ML19066A405
| ML19066A405 | |
| Person / Time | |
|---|---|
| Site: | Vogtle  |
| Issue date: | 02/22/2019 |
| From: | - No Known Affiliation |
| To: | |
| References | |
| Download: ML19066A405 (178) | |
Text
Vogtle PEmails From: Agee, Stephanie Y. <SYAGEE@southernco.com>
Sent: Friday, February 22, 2019 4:47 PM To: Patel, Chandu; Habib, Donald Cc: Sparkman, Wesley A.; Pareez Golub; Hirmanpour, Bob; Arafeh, Yasmeen N.
Subject:
[External_Sender] Transmittal of Information for March 7th Pre-submittal Meeting re:
PMS TS Surveillance LAR - non-proprietary information Attachments: 20190307_SVP_SV0_005408_Affidavit and Req for Withholding.pdf; 20190307
_ND-19-0168_Non Prop Enclosures.pdf; 20190307_PMS TS Surveillance LAR_PSM Presentation.pdf This message provides the non-Proprietary Information that will be used for the Pre-submittal Meeting on the Protection and Safety Monitoring (PMS) Technical Specifications (TS) Surveillance License Amendment Request (LAR) LAR-19-001 (also, referred to as LAR 220).
The following non-proprietary information is provided:
- 20190307_ND-19-0168_Non Prop Enclosures (draft Enclosures) o Enclosure 1 - Draft Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision o Enclosure 6 - Draft Proposed Changes to the Licensing Bases Documents
- 20190307_PMS TS Surveillance LAR_PSM Presentation.pdf (provides the slides that will be presented during the March 7th meeting)
- 20190307_SVP_SV0_005408_Affidavit and Req for Withholding.pdf (supports the request to withhold proprietary information from the Public)
The attachments to this message may be provided to the Public prior to the March 7th meeting.
SNC has provided the Proprietary information in a separate email, for distribution to NRC Staff in preparation of the meeting.
Please contact Mr. Wesley A. Sparkman at (205) 992-5061 or Stephanie Agee at (205) 992-7556 if you have any questions/comments regarding this information.
Stephanie Agee Licensing Engineer Nuclear Development Regulatory Affairs Phone: 205-992-7556 l syagee@southernco.com 1
Hearing Identifier: Vogtle_COL_Docs_Public Email Number: 425 Mail Envelope Properties (BN6PR04MB0754BF3B7C79F480DEAEB827B97F0)
Subject:
[External_Sender] Transmittal of Information for March 7th Pre-submittal Meeting re: PMS TS Surveillance LAR - non-proprietary information Sent Date: 2/22/2019 4:46:55 PM Received Date: 2/22/2019 4:48:06 PM From: Agee, Stephanie Y.
Created By: SYAGEE@southernco.com Recipients:
"Sparkman, Wesley A." <WASPARKM@southernco.com>
Tracking Status: None "Pareez Golub" <pareez.golub@excelservices.com>
Tracking Status: None "Hirmanpour, Bob" <X2BHIRMA@SOUTHERNCO.COM>
Tracking Status: None "Arafeh, Yasmeen N." <YNARAFEH@southernco.com>
Tracking Status: None "Patel, Chandu" <Chandu.Patel@nrc.gov>
Tracking Status: None "Habib, Donald" <Donald.Habib@nrc.gov>
Tracking Status: None Post Office: BN6PR04MB0754.namprd04.prod.outlook.com Files Size Date & Time MESSAGE 1497 2/22/2019 4:48:06 PM 20190307_SVP_SV0_005408_Affidavit and Req for Withholding.pdf 653669 20190307_ND-19-0168_Non Prop Enclosures.pdf 2762236 20190307_PMS TS Surveillance LAR_PSM Presentation.pdf 616222 Options Priority: Standard Return Notification: No Reply Requested: No Sensitivity: Normal Expiration Date:
Recipients Received:
February 22, 2019 SVP_SV0_005408 Page 1 of 354 February 22, 2019 SVP_SV0_005408 Page 2 of 354 February 22, 2019 SVP_SV0_005408 Page 3 of 354 3 CAW-19-4870 (1) I am Manager, AP1000 Licensing, Westinghouse Electric Company LLC (Westinghouse), and as such, I have been specifically delegated the function of reviewing the proprietary information sought to be withheld from public disclosure in connection with nuclear power plant licensing and rule making proceedings, and am authorized to apply for its withholding on behalf of Westinghouse.
(2) I am making this Affidavit in conformance with the provisions of 10 CFR Section 2.390 of the Nuclear Regulatory Commissions (Commissions) regulations and in conjunction with the Westinghouse Application for Withholding Proprietary Information from Public Disclosure accompanying this Affidavit.
(3) I have personal knowledge of the criteria and procedures utilized by Westinghouse in designating information as a trade secret, privileged or as confidential commercial or financial information.
(4) Pursuant to the provisions of paragraph (b)(4) of Section 2.390 of the Commissions regulations, the following is furnished for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld.
(i) The information sought to be withheld from public disclosure is owned and has been held in confidence by Westinghouse.
(ii) The information is of a type customarily held in confidence by Westinghouse and not customarily disclosed to the public. Westinghouse has a rational basis for determining the types of information customarily held in confidence by it and, in that connection, utilizes a system to determine when and whether to hold certain types of information in confidence. The application of that system and the substance of that system constitute Westinghouse policy and provide the rational basis required.
Under that system, information is held in confidence if it falls in one or more of several types, the release of which might result in the loss of an existing or potential competitive advantage, as follows:
(a) The information reveals the distinguishing aspects of a process (or component, structure, tool, method, etc.) where prevention of its use by any of February 22, 2019 SVP_SV0_005408 Page 4 of 354 4 CAW-19-4870 Westinghouses competitors without license from Westinghouse constitutes a competitive economic advantage over other companies.
(b) It consists of supporting data, including test data, relative to a process (or component, structure, tool, method, etc.), the application of which data secures a competitive economic advantage (e.g., by optimization or improved marketability).
(c) Its use by a competitor would reduce his expenditure of resources or improve his competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing a similar product.
(d) It reveals cost or price information, production capacities, budget levels, or commercial strategies of Westinghouse, its customers or suppliers.
(e) It reveals aspects of past, present, or future Westinghouse or customer funded development plans and programs of potential commercial value to Westinghouse.
(f) It contains patentable ideas, for which patent protection may be desirable.
(iii) There are sound policy reasons behind the Westinghouse system which include the following:
(a) The use of such information by Westinghouse gives Westinghouse a competitive advantage over its competitors. It is, therefore, withheld from disclosure to protect the Westinghouse competitive position.
(b) It is information that is marketable in many ways. The extent to which such information is available to competitors diminishes the Westinghouse ability to sell products and services involving the use of the information.
(c) Use by our competitor would put Westinghouse at a competitive disadvantage by reducing his expenditure of resources at our expense.
February 22, 2019 SVP_SV0_005408 Page 5 of 354 5 CAW-19-4870 (d) Each component of proprietary information pertinent to a particular competitive advantage is potentially as valuable as the total competitive advantage. If competitors acquire components of proprietary information, any one component may be the key to the entire puzzle, thereby depriving Westinghouse of a competitive advantage.
(e) Unrestricted disclosure would jeopardize the position of prominence of Westinghouse in the world market, and thereby give a market advantage to the competition of those countries.
(f) The Westinghouse capacity to invest corporate assets in research and development depends upon the success in obtaining and maintaining a competitive advantage.
(iv) The information is being transmitted to the Commission in confidence and, under the provisions of 10 CFR Section 2.390, is to be received in confidence by the Commission.
(v) The information sought to be protected is not available in public sources or available information has not been previously employed in the same original manner or method to the best of our knowledge and belief.
(vi) The proprietary information sought to be withheld in this submittal is that which is appropriately marked in APP-GW-GLY-166, NRC Pre-Submittal Meeting Materials for LAR-220 (Proprietary), for submittal to the Commission, being transmitted by Southern Nuclear Company letter. The proprietary information as submitted by Westinghouse is that associated with Protection and Safety Monitoring System (PMS) Technical Specification simplification project, and may be used only for that purpose.
(a) This information is part of that which will enable Westinghouse to manufacture and deliver products to utilities based on proprietary designs.
(b) Further, this information has substantial commercial value as follows:
February 22, 2019 SVP_SV0_005408 Page 6 of 354 6 CAW-19-4870 (i) Westinghouse plans to sell the use of similar information to its customers for the purpose of licensing of new nuclear power stations.
(ii) Westinghouse can sell support and defense of industry guidelines and acceptance criteria for plant-specific applications.
(iii) The information requested to be withheld reveals the distinguishing aspects of a methodology which was developed by Westinghouse.
Public disclosure of this proprietary information is likely to cause substantial harm to the competitive position of Westinghouse because it would enhance the ability of competitors to provide similar technical evaluation justifications and licensing defense services for commercial power reactors without commensurate expenses. Also, public disclosure of the information would enable others to use the information to meet NRC requirements for licensing documentation without purchasing the right to use the information.
The development of the technology described in part by the information is the result of applying the results of many years of experience in an intensive Westinghouse effort and the expenditure of a considerable sum of money.
In order for competitors of Westinghouse to duplicate this information, similar technical programs would have to be performed and a significant manpower effort, having the requisite talent and experience, would have to be expended.
Further the deponent sayeth not.
February 22, 2019 SVP_SV0_005408 Page 7 of 354 Enclosure 2 - Proprietary Information Notice and Copyright Notice PROPRIETARY INFORMATION NOTICE Transmitted herewith are proprietary and non-proprietary versions of a document, furnished to the NRC in connection with requests for generic and/or plant-specific review and approval.
In order to conform to the requirements of 10 CFR 2.390 of the Commissions regulations concerning the protection of proprietary information so submitted to the NRC, the information which is proprietary in the proprietary versions is contained within brackets, and where the proprietary information has been deleted in the non-proprietary versions, only the brackets remain (the information that was contained within the brackets in the proprietary versions having been deleted). The justification for claiming the information so designated as proprietary is indicated in both versions by means of lower case letters (a) through (f) located as a superscript immediately following the brackets enclosing each item of information being identified as proprietary or in the margin opposite such information. These lower case letters refer to the types of information Westinghouse customarily holds in confidence identified in Sections (4)(ii)(a) through (4)(ii)(f) of the Affidavit accompanying this transmittal pursuant to 10 CFR 2.390(b)(1).
COPYRIGHT NOTICE The reports transmitted herewith each bear a Westinghouse copyright notice. The NRC is permitted to make the number of copies of the information contained in these reports which are necessary for its internal use in connection with generic and plant-specific reviews and approvals as well as the issuance, denial, amendment, transfer, renewal, modification, suspension, revocation, or violation of a license, permit, order, or regulation subject to the requirements of 10 CFR 2.390 regarding restrictions on public disclosure to the extent such information has been identified as proprietary by Westinghouse, copyright protection notwithstanding. With respect to the non-proprietary versions of these reports, the NRC is permitted to make the number of copies beyond those necessary for its internal use which are necessary in order to have one copy available for public viewing in the appropriate docket files in the public document room in Washington, DC and in local public document rooms as may be required by NRC regulations if the number of copies submitted is insufficient for this purpose. Copies made by the NRC must include the copyright notice in all instances and the proprietary notice if the original was identified as proprietary.
Southern Nuclear Operating Company ND-19-0168 Enclosure 1 Vogtle Electric Generating Plant (VEGP) Units 3 and 4 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
(This Enclosure consists of 34 pages, including this cover page)
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Table of Contents
- 1.
SUMMARY
DESCRIPTION
- 2. DETAILED DESCRIPTION
- 3. TECHNICAL EVALUATION
- 4. REGULATORY EVALUATION 4.1. Applicable Regulatory Requirements/Criteria 4.2. Precedent 4.3. Significant Hazards Consideration 4.4. Conclusions
- 5. ENVIRONMENTAL CONSIDERATIONS
- 6. REFERENCES Page 2 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Pursuant to 10 CFR 52.98(c) and in accordance with 10 CFR 50.90, Southern Nuclear Operating Company (SNC) requests an amendment to the combined licenses (COLs) for Vogtle Electric Generating Plant (VEGP) Units 3 and 4 (License Numbers NPF-91 and NPF-92, respectively).
The requested amendment proposes changes to VEGP Units 3 and 4 COL Appendix A, Technical Specifications (TS).
- 1.
SUMMARY
DESCRIPTION The following activities are proposed:
- 1. The Surveillance Requirements (SRs) requiring a manual Channel Check to be performed on Protection and Safety Monitoring System (PMS) components are proposed to be removed from the TS.
- 2. The SRs requiring a manual Channel Operational Tests (COTs) to be performed on PMS components are proposed to be removed from the TS.
- 3. The SRs requiring a manual Actuation Logic Tests (ALTs) to be performed on PMS components (excluding the Automatic Depressurization System (ADS) and In-Containment Refueling Water Storage Tank (IRWST) injection blocking device) are proposed to be removed from the TS.
- 4. The SRs requiring a manual Actuation Logic Output Tests (ALOTs) to be performed on PMS components are proposed to be removed from the TS.
- 5. The approach for satisfying the reactor trip and Engineered Safety Feature Actuation System (ESFAS) response time SRs is changed. The current approach for satisfying the PMS response time surveillance tests is to perform response time tests on the PMS equipment. The proposed method is to use allocated response times for the PMS equipment in lieu of testing. The reactor trip and ESFAS response time definitions allow an exception to testing if the response times can be verified via a previously reviewed and approved NRC methodology. This activity seeks NRC approval for the methodology outlined in this license amendment request. If approved, the Bases will be updated to allow for allocated values to be used for the PMS equipment to support the overall response time test SRs. Text is also added to describe where the PMS equipment allocated values can be found.
The SRs throughout the TS are renumbered to support changes 1, 2, 3 and 4. Associated Bases changes are also made for the TS changes proposed above. This includes rewording the Background description of the PMS self-diagnostic test features in Bases 3.3.1 and 3.3.8 to more clearly align with the changes described above. The Bases surveillance requirement descriptions for TS SR 3.3.4 and TS SR 3.3.6 are revised to acknowledge that certain functions have no SRs due to self-checking features continuously monitoring logic OPERABILITY.
None of the activities change any PMS software or hardware. The activity credits the PMS self-Page 3 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
(LAR-19-001) diagnostic test features already part of the approved PMS design and uses these existing self-diagnostic features to justify the removal of redundant manual PMS surveillance tests.
- 2. DETAILED DESCRIPTION The Protection and Safety Monitoring System Overview The Protection and Safety Monitoring System (PMS) is the AP1000 plant safety-related I&C system. The PMS provides detection of off-nominal conditions and actuation of appropriate safety-related functions necessary to achieve and maintain the plant in a safe shutdown condition.
The PMS consists of four redundant divisions, designated A, B, C, and D. Four redundant divisions are provided to satisfy single failure criteria and improve plant availability. The PMS is based on the Common Qualified (Common Q) platform, as described in WCAP-16097-P-A Revision 3 (as modified by changes provided in WCAP-15927, Revision 7). The Common Q platform consists, in part, of the Advant Controller 160 (AC160) with PM646A processor module, input and output (I/O) cards, Advant Fieldbus (AF100) communication, and High Speed Link (HSL) communication.
The PMS performs the necessary safety-related signal acquisition, calculations, setpoint comparison, coincidence logic, reactor trip and engineered safety feature actuation system (ESFAS) functions, and component control functions to achieve and maintain the plant in a safe shutdown condition. The PMS is designed to permit periodic testing and its components contain maintenance, test, and self-diagnostic functions to verify the proper operation of the system.
PMS Architecture Each division consists, in part, of the components listed below. Figure 1 and Figure 2 of Enclosure 2 provides a graphical view of the PMS and how the various components interface with each other. Each subsystem communicates with the other subsystems in the division via an independent data bus to prevent propagation of failures and to enhance availability. Each subsystem is implemented in a separate card chassis (or sub-rack).
x Bistable Processor Logic (BPL)
[
INSERT 1
]a,c Page 4 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
[
INSERT 1 continued
]a,c Page 5 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
[
INSERT 1 continued
]a,c PMS Response Time Requirements As discussed in UFSAR Subsection 7.1.2.7, the PMS processes field inputs from sensors to accomplish protective functions (i.e., reactor trip signals and engineered safeguard feature actuation signals). A protective function is initiated when the relevant field inputs from the sensors reach a predefined setpoint. A setpoint value is selected to initiate a protective function for the plant to adequately respond to the accident scenario. Once the setpoint is reached, the PMS processes the input and generates a signal to the actuation device. The actuation device, such as circuit breakers or relays, directly controls the motive power to the actuated equipment used to accomplish the protective function.
Protective functions must be accomplished within a certain time period from when a setpoint is reached to ensure that the actions put the plant into a safe state. The required time response for the protective function is the maximum allowable time period assumed the accident analysis for the given protective function. Response times are tested and/or verified for the relevant protective functions as part of the Technical Specification surveillance program.
PMS Failure Modes and Effects Analysis Overview The PMS failure modes and effects analysis (FMEA) is documented in WCAP-16438, Revision 3 (as modified by the changes provided in UFSAR Appendix 7A.4). Per WCAP-16438 and UFSAR Sections 7.2.2.1 and 7.3.2.2.1, the PMS FMEA examines failures of the major PMS components and concludes that the protection system maintains its safety functions during single point failures.
For each postulated failure, the PMS FMEA assigns a fault classification to reach a safety conclusion. Through the process of examining the relevant failure modes and making a final safety determination for each failure with the given fault classifications, it is concluded that the AP1000 protection system maintains its safety functions during single point failures.
Page 6 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Common Q and PMS Self-Diagnostics Overview The PMS and Common Q Platform components are designed with self-diagnostic features, as described in WCAP-16675 Section 6.1 and the Background section of TS Bases 3.3.1 and 3.3.8.
The self-diagnostic tests are built into the safety equipment and consist of numerous automatic checks to validate that the equipment and software are performing their functions correctly.
The following information provides a summary of the diagnostic functions within the PMS, per WCAP-16675, Section 6.1:
x Processor Modules and I/O Modules A variety of self-test diagnostic and supervision functions are performed by the PMS processors and I/O modules to continuously monitor their operations. Each of the modules has its own diagnostic functions. The processor module monitors the system as a whole by collecting all the diagnostic information and checking the consistency of the hardware configuration with the application software currently installed.
The functions of the processors are monitored during power-up and during normal operations.
The diagnostic routines continue checking operation without delaying or influencing the execution of the processor functions. Each subsystem processor module (e.g., BPL, LCL, ILP processor modules) is monitored by the use of background diagnostics for the processor and I/O module faults. Failures in I/O modules are first detected by the individual module, which then passes failure status information to the processor where it is stored and acted upon. The supervision functions of the equipment are subdivided into the following groups:
- 1. Problem detection
- 2. Signaling the nature of the problem
- 3. Automatic reaction to the problem
[
INSERT 2 a,c
]
x Communication Modules The purpose of the AF100 bus communication modules is to provide communication between subsystems (e.g., BPL, LCL, ILP, MTP, ITP). The communications modules are individually supervised by their own internal diagnostics and additional run-time diagnostics. In addition, the processor module performs continuous background diagnostics of the communications modules and automatically detects errors during operation. The processor module contains the error messages in the error buffer for system troubleshooting.
As is stated in the Bases, to the extent possible, PMS testing is accomplished with the continuous self-diagnostic features.
PMS Surveillance Requirement Testing The PMS is periodically manually tested by the operations staff according to the Surveillance Requirements (SRs) in the Technical Specifications (TS). This includes testing from the sensor Page 7 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
(LAR-19-001) inputs of the PMS to the actuated equipment. Verification of the signal processing algorithms is made by manually injecting test signals (either by hardware or software signal injection) and observing the results up to, and including, the attainment of a channel partial trip or actuation signal.
Specifically, the TS require the following tests to be performed on the PMS at various frequencies:
Channel Calibration, Channel Operational Test (COT), Actuation Logic Test (ALT), Actuation Logic Output Test (ALOT), Channel Check, Trip Actuating Device Operational Test (TADOT), and Response Time Tests. This series of overlapping tests are used to verify the operability of all the devices in the PMS channel required for channel operability. Figure 3 and Figure 4 of Enclosure 2 provides a high-level graphical representation of the parts of the PMS channel covered by each test. Figure 3 shows the overlapping manual testing for ESFAS functions and Figure 4 shows the overlapping manual testing for the reactor trip functions. Additional information for each test is provided in Table 2 of the Technical Evaluation.
AP1000 Technical Specification Update to Account for Digital I&C Design Features The PMS is based on the Common Q platform, which is a digital I&C system. However, the Vogtle 3 & 4 TS for the PMS are based on the Westinghouse Standard Technical Specifications (NUREG-1431), which was written for analog protection systems.
In addition, the PMS digital components contain internal self-diagnostic features continuously verifying the correct functionality and operability of the component. As discussed in WCAP-16097-P-A, Revision 3 (as modified by changes provided in WCAP-15927, Revision 7) and WCAP-16675, Revision 6.1, the PMS and the Common Q platform contain internal self-diagnostics with the ability to identify internal faults and alert operators of any potential failures.
In many instances, the internal self-diagnostics are capable of identifying the same operability issues as those identified by the manual surveillance tests. This includes identifying faults impacting the response time of the PMS components.
Due to the duration of each surveillance test and the frequency at which they are required, the PMS current surveillance tests would require one division of the PMS to be inoperable for extended periods of time. Therefore, fully leveraging the continuous, self-diagnostic testing features of the PMS would reduce the scope and frequency of manual TS surveillance testing.
Doing so would increase safety by lowering operational risk associated with human performance errors, reduce the duration of the PMS being at less than full redundancy, reduce resources necessary to perform surveillance testing, and save substantial operational costs while still meeting the applicable regulations.
Proposed Licensing Basis Changes Table 1 below contains a brief description of the specific changes being proposed by this LAR.
The Technical Specification Bases changes are being provided for information purposes only.
Page 8 of 34
ND-19-0168 Enclosure 1 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Table 1: Summary of Licensing Basis Changes Section Brief Description of Impact UFSAR Appendix 1A - Conformance with Regulatory A description is added to describe conformance with Guides IEEE 338 to align with crediting self-diagnostic test features in lieu of manual surveillance tests.
UFSAR Subsection 7.3.2.2.6 - Capability for Sensor Changed to take credit for the self-diagnostics as part of Checks and Equipment Test and Calibration of the the basis for acceptability of the ESFAS functions.
Engineered Safety Features Actuation (Paragraphs 5.7 and 6.5 of IEEE 603-1991)
UFSAR Appendix 7A.5 (WCAP-15776) - WCAP- Section 3.13 is revised to align the text with the actual 15776, Safety Criteria for the AP1000 IEEE 603 requirements from IEEE 603 Section 5.7 and Instrumentation and Control Systems, April 2002 with crediting self-diagnostics in lieu of manual surveillances. Specifically, IEEE 603 Section 5.7 requires the protection system to be designed with the capability to test and calibrate the system. IEEE 603 does not require the manual performance of any specific test.
UFSAR Appendix 7A.8 (WCAP-16675) - WCAP- Section 2.2.5 is revised to require the protection system 16675-P and WCAP-16675-NP, AP1000 Protection to be designed with the capability to test and calibrate and Safety Monitoring System Architecture Technical the system, consistent with IEEE 603 Section 5.7 and Report with crediting self-diagnostics in lieu of manual surveillances. Specifically, IEEE 603 Section 5.7 requires the protection system to be designed with the capability to test and calibrate the system. IEEE 603 does not require the manual performance of any specific test.
Section 6 and 6.2 are revised to say that both self-diagnostics and on-line verification tests are used to verify the safety system is capable of performing its intended safety function.
TS Section 1.1 - Definitions Definition for ALOT is deleted TS SR 3.3.1.1 - Channel Check of RTS SR Deleted Instrumentation
- TS SR 3.3.2.1 - Channel Check of RTS SR SR Deleted Instrumentation*
TS SR 3.3.3.1 - Channel Check of RTS IR SR Deleted Instrumentation*
TS SR 3.3.8.1 - Channel Check of ESFAS SR Deleted Instrumentation*
TS SR 3.3.10.1 - Channel Check of ESFAS RCS Hot SR Deleted Leg Level Instrumentation*
Page 9 of 34
ND-19-0168 Enclosure 1 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Table 1: Summary of Licensing Basis Changes Section Brief Description of Impact TS SR 3.3.11.1 - Channel Check of ESFAS Startup SR Deleted Feedwater Flow Instrumentation*
TS SR 3.3.13.1 - Channel Check of ESFAS Main SR Deleted Control Room Isolation, Air Supply Initiation, and Electrical Load De-energization*
TS SR 3.3.14.1 - Channel Check of Spent Fuel Pool SR Deleted Level Instrumentation*
TS SR 3.3.17.1 - Channel Check of PAM SR Deleted Instrumentation*
TS SR 3.3.20.1 - Channel Check of ADS and IRWST SR Deleted Injection Blocking Device*
TS SR 3.9.3.1 - Channel Check of Nuclear SR Deleted Instrumentation*
TS SR 3.1.8.1 - COT for Physics Test Exceptions - SR Deleted Mode 2*
TS SR 3.3.1.6 - COT for RTS Instrumentation* SR Deleted TS SR 3.3.1.7 - COT for RTS Instrumentation* SR Deleted TS SR 3.3.2.2 - COT for RTS SR Instrumentation* SR Deleted TS SR 3.3.3.2 - COT for RTS IR Instrumentation* SR Deleted TS SR 3.3.8.2 - COT for ESFAS Instrumentation* SR Deleted TS SR 3.3.10.2 - COT for ESFAS RCS Hot Leg Level SR Deleted Instrumentation*
TS SR 3.3.11.2 - COT for ESFAS Startup Feedwater SR Deleted Flow Instrumentation*
TS SR 3.3.13.2 - COT for ESFAS Main Control Room SR Deleted Isolation, Air Supply Initiation, and Electrical Load De-energization*
TS SR 3.3.14.2 - COT for ESFAS Spent Fuel Pool SR Deleted Level Instrumentation*
SR 3.3.20.3 - COT for ADS and IRWST Injection SR Deleted Blocking Device Page 10 of 34
ND-19-0168 Enclosure 1 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Table 1: Summary of Licensing Basis Changes Section Brief Description of Impact TS SR 3.3.4.1 - ALT for RTS ESFAS Instrumentation* SR Deleted, Note within SR table and Table 3.3.4-1 edited to account for reduction in SRs.
TS SR 3.3.6.1 - ALT for RTS Automatic Trip Logic* SR Deleted TS SR 3.3.15.1 - ALT for ESFAS Actuation Logic - SR Deleted Operating TS SR 3.3.15.2 - ALOT for ESFAS Actuation Logic - SR Deleted Operating TS SR 3.3.16.1 - ALT for ESFAS Actuation Logic - SR Deleted Shutdown TS SR 3.3.16.2 - ALOT for ESFAS Actuation Logic - SR Deleted Shutdown*
TS LCO 3.3.19 Condition C.1 - Condition which Condition Deleted requires the performance of an ALT*
TS Section 5.5.14 - Setpoint Program The reference to COT is deleted.
TS Bases associated with SR 3.3.1.11, SR 3.3.2.4, An allowance is made in the Bases to use allocated SR 3.3.3.4, SR 3.3.8.4, SR 3.3.10.4, SR 3.3.11.4, SR PMS equipment values for the response time 3.3.13, and SR 3.3.14.4. Surveillance Requirement surveillances in lieu of testing.
section for Bases 3.3.2 and 3.3.3.
Note: current SR numbers are referenced, not the proposed renumbered SRs.
TS Bases associated with SR 3.1.9.3 and 3.6.3.5. These SRs require a simulated or actual actuation signal be sent to the CVS containment isolation valves.
A statement is added to require the actual or simulated actuation signal to be processed through the CIM. This verifies the Operability of the circuit from the CIM to the CVS containment isolation valve and satisfies a portion of the scope of ALOT.
- Indicates SRs that were renumbered within the TS and changes/additions to the associated Bases, as applicable. In addition to changes associated with specific SRs, the Bases changes include edits related to the PMS self-diagnostics in the Background section of Bases 3.3.1 and 3.3.8.
Page 11 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
- 3. TECHNICAL EVALUATION Manual Surveillance Testing Requirements The PMS is periodically manually tested by the operations staff according to the SRs in the TS.
This testing of the protection system is governed by Regulatory Guide 1.118 Revision 3, which provides a method acceptable to the NRC staff for complying with the underlying regulations associated with periodic testing.
This activity does not propose a change to any PMS software or hardware. Therefore, the PMS is still designed in such a way as to permit periodic testing during operation. These design features will continue to be used to manually test the PMS as part of the AP1000 TS surveillance program in accordance with IEEE 338-1987, and COL Appendix A. However, as stated above, select PMS surveillance tests are proposed to be removed from the surveillance program within the TS because they are fully covered by self-diagnostic tests. The self-diagnostic tests, their capability to adequately test the protection system, and their relation to the regulations and standards above will be addressed below.
Self-Diagnostic Overlap with Manual Surveillance Testing Evaluation An evaluation was performed to compare the manual PMS surveillance tests included in the TS with the PMS self-diagnostic tests. The evaluation included the following general process:
x [
INSERT 3
] a,c A summary of the evaluation of each manual surveillance test and the available self-diagnostic tests is included in Table 2 below. In Table 2, the surveillance tests applicable to the PMS are listed, along with the applicable SR number and a test description. A high-level description of the self-diagnostic coverage for each manual surveillance test is provided. A summary conclusion is made for each surveillance test based on the associated evaluation.
Most of the SRs associated with PMS Channel Checks, COTs, ALTs and ALOTs are deleted based on the information in Table 2. With a few exceptions addressed in Table 2, it is shown that the self-diagnostic tests can detect the same failures as would be detected by the Channel Check, Page 12 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
COT, and ALT surveillance tests. In addition, though the Response Time Tests will be retained as a surveillance requirement, it is determined to be unnecessary to periodically test the response time of the PMS equipment. An allocated value for the PMS equipment is proposed to be used in lieu of a test in order to support the overall Response Time Test measurement. With an exception addressed in Table 2 at the end of this section, it is shown that the self-diagnostic tests would capture any credible failure resulting in slower response times.
Overview of Self-Diagnostic Testing Features
[
INSERT 4
]a,c Improved Reliability, Safety, and Operability of Self-Diagnostics The self-diagnostics are a reliable and superior alternative to manual surveillance tests. The self-diagnostics tests are automatically and continuously executed. This is in contrast to the manual tests which are executed every 92 days or 24 months, per the surveillance test program.
Therefore, the self-diagnostics tests are executed more frequently than the manual tests. In addition, the self-diagnostics tests do not reduce the redundancy of the safety system. The PMS remains at full system redundancy during the self-diagnostic tests, unlike the manual surveillance Page 13 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
(LAR-19-001) tests which require the system to be at less than full redundancy. Because the surveillance tests are accomplished by the operator, they have a higher probability of a human error adversely impacting the operation of the safety system than the self-diagnostic tests which are inherently less prone to error than a human operator. This is supported by the fact that the self-diagnostics have gone through a rigorous design life-cycle process.
[
INSERT 5
]
A survey was performed on a fleet of nuclear reactors in one country which uses the Common Q platform. For these nuclear reactors, no AC160 failures were identified by surveillance tests.
Qualification of AC160 Self-Diagnostics The AC160 diagnostics were commercially dedicated to the same standards as the rest of the AC160 system software. In 2000, the NRC issued a safety evaluation report (ML003740165) on the Common Q Topical Report (CENP-396-P, Rev. 01 which is the predecessor to WCAP-16097-P-A). In the safety evaluation report the NRC acknowledged receipt of Westinghouse document GWKF 700 777, "Design and Life Cycle Evaluation Report on Previously-Developed Software in ABB AC160, I/O Modules and Tool Software" Rev. 02 (February 22, 2000), in support of the commercial dedication of the AC160. The safety evaluation report stated the, AC160 PDS
[Previously Developed Software] is composed of the AC160 software, S600 I/O Module(s) software, and ABB Tool software. The evaluation is based on the requirements specified in International Electrotechnical Commission (IEC) standard IEC-60880, "Software for Computers in the Safety Systems of Nuclear Power Stations." IEC 60880 is referenced in IEEE 7-4.3.2-2003, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations." IEC 60880 is comparable to IEEE 7-4.3.2-2003, and the staff has found standard IEC 880 to be an acceptable equivalent.
The Design and Lifecycle Evaluation (DLCE) applies to all aspects of the PDS including the system software that executes the nuclear application program and the diagnostics integrated with the system software. In other words, the same software quality approach applied to both aspects of the system software. Therefore, the Common Q Platform diagnostics were developed using a rigorous process which was accepted by the NRC.
The Common Q hardware diagnostics were designed and qualified similar to the software. They were tested in conjunction with the firmware and software they interface with. They were subjected to equipment qualification, which included testing to demonstrate environmental qualification, seismic qualification, and electromagnetic compatibility qualification. In addition, the Common Q hardware was commercially dedicated. Hardware changes are evaluated, and the hardware is requalified if the changes require it.
The NRC staff concluded that the design of the Common Q platform, including its diagnostic functions, meets the relevant NRC regulatory requirements and is acceptable for safety-related instrumentation and control applications in nuclear power plants.
These same diagnostics were reviewed by the NRC staff in relation to the Palo Verde Nuclear Generating Station Core Protection Calculator System Technical Specifications. The NRC concluded, per the safety evaluation of the Palo Verde Nuclear Generating Station (PVNGS)
Core Protection Calculator System (ML0330303630) in allowing for extended surveillance testing Page 14 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
(LAR-19-001) frequencies, the NRC staff found that the diagnostics to be employed on the Common Q system are more extensive and have more coverage than in the legacy system.
Using self-diagnostics is also consistent with the Background sections of Bases 3.3.1 and 3.3.8 which state that PMS testing will be accomplished with continuous system self-checking features, to the extent practical. This text is enhanced throughout the Bases to clearly identify how the self-diagnostics are relied upon in lieu of manual surveillance tests and to ensure the self-diagnostics cannot be changed in such a way as to invalidate how they are currently used to confirm system operability.
Similarly, the PMS, including its application-specific self-diagnostics, was developed under a formal life-cycle process per COL Appendix C ITAAC Table No. 2.5.02.11 and 2.5.02.12.
Therefore, the PMS and Common Q self-diagnostic equipment relied upon to test system operability has been developed using project life-cycles which included specific processes for conceptual design activities, requirements development, design activities, implementation, testing, and commercial dedication.
Page 15 of 34
ND-19-0168 Enclosure 1 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Table 2 - Summary of the Manual Surveillance Tests and Self-Diagnostic Tests for the PMS Components Test Name Relevant Test Description Summary of PMS Self-Diagnostics and Redundant Surveillance (PMS) SRs Test Coverage Evaluation Channel 3.3.1.8 Definition: A channel calibration shall be the adjustment, as Not applicable for this activity. Calibration will continue to be a manual 3.3.1.9 Calibration necessary, of the channel output such that it responds within the surveillance test.
3.3.2.3 3.3.3.3 necessary range and accuracy to known values of the parameter that 3.3.8.3 the channel monitors. The channel calibration shall encompass all 3.3.10.3 devices in the channel required for operability.
3.3.11.3 Calibration of instrument channels with resistance temperature 3.3.13.3 3.3.14.3 detector (RTD) or thermocouple sensors may consist of an in place 3.3.17.2 qualitative assessment of sensor behavior and normal calibration of 3.3.20.4 the remaining adjustable devices in the channel. The channel 3.4.1.4 calibration may be performed by means of any series of sequential, 3.4.9.3 overlapping, or total channel steps.
3.9.3.2 Page 16 of 34
ND-19-0168 Enclosure 1 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Channel 3.3.1.1 Definition: A qualitative assessment, by observation, of channel The PMS performs continuous channel comparison on specific sensor values Check 3.3.2.1 behavior. This test includes a comparison of the channel indication across all four divisions. This includes intra-channel and inter-channel 3.3.3.1 and status to other indications or statuses derived from independent comparison checks. This self-diagnostic test is described in WCAP-16675 3.3.8.1 instrument channels measuring the same parameter. Section 6.2.
3.3.10.1 3.3.11.1 Test Overview: The manual Channel Check identifies if a component x [
3.3.13.1 has failed by comparing all four divisions redundant instrument input 3.3.14.1 values (inter-channel check) and comparing the redundant BPL 3.3.17.1 measurements within a division (intra-channel check). This test checks INSERT 6 3.3.20.1 for a significant deviation that may indicate a gross channel failure.
3.9.3.1 This is accomplished by visual comparison of the indicators at the ]
MTP and noting if a pre-defined difference exists between the highest The PMS self-diagnostic test verifies the same information verified by the and lowest indicator. manual Channel Check test, per SV0-PMS-AR-001, Appendix D. Therefore, PMS Components Covered: The data from the process sensor the PMS Channel Checks can be eliminated.
passes to the A/D converter within the BPL and is displayed on the A graphical representation of the self-diagnostic channel check test is shown MTP. in Figure 5 of Enclosure 2.
Page 17 of 34
ND-19-0168 Enclosure 1 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Channel 3.1.8.1 Definition: Injection of a simulated or actual signal into the channel as The PMS self-diagnostic tests have been shown to adequately test the Operational 3.3.1.6 close to the sensor as practicable to verify channel operability. operability of the same PMS components tested as part of the manual COTs Test (COT) 3.3.1.7 Includes adjustments, as necessary, of the required alarm, interlock, in all the SRs listed except SR 3.3.20.3, which is addressed below. The 3.3.2.2 and trip setpoints such that the setpoints are within the necessary internal fault detected by the diagnostic initiates the necessary visual and 3.3.3.2 range and accuracy. audible annunciation in the main control room so that the operator can take 3.3.8.2 the appropriate action.
3.3.10.2 Test Overview: The COT for all PMS SRs except 3.3.20.3 is satisfied 3.3.11.2 by manually injecting a simulated digital signal at the MTP and x The PM646A Common Q Platform diagnostics are evaluated in SV0-3.3.13.2 verifying that the BPL actuates as expected. This includes: PMS-AR-001 Table A-1 and Table A-2. The diagnostics are shown to 3.3.14.2 x Manually entering a signal value for the input to the function cover the applicable processor module failure modes in SV0-PMS-AR-3.3.20.3 being tested 001 Table C-1.
x Executing the function with the test input value x The CI631 Module Common Q Platform diagnostics are evaluated in SV0-PMS-AR-001 Table A-3. The diagnostics are shown to cover the x Monitoring the function outputs to determine if the response to applicable processor module failure modes in SV0-PMS-AR-001 Table the test input value is correct.
C-3.
The COT for the ADS and IRWST injection blocking device (SR x The BIOB Common Q Platform diagnostics are evaluated in SV0-PMS-3.3.20.3) confirms the device is capable of unblocking on low CMT AR-001 Table A-4. The diagnostics are shown to cover the applicable level. Contrary to this, the ALT for the device (SR 3.3.20.5) confirms processor module failure modes in SV0-PMS-AR-001 Table C-2.
it is capable of unblocking for each of the blocking device inputs (i.e., x Diagnostics covering the HSLs are shown in SV0-PMS-AR-001 Table A-remote shutdown room transfer switch, block/unblock switch, battery 1 and Table A-2 (note: HSL diagnostics are a subset of the PM646A charger under-voltage, and CMT level low). diagnostics). The diagnostics are shown to cover the applicable HSL PMS Components Covered: The BPL processor modules, CI631 failure modes in SV0-PMS-AR-001 Table C-1.
module, BIOB, and the HSL equipment connecting the BPL to the LCL The COT for the ADS and IRWST injection blocking can be eliminated. The are used to process the digital test injection signal. In addition, the ALT on the ADS and IRWST injection blocking device fully covers the ADS and IRWST injection blocking device is covered via 3.3.20.3. component and completely overlaps the COT which only partially tests the A graphical representation of the equipment covered by the COT device. [
surveillance test is shown in Figure 6 of Enclosure 2. INSERT 7
]a,c Therefore, the COT associated with the ADS and IRWST injection blocking device can be eliminated.
In summary, the PMS self-diagnostics adequately test the components tested as part of the COT (except for SR 3.3.20.3) and, therefore, the COT can be eliminated. In addition, the COT for the ADS and IRWST injection blocking device (i.e., SR 3.3.20.3) can be eliminated because the ALT performed on the device is adequate.
Page 18 of 34
ND-19-0168 Enclosure 1 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Actuation 3.3.4.1 Definition: The application of various simulated or actual input The PMS self-diagnostic tests have been shown to adequately test the Logic Test 3.3.6.1 combinations in conjunction with each possible interlock logic state operability of the same PMS components tested as part of the manual ALTs, (ALT) 3.3.15.1 required for operability of a logic circuit and the verification of the except for two instances that are addressed below. The internal fault detected 3.3.16.1 required logic output. by the diagnostic initiates the necessary visual and audible annunciation in the 3.3.20.5 main control room so that the operator can take the appropriate action.
Test Overview: The ALT surveillance tests include separate tests for the reactor trip system logic (SR 3.3.6.1), ESF system logic (SR x The PM646A Common Q Platform diagnostics are evaluated in SV0-3.3.15.1, SR 3.3.16.1), ESF generated reactor trip actuation logic (SR PMS-AR-001 Table A-1 and Table A-2. The diagnostics are shown to 3.3.4.1), and the ADS and IRWST injection blocking device logic (SR cover the applicable processor module failure modes in SV0-PMS-AR-3.3.20.5). The ALT for the ADS / IRWST injection blocking device 001 Table C-1.
(SR.3.3.20.5) is not applicable to this activity because it will continue to x The CI631 Module Common Q Platform diagnostics are evaluated in be included as a manual surveillance test within the Technical SV0-PMS-AR-001 Table A-3. The diagnostics are shown to cover the Specifications. applicable processor module failure modes in SV0-PMS-AR-001 Table For the reactor trip system logic ALT (SR 3.3.6.1), the injected signal C-3.
goes from the LCL to the reactor trip matrix logic, via the DO630 x The BIOB Common Q Platform diagnostics are evaluated in SV0-PMS-module. Proper function is verified using the digital output display to AR-001 Table A-4. The diagnostics are shown to cover the applicable check the current flow through the appropriate reactor trip matrix processor module failure modes in SV0-PMS-AR-001 Table C-2.
termination unit ITP monitoring resistors, and thereafter using the x Diagnostics covering the HSLs are shown in SV0-PMS-AR-001 Table A-DO630 status indicators. 1 and Table A-2 (note: HSL diagnostics are a subset of the PM646A diagnostics). The diagnostics are shown to cover the applicable HSL For the ESF system logic ALT (SR 3.3.15.1 and SR 3.3.16.1), the failure modes in SV0-PMS-AR-001 Table C-1.
injected signal goes from the LCL to the ILP (via the HSLs).
x The self-diagnostics are shown to cover the applicable DO630 failure Confirmation that the system is functioning properly is obtained by modes in SV0-PMS-AR-001 Table C-6.
monitoring that the correct ESF system level actuation signals are received by the ILP component control processor modules. The components not fully covered by self-diagnostic tests include the DO630 module and the reactor trip matrix termination unit. However, these The signal path for the ESF generated reactor trip actuation logic (SR components are also tested every 92 days as part of the TADOT associated 3.3.4.1) is almost entirely covered by the other two tests described with SR 3.3.7.1. Any failure that would be detected in these components by above. The only aspect of the safety path associated with this the ALT will also be detected by the TADOT.
surveillance tests not covered by the other two surveillance tests is the communications over the BIOB between the ESFAS processor module In summary, the PMS self-diagnostics for the components tested as part of the and the reactor trip processor module. ALT and the existing TADOT associated with SR 3.3.7.1 together provide complete coverage for the components tested as part of the ALT. Therefore, it PMS Components Covered:
is concluded that the ALT is unnecessary and can be deleted from the TS x Reactor trip system logic ALT: RT LCL processor modules, (except for SR 3.3.20.5).
communication processor modules, CI631, BIOB, DO630, reactor trip matrix termination unit Page 19 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
(LAR-19-001) x ESF system logic ALT: ESF LCL processor modules, communication processor modules, CI631, BIOB, HSL equipment, ILP component control processor module x ESF generated reactor trip actuation logic ALT: RT and ESF LCL processor modules, communication processor modules, CI631, BIOB, DO630, reactor trip matrix termination unit, BIOB between the ESF and RT processor modules.
A graphical representation of the equipment covered by the ALT surveillance test is shown in Figure 7 and Figure 8 of Enclosure 2.
Page 20 of 34
ND-19-0168 Enclosure 1 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Actuation 3.3.15.2 Definition: The application of simulated or actual logic signals and The PMS self-diagnostic tests have been shown to adequately test the Logic Output 3.3.16.2 the verification of the required component actuation output signals operability of the same PMS components tested as part of the manual ALOT, Test (ALOT) up to, but not including, the actuated device. The test may be except for the CIM output circuitry to various valves addressed below. The internal fault detected by the diagnostic initiates the necessary visual and performed by means of any series of sequential, overlapping, or audible annunciation in the main control room so that the operator can take the total steps. appropriate action.
Test Overview: The ALOT demonstrates that both redundant x The PM646A Common Q Platform diagnostics are evaluated in SV0-PMS-signal paths from the inputs to the ILPs through the CIM logic and AR-001 Table A-1 and Table A-2. The diagnostics are shown to cover the CIM output driver circuits (ILP to actuator test) in the ESF Actuation applicable processor module failure modes in SV0-PMS-AR-001 Table C-1.
Subsystem Logic process injected LCL system actuation signals for x The CI631 Module Common Q Platform diagnostics are evaluated in SV0-the applicable actuation Function. During this test, a signal is sent PMS-AR-001 Table A-3. The diagnostics are shown to cover the applicable back to the MTP subsystem to determine if the CIM two-out-of-two processor module failure modes in SV0-PMS-AR-001 Table C-3.
logic was satisfied and a component control signal was sent to the x The BIOB Common Q Platform diagnostics are evaluated in SV0-PMS-AR-actuated device. 001 Table A-4. The diagnostics are shown to cover the applicable processor PMS Components Covered: ILP processor modules, ILP CI631, module failure modes in SV0-PMS-AR-001 Table C-2.
ILP BIOB, HSL, Double Wide Transition Panels and Single Wide x Diagnostics covering the HSLs (ILP to/from SRNC) are shown in SV0-PMS-Transition Panels, CIM and SRNC, and the Squib Valve Termination AR-001 Table H.4-2 and Table H.4-3. The diagnostics are shown to cover Unit. the applicable HSL failure modes in SV0-PMS-AR-001 Table C-1.
A graphical representation of the equipment covered by the ALOT x The SRNC diagnostics are evaluated in SV0-PMS-AR-001 Table H.4-4. The surveillance test is shown in Figure 10 of Enclosure 2. Note that the diagnostics are shown to cover the applicable SRNC failure modes in SV0-PMS-AR-001 Table H.4-5.
ADS and IRWST blocking device and digital inputs (e.g., DI621) are x The CIM diagnostics are evaluated in SV0-PMS-AR-001 Table H.4-6. The included on this figure for completeness, but are not within the diagnostics are shown to cover some CIM failure modes in SV0-PMS-AR-scope of the ALOT. 001 Table H.4-7. The CIM self-diagnostic tests do not cover the operability of the circuitry between the CIM output and the subset of valves identified in Table 3. However, the operability of these circuits is covered by other surveillance testing as discussed in Table 3.
x Any postulated faults within the DWTP and SWTP will be detected by either the SRNC or the CIM self-diagnostics.
x The Squib Valve Termination Unit contains no self-diagnostics. The only postulated failure mode for this component is covered by other surveillance testing. See Table 3 below.
In summary, the PMS self-diagnostics for the components tested as part of the ALOT and the existing surveillance requirements identified in Table 3 together provide complete coverage for the components tested as part of the ALOT.
Therefore, it is concluded that the ALOT is unnecessary and can be deleted from the TS.
Page 21 of 34
ND-19-0168 Enclosure 1 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
TADOT 3.3.1.10 Definition: The operation of the trip actuating device. The TADOT Not applicable for this activity. The TADOT will continue to be a manual 3.3.5.1 adjusts, as necessary, the trip actuating device so that it actuates at surveillance test.
3.3.7.1 the required setpoint within the necessary accuracy.
3.3.9.1 3.3.12.1 3.3.18.4 3.3.20.6 Page 22 of 34
ND-19-0168 Enclosure 1 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Response 3.3.1.11 Definition: A test of the response time for a reactor trip and See section below on Response Time Testing - Summary of PMS Self-Time Test 3.3.2.4 engineered safety feature protection channel. The response time may Diagnostics and Redundant Surveillance Test Coverage Evaluation.
3.3.3.4 be measured by means of any series of sequential, overlapping, or 3.3.4.2 total steps so that the entire response time is measured. In lieu of 3.3.8.4 measurement, response time may be verified for selected components 3.3.10.4 provided that the components and methodology for verification have 3.3.11.4 been previously reviewed and approved by the NRC.
3.3.13.4 3.3.14.4 Test Overview: Response time tests verify that the individual reactor trip and ESFAS channel/division actuation response times, from sensor to actuating device, are less than or equal to the maximum values assumed in the accident analysis. This activity focuses specifically on the PMS equipment portion of the protection path and not the sensor or the actuating device.
PMS Components Covered: Figure 1 in Enclosure 2 shows the signal paths taken for PMS reactor trips and ESF actuations. In each case, the signal comes into the BPL processor module from an actual or simulated signal (e.g., process sensor) and the applicable I/O module (i.e., DP620, AI688, AI687, or DI621 module). NIS signals go through the applicable I/O module. The relevant NIS components for the response time testing include the source range preamplifier, intermediate range preamplifier, and the Intermediate Range Signal Processing Module (IRPM) and the Power Range Processing Module (PRPM) within the Nuclear Instrumentation System Processing Assembly.
The reactor trip inputs then pass through the reactor trip PMs in the LCL, the DO630 module, the reactor trip matrix termination unit, then to the reactor trip switchgear under-voltage and shunt trip mechanisms.
The ESF actuation inputs pass through the ESF PMs in the LCL, the ILP, SRNC, and the CIM. In each case, the signal path passes through the HSLs, PIOB, and the CI631 module. The response time of this signal path is measured to ensure it is less than the maximum allowable response time assumed in the accident analysis.
Page 23 of 34
ND-19-0168 Enclosure 1 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Table 3: Surveillance Requirements Redundant to ALOT Scope Tested Valve TS SR TS SR Text Evaluation PXS-PL-V118A/B - SR 3.5.6.9 Verify continuity of the SR 3.5.6.9 verifies the Operability of the circuit from Containment IRWST - Operating circuit from the the CIM to the containment recirculation squib Recirculation Protection Logic valves (i.e., PXS-PL-V118A/B). Therefore, this Isolation Valves SR 3.5.7.1 IRWST - Cabinets to each IRWST component surveillance test verifies the Operability Shutdown, Mode 5 injection and of the CIM output up to this valve and satisfies this containment portion of the existing ALOT.
SR 3.5.8.4 IRWST - recirculation squib valve Shutdown, Mode 6 on an actual or simulated actuation signal.
PXS-PL-V120A/B - SR 3.5.6.9 See evaluation of PXS- See evaluation of PXS-PL-V118A/B - Containment Containment IRWST - Operating PL-V118A/B - Recirculation Isolation Valves above.
Recirculation Containment Isolation Valves SR 3.5.7.1 IRWST - Recirculation Isolation Shutdown, Mode 5 Valves above.
Shutdown, Mode 6 PXS-PL-V123A/B - SR 3.5.6.9 Verify continuity of the SR 3.5.6.9 verifies the Operability of the circuit from IRWST Injection IRWST - Operating circuit from the the CIM to the IRWST injection squib valves (i.e.,
Isolation Valves Protection Logic PXS-PL-V123A/B). Therefore, this component SR 3.5.7.1 IRWST - Cabinets to each IRWST surveillance test verifies the Operability of the CIM Shutdown, Mode 5 injection and output up to this valve and satisfies this portion of containment the existing ALOT.
SR 3.5.8.4 IRWST - recirculation squib valve Shutdown, Mode 6 on an actual or simulated actuation signal.
PXS-PL-V125A/B - SR 3.5.6.9 See evaluation of PXS- See evaluation of PXS-PL-V123A/B - IRWST IRWST Injection IRWST - Operating PL-V123A/B - IRWST injection squib valves above.
Isolation Valves injection squib valves SR 3.5.7.1 IRWST - above.
Shutdown, Mode 5 SR 3.5.8.4 IRWST -
Shutdown, Mode 6 RCS-PL- SR 3.4.11.5 Verify continuity of the SR 3.4.11.5 verifies the Operability of the circuit V004A/B/C/D - ADS - Operating circuit from the from the CIM to the ADS stage 4 squib valves (i.e.,
Fourth Stage ADS Protection RCS-PL-V004A/B/C/D). Therefore, this component Depressurization SR 3.4.13.1 Logic Cabinets to each surveillance test verifies the Operability of the CIM Valves ADS - Shutdown stage 4 ADS valve. output up to this valve and satisfies this portion of RCS Intact the existing ALOT.
SR 3.4.13.2 ADS - Shutdown, RCS Open Page 24 of 34
ND-19-0168 Enclosure 1 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Tested Valve TS SR TS SR Text Evaluation PXS-PL-V002A/B - SR 3.5.2.3 Verify each CMT inlet Per UFSAR Table 6.3-1, the CMT inlet isolation CMT Inlet Isolation CMTs - Operating isolation valve is fully valves (PXS-PL-V002A/B) are normally open and Valves open. the actuation position is open. SR 3.5.2.3 requires SR 3.5.3.1 the operator to verify the valve is fully open every CMTs - Shutdown, 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. Per SR 3.5.2.3 and SR 3.5.3.1, these RCS Intact valves are required to be open in Modes 1, 2, 3, and 4, and in Mode 5 with the RCS not vented. An alarm is annunciated in the main control room if the CMT inlet isolation valves are not fully open.
Furthermore, these valves are exercised every 24 months as part of the inservice test program, per UFSAR Table 3.9-16 and TS Section 5.5.3. The testing uses the component interface module to exercise the valve. Therefore, any failure of the circuit from the CIM up to the valve would be detected by the inservice test program.
CVS-PL-V092 - SR 3.6.3.5 Verify each automatic SR 3.6.3.5 requires the operator to verify this valve Containment Containment containment isolation can actuate to the isolated position on an actual or Isolation Actuation / Isolation Valves valve that is not locked, simulated ESF actuation signal. A statement is Zinc Injection to sealed or otherwise added to the Bases of SR 3.6.3.5 to require the RCS Valve secured in position, actual or simulated actuation signal to be actuates to the isolation processed through the CIM. This verifies the position on an actual or Operability of the circuit from the CIM to the CVS simulated actuation containment isolation valve (i.e., CVS-PL-V092).
signal. Therefore, this component surveillance test verifies the Operability of the CIM outputs up to this valve and satisfies this portion of the existing ALOT.
CVS-PL-V136A/B - SR 3.1.9.3 Verify each CVS SR 3.1.9.3 requires the operator to verify this valve DWS Isolation CVS Demineralized demineralized water can actuate to the isolated position on an actual or Valves Water isolation valve actuates simulated ESF actuation signal. statement is added Isolation Valves and to the isolation position to the Bases of SR 3.1.9.3 to require the actual or Makeup on an actual or simulated actuation signal to be processed through Line Isolation simulated actuation the CIM. This verifies the Operability of the circuit Valves signal. from the CIM to the CVS containment isolation valves (i.e., CVS-PL-V136A/A). Therefore, this component surveillance test verifies the Operability of the CIM outputs up to this valve and satisfies this portion of the existing ALOT.
Response Time Testing - Summary of PMS Self-Diagnostics and Redundant Surveillance Test Coverage Evaluation
[
INSERT 8
]a,c Figure 9 of Enclosure 2 provides a Page 25 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
(LAR-19-001) simplified diagram of the response time signal path. A summary of the evaluation for each component is provided below:
x AI687 / AI688 - The diagnostics for these modules are shown to adequately detect the potential failure modes resulting in slower response times, per SV0-PMS-AR-001 Section G.4.2.2. The input filters within these modules are also evaluated [
INSERT 9
]a,c Therefore, the degradation of resistance and capacitance within the input filters will not adversely impact response times, per SV0-PMS-AR-001 Section G.4.2.4.
x DI621 - [ INSERT 10 ]a,c Therefore, no response time testing is necessary, per SV0-PMS-AR-001 Section G.4.2.1. See discussion above on input filters.
x DP620 - The diagnostics for this module are shown to adequately detect the potential failure modes resulting in slower response times, per SV0-PMS-AR-001 Section G.4.2.3.
See discussion above on input filters.
x Source Range Preamplifier - [---------------------------------------------------------------------------
INSERT 11
]a,c.
x Intermediate Range Preamplifiers - [
INSERT 12
.]a,c x Intermediate Range Signal Processing Module (IRPM) - [
INSERT 13
.]a,c x Power Range Processing Module (PRPM) - [..
INSERT 14 ..]a,c x PM646A - The PM646A Common Q Platform diagnostics are evaluated in SV0-PMS-AR-001 Table A-1 and Table A-2. The diagnostics are shown to cover the applicable processor module failure modes in SV0-PMS-AR-001 Table C-1. None of the failure Page 26 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
(LAR-19-001) modes identified in this table can lead to a lag in response time that would not be detected by a PMS diagnostic. [
INSERT 15
.]a,c x The CI631 Module Common Q Platform diagnostics are evaluated in SV0-PMS-AR-001 Table A-3. The diagnostics are shown to cover the applicable processor module failure modes in SV0-PMS-AR-001 Table C-3. None of the failure modes identified in this table can lead to a lag in response time that would not be detected by a PMS diagnostic.
x BIOB - [
INSERT 16
____________________________]a,c x HSL - Diagnostics covering the HSL functionality are shown in SV0-PMS-AR-001 Table A-1 and Table A-2 (note: HSL diagnostics are a subset of the PM646A diagnostics). The diagnostics are shown to cover the applicable HSL failure modes in SV0-PMS-AR-001 Table C-1. [
INSERT 17 ]a,c x [
INSERT 18
]a,c x RTM TU - The RTM TU diagnostics are evaluated in SV0-PMS-AR-001 Table C-7. The diagnostics are shown to cover the applicable processor module failure modes in SV0-PMS-AR-001 Table C-1. None of the RTM TU failure modes can lead to a lag in response time that would not be detected by a PMS diagnostic or during other functional testing, such as TADOT.
Page 27 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
(LAR-19-001) x CIM/SRNC- [
INSERT 19
]a,c In summary, allocated times can be used for PMS components as part of the reactor trip and ESF response time testing in lieu of testing. The PMS self-diagnostics, other functional tests (e.g.,
TADOT), and the doubling of worst-case relay operating times address the credible failures that could lead to longer response times.
Summary The proposed changes would revise COL Appendix A TS information to revise Sections 3.1, 3.2, 3.3, 3.9, and 5.5.14 as follows:
x The SRs requiring a manual Channel Checks, COTs, ALTs and ALOTs to be performed on PMS components are proposed to be removed from the TS.
x The approach for satisfying the reactor trip and ESFAS response time SRs is changed.
The current approach for satisfying the PMS response time surveillance tests is to perform a response time tests on the PMS equipment. The proposed method is to use allocated response times for the PMS equipment in lieu of testing. The reactor trip and ESFAS response time definitions allow an exception to testing if the response times can be verified via a previously reviewed and approved NRC methodology. This activity seeks NRC approval for the methodology outlined in this license amendment request. If approved, the Bases will be updated to allow for allocated values to be used for the PMS equipment to support the overall response time test SRs. Text is also added to describe where the PMS equipment allocated values can be found.
x The SRs throughout the TS are renumbered to support the above changes. Associated Bases changes are also made for the TS changes proposed above. This includes rewording the Background description of the PMS self-diagnostic test features in TS Bases 3.3.1 and 3.3.8 to more clearly align with the changes described above and explicitly state that self-diagnostics are used in lieu of manual surveillance tests, to the extent possible. The TS Bases surveillance requirement description for TS SR 3.3.4 and TS SR 3.3.6 is revised to acknowledge that certain functions have no SRs due to self-checking features continuously monitoring logic OPERABILITY.
None of the activities change any PMS software or hardware. The activity credits the PMS self-diagnostic test features already part of the approved PMS design and uses these existing self-diagnostic features to justify the removal of redundant manual PMS surveillance tests.
- 4. REGULATORY EVALUATION 4.1 Applicable Regulatory Requirements/Criteria A review was performed to determine which of the regulations and industry guidance documents discussed above are specifically applicable to the self-diagnostics. It is Page 28 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
(LAR-19-001) concluded that the self-diagnostics adhere to those requirements or, if not directly applicable, satisfy the intent of requirement.
These regulations include the following:
x General Design Criteria (GDC) 18, "Inspection and Testing of Electric Power Systems of 10 CFR 50 Appendix A - GDC 18 requires, in part, that electric power systems important to safety be designed to permit periodic testing, including periodic testing of the performance of the components of the system and the system as a whole. This activity does not propose any change to the PMS design. The PMS continues to be designed to permit periodic testing during plant operation. This activity credits the PMS self-diagnostics in certain instances in lieu of manual surveillance tests. The PMS self-diagnostics are design features which periodically and continuously test the system during plant operations, which is consistent with GDC 18.
x GDC 21, Protection System Reliability and Testability of 10 CFR 50 Appendix A -
GDC 21 requires, in part, that the protection system be designed to permit its periodic testing during reactor operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred. This activity does not propose any change to the PMS design. The PMS continues to be designed to permit periodic testing during plant operation. This activity credits the PMS self-diagnostics in certain instances in lieu of manual surveillance tests. The self-diagnostics are a reliable and superior alternative to manual surveillance tests. The self-diagnostics tests are automatically and continuously executed. Therefore, the self-diagnostics tests are executed more frequently than the manual tests. In addition, the self-diagnostics tests do not reduce the redundancy of the safety system. The PMS remains at full system redundancy during the self-diagnostic tests, unlike the manual surveillance tests which require the system to be at less than full redundancy.
Therefore, compliance with GDC 21 is not changed.
x Criterion XI, "Test Control," of 10 CFR 50 Appendix B - Criterion XI requires, in part, that a test program be established to ensure that all testing, including operational testing required to demonstrate that systems and components will perform satisfactorily in service, is identified and performed in accordance with written test procedures. The AP1000 surveillance test program continues to meet this requirement. The self-diagnostic tests support this requirement in that it is part of the overall suite of tests available to the PMS used to verify the PMS is performing satisfactorily while in-service. While performing the tests in accordance with test procedures is not directly applicable to self-diagnostic testing, the self-diagnostics execute in a specific, well-defined sequence and respond to given test failures in a predictable way, as shown in the evaluation summarized above.
x Similar to GDC 18 and GDC 21, IEEE 603-1991 requires the protection system to have the capability for testing and calibration during power operations while retaining the capability of the safety systems to accomplish their safety functions. The protection system needs to be capable of performing the tests described in IEEE 338-1987. As stated above, this activity does not propose any change to the PMS design, and the self-diagnostics support this requirement. Though not always necessary due to self-diagnostic coverage, the AP1000 PMS is capable of performing the tests as described in IEEE 338-1987.
Page 29 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
(LAR-19-001) x According to UFSAR Appendix 1A requires testing to be in accordance with Regulatory Guide 1.118 Revision 3 and IEEE 338-1987. Regulatory Guide 1.118 and IEEE 338-1987 provide guidance specifically for periodic testing included as part of the surveillance program. It defines the scope of periodic testing as including functional tests and checks, calibration verification, and time response measurements, as required, to verify the safety system performs to meet the design safety function. IEEE 338-1987 does not define how to determine what is required to be part of the manual surveillance program but provides guidance for those tests within the surveillance program. The self-diagnostic tests are not part of the surveillance program and, therefore, the requirements in IEEE 338-1987 Section 6 are not directly applicable. In addition, IEEE 338-1987 is largely written specifically for manual testing and, therefore, the guidance does not explicitly address self-diagnostic testing features.
IEEE 338-1987 Section 5, item 8 addresses the automatic test features and programmable digital computer used within the surveillance program and the need to meet the requirements in the standard for these items. Even though the self-diagnostics are not part of the surveillance program, they do support the basis of the standard (i.e., IEEE 338-1987 Section 4) in that they continuously and periodically check the system to verify operability. The self-diagnostic tests also support the design requirements included in the standard (i.e., IEEE 338-1987 Section 5) in the following ways:
x The self-diagnostics support the requirement to have a system designed to be testable.
x The self-diagnostics permit the independent testing of redundant channels while maintaining the capability of these systems to respond to actual signals.
x The self-diagnostics are designed to provide overlap testing in that the diagnostics cover all relevant PMS components, including multiple diverse diagnostics covering the same PMS equipment.
4.2 Precedent No precedent is identified.
4.3 Significant Hazards Consideration The proposed changes would revise COL Appendix A TS information to revise Sections 3.1, 3.2, 3.3, 3.9, and 5.5.14 as follows:
- 1. The SRs requiring a manual Channel Check to be performed on PMS components are proposed to be removed from the TS.
- 2. The SRs requiring a manual COT to be performed on PMS components are proposed to be removed from the TS.
- 3. The SRs requiring a manual ALT to be performed on PMS components (excluding the ADS and IRWST injection blocking device) are proposed to be removed from the TS.
Page 30 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
- 4. The SRs requiring a manual ALOT to be performed on PMS components are proposed to be removed from the TS.
- 5. The approach for satisfying the reactor trip and ESFAS response time SRs is changed. The current approach for satisfying the PMS response time surveillance tests is to perform a response time tests on the PMS equipment. The proposed method is to use allocated response times for the PMS equipment in lieu of testing.
The reactor trip and ESFAS response time definitions allow an exception to testing if the response times can be verified via a previously reviewed and approved NRC methodology. This activity seeks NRC approval for the methodology outlined in this license amendment request. If approved, the Bases will be updated to allow for allocated values to be used for the PMS equipment to support the overall response time test SRs. Text is also added to describe where the PMS equipment allocated values can be found.
The SRs throughout the TS are renumbered to support changes 1, 2, 3 and 4. Associated Bases changes are also made for the TS changes proposed above. This includes rewording the Background description of the PMS self-diagnostic test features in Bases 3.3.1 and 3.3.8 to more clearly align with the changes described above and explicitly state that self-diagnostics are used in lieu of manual surveillance tests, to the extent possible.
The Bases surveillance requirement description for TS SR 3.3.4 and TS SR 3.3.6 is revised to acknowledge that certain functions have no SRs due to self-checking features continuously monitoring logic OPERABILITY.
As previously stated, none of the activities change any PMS software or hardware. The activity credits the PMS self-diagnostic test features already part of the approved PMS design and uses these existing self-diagnostic features to justify the removal of redundant manual PMS surveillance tests.
An evaluation to determine whether or not a significant hazards consideration is involved with the proposed amendment was completed by focusing on the three standards set forth in 10 CFR 50.92, Issuance of amendment, as discussed below:
4.3.1 Does the proposed amendment involve a significant increase in the probability or consequences of an accident previously evaluated?
Response: No.
The proposed changes do not affect the safety limits as described in the plant-specific Technical Specifications. In addition, the limiting safety system settings and limiting control settings continue to be met with the proposed changes to the plant-specific Technical Specifications surveillance requirements. The proposed changes do not adversely affect the operation of any systems or equipment that initiate an analyzed accident or alter any structures, systems, and components (SSCs) accident initiator or initiating sequence of events.
The proposed changes do not result in any increase in probability of an analyzed accident occurring and maintain the initial conditions and operating limits required by the accident analysis, and the analyses of normal operation and anticipated operational occurrences, so that the consequences of postulated accidents are not changed.
Page 31 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Therefore, the requested amendment does not involve a significant increase in the probability or consequences of an accident previously evaluated.
4.3.2 Does the proposed amendment create the possibility of a new or different kind of accident from any accident previously evaluated?
Response: No.
The proposed changes do not affect the safety limits as described in the plant-specific Technical Specifications. In addition, the limiting safety system settings and limiting control settings continue to be met with the proposed changes to the plant-specific Technical Specifications limiting conditions for operation, applicability, actions, and surveillance requirements. The proposed changes do not affect the operation of any systems or equipment that may initiate a new or different kind of accident or alter any SSC such that a new accident initiator or initiating sequence of events is created.
These proposed changes do not adversely affect any other SSC design functions or methods of operation in a manner that results in a new failure mode, malfunction, or sequence of events that affect safety-related or nonsafety-related equipment. Therefore, this activity does not allow for a new fission product release path, result in a new fission product barrier failure mode, or create a new sequence of events that results in significant fuel cladding failures.
Therefore, the requested amendment does not create the possibility of a new or different kind of accident from any accident previously evaluated.
4.3.3 Does the proposed amendment involve a significant reduction in a margin of safety?
Response: No.
The proposed changes do not affect the safety limits as described in the plant-specific Technical Specifications. In addition, the limiting safety system settings and limiting control settings continue to be met with the proposed changes to the plant-specific Technical Specifications limiting conditions for operation, applicability, actions, and surveillance requirements. The proposed changes do not affect the initial conditions and operating limits required by the accident analysis, and the analyses of normal operation and anticipated operational occurrences, so that the acceptance limits specified in the UFSAR are not exceeded. The proposed changes satisfy the same safety functions in accordance with the same requirements as stated in the UFSAR. These changes do not adversely affect any design code, function, design analysis, safety analysis input or result, or design/safety margin.
No safety analysis or design basis acceptance limit/criterion is challenged or exceeded by the proposed changes, and no margin of safety is reduced.
Therefore, the requested amendment does not involve a significant reduction in a margin of safety.
Page 32 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
Based on the above, it is concluded that the proposed amendment does not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of no significant hazards consideration is justified.
4.4 Conclusions Based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commissions regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public. Therefore, it is concluded that the requested amendment does not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of no significant hazards consideration is justified.
- 5. ENVIRONMENTAL CONSIDERATIONS The proposed changes would revise COL Appendix A TS information to revise Sections 3.1, 3.2, 3.3, 3.9, and 5.5.14 as follows:
x The SRs requiring a manual Channel Checks, COTs, ALTs and ALOTs to be performed on PMS components are proposed to be removed from the TS.
x The approach for satisfying the reactor trip and ESFAS response time SRs is changed.
The current approach for satisfying the PMS response time surveillance tests is to perform a response time tests on the PMS equipment. The proposed method is to use allocated response times for the PMS equipment in lieu of testing. The reactor trip and ESFAS response time definitions allow an exception to testing if the response times can be verified via a previously reviewed and approved NRC methodology. This activity seeks NRC approval for the methodology outlined in this license amendment request. If approved, the Bases will be updated to allow for allocated values to be used for the PMS equipment to support the overall response time test SRs. Text is also added to describe where the PMS equipment allocated values can be found.
x The SRs throughout the TS are renumbered to support the above changes. Associated Bases changes are also made for the TS changes proposed above. This includes rewording the Background description of the PMS self-diagnostic test features in TS Bases 3.3.1 and 3.3.8 to more clearly align with the changes described above and explicitly state that self-diagnostics are used in lieu of manual surveillance tests, to the extent possible. The TS Bases surveillance requirement description for TS SR 3.3.4 and TS SR 3.3.6 is revised to acknowledge that certain functions have no SRs due to self-checking features continuously monitoring logic OPERABILITY.
None of the activities change any PMS software or hardware. The activity credits the PMS self-diagnostic test features already part of the approved PMS design and uses these existing self-diagnostic features to justify the removal of redundant manual PMS surveillance tests.
A review has determined that the proposed changes require an amendment to the COL.
However, a review of the anticipated construction and operational effects of the Page 33 of 34
ND-19-0168 Request for License Amendment Regarding Protection and Monitoring System Surveillance Requirement Reduction Technical Specification Revision (Publicly Available Information)
(LAR-19-001) requested amendment has determined that the requested amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9), in that:
(i) There is no significant hazards consideration.
As documented in Section 4.3, Significant Hazards Consideration, of this license amendment request, an evaluation was completed to determine whether or not a significant hazards consideration is involved by focusing on the three standards set forth in 10 CFR 50.92, Issuance of amendment. The Significant Hazards Consideration determined that (1) the requested amendment does not involve a significant increase in the probability or consequences of an accident previously evaluated; (2) the requested amendment does not create the possibility of a new or different kind of accident from any accident previously evaluated; and (3) the requested amendment does not involve a significant reduction in a margin of safety. Therefore, it is concluded that the requested amendment does not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and accordingly, a finding of no significant hazards consideration is justified.
(ii) There is no significant change in the types or significant increase in the amounts of any effluents that may be released offsite.
The proposed change is unrelated to any aspect of plant construction or operation that would introduce any change to effluent types (e.g., effluents containing chemicals or biocides, sanitary system effluents, and other effluents), or affect any plant radiological or non-radiological effluent release quantities. Furthermore, the proposed change does not affect any effluent release path or diminish the functionality of any design or operational features that are credited with controlling the release of effluents during plant operation.
Therefore, it is concluded that the requested amendment does not involve a significant change in the types or a significant increase in the amounts of any effluents that may be released offsite.
(iii) There is no significant increase in individual or cumulative occupational radiation exposure.
The proposed changes in the requested amendment do not affect or alter any walls, floors, or other structures that provide shielding. Plant radiation zones and controls under 10 CFR 20 preclude a significant increase in occupational radiation exposure. Therefore, the proposed amendment does not involve a significant increase in individual or cumulative occupational radiation exposure.
Based on the above review of the requested amendment, it has been determined that anticipated construction and operational effects of the requested amendment do not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluents that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the requested amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), an environmental impact statement or environmental assessment of the proposed exemption is not required.
- 6. REFERENCES None.
Page 34 of 34
Southern Nuclear Operating Company ND-19-0168 Enclosure 6 Vogtle Electric Generating Plant (VEGP) Units 3 and 4 Proposed Changes to the Licensing Bases Documents (LAR-19-001)
Additions identified in blue text Deletions identified by red strikethrough text
- *
- indicates omitted existing text not shown (This Enclosure consists of 24 pages, including this cover page)
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 1.1 Definitions as follows:
ACTUATION LOGIC OUTPUT An ACTUATION LOGIC OUTPUT TEST shall be the TEST application of simulated or actual logic signals and the verification of the required component actuation output signals up to, but not including, the actuated device. The ACTUATION LOGIC OUTPUT TEST may be performed by means of any series of sequential, overlapping, or total steps.
x Revise COL Appendix A Technical Specification 3.1.8 PHYSICS TESTS Exceptions -
MODE 2 as follows:
SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.1.8.1 Perform a COT on power range neutron flux and Prior to initiation of intermediate range neutron flux channels per PHYSICS TESTS SR 3.3.1.6, SR 3.3.1.7, and SR 3.3.3.2.
SR 3.1.8.21 Verify the RCS lowest loop average temperature is 30 minutes 541°F.
SR 3.1.8.32 Verify THERMAL POWER is 5% RTP. 30 minutes SR 3.1.8.43 Verify SDM is within the limits specified in the COLR. 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Page 2 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 3.2.3 AXIAL FLUX DIFFERENCE (AFD)
(Constant Axial Offset Control (CAOC) Methodology) as follows:
- NOTES -
- 1. The AFD shall be considered outside the target band when two or more OPERABLE excore channels indicate AFD to be outside the target band.
- 2. With THERMAL POWER 50% RTP, penalty deviation time shall be accumulated on the basis of a 1 minute penalty deviation for each 1 minute of power operation with AFD outside the target band.
- 3. With THERMAL POWER < 50% RTP and > 15% RTP, penalty deviation time shall be accumulated on the basis of a 0.5 minute penalty deviation for each 1 minute of power operation with AFD outside the target band.
- 4. A total of 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> of operation may be accumulated with AFD outside the target band without penalty deviation time during surveillance of Power Range Neutron Flux channels in accordance with SR 3.3.1.54, provided AFD is maintained within acceptable operation limits.
Page 3 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 3.3.1 Reactor Trip System (RTS)
Instrumentation as follows:
SURVEILLANCE REQUIREMENTS
- NOTE -
Refer to Table 3.3.1-1 to determine which SRs apply for each RTS Function.
SURVEILLANCE FREQUENCY SR 3.3.1.1 Perform CHANNEL CHECK. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> SR 3.3.1.21 -----------------------------------------------------------------------
- NOTES -
- 1. Required to be met within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reaching 15% RTP.
- 2. If the calorimetric heat balance is 15% RTP, and if the nuclear instrumentation channel indicated power is:
- a. lower than the calorimetric measurement by
> 5% RTP, then adjust the nuclear instrumentation channel upward to match the calorimetric measurement.
- b. higher than the calorimetric measurement, then no adjustment is required.
Compare results of calorimetric heat balance to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> nuclear instrument channel output.
Page 4 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001)
SURVEILLANCE REQUIREMENTS (continued)
SURVEILLANCE FREQUENCY SR 3.3.1.32 -----------------------------------------------------------------------
- NOTES -
- 1. Adjust the conversion factor, T°, in the T power calculation (qT) if absolute difference between qT and the calorimetric measurement is > 3% RTP.
- 2. Required to be met within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reaching 50% RTP.
- 3. If the calorimetric heat balance is < 70% RTP, and if qT is:
- a. lower than the calorimetric measurement by
> 5%, then adjust T° to match the calorimetric measurement.
- b. higher than the calorimetric measurement, then no adjustment is required.
Compare results of calorimetric heat balance to the 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> T power calculation (qT) output.
SR 3.3.1.43 -----------------------------------------------------------------------
- NOTES -
- 1. Adjust nuclear instrument channel in PMS if absolute difference is 1.5% AFD.
- 2. Required to be met within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after reaching 20% RTP.
Compare results of the incore detector measurements 31 effective full to nuclear instrument channel AXIAL FLUX power days DIFFERENCE. (EFPD)
SR 3.3.1.54 -----------------------------------------------------------------------
- NOTE -
Required to be met within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after reaching 50% RTP.
Calibrate excore channels to agree with incore 92 EFPD detector measurements.
Page 5 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001)
SURVEILLANCE REQUIREMENTS (continued)
SURVEILLANCE FREQUENCY SR 3.3.1.6 Perform COT in accordance with Setpoint Program. 92 days SR 3.3.1.7 -----------------------------------------------------------------------
- NOTE -
Only required to be performed when not performed within previous 92 days.
Perform COT in accordance with Setpoint Program. Prior to reactor startup AND 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after reducing power below P-10 AND 92 days thereafter SR 3.3.1.85 -----------------------------------------------------------------------
- NOTE -
This Surveillance shall include verification that the time constants are adjusted to within limits.
Perform CHANNEL CALIBRATION in accordance 24 months with Setpoint Program.
SR 3.3.1.96 -----------------------------------------------------------------------
- NOTE -
Neutron detectors are excluded from CHANNEL CALIBRATION.
Perform CHANNEL CALIBRATION in accordance 24 months with Setpoint Program.
Page 6 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001)
SURVEILLANCE REQUIREMENTS (continued)
SURVEILLANCE FREQUENCY SR 3.3.1.107 -----------------------------------------------------------------------
- NOTE -
Verification of setpoint is not required.
Perform TADOT. 24 months SR 3.3.1.118 -----------------------------------------------------------------------
- NOTE -
Neutron detectors are excluded from response time testing.
Verify RTS RESPONSE TIME is within limits. 24 months on a STAGGERED TEST BASIS Page 7 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001)
Table 3.3.1-1 (page 1 of 2)
Reactor Trip System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED REQUIRED SURVEILLANCE FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS
- 1. Power Range Neutron Flux
- a. High Setpoint 1,2 4 D SR 3.3.1.1 SR 3.3.1.21 SR 3.3.1.6 SR 3.3.1.96 SR 3.3.1.118
- b. Low Setpoint 1(a),2 4 D SR 3.3.1.1 SR 3.3.1.7 SR 3.3.1.96 SR 3.3.1.118
- 2. Power Range Neutron Flux High 1,2 4 D SR 3.3.1.6 Positive Rate SR 3.3.1.96 SR 3.3.1.118
- 3. Overtemperature T 1,2 4 (2/loop) D SR 3.3.1.1 SR 3.3.1.32 SR 3.3.1.43 SR 3.3.1.54 SR 3.3.1.6 SR 3.3.1.85 SR 3.3.1.118
- 4. Overpower T 1,2 4 (2/loop) D SR 3.3.1.1 SR 3.3.1.32 SR 3.3.1.43 SR 3.3.1.54 SR 3.3.1.6 SR 3.3.1.85 SR 3.3.1.118
- 5. Pressurizer Pressure
- a. Low 2 Setpoint 1(b) 4 E SR 3.3.1.1 SR 3.3.1.6 SR 3.3.1.85 SR 3.3.1.118
- b. High 2 Setpoint 1,2 4 D SR 3.3.1.1 SR 3.3.1.6 SR 3.3.1.85 SR 3.3.1.118
- 6. Pressurizer Water Level - High 3 1(b) 4 E SR 3.3.1.1 SR 3.3.1.6 SR 3.3.1.85 SR 3.3.1.118 (a) Below the P-10 (Power Range Neutron Flux) interlocks.
(b) Above the P-10 (Power Range Neutron Flux) interlock.
Page 8 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001)
Table 3.3.1-1 (page 2 of 2)
Reactor Trip System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED REQUIRED SURVEILLANCE FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS
- 7. Reactor Coolant Flow - Low 2 1(b) 4 per hot leg E SR 3.3.1.1 SR 3.3.1.32 SR 3.3.1.6 SR 3.3.1.85 SR 3.3.1.118
- 8. Reactor Coolant Pump (RCP) 1,2 4 per RCP D SR 3.3.1.1 Bearing Water Temperature - SR 3.3.1.6 High 2 SR 3.3.1.85 SR 3.3.1.118
- 9. RCP Speed - Low 2 1(b) 4 (1/pump) E SR 3.3.1.1 SR 3.3.1.6 SR 3.3.1.85 SR 3.3.1.118
- 10. Steam Generator (SG) Narrow 1,2 4 per SG D SR 3.3.1.1 Range Water Level - Low 2 SR 3.3.1.6 SR 3.3.1.85 SR 3.3.1.118
- 11. Steam Generator (SG) Narrow 1,2(c) 4 per SG D SR 3.3.1.1 Range Water Level - High 3 SR 3.3.1.6 SR 3.3.1.85 SR 3.3.1.118
- 12. Passive Residual Heat Removal 1,2 4 per valve D SR 3.3.1.107 Actuation SR 3.3.1.118 (b) Above the P-10 (Power Range Neutron Flux) interlock.
(c) Above the P-11 (Pressurizer Pressure) interlock.
Page 9 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 3.3.2 Reactor Trip System (RTS) Source Range Instrumentation as follows:
SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.2.1 Perform CHANNEL CHECK. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Page 10 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001)
SURVEILLANCE REQUIREMENTS (continued)
SURVEILLANCE FREQUENCY SR 3.3.2.2 -----------------------------------------------------------------------
- NOTES -
- 1. Only required to be performed when not performed within previous 92 days.
- 2. Not required to be performed prior to entering MODE 3 from MODE 2 until 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after entry into MODE 3.
Perform COT in accordance with Setpoint Program. Prior to reactor startup AND 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after reducing power below P-6 AND 92 days thereafter SR 3.3.2.31 -----------------------------------------------------------------------
- NOTE -
Neutron detectors are excluded from CHANNEL CALIBRATION.
Perform CHANNEL CALIBRATION in accordance 24 months with Setpoint Program.
SR 3.3.2.42 -----------------------------------------------------------------------
- NOTE -
Neutron detectors are excluded from response time testing.
Verify RTS RESPONSE TIME is within limits. 24 months on a STAGGERED TEST BASIS Page 11 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 3.3.3 Reactor Trip System (RTS)
Intermediate Range Instrumentation as follows:
SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.3.1 Perform CHANNEL CHECK. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> SR 3.3.3.2 -----------------------------------------------------------------------
- NOTE -
Only required to be performed when not performed within previous 92 days.
Perform COT in accordance with Setpoint Program. Prior to reactor startup AND 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after reducing power below P-10 AND 92 days thereafter SR 3.3.3.31 -----------------------------------------------------------------------
- NOTE -
Neutron detectors are excluded from CHANNEL CALIBRATION.
Perform CHANNEL CALIBRATION in accordance 24 months with Setpoint Program.
SR 3.3.3.42 -----------------------------------------------------------------------
- NOTE -
Neutron detectors are excluded from response time testing.
Verify RTS RESPONSE TIME is within limits. 24 months on a STAGGERED TEST BASIS Page 12 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 3.3.4 Reactor Trip System (RTS)
Engineered Safety Feature Actuation System (ESFAS) Instrumentation as follows:
SURVEILLANCE REQUIREMENTS
- NOTE -
Refer to Table 3.3.4-1 to determine which SRs apply for each RTS ESFAS FunctionRTS ESFAS Function the SR applies to.
SURVEILLANCE FREQUENCY SR 3.3.4.1 Perform ACTUATION LOGIC TEST. 92 days SR 3.3.4.21 Verify RTS RESPONSE TIME is within limit. 24 months on a STAGGERED TEST BASIS Table 3.3.4-1 (page 1 of 1)
Reactor Trip System Engineered Safety Feature Actuation System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED SURVEILLANCE FUNCTION CONDITIONS REQUIRED CHANNELS REQUIREMENTS
- 1. Safeguards Actuation Input from 1,2 4 SR 3.3.4.1 Engineered Safety Feature Actuation SR 3.3.4.2 System - Automatic
- 2. ADS Stages 1, 2, and 3 Actuation Input 1,2,3(a),4(a),5(a) 4 SR 3.3.4.1N/A from Engineered Safety Feature Actuation System - Automatic
- 3. Core Makeup Tank Actuation Input 1,2,3(a),4(a),5(a) 4 SR 3.3.4.1N/A from Engineered Safety Feature Actuation System - Automatic (a) With Plant Control System capable of rod withdrawal or one or more rods not fully inserted.
Page 13 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 3.3.6 Reactor Trip System (RTS)
Automatic Trip Logic as follows:
SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.6.1 Perform ACTUATION LOGIC TEST. 92 days There are no SRs x Revise COL Appendix A Technical Specification 3.3.8 Engineered Safety Feature Actuation System (ESFAS) Instrumentation as follows:
SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.8.1 Perform CHANNEL CHECK. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> SR 3.3.8.2 Perform CHANNEL OPERATIONAL TEST (COT) in 92 days accordance with Setpoint Program.
SR 3.3.8.31 -----------------------------------------------------------------------
- NOTE -
This surveillance shall include verification that the time constants are adjusted to within limits.
Perform CHANNEL CALIBRATION in accordance 24 months with Setpoint Program.
SR 3.3.8.42 -----------------------------------------------------------------------
- NOTE -
Not applicable to Function 1.a.
Verify ESF RESPONSE TIME is within limit. 24 months on a STAGGERED TEST BASIS Page 14 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 3.3.10 Engineered Safety Feature Actuation System (ESFAS) Reactor Coolant System (RCS) Hot Leg Level Instrumentation as follows:
SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.10.1 Perform CHANNEL CHECK. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> SR 3.3.10.2 Perform CHANNEL OPERATIONAL TEST (COT) in 92 days accordance with Setpoint Program.
SR 3.3.10.31 -----------------------------------------------------------------------
- NOTE -
This surveillance shall include verification that the time constants are adjusted to within limits.
Perform CHANNEL CALIBRATION in accordance 24 months with Setpoint Program.
SR 3.3.10.42 Verify ESF RESPONSE TIME is within limit. 24 months on a STAGGERED TEST BASIS Page 15 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 3.3.11 Engineered Safety Feature Actuation System (ESFAS) Startup Feedwater Flow Instrumentation as follows:
SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.11.1 Perform CHANNEL CHECK. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> SR 3.3.11.2 Perform CHANNEL OPERATIONAL TEST (COT) in 92 days accordance with Setpoint Program.
SR 3.3.11.31 -----------------------------------------------------------------------
- NOTE -
This surveillance shall include verification that the time constants are adjusted to within limits.
Perform CHANNEL CALIBRATION in accordance 24 months with Setpoint Program.
SR 3.3.11.42 Verify ESF RESPONSE TIME is within limit. 24 months on a STAGGERED TEST BASIS Page 16 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 3.3.13 Engineered Safety Feature Actuation System (ESFAS) Main Control Room Isolation, Air Supply Initiation, and Electrical Load De-energization as follows:
SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.13.1 Perform CHANNEL CHECK. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> SR 3.3.13.2 Perform CHANNEL OPERATIONAL TEST (COT) in 92 days accordance with Setpoint Program.
SR 3.3.13.31 -----------------------------------------------------------------------
- NOTE -
This surveillance shall include verification that the time constants are adjusted to within limits.
Perform CHANNEL CALIBRATION in accordance 24 months with Setpoint Program.
SR 3.3.13.42 Verify ESF RESPONSE TIME is within limit. 24 months on a STAGGERED TEST BASIS Page 17 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 3.3.14 Engineered Safety Feature Actuation System (ESFAS) In-containment Refueling Water Storage Tank (IRWST) and Spent Fuel Pool Level Instrumentation as follows:
SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.14.1 Perform CHANNEL CHECK. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> SR 3.3.14.2 Perform CHANNEL OPERATIONAL TEST (COT) in 92 days accordance with Setpoint Program.
SR 3.3.14.31 -----------------------------------------------------------------------
- NOTE -
This surveillance shall include verification that the time constants are adjusted to within limits.
Perform CHANNEL CALIBRATION in accordance 24 months with Setpoint Program.
SR 3.3.14.42 Verify ESF RESPONSE TIME is within limit. 24 months on a STAGGERED TEST BASIS Page 18 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 3.3.15 Engineered Safety Feature Actuation System (ESFAS) Actuation Logic - Operating as follows:
SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.15.1 Perform ACTUATION LOGIC TEST on ESF 92 days on a Coincidence Logic. STAGGERED TEST BASIS SR 3.3.15.2 Perform ACTUATION LOGIC OUTPUT TEST on ESF 24 months Actuation.
SR 3.3.15.31 -----------------------------------------------------------------------
- NOTE -
Only required to be met when all four cold leg temperatures are > 275°F.
Verify pressurizer heater circuit breakers trip open on 24 months an actual or simulated actuation signal.
SR 3.3.15.42 Verify reactor coolant pump breakers trip open on an 24 months actual or simulated actuation signal.
SR 3.3.15.53 Verify main feedwater and startup feedwater pump 24 months breakers trip open on an actual or simulated actuation signal.
SR 3.3.15.64 -----------------------------------------------------------------------
- NOTE -
Only required to be met in MODES 1 and 2.
24 months Verify auxiliary spray and purification line isolation valves actuate to the isolation position on an actual or simulated actuation signal.
Page 19 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 3.3.16 Engineered Safety Feature Actuation System (ESFAS) Actuation Logic - Shutdown as follows:
SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.16.1 Perform ACTUATION LOGIC TEST on ESF 92 days on a Coincidence Logic. STAGGERED TEST BASIS SR 3.3.16.2 Perform ACTUATION LOGIC OUTPUT TEST on ESF 24 months Actuation.
SR 3.3.16.31 -----------------------------------------------------------------------
- NOTE -
Only required to be met in MODE 5.
Verify reactor coolant pump breakers trip open on an 24 months actual or simulated actuation signal.
SR 3.3.16.42 -----------------------------------------------------------------------
- NOTES -
- 1. Not required to be met in MODE 5 above the P-12 (Pressurizer Level) interlock.
- 2. Not required to be met in MODE 6 with water level > 23 feet above the top of the reactor vessel flange.
Verify CVS letdown isolation valves actuate to the 24 months isolation position on an actual or simulated actuation signal.
Page 20 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 3.3.17 Post Accident Monitoring (PAM)
Instrumentation as follows:
SURVEILLANCE REQUIREMENTS
- NOTE -
SR 3.3.17.1 and SR 3.3.17.2 applyapplies to each PAM instrumentation Function in Table 3.3.17-1.
SURVEILLANCE FREQUENCY SR 3.3.17.1 Perform CHANNEL CHECK for each required 31 days instrumentation channel that is normally energized.
SR 3.3.17.21 -----------------------------------------------------------------------
- NOTE -
Neutron detectors are excluded from CHANNEL CALIBRATION.
Perform CHANNEL CALIBRATION. 24 months x Revise COL Appendix A Technical Specification 3.3.19 Diverse Actuation System (DAS)
Manual Controls as follows:
ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME C. Required Action and C.1 Perform SRs 3.3.15.1 and Once per 31 days on a associated Completion 3.3.16.1, as applicable. STAGGERED TEST Time of Condition A not BASIS met for inoperable DAS manual actuation AND control other than reactor trip. C.21 Restore all controls to Prior to entering OPERABLE status. MODE 2 following next MODE 5 entry Page 21 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 3.3.20 Automatic Depressurization System (ADS) and In-containment Refueling Water Storage Tank (IRWST) Injection Blocking Device as follows:
SURVEILLANCE REQUIREMENTS
- NOTE -
Refer to Table 3.3.20-1 to determine which SRs apply for each ADS and IRWST Injection Blocking Device Function.
SURVEILLANCE FREQUENCY SR 3.3.20.1 Perform CHANNEL CHECK. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> SR 3.3.20.21 Verify each ADS and IRWST Injection Block switch is 7 days in the unblock position.
SR 3.3.20.3 Perform CHANNEL OPERATIONAL TEST (COT) in 92 days accordance with Setpoint Program.
SR 3.3.20.42 Perform CHANNEL CALIBRATION in accordance 24 months with Setpoint Program.
SR 3.3.20.53 Perform ACTUATION LOGIC TEST of ADS and 24 months IRWST Injection Blocking Devices.
SR 3.3.20.64 -----------------------------------------------------------------------
- NOTE -
Verification of setpoint not required.
Perform TRIP ACTUATING DEVICE OPERATIONAL 24 months TEST (TADOT) of ADS and IRWST Injection Block manual switches.
SR 3.3.20.75 The following SRs of Specification 3.5.2, Core In accordance with Makeup Tanks (CMTs) - Operating are applicable for applicable SRs each CMT:
SR 3.5.2.3 SR 3.5.2.6 SR 3.5.2.7 Page 22 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001)
Table 3.3.20-1 (page 1 of 1)
ADS and IRWST Injection Blocking Device APPLICABLE MODES REQUIRED OR OTHER SPECIFIED CHANNELS PER SURVEILLANCE FUNCTION CONDITIONS DIVISION REQUIREMENTS
- 1. Core Makeup Tank Level for 1,2,3,4(b) 2 SR 3.3.20.1 (a)
Automatic Unblocking SR 3.3.20.3 SR 3.3.20.42 SR 3.3.20.53 SR 3.3.20.75
- 2. ADS and IRWST Injection 1,2,3,4(b) 1 SR 3.3.20.53 Block Switches for Manual SR 3.3.20.64 Unblocking 4(c),5,6 1 SR 3.3.20.21 SR 3.3.20.53 SR 3.3.20.64 (a) Not required to be OPERABLE with associated divisional ADS and IRWST Injection Block switch in the unblock position.
(b) With the Reactor Coolant System (RCS) not being cooled by the Normal Residual Heat Removal System (RNS).
(c) With the RCS being cooled by the RNS.
Page 23 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise COL Appendix A Technical Specification 3.9.3 Nuclear Instrumentation as follows:
SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.9.3.1 Perform a CHANNEL CHECK. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> SR 3.9.3.21 -----------------------------------------------------------------------
- NOTE-Neutron detectors are excluded from CHANNEL CALIBRATION.
Perform CHANNEL CALIBRATION. 24 months x Revise COL Appendix A Technical Specification 5.5.14 Setpoint Program (SP) as follows:
- c. For each Technical Specification required automatic protection instrumentation function, performance of a CHANNEL CALIBRATION or CHANNEL OPERATIONAL TEST (COT) surveillance in accordance with the Setpoint Program shall include the following:
- 1. The as-found value of the instrument channel trip setting shall be compared with the previously recorded as-left value.
- i. If the as-found value of the instrument channel trip setting differs from the previously recorded as-left value by more than the pre-defined test acceptance criteria band (i.e., the specified AFT),
then the instrument channel shall be evaluated to verify that it is functioning in accordance with its design basis before declaring the surveillance requirement met and returning the instrument channel to service. An Instrument Channel is determined to be functioning in accordance with its design basis if it can be set to within the ALT.
This as-found condition shall be entered into the plants corrective action program.
ii. If the as-found value of the instrument channel trip setting is less conservative than the specified AFT, the surveillance requirement is not met and the instrument channel shall be immediately declared inoperable.
Page 24 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Revise UFSAR Appendix 1A, Conformance With Regulatory Guides, as follows:
AP1000/
Criteria Referenced FSAR Section Criteria Position Clarification/Summary Descirption of Exceptions Reg. Guide 1.118, Rev. 3, 4/95 - Periodic Testing of Electric Power and Protection Systems General IEEE Std. Conforms Guidelines apply to safety-related dc power systems. Since the 338-1987 AP1000 has no safety-related ac power sources, the guidelines do not apply to the AP1000 ac power sources.
The types of tests described in IEEE 338 Section 6.3 are not all applicable to the protection and safety monitoring system. In certain instances, the self-diagnostics included within the protection and safety monitoring system are used to verify that the safety system is capable of meeting its designed safety function in lieu of manual testing as part of the surveillance program.
Specifically, channel checks, logic system function tests, and response time tests are not manually performed on the protection and safety monitoring system equipment as part of the AP1000 surveillance program. In these cases, selfdiagnostic test features continuously monitor the system.
Functional tests are only performed on the PMS equipment that do not have complete self-diagnostic coverage. The Technical Specifications provide the necessary manual functional testing requirements in these instances (e.g., ALT and TADOT).
Channel calibration verification tests are included in the AP1000 surveillance program.
x Revise UFSAR 7.3.2.2.6 Capability for Sensor Checks and Equipment Test and Calibration of the Engineered Safety Features Actuation (Paragraphs 5.7 and 6.5 of IEEE 603-1991) as follows:
During reactor operation, the basis for acceptability of engineered safety features actuation is includes the successful completion of the overlapping tests performed on the protection and safety monitoring system. Process indications are used to verify operability of sensors.
Page 25 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Add the sections below to 7A.5 WCAP-15776, Safety Criteria for the AP1000 Instrumentation and Control Systems, April 2002 as follows:
x Revise Section 3.13, Conformance to the Requirements to Provide Capability for Test and Calibration (Paragraph 5.7 of IEEE 603-1991) as follows:
Capability for testing and calibrating channels and devices used to derive the final system output signal from the various channel signals is provided. Testing from the sensor inputs of the PMS through to the actuated equipment is can be accomplished through a series of overlapping sequential tests with the majority of the tests capable of being performed with the plant at full power. Where testing final equipment at power would upset plant operation or damage equipment, provisions are made to test the equipment at reduced power or when the reactor is shut down.
Each division of the PMS includes a test subsystem. The test subsystem provides the capability for verification of the setpoint values and other constants, and verification that proper signals appear at other locations in the system.
Verification of the signal processing algorithms is made can be accomplished by exercising the test signal sources (either by hardware or software signal injection) and observing the results up to, and including, the attainment of a channel partial trip or actuation signal at the power interface. When required for the test, the tester places the voting logic associated with the channel function under test in bypass.
The capability for overlapping test sequence continues by inputting digital test signals at the output side of the threshold functions, in combinations necessary to verify the voting logic. Some of the input combinations to the coincidence logic cause outputs such as reactor trips and engineered safety feature (ESF) initiation. The reactor trip circuit breaker arrangement is a two-out-of-four logic configuration, such that the tripping of the two circuit breakers associated with one division does not cause a reactor trip. To reduce wear on the breakers through excessive tripping, and to avoid a potential plant trip resulting from a single failure while testing is in progress, the test sequence is designed so that actual opening of the trip breakers is only required when the breaker itself is being tested.
Page 26 of 27
ND-19-0168 Proposed Changes to the Licensing Bases Documents (LAR-19-001) x Add the sections below to 7A.8, WCAP-16675-P and WCAP-16675-NP, AP1000 Protection and Safety Monitoring System Architecture Technical Report, as follows:
[
INSERT 20
]a,c x Revise Section 6, Maintenance, Testing, and Calibration as follows:
Maintenance and testing of the PMS consists of two types of tests: self-diagnostic tests and on-line verification tests. The self-diagnostic tests are built into the AC160 equipment and consist of numerous automatic checks to validate that the equipment and software are performing their functions correctly. Self-diagnostics, as well as on-line On-line verification tests are that can be manually initiated are used to verify that the safety system is capable of performing its intended safety function.
x Revise Section 6.2, On-line Verification Tests as follows:
Via the MTP in conjunction with the ITP, the I&C technician can perform manually initiated on-line verification tests to exercise the safety system logic and hardware to verify proper system operation. The ITP and the MTP also provide support for the detection and annunciation of faults by self-diagnostics. Within each PMS division, the ITP interfaces with the NI subsystem, BPL subsystem, LCL subsystem, ILP subsystem, MTP, and the RTCB initiation relays to monitor and test the operational state of the PMS. The ITP together with the MTP provides support for on-line self-diagnostics and testing for the verification of PMS operability overall on-line verification testing.
Page 27 of 27
Southern Nuclear Operating Company ND-19-0168 Enclosure 7 Vogtle Electric Generating Plant (VEGP) Units 3 and 4 Conforming Changes to the Technical Specification Bases (For Information Only)
Additions are identified in blue underlined text Deletions are identified by red strikethrough text (This Enclosure consists of 98 pages, including this cover page)
ND-19-0168 Technical Specifications Bases PHYSICS TESTS Exceptions - MODE 2 B 3.1.8 BASES SURVEILLANCE SR 3.1.8.1 REQUIREMENTS The power range and intermediate range neutron detectors must be verified to be OPERABLE in MODE 2 by LCO 3.3.1 Reactor Trip System (RTS) Instrumentation and LCO 3.3.3, Reactor Trip System (RTS)
Intermediate Range Instrumentation. A CHANNEL OPERATIONAL TEST is performed on each power range neutron flux (Table 3.3.1-1 Functions 1 and 2) and intermediate range neutron flux (LCO 3.3.3) channel prior to initiation of the PHYSICS TESTS. This will ensure that the RTS is properly aligned to provide the required degree of core protection during the performance of the PHYSICS TESTS.
SR 3.1.8.21 Verification that the RCS lowest loop Tavg is 541°F will ensure that the unit is not operating in a condition that could invalidate the safety analyses. Verification of the RCS temperature at a Frequency of Draft D
30 minutes during the performance of the PHYSICS TESTS will provide assurance that the initial conditions of the safety afety analyses analy are not violated violated.
SR 3.1.8.3 32 3.1.8.32 Verification n that the THERMAL POWER is 5% RTP will w ensure that the plant is not operating in a condition that could invalidat th safety invalidate the V ation of the THERMAL POWER analyses. Verification WER at a Fre Frequency of 30 minutes during the performance of the PHYSICS TEST TESTS will ensure that the initial conditions of the safety analyses are not violated.
SR 3.1.8.43 The SDM is verified by performing a reactivity balance calculation, considering the following reactivity effects:
- b. Control bank position;
- c. RCS average temperature;
- d. Fuel burnup based on gross thermal energy generation;
- e. Xenon concentration;
- f. Samarium concentration; and
- g. Isothermal temperature coefficient (ITC).
VEGP Units 3 and 4 B 3.1.8 - 6 Revision 45 Page 2 of 98
ND-19-0168 Technical Specifications Bases CVS Demineralized Water Isolation Valves and Makeup Line Isolation Valves B 3.1.9 BASES SURVEILLANCE SR 3.1.9.1 REQUIREMENTS Verification that the CVS demineralized water isolation valves and makeup line isolation valves stroke closed demonstrates that the valves can perform their safety related function. The Frequency is in accordance with the Inservice Testing Program.
SR 3.1.9.2 Verification that the closure time of each RCS makeup isolation valve is less than that assumed in the safety analysis (i.e., < 30 seconds), is performed by measuring the time required for each valve to close on an actual or simulated actuation signal. The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance. The Frequency is in accordance with the Inservice Testing Program.
Drafft Draft SR 3.1.9.3 This SRR verifies verif that each CVS demineralized ed water isolation isola is valve actuates too the correct position on an actual or simulated actuation signal.
The actual or simulated actuation signal is processed through tthro the componentt interface interface module to verify the continuity between betwe the output of be component nt interface module and the valve.
valve.The va The ACTUA ACTUATION TUATI A LOGIC OUTPUT T TEST TES provides prov ove overlap with th this Surveillance Surveillance. T The Frequency of 24 months is based on the need to perform this surveillance surveil during i d iin which periods hi h th l t iis shutdown the plant h td ffor refueling f li tto prevent any upsets of plant operation.
REFERENCES 1. FSAR Chapter 15, Accident Analysis.
VEGP Units 3 and 4 B 3.1.9 - 4 Revision 27 Page 3 of 98
ND-19-0168 Technical Specifications Bases AFD (CAOC Methodology)
B 3.2.3 BASES LCO (continued)
Figure B 3.2.3-1 shows a typical target band and typical AFD acceptable operation limits.
The LCO is modified by four Notes. Note 1 states the conditions necessary for declaring the AFD outside of the target band. Notes 2 and 3 describe how the cumulative penalty deviation time is calculated. It is intended that the unit is operated with the AFD within the target band about the target flux difference. However, during rapid THERMAL POWER reductions, control bank motion may cause the AFD to deviate outside the target band at reduced THERMAL POWER levels. This deviation does not affect the xenon distribution sufficiently to change the envelope of peaking factors that may be reached on a subsequent return to RTP with the AFD within the target band, provided the time duration of the deviation is limited. Accordingly, while THERMAL POWER is 50% RTP and < 90% RTP (i.e., Part b of this LCO), a 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> cumulative Draft penalty deviation time, cumulative during the preceding 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, is allowed during which the unit may be operated outside th the target band, but within the acceptable operation limits provided in the th COLR C (Note 2).
This penalty alty time is accumulated at the rate of 1 minute for ffo each 1 minute of operatingg time within the power range of Part b of this L LCO (i.e.,
THERMAL POWER 50% RTP). The cumulative penalty pena time is the sum of penalty times from Parts b and c of this LCO.
LCO For THERMAL POWER levels >15% RTP and < 50% % RTP RT (i.e., Part c of thi LCO),
this LCO) deviations d i ti of the AFD outside of the target are less significant.
Note 3 allows the accumulation of 1/2 minute penalty deviation time per 1 minute of actual time outside the target band and reflects this reduced significance. With THERMAL POWER 15% RTP, AFD is not a significant parameter in the assumptions used in the safety analysis and therefore requires no limits. Because the xenon distribution produced at THERMAL POWER levels less than RTP does affect the power distribution as power is increased, unanalyzed xenon and power distribution is prevented by limiting the accumulation penalty deviation time.
For surveillance of the Power Range Neutron Flux channels performed according to SR 3.3.1.54, Note 4 allows deviation outside the target band for 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> and no penalty deviation time accumulated. Some deviation in the AFD is required for doing the NIS calibration with the incore detector system. This calibration is performed every 92 effective full power days (EFPD).
VEGP Units 3 and 4 B 3.2.3 - 4 Revision 28 Page 4 of 98
ND-19-0168 Technical Specifications Bases RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)
Reactor Trip Initiation Logic The Reactor Trip Matrix (RTM) acts as an interface between the LCL subsystems and the RTBs. The RTM receives contact inputs from the LCL subsystems and performs the logic to determine if a division will issue a reactor trip command.
Each PMS division contains two redundant RTMs; one is configured as a ST matrix and the other a UV matrix. The combination of the two forms the complete RTM for a given division. If the ST logic is satisfied, the RTB ST coils are energized, opening both RTBs in the division. If the UV logic is satisfied, the RTB UV coils are de-energized, opening both RTBs in the division.
The PMS boundary ends at the interposing relay contacts of the RTMs.
Draft Dra Manual RT A manual reactor trip is initiated from the MCR by redundant redunda redu momentary switches. The switches directly control the power from th the RTM logic, actuating the he UV and ST attachments in all four divisions divisions.
Nominal Triprip Setpoint Setpoi (NTS) S)
The NTS is the nominal value at which the trip output is set.
s Any trip output is considered to be properly adjusted when the as-left as value is within the band for CHANNEL CALIBRATION (i.e., +/- rack calibration accuracy).
The trip setpoints used in the trip output are based on the Safety Analysis Limits stated in Reference 2. The determination of these NTSs is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrument drift, and severe environment errors for those RTS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the NTSs specified in the SP are conservative with respect to the Safety Analysis Limits. A detailed description of the methodology used to calculate the NTSs, including their explicit uncertainties, is provided in the Westinghouse Setpoint Methodology for Protection Systems (Ref. 3).
The as-left tolerance and as-found tolerance band methodology is provided in the SP. The as-found OPERABILITY limit for the purpose of the CHANNEL OPERATIONAL TEST (COT) is defined as the as-left limit about the NTS (i.e., +/- rack calibration accuracy).
VEGP Units 3 and 4 B 3.3.1 - 8 Revision 43 Page 5 of 98
ND-19-0168 Technical Specifications Bases RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)
The NTSs listed in the SP are based on the methodology described in Reference 3, which incorporates all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each NTS. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. Transmitter and signal processing equipment calibration tolerances and drift allowances must be specified in plant calibration procedures, and must be consistent with the values used in the setpoint methodology.
The OPERABILITY of each transmitter or sensor can be evaluated when its as-found calibration data are compared against the as-left data and are shown to be within the setpoint methodology assumptions. The basis of the setpoints is described in References 2 and 3. Trending of calibration results is required by the program description in Technical Specifications 5.5.14.d.
Draft raft a Note that tthe as as-left
-left and as-found tolerancess listed in tthe SP define the OPERABILITY limits for a channel during a periodic CHANNEL CH CHA CALIBRATIONTIO orr COT that requires trip setpoint verificati verificat verification.
The Protection ction and S Safety afety MMonitoring onitoring S System ystem m testing features feat fe are designed to allow for complete functional function testing sting by using us a combination of systemm self sel self-checking
-checking eck and nd manual teststes testsfeatures, features, atures, functional func functio testing features, and other testing features features.
featu res.. Successf Successful functional functiona ctiona testing consists of verifying that the capability of the system to performpe the safety function has not failed or degraded. For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing. To the extent possible, Protection and Safety Monitoring System functional testing will be accomplished with continuous system self-checking features in lieu of manual surveillance tests. As a result, some functions do not have surveillance requirements and the continuous functional testing features.
The Protection and Safety Monitoring System incorporates continuous system self-checking features wherever practical. Self-checking features include on-line diagnostics for the computer system and the hardware and communications tests. Faults detected by the self-checking features are alarmed in the main control room. These self-checking tests do not interfere with normal system operation.
In addition to the self-checking features, the system includes functional testing features. Functional testing features include continuous functional testing features and manually initiated functional testing features. To the VEGP Units 3 and 4 B 3.3.1 - 9 Revision 43 Page 6 of 98
ND-19-0168 Technical Specifications Bases RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued) extent practical, functional testing features are designed not to interfere with normal system operation.
In addition to the system self-checking features and functional testing features, other test features Manual tests are included for those parts of the system which are not tested with self-checking features or functional testing features. These test features allow for instruments/sensor checks,. This includes manual functional checks, calibration verification, response time testing, setpoint verification and component testing. The test features again include a combination of continuous testing features and manual testing features.
All of the tests testing features are designed so that the duration of the testing is as short as possible. The manual testsTesting features are designed so that the actual logic is not modified. To prevent unwanted actuation, the teststesting features are designed with either the capability D ft Draft to bypass a Function during testing and/or limit the number of signals allowed to be placed in test at one time.
APPLICABLE The RTS functions unctions to maintain compliance with the SLs d during all AOOs SAFETY and mitigates tes the consequences of DBAs in all MODES in which the ANALYSES, LCOs,, RTBs are closed.
clos TY and APPLICABILITY Each of the analyzed accidents and transients which requ require reactor trip can be detected by one of more RTS Functions Functions. The accident acc analysis described in Reference 2 takes credit for most RTS trip Functions. RTS trip Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the plant. These RTS trip Functions may provide protection for conditions which do not require dynamic transient analysis to demonstrate function performance. These RTS trip Functions may also serve as backups to RTS trip Functions that were credited in the accident analysis.
Permissive and interlock functions are based upon the associated protection function instrumentation. Because they do not have to operate in adverse environmental conditions, the trip settings of the permissive and interlock functions use the normal environment, steady-state instrument uncertainties of the associated protection function instrumentation. This results in OPERABILITY criteria (i.e., as-found tolerance and as-left tolerance) that are the same as the associated protection function sensor and process rack modules. The NTSs for permissives and interlocks are based on the associated protection function OPERABILITY requirements; i.e., permissives and interlocks VEGP Units 3 and 4 B 3.3.1 - 10 Revision 43 Page 7 of 98
ND-19-0168 Enclosure 7 Technical Specifications Bases RTS Instrumentation B 3.3.1 BASES ACTIONS (continued) more channels are inoperable for a Function, thermal power must be reduced to below the P-10 interlock; a condition in which the LCO does not apply. The allowed Completion Time is reasonable, based on operating experience, to reach the specified condition from full power conditions in an orderly manner and without challenging plant systems.
SURVEILLANCE The SRs for each RTS Function are identified in the SRs column of REQUIREMENTS Table 3.3.1-1 for that Function.
A Note has been added to the SR table stating that Table 3.3.1-1 determines which SRs apply to which RTS Functions.
The CHANNEL CALIBRATION and COT areis performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies. In lieu of measurement, the response time Draft Draf Draft ft for the protection and safety monitoring system equipment is based on allocated values.
values. The overall response time may be determined deter de by a series of overlapping tests and allocated values such that th thet entire response time is measuredFor measured r channels that include dynamic dyna transfer functions, such as, lag, lead/lag, rate/lag, the response tim time test may be performed with the transfer function set to one, one, with the resulting res measured response time compared to the appropriate FSA FSAR Chapter 7 F
response time (Ref. 1 1).
). Alternately, ernately, the response time test t can be performed with the time constants set to their nominal valuevalu provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.
SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of even something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
VEGP Units 3 and 4 B 3.3.1 - 26 Revision 43 Page 8 of 98
ND-19-0168 Enclosure 7 Technical Specifications Bases RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)
The Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operator aids may be used to facilitate the performance of the CHANNEL CHECK.
Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment have drifted outside their corresponding limits.
SR 3.3.1.21 ThisSR 3.3.1.2 compares the calorimetric heat balance to the nuclear instrumentation channel output every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If the calorimetric measurement at 15% RTP, differs from the nuclear instrument channel output by > 5% RTP, the nuclear instrument channel is not declared Draft ra inoperable, but must be adjusted. If the nuclear instrument channel output cannot be properly adjusted, the channel is decla declared declare inoperable.
Two Notess modify T mo this SR 3.3.1.2 3.3.1.2.
1.2.. The first Note clarifies that t this Surveillance is required only if if reactor power is 15% RTP and that 1 hours1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is allowed for performing the first Surveillance aft 12 after reaching 1
15% RTP. At lower power levels the calorimetric data from fr feedwater measurements are less accurate.
flow venturi measure accurate. The T second eco Note is required because, because, at power levels 15% RTP RTP, P, calorimetric uncertainty miscalibration of the and control rod insertion create the potential for miscalibra nuclear instrumentation channel. Therefore, if the calorimetric heat measurement is 15% RTP, and if the nuclear instrumentation channel indicated power is lower than the calorimetric measurement by
> 5% RTP, then the nuclear instrumentation channel shall be adjusted upward to match the calorimetric measurement. No nuclear instrumentation channel adjustment is required if the nuclear instrumentation channel is higher than the calorimetric measurement.
The Frequency of every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is adequate based on plant operating experience, considering instrument reliability and operating history data for instrument drift.
Together, these factors demonstrate the change in the absolute difference between nuclear instrumentation and heat balance calculated powers rarely exceeds 5% RTP in any 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period.
In addition, main control room operators periodically monitor redundant indications and alarms to detect deviations in channel outputs.
VEGP Units 3 and 4 B 3.3.1 - 27 Revision 43 Page 9 of 98
ND-19-0168 Enclosure 7 Technical Specifications Bases RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.1.32 This SR 3.3.1.3 compares the calorimetric heat balance to the calculated T power (qT) in each Division every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If the calorimetric measurement between 70% and 100% RTP, differs from the calculated T power by > 3% RTP, the Function is not declared inoperable, but the conversion factor, T°, must be adjusted. If T° cannot be properly adjusted, the Function is declared inoperable in the affected Division(s).
Three Notes modify this SR 3.3.1.3. The first Note indicates that T° shall be adjusted consistent with the calorimetric results if the absolute difference between the calculated T power and the calorimetric measurement between 70% and 100% RTP is > 3% RTP.
The second Note clarifies that this Surveillance is required only if reactor power is 50% RTP and that 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is allowed for performing the first Draft Surveillance after reaching 50% RTP. At lower power levels, the calorimetric data from feedwater flow venturi measurem measuremen measurements are less accurate.. The accurate Th calculated T power is normallyally stable (less (l likely to need adjustment or to be grossly affected by changes in the corecor loading pattern than the nuclear instrumentation),
instrumentation), and its calibration calibratio should not be unnecessarily altered by a possibly inaccurate calorime calorimetric measurement at low power.
The third Note is required because at power levels below 70%, 7 non-conservative calorimetric uncertainty creates the potential for non conse onse adjustment of the T° conversion factor, in cases where the calculated T power would be reduced to match the calorimetric power. Therefore, if the calorimetric heat measurement is less than 70% RTP, and if the calculated T power is lower than the calorimetric measurement by > 5%,
then the T° conversion factor shall be adjusted so that the calculated T power matches the calorimetric measurement. No T° conversion factor adjustment is required if the calculated T power is higher than the calorimetric measurement.
The Frequency of every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is based on plant operating experience, considering instrument reliability and the limited effects of fuel burnup and rod position changes on the accuracy of the calculated T power.
VEGP Units 3 and 4 B 3.3.1 - 28 Revision 43 Page 10 of 98
ND-19-0168 Enclosure 7 Technical Specifications Bases RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.1.43 This SR 3.3.1.4 compares the AXIAL FLUX DIFFERENCE determined using the incore system to the nuclear instrument channel AXIAL FLUX DIFFERENCE every 31 effective full power days (EFPD) and adjusts the excore nuclear instrument channel if the absolute difference between the incore and excore AFD is 1.5% AFD.
Each nuclear instrument channel is calibrated to an average weighted peripheral AFD, which accounts for the fact that neutron leakage from the peripheral fuel assemblies nearest each excore detector will have the largest effect on the channel response. This calibration method reduces the effect of changes in the radial power distribution, caused by either burnup or control rod motion, on the channel AFD calibration. The calibration method is consistent with the development of the f(I) penalty functions for the overpower T and overtemperature T functions, which Draft af are made a function of the same average weighted peripheral AFD (i.e., the AF AFD used in determining the f(I) f(I) penalty enalty is calcu ca calculated using the same radial weighting factors as are used to calibrate th the excore e detector nuclear instrument channels). The incore AFD used as the th basis for comparison when performing this SR 3.3.1.4 is also calcu calculated calcul in the same weighted peripheral manner.
If the absolute difference differe is 1.5%
1 % AFD 1.5 FD the nuclear instrument ins instrum channel is still OPERABLE, but must be readjusted. If the nuclear instrument ins channel cannot be properly readjusted, readjusted the channel is dec declared inoperable. This surveillance is performed to verify the f(I) input to the overpower T and overtemperature T functions.
Two Notes modify this SR 3.3.1.4. The first Note indicates that the excore nuclear instrument channel shall be adjusted if the absolute difference between the incore and excore AFD is 1.5% AFD. Note 2 clarifies that the Surveillance is required only if reactor power is 20%
RTP and that 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed for performing the first Surveillance after reaching 20% RTP. Below 20% RTP, the design of the incore detector system, low core power density, and detector accuracy make use of the incore detectors inadequate for use as a reference standard for comparison to the excore channels.
The Frequency of every 31 EFPD is adequate based on plant operating experience, considering instrument reliability and operating history data for instrument drift. Also, the slow changes in neutron flux during the fuel cycle can be detected during this interval.
VEGP Units 3 and 4 B 3.3.1 - 29 Revision 43 Page 11 of 98
ND-19-0168 Enclosure 7 Technical Specifications Bases RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.1.54 This SR 3.3.1.5 is a calibration of the excore channels to the incore channels. If the measurements do not agree, the excore channels are not declared inoperable but must be adjusted to agree with the incore detector measurements. If the excore channels cannot be adjusted, the channels are declared inoperable. This Surveillance is performed to verify the f(I) input to the overtemperature T Function.
A Note modifies this SR 3.3.1.5. The Note states that this Surveillance is required only if reactor power is > 50% RTP and that 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed for performing the first surveillance after reaching 50% RTP.
The Frequency of 92 EFPD is adequate based on industry operating experience, considering instrument reliability and operating history data for instrument drift.
D Draft SR 3.3.1.6 3.3.1.6 S 3.3.1.
SR 3.3.1.6 6 is the performance of a CHANNEL OPERATIO OPERATIONAL TEST (COT) every 92 days.
days. The SR 3.3.1.
3 3.3.1.6 3 1 6 testing is performed in accordance with the SP. If the actual setting of the channel is found to be outside the w
as-found a
as -found tolerance, lerance, the channel is considered inoperable.
inoperab This condition of the channel will be further evaluated during performa performance of the SR.
This evaluation will consist of resetting the channel setpoint setpoin to the NTS (within the allowed tolerance) tolerance), and evaluating the channel channel channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended Function.
A test subsystem is provided with the Protection and Safety Monitoring System to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.
VEGP Units 3 and 4 B 3.3.1 - 30 Revision 43 Page 12 of 98
ND-19-0168 Enclosure 7 Technical Specifications Bases RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)
For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.
Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.
To the extent possible, Protection and Safety Monitoring System functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.
If the COT cannot be completed using the built-in test subsystem, either D ft Draft because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the COT can be pe perfo performed using portable test eequipment.
Interlocks implicitly required to support the Function's OPERABILITY OPE are also addressed by this COT. This portion of the COT ensu en ensures the associated Function is not bypassed when required to be b enabled.
e This can be accomplished by ensuring the interlocks are calibrated calibra cali properly in accordance with the SP. If the interlock is not automaticall automatically functioning as designed, designed the condition is entered into the Corrective Action Ac Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function.
When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.
This test frequency of 92 days is justified based on Reference 6 and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the Protection and Safety Monitoring System cabinets to the operator within 10 minutes of a detectable failure.
During the COT, the Protection and Safety Monitoring System cabinets in the division under test may be placed in bypass.
VEGP Units 3 and 4 B 3.3.1 - 31 Revision 43 Page 13 of 98
ND-19-0168 Enclosure 7 Technical Specifications Bases RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.1.7 SR 3.3.1.7 is the performance of a COT as described in SR 3.3.1.6(which refers to this test as an RTCOT), except it is modified by a Note that allows this surveillance to be satisfied if it has been performed within the previous 92 days. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
D ft Draft Interlocks implicitly required to support the Function's OPERABILITY OPE O are also addressed by this COT. This portion of the COT ensu en ensures the associated Function is not bypassed when required to be enabled.
e This can be accomplished by ensuring the interlocks are calibrated calibra properly in accordance with the SP. If the interlock is not automatic automaticall automatically functioning as designed, the condition is entered into the Corrective Action Ac Program and appropriate OPERABILITY evaluations performed ffor the affected Function. ThThe affected ected Function Functionss OPERABILITY can be m met if the interlock is manually enforced to properly enable the affect affected Function.
When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.
The Frequency of prior to reactor startup ensures this surveillance is performed prior to critical operations and applies to the source, intermediate and power range low instrument channels. The Frequency of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after reducing power below P-10 allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency of every 92 days thereafter applies if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup and four hours after reducing power below P-10.
The MODE of Applicability for this surveillance is < P-10 for the power range low channels. Once the unit is in MODE 3, this surveillance is no longer required. If power is to be maintained < P-10 for more than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, then the testing required by this surveillance must be performed VEGP Units 3 and 4 B 3.3.1 - 32 Revision 43 Page 14 of 98
ND-19-0168 Enclosure 7 Technical Specifications Bases RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued) prior to the expiration of the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> limit. Four hours is a reasonable time to complete the required testing or place the unit in a MODE where this surveillance is no longer required. This test ensures that the NIS power range low channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (< P-10) for periods
> 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
SR 3.3.1.85 A CHANNEL CALIBRATION is performed every 24 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.
The test is performed in accordance with the SP. If the actual setting of Draft the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel willw be b further evaluated during performance of the SR. This evaluatio w consist of evaluation will resetting the channel setpoint to the NTS (within the allowe allow tolerance),
allowed and evaluati ng the channel response. If the channel is fun evaluating functioning as required and is expected to pass the next surveillance, then the the channel is OPERABLE and can be restored to service at the com comp completion of the surveillance. After the surveillance is completed completed, the chan channel as-found ch condition will be entered into the Corrective Action Program for further evaluation evaluation. Transmitter calibration must be performed consistent con with the assumptions of the setpoint methodology. The differences between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.
The setpoint methodology requires that 30 months drift be used (1.25 times the surveillance calibration interval, 24 months).
Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this CHANNEL CALIBRATION. This portion of the CHANNEL CALIBRATION ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP.
If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not supporting the associated Functions OPERABILITY at the existing VEGP Units 3 and 4 B 3.3.1 - 33 Revision 43 Page 15 of 98
ND-19-0168 Enclosure 7 Technical Specifications Bases RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued) plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.
This SR 3.3.1.8 is modified by a Note stating that this test shall include verification that the time constants are adjusted to within limits where applicable.
SR 3.3.1.96 This SR 3.3.1.9 is the performance of a CHANNEL CALIBRATION every 24 months. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable.
This condition of the channel will be further evaluated during performance Draft of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating tthe channels response. If tthe channel is functioning as required quired and is e expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. A After the surveillance is completed, the channel as a -found und conditio as-found condition will w be entered iinto nto the Corrective rrective Action Program for further evaluation.
evaluation The CHANNEL CALIBRATION for the power range neutro neutron detectors consists of a normalization of the detectors based on a powpower calorimetric and flux map performed above 20% RTP. Below 20% RTP, the design of the incore detector system, low core power density, and detector accuracy make use of the incore detectors inadequate for use as a reference standard for comparison to the excore channels.
Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this CHANNEL CALIBRATION. This portion of the CHANNEL CALIBRATION ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP.
If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.
VEGP Units 3 and 4 B 3.3.1 - 34 Revision 43 Page 16 of 98
ND-19-0168 Enclosure 7 Technical Specifications Bases RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)
The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed on the 24 month Frequency.
SR 3.3.1.107 This SR 3.3.1.10 is the performance of a TADOT of the Passive Residual Heat Removal Actuation valve position indicator contact inputs. This TADOT is performed every 24 months.
The Frequency is based on the known reliability of the Function and the multichannel redundancy available, and has been shown to be acceptable through operating experience.
D The SR is m modified by a Note that e excludes xcludes verification erification of setpoints s from the TADOT. The Functions affected have no setpoints associateda ass with t
them.
SR 3.3.1.118 S 3.3.1.11 18 This SR 3.3.1.
T 3.3.1.11
.3.1.11 verifies that the individual channel/divisio channel/division channel/divi actuation response times are less than or equal to the maximum values val assumed in the accident analysis.
analysis Response Time testing criteria are included i in Reference 1.
In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured For channels that include dynamic transfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer Function set to one, with the resulting measured response time compared to the appropriate FSAR Chapter 7 response time. Alternately, the response time test can be performed with the time constants set to their nominal value, provided the required response time is analytically calculated assuming the time constants are set at their nominal values.
The response time may be measured by a series of overlapping tests such that the entire response time is measured.
VEGP Units 3 and 4 B 3.3.1 - 35 Revision 43 Page 17 of 98
ND-19-0168 Enclosure 7 Technical Specifications Bases RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)
Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for signal processing and actuation logic response times may be obtained from the protection and safety monitoring system functional requirements. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g. vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements (Ref. 8),
provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.
Draft The Passive Residual Heat Removal (PRHR) Actuation Function Fu RTS RESPONSE TIME is the time interval between input of a PRHR P discharge valve not not-fully-closed ot--fully fully--closed position feedback signal a and the loss of gripper coil voltage. The RTS RESPONSE TIME for the P PRHR actuation does not include testing actuation of the discharge valve valves by EFSAS signa because instrumentation signals ause it cannot be tested if an a ESFAS E function (e.g., CMT Actuation) has already caused a reactor trip trip..
Each division response must be verified every 2 24 months nths o on a STAGGERED TEST BASIS (i.e., all four Protection Channel Sets would be tested after 96 months). Response times cannot be determined during plant operation because equipment operation is required to measure response times. Experience has shown that these components usually pass this surveillance when performed on a refueling frequency.
Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.
The SR 3.3.1.11 is modified by a note indicating that neutron detectors may be excluded from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.
VEGP Units 3 and 4 B 3.3.1 - 36 Revision 43 Page 18 of 98
ND-19-0168 Technical Specifications Bases RTS Source Range Instrumentation B 3.3.2 BASES ACTIONS (continued)
E.1 and E.2 Condition E is entered when the Required Action and associated Completion Time of Condition D is not met. If three of the four required source range instrumentation channels are not restored to OPERABLE status within the allowed Completion Time, Required Action E.1 requires that action be initiated to fully insert all rods within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, and Required Action E.2 requires that the PLS be placed in a condition incapable of rod withdrawal within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The allowed Completion Time is reasonable, based on operating experience, to reach the specified condition in an orderly manner and without challenging plant systems.
F.1 Condition F addresses the situation where three or more source range Draft Draft Draf aff aft instrumentation channels are inoperable. With three or more channels inoperable, single failure criterion cannot be met and th the reactor trip breakers must mu be opened immediately.
immediately.
SURVEILLANCE The CHANNEL NEL CALIBRATION CALIBRA CALI ATION and COT CO are e is performed orm in a manner REQUIREMENTS that is consistent sistent with the assumptions used in analytic analytically calculating the analyticall required channel accuracies. For channels that include includ dynamic d transfer functions, such as, lag, lead/lag, rate/lag, the response time tim test may be performed with the transfer function set to one one, In lieu eu of measurement, m
the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured, with the resulting measured response time compared to the appropriate FSAR Chapter 7 response time (Ref. 1). Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.
SR 3.3.2.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in VEGP Units 3 and 4 B 3.3.2 - 4 Revision 39 Page 19 of 98
ND-19-0168 Technical Specifications Bases RTS Source Range Instrumentation B 3.3.2 BASES ACTIONS (continued) one of the channels or of even something more serious. A CHANNEL BASES SURVEILLANCE REQUIREMENTS (continued)
CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment have drifted outside their corresponding limits.
D f Draft The Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operatorp aids mayy be used to facilitate the perform performance of the CHANNEL CHECK.
SR 3.3.2.2 2 SR 3.3.2.2 is the performance of a COT. COT T The he testing is performed pe in accordance ce with the SP.
SPP. Iff the actual setting of the channel cha chann is found to be outside the as-found as a -found und tolerance, ance, the channel is considered consider inoperable.
This condition of the channel will will be further evaluated during dur performance off the th SR.
SR Thi This evaluation l ti will ill consist i t off resetting tti the th channel h setpoint to the NTS (within the allowed tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended Function.
A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.
For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this VEGP Units 3 and 4 B 3.3.2 - 5 Revision 39 Page 20 of 98
ND-19-0168 Technical Specifications Bases RTS Source Range Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued) verification includes a comparison of the outputs from two or more redundant subsystems or channels.
Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.
To the extent possible, protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.
If the COT cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel D
Draft hardware used for functional testing, the COT can be performed using portable te test equipment.
Interlockss implicitly required to support the Function's OPOPERABILITY are also addressed ssed by this COT.
COT. This portion of the COT ensures ens the associated Function is not bypassed when required to be enabled. This can be accomplished complished by ensuring the interlocks are calibr calibrated ca properly in accordance ce with the SP.
SPP. Iff the interlock is not automatically automat automatica functioning as designed, the condition is entered into the Corrective Action Acti Program and appropriate OPERABILITY OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function.
When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.
This test frequency of 92 days is justified based on Reference 2 (which refers to this test as RTCOT) and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the protection and safety monitoring system cabinets to the operator within 10 minutes of a detectable failure.
SR 3.3.2.2 is modified by two Notes. The first Note allows this surveillance to be satisfied if it has been performed within the previous 92 days. The second Note provides a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> delay in the requirement to perform this Surveillance when entering MODE 3 from MODE 2. This note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.2.2 is no longer required to be performed. If the unit is to be in VEGP Units 3 and 4 B 3.3.2 - 6 Revision 39 Page 21 of 98
ND-19-0168 Technical Specifications Bases RTS Source Range Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)
MODE 3 with the RTBs closed for a time greater than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, this Surveillance must be performed prior to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after entry into MODE 3.
The Frequency of prior to reactor startup ensures this surveillance is performed prior to critical operations. The Frequency of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after reducing power below P-6 allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency of every 92 days thereafter applies if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup and four hours after reducing power below P-6. The MODE of Applicability for this surveillance is < P-6. If power is to be maintained
< P-6 for more than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, then the testing required by this surveillance must be performed prior to the expiration of the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> limit. Four hours is a reasonable time to complete the required testing or place the unit in a Draft Draft Draf D
MODE where this surveillance is no longer required. This test ensures that the NIS source, range instrumentation channels ar are O OPERABLE prior tto o taking the reactor critical and after reducing power in into the applicable MODE (< P- P-6)
- 6) for periods > 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
During the COT, COT COT, the protection and safety monitoring system ssyst cabinets in the division n under test may be placed in bypass.
bypas SR 3.3.
3.3.2.31 3.3.2.
2.3 31 This SR 3.3.2.3 is the performance of a CHANNEL CALIBRATION every 24 months. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable.
This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
The CHANNEL CALIBRATION for the source range neutron detectors consists of obtaining the preamp discriminator curves, evaluating those curves, and comparing the curves to the manufacturers data.
VEGP Units 3 and 4 B 3.3.2 - 7 Revision 39 Page 22 of 98
ND-19-0168 Technical Specifications Bases RTS Source Range Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)
Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this CHANNEL CALIBRATION. This portion of the CHANNEL CALIBRATION ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP.
If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.
The 24 month Frequency is based on the need to perform this Draft D
Surveillance under the conditions that apply during a plant outage and the potential for fo an unplanned transient if the Surveillance urveillance were we performed with the reactor reac at power.
power. Operating experienceence has shown show s these components nts usually pass the Surveillance when performe performed on the 24 month Frequency.
Frequency quency..
SR 3.3.2.4 3.3.2.42 42 This SR 3.3.2.4 3.3 verifies that the individual individu channel hannel actuation actuat response times are less than or equal to the maximum values assu assumed in the accident analysis. Response Time testing criteria are included in Reference 1.
For channels that include dynamic transfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer Function set to one,In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured, with the resulting measured response time compared to the appropriate FSAR Chapter 7 response time. Alternately, the response time test can be performed with the time constants set to their nominal value, provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.
Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the VEGP Units 3 and 4 B 3.3.2 - 8 Revision 39 Page 23 of 98
ND-19-0168 Technical Specifications Bases RTS Source Range Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued) channel.
Draft VEGP Units 3 and 4 B 3.3.2 - 9 Revision 39 Page 24 of 98
ND-19-0168 Technical Specifications Bases RTS Source Range Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)
Each channel response must be verified every 24 months on a STAGGERED TEST BASIS (i.e., all four Protection Channel Sets would be tested after 96 months). Response times cannot be determined during plant operation because equipment operation is required to measure response times. Experience has shown that these components usually pass this surveillance when performed on a refueling frequency.
Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.
This SR 3.3.2.4 is modified by a note exempting neutron detectors from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.
Draft Draft REFERENCES 1. FSAR Chapter 7.0, Instrumentation and d Controls.
Controls
- 2. APP-GW-GSC-020, APP-GW GW-GSC 020, Technical SC-020, T Technical Completion Time and chnical Specification Comple Surveillance illance Frequency Justification.
VEGP Units 3 and 4 B 3.3.2 - 10 Revision 39 Page 25 of 98
ND-19-0168 Technical Specifications Bases RTS Intermediate Range Instrumentation B 3.3.3 BASES ACTIONS (continued) intermediate range instrumentation channels inoperable, three of the four required channels must be restored to OPERABLE status prior to increasing THERMAL POWER above the P-6 setpoint. With the unit in this condition, below P-6, the Source Range Neutron Flux channels perform the monitoring and protection functions.
D.1, D.2, and D.3 Condition D addresses the situation where three or more intermediate range instrumentation channels are inoperable. With three or more channels inoperable, operations involving positive reactivity addition must be suspended immediately. This will preclude any power level increase since there are insufficient OPERABLE Intermediate Range channels to adequately monitor power escalation. In addition, THERMAL POWER must be reduced below the P-6 interlock setpoint within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, and the Draft Draft aff aft plant must be placed in MODE 3 within 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br />. The allowed Completion Times for Required Actions D.2 and D.3 are reasonabl reasonable, based on operating experience, ex experience, to reach the specified condition from full power conditionss in an orderly manner and without challenging p plant systems.
SURVEILLANCE The CHANNEL NNEL CALIBRATION CALIBRA CAL ATION ON and COT CO are e is performed orm in a manner REQUIREMENTS that is consistent nsistent with the assumptions assum assumptions used in analytically analytic analyticall calculating the required channel accuracies. For channels that include dynamicd transfer functions, such as, lag, lead/lag, rate/lag, the response time tim test may be performed with the transfer function set to oneIn lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured, with the resulting measured response time compared to the appropriate FSAR Chapter 7 response time (Ref. 1). Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.
VEGP Units 3 and 4 B 3.3.3 - 4 Revision 1 Page 26 of 98
ND-19-0168 Technical Specifications Bases RTS Intermediate Range Instrumentation B 3.3.3 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.3.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of even something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
D ft Dr Draft Draf Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, in including indication inclu and readability.
readability adabili . If a channel is outside the criteria, it may m be an indication that the sensor ensor or the signal processing equipment have d drifted outside their corresponding sponding limits.
limits The Frequency uency is based on operating experience that dem demonstrates that channel failure is rare.
rar Automated tomated operator aids may be b used u to facilitate the performance of the CHANNEL CHEC CHECK.
SR 3.3.3.2 SR 3.3.3.2 is the performance of a COT. The testing is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable.
This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended Function.
A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination VEGP Units 3 and 4 B 3.3.3 - 5 Revision 1 Page 27 of 98
ND-19-0168 Technical Specifications Bases RTS Intermediate Range Instrumentation B 3.3.3 of system self checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.
For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.
Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.
To the extent possible, protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.
D aft Dr Draft ft If the COT cannot be completed using the built-built built-in
-in test ssub subsystem, either because of failures in the test subsystem or failures in red redundant channel hardware used for functional testing, the COT can be perf performed per using portable testst eq equipment.
e uipment.
pment.
Interlocks implicitly required to support the Function's OPOPERABILITY O are also addressed ressed by this COT.
COT. This portion of the COT ensures ens e the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated calibr properly in accordance with the SP. If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function.
When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.
This test frequency of 92 days is justified based on Reference 2 (which refers to this test as RTCOT) and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the protection and safety monitoring system cabinets to the operator within 10 minutes of a detectable failure.
SR 3.3.3.2 is modified by a Note. The Note allows this surveillance to be satisfied if it has been performed within 92 days of the Frequencies prior to reactor startup and four hours after reducing power below P-10. The Frequency of prior to reactor startup ensures this surveillance is VEGP Units 3 and 4 B 3.3.3 - 6 Revision 1 Page 28 of 98
ND-19-0168 Technical Specifications Bases RTS Intermediate Range Instrumentation B 3.3.3 performed prior to critical operations and applies to the source, intermediate and power range low instrument channels. The Frequency of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after reducing power below P-10 allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency of every 92 days thereafter applies if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup and four hours after reducing power below P-10. The MODE of Applicability for this surveillance is
< P-10. Once the unit is in MODE 3, this surveillance is no longer required. If power is to be maintained < P-10 for more than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, then the testing required by this surveillance must be performed prior to the expiration of the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> limit. Four hours is a reasonable time to complete the required testing or place the unit in a MODE where this surveillance is no longer required. This test ensures that the NIS intermediate range instrumentation channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (< P-10) for Draft Draf D ft periods > 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
During the COT, COT C T, the protection and safety monitoring system syst s cabinets in the division on under test may be placed in bypass.
SR 3.3.3.3 3.3.3.31 31 This SR 3.3.
3.3.3.3 3 is s the performance of a CHANNEL CALIBCA CALIBRATION every 24 months. This SR is modified by a No Note stating that ne neutron detectors are excluded from the CHANNEL CALIB CALIBRA ATION TIO CALIBRATION. The he te test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable.
This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
The CHANNEL CALIBRATION for the intermediate range neutron detectors consists of obtaining the detector plateau curves, evaluating those curves, and comparing the curves to the manufacturers data.
Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this CHANNEL CALIBRATION. This portion of the CHANNEL CALIBRATION ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by VEGP Units 3 and 4 B 3.3.3 - 7 Revision 1 Page 29 of 98
ND-19-0168 Technical Specifications Bases RTS Intermediate Range Instrumentation B 3.3.3 ensuring the interlocks are calibrated properly in accordance with the SP.
If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.
The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed on the 24 month Frequency.
SR 3.3.3.42 Drraft Draft This SR 3.3.3.4 verifies that the individual channel actuation response times are less than or equal to the maximum values as assumed assu in the accident ana analysis. Response T Time included in ime testing criteria are inc Reference e 1.
For channelsels that include dynamic transfer Functions (e.g (e.g.,
( lag, lead/lag, rate/lag, etc.),
tc.), the response time test may be performed performe with w the transfer Function set to one, one,In lieu of measurement, the respon response time for the protection and safety monitoring system equipment is bas based on allocated values. The overall response time may be determined values determined by a series of overlapping tests and allocated values such that the entire response time is measured, with the resulting measured response time compared to the appropriate FSAR Chapter 7 response time. Alternately, the response time test can be performed with the time constants set to their nominal value, provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.
Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel.
VEGP Units 3 and 4 B 3.3.3 - 8 Revision 1 Page 30 of 98
ND-19-0168 Technical Specifications Bases RTS Intermediate Range Instrumentation B 3.3.3 BASES SURVEILLANCE REQUIREMENTS (continued)
Each channel response must be verified every 24 months on a STAGGERED TEST BASIS (i.e., all four Protection Channel Sets would be tested after 96 months). Response times cannot be determined during plant operation because equipment operation is required to measure response times. Experience has shown that these components usually pass this surveillance when performed on a refueling frequency.
Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.
This SR 3.3.3.4 is modified by a note exempting neutron detectors from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.
Draft Draft REFERENCES 1. FSAR Chapter 7.0, Instrumentation and d Controls.
Controls
- 2. APP-GW-GSC-020, APP-GW GW-GSC 020, Technical SC-020, Technical Specification Completion T Comple Time and Surveillance illance Frequency Justification.
VEGP Units 3 and 4 B 3.3.3 - 9 Revision 1 Page 31 of 98
ND-19-0168 Technical Specifications Bases RTS ESFAS Instrumentation B 3.3.4 BASES ACTIONS (continued) within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, and Required Action D.2 requires that the Plant Control System be placed in a condition incapable of rod withdrawal within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the specified condition in an orderly manner and without challenging plant systems.
SURVEILLANCE The SRs for each RTS ESFAS Function are identified in the SRs column REQUIREMENTS of Table 3.3.4-1 for that Function. A Note has been added to the SR table stating that Table 3.3.4-1 determines which SRs apply to which RTS ESFAS Functions. RTS ESFAS Function the SR applies to. Function 2 and Function 3 in Table 3.3.4-1 have no surveillance requirements due to self-checking features continuously monitoring logic OPERABILITY.
Faults detected by the self-checking features are alarmed in the main control room.
D ft Draft SR 3.3.4.1 SR 3.3.4.1 3.3.4.1 is the performance of a ACTUATION LOGIC TEST T every 92 days.
An ACTUATION TION LOGIC TEST is performed formed on each required re requ channel to provide reasonable asonable assurance that the entire channel will w perform the intended Function. This testest demonstrates that the Local Loc Coincidence Logic (LCL) process module that performs the ESF actuation actua functions for safeguards actuation, ADS Stages 1, 2, and 3 actuation, and a CMT actuation also sends a digital signal to the LCL process modules that perform reactor trip actuation functions. That digital signal is sent by way of the global memory feature of the communications interface module.
The reactor trip process modules then combine this signal with those from the BPL channel voting logic to generate the outputs sent to the Reactor Trip Switchgear Interface Logic.
A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the ACTUATION LOGIC TEST.
The test subsystem is designed to allow for complete functional testing by using a combination of system self checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.
For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.
VEGP Units 3 and 4 B 3.3.4 - 4 Revision 39 Page 32 of 98
ND-19-0168 Technical Specifications Bases RTS ESFAS Instrumentation B 3.3.4 BASES SURVEILLANCE REQUIREMENTS (continued)
Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.
To the extent possible, protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The ACTUATION LOGIC TEST shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.
If the ACTUATION LOGIC TEST cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the ACTUATION LOGIC TEST can be performed using portable test equipment.
D ft Dra Draft This test frequency of 92 days is justified based on Reference 1 (which refers to this test as an RTCOT) and the use of contin continuous diagnostic continuo test features, such as deadman timers, cross-check cross-check of red cross- redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters unters and crystal time bases, which will report a failure within the protection ion and safety monitoring system cabinets to th the operator within 10 minutes of a detectable failure.
failure During performance of the ACTUATION ACTUA ATION LOGIC TEST TEST, T, the protection and safety monitoring system cabinets in the division under te test may be placed in bypass.
SR 3.3.4.21 This SR 3.3.4.2 verifies that the individual channel actuation response times are less than or equal to the maximum values assumed in the accident analysis. Response time testing criteria are included in Reference 21.
The response time may be measured by any series of sequential, overlapping, or total channel measurements such that the entire response time is measured. This SR 3.3.4.2 measures the response time for the generation of a reactor trip signal from the Safeguards Actuation Input from ESFAS Automatic channels. SR 3.3.8.42 measures the ESF RESPONSE TIME for the generation of the safeguards signal itself.
Response time may be verified by actual response time tests or by the summation of allocated response times, where approved, with actual response time tests on the remainder of the channel.
VEGP Units 3 and 4 B 3.3.4 - 5 Revision 39 Page 33 of 98
ND-19-0168 Technical Specifications Bases RTS ESFAS Instrumentation B 3.3.4 BASES SURVEILLANCE REQUIREMENTS (continued)
Each channel response must be verified every 24 months on a STAGGERED TEST BASIS (i.e., all four Protection Channel Sets would be tested after 96 months). Response times cannot be determined during plant operation because equipment operation is required to measure response times. Experience has shown that these components usually pass this surveillance when performed on a refueling frequency.
Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.
REFERENCES 1. APP-GW-GSC-020, Technical Specification Completion Time and Surveillance Frequency Justification.
- 21. FSAR Chapter 7.0, "Instrumentation and Controls.
Draft VEGP Units 3 and 4 B 3.3.4 - 6 Revision 39 Page 34 of 98
ND-19-0168 Technical Specifications Bases RTS Automatic Trip Logic B 3.3.6 BASES ACTIONS (continued)
B.1 Condition B addresses the situation where the Required Action and associated Completion Time of Condition A is not met, or there are three or more divisions inoperable in MODE 1 or 2. Required Action B.1 directs that the plant must be placed in MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Time is reasonable, based on operating experience, to reach the specified condition from full power conditions in an orderly manner and without challenging plant systems.
C.1 Condition C addresses the situation where one or two RTS Automatic Trip Logic divisions are inoperable in MODE 3, 4, or 5. With one or two divisions inoperable, the Required Action is to restore three of four divisions to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. Restoring all channels Draft D
but one to OPERABLE status ensures that a single failure will not prevent the protective protect function, nor will it cause the protective function function, func f (with the exception of a limited number of PMS component failures). failures failu The 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Completion on Time is considered reasonable since the protective prote prot function will still function.
ctio D.1 and D. .2 D.2 Condition D addresses the situation where the Required Action A and associated Completion Complet Time Time e of Condition C is not met, met or three or more RTS Automatic Trip Logic divisions are inoperable in MODE 3, 4, or 5.
Required Action D.1 requires that action be initiated to fully insert all control rods within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, and Required Action D.2 requires that the Plant Control System be placed in a condition incapable of rod withdrawal within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the specified condition in an orderly manner and without challenging plant systems.
SURVEILLANCE SR 3.3.6.1TS 3.3.6 has no surveillance requirements due to self-REQUIREMENTS checking features continuously monitoring logic OPERABILITY. Logic failure, identified by the self-checking features, is annunciated.
SR 3.3.6.1 is the performance of an ACTUATION LOGIC TEST every 92 days.
An ACTUATION LOGIC TEST is performed on each channel to provide reasonable assurance that the entire channel will perform the intended Function. The test demonstrates that the Local Coincidence Logic (LCL) performs the required coincidence logic using injected, partial trip signals and communicates reactor trip signals to the Reactor Trip Switchgear VEGP Units 3 and 4 B 3.3.6 - 2 Revision 39 Page 35 of 98
ND-19-0168 Technical Specifications Bases RTS Automatic Trip Logic B 3.3.6 Interface Logic.
BASES SURVEILLANCE REQUIREMENTS (continued)
The LCL to Reactor Trip Matrix (RTM) test provides verification of proper operation of the LCL Reactor Trip (RT) Processor Module (PM) voting logic and digital outputs. Test signals are injected into the voting logic of one of the four redundant LCL RT PMs. Injecting the correct combination of test signals, simulating the partial trip signals from the eight redundant BPL PMs, satisfies the voting logic and actuates the undervoltage and shunt trip outputs of the associated digital output (DO) module. The LCL to RTM test provides overlap with the Reactor Trip Digital Output (RTDO) to Reactor Trip Circuit Breaker (RTCB) test in SR 3.3.7.1 (TADOT). Each RT PM can be individually tested and its output monitored at the RTM without tripping any of the reactor trip breakers.
A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the ACTUATION LOGIC TEST.
D ft Dra Draft The test subsystem is designed to allow for complete functional testing by using a com combination of system self checking features, functional fun testing features, and other testing features. Successful functio functional testing functiona consists of verifying that the capability of the system to peperform the safety function hasas not failed or degraded.
For hardwareare functions functio thiss would involve verifying that tha the th hardware componentsents and connections have not failed or degraded degrad degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels channels.
Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.
To the extent possible, protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The ACTUATION LOGIC TEST shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.
If the ACTUATION LOGIC TEST cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the ACTUATION LOGIC TEST can be performed using portable test equipment.
VEGP Units 3 and 4 B 3.3.6 - 3 Revision 39 Page 36 of 98
ND-19-0168 Technical Specifications Bases RTS Automatic Trip Logic B 3.3.6 BASES SURVEILLANCE REQUIREMENTS (continued)
This test frequency of 92 days is justified based on Reference 1 (which refers to this test as RTCOT) and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the protection and safety monitoring system cabinets to the operator within 10 minutes of a detectable failure.
During the ACTUATION LOGIC TEST, the protection and safety monitoring system cabinets in the division under test may be placed in bypass.
REFERENCES 1. APP-GW-GSC-020, Technical Specification Completion Time and Surveillance Frequency Justification.None Draft VEGP Units 3 and 4 B 3.3.6 - 4 Revision 39 Page 37 of 98
ND-19-0168 Technical Specifications Bases ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued)
CMT is below a predetermined setpoint. Additionally, one switch for each division is provided in the Main Control Room (MCR) to allow the operators to manually clear the ADS and IRWST blocks.
The ADS and IRWST injection blocking device design uses conventional analog components that do not rely on software. The ADS and IRWST injection blocking device outputs provide CIM inputs for ADS stage 1, 2, and 3 MOVs, and the ADS Stage 4 and IRWST injection squib valves.
The ADS and IRWST injection blocking device outputs block any attempt to open the ADS and IRWST injection valves from the PMS Integrated Logic Processors.
Nominal Trip Setpoints (NTSs)
The NTS is the nominal value at which the trip output is set. Any trip output is considered to be properly adjusted when the as-left value is Draft within the band for CHANNEL CALIBRATION, i.e., +/- rack calibration accuracy..
accuracy The trip setpoints etpoints used in the trip output are based on the Safety Analysis Limits stated ed in Reference 2. The determination of these NTSs is such that adequate ate protection is provided when all sensor and a processing time delays are taken into account. T To oa llow for calibration tole allow tolerances, instrumentnt drift, and severe environment errors for those thos ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref 4) the NTSs specified in the SP are conservative w (Ref. 4), with respect to the Safety Analysis Limits. A detailed description of the methodology used to calculate the NTSs, including their explicit uncertainties, is provided in the Westinghouse Setpoint Methodology for Protection Systems (Ref. 6).
The as-left tolerance and as-found tolerance band methodology is provided in the SP. The as-found OPERABILITY limit for the purpose of the CHANNEL OPERATIONAL TEST (COT) is defined as the as-left limit about the NTS (i.e., +/- rack calibration accuracy).
The NTSs listed in the SP are based on the methodology described in Reference 6, which incorporates all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each NTS. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. Transmitter and signal processing equipment calibration tolerances and drift allowances must be specified in plant calibration procedures, and must be consistent with the values used in the setpoint methodology.
VEGP Units 3 and 4 B 3.3.8 - 9 Revision 44 Page 38 of 98
ND-19-0168 Technical Specifications Bases ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued)
The OPERABILITY of each transmitter or sensor can be evaluated when its as-found calibration data are compared against the as-left data and are shown to be within the setpoint methodology assumptions. The basis of the setpoints is described in References 2 and 6. Trending of calibration results is required by the program description in Technical Specification 5.5.14.d.
Note that the as-left and as-found tolerances listed in the SP define the OPERABILITY limits for a channel during a periodic CHANNEL CALIBRATION, CHANNEL OPERATIONAL TESTS, or a TRIP ACTUATING DEVICE OPERATIONAL TEST that requires trip setpoint verification.
The protection and safety monitoring system testing features are designed to allow for complete functional testing by using a combination of system self-checking and manual testsfeatures, functional testing Draft raft features, and other testing features. Successful functional testing consists of verifying that the capability of the system to pe perform the safety function has not failed or degraded. For hardware rdware functions func functio this would involve verifying erifying that the hardware components and connections conn have not failed or degraded.
degr egraded.
aded. Since software does not degrade, softwareso sof functional testing involves olves verifying that the software code has not no changed c and that the softwarere code is executing. T To o the extent possible, possible protection pr and safety monitoring system sy func functional testing will be accomp cco accomplished with continuous system self-checking sself-checking ecking features feature in lieu of manual manua surveillance ttests.
tests t As a result, result some functions do not have surveillance surveillanc requirementsand the continuous functional testing features.
The protection and safety monitoring system incorporates continuous system self-checking features wherever practical. Self-checking features include on-line diagnostics for the computer system and the hardware and communications tests. Faults detected by the self-checking features are alarmed in the main control room. These self-checking tests do not interfere with normal system operation.
In addition to the self-checking features, the system includes functional testing features. Functional testing features include continuous functional testing features and manually initiated functional testing features. To the extent practical, functional testing features are designed not to interfere with normal system operation.
In addition to the system self-checking features and functional testing features, other test featuresManual tests are included for those parts of the system which are not tested with self-checking features. This includes manual functional checks, or functional testing features. These test features allow for instruments/sensor checks, calibration verification, response time testing, setpoint verification and component testing. The VEGP Units 3 and 4 B 3.3.8 - 10 Revision 44 Page 39 of 98
ND-19-0168 Technical Specifications Bases ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued) test features again include a combination of continuous testing features and manual testing features.
All of the teststesting features are designed so that the duration of the testing is as short as possible. Testing featuresThe manual tests are designed so that the actual logic is not modified. To prevent unwanted actuation, the testing featurestests are designed with either the capability to bypass a Function during testing and/or limit the number of signals allowed to be placed in test at one time.
APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCOs, for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other Draft accidents. For example, Pressurizer Pressure - Low 3 is a primary (LO (LOCA and a backup actuation signal for small loss of coolant accidents (LOCAs) actuation signal for steam line breaks (SLBs) outside cont c containment.
Functionss such as manual initiation not specifically credited credite in the afety analysis are qualitatively credited in the ssa accident safety safety analysis and the NRC RC staff approved licensing basis for the plant.
plan These conditions which do not require Functions may provide protection for conditions dynamicc transient analysis to demonstrate Function performance.
pe perfo These m also Functions may so serve as backups to Functions that werew credited in th accident the id t analysis l i (Ref (Ref. 2) 2).
Permissive and interlock functions are based upon the associated protection function instrumentation. Because they do not have to operate in adverse environmental conditions, the trip settings of the permissive and interlock functions use the normal environment, steady-state instrument uncertainties of the associated protection function instrumentation. This results in OPERABILITY criteria (i.e., as-found tolerance and as-left tolerance) that are the same as the associated protection function sensor and process rack modules. The NTSs for permissives and interlocks are based on the associated protection function OPERABILITY requirements; i.e., permissives and interlocks performing enabling functions must be set to occur prior to the specified trip setting of the associated protection function.
The LCO requires all instrumentation performing an ESFAS Function, listed in Table 3.3.8-1 in the accompanying LCO, to be OPERABLE. The as-left and as-found tolerances specified in the SP define the OPERABILITY limits for a channel during the CHANNEL CALIBRATION or CHANNEL OPERATIONAL TEST (COT). As such, the as-left and as-found tolerances differ from the NTS by plus or minus the PMS rack VEGP Units 3 and 4 B 3.3.8 - 11 Revision 44 Page 40 of 98
ND-19-0168 Technical Specifications Bases ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued)
The primary means of opening a containment air flow path is by establishing a VFS air flow path into containment. Manual actuation and maintenance as necessary to open a purge supply, purge exhaust, or vacuum relief flow path are available means to open a containment air flow path. In addition, opening of a spare penetration is an acceptable means to provide the necessary flow path. Opening of an equipment hatch or a containment airlock is acceptable. Containment air flow paths opened must comply with LCO 3.6.7, Containment Penetrations.
The 44 hour5.092593e-4 days <br />0.0122 hours <br />7.275132e-5 weeks <br />1.6742e-5 months <br /> Completion Time is reasonable for opening a containment air flow path in an orderly manner.
SURVEILLANCE The following SRs apply to each ESFAS Instrumentation Function in REQUIREMENTS Table 3.3.8-1.
D ft Draft SR 3.3.8.1 Performanc of the CHANNEL Performance L CHECK once ce every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ho ensures that a gross failure of instrumentation has not occurred. A CH CHANNEL CHECK is a comparison arison of the parameter indicated on one chann channel to a similar parameter on other channels. It is based on the th assump assumption sum that instrumentt channels monitoring the same parameter sho should s read approximately mately the same value. Significant deviations bet between the two instrument channels could be an indication of excessive iinstrument drift in one of the channels or even something something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside their corresponding limits.
The Surveillance Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operator aids may be used to facilitate performance of the CHANNEL CHECK.
VEGP Units 3 and 4 B 3.3.8 - 53 Revision 44 Page 41 of 98
ND-19-0168 Technical Specifications Bases ESFAS Instrumentation B 3.3.8 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.8.2 SR 3.3.8.2 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR.
This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
A COT is performed on each required channel to provide reasonable D
Draft assurance that the entire channel will perform the intended ESF Function Function.
A test subsystem bsystem is provided with the protection and safesafety monitoring system to aid the plant staff in performing the COT.
COT T. The test subsystem is designeded to allow for complete functional testing by us using a combinationion of system self self-self-checking
-checking features, func functional tion testing features, tional and otherer testing features. Successful functional testing testi consists of verifying that the capability of the system to perform the ssafety function has not failed or dedegraded degraded.
For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.
Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.
To the extent possible, protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.
VEGP Units 3 and 4 B 3.3.8 - 54 Revision 44 Page 42 of 98
ND-19-0168 Technical Specifications Bases ESFAS Instrumentation B 3.3.8 BASES SURVEILLANCE REQUIREMENTS (continued)
If the COT cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the COT can be performed using portable test equipment.
Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this COT. This portion of the COT ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP. If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function.
When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's Draft D ft channels must be declared inoperable and appropriate ACTIONS taken.
The 92 day Frequency is based on Reference Th nce 5 and tthe use of continuousus diagnostic test features, such as deadman tim timers, ti cross-check ck of redundant channels, memory checks, numeric num nu coprocessorsor checks, and tests of timers, counters and crystal cr time bases, which will report a failure within the integrated protection protect cabinets to the operator.
or.
During the t COT, COT T the protection and safety monitoring system sys cabinets in the division under test may be placed in bypass.
SR 3.3.8.31 This SR 3.3.8.3 is the performance of a CHANNEL CALIBRATION every 24 months or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor and the integrated protection cabinets (IPC). The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and VEGP Units 3 and 4 B 3.3.8 - 55 Revision 44 Page 43 of 98
ND-19-0168 Technical Specifications Bases ESFAS Instrumentation B 3.3.8 BASES SURVEILLANCE REQUIREMENTS (continued) evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation. Transmitter calibration must be performed consistent with the assumptions of the setpoint methodology. The difference between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.
Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this CHANNEL CALIBRATION. This portion of the CHANNEL CALIBRATION ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP.
Draft If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program m and appropriate approp app OPERABILITY evaluations performed for the affected Fu Function. The affected Functions Funct un ion nss OPERABILITY can be met if the interlock inter inte is manually enforced to properly enable the affected Function. When Whe an interlock is rtin the not supporting he associated Functions Function OPERABILITY PERABILIT at the existing ditions, the affected Function's channels must plant conditions, mus be b declared able and appropriate ACTIONS taken.
inoperable The setpoint methodology requires that that 30 months drift be b used (1.25 times the surveillance calibration interval, 24 months).
The Frequency is based on operating experience and consistency with the refueling cycle.
This Surveillance Requirement is modified by a Note. The Note states that this test should include verification that the time constants are adjusted to within limits where applicable.
SR 3.3.8.42 This SR ensures the individual channel ESF RESPONSE TIME is less than or equal to the maximum value assumed in the accident analysis.
Individual component response times are not modeled in the analyses.
The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the NTS value at the sensor, to the point at which the equipment reaches the required functional state (e.g., valves in full open or closed position).
VEGP Units 3 and 4 B 3.3.8 - 56 Revision 44 Page 44 of 98
ND-19-0168 Technical Specifications Bases ESFAS Instrumentation B 3.3.8 BASES SURVEILLANCE REQUIREMENTS (continued)
For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to oneIn lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured with the resulting measured response time compared to the appropriate FSAR Chapter 7 (Ref. 1) response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values.
The response time may be measured by a series of overlapping tests such that the entire response time is measured.
Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by Draft the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder re of the channel. Allocations Al Allocat ions for signal processing and actuation actuat logic response times mayay be obtained from the protection and safety monitoring m
mo system functional requirements. Allocations for sensor response times may be obtained from:
rom (1) historical records based on accept acceptabl acceptable response time tests (hydraulic, draulic, noise, or power interrupt tests), (2) in pla place, onsite, or offsite (e.g., vendor) test measurements, or (3)
(3 utilizing zin vendor v
engineering specifications. WCAP-13632-P-A, WCAP WCAP--13632 136 -P-P-A,
-A, Revision 2, Elimination of Pressure Sensor Response Time TestingT ti Requirements Req iremen (Ref. 7),
Requiremen provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.
ESF RESPONSE TIME tests are conducted on a 24 month STAGGERED TEST BASIS. Testing of the devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 24 months. The 24 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.
The Surveillance Requirement is modified by a Note: Not applicable to Function 1.a for Containment Pressure - Low. The exception is appropriate because the Containment Pressure - Low signal provides an interlock function for the containment vacuum relief valves manual VEGP Units 3 and 4 B 3.3.8 - 57 Revision 44 Page 45 of 98
ND-19-0168 Technical Specifications Bases ESFAS Instrumentation B 3.3.8 initiation function and does not directly actuate any ESF.
Draft VEGP Units 3 and 4 B 3.3.8 - 58 Revision 44 Page 46 of 98
ND-19-0168 Technical Specifications Bases ESFAS RCS Hot Leg Level Instrumentation B 3.3.10 BASES SURVEILLANCE SR 3.3.10.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or even something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an Draft D
indication that the sensor or the signal processing equipment has drifted outside the their corresponding limits.
The Surveillance veillance Frequency is based on operating experience exper that demonstrates ates that channel failure is rare. Automated operator ope op aids may be used to o facilitate performance of the CHANNEL CHAN L CHECCH CHECK.
SR 3.3.10.2 10.2 SR 3.3.10.2 3 3 10 2 is the performance of a CHANNEL OPERATIONAL OPERA OPERAT AT TEST (COT) every 92 days. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended engineered safety features (ESF) Function.
VEGP Units 3 and 4 B 3.3.10 - 5 Revision 23 Page 47 of 98
ND-19-0168 Technical Specifications Bases ESFAS RCS Hot Leg Level Instrumentation B 3.3.10 BASES SURVEILLANCE REQUIREMENTS (continued)
A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.
For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.
Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software D ft Dra Draft code is executing.
To the extent possible, protection and safety monitorin monitoring ssystem functional testing is accomplished with continuous system self-checking self self--chec features and the continuous ontinuous functional testing features.
featurres. The COT shall include a review of the he operation of the test subsystem to verify the completeness and adequacy uacy of the results.
If the COT cannot be completed using the buil built built-in
-in test est su sub subsystem, either because of failures in the test subsystem or failures failu fa res in redundant red channel hardware used for functional testing, the COT can be performed using portable test equipment.
Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this COT. This portion of the COT ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP. If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function.
When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.
VEGP Units 3 and 4 B 3.3.10 - 6 Revision 23 Page 48 of 98
ND-19-0168 Technical Specifications Bases ESFAS RCS Hot Leg Level Instrumentation B 3.3.10 BASES SURVEILLANCE REQUIREMENTS (continued)
The 92 day Frequency is based on Reference 3 and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the integrated protection cabinets to the operator.
During the COT, the protection and safety monitoring system cabinets in the division under test may be placed in bypass.
SR 3.3.10.31 This SR 3.3.10.3 is the performance of a CHANNEL CALIBRATION every 24 months or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the Draft sensor and the integrated protection cabinets (IPC). The test is performed in accordance with the SP. SPP. Iff the e actual setting set of the channel is found to beb outside the as-found as-found tolerance, ce, the channel channe chan is considered inoperable.le. This condition of the channel will be further evaluated e during performance ce of the SR. This his evaluation will consist of resetting re res the channel setpoint tolerance),
etpoint to the NTS (within the allowed toleran toleranc e and evaluating the channels els respo response. Iff the channel is functioning as a required r and is expected d to pass the next surveillance, then the channel chann is OPERABLE and can be restored to service at the completion of the su surveillance. After the surveillance surv iss completed, completed the channel as as-found found condition cond will be entered into the Corrective Action Program for further evaluation.
Transmitter calibration must be performed consistent with the assumptions of the setpoint methodology. The difference between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.
Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this CHANNEL CALIBRATION. This portion of the CHANNEL CALIBRATION ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP.
If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.
VEGP Units 3 and 4 B 3.3.10 - 7 Revision 23 Page 49 of 98
ND-19-0168 Technical Specifications Bases ESFAS RCS Hot Leg Level Instrumentation B 3.3.10 BASES SURVEILLANCE REQUIREMENTS (continued)
The setpoint methodology requires that 30 months drift be used (1.25 times the surveillance calibration interval, 24 months).
The Frequency is based on operating experience and consistency with the refueling cycle.
This Surveillance Requirement is modified by a Note. The Note states that this test should include verification that the time constants are adjusted to within limits.
SR 3.3.10.42 This SR ensures the individual channel ESF RESPONSE TIME is less than or equal to the maximum value assumed in the accident analysis.
Individual component response times are not modeled in the analyses.
Drraft Draft The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the NTS value e at the senso se sensor, to the point at which the equipment eq reaches the required functional sstat reaches state (e.g., valves in full open or closed position).
positio For channels (e.g.,
els that include dynamic transfer functions (e.g
( lag, lead/lag, rate/lag, etc.),
tc.), the response time test may be performed performe w with the transfer functionss set to one oneIn lieu of measurement, the response respon time for the protection and safety monitoring system equipment is ba based on allocated values. The overall response time may be determined by a series of values overlapping tests and allocated values such that the entire response time is measured with the resulting measured response time compared to the appropriate FSAR Chapter 7 (Ref. 2) response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values.
The response time may be measured by a series of overlapping tests such that the entire response time is measured.
Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for signal processing and actuation logic response times may be obtained from the protection and safety monitoring system functional requirements. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements (Ref. 6),
VEGP Units 3 and 4 B 3.3.10 - 8 Revision 23 Page 50 of 98
ND-19-0168 Technical Specifications Bases ESFAS RCS Hot Leg Level Instrumentation B 3.3.10 BASES SURVEILLANCE REQUIREMENTS (continued) provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.
Draft VEGP Units 3 and 4 B 3.3.10 - 9 Revision 23 Page 51 of 98
ND-19-0168 Technical Specifications Bases ESFAS RCS Hot Leg Level Instrumentation B 3.3.10 BASES SURVEILLANCE REQUIREMENTS (continued)
ESF RESPONSE TIME tests are conducted on a 24 month STAGGERED TEST BASIS. Testing of the devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 24 months. The 24 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.
REFERENCES 1. FSAR Chapter 15.0, Accident Analysis.
- 2. FSAR Chapter 7.0, Instrumentation and Controls.
Draft
- 3. APP-GW-GSC-020, APP Technical T Specification Completion cation Comple Com Time and Surveillance Frequency Justification.
Surveil
- 4. APP-GW-GLR-004, APP- -GW GW-GLR 004, Rev.
GLR--004 Rev. 0, AP1000 Shutdown Eva Evaluation Report, July 2002.
200 2002.
- 5. FSAR AR Chapter 19.0, Probabilistic Risk Assessment Assessment, Assessm Appen Appendix 19E, 9E, Shutdown Evaluation.
- 6. WCAP-13632-P-A (Proprietary) and WCAP-13787-A (Non-Proprietary), Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements, January 1996.
VEGP Units 3 and 4 B 3.3.10 - 10 Revision 23 Page 52 of 98
ND-19-0168 Technical Specifications Bases ESFAS Startup Feedwater Flow Instrumentation B 3.3.11 BASES ACTIONS (continued)
In the event a channels as-found condition is outside the as-found tolerance described in the Setpoint Program, or the channel is not functioning as required, or the transmitter, instrument loop, signal processing electronics, or ESF output associated with a specific Function is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the particular protection Function(s) affected.
A.1 With one or more startup feedwater lines with one startup feedwater channel inoperable, the inoperable channel must be placed in a trip condition within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. If one channel is tripped, the interlock condition is satisfied. The specified Completion Time is reasonable considering the time required to complete this action.
Draft D
B.1 B .1 and B.2 If the Required quire Action ction and associated Completion Time of o Condition A is not met or iff one or more startup feedwater lines has two channels inoperable,, the plant must be placed in a MODE in which wh the LCO does not apply. This is accomplished by placing the plant in MODE MO 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> andnd in MODE 4 with the RCS beingb cooled by the RNS within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The allowed Completion Completio Times mes are reasonable, based Times ba on operating experience, to reach the required plant conditio conditions from full power conditions in an orderly manner without challenging plant systems.
SURVEILLANCE SR 3.3.11.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or even something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
VEGP Units 3 and 4 B 3.3.11 - 2 Revision 16 Page 53 of 98
ND-19-0168 Technical Specifications Bases ESFAS Startup Feedwater Flow Instrumentation B 3.3.11 BASES SURVEILLANCE REQUIREMENTS (continued)
Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside their corresponding limits.
The Surveillance Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operator aids may be used to facilitate performance of the CHANNEL CHECK.
SR 3.3.11.2 SR 3.3.11.2 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found D ft Draft Draf tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance o of th the SR. This evaluation will w consist of resetting resetting the channel nel setpoint setpoin to the NTS (within the alloweded tolerance), and evaluating the channels resp response. If the channel is functioning as required and is expected to pas pass the next surveillance, ce, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance su is completed, ed, the channel as-found as as--found condition will be entered ente into the Corrective Action Program for further evaluation.
evaluatio A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended engineered safety features (ESF) function.
A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.
For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.
Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.
VEGP Units 3 and 4 B 3.3.11 - 3 Revision 16 Page 54 of 98
ND-19-0168 Technical Specifications Bases ESFAS Startup Feedwater Flow Instrumentation B 3.3.11 BASES SURVEILLANCE REQUIREMENTS (continued)
To the extent possible, protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.
If the COT cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the COT can be performed using portable test equipment.
The 92 day Frequency is based on Reference 2 and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, Draf D r ft which will report a failure within the BPL subsystems to the operator.
During the COT, COT C T, the protection and safety monitoring system sys s cabinets in the division on under test may be placed in bypass.
3.3.11.31
.31 This SR 3.3.
3.3.11.3 1 is the performance of a CHANNEL C CAL CALIBRATION every 24 months or approximately at every refueling. CHANNE CHANNEL CALIBRATION CALIBRA A iss a complete check of the instrument loop, loo including the sensor and the BPL subsystems. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR.
This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation. Transmitter calibration must be performed consistent with the assumptions of the setpoint methodology. The difference between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.
VEGP Units 3 and 4 B 3.3.11 - 4 Revision 16 Page 55 of 98
ND-19-0168 Technical Specifications Bases ESFAS Startup Feedwater Flow Instrumentation B 3.3.11 BASES SURVEILLANCE REQUIREMENTS (continued)
The setpoint methodology requires that 30 months drift be used (1.25 times the surveillance calibration interval, 24 months).
The Frequency is based on operating experience and consistency with the refueling cycle.
This Surveillance Requirement is modified by a Note. The Note states that this test should include verification that the time constants are adjusted to within limits where applicable.
SR 3.3.11.42 This SR ensures the individual channel ESF RESPONSE TIME is less than or equal to the maximum values assumed in the accident analysis.
Individual component response times are not modeled in the analyses.
Drraft Draft The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the NTS value e at the senso se sensor, to the point at which the equipment reaches the required functional sstat state (e.g., valves in full open or closed position).
positio For channels (e.g.,
els that include dynamic transfer functions (e.g
( lag, lead/lag, rate/lag, etc.),
tc.), the response time test may be performed performe with w the transfer functionss set to one oneIn lieu of measurement, the response respon time for the protection and safety monitoring system equipment is ba based on allocated values. The overall response time may be determined by a series of values overlapping tests and allocated values such that the entire response time is measured with the resulting measured response time compared to the appropriate FSAR Chapter 7 (Ref. 2) response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values.
The response time may be measured by a series of overlapping tests such that the entire response time is measured.
Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for signal processing and actuation logic response times may be obtained from the protection and safety monitoring system functional requirements. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements (Ref. 4),
VEGP Units 3 and 4 B 3.3.11 - 5 Revision 16 Page 56 of 98
ND-19-0168 Technical Specifications Bases ESFAS Startup Feedwater Flow Instrumentation B 3.3.11 provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.
Draft VEGP Units 3 and 4 B 3.3.11 - 6 Revision 16 Page 57 of 98
ND-19-0168 Technical Specifications Bases ESFAS Startup Feedwater Flow Instrumentation B 3.3.11 BASES SURVEILLANCE REQUIREMENTS (continued)
ESF RESPONSE TIME tests are conducted on a 24 month STAGGERED TEST BASIS. Testing of the devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 24 months. The 24 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.
REFERENCES 1. FSAR Chapter 15.0, Accident Analysis.
- 2. FSAR Chapter 7.0, Instrumentation and Controls.
Draft Draft
- 3. APP-GW-GSC-020, APP Technical T Specification Completion cation Comple Com Time and Surveillance Frequency Justification.
Surveil
- 4. WCAP-13632-P-A WCAPAP--13632 -P-A (Proprietary) and WCAP-13787-A 13632-P-A WCAP-WCAP 13787 13787-A (Non-Proprietary),
(Non--Proprietary)
Proprieta , Revision Pressure Sensor evision 2, Elimination of Pre Press
Response
ponse Time Tim T Testing esting ng Requirements, January 19 1996.
VEGP Units 3 and 4 B 3.3.11 - 7 Revision 16 Page 58 of 98
ND-19-0168 Technical Specifications Bases ESFAS Main Control Room Isolation, Air Supply Initiation, and Electrical Load De-energization B 3.3.13 BASES SURVEILLANCE SR 3.3.13.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or even something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication Draft D ft and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equ equipment has drifted equipm outside tside their corresponding limits.
The Surveillance illance Frequency is based on operating exper experience that demonstrates ates thatat channel failure is rare.
rar Automated operator ope o aids may be used to o facilitate performance of the CHANNEL CHAN L CHEC CH CHECK.
SR 3.3.13 3.3.
3.3.13.2 13.2 SR 3.3.13.2 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended engineered safety features (ESF) function.
VEGP Units 3 and 4 B 3.3.13 - 4 Revision 24 Page 59 of 98
ND-19-0168 Technical Specifications Bases ESFAS Main Control Room Isolation, Air Supply Initiation, and Electrical Load De-energization B 3.3.13 BASES SURVEILLANCE REQUIREMENTS (continued)
A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.
For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.
Since software does not degrade, software functional testing involves D
Draft Dra verifying that the software code has not changed and that the software code is ex executing.
To the extent xtent possible, protection and safety monitoring ssystem functional testing is accomplished with continuous system self-checking self self--chec features and the continuous ntinuous functional testing features. The CO COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy quacy of the results.
If the COT cannot be completed using the buil built built-in
-in test st sub subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the COT can be performed using portable test equipment.
The 92 day Frequency is based on Reference 3 and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the integrated protection cabinets to the operator.
During the COT, the Protection and Safety Monitoring System cabinets in the division under test may be placed in bypass.
VEGP Units 3 and 4 B 3.3.13 - 5 Revision 24 Page 60 of 98
ND-19-0168 Technical Specifications Bases ESFAS Main Control Room Isolation, Air Supply Initiation, and Electrical Load De-energization B 3.3.13 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.13.31 This SR 3.3.13.3 is the performance of a CHANNEL CALIBRATION every 24 months or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor and the integrated protection cabinets (IPC). The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR.
This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is Draft completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation. ation. Transmitter Transm Tran calibration must be performed consistent with the assumptions of the setpoint methodologyogy.. The difference between the current as methodology. as-
-foun fou values and as-found the previousus as-left a
as-left eft values must be consistent with the transmitter tra drift allowance used in the setpoint methodology methodology..
The setpoint point methodology requires that that 30 months drift drif be b used (1.25 times the surveillance calibration calibration interval, 24 month months).
The Frequency is based on operating experience and consistency with the refueling cycle.
This Surveillance Requirement is modified by a Note. The Note states that this test should include verification that the time constants are adjusted to within limits where applicable.
SR 3.3.13.42 This SR ensures the individual channel ESF RESPONSE TIME is less than or equal to the maximum value assumed in the accident analysis.
Individual component response times are not modeled in the analyses.
The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the NTS value at the sensor, to the point at which the equipment reaches the required functional state (e.g., valves in full open or closed position).
VEGP Units 3 and 4 B 3.3.13 - 6 Revision 24 Page 61 of 98
ND-19-0168 Technical Specifications Bases ESFAS Main Control Room Isolation, Air Supply Initiation, and Electrical Load De-energization B 3.3.13 BASES SURVEILLANCE REQUIREMENTS (continued)
For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to oneIn lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured with the resulting measured response time compared to the appropriate FSAR Chapter 7 (Ref. 1) response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values.
The response time may be measured by a series of overlapping tests such that the entire response time is measured.
Draft Dr Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measureme measurements or by the measurements, summation of o allocated sensor, sensorr, signal processing essing and actuation ac logic response times with actual response time tests on the remainder rem re of the channel. Allocations for signal processing and actuation logic response times may be obtained from the protection and safety mo monitoring system functional requirements.
requireme Allocations for sensor response respon times may be obtained d from:
from (1) 1) historical records based on acceptable accepta response time ttests ests (hydraulic, noise, or power interrupt tests tests), (2) in pla place, onsite, or offsite ff it (e.g.,
(e g vendor) dor) test measurements measurements, or (3 (3) utilizing ng vee vendor engineering specifications. WCAP-13632-P-A, Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements (Ref. 4),
provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.
ESF RESPONSE TIME tests are conducted on a 24 month STAGGERED TEST BASIS. Testing of the devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 24 months. The 24 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.
VEGP Units 3 and 4 B 3.3.13 - 7 Revision 24 Page 62 of 98
ND-19-0168 Technical Specifications Bases ESFAS IRWST and Spent Fuel Pool Level Instrumentation B 3.3.14 BASES ACTIONS (continued)
Refueling Water Storage Tank (IRWST) - Shutdown, MODE 6) to dictate the required measures. The IRWST LCO(s) provide appropriate Required Actions for the inoperability of the IRWST and Spent Fuel Pool Level Instrumentation. This action is in accordance with LCO 3.0.6, which requires that the applicable Conditions and Required Actions for the IRWST declared inoperable shall be entered in accordance with LCO 3.0.2.
SURVEILLANCE SR 3.3.14.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that D ft Draft f instrument channels monitoring the same parameter should read approximately the same value. Significant deviations b between the two betw instrument channels could be an indication of excessiv excessive ininstrument drift in one of thee channels or even somesomething thing more serious. A C CHANNEL CHECK willll detect gross channel failure; thus, it is key to verifying the instrumentation ation continues to operate properly between ea each CHANNEL CALIBRATION.
ATION Agreement criteria are determined by the plant staff, bas based on a base combination of the channel instrument uncertainties, inclu including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside their corresponding limits.
The Surveillance Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operator aids may be used to facilitate performance of the CHANNEL CHECK.
SR 3.3.14.2 SR 3.3.14.2 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channels response. If the VEGP Units 3 and 4 B 3.3.14 - 4 Revision 44 Page 63 of 98
ND-19-0168 Technical Specifications Bases ESFAS IRWST and Spent Fuel Pool Level Instrumentation B 3.3.14 BASES SURVEILLANCE REQUIREMENTS (continued) channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended engineered safety features (ESF) Function.
A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that D
Dra Draft the capability of the system to perform the safety function has not failed or degraded.
For hardware ware functions this would involve verifying that th tthe hardware components nts and connections have not failed or degraded degraded.
degrade Generally this verification n includes a comparison of the outputs from two or more redundantt subsystems or channels.
Since software does not degrade, software functional tes testing involves verifying that the software code has not changed and tha that the software code is executing.
To the extent possible, protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.
If the COT cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the COT can be performed using portable test equipment.
The 92 day Frequency is based on Reference 2 and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the integrated protection cabinets to the operator.
VEGP Units 3 and 4 B 3.3.14 - 5 Revision 44 Page 64 of 98
ND-19-0168 Technical Specifications Bases ESFAS IRWST and Spent Fuel Pool Level Instrumentation B 3.3.14 BASES SURVEILLANCE REQUIREMENTS (continued)
During the COT, the protection and safety monitoring system cabinets in the division under test may be placed in bypass.
SR 3.3.14.31 This SR 3.3.14.3 is the performance of a CHANNEL CALIBRATION every 24 months or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor and the integrated protection cabinets (IPC). The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channels response. If the channel is functioning as required and is Draft expected to pass the next surveillance, then the channel is OPERABLE and can beb restored restored to service at the completion etion of the surveillance.
su After the surveillance is completed, the channel as-found as-found condition as- co cond will be entered into nto the Corrective Correctiv Action Program for further evaluation.
eva ev Transmitterer calibration must be performed consistent with the assumptions ns of the setpoint methodology.
methodology methodolo . The difference differe between the current as-found ass-found values and the previous as-left as-as-left values value must m be consistent ent with the transmitter drift allowance used in thet setpoint methodolog methodology methodology..
The setpoint methodology requires that 30 months drift be used (1.25 times the surveillance calibration interval, 24 months).
The Frequency is based on operating experience and consistency with the refueling cycle.
This Surveillance Requirement is modified by a Note. The Note states that this test shall include verification that the time constants are adjusted to within limits where applicable.
SR 3.3.14.42 This SR ensures the individual channel ESF RESPONSE TIME is less than or equal to the maximum value assumed in the accident analysis.
Individual component response times are not modeled in the analyses.
The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the NTS value at the sensor, to the point at which the equipment reaches the required functional state (e.g., valves in full open or closed position).
VEGP Units 3 and 4 B 3.3.14 - 6 Revision 44 Page 65 of 98
ND-19-0168 Technical Specifications Bases ESFAS IRWST and Spent Fuel Pool Level Instrumentation B 3.3.14 BASES SURVEILLANCE REQUIREMENTS (continued)
For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to oneIn lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured with the resulting measured response time compared to the appropriate FSAR Chapter 7 (Ref. 2) response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values.
The response time may be measured by a series of overlapping tests such that the entire response time is measured.
Draft Dr Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel meas measurements, measur or by the summation summat of allocated sensor, sensorr, signal processing and actuation logic response e times with actual response time test testss on the remainder rem re of the channel. Allocations for signal processing and actuation logic response times may be obtained from the protection and safety mo monitoring system functional requirements.
requireme Allocations for sensor response respon times may be obtained d from:
from (1)1) historical records based on acceptable accepta response time tests (hydraulic, noise, or power interrupt tests place, onsite, or tests), (2) in pla ff it (e.g.,
offsite ( g vendor)
(e d test measurements, measurements easurements or (3) ng vvendor (3 utilizing engineering specifications. WCAP-13632-P-A, Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements (Ref. 4),
provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.
ESF RESPONSE TIME tests are conducted on a 24 month STAGGERED TEST BASIS. Testing of the devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 24 months. The 24 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.
VEGP Units 3 and 4 B 3.3.14 - 7 Revision 44 Page 66 of 98
ND-19-0168 Technical Specifications Bases ESFAS Actuation Logic
- Operating B 3.3.15 BASES SURVEILLANCE SR 3.3.15.1 REQUIREMENTS SR 3.3.15.1 is the performance of an ACTUATION LOGIC TEST on the ESF Coincidence Logic. The ACTUATION LOGIC TEST demonstrates that the ESF Local Coincidence Logic (LCL subsystems) performs the required coincidence logic using injected, partial actuation signals and communicates system actuation signals to the ILP inputs in the ESF Actuation Subsystem Logic ((Integrated Logic Cabinets (ILCs)). The ESF LCL subsystems within a division are tested every 92 days on a STAGGERED TEST BASIS.
A test subsystem is provided with the Protection and Safety Monitoring System to aid the plant staff in performing the ACTUATION LOGIC TEST.
The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety D ft Dra Draft function has not failed or degraded.
For hardware hardware functions this would involve verifying tha that th the hardware components nts and connections have not failed or degraded degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.
Since software ftware does not degrade, egrade, software functional testing test t involves verifying that the software code has not changed and that the software code is executing executing.
To the extent possible, Protection and Safety Monitoring System functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The ACTUATION LOGIC TEST shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.
If the ACTUATION LOGIC TEST cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the ACTUATION LOGIC TEST can be performed using portable test equipment.
The LCL to ILP test feature provides verification of proper operation of the ESF LCL process modules (PMs), high speed link (HSL) communication, and ILP PMs. The test signal is injected at the ESF LCL PM and monitored at the ILP PMs. The ACTUATION LOGIC TEST provides overlap with the ACTUATION LOGIC OUTPUT TEST in SR 3.3.15.2 by verifying communication of system actuation signals from the ESF Local Coincidence Logic to the ESF Actuation Subsystem ILPs.
VEGP Units 3 and 4 B 3.3.15 - 3 Revision 27 Page 67 of 98
ND-19-0168 Technical Specifications Bases ESFAS Actuation Logic
- Operating B 3.3.15 BASES SURVEILLANCE REQUIREMENTS (continued)
Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this ACTUATION LOGIC TEST. This portion of the ACTUATION LOGIC TEST ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP.
If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.
The Frequency of every 92 days on a STAGGERED TEST BASIS D ft Draft Dra provides a complete test of all four divisions once per year. This frequency fr requency is adequate based on the inherentinherent nt high reliability reliabili relia of the solid state devices which comprise this equipment; the addit additional reliability addition provided by the redundant subsystems; and the use of co continuous diagnostic test features, such as deadman timers, memor memory memo checks, numeric coprocessor coprocesso oprocessor checks,ks, cross-check cross check of redundant redundan subsystems, s and tests of timers, mers, counters, and crystal time basis, which wil will report a failure within these ese cabinets to the operator operator..
SR 3 3.3.15.2 3 15 2 SR 3.3.15.2 is the performance of an ACTUATION LOGIC OUTPUT TEST (ALOT) on the ESF Actuation. The ALOT demonstrates that both of the redundant signal paths from the inputs to the ILPs through the CIM logic and CIM output driver circuits (ILP to actuator test) in the ESF Actuation Subsystem Logic process injected LCL system actuation signals for the applicable actuation Function. During this test, a signal is sent back to the Maintenance and Test Panel (MTP) subsystem to determine if the CIM 2oo2 logic was satisfied and a component control signal was sent to the actuated device. As such, the ALOT may be performed in conjunction with other testing (e.g., automatic actuation Surveillance Requirements which verify correct valve positioning on an actual or simulated actuation signal).
VEGP Units 3 and 4 B 3.3.15 - 4 Revision 27 Page 68 of 98
ND-19-0168 Technical Specifications Bases ESFAS Actuation Logic
- Operating B 3.3.15 BASES SURVEILLANCE REQUIREMENTS (continued)
The CIM can be allowed to actuate its end device in this test. There are certain end devices that are not expected to be actuated, such as the squib valves (ADS Stage 4 squib valves tested under SR 3.4.11.5, IRWST injection and recirculation squib valves tested under SR 3.5.6.9) and the following passive core cooling system motor-operated valves:
! Both accumulator discharge line motor-operated valves;
! Both in-containment refueling water storage tank gravity injection line motor-operated valves; and
! The passive residual heat removal heat exchanger inlet line motor-operated valve.
These motor-operated valves are normally in their required (open)
Draft Dr D ft safeguards position, they have redundant position indications and alarms, and they also a receive confirmatory open open actuation uation signals.
signals sign These motor-operated valves have their power removed and locked ou out, and Surveillance ce Requirements that verify proper position and power lockout.
The ESF Actuation Subsystem Logic (ILPs and CIMs) within wit a division is tested every ery 24 months.
mon SR 3.3.15.31 3.3.
3.3.15.
15.31 This SR 3.3.15.3 demonstrates that the pressurizer heater circuit breakers trip open in response to an actual or simulated actuation signal.
The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance. The OPERABILITY of the motor control center breakers is checked by opening these breakers using the Plant Control System. The ACTUATION LOGIC TEST also verifies that within the Plant Control System, signals from each division of the protection and safety monitoring system are voted two-out-of-four and the result is used to open the pressurizer heater circuits.
The ACTUATION LOGIC TEST also verifies the OPERABILITY of the pressurizer heater load center circuit breakers located between the load centers and the motor control centers for each of the five pressurizer heater groups. This is demonstrated by testing from the Division A CIM outputs to ensure the load center breakers trip open.
VEGP Units 3 and 4 B 3.3.15 - 5 Revision 27 Page 69 of 98
ND-19-0168 Technical Specifications Bases ESFAS Actuation Logic
- Operating B 3.3.15 BASES SURVEILLANCE REQUIREMENTS (continued)
The Frequency of 24 months is based on the need to perform this surveillance during periods in which the plant is shutdown for refueling to prevent any upsets of plant operation. This Frequency is adequate based on the use of multiple circuit breakers to prevent the failure of any single circuit breaker from disabling the function and that all circuit breakers are tested.
This Surveillance Requirement is modified by a Note that states that the SR is only required to be met when all four cold leg temperatures are
> 275°F.
SR 3.3.15.42 This SR 3.3.15.4 demonstrates that the RCP breakers trip open in response to an actual or simulated actuation signal. The ACTUATION Draft D r LOGIC OUTPUT TEST provides overlap with this Surveillance.
The Frequency of 24 months is based on the need to per perform this nce during periods in which the plant is shutdown surveillance shutdow for refueling to prevent anyny upsets of plant operation.
SR 3.3.15.53 3.3.15.
5.5 53 This SR 3.3.15.5 3.3 demonstrates that the mainin feedwater and a startup feedwater pump breakers trip open in respons response to an n act actual or simulated actuation signal. The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance .
The Frequency of 24 months is based on the need to perform this surveillance during periods in which the plant is shutdown for refueling to prevent any upsets of plant operation.
VEGP Units 3 and 4 B 3.3.15 - 6 Revision 27 Page 70 of 98
ND-19-0168 Technical Specifications Bases ESFAS Actuation Logic
- Operating B 3.3.15 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.15.64 This SR 3.3.15.6 demonstrates that the auxiliary spray and purification line isolation valves actuate to the isolation position in response to an actual or simulated actuation signal. The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance.
The Frequency of 24 months is based on the need to perform this surveillance during periods in which the plant is shutdown for refueling to prevent any upsets of plant operation.
This Surveillance Requirement is modified by a Note that states that the SR is only required to be met in MODES 1 and 2.
Draft D ft REFERENCES 1. FSAR Chapter 15.0, Accident Analysis.
VEGP Units 3 and 4 B 3.3.15 - 7 Revision 27 Page 71 of 98
ND-19-0168 Technical Specifications Bases ESFAS Actuation Logic
- Shutdown B 3.3.16 BASES ACTIONS (continued)
Completion Times are reasonable, based on operating experience, to reach the required plant conditions in an orderly manner without challenging plant systems.
Required Action C.2 minimizes the consequences of a loss of decay heat removal event by optimizing conditions for RCS cooling in MODE 6 using IRWST injection. Additionally, the potential for a criticality event is minimized by suspension of positive reactivity additions.
D.1 If the Required Action and associated Completion Time of Condition A is not met during movement of irradiated fuel assemblies, or one or more ESFAS actuation logic Functions within two or more divisions are inoperable, the plant must be placed in a condition in which the likelihood Draft Draft and consequences of an event are minimized. Required Action D.1 requires immediately im suspending movement of irradiated irradiat fuel assemblies.
This Th i required action suspends activities with potential ffor releasing radioactivity vity that mi might ght enter the Main Control Room. This Thi Th action does not precludede the movement of fuel to a safe position.
SURVEILLANCE SR 3.3.16.16.1 REQUIREMENTS SR 3.3.16.1 is the performance of an ACTUATION LOGIC TEST on the ESF Coincidence Logic. The ACTUATION LOGIC TEST demonstrates that the ESF Local Coincidence Logic (LCL subsystems) performs the required coincidence logic using injected, partial actuation signals and communicates system actuation signals to the ILP inputs in the ESF Actuation Subsystem Logic (Integrated Logic Cabinets (ILCs)). The ESF LCL subsystems within a division are tested every 92 days on a STAGGERED TEST BASIS.
A test subsystem is provided with the Protection and Safety Monitoring System to aid the plant staff in performing the ACTUATION LOGIC TEST.
The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.
VEGP Units 3 and 4 B 3.3.16 - 4 Revision 44 Page 72 of 98
ND-19-0168 Technical Specifications Bases ESFAS Actuation Logic
- Shutdown B 3.3.16 BASES SURVEILLANCE REQUIREMENTS (continued)
For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.
Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.
To the extent possible, Protection and Safety Monitoring System functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The ACTUATION LOGIC TEST shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.
D ft Draft f If the ACTUATION LOGIC TEST cannot be completed using the built-in test subsystem, either because of failures in the test subs subsystem su or failures in redundant channel hardware used for functional test testing testing, the ACTUATION ION LOGIC TEST can be performed using porta portable test equipment..
The LCL to o ILP test feature provides verification of pro proper operation of the ESF LCL process modules (PMs), high speed link (HSL) (HS ccommunication, and ILP PMs. The test signal is injected at the ESF LCL PM P and monitored at the ILP PMs. The ACTUATION LOGIC TEST TES provides overlap with the ACTUATION LOGIC OUTPUT TEST in SR 3.3.16.2 by verifying communication of system actuation signals from the ESF Local Coincidence Logic to the ESF Actuation Subsystem ILPs.
Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this ACTUATION LOGIC TEST. This portion of the ACTUATION LOGIC TEST ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP.
If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.
VEGP Units 3 and 4 B 3.3.16 - 5 Revision 44 Page 73 of 98
ND-19-0168 Technical Specifications Bases ESFAS Actuation Logic
- Shutdown B 3.3.16 BASES SURVEILLANCE REQUIREMENTS (continued)
The Frequency of every 92 days on a STAGGERED TEST BASIS provides a complete test of all four divisions once per year. This frequency is adequate based on the inherent high reliability of the solid state devices which comprise this equipment; the additional reliability provided by the redundant subsystems; and the use of continuous diagnostic test features, such as deadman timers, memory checks, numeric coprocessor checks, cross-check of redundant subsystems, and tests of timers, counters, and crystal time basis, which will report a failure within these cabinets to the operator.
SR 3.3.16.2 SR 3.3.16.2 is the performance of an ACTUATION LOGIC OUTPUT TEST (ALOT) on the ESF Actuation. The ALOT demonstrates that both of the redundant signal paths from the inputs to the ILPs through the CIM logic Draft D ft and CIM output driver circuits (ILP to actuator test) in the ESF Actuation Subsystem Logic process injected LCL system actuation actuatio signals for the applicable actuation Function. During this test, a signa signal is sent back to the Maintenancence and Test Panel (MTP) subsystem to determine determ if the CIM 2oo2 logic wawas satisfied atisfied and a component control signal w was sent to the actuated device.
evice. As such, the ALOT may be performed performe in conjunction with other testing (e.g., automatic actuation Surveillance Surveillanc Requirements R
which verify erify correct valve positioning on an actual or si simulated simu actuation signal).
The CIM can be allowed to actuate its end device in this test. There are certain end devices that are not expected to be actuated, such as the squib valves (ADS Stage 4 squib valves tested under SR 3.4.11.5, IRWST injection and recirculation squib valves tested under SR 3.5.6.9) and the following passive core cooling system motor-operated valves:
x Both accumulator discharge line motor-operated valves; x Both in-containment refueling water storage tank gravity injection line motor-operated valves; and x The passive residual heat removal heat exchanger inlet line motor-operated valve.
These motor-operated valves are normally in their required (open) safeguards position, they have redundant position indications and alarms, and they also receive confirmatory open actuation signals. These motor-operated valves have their power removed and locked out, and Surveillance Requirements that verify proper position and power lockout.
VEGP Units 3 and 4 B 3.3.16 - 6 Revision 44 Page 74 of 98
ND-19-0168 Technical Specifications Bases ESFAS Actuation Logic
-- Shutdown B 3.3.16 BASES SURVEILLANCE REQUIREMENTS (continued)
The ESF Actuation Subsystem Logic (ILPs and CIMs) within a division is tested every 24 months.
SR 3.3.16.31 This SR 3.3.16.3 demonstrates that the RCP breakers trip open in response to an actual or simulated actuation signal. The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance. The Frequency of 24 months is based on the need to perform this surveillance during periods in which the plant is shutdown for refueling to prevent any upsets of plant operation. The SR is modified by a Note stating that the SR is only required to be met in MODE 5.
SR 3.3.16.42 Draft Dra ft This SR 3.3.16.4 demonstrates that the CVS letdown isolation valves actuate to the isolation position in response to an an actual actua or o simulated actuation signal.
sig The ACTUATION LOGIC OUTPUT TEST T TES provides overlap with this Surveillance.
The Frequency ency of 24 months is based ono the e need to perform perf p this surveillance ce during periods in which the plant is shutdo shutdown to prevent any upsets off plant operation.
oper The SR is modified by a Note stating that the SR is not re required to be met in MODE 5 above the P-12 (Pressurizer Level) interlock. A second Note states that the SR is not required to be met in MODE 6 with water level 23 feet above the top of the reactor vessel flange VEGP Units 3 and 4 B 3.3.16 - 7 Revision 44 Page 75 of 98
ND-19-0168 Technical Specifications Bases PAM Instrumentation B 3.3.17 BASES ACTIONS (continued)
E.1 and E.2 If the Required Action and associated Completion Time of Condition C are not met for the Functions in Table 3.3.17-1, the plant must be placed in a MODE in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.
The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
SURVEILLANCE The following SRs apply to each PAM instrumentation function in REQUIREMENTS Table 3.3.17-1:
SR 3.3.17.1 D ft Draft Performance of the CHANNEL CHECK once everyy 31 days verifies that a gross instrumentation failure has not occurred. A CHANNEL CHANN CHECK is a CHA comparison rison of the parameter indicated on one channel channe to a similar parameterr on other channels. It is based on the assumpt assumption that instrument channels monitoring monitoring the same parameter should shou read sh approximately tely the same value. Significant deviations betwbetween b the two instrumentt channels could be an indication of excessive excessiv in instrument drift in one of the channels or of something even more serious.
serious CHANNEL CHECK willwil detect ct gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The high radiation instrumentation should be compared to similar plant instruments located throughout the plant.
Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal-processing equipment has drifted outside its limit. If the channels are within the match criteria, it is an indication that the channels are OPERABLE.
As specified in the SR, a CHANNEL CHECK is only required for those channels that are normally energized.
The Frequency of 31 days is based on operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given function in any 31 day interval is rare.
The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of those displays associated with the required channels of this LCO.
VEGP Units 3 and 4 B 3.3.17 - 9 Revision 33 Page 76 of 98
ND-19-0168 Technical Specifications Bases PAM Instrumentation B 3.3.17 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.17.21 A CHANNEL CALIBRATION is performed every 24 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop including the sensor. The test verifies that the channel responds to the measured parameter with the necessary range and accuracy. This SR is modified by a Note that excludes neutron detectors. The calibration method for neutron detectors is specified in the Bases of LCO 3.3.3, "Reactor Trip System (RTS)
Intermediate Range Instrumentation. RTD and Thermocouple channels are to be calibrated in place using cross-calibration techniques. The Frequency is based on operating experience and consistency with the typical industry refueling cycle.
REFERENCES 1. Regulatory Guide 1.97, Rev. 3, Instrumentation for Light-Water Draft Draft Cooled Nuclear Power Plants to Assess Plant and Environs Conditions Cond Accident, During and Following an Accident, U.S Nuclear cident, U.S. N Regulat Regulatory Commission.
VEGP Units 3 and 4 B 3.3.17 - 10 Revision 33 Page 77 of 98
ND-19-0168 Technical Specifications Bases DAS Manual Controls B 3.3.19 BASES ACTIONS (continued)
B.1 and B.2 Condition B applies when Required Action A cannot be completed for the DAS manual reactor trip control within the required completion time of 30 days.
Required Action B.1 requires SR 3.3.7.1, Perform TADOT for the reactor trip breakers, to be performed once per 31 days, instead of once every 92 days. Condition A of Example 1.3-6 illustrates the use of the Completion Time for Required Action B.1. The initial performance of SR 3.3.7.1 on the first division (since it is performed on a STAGGERED TEST BASIS) must be completed within 31 days of entering Condition B.
The normal surveillance test frequency requirements for SR 3.3.7.1 must still be satisfied while performing SR 3.3.7.1 for Required Action B.1. The predominant failure requiring the DAS manual reactor trip control is common-mode failure of the reactor trip breakers. This change in Draft surveillance frequency for testing the reactor trip breakers increases the likelihood that a common-mode common-mode failure of the e reactor trip tr breakers b would be detected while the DAS manual reactor trip control is inoperable.
in This reduces thehe likelihood that a diverse manual reactor trip is i required. It is not required d to perform a TADOT TADOT for the manual actuation control. The manual reactor actor trip control is very simple, highly reliable, reliabl anda does not use software are in the circuitry.
circuitry. Although the DAS manua manual cocontrols are non-Class ss 1E, they have been shown to to be PRA PRA riskk important impo im as discussed in Reference 1. The impact of an inoperable D DAS manual control is compensated for by increasing the reactor trip b breaker surveillance frequency from once every 92 days to once every 31 days.
Action B.2 requires that the inoperable DAS manual reactor trip control be restored to OPERABLE status prior to entering MODE 2 following any plant shutdown to MODE 5 while the control is inoperable. This ACTION is provided to ensure that all DAS manual controls are restored to OPERABLE status following the next plant shutdown.
C.1 and C.2 Condition C applies when Required Action A cannot be completed for any DAS manual actuation control (other than reactor trip) within the required completion time of 30 days.
Required Action C.1 requires SR 3.3.15.1, Perform ACTUATION LOGIC TEST, and SR 3.3.16.1, "Perform ACTUATION LOGIC TEST," as applicable, to be performed once per 31 days, instead of once every 92 days. Condition A of Example 1.3-6 illustrates the use of the Completion Time for Required Action C.1. The initial performance of VEGP Units 3 and 4 B 3.3.19 - 3 Revision 1 Page 78 of 98
ND-19-0168 Technical Specifications Bases DAS Manual Controls B 3.3.19 BASES ACTIONS (continued)
SR 3.3.15.1 and SR 3.3.16.1 on the first division (since it is performed on a STAGGERED TEST BASIS) must be completed within 31 days of entering Condition C. The normal surveillance test frequency requirements for SR 3.3.15.1 and SR 3.3.16.1 must still be satisfied while performing SR 3.3.15.1 and SR 3.3.16.1 for Required Action C.1. The predominant failure requiring the DAS manual actuation control is common-mode failure of the PMS actuation logic software or hardware.
This change in surveillance frequency for actuation logic testing increases the likelihood that a common-mode failure of the PMS actuation logic from either cause would be detected while any DAS manual actuation control is inoperable. This reduces the likelihood that a diverse component actuation is required. It is not required to perform a TADOT for the manual actuation control device since the manual actuation control devices are very simple and highly reliable. Although the DAS manual controls are non-Class 1E, they have been shown to be PRA risk important as discussed in Reference 1. The impact of an inoperable DAS Draft D ft manual control is compensated for by increasing the automatic actuation surveillance surveil lance frequency from once every 92 days to once onc every e 31 days.
Action C.21 C.2 21 requires that the inoperable DAS manual actu actuation act control(s) be restored d to OPERABLE status prior to entering MODE 2 following any plant shutdown own to MODE 5 while the control is inoperable.
inoperable era This ACTION is providedd to ensure that all DAS manual controls are restored res to OPERABLE BLE status following the next plant shutdown.
D.1 D 1 anddDD.22 Condition D is entered if the Required Action associated with Condition B or C is not met within the required Completion Time.
Required Actions D.1 and D.2 ensure that the plant is placed in a condition where the probability and consequences of an event are minimized. The allowed Completion Times are reasonable based on plant operating experience, for reaching the required plant conditions from full power conditions in an orderly manner, without challenging plant systems.
SURVEILLANCE SR 3.3.19.1 REQUIREMENTS SR 3.3.19.1 is the performance of a TADOT of the DAS manual trip and actuation controls for the specified safety-related equipment. This TADOT is performed every 24 months.
VEGP Units 3 and 4 B 3.3.19 - 4 Revision 1 Page 79 of 98
ND-19-0168 Technical Specifications Bases ADS and IRWST Injection Blocking Device B 3.3.20 BASES ACTIONS (continued)
A.1 Condition A addresses the situation where one or more divisions of ADS and IRWST Injection Blocking Device(s) is inoperable (e.g., one or both CMT level channels in one or more divisions inoperable when required, or ADS and IRWST Injection Block in one or more divisions not unblocked when required). In this condition, the component interface module (CIM) in the affected division is required to be unblocked in the affected division within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. The ADS and IRWST Injection Block manual switches may be utilized to implement the unblock. The 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> is reasonable based on the low probability of an event occurring during this interval.
B.1 Draft If the Required Action and associated Completion Time of Condition A is not met the th affected ADS and IRWST R on valves must injection m mu be declared inoperable immediately.
immediately. Declaring the affected im cted valves inoperable allows valves ino the supported orted system Actions (i.e., for ADS S and IRWST IRW ST inoperable in valves) to dictate the required measures. The ADS and/or and/o IRWST LCO(s) provide appropriate propriate actions for the inoperable components.
component This action is compon in accordance nce with LCO 3.0.6, which requires that the applicable app Conditions ns and Required Req Actio forr valves declared inoperable Actions inop in shall be entered enter ed in accordance with LCO 3.0.2.3.0.2.
SURVEILLANCE The SRs for each ADS and IRWST Injection Blocking Device Function REQUIREMENTS are identified in the SRs column of Table 3.3.20-1 for that Function.
A Note has been added to the SR table stating that Table 3.3.20-1 determines which SRs apply to which ADS and IRWST Injection Blocking Device Function.
SR 3.3.20.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of required instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or even something more serious. A CHANNEL VEGP Units 3 and 4 B 3.3.20 - 4 Revision 15 Page 80 of 98
ND-19-0168 Technical Specifications Bases ADS and IRWST Injection Blocking Device B 3.3.20 BASES SURVEILLANCE REQUIREMENTS (continued)
CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside their corresponding limits.
The Surveillance Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operator aids may be used to facilitate performance of the CHANNEL CHECK.
SR 3.3.20.21 Verification that Verification t the position of each ADS andnd IR IRWST RWST Inje IInjection Block switch is in the th unblock unblock position is required when less than th two CMTs are required ed to be OPERABLE. This assures the actuation actuatio of ADS and IRWST injection ection is not blocked when there may be reduce red reduced or no capability for automatic unblocking from CMT level. Th The 7 day Frequency ate considering the availability of main control room is adequate ro status monitoring of the block signal.
SR 3.3.20.3 SR 3.3.20.3 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The test is performed in accordance with the TS 5.5.14, Setpoint Program (SP). If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the nominal trip setpoint (NTS) (within the allowed tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
VEGP Units 3 and 4 B 3.3.20 - 5 Revision 15 Page 81 of 98
ND-19-0168 Technical Specifications Bases ADS and IRWST Injection Blocking Device B 3.3.20 BASES SURVEILLANCE REQUIREMENTS (continued)
A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended engineered safety features (ESF) Function. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.
The 92 day Frequency is based on Reference 3.
SR 3.3.20.42 This SR 3.3.20.4 is the performance of a CHANNEL CALIBRATION every 24 months or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop. The test is performed in accordance with the SP. If the actual setting of the channel Draft is found to be outside the as-found tolerance, the channel is considered inoperable This condition of the channel willll be further inoperable. furthe evaluated e during performance of the SR. This evaluation will consist of resetting res the channel setpoint to the NTS (within the allowed tolerance tolerance), and evaluating the channels els response. Iff the channel is functioning as rre required and is expected to o pass the next surveillance, then the channel chann is OPERABLE and can be e restored to service at the completion of the surveillance.
su After the surveillance eillance is completed, the channel as-found as-as-found condition co cond will be entered into the Corrective Action Program for further evaluation.
eva Transmitter calibration must be performed consistent with the assumptions of the setpoint methodology. The difference between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.
The setpoint methodology requires that 30 months drift be used (1.25 times the surveillance calibration interval, 24 months).
The Frequency is based on operating experience and consistency with the refueling cycle.
SR 3.3.20.53 This SR 3.3.20.5 is the performance of an ACTUATION LOGIC TEST for unblocking. This test, in conjunction with ESF ACTUATION LOGIC TEST (i.e., SR 3.3.15.1 and SR 3.3.16.1), overlaps the ADS and IRWST injection functional tests (i.e., SR 3.4.11.4, SR 3.4.11.5, and SR 3.5.6.9) that verify actuation on an actual or simulated actuation signal, to provide complete testing of the assumed safety function.
VEGP Units 3 and 4 B 3.3.20 - 6 Revision 15 Page 82 of 98
ND-19-0168 Technical Specifications Bases ADS and IRWST Injection Blocking Device B 3.3.20 BASES SURVEILLANCE REQUIREMENTS (continued)
The Frequency of 24 months is based on the need to perform this SR during periods in which the plant is shut down for refueling to prevent any additional risks associated with inadvertent operation of the ADS and IRWST injection valves.
SR 3.3.20.64 This SR 3.3.20.6 is the performance of a TADOT of the of required ADS and IRWST Injection Block manual switch. This TADOT is performed every 24 months.
The Frequency is based on the known reliability of manual switch Functions and has been shown to be acceptable through operating experience.
Draft D r The SR is modified by a Note that states verification of setpoint se is not required, since these functions have no setpoint assocassociated associat with them.
3.3.20.75 SR 3.3.20. 0.7 75 This SR 3.3.20.7
.3.20.7 requires performance of LCO 3.5.2 Sur S Surveillances associateded ensuring CMT CMTsTs are capable of injecting to the RCS. CMT injection supports OPERABILITY of the ADS S and IRWST RWST Injection IR ing Devices Blocking Block Devicess for automatic unblocking. both CMTs are unblocking If one or bot inoperable for injection, all four divisions of ADS and IRWST Injection Blocking Devices are inoperable. Therefore, SRs 3.5.2.3, 3.5.2.6, and 3.5.2.7 are required to be met. See the corresponding Bases for LCO 3.5.2 for a discussion of each Surveillance and its Frequency.
REFERENCES 1. FSAR Chapter 15.0, Accident Analysis.
- 2. FSAR Chapter 7.0, Instrumentation and Controls.
- 3. WCAP-10271, Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System, June 1996 Supplement 2.
VEGP Units 3 and 4 B 3.3.20 - 7 Revision 15 Page 83 of 98
ND-19-0168 Technical Specifications Bases ADS - Operating B 3.4.11 BASES SURVEILLANCE SR 3.4.11.1 REQUIREMENTS Each ADS stage 4 isolation motor operated valve must be verified to be open every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. Note that these valves receive confirmatory open signals. The Surveillance Frequency is acceptable considering valve position is manually monitored in the control room.
SR 3.4.11.2 This Surveillance requires verification that each ADS stage 1, 2, 3 valve strokes to its fully open position. Note that this surveillance is performed during shutdown conditions.
The Surveillance Frequency for demonstrating valve OPERABILITY references the Inservice Testing Program.
SR 3.4.11.3 Draft This Surveillance requires verification that each ADS stage 4 squib valve is OPERABLE in accordance with the Inservice TestingTesting Program.
P The OPERABILITY references the Surveillance Frequency for verifying valve OPERABILI Inservice T esting Program Testing Program.
The squib valves will be tested in accordance with the ASME AS OM Code (Ref. 5). The applic applicable ASME SME OM Code squib valve req rrequirements are specified in paragraph paragra ISTC TC 4.6, Inservice Tests Tests for Ca Categ Category D Explosively Actuated Valves.
Valves.
es. The requirements require requi ments ents include actuation a of a sample of the installed valves each 2 years and periodic rreplacement of charges.
SR 3.4.11.4 This SR verifies that each Stage 1, 2, and 3 ADS valve actuate to the correct position on an actual or simulated actuation signal. The ESFAS ACTUATION LOGIC OUTPUT TEST and ADS and IRWST injection blocking device ACTUATION LOGIC TEST provides overlap with this Surveillance.
The Frequency of 24 months is based on the need to perform this surveillance during periods in which the plant is shutdown for refueling to prevent any upsets of plant operation.
VEGP Units 3 and 4 B 3.4.11 - 5 Revision 23 Page 84 of 98
ND-19-0168 Technical Specifications Bases ADS - Operating B 3.4.11 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.4.11.5 This SR verifies that each Stage 4 ADS valve can actuate to the correct position on an actual or simulated actuation signal. The ESFAS ACTUATION LOGIC OUTPUT TEST and ADS and IRWST injection blocking device ACTUATION LOGIC TEST provides overlap with this Surveillance. The OPERABILITY of the squib valves is checked by performing a continuity check of the circuit from the Protection Logic Cabinets to the squib valve.
This Surveillance is modified by a Note that excludes squib valve actuation as a requirement for this Surveillance to be met. This is acceptable because the design of the squib actuated valve was selected for this application because of its very high reliability. The OPERABILITY of squib actuated valves is verified by the Inservice Test Program for squib actuated valves.
Draft D raft The Frequency of 24 months is based on the need to p perf perform this surveillance during periods periods in which the plant nt is shutdown shutdo for refueling to prevent anyny upsets of plant operation.
REFERENCES 1. FSARR Section 6.3, Passive Core Cooling System.
System
- 2. FSAR Section 15.6, Decrease in Reactor Coolant Inventory.
In
- 3. AP1000 Probabilistic Risk Assessment, Appendix A.
- 4. FSAR Section 3.9.6, Inservice Testing of Pumps and Valves.
VEGP Units 3 and 4 B 3.4.11 - 6 Revision 23 Page 85 of 98
ND-19-0168 Technical Specifications Bases CMTs - Operating B 3.5.2 BASES SURVEILLANCE REQUIREMENTS (continued)
The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Frequency is based on the expected low rate of gas accumulation and the availability of control room indication.
SR 3.5.2.5 Verification every 7 days that the boron concentration in each CMT is within the required limits ensures that the reactivity control from each CMT, assumed in the safety analysis, will be available as required. The 7 day Frequency is adequate to promptly identify changes which could occur from mechanisms such as in-leakage.
SR 3.5.2.6 Verification that the redundant outlet isolation valves are OPERABLE by stroking the valves open ensures that each CMT will function as designed when these valves are actuated. Prior to opening the outlet isolation Draftt D
valves, the inlet isolation valve should be closed temporarily. Closing the inlet isolation valve ensures that the CMT contents will no not be diluted or heated by flow from the RCS. Upon completion of the test, tes the inlet isolation valves must be opened. The Surveillance FrequFrequency references the inservicece testing requirements.
SR 3.5.2.7 7 This SR verifies that CMT outlet isolation valve actuates tto the correct position on an actual or simulated actuation signal sig signal. The AACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance. The Frequency of 24 months is based on the need to perform this surveillance during periods in which the plant is shutdown for refueling to prevent any upsets of plant operation.
SR 3.5.2.8 This SR requires performance of a system performance test of each CMT to verify flow capabilities. The system performance test demonstrates that the CMT injection line resistance assumed in DBA analyses is maintained. Although the likelihood that system performance would degrade with time is low, it is considered prudent to periodically verify system performance. The System Level Operability Testing Program provides specific test requirements and acceptance criteria.
VEGP Units 3 and 4 B 3.5.2 - 7 Revision 23 Page 86 of 98
ND-19-0168 Technical Specifications Bases PRHR HX - Operating B 3.5.4 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.5.4.5 Verification is required to confirm that power is removed from the motor operated PRHR HX inlet isolation valve every 31 days. Removal of power from this valve reduces the likelihood that the valve will be inadvertently closed as a result of a fire. The 31 day Frequency is acceptable considering the frequent surveillance of valve position and that the valve has a confirmatory open signal.
SR 3.5.4.6 Verification that both air operated PRHR HX outlet valves stroke open and both IRWST gutter isolation valves stroke closed ensures that the PRHR HX will actuate on command, with return flow from the gutter to the IRWST. Since these valves are redundant, if one valve is inoperable, the system can function at 100% capacity. Verification requires the actual Draft D
operation of each valve to move it to its safe position. The Surveillance Frequency is provided in the Inservice Testing Program Program.
SR 3.5.4.7 4.7 This surveillance llance requires visual inspection of the IR IRWST RWST gutter and downspoutt screens to verifyy that the return flow to the IRWST IR RW will not be restricted by debris. A Frequency equency of 24 months is adequate adequa adeq since there are no known sources of debris with which the gutter or downspout d
screens could become restricted.
SR 3.5.4.8 This SR verifies that both PRHR HX air operated outlet isolation valves and both IRWST gutter isolation valves actuate to the correct position on an actual or simulated actuation signal. The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance. The Frequency of 24 months is based on the need to perform this surveillance during periods in which the plant is shutdown for refueling to prevent any upsets of plant operation.
VEGP Units 3 and 4 B 3.5.4 - 7 Revision 32 Page 87 of 98
ND-19-0168 Technical Specifications Bases IRWST - Operating B 3.5.6 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.5.6.8 This Surveillance requires verification that each IRWST injection and each containment recirculation squib valve is OPERABLE in accordance with the Inservice Testing Program. The Surveillance Frequency for verifying valve OPERABILITY references the Inservice Testing Program.
The squib valves will be tested in accordance with the ASME OM Code (Ref. 4). The applicable ASME OM Code squib valve requirements are specified in paragraph ISTC 4.6, Inservice Tests for Category D Explosively Actuated Valves. The requirements include actuation of a sample of the installed valves each 2 years and periodic replacement of charges.
SR 3.5.6.9 D ft This SR ensures that each IRWST injection and containment recirculation squib valve valv can actuate to the correct position on on an actual actu or simulated ac actuation sig signal. The ESFAS F ACTUATIONA LOGIC OUOUTP OUTPUT TEST, and ADS and IRWST IR RW T injection blocking device ACTUATION ACTUA ATION LOGIC L TEST, provides overlap verl with this Surveillance. The OPERABILITY OPERABILIT of the squib valves is checked hecked by performing a continuity check of the t circuit from the Protection Logic Cabinets to the squib valve. The Frequency Freque Freq of 24 months iss based on the need to perform this surveillance surveillan during periods in which the plant is shutdown for refueling to prevent any upsets of plant operation operation.
SR 3.5.6.10 Visual inspection is required each 24 months to verify that the IRWST screens and the containment recirculation screens are not restricted by debris. A Frequency of 24 months is adequate, since there are no known sources of debris with which these screens could become restricted.
SR 3.5.6.11 This SR requires performance of a system inspection and performance test of the IRWST injection and recirculation flow paths to verify system flow capabilities. The system inspection and performance test demonstrates that the IRWST injection and recirculation capabilities assumed in accident analyses is maintained. Although the likelihood that system performance would degrade with time is low, it is considered prudent to periodically verify system performance. The System Level Operability Testing Program provides specific test requirements and acceptance criteria.
VEGP Units 3 and 4 B 3.5.6 - 8 Revision 44 Page 88 of 98
ND-19-0168 Technical Specifications Bases Containment Isolation Valves B 3.6.3 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.6.3.5 Automatic containment isolation valves close on their respective ESF signal to prevent leakage of radioactive material from containment following a DBA. The actual or simulated actuation signal is processed through the component interface module to verify the continuity between the output of component interface module and the valve. This SR ensures that each automatic containment isolation valve will actuate to its isolation position on its respective ESF signal. The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance. This surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components usually Draft D raft pass this Surveillance when performed at the 24 month Frequency.
Therefore, thethe Frequency was concluded to be acceptable acceptabl accepta from a reliability stan standpoint.
REFERENCES 1. FSAR Section 6.2, Containment Systems.
Systems
naly 3.
3 NUREG-1449, NU NUREG 49 Shutdown and Low Power Operation at Commercial 1449 Nuclear Power Plants in the United States.
VEGP Units 3 and 4 B 3.6.3 - 8 Revision 30 Page 89 of 98
ND-19-0168 Technical Specifications Bases PCS B 3.6.6 BASES SURVEILLANCE SR 3.6.6.1 REQUIREMENTS This surveillance requires verification that the PCCWST water temperature is within the limits assumed in the accident analyses. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Frequency is adequate to identify a temperature change that would approach the temperature limits since the PCCWST is large and temperature variations are slow.
SR 3.6.6.2 Verification that the cooling water volume is above the required minimum ensures that a sufficient supply is available for containment cooling.
Since the cooling water volume is normally stable and low level is indicated by a main control room alarm, a 7 day Frequency is appropriate and has been shown to be acceptable in similar applications.
SR 3.6.6.3 Draft Verifying the correct alignment of manual, power operated, and automatic valves, excluding ex check valves, in the PCS flow papath prov p
provides assurance that the proper flow paths exist for system operation. This T SR does not apply to valves valve that hat are locked, sealed, or otherwise secu secured in position since these e were verified to be in the correct position prior prio to being secured. This SR does not require any testing or valve manipulation.
m Rather, r it involves nvolves verification, through control room instrumentation ins instru or a system walkdown, that valves capable of potentially being be mispositioned are in the correct position. The 31 day Frequency is appropriate appr because the valves are operated under administrative control control, and an improper valve position would only affect a single flow path. This Frequency has been shown to be acceptable through operating experience.
SR 3.6.6.4 This SR requires verification that each automatic isolation valve actuates to its correct position upon receipt of an actual or simulated actuation signal. The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillances were performed with the reactor at power. The 24 month Frequency is also acceptable based on consideration of the design reliability of the equipment.
VEGP Units 3 and 4 B 3.6.6 - 7 Revision 39 Page 90 of 98
ND-19-0168 Technical Specifications Bases Vacuum Relief Valves B 3.6.9 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.6.9.3 This SR ensures that each vacuum relief motor operated valve will actuate to the open position on an actual or simulated actuation signal.
The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance. The Frequency of 24 months is based on the need to perform this surveillance during periods in which the plant is shutdown for refueling to prevent any upsets of plant operations.
REFERENCES 1. FSAR subsection 6.2.1.1.4, External Pressure Analysis.
- 3. FSAR subsection 9.4.7, Containment Air Filtration System.
Draft VEGP Units 3 and 4 B 3.6.9 - 5 Revision 23 Page 91 of 98
ND-19-0168 Technical Specifications Bases Main Steam Line Flow Path Isolation Valves B 3.7.2 BASES SURVEILLANCE REQUIREMENTS (continued) closure when the unit is generating power. As the alternate downstream valves are not tested at power, they are exempt from the ASME OM Code (Ref. 6) requirements during operation in MODE 1 or 2.
The Frequency is in accordance with the Inservice Testing Program.
This test is conducted in MODE 3 with the unit at operating temperature and pressure. This SR is modified by a Note that allows entry into and operation in MODE 3 prior to performing the SR. This allows a delay of testing until MODE 3, to establish conditions consistent with those under which the acceptance criterion was generated.
SR 3.7.2.3 Verifying that the isolation time of each MSIV bypass and steam line drain Draft D
valve is within limits is required to demonstrate OPERABILITY. The isolation time test ensures that the valve will isolate in a time ti period less than or equal to that assumed in the safety analysis. The T isolation times are specified fied in FSAR SAR Section 6.2.3 (Ref.
(R 7) 7) and Frequency Frequen of this SR is in accordancence with the Inservice T esting Program.
Testing Program SR 3.7.2.4 4 This SR ensures that each MSIV bypass and steam line d drain valve will actuate to its isolation position on an actual or simulated a actuation signal.
The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance. The 24 month Frequency is based on the need to perform this Surveillance during periods in which the plant is shutdown for refueling to prevent any upsets of plant operation.
REFERENCES 1. FSAR Section 10.3, Main Steam System.
- 2. FSAR Section 10.4, Other Features of Steam and Power Conversion Systems.
- 3. FSAR Section 6.2.1, Containment Functional Design.
- 4. FSAR Section 15.1, Increase in Heat Removal by Secondary System.
- 5. NUREG-138, Issue 1, Staff Discussion of Fifteen Technical Issues Listed in Attachment to November 3, 1976 Memorandum from Director NRR to NRR Staff.
VEGP Units 3 and 4 B 3.7.2 - 9 Revision 39 Page 92 of 98
ND-19-0168 Technical Specifications Bases MFIVs and MFCVs B 3.7.3 BASES ACTIONS (continued) function. The 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> Completion Time is a reasonable amount of time to complete the actions required to close the MFIV, or MFCV, which includes performing a controlled plant shutdown. The Completion Time is reasonable based on operating experience to reach MODE 2 with the MFIV or MFCV closed, from full-power conditions in an orderly manner and without challenging plant systems.
C.1, C.2, and C.3 If the MFIVs and MFCVs cannot be restored to OPERABLE status, or the affected flow paths cannot be isolated within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the plant must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, in MODE 4 with the normal residual heat removal system in service within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, and in MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating D ft Draft experience, to reach the required unit conditions from full power conditions in an orderly manner and without challengin p challenging plant systems.
SURVEILLANCE SR 3.7.3.1 1 REQUIREMENTS This SR verifies erifies that the closure time of each MFIV and M MFCV is 5.0 seconds, onds, on an actual or simulated actuation signal.
signal sign The MFIV and MFC MF MFCV CV isolation times are assumed in the accident and co containment analyses The ACTUATION analyses. ACTUA CT ATION N LOGIC OUTPUT TEST prov provides overlap with this Surveillance. This Surveillance is normally performed upon returning the unit to operation following a refueling outage. These valves should not be tested at power, since even a part stroke exercise increases the risk of a valve closure when the unit is generating power. This is consistent with the ASME OM Code (Ref. 2) quarterly stroke requirements during operation in MODE 1 or 2.
The Frequency is in accordance with the Inservice Testing Program.
The test is conducted in MODE 3 with the unit at operating temperature and pressure. This SR is modified by a Note that allows entry into and operation in MODE 3 prior to performing the SR. This allows a delay of testing until MODE 3, to establish conditions consistent with those under which the acceptance criterion was generated.
REFERENCES 1. FSAR Section 10.4.7, Condensate and Feedwater System.
VEGP Units 3 and 4 B 3.7.3 - 4 Revision 23 Page 93 of 98
ND-19-0168 Technical Specifications Bases VES B 3.7.6 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.7.6.3 Standby systems should be checked periodically to ensure that they function properly. As the environment and normal operating conditions on this system are not too severe, testing VES once every month provides an adequate check of the system. The 31 day Frequency is based on the reliability of the equipment and the availability of system redundancy.
SR 3.7.6.4 VES air header isolation valves are required to be verified open at 31 day intervals. This SR is designed to ensure that the pathways for supplying breathable air to the MCRE are available should loss of VBS occur.
These valves should be closed only during required testing or maintenance of downstream components, or to preclude complete depressurization of the system should the VES isolation valves in the air Draft D
delivery line open inadvertently or begin to leak.
3.7.6.5 5 Verification n that the air quality of the air storage tanks tanks meets me mee the requirements nts of Appendix C, Table T C-1 of ASHRAE C-1 SHRAE Standard Stand Sta 62 (Ref. 4) with a pressure ssure dew point of 40°F at 3400 p psig iss requ re required every 92 days. If air has not been added to the air storage tanks ta tank since the previous verification, verification may be accomplished by confirmation of the acceptability of the previous surveillance results along with examination of the documented record of air makeup. The purpose of ASHRAE Standard 62 states: This standard specifies minimum ventilation rates and indoor air quality that will be acceptable to human occupants and are intended to minimize the potential for adverse health effects. Verification of the initial air quality (in combination with the other surveillances) ensures that breathable air is available for 11 MCRE occupants for at least 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Confirmation of the pressure dew point verifies that water has not formed in the line, eliminating the potential for freezing at the pressure regulating valve during VES operation. In addition, the dry air allows the MCRE to remain below the maximum relative humidity to support the 90°F WBGT required for human factors performance.
SR 3.7.6.6 Verification that the VBS isolation valves and the Sanitary Drainage System (SDS) isolation valves are OPERABLE and will actuate upon demand is required every 24 months to ensure that the MCRE can be isolated upon loss of VBS operation. The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance.
VEGP Units 3 and 4 B 3.7.6 - 12 Revision 24 Page 94 of 98
ND-19-0168 Technical Specifications Bases VES B 3.7.6 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.7.6.11 This SR verifies that the required VES testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VES filter tests are in accordance with Regulatory Guide 1.52 (Ref. 7). The VFTP includes testing the performance of the HEPA filter, charcoal adsorber efficiency, minimum flow rate, and physical properties of the activated charcoal. Specific test frequencies and additional information are discussed in detail in the VFTP.
SR 3.7.6.12 Verification that the MCR load shed function actuates on an actual or simulated signal from each PMS Division is required every 24 months to confirm that the non-safety stage 1 and stage 2 MCR heat loads can be de-energized by the VES actuation signal within the required time. The D
ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillan Surveillance. The 24 month Frequency is based ased on the th need n to perform this Surveillance under the conditions that apply during a plant outage to minimize the potential for adversely affecting MCR opera operat operations.
SR 3.7.6.13 3 Verification on that the main VES air delivery isolation valves valv actuate on an actual or simulated signal to the correct position is require required every 24 months to confirm that the VES operates as assumed in the safety analysis. The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage to minimize adversely affecting MCR operations.
REFERENCES 1. FSAR Section 6.4, Main Control Room Habitability Systems.
- 2. FSAR Section 9.5.1, Fire Protection System.
- 3. Regulatory Guide 1.196, Control Room Habitability at Light-Water Nuclear Power Reactors.
- 4. ASHRAE Standard 62-1989, Ventilation for Acceptable Indoor Air Quality.
- 5. NEI 99-03, Control Room Habitability Assessment, June 2001.
VEGP Units 3 and 4 B 3.7.6 - 14 Revision 24 Page 95 of 98
ND-19-0168 Technical Specifications Bases Startup Feedwater Isolation and Control Valves B 3.7.7 BASES SURVEILLANCE SR 3.7.7.1 REQUIREMENTS This surveillance requires verification in accordance with the Inservice Testing Program to assure that each startup feedwater isolation and control valve is OPERABLE. The Surveillance Frequency is provided in the Inservice Testing Program.
SR 3.7.7.2 This SR ensures that each startup feedwater isolation valve and startup feedwater control valve will actuate to its isolation position on an actual or simulated actuation signal. The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance.
The 24 month Frequency is based on the need to perform this Surveillance during periods in which the plant is shutdown for refueling to prevent any upsets of plant operation.
Draft Draft REFERENCES 1.
1 FSAR Section 10.4.9, Startup Feedwater System.
System VEGP Units 3 and 4 B 3.7.7 - 4 Revision 39 Page 96 of 98
ND-19-0168 Technical Specifications Bases SG Isolation Valves B 3.7.10 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.7.10.2 Verifying that the isolation time of each PORV block valve and SG blowdown isolation valve is within limits is required to demonstrate OPERABILITY. The isolation time test ensures that the valve will isolate in a time period less than or equal to that assumed in the safety analysis.
The isolation times are specified in Section 6.2.3 (Ref. 4) and Frequency of this SR is in accordance with the Inservice Testing Program.
SR 3.7.10.3 This Surveillance verifies that each SG PORV, SG PORV block valve, and SG blowdown isolation valve actuates to the isolation position on an actual or simulated actuation signal. The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance.
Draft D raft The Frequency of 24 months is based on the need to perform this Surveillance during periods in which the plant is shutdo shutdown for refueling to prevent any upsets of plant operation.
REFERENCES 1. FSAR Section 10.3.2.2.3, Power-Operated Power-Power-Operated Operate Atmospheric Atmosph mo Relief Valves.
s.
- 2. FSAR Section 10.4.8, Steam Steam Generator Blowdown System.
S
- 3. Regulatory Guide 1.177, 8/98, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications.
- 4. FSAR Section 6.2.3, "Containment Isolation System."
VEGP Units 3 and 4 B 3.7.10 - 6 Revision 23 Page 97 of 98
ND-19-0168 Technical Specifications Bases Nuclear Instrumentation B 3.9.3 BASES SURVEILLANCE SR 3.9.3.1 REQUIREMENTS SR 3.9.3.1 is the performance of a CHANNEL CHECK, which is the comparison of the indicated parameter values monitored by each of these instruments. It is based on the assumption that the two indication channels should be consistent for the existing core conditions. Changes in core geometry due to fuel loading can result in significant differences between the source range channels, however each channel should be consistent with its local conditions.
The Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is consistent with the CHANNEL CHECK Frequency specified for these same instruments in LCO 3.3.2, Reactor Trip System (RTS) Instrumentation and LCO 3.3.8, Engineered Safety Feature Actuation System (ESFAS) Instrumentation, Function 17.
SR 3.9.3.21 This SR 3.9.3.2 is the performance of a CHANNEL CALIBRATION every Draft 24 months. This SR is modified by a Note stating that neutron detectors are excluded exclude from the CHANNEL CALIBRATION.
CALIBRAATION. The CHANNEL CH CALIBRARATION ATION for the source range neutron flux monitors CALIBRATION monit consisting of obtaining the detector plateau or preamp discriminator curves, cu evaluating those curves, es, and comparing the curves to the manufacturers manufa manufactu data. The 24 month Frequency is based on the need to perform this t Surveillance under the conditions that apply during a plant outage.
o outage.
- e. Operating Op experience nce has shown these components usually pass the th Surveillance when performed perfo Frequency.
Frequen at a 24 month Frequency.
REFERENCES 1. FSAR Chapter 15, Accident Analysis.
- 2. FSAR Section 14.2.7.1, Initial Fuel Loading.
VEGP Units 3 and 4 B 3.9.3 - 3 Revision 39 Page 98 of 98
PMS TS Surveillance LAR Pre-Submittal Meeting March 7, 2019
Meeting Purpose
- Discuss the proposed changes to the VEGP 3&4 PMS TS surveillance requirements (SRs) (LAR-19-001)
- Removal of manual Channel Checks, Channel Operational Checks (COTs),
Actuation Logic Tests (ALTs) and Actuation Logic Output Tests (ALOTs)
- Revision of the approach for Engineered Safety Feature Actuation System (ESFAS) Response Time Testing (RTT)
- Receive and address Staff feedback
Purpose of Request
- VEGP Units 3 & 4 instrumentation Technical Specifications (TS) based on Standard TS for analog protection systems
- Protection and Safety Monitoring System (PMS) uses the Westinghouse Common Q platform which is a digital platform
- Described in NRC - generically approved WCAP-16097-P-A SER)
Purpose of Request
- Current PMS TS SRs were not designed for a digital protection system
- Self-diagnostic capabilities of a digital protection system provide sufficient testing to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met
- This allows for elimination of select VEGP TS PMS surveillance tests and the revision of the approach to RTT
Purpose of Request Fully leveraging the continuous, self-diagnostic testing features of the PMS digital protection system to reduce the scope/frequency of manual TS surveillance testing would:
- 1. Increase safety by lowering operational risk associated with human performance errors
- 2. Reduce the duration of how long the PMS is at less than full redundancy
- 3. Reduce resources necessary to perform surveillances, and
- 4. Save substantial operational costs and still meet regulation
Purpose of Request
- VEGP LAR-19-001 proposes to revise/eliminate select PMS TS SR manual testing by crediting digital self-diagnostic features
- Analysis was performed that evaluated whether the self-diagnostic features could replace the current surveillance tests
- Analysis shows that the self-diagnostics provide continuous coverage
Credit PMS Self-diagnosis Crediting continuous self-diagnostic features allow for the elimination of the PMS manual surveillance testing required for TS compliance:
- Elimination of Channel Check
- Elimination of Channel Operational Tests (COTs)
- Elimination of Actuation Logic Test (ALT)
- Elimination of Actuation Logic Output Test (ALOT)
- Revision of the approach for Response Time Testing
PMS SR Testing PMS equipment functionality maintained by:
- Remaining manual TS surveillance testing
- Continuously running, hardware and software self-diagnostic features
Proposed Licensing Basis Changes
- Proposed Licensing Basis Changes - Enclosure 6 (Technical Specification and UFSAR Changes)
- Additional Proprietary Licensing Basis Changes - Enclosure 3
- Proposed Licensing Basis Changes - Enclosure 7
- (Technical Specification Bases)
Questions & Discussion