ML23067A175

From kanterella
Jump to navigation Jump to search
Rev. 18 to Technical Specification, Bases Change, Chapter 3.3, Instrumentation
ML23067A175
Person / Time
Site: Callaway Ameren icon.png
Issue date: 12/29/2022
From:
Union Electric Co, Ameren Missouri
To:
Office of Nuclear Reactor Regulation
Shared Package
ML23067A139 List: ... further results
References
ULNRC-06782
Download: ML23067A175 (1)
v  d  e


Text

CHAPTER TABLE OF CONTENTS CHAPTER B 3.3 INSTRUMENTATION Section Page B 3.3.1 Reactor Trip System (RTS) Instrumentation ................................................B 3.3.1-1 BACKGROUND ......................................................................................B 3.3.1-1 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY .......B 3.3.1-7 ACTIONS .............................................................................................B 3.3.1-36 SURVEILLANCE REQUIREMENTS ....................................................B 3.3.1-52 REFERENCES .....................................................................................B 3.3.1-66 B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation .....B 3.3.2-1 BACKGROUND ......................................................................................B 3.3.2-1 APPLICABLE SAFETY ANALYSES, LCO, AND APPLICABILITY ........B 3.3.2-6 ACTIONS .............................................................................................B 3.3.2-48 SURVEILLANCE REQUIREMENTS .......................................................B 3.3.2-61 REFERENCES ......................................................................................B 3.3.2-69 B 3.3.3 Post Accident Monitoring (PAM) Instrumentation ........................................B 3.3.3-1 BACKGROUND .......................................................................................B 3.3.3-1 APPLICABLE SAFETY ANALYSES .......................................................B 3.3.3-3 LCO .........................................................................................................B 3.3.3-3 APPLICABILITY ....................................................................................B 3.3.3-12 ACTIONS ..............................................................................................B 3.3.3-12 SURVEILLANCE REQUIREMENTS .....................................................B 3.3.3-14 REFERENCES ......................................................................................B 3.3.3-16 B 3.3.4 Remote Shutdown System ...........................................................................B 3.3.4-1 BACKGROUND .......................................................................................B 3.3.4-1 APPLICABLE SAFETY ANALYSES .......................................................B 3.3.4-2 LCO .........................................................................................................B 3.3.4-2 APPLICABILITY ......................................................................................B 3.3.4-3 ACTIONS ................................................................................................B 3.3.4-3 SURVEILLANCE REQUIREMENTS .......................................................B 3.3.4-4 REFERENCES ........................................................................................B 3.3.4-6 CALLAWAY PLANT 3.3-i

CHAPTER TABLE OF CONTENTS (Continued)

Section Page B 3.3.5 Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation ............B 3.3.5-1 BACKGROUND .......................................................................................B 3.3.5-1 APPLICABLE SAFETY ANALYSES .......................................................B 3.3.5-3 LCO .........................................................................................................B 3.3.5-3 APPLICABILITY ......................................................................................B 3.3.5-4 ACTIONS ................................................................................................B 3.3.5-4 SURVEILLANCE REQUIREMENTS .......................................................B 3.3.5-6 REFERENCES ........................................................................................B 3.3.5-8 B 3.3.6 Containment Purge Isolation Instrumentation ..............................................B 3.3.6-1 BACKGROUND .......................................................................................B 3.3.6-1 APPLICABLE SAFETY ANALYSES .......................................................B 3.3.6-1 LCO .........................................................................................................B 3.3.6-2 APPLICABILITY ......................................................................................B 3.3.6-3 ACTIONS ................................................................................................B 3.3.6-4 SURVEILLANCE REQUIREMENTS .......................................................B 3.3.6-6 REFERENCES ........................................................................................B 3.3.6-8 B 3.3.7 Control Room Emergency Ventilation System (CREVS) Actuation Instrumentation ............................................................................................B 3.3.7-1 BACKGROUND .......................................................................................B 3.3.7-1 APPLICABLE SAFETY ANALYSES .......................................................B 3.3.7-1 LCO .........................................................................................................B 3.3.7-2 APPLICABILITY ......................................................................................B 3.3.7-4 ACTIONS ................................................................................................B 3.3.7-4 SURVEILLANCE REQUIREMENTS .......................................................B 3.3.7-7 REFERENCES ......................................................................................B 3.3.7-10 B 3.3.8 Emergency Exhaust System (EES) Actuation Instrumentation ....................B 3.3.8-1 BACKGROUND .......................................................................................B 3.3.8-1 APPLICABLE SAFETY ANALYSES ......................................................B 3.3.8-1 LCO ........................................................................................................B 3.3.8-1 APPLICABILITY ......................................................................................B 3.3.8-3 ACTIONS ...............................................................................................B 3.3.8-3 SURVEILLANCE REQUIREMENTS .......................................................B 3.3.8-5 REFERENCES .......................................................................................B 3.3.8-8 3.3-ii

CHAPTER TABLE OF CONTENTS (Continued)

Section Page B 3.3.9 Boron Dilution Mitigation System (BDMS) ...................................................B 3.3.9-1 BACKGROUND ......................................................................................B 3.3.9-1 APPLICABLE SAFETY ANALYSES ......................................................B 3.3.9-2 LCO ........................................................................................................B 3.3.9-2 APPLICABILITY ......................................................................................B 3.3.9-3 ACTIONS ................................................................................................B 3.3.9-5 SURVEILLANCE REQUIREMENTS .......................................................B 3.3.9-7 REFERENCES ......................................................................................B 3.3.9-10 3.3-iii

LIST OF TABLES Number Title B 3.3.1-1 RTS Instrumentation B 3.3.2-1 ESFAS Instrumentation CALLAWAY PLANT 3.3.1-1

RTS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Trip System (RTS) Instrumentation BASES BACKGROUND The RTS initiates a unit shutdown, based on the values of selected unit parameters, to protect against violating the core fuel design limits and Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and to assist the Engineered Safety Features (ESF) Systems in mitigating accidents.

The protection and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor system parameters and equipment performance.

The LSSS, defined in this specification as the Allowable Values except for Trip Functions 14.a and 14.b in Technical Specification Table 3.3.1-1 (the Nominal Trip Setpoint defines the limiting safety system setting for these Trip Functions), in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents (DBAs).

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the DNBR limit;
2. Fuel centerline melt shall not occur; and
3. The RCS pressure Safety Limit (SL) of 2735 psig shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident categories are allowed a different fraction of these limits, based on probability of occurrence.

(continued)

CALLAWAY PLANT B 3.3.1-1 Revision 15

RTS Instrumentation B 3.3.1 BASES BACKGROUND Meeting the acceptable dose limit for an accident category is considered (continued) having acceptable consequences for that event.

The RTS instrumentation is segmented into four distinct but interconnected modules as described in FSAR, Chapter 7 (Ref. 1), and as identified below:

1. Field transmitters or process sensors: provide a measurable electronic signal based upon the physical characteristics of the parameter being measured;
2. Signal Process Control and Protection System, including 7300 Process Protection System, Nuclear Instrumentation System (NIS), field contacts, and protection channel sets: provides signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications;
3. Solid State Protection System (SSPS), including input, logic, and output bays: initiates proper unit shutdown and/or ESF actuation in accordance with the defined logic, which is based on the bistable outputs from the signal process control and protection system; and
4. Reactor trip switchgear, including reactor trip breakers (RTBs) and bypass breakers: provides the means to interrupt power to the control rod drive mechanisms (CRDMs) and allows the rod cluster control assemblies (RCCAs), or "rods," to fall into the core and shut down the reactor. The bypass breakers allow testing of the RTBs at power.

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. To account for the calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the Nominal Trip Setpoints and Allowable Values. The OPERABILITY of each transmitter or sensor can be evaluated when its "as found" calibration data are compared against its documented acceptance criteria.

(continued)

CALLAWAY PLANT B 3.3.1-2 Revision 15

RTS Instrumentation B 3.3.1 BASES BACKGROUND Signal Process Control and Protection System (continued)

Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails, such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 3). The actual number of channels required for each unit parameter is specified in Reference 1.

Two logic channels are required to ensure no single random failure of a logic channel will disable the RTS. The logic channels are designed such that testing required while the reactor is at power may be accomplished without causing trip.

(continued)

CALLAWAY PLANT B 3.3.1-3 Revision 15

RTS Instrumentation B 3.3.1 BASES BACKGROUND Nominal Trip Setpoints and Allowable Values (continued)

The Nominal Trip Setpoints are the values at which the bistables are set.

Any bistable is considered to be properly adjusted when the "as left" value is within the two-sided tolerance band for rack calibration accuracy.

The Nominal Trip Setpoints listed in Table B 3.3.1-1 and used in the bistables are based on the analytical limits stated in Reference 2. The selection of these Nominal Trip Setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and harsh environment errors for those RTS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 4),

the Nominal Trip Setpoints specified in Table B 3.3.1-1 are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the Nominal Trip Setpoints, including their explicit uncertainties, is provided in Reference 6. The methodology used to calculate the Nominal Trip Setpoints for Functions 14.a and 14.b in Table B 3.3.1-1 is described in Reference 19. This is the same basic square-root-sum-of-squares (SRSS) methodology described in References 6 and 20 (Reference 20 was reviewed and approved by NRC in support of Callaway Amendment 125 dated April 13, 1998), but with the inclusion of refinements to better reflect plant calibration practices and equipment performance. These refinements include the incorporation of a sensor reference accuracy term to address repeatability effects when performing a single pass calibration (i.e., one up and one down pass at several points verifies linearity and hysteresis, but not repeatability). In addition, sensor and rack error terms for calibration accuracy and drift are grouped in the Channel Statistical Allowance equation with their dependent M&TE terms, then combined with the other independent error terms using the SRSS methodology. The actual Nominal Trip Setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a COT. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.

Setpoints in accordance with the Allowable Value ensure that design limits are not violated during AOOs (and that the consequences of DBAs will be acceptable, providing the unit is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed). Note that in the accompanying LCO 3.3.1, the Allowable Values of Table 3.3.1-1 are the LSSS except for Trip Functions 14.a and 14.b (the Nominal Trip Setpoint defines the LSSS for these Trip Functions).

(continued)

CALLAWAY PLANT B 3.3.1-4 Revision 15

RTS Instrumentation B 3.3.1 BASES BACKGROUND Nominal Trip Setpoints and Allowable Values (continued)

Each channel of the process control equipment can be tested on line to verify that the signal or setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal.

The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SRs section.

The Allowable Values listed in Table 3.3.1-1 in the accompanying LCO, except for Functions 14.a and 14.b, are based on the methodology described in Reference 6, and reviewed in support of Amendments 15, 43, 57, 84, 102, and 125, which incorporates all of the known uncertainties applicable for each channel. The Allowable Values for Functions 14.a and 14.b in the accompanying LCO are based on the Nominal Trip Setpoints and are determined by subtracting the rack calibration accuracy from the Nominal Trip Setpoint. The magnitudes of these uncertainties are factored into the determination of each Nominal Trip Setpoint. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes.

Solid State Protection System The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide reactor trip and/or ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements. The system has been designed to trip in the event of a loss of power, directing the unit to a safe shutdown condition.

The SSPS performs the decision logic for actuating a reactor trip or ESF actuation, generates the electrical output signal that will initiate the required trip or actuation, and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various unit upset and accident transients. If a required logic matrix combination is completed, the system will initiate a reactor trip or send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the (continued)

CALLAWAY PLANT B 3.3.1-5 Revision 15

RTS Instrumentation B 3.3.1 BASES BACKGROUND Solid State Protection System (continued) condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

Reactor Trip Switchgear The RTBs are in the electrical power supply line from the control rod drive motor generator set power supply to the CRDMs. Opening of the RTBs interrupts power to the CRDMs, which allows the shutdown rods and control rods to fall into the core by gravity. Each RTB is equipped with a bypass breaker to allow testing of the RTB while the unit is at power.

During normal operation the output from the SSPS is a voltage signal that energizes the undervoltage coils in the RTBs and bypass breakers, if in use. When the required logic matrix combination is completed, the SSPS output voltage signal is removed, the undervoltage coils are de-energized, the breaker trip lever is actuated by the de-energized undervoltage coil, and the RTBs and bypass breakers are tripped open. This allows the shutdown rods and control rods to fall into the core. In addition to the de-energization of the undervoltage coils, each reactor trip breaker is also equipped with an automatic shunt trip device that is energized to trip the breaker open upon receipt of a reactor trip signal from the SSPS. Either the undervoltage coil or the shunt trip mechanism is sufficient by itself, thus providing a diverse trip mechanism.

The decision logic matrix Functions are described in the functional diagrams included in Reference 1. In addition to the reactor trip or ESF, these diagrams also describe the various "permissive interlocks" that are associated with unit conditions.

Each train has a built in testing device that can test the decision logic matrix Functions and the actuation devices while the unit is at power.

When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

(continued)

CALLAWAY PLANT B 3.3.1-6 Revision 15

RTS Instrumentation B 3.3.1 BASES (Continued)

APPLICABLE The RTS functions to maintain the applicable Safety Limits during all SAFETY AOOs and mitigates the consequences of DBAs in all MODES in which ANALYSES, the Rod Control System is capable of rod withdrawal or one or more rods LCO, AND are not fully inserted.

APPLICABILITY Each of the analyzed accidents and transients can be detected by one or more RTS Functions. The accident analysis described in Reference 2 takes credit for most RTS trip Functions. RTS trip Functions not specifically credited in the accident analysis are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit.

These RTS trip Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance.

They may also serve as backups to RTS trip Functions that were credited in the accident analysis.

The LCO requires all instrumentation performing an RTS Function, listed in Table 3.3.1-1 in the accompanying LCO, to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. The Allowable Value column for Trip Functions 14.a, Steam Generator Water Level - Low Low (Adverse Containment Environment), and 14.b, Steam Generator Water Level - Low Low (Normal Containment Environment) in TS Table 3.3.1-1 is modified by two Notes. If the as-found instrument channel setpoint for either of these specific Trip Function's channels is found to be outside the two-sided as-found test acceptance criteria band on either side of the Nominal Trip Setpoint, even if the as-found setting is conservative with respect to the Allowable Value, Note 1 requires that an assessment of channel performance shall be performed prior to returning the channel to service.

The evaluation of channel performance will verify that the channel will continue to behave in accordance with design basis assumptions. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. An initial assessment shall be performed by the technician performing the surveillance who will evaluate the channel's ability to maintain a stable setpoint within the calibration tolerance band. The return of this channel to service shall require the approval of on-shift supervision after a review of the surveillance test results and the technician's initial assessment.

In addition, the affected channel shall be addressed under the corrective action program, including that program's evaluation completion time requirements.

Note 2 requires the instrument channel setpoint for a channel in these Trip Functions to be reset to a value within the as-left setpoint tolerance band for that channel on either side of the Nominal Trip Setpoint, or to a (continued)

CALLAWAY PLANT B 3.3.1-7 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE value that is more conservative than the Nominal Trip Setpoint. One SAFETY example of a situation where the latter was used is discussed in ANALYSES, Amendment 157. The conservative direction is indicated by the direction LCO, AND of the inequality sign applied to the Nominal Trip Setpoint in Bases Table APPLICABILITY B 3.3.1-1. Setpoint restoration and post-test verification assure that the (continued) assumptions in the plant setpoint methodology (Reference 19) are satisfied in order to protect the safety analysis limits. Note 2 preserves the safety analysis limits. If the channel can not be reset to a value within its as-left setpoint tolerance band, or to a value that is more conservative than the Nominal Trip Setpoint if required based on plant conditions, the channel shall be declared inoperable and the applicable Required Actions are taken. The methodology used to determine the as-found test acceptance criteria band and the as-left setpoint tolerance band is based on the square-root-sum-of-squares (SRSS) of the tolerances applicable to the instrument loop or sub-loop constituents being tested and is discussed in Reference 21.

For channels that have a history of proper performance, an out-of-tolerance condition may be a 5% statistical outlier which is to be expected for a setpoint methodology that is based on maintaining a 95% probability with a 95% confidence level of proper performance. If the channel performance evaluation demonstrates this to be the case, the as-found and as-left setpoint data will be trended and no further evaluation would be performed until the next CHANNEL OPERATIONAL TEST.

All as-found and as-left setpoint data for these specific Trip Functions obtained during CHANNEL OPERATIONAL TESTS shall be trended to demonstrate that the rack drift assumptions used in the plant setpoint methodology are valid. If the trending evaluation determines that a channel is performing inconsistent with the uncertainty allowances applicable to the periodic surveillance test being performed (e.g., whether it be a COT, CHANNEL CALIBRATION, etc.), the channel shall be evaluated under the corrective action program. If the channel is not capable of performing its specified safety function, it shall be declared inoperable.

The LCO generally requires OPERABILITY of three or four channels in each instrumentation Function, two channels of Manual Reactor Trip in each logic Function, and two trains in each Automatic Trip Logic Function.

Four OPERABLE instrumentation channels in a two-out-of-four configuration are required when one RTS channel is also used as a control system input. This configuration accounts for the possibility of the shared channel failing in such a manner that it creates a transient that requires RTS action. In this case, the RTS will still provide protection, even with a random failure of one of the other three protection channels.

(continued)

CALLAWAY PLANT B 3.3.1-8 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE Three operable instrumentation channels in a two-out-of-three SAFETY configuration are generally required when there is no potential for control ANALYSES, system and protection system interaction that could simultaneously create LCO, AND a need for RTS trip and disable one RTS channel. The two-out-of-three APPLICABILITY and two-out-of-four configurations allow one channel to be tripped during (continued) maintenance or testing without causing a reactor trip. In cases where an inoperable channel is placed in the tripped condition indefinitely to satisfy the Required Action of an LCO, the logic configurations are reduced to one-out-of-two and one-out-of-three where tripping of an additional channel, for any reason, would result in a reactor trip. To allow for surveillance testing or setpoint adjustment of other channels while in this condition, several Required Actions allow the inoperable channel to be bypassed. Bypassing the inoperable channel creates a two-out-of-two or two-out-of-three logic configuration allowing a channel to be tripped for testing without causing a reactor trip. Specific exceptions to the above general philosophy exist and are discussed below.

Reactor Trip System Functions The safety analyses and OPERABILITY requirements applicable to each RTS Function are discussed below:

1. Manual Reactor Trip The Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either of two reactor trip switches in the control room. A Manual Reactor Trip accomplishes the same results as any one of the automatic trip Functions. It is used by the reactor operator to shut down the reactor whenever any parameter is rapidly trending toward its Trip Setpoint.

The LCO requires two Manual Reactor Trip channels to be OPERABLE. Each channel is controlled by a manual reactor trip switch. Each channel activates the reactor trip breaker in both trains. Two independent channels are required to be OPERABLE so that no single random failure will disable the Manual Reactor Trip Function.

(continued)

CALLAWAY PLANT B 3.3.1-9 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 1. Manual Reactor Trip (continued)

SAFETY ANALYSES, In MODE 1 or 2, manual initiation of a reactor trip must be LCO, AND OPERABLE. These are the MODES in which the shutdown rods APPLICABILITY and/or control rods are partially or fully withdrawn from the core. In MODE 3, 4, or 5, the manual initiation Function must also be OPERABLE if one or more shutdown rods or control rods are withdrawn or the Rod Control System is capable of withdrawing the shutdown rods or the control rods. In this condition, inadvertent control rod withdrawal (automatic rod withdrawal is no longer available) is possible. In MODE 3, 4, or 5, manual initiation of a reactor trip does not have to be OPERABLE if the Rod Control System is not capable of withdrawing the shutdown rods or control rods and if all rods are fully inserted. If the rods cannot be withdrawn from the core and all of the rods are fully inserted, there is no need to be able to trip the reactor. In MODE 6, neither the shutdown rods nor the control rods are permitted to be withdrawn and the CRDMs are disconnected from the control rods and shutdown rods. Therefore, the manual initiation Function is not required.

2. Power Range Neutron Flux The NIS power range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS power range detectors provide input to the Rod Control System and the Steam Generator (SG) Water Level Control System.

Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to prevent rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.

a. Power Range Neutron Flux - High The Power Range Neutron Flux - High trip Function ensures that protection is provided, from all power levels, against a positive reactivity excursion leading to DNB during power operations and will prevent fuel melting, providing protection for the safety limit on linear heat rate.

(continued)

CALLAWAY PLANT B 3.3.1-10 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE a. Power Range Neutron Flux - High (continued)

SAFETY ANALYSES, These excursions can be caused by an uncontrolled RCCA LCO, AND bank withdrawal, rod ejection, or reductions in RCS APPLICABILITY temperature.

The LCO requires all four of the Power Range Neutron Flux

- High channels to be OPERABLE (two-out-of-four trip logic). The Trip Setpoint is 109% RTP.

In MODE 1 or 2, when a positive reactivity excursion could occur, the Power Range Neutron Flux - High trip must be OPERABLE. This Function will terminate the reactivity excursion and shut down the reactor prior to reaching a power level that could damage the fuel. In MODE 3 (with any RCS cold leg temperature < 500°F), 4, 5, or 6, the NIS power range detectors cannot accurately detect neutron levels. In MODES 3, 4, 5, or 6, the Power Range Neutron Flux - High does not have to be OPERABLE because the reactor is shut down and reactivity excursions into the power range are extremely unlikely. Other RTS Functions and administrative controls provide protection against reactivity additions when in MODE 3, 4, 5, or 6.

b. Power Range Neutron Flux - Low The LCO requirement for the Power Range Neutron Flux -

Low trip Function ensures that protection is provided against a positive reactivity excursion, such as an uncontrolled RCCA bank withdrawal or rod ejection, from low power or subcritical conditions.

The LCO requires all four of the Power Range Neutron Flux

- Low channels to be OPERABLE (two-out-of-four trip logic). The Trip Setpoint is 25% RTP.

In MODE 1, below the Power Range Neutron Flux (P-10 setpoint); and in MODE 2 with keff 1.0; and in MODE 2 with keff < 1.0, and all RCS cold leg temperatures 500°F, and the RCS boron concentration less than or equal to the all-rods-out (ARO) critical boron concentration, and the Rod Control System capable of rod withdrawal or one or more rods not fully inserted; and in MODE 3 with all RCS cold leg temperatures 500°F, and the RCS boron concentration less than or equal to the ARO critical boron concentration, and the Rod Control System capable of rod withdrawal or one or more rods not fully inserted, the Power Range (continued)

CALLAWAY PLANT B 3.3.1-11 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE b. Power Range Neutron Flux - Low (continued)

SAFETY ANALYSES, Neutron Flux- Low trip must be OPERABLE. This Function LCO, AND may be manually blocked by the operator when two out of APPLICABILITY four power range channels are greater than 10% RTP (P-10 setpoint). This Function is automatically unblocked when three out of four power range channels are below the P-10 setpoint. Above the P-10 setpoint, positive reactivity excursions are mitigated by the Power Range Neutron Flux- High trip Function.

The Power Range Neutron Flux - Low trip Function does not have to be OPERABLE in MODE 2 with the reactor subcritical (keff < 1.0) and any combination of one or more of the following specified conditions in the Applicability, nor does this trip Function have to be OPERABLE in MODE 3 with any combination of one or more of the following specified conditions in the Applicability:

  • any RCS cold leg temperature < 500°F, or
  • RCS boron concentration greater than the ARO critical boron concentration, or
  • Rod Control System incapable of rod withdrawal and all rods fully inserted.

Accident analysis acceptance criteria with the reactor subcritical, and any RCS cold leg temperature < 500°F, and with the Rod Control System capable of rod withdrawal are satisfied by virtue of the RCS boration requirements of LCO 3.1.9, RCS Boron Limitations < 500°F. Acceptance criteria are satisfied, and the protection provided by the Power Range Neutron Flux - Low trip Function is not required, if the RCS boron concentration is greater than the ARO critical boron concentration or the Rod Control System is rendered incapable of rod withdrawal per the requirements of LCO 3.1.9.

In addition, in MODE 3 (with any RCS cold leg temperature

< 500°F, or the RCS sufficiently borated, or the RCCA bank withdrawal event precluded per the specified conditions of footnote (i) in Table 3.3.1-1), 4, 5, or 6, the Power Range Neutron Flux - Low trip Function does not have to be (continued)

CALLAWAY PLANT B 3.3.1-12 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE b. Power Range Neutron Flux - Low (continued)

SAFETY ANALYSES, OPERABLE because the reactor is shut down and the NIS LCO, AND power range detectors cannot accurately detect neutron APPLICABILITY levels in this range. Other RTS trip Functions and administrative controls provide protection against positive reactivity excursions in these MODES and specified conditions in the Applicability.

3. Power Range Neutron Flux Rate The Power Range Neutron Flux Rate trip uses the same channels as discussed for Function 2 above.

Power Range Neutron Flux - High Positive Rate The Power Range Neutron Flux - High Positive Rate trip Function ensures that protection is provided against rapid increases in neutron flux that are characteristic of an RCCA drive rod housing rupture and the accompanying ejection of the RCCA. This Function compliments the Power Range Neutron Flux - High and Low Setpoint trip Functions to ensure that the criteria are met for a rod ejection from the power range. This Function also provides protection for the uncontrolled RCCA bank withdrawal at power event.

The LCO requires all four of the Power Range Neutron Flux - High Positive Rate channels to be OPERABLE (two-out-of-four trip logic). The Trip Setpoint is 4.25% RTP with a time constant 2 seconds.

In MODE 1 or 2, when there is a potential to add a large amount of positive reactivity from a rod ejection accident (REA), the Power Range Neutron Flux- High Positive Rate trip must be OPERABLE.

In MODE 3, 4, 5, or 6, the Power Range Neutron Flux- High Positive Rate trip Function does not have to be OPERABLE because other RTS trip Functions and administrative controls will provide protection against positive reactivity excursions. Also, since only the shutdown banks may be withdrawn in MODE 3, 4, or 5, the remaining complement of control bank worth ensures a sufficient degree of SDM in the event of an REA. In MODE 6, no rods are withdrawn and the SDM is increased during refueling operations. The reactor vessel head is also removed or the closure bolts are detensioned preventing any pressure buildup. In (continued)

CALLAWAY PLANT B 3.3.1-13 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE Power Range Neutron Flux - High Positive Rate (continued)

SAFETY ANALYSES, addition, the NIS power range detectors cannot accurately detect LCO, AND neutron levels when RCS temperatures are less than 500°F.

APPLICABILITY

4. Intermediate Range Neutron Flux The Intermediate Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup (automatic rod withdrawal is no longer available). This trip Function provides redundant protection to the Power Range Neutron Flux - Low Setpoint trip Function. The NIS intermediate range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS intermediate range detectors do not provide any input to control systems. Note that this Function also provides a signal to prevent rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.

The LCO requires two channels of Intermediate Range Neutron Flux to be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function (one-out-of-two trip logic). The Trip Setpoint is 25% RTP.

Because this trip Function is important only during startup, there is generally no need to disable channels for testing while the Function is required to be OPERABLE. Therefore, a third channel is unnecessary.

In MODE 1 below the P-10 setpoint, and in MODE 2 above the P-6 setpoint, when there is a potential for an uncontrolled RCCA bank withdrawal accident during reactor startup, the Intermediate Range Neutron Flux trip must be OPERABLE. Above the P-10 setpoint, the Power Range Neutron Flux - High Setpoint trip and the Power Range Neutron Flux - High Positive Rate trip provide core protection for an uncontrolled RCCA bank withdrawal accident. In MODE 2 below the P-6 setpoint, the Source Range Neutron Flux trip Function provides the primary core protection for reactivity accidents. In MODE 3, 4, or 5, the Intermediate Range Neutron Flux trip does not have to be OPERABLE. In MODE 3 with all RCS cold leg temperatures 500°F, and the RCS boron concentration less than or equal to the ARO critical boron concentration, and the Rod Control System capable of rod (continued)

CALLAWAY PLANT B 3.3.1-14 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 4. Intermediate Range Neutron Flux (continued)

SAFETY ANALYSES, withdrawal or one or more rods not fully inserted, the Power Range LCO, AND Neutron Flux - Low trip Function provides protection for an APPLICABILITY uncontrolled RCCA bank withdrawal or control rod ejection event from low power or subcritical conditions.

With the Rod Control System capable of rod withdrawal in MODE 3 (with any RCS cold leg temperature < 500°F), MODE 4, or MODE 5, LCO 3.1.9, RCS Boron Limitations < 500°F, requires that the RCS boron concentration be greater than the all-rods-out (ARO) critical boron concentration to ensure that sufficient SHUTDOWN MARGIN is available if an uncontrolled RCCA bank withdrawal event were to occur. In MODE 6, all rods are fully inserted and the core has a required increased SDM. Also, the NIS intermediate range detectors cannot detect neutron levels present during lower temperatures.

5. Source Range Neutron Flux The LCO requirement for the Source Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank withdrawal accident from a subcritical condition during startup (automatic rod withdrawal is no longer available). This trip Function provides redundant protection to the Power Range Neutron Flux- Low and Intermediate Range Neutron Flux trip Functions. In MODES 3, 4, and 5, administrative controls also prevent the uncontrolled manual withdrawal of rods. The NIS source range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS source range detectors do not provide any inputs to control systems. The source range trip is the only RTS automatic protection function required in MODES 3 (with any RCS cold leg temperature

< 500°F), 4, and 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted.

In MODE 3 with all RCS cold leg temperatures 500°F, and the RCS boron concentration less than or equal to the ARO critical boron concentration, and the Rod Control System capable of rod withdrawal or one or more rods not fully inserted, the Power Range Neutron Flux - Low trip Function provides protection for an uncontrolled RCCA bank withdrawal or control rod ejection event from low power or subcritical conditions.

(continued)

CALLAWAY PLANT B 3.3.1-15 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 5. Source Range Neutron Flux (continued)

SAFETY ANALYSES, With the Rod Control System capable of rod withdrawal in MODE 3 LCO, AND (with any RCS cold leg temperature < 500°F), MODE 4, or MODE APPLICABILITY 5, LCO 3.1.9, RCS Boron Limitations < 500°F, requires that the RCS boron concentration be greater than the all-rods-out (ARO) critical boron concentration to ensure that sufficient SHUTDOWN MARGIN (SDM) is available if an uncontrolled RCCA bank withdrawal event were to occur. The safety analyses do not take explicit credit for the Source Range Neutron Flux trip Function as a primary trip to mitigate an uncontrolled RCCA bank withdrawal event or control rod ejection occurring from low power or subcritical conditions since this trip Function is not tested for its response time under SR 3.3.1.16. LCO 3.1.9, RCS Boron Limitations < 500°F, assures that sufficient SDM is available if an uncontrolled RCCA bank withdrawal were to occur while the plant is operating within the LCOs Applicability and specified conditions.

The LCO requires two channels of Source Range Neutron Flux to be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function. This Function uses one-out-of-two trip logic. The Trip Setpoint is 1.0 E5 cps. The outputs of the Function to RTS logic are not required OPERABLE in MODE 6 or when all rods are fully inserted and the Rod Control System is incapable of rod withdrawal.

The Source Range Neutron Flux trip Function provides protection for uncontrolled control rod withdrawal from subcritical and control rod ejection events. In MODE 2, credit is also taken for a reactor trip being initiated by this trip function to alert the control room operators to manually mitigate an inadvertent boron dilution event.

In MODE 2 when below the P-6 setpoint, the Source Range Neutron Flux trip must be OPERABLE. Above the P-6 setpoint, the Intermediate Range Neutron Flux trip and the Power Range Neutron Flux-Low trip will provide core protection for reactivity accidents. Above the P-6 setpoint, the NIS source range neutron flux reactor trip may be manually blocked. When the source range trip is blocked, the high voltage to the detectors is also removed.

In MODES 3, 4, and 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted, the Source Range Neutron Flux trip Function must also be OPERABLE. If the Rod Control System is capable of rod withdrawal, the Source Range Neutron Flux trip must be OPERABLE to provide core protection against a rod withdrawal accident. If the Rod Control System is not capable of rod withdrawal, and all rods are fully (continued)

CALLAWAY PLANT B 3.3.1-16 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 5. Source Range Neutron Flux (continued)

SAFETY ANALYSES, inserted in MODES 3, 4, and 5, the source range detectors are not LCO, AND required to trip the reactor. However, their monitoring Function APPLICABILITY must be OPERABLE to monitor core neutron levels and provide inputs to the BDMS as addressed in LCO 3.3.9, "Boron Dilution Mitigation System (BDMS)," to protect against inadvertent reactivity changes that may occur as a result of events like an uncontrolled boron dilution. The requirements for the NIS source range detectors in MODE 6 are addressed in LCO 3.9.3, "Nuclear Instrumentation."

6. Overtemperature T The Overtemperature T trip Function is provided to ensure that the design limit DNBR is met. This trip Function also limits the range over which the Overpower T trip Function must provide protection. The inputs to the Overtemperature T trip include pressure, coolant temperature, axial power distribution, and reactor power as indicated by loop T assuming full reactor coolant flow.

Protection from violating the DNBR limit is assured for those transients that are slow with respect to delays from the core to the measurement system. The Overtemperature T trip Function uses each loop's T as a measure of reactor power and is compared with a setpoint that is automatically varied with the following parameters:

  • reactor coolant average temperature - the Trip Setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature;
  • pressurizer pressure - the Trip Setpoint is varied to correct for changes in system pressure; and
  • axial power distribution f(I) - the Trip Setpoint is varied to account for imbalances in the axial power distribution as detected by the NIS upper and lower power range detectors. If axial peaks are greater than the design limits, as indicated by the difference between the upper and lower NIS power range detectors, the Trip Setpoint is reduced.

Dynamic compensation is included for system piping delays from the core to the temperature measurement system.

(continued)

CALLAWAY PLANT B 3.3.1-17 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 6. Overtemperature T (continued)

SAFETY ANALYSES, To and T, as used in the Overtemperature T trip, represent the LCO, AND 100% RTP values as measured by the plant for each loop. For the APPLICABILITY startup of a refueled core until reset to actual measured values (at 90-100% RTP), To is initially set at a value which is conservatively lower than the last measured 100% RTP To for each loop. Setting To and T to the measured value of To and T normalizes each loops Overtemperature T trip to the RCS loop conditions existing at the time of measurement, thus the trip reflects the equivalent full power conditions assumed for the OTT trip in the accident analyses. These differences in vessel T and Tavg can result from several factors, two of them being measured RCS loop flows greater than Minimum Measured Flow and asymmetric power distributions between quadrants. While RCS loop flows are not expected to change, radial power redistribution between quadrants may occur resulting in small changes in loop-specific vessel T and Tavg values. Accurate determination of the loop-specific vessel T and Tavg values are made when performing the Incore/

Excore recalibration under steady state conditions (i.e., power distributions not affected by xenon or other transient conditions).

The time constants used in the lag compensation of measured T (3) and measured Tavg (6) are set at 0 seconds. This setting corresponds to the 7300 NLL card values used for lag compensation of these signals. Safety analyses that credit Overtemperature T for protection must account for these field adjustable lag cards as well as all other first order lag contributions (i.e., the combined RTD/thermowell response time and the scoop transport delay and thermal lag). The safety analyses use a total first order lag of less than or equal to 6 seconds.

The Overtemperature T trip Function is calculated for each loop as described in Note 1 of Table 3.3.1-1 with values as specified in the COLR. Trip occurs if Overtemperature T is indicated in two loops. The pressure and temperature signals are used for other control functions; thus, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to generate a turbine runback prior to reaching the Trip Setpoint. A turbine runback will reduce turbine power and reactor power, either through automatic (continued)

CALLAWAY PLANT B 3.3.1-18 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 6. Overtemperature T (continued)

SAFETY ANALYSES, rod insertion or through operator action. A reduction in power will LCO, AND normally alleviate the Overtemperature T condition and may APPLICABILITY prevent a reactor trip.

The LCO requires all four channels of the Overtemperature T trip Function to be OPERABLE (two-out-of-four trip logic). Note that the Overtemperature T Function receives input from channels shared with other RTS Functions. Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.

In MODE 1 or 2, the Overtemperature T trip must be OPERABLE to prevent DNB. In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about DNB.

7. Overpower T The Overpower T trip Function ensures that protection is provided to ensure the integrity of the fuel (i.e., no fuel pellet melting and less than 1% cladding strain) under all possible overpower conditions. This trip Function also limits the required range of the Overtemperature T trip Function and provides a backup to the Power Range Neutron Flux - High Setpoint trip. The Overpower T trip Function ensures that the allowable heat generation rate (kW/ft) of the fuel is not exceeded. The Overpower T trip also provides protection to mitigate the consequences of small steamline breaks, as reported in Reference 11, and the decrease in feedwater temperature event (Ref. 13). It uses the T of each loop as a measure of reactor power with a setpoint that is automatically varied with the following parameters:
  • reactor coolant average temperature - the Trip Setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature; and

including dynamic compensation for the delays between the core and the temperature measurement system.

o and T", as used in the Overpower T trip, represent the 100%

RTP values as measured by the plant for each loop. For the startup of a refueled core until reset to actual measured values (at 90-100% RTP), To is initially set at a value which is conservatively (continued)

CALLAWAY PLANT B 3.3.1-19 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 7. Overpower T (continued)

SAFETY ANALYSES, lower than the last measured 100% RTP To for each loop. Setting LCO, AND To and T" to the measured value of To and T" normalizes each APPLICABILITY loops Overpower T trip to the RCS loop conditions existing at the time of measurement, thus the trip reflects the equivalent full power conditions assumed for the OPT trip in the accident analyses.

These differences in vessel T and Tavg can result from several factors, two of them being measured RCS loop flows greater than Minimum Measured Flow and asymmetric power distributions between quadrants. While RCS loop flows are not expected to change, radial power redistribution between quadrants may occur resulting in small changes in loop-specific vessel T and Tavg values. Accurate determination of the loop-specific vessel T and Tavg values are made when performing the Incore/Excore recalibration under steady state conditions (i.e., power distributions not affected by xenon or other transient conditions).

The time constants used in the lag compensation of measured T (3) and measured Tavg (6) are set at 0 seconds. This setting corresponds to the 7300 NLL card values used for lag compensation of these signals. Safety analyses that credit Overpower T for protection must account for these field adjustable lag cards as well as all other first order lag contributions (i.e., the combined RTD/ thermowell response time and the scoop transport delay and thermal lag). The safety analyses use a total first order lag of less than or equal to 6 seconds.

The Overpower T trip Function is calculated for each loop as per Note 2 of Table 3.3.1-1 with values as specified in the COLR. Trip occurs if Overpower T is indicated in two loops. The actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the remaining channels providing the protection function actuation. Note that this Function also provides a signal to generate a turbine runback prior to reaching the Trip Setpoint. A turbine runback will reduce turbine power and reactor power. A reduction in power will normally alleviate the Overpower T condition and may prevent a reactor trip.

The LCO requires four channels of the Overpower T trip Function to be OPERABLE (two-out-of-four trip logic). Note that the Overpower T trip Function receives input from channels shared with other RTS Functions. Failures that affect multiple Functions (continued)

CALLAWAY PLANT B 3.3.1-20 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 7. Overpower T (continued)

SAFETY ANALYSES, require entry into the Conditions applicable to all affected LCO, AND Functions.

APPLICABILITY In MODE 1 or 2, the Overpower T trip Function must be OPERABLE. These are the only times that enough heat is generated in the fuel to be concerned about the heat generation rates and overheating of the fuel. In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about fuel overheating and fuel damage.

8. Pressurizer Pressure The same sensors provide input to the Pressurizer Pressure - High and - Low trips and the Overtemperature T trip. The Pressurizer Pressure channels are also used to provide input to the Pressurizer Pressure Control System; thus, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation.
a. Pressurizer Pressure - Low The Pressurizer Pressure - Low trip Function ensures that protection is provided against violating the DNBR limit due to low pressure.

The LCO requires four channels of Pressurizer Pressure -

Low to be OPERABLE (two-out-of-four trip logic). The Trip Setpoint is 1885 psig.

In MODE 1, when DNB is a major concern, the Pressurizer Pressure - Low trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 interlock (NIS power range P-10 or turbine impulse pressure greater than 10% of full power equivalent (P-13)).

On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, there is insufficient heat production to generate DNB conditions.

(continued)

CALLAWAY PLANT B 3.3.1-21 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE b. Pressurizer Pressure - High SAFETY ANALYSES, The Pressurizer Pressure - High trip Function ensures that LCO, AND protection is provided against overpressurizing the RCS.

APPLICABILITY This trip Function operates in conjunction with the (continued) pressurizer PORVs and safety valves to prevent RCS overpressure conditions.

The LCO requires four channels of Pressurizer Pressure -

High to be OPERABLE (two-out-of-four trip logic). The Trip Setpoint is 2385 psig.

The Pressurizer Pressure - High Allowable Value is selected to be below the pressurizer safety valve actuation pressure and above the power operated relief valve (PORV) setting. This setting minimizes challenges to safety valves while avoiding unnecessary reactor trip for those pressure increases that can be controlled by the PORVs.

In MODE 1 or 2, the Pressurizer Pressure - High trip must be OPERABLE to help prevent RCS overpressurization and minimize challenges to the PORVs and safety valves.

In MODE 3, 4, 5, or 6, the Pressurizer Pressure - High trip Function does not have to be OPERABLE because transients that could cause an overpressure condition will be slow to occur. Therefore, the operator will have sufficient time to evaluate unit conditions and take corrective actions. Additionally, low temperature overpressure protection systems provide overpressure protection when the temperature of one or more RCS loops is below 275°F.

9. Pressurizer Water Level - High The Pressurizer Water Level - High trip Function provides a backup signal for the Pressurizer Pressure - High trip and also provides protection against water relief through the pressurizer safety valves. These valves are designed to pass steam in order to achieve their design energy removal rate. A reactor trip is actuated prior to the pressurizer becoming water solid. The LCO requires three channels of Pressurizer Water Level - High to be OPERABLE (two-out-of-three trip logic). The Trip Setpoint is 92% of instrument span. The pressurizer level channels are used as input to the Pressurizer Level Control System. A fourth channel is not required to address control/protection interaction concerns. The (continued)

CALLAWAY PLANT B 3.3.1-22 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 9. Pressurizer Water Level - High (continued)

SAFETY ANALYSES, level channels do not actuate the safety valves, and the high LCO, AND pressure reactor trip is set below the safety valve setting.

APPLICABILITY Therefore, with the slow rate of charging available, pressure overshoot due to level channel failure cannot cause the safety valve to lift before reactor high pressure trip.

In MODE 1, when there is a potential for overfilling the pressurizer, the Pressurizer Water Level - High trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 interlock. On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, transients that could raise the pressurizer water level will be slow and the operator will have sufficient time to evaluate unit conditions and take corrective actions.

10. Reactor Coolant Flow - Low The Reactor Coolant Flow - Low trip Function ensures that protection is provided against violating the DNBR limit due to low flow in one or more RCS loops, while avoiding reactor trips due to normal variations in loop flow. Above the P-7 setpoint, the reactor trip on low flow in two or more RCS loops is automatically enabled.

Above the P-8 setpoint, a loss of flow in any RCS loop will actuate a reactor trip. Each RCS loop has three flow detectors to monitor flow. The flow signals are not used for any control system input.

The LCO requires three Reactor Coolant Flow - Low channels per loop to be OPERABLE in MODE 1 above P-7 (two-out-of-three trip logic). The Trip Setpoint is 90% of indicated loop flow.

At the beginning of each cycle the plant will normalize the RCS flow transmitters during zero power, normal operating pressure, normal operating temperature (NOP/NOT) conditions such that they indicate at 100% flow in each respective loop. This normalization is then verified prior to exceeding 75% of RATED THERMAL POWER and again after reaching full power following a refueling outage when suitable plant conditions are established.

The bistables for the low RCS flow trip Function are calibrated separately to verify that they are set at the Nominal Trip Setpoint of 90% of indicated loop flow. The Nominal Trip Setpoint is based on the loop-specific normalized flow input (i.e., the indicated loop flow) from each of the three RCS flow transmitters per RCS loop.

(continued)

CALLAWAY PLANT B 3.3.1-23 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 10. Reactor Coolant Flow - Low (continued)

SAFETY ANALYSES, In MODE 1 above the P-8 setpoint, a loss of flow in one RCS loop LCO, AND could result in DNB conditions in the core because of the higher APPLICABILITY power level. In MODE 1 below the P-8 setpoint and above the P-7 setpoint, a loss of flow in two or more loops is required to actuate a reactor trip because of the lower power level and the greater margin to the design limit DNBR. Below the P-7 setpoint, all reactor trips on low flow are automatically blocked since there is insufficient heat production to generate DNB conditions.

11. Not used.
12. Undervoltage Reactor Coolant Pumps The Undervoltage RCP reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. There is one potential transformer (PT), with a primary to secondary ratio of 14400:120, connected in parallel with the 13.8 kV power supply (PA system) to each RCP motor at the motor side of the supply breaker. Each PT secondary side is connected to an undervoltage relay and time delay relay, as well as a separate underfrequency relay. The undervoltage relays provide output signals to the SSPS which trips the reactor, if permissive P-7 issatisfied (i.e., greater than 10% of rated thermal power), when the voltage at one out of two RCP motors on both PA system buses drops below 10584 Vac (corresponding to 88.2 Vac at the undervoltage relay). The time delay relay prevents spurious trips caused by transient voltage perturbations. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low Trip Setpoint is reached.

The LCO requires two Undervoltage RCP channels per bus to be OPERABLE, a total of four channels. The Trip Setpoint is 10,584 Vac.

In MODE 1 above the P-7 setpoint, the Undervoltage RCP trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since the core is not producing sufficient power to generate DNB conditions. Above the P-7 setpoint, the reactor trip on Undervoltage-RCPs is automatically enabled.

(continued)

CALLAWAY PLANT B 3.3.1-24 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 13. Underfrequency Reactor Coolant Pumps SAFETY ANALYSES, The Underfrequency RCP reactor trip Function ensures that LCO, AND protection is provided against violating the DNBR limit due to a APPLICABILITY loss of flow in two or more RCS loops from a major network (continued) frequency disturbance. An underfrequency condition will slow down the pumps, thereby reducing their coastdown time following a pump trip. An adequate coastdown time is required so that reactor heat can be removed immediately after reactor trip. There is one potential transformer (PT), with a primary to secondary ratio of 14400:120, connected in parallel with the 13.8 kV power supply (PA system) to each RCP motor at the motor side of the supply breaker. Each PT secondary side is connected to an undervoltage relay and time delay relay, as well as a separate underfrequency relay. The underfrequency relays provide output signals to the SSPS which trips the reactor, if permissive P-7 issatisfied (i.e.,

greater than 10% of rated thermal power), when the frequency at one out of two RCP motors on both PA system buses drops below 57.2 Hz. The time delay set on the underfrequency relay prevents spurious trips caused by transient frequency perturbations. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low Trip Setpoint is reached.

The LCO requires two Underfrequency RCP channels per bus to be OPERABLE, a total of four channels. The Trip Setpoint is 57.2 Hz.

In MODE 1 above the P-7 setpoint, the Underfrequency RCP trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since the core is not producing sufficient power to generate DNB conditions. Above the P-7 setpoint, the reactor trip on Underfrequency-RCPs is automatically enabled.

14. Steam Generator Water Level - Low Low The SG Water Level - Low Low trip Function ensures that protection is provided against a loss of heat sink and actuates the AFW System prior to uncovering the SG tubes. The SGs are the heat sink for the reactor. In order to act as a heat sink, the SGs must contain a minimum amount of water. A narrow range low low level in any SG is indicative of a loss of heat sink for the reactor.

The level transmitters also provide input to the SG Level Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other (continued)

CALLAWAY PLANT B 3.3.1-25 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 14. Steam Generator Water Level - Low Low (continued)

SAFETY ANALYSES, channels providing the protection function actuation. This LCO, AND Function also performs the ESFAS function of starting the AFW APPLICABILITY pumps on low low SG level. As discussed in Reference 7, the SG Water Level - Low Low trip function has been modified to allow a lower Trip Setpoint under normal containment environmental conditions. The EAM circuitry reduces the potential for inadvertent trips via the Environmental Allowance Modifier (EAM), enabled on containment pressure exceeding its setpoint as listed in Table B 3.3.1-1. Because the SG Water Level transmitters (d/p cells) are located inside containment, they may experience adverse environmental conditions due to a feedline break. The EAM function is used to monitor the presence of adverse containment conditions (elevated pressure) and enables the Steam Generator Water Level - Low Low (Adverse) trip setpoint to reflect the increased transmitter uncertainties due to this harsh environment.

The EAM enables a lower Steam Generator Water Level - Low Low (Normal) trip setpoint when these conditions are not present, thus allowing more margin to trip for normal operating conditions.

If the EAM trip function has inoperable required channels, it is acceptable to place the inoperable channels in the tripped condition and continue operation. Placing the inoperable channels in the trip mode enables the Steam Generator Water Level - Low Low (Adverse) function, for the EAM. If the Steam Generator Water Level - Low Low (Normal) trip function has an inoperable required channel, the inoperable channel must be tripped, subject to the LCO Applicability footnote.

The LCO requires four channels of SG Water Level - Low Low per SG to be OPERABLE because these channels are shared between protection and control. All SG Water Level - Low Low reactor trip Functions use two-out-of-four logic. As with other protection functions, the single failure criterion applies. The Trip Setpoints for the SG Water Level - Low Low (Adverse Containment Environment) and (Normal Containment Environment) bistables are 21.0% and 17.0% of narrow range span, respectively. The Trip Setpoint for the Containment Pressure - Environmental Allowance Modifier bistables is 1.5 psig.

In MODE 1 or 2, when the reactor requires a heat sink, the SG Water Level - Low Low trip must be OPERABLE. The SG Water Level - Low Low (Normal Containment Environment) channels do not provide protection when the Containment Pressure -

(continued)

CALLAWAY PLANT B 3.3.1-26 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 14. Steam Generator Water Level - Low Low (continued)

SAFETY ANALYSES, Environmental Allowance Modifier (EAM) channels in the same LCO, AND protection sets are tripped since that enables the SG Water Level -

APPLICABILITY Low Low (Adverse Containment Environment) channels with a higher water level trip setpoint. As such, the SG Water Level -

Low Low (Normal Containment Environment) channels need not be OPERABLE when the Containment Pressure - EAM channels in the same protection sets are tripped, as discussed in a footnote to Table 3.3.1-1. The normal source of water for the SGs is provided by the turbine-driven Main Feedwater (MFW) Pumps (not safety related). The MFW Pumps (PAE01A and PAE01B) are only in operation in MODE 1 or 2. The AFW System is the safety-related source of water to ensure that the SGs remain the heat sink for the reactor. During normal startups and shutdowns the MFW System or AFW System provides feedwater to maintain SG level.

In MODE 3, 4, 5, or 6, the SG Water Level - Low Low Reactor Trip Function does not have to be OPERABLE because the reactor is not operating or even critical (see LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation," for Applicability of SG Water Level - Low Low ESFAS Functions).

15. Not used.
16. Turbine Trip
a. Turbine Trip - Low Fluid Oil Pressure The Turbine Trip - Low Fluid Oil Pressure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. This trip Function acts to minimize the pressure/temperature transient on the reactor. Any turbine trip from a power level below the P-9 setpoint, 50% power, will not actuate a reactor trip. Three pressure switches monitor the control oil pressure in the Turbine Electrohydraulic Control System. A low pressure condition sensed by two-out-of-three pressure switches will actuate a reactor trip. These pressure switches do not provide any input to the control system. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure - High trip Function and RCS integrity is ensured by the pressurizer safety valves.

(continued)

CALLAWAY PLANT B 3.3.1-27 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE The LCO requires three channels of Turbine Trip - Low SAFETY Fluid Oil Pressure to be OPERABLE in MODE 1 above ANALYSES, P-9. The Trip Setpoint is 598.94 psig.

LCO, AND APPLICABILITY Below the P-9 setpoint, a turbine trip does not actuate a reactor trip. In MODE 2, 3, 4, 5, or 6, there is no potential for a turbine trip, and the Turbine Trip - Low Fluid Oil Pressure trip Function does not need to be OPERABLE.

b. Turbine Trip - Turbine Stop Valve Closure The Turbine Trip - Turbine Stop Valve Closure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. The trip Function anticipates the loss of secondary heat removal capability that occurs when the stop valves close. Tripping the reactor in anticipation of loss of secondary heat removal acts to minimize the pressure and temperature transient on the reactor. Any turbine trip from a power level below the P-9 setpoint, 50% power, will not actuate a reactor trip. This trip Function will not and is not required to operate in the presence of a single channel failure. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure - High trip Function, and RCS integrity is ensured by the pressurizer safety valves. This trip Function is diverse to the Turbine Trip - Low Fluid Oil Pressure trip Function. Each turbine stop valve is equipped with one limit switch that inputs to the RTS. If all four limit switches indicate that the stop valves are all closed, a reactor trip is initiated.

The Allowable Value for this Function is set to assure channel trip occurs when the associated stop valve is completely closed.

The LCO requires four Turbine Trip - Turbine Stop Valve Closure channels, one per valve, to be OPERABLE in MODE 1 above P-9. All four channels must trip to cause reactor trip. The Trip Setpoint is 1% open.

Below the P-9 setpoint, a load rejection can be accommodated by the Steam Dump and Reactor Control Systems. In MODE 2, 3, 4, 5, or 6, there is no potential for a load rejection, and the Turbine Trip - Turbine Stop Valve Closure trip Function does not need to be OPERABLE.

(continued)

CALLAWAY PLANT B 3.3.1-28 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 17. Safety Injection Input from Engineered Safety Feature Actuation SAFETY System

ANALYSES, LCO, AND The SI Input from ESFAS ensures that if a reactor trip has not APPLICABILITY already been generated by the RTS, the ESFAS automatic actuation logic will initiate a reactor trip upon any automatic signal that initiates SI. This is a condition of acceptability for the LOCA.

However, other transients and accidents take credit for varying levels of ESF performance and rely upon rod insertion, except for the most reactive rod that is assumed to be fully withdrawn, to ensure reactor shutdown. Therefore, a reactor trip is initiated every time an SI signal is present.

Trip Setpoint and Allowable Values are not applicable to this Function. The SI Input is provided by logic in the SSPS circuitry of ESFAS. Therefore, there is no measurement signal with which to associate an LSSS.

The LCO requires two trains of SI Input from ESFAS to be OPERABLE in MODE 1 or 2.

A reactor trip is initiated every time an SI signal is present.

Therefore, this trip Function must be OPERABLE in MODE 1 or 2, when the reactor is critical. In MODE 3, 4, 5, or 6, the reactor is not critical, and this trip Function does not need to be OPERABLE.

18. Reactor Trip System Interlocks Reactor protection interlocks are provided to ensure reactor trips are in the correct configuration for the current unit status. They back up operator actions to ensure protection system Functions are not bypassed during unit conditions under which the safety analysis assumes the Functions are not bypassed. Therefore, the interlock Functions do not need to be OPERABLE when the associated reactor trip functions are outside the applicable MODES. These are:
a. Intermediate Range Neutron Flux, P-6 The Intermediate Range Neutron Flux, P-6 interlock is actuated when any NIS intermediate range channel goes approximately one decade above the minimum channel reading. If both channels drop below the setpoint, the permissive will automatically be defeated. The LCO (continued)

CALLAWAY PLANT B 3.3.1-29 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 18. Reactor Trip System Interlocks (continued)

SAFETY ANALYSES, requirement for the P-6 interlock ensures that the following LCO, AND Functions are performed:

APPLICABILITY

  • on increasing power, the P-6 interlock allows the manual block of the NIS Source Range, Neutron Flux reactor trip. This prevents a premature block of the source range trip and allows the operator to ensure that the intermediate range is OPERABLE prior to leaving the source range. When the source range trip is blocked, the high voltage to the detectors is also removed;
  • on decreasing power, the P-6 interlock automatically energizes the NIS source range detectors and enables the NIS Source Range Neutron Flux reactor trip; and
  • on increasing power, the P-6 interlock provides a backup block signal to the source range flux multiplication circuit. Normally, this Function is manually blocked by the control room operator during the reactor startup.

The LCO requires two channels of Intermediate Range Neutron Flux, P-6 interlock to be OPERABLE in MODE 2 when below the P-6 interlock setpoint (one-out-of-two trip logic). The Trip Setpoint is 1.0 E-10 amps.

Above the P-6 interlock setpoint, the NIS Source Range Neutron Flux reactor trip will be blocked, and this Function will no longer be necessary. In MODE 3, 4, 5, or 6, the P-6 interlock does not have to be OPERABLE because the NIS Source Range is providing core protection.

b. Low Power Reactor Trips Block, P-7 The Low Power Reactor Trips Block, P-7 interlock is actuated by input from either the Power Range Neutron Flux, P-10, or the Turbine Impulse Chamber Pressure, P-13 interlock. The LCO requirement for the P-7 interlock ensures that the following Functions are performed:

(continued)

CALLAWAY PLANT B 3.3.1-30 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 18. Reactor Trip System Interlocks (continued)

SAFETY ANALYSES, (1) on increasing power, the P-7 interlock automatically LCO, AND enables reactor trips on the following Functions:

APPLICABILITY

  • Pressurizer Pressure - Low;
  • Pressurizer Water Level - High;
  • Undervoltage RCPs; and
  • Underfrequency RCPs.

These reactor trips are only required when operating above the P-7 setpoint (10% power). The reactor trips provide protection against violating the DNBR limit. Below the P-7 setpoint, the RCS is capable of providing sufficient natural circulation without any RCP running.

(2) on decreasing power, the P-7 interlock automatically blocks reactor trips on the following Functions:

  • Pressurizer Pressure - Low;
  • Pressurizer Water Level - High;
  • Undervoltage RCPs; and
  • Underfrequency RCPs.
b. Low Power Reactor Trips Block, P-7 (continued)

Allowable Values are not applicable to the P-7 interlock because it is a logic Function and thus has no parameter with which to associate an LSSS.

(continued)

CALLAWAY PLANT B 3.3.1-31 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE The P-7 interlock is a logic Function with train and not SAFETY channel identity. Therefore, the LCO requires one channel ANALYSES, per train of Low Power Reactor Trips Block, P-7 interlock to LCO, AND be OPERABLE in MODE 1.

APPLICABILITY The low power trips are blocked below the P-7 setpoint and unblocked above the P-7 setpoint. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the interlock performs its Function when power level drops below 10% power, which is in MODE 1.

c. Power Range Neutron Flux, P-8 The Power Range Neutron Flux, P-8 interlock is actuated at 48% power as determined by two-out-of-four NIS power range detectors. The P-8 interlock automatically enables the Reactor Coolant Flow - Low reactor trip on low flow in one or more RCS loops on increasing power. The LCO requirement for this trip Function ensures that protection is provided against a loss of flow in any RCS loop that could result in DNB conditions in the core when greater than 48% power. On decreasing power, the reactor trip on low flow in any loop is automatically blocked (low flow in two or more loops will initiate a reactor trip above the P-7 interlock).

The LCO requires four channels of Power Range Neutron Flux, P-8 interlock to be OPERABLE in MODE 1 (two-out-of-four trip logic). The Trip Setpoint is 48% RTP.

In MODE 1, a loss of flow in one RCS loop could result in DNB conditions, so the Power Range Neutron Flux, P-8 interlock must be OPERABLE. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the core is not producing sufficient power to be concerned about DNB conditions.

(continued)

CALLAWAY PLANT B 3.3.1-32 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 18. Reactor Trip System Interlocks (continued)

SAFETY ANALYSES, d. Power Range Neutron Flux, P-9 LCO, AND APPLICABILITY The Power Range Neutron Flux, P-9 interlock is actuated at 50% power as determined by two-out-of-four NIS power range detectors. The LCO requirement for this Function ensures that the Turbine Trip - Low Fluid Oil Pressure and Turbine Trip - Turbine Stop Valve Closure reactor trips are enabled above the P-9 setpoint. Above the P-9 setpoint, a turbine trip will cause a load rejection beyond the capacities of the Steam Dump and Reactor Control Systems. A reactor trip is automatically initiated on a turbine trip when it is above the P-9 setpoint, to minimize the transient on the reactor.

The LCO requires four channels of Power Range Neutron Flux, P-9 interlock to be OPERABLE in MODE 1 (two-out-of-four trip logic). The Trip Setpoint is 50% RTP.

In MODE 1, a turbine trip could cause a load rejection beyond the capacities of the Steam Dump and Reactor Control Systems, so the Power Range Neutron Flux interlock must be OPERABLE. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the reactor is not at a power level sufficient to have a load rejection beyond the capacities of the Steam Dump and Reactor Control Systems.

e. Power Range Neutron Flux, P-10 The Power Range Neutron Flux, P-10 interlock is actuated at 10% power, as determined by two-out-of-four NIS power range detectors. If power level falls below 10% RTP on 3 of 4 channels, the nuclear instrument trips will be automatically unblocked. The LCO requirement for the P-10 interlock ensures that the following Functions are performed:
  • on increasing power, the P-10 interlock allows the operator to manually block the Intermediate Range Neutron Flux reactor trip. Note that blocking the reactor trip also blocks the signal to prevent rod withdrawal; (continued)

CALLAWAY PLANT B 3.3.1-33 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE e. Power Range Neutron Flux, P-10 (continued)

SAFETY ANALYSES,

  • on increasing power, the P-10 interlock allows the LCO, AND operator to manually block the Power Range APPLICABILITY Neutron Flux - Low reactor trip;
  • on increasing power, the P-10 interlock automatically provides a backup signal to block the Source Range Neutron Flux reactor trip, and also to de-energize the NIS source range detectors;
  • the P-10 interlock provides one of the two inputs to the P-7 interlock; and
  • on decreasing power, the P-10 interlock automatically enables the Power Range Neutron Flux - Low reactor trip and the Intermediate Range Neutron Flux reactor trip (and rod stop).

The LCO requires four channels of Power Range Neutron Flux, P-10 interlock to be OPERABLE in MODE 1 or 2 (two-out-of-four trip logic). The Trip Setpoint is 10% RTP.

OPERABILITY in MODE 1 ensures the Function is available to perform its decreasing power Functions in the event of a reactor shutdown. This Function must be OPERABLE in MODE 2 to ensure that core protection is provided during a startup or shutdown by the Power Range Neutron Flux - Low and Intermediate Range Neutron Flux reactor trips. In MODE 3, 4, 5, or 6, this Function does not have to be OPERABLE because the reactor is not at power and the Source Range Neutron Flux reactor trip provides core protection.

f. Turbine Impulse Pressure, P-13 The Turbine Impulse Pressure, P-13 interlock is actuated when the pressure in the first stage of the high pressure turbine is greater than 10% of the full power pressure. The full power pressure corresponds to the first stage pressure at 100% RTP. The interlock is determined by one-out-of-two pressure detectors. The LCO requirement for this Function ensures that one of the inputs to the P-7 interlock is available.

(continued)

CALLAWAY PLANT B 3.3.1-34 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE f. Turbine Impulse Pressure, P-13 (continued)

SAFETY ANALYSES, The LCO requires two channels of Turbine Impulse LCO, AND Pressure, P-13 interlock to be OPERABLE in MODE 1 APPLICABILITY (one-out-of-two trip logic). The Trip Setpoint is 10% of Turbine Power.

The Turbine Impulse Pressure, P-13 interlock must be OPERABLE when the turbine generator is operating. The interlock Function is not required OPERABLE in MODE 2, 3, 4, 5, or 6 because the turbine generator is not operating.

19. Reactor Trip Breakers This trip Function applies to the RTBs exclusive of individual trip mechanisms. The LCO requires two OPERABLE trains of trip breakers. A trip breaker train consists of all trip breakers associated with a single RTS logic train that are racked in, closed, and capable of supplying power to the Rod Control System. Thus, the train may consist of the main breaker or main breaker and opposite train bypass breaker, depending upon the system configuration. Two OPERABLE trains ensure no single random failure can disable the RTS trip capability.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

20. Reactor Trip Breaker Undervoltage and Shunt Trip Mechanisms The LCO requires both the Undervoltage and Shunt Trip Mechanisms to be OPERABLE for each RTB that is in service.

The trip mechanisms are not required to be OPERABLE for trip breakers that are open, racked out, incapable of supplying power to the Rod Control System, or declared inoperable under Function 19 above. OPERABILITY of both trip mechanisms on each breaker ensures that no single trip mechanism failure will prevent opening any breaker on a valid signal.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

(continued)

CALLAWAY PLANT B 3.3.1-35 Revision 15

RTS Instrumentation B 3.3.1 BASES APPLICABLE 21. Automatic Trip Logic SAFETY ANALYSES, The LCO requirement for the RTBs (Functions 19 and 20) and LCO, AND Automatic Trip Logic (Function 21) ensures that means are APPLICABILITY provided to interrupt the power to allow the rods to fall into the (continued) reactor core. Each RTB is equipped with an undervoltage coil and a shunt trip coil to trip the breaker open when needed. Each RTB is equipped with a bypass breaker to allow testing of the trip breaker while the unit is at power. The reactor trip signals generated by the RTS Automatic Trip Logic cause the RTBs and associated bypass breakers to open and shut down the reactor.

The LCO requires two trains of RTS Automatic Trip Logic to be OPERABLE. Having two OPERABLE channels ensures that random failure of a single logic channel will not prevent reactor trip.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

The RTS instrumentation satisfies Criterion 3 of 10CFR50.36(c)(2)(ii).

ACTIONS A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.1-1.

In the event a channel's Trip Setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the Required Channels in Table 3.3.1-1 are specified on a per loop, per SG, per bus, or per train basis, then the Condition may be entered separately for each loop, SG, bus, or train.

When the number of inoperable channels in a trip Function exceed those specified in one or other related Conditions associated with a trip Function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 must be immediately entered if applicable in the current MODE of operation.

(continued)

CALLAWAY PLANT B 3.3.1-36 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS A.1 (continued)

Condition A applies to all RTS protection Functions. Condition A addresses the situation where one or more required channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1 and B.2 Condition B applies to the Manual Reactor Trip in MODE 1 or 2. This action addresses the train orientation of the RTS for this Function. With one channel inoperable, the inoperable channel must be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. In this Condition, the remaining OPERABLE channel is adequate to perform the safety function.

The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is reasonable considering that there are two automatic actuation trains and another manual initiation channel OPERABLE, and the low probability of an event occurring during this interval.

If the Manual Reactor Trip Function cannot be restored to OPERABLE status within the allowed 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 additional hours (54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> total time). The 6 additional hours to reach MODE 3 is reasonable, based on operating experience, to exit the Applicability from full power operation in an orderly manner and without challenging unit systems. With the unit in MODE 3, Condition C is entered if the Manual Reactor Trip Function has not been restored and the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

C.1, C.2.1, and C.2.2 Condition C applies to the following reactor trip Functions in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted:

  • RTBs;
  • RTB Undervoltage and Shunt Trip Mechanisms; and (continued)

CALLAWAY PLANT B 3.3.1-37 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS C.1, C.2.1, and C.2.2 (continued)

This action addresses the train orientation of the RTS for these Functions.

With one channel or train inoperable, the inoperable channel or train must be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. If the affected Function(s) cannot be restored to OPERABLE status within the allowed 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Completion Time, the unit must be placed in a MODE in which the requirement does not apply. To achieve this status, action must be initiated within the same 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to fully insert all rods and the Rod Control System must be rendered incapable of rod withdrawal within the next hour (e.g., by de-energizing all CRDMs, by opening the RTBs, or de-energizing the motor generator (MG) sets). The additional hour for the latter provides sufficient time to accomplish the action in an orderly manner. With the rods fully inserted and the Rod Control System incapable of rod withdrawal, these Functions are no longer required.

The Completion Time is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function, and given the low probability of an event occurring during this interval.

Risk assessments performed pursuant to LCO 3.0.4.b should consider the desirability of enabling the Rod Control System or allowing one or more rods to be other than fully inserted in MODES 3, 4, or 5 while one train of Function 19 (one RTB train), Function 20 (one trip mechanism for one RTB), or Function 21 (one SSPS logic train) is inoperable and the Reactor Trip System is degraded. The risk assessment should assure that LCO 3.1.9, RCS Boron Limitations < 500°F, is met prior to enabling the Rod Control System or allowing one or more rods to be other than fully inserted in MODES 3, 4, or 5.

D.1.1, D.1.2, and D.2 Condition D applies to the Power Range Neutron Flux - High trip Function.

With one of the NIS power range detectors inoperable, 1/4 of the radial power distribution monitoring capability is lost. Therefore, SR 3.2.4.2 must be performed (Required Action D.1.1) within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> of THERMAL POWER exceeding 75% RTP and once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter. If reactor power decreases to 75% RTP, the measurement of both Completion Times for Required Action D.1.1 stops and SR 3.2.4.2 is no longer required. Completion Time tracking recommences upon reactor power (continued)

CALLAWAY PLANT B 3.3.1-38 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS D.1.1, D.1.2, and D.2 (continued) exceeding 75% RTP. Calculating QPTR every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> compensates for the lost monitoring capability due to the inoperable NIS power range channel and allows continued plant operation at power levels > 75% RTP.

At power levels 75% RTP, operation of the core with radial power distributions beyond the design limits, at a power level where DNB conditions may exist, is prevented.

Required Action D.1.1 has been modified by a Note which only requires SR 3.2.4.2 to be performed if the Power Range Neutron Flux input to QPTR becomes inoperable. Failure of a component in the Power Range Neutron Flux Channel which renders the High Flux Trip Function inoperable may not affect the capability to monitor QPTR. As such, determining QPTR using core power distribution measurement information once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> may not be necessary.

The NIS power range detectors provide input to the Rod Control System and the SG Water Level Control System and, therefore, have a two-out-of-four trip logic. A known inoperable channel must be placed in the tripped condition. This results in a partial trip condition requiring only one-out-of-three logic for actuation. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition is justified in Reference 17.

As an alternative to the above Actions, the plant must be placed in a MODE where this Function is no longer required OPERABLE.

Seventy-eight (78) hours are allowed to place the plant in MODE 3. The 78-hour Completion Time includes 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> for channel corrective maintenance, and an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> for the MODE reduction as required by Required Action D.2. This is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. If Required Actions cannot be completed within their allowed Completion Times, LCO 3.0.3 must be entered.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of other channels. The Note also allows placing the inoperable channel in the bypassed condition to allow setpoint adjustments of other channels when required to reduce the setpoint in accordance with other Technical Specifications. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 17.

(continued)

CALLAWAY PLANT B 3.3.1-39 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS E.1 and E.2 (continued)

Condition E applies to the following reactor trip Functions:

  • Power Range Neutron Flux - Low;
  • Overtemperature T;
  • Overpower T;
  • Power Range Neutron Flux - High Positive Rate;
  • Pressurizer Pressure - High;
  • SG Water Level - Low Low (Adverse Containment Environment);

and

  • SG Water Level - Low Low (Normal Containment Environment).

A known inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing the channel in the tripped condition results in a partial trip condition requiring only one-out-of-two logic for actuation of the two-out-of-three trips and one-out-of-three logic for actuation of the two-out-of-four trips. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition is justified in Reference 17.

If the inoperable channel cannot be placed in the tripped condition within the specified Completion Time, the unit must be placed in a MODE where these Functions are not required OPERABLE. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed to place the unit in MODE 3. Six hours is a reasonable time, based on operating experience, to place the unit in MODE 3 from full power in an orderly manner and without challenging unit systems.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 17.

F.1 and F.2 Condition F applies to the Intermediate Range Neutron Flux trip when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint and one channel is inoperable. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detectors perform the monitoring and protection functions. If THERMAL POWER is greater (continued)

CALLAWAY PLANT B 3.3.1-40 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS F.1 and F.2 (continued) than the P-6 setpoint but less than the P-10 setpoint, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed to reduce THERMAL POWER below the P-6 setpoint or increase THERMAL POWER above the P-10 setpoint. The NIS Intermediate Range Neutron Flux channels must be OPERABLE when the power level is above the capability of the source range, P-6, and below the capability of the power range, P-10. If THERMAL POWER is greater than the P-10 setpoint, the NIS power range detectors perform the monitoring and protection functions and the intermediate range is not required. The Completion Times allow for a slow and controlled power adjustment above P-10 or below P-6 and take into account the redundant capability afforded by the redundant OPERABLE channel, the overlap of the Power Range detectors, and the low probability of another intermediate range channel failure during this period. This action does not require the inoperable channel to be tripped because the Function uses one-out-of-two logic. Tripping one channel would trip the reactor. Thus, the Required Actions specified in this Condition are only applicable when channel failure does not result in reactor trip.

G.1 and G.2 Condition G applies to two inoperable Intermediate Range Neutron Flux trip channels in MODE 2 when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint. Required Actions specified in this Condition are only applicable when channel failures do not result in reactor trip. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detectors perform the monitoring and protection functions. With no intermediate range channels OPERABLE, the Required Actions are to suspend operations involving positive reactivity additions immediately. This will preclude any power level increase since there are no OPERABLE Intermediate Range Neutron Flux channels.

The operator must also reduce THERMAL POWER below the P-6 setpoint within two hours. This may require the use of the NIS source range channels or the neutron flux channels discussed in LCO 3.3.3, "Post Accident Monitoring (PAM) Instrumentation," with action to reduce power below the count rate equivalent to the P-6 setpoint.

Below P-6, the Source Range Neutron Flux channels will be able to monitor the core power level. The Completion Time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> will allow a slow and controlled power reduction to less than the P-6 setpoint and takes into account the low probability of occurrence of an event during this period that may require the protection afforded by the NIS Intermediate Range Neutron Flux trip.

(continued)

CALLAWAY PLANT B 3.3.1-41 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS G.1 and G.2 (continued)

Required Action G.1 is modified by a Note to indicate that normal plant control operations that individually add limited positive reactivity (i.e.,

temperature or boron concentration fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action, provided the SDM limits specified in the COLR are met and the requirements of LCOs 3.1.5, 3.1.6, and 3.4.2 are met.

H.1 Not used.

I.1 Condition I applies to one inoperable Source Range Neutron Flux trip channel when in MODE 2 below the P-6 setpoint. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the two channels inoperable, operations involving positive reactivity additions shall be suspended immediately.

This will preclude any power escalation. With only one source range channel OPERABLE, core protection is severely reduced and any actions that add positive reactivity to the core must be suspended immediately.

Required Action I.1 is modified by a Note to indicate that normal plant control operations that individually add limited positive reactivity (i.e.,

temperature or boron concentration fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action, provided the SDM limits specified in the COLR are met, the requirements of LCOs 3.1.5, 3.1.6, and 3.4.2 are met, and the initial and critical boron concentration assumptions in FSAR Section 15.4.6 (Ref. 16) are satisfied. See LCO 3.3.9, Boron Dilution Mitigation System, for requirements related to the mitigation of inadvertent boron dilution events.

J.1 Condition J applies to two inoperable Source Range Neutron Flux trip channels when in MODE 2 below the P-6 setpoint or in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With both (continued)

CALLAWAY PLANT B 3.3.1-42 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS J.1 (continued) source range channels inoperable, the Reactor Trip Breakers (RTBs) must be opened immediately. With the RTBs open, the core is in a more stable condition.

K.1, K.2.1, and K.2.2 Condition K applies to one inoperable source range channel in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions.

With one of the source range channels inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed to restore it to an OPERABLE status. If the channel cannot be returned to an OPERABLE status, action must be initiated within the same 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to fully insert all rods. One additional hour is allowed to place the Rod Control System in a condition incapable of rod withdrawal (e.g., by de-energizing all CRDMs, by opening the RTBs, or de-energizing the motor generator (MG) sets). Once these ACTIONS are completed, the core is in a more stable condition. The allowance of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to restore the channel to OPERABLE status, and the additional hour to place the Rod Control System in a condition incapable of rod withdrawal, are reasonable considering the other source range channel remains OPERABLE to perform the safety function and given the low probability of an event occurring during this interval. Normal plant control operations that individually add limited positive reactivity (i.e., temperature or boron concentration fluctuations associated with RCS inventory management or temperature control) are permitted provided the SDM limits specified in the COLR are met and the initial and critical boron concentration assumptions in FSAR Section 15.4.6 (Ref. 16) are satisfied. See LCO 3.3.9, Boron Dilution Mitigation System, for requirements related to the mitigation of inadvertent boron dilution events.

L.1, L.2, and L.3 Not used.

(continued)

CALLAWAY PLANT B 3.3.1-43 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS M.1 and M.2 (continued)

Condition M applies to the following reactor trip Functions:

  • Pressurizer Pressure - Low;
  • Pressurizer Water Level - High;
  • Undervoltage RCPs; and
  • Underfrequency RCPs.

With one channel inoperable, the inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. For the Pressurizer Pressure - Low, Pressurizer Water Level - High, Undervoltage RCPs, and Underfrequency RCPs trip Functions, placing the channel in the tripped condition when above the P-7 setpoint results in a partial trip condition requiring only one additional channel to initiate a reactor trip. For the Reactor Coolant Flow

- Low trip Function, placing the channel in the tripped condition when above the P-8 setpoint results in a partial trip condition requiring only one additional channel in the same loop to initiate a reactor trip. For the Reactor Coolant Flow - Low trip Function, two tripped channels in two RCS loops are required to initiate a reactor trip when below the P-8 setpoint and above the P-7 setpoint. These Functions do not have to be OPERABLE below the P-7 setpoint because there are no loss of flow trips below the P-7 setpoint. There is insufficient heat production to generate DNB conditions below the P-7 setpoint. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the channel in the tripped condition is justified in Reference 17. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed to reduce THERMAL POWER to below P-7 if the inoperable channel cannot be restored to OPERABLE status or placed in trip within the specified Completion Time.

Allowance of this time interval takes into consideration the redundant capability provided by the remaining redundant OPERABLE channels, and the low probability of occurrence of an event during this period that may require the protection afforded by the Functions associated with Condition M.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 17.

(continued)

CALLAWAY PLANT B 3.3.1-44 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS N.1 and N.2 (continued)

Not used.

O.1 and O.2 Condition O applies to the Turbine Trip - Low Fluid Oil Pressure trip Function. With one channel inoperable, the inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. If placed in the tripped condition, this results in a partial trip condition requiring only one additional channel to initiate a reactor trip. If the channel cannot be restored to OPERABLE status or placed in the tripped condition, then power must be reduced below the P-9 setpoint within the next 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition and the 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> allowed for reducing power are justified in the Reference 17.

Required Actions have been modified by a Note that allows placing an inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 17.

P.1 and P.2 Condition P applies to the Turbine Trip - Turbine Stop Valve Closure trip Function. With one or more channel(s) inoperable, the inoperable channel(s) must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. For the Turbine Trip - Turbine Stop Valve Closure trip Function, four of four channels are required to initiate a reactor trip; hence, more than one channel may be placed in trip. If the channels cannot be restored to OPERABLE status or placed in the tripped condition, then power must be reduced below the P-9 setpoint within the next 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channels in the tripped condition and the 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> allowed for reducing power are justified in Reference 17.

Q.1 and Q.2 Condition Q applies to the SI Input from ESFAS reactor trip and the RTS Automatic Trip Logic in MODES 1 and 2. These actions address the train orientation of the RTS for these Functions. With one train inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status (Required Action Q.1) or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

(continued)

CALLAWAY PLANT B 3.3.1-45 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS Q.1 and Q.2 (continued)

The Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (Required Action Q.1) is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function and given the low probability of an event during this interval. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed to restore the inoperable train to OPERABLE status is justified in Reference 17. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (Required Action Q.2) is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.

The Required Actions have been modified by a Note that allows bypassing one train up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing, provided the other train is OPERABLE.

Consistent with the requirement in Reference 17 to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when a logic train is inoperable for maintenance are included (note that these restrictions do not apply when a logic train is being tested under the 4-hour bypass Note of Condition Q). Entry into Condition Q is not a typical, pre-planned evolution during power operation, other than for surveillance testing.

Since Condition Q is typically entered due to equipment failure, it follows that some of the following restrictions may not be met at the time of Condition Q entry. If this situation were to occur during the 24-hour Completion Time of Required Action Q.1, the Configuration Risk Management Program will assess the emergent condition and direct activities to restore the inoperable logic train and exit Condition Q or fully implement these restrictions or perform a plant shutdown, as appropriate from a risk management perspective. The following restrictions will be observed:

  • To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained when a logic train is inoperable for maintenance.
  • To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train to be unavailable and activities that cause analog channels to (continued)

CALLAWAY PLANT B 3.3.1-46 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS Q.1 and Q.2 (continued) be unavailable should not be scheduled when a logic train is inoperable for maintenance.

  • Activities on electrical systems (e.g., AC and DC power) and cooling systems (e.g., essential service water and component cooling water) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable for maintenance. That is, one complete train of a function that supports a complete train of a function noted above must be available.

R.1 and R.2 Condition R applies to the RTBs in MODES 1 and 2. These actions address the train orientation of the RTS for the RTBs. With one train inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed for train corrective maintenance to restore the train to OPERABLE status or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The 24-hour Completion Time is justified in Reference 18. The shutdown Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.

Placing the unit in MODE 3 results in Condition C entry if one RTB train is inoperable and the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

The Required Actions have been modified by a Note. The Note allows one train to be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing, provided the other train is OPERABLE. The 4-hour time limit is justified in Reference 18.

Consistent with the requirement in Reference 18 to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when a RTB train is inoperable for maintenance are included (note that these restrictions do not apply when a RTB train is being tested under the 4-hour bypass Note of Condition R). Entry into Condition R is not a typical, pre-planned evolution during power operation, other than for surveillance testing.

Since Condition R is typically entered due to equipment failure, it follows that some of the following restrictions may not be met at the time of (continued)

CALLAWAY PLANT B 3.3.1-47 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS R.1 and R.2 (continued)

Condition R entry. If this situation were to occur during the 24-hour Completion Time of Required Action R.1, the Configuration Risk Management Program will assess the emergent condition and direct activities to restore the inoperable RTB train and exit Condition R or fully implement these restrictions or perform a plant shutdown, as appropriate from a risk management perspective. The following restrictions will be observed:

  • The probability of failing to trip the reactor on demand will increase when a RTB train is removed from service, therefore, systems designed for mitigating an ATWS event should be maintained available. RCS pressure relief (pressurizer PORVs and safeties),

auxiliary feedwater flow (for RCS heat removal), AMSAC, and turbine trip are important to alternate ATWS mitigation. Therefore, activities that degrade the availability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVS and safety valves), AMSAC, or turbine trip should not be scheduled when a RTB train is inoperable for maintenance.

  • Due to the increased dependence on the available reactor trip train when one logic train or one RTB train is inoperable for maintenance, activities that degrade other components of the RTS, including master relays or slave relays, and activities that cause analog channels to be unavailable, should not be scheduled when a logic train or a RTB train is inoperable for maintenance.
  • Activities on electrical systems (e.g., AC and DC power) and cooling systems (e.g., essential service water) that support the systems or functions listed in the first two bullets should not be scheduled when a RTB train is inoperable for maintenance. That is, one complete train of a function that supports a complete train of a function noted above must be available.

S.1 and S.2 Condition S applies to the P-6 and P-10 interlocks. With one or more required channel(s) inoperable, the associated interlock must be verified to be in its required state for the existing unit condition within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. Verifying the interlock status manually, e.g., by observation of the associated permissive annunciator window, accomplishes the interlock's Function.

The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is based on operating experience and the (continued)

CALLAWAY PLANT B 3.3.1-48 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS S.1 and S.2 (continued) minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Times are equal to the time allowed by LCO 3.0.3 for shutdown actions in the event of a complete loss of RTS Function.

T.1 and T.2 Condition T applies to the P-7, P-8, P-9, and P-13 interlocks. With one or more required channel(s) inoperable, the associated interlock must be verified to be in its required state for the existing unit condition within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or the unit must be placed in MODE 2 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

These actions are conservative for the case where power level is being raised. Verifying the interlock status manually, e.g., by observation of the associated permissive annunciator window, accomplishes the interlock's Function. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 2 from full power in an orderly manner and without challenging unit systems.

U.1 and U.2 Condition U applies to the RTB Undervoltage and Shunt Trip Mechanisms, or diverse trip features, in MODES 1 and 2. With one of the diverse trip features inoperable, it must be restored to an OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> or the unit must be placed in a MODE where the requirement does not apply. This is accomplished by placing the unit in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> total time). The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.

With the unit in MODE 3, Condition C is entered if the inoperable trip mechanism has not been restored and the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted. The affected (continued)

CALLAWAY PLANT B 3.3.1-49 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS U.1 and U.2 (continued)

RTB shall not be bypassed while one of the diverse features is inoperable except for the time required to perform maintenance to restore the inoperable trip mechanism to OPERABLE status.

The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> for Required Action U.1 is reasonable considering that in this Condition there is one remaining diverse trip feature for the affected RTB, and one OPERABLE RTB capable of performing the safety function and given the low probability of an event occurring during this interval.

V.1, V.2.1, V.2.2.1, V.2.2.2, and V.2.3 Condition V applies to one inoperable Power Range Neutron Flux - Low channel in MODE 1 below the P-10 setpoint and in MODE 2 with keff 1.0.

The inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing the channel in the tripped condition results in a partial trip status requiring only a one-out-of-three logic for actuation of this reactor trip function. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to place the inoperable channel in the tripped condition is justified in Reference 17.

The Required Action is modified by a Note. The Note allows placing an inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 17.

If the inoperable channel can not be placed in the tripped condition within the specified 72-hour Completion Time, the plant must be placed in MODE 2 with keff < 1.0 within 78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br />. In addition, within 78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> action must be initiated to either fully insert all rods and make the Rod Control System incapable of rod withdrawal (e.g., by de-energizing all CRDMs, by opening the RTBs, or de-energizing the motor generator (MG) sets) or to initiate boration of the RCS to greater than the all-rods-out (ARO) critical boron concentration. Required Actions V.2.2.1 and V.2.2.2 would preclude an uncontrolled RCCA bank withdrawal accident from occurring. Required Action V.2.3 would provide sufficient SHUTDOWN MARGIN if an uncontrolled RCCA bank withdrawal event were to occur.

W.1 and W.2 Not used.

(continued)

CALLAWAY PLANT B 3.3.1-50 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS X.1 and X.2 (continued)

Condition X applies to the Environmental Allowance Modifier (EAM) circuitry for the SG Water Level - Low Low trip Function in MODES 1 and 2. With one or more EAM channel(s) inoperable, they must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing an EAM channel in trip automatically enables the SG Water Level - Low Low (Adverse Containment Environment) bistable for that protection channel, with its higher SG level Trip Setpoint (a higher trip setpoint means a reactor trip would occur sooner). The Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is based on Reference 17. If the inoperable channel cannot be placed in the tripped condition within the specified Completion Time, the unit must be placed in a MODE where this Function is not required to be OPERABLE. An additional six hours is allowed to place the unit in MODE 3.

Y.1 Condition Y applies to one inoperable Power Range Neutron Flux - Low channel in MODE 2 with keff < 1.0, and all RCS cold leg temperatures 500°F, and the RCS boron concentration less than or equal to the all-rods-out (ARO) critical boron concentration, and the Rod Control System capable of rod withdrawal or one or more rods not fully inserted. Condition Y also applies to one inoperable Power Range Neutron Flux - Low channel in MODE 3 with all RCS cold leg temperatures 500°F, and the RCS boron concentration less than or equal to the ARO critical boron concentration, and the Rod Control System capable of rod withdrawal or one or more rods not fully inserted. The inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing the channel in the tripped condition results in a partial trip status requiring only a one-out-of-three logic for actuation of this reactor trip function. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to place the inoperable channel in the tripped condition is justified in Reference 17.

The Required Action is modified by a Note. The Note allows placing an inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 17.

Z.1.1, Z.1.2, and Z.2 Condition Z applies when the Required Action and associated Completion Time of Condition Y is not met or if two or more channels in the Power Neutron Flux - Low trip Function are inoperable when the plant is (continued)

CALLAWAY PLANT B 3.3.1-51 Revision 15

RTS Instrumentation B 3.3.1 BASES ACTIONS Z.1.1, Z.1.2, and Z.2 (continued) operating with the MODES and specified conditions in the Applicability discussed above under Condition Y.

If the inoperable channel can not be placed in the tripped condition within the specified 72-hour Completion Time, or if two or more channels are inoperable, action must be initiated to fully insert all rods and to make the Rod Control System incapable of rod withdrawal (e.g., by de-energizing all CRDMs, by opening the RTBs, or de-energizing the motor generator (MG) sets). These actions will preclude an uncontrolled RCCA bank withdrawal accident from occurring.

If the inoperable channel cannot be placed in the tripped condition within the specified 72-hour Completion Time, or if two or more channels are inoperable, an alternate action is to initiate boration of the RCS to greater than the all-rods-out (ARO) critical boron concentration. Borating the RCS to greater than ARO critical boron concentration would provide sufficient SHUTDOWN MARGIN if an uncontrolled RCCA bank withdrawal event were to occur.

SURVEILLANCE The SRs for each RTS Function are identified by the SRs column of REQUIREMENTS Table 3.3.1-1 for that Function.

A Note has been added stating that Table 3.3.1-1 determines which SRs apply to which RTS Functions.

Note that each channel of process protection supplies both trains of the RTS. When testing Channel I, Train A and Train B must be examined.

Similarly, Train A and Train B must be examined when testing Channel II, Channel III, and Channel IV. The CHANNEL CALIBRATIONs and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

SR 3.3.1.1 Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two (continued)

CALLAWAY PLANT B 3.3.1-52 Revision 15

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.1 (continued)

REQUIREMENTS instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.2 SR 3.3.1.2 compares the calorimetric heat balance calculation to the power range channel output. If the calorimetric heat balance calculation results exceed the power range channel output by more than +2% RTP, the power range channel is not declared inoperable, but must be adjusted.

The power range channel output shall be adjusted consistent with the calorimetric heat balance calculation results if the calorimetric calculation exceeds the power range channel output by more than +2% RTP. If the power range channel output cannot be properly adjusted, the channel is declared inoperable.

If the calorimetic is performed at part-power (<40% RTP), adjusting the power range channel indication in the increasing power direction will assure a reactor trip below the power range high safety analysis limit (SAL) of 118% RTP in FSAR Table 15.0-4 (Reference 10). Making no adjustment to the power range channel in the decreasing power direction due to a part-power calorimetric assures a reactor trip consistent with the safety analyses.

This allowance does not preclude making indicated power adjustments, if desired, when the calorimetric heat balance calculation power is less than the power range channel output. To provide close agreement between indicated power and to preserve operating margin, the power range channels are normally adjusted when operating at or near full power during steady-state conditions. However, discretion must be exercised if (continued)

CALLAWAY PLANT B 3.3.1-53 Revision 15

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.2 (continued)

REQUIREMENTS the power range channel output is adjusted in the decreasing power direction due to a part-power calorimetric (<40% RTP). This action could introduce a non-conservative bias at higher power levels which could delay an NIS reactor trip until power is above the power range high SAL.

The cause of the non-conservative bias is the decreased accuracy of the calorimetric at reduced power conditions. The primary error contributor to the instrument uncertainty for a secondary side power calorimetric measurement is the feedwater flow measurement, which is determined by a P measurement across a feedwater venturi. While the measurement uncertainty remains constant in P span as power decreases, when translated into flow the uncertainty increases as a square term. Thus, a 1% flow error at 100% power can approach a 10% flow error at 30% RTP even though the P error has not changed. To assure a reactor trip below the power range high SAL, the power range neutron flux - high trip setpoint is first set at 85% RTP prior to adjusting the power range channel output in the decreasing power direction whenever the calorimetric power is 20% RTP and <40% RTP. To assure a reactor trip below the power range high SAL, the power range neutron flux - high trip setpoint is first set a 70% RTP prior to adjusting the power range channel output in the decreasing power direction whenever the calorimetric power is 15% RTP and <20% RTP. Adjustments in the increasing power direction do not require a prior decrease in the trip setpoint. Following a plant shutdown, it is permissible to reduce the power range neutron flux - high trip setpoint prior to startup. This would anticipate the potential need for a decreasing power direction adjustment, thereby obviating the need to suspend power escalation for the purpose of first reducing the trip setpoint. Before the power range neutron flux -

high trip setpoint is re-set to its nominal full power value ( 109% RTP),

the power range channel calibration must be confirmed based on a calorimetric performed at 40% RTP.

The Note to SR 3.3.1.2 clarifies that this Surveillance is required only if the reactor power is 15% RTP and that 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed for performing the first Surveillance after reaching 15% RTP. A power level of 15% RTP is chosen based on plant stability, i.e., automatic rod control capability (manual rod control is normally used at Callaway) and the turbine generator synchronized to the grid. The 24-hour allowance after increasing THERMAL POWER above 15% RTP provides a reasonable time to attain a scheduled power plateau, establish the requisite conditions, perform the required calorimetric measurement, and make any required adjustments in a controlled, orderly manner and without introducing the potential for extended operation at high power levels with instrumentation that has not been verified to be OPERABLE for subsequent use.

(continued)

CALLAWAY PLANT B 3.3.1-54 Revision 15

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.2 (continued)

REQUIREMENTS The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

In addition, control room operators periodically monitor redundant indications and alarms to detect deviations in channel outputs.

SR 3.3.1.3 SR 3.3.1.3 compares the incore system to the NIS channel output. If the absolute difference is 2%, the NIS channel is still OPERABLE, but must be readjusted. The excore NIS channel shall be adjusted if the absolute difference between the incore and excore AFD is 2%. The purpose of the comparison is to check for differences that result from core power distribution changes that may have occurred since the last required adjustment or incore-excore calibration (SR 3.3.1.6). If the NIS channel cannot be properly readjusted, the channel is declared inoperable. This Surveillance is performed to verify the f(I) input to the Overtemperature T Function.

The Note to SR 3.3.1.3 clarifies that the Surveillance is required only if reactor power is 50% RTP and that 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed for performing the first Surveillance after reaching 50% RTP. This Note allows power ascensions and associated testing to be conducted in a controlled and orderly manner, at conditions that provide acceptable results and without introducing the potential for extended operation at high power levels with instrumentation that has not been verified to be OPERABLE for subsequent use. Due to such effects as shadowing from the relatively deep control rod insertion and, to a lesser extent, the axially-dependent radial leakage which varies with power level, the relationship between the incore and excore indications of axial flux difference (AFD) at lower power levels is variable. Thus, it is acceptable to defer the calibration of the excore AFD against the incore AFD until more stable conditions are attained (i.e., withdrawn control rods and a higher power level). The AFD is used as an input to the Overtemperature T reactor trip function and for assessing compliance with LCO 3.2.3, "AXIAL FLUX DIFFERENCE."

Due to the DNB benefits gained by administratively restricting the power level to 50% RTP, no limits on AFD are imposed below 50% RTP by LCO 3.2.3; thus, the proposed change is consistent with the LCO 3.2.3 requirements below 50% RTP. Similarly, sufficient DNB margins are realized through operation below 50% RTP that the intended function of the Overtemperature T reactor trip function is maintained, even though (continued)

CALLAWAY PLANT B 3.3.1-55 Revision 15

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.3 (continued)

REQUIREMENTS the excore AFD indication may not exactly match the incore AFD indication. Based on plant operating experience, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is a reasonable time frame to limit operation above 50% RTP while completing the procedural steps associated with the surveillance in an orderly manner.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.4 SR 3.3.1.4 is the performance of a TADOT. This test shall verify OPERABILITY by actuation of the end devices. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified periodically by other Technical Specifications and non-Technical Specifications tests.

The RTB test shall include separate verification of the undervoltage and shunt trip mechanisms. Independent verification of RTB undervoltage and shunt trip Function is not required for the bypass breakers. No capability is provided for performing such a test at power. The independent test for bypass breakers is included in SR 3.3.1.14. The bypass breaker test shall include a local manual shunt trip only. A Note has been added to indicate that this test must be performed on the bypass breaker prior to placing it in service.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.5 SR 3.3.1.5 is the performance of an ACTUATION LOGIC TEST. The SSPS is tested, using the semiautomatic tester. The train being tested is placed in the bypassed condition, thus preventing inadvertent actuation.

Through the semiautomatic tester, all possible logic combinations, withand without applicable permissives, are tested for each protection function, including operation of the P-7 permissive which is a logic function only.

The Surveillance Frequency is based on operating experience, equipment (continued)

CALLAWAY PLANT B 3.3.1-56 Revision 15

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.5 (continued)

REQUIREMENTS (continued) reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.6 SR 3.3.1.6 is a calibration of the excore channels to the incore channels.

If the measurements do not agree, the excore channels are not declared inoperable but must be calibrated to agree with the incore power distribution measurements. The incore power distribution measurements can be obtained using the movable incore detectors or an OPERABLE power distribution monitoring system (PDMS) (Reference 22). If the excore channels cannot be adjusted, the channels are declared inoperable. This Surveillance is performed to verify the f(I) input to the Overtemperature T Function. Determination of the loop-specific vessel T and Tavg values should be made when performing this calibration, under steady state conditions (T0 and T' [T" for Overpower T] when at 100% RTP).

A Note modifies SR 3.3.1.6. The Note states that this Surveillance is required only if reactor power is 75% RTP and that 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after achieving equilibrium conditions with THERMAL POWER 75% RTP is allowed for performing the first surveillance. Equilibrium conditions are achieved when the core is sufficiently stable at intended operating conditions to obtain a power distribution measurement.

The SR is deferred until a scheduled testing plateau above 75% RTP is attained during a power ascension. During a typical power ascension, it is usually necessary to control the axial flux difference at lower power levels through control rod insertion. After equilibrium conditions are achieved at the specified power plateau, a power distribution measurement must be taken and the required data collected. The data is typically analyzed and the appropriate excore calibrations completed within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> after achieving equilibrium conditions. An additional time allowance of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is provided during which the effects of equipment failures may be remedied and any required re-testing may be performed.

The allowance of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after equilibrium conditions are attained at the testing plateau provides sufficient time to allow power ascensions and associated testing to be conducted in a controlled and orderly manner at conditions that provide acceptable results and without introducing the potential for extended operation at high power levels with instrumentation that has not been verified to be OPERABLE for subsequent use.

(continued)

CALLAWAY PLANT B 3.3.1-57 Revision 15

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.6 (continued)

REQUIREMENTS The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.7 SR 3.3.1.7 is the performance of a COT.

A COT is performed on each required channel to ensure the channel will perform the intended Function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified periodically by other Technical Specifications and non-Technical Specifications tests.

Setpoints must be within the Allowable Values specified in Table 3.3.1-1.

SR 3.3.1.7 is modified by two Notes. Note 1 provides a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> delay in the requirement to perform this Surveillance for source range instrumentation when entering MODE 3 from MODE 2. This Note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the Applicability is exited and SR 3.3.1.7 is no longer required to be performed. If the unit is to be in MODE 3 with the Rod Control System capable of rod withdrawal of one or more rods not fully inserted for > 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, this Surveillance must be performed prior to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after entry into MODE 3. Note 2 requires that the COT for the source range instrumentation shall include verification by observation of the associated permissive annunciator window that the P-6 and P-10 interlocks are in their required state for the existing unit conditions.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.8 SR 3.3.1.8 is the performance of a COT as described in SR 3.3.1.7, and it is modified by the same Note which states that this test shall include verification that the P-6 and P-10 interlocks are in their required state for (continued)

CALLAWAY PLANT B 3.3.1-58 Revision 15

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.8 (continued)

REQUIREMENTS (continued) the existing unit conditions by observation of the associated permissive annunciator window.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified periodically by other Technical Specifications and non-Technical Specifications tests.

The Frequency is modified by a Note that allows this surveillance to be satisfied if it has been performed within the frequency specified in the Surveillance Frequency Control Program prior to reactor startup, 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reducing power below P-10, and four hours after reducing power below P-6, as discussed below. The Frequency of "prior to reactor startup" ensures this surveillance is performed prior to critical operations and applies to the source, intermediate and power range low instrument channels. The Frequency of "12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reducing power below P-10" (applicable to intermediate and power range low channels) and "4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after reducing power below P-6" (applicable to source range channels) allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency thereafter applies if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup, 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reducing power below P-10, and four hours after reducing power below P-6.

The MODE of Applicability for this surveillance is < P-10 for the power range low and intermediate range channels and < P-6 for the source range channels. If power is to be maintained < P-10 for more than 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> or

< P-6 for more than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, then the testing required by this surveillance must be performed prior to the expiration of the 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> or 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> limit, as applicable. These time limits are reasonable, based on operating experience, to complete the required testing or place the unit in a MODE where this surveillance is no longer required. This test ensures that the NIS source, intermediate, and power range low channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (< P-10 or < P-6) for the periods discussed above. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

(continued)

CALLAWAY PLANT B 3.3.1-59 Revision 15

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.9 REQUIREMENTS (continued) SR 3.3.1.9 is the performance of a TADOT. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified periodically by other Technical Specifications and non-Technical Specifications tests.

This SR is modified by a Note that excludes verification of setpoints from the TADOT. Setpoint verification is accomplished during the CHANNEL CALIBRATION.

SR 3.3.1.10 CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the setpoint methodology.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.10 is modified by a Note stating that this test shall include verification that the time constants are adjusted to the prescribed values where applicable. This does not include verification of time delay relays.

These are verified via response time testing per SR 3.3.1.16. See the discussion of To in the Applicable Safety Analyses for the Overtemperature T and Overpower T trip functions. Whenever an RTD is replaced in Function 6 or 7, the next required CHANNEL CALIBRATION of the RTDs is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

The CHANNEL CALIBRATION of Function 6, Overtemperature T, includes the axial flux difference penalty circuitry in the 7300 Process Protection System cabinets, but does not include the power range neutron detectors. SR 3.3.1.11 and its Notes 1 and 3 govern the (continued)

CALLAWAY PLANT B 3.3.1-60 Revision 15

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.10 (continued)

REQUIREMENTS performance and timing of the power range neutron detector plateau voltage verification.

Although not required for any safety function, the CHANNEL CALIBRATION of Function 10, Reactor Coolant Flow-Low, will ensure proper performance and normalization of the RCS flow indicators.

SR 3.3.1.11 SR 3.3.1.11 is the performance of a CHANNEL CALIBRATION, as described in SR 3.3.1.10. This SR is modified by three Notes. Note 1 states that neutron detectors are excluded from the CHANNEL CALIBRATION. Neutron detectors are excluded from the CHANNEL CALIBRATION because it is impractical to set up a test that demonstrates and adjusts neutron detector response to known values of the parameter (neutron flux) that the channel monitors. Note 1 applies to the source range proportional counters, intermediate range ion chambers, and power range ion chambers in the Nuclear Instrumentation System (NIS). Note 2 states that this test shall include verification that the time constants are adjusted to the prescribed values where applicable. Detector plateau curves are obtained, evaluated, and compared to manufacturers data for the intermediate and power range neutron detectors. The testing of the source range neutron detectors consists of obtaining integral bias curves, evaluating those curves, and comparing the curves to previous data.

Note 3 states that the power and intermediate range detector plateau voltage verification is not required to be current until 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after achieving equilibrium conditions with THERMAL POWER 95% RTP.

Equilibrium conditions are achieved when the core is sufficiently stable at intended operating conditions to perform a meaningful detector plateau voltage verification. The allowance of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after equilibrium conditions are attained at the testing plateau provides sufficient time to allow power ascension testing to be conducted in a controlled and orderly manner at conditions that provide acceptable results and without introducing the potential for extended operation at high power levels with instrumentation that has not been verified to be OPERABLE for subsequent use. The source range integral bias curves are obtained under the conditions that apply during a plant outage.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The conditions for obtaining the source range integral bias curves and the power and intermediate range detector plateau voltages are described above. The other remaining portions of the (continued)

CALLAWAY PLANT B 3.3.1-61 Revision 15

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.11 (continued)

REQUIREMENTS CHANNEL CALIBRATIONS may be performed either during a plant outage or during plant operation.

SR 3.3.1.12 Not used.

SR 3.3.1.13 SR 3.3.1.13 is the performance of a COT of RTS interlocks. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified periodically by other Technical Specifications and non-Technical Specifications tests.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.14 SR 3.3.1.14 is the performance of a TADOT of the Manual Reactor Trip, the SI Input from ESFAS, and the Reactor Trip Bypass Breaker undervoltage trip mechanisms. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified periodically by other Technical Specifications and non-Technical Specifications tests.

The Manual Reactor Trip TADOT shall independently verify the OPERABILITY of the undervoltage and shunt trip handswitch contacts for both the Reactor Trip Breakers and Reactor Trip Bypass Breakers. The Reactor Trip Bypass Breaker test shall include testing of the automatic undervoltage trip mechanism.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

(continued)

CALLAWAY PLANT B 3.3.1-62 Revision 15

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.14 (continued)

REQUIREMENTS The SR is modified by a Note that excludes verification of setpoints from the TADOT. The Functions affected have no setpoints associated with them.

SR 3.3.1.15 SR 3.3.1.15 is the performance of a TADOT of Turbine Trip Functions. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. This TADOT is performed prior to exceeding the P-9 interlock whenever the unit has been in MODE 3. This Surveillance is not required if it has been performed within the previous 31 days. Verification of the Trip Setpoint does not have to be performed for this Surveillance.

Performance of this test will ensure that the turbine trip Function is OPERABLE prior to exceeding the P-9 interlock.

SR 3.3.1.16 SR 3.3.1.16 verifies that the individual channel actuation response times are less than or equal to the maximum values assumed in the accident analysis. Response time verification acceptance criteria are included in Reference 8. No credit was taken in the safety analyses for those channels with response times listed as N.A. No response time testing requirements apply where N.A. is listed in Reference 8. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor until loss of stationary gripper coil voltage (at which point the rods are free to fall).

The safety analyses include the sum of the following response time components:

(a) Process delay times (e.g., scoop transport delay and thermal lag associated with the narrow range RCS RTDs used in the OTT and OPT functions) which are not testable; (b) Sensing circuitry delay time from the time the trip setpoint is reached at the sensor until a reactor trip is generated by the SSPS; (continued)

CALLAWAY PLANT B 3.3.1-63 Revision 15

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.16 (continued)

REQUIREMENTS (c) Any intentional time delay set into the trip circuitry (e.g.,

undervoltage relay time delay, NLL cards (lag, lead/lag, rate/lag) and NPL cards (PROM logic cards for trip time delay) associated with the OTT and OPT trip functions, and NLL cards (lead/lag) associated with the low pressurizer pressure reactor trip function) to add margin or prevent spurious trip signals; (d) For the undervoltage RCP trip function, back EMF delay from the time of the loss of the bus voltage until the back EMF voltage generated by the bus loads has decayed; (e) The time delay for the reactor trip breakers to open; and (f) The time delay for the control rod drive stationary gripper coil voltage to decay and the rod control cluster assembly (RCCA) grippers to mechanically release making the rods free to fall (i.e.,

gripper release time).

For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time verification is performed with the time constants set at their nominal values. Time constants are verified during the performance of SR 3.3.1.10 and SR 3.3.1.11. The response time may be verified by a series of overlapping tests, or other verification (e.g.,

Ref. 9 and Ref. 15), such that the entire response time is verified.

Response time may be verified by actual response time tests in any series of sequential, overlapping, or total channel measurements, or by the summation of allocated sensor, signal processing, and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from:

1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests); (2) inplace, onsite, or offsite (e.g. vendor) test measurements; or (3) utilizing vendor engineering specifications.

WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," provides the basis andmethodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.

WCAP-14036-P-A, Revision 1, Elimination of Periodic Protection Channel Response Time Tests, provides the basis and methodology for using allocated signal processing and actuation logic response times in the (continued)

CALLAWAY PLANT B 3.3.1-64 Revision 15

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.16 (continued)

REQUIREMENTS overall verification of the protection system channel response time. The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value.

Specific components identified in References 9 and 15 may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. Response time verification for the functions listed in References 8 and 10 includes testing of the response time for the reactor trip breakers to open (identified as item (e) in the above description of the safety analysis response time components).

Another component of the overall RTS response time verification for the functions listed in References 8 and 10 is the gripper release time which is described in item (f) in the above description of the safety response time components. This is the time for the control and shutdown rod drive stationary gripper coil voltage to decay and the RCCA grippers to mechanically release, thereby rendering the control and shutdown rods free to fall.

SR 3.1.4.3 verifies the rod drop time from the beginning of decay of stationary fripper coil voltage to dashpot entry. The end point of the RTS response time definition, i.e., until loss of stationary gripper coil voltage, is less discernible and would overlap a portion of the total rod drop time verified in SR 3.1.4.3. However, the gripper release time may conservatively be quantified as the time from when the reactor trip breaker opens until the time when rod movement is first detected.

Some portions of the response time testing cannot be performed during unit operation because equipment operation is required to measure response times.

SR 3.3.1.16 is modified by a Note stating that neutron detectors are excluded from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal.

Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response. Response time of the neutron flux signal portion of the channel shall be verified from detector output or input to the first electronic component in the channel.

(continued)

CALLAWAY PLANT B 3.3.1-65 Revision 15

RTS Instrumentation B 3.3.1 BASES REFERENCES 1. FSAR, Chapter 7.

2. FSAR, Chapter 15.
3. IEEE-279-1971.
4. 10 CFR 50.49.
5. Callaway OL Amendment No. 17 dated September 8, 1986.
6. Callaway Setpoint Methodology Report, SNP (UE)-565 dated May 1, 1984.
7. Callaway OL Amendment No. 43 dated April 14, 1989.
8. FSAR Section 16.3, Table 16.3-1.
9. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," January 1996.
10. FSAR Table 15.0-4.
11. WCAP-9226-P-A, "Reactor Core Response to Excessive Secondary Steam Releases," Revision 1, February 1998.
12. Deleted.
13. FSAR Section 15.1.1.
14. RFR - 18637A.
15. WCAP-14036-P-A, Revision 1, Elimination of Periodic Protection Channel Response Time Tests, October 1998.
16. FSAR Section 15.4.6.
17. WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," October 1998.
18. WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," March 2003.
19. Westinghouse letter SCP-04-90 dated August 27, 2004.

(continued)

CALLAWAY PLANT B 3.3.1-66 Revision 15

RTS Instrumentation B 3.3.1 BASES REFERENCE 20. ULNRC-03748 dated February 27, 1998.

(continued)

21. IDP-ZZ-0017.
22. WCAP-12472-P-A, BEACON Core Monitoring and Operations Support System, August 1994.
23. WCAP-12472-P-A, Addendum 1-A CALLAWAY PLANT B 3.3.1-67 Revision 15

RTS Instrumentation B 3.3.1 Table B 3.3.1-1 RTS Instrumentation (Page 1 of 3)

FUNCTION NOMINAL TRIP SETPOINT (a)

1. Manual Reactor Trip N.A.
2. Power Range Neutron Flux
a. High 109% RTP
b. Low 25% RTP
3. Power Range Neutron Flux Rate - High 4.25% RTP with time Positive Rate constant 2 sec.
4. Intermediate Range Neutron Flux 25% RTP
5. Source Range Neutron Flux 1.0E5 CPS
6. Overtemperature T See Table 3.3.1-1 Note 1.
7. Overpower T See Table 3.3.1-1 Note 2.
8. Pressurizer Pressure
a. Low 1885 psig
b. High 2385 psig
9. Pressurizer Water Level - High 92% of instrument span
10. Reactor Coolant Flow - Low 90% of indicated loop flow (continued)

(a) The inequality sign only indicates conservative direction. The as-left value will be within a two-sided calibration tolerance band on either side of the nominal value. This also applies to the Overtemperature T and Overpower T K values per Reference 14.

CALLAWAY PLANT B 3.3.1-68 Revision 15

RTS Instrumentation B 3.3.1 Table B 3.3.1-1 RTS Instrumentation (Page 2 of 3)

FUNCTION NOMINAL TRIP SETPOINT (a)

11. Not used
12. Undervoltage RCPs 10,584 Vac
13. Underfrequency RCPs 57.2 Hz
14. Steam Generator (SG) Water Level Low-Low
a. Steam Generator Water Level 21.0% of narrow range Low-Low (Adverse Containment instrument span Environment)
b. Steam Generator Water Level 17.0 % of narrow range Low-Low (Normal Containment instrument span Environment)
c. Not used.
d. Containment Pressure - 1.5 psig Environmental Allowance Modifier
15. Not used.

(continued)

(a) The inequality sign only indicates conservative direction. The as-left value will be within a two-sided calibration tolerance band on either side of the nominal value. This also applies to the Overtemperature T and Overpower T K values per Reference 14.

CALLAWAY PLANT B 3.3.1-69 Revision 15

RTS Instrumentation B 3.3.1 Table B 3.3.1-1 RTS Instrumentation (Page 3 of 3)

FUNCTION NOMINAL TRIP SETPOINT (a)

16. Turbine Trip
a. Low Fluid Oil Pressure 598.94 psig
b. Turbine Stop Valve Closure 1% open
17. Safety Injection (SI) Input from N.A.

Engineered Safety Feature Actuation System (ESFAS)

18. Reactor Trip System Interlocks
a. Intermediate Range Neutron Flux, 1.0E-10 amps P-6
b. Low Power Reactor Trips Block, N.A.

P-7

c. Power Range Neutron Flux, P-8 48% RTP
d. Power Range Neutron Flux, P-9 50% RTP
e. Power Range Neutron Flux, P-10 10% RTP
f. Turbine Impulse Pressure, P-13 10% Turbine Power
19. Reactor Trip Breakers N.A.
20. Reactor Trip Breaker Undervoltage and N.A.

Shunt Trip Mechanisms

21. Automatic Trip Logic N.A.

(a)

The inequality sign only indicates conservative direction. The as-left value will be within a two-sided calibration tolerance band on either side of the nominal value. This also applies to the Overtemperature T and Overpower T K values per Reference 14.

CALLAWAY PLANT B 3.3.1-70 Revision 15

ESFAS Instrumentation B 3.3.2 B 3.3 INSTRUMENTATION B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation BASES BACKGROUND The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents.

The ESFAS instrumentation is segmented into three distinct but interconnected modules as identified below:

  • Field transmitters or process sensors and instrumentation: provide a measurable electronic signal based on the physical characteristics of the parameter being measured;
  • Signal processing equipment including 7300 Process Protection System, field contacts, and protection channel sets: provide signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications; and
  • Solid State Protection System (SSPS) including input, logic, and output bays and Balance of Plant (BOP) ESFAS circuitry: initiate the proper unit shutdown or engineered safety feature (ESF) actuation in accordance with the defined logic and based on the bistable outputs from the signal process control and protection system.

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS).

In some cases, the same channels also provide control system inputs. To account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the Nominal Trip Setpoint and Allowable Values. The OPERABILITY of each transmitter or sensor can be evaluated when its "as found" calibration data are compared against its documented acceptance criteria.

(continued)

CALLAWAY PLANT B 3.3.2-1 Revision 16

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND Signal Processing Equipment (continued)

Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in Reference 2.

Nominal Trip Setpoints and Allowable Values The Nominal Trip Setpoints are the values at which the bistables are set.

Any bistable is considered to be properly adjusted when the "as left" value is within the two-sided tolerance band for rack calibration accuracy.

(continued)

CALLAWAY PLANT B 3.3.2-2 Revision 16

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND Nominal Trip Setpoints and Allowable Values (continued)

The Nominal Trip Setpoints listed in Table B 3.3.2-1 and used in the bistables are based on the analytical limits stated in Reference 3. The selection of these Nominal Trip Setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and harsh environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the Nominal Trip Setpoints specified in Table B 3.3.2-1 are conservatively adjusted with respect to the analytical limits. A detailed description of the methodologies used to calculate the Nominal Trip Setpoints, including their explicit uncertainties, is provided in Reference 6.

The methodology used to calculate the Nominal Trip Setpoints for Functions 1.e, 4.e(1), 5.c, 5.e.(1), 5.e.(2), 6.d.(1), and 6.d.(2) in Table B 3.3.3.2-1 is described in Reference 20. This is the same basic square-root-sum-of-squares (SRSS) methodology described in References 6 and 21 (Reference 21 was reviewed and approved by NRC in support of Callaway Amendment 125 dated April 13, 1998), but with the inclusion of refinements to better reflect plant calibration practices and equipment performance. These refinements include the incorporation of a sensor reference accuracy term to address repeatability effects when performing a single pass calibration (i.e., one up and one down pass at several points verifies linearity and hysteresis, but not repeatability). In addition, sensor and rack error terms for calibration accuracy and drift are grouped in the Channel Statistical Allowance equation with their dependent M&TE terms, then combined with the other independent error terms using the SRSS methodology. The BOP methodology used for Function 6.h is a similar square-root-sum-of-squares (SRSS) methodology as used for the RTS setpoints. The actual Nominal Trip Setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a COT. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.

Setpoints in accordance with the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed.

Each channel can be tested on line to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal.

The process equipment for the channel in test is then tested, (continued)

CALLAWAY PLANT B 3.3.2-3 Revision 16

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND Nominal Trip Setpoints and Allowable Values (continued) verified, and calibrated. SRs for the channels are specified in the SR section.

The Allowable Values listed in Table 3.3.2-1 in the accompanying LCO, except for Functions 1.e, 4.e.(1), 5.c, 5.e.(1), 5.e.(2), 6.d.(1), and 6.d.(2),.are based on the methodologies described in Reference 6, which incorporate all of the known uncertainties applicable for each channel.

The Allowable Values for Functions 1.e, 4.e.(1), 5.c, 5.e.(1), 5.e.(2),

6.d.(1), and 6.d.(2) in the accompanying LCO are based on the Nominal Trip Setpoints and are determined by subtracting (for low setpoint trips) or adding (for high setpoint trips) the rack calibration accuracy from/to the Nominal Trip Setpoint. The magnitudes of these uncertainties are factored into the determination of each Nominal Trip Setpoint. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes.

Solid State Protection System The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result.

Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.

The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

Each SSPS train has a built in testing device that can automatically test the decision logic matrix functions and the actuation devices while the unit (continued)

CALLAWAY PLANT B 3.3.2-4 Revision 16

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND Solid State Protection System (continued) is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

The actuation of ESF components is accomplished through master and slave relays. The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay.

Balance of Plant (BOP) ESFAS The BOP ESFAS processes signals from SSPS, signal processing equipment (e.g., LSELS), and plant radiation monitors to actuate certain ESF equipment. There are two redundant trains of BOP ESFAS (separation groups 1 and 4), and a third separation group (separation group 2) to actuate the Turbine Driven Auxiliary Feedwater pump and reposition automatic valves (turbine steam supply valves, turbine trip and throttle valve) as required. The separation group 2 BOP-ESFAS cabinet is considered to be part of the end device (the Turbine Driven Auxiliary Feedwater pump) and its OPERABILITY is addressed under LCO 3.7.5, "Auxiliary Feedwater (AFW) System." The redundant trains provide actuation for the Motor Driven Auxiliary Feedwater pumps (and reposition automatic valves as required, i.e., steam generator blowdown and sample line isolation valves, ESW supply valves, CST supply valves),

Containment Purge Isolation, Control Room Emergency Ventilation, and Emergency Exhaust Actuation functions.

The BOP ESFAS has a built-in automatic test insertion (ATI) feature which continuously tests the system logic. Any fault detected during the testing causes an alarm on the main control room overhead annunciator system to alert operators to the problem. Local indication shows the test step where the fault was detected.

(continued)

CALLAWAY PLANT B 3.3.2-5 Revision 16

ESFAS Instrumentation B 3.3.2 BASES (Continued)

APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, for that accident. An ESFAS Function may be the primary actuation LCO, AND signal for more than one type of accident. An ESFAS Function may also APPLICABILITY be a secondary, or backup, actuation signal for one or more other accidents. For example, Pressurizer Pressure - Low is a primary actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment. Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).

The LCO requires all instrumentation performing an ESFAS Function to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. The Allowable Value column for Functions 1.e (Safety Injection on Steam Line Pressure - Low), 4.e.1 (Steam Line Isolation on Steam Line Pressure -

Low), 5.c (Turbine Trip and Feedwater Isolation on Steam Generator Water Level - High High), 5.e.1 (Feedwater Isolation on Steam Generator Water Level - Low Low (Adverse Containment Environment)), 5.e.2 (Feedwater Isolation on Steam Generator Water Level - Low Low (Normal Containment Environment)), 6.d.1 (Auxiliary Feedwater Actuation on Steam Generator Water Level - Low Low (Adverse Containment Environment)), and 6.d.2 (Auxiliary Feedwater Actuation on Steam Generator Water Level - Low Low (Normal Containment Environment)) in TS Table 3.3.2-1 is modified by two Notes. If the as-found instrument channel setpoint for any of these specific Function's channels is found to be outside the two-sided as-found test acceptance criteria band on either side of the Nominal Trip Setpoint, even if the as-found setting is conservative with respect to the Allowable Value, Note 1 requires that an assessment of channel performance shall be performed prior to returning the channel to service. The evaluation of channel performance will verify that the channel will continue to behave in accordance with design basis assumptions. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. An initial assessment shall be performed by the technician performing the surveillance who will evaluate the channel's ability to maintain a stable setpoint within the calibration tolerance band. The return of this channel to service shall require the approval of on-shift supervision after a review of the surveillance test results and the technician's initial assessment.

(continued)

CALLAWAY PLANT B 3.3.2-6 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE In addition, the affected channel shall be addressed under the corrective SAFETY action program, including that program's evaluation completion time ANALYSES, requirements.

LCO, AND APPLICABILITY Note 2 requires the instrument channel setpoint for a channel in these (continued) Functions to be reset to a value within the as-left setpoint tolerance band for that channel on either side of the Nominal Trip Setpoint, or to a value that is more conservative than the Nominal Trip Setpoint. One example of a situation where the latter was used is discussed in Amendment 157.

The conservative direction is indicated by the direction of the inequality sign applied to the Nominal Trip Setpoint in Bases Table B 3.3.2-1.

Setpoint restoration and post-test verification assure that the assumptions in the plant setpoint methodology (Reference 20) are satisfied in order to protect the safety analysis limits. Note 2 preserves the safety analysis limits. If the channel can not be reset to a value within its as-left setpoint tolerance band, or to a value that is more conservative than the Nominal Trip Setpoint if required based on plant conditions, the channel shall be declared inoperable and the applicable Required Actions are taken. The methodology used to determine the as-found test acceptance criteria band and the as-left setpoint tolerance band is based on the square-root-sum-of- squares (SRSS) of the tolerances applicable to the instrument loop or sub-loop constituents being tested and is discussed in Reference 22.

For channels that have a history of proper performance, an out-of-tolerance condition may be a 5% statistical outlier which is to be expected for a setpoint methodology that is based on maintaining a 95% probability with a 95% confidence level of proper performance. If the channel performance evaluation demonstrates this to be the case, the as-found and as-left setpoint data will be trended and no further evaluation would be performed until the next CHANNEL OPERATIONAL TEST.

All as-found and as-left setpoint data for these specific Functions obtained during CHANNEL OPERATIONAL TESTS shall be trended to demonstrate that the rack drift assumptions used in the plant setpoint methodology are valid. If the trending evaluation determines that a channel is performing inconsistent with the uncertainty allowances applicable to the periodic surveillance test being performed (e.g., whether it be a COT, CHANNEL CALIBRATION, etc.), the channel shall be evaluated under the corrective action program. If the channel is not capable of performing its specified safety function, it shall be declared inoperable.

The LCO generally requires OPERABILITY of three or four channels in each instrumentation function and two channels in each logic and manual (continued)

CALLAWAY PLANT B 3.3.2-7 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE initiation function. The two-out-of-three and the two-out-of-four SAFETY configurations allow one channel to be tripped during maintenance or ANALYSES, testing without causing an ESFAS initiation. In cases where an LCO, AND inoperable channel is placed in the tripped condition indefinitely to satisfy APPLICABILITY the Required Action of an LCO, the logic configurations are reduced to (continued) one-out-of-two and one-out-of-three where tripping of an additional channel, for any reason, would result in an ESFAS initiation. To allow for surveillance testing or setpoint adjustment of other channels while in this condition, several Required Actions allow the inoperable channel to be bypassed. Bypassing the inoperable channel creates a two-out-of-two or two-out-of-three logic configuration allowing a channel to be tripped for testing without causing an ESFAS initiation. Two logic or manual initiation channels are required to ensure no single random failure disables the ESFAS.

The required channels of ESFAS instrumentation provide unit protection in the event of any of the analyzed accidents. ESFAS protection functions are as follows:

1. Safety Injection Safety Injection (SI) provides two primary functions:
1. Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal, clad integrity, and for limiting peak clad temperature to < 2200°F); and
2. Boration to ensure recovery and maintenance of SDM (keff < 1.0).

These functions are necessary to mitigate the effects of high energy line breaks (HELBs) both inside and outside of containment. The SI signal is also used to initiate other Functions such as:

  • Phase A Isolation;

CALLAWAY PLANT B 3.3.2-8 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 1. Safety Injection (continued)

SAFETY ANALYSES,

  • Isolation of SG blowdown and sample lines; LCO, AND APPLICABILITY
  • Emergency DG start;
  • Initiation of LSELS LOCA sequencer;
  • Containment Cooling;
  • Emergency Exhaust System in the LOCA (SIS) mode;
  • Start of ESW and CCW pumps; and
  • Hydrogen mixing fans start in slow speed.

These other functions ensure:

  • Isolation of nonessential systems through containment penetrations;
  • Trip of the turbine and reactor to limit power generation;
  • Isolation of main feedwater (MFW) to limit secondary side mass losses;
  • Start of AFW to ensure secondary side cooling capability;
  • Isolation of SG blowdown and sample lines to limit uncontrolled SG blowdown;
  • Enabling ECCS suction from the refueling water storage tank (RWST) switchover on low-low 1 RWST level to ensure continued cooling via use of the containment recirculation sumps;
  • Emergency loads for LOCA are properly sequenced and powered;
  • Containment cooling to preserve containment integrity; (continued)

CALLAWAY PLANT B 3.3.2-9 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 1. Safety Injection (continued)

SAFETY ANALYSES,

  • Emergency Exhaust System operation in the LOCA (SIS)

LCO, AND mode to maintain the auxiliary building at a negative APPLICABILITY pressure and filter its exhaust;

  • Start of ESW and CCW to service safety-related systems; and
  • Hydrogen mixing fans start in slow speed to protect the mixing fan motors.
a. Safety Injection - Manual Initiation The LCO requires one channel per train to be OPERABLE.

The operator can initiate SI at any time by using either of two switches in the control room. This action will cause actuation of all components in the same manner as any of the automatic actuation signals.

The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained in the manual ESFAS actuation circuitry to ensure the operator has manual ESFAS initiation capability.

Each channel consists of one switch and the interconnecting wiring to the actuation logic cabinet. Each switch actuates both trains. This configuration does not allow testing at power.

b. Safety Injection - Automatic Actuation Logic and Actuation Relays (SSPS)

This LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

Manual and automatic initiation of SI must be OPERABLE in MODES 1, 2, and 3. In these MODES, there is sufficient energy in the primary and secondary systems to warrant automatic initiation of ESF systems. Manual Initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a (continued)

CALLAWAY PLANT B 3.3.2-10 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE b. Safety Injection - Automatic Actuation Logic and Actuation SAFETY Relays (SSPS) (continued)

ANALYSES, LCO, AND DBA, but because of the large number of components APPLICABILITY actuated on a SI, actuation is simplified by the use of the manual actuation switches. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation.

These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. Unit pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

c. Safety Injection - Containment Pressure - High 1 This signal provides protection against the following accidents:
  • SLB inside containment;
  • Feed line break inside containment.

Containment Pressure - High 1 provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic. The transmitters (d/p cells) and electronics are located outside of containment with the sensing line (high pressure side of the transmitter) located inside containment.

Thus, the high pressure Function will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties. The Trip Setpoint is 3.5 psig.

Containment Pressure - High 1 must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary systems to pressurize the (continued)

CALLAWAY PLANT B 3.3.2-11 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE c. Safety Injection - Containment Pressure - High 1 SAFETY (continued)

ANALYSES, LCO, AND containment following a pipe break. In MODES 4, 5, APPLICABILITY and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment.
d. Safety Injection - Pressurizer Pressure - Low This signal provides protection against the following accidents:
  • Inadvertent opening of a steam generator (SG) atmospheric steam dump valve or safety valve;
  • SLB;
  • A spectrum of rod cluster control assembly ejection accidents (rod ejection);
  • Inadvertent opening of a pressurizer PORV or safety valve;
  • SG Tube Rupture.

The pressurizer pressure channels provide both control and protection functions: input to the Pressurizer Pressure Control System, reactor trip, SI, and automatic PORV actuation. Therefore, the actuation logic must be able to withstand both an input failure to control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with a two-out-of-four logic.

The transmitters are located inside containment, with the taps in the vapor space region of the pressurizer, and thus possibly experiencing adverse environmental conditions (LOCA, SLB inside containment, rod ejection). Therefore, the Trip Setpoint reflects the inclusion of both steady state and adverse environment instrument uncertainties. The Trip Setpoint is 1849 psig.

(continued)

CALLAWAY PLANT B 3.3.2-12 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE d. Safety Injection - Pressurizer Pressure - Low (continued)

SAFETY ANALYSES, This Function must be OPERABLE in MODES 1, 2, and 3 LCO, AND (above P-11 and below P-11 unless the Safety Injection -

APPLICABILITY Pressurizer Pressure - Low Function is blocked) to mitigate the consequences of an HELB inside containment. This signal may be manually blocked by the operator below the P-11 setpoint. Automatic SI actuation below this pressure setpoint is then performed by the Containment Pressure -

High 1 signal.

This Function is not required to be OPERABLE in MODE 3 below the P-11 setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF systems in this MODE. In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation.

e. Safety Injection - Steam Line Pressure Steam Line Pressure - Low Steam Line Pressure - Low provides protection against the following accidents:
  • SLB;
  • Feed line break; and
  • Inadvertent opening of an SG atmospheric steam dump valve or an SG safety valve.

Steam Line Pressure - Low provides no input to any control functions. Thus, three OPERABLE channels on each steam line are sufficient to satisfy the protective requirements with a two-out-of-three logic on each steam line.

With the transmitters located inside Area 5 (the steam tunnel), it is possible for them to experience adverse environmental conditions during a secondary side break. Therefore, the Trip Setpoint reflects both steady state and adverse environment instrument uncertainties. The Trip Setpoint is 615 psig.

(continued)

CALLAWAY PLANT B 3.3.2-13 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE e. Steam Line Pressure - Low (continued)

SAFETY ANALYSES, This Function is anticipatory in nature and has a LCO, AND lead/lag ratio of 50/5.

APPLICABILITY Steam Line Pressure - Low must be OPERABLE in MODES 1, 2, and 3 (above P-11 and below P-11 unless the Safety Injection - Steam Line Pressure - Low Function is blocked) when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines.

This signal may be manually blocked by the operator below the P-11 setpoint. Below P-11, feed line break is not a concern. Inside containment SLB will be terminated by automatic SI actuation via Containment Pressure - High 1, and outside containment SLB will be terminated by the Steam Line Pressure - Negative Rate - High signal for steam line isolation. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to have a significant effect on required plant equipment.

2. Containment Spray Containment Spray provides three primary functions:
1. Lowers containment pressure and temperature after an HELB in containment;
2. Reduces the amount of radioactive iodine in the containment atmosphere; and
3. Adjusts the pH of the water in the containment recirculation sumps after a large break LOCA, in conjunction with the Recirculation Fluid pH Control (RFPC) system.

These functions are necessary to:

  • Ensure the pressure boundary integrity of the containment structure;
  • Limit the release of radioactive iodine to the environment in the event of a failure of the containment structure; and (continued)

CALLAWAY PLANT B 3.3.2-14 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 2. Containment Spray (continued)

SAFETY ANALYSES,

  • Minimize corrosion of the components and systems inside LCO, AND containment following a LOCA.

APPLICABILITY The containment spray actuation signal starts the containment spray pumps and aligns the discharge of the pumps to the containment spray nozzle headers in the upper levels of containment. Water is initially drawn from the RWST by the containment spray pumps. When the RWST reaches the low-low 2 level setpoint, the spray pump suctions are manually realigned to the containment recirculation sumps if continued containment spray is required. Containment spray is actuated by Containment Pressure-High 3.

a. Containment Spray - Manual Initiation The operator can initiate containment spray at any time from the control room by simultaneously turning two containment spray actuation switches in the same train.

Because an inadvertent actuation of containment spray could have such serious consequences, two switches must be turned simultaneously to initiate containment spray.

There are two sets of two switches each in the control room. Simultaneously turning the two switches in either set will actuate containment spray in both trains in the same manner as the automatic actuation signal. Two Manual Initiation switches in each train are required to be OPERABLE to ensure no single failure disables the Manual Initiation Function. Note that Manual Initiation of containment spray also actuates Phase B containment isolation.

b. Containment Spray - Automatic Actuation Logic and Actuation Relays (SSPS)

Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

Manual and automatic initiation of containment spray must be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident to occur, and sufficient energy in the primary or secondary systems to pose a threat to containment integrity due to overpressure conditions.

Manual initiation is also required in MODE 4, even though (continued)

CALLAWAY PLANT B 3.3.2-15 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE b. Containment Spray - Automatic Actuation Logic and SAFETY Actuation Relays (SSPS) (continued)

ANALYSES, LCO, AND automatic actuation is not required. In this MODE, APPLICABILITY adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a containment spray, actuation is simplified by the use of the manual actuation switches. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary and secondary systems to result in containment overpressure. In MODES 5 and 6, there is also adequate time for the operators to evaluate unit conditions and respond, to mitigate the consequences of abnormal conditions by manually starting individual components.
c. Containment Spray - Containment Pressure This signal provides protection against a LOCA or an SLB inside containment. The transmitters (d/p cells) are located outside of containment with the sensing line (high pressure side of the transmitter) located inside containment. The transmitters and electronics are located outside of containment. Thus, they will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties. The Trip Setpoint is 27.0 psig.

This is one of the only Functions that requires the bistable output to energize to perform its required action (see also ESFAS Function 7.b). It is not desirable to have a loss of power actuate containment spray, since the consequences of an inadvertent actuation of containment spray could be serious. Note that this Function also has the inoperable channel placed in bypass rather than trip to decrease the probability of an inadvertent actuation.

Four channels are used in a two-out-of-four logic configuration. This configuration is called the Containment Pressure-High 3 Setpoint. Additional redundancy is warranted because this Function is energize to trip.

Containment Pressure-High 3 must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary sides to pressurize the containment (continued)

CALLAWAY PLANT B 3.3.2-16 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE c. Containment Spray - Containment Pressure (continued)

SAFETY ANALYSES, following a pipe break. In MODES 4, 5, and 6, there is LCO, AND insufficient energy in the primary and secondary sides to APPLICABILITY pressurize the containment and reach the Containment Pressure-High 3 setpoint.

3. Containment Isolation Containment Isolation provides isolation of the containment atmosphere, and all process systems that penetrate containment, from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a large break LOCA.

There are two separate Containment Isolation signals, Phase A and Phase B. Phase A isolation isolates all automatically isolable process lines, except component cooling water (CCW), at a relatively low containment pressure indicative of primary or secondary system leaks. For these types of events, forced circulation cooling using the reactor coolant pumps (RCPs) and SGs is the preferred (but not required) method of decay heat removal. Since CCW is required to support RCP operation, not isolating CCW on the low pressure Phase A signal enhances unit safety by allowing operators to use forced RCS circulation to cool the unit. Isolating CCW on the low pressure signal may force the use of feed and bleed cooling, which could prove more difficult to control.

Phase A containment isolation is actuated automatically by SI, or manually via the automatic actuation logic. All process lines penetrating containment, with the exception of CCW, are isolated.

CCW is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers, motor air coolers, and upper and lower bearing coolers. All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE 4.

Manual Phase A Containment Isolation is accomplished by either of two switches in the control room. Either switch actuates both trains. Manual or automatic actuation of Phase A Containment Isolation also actuates Containment Purge Isolation.

The Phase B signal isolates CCW. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or (continued)

CALLAWAY PLANT B 3.3.2-17 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 3. Containment Isolation (continued)

SAFETY ANALYSES, an SLB. For these events, forced circulation using the RCPs is no LCO, AND longer desirable. Isolating the CCW at the higher pressure does APPLICABILITY not pose a challenge to the containment boundary because the CCW System is a closed loop inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the system is continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint. Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment. Therefore, the combination of CCW System design and Phase B isolation ensures the CCW System is not a potential path for radioactive release from containment.

Phase B containment isolation is actuated by Containment Pressure - High 3, or manually, via the automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure - High 3, a large break LOCA or SLB must have occurred and containment spray must have been actuated. RCP operation will no longer be required and CCW to the RCPs is, therefore, no longer necessary.

The RCPs can be operated with seal injection flow alone and without CCW flow to the thermal barrier heat exchanger.

Manual Phase B Containment Isolation is accomplished by the same switches that actuate Containment Spray. When the two switches in either set are turned simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in both trains.

a. Containment Isolation - Phase A Isolation (1) Phase A Isolation - Manual Initiation Manual Phase A Containment Isolation is actuated by either of two switches in the control room. Either switch actuates both trains.

(continued)

CALLAWAY PLANT B 3.3.2-18 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE a. Containment Isolation - Phase A Isolation (continued)

SAFETY ANALYSES, (2) Phase A Isolation - Automatic Actuation Logic and LCO, AND Actuation Relays (SSPS)

APPLICABILITY Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

Manual and automatic initiation of Phase A Containment Isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. Manual initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a Phase A Containment Isolation, actuation is simplified by the use of the manual actuation switches. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase A Containment Isolation. There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.

(3) Phase A Isolation - Safety Injection Phase A Containment Isolation is also initiated by all Functions that initiate SI.

The Phase A Containment Isolation requirements for these Functions are the same as the requirements for their SI function. Therefore, the Instead, Function 1, SI, is referenced for all requirements are not repeated in Table 3.3.2-1.

Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

b. Containment Isolation - Phase B Isolation Phase B Containment Isolation is accomplished by Manual Initiation, Automatic Actuation Logic and Actuation Relays, and by Containment Pressure channels (the same (continued)

CALLAWAY PLANT B 3.3.2-19 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE b. Containment Isolation - Phase B Isolation (continued)

SAFETY ANALYSES, channels that actuate Containment Spray, Function 2).

LCO, AND The Containment Pressure trip of Phase B Containment APPLICABILITY Isolation is energized to trip in order to minimize the potential of spurious trips that may damage the RCPs.

(1) Phase B Isolation - Manual Initiation (2) Phase B Isolation - Automatic Actuation Logic and Actuation Relays (SSPS)

Manual and automatic initiation of Phase B containment isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. Manual initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a Phase B containment isolation, actuation is simplified by the use of the manual actuation switches. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase B containment isolation. There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.

(3) Phase B Isolation - Containment Pressure The basis for containment pressure MODE applicability and the Trip Setpoint are as discussed for ESFAS Function 2.c above.

4. Steam Line Isolation Isolation of the main steam lines provides protection in the event of an SLB inside or outside containment. Rapid isolation of the steam lines will limit the steam break accident to the blowdown (continued)

CALLAWAY PLANT B 3.3.2-20 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 4. Steam Line Isolation (continued)

SAFETY ANALYSES, from one SG, at most. For an SLB upstream of the main steam LCO, AND isolation valves (MSIVs) main steam isolation valve bypass valves APPLICABILITY (MSIVBVs), and the main steam low point drain isolation valves (MSLPDIVs), inside or outside of containment, closure of the MSIVs limits the accident to the blowdown from only the affected SG. For an SLB downstream of the MSIVs, closure of the MSIVs terminates the accident as soon as the steam lines depressurize.

Steam Line Isolation also mitigates the effects of a feed line break and ensures a source of steam for the turbine - driven AFW pump during a feed line break.

a. Steam Line Isolation - Manual Initiation Manual initiation of Steam Line Isolation can be accomplished from the control room. There are two pushbuttons in the control room and either pushbutton can initiate action to immediately close all MSIVs. The LCO requires two channels to be OPERABLE.
b. Steam Line Isolation - Automatic Actuation Logic and Actuation Relays (SSPS)

Automatic actuation logic and actuation relays in the SSPS consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

c. Steam Line Isolation - Automatic Actuation Logic and Actuation Relays (MSFIS)

As discussed in Reference 13, the Main Steam and Feedwater Isolation System (MSFIS) includes three redundant programmable logic controllers (PLCs) per logic train, arranged in a two-out-of-three voting configuration for each train. The three PLCs in each train operate in parallel, each receiving all of the input signals. Each of the outputs from each PLC drives a relay. The relay contacts are arranged in a two-out-of-three voting scheme, requiring that at least two PLCs agree upon the output before that train can initiate an isolation function. Each train requires a minimum of two PLCs to be OPERABLE.

Manual and automatic initiation of steam line isolation must be OPERABLE when there is sufficient energy in the RCS and SGs to have an SLB or other accident. This could result in the release of (continued)

CALLAWAY PLANT B 3.3.2-21 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 4. Steam Line Isolation (continued)

SAFETY ANALYSES, significant quantities of energy and cause a cooldown of the LCO, AND primary system. Steam Line Isolation Functions 4.a, Manual APPLICABILITY Initiation, 4.b, Automatic Actuation Logic and Actuation Relays (SSPS), 4.d, Containment Pressure - High 2 and 4.e(1), Steam Line Pressure - Low must be OPERABLE in MODE 1 with no exceptions. Functions 4.a, 4.b, 4.d, and 4.e.(1) must also be OPERABLE in MODE 2 and MODE 3 (except that Function 4.e.(1) is required in MODE 3 above P-11and below P-11 unless safety injection on low steam line pressure is blocked) except when:

1. All MSIVs are closed and de-activated:

AND

2. All MSIVBVs are:

2.a Closed and de-activated; or 2.b Closed and isolated by a closed manual valve; or 2.c Isolated by two closed manual valves.

AND

3. All MSLPDIVs are:

3.a Closed and de-activated; or 3.b Closed and isolated by a closed manual valve; or 3.c Isolated by two closed manual valves.

Steam Line Isolation Function 4.c, Automatic Actuation Logic and Actuation Relays (MSFIS), must be OPERABLE in MODE 1 with no exceptions. Function 4.c must also be OPERABLE in MODE 2 and MODE 3 except when all MSIVs are closed and de-activated.

Steam Line Isolation Function 4.e.(2), Steam Line Pressure -

Negative Rate - High, must be OPERABLE in MODE 3 below P-11 (except while blocked below P-11 when safety injection on low steam line pressure is not blocked) except when:

1. All MSIVs are closed and de-activated; AND (continued)

CALLAWAY PLANT B 3.3.2-22 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 4. Steam Line Isolation (continued)

SAFETY ANALYSES, 2. All MSIVBVs are:

LCO, AND APPLICABILITY 2.a Closed and de-activated; or 2.b Closed and isolated by a closed manual valve; or 2.c Isolated by two closed manual valves.

AND

3. All MSLPDIVs are:

3.a Closed and de-activated; or 3.b Closed and isolated by a closed manual valve; or 3.c Isolated by two closed manual valves.

When these valves are in the above (flow path isolated) configuration, there is no requirement to have an OPERABLE actuation signal through Functions 4.a, 4.b, 4.c, 4.d, and 4.e since all the valves are already performing their specified safety function.

In MODES 4, 5, and 6, there is insufficient energy in the RCS and SGs to experience an SLB or other accident releasing significant quantities of energy.

d. Steam Line Isolation - Containment Pressure - High 2 This Function actuates closure of the MSIVs in the event of a LOCA or an SLB inside containment to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. The transmitters (d/p cells) are located outside containment with the sensing line (high pressure side of the transmitter) located inside containment. Containment Pressure -

High 2 provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with two-out-of-three logic. The transmitters and electronics are located outside of containment. Thus, they will not experience any adverse environmental conditions, and the Trip Setpoint reflects only steady state instrument uncertainties. The Trip Setpoint is 17.0 psig.

Containment Pressure - High 2 must be OPERABLE when there is sufficient energy in the primary and secondary side to pressurize the containment following a pipe break. This (continued)

CALLAWAY PLANT B 3.3.2-23 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE d. Steam Line Isolation - Containment Pressure - High 2 SAFETY (continued)

ANALYSES, LCO, AND would cause a significant increase in the containment APPLICABILITY pressure, thus allowing detection and closure of the MSIVs.

In MODE 4, the increase in containment pressure following a pipe break would occur over a relatively long time period such that manual action could reasonably be expected to provide protection and ESFAS Function 4.d need not be OPERABLE. In MODES 5 and 6, there is not enough energy in the primary and secondary sides to pressurize the containment to the Containment Pressure - High 2 setpoint.

e. Steam Line Isolation - Steam Line Pressure (1) Steam Line Pressure - Low Steam Line Pressure - Low provides closure of the MSIVs in the event of an SLB to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. This Function provides closure of the MSIVs in the event of a feed line break to ensure a supply of steam for the turbine driven AFW pump.

Steam Line Pressure - Low was discussed previously under SI Function 1.e and the Trip Setpoint is the same.

Steam Line Pressure - Low Function must be OPERABLE when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11 setpoint. If not blocked below P-11, the function must be OPERABLE. When blocked, an inside containment SLB will be terminated by automatic actuation via Containment Pressure - High 2. Stuck valve transients and outside containment SLBs will be terminated by the Steam Line Pressure - Negative Rate - High signal for Steam Line Isolation below P-11 when SI has been manually blocked. This Function is not required to be OPERABLE in (continued)

CALLAWAY PLANT B 3.3.2-24 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE (1) Steam Line Pressure - Low (continued)

SAFETY ANALYSES, MODES 4, 5, and 6 because there is insufficient LCO, AND energy in the secondary side of the unit to have a APPLICABILITY significant effect on required plant equipment.

(2) Steam Line Pressure - Negative Rate - High Steam Line Pressure - Negative Rate - High provides closure of the MSIVs for an SLB when less than the P-11 setpoint, to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.

When the operator manually blocks the Steam Line Pressure - Low main steam isolation signal when less than the P-11 setpoint, the Steam Line Pressure - Negative Rate - High signal is automatically enabled. Steam Line Pressure -

Negative Rate - High provides no input to any control functions. Thus, three OPERABLE channels on each steam line are sufficient to satisfy requirements with a two-out-of-three logic.

Steam Line Pressure - Negative Rate - High must be OPERABLE when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). In MODES 1 and 2, and in MODE 3, when above the P-11 setpoint, this signal is automatically disabled and the Steam Line Pressure - Low signal is automatically enabled. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to have an SLB or other accident that would result in a release of significant enough quantities of energy to cause a cooldown of the RCS.

While the transmitters may experience elevated ambient temperatures due to an SLB, the trip function is based on rate of change, not the absolute accuracy of the indicated steam pressure.

Therefore, the Trip Setpoint reflects only steady state instrument uncertainties. The Trip Setpoint is (continued)

CALLAWAY PLANT B 3.3.2-25 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE (2) Steam Line Pressure - Negative Rate - High SAFETY (continued)

ANALYSES, LCO, AND 100 psi with a rate/lag controller time constant APPLICABILITY 50 seconds.
5. Turbine Trip and Feedwater Isolation The primary functions of the Turbine Trip and Feedwater Isolation signals are to prevent damage to the turbine due to water in the steam lines and to stop the excessive flow of feedwater into the SGs. These Functions are necessary to mitigate the effects of a high water level in the SGs, which could result in carryover of water into the steam lines and excessive cooldown of the primary system. The SG high water level is due to excessive feedwater flows.

The Function is actuated when the level in any SG exceeds the high high setpoint and performs the following functions:

  • Trips the MFW pumps (PAE01A and PAE01B), closing the pump discharge valves; and

With the exception of feedwater isolation, these listed functions, which are actuated by SG Water Level - High High or by an SI signal, are not credited in the safety analysis. The RTS also initiates a turbine trip signal whenever a reactor trip (P-4) is generated. In the event of SI, the unit is taken off line and the turbine generator must be tripped. The MFW System is also taken out of operation and the AFW System is automatically started. The SI signal was previously discussed.

While the above discussion applies to both turbine trip and feedwater isolation in response to excessive feedwater in MODES 1 and 2, feedwater isolation on SG low-low level is required for events in MODES 1, 2, and 3 where the assurance of AFW delivery to the intact steam generators is paramount in the accident analysis. The analyses for the Loss of Non-Emergency AC Power, Loss of Normal Feedwater, and Feedwater System Pipe Break events credit feedwater isolation on SG low-low level.

Given the location of the feedwater check valves inside (continued)

CALLAWAY PLANT B 3.3.2-26 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 5. Turbine Trip and Feedwater Isolation (continued)

SAFETY ANALYSES, containment downstream of the point where AFW connects to the LCO, AND main feedwater piping, closure of the main feedwater isolation APPLICABILITY valves (MFIVs) is required to assure AFW flow is not diverted.

a. Turbine Trip and Feedwater Isolation - Automatic Actuation Logic and Actuation Relays (SSPS)

Automatic Actuation Logic and Actuation Relays in the SSPS consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

b. Feedwater Isolation - Automatic Actuation Logic and Actuation Relays (MSFIS)

Automatic Actuation Logic and Actuation Relays in the MSFIS consist of the same features and operate in the same manner as described for ESFAS Function 4.c.

c. Turbine Trip and Feedwater Isolation - Steam Generator Water Level - High High (P-14)

This signal provides protection against excessive feedwater flow. The ESFAS SG water level instruments provide input to the SG Water Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system (which may then require the protection function actuation) and a single failure in the other channels providing the protection function actuation.

Thus, four OPERABLE channels per SG are required to satisfy the requirements with a two-out-of-four logic in any SG resulting in actuation signal generation.

The transmitters (d/p cells) are located inside containment.

However, the events that this Function protects against cannot cause a severe environment in containment.

Therefore, the Trip Setpoint reflects only steady state instrument uncertainties. The Trip Setpoint is 91.0% of narrow range span.

(continued)

CALLAWAY PLANT B 3.3.2-27 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 5. Turbine Trip and Feedwater Isolation (continued)

SAFETY ANALYSES, d. Turbine Trip and Feedwater Isolation - Safety Injection LCO, AND APPLICABILITY Turbine Trip and Feedwater Isolation are also initiated by all Functions that initiate SI. The Feedwater Isolation Function requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead Function 1, SI, is referenced for all initiating functions and requirements., with the stipulation that the Applicability exceptions of Footnate (j) also apply to Function 5.d.

e. Feedwater Isolation - Steam Generator Water Level - Low Low SG Water Level - Low Low provides protection against a loss of heat sink by ensuring the isolation of normal feedwater and AFW delivery to the steam generators.

Given the location of the feedwater line check valves inside containment downstream of the point where AFW connects to the main feedwater piping, closure of the MFIVs is required to assure AFW flow is not diverted. A feedwater line break or a loss of MFW (i.e., loss of both PAE01A and PAE01B) would result in a loss of SG water level. SG Water Level - Low Low provides input to the SG Water Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system, which may then require a protection function actuation, and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with two-out-of-four logic (the Environmental Allowance Modifier (EAM) function also uses a two-out-of-four logic). Two-out-of-four low level signals in any SG initiates feedwater isolation. As discussed in Reference 11, the SG Water Level - Low Low trip Function has been modified to allow a lower Trip Setpoint under normal containment environmental conditions.

The EAM circuitry reduces the potential for inadvertent trips via the EAM, enabled on containment pressure exceeding its setpoint as listed in Table B 3.3.2-1. Because the SG Water Level transmitters (d/p cells) are located inside (continued)

CALLAWAY PLANT B 3.3.2-28 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE e. Feedwater Isolation - Steam Generator Water Level - Low SAFETY Low (continued)

ANALYSES, LCO, AND containment, they may experience adverse environmental APPLICABILITY conditions due to a feedline break. The EAM function is used to monitor the presence of adverse containment conditions (elevated pressure) and enables the Steam Generator Water Level - Low Low (Adverse) trip setpoint to reflect the increased transmitter uncertainties due to this harsh environment. The EAM enables a lower Steam Generator Water Level - Low Low (Normal) trip setpoint when these conditions are not present, thus allowing more margin to trip for normal operating conditions. If the EAM trip function has inoperable required channels, it is acceptable to place the inoperable channels in the tripped condition and continue operation. Placing the inoperable channels in the trip mode enables the Steam Generator Water Level - Low Low (Adverse) Function, for the EAM. If the Steam Generator Water Level - Low Low (Normal) trip Function has an inoperable required channel, the inoperable channel must be tripped, subject to the LCO Applicability footnote.

The SG Water Level - Low Low Trip Setpoints are chosen to reflect both steady state and adverse environment instrument behavior. The Trip Setpoints for the Steam Generator Water Level - Low Low (Adverse Containment Environment) and (Normal Containment Environment) bistables are 21.0% and 17.0% of narrow range span, respectively. The Trip Setpoint for the Containment Pressure - Environmental Allowance Modifier bistables is 1.5 psig.

Turbine Trip and Feedwater Isolation Function 5.a, Automatic Actuation Logic and Actuation Relays (SSPS), and Feedwater Isolation Function 5.e, SG Water Level - Low, Low, must be OPERABLE in MODE 1, MODE 2, and MODE 3 except when:

1. All MFIVs are closed and de-activated; AND (continued)

CALLAWAY PLANT B 3.3.2-29 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 5. Turbine Trip and Feedwater Isolation (continued)

SAFETY ANALYSES, 2. All MFRVs are:

LCO, AND APPLICABILITY 2.a Closed and de-activated, or 2.b Closed and isolated by a closed manual valve; AND

3. All MFRVBVs are:

3.a Closed and de-activated, or 3.b Closed and isolated by a closed manual valve, or 3.c Isolated by two closed manual valves.

Turbine Trip and Feedwater Isolation Function 5.b, Automatic Actuation Logic and Actuation Relays (MSFIS), must be OPERABLE in MODE 1, MODE 2, and MODE 3 except when all MFIVs are closed and de-activated.

Turbine Trip and Feedwater Isolation Function 5.c, SG Water Level

- High High, must be OPERABLE in MODE 1 and MODE 2 except when:

1. All MFIVs are closed and de-activated; AND
2. All MFRVs are:

2.a Closed and de-activated, or 2.b Closed and isolated by a closed manual valve; AND

3. All MFRVBVs are:

3.a Closed and de-activated, or 3.b Closed and isolated by a closed manual valve, or 3.c Isolated by two closed manual valves.

When these valves are in the above (flow path isolated) configurations, there is no requirement to have an OPERABLE actuation signal through Functions 5.a, 5.b, 5.c, 5.d, and 5.e since all the valves are already performing their specified safety function.

(continued)

CALLAWAY PLANT B 3.3.2-30 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 5. Turbine Trip and Feedwater Isolation (continued)

SAFETY ANALYSES, In MODES 3, 4, 5, and 6, Function 5.c is not required to be LCO, AND OPERABLE. In MODES 4, 5, and 6, Functions 5.a, 5.b, and 5.e APPLICABILITY are not required to be OPERABLE. For Function 5.d, the provisions of Function 1 apply in addition to the Applicability exceptions for Footnote (j) which are the same as discussed above for the Functions 5.a, 5.c, and 5.e.

The SG Water Level - Low Low (Normal Containment Environment) channels do not provide protection when the Containment Pressure - Environmental Allowance Modifier (EAM) channels in the same protection sets are tripped since that enables the SG Water Level - Low Low Adverse Containment Environment) channels with a higher water level trip setpoint. As such, the SG Water Level - Low Low (Normal Containment Environment) channels need not be OPERABLE when the Containment Pressure - EAM channels in the same protection sets are tripped, as discussed in a footnote to Table 3.3.2-1.

6. Auxiliary Feedwater The AFW System is designed to provide a secondary side heat sink for the reactor in the event that the MFW System is not available. The system has two motor driven pumps and a turbine driven pump, making it available during normal unit operation, during a loss of AC power, a loss of MFW (i.e., loss of both PAE01A and PAE01B), and during a Feedwater System pipe break. The normal source of water for the AFW System is the condensate storage tank (CST). A loss of suction pressure, coincident with an auxiliary feedwater actuation signal (AFAS), will automatically realign the pump suctions to the safety related Essential Service Water (ESW) System. The AFW System is aligned so that upon a pump start, flow is initiated to the respective SGs immediately.
a. Auxiliary Feedwater - Manual Initiation Manual initiation of Auxiliary Feedwater can be accomplished from the control room. Each of the three AFW pumps has a pushbutton for manual AFAS initiation.

The LCO requires three channels to be OPERABLE.

(continued)

CALLAWAY PLANT B 3.3.2-31 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 6. Auxiliary Feedwater (continued)

SAFETY ANALYSES, b. Auxiliary Feedwater - Automatic Actuation Logic and LCO, AND Actuation Relays (SSPS)

APPLICABILITY Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

c. Auxiliary Feedwater - Automatic Actuation Logic and Actuation Relays (BOP ESFAS)

Automatic actuation logic and actuation relays consist of similar features and operate in a similar manner as described for SSPS in ESFAS Function 1.b.

d. Auxiliary Feedwater - Steam Generator Water Level -

Low Low SG Water Level - Low Low provides protection against a loss of heat sink. A feed line break, inside or outside of containment, or a loss of MFW (i.e., loss of both PAE01A and PAE01B), would result in a loss of SG water level. SG Water Level - Low Low provides input to the SG Water Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system, which may then require a protection function actuation, and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with two-out-of-four logic (the Environmental Allowance Modifier (EAM) function also uses a two-out-of-four logic). Two-out-of-four low level signals in any SG starts the motor-driven AFW pumps; in two SGs starts the turbine-driven AFW pump. As discussed in Reference 11, the SG Water Level - Low Low trip Function has been modified to allow a lower Trip Setpoint under normal containment environmental conditions.

The EAM circuitry reduces the potential for inadvertent trips via the EAM, enabled on containment pressure exceeding its setpoint as listed in Table B 3.3.2-1.

Because the SG Water Level transmitters (d/p cells) are located inside containment, they may experience adverse environmental conditions due to a feedline break. The (continued)

CALLAWAY PLANT B 3.3.2-32 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE d. Auxiliary Feedwater - Steam Generator Water Level -

SAFETY Low Low (continued)

ANALYSES, LCO, AND EAM function is used to monitor the presence of adverse APPLICABILITY containment conditions (elevated pressure) and enables the Steam Generator Water Level - Low Low (Adverse) trip setpoint to reflect the increased transmitter uncertainties due to this harsh environment. The EAM enables a lower Steam Generator Water Level - Low Low (Normal) trip setpoint when these conditions are not present, thus allowing more margin to trip for normal operating conditions. If the EAM trip function has inoperable required channels, it is acceptable to place the inoperable channels in the tripped condition and continue operation. Placing the inoperable channels in the trip mode enables the Steam Generator Water Level -

Low Low (Adverse) Function, for the EAM. If the Steam Generator Water Level - Low Low (Normal) trip Function has an inoperable required channel, the inoperable channel must be tripped, subject to the LCO Applicability footnote.

The Trip Setpoint reflects the inclusion of both steady state and adverse environment instrument uncertainties. The Trip Setpoints for the SG Water Level - Low Low (Adverse Containment Environment) and (Normal Containment Environment) bistables are 21.0% and 17.0% of narrow range span, respectively. The Trip Setpoint for the Containment Pressure - Environmental Allowance Modifier bistables is 1.5 psig.

e. Auxiliary Feedwater - Safety Injection An SI signal starts the motor driven AFW pumps. The AFW initiation functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.
f. Auxiliary Feedwater - Loss of Offsite Power The loss of offsite power (LOP) is detected by a voltage drop on each ESF bus. The LOP is sensed and processed by the circuitry for LOP DG Start (Load Shedder and (continued)

CALLAWAY PLANT B 3.3.2-33 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE f. Auxiliary Feedwater - Loss of Offsite Power (continued)

SAFETY ANALYSES, Emergency Load Sequencer) and fed to BOP ESFAS by LCO, AND relay actuation. Loss of power to either ESF bus will start APPLICABILITY the turbine - driven AFW pump, to ensure the intact SGs contain enough water to serve as the heat sink for removing reactor decay heat and the stored thermal energy of the reactor coolant system following the reactor trip, and automatically isolate the SG blowdown and sample lines.

In addition, once the diesel generators are started and up to speed, the motor - driven AFW pumps will be sequentially loaded onto the diesel generator buses.

Functions 6.a through 6.f must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor. SG Water Level - Low Low in any operating SG will cause the motor - driven AFW pumps to start. The system is aligned so that upon a start of the pump, water immediately begins to flow to the SGs. SG Water Level - Low Low in any two operating SGs will cause the turbine - driven pump to start. The SG Water Level - Low Low (Normal Containment Environment) channels do not provide protection when the Containment Pressure - Environmental Allowance Modifier (EAM) channels in the same protection sets are tripped since that enables the SG Water Level - Low Low (Adverse Containment Environment) channels with a higher water level trip setpoint. As such, the SG Water Level - Low Low (Normal Containment Environment) channels need not be OPERABLE when the Containment Pressure - EAM channels in the same protection sets are tripped, as discussed in a footnote to Table 3.3.2-1. These Functions do not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW actuation does not need to be OPERABLE because either AFW or residual heat removal (RHR) will be available to remove decay heat or sufficient time is available to manually place either system in operation.

(continued)

CALLAWAY PLANT B 3.3.2-34 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 6. Auxiliary Feedwater (continued)

SAFETY ANALYSES, g. Auxiliary Feedwater - Trip of All Main Feedwater (MFW)

LCO, AND Pumps APPLICABILITY A Trip of all MFW pumps (PAE01A and PAE01B) is an indication of a loss of MFW and the subsequent need for some method of removing decay heat and the stored thermal energy of the reactor coolant system to bring the reactor back to no load temperature and pressure. Each turbine-driven MFW pump is equipped with two pressure switches (one in separation group 1 and one in separation group 4) on the oil line for the speed control system. A low pressure signal from either of these pressure switches indicates a trip of that pump. Four channels, with two OPERABLE channels per pump, satisfy redundancy requirements. The separation group 1 low pressure signals are driven from pressure switches FCPSL0025 and FCPSL0125 and the separation group 4 low pressure signals are driven from pressure switches FCPSL0026 and FCPSL0126. Signal actuation requires that both channels in a given separation group (one on each MFW pump) be in the tripped condition. If one or both channels in a separation group are inoperable, then the motor-driven AFW actuation signal from that separation group is unavailable.

The four Required Channels for Function 6.g are modified by footnotes (u) and (w). Footnotes (u) and (w) allow a conditional redefinition of channel OPERABILITY requirements such that normal plant operating evolutions do not require TS Condition entries. There are times during the Applicability of Function 6.g when footnote (u) allows an exception during the startup of the second MFW pump when one MFW pump is in operation supplying feedwater to the SGs and the second MFW pump turbine control circuitry is reset and that pump is not supplying feedwater to the SGs. If the channels associated with the operating MFW pump are OPERABLE and the channels associated with the reset MFW pump turbine controls are in the tripped condition, footnote (u) allows an exception whereby the OPERABILITY requirement of four Required Channels is met. Similarly, footnote (w) allows an exception during the removal of the first MFW pump from service when one (continued)

CALLAWAY PLANT B 3.3.2-35 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE g. Auxiliary Feedwater - Trip of All Main Feedwater Pumps SAFETY (continued)

ANALYSES, LCO, AND MFW pump is in operation supplying feedwater to the SGs APPLICABILITY and the second MFW pump turbine control circiutry is reset and that pump is not supplying feedwater to the SGs. If the channels associated with the operating MFW pump are OPERABLE and the channels associated with the reset MFW pump turbine control circuitry are in the tripped condition, the OPERABILITY requirement of four Required Channels is met. When both MFW pumps are in operation supplying feedwater to the SGs, footnotes (u) and (w) no longer apply. A trip of all MFW pumps (PAE01A and PAE01B) starts the motor- driven AFW pumps to ensure that the intact SGs are available with water to act as the heat sink for the reactor.

Function 6.g must be OPERABLE in MODES 1 and 2. This ensures that the intact SGs are provided with water to serve as the heat sink to remove reactor decay heat and the stored thermal energy of the reactor coolant system in the event of an accident. In MODES 3, 4, and 5, the turbine-driven MFW pumps may be normally shut down, and thus pump trip is not indicative of a condition requiring automatic AFW initiation.

Footnote (n) of Table 3.3.2-1 allows the blocking of this ESFAS function in MODE 2 just before shutdown of the last operating turbine-driven main feedwater pump and the restoration of this trip function just after the first turbine-driven main feedwater pump is put into service following its startup trip test. This limits the potential for inadvertent AFW actuations during normal startups and shutdowns.

Footnote (v) allows an exception such that the removal of the first of two operating MFW pumps from service may be performed without trip jumpers per new footnote (v1) or with trip jumpers installed per new footnote (v2).

Footnote (v) allows an exception to the LCO Applicability requirements in MODES 1 and 2. During the removal of the first of two operating MFW pumps from service, when one MFW pump is in operation supplying feedwater to the SGs and the second MFW pump turbine control circuitry is reset (continued)

CALLAWAY PLANT B 3.3.2-36 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE g. Auxiliary Feedwater - Trip of All Main Feedwater Pumps SAFETY (continued)

ANALYSES, LCO, AND and that pump is not supplying feedwater to the SGs, APPLICABILITY Function 6.g is unavailable until the channels associated with the reset MFW pump turbine control circuitry (one in each separation group) are placed in the tripped condition.

There is no Condition to enter in LCO 3.3.2 which corresponds to this operating state which is encountered at least once every operating cycle. Footnote (v1) provides an exception to entering LCO 3.0.3 for up to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> for the channels associated with the first MFW pump to be removed from service. This 1-hour period of ESFAS Function 6.g unavailability is justified given the low likelihood of occurrence of an event requiring actuation of the motor-driven AFW pumps during this short time period, the diversity of other actuation signals that are credited in the accident analyses such as low-low steam genertor water level and safety injection, and the heightened operator awareness that accompanies this evolution.

A turbine-driven MFW pump is in service when the pumps stop valves are open, the governor control valves are either in manual or automatic control, and feedwater is being supplied to the steam generators.

One cause of multiple channel inoperability which requires the application of footnote (u) occurs routinely during normal plant operation. A single turbine-driven MFW pump may be in service in MODE 1 at reduced power levels if the other turbine-driven MFW pump has not yet been placed into service during power ascension or has been removed from service for maintenance. Prior to placing a turbine-driven MFW pump into service, the status of its turbine control circuitry is changed from tripped to reset via its Trip/Reset handswitch (FCHIS0018 or FCHIS0118) such that the two oil pressure switch channels on that turbine-driven MFW pump experience the high oil pressures indicative of an operating pump prior to that turbine-driven MFW pump providing feedwater flow to the steam generators. In this status, the turbine-driven MFW pump that is not yet in service would not satisfy the AFW start function actuation logic if the operating turbine-driven MFW pump were to trip at this time since it takes one tripped (continued)

CALLAWAY PLANT B 3.3.2-37 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE g. Auxiliary Feedwater - Trip of All Main Feedwater Pumps SAFETY (continued)

ANALYSES, LCO, AND channel on each turbine-driven MFW pump in the same APPLICABILITY separation group to initiate an auxiliary feedwater actuation signal. Therefore, with one turbine-driven MFW pump turbine in reset, footnote (u) is applied for two inoperable oil pressure channels on that turbine-driven MFW pump. This footnote imposes a partial AFW actuation status (or partial trip) on the plant.

This ESFAS function is an anticipatory start signal for which no credit is taken in any accident or transient analysis. The safety analyses credit actuation of the motor-driven AFW pumps upon a low-low steam generator water level signal in any steam generator and after a safety injection signal.

h. Auxiliary Feedwater - Pump Suction Transfer on Suction Pressure - Low A low pressure signal in the AFW pump suction line protects the AFW pumps against a loss of the normal supply of water for the pumps, the CST. Three pressure switches are located on the AFW pump suction line from the CST. A low pressure signal sensed by any two of the three switches coincident with an auxiliary feedwater actuation signal will cause the emergency supply of water for the pumps to be aligned. ESW (safety grade) is automatically lined up to supply the AFW pumps to ensure an adequate supply of water for the AFW System to maintain the intact SGs as the heat sink for reactor removing decay heat and the stored thermal energy of the reactor coolant system.

Since the detectors are located in an area not affected by HELBs or high radiation, they will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties. The Trip Setpoint is 21.71 psia.

This Function must be OPERABLE in MODES 1, 2, and 3 to ensure a safety grade supply of water for the AFW System to maintain the SGs as the heat sink for the reactor.

This Function does not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being (continued)

CALLAWAY PLANT B 3.3.2-38 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE h. Auxiliary Feedwater - Pump Suction Transfer on Suction SAFETY Pressure - Low (continued)

ANALYSES, LCO, AND generated in the reactor to require the SGs as a heat sink.

APPLICABILITY In MODE 4, AFW automatic suction transfer does not need to be OPERABLE because RHR will already be in operation, or sufficient time is available to place RHR in operation, to remove decay heat.

7. Automatic Switchover to Containment Sump At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the RHR pumps is automatically switched to the containment recirculation sumps.

The low head residual heat removal (RHR) pumps and containment spray pumps draw the water from the containment recirculation sumps, the RHR pumps pump the water through the RHR heat exchanger, inject the water back into the RCS, and supply the cooled water to the other ECCS pumps. Switchover from the RWST to the containment sumps must occur before the RWST empties to prevent damage to the RHR pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sumps to support ESF pump suction.

a. Automatic Switchover to Containment Sump - Automatic Actuation Logic and Actuation Relays (SSPS)

Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

b. Automatic Switchover to Containment Sump - Refueling Water Storage Tank (RWST) Level - Low Low Coincident With Safety Injection During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low low level in the RWST coincident with an SI signal provides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The RWST is equipped with four level transmitters. These transmitters provide no control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function (continued)

CALLAWAY PLANT B 3.3.2-39 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE b. Automatic Switchover to Containment Sump - Refueling SAFETY Water Storage Tank (RWST) Level - Low Low Coincident ANALYSES, With Safety Injection (continued)

LCO, AND APPLICABILITY actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability.

The RWST - Low Low Trip Setpoint is selected to ensure switchover occurs before the RWST empties, to prevent ECCS pump damage.

The transmitters are located in an area not affected by HELBs or post accident high radiation. Thus, they will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties. The Trip Setpoint is 36% of span.

Automatic switchover occurs only if the RWST low low level signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempting to take suction from an empty sump. The automatic switchover Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

This Function must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps.

This Function is not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

(continued)

CALLAWAY PLANT B 3.3.2-40 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 8. Engineered Safety Feature Actuation System Interlocks SAFETY ANALYSES, To allow some flexibility in unit operations, several interlocks are LCO, AND included as part of the ESFAS. These interlocks permit the APPLICABILITY operator to block some signals, automatically enable other (continued) signals, prevent some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.

a. Engineered Safety Feature Actuation System Interlocks -

Reactor Trip, P-4 The P-4 interlock is enabled when a reactor trip breaker (RTB) and its associated bypass breaker are open.

Manual reset of SI following a 60 second time delay, in conjunction with P-4, generates an automatic SI block.

This Function allows operators to take manual control of SI systems after the initial phase of injection is complete.

Once SI is blocked, automatic actuation of SI cannot occur until the RTBs have been manually closed.

The functions of the P-4 interlock are:

  • Isolates MFW with coincident low Tavg;
  • Prevents automatic reactuation of SI after a manual reset of SI;
  • Allows arming of the steam dump valves and transfers the steam dump from the load rejection Tavg controller to the plant trip controller; and
  • Prevents opening of the MFW isolation valves if they were closed on SI or SG Water Level - High High.

Each of the above Functions is interlocked with P-4 to avert or reduce the continued cooldown of the RCS following a reactor trip. An excessive cooldown of the RCS following a reactor trip could cause an insertion of positive reactivity with a subsequent increase in core power. To avoid such a situation, the noted Functions have been interlocked with P-4 as part of the design of the unit control (continued)

CALLAWAY PLANT B 3.3.2-41 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE a. Engineered Safety Feature Actuation System Interlocks -

SAFETY Reactor Trip, P-4 (continued)

ANALYSES, LCO, AND and protection system. The feedwater isolation function on APPLICABILITY P-4 with coincident low Tavg may be blocked using a bypass switch to prevent undue cycling of the FWIVs and AFW pumps.

None of the noted Functions serves a mitigation function in the unit licensing basis safety analyses. Only the turbine trip Function is explicitly assumed since it is an immediate consequence of the reactor trip Function. Neither turbine trip, nor any of the other four Functions associated with the reactor trip signal, is required to show that the unit licensing basis safety analysis acceptance criteria are met.

The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with which to associate a Trip Setpoint and Allowable Value.

This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality.

b. Engineered Safety Feature Actuation System Interlocks -

Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI or main steam line isolation. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure - Low steam line isolation signal (previously discussed). When the Steam Line Pressure - Low steam line isolation signal is manually blocked, a main steam isolation signal on Steam Line Pressure - Negative Rate - High is automatically enabled.

This provides protection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the Pressurizer Pressure

- Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure - Low steam line isolation (continued)

CALLAWAY PLANT B 3.3.2-42 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE b. Engineered Safety Feature Actuation System Interlocks -

SAFETY Pressurizer Pressure, P-11 (continued)

ANALYSES, LCO, AND signal are automatically enabled. The operator can also APPLICABILITY enable these trips by use of the respective manual unblock (reset) buttons. When the Steam Line Pressure - Low steam line isolation signal is enabled, the main steam isolation on Steam Line Pressure - Negative Rate - High is disabled. The Trip Setpoint reflects only steady state instrument uncertainties. The Trip Setpoint is 1970 psig.

This Function must be OPERABLE in MODES 1, 2, and 3 to allow an orderly cooldown and depressurization of the unit without the actuation of SI or main steam isolation.

This Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves to be met.

9. Automatic Pressurizer PORV Actuation For the inadvertent ECCS actuation at power event (a Condition II event), the safety analysis (Ref. 15) credits operator actions from the main control room to terminate flow from the normal charging pump (NCP) and to open both PORV block valves (assumed to initially be closed) and assure the availability of at least one PORV for automatic pressure relief. Analysis results indicate that water relief through the pressurizer safety valves, which could result in the Condition II event degrading into a Condition III event if the safety valves did not reseat, is precluded if operator actions are taken within the times assumed in the Reference 15 analysis to terminate NCP flow and to assure at least one PORV is available for automatic pressure relief. The assumed operator action times conservatively bound the times measured during simulator exercises. Therefore, automatic PORV operation is an assumed safety function in MODES 1, 2, and 3. The PORVs are equipped with automatic actuation circuitry and manual control capability. The PORVs are considered OPERABLE in either the automatic or manual mode, as long as the automatic actuation circuitry is OPERABLE and the PORVs can be made available for automatic pressure relief by timely operator actions (Ref. 15) to open the associated block valves (if closed) and to assure the PORV handswitches are in the automatic operation position. The automatic mode is the preferred configuration, as this provides the required pressure relieving capability without reliance on operator actions.

(continued)

CALLAWAY PLANT B 3.3.2-43 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 9. Automatic Pressurizer PORV Actuation (continued)

SAFETY ANALYSES, a. Automatic Pressurizer PORV Actuation - Automatic LCO, AND Actuation Logic and Actuation Relays (SSPS)

APPLICABILITY Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for Function 1.b, except that the LCO is not applicable in MODE 4 as discussed below for Function 9.b.

b. Automatic Pressurizer PORV Actuation - Pressurizer Pressure - High This signal provides protection against an inadvertent ECCS actuation at power event. Pressurizer pressure provides both control and protection functions: input to the Pressurizer Pressure Control System, reactor trip, SI, and automatic PORV actuation. Therefore, the actuation logic must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with a two-out-of-four opening logic. The Trip Setpoint is 2335 psig.

The automatic PORV opening logic is satisfied when two-out-of-four (2/4) pressurizer pressure channels exceed their setpoint. Continued operation is allowed with one inoperable channel in the tripped condition. In this case, the automatic opening logic would revert to one-out-of-three (1/3). A single failure (e.g., failed bistable card) in one of the remaining three channels could result in both PORVs opening and remaining open since the automatic closure logic requires three-out-of-four (3/4) channels to reset, which could not be satisfied with two inoperable channels. However, this event can be terminated by PORV block valve closure and the consequences of this event are bounded by the analysis of a stuck open pressurizer safety valve in Reference 16. Therefore, automatic PORV closure is not a required safety function and the OPERABILITY requirements are satisfied by four OPERABLE pressurizer pressure channels.

Consistent with the Applicability of LCO 3.4.11, Pressurizer PORVs, the LCO for Function 9 is not (continued)

CALLAWAY PLANT B 3.3.2-44 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE b. Automatic Pressurizer PORV Actuation - Pressurizer SAFETY Pressure - High (continued)

ANALYSES, LCO, AND applicable in MODE 4 when both pressure and core APPLICABILITY energy are decreased and transients that could cause an overpressure condition will be slow to occur. This is also consistent with the Applicability of Functions 1.c, 1.d, and 1.e. LCO 3.4.12 addresses automatic PORV actuation instrumentation requirements in MODES 4 (with any RCS cold leg temperature 275°F), 5, and 6 with the reactor vessel head in place.
10. Steam Generator Blowdown and Sample Line Isolation The accident analyses assume that the steam generators are isolated after the steam generator blowdown and sample line isolation valves receive an isolation signal. The postulated accidents include the main steam line break (MSLB), the feedwater line break (FWLB), and steam generator tube rupture (SGTR).

These analyses consider the transient effects on the primary and secondary systems as well as the potential containment pressure and temperature impact on the containment design bases. Further discussions of these design basis accidents can be found in the FSAR, Chapters 6 and 15.

The steam generator blowdown and sample line isolation valves close to terminate the blowdown from the faulted steam generator and isolate the intact steam generators.

Following receipt of the steam line isolation signal (SLIS) and auxiliary feedwater actuation signal (AFAS), the intact steam generators are assumed to be isolated except for the steam supply valves to the turbine-driven auxiliary feedwater pump. In addition to the valves governed by LCO 3.7.2, Main Steam Isolation Valves, Main Steam Isolation Valve Bypass Valves, and Main Steam Low Point Drain Isolation Valves, and LCO 3.7.3, Main Feedwater Isolation Valves, Main Feedwater Regulating Valves, and Main Feedwater Regulating Valve Bypass Valves, the analysis assumptions require that the valves governed by LCO 3.7.19, Secondary Side Isolation Valves, are closed and the steam generator chemical injection flow path is isolated. Function 10 in LCO 3.3.2 covers the actuation instrumentation associated with the steam generator blowdown system isolation valves (SGBSIVs) and the steam generator blowdown system sample isolation valves (SGBSSIVs).

(continued)

CALLAWAY PLANT B 3.3.2-45 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 10. Steam Generator Blowdown and Sample Line Isolation SAFETY (continued)

ANALYSES, LCO, AND The SGBSIVs prevent uncontrolled blowdown from more than one APPLICABILITY steam generator and isolate nonsafety-related portions from the safety-related portions of the system. These valves are air-operated globe valves which fail closed. For emergency closure, either of two safety-related solenoid valves is de-energized to dump air supplied to the valve accuator. The electrical solenoid valves are energized from separate Class 1E sources and are tripped upon receipt of a steam generator blowdown safety injection signal (SGBSIS) signal.

The SGBSSIVs prevent uncontrolled blowdown from more than one steam generator and isolate the nonsafety-related portions from the safety-related portions of the system. The SGBSSIVs are solenoid-operated globe valve which fail closed. The inside containment solenoid valves are energized from separate Class 1E sources from the outside containment solenoid valves. These valves are also closed upon receipt of an SGBSIS signal.

a. Manual Initiation Manual initiation of the motor-driven auxiliary feedwater (MDAFW) pumps can be accomplished from the control room. This also sends a signal in that separation group to the SGBSIS (isolation signal). Both of the motor-driven AFW pumps have a pushbutton for manual AFAS initiation.

The LCO requires two trains (one per MDAFW pump) to be OPERABLE.

b. Automatic Actuation Logic and Actuation Relays (BOP-ESFAS)

Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for Function 6.c, except that the LCO has an Applicability exception when the isolation function is otherwise satisfied, as discussed below.

c. Safety Injection The SGBSIS (isolation signal) to these valves is initiated by all the Functions that initiate safety injection (SI). The input requirements for Function 10.c are the same as the (continued)

CALLAWAY PLANT B 3.3.2-46 Revision 16

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE c. Safety Injection (continued)

SAFETY ANALYSES, requirements for the SI function, except that the LCO has LCO, AND additional Applicability exceptions when the isolation APPLICABILITY function is otherwise satisfied, as discussed below.

Therefore, the other requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all other initiating functions and requirements.

d. Loss of Offsite Power The loss of offsite power (LOP) is detected by a voltage drop on each ESF bus. The LOP is sensed and processed by the circuitry for LOP DG Start (Load Shedder and Emergency Load Sequencer) and fed to BOP ESFAS by relay actuation. Loss of power to either ESF bus will initiate the SGBSIS (isolation signal) to these valves.

Functions 10.a through 10.d must be OPERABLE in MODES 1, 2, and 3, when there is significant mass and energy in the RCS and steam generators. When the SGBSIVs and the SGBSSIVs are closed or isolated, they are performing the specified safety function of isolating the plants secondary side.

Exceptions to the Applicability are allowed for the SGBSIVs and the SGBSSIVs when isolation of the potential flow path is assured, such as when these valves are closed and de-activated, or when they are closed and isolated by a closed manual valve, or when the flow path is isolated by a combination of closed manual valves(s) and closed and de-activated automatic valve(s). An air-operated SGBSIV is de-activated when power and air are removed from its actuation solenoid valves, and a solenoid-operated SGBSSIV is de-activated when power is removed from its associated solenoid valve.

In MODE 4, 5, or 6, the steam generator energy is low. Therefore, these valves are not required for isolation of potential high energy secondary system pipe breaks in these MODES.

The actuation logic for these valves is shown on FSAR Figure 7.3-1, sheet 2.

The ESFAS instrumentation satisfies Criterion 3 of 10CFR50.36(c)(2)(ii).

(continued)

CALLAWAY PLANT B 3.3.2-47 Revision 16

ESFAS Instrumentation B 3.3.2 BASES (Continued)

ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.2-1.

In the event a channel's Trip Setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the Required Channels in Table 3.3.2-1 are specified on a per steam line, per SG, per pump, etc., basis, then the Condition may be entered separately for each steam line, SG, pump, etc., as appropriate.

When the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.

A.1 Condition A applies to all ESFAS protection functions.

Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:

  • Phase A Isolation; and
  • Phase B Isolation.

This action addresses the train orientation of the SSPS for the functions listed above. If a channel or train is inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> are allowed to return it to an OPERABLE status. Note that for containment spray and (continued)

CALLAWAY PLANT B 3.3.2-48 Revision 16

ESFAS Instrumentation B 3.3.2 BASES ACTIONS B.1, B.2.1, and B.2.2 (continued)

Phase B isolation, failure of one or both channels in one train renders the train inoperable. Condition B, therefore, encompasses both situations.

The specified Completion Time is reasonable considering that there are two automatic actuation trains and another manual initiation train OPERABLE for each Function, and the low probability of an event occurring during this interval. If the channel or train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 within an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> total time) and in MODE 5 within an additional 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> (84 hours9.722222e-4 days <br />0.0233 hours <br />1.388889e-4 weeks <br />3.1962e-5 months <br /> total time). The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

C.1, C.2, C.3.1, and C.3.2 Condition C applies to the automatic actuation logic and actuation relays for the following functions:

  • Phase A Isolation;
  • Phase B Isolation; and
  • Automatic Switchover to Containment Sump.

This action addresses the train orientation of the SSPS and the master and slave relays. Containment Isolation Phase A is the primary signal to ensure closing of the containment purge supply and exhaust valves. If one Phase A train is inoperable, operation may continue as long as the Required Action to place and maintain containment purge supply and exhaust valves in their closed position is met. Required Action C.1 is modified by a Note that this Action is only required if Containment Phase A Isolation (Function 3.a.(2)) is inoperable. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed for restoring the inoperable train to OPERABLE status is justified in Reference 18. The specified Completion Time is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the (continued)

CALLAWAY PLANT B 3.3.2-49 Revision 16

ESFAS Instrumentation B 3.3.2 BASES ACTIONS C.1, C.2, C.3.1, and C.3.2 (continued) train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 within an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> total time) and in MODE 5 within an additional 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> (60 hours6.944444e-4 days <br />0.0167 hours <br />9.920635e-5 weeks <br />2.283e-5 months <br /> total time). The Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing, provided the other train is OPERABLE. This allowance is based on the reliability analysis assumption of Reference 8 that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform train surveillance.

Consistent with the requirement in Reference 18 to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when a logic train is inoperable for maintenance are included (note that these restrictions do not apply when a logic train is being tested under the 4-hour bypass Note of Condition C). Entry into Condition C is not a typical, pre-planned evolution during power operation, other than for surveillance testing.

Since Condition C is typically entered due to equipment failure, it follows that some of the following restrictions may not be met at the time of Condition C entry. If this situation were to occur during the 24-hour Completion Time of Required Action C.2, the Configuration Risk Management Program will assess the emergent condition and direct activities to restore the inoperable logic train and exit Condition C or fully implement these restrictions or perform a plant shutdown, as appropriate from a risk management perspective. The following restrictions will be observed:

  • To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained when a logic train is inoperable for maintenance.

(continued)

CALLAWAY PLANT B 3.3.2-50 Revision 16

ESFAS Instrumentation B 3.3.2 BASES ACTIONS C.1, C.2, C.3.1, and C.3.2 (continued)

  • To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train to be unavailable and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable for maintenance.
  • Activities on electrical systems (e.g., AC and DC power) and cooling systems (e.g., essential service water and component cooling water) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable for maintenance. That is, one complete train of a function that supports a complete train of a function noted above must be available.

D.1, D.2.1, and D.2.2 Condition D applies to:

  • Containment Pressure - High 1;
  • Pressurizer Pressure - Low;
  • Steam Line Pressure - Low;
  • Containment Pressure - High 2;
  • Steam Line Pressure - Negative Rate - High;
  • SG Water Level - Low Low (Adverse Containment Environment);
  • SG Water Level - Low Low (Normal Containment Environment);

and

  • Pressurizer Pressure - High.

If one channel is inoperable, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are allowed to restore the channel to OPERABLE status or to place it in the tripped condition. Generally this Condition applies to functions that operate on two-out-of-three logic (excluding Pressurizer Pressure - Low, Pressurizer Pressure - High, and SG Water Level - Low Low (Adverse and Normal Containment Environment)). Therefore, failure of one channel (i.e., with the bistable not tripped) places the Function in a two-out-of-two configuration. The inoperable channel must be tripped to place the Function in a (continued)

CALLAWAY PLANT B 3.3.2-51 Revision 16

ESFAS Instrumentation B 3.3.2 BASES ACTIONS D.1, D.2.1, and D.2.2 (continued) one-out-of-two configuration that satisfies redundancy requirements. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to restore the channel to OPERABLE status or to place it in the tripped condition is justified in Reference 18.

Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requires the unit be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.

The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing of other channels. The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for testing are justified in Reference 18.

E.1, E.2.1, and E.2.2 Condition E applies to:

  • Containment Phase B Isolation Containment Pressure - High 3.

None of these signals has input to a control function. Thus, two-out-of-three logic is necessary to meet acceptable protective requirements. However, a two-out-of-three design would require tripping a failed channel. This is undesirable because a single failure would then cause spurious containment spray initiation. Spurious spray actuation is undesirable because of the cleanup problems presented. Therefore, these channels are designed with two-out-of-four logic so that a failed channel may be bypassed rather than tripped. Note that one channel may be bypassed and still satisfy the single failure criterion. Furthermore, with one channel bypassed, a single instrumentation channel failure will not spuriously initiate containment spray.

To avoid the inadvertent actuation of containment spray and Phase B containment isolation, the inoperable channel should not be placed in the tripped condition. Instead it is bypassed. Restoring the channel to OPERABLE status, or placing the inoperable channel in the bypassed (continued)

CALLAWAY PLANT B 3.3.2-52 Revision 16

ESFAS Instrumentation B 3.3.2 BASES ACTIONS E.1, E.2.1, and E.2.2 (continued) condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, is sufficient to assure that the Function remains OPERABLE and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The Completion Time is further justified based on the low probability of an event occurring during this interval. Failure to restore the inoperable channel to OPERABLE status, or place it in the bypassed condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, requires the unit be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.

The Required Actions are modified by a Note that allows one additional channel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing. Placing a second channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for testing purposes is acceptable based on the results of Reference 18.

F.1, F.2.1, and F.2.2 Condition F applies to:

  • Manual Initiation of Steam Line Isolation; and
  • P-4 Interlock.

For the Manual Initiation and the P-4 Interlock Functions, this action addresses the train orientation of the SSPS. If a channel or train is inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> are allowed to return it to OPERABLE status. The specified Completion Time is reasonable considering the nature of these Functions, the available redundancy, and the low probability of an event occurring during this interval. If the Function cannot be returned to OPERABLE status, the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems. In MODE 4, the unit does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.

(continued)

CALLAWAY PLANT B 3.3.2-53 Revision 16

ESFAS Instrumentation B 3.3.2 BASES ACTIONS G.1, G.2.1, and G.2.2 (continued)

Condition G applies to the automatic actuation logic and actuation relays (SSPS) for the Steam Line Isolation, Turbine Trip and Feedwater Isolation, and AFW actuation Functions.

The action addresses the train orientation of the actuation logic for these functions. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed for restoring the inoperable train to OPERABLE status is justified in Reference 18. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be returned to OPERABLE status, the unit must be brought to MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE 4 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.

The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Reference 8) assumption that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform train surveillance.

Consistent with the requirement in Reference 18 to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when a logic train is inoperable for maintenance are included (note that these restrictions do not apply when a logic train is being tested under the 4-hour bypass Note of Condition G). Entry into Condition G is not a typical, pre-planned evolution during power operation, other than for surveillance testing.

Since Condition G is typically entered due to equipment failure, it follows that some of the following restrictions may not be met at the time of Condition G entry. If this situation were to occur during the 24-hour Completion Time of Required Action G.1, the Configuration Risk Management Program will assess the emergent condition and direct activities to restore the inoperable logic train and exit Condition G or fully implement these restrictions or perform a plant shutdown, as appropriate from a risk management perspective. The following restrictions will be observed:

(continued)

CALLAWAY PLANT B 3.3.2-54 Revision 16

ESFAS Instrumentation B 3.3.2 BASES ACTIONS G.1, G.2.1, and G.2.2 (continued)

  • To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained when a logic train is inoperable for maintenance.
  • To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train to be unavailable and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable for maintenance.
  • Activities on electrical systems (e.g., AC and DC power) and cooling systems (e.g., essential service water and component cooling water) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable for maintenance. That is, one complete train of a function that supports a complete train of a function noted above must be available.

H.1 Condition H applies to the automatic logic and actuation relays (SSPS) for the Automatic Pressurizer PORV Actuation Function.

The Required Action addresses the impact on the ability to mitigate an inadvertent ECCS actuation at power event that requires the availability of at least one pressurizer PORV for automatic pressure relief. With one or more automatic actuation logic trains inoperable, the associated pressurizer PORV(s) must be declared inoperable immediately. This requires that Condition B or E of LCO 3.4.11, Pressurizer PORVs, be entered immediately depending on the number of PORVs inoperable.

The Required Action is modified by a Note that allows one train to be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Refs. 8 and 13) assumption that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform channel surveillance.

(continued)

CALLAWAY PLANT B 3.3.2-55 Revision 16

ESFAS Instrumentation B 3.3.2 BASES ACTIONS I.1 and I.2 (continued)

Condition I applies to:

  • SG Water Level - High High (P-14).

If one channel is inoperable, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are allowed to restore the channel to OPERABLE status or to place it in the tripped condition. If placed in the tripped condition, the Function is then in a partial trip condition where one-out-of-three logic will result in actuation. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is justified in Reference 18. Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requires the unit to be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Time of Required Action I.2 is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, this Function is no longer required OPERABLE.

The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing of other channels. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition, and the 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for an inoperable channel to be in the bypassed condition for testing, are justified in Reference 18.

J.1 and J.2 Condition J applies to the AFW pump start on trip of all MFW pumps (PAE01A and PAE01B).

This action addresses the train orientation of the BOP ESFAS for the auto start function of the AFW System on loss of all MFW pumps (PAE01A and PAE01B). The OPERABILITY of the AFW System must be assured by providing automatic start of the AFW System pumps.

Condition J applies if one channel is inoperable. If Condition J is entered, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to place the inoperable channel in the tripped condition. This Completion Time is consistent with Reference 23. If the channel cannot be tripped within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, 6 additional hours are allowed to place the unit in MODE 3. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, the unit does not have any analyzed transients or conditions that require the explicit use of the protection function noted above. The Required Actions are modified by a Note that allows one (continued)

CALLAWAY PLANT B 3.3.2-56 Revision 16

ESFAS Instrumentation B 3.3.2 BASES ACTIONS J.1 and J.2 (continued) inoperable channel to be bypassed for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for surveillance testing of other channels.

K.1, K.2.1, and K.2.2 Condition K applies to:

  • RWST Level - Low Low Coincident with Safety Injection.

RWST Level - Low Low Coincident With SI provides actuation of switchover to the containment recirculation sumps. Note that this Function requires the bistables to energize to perform their required action. The failure of up to two channels will not prevent the operation of this Function.

This Action Statement limits the duration that an RWST level channel could be inoperable in the tripped condition in order to limit the probability for automatic switchover to an empty containment sump upon receipt of an inadvertent safety injection signal (SIS), coincident with a single failure of another RWST level channel, or for premature switchover to the sump after a valid SIS. This sequence of events would start the RHR pumps, open the containment sump RHR suction valves and, after meeting the sump suction valve open position interlock, the RWST RHR suction valves would close. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> restoration time for an inoperable channel is consistent with that given in other Technical Specifications affecting RHR operability, e.g., for one ECCS train inoperable and for one diesel generator inoperable.

The Completion Times are justified in References 8 and 18. If the channel cannot be returned to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the unit must be brought to MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 5, the unit does not have any analyzed transients or conditions that require the explicit use of the protection function noted above. The Required Actions are modified by a Note that allows placing an inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing of other channels. This bypass allowance is justified in Reference 18.

(continued)

CALLAWAY PLANT B 3.3.2-57 Revision 16

ESFAS Instrumentation B 3.3.2 BASES ACTIONS L.1, L.2.1, and L.2.2 (continued)

Condition L applies to the P-11 interlock.

With one or more required channel(s) inoperable, the operator must verify that the interlock is in the required state for the existing unit condition by observation of the associated permissive annunciator window. This action manually accomplishes the function of the interlock. Determination must be made within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is equal to the time allowed by LCO 3.0.3 to initiate shutdown actions in the event of a complete loss of ESFAS function. If the interlock is not in the required state (or placed in the required state) for the existing unit condition, the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE 4 removes all requirements for OPERABILITY of this interlock.

M.1 and M.2 Condition M applies to the AFW pump start on trip of all MFW pumps (PAE01A and PAE01B).

This action addresses the train orientation of the BOP ESFAS for the auto start function of the AFW System on loss of all MFW pumps (PAE01A and PAE01B). The OPERABILITY of the AFW System must be assured by providing automatic start of the AFW System pumps.

Condition M applies if two channels are inoperable and the motor-driven AFW actuation function is maintained from one actuation train, i.e., if two channels out of the four total channels are inoperable but are in the same separation group. If Condition M is entered, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to place the inoperable channels in the tripped condition.

If one channel per MFW pump is inoperable, but the Condition is limited to the same separation group, the actuation function remains available. As shown on FSAR Figure 7.3-1, sheet 2 (Ref. 2), satisfying the trip logic requires the presence of a low oil pressure signal in the same separation group on each MFW pump. For example, an inoperable separation group 1 channel on one MFW pump coincident with an inoperable separation group 1 on the other MFW pump would leave the separation group 4 channels available to perform the actuation function. Therefore, Condition M covers either of the following situations:

(continued)

CALLAWAY PLANT B 3.3.2-58 Revision 16

ESFAS Instrumentation B 3.3.2 BASES ACTIONS M.1 and M.2 (continued)

The wording of Condition M and the 24-hour Completion Time are consistent with Reference 23.

If the channels cannot be tripped in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, 6 additional hours are allowed to place the unit in MODE 3. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, the unit does not have any analyzed transients or conditions that require the explicit use of the protection function noted above.

N.1, N.2.1, and N.2.2 Condition N applies to the Environmental Allowance Modifier (EAM) circuitry for the SG Water Level - Low Low trip Functions in MODES 1, 2, and 3. With one or more EAM channel(s) inoperable, they must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing an EAM channel in trip automatically enables the SG Water Level - Low Low (Adverse Containment Environment) bistable for that protection channel, with its higher SG level Trip Setpoint (a higher trip setpoint means a feedwater isolation or an AFW actuation would occur sooner). The Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is based on Reference 18. If the inoperable channel cannot be placed in the tripped condition within the specified Completion Time, the unit must be placed in a MODE where this Function is not required to be OPERABLE. The unit must be placed in MODE 3 within an additional six hours and in MODE 4 within the following six hours.

O.1 and O.2 Condition O applies to the Auxiliary Feedwater Pump Suction Transfer on Suction Pressure - Low trip Function. The Condensate Storage Tank is the highly reliable and preferred suction source for the AFW pumps. This function has a two-out-of-three trip logic. Therefore, continued operation is allowed with one inoperable channel until the performance of the next COT on one of the other channels, as long as the inoperable channel is placed in trip within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

(continued)

CALLAWAY PLANT B 3.3.2-59 Revision 16

ESFAS Instrumentation B 3.3.2 BASES ACTIONS P.1 and P.2 (continued)

Condition P applies to the Auxiliary Feedwater Manual Initiation trip Function and the Steam Generator Blowdown and Sample Line Isolation Valve Actuation Function 10.a. The associated auxiliary feedwater pump(s) and the associated steam generator blowdown and sample line isolation valve(s) must be declared inoperable immediately when one or more channel(s) or train(s) is inoperable. Refer to LCO 3.7.5, Auxiliary Feedwater (AFW) System, and to LCO 3.7.19, Secondary Side Isolation Valves.

Q.1, Q.2.1, and Q.2.2 Condition Q applies to the Auxiliary Feedwater and Steam Generator Blowdown and Sample Line Isolation Valve Actuation Function 10.b Balance of Plant ESFAS automatic actuation logic and actuation relays. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status. The 24-hour Completion Time for restoring the inoperable train to OPERABLE status is justified in Reference 23. The specified Completion Time is reasonable considering that there is another OPERABLE train and the low probability of an event occurring during this interval. If the inoperable train cannot be restored to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, the unit must be brought to MODE 3 within 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> and MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> (Example 1.3-1 explains the independence of these Completion Times). The Required Actions are modified by a Note that allows one train to be bypassed for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for surveillance testing provided the other train is OPERABLE.

R.1, R.2.1, and R.2.2 Condition R applies to the Auxiliary Feedwater Loss of Offsite Power trip Function and the Steam Generator Blowdown and Sample Line Isolation Valve Actuation Function 10.d. With the inoperability of one or both train(s), 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> are allowed to return the train(s) to OPERABLE status.

The specified Completion Time is reasonable considering this Function is associated with the turbine driven auxiliary feedwater pump (TDAFP) and the ESFAS Function 10 valves, the available redundancy provided by the motor driven auxiliary feedwater pumps and other isolation valves, and the low probability of an event occurring during this interval. If the Function cannot be returned to OPERABLE status, the unit must be placed in MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (Example 1.3-1 explains the independence of these Completion Times). The allowed Completion Times are reasonable, based on operating experience, to (continued)

CALLAWAY PLANT B 3.3.2-60 Revision 16

ESFAS Instrumentation B 3.3.2 BASES ACTIONS R.1, R.2.1, and R.2.2 (continued) reach the required unit conditions from full power in an orderly manner and without challenging unit systems. In MODE 4, the unit does not have any analyzed transients or conditions that require this equipment for mitigation.

S.1, S.2.1, and S.2.2 Condition S applies to the MSFIS automatic logic and actuation relays.

The action addresses the train orientation of the actuation logic for these functions. If one train is inoperable, 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> are allowed to restore the train to OPERABLE status. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be returned to OPERABLE status, the unit must be brought to MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE 4 removes all requirements for OPERABILITY of the protective function. In this MODE, the unit does not have analyzed transients or conditions that require the explicit use of the protection function noted above.

The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Reference 13) assumption that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform channel surveillance.

SURVEILLANCE The SRs for each ESFAS Function are identified by the SRs column of REQUIREMENTS Table 3.3.2-1.

A Note has been added to clarify that Table 3.3.2-1 determines which SRs REQUIREMENTS apply to which ESFAS Functions.

Note that each channel of process protection supplies both trains of the ESFAS. When testing channel I, train A and train B must be examined.

Similarly, train A and train B must be examined when testing channel II, channel III, and channel IV. The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

(continued)

CALLAWAY PLANT B 3.3.2-61 Revision 16

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.1 REQUIREMENTS (continued) Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and reliability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.2 SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST, using the semiautomatic tester. The train being tested is placed in the bypassed condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. In addition, the master relay coil is pulse tested for continuity. This verifies that the logic modules are OPERABLE and that there is an intact voltage signal path to the master relay coils. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.3 SR 3.3.2.3 is the performance of an ACTUATION LOGIC TEST using the BOP ESFAS automatic tester. The continuity check does not have to be performed, as explained in the Note. This SR is applied to the balance of (continued)

CALLAWAY PLANT B 3.3.2-62 Revision 16

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.3 (continued)

REQUIREMENTS plant actuation logic and relays that do not have circuits installed to perform the continuity check. In addition, SR 3.3.2.3 is the performance of an ACTUATION LOGIC TEST of the MSFIS PLC actuation logic, initiated from the SSPS slave relays. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.4 SR 3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. The time allowed for the testing (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) is justified in Reference 8. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.5 SR 3.3.2.5 is the performance of a COT.

A COT is performed on each required channel to ensure the channel will perform the intended Function. Setpoints must be found within the Allowable Values specified in Table 3.3.2-1. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified periodically by other Technical Specifications and non-Technical Specifications tests.

The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

(continued)

CALLAWAY PLANT B 3.3.2-63 Revision 16

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.6 REQUIREMENTS (continued) SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation mode is either allowed to function or is placed in a condition where the relay contact operation can be verified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation mode is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay. The SLAVE RELAY TEST of relay K620 does not include the circuitry associated with the main feedwater pump trip solenoids since that circuitry serves no required safety function. The SR is modified by a Note that excludes slave relays K602, K620, K622, and K741, which are included in testing required by SR 3.3.2.13, as well as slave relay K750, which is included in testing required by SR 3.3.2.14. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.7 SR 3.3.2.7 is the performance of a TADOT. This test is a check of the AFW pump start on Loss of Offsite Power trip Function and the Steam Generator Blowdown and Sample Line Isolation Valve Actuation Function 10.d. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions or as otherwise specified within the SFCP described in TS 5.5.18. The trip actuating devices tested within the scope of SR 3.3.2.7 are the LSELS output relays and BOP ESFAS separation groups 1 and 4 logic associated with the automatic start of the turbine driven auxiliary feedwater pump and closure of the steam generator blowdown isolation valves and sample line isolation valves on an ESF bus undervoltage condition. The SR is modified by a Note that excludes verification of setpoints for relays. The trip actuating devices tested have no associated setpoint.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

(continued)

CALLAWAY PLANT B 3.3.2-64 Revision 16

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.8 REQUIREMENTS (continued) SR 3.3.2.8 is the performance of a TADOT. This test is a check of the Manual Actuation Functions, AFW pump start on trip of all MFW pumps (PAE01A and PAE01B), and manual generation of an SGBSIS (Function 10.a). The Manual Safety Injection TADOT shall independently verify OPERABILITY of the undervoltage and shunt trip handswitch contacts for both the Reactor Trip Breakers and Reactor Trip Bypass Breakers as well as the contacts for safety injection actuation. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified periodically by other Technical Specifications and non-Technical Specifications tests. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation Functions.

The manual initiation Functions have no associated setpoints. The Note exclusion does not explicitly apply to the AFW pump start on trip of both turbine-driven MFW pumps; however, the TADOT test procedures for that Function do not require the verification of a nominal trip setpoint or allowable value since none have ever been specified in the Technical Specifications for that anticipatory actuation signal which is not credited in any accident or transient analysis.

SR 3.3.2.9 SR 3.3.2.9 is the performance of a CHANNEL CALIBRATION.

CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.CHANNEL CALIBRATIONS must be performed consistent with the assumptions of Reference 6.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values where applicable. This does not include verification of time delay relays.

These are verified via response time testing per SR 3.3.2.10.

(continued)

CALLAWAY PLANT B 3.3.2-65 Revision 16

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.9 (continued)

REQUIREMENTS The portion of the automatic PORV actuation circuitry required for COMS is calibrated in accordance with SR 3.4.12.9.

SR 3.3.2.10 This SR verifies the individual channel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis.

Response time verification acceptance criteria are included in Reference 9. No credit was taken in the safety analyses for those channels with response times listed as N.A. No response time testing requirements apply where N.A. is listed in Reference 9. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor, to the point at which the equipment in both trains reaches the required functional state (e.g., pumps at rated discharge pressure, valves in full open or closed position). The safety analyses include the sum of the following response time components:

a. Sensing circuitry delay time from the time the trip setpoint is reached at the sensor until an ESFAS actuation signal is generated by the SSPS (response time testing associated with LSELS and BOP-ESFAS is discussed under SR 3.3.5.4, SR 3.3.6.6, SR 3.3.7.6, and SR 3.3.8.6);
b. Any intentional time delay set into the trip circuitry (e.g., NLL cards (lead/lag) associated with the steam line pressure high negative rate trip function) to add margin or prevent spurious trip signals; and
c. The time for the final actuation devices to reach the required functional state (e.g., valve stroke time, pump or fan spin-up time).

For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time verification is performed with the time constants set at their nominal values. Time constants are verified during the performance of SR 3.3.2.9. The response time may be verified by a series of overlapping tests, or other verification (e.g., Ref. 10 and Ref. 14), such that the entire response time is verified.

(continued)

CALLAWAY PLANT B 3.3.2-66 Revision 16

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.10 (continued)

REQUIREMENTS Response time may be verified by actual response time tests in any series of sequential, overlapping, or total channel measurements, or by the summation of allocated sensor, signal processing, and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from:

(1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests); (2) inplace, onsite, or offsite (e.g. vendor) test measurements; or (3) utilizing vendor engineering specifications.

WCAP-13632-P-A Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP.

Response time verification for other sensor types must be demonstrated by test.

WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," provides the basis and methodology for using allocated signal processing and actuation logic response time in the overall verification of the protection system channel response time.

The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in References 10 and 14 may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that clarifies that the turbine driven AFW pump is tested within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after reaching 900 psig in the SGs.

SR 3.3.2.11 SR 3.3.2.11 is the performance of a TADOT for the P-4 Reactor Trip Interlock. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay.

(continued)

CALLAWAY PLANT B 3.3.2-67 Revision 16

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.11 (continued)

REQUIREMENTS This is acceptable because all of the other required contacts of the relay are verified periodically by other Technical Specifications and non-Technical Specifications tests. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Function tested has no associated setpoint. This TADOT does not include the circuitry associated with steam dump operation since it is control grade circuitry.

SR 3.3.2.12 SR 3.3.2.12 is the performance of a COT on ESFAS Function 6.h, "AFW Pump Suction Transfer on Suction Pressure - Low." A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests.

A COT is performed to ensure the channel will perform the intended Function. Setpoints must be found within the Allowable Values specified in Table 3.3.2-1.

The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.13 SR 3.3.2.13 is the performance of a SLAVE RELAY TEST as described in SR 3.3.2.6, except that SR 3.3.2.13 has a Note specifying that it applies only to slave relays K602, K622, K624, K630, K740, and K741. These slave relays are tested with a Frequency specified in the Surveillance (continued)

CALLAWAY PLANT B 3.3.2-68 Revision 16

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.13 (continued)

REQUIREMENTS Frequency Control Program and prior to entering MODE 4 for Functions 1.b, 3.a.(2), and 7.a whenever the unit has been in MODE 5 or 6 for

> 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, if not performed within the previous 92 days (Reference 12).

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.14 SR 3.3.2.14 is the performance of a SLAVE RELAY TEST as described in SR 3.3.2.6, except that SR 3.3.2.14 has a Note specifying that it applies only to slave relay K750. The slave relay is tested with a Frequency specified in the Surveillance Frequency Control Program and prior to entering MODE 3 for Functions 5.a and 9.a whenever the unit has been in MODE 5 or 6 for > 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, if not performed within the previous 92 days.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. Testing slave relay K750 at power would result in opening the PORVs and depressurizing the RCS. If the PORV block valves are closed, there is not enough pressure to open the PORVs.

REFERENCES 1. FSAR, Chapter 6.

2. FSAR, Chapter 7.
3. FSAR, Chapter 15.
4. IEEE-279-1971.
5. 10 CFR 50.49.
6. Callaway Setpoint Methodology Report (NSSS), SNP (UE)-565 dated May 1, 1984, and Callaway Instrument Loop Uncertainty Estimates (BOP), J-U-GEN.
7. Not used.
8. Callaway OL Amendment No. 64 dated October 9, 1991.
9. FSAR Section 16.3, Table 16.3-2.

(continued)

CALLAWAY PLANT B 3.3.2-69 Revision 16

ESFAS Instrumentation B 3.3.2 BASES REFERENCES 10. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor (continued) Response Time Testing Requirements," January 1996.

11. Callaway OL Amendment No. 43 dated April 14, 1989.
12. SLNRC 84-0038 dated February 27, 1984.
13. Callaway OL Amendment No. 117 dated October 1, 1996.
14. WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," October 1998.
15. FSAR, Section 15.5.1.
16. FSAR, Section 15.6.1.
17. Letter from Mel Gray (NRC) to Garry L. Randolph (UE), "Revision 20 of the Inservice Testing Program for Callaway Plant, Unit 1 (TAC No. MA4469)," dated March 19, 1999.
18. WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," October 1998.
19. WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," March 2003.
20. Westinghouse letter SCP-04-90 dated August 27, 2004.
21. ULNRC-03748 dated February 27, 1998.
22. IDP-ZZ-00017.
23. Callaway License Amendment 201, dated July 28, 2011.

CALLAWAY PLANT B 3.3.2-70 Revision 16

ESFAS Instrumentation B 3.3.2 Table B 3.3.2-1 ESFAS Instrumentation (Page 1 of 5)

FUNCTION NOMINAL TRIP SETPOINT (a)

1. Safety Injection
a. Manual Initiation N.A.
b. Automatic Actuation Logic and N.A.

Actuation Relays (SSPS)

c. Containment Pressure - High 1 3.5 psig
d. Pressurizer Pressure - Low 1849 psig
e. Steam Line Pressure - Low 615 psig
2. Containment Spray
a. Manual Initiation N.A.
b. Automatic Actuation Logic and N.A.

Actuation Relays (SSPS)

c. Containment Pressure High-3 27.0 psig
3. Containment Isolation
a. Phase A Isolation (1). Manual Initiation N.A.

(2). Automatic Actuation Logic and N.A.

Actuation Relays (SSPS)

(3). Safety Injection See Function 1 (Safety Injection).

(continued)

(a) The inequality sign only indicates conservative direction. The as-left value will be within a two-sid-ed calibration tolerance band on either side of the nominal value.

CALLAWAY PLANT B 3.3.2-71 Revision 16

ESFAS Instrumentation B 3.3.2 Table B 3.3.2-1 ESFAS Instrumentation (Page 2 of 5)

FUNCTION NOMINAL TRIP SETPOINT (a)

b. Phase B Isolation (1). Manual Initiation N.A.

(2). Automatic Actuation Logic and N.A.

Actuation Relays (SSPS)

(3). Containment Pressure High-3 27.0 psig

4. Steam Line Isolation
a. Manual Initiation N.A.
b. Automatic Actuation Logic and N.A.

Actuation Relays (SSPS)

c. Automatic Actuation Logic and N.A.

Actuation Relays (MSFIS)

d. Containment Pressure - High 2 17.0 psig
e. Steam Line Pressure (1). Low 615 psig (2). Negative Rate - High 100 psi with a rate/lag controller time constant 50 sec.

(continued)

(a) The inequality sign only indicates conservative direction. The as-left value will be within a two-sid-ed calibration tolerance band on either side of the nominal value.

CALLAWAY PLANT B 3.3.2-72 Revision 16

ESFAS Instrumentation B 3.3.2 Table B 3.3.2-1 ESFAS Instrumentation (Page 3 of 5)

FUNCTION NOMINAL TRIP SETPOINT (a)

5. Turbine Trip and Feedwater Isolation
a. Automatic Actuation Logic and N.A.

Actuation Relays (SSPS)

b. Automatic Actuation Logic and N.A.

Actuation Relays (MSFIS)

c. SG Water Level - High High (P-14) 91.0% of narrow range instrument span
d. Safety Injection See Function 1 (Safety Injection).
e. SG Water Level Low-Low See Function 6.d, SG Water Level Low-Low.
6. Auxiliary Feedwater
a. Manual Initiation N.A.
b. Automatic Actuation Logic and N.A.

Actuation Relays (SSPS)

c. Automatic Actuation Logic and N.A.

Actuation Relays (BOP ESFAS)

d. SG Water Level - Low Low (1). Steam Generator Water Level - 21.0% of narrow range Low Low (Adverse instrument span Containment Environment)

(continued)

(a) The inequality sign only indicates conservative direction. The as-left value will be within a two-sid-ed calibration tolerance band on either side of the nominal value.

CALLAWAY PLANT B 3.3.2-73 Revision 16

ESFAS Instrumentation B 3.3.2 Table B 3.3.2-1 ESFAS Instrumentation (Page 4 of 5)

FUNCTION NOMINAL TRIP SETPOINT (a)

d. SG Water Level - Low Low (continued)

(2). Steam Generator Water 17.0% of narrow range Level - Low Low instrument span (Normal Containment Environment)

(3). Not used.

(4). Containment Pressure - 1.5 psig Environmental Allowance Modifier

e. Safety Injection See Function 1 (Safety Injection).
f. Loss of Offsite Power N.A.
g. Trip of all Main Feedwater Pumps N.A.
h. Auxiliary Feedwater Pump Suction 21.71 psia Transfer on Suction Pressure - Low (continued)

(a) The inequality sign only indicates conservative direction. The as-left value will be within a two-sid-ed calibration tolerance band on either side of the nominal value.

CALLAWAY PLANT B 3.3.2-74 Revision 16

ESFAS Instrumentation B 3.3.2 Table B 3.3.2-1 ESFAS Instrumentation (Page 5 of 5)

FUNCTION NOMINAL TRIP SETPOINT (a)

7. Automatic Switchover to Containment Sump
a. Automatic Actuation Logic and N.A.

Actuation Relays (SSPS)

b. Refueling Water Storage Tank 36%

(RWST) Level - Low Low Coincident with Safety Injection See Function 1 (Safety Injection).

8. ESFAS Interlocks
a. Reactor Trip, P-4 N.A.
b. Pressurizer Pressure, P-11 1970 psig
9. Automatic Pressurizer PORV Actuation
a. Automatic Actuation Logic and N.A.

Actuation Relays (SSPS)

b. Pressurizer Pressure - High 2335 psig (a) The inequality sign only indicates conservative direction. The as-left value will be within a two-sid-ed calibration tolerance band on either side of the nominal value CALLAWAY PLANT B 3.3.2-75 Revision 16

PAM Instrumentation B 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Post Accident Monitoring (PAM) Instrumentation BASES BACKGROUND The primary purpose of the PAM instrumentation is to display unit variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for Design Basis Accidents (DBAs).

The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information available on selected unit parameters to monitor and to assess unit status and behavior following an accident.

The availability of accident monitoring instrumentation is important so that responses to corrective actions can be observed and the need for, and magnitude of, further actions can be determined. These essential instruments are identified by References 1 through 4, addressing the recommendations of Regulatory Guide 1.97 (Ref. 5) as required by Supplement 1 to NUREG-0737 (Ref. 6).

The instrument channels required to be OPERABLE by this LCO include two classes of parameters identified during unit specific implementation of Regulatory Guide 1.97 as Type A variables or non-Type A, Category 1 variables that meet Criterion 4 of 10CFR50.36(c)(2)(ii).

Type A variables are included in this LCO because they provide the primary information required for the control room operator to take specific manually controlled actions for which no automatic control is provided, and that are required for safety systems to accomplish their safety functions for DBAs.

Selected non-Type A Category 1 variables are deemed risk significant because they are needed to:

  • Determine whether other systems important to safety are performing their intended functions;
  • Provide information to the operators that will enable them to determine the likelihood of a gross breach of the barriers to radioactivity release; and (continued)

CALLAWAY PLANT B 3.3.3-1 Revision 15

PAM Instrumentation B 3.3.3 BASES BACKGROUND

  • Provide information regarding the potential release of radioactive (continued) materials to allow for early indication of the need to initiate action necessary to protect the public, and to estimate the magnitude of any impending threat.

These key variables are identified by References 1 through 4. These analyses identify the unit specific Type A and required non-Type A, Category 1 variables to be included in this specification and provide justification for deviating from the NRC proposed list of Category 1 variables.

Type A variables at Callaway include:

RCS Hot Leg Temperature (Wide Range);

RCS Cold Leg Temperature (Wide Range);

RCS Pressure (Wide Range);

Containment Normal Sump Water Level; Containment Pressure (Normal Range);

Steam Line Pressure; Containment Radiation Level (High Range);

Pressurizer Water Level; Steam Generator (SG) Water Level (Narrow Range); and Refueling Water Storage Tank (RWST) Level.

The required non-Type A, Category 1 variables include:

Neutron Flux; Reactor Vessel Level Indicating System (RVLIS);

SG Water Level (Wide Range); and Core Exit Temperature.

(continued)

CALLAWAY PLANT B 3.3.3-2 Revision 15

PAM Instrumentation B 3.3.3 BASES BACKGROUND In addition, Auxiliary Feedwater Flow Rate is a required non-Type A, (continued) Category 2 variable. These variables are considered essential to the operator for accident management.

The specific instrument Functions listed in Table 3.3.3-1 are discussed in the LCO section.

APPLICABLE The PAM instrumentation ensures the operability of Regulatory SAFETY Guide 1.97 Type A and required non-Type A Category 1 variables so that ANALYSES the control room operating staff can:

  • Perform the diagnosis specified in the emergency operating procedures (these variables are restricted to preplanned actions for the primary success path of DBAs), e.g., loss of coolant accident (LOCA);
  • Take the specified, pre-planned, manually controlled actions, for which no automatic control is provided, and that are required for safety systems to accomplish their safety function;
  • Determine whether systems important to safety are performing their intended functions;
  • Determine the likelihood of a gross breach of the barriers to radioactivity release;
  • Determine if a gross breach of a barrier has occurred; and
  • Initiate action necessary to protect the public and to estimate the magnitude of any impending threat.

PAM instrumentation that meets the definition of Type A in Regulatory Guide 1.97 satisfies Criterion 3 of 10CFR50.36(c)(2)(ii). The required Category 1, non-Type A instrumentation must be retained in TS because it is intended to assist operators in minimizing the consequences of accidents. Therefore, these Category 1, non-Type A variables are important for reducing public risk.

LCO The PAM instrumentation LCO provides OPERABILITY requirements for Regulatory Guide 1.97 Type A instrumentation, which provide information required by the control room operators to perform certain manual actions specified in the unit Emergency Operating Procedures. These manual actions ensure that a system can accomplish its safety function, and are (continued)

CALLAWAY PLANT B 3.3.3-3 Revision 15

PAM Instrumentation B 3.3.3 BASES LCO credited in the safety analyses. Additionally, this LCO addresses required (continued) Regulatory Guide 1.97 instruments that have been designated Category 1, non-Type A.

The OPERABILITY of the PAM instrumentation ensures there is sufficient information available on selected unit parameters to monitor and assess unit status following an accident. This capability is consistent with the recommendations of References 1 through 4.

LCO 3.3.3 requires two OPERABLE channels for most Functions. Two OPERABLE channels ensure no single failure prevents operators from getting the information necessary for them to determine the safety status of the unit, and to bring the unit to and maintain it in a safe condition following an accident. Redundancy of the two instrument trains of the RVLIS is not compromised by having a shared upper reactor vessel tap since it is not conceivable that the tap will fail either from plugging or breaking. Freedom from plugging is enhanced by 1) use of stainless steel connections which preclude corrosion products, and 2) absence of mechanisms, such as flow, for concentrating boric acid. It is also inconceivable that the tap will break because it is in a protected area.

Even if the shared tap does fail, it should be recognized that RVLIS is not a protection system initiating automatic action, but a monitoring system with adequate backup monitoring such as by core exit thermocouples for operator correlation.

OPERABILITY of two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information.

Two instrument functions, SG Water Level (Wide Range) and AFW Flow Rate, have one indication per steam generator. Redundancy is provided with multiple steam generators.

Table 3.3.3-1 provides a list of variables identified by the unit specific Regulatory Guide 1.97 (Refs. 1 through 4) analyses.

Category 1 variables are required to meet Regulatory Guide 1.97 Category 1 (Ref. 5) design and qualification requirements for seismic and environmental qualification, single failure criterion, utilization of emergency standby power, immediately accessible display, continuous readout, and recording of display. Certain recorders driven by the accident monitoring instrumentation channels are described in Reference 7 as meeting requirements of Regulatory Guide 1.97 and are considered license commitments. The recorders are in place and should be operational; however, they are not covered in the Technical Specifications. These instrumentation channels shall not be declared (continued)

CALLAWAY PLANT B 3.3.3-4 Revision 15

PAM Instrumentation B 3.3.3 BASES LCO inoperable if their associated recorder fails to meet surveillance test (continued) requirements. However, every reasonable effort should be expended to maintain these recorders in service. The definitions for CHANNEL CHECK, COT, and CHANNEL CALIBRATION do not include recorders and required operator actions can be accomplished if other indication is provided and OPERABLE. The above discussion does not apply to Neutron Flux.

Listed below are discussions of the specified instrument Functions listed in Table 3.3.3-1.

1. Neutron Flux Neutron Flux indication is a Category 1 variable provided to verify reactor shutdown. Indication must cover the full range of flux that may occur post accident. To meet the requirement for two channels displaying neutron flux indication over the range required by Reference 5, SENI0060B and SENIR0061 (wide range pen only) must be OPERABLE.

Neutron flux is used for accident diagnosis, verification of subcriticality, and diagnosis of positive reactivity insertion events.

2, 3. Reactor Coolant System (RCS) Hot and Cold Leg Temperatures (Wide Range)

RCS Hot and Cold Leg Temperatures (Wide Range) are Type A, Category 1 variables provided for verification of core cooling and long term surveillance.

RCS hot and cold leg temperatures provide input to the core subcooling monitor or may be used to manually determine RCS subcooling margin. RCS subcooling margin is used to determine whether to terminate safety injection (SI), if still in progress, or reinitiate SI if it has been stopped. RCS subcooling margin is also used for unit stabilization and cooldown control.

In addition, RCS cold leg temperature is used in conjunction with RCS hot leg temperature to verify the unit conditions necessary to establish natural circulation in the RCS.

Each of the four hot legs and each of the four cold legs has one wide range, thermowell-mounted RTD. These are separate from (continued)

CALLAWAY PLANT B 3.3.3-5 Revision 15

PAM Instrumentation B 3.3.3 BASES LCO 2, 3. Reactor Coolant System (RCS) Hot and Cold Leg Temperatures (Wide Range) (continued) the narrow range RTDs providing inputs to the Reactor Trip System. The wide range channels provide indication over a range of 0°F to 700°F. Loops 1 and 2 have hot and cold leg wide range Class 1E temperature indications in the main control room.

4. Reactor Coolant System Pressure (Wide Range)

RCS wide range pressure is a Type A, Category 1 variable provided for verification of core cooling and long term surveillance of RCS integrity.

RCS pressure is used to verify delivery of SI flow to RCS from at least one train when the RCS pressure is below the pump shutoff head. RCS pressure is also used to verify closure of manually closed pressurizer spray line valves and pressurizer power operated relief valves (PORVs).

In addition to these verifications, RCS pressure is used for determining RCS subcooling margin. RCS subcooling margin is used to determine whether to terminate SI, if still in progress, or reinitiate SI if it has been stopped. RCS pressure can also be used:

  • to determine whether to terminate actuated SI or to reinitiate stopped SI;
  • to determine when to reset SI and shut off low head SI;
  • to manually restart low head SI;
  • to make a determination on the nature of the accident in progress and where to go next in the procedure.

RCS subcooling margin is also used for unit stabilization and cooldown control.

RCS pressure is also related to three decisions about depressurization. They are:

(continued)

CALLAWAY PLANT B 3.3.3-6 Revision 15

PAM Instrumentation B 3.3.3 BASES LCO 4. Reactor Coolant System Pressure (Wide Range) (continued)

  • to determine whether to proceed with primary system depressurization;
  • to verify termination of depressurization; and
  • to determine whether to close accumulator isolation valves during a controlled cooldown/ depressurization.

A final use of RCS pressure is to determine whether to operate the pressurizer heaters.

RCS pressure is a Type A variable because the operator uses this indication to monitor the cooldown of the RCS following a steam generator tube rupture (SGTR) or small break LOCA. Operator actions to maintain a controlled cooldown, such as adjusting steam generator (SG) pressure or level, would use this indication.

Furthermore, RCS pressure is one factor that may be used in decisions to terminate RCP operation.

5. Reactor Vessel Level Indicating System (RVLIS)

Reactor Vessel Level is a Category 1 variable provided for verification and long term surveillance of core cooling. It is also used for accident diagnosis and to determine reactor coolant inventory adequacy.

The Reactor Vessel Level Indicating System provides an indication of reactor vessel level from the bottom of the reactor vessel to the top of the reactor during natural circulation conditions and an indication of reactor core and internals pressure drop for any combination of operating RCPs.

6. Containment Normal Sump Water Level Containment Normal Sump Water Level is a Type A, Category 1 variable provided for verification and long term surveillance of RCS integrity.

Containment Normal Sump Water Level is used for event identification.

(continued)

CALLAWAY PLANT B 3.3.3-7 Revision 15

PAM Instrumentation B 3.3.3 BASES LCO 7. Containment Pressure (Normal Range)

(continued)

Containment Pressure (Normal Range) is a Type A, Category 1 variable provided for verification of RCS and containment OPERABILITY.

Containment pressure is used to verify whether closure of main steam isolation valves (MSIVs) is required (at High-2) and whether containment spray and Phase B isolation are required when containment pressure High-3 is reached.

8. Steam Line Pressure Steam Line Pressure is a Type A, Category 1 variable for event diagnosis and natural circulation. It is a variable for determining if a secondary pipe rupture has occurred. This indication is provided to aid the operator in determining the faulted steam generator and to verify natural circulation.
9. Containment Radiation Level (High Range), GTRIC0059 and GTRIC0060 (or GTRR0060)

Containment Radiation Level is a Type A, Category 1 variable provided to monitor for the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans.

Containment radiation level is used to determine if a high energy line break (HELB) has occurred, and whether the event is inside or outside of containment. The radiation monitor identification "RIC" refers to the RM-23 on panel SP067. Chart recorder GTRR0060 may be used to satisfy this specification in lieu of GTRIC0060.

Per FSAR SP 18.2.12.1, for accidents involving temperature transients in containment, these monitors are not capable of meeting the RG 1.97 system accuracy requirements below 25 R/hr.

These monitors do not support FSAR described design basis functions below 25 R/hr, but may be utilized for redundant indication and verification purposes, as needed.

10. Not used (continued)

CALLAWAY PLANT B 3.3.3-8 Revision 15

PAM Instrumentation B 3.3.3 BASES LCO 11. Pressurizer Water Level (continued)

Pressurizer Water Level is a Type A, Category 1 variable used to determine whether to terminate SI, if still in progress, or to reinitiate SI if it has been stopped. Knowledge of pressurizer water level is also used to verify the unit conditions necessary to establish natural circulation in the RCS and to verify that the unit is maintained in a safe shutdown condition.

12. Steam Generator Water Level (Wide Range)

SG Water Level (Wide Range) is a Category 1 variable provided to monitor SG dryout and as a criterion for establishing feed and bleed cooling of the RCS.

SG Water Level (Wide Range) is used to:

  • verify that the intact SGs are an adequate heat sink for the reactor;
  • determine the nature of the accident in progress (e.g.,

verify SGTR overfill); and

  • verify unit conditions for termination of SI during secondary unit HELBs outside containment.

The wide range water level indicator for each steam generator is located in the main control room. Wide range steam generator level measurement meets the intent of the single failure criterion for Category 1 variables by virtue of independent, diverse variables. In the emergency procedures, auxiliary feedwater (AFW) flow, reactor coolant pressure, and reactor coolant temperature indications are diverse variables which are used to determine whether adequate core cooling is provided in the absence of wide range level indication for a steam generator. The design limitation of having one wide range level indicator, in conjunction with one AFW flow indicator, per steam generator is consistent with NUREG-0737 Item II.E.1.2 for Westinghouse plants (see FSAR Section 18.2.8.1). It is noted that wide range SG level is not a Type A variable.

(continued)

CALLAWAY PLANT B 3.3.3-9 Revision 15

PAM Instrumentation B 3.3.3 BASES LCO 13. Steam Generator Water Level (Narrow Range)

(continued)

Steam Generator Water Level (Narrow Range) is a Type A, Category 1 variable for Steam Generator Tube Rupture event diagnosis and SI termination.

SG Water Level (Narrow Range) is used to:

  • identify the faulted SG following a tube rupture;
  • determine the nature of the accident in progress (e.g.,

verify an SGTR); and

  • verify unit conditions for termination of SI during secondary unit HELBs outside containment.

14, 15, 16, 17. Core Exit Temperature Core exit temperature is a Category 1 variable which provides for verification and long term surveillance of core cooling.

An evaluation was made in support of Reference 5 of the minimum number of valid core exit thermocouples (CETs) necessary for measuring core cooling. The evaluation determined the reduced complement of CETs necessary to detect initial core recovery and trend the ensuing core heatup. The evaluations account for core nonuniformities, including incore effects of the radial decay power distribution, excore effects of condensate runback in the hot legs, and nonuniform inlet temperatures. Based on these evaluations, adequate core cooling is ensured with two valid core exit temperature channels per quadrant with two CETs per required channel. Core exit temperature is used to determine whether to terminate SI, if still in progress, or to reinitiate SI if it has been stopped. Core exit temperature is also used for unit stabilization and cooldown control.

Two OPERABLE channels of core exit temperature are required in each quadrant to provide indication of radial distribution of the coolant temperature rise across representative regions of the core.

Reference 8 discusses the conformance of the thermocouple/core cooling monitor system to NUREG - 0737 Item II.F.2 Attachment 1, approved by NRC in Reference 9.

(continued)

CALLAWAY PLANT B 3.3.3-10 Revision 15

PAM Instrumentation B 3.3.3 BASES LCO 14, 15, 16, 17. Core Exit Temperature (continued)

Two sets of two thermocouples ensure a single failure will not disable the ability to determine the radial temperature gradient.

18. Auxiliary Feedwater Flow Rate AFW Flow Rate is a Category 2 variable provided to monitor operation of decay heat removal via the SGs.

The AFW Flow to each SG is determined from a differential pressure measurement calibrated for a range of 0 to 2E5 lbm/hr (0 gpm to 400 gpm). Each differential pressure transmitter provides an input to a control room indicator and the unit computer. Since the primary indication used by the operator during an accident is the control room indicator, the PAM specification deals specifically with this portion of the instrument channel.

AFW flow is used three ways:

  • to verify delivery of AFW flow to the SGs;
  • to determine whether to terminate SI if still in progress, in conjunction with SG water level (narrow range); and
  • to regulate AFW flow so that the SG tubes remain covered.

AFW flow is also used by the operator to verify that the AFW System is delivering the correct flow to each SG. However, the primary indication used by the operator to ensure an adequate inventory is SG level.

The AFW flow rate indicator for each SG is located in the main control room. Each of the four flow indicators is powered by a different separation group. Since only two of four SGs are required to establish a heat sink for the RCS, flow indication to at least two intact SGs is assured even if a single failure is assumed.

Section 22 of the SER, NUREG-0830, specifically accepted the response to NUREG-0737 Item II.E.1.2 Part 2 for AFW flow rate indication and also noted that wide range SG level is provided.

Additional discussion is found in FSAR Sections 10.4.9 and 18.2.8. It is noted that AFW flow rate indication is not a Type A variable nor is it RG 1.97 Category 1.

(continued)

CALLAWAY PLANT B 3.3.3-11 Revision 15

PAM Instrumentation B 3.3.3 BASES LCO 19. Refueling Water Storage Tank (RWST) Level (continued)

Refueling Water Storage Tank Level is a Type A variable for determining switchover of ECCS and containment spray to the containment recirculation sumps. This level indication is provided for the operators to assist in monitoring and ensuring an adequate supply of water for safety injection and containment spray. Table 2 of Reference 5 requires all plant-specific Type A variables to meet Category 1 design and qualification criteria; however, RWST Level is specifically identified in that same table as a Type D Category 2 variable. In this specific case, as discussed in Sections 7A.3.1 and 7A.3.6 of Reference 1 and in Section 3.2 of Reference 2, the requirements of Category 1 are met.

APPLICABILITY The PAM instrumentation LCO is applicable in MODES 1, 2, and 3.

These variables are related to the diagnosis and pre-planned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES 1, 2, and 3. In MODES 4, 5, and 6, unit conditions are such that the likelihood of an event that would require PAM instrumentation is low; therefore, the PAM instrumentation is not required to be OPERABLE in these MODES.

ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.3-1. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function. When the Required Channels in Table 3.3.3-1 are specified on a per SG basis, then the Condition may be entered separately for each SG.

A.1 Condition A applies when one or more Functions have one required channel that is inoperable. Required Action A.1 requires restoring the inoperable channel to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channel(s), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval. Implementation of an alternate (continued)

CALLAWAY PLANT B 3.3.3-12 Revision 15

PAM Instrumentation B 3.3.3 BASES ACTIONS A.1 (continued) method of monitoring is required prior to expiration of the Completion Time.

B.1 Condition B applies when the Required Action and associated Completion Time for Condition A are not met. This Required Action specifies initiation of actions in Specification 5.6.8, which requires a written report to be submitted to the NRC within the following 14 days. Implementation of an alternate method of monitoring is required in lieu of a shutdown requirement since alternative actions are identified before loss of functional capability, and given the likelihood of unit conditions that would require information provided by this instrumentation.

C.1 Condition C applies when one or more Functions have two or more inoperable required channels (i.e., two or more channels inoperable in the same Function). Required Action C.1 requires restoring all but one channel in the Function(s) to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain the required information. Implementation of an alternate method of monitoring is required prior to expiration of the Completion Time. Continuous operation with two or more required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of all but one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.

D.1 Condition E applies when the Required Action and associated Completion Time of Condition C is not met. Required Action D.1 requires entering the appropriate Condition referenced in Table 3.3.3-1 for the channel immediately. The applicable Condition referenced in the Table is Function dependent. Each time an inoperable channel has not met the Required Action of Condition C, and the associated Completion Time has expired, (continued)

CALLAWAY PLANT B 3.3.3-13 Revision 15

PAM Instrumentation B 3.3.3 BASES ACTIONS D.1 (continued)

Condition D is entered for that channel and provides for transfer to the appropriate subsequent Condition.

E.1 and E.2 If the Required Action and associated Completion Time of Condition C is not met and Table 3.3.3-1 directs entry into Condition E, the unit must be brought to a MODE where the requirements of this LCO do not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

F.1 Alternate means of monitoring Reactor Vessel Level Indicating System and Containment Radiation Level (High Range) have been developed.

These alternate means may be temporarily used if the normal PAM channel cannot be restored to OPERABLE status within the allotted time.

If these alternate means are used, the Required Action is not to shut down the unit but rather to follow the directions of Specification 5.6.8, in the Administrative Controls section of the TS. Monitoring the core exit thermocouples, pressurizer level indication (BB-LI-0459A, -0460A, or

-0461), and RCS subcooling monitor indication (BB-TI-1390A or B) provide an alternate means for RVLIS. These three parameters provide diverse information to verify there is adequate core cooling. When Containment Radiation Level (High Range) monitors (GTRIC0059 and GTRIC0060 or GTRR0060) are inoperable, the area radiation monitors inside containment are used as an alternate method below 10 R/hr, and portable survey equipment with the capability to detect gamma radiation over the range 1E-03 to 1E+04 R/hr is used above 10 R/hr.

SURVEILLANCE A Note has been added to the SR Table to clarify that SR 3.3.3.1 and REQUIREMENTS SR 3.3.3.2 apply to each PAM instrumentation Function in Table 3.3.3-1.

(continued)

CALLAWAY PLANT B 3.3.3-14 Revision 15

PAM Instrumentation B 3.3.3 BASES SURVEILLANCE SR 3.3.3.1 REQUIREMENTS (continued) Performance of the CHANNEL CHECK ensures that a gross instrumentation failure has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The RM-23 unit display for loop GTR-0059, and either the RM-23 unit display or the GTRR0060 recorder for loop GTR-0060, must be used to perform the CHANNEL CHECK of the Containment Radiation Level (High Range) monitors.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE.

As specified in the SR, a CHANNEL CHECK is only required for those channels that are normally energized.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.3.2 CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. This SR is modified by a Note that excludes neutron detectors. Neutron detectors are excluded from the CHANNEL CALIBRATION because it is impractical to set up a test that demonstrates and adjusts neutron detector response to known values of the parameter (neutron flux) that the channel monitors.

The Note applies to the Gamma-Metrics fission chambers associated with the indicators discussed in the LCO Bases. Containment Radiation Level (High Range) CHANNEL CALIBRATION may consist of an electronic calibration of the channel, not including the detector, for range decades above 10R/hr and a one point calibration check of the detector below (continued)

CALLAWAY PLANT B 3.3.3-15 Revision 15

PAM Instrumentation B 3.3.3 BASES SURVEILLANCE SR 3.3.3.2 (continued)

REQUIREMENTS 10R/hr with an installed or portable gamma source. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. During performance of the CHANNEL CALIBRATION for the Containment Radiation Level (High Range) monitors, verification of the RM-23 unit display and alarm functions is required. In addition, recorder GTRR0060 is included in the CHANNEL CALIBRATION of loop GTR-0060. Radiation monitor inaccuracies resulting from the effects of thermally induced currents are considered as part of the monitor design inputs and do not apply to CHANNEL CALIBRATION activities performed under normal plant conditions.

Whenever an RTD is replaced in Functions 2 or 3, the next required CHANNEL CALIBRATION of the RTDs is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element. Whenever a core exit thermocouple is replaced in Functions 14, 15, 16, or 17, the next required CHANNEL CALIBRATION of the core exit thermocouples is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

REFERENCES 1. FSAR Appendix 7A.

2. NRC Letter, "Callaway Plant, Unit 1 - Emergency Response Capability - Conformance to Regulatory Guide 1.97, Revision 2,"

B.J. Youngblood to D.F. Schnell, dated April 10, 1985.

3. ULNRC-3023 dated May 20, 1994.
4. Callaway OL Amendment No. 103 dated October 20, 1995.
5. Regulatory Guide 1.97, Rev. 2, December 1980.
6. NUREG-0737, Supplement 1, "TMI Action Items."
7. FSAR Section 7A.3.3.
8. FSAR Section 18.2.13.
9. NUREG-0830, Callaway SER Section 22, TMI Item II.F.2 and SER Supplements 3 and 4.

CALLAWAY PLANT B 3.3.3-16 Revision 15

Remote Shutdown System B 3.3.4 B 3.3 INSTRUMENTATION B 3.3.4 Remote Shutdown System BASES BACKGROUND The Remote Shutdown System provides the control room operator with sufficient instrumentation and controls to place and maintain the unit in a safe shutdown condition from a location other than the control room. This capability is necessary to protect against the possibility that the control room becomes inaccessible. A safe shutdown condition is defined as MODE 3. With the unit in MODE 3, the Auxiliary Feedwater (AFW)

System and the steam generator (SG) atmospheric steam dump valves (ASDs) can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the AFW System and the ability to borate the Reactor Coolant System (RCS) from outside the control room allows extended operation in MODE 3.

If the control room becomes inaccessible, the operators can establish control at the auxiliary shutdown panel (ASP) and place and maintain the unit in MODE 3. Not all controls and necessary transfer switches are located at the auxiliary shutdown panel. Some controls and transfer switches will have to be operated locally at the switchgear, motor control panels, or other local stations. The unit automatically reaches MODE 3 following a unit shutdown and can be maintained safely in MODE 3 for an extended period of time.

The OPERABILITY of the required remote shutdown controls and the following instrumentation functions ensures there is sufficient information available on selected unit parameters to place and maintain the unit in MODE 3 should the control room become inaccessible:

TOTAL NO.

OF READOUT FUNCTION CHANNELS LOCATION

1. Source Range Neutron Flux 2 Auxiliary Shutdown Panel
2. Reactor Trip Breaker Position 1/RTB Reactor Trip Switchgear
3. Pressurizer Pressure 1 Auxiliary Shutdown Panel
4. RCS Wide Range Pressure 2 Auxiliary Shutdown Panel (continued)

CALLAWAY PLANT B 3.3.4-1 Revision 12

Remote Shutdown System B 3.3.4 BASES BACKGROUND (continued)

TOTAL NO.

OF READOUT FUNCTION CHANNELS LOCATION

5. RCS Hot Leg Temperature 2 Auxiliary Shutdown Panel
6. RCS Cold Leg Temperature 4 Auxiliary Shutdown Panel
7. SG Pressure 2/SG Auxiliary Shutdown Panel
8. SG Level 2/SG Auxiliary Shutdown Panel
9. AFW Flow Rate 4 Auxiliary Shutdown Panel
10. Reactor Coolant Pump Breaker Position 1/pump 13.8-kV Switchgear
11. AFW Suction Pressure 3 Auxiliary Shutdown Panel
12. Pressurizer Level 2 Auxiliary Shutdown Panel APPLICABLE The Remote Shutdown System is required to provide equipment at SAFETY appropriate locations outside the control room with a capability to ANALYSES promptly shut down and maintain the unit in a safe condition in MODE 3.

The criteria governing the design and specific system requirements of the Remote Shutdown System are located in 10 CFR 50, Appendix A, GDC 3 and GDC 19 (Ref. 1) and 10 CFR 50.48(c) (Ref. 2).

The Remote Shutdown System satisfies Criterion 4 of 10CFR50.36(c)(2)(ii).

LCO The Remote Shutdown System LCO provides the OPERABILITY requirements of the instrumentation and required ASP controls necessary to place and maintain the unit in MODE 3 from a location other than the control room. The instrumentation required is listed in Table 3.3.4-1 in the accompanying LCO. The required ASP controls are described in FSAR Section 7.4.3.1.1 and are listed in FSAR Table 7.4-1. The remote shutdown controls not located at the ASP are described in FSAR Section 7.4.3.1.2 and are excluded from the requirements of this LCO.

(continued)

CALLAWAY PLANT B 3.3.4-2 Revision 12

Remote Shutdown System B 3.3.4 BASES LCO The controls, instrumentation, and transfer switches are required for:

(continued)

  • Core reactivity control (initial and long term);
  • RCS pressure control;
  • RCS inventory control.

A Function of the Remote Shutdown System is OPERABLE if the required number of channels needed to support the Remote Shutdown System Function identified in Table 3.3.4-1 are OPERABLE.

The remote shutdown instruments and required ASP controls covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure the instruments and controls will be OPERABLE if unit conditions require that the Remote Shutdown System be placed in operation.

APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1, 2, and 3.

This is required so that the unit can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room.

This LCO is not applicable in MODE 4, 5, or 6. In these MODES, the facility is already subcritical and in a condition of reduced RCS energy.

Under these conditions, considerable time is available to restore the remote shutdown instruments and required ASP controls if control room instruments or controls become unavailable.

ACTIONS A Note has been added to the ACTIONS to clarify the application of Completion Time rules. Separate Condition entry is allowed for each Function listed on Table 3.3.4-1 and for each required ASP control. The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately for each Function starting from the time the (continued)

CALLAWAY PLANT B 3.3.4-3 Revision 12

Remote Shutdown System B 3.3.4 BASES ACTIONS Condition was entered for that Function. When the Required Channels in (continued) Table 3.3.4-1 are specified on a per trip breaker, per SG, or per pump basis, then the Condition may be entered separately for each trip breaker, SG, or pump as appropriate.

A.1 Condition A addresses the situation where one or more required Functions of the Remote Shutdown System listed in Table 3.3.4-1 or one or more required ASP controls are inoperable.

The Required Action is to restore the required Functions and ASP controls to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.

B.1 and B.2 If the Required Action and associated Completion Time of Condition A are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.3.4.1 REQUIREMENTS Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication (continued)

CALLAWAY PLANT B 3.3.4-4 Revision 12

Remote Shutdown System B 3.3.4 BASES SURVEILLANCE SR 3.3.4.1 (continued)

REQUIREMENTS and readability. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. For the RTB Position and the RCP Breaker Position Functions, this surveillance requirement is met by verifying the actual position at the associated switchgear to the main control board indications.

As specified in the Surveillance, a CHANNEL CHECK is only required for those channels which are normally energized. The Westinghouse NIS source range neutron flux channel is not normally energized.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.2 SR 3.3.4.2 verifies each required Remote Shutdown System ASP control circuit and transfer switch performs the intended function. This verification is performed from the auxiliary shutdown panel. Operation of the equipment from the auxiliary shutdown panel is not necessary. The Surveillance can be satisfied by performance of a continuity check. This will ensure that if the control room becomes inaccessible, the unit can be placed and maintained in MODE 3 from the auxiliary shutdown panel. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The Note allows entry into and operation in MODE 3 prior to performing the SR for the turbine driven AFW pump (Ref. 3). This allows testing the associated ASP controls in MODE 3.

SR 3.3.4.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

(continued)

CALLAWAY PLANT B 3.3.4-5 Revision 12

Remote Shutdown System B 3.3.4 BASES SURVEILLANCE SR 3.3.4.3 (continued)

REQUIREMENTS (continued) The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The Notes exclude the source range neutron flux detectors and reactor trip breaker and RCP breaker position indications from the CHANNEL CALIBRATION. Neutron detectors are excluded from the CHANNEL CALIBRATION because it is impractical to set up a test that demonstrates and adjusts neutron detector response to known values of the parameter (neutron flux) that the channel monitors. Depending on which source range channel is used to satisfy the LCO, Note 1 applies to the source range proportional counter in the Nuclear Instrumentation System (NIS) associated with indicator SENI0031C or to the Gamma-Metrics fission chamber associated with indicator SENI0061X. As discussed in the Bases for SR 3.3.1.11, the CHANNEL CALIBRATION of the Westinghouse NIS source range channel consists of obtaining on integral bias curve, evaluating that curve, and comparing it to previous data.

Whenever an RTD is replaced in Function 5 or 6, the next required CHANNEL CALIBRATION of the RTDs is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 3 and GDC 19.

2. 10 CFR 50.48(c).
3. Callaway OL Amendments No. 45 dated May 16, 1989 and 108 dated March 11, 1996.

CALLAWAY PLANT B 3.3.4-6 Revision 12

LOP DG Start Instrumentation B 3.3.5 B 3.3 INSTRUMENTATION B 3.3.5 Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation BASES BACKGROUND The DGs provide a source of emergency power when offsite power is either unavailable or is insufficiently stable to allow safe unit operation. If a loss of voltage condition occurs at the 4.16 kV ESF buses, undervoltage protection provided by the load shedder and emergency load sequencer (LSELS) will (Ref. 1):

a. Trip the 4.16 kV preferred normal and alternate bus feeder breakers to remove the deficient power source to protect the Class 1E equipment from damage;
b. Shed all loads from the bus except the Class 1E 480 Vac load centers and ECCS centrifugal charging pumps to prepare the buses for re-energization; and
c. Generate an LOP DG start signal.

There are two sets of undervoltage protection circuits, one for each 4.16 kV NB system bus. Each set consists of a loss of voltage and degraded voltage Function. Four potential transformers on each bus provide the necessary input voltages to the protective devices used to perform these functions. The undervoltage protection circuits are described in FSAR Section 8.3.1.1.3 (Ref. 1).

Four instantaneous undervoltage relays with an associated time delay are provided for each 4.16 kV Class 1E system bus for detecting a loss of bus voltage. The outputs are combined in a two-out-of-four logic to generate an LOP signal if the voltage is below approximately 70% for 1 second (nominal delay). The time delay prevents undesirable trips arising from transient undervoltage conditions.

Four degraded voltage bistables with associated time delays are provided for each 4.16 kV Class 1E system bus for detecting a sustained degraded voltage condition. Once the bistable has actuated, a timer in the LSELS circuitry provides an 8 second time delay to avoid false actuation on large motor starts other than an RCP. There are four of these 8-second timers per bus, one for each degraded voltage channel. The bistable outputs are then combined in a two-out-of-four logic to generate a degraded voltage signal if the voltage is below approximately 90%. Once the two-out-of-four logic is satisfied, contacts in the bus feeder breaker trip circuits close to arm the tripping circuitry. If a safety injection signal (SIS)

(continued)

CALLAWAY PLANT B 3.3.5-1 Revision 14

LOP DG Start Instrumentation B 3.3.5 BASES BACKGROUND were to occur concurrently with or after the arming of the tripping circuitry, (continued) the bus feeder breaker would open immediately, a bus undervoltage would be sensed, and a LOP signal would be generated. Should the degraded voltage condition occur in a non-accident condition (no SIS present), an additional 111 second time delay is provided. These time delays are specific to the feeder breakers (2 per bus). If the degraded voltage condition is not alleviated in the overall 119 seconds (nominal delay), the bus feeder breaker is tripped.

Trip Setpoints and Allowable Values The Trip Setpoints and associated time delays used in the relays are based on References 1, 2, and 6. The selection of these Trip Setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account.

The actual nominal Trip Setpoint entered into the relays is normally still more conservative than that required by the Allowable Value. If the measured setpoint does not exceed the Allowable Value, the relay is considered OPERABLE.

Setpoints adjusted in accordance with the Allowable Value ensure that the consequences of accidents will be acceptable, provided the unit is operated from within the LCOs at the onset of the accident and that the equipment functions as designed.

Allowable Values and nominal Trip Setpoints are specified for each Function in SR 3.3.5.3. The nominal setpoints are selected to ensure that the setpoint measured by the surveillance procedure does not exceed the Allowable Value if the relay is performing as required. If the measured setpoint does not exceed the Allowable Value, the relay is considered OPERABLE. Operation with a Trip Setpoint less conservative than the nominal Trip Setpoint, but within the Allowable Value, is acceptable provided that operation and testing is consistent with the assumptions of the setpoint calculation. Each Allowable Value and Trip Setpoint specified is more conservative than the analytical limit assumed in the transient and accident analyses in order to account for instrument uncertainties appropriate to the trip function. These uncertainties are defined in setpoint calculations, as typified by Reference 3 for the degraded voltage channels.

(continued)

CALLAWAY PLANT B 3.3.5-2 Revision 14

LOP DG Start Instrumentation B 3.3.5 BASES (Continued)

APPLICABLE The LOP DG start instrumentation is required for the Engineered Safety SAFETY Features (ESF) Systems to function in any accident with a loss of offsite ANALYSES power or degraded power system. This instrumentation provides for the shedding and sequencing of safety-related loads in addition to sending a start signal to the emergency DGs. This instrumentation also provides for the protection of safety-related equipment against damage and the effects of inadvertent operation of overcurrent protection throughout its train.

Without this instrumentation, grid disturbances could result in tripped circuit breakers, blown fuses, and relay lockouts throughout the system (see the discussion in Reference 6). For this reason, the allowed outage time for multiple inoperable channels is restricted to that of the LSELS in LCOs 3.8.1 and 3.8.2. The design basis of the LOP DG start instrumentation is that of the ESF Actuation System (ESFAS).

Accident analyses credit the loading of the DG based on the loss of offsite power during a loss of coolant accident (LOCA). The actual DG start has historically been associated with the ESFAS actuation. The DG loading has been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power.

The analyses assume a non-mechanistic DG loading, which does not explicitly account for each individual component of loss of power detection and subsequent actions.

The required channels of LOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents discussed in Reference 2, in which a loss of offsite power is assumed.

The delay times assumed in the safety analysis for the ESF equipment include the 12 second DG start delay, and the appropriate sequencing delay, if applicable. The response times for ESFAS actuated equipment in Reference 5 include the appropriate DG loading and sequencing delay.

The LOP DG start instrumentation channels satisfy Criterion 3 of 10CFR50.36(c)(2)(ii).

LCO The LCO for LOP DG start instrumentation requires that four channels per 4.16 kV NB system bus of both the loss of voltage and degraded voltage Functions shall be OPERABLE in MODES 1, 2, 3, and 4 when the LOP DG start instrumentation supports safety systems associated with the ESFAS. In MODES 5 and 6 and during movement of irradiated fuel assemblies, the four channels must be OPERABLE whenever the associated DG is required to be OPERABLE. Loss of the LOP DG Start Instrumentation Function could result in the operation of circuit breakers, (continued)

CALLAWAY PLANT B 3.3.5-3 Revision 14

LOP DG Start Instrumentation B 3.3.5 BASES LCO fuses, and lockout relays throughout the associated train and in the delay (continued) of safety systems initiation when required. This could lead to unacceptable consequences during accidents. During the loss of offsite power, the DG powers the motor driven auxiliary feedwater pumps which are automatically started after expiration of the appropriate time delay by the LSELS. Failure of these pumps to start would leave only the turbine driven pump, started by the BOP ESFAS directly upon receipt of a loss of voltage signal from the LSELS output relays, as well as an increased potential for a loss of decay heat removal through the secondary system. OPERABILITY of the Load Shedder and Emergency Load Sequencer is addressed in LCO 3.8.1, "AC Sources - Operating,"

and LCO 3.8.2, "AC Sources - Shutdown."

Reference 4 discusses the closure of tie breaker 52NG0116 between 480 Vac buses NG01 and NG03 or tie breaker 52NG0216 between 480 Vac buses NG02 and NG04 to repair failed or degraded equipment.

Closure of an NG tie breaker in MODES 1, 2, 3, or 4 is not to be used for the performance of routine preventive maintenance work. Closure of the tie breaker will render all four degraded voltage channels for the associated 4.16 kV bus inoperable resulting in Condition B entry.

APPLICABILITY The LOP DG Start Instrumentation Functions are required in MODES 1, 2, 3, and 4 because ESF Functions are designed to provide protection in these MODES. Actuation in MODES 5 and 6 and during movement of irradiated fuel assemblies is required whenever the required DG must be OPERABLE so that it can perform its function on an LOP or degraded power to the vital bus.

ACTIONS In the event a channel's Trip Setpoint is found nonconservative with respect to the Allowable Value, or the channel is found inoperable, then the function that channel provides must be declared inoperable and the LCO Condition entered for the particular protection function affected.

Because the required channels are specified on a per bus basis, the Condition may be entered separately for each bus as appropriate.

A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in the LCO. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

(continued)

CALLAWAY PLANT B 3.3.5-4 Revision 14

LOP DG Start Instrumentation B 3.3.5 BASES ACTIONS A.1 (continued)

Condition A applies to the LOP DG start Functions with one loss of voltage or one degraded voltage channel per bus inoperable.

If one channel is inoperable, Required Action A.1 requires that channel to be placed in trip within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. With a channel in trip, the LSELS is configured to provide a one-out-of-three logic to initiate a trip of the incoming offsite power, shed ESF bus loads, and generate an LOP DG start signal.

A Note is added to allow bypassing an inoperable channel for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing of other channels. This allowance is made where bypassing the channel does not cause an actuation and where at least two other channels are monitoring that parameter.

The specified Completion Time and time allowed for bypassing one channel are reasonable considering the Function remains fully OPERABLE on every bus and the low probability of an event occurring during these intervals.

B.1 Condition B applies when more than one loss of voltage or more than one degraded voltage channel per bus are inoperable. The associated load shedder and emergency load sequencer (LSELS) must be declared inoperable immediately when:

a. More than one loss of voltage or more than one degraded voltage channel per bus are inoperable; or
b. The Required Action and associated Completion Time of Condition A are not met.

Once in this Condition the affected instrument function (loss of voltage or degraded voltage) may no longer be single failure proof or may no longer be functional for the affected bus. In this case, operation in the MODE of Applicability must be limited. Condition B requires that the associated load shedder and emergency load sequencer (LSELS) be immediately declared inoperable. This action is appropriate because the affected instrument channels (loss of voltage or degraded voltage) are inputs to the LSELS and rely on LSELS circuits to perform their required actuations. Since the actuation logic and actuation relays for the loss of power instruments (turbine driven AFW pump start via the BOP ESFAS, (continued)

CALLAWAY PLANT B 3.3.5-5 Revision 14

LOP DG Start Instrumentation B 3.3.5 BASES ACTIONS B.1 (continued) motor driven AFW pumps start via the LSELS, and diesel generator start) are an integral part of the LSELS, an inoperable LSELS may also prevent the loss of power instruments from performing their intended functions.

The Completion Time of Required Action F.2 in LCO 3.8.1, "AC Sources -

Operating," should allow ample time to repair most failures during MODES 1-4 and takes into account the low probability of an event requiring an LOP DG start occurring during this interval. When the associated DG is required to be OPERABLE in MODES 5 and 6 and during movement of irradiated fuel assemblies, the Completion Time of Required Action C.1 in LCO 3.8.2, "AC Sources - Shutdown," is consistent with the required times for actions requiring prompt attention.

SURVEILLANCE SR 3.3.5.1 REQUIREMENTS Tie breakers 52NG0116 and 52NG0216 shall be verified open.

Reference 4 discusses the closure of tie breaker 52NG0116 between 480 Vac buses NG01 and NG03 or tie breaker 52NG0216 between 480 Vac buses NG02 and NG04 to repair failed or degraded equipment.

Closure of an NG tie breaker in MODES 1, 2, 3, or 4 is not to be used for the performance of routine preventive maintenance work. Closure of the tie breaker will render all four degraded voltage channels for the associated 4.16 kV bus inoperable resulting in Condition B entry.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.2 SR 3.3.5.2 is the performance of a TADOT. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. The test checks trip devices that provide loss of voltage and degraded voltage input to the LSELS logic circuits. For these tests, the Trip Setpoints are verified and adjusted as necessary.

(continued)

CALLAWAY PLANT B 3.3.5-6 Revision 14

LOP DG Start Instrumentation B 3.3.5 BASES SURVEILLANCE SR 3.3.5.2 (continued)

REQUIREMENTS The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The SR is modified by a Note that excludes verification of time delays from the TADOT. Verification of the time delays for the loss of voltage and degraded voltage functions is only performed as part of the CHANNEL CALIBRATION (SR 3.3.5.3).

SR 3.3.5.3 SR 3.3.5.3 is the performance of a CHANNEL CALIBRATION.

The setpoints, as well as the response to a loss of voltage and a degraded voltage test, shall include a single point verification that the trip occurs within the required time delay. Verification of the time delays for undervoltage relays (1 second nominal) in the loss of voltage function (NB01011271DG, NB01131272DG, NB01161274DG, NB01171273DG, NB02011274DG, NB02101271DG, NB02161272DG, and NB02171273DG), for LSELS timers (8 seconds nominal) in the degraded voltage function (NFKS5000A&B, NFKS5001A&B, NFKS5002A&B, and NFKS5003A&B), and for time delay relays (111 seconds nominal) in the degraded voltage function (NB62RP139TDENB01, NB62RP139TDENB02, NB62RP140TDENB03, and NB62RP140TDENB04) is performed during the CHANNEL CALIBRATION.

CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.4 SR 3.3.5.4 is the performance of the required response time verification on those functions with time limits provided in Reference 5. The Surveillance Frequency is based on operating experience, equipment (continued)

CALLAWAY PLANT B 3.3.5-7 Revision 14

LOP DG Start Instrumentation B 3.3.5 BASES (Continued)

SR 3.3.5.4 (continued) reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 8.3.1.1.3.

2. FSAR, Chapter 15.
3. Callaway OL Amendment No. 74 dated December 16, 1992.
4. Callaway OL Amendment No. 99 dated April 18, 1995.
5. FSAR Table 16.3-2.
6. NRC Branch Technical Position PSB-1.

CALLAWAY PLANT B 3.3.5-8 Revision 14

Containment Purge Isolation Instrumentation B 3.3.6 B 3.3 INSTRUMENTATION B 3.3.6 Containment Purge Isolation Instrumentation BASES BACKGROUND The containment purge system includes two subsystems: the shutdown purge system and the mini-purge system. Containment purge isolation instrumentation closes the containment isolation valves in the mini-purge system and the shutdown purge system. This action isolates the containment atmosphere from the environment to minimize releases of radioactivity in the event of an accident. The mini-purge system is typically used during reactor operation, but may have limited use during plant conditions other than reactor operation. The shutdown purge system is used when the reactor is shutdown.

Containment purge isolation initiates on an automatic or manual safety injection (SI) signal through the Containment Isolation - Phase A Function, or by manual actuation of Phase A Isolation. The Bases for LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation,"

discuss these modes of initiation.

Two gaseous radiation monitoring channels are also provided as input to the containment purge isolation. The two channels measure gaseous radiation in a sample of the containment purge exhaust. Since the purge exhaust monitors constitute a sampling system, various components such as sample line valves and sample pumps are required to support monitor OPERABILITY.

Each of the purge systems has inner and outer containment isolation valves in its supply and exhaust ducts. A high radiation signal from either of the two radiation monitoring channels initiates containment purge isolation, which closes both inner and outer containment isolation valves in the Mini-purge System and the Shutdown Purge System. These systems are described in the Bases for LCO 3.6.3, "Containment Isolation Valves."

APPLICABLE The safety analyses assume that the containment remains intact with SAFETY penetrations unnecessary for core cooling isolated early in the event.

ANALYSES The isolation of the containment mini-purge isolation valves has not been analyzed mechanistically in the fuel handling accident (reactor building case) dose calculations, although rapid isolation is assumed. The containment purge isolation gaseous radiation channels act as backup to the Phase A isolation signal to ensure closing of the purge supply and exhaust valves.

(continued)

CALLAWAY PLANT B 3.3.6-1 Revision 11

Containment Purge Isolation Instrumentation B 3.3.6 BASES APPLICABLE In the postulated fuel handling accident, the dose calculations performed SAFETY in support of Reference 5 (for allowing the personnel airlock to be open ANALYSES during CORE ALTERATIONS and during movement of irradiated fuel (continued) assemblies within containment) do not assume automatic containment purge isolation. (See also the Bases for LCO 3.9.4, "Containment Penetrations.") Containment isolation ensures meeting the containment leakage rate assumptions of the safety analyses, and ensures that the calculated accidental offsite radiological doses are below 10 CFR 100 (Ref. 1) limits.

Containment mini-purge isolation has been analyzed mechanistically (isolation within 11 seconds) in the large break LOCA dose calculations (Reference 6). Automatic isolation of the containment mini-purge valves is also assumed in the minimum containment pressure analysis for ECCS performance capability, as described in the FSAR (Reference 7). The effect of having the containment mini-purge system in operation at the onset of the most limiting case (i.e., a double-ended cold leg guillotine break), followed by assumed automatic isolation of the containment purge exhaust and supply lines, is addressed in the analysis by increasing the assumed containment volume. Consequently, the response time (11 seconds) assumed for the automatic isolation of the mini-purge system determines the adjustment made to the containment volume in the analysis.

The containment purge isolation instrumentation satisfies Criterion 3 of 10CFR50.36(c)(2)(ii).

LCO The LCO requirements ensure that the instrumentation necessary to initiate Containment Purge Isolation, listed in Table 3.3.6-1, is OPERABLE.

1. Manual Initiation The LCO requires two channels OPERABLE. The operator can initiate Containment Purge Isolation at any time by using either of two push buttons in the control room.

The LCO for Manual Initiation ensures the proper amount of redundancy is maintained in the manual actuation circuitry to ensure the operator has manual initiation capability.

(continued)

CALLAWAY PLANT B 3.3.6-2 Revision 11

Containment Purge Isolation Instrumentation B 3.3.6 BASES LCO 1. Manual Initiation (continued)

Each channel consists of one push button (SAHS0011, SAHS0015) and the interconnecting wiring to the actuation logiccabinet as well as the BOP ESFAS output actuation relays needed to effect a manual containment purge isolation.

2. Automatic Actuation Logic and Actuation Relays (BOP ESFAS)

The LCO requires two trains of Automatic Actuation Logic and Actuation Relays OPERABLE to ensure that no single random failure can prevent automatic actuation of containment purge isolation.

Automatic Actuation Logic and Actuation Relays (BOP ESFAS) consist of the same features and operate in the same manner as described for ESFAS Function 6.c, Auxiliary Feedwater.

3. Containment Purge Exhaust Radiation - Gaseous The LCO specifies two required Containment Purge Exhaust Radiation - Gaseous channels (GTRE0022 and GTRE0033) to ensure that the radiation monitoring instrumentation necessary to initiate Containment Purge Isolation remains OPERABLE.

For sampling systems, channel OPERABILITY involves more than OPERABILITY of the channel electronics. OPERABILITY also requires correct valve lineups and sample pump operation, as well as detector OPERABILITY, since these supporting features are necessary for trip to occur under the conditions assumed by the safety analyses.

4. Containment Isolation - Phase A Containment Purge Isolation is also initiated by all Table 3.3.2-1 Functions that initiate Containment Isolation - Phase A. Therefore, the requirements are not repeated in Table 3.3.6-1. Instead, refer to LCO 3.3.2, Function 3.a, for all initiating Functions and requirements.

APPLICABILITY The Manual Initiation, Automatic Actuation Logic and Actuation Relays (BOP ESFAS), and Containment Purge Exhaust Radiation - Gaseous (continued)

CALLAWAY PLANT B 3.3.6-3 Revision 11

Containment Purge Isolation Instrumentation B 3.3.6 BASES APPLICABILITY Functions are required OPERABLE in MODES 1, 2, 3, and 4. The (continued) Containment Isolation - Phase A Function is required to be OPERABLE as directed by LCO 3.3.2, Function 3.a. The Containment Purge Manual Initiation Function, is also required OPERABLE during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment. During CORE ALTERATIONS or during movement of irradiated fuel assemblies within containment, automatic actuation functions of the containment purge isolation gaseous radiation channels are not required to be OPERABLE.

The automatic actuation logic and actuation relays for the Containment Purge Exhaust Radiation - Gaseous channels (GTRE0022 and GTRE0033) are not required to be OPERABLE during CORE ALTERATIONS or during the movement of irradiated fuel assemblies within containment, except for those BOP ESFAS output actuation relays needed to effect a manual containment purge isolation. If required, the containment purge isolation can be initiated manually from the control room.

In MODES 1,2,3,4 and the other conditions discussed above, the potential exists for an accident that could release fission product radioactivity into containment. Therefore, the containment purge isolation instrumentation must be OPERABLE in these MODES.

While in MODES 5 and 6 without CORE ALTERATIONS or irradiated fuel movement within containment in progress, the containment purge isolation instrumentation need not be OPERABLE since the potential for radioactive releases is minimized and operator action is sufficient to ensure post accident offsite doses are maintained within the limits of Reference 1.

ACTIONS The most common cause of channel inoperability is outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by unit specific calibration procedures. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a COT, when the process instrumentation is set up for adjustment to bring it within specification. If the measured Trip Setpoint is less conservative than the tolerance specified by the calibration procedure, the channel must be declared inoperable immediately and the appropriate Condition entered.

A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.6-1. The (continued)

CALLAWAY PLANT B 3.3.6-4 Revision 11

Containment Purge Isolation Instrumentation B 3.3.6 BASES ACTIONS Completion Time(s) of the inoperable channel(s)/ train(s) of a Function (continued) will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 Condition A applies to the failure of one containment purge isolation gaseous radiation monitor channel. Since two containment purge exhaust gaseous radiation monitor channels are required to meet single failure criteria, the failed channel must be restored to OPERABLE status.

The 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> allowed to restore the affected channel is justified by the low likelihood of events occurring during this interval, and recognition that the remaining channel will respond.

B.1 Condition B applies to all Containment Purge Isolation Functions and addresses the train orientation of the BOP ESFAS actuation logic and actuation relays for these Functions. It also addresses the failure of both gaseous radiation monitoring channels, or the inability to restore a single failed gaseous radiation monitoring channel to OPERABLE status in the time allowed for Required Action A.1.

If one or more trains or manual initiation channels are inoperable, both gaseous radiation monitoring channels are inoperable, or the Required Action and associated Completion Time of Condition A are not met, operation may continue as long as the Required Action to place and maintain containment purge supply and exhaust valves in their closed position is met.

A Note is added stating that Condition B is only applicable in MODE 1, 2, 3, or 4.

Required Action B.1 is modified by a Note to allow containment mini-purge supply and exhaust valves that have been closed to satisfy Required Action B.1 to be opened intermittently under administrative controls, provided Table 3.3.6-1 Function 2 and 4 are OPERABLE. Opening these valves allows the containment to be vented for pressure control when necessary. The administrative controls consist of designating a control room operator to rapidly close the valves (or verify that they are automatically closed) when a need for system isolation is indicated. With containment purge radiation monitoring instrumentation inoperable, the provision requiring OPERABILITY of Table 3.3.6-1 Functions 2 and 4 (continued)

CALLAWAY PLANT B 3.3.6-5 Revision 11

Containment Purge Isolation Instrumentation B 3.3.6 BASES SURVEILLANCE B.1 (continued)

REQUIREMENTS (continued) ensures that the mini-purge supply and exhaust valves can be automatically closed by the Phase A isolation signal.

C.1 and C.2 Condition C applies to the Manual Initiation Function. If one or more manual initiation channels are inoperable, operation may continue as long as the Required Action to place and maintain containment purge supply and exhaust valves in their closed position is met or the applicable Conditions of LCO 3.9.4, "Containment Penetrations," are met for each valve made inoperable by failure of isolation instrumentation. The Completion Time for these Required Actions is Immediately.

A Note states that Condition C is applicable during CORE ALTERATIONS or during movement of irradiated fuel assemblies within containment.

SURVEILLANCE A Note has been added to the SR Table to clarify that Table 3.3.6-1 REQUIREMENTS determines which SRs apply to which Containment Purge Isolation Functions.

SR 3.3.6.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

(continued)

CALLAWAY PLANT B 3.3.6-6 Revision 11

Containment Purge Isolation Instrumentation B 3.3.6 BASES SURVEILLANCE SR 3.3.6.1 (continued)

REQUIREMENTS The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.2 SR 3.3.6.2 is the performance of an ACTUATION LOGIC TEST using the BOP ESFAS automatic tester. The continuity check does not have to be performed, as explained in the Note. This SR is applied to the balance of plant actuation logic and relays that do not have circuits installed to perform the continuity check. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.3 A COT is performed on each required containment purge exhaust gaseous radiation monitor channel to ensure the channel will perform the intended Function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified periodically by other Technical Specifications and non-Technical Specifications tests. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. This test verifies the capability of the instrumentation to provide the containment purge system isolation.

The setpoint shall be left within the two-sided calibration tolerance band on either side of the nominal value.

SR 3.3.6.4 SR 3.3.6.4 is the performance of a TADOT. This test is a check of the Manual Initiation Function. Each Manual Initiation channel is tested through the BOP ESFAS logic. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay.

(continued)

CALLAWAY PLANT B 3.3.6-7 Revision 11

Containment Purge Isolation Instrumentation B 3.3.6 BASES SURVEILLANCE SR 3.3.6.4 (continued)

REQUIREMENTS The SR is modified by a Note that excludes verification of setpoints during the TADOT. The channels tested have no setpoints associated with them.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.5 CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.6 SR 3.3.6.6 is the performance of the required response time verification on those functions with time limits provided in Reference 3. The Surveillance Frequency is based on operating experience, equipmentreliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 100.11.

2. NUREG-1366, July 22, 1993.
3. FSAR Table 16.3-2.
4. Callaway OL Amendment No. 20 dated April 10, 1987.
5. Callaway OL Amendment No. 114 dated July 15, 1996.
6. FSAR Section 15.6.5.4.1.4.
7. FSAR Section 6.2.1.5.

CALLAWAY PLANT B 3.3.6-8 Revision 11

CREVS Actuation Instrumentation B 3.3.7 B 3.3 INSTRUMENTATION B 3.3.7 Control Room Emergency Ventilation System (CREVS) Actuation Instrumentation BASES BACKGROUND The CREVS provides an enclosed control room environment from which the unit can be operated following an uncontrolled release of radioactivity.

During normal operation, the Control Building Ventilation System provides control room ventilation. Upon receipt of an actuation signal, the CREVS initiates filtered ventilation and pressurization of the control room. This system is described in the Bases for LCO 3.7.10, "Control Room Emergency Ventilation System (CREVS)."

The actuation instrumentation consists of two gaseous radiation channels in the control room air intake. A high radiation signal from either of these channels will initiate both trains of the CREVS. Since the radiation monitors include an air sampling system, various components such as sample line valves and sample pumps are required to support monitor OPERABILITY. The control room operator can also initiate CREVS trains by manual switches in the control room. The CREVS is also actuated by a Phase A Isolation signal, a Fuel Building Ventilation Isolation signal (FBVIS), or a high radiation signal from the containment purge exhaust gaseous radiation channels. The Phase A Isolation Function is discussed in LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS)

Instrumentation."

APPLICABLE The control room must be kept habitable for the operators stationed there SAFETY during accident recovery and post accident operations.

ANALYSES The CREVS acts to terminate the supply of unfiltered outside air to the control room, initiate filtration, and pressurize the control room. These actions are necessary to ensure the control room is kept habitable for the operators stationed there during accident recovery and post accident operations by minimizing the radiation exposure of control room personnel.

In MODES 1, 2, 3, and 4, (MODE 4 is subject to LCO 3.3.2, Function 3.a),

the gaseous radiation channel actuation of the CREVS is a backup for the Phase A Isolation signal actuation. This ensures initiation of the CREVS during a loss of coolant accident or steam generator tube rupture.

During CORE ALTERATIONS or during movement of irradiated fuel assemblies within containment, the gaseous radiation channel actuation of the CREVS is the primary means to ensure control room habitability in the (continued)

CALLAWAY PLANT B 3.3.7-1 Revision 11

CREVS Actuation Instrumentation B 3.3.7 BASES APPLICABLE event of a fuel handling accident inside containment. No control room SAFETY habitablilty mitigation is required for the waste gas decay tank rupture ANALYSES accident. There are no safety analyses that take credit for CREVS (continued) actuation upon high containment purge exhaust radiation. A FBVIS is credited to protect the control room in the event of a design basis fuel handling accident (FHA) inside the fuel building.

Sources of control room ventilation isolation signal (CRVIS) initiation which are remote from the Control Room intake louvers are not response time tested. The FHA dose analysis credits a FBVIS for actuating a CRVIS following a Fuel Handling Accident in the Fuel Building. Due to the remote location of the Fuel Building exhaust radiation monitors relative to the Control Room intake louvers, the FBVIS will isolate the Control Room prior to the post-accident radioactive plume reaching the Control Room intake louvers. The channels associated with GGRE0027 and GGRE0028, which monitor the Fuel Building ventilation exhaust, are not response time tested with respect to control room isolation and mitigation of control room doses. However, those channels are response time tested per SR 3.3.8.6 with respect to placing the Emergency Exhaust System in the FBVIS mode for the mitigation of offsite radiological consequences.

Similarly, for a LOCA, the analysis credits a time zero Control Room isolation. A Safety Injection signal initiates a Containment Isolation Phase A, which initiates a CRVIS. This function is also credited for isolating the Control Room prior to the post-accident radioactive plume reaching the Control Room intake louvers.

For a Fuel Handling Accident within Containment, GKRE0004 and GKRE0005 are credited for initiating a CRVIS. These monitors are not remote from the Control Room intake louvers. They are downstream of the Control Room intake. Therefore, a specific response time is modeled, and a response time Surveillance Requirement is imposed for this CRVIS function.

The CREVS actuation instrumentation satisfies Criterion 3 of 10CFR50.36(c)(2)(ii).

LCO The LCO requirements ensure that instrumentation necessary to initiate the CREVS is OPERABLE.

(continued)

CALLAWAY PLANT B 3.3.7-2 Revision 11

CREVS Actuation Instrumentation B 3.3.7 BASES LCO 1. Manual Initiation (continued)

The LCO requires two channels OPERABLE. The operator can initiate the CREVS at any time by using either of two push buttons in the control room.

The LCO for Manual Initiation ensures the proper amount of redundancy is maintained in the manual actuation circuitry to ensure the operator has manual initiation capability.

Each channel consists of one push button and the interconnecting wiring to the actuation logic cabinet.

2. Automatic Actuation Logic and Actuation Relays (BOP ESFAS)

The LCO requires two trains of Actuation Logic and Relays OPERABLE to ensure that no single random failure can prevent automatic actuation of control room ventilation isolation.

Automatic Actuation Logic and Actuation Relays (BOP ESFAS) consist of the same features and operate in the same manner as described for ESFAS Function 6.c, Auxiliary Feedwater.

3. Control Room Radiation - Control Room Air Intake The LCO specifies two required Control Room Radiation Monitor -

Control Room Air Intake gaseous channels (GKRE0004 and GKRE0005) to ensure that the radiation monitoring instrumentation necessary to initiate the CREVS remains OPERABLE.

For sampling systems, channel OPERABILITY involves more than OPERABILITY of channel electronics. OPERABILITY also requires correct valve lineups and sample pump operation, as well as detector OPERABILITY, since these supporting features are necessary for trip to occur under the conditions assumed by the safety analyses. The required radiation monitors' OPERABILITY is not dependent on forced flow in the control room supply duct.

GKRE0004 and GKRE0005 OPERABILITY is not dependent on the status of GKHZ0013D/0057A/0150/0151, SGK02, or CGK01A and B. GKRE0004 and GKRE0005 may be considered OPERABLE with CREVS in the CRVIS mode of operation.

(continued)

CALLAWAY PLANT B 3.3.7-3 Revision 11

CREVS Actuation Instrumentation B 3.3.7 BASES LCO 4. Containment Isolation - Phase A (continued)

Control Room Ventilation Isolation is also initiated by all Table 3.3.2-1 Functions that initiate Containment Isolation - Phase A.

Therefore, the requirements are not repeated in Table 3.3.7-1.

Instead, refer to LCO 3.3.2, Function 3.a, for all initiating Functions and requirements.

5. Fuel Building Exhaust Radiation - Gaseous Control Room Ventilation Isolation is also initiated by high radiation in the fuel building detected by Fuel Building Exhaust Radiation - Gaseous channels (GGRE0027 and GGRE0028).

The requirements are not repeated in Table 3.3.7-1. Instead, refer to LCO 3.3.8 for all initiating Functions and requirements.

APPLICABILITY The Manual Initiation, Automatic Actuation Logic and Actuation Relays (BOP ESFAS), and Control Room Radiation - Control Room Air Intake Functions must be OPERABLE in MODES 1, 2, 3, and 4, during CORE ALTERATIONS, or during movement of irradiated fuel assemblies within containment. During CORE ALTERATIONS or during movement of irradiated fuel assemblies within containment, these Functions assure the generation of a CRVIS on detection of high gaseous activity in the event of a fuel handling accident within containment.

During movement of irradiated fuel assemblies in the fuel building, the Fuel Building Exhaust Radiation - Gaseous channels (GGRE0027 and GGRE0028) assure the generation of a CRVIS on detection of high gaseous activity in the event of a fuel handling accident in the fuel building. Since this FBVIS-initiated CRVIS requires Function 2 of Table 3.3.7-1 to complete the actuation circuit, and since manual CRVIS actuation provides back-up, Functions 1 and 2 of Table 3.3.7-1 must also be OPERABLE during movement of irradiated fuel assemblies in the fuel building.

The Containment Isolation - Phase A Function is required to be OPERABLE as directed by LCO 3.3.2, Function 3.a. The Fuel Building Exhaust Radiation - Gaseous Function is required to be OPERABLE as directed by LCO 3.3.8, Functions 1, 2, and 3.

ACTIONS The most common cause of channel inoperability is outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the unit specific calibration procedures. Typically, the drift is (continued)

CALLAWAY PLANT B 3.3.7-4 Revision 11

CREVS Actuation Instrumentation B 3.3.7 BASES ACTIONS found to be small and results in a delay of actuation rather than a total loss (continued) of function. This determination is generally made during the performance of a COT, when the process instrumentation is set up for adjustment to bring it within specification. It the measured Trip Setpoint is less conservative than the tolerance specified by the calibration procedure, the channel must be declared inoperable immediately and the appropriate Condition entered.

A Note has been added to the ACTIONS indicating that separate Condition entry is allowed for each Function. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.7-1 in the accompanying LCO. The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

Placing a CREVS train(s) in the CRVIS mode of operation isolates the unfiltered outside air intake and unfiltered exhaust dampers, and aligns the system for recirculation of the control room air through HEPA filters and charcoal adsorbers. This mode of operation also initiates pressurization and filtered ventilation of the air supply to the control room.

Further discussion of the CRVIS mode of operation may be found in the Bases for LCO 3.7.10, "Control Room Emergency Ventilation System (CREVS)," and in Reference 1.

A.1 Condition A applies to CREVS Functions 1, 2, and 3 (i.e., the actuation logic train Function of the BOP ESFAS, the gaseous radiation monitor channel Function, and the manual initiation channel Function).

If one channel or train is inoperable, or one gaseous radiation monitor channel is inoperable, 7 days are permitted to restore it to OPERABLE status. The 7 day Completion Time is the same as is allowed if one train of the mechanical portion of the system is inoperable. The basis for this Completion Time is the same as provided in LCO 3.7.10. If the channel/

train cannot be restored to OPERABLE status, one CREVS train must be placed in the Control Room Ventilation Isolation Signal (CRVIS) mode of operation. This accomplishes the actuation instrumentation Function and places the unit in a conservative mode of operation.

(continued)

CALLAWAY PLANT B 3.3.7-5 Revision 11

CREVS Actuation Instrumentation B 3.3.7 BASES ACTIONS B.1.1, B.1.2, and B.2 (continued)

Condition B applies to the failure of two CREVS actuation logic trains (BOP ESFAS) or two manual initiation channels. Condition B is modified by a Note stating this Condition is not applicable to Function 3.

Function 3 in Table 3.3.7-1 applies to the Control Room Radiation -

Control Room Air Intake gaseous channels. The first Required Action is to place one CREVS train in the CRVIS mode of operation immediately.

This accomplishes the actuation instrumentation Function that has been lost and places the unit in a conservative mode of operation. The applicable Conditions and Required Actions of LCO 3.7.10 must also be entered immediately for one CREVS train made inoperable by the inoperable actuation instrumentation. This ensures appropriate limits are placed upon train inoperability as discussed in the Bases for LCO 3.7.10.

Alternatively, both trains may be placed in the CRVIS mode immediately.

This ensures the CREVS function is performed even in the presence of a single failure.

C.1.1, C.1.2, and C.2 Condition C applies to the failure of both gaseous radiation monitoring channels. The first Required Action is to enter the applicable Conditions and Required Actions of LCO 3.7.10 immediately for one CREVS train made inoperable by the inoperable actuation instrumentation. This ensures appropriate limits are placed upon train inoperability as discussed in the Bases for LCO 3.7.10. One CREVS train must also be placed in the CRVIS mode of operation within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This accomplishes the actuation instrumentation Function that has been lost and places the unit in a conservative mode of operation. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time allows for activities such as changing sample filters on the OPERABLE channel while in Condition A, which requires entry into Condition C.

Alternatively, both trains may be placed in the CRVIS mode within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.

This ensures the CREVS function is performed even in the presence of a single failure.

D.1 and D.2 Condition D applies when the Required Action and associated Completion Time for Conditions A, B, or C have not been met and the unit is in MODE 1, 2, 3 or 4. The unit must be brought to a MODE in which the (continued)

CALLAWAY PLANT B 3.3.7-6 Revision 11

CREVS Actuation Instrumentation B 3.3.7 BASES ACTIONS D.1 and D.2 (continued)

LCO requirements are not applicable. To achieve this status, the unit must be brought to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1 and E.2 Condition E applies when the Required Action and associated Completion Time for Conditions A, B, or C have not been met during CORE ALTERATIONS or when irradiated fuel assemblies are being moved.

Movement of irradiated fuel assemblies and CORE ALTERATIONS must be suspended immediately to reduce the risk of accidents that would require CREVS actuation. This does not preclude movement of a component to a safe position.

SURVEILLANCE A Note has been added to the SR Table to clarify that Table 3.3.7-1 REQUIREMENTS determines which SRs apply to which CREVS Actuation Functions.

SR 3.3.7.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

(continued)

CALLAWAY PLANT B 3.3.7-7 Revision 11

CREVS Actuation Instrumentation B 3.3.7 BASES SURVEILLANCE SR 3.3.7.1 (continued)

REQUIREMENTS The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

Either the RM-11 or RM-23 displays may be used to perform the CHANNEL CHECK for the Control Room Radiation - Control Room Air Intake gaseous channels (GKRE0004 and GKRE0005).

SR 3.3.7.2 A COT is performed on each required control room air intake gaseous radiation monitor channel to ensure the channel will perform the intended function. This test verifies the capability of the instrumentation to provide the CREVS actuation. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified periodically by other Technical Specifications and non-Technical Specifications tests. The setpoints shall be left within the two-sided calibration tolerance band on either side of the nominal value. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.7.3 SR 3.3.7.3 is the performance of an ACTUATION LOGIC TEST using the BOP ESFAS automatic tester. The continuity check does not have to be performed, as explained in the Note. This SR is applied to the balance of plant actuation logic and relays that do not have circuits installed to perform the continuity check. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.7.4 SR 3.3.7.4 is the performance of a TADOT. This test is a check of the Manual Initiation Function. Each Manual Initiation channel is tested through the BOP ESFAS logic. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable (continued)

CALLAWAY PLANT B 3.3.7-8 Revision 11

CREVS Actuation Instrumentation B 3.3.7 BASES SURVEILLANCE SR 3.3.7.4 (continued)

REQUIREMENTS TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified periodically by other Technical Specifications and non-Technical Specifications tests.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The SR is modified by a Note that excludes verification of setpoints during the TADOT. The channels tested have no setpoints associated with them.

SR 3.3.7.5 CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.7.6 SR 3.3.7.6 is the performance of the required response time verification on those functions with time limits provided in Reference 2. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.7.6 is modified by a Note stating that the radiation monitor detectors are excluded from ESF RESPONSE TIME testing. The Note is necessary because of the difficulty associated with generating an appropriate radiation monitor detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.

(continued)

CALLAWAY PLANT B 3.3.7-9 Revision 11

CREVS Actuation Instrumentation B 3.3.7 BASES (Continued)

REFERENCES 1. FSAR Section 7.3.4 and Table 7.3-8.

2. FSAR Table 16.3-2.

CALLAWAY PLANT B 3.3.7-10 Revision 11

EES Actuation Instrumentation B 3.3.8 B 3.3 INSTRUMENTATION B 3.3.8 Emergency Exhaust System (EES) Actuation Instrumentation BASES BACKGROUND The EES ensures that radioactive materials in the fuel building atmosphere following a fuel handling accident are filtered and adsorbed prior to exhausting to the environment. The system is described in the Bases for LCO 3.7.13, "Emergency Exhaust System." The system initiates filtered exhaust from the fuel building following receipt of a fuel building ventilation isolation signal (FBVIS), initiated manually or automatically upon a high radiation signal (gaseous).

High gaseous radiation, monitored by two channels, provides an FBVIS.

Both EES trains are initiated by high radiation detected by either channel.

Each channel contains a gaseous monitor. High radiation detected by either monitor initiates fuel building isolation, starts the EES, and initiates a CRVIS. These actions function to prevent exfiltration of contaminated air by initiating filtered exhaust, which imposes a negative pressure on the fuel building. Since the radiation monitors include an air sampling system, various components such as sample line valves and sample pumps are required to support monitor OPERABILITY. In the FBVIS mode, each train is capable of maintaining the fuel building at a negative pressure of less than or equal to 0.25 inches water gauge relative to the outside atmosphere.

The EES is also actuated in the LOCA (SIS) mode as described in the Bases for LCO 3.3.2, "ESFAS Instrumentation."

APPLICABLE The EES ensures that radioactive materials in the fuel building SAFETY atmosphere following a fuel handling accident are filtered and adsorbed ANALYSES prior to being exhausted to the environment as discussed in Reference 1.

This action reduces the radioactive content in the fuel building exhaust following a fuel handling accident so that offsite doses remain within the limits specified in 10 CFR 100 (Ref. 2) and control room habitability is maintained.

The EES actuation instrumentation satisfies Criterion 3 of 10CFR50.36(c)(2)(ii).

LCO The LCO requirements ensure that instrumentation necessary to initiate the EES is OPERABLE.

(continued)

CALLAWAY PLANT B 3.3.8-1 Revision 11

EES Actuation Instrumentation B 3.3.8 BASES LCO 1. Manual Initiation (continued)

The LCO requires two channels OPERABLE. The operator can initiate the EES at any time by using either of two push buttons in the control room.

The LCO for Manual Initiation ensures the proper amount of redundancy is maintained in the manual actuation circuitry to ensure the operator has manual initiation capability.

Each channel consists of one push button and the interconnecting wiring to the actuation logic cabinet.

2. Automatic Actuation Logic and Actuation Relays (BOP ESFAS)

The LCO requires two trains of Actuation Logic and Relays OPERABLE to ensure that no single random failure can prevent automatic actuation. This consists of the same features and operates in the same manner as described for ESFAS Function 6.c, Auxiliary Feedwater.

3. Fuel Building Exhaust Radiation - Gaseous The LCO specifies two required Fuel Building Exhaust Radiation

-Gaseous channels (GGRE0027 and GGRE0028) to ensure that the radiation monitoring instrumentation necessary to initiate the FBVIS and CRVIS remains OPERABLE.

For sampling systems, channel OPERABILITY involves more than OPERABILITY of channel electronics. OPERABILITY also requires correct valve lineups, sample pump operation, and detector OPERABILITY, since these supporting features are necessary for actuation to occur under the conditions assumed by the safety analyses. The required radiation monitors remain OPERABLE if one or both Emergency Exhaust System trains are inoperable or following a Fuel Building Ventilation Isolation Signal (FBVIS). Both required radiation monitors remain OPERABLE if the normal Fuel Building exhaust flow is isolated.

The submersion dose rate basis for the nominal Trip Setpoint is specified for the gaseous monitors in the LCO. The nominal Trip Setpoint accounts for instrument uncertainties.

(continued)

CALLAWAY PLANT B 3.3.8-2 Revision 11

EES Actuation Instrumentation B 3.3.8 BASES (Continued)

APPLICABILITY The manual and automatic EES initiation must be OPERABLE when moving irradiated fuel assemblies in the fuel building to ensure the EES operates to remove fission products associated with a fuel handling accident and isolate control room ventilation.

High radiation initiation of the FBVIS must be OPERABLE during movement of irradiated fuel assemblies in the fuel building to ensure automatic initiation of the EES and a CRVIS when the potential for a fuel handling accident exists.

ACTIONS The most common cause of channel inoperability is outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by unit specific calibration procedures. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a COT, when the process instrumentation is set up for adjustment to bring it within specification. If the measured Trip Setpoint is less conservative than the tolerance specified by the calibration procedure, the channel must be declared inoperable immediately and the appropriate Condition entered.

LCO 3.0.3 is not applicable while in MODE 5 or 6. However, since irradiated fuel assembly movement can occur in MODE 1, 2, 3, or 4, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operations. Entering LCO 3.0.3, while in MODE 1, 2, 3, or 4 would require the unit to be shutdown unnecessarily.

A second Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.8-1 in the accompanying LCO. The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

Placing a EES train(s) in the FBVIS mode of operation isolates normal air discharge from the fuel building and initiates filtered exhaust, imposing a negative pressure on the fuel building. Further discussion of the FBVIS mode of operation may be found in the Bases for LCO 3.7.13, "Emergency Exhaust System (EES)," and in Reference 3.

(continued)

CALLAWAY PLANT B 3.3.8-3 Revision 11

EES Actuation Instrumentation B 3.3.8 BASES ACTIONS A.1 (continued)

Condition A applies to the actuation logic train Function of the BOP ESFAS, the gaseous radiation monitor channel Function, and the manual initiation channel Function. Condition A applies to the failure of a single actuation logic train, gaseous radiation monitor channel, or manual initiation channel. If one channel or train is inoperable, or one gaseous radiation monitor channel is inoperable, a period of 7 days is allowed to restore it to OPERABLE status. If the channel or train cannot be restored to OPERABLE status, one EES train must be placed in the FBVIS mode of operation and one CREVS train must be placed in the CRVIS mode. This accomplishes the actuation instrumentation Function and places the unit in a conservative mode of operation. The 7 day Completion Time is the same as is allowed if one train of the mechanical portion of the system is inoperable. The basis for this time is the same as that provided in LCO 3.7.13.

B.1.1, B.1.2, and B.2 Condition B applies to the failure of two EES actuation logic trains (BOP ESFAS) or two manual initiation channels. Condition B is modified by a Note stating this Condition is not applicable to Function 3. Function 3 in Table 3.3.8-1 covers the Fuel Building Exhaust Radiation - Gaseous channels. The first Required Action is to place one EES train in the FBVIS mode of operation and one CREVS train in the CRVIS mode of operation immediately. This accomplishes the actuation instrumentation Function that has been lost and places the unit in a conservative mode of operation. The applicable Conditions and Required Actions of LCO 3.7.13 must also be entered immediately for one EES train made inoperable and the applicable Conditions and Required Actions of LCO 3.7.10 must be entered immediately for one CREVS train made inoperable by the inoperable actuation instrumentation. This ensures appropriate limits are placed on train inoperability as discussed in the Bases for LCO 3.7.13 and LCO 3.7.10.

Alternatively, both EES trains may be placed in the FBVIS mode and both CREVS trains in the CRVIS mode immediately. This ensures the EES function is performed even in the presence of a single failure.

C.1.1, C.1.2, and C.2 Condition C applies to the failure of both gaseous radiation monitoring channels. The first Required Action is to enter the applicable Conditions (continued)

CALLAWAY PLANT B 3.3.8-4 Revision 11

EES Actuation Instrumentation B 3.3.8 BASES ACTIONS C.1.1, C.1.2, and C.2 (continued) and Required Actions of LCO 3.7.13 immediately for one EES train made inoperable and the applicable Conditions and Required Actions of LCO 3.7.10 must be entered immediately for one CREVS train made inoperable by the inoperable actuation instrumentation. This ensures appropriate limits are placed upon train inoperability as discussed in the Bases for LCO 3.7.13 and LCO 3.7.10. One EES train must also be placed in the FBVIS mode of operation and one CREVS train in the CRVIS mode of operation within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This accomplishes the actuation instrumentation Function that has been lost and places the unit in a conservative mode of operation. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time allows for activities such as changing sample filters on the OPERABLE channel while in Condition A, which requires entry into Condition C.

Alternatively, both EES trains may be placed in the FBVIS mode and both CREVS trains in the CRVIS mode within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This ensures the EES function is performed even in the presence of a single failure.

D.1 Condition D applies when the Required Action and associated Completion Time for Conditions A, B, or C have not been met and irradiated fuel assemblies are being moved in the fuel building. Movement of irradiated fuel assemblies in the fuel building must be suspended immediately to eliminate the potential for events that could require EES actuation. This does not preclude movement of a fuel assembly to a safe position.

SURVEILLANCE A Note has been added to the SR Table to clarify that Table 3.3.8-1 REQUIREMENTS determines which SRs apply to which EES Actuation Functions.

SR 3.3.8.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the (continued)

CALLAWAY PLANT B 3.3.8-5 Revision 11

EES Actuation Instrumentation B 3.3.8 BASES SURVEILLANCE SR 3.3.8.1 (continued)

REQUIREMENTS instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

Either the RM-11 or RM-23 displays may be used to perform the CHANNEL CHECK for the Fuel Building Exhaust Radiation - Gaseous channels (GGRE0027 and GGRE0028).

SR 3.3.8.2 A COT is performed on each required fuel building exhaust gaseous radiation monitor channel to ensure the channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified periodically by other Technical Specifications and non-Technical Specifications tests. This test verifies the capability of the instrumentation to provide the EES actuation.

The setpoints shall be left within the two-sided calibration tolerance band on either side of the nominal value. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.8.3 SR 3.3.8.3 is the performance of an ACTUATION LOGIC TEST. All possible logic combinations are tested for each protection function. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The SR is modified by a Note stating that (continued)

CALLAWAY PLANT B 3.3.8-6 Revision 11

EES Actuation Instrumentation B 3.3.8 BASES SURVEILLANCE SR 3.3.8.3 (continued)

REQUIREMENTS the continuity check may be excluded. This SR is applied to the balance of plant actuation logic and relays that do not have circuits installed to perform the continuity check.

SR 3.3.8.4 SR 3.3.8.4 is the performance of a TADOT. This test is a check of the Manual Initiation Function. Each Manual Initiation channel is tested through the BOP ESFAS logic. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The SR is modified by a Note that excludes verification of setpoints during the TADOT. The channels tested have no setpoints associated with them.

SR 3.3.8.5 CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.8.6 SR 3.3.8.6 is the performance of the required response time verification on those functions with time limits provided in Reference 4. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.8.6 is modified by a Note stating that the radiation monitor detectors are excluded from ESF RESPONSE TIME testing. The Note is necessary because of the difficulty associated with generating an appropriate radiation monitor detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.

(continued)

CALLAWAY PLANT B 3.3.8-7 Revision 11

EES Actuation Instrumentation B 3.3.8 BASES (Continued)

REFERENCES 1. FSAR Section 15.7.4.

2. 10 CFR 100.11.
3. FSAR Section 7.3.3 and Table 7.3-5.
4. FSAR Table 16.3-2.

CALLAWAY PLANT B 3.3.8-8 Revision 11

BDMS B 3.3.9 B 3.3 INSTRUMENTATION B 3.3.9 Boron Dilution Mitigation System (BDMS)

BASES BACKGROUND The primary purpose of the BDMS is to mitigate the consequences of the inadvertent addition of unborated primary grade water into the Reactor Coolant System (RCS) when the plant is in MODES 2 (below P-6 setpoint), 3, 4, and 5. The addition of unborated primary grade water into the RCS results in boron dilution and a potential for an inadvertent boron dilution event. Other potential boron dilution sources have been identified.

An inadvertent boron dilution path is created when flushing the Chemical and Volume Control system (CVCS) letdown gamma radiation detector, SJRE001, with unborated reactor makeup water. Boron dilution may also be accomplished by removing boron from the CVCS stream prior to RCS return using the ion exchange capability of the CVCS resin vessels. The CVCS resin vessels include the resin vessels of its subsystem, the boron thermal regeneration system.

As described in TS 3.9.2 Bases, plant reactivity management requirements preclude inadvertent boron dilution events, while permitting planned boron dilution evolutions (necessary for plant operations) performed under administrative controls.

The BDMS utilizes two channels of source range instrumentation. Each source range channel provides a signal to its microprocessor, which continuously records the counts per minute. At the end of each discrete one-minute interval, an algorithm compares the average counts per minute value (flux rate) of that 1 minute interval with the average counts per minute value for the previous nine, 1 minute intervals. If the flux rate during a 1 minute interval is greater than or equal to 1.7 times the flux rate during any of the prior nine 1 minute intervals, the BDMS provides a signal to initiate mitigating actions.

Upon detection of a flux multiplication by either source range instrumentation train, an alarm is sounded to alert the operator and valve movement is automatically initiated to terminate the dilution and start boration. Valves (BNLCV0112D, BNLCV0112E) that isolate the refueling water storage tank (RWST) are opened to supply borated water to the suction of the ECCS centrifugal charging pumps, and valves (BGLCV0112B, BGLCV0112C) which isolate the Volume Control Tank are closed to terminate the dilution.

(continued)

CALLAWAY PLANT B 3.3.9-1 Revision 14

BDMS B 3.3.9 BASES (Continued)

APPLICABLE The BDMS senses abnormal increases in source range counts per minute SAFETY (flux rate) and actuates VCT and RWST valves to mitigate the ANALYSES consequences of an inadvertent boron dilution event as described in Reference 1. The accident analyses rely on automatic BDMS actuation to mitigate the consequences of inadvertent boron dilution events in MODES 3, 4, and 5. The MODE 2 analysis in Reference 1 credits the source range reactor trip function, in conjunction with operator action. The operation of one RCS loop in MODES 2 (below P-6 setpoint), 3, 4, and 5 provides adequate flow to ensure mixing, prevent stratification, and produce gradual reactivity changes during RCS boron concentration reductions. The reactivity change rate associated with boron reduction will, therefore, be within the transient mitigation capability of the BDMS.

With no reactor coolant loop in operation in the above MODES, boron dilutions must be terminated and all dilution sources isolated (see Condition C). The boron dilution analysis in these MODES takes credit for the mixing volume associated with having at least one reactor coolant loop in operation.

The event is successfully terminated after the volume of water from the normally closed RWST suction isolation valves to the RCS via the normal charging flow path is purged and inadvertent criticality is avoided. The primary success path for mitigation is fulfilled when the VCT suction path is isolated; however, the analysis also accounts for the volume of CVCS piping from the RWST to the RCS that must be purged since its boron content is dependent on time in cycle life and may itself represent a dilution source.

The BDMS satisfies Criterion 3 of 10CFR50.36(c)(2)(ii).

LCO LCO 3.3.9 provides the requirements for OPERABILITY of the instrumentation that provides control room indication of core neutron levels, and that mitigates the consequences of a boron dilution event. Two redundant trains are required to be OPERABLE to provide protection against single failure. In addition, LCO 3.3.9 requires that one RCS loop shall be in operation.

Because the BDMS utilizes the source range instrumentation in its detection system, the OPERABILITY of that portion of the detection system is also part of the OPERABILITY of the Reactor Trip System. The flux multiplication algorithm, the alarms, and signals to the motor control centers for the suction valves all must be OPERABLE for a train in the system to be considered OPERABLE. As required for this LCO, the BDMS extends to, and includes, the RWST suction isolation valves (continued)

CALLAWAY PLANT B 3.3.9-2 Revision 14

BDMS B 3.3.9 BASES LCO (BNLCV0112D, E) and the VCT suction isolation valves (BGLCV0112B, (continued) C).

With insufficient RCS mixing volume, i.e. no RCS loop in operation, Condition C must be entered.

APPLICABILITY The BDMS must be OPERABLE in MODES 2 (below P-6 setpoint), 3, 4, and 5 because the safety analysis identifies this system as the primary means to mitigate an inadvertent boron dilution of the RCS in MODES 3, 4, and 5 and the P-6 setpoint establishes the point at which RTS protection is shifted to the intermediate range neutron flux channels.

The BDMS OPERABILITY requirements are not applicable in MODES 1 and 2 (above P-6 setpoint) because an inadvertent boron dilution would be terminated by Overtemperature T or operator action as discussed in Reference 1. The Overtemperature T trip Function is discussed in LCO 3.3.1, "RTS Instrumentation."

In MODE 6, an inadvertent dilution event is precluded by locked valves for unborated reactor makeup water (BGV0178 and BGV0601), CVCS resin vessels configured with resin for dilution during normal operation (BG8522A, BG8522B, BGV0039, BGV0043, BGV0051, and BGV0055),

and the purge line used during flushing of CVCS letdown radiation monitor (SJV0703) that isolate the RCS from the potential sources of unborated water (according to LCO 3.9.2, "Unborated Water Source Isolation Valves").

The Applicability is modified by a Note that allows the boron dilution flux multiplication signal to be blocked during subcritical physics testing, during control bank movement in MODE 2 (below the P-6 setpoint), during control bank movement in MODE 3, or during shutdown bank movement in MODE

3. The BDMS function may be blocked just prior to shutdown bank withdrawal in MODE 3 using switches SEHS0011 and SEHS0012 on the main control board. After the shutdown banks are fully withdrawn, the BDMS function will be restored (unblocked) until just prior to control bank withdrawal, at which point the BDMS function may again be blocked using SEHS0011 and SEHS0012 and by placing the two-phi module normal/test switches in the test position at the NIS racks (SEIN0031A and SEIN0032A). MODE 2 is administratively declared just prior to the commencement of control bank withdrawal even though keff should not yet be greater than or equal to 0.99 at that time. After the P-6 setpoint is exceeded, this LCO is no longer applicable. Blocking the flux multiplication signal is acceptable during the above evolutions based on (continued)

CALLAWAY PLANT B 3.3.9-3 Revision 14

BDMS B 3.3.9 BASES APPLICABILITY the heightened operator awareness and reactivity management (continued) administrative controls in place.

Administrative controls require operator awareness during all reactivity manipulations. These administrative controls include:

  • Reactivity management briefs of the control room operations staff (typically conducted at the beginning of each shift);
  • Use of self-verification techniques by all licensed operators performing core reactivity manipulations;
  • Peer checks for all reactivity manipulations during routine operations and for all positive reativity additions during transient or off-normal operations;
  • Off-normal procedures are available that address reactor makeup control system (RCMS) malfunctions and potential loss of shutdown margin (SDM);
  • Criticality is anticipated anytime the shutdown banks are being withdrawn, and when RCS boron dilution is in progress, and when the control banks are being withdrawn;
  • RCS boron dilutions are not performed after control bank withdrawal has been initiated until the reactor is critical and stabilized with an intermediate flux nuclear instrumentation system (NIS) reading of 1E-08 amps; and
  • A senior reactor operator (SRO) is designated as the reactivity management SRO. Positive reactivity additions are added by only one method during the approach to criticality.

During any and all rod motion, operators monitor all available indications of nuclear power. During RCS boron concentration change evolutions, operators observe the various indications and alarms provided in the RMCS design for monitoring proper system operation as discussed in FSAR Section 15.4.6 (Reference 1).

Under the revised LCO Applicability Note, the BDMS function would be blocked during subcritical physics testing which either directly involves rod movement or is performed at the same time as such testing, and the BDMS function would also be blocked during a rod withdrawal approach to criticality. Testing activities to be performed with the BDMS function blocked include:

(continued)

CALLAWAY PLANT B 3.3.9-4 Revision 14

BDMS B 3.3.9 BASES APPLICABILITY

Reference:

Union Electric letter ULNRC-03131 dated January 19, 1995);

  • Digital rod position indication (DRPI) testing over the full indicated range of rod travel per SR 3.1.7.1 and FSAR Section 16.1.3.1.1;
  • Subcritical Physics Testing with Subcritical Rod Worth Measurement (SRWM) which encompasses testing described in FSAR Section 4.3.2.2.8 as well as the Core Reactivity and beginning of life (BOL) upper limit Moderator Temperature Coefficient (MTC) surveillances of SR 3.1.2.1 and SR 3.1.3.1, respectively. Subcritical Physics Testing includes brief periods of static rod conditions but primarily involves testing that requires rod movement.

Under the revised LCO Applicability Note the BDMS function would be enabled during the following testing activities which do not require rod movement:

  • Verification that the estimated critical position (ECP) is within the COLR limits per SR 3.1.6.1;
  • Verification that the RCS boron concentration is greater than all-rods-out critical concentration per SR 3.1.9.1.

ACTIONS The most common cause of channel inoperability is outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the unit specific calibration procedure. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination of setpoint drift is generally made during the performance of a COT when the process instrumentation is set up for adjustment to bring it to within specification. If the Trip Setpoint is less conservative than the tolerance specified by the calibration procedure, the channel must be declared inoperable immediately and the appropriate Condition entered.

(continued)

CALLAWAY PLANT B 3.3.9-5 Revision 14

BDMS B 3.3.9 BASES ACTIONS A.1 (continued)

With one train of the BDMS inoperable, Required Action A.1 requires that the inoperable train must be restored to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. In this Condition, the remaining BDMS train is adequate to provide protection. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is based on the BDMS Function and is consistent with Engineered Safety Feature Completion Times for loss of one redundant train. Also, the remaining OPERABLE train provides continuous indication of core power status to the operator, has an alarm function, and sends a signal to both trains of the BDMS to assure system actuation.

B.1, B.2, B.3.1, and B.3.2 With two trains inoperable, or the Required Action and associated Completion Time of Condition A not met, the initial action (Required Action B.1) is to suspend all operations involving positive reactivity additions immediately. This includes withdrawal of control or shutdown rods and intentional boron dilution.

Required Action B.2 verifies the SDM according to SR 3.1.1.1 within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter. This action is intended to confirm that no unintended boron dilution has occurred while the BDMS was inoperable, and that the required SDM has been maintained. The specified Completion Time takes into consideration sufficient time for the initial determination of SDM and other information available in the control room related to SDM.

Required Action B.3.1 requires valves listed in the LCO Bases for LCO 3.9.2, Unborated Water Source Isolation Valves, to be closed and secured to prevent the flow of unborated water into the RCS. An inadvertent dilution event is precluded by locked valves for unborated reactor makeup water (BGV0178 and BGV0601), CVCS resin vessels configured with resin for dilution during normal operation (BG8522A, BG8522B, BGV0039, BGV0043, BGV0051, and BGV0055), and the purge line used during flushing of CVCS letdown radiation monitor (SJV0703) that isolate the RCS from potential source of unborated water. Once it is recognized that two trains of the BDMS are inoperable, the operators will be aware of the possibility of a boron dilution, and the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time is adequate to complete the requirements of LCO 3.9.2. The recurring 31 day verification of Required Action B.3.2 ensures these valves remain closed for an extended Condition B entry.

(continued)

CALLAWAY PLANT B 3.3.9-6 Revision 14

BDMS B 3.3.9 BASES ACTIONS B.1, B.2, B.3.1, and B.3.2 (continued)

Required Action B.1 is modified by a Note which permits plant temperature changes provided the temperature change is accounted for in the calculated SDM. Introduction of temperature changes, including temperature increases when a positive MTC exists, must be evaluated to ensure they do not result in a loss of required SDM.

C.1 and C.2 Condition C is entered with no RCS loop in operation. The operation of one RCS loop provides adequate flow to ensure mixing, prevent stratification, and produce gradual reactivity changes during RCS boron concentration reductions. The reactivity change rate associated with boron reduction will, therefore, be within the transient mitigation capability of the Boron Dilution Mitigation System (BDMS). With no reactor coolant loop in operation, all dilution sources must be isolated. The boron dilution analysis takes credit for the mixing volume associated with having at least one reactor coolant loop in operation.

Required Action C.1 requires that valves listed in the LCO Bases for LCO 3.9.2, Unborated Water Source Isolation Valves, be closed and secured to prevent the flow of unborated water into the RCS. An inadvertent dilution event is precluded by locked valves for unborated reactor makeup water (BGV0178 and BGV0601), CVCS resin vessels configured with resin for dilution during normal operation (BG8522A, BG8522B, BGV0039, BGV0043, BGV0051, and BGV0055), and the purge line used during flushing of CVCS letdown radiation monitor (SJV0703) that isolate the RCS from potential source of unborated water. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time is adequate to perform these local valve manipulations. The recurring 31 day verification of Required Action C.2 ensures these valves remain closed and secured for an extended Condition C entry.

SURVEILLANCE The BDMS trains are subject to a CHANNEL CHECK, valve closure in REQUIREMENTS MODE 5, COT, CHANNEL CALIBRATION, and Response Time Testing. In addition, the requirement to verify one RCS loop in operation is subject to periodic surveillance.

SR 3.3.9.1 Performance of the CHANNEL CHECK ensures that gross failure of source range instrumentation has not occurred.

(continued)

CALLAWAY PLANT B 3.3.9-7 Revision 14

BDMS B 3.3.9 BASES SURVEILLANCE SR 3.3.9.1 (continued)

REQUIREMENTS A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious.

A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.9.2 SR 3.3.9.2 requires that valve BGV0178 be closed and secured prior to entry into MODE 5. LCO 3.9.2, Unborated Water Source Isolation Valves, requires that this valve also be closed and secured in MODE 6.

Closing BGV0178 satisfies the boron dilution accident analysis assumption that flow orifice BGFO0010 limits the dilution flow rate to no more than 150 gpm in MODE 5. This Surveillance demonstrates that the valve is closed through a system walkdown. SR 3.3.9.2 is modified by a Note stating that it is only required to be performed in MODE 5. This Note requires that the surveillance be performed prior to entry into MODE 5 and in accordance with the Frequency specified in the Surveillance Frequency Control Program. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.9.3 SR 3.3.9.3 requires the performance of a COT, to ensure that each train of the BDMS and associated trip setpoints are fully operational. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This (continued)

CALLAWAY PLANT B 3.3.9-8 Revision 14

BDMS B 3.3.9 BASES SURVEILLANCE SR 3.3.9.3 (continued)

REQUIREMENTS clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified periodically by other Technical Specifications and non-Technical Specifications tests. This test shall include verification that the boron dilution flux multiplication setpoint is equal to or less than an increase of 1.7 times the count rate within a 10 minute period. The 1.7 flux multiplication setpoint is a nominal value. SR 3.3.9.3 is met if the measured setpoint is within a two-sided calibration tolerance band on either side of the nominal value. SR 3.3.9.3 is modified by a Note that provides a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> delay in the requirement to perform this Surveillance after reducing power below the P-6 interlock. This Note allows a delay in the performance of the COT to reflect the delay allowed for the source range channels. If the plant is to remain below the P-6 setpoint for more than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, this Surveillance must be performed prior to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after reducing power below the P-6 setpoint. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.9.4 SR 3.3.9.4 is the performance of a CHANNEL CALIBRATION. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. The SR is modified by a Note that neutron detectors are excluded from the CHANNEL CALIBRATION. Neutron detectors are excluded from the CHANNEL CALIBRATION because it is impractical to set up a test that demonstrates and adjusts neutron detector response to known values of the parameter (neutron flux) that the channel monitors. The Note applies to the source range proportional counters in the Nuclear Instrumentation System (NIS).

The testing of the source range neutron detectors consists of obtaining integral bias curves, evaluating those curves, and comparing the curves previous data. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.9.5 SR 3.3.9.5 is the performance of a response time test to verify that, on a simulated or actual boron dilution flux multiplication signal, the centrifugal (continued)

CALLAWAY PLANT B 3.3.9-9 Revision 14

BDMS B 3.3.9 BASES SURVEILLANCE SR 3.3.9.5 (continued)

REQUIREMENTS (continued) charging pump suction valves (BNLCV0112D, BNLCV0112E) from the RWST open and the CVCS volume control tank discharge valves (BGLCV0112B, BGLCV0112C) close in the required time of 30 seconds to reflect the analysis requirements of Reference 1.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.9.6 SR 3.3.9.6 requires verification that one RCS loop is in operation.

Verification may include flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing adequate mixing. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 15.4.6.

2. Callaway OL Amendment 165.

CALLAWAY PLANT B 3.3.9-10 Revision 14

Retrieved from "https://kanterella.com/w/index.php?title=ML23067A175&oldid=3646898"