected LPCI pump to be declared inoperable. However, since channels for more than one LPCI pump are inoperable, and the Completion Times started concurrently for the channels of the LPCI pumps, this results in the affected ECCS pumps being concurrently declared inoperable.

In this situation (loss of redundant automatic initiation capability), the 7 day allowance of Required Action E.2 is not appropriate and the subsystem associated with each inoperable channel must be declared inoperable within 1 hour. As noted (Note 1 to Required Action E.1), Required Action E.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 7 days (as allowed by Required Action E.2) is allowed during MODES 4 and 5. A Note is also provided (Note 2 to Required Action E.1) to delineate that Required Action E.1 is only applicable to the LPCI Function. Required Action E.1 is not applicable to HPCI Function 3.f since the loss of one channel results in a loss of the Function (one-out-of-one logic). This loss was considered during the development of Reference 3 and considered acceptable for the 7 days allowed by Required Action E.2. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action E.1, the Completion Time only begins upon discovery that a redundant feature in the same system (i.e., both LPCI subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

If the instrumentation that controls the pump minimum flow valve is inoperable, such that the valve will not automatically open, extended pump operation with no injection path available could lead to pump overheating and failure. If there were a failure of the instrumentation, such that the valve would not automatically close, a portion of the pump flow could be diverted from the reactor vessel injection path, causing insufficient core cooling. These consequences can be averted by the operator's manual control of the valve, which would be adequate to maintain ECCS pump protection and required flow. Furthermore, other ECCS pumps would be sufficient to complete the assumed safety function if no additional single failure were to occur. The 7 day Completion Time of Required Action E.2 to restore the inoperable channel to OPERABLE status is reasonable based on the remaining capability of the associated ECCS subsystems, the redundancy available in the ECCS design, and the low probability of a DBA occurring during the allowed out of service time. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

F.1 and F.2 Required Action F.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system A and B Functions result in redundant automatic initiation capability being lost for the ADS. Redundant automatic initiation capability is lost if one Function 4.a channel and one Function 5.a channel are inoperable and untripped.

In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action F.2 is not appropriate and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE. If either HPCI or RCIC is inoperable, the time is shortened to 96 hours. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable, untripped channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action F.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.

G.1 and G.2 Required Action G.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS.

Automatic initiation capability is lost if either: (a) one Function 4.b channel and one Function 5.b channel are inoperable; or (b) a combination of Functions 4.c, 4.d, 5.c, and 5.d channels are inoperable such that channels associated with five or more low pressure ECCS pumps are inoperable.

In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action G.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action G.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE (Required Action G.2). If either HPCI or RCIC is inoperable, the time shortens to 96 hours. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.
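The clock rule stated for Required Actions F.2 and G.2 (8 days, shortened to 96 hours while HPCI or RCIC is inoperable, and never more than 8 days in total) can be written out as a small calculation. The following is an added illustration, not part of the Bases or of any plant procedure; the `StatusChange` record, the function names, the sample dates, and the treatment of HPCI or RCIC already being inoperable when the channel is discovered are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

EIGHT_DAYS = timedelta(days=8)          # both HPCI and RCIC OPERABLE
NINETY_SIX_HOURS = timedelta(hours=96)  # either HPCI or RCIC inoperable


@dataclass(frozen=True)
class StatusChange:
    """Discovery of a new HPCI/RCIC status (hypothetical record type)."""
    at: datetime
    hpci_operable: bool
    rcic_operable: bool


def _deadline(channel_discovered: datetime,
              short_clock_start: Optional[datetime]) -> datetime:
    # The 8 day clock always runs from discovery of the inoperable channel,
    # and it also caps any 96 hour clock that starts later.
    cap = channel_discovered + EIGHT_DAYS
    if short_clock_start is None:
        return cap
    return min(short_clock_start + NINETY_SIX_HOURS, cap)


def deadline_timeline(channel_discovered: datetime,
                      changes: Iterable[StatusChange]
                      ) -> List[Tuple[datetime, datetime]]:
    """Return (event time, deadline then in effect) for each step.

    Models only the clock; it assumes the channel stays inoperable
    throughout and does not model expiry of the Completion Time.
    """
    ordered = sorted(changes, key=lambda c: c.at)

    # Changes discovered before the channel only set the starting state.
    both_ok = True
    for c in ordered:
        if c.at <= channel_discovered:
            both_ok = c.hpci_operable and c.rcic_operable

    # Assumption: if HPCI or RCIC is already inoperable, the 96 hour clock
    # starts when the inoperable channel is discovered.
    short_clock_start = None if both_ok else channel_discovered
    timeline = [(channel_discovered,
                 _deadline(channel_discovered, short_clock_start))]

    for c in ordered:
        if c.at <= channel_discovered:
            continue
        now_ok = c.hpci_operable and c.rcic_operable
        if both_ok and not now_ok:
            # 8 days -> 96 hours: the 96 hours begins at this discovery.
            short_clock_start = c.at
        elif now_ok:
            # 96 hours -> 8 days: time zero is the channel discovery.
            short_clock_start = None
        # Inoperable -> still inoperable: the running 96 hour clock is kept.
        both_ok = now_ok
        timeline.append((c.at, _deadline(channel_discovered, short_clock_start)))
    return timeline


def completion_deadline(channel_discovered: datetime,
                        changes: Iterable[StatusChange] = ()) -> datetime:
    """Deadline in effect after all recorded status changes."""
    return deadline_timeline(channel_discovered, changes)[-1][1]


if __name__ == "__main__":
    # Constructed sample: channel found inoperable, HPCI found inoperable
    # 6 days later, so the 96 hour clock is cut off by the 8 day cap.
    t0 = datetime(2015, 11, 1, 8, 0)
    events = [StatusChange(t0 + timedelta(days=6), False, True)]
    for when, due in deadline_timeline(t0, events):
        print(f"{when:%Y-%m-%d %H:%M}  deadline {due:%Y-%m-%d %H:%M}")
```
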

H.1 With any Required Action and associated Completion Time not met, the associated feature(s) may be incapable of performing the intended function, and the supported feature(s) associated with inoperable untripped channels must be declared inoperable immediately.

SURVEILLANCE REQUIREMENTS As noted in the beginning of the SRs, the SRs for each ECCS instrumentation Function are found in the SRs column of Table 3.3.5.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours as follows: (a) for Functions 3.c and 3.f; and (b) for Functions other than 3.c and 3.f provided the associated Function or redundant Function maintains ECCS initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. A channel that is shared between both trip systems is considered one channel. This Note is based on the reliability analysis (Ref. 3) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the ECCS will initiate when necessary.

SR 3.3.5.1.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK guarantees that undetected outright channel failure is limited to 12 hours; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.5.1.2, SR 3.3.5.1.5 and SR 3.3.5.1.9 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days for SR 3.3.5.1.2 is based on the reliability analyses of Reference 3. The Frequency of 12 months for SR 3.3.5.1.5 is based on the known reliability of the equipment and the multichannel redundancy available, and has been shown to be acceptable through operating experience. The Frequency of 24 months for SR 3.3.5.1.9 is based on the known reliability of the equipment and the multichannel redundancy available, and has been shown to be acceptable through operating experience.

SR 3.3.5.1.3 Calibration of trip units provides a check of the actual trip setpoints. The channel must be declared inoperable if the trip setting is discovered to be less conservative than the Allowable Value specified in Table 3.3.5.1-1. If the trip setting is discovered to be less conservative than accounted for in the appropriate setpoint methodology, but is not beyond the Allowable Value, the channel performance is still within the requirements of the plant safety analyses. Under these conditions, the setpoint must be readjusted to be equal to or more conservative than the setting accounted for in the appropriate setpoint methodology.

The Frequency of 92 days is based on the reliability analysis of Reference 3.

SR 3.3.5.1.4, SR 3.3.5.1.6, and SR 3.3.5.1.7 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency of SR 3.3.5.1.4 is based upon the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. The Frequency of SR 3.3.5.1.6 is based upon the assumption of a 12 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

The Frequency of SR 3.3.5.1.7 is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis, and for Function 2.j, a revised minimum detectable break area for the LPCI loop select logic (Refs. 5 and 6).

The SR 3.3.5.1.4 annotation in Table 3.3.5.1-1 for Functions 1.c, 1.d, 2.c, 2.d, 4.c, 4.d, 5.c, and 5.d has been modified by two Notes. The SR 3.3.5.1.7 annotation in Table 3.3.5.1-1 for Function 2.j has also been modified by these same two Notes. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service.

These channels will also be identified in the Corrective Action Program.

In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition of OPERABILITY.

The second Note requires the setting for the instrument be returned to within the as-left tolerance of the nominal trip setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the setting for the instrument cannot be returned to within the as-left tolerance of the nominal trip setpoint, then the instrument channel shall be declared inoperable. The second Note also requires that the nominal trip setpoint and the methodology for calculating the as-left and the as-found tolerances be in a document controlled under 10 CFR 50.59 (i.e., Technical Requirements Manual (Ref. 4)).

SR 3.3.5.1.8 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.8.1, and LCO 3.8.2 overlaps this Surveillance to provide complete testing of the assumed safety function.


The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES

1. USAR, Section 14.7.2.
2. USAR, Chapter 14.
3. NEDC-30936-P-A, "BWR Owners' Group Technical Specification Improvement Analyses for ECCS Actuation Instrumentation, Parts 1 and 2," December 1988.
4. Technical Requirements Manual.
5. GE-NE-0000-0052-3113-P-R0, SAFER/GESTR ECCS-LOCA Analysis - LPCI Loop Selection Detectable Break Area, September 2006.
6. Amendment No. 161, Monticello Nuclear Generating Plant - Issuance of Amendment Regarding Recirculation Riser Differential Pressure (TAC No. MD6864), dated April 7, 2009. (ADAMS Accession No. ML083040608)
7. Calculation 03-036, Revision 2, Instrument Setpoint Calculation Reactor Low Pressure Permissive Bypass Timer.
8. Amendment No. 176, Monticello Nuclear Generating Plant - Issuance of Amendment No. 176 to Renewed Facility Operating License Regarding Extended Power Uprate. (ADAMS Accession No. ML13316C459)

B 3.3 INSTRUMENTATION

B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation

BASES

BACKGROUND

The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient.

For most anticipated operational occurrences and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.

The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant injection (HPCI), Automatic Depressurization System (ADS), and the emergency diesel generators (EDGs). The equipment involved with each of these systems is described in the Bases for LCO 3.5.1, "ECCS - Operating," and LCO 3.8.1, "AC Sources - Operating."

Core Spray System

The CS System may be initiated by either automatic or manual means, although manual initiation requires manipulation of individual pump and valve control switches. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low or Drywell Pressure - High. The Reactor Vessel Water Level - Low Low initiation signal is generated coincident with Reactor Steam Dome Pressure - Low (Pump Permissive) or if the Reactor Vessel Water Level - Low Low signal is sustained for 18 minutes (Refs. 7 and 8). The Reactor Vessel Water Level - Low Low variable is monitored by four redundant transmitters, connected to four trip units. The outputs of the four trip units are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two taken twice logic. The Drywell Pressure - High variable is monitored by four redundant pressure switches. The outputs of the switches are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two taken twice logic. The Reactor Steam Dome Pressure - Low (Pump Permissive) variable is monitored by two redundant switches. The outputs of the switches are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two logic. Each trip system will delay CS pump start and valve logic on low low reactor vessel water level until reactor steam dome pressure has fallen to a value below the CS System's maximum design pressure. The Reactor Steam Dome Pressure Permissive - Bypass Timer (Pump Permissive) variable is developed by two redundant time delay relays. A time delay relay is located in each trip system and a contact associated with this relay (one-out-of-one logic for each trip system) will bypass the Reactor Steam Dome Pressure - Low (Pump Permissive) after the timer has timed out.

The CS pumps start and valve logic will receive the high drywell pressure signals without delay. The Reactor Steam Dome Pressure - Low (Injection Permissive) variable is monitored by two redundant pressure switches. The outputs of the switches are connected to relays whose contacts input into two trip systems. Each trip system is arranged in a one-out-of-two logic. Each trip system will delay CS injection valve actuation logic until reactor steam dome pressure has fallen to a value below the CS System's maximum design pressure regardless of the initiation signal. Each trip system will open the associated CS subsystem valves.

Upon receipt of an initiation signal, the CS pumps are started in approximately 15 seconds after AC power is available. The Core Spray Pump Start - Time Delay Relay Function for each CS pump is developed by one time delay relay. The time delay relay starts when there is a LOCA signal present and power is available on the associated 4.16 kV essential bus. After the time delay relay times out, the associated CS pump starts.

The CS test line isolation valve, which is also a primary containment isolation valve (PCIV), is closed on a CS initiation signal to allow full system flow assumed in the accident analyses and maintain primary containment isolated in the event CS is not operating.
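The Core Spray initiation logic described above, reduced to boolean form as an added example (not plant logic drawings or licensee code), with a sweep that shows what each voting arrangement does under a single channel failure. The channel pairing inside `one_of_two_twice` is an assumption, and relays, seal-ins and the pump start time delay are left out.

```python
from itertools import product

LOW_LOW_BYPASS_MIN = 18  # minutes of sustained Low Low before the bypass timer times out


def one_of_two(a, b):
    """One-out-of-two: either tripped channel satisfies the logic."""
    return a or b


def one_of_two_twice(a, b, c, d):
    """One-out-of-two taken twice: at least one tripped channel in each pair.

    Assumption: channels are paired (a, b) and (c, d); the Bases name the
    arrangement but do not say which channels share a pair.
    """
    return one_of_two(a, b) and one_of_two(c, d)


def cs_trip_system(level_ll, drywell_hi, pump_perm, inj_perm, ll_sustained_min=0):
    """Evaluate one CS trip system.

    level_ll, drywell_hi: four channel states each (True = tripped).
    pump_perm, inj_perm:  two channel states each (True = dome pressure low).
    ll_sustained_min:     minutes the Low Low signal has been present.
    """
    level = one_of_two_twice(*level_ll)
    drywell = one_of_two_twice(*drywell_hi)
    # Bypass timer: one-out-of-one per trip system, bypasses the pump permissive.
    timer_out = level and ll_sustained_min >= LOW_LOW_BYPASS_MIN
    # High drywell pressure reaches the pump start logic without delay.
    pump_start = drywell or (level and (one_of_two(*pump_perm) or timer_out))
    # The injection permissive applies regardless of the initiation signal.
    inject = pump_start and one_of_two(*inj_perm)
    return {"pump_start": pump_start, "injection_valve_open": inject}


def single_failure_sweep(vote, n_channels, demand):
    """Flip one channel at a time away from the true plant state.

    demand=True  models a channel that fails to trip during a real event.
    demand=False models a spurious trip of one channel in normal operation.
    Returns the vote result for each failed-channel position.
    """
    outcomes = []
    for failed in range(n_channels):
        channels = [demand] * n_channels
        channels[failed] = not demand
        outcomes.append(vote(*channels))
    return outcomes


def tripping_combinations():
    """Number of the 16 four-channel states that satisfy one-out-of-two twice."""
    return sum(one_of_two_twice(*c) for c in product([False, True], repeat=4))


if __name__ == "__main__":
    print("1oo2x2, one channel fails to trip:", single_failure_sweep(one_of_two_twice, 4, True))
    print("1oo2x2, one spurious channel:     ", single_failure_sweep(one_of_two_twice, 4, False))
    print("1oo2,   one spurious channel:     ", single_failure_sweep(one_of_two, 2, False))
    all_ll, none = [True] * 4, [False] * 4
    for minutes in (5, 18):
        # Low Low level with the reactor still at high pressure.
        print(minutes, "min:", cs_trip_system(all_ll, none, [False, False], [False, False], minutes))
```

The four-channel functions tolerate both failure directions, while the two-channel permissives tolerate a channel that fails to trip but are satisfied by a single spurious one. At 18 minutes the pumps start with dome pressure still high, yet the injection valve stays closed until the injection permissive clears.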

Low Pressure Coolant Injection System

The LPCI is an operating mode of the Residual Heat Removal (RHR) System, with two LPCI subsystems. The LPCI subsystems may be initiated by automatic or manual means, although manual initiation requires manipulation of individual pump and valve control switches. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low, Drywell Pressure - High, or both. The Reactor Vessel Water Level - Low Low initiation signal is generated coincident with Reactor Steam Dome Pressure - Low (Pump Permissive) or if the Reactor Vessel Water Level - Low Low signal is sustained for 18 minutes (Refs. 7 and 8).

The Reactor Vessel Water Level - Low Low variable is monitored by four redundant transmitters, connected to four trip units. The outputs of the four trip units are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two taken twice logic. The Drywell Pressure - High variable is monitored by four redundant pressure switches. The outputs of the switches are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two taken twice logic. The Reactor Steam Dome Pressure - Low (Pump Permissive) variable is monitored by two redundant switches. The outputs of the switches are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two logic. Each trip system will delay LPCI pump start and valve logic on low low reactor vessel water level until reactor steam dome pressure has fallen to a value below the LPCI System's maximum design pressure.

The Reactor Steam Dome Pressure Permissive - Bypass Timer (Pump Permissive) variable is developed by two redundant time delay relays. A time delay relay is located in each trip system and a contact associated with this relay (one-out-of-one logic for each trip system) will bypass the Reactor Steam Dome Pressure - Low (Pump Permissive) after the timer has timed out. The LPCI pumps start and valve logic will receive the high drywell pressure signals without delay. The Reactor Steam Dome Pressure - Low (Injection Permissive) variable is monitored by two redundant pressure switches. The outputs of the switches are connected to relays whose contacts input into two trip systems. Each trip system is arranged in a one-out-of-two logic. Each trip system will delay LPCI injection valve actuation logic until reactor steam dome pressure has fallen to a value below the LPCI System's maximum design pressure regardless of the initiation signal. Each trip system will open the associated LPCI subsystem valves.

Upon receipt of an initiation signal, the LPCI pumps are automatically started (pumps A and B approximately 5 seconds after AC power is available and pumps C and D approximately 10 seconds after AC power is available). The Low Pressure Coolant Injection Pump Start - Time Delay Relay Function for each LPCI pump is developed by four time delay relays. Each time delay relay will start when there is a LOCA signal present and power is available on the associated 4.16 kV essential bus.

After a time delay relay times out, a signal is sent to start the associated LPCI pump. The outputs of the time delay relays are arranged in a one-out-of-two taken twice logic for each LPCI pump.

Each LPCI subsystem's discharge flow is monitored by a flow switch.

When a pump is running and discharge flow is low enough so that pump overheating may occur, the respective minimum flow return line valve is opened after an approximate 10 second time delay. If flow is above the minimum flow setpoint, the valve is automatically closed to allow the full system flow assumed in the analyses.

The RHR test line suppression pool cooling isolation valve, suppression pool spray isolation valves, and containment spray isolation valves (which are also PCIVs) are also closed on a LPCI initiation signal to allow the full system flow assumed in the accident analyses and maintain primary containment isolated in the event LPCI is not operating.


The LPCI System initiation logic also contains LPCI Loop Select Logic whose purpose is to identify and direct LPCI flow to the unbroken recirculation loop if a Design Basis Accident (DBA) occurs. The LPCI Loop Select Logic is initiated upon the receipt of either a Reactor Vessel Water Level - Low Low signal or a Drywell Pressure - High signal, as discussed previously. When initiated, the LPCI Loop Select Logic first determines recirculation pump operation by sensing the differential pressure (dp) between the suction and discharge of each pump. There are four dp switches monitoring each recirculation loop that are, in turn, connected to relays whose contacts are connected to two trip systems.

The dp switches will trip when the dp across the pump is greater than a predetermined value. The contacts are arranged in a one-out-of-two taken twice logic for each recirculation pump. If the logic senses that either pump is not running, i.e., single loop operation, then a trip signal is sent to both recirculation pumps to eliminate the possibility of pipe breaks being masked by the operating recirculation pump pressure. However, the pump trip signal is delayed approximately 0.5 seconds to ensure that at least one pump is off since the break detection sensitivity is greater with both pumps running. If a pump trip signal is generated, reactor steam dome pressure must drop to a specified value before the logic will continue. This adjusts the selection time to optimize sensitivity and still ensure that LPCI injection is not unnecessarily delayed. The reactor steam dome pressure is sensed by four pressure switches that are, in turn, connected to relays whose contacts are connected to two trip systems. The contacts are arranged in a one-out-of-two taken twice logic. After the satisfaction of this pressure requirement or if both recirculation pumps indicate they are running, a 2 second time delay is provided to allow momentum effects to establish the maximum differential pressure for loop selection. Selection of the unbroken recirculation loop is then initiated. This is done by comparing the absolute pressure of the two recirculation riser loops. The broken loop is indicated by a lower pressure than the unbroken loop. The loop with the higher pressure is then used for LPCI injection. If, after a small time delay (approximately 0.5 seconds), the pressure in loop A is not indicating higher than loop B, the logic will provide a signal to close the B recirculation loop discharge valve, open the LPCI injection valve to the B recirculation loop and close the LPCI injection valve to the A recirculation loop. This is the "default" choice in the LPCI Loop Select Logic. 
If recirculation loop A pressure indicates higher than loop B pressure (> 1 psig), the recirculation discharge valve in loop A is closed, the LPCI injection valve to loop A is signaled to open and the LPCI injection valve to loop B is signaled to close. The four dp switches that provide input to this portion of the logic detect the pressure difference between the corresponding risers to the jet pumps in each recirculation loop. The four dp switches are connected to relays whose contacts are connected to two trip systems. The contacts in each trip system are arranged in a one-out-of-two taken twice logic.


There are two redundant trip systems in the LPCI Loop Select Logic. The complete logic in each trip system must actuate for operation of the LPCI Loop Select Logic.
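The LPCI Loop Select sequence for one trip system, as an added example that is not the plant's logic or the licensee's code. The delays and the 1 psi margin come from the text above; the channel pairing, the treatment of the steps as strictly sequential, and the `dome_pressure_wait_s` parameter (time for dome pressure to reach the unspecified permissive value) are assumptions.

```python
from dataclasses import dataclass

PUMP_TRIP_DELAY_S = 0.5    # delay on the recirculation pump trip signal
MOMENTUM_DELAY_S = 2.0     # lets the maximum riser differential pressure develop
COMPARE_DELAY_S = 0.5      # delay before the default (loop B) choice is taken
A_HIGHER_MARGIN_PSI = 1.0  # loop A must indicate more than this above loop B


def one_of_two_twice(a, b, c, d):
    """At least one tripped switch in each pair; pairing (a, b)/(c, d) is assumed."""
    return (a or b) and (c or d)


@dataclass
class LoopSelect:
    trip_recirc_pumps: bool
    inject_into: str
    actions: list
    elapsed_s: float


def lpci_loop_select(pump_a_dp, pump_b_dp, riser_dp_psi, dome_pressure_wait_s=0.0):
    """Run the selection once an initiation signal is present.

    pump_a_dp, pump_b_dp: four dp switch states per pump (True = pump running).
    riser_dp_psi: loop A minus loop B riser pressure as seen by each of the
                  four riser dp switches.
    """
    a_running = one_of_two_twice(*pump_a_dp)
    b_running = one_of_two_twice(*pump_b_dp)
    actions, elapsed = [], 0.0

    # Single loop operation: trip both pumps so a running pump cannot mask a break.
    trip = not (a_running and b_running)
    if trip:
        elapsed += PUMP_TRIP_DELAY_S + dome_pressure_wait_s
        actions.append("trip both recirculation pumps")
        actions.append("wait for reactor steam dome pressure to drop")

    elapsed += MOMENTUM_DELAY_S + COMPARE_DELAY_S

    # Each riser dp switch trips when loop A indicates higher than loop B.
    a_higher = one_of_two_twice(*[dp > A_HIGHER_MARGIN_PSI for dp in riser_dp_psi])
    selected, other = ("A", "B") if a_higher else ("B", "A")  # B is the default
    actions += [
        f"close recirculation discharge valve in loop {selected}",
        f"open LPCI injection valve to loop {selected}",
        f"close LPCI injection valve to loop {other}",
    ]
    return LoopSelect(trip, selected, actions, elapsed)


if __name__ == "__main__":
    running, stopped = [True] * 4, [False] * 4
    # Constructed riser readings: a break lowers the pressure in the broken loop.
    for label, pumps_b, riser, wait in [
        ("break in loop B", running, [20.0] * 4, 0.0),
        ("break in loop A", running, [-20.0] * 4, 0.0),
        ("no riser difference", running, [0.4] * 4, 0.0),
        ("single loop operation", stopped, [20.0] * 4, 10.0),
        ("one failed riser switch", running, [20.0, 20.0, 20.0, 0.0], 0.0),
    ]:
        r = lpci_loop_select(running, pumps_b, riser, wait)
        print(f"{label}: inject into {r.inject_into}, pump trip {r.trip_recirc_pumps}, {r.elapsed_s} s")
```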

High Pressure Coolant Injection System

The HPCI System may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low or Drywell Pressure - High. The Reactor Vessel Water Level - Low Low variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. The Drywell Pressure - High variable is monitored by four switches. The outputs of the switches are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

The HPCI pump discharge flow is monitored by a flow switch. When an initiation signal is present (Reactor Vessel Water Level - Low Low or Drywell Pressure - High) and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened.

The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the accident analysis.

The HPCI test line return valves to the condensate storage tanks (CSTs) are closed upon receipt of a HPCI initiation signal to allow the full system flow assumed in the accident analysis.

The HPCI System also monitors the water levels in the two CSTs and the suppression pool because these are the two sources of water for HPCI operation. Reactor grade water in the CSTs is the normal source. Upon receipt of a HPCI initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless both suppression pool suction valves are open. If the water level in any CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes.

Two level switches are used to detect low water level in the CST (one on each CST). Either switch can cause the suppression pool suction valves to open and the CST suction valve to close. The suppression pool suction valves also automatically open and the CST suction valve closes if high water level is detected in the suppression pool (one-out-of-two logic). To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be open before the other automatically closes.

The HPCI System provides makeup water to the reactor until the reactor vessel water level reaches the Reactor Vessel Water Level - High trip, at which time the HPCI turbine trips, which causes the turbine's stop valve to close. The logic is two-out-of-two to provide high reliability of the HPCI System. The HPCI System automatically restarts if a Reactor Vessel Water Level - Low Low signal is subsequently received.

Automatic Depressurization System

The ADS may be initiated by either automatic or manual means, although manual initiation requires manipulation of each individual ADS valve control switch. Automatic initiation occurs when signals indicating Reactor Vessel Water Level - Low Low and CS or LPCI Pump Discharge Pressure - High are all present and the ADS Initiation Timer has timed out. There are two transmitters that monitor Reactor Vessel Water Level - Low Low in each of the two ADS trip systems. Each of these transmitters connects to a trip unit, which then drives a relay whose contacts form the initiation logic.

Each ADS trip system includes a time delay between satisfying the initiation logic and the actuation of the ADS valves. The ADS Initiation Timer time delay setpoint is chosen to be long enough that the HPCI has sufficient operating time to recover to a level above Low Low, yet not so long that the LPCI and CS Systems are unable to adequately cool the fuel if the HPCI fails to maintain that level. An alarm in the control room is annunciated when either of the timers is timing. Resetting the ADS initiation signals resets the ADS Initiation Timers.

The ADS also monitors the discharge pressures of the four LPCI pumps and the two CS pumps. Each ADS trip system includes two discharge pressure permissive switches from all CS and LPCI pumps. However, only the switches from the pumps in the associated division are required to be OPERABLE for each trip system (i.e., Division 1 CS A and LPCI subsystems A and C input to ADS trip system A, and Division 2 CS B and LPCI subsystems B and D input to ADS trip system B). The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has depressurized the vessel.

Any one of the six low pressure pumps is sufficient to permit automatic depressurization.

The ADS logic in each trip system is arranged in two strings. Each string has a contact from Reactor Vessel Water Level - Low Low. Each string also has a contact that represents a CS or LPCI pump discharge pressure signal. All contacts in both logic strings must close and the ADS initiation timer must time out to initiate an ADS trip system. Either the A or B trip system will cause all the ADS relief valves to open. The Reactor Vessel Water Level - Low Low signal in one string will seal in once both the Reactor Vessel Water Level - Low Low signal and the associated CS or LPCI pump discharge pressure signal are present. The other Reactor Vessel Water Level - Low Low signal in the other string will seal in once both the Reactor Vessel Water Level - Low Low signal and the associated CS or LPCI pump discharge pressure signal are present and the ADS Initiation timer has timed out. The signals can be manually reset.

Manual inhibit switches are provided in the control room for the ADS; however, their function is not required for ADS OPERABILITY (provided ADS is not inhibited when required to be OPERABLE).

Emergency Diesel Generators (EDGs)

The EDGs may be initiated by either automatic or manual means.

Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low or Drywell Pressure - High. The EDGs are also initiated upon loss of voltage signals. (Refer to the Bases for LCO 3.3.8.1, "Loss of Power (LOP) Instrumentation," for a discussion of these signals.) The Reactor Vessel Water Level - Low Low variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units.

The outputs of the four trip units are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two taken twice logic to initiate both EDGs. The Drywell Pressure - High variable is monitored by four switches. The outputs of the switches are connected to relays whose contacts are directed to two trip systems and the logic in each trip system is arranged in a one-out-of-two taken twice logic to initiate both EDGs. The EDGs receive their initiation signals from the CS System initiation logic. The EDGs can also be started manually from the control room and locally from the associated EDG room. Upon receipt of a loss of coolant accident (LOCA) initiation signal, each EDG is automatically started, is ready to load in approximately 10 seconds, and will run in standby conditions (rated voltage and speed, with the EDG output breaker open).

The EDGs will only energize their respective 4.16 kV essential buses if a loss of offsite power occurs (Refer to Bases for LCO 3.3.8.1).

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY

The actions of the ECCS are explicitly assumed in the safety analyses of Reference 1. The ECCS is initiated to preserve the integrity of the fuel cladding by limiting the post LOCA peak cladding temperature to less than the 10 CFR 50.46 limits.

ECCS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.


The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Table 3.3.5.1-1 is modified by two footnotes. Footnote (a) is added to clarify that the associated functions are required to be OPERABLE in MODES 4 and 5 only when their supported ECCS are required to be OPERABLE per LCO 3.5.2, ECCS - Shutdown. Footnote (b) is added to show that certain ECCS instrumentation Functions also perform EDG initiation.

Allowable Values are specified for each ECCS Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations.

The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values and nominal trip setpoints (NTSP) are derived, using the General Electric setpoint methodology guidance, as specified in the Monticello setpoint methodology. The Allowable Values are derived from the analytic limits. The difference between the analytic limit and the Allowable Value allows for channel instrument accuracy, calibration accuracy, process measurement accuracy, and primary element accuracy. The margin between the Allowable Value and the NTSP allows for instrument drift that might occur during the established surveillance period. Two separate verifications are performed for the calculated NTSP. The first, a Spurious Trip Avoidance Test, evaluates the impact of the NTSP on plant availability. The second verification, an LER Avoidance Test, calculates the probability of avoiding a Licensee Event Report (or exceeding the Allowable Value) due to instrument drift. These two verifications are statistical evaluations to provide additional assurance of the acceptability of the NTSP and may require changes to the NTSP. Use of these methods and verifications provides the assurance that if the setpoint is found conservative to the Allowable Value during surveillance testing, the instrumentation would have provided the required trip function by the time the process reached the analytic limit for the applicable events.

In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or EDG) initiation to mitigate the consequences of a design basis transient or accident. To ensure reliable ECCS and EDG function, a combination of Functions is required to provide primary and secondary initiation signals.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

Core Spray and Low Pressure Coolant Injection Systems

1.a, 2.a. Reactor Vessel Water Level - Low Low

Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The low pressure ECCS and associated EDGs are initiated at Low Low to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The Reactor Vessel Water Level - Low Low is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in Reference 2. In addition, the Reactor Vessel Water Level - Low Low Function is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level - Low Low signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level - Low Low Allowable Value is chosen to allow time for the low pressure core flooding systems to activate and provide adequate cooling.

Four channels of CS Reactor Vessel Water Level - Low Low Function are only required to be OPERABLE when CS and the EDGs are required to be OPERABLE to ensure that no single instrument failure can preclude CS and EDG initiation. Four channels of the LPCI Reactor Vessel Water Level - Low Low Function are only required to be OPERABLE when LPCI is required to be OPERABLE to ensure that no single instrument failure can preclude LPCI initiation. Per Footnote (a) to Table 3.3.5.1-1, these ECCS Functions are only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems; LCO 3.8.1, "AC Sources - Operating," and LCO 3.8.2, "AC Sources - Shutdown," for Applicability Bases for the EDGs.

1.b, 2.b. Drywell Pressure - High

High pressure in the drywell could indicate a break in the reactor coolant pressure boundary (RCPB). The low pressure ECCS and associated EDGs are initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage. The Drywell Pressure - High Function, along with the Reactor Water Level - Low Low Function, is directly assumed in the analysis of the recirculation line break (Ref. 1).

The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure switches that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

The Drywell Pressure - High Function is required to be OPERABLE when the ECCS or EDG is required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the CS and LPCI Drywell Pressure - High Functions are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude ECCS and EDG initiation. In MODES 4 and 5, the Drywell Pressure - High Functions are not required, since there is insufficient energy in the reactor to pressurize the primary containment to Drywell Pressure - High setpoint. Refer to LCO 3.5.1 for Applicability Bases for the low pressure ECCS subsystems and to LCO 3.8.1 for Applicability Bases for the EDGs.

1.c, 2.c. Reactor Steam Dome Pressure - Low (Injection Permissive)

Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS subsystems. This ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure. The Reactor Steam Dome Pressure - Low (Injection Permissive) is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in Reference 2. In addition, the Reactor Steam Dome Pressure - Low (Injection Permissive) Function is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

The Reactor Steam Dome Pressure - Low (Injection Permissive) signals are initiated from two pressure switches (shared by both CS and LPCI) that sense the reactor dome pressure.

The Allowable Value is low enough to prevent overpressurizing the equipment in the low pressure ECCS, but high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46.

Two channels of CS Reactor Steam Dome Pressure - Low (Injection Permissive) Function are only required to be OPERABLE when CS is required to be OPERABLE to ensure that no single instrument failure can preclude CS initiation. Two channels of the LPCI Reactor Steam Dome Pressure - Low (Injection Permissive) Function are only required to be OPERABLE when LPCI is required to be OPERABLE to ensure that no single instrument failure can preclude LPCI initiation. Per Footnote (a) to Table 3.3.5.1-1, these ECCS Functions are only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

1.d, 2.d. Reactor Steam Dome Pressure - Low (Pump Permissive)

Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS subsystems. These channels delay CS and LPCI pump starts on Reactor Vessel Water Level - Low Low until reactor steam dome pressure is below the setpoint. This ensures that, prior to starting the pumps of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure.

The Reactor Steam Dome Pressure - Low (Pump Permissive) is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in References 1 and 3. In addition, the Reactor Steam Dome Pressure - Low Function is directly assumed in the analysis of the recirculation line break (Ref. 2).

The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

The Reactor Steam Dome Pressure - Low signals are initiated from two pressure switches (shared by both CS and LPCI) that sense the reactor dome pressure.

The Allowable Value is high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46.

Two channels of CS Reactor Steam Dome Pressure - Low (Pump Permissive) Function are only required to be OPERABLE when the CS is required to be OPERABLE to ensure that no single instrument failure can preclude CS initiation. Two channels of LPCI Reactor Steam Dome Pressure - Low (Pump Permissive) Function are only required to be OPERABLE when the LPCI is required to be OPERABLE to ensure that no single instrument failure can preclude LPCI initiation. Per Footnote (a) to Table 3.3.5.1-1, these ECCS Functions are only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

1.e, 2.e. Reactor Steam Dome Pressure - Bypass Timer (Pump Permissive)

Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS subsystems. The Bypass Timer channels allow the CS and LPCI pumps to start on Reactor Vessel Water Level - Low Low after the time delay times out, even if the reactor steam dome pressure is above its permissive setpoint. This ensures that starting the pumps of the low pressure ECCS subsystems will occur on a Reactor Vessel Water Level - Low Low signal after an 18 minute time delay (Refs. 7 and 8). The Reactor Steam Dome Pressure - Time Delay (Pump Permissive) is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in References 1 and 3. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

The Reactor Steam Dome Pressure - Bypass Timer (Pump Permissive) signals are initiated from four time delay relays.

The Allowable Value is long enough to provide sufficient time for the operator to inhibit any unnecessary ADS actuation, yet short enough to limit the peak cladding temperature to less than 2200°F.

Two channels of CS Reactor Steam Dome Pressure - Bypass Timer (Pump Permissive) Function are only required to be OPERABLE when the CS is required to be OPERABLE to ensure that no single instrument failure can preclude CS initiation. Two channels of LPCI Reactor Steam Dome Pressure - Bypass Timer (Pump Permissive) Function are only required to be OPERABLE when the LPCI is required to be OPERABLE to ensure that no single instrument failure can preclude LPCI initiation.

Per Footnote (a) to Table 3.3.5.1-1, these ECCS Functions are only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

1.f, 2.f. Core Spray and Low Pressure Coolant Injection Pump Start - Time Delay Relay

The purpose of the time delay relays is to stagger the start of the CS and LPCI pumps that are in each of Divisions 1 and 2, thus limiting the starting transients on the 4.16 kV essential buses. The CS and LPCI Pump Start - Time Delay Relays are assumed to be OPERABLE in the accident and transient analyses requiring ECCS initiation. That is, the analyses assume that the pumps will initiate when required and excess loading will not cause failure of the power sources.

There are two CS Pump Start - Time Delay Relay channels, one in each of the CS pump start logic circuits. While each CS pump time delay relay is dedicated to a single pump start logic, a single failure of a CS Pump Start - Time Delay Relay channel could result in the failure of the three low pressure ECCS pumps, powered from the same 4.16 kV essential bus, to perform their intended function (e.g., as in the case where two ECCS pumps on one 4.16 kV essential bus start simultaneously due to an inoperable time delay relay). This still leaves three of the six low pressure ECCS pumps OPERABLE; thus, the single failure criterion is met (i.e., loss of one instrument does not preclude ECCS initiation).

Sixteen Low Pressure Coolant Injection Pump Start - Time Delay Relay channels, four in each of the LPCI pump start logic circuits, are required to be OPERABLE to ensure that no single instrument failure can preclude the associated LPCI pump start. The Allowable Values for the CS and LPCI Pump Start - Time Delay Relays are chosen short enough so that ECCS operation is not degraded.

Each CS and LPCI Pump Start - Time Delay Relay Function is required to be OPERABLE only when the associated ECCS subsystem is required to be OPERABLE. Per Footnote (a) to Table 3.3.5.1-1, these ECCS Functions are only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the LPCI subsystems.

2.g. Low Pressure Coolant Injection Pump Discharge Flow - Low (Bypass)

The minimum flow instruments are provided to protect the associated LPCI pump from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The LPCI Pump Discharge Flow - Low (Bypass) Function is assumed to be OPERABLE and capable of closing the minimum flow valves to ensure that the LPCI flows assumed during the transients and accidents analyzed in References 1 and 2 are met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

One flow switch per LPCI pump is used to detect the associated subsystems' flow rates. The logic is arranged such that each switch causes its associated minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded. The LPCI minimum flow valves are time delayed such that the valves will not open for 10 seconds after the pump start. This delay can reduce the reactor vessel inventory loss (to the suppression pool) during the startup of the RHR pump while aligned in the shutdown cooling mode, since it provides time (prior to opening the minimum flow valve) to manually increase RHR flow above the minimum flow closure setpoint. The LPCI Pump Discharge Flow - Low (Bypass) Allowable Values are high enough to ensure that the pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core.

Each channel of LPCI Pump Discharge Flow - Low (Bypass) Function (four LPCI channels) is only required to be OPERABLE when the associated LPCI pump is required to be OPERABLE to ensure that no single instrument failure can preclude the LPCI function. Per Footnote (a) to Table 3.3.5.1-1, this LPCI Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated LPCI pump is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the LPCI subsystems.

2.h, 2.k. Reactor Steam Dome Pressure - Low (Break Detection) and Reactor Steam Dome Pressure - Time Delay Relay (Break Detection)

The purpose of the Reactor Steam Dome Pressure - Low (Break Detection) and Reactor Steam Dome Pressure - Time Delay Relay (Break Detection) Functions is to optimize the LPCI Loop Select Logic sensitivity if the logic previously actuated recirculation pump trips. This is accomplished by preventing the logic from continuing on to the unbroken loop selection activity until reactor steam dome pressure has dropped below a specified value. These Functions are only required to be OPERABLE for the DBA LOCA analysis, i.e., if the break location is in the recirculation system suction piping (Ref. 2). For a DBA LOCA, the analysis assumes that the LPCI Loop Select Logic successfully identifies and directs LPCI flow to the unbroken recirculation loop so that core reflooding is accomplished in time to ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. For other LOCA events (i.e., non-DBA recirculation system pipe breaks), or other RPV pipe breaks, the success of the Loop Select Logic is less critical than for the DBA.

Reactor Steam Dome Pressure - Low (Break Detection) signals are initiated from four pressure switches that sense the reactor steam dome pressure. Reactor Steam Dome Pressure - Time Delay Relay (Break Detection) signals are initiated from two time delay relays.

The Reactor Steam Dome Pressure - Low (Break Detection) Allowable Value is chosen to allow for coastdown of any recirculation pump which has just tripped, thus optimizing the sensitivity of the LPCI Loop Select Logic while ensuring that LPCI injection is not delayed. The Reactor Steam Dome Pressure - Time Delay Relay (Break Detection) Allowable Value is chosen to allow momentum effects to establish the maximum differential pressure for break detection.

Four channels of the Reactor Steam Dome Pressure - Low (Break Detection) Function and two channels of the Reactor Steam Dome Pressure - Time Delay Relay (Break Detection) Function are only required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single failure can prevent the LPCI Loop Select Logic from successfully selecting the unbroken recirculation loop for LPCI injection. These Functions are not required to be OPERABLE in MODES 4 and 5 because, in those MODES, the loop for selection is controlled by plant operating procedures, which ensure an OPERABLE LPCI flow path.

2.i, 2.l. Recirculation Pump Differential Pressure - High (Break Detection) and Recirculation Pump Differential Pressure - Time Delay Relay (Break Detection)

Recirculation pump differential pressure signals are used by the LPCI Loop Select Logic to determine if either recirculation pump is running. If either pump is not running, i.e., single loop operation, the logic, after a short time delay, sends a trip signal to both recirculation pumps. This is necessary to eliminate the possibility of small pipe breaks being masked by a running recirculation pump. These Functions are only required to be OPERABLE for the DBA LOCA analysis, i.e., if the break location is in the recirculation system suction piping (Ref. 2). For a DBA LOCA, the analysis assumes that the LPCI Loop Select Logic successfully identifies and directs LPCI flow to the unbroken recirculation loop so that core reflooding is accomplished in time to ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. For other LOCA events (i.e., non-DBA recirculation system pipe breaks or other RPV pipe breaks), the success of the Loop Select Logic is less critical than for the DBA.

Recirculation Pump Differential Pressure - High (Break Detection) signals are initiated from eight differential pressure switches, four of which sense the pressure differential between the suction and discharge of each recirculation pump. Recirculation Pump Differential Pressure - Time Delay Relay (Break Detection) signals are initiated by two time delay relays.

The Recirculation Pump Differential Pressure - High (Break Detection) Allowable Value is chosen to be as low as possible, while still maintaining the ability to differentiate between a running and non-running recirculation pump. Recirculation Pump Differential Pressure - Time Delay Relay (Break Detection) Allowable Value is chosen to allow enough time to determine the status of the operating conditions of the recirculation pumps.

Eight channels of the Recirculation Pump Differential Pressure - High (Break Detection) Function and two channels of the Recirculation Pump Differential Pressure - Time Delay Relay (Break Detection) Function are only required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single failure can prevent the LPCI Loop Select Logic from successfully determining if either recirculation pump is running. This Function is not required to be OPERABLE in MODES 4 and 5 because, in those MODES, the loop for selection is controlled by plant operating procedures, which ensure an OPERABLE LPCI flow path.

2.j, 2.m. Recirculation Riser Differential Pressure - High (Break Detection) and Recirculation Riser Differential Pressure - Time Delay Relay (Break Detection)

Recirculation riser differential pressure signals are used by the LPCI Loop Select Logic to determine which, if any, recirculation loop is broken. This is accomplished by comparing the pressure of the two recirculation loops.

A broken loop will be indicated by a lower pressure than an unbroken loop. The loop with the higher pressure is then selected, after a short delay, for LPCI injection. If neither loop is broken, the logic defaults to injecting into the "B" recirculation loop. These Functions are only required to be OPERABLE for the DBA LOCA analysis, i.e., if the break location is in the recirculation system suction piping (Ref. 2). For a DBA LOCA, the analysis assumes that the LPCI Loop Select Logic successfully identifies and directs LPCI flow to the unbroken recirculation loop, so that core reflooding is accomplished in time to ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

For other LOCA events (i.e., non-DBA recirculation system pipe breaks), or other RPV pipe breaks, the success of the Loop Select Logic is less critical than for the DBA.

Recirculation Riser Differential Pressure - High (Break Detection) signals are initiated from four differential pressure switches that sense the pressure differential between the A recirculation loop riser and the B recirculation loop riser. If, after a small time delay, the pressure in loop A is not indicating higher than loop B pressure, the logic will select the B loop for injection. If recirculation loop A pressure is indicating higher than loop B pressure, the logic will select the A loop for LPCI injection.

Recirculation Riser Differential Pressure - Time Delay Relay (Break Detection) signals are initiated by two time delay relays.

The Recirculation Riser Differential Pressure - High (Break Detection) Allowable Value is chosen to be as low as possible, while still maintaining the ability to differentiate between a broken and unbroken recirculation loop. The Recirculation Riser Differential Pressure - Time Delay Relay (Break Detection) Allowable Value is chosen to provide a sufficient amount of time to determine which loop is broken.

Four channels of the Recirculation Riser Differential Pressure - High (Break Detection) Function and two channels of the Recirculation Riser Differential Pressure - Time Delay Relay (Break Detection) Function are only required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single failure can prevent the LPCI Loop Select Logic from successfully selecting the unbroken recirculation loop for LPCI injection. This Function is not required to be OPERABLE in MODES 4 and 5 because, in those MODES, the loop for selection is controlled by plant operating procedures, which ensure an OPERABLE LPCI flow path.
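
The LPCI Loop Select Logic sequence described for Functions 2.h through 2.m, as an added Python model that is not part of the Bases and is not plant logic. Setpoints, delays, units, state names and the sample traces are constructed placeholders; applying the dome pressure hold and its time delay only after a recirculation pump trip is this example's reading of the text.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Settings:
    """Constructed placeholder settings in arbitrary units; not plant values."""
    pump_dp_running: int = 2          # pump dP above this: pump is running
    pump_status_delay_ms: int = 500   # time allowed to determine pump status
    dome_pressure_low: int = 100      # hold selection until dome pressure is below this
    dome_delay_ms: int = 2000         # lets the break differential pressure develop
    riser_dp_high: int = 1            # (loop A - loop B) above this: A reads higher
    riser_delay_ms: int = 500         # delay before the loop comparison is used


@dataclass(frozen=True)
class Sample:
    t_ms: int
    pump_a_dp: int
    pump_b_dp: int
    dome_pressure: int
    riser_a_minus_b: int


@dataclass(frozen=True)
class Result:
    loop: Optional[str]               # "A", "B", or None if selection was never reached
    pumps_tripped: bool
    decided_at_ms: Optional[int]


def select_loop(trace: List[Sample], s: Settings = Settings()) -> Result:
    """Walk a sampled trace through the selection sequence and return the outcome."""
    state, mark, tripped = "PUMP_STATUS", trace[0].t_ms, False
    for x in trace:
        if state == "PUMP_STATUS" and x.t_ms - mark >= s.pump_status_delay_ms:
            both_running = (x.pump_a_dp > s.pump_dp_running
                            and x.pump_b_dp > s.pump_dp_running)
            if both_running:
                state, mark = "RISER_COMPARE", x.t_ms
            else:
                # Single loop operation: trip both pumps so that a running
                # pump cannot mask a small break.
                tripped, state = True, "PRESSURE_HOLD"
        if state == "PRESSURE_HOLD" and x.dome_pressure < s.dome_pressure_low:
            state, mark = "BREAK_DELAY", x.t_ms
        if state == "BREAK_DELAY" and x.t_ms - mark >= s.dome_delay_ms:
            state, mark = "RISER_COMPARE", x.t_ms
        if state == "RISER_COMPARE" and x.t_ms - mark >= s.riser_delay_ms:
            # Loop A is selected only if it reads higher; otherwise default to B.
            loop = "A" if x.riser_a_minus_b > s.riser_dp_high else "B"
            return Result(loop, tripped, x.t_ms)
    return Result(None, tripped, None)


def make_trace(pump_a: int, pump_b: int, dome: Callable[[int], int],
               riser: Callable[[int], int], end_ms: int = 8000,
               step_ms: int = 100) -> List[Sample]:
    """Build a constructed trace; dome and riser are functions of time in ms."""
    return [Sample(t, pump_a, pump_b, dome(t), riser(t))
            for t in range(0, end_ms + 1, step_ms)]


# Constructed scenarios (illustrative numbers only).
BOTH_RUNNING_B_BROKEN = make_trace(10, 10, lambda t: 150, lambda t: 5)
NO_BREAK = make_trace(10, 10, lambda t: 150, lambda t: 0)
# Pump B idle, small break in loop A: while pump A runs, loop A still reads
# higher (+3); after coastdown the broken loop reads lower (-4).
MASKED_BREAK_IN_A = make_trace(10, 0, lambda t: 150 - t // 50,
                               lambda t: 3 if t < 3000 else -4)
PRESSURE_STAYS_HIGH = make_trace(10, 0, lambda t: 150, lambda t: 3)

if __name__ == "__main__":
    for name, trace in [("both running, B broken", BOTH_RUNNING_B_BROKEN),
                        ("no break", NO_BREAK),
                        ("masked break in A", MASKED_BREAK_IN_A),
                        ("pressure stays high", PRESSURE_STAYS_HIGH)]:
        print(name, select_loop(trace))
```

In the masked-break trace, a comparison taken at 1000 ms would have read loop A as the higher loop; the pump trip, pressure hold and delay move the comparison to 5100 ms, where loop B is selected.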

HPCI System

3.a. Reactor Vessel Water Level - Low Low

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCI System is initiated at Low Low to maintain level above the top of the active fuel. The Reactor Vessel Water Level - Low Low is one of the Functions assumed to be OPERABLE and capable of initiating HPCI during the transients analyzed in Reference 2.

Additionally, the Reactor Vessel Water Level - Low Low Function associated with HPCI along with the Drywell Pressure - High Function is directly assumed in the analysis of the recirculation line break (Ref. 1).

The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level - Low Low signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level - Low Low Allowable Value is high enough such that for complete loss of feedwater flow when the reactor vessel is isolated, the Reactor Core Isolation Cooling (RCIC) System flow with HPCI assumed to fail will be sufficient to avoid injection of low pressure ECCS.

Four channels of Reactor Vessel Water Level - Low Low Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation.

Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.b. Drywell Pressure - High

High pressure in the drywell could indicate a break in the RCPB. The HPCI System is initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage. The Drywell Pressure - High Function, along with the Reactor Vessel Water Level - Low Low Function, is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure switches that sense drywell pressure. The Allowable Value was selected to be as low as possible to be indicative of a LOCA inside primary containment.

Four channels of the Drywell Pressure - High Function are required to be OPERABLE when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for the Applicability Bases for the HPCI System.

3.c. Reactor Vessel Water Level - High

High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Reactor Vessel Water Level - High signal is used to trip the HPCI turbine to prevent overflow into the main steam lines (MSLs). The Reactor Vessel Water Level - High Function is not assumed in the accident and transient analyses. It was retained since it is a potentially significant contributor to risk.

Reactor Vessel Water Level - High signals for HPCI are initiated from two level transmitters from the narrow range water level measurement instrumentation. Both signals are required in order to close the HPCI turbine's stop valve. This ensures that no single instrument failure can preclude HPCI initiation. The Reactor Vessel Water Level - High Allowable Value is chosen to prevent flow from the HPCI System from overflowing into the MSLs.

Two channels of Reactor Vessel Water Level - High Function are required to be OPERABLE only when HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.d. Condensate Storage Tank Level - Low

Low level in a CST indicates the unavailability of an adequate supply of makeup water from this normal source. Normally the suction valves between HPCI and the CSTs are open and, upon receiving a HPCI initiation signal, water for HPCI injection would be taken from all aligned CSTs. However, if the water level in any CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the HPCI pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CSTs suction valve automatically closes. The Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.

Condensate Storage Tank Level - Low signals are initiated from two level switches (normally one associated with each CST). The logic is arranged such that either level switch can cause the suppression pool suction valves to open and the CSTs suction valve to close. The Condensate Storage Tank Level - Low Function Allowable Value is high enough to ensure adequate pump suction head while water is being taken from the CSTs. The Allowable Value is referenced from the bottom of the tank.

Two channels of the Condensate Storage Tank Level - Low Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.e. Suppression Pool Water Level - High

Excessively high suppression pool water could result in the loads on the suppression pool exceeding design values should there be a blowdown of the reactor vessel pressure through the safety/relief valves. Therefore, signals indicating high suppression pool water level are used to transfer the suction source of HPCI from the CSTs to the suppression pool to eliminate the possibility of HPCI continuing to provide additional water from a source outside containment. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CSTs suction valve automatically closes. This Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.

Suppression Pool Water Level - High signals are initiated from two level switches. The logic is arranged such that either switch can cause the suppression pool suction valves to open and the CSTs suction valve to close. The Allowable Value for the Suppression Pool Water Level - High Function is chosen to ensure that HPCI will be aligned for suction from the suppression pool before the water level reaches the point at which suppression pool design loads would be exceeded.

Two channels of Suppression Pool Water Level - High Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.f. High Pressure Coolant Injection Pump Discharge Flow - Low (Bypass)

The minimum flow instruments are provided to protect the HPCI pump from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The High Pressure Coolant Injection Pump Discharge Flow - Low (Bypass) Function is assumed to be OPERABLE and capable of closing the minimum flow valve to ensure that the ECCS flow assumed during the transients and accidents analyzed in References 1 and 2 is met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

One flow switch is used to detect the HPCI System's flow rate. The logic is arranged such that the switch causes the minimum flow valve to open.

The logic will close the minimum flow valve once the closure setpoint is exceeded.

The High Pressure Coolant Injection Pump Discharge Flow - Low (Bypass) Allowable Value is high enough to ensure that pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core.

One channel is required to be OPERABLE when the HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

Automatic Depressurization System

4.a, 5.a. Reactor Vessel Water Level - Low Low

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function. The Reactor Vessel Water Level - Low Low is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accident analyzed in Reference 1. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level - Low Low signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low Function are required to be OPERABLE only when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

The Reactor Vessel Water Level - Low Low Allowable Value is chosen to allow time for the low pressure core flooding systems to initiate and provide adequate cooling.

4.b, 5.b. Automatic Depressurization System Initiation Timer

The purpose of the Automatic Depressurization System Initiation Timer is to delay depressurization of the reactor vessel to allow the HPCI System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited. By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCI System to maintain water level, and then to decide whether to allow ADS to automatically initiate or to delay or inhibit ADS initiation. The Automatic Depressurization System Initiation Timer Function is assumed to be OPERABLE for the accident analyses of Reference 1 that require ECCS initiation and assume failure of the HPCI System.

There are two Automatic Depressurization System Initiation Timer relays, one in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Initiation Timer is chosen so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.

Two channels of the Automatic Depressurization System Initiation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.c, 4.d, 5.c, 5.d. Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure - High

The Pump Discharge Pressure - High signals from the CS and LPCI pumps are used as permissives for ADS initiation, indicating that there is a source of low pressure cooling water available once the ADS has depressurized the vessel. Pump Discharge Pressure - High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in Reference 1 with an assumed HPCI failure. For these events the ADS depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling functions.

This core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Pump discharge pressure signals are initiated from twelve pressure switches, two on the discharge side of each of the six low pressure ECCS pumps. In order to generate an ADS permissive in one trip system, it is necessary that only one pump (both channels for the pump) indicate the high discharge pressure condition. The Pump Discharge Pressure - High Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any condition that results in a discharge pressure permissive when the CS and LPCI pumps are aligned for injection and the pumps are not running.

The actual operating point of this function is not assumed in any transient or accident analysis.

Twelve channels of Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure - High Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two CS channels associated with CS pump A and four LPCI channels associated with LPCI pumps A and C are required for trip system A. Two CS channels associated with CS pump B and four LPCI channels associated with LPCI pumps B and D are required for trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.
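
The two-switches-per-pump ADS permissive described above, as an added Python example that is not part of the Bases: it enumerates switch failures against the stated pump-to-trip-system assignment and reports how many are needed to block or to falsely produce the permissive. The pump labels, the fail-low/fail-high fault model and the function names are this example's assumptions.

```python
from itertools import combinations
from typing import Collection, Dict, FrozenSet, List, Optional, Tuple

Channel = Tuple[str, int]  # (pump label, switch number); labels are this example's

# Pump-to-trip-system assignment as stated in the text above.
TRIP_SYSTEMS: Dict[str, Tuple[str, ...]] = {
    "A": ("CS-A", "LPCI-A", "LPCI-C"),
    "B": ("CS-B", "LPCI-B", "LPCI-D"),
}
# Twelve switches: two on the discharge of each of the six pumps.
CHANNELS: List[Channel] = [(p, n) for pumps in TRIP_SYSTEMS.values()
                           for p in pumps for n in (1, 2)]
ALL_PUMPS: FrozenSet[str] = frozenset(p for p, _ in CHANNELS)


def indications(running: Collection[str],
                failed_low: Collection[Channel] = (),
                failed_high: Collection[Channel] = ()) -> Dict[Channel, bool]:
    """What each switch reports, given which pumps run and which switches failed."""
    out = {}
    for ch in CHANNELS:
        if ch in failed_low:
            out[ch] = False            # stuck below setpoint
        elif ch in failed_high:
            out[ch] = True             # stuck above setpoint
        else:
            out[ch] = ch[0] in running
    return out


def permissive(trip_system: str, ind: Dict[Channel, bool]) -> bool:
    """One pump with BOTH of its switches high gives the trip system its permissive."""
    return any(ind[(p, 1)] and ind[(p, 2)] for p in TRIP_SYSTEMS[trip_system])


def min_failed_low_to_block(trip_system: str,
                            running: Collection[str]) -> Optional[int]:
    """Fewest failed-low switches that remove the permissive (None if none exists)."""
    if not permissive(trip_system, indications(running)):
        return None
    for k in range(1, len(CHANNELS) + 1):
        for combo in combinations(CHANNELS, k):
            if not permissive(trip_system, indications(running, failed_low=combo)):
                return k
    return None


def min_failed_high_to_spoof(trip_system: str) -> Optional[int]:
    """Fewest failed-high switches that produce a permissive with no pump running."""
    for k in range(1, len(CHANNELS) + 1):
        for combo in combinations(CHANNELS, k):
            if permissive(trip_system, indications((), failed_high=combo)):
                return k
    return None


def single_failure_report(running: Collection[str]) -> Dict[Channel, Tuple[str, ...]]:
    """For each single failed-low switch, the trip systems that keep their permissive."""
    return {ch: tuple(ts for ts in TRIP_SYSTEMS
                      if permissive(ts, indications(running, failed_low=[ch])))
            for ch in CHANNELS}


if __name__ == "__main__":
    print("block A, all pumps running:", min_failed_low_to_block("A", ALL_PUMPS))
    print("block A, only CS pumps running:",
          min_failed_low_to_block("A", {"CS-A", "CS-B"}))
    print("spoof B, no pumps running:", min_failed_high_to_spoof("B"))
```

With every pump running, no single failed-low switch removes the permissive from either trip system; with only one pump running in a trip system, one failed switch on that pump removes that trip system's permissive while the other trip system keeps its own.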

ACTIONS

A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ECCS instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel.

A.1

Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.1-1. The applicable Condition referenced in the Table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

B.1, B.2, and B.3

Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action B.1 features would be those that are initiated by Functions 1.a, 1.b, 2.a, 2.b, 2.f, 2.h, and 2.k (i.e., low pressure ECCS and associated EDG). The Required Action B.2 system would be HPCI. For Required Action B.1, redundant automatic initiation capability is lost if: (a) two or more Function 1.a channels are inoperable and untripped such that both trip systems lose initiation capability; (b) two or more Function 2.a channels are inoperable and untripped such that both trip systems lose initiation capability; (c) two or more Function 1.b channels are inoperable and untripped such that both trip systems lose initiation capability; (d) two or more Function 2.b channels are inoperable and untripped such that both trip systems lose initiation capability; (e) two or more Function 2.f channels are inoperable and untripped such that one or more pumps in both LPCI subsystems lose initiation (i.e., time delay) capability; (f) two or more Function 2.h channels are inoperable and untripped such that both trip systems lose initiation capability; or (g) two Function 2.k channels are inoperable and untripped. For low pressure ECCS, since each inoperable channel would have Required Action B.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system of low pressure ECCS and EDGs to be declared inoperable. However, since channels in both associated low pressure ECCS subsystems (e.g., both CS subsystems) are inoperable and untripped, and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in the associated low pressure ECCS and EDGs being concurrently declared inoperable.

For Required Action B.2, redundant automatic initiation capability is lost if two Function 3.a or two Function 3.b channels are inoperable and untripped in the same trip system (a trip system in this case is defined as channels associated with the parallel level in the logic arrangement).

In this situation (loss of redundant automatic initiation capability), the 24 hour allowance of Required Action B.3 is not appropriate and the feature(s) associated with the inoperable, untripped channels must be declared inoperable within 1 hour. As noted (Note 1 to Required Action B.1), Required Action B.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the low pressure ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 24 hours (as allowed by Required Action B.3) is allowed during MODES 4 and 5. There is no similar Note provided for Required Action B.2 since HPCI instrumentation is not required in MODES 4 and 5; thus, a Note is not necessary. Notes are also provided (Note 2 to Required Action B.1 and the Note to Required Action B.2) to delineate which Required Action is applicable for each Function that requires entry into Condition B if an associated channel is inoperable. This ensures that the proper loss of initiation capability check is performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that a redundant feature in the same system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable, untripped channels within the same Function as described in the paragraph above. For Required Action B.2, the Completion Time only begins upon discovery that the HPCI System cannot be automatically initiated due to two inoperable, untripped channels for the associated Function in the same trip system. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation or as in the case where placing an inoperable channel in trip would result in an immediate initiation without time delay when an initiation signal is received), Condition H must be entered and its Required Action taken.

C.1 and C.2

Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in redundant automatic initiation capability being lost for the feature(s).

Required Action C.1 features would be those that are initiated by Functions 1.c, 1.d, 1.e, 1.f, 2.c, 2.d, 2.e, 2.i, 2.j, 2.l, and 2.m (i.e., low pressure ECCS). Redundant automatic initiation capability is lost if:

(a) two Function 1.c channels are inoperable;
(b) two Function 2.c channels are inoperable;
(c) two Function 1.d channels are inoperable;
(d) two Function 2.d channels are inoperable;
(e) two Function 1.e channels are inoperable;
(f) two Function 2.e channels are inoperable;
(g) two Function 1.f channels are inoperable;
(h) two or more Function 2.i channels associated with a recirculation pump are inoperable such that both trip systems lose initiation capability;
(i) two or more Function 2.j channels are inoperable such that both trip systems lose initiation capability;
(j) two Function 2.l channels are inoperable; or
(k) two Function 2.m channels are inoperable.

Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system to be declared inoperable. However, since channels for both low pressure ECCS subsystems are inoperable (e.g., both CS subsystems), and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in both subsystems being concurrently declared inoperable. For these Functions the affected portions are the associated low pressure ECCS pumps.

In this situation (loss of redundant automatic initiation capability), the 24 hour allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable within 1 hour. As noted (Note 1), Required Action C.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of automatic initiation capability for 24 hours (as allowed by Required Action C.2) is allowed during MODES 4 and 5.

Note 2 states that Required Action C.1 is only applicable for Functions 1.c, 1.d, 1.e, 1.f, 2.c, 2.d, 2.e, 2.i, 2.j, 2.l, and 2.m. Required Action C.1 is not applicable to Function 3.c (which also requires entry into this Condition if a channel in this Function is inoperable), since the loss of one channel results in a loss of the Function (two-out-of-two logic). This loss was considered during the development of Reference 3 and considered acceptable for the 24 hours allowed by Required Action C.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action C.1, the Completion Time only begins upon discovery that the same feature in both subsystems (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would either cause the initiation or it would not necessarily result in a safe state for the channel in all events.

D.1, D.2.1, and D.2.2

Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic component initiation capability for the HPCI System. Automatic component initiation capability is lost if two Function 3.d channels or two Function 3.e channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour allowance of Required Actions D.2.1 and D.2.2 is not appropriate and the HPCI System must be declared inoperable within 1 hour after discovery of loss of HPCI initiation capability. As noted, Required Action D.1 is only applicable if the HPCI pump suction is not aligned to the suppression pool, since, if aligned, the Function is already performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the HPCI System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1 or the suction source must be aligned to the suppression pool per Required Action D.2.2. Placing the inoperable channel in trip performs the intended function of the channel (shifting the suction source to the suppression pool). Performance of either of these two Required Actions will allow operation to continue. If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the HPCI System piping remains filled with water.

Alternately, if it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the HPCI suction piping), Condition H must be entered and its Required Action taken.

E.1 and E.2

Required Action E.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the Low Pressure Coolant Injection Pump Discharge Flow - Low (Bypass) Function result in redundant automatic initiation capability being lost for the feature(s). For Required Action E.1, the features would be those that are initiated by Function 2.g (i.e., LPCI). Redundant automatic initiation capability is lost if one or more Function 2.g channels associated with pumps in LPCI subsystem A and one or more Function 2.g channels associated with pumps in LPCI subsystem B are inoperable. Since each inoperable channel would have Required Action E.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected LPCI pump to be declared inoperable. However, since channels for more than one LPCI pump are inoperable, and the Completion Times started concurrently for the channels of the LPCI pumps, this results in the affected ECCS pumps being concurrently declared inoperable.

In this situation (loss of redundant automatic initiation capability), the 7 day allowance of Required Action E.2 is not appropriate and the subsystem associated with each inoperable channel must be declared inoperable within 1 hour. As noted (Note 1 to Required Action E.1), Required Action E.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 7 days (as allowed by Required Action E.2) is allowed during MODES 4 and 5. A Note is also provided (Note 2 to Required Action E.1) to delineate that Required Action E.1 is only applicable to the LPCI Function. Required Action E.1 is not applicable to HPCI Function 3.f since the loss of one channel results in a loss of the Function (one-out-of-one logic). This loss was considered during the development of Reference 3 and considered acceptable for the 7 days allowed by Required Action E.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action E.1, the Completion Time only begins upon discovery that a redundant feature in the same system (i.e., both LPCI subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

If the instrumentation that controls the pump minimum flow valve is inoperable, such that the valve will not automatically open, extended pump operation with no injection path available could lead to pump overheating and failure. If there were a failure of the instrumentation, such that the valve would not automatically close, a portion of the pump flow could be diverted from the reactor vessel injection path, causing insufficient core cooling. These consequences can be averted by the operator's manual control of the valve, which would be adequate to maintain ECCS pump protection and required flow. Furthermore, other ECCS pumps would be sufficient to complete the assumed safety function if no additional single failure were to occur. The 7 day Completion Time of Required Action E.2 to restore the inoperable channel to OPERABLE status is reasonable based on the remaining capability of the associated ECCS subsystems, the redundancy available in the ECCS design, and the low probability of a DBA occurring during the allowed out of service time. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

F.1 and F.2

Required Action F.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system A and B Functions result in redundant automatic initiation capability being lost for the ADS. Redundant automatic initiation capability is lost if one Function 4.a channel and one Function 5.a channel are inoperable and untripped.

In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action F.2 is not appropriate and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE. If either HPCI or RCIC is inoperable, the time is shortened to 96 hours. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable, untripped channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action F.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.

G.1 and G.2

Required Action G.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS.

Automatic initiation capability is lost if either: (a) one Function 4.b channel and one Function 5.b channel are inoperable; or (b) a combination of Functions 4.c, 4.d, 5.c, and 5.d channels are inoperable such that channels associated with five or more low pressure ECCS pumps are inoperable.

In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action G.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action G.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE (Required Action G.2). If either HPCI or RCIC is inoperable, the time shortens to 96 hours. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.
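The Completion Time bookkeeping described for Required Actions F.2 and G.2 (8 days, shortened to 96 hours while HPCI or RCIC is inoperable, never exceeding 8 days in total), as an added Python example that is not part of the Bases. The event names, function names, and sample timelines are constructed; starting the 96 hours at channel discovery when HPCI or RCIC is already inoperable at that moment is an assumption the text does not state.

```python
from datetime import datetime, timedelta

EIGHT_DAYS = timedelta(days=8)          # allowance with both HPCI and RCIC OPERABLE
NINETY_SIX_HOURS = timedelta(hours=96)  # allowance with either HPCI or RCIC inoperable


def completion_deadline(channel_discovered, support_inop_since=None):
    """Deadline in effect for one inoperable ADS channel.

    support_inop_since is the discovery time of the current HPCI or RCIC
    inoperability, or None when both are OPERABLE.
    """
    cap = channel_discovered + EIGHT_DAYS  # total time cannot exceed 8 days
    if support_inop_since is None:
        # 8 day clock, "time zero" is discovery of the inoperable channel
        return cap
    # 96 hours begins upon discovery of HPCI or RCIC inoperability.
    # Assumption: if that predates the channel discovery, start at the channel.
    start = max(channel_discovered, support_inop_since)
    return min(cap, start + NINETY_SIX_HOURS)


def replay(events):
    """Replay a time-ordered log of (timestamp, kind) tuples.

    kind is one of (hypothetical names):
      channel_inop      inoperable channel discovered
      support_inop      HPCI or RCIC discovered inoperable
      support_operable  HPCI and RCIC both OPERABLE again
      channel_resolved  channel restored (or tripped, where F.2 permits it)
    Returns (history, met): history lists (timestamp, deadline in effect)
    after each event while the channel is open; met is False as soon as an
    event arrives after the deadline that was in effect (Condition H).
    """
    channel_t0 = None
    support_since = None
    history = []
    for when, kind in events:
        # An expired deadline is not rescued by a later change to 8 days.
        if channel_t0 is not None and when > completion_deadline(channel_t0, support_since):
            return history, False
        if kind == "channel_inop":
            channel_t0 = when
        elif kind == "support_inop":
            if support_since is None:  # a second failure does not restart the 96 hours
                support_since = when
        elif kind == "support_operable":
            support_since = None
        elif kind == "channel_resolved":
            return history, True
        else:
            raise ValueError(f"unknown event kind: {kind}")
        if channel_t0 is not None:
            history.append((when, completion_deadline(channel_t0, support_since)))
    return history, True  # no expiry observed within the log


def ts(day, hour=0):
    """Timestamp helper for the constructed sample timelines."""
    return datetime(2015, 11, day, hour)


# Constructed timeline: HPCI/RCIC status changes twice, channel restored in time.
TIMELINE_MET = [
    (ts(1), "channel_inop"),        # 8 day clock  -> Nov 9 00:00
    (ts(2), "support_inop"),        # 96 hours     -> Nov 6 00:00
    (ts(5, 12), "support_operable"),  # back to 8 days from channel discovery
    (ts(7), "support_inop"),        # 96 hours would be Nov 11; 8 day cap wins
    (ts(8, 18), "channel_resolved"),
]

# Constructed timeline: HPCI/RCIC restored only after the 96 hours had run out.
TIMELINE_EXPIRED = [
    (ts(1), "channel_inop"),
    (ts(2), "support_inop"),
    (ts(6, 6), "support_operable"),
]

if __name__ == "__main__":
    for name, timeline in (("met", TIMELINE_MET), ("expired", TIMELINE_EXPIRED)):
        history, met = replay(timeline)
        print(name, "Completion Time met:", met)
        for when, deadline in history:
            print("  ", when, "-> deadline", deadline)
```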

H.1

With any Required Action and associated Completion Time not met, the associated feature(s) may be incapable of performing the intended function, and the supported feature(s) associated with inoperable untripped channels must be declared inoperable immediately.

SURVEILLANCE REQUIREMENTS

As noted in the beginning of the SRs, the SRs for each ECCS instrumentation Function are found in the SRs column of Table 3.3.5.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours as follows: (a) for Functions 3.c and 3.f; and (b) for Functions other than 3.c and 3.f provided the associated Function or redundant Function maintains ECCS initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. A channel that is shared between both trip systems is considered one channel. This Note is based on the reliability analysis (Ref. 3) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the ECCS will initiate when necessary.

SR 3.3.5.1.1

Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK guarantees that undetected outright channel failure is limited to 12 hours; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.5.1.2, SR 3.3.5.1.5 and SR 3.3.5.1.9

A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days for SR 3.3.5.1.2 is based on the reliability analyses of Reference 3. The Frequency of 12 months for SR 3.3.5.1.5 is based on the known reliability of the equipment and the multichannel redundancy available, and has been shown to be acceptable through operating experience. The Frequency of 24 months for SR 3.3.5.1.9 is based on the known reliability of the equipment and the multichannel redundancy available, and has been shown to be acceptable through operating experience.

SR 3.3.5.1.3

Calibration of trip units provides a check of the actual trip setpoints. The channel must be declared inoperable if the trip setting is discovered to be less conservative than the Allowable Value specified in Table 3.3.5.1-1. If the trip setting is discovered to be less conservative than accounted for in the appropriate setpoint methodology, but is not beyond the Allowable Value, the channel performance is still within the requirements of the plant safety analyses. Under these conditions, the setpoint must be readjusted to be equal to or more conservative than the setting accounted for in the appropriate setpoint methodology.

The Frequency of 92 days is based on the reliability analysis of Reference 3.

SR 3.3.5.1.4, SR 3.3.5.1.6, and SR 3.3.5.1.7

A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency of SR 3.3.5.1.4 is based upon the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. The Frequency of SR 3.3.5.1.6 is based upon the assumption of a 12 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

The Frequency of SR 3.3.5.1.7 is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis, and for Function 2.j, a revised minimum detectable break area for the LPCI loop select logic (Refs. 5 and 6).

The SR 3.3.5.1.4 annotation in Table 3.3.5.1-1 for Functions 1.c, 1.d, 2.c, 2.d, 4.c, 4.d, 5.c, and 5.d has been modified by two Notes. The SR 3.3.5.1.7 annotation in Table 3.3.5.1-1 for Function 2.j has also been modified by these same two Notes. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service.

These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition of OPERABILITY.

The second Note requires the setting for the instrument be returned to within the as-left tolerance of the nominal trip setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the setting for the instrument cannot be returned to within the as-left tolerance of the nominal trip setpoint, then the instrument channel shall be declared inoperable. The second Note also requires that the nominal trip setpoint and the methodology for calculating the as-left and the as-found tolerances be in a document controlled under 10 CFR 50.59 (i.e., Technical Requirements Manual (Ref. 4)).
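The Allowable Value check of SR 3.3.5.1.3 and the two Notes described above amount to a small decision procedure over the as-found and as-left settings. The following sketch is an example added here, not part of the licensee's document or procedures; the class, function and disposition names are hypothetical, the numeric values are constructed, and the trip-direction flag is an assumption used to decide which side of the Allowable Value is "less conservative".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TripChannel:
    """Setpoint data for one channel. All numbers used below are constructed."""
    nominal_trip_setpoint: float
    allowable_value: float
    as_found_tolerance: float
    as_left_tolerance: float
    # Assumption: True means the channel trips as the measured value rises,
    # so a higher setting is the less conservative direction.
    trips_on_increasing: bool


def beyond_allowable_value(ch: TripChannel, setting: float) -> bool:
    """True when the setting is less conservative than the Allowable Value."""
    if ch.trips_on_increasing:
        return setting > ch.allowable_value
    return setting < ch.allowable_value


def disposition(ch: TripChannel, as_found: float, as_left: float) -> list[str]:
    """Return the dispositions the Bases text calls for after a calibration."""
    out = []
    if beyond_allowable_value(ch, as_found):
        # SR 3.3.5.1.3: trip setting less conservative than the Allowable Value.
        out.append("INOPERABLE_AS_FOUND_BEYOND_AV")
    elif abs(as_found - ch.nominal_trip_setpoint) > ch.as_found_tolerance:
        # First Note: outside as-found tolerance, still conservative to the AV.
        out.append("EVALUATE_CHANNEL_PERFORMANCE")
        out.append("ENTER_CORRECTIVE_ACTION_PROGRAM")
    if abs(as_left - ch.nominal_trip_setpoint) > ch.as_left_tolerance:
        # Second Note: setting could not be returned to the as-left band.
        out.append("INOPERABLE_AS_LEFT_OUT_OF_TOLERANCE")
    return out


# Constructed channels: one trips on a rising value, one on a falling value.
HIGH_TRIP = TripChannel(100.0, 110.0, 4.0, 2.0, trips_on_increasing=True)
LOW_TRIP = TripChannel(100.0, 90.0, 4.0, 2.0, trips_on_increasing=False)

if __name__ == "__main__":
    cases = [(HIGH_TRIP, 103.0, 100.5), (HIGH_TRIP, 107.0, 100.0),
             (HIGH_TRIP, 111.0, 100.0), (LOW_TRIP, 89.0, 100.0)]
    for ch, as_found, as_left in cases:
        print(as_found, as_left, disposition(ch, as_found, as_left))
```

Drift in the conservative direction that exceeds the as-found tolerance still produces the evaluation and Corrective Action Program dispositions, since the first Note is written in terms of the as-found tolerance and not the direction of drift.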

SR 3.3.5.1.8

The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.8.1, and LCO 3.8.2 overlaps this Surveillance to provide complete testing of the assumed safety function.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES

1. USAR, Section 14.7.2.

2. USAR, Chapter 14.

3. NEDC-30936-P-A, "BWR Owners' Group Technical Specification Improvement Analyses for ECCS Actuation Instrumentation, Parts 1 and 2," December 1988.

4. Technical Requirements Manual.

5. GE-NE-0000-0052-3113-P-R0, SAFER/GESTR ECCS-LOCA Analysis - LPCI Loop Selection Detectable Break Area, September 2006.

6. Amendment No. 161, Monticello Nuclear Generating Plant - Issuance of Amendment Regarding Recirculation Riser Differential Pressure (TAC No. MD6864), dated April 7, 2009. (ADAMS Accession No. ML083040608)

7. Calculation 03-036, Revision 2, Instrument Setpoint Calculation Reactor Low Pressure Permissive Bypass Timer.

8. Amendment No. 176, Monticello Nuclear Generating Plant - Issuance of Amendment No. 176 to Renewed Facility Operating License Regarding Extended Power Uprate. (ADAMS Accession No. ML13316C459)