Text

TSTF-493, Revision 0, Clarify Application of Setpoint Methodology for LSSS Functions.
	ML060270503
Person / Time
Issue date:	01/27/2006
From:	Crowthers M, Infanger P, Sparkman W, Woods B; BWR Owners Group, Technical Specifications Task Force, Westinghouse Owners Group
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	TSTF-06-03 TSTF-493, Rev 0
	Download: ML060270503 (238)
	v • d • e

TECHNICAL SPECIFICATIONS TASK FORCE TSTF A JOINT OWNERS GROUP ACTIVITY January 27, 2006 TSTF-06-03 U. S. Nuclear Regulatory Commission Attn: Document Control Desk Washington, DC 20555-0001

SUBJECT:

TSTF-493, Revision 0, "Clarify Application of Setpoint Methodology for LSSS Functions"

Dear Sir or Madam:

Enclosed for NRC review is Revision 0 of TSTF-493, "Clarify Application of Setpoint Methodology for LSSS Functions."

TSTF-493 was developed to address NRC concerns that the technical specification requirements for Limiting Safety System Settings may not be fully in compliance with 10 CFR 50.36. This Traveler was developed at the request of the NRC in cooperation with the Nuclear Energy Institute Setpoint Methodology Task Force.

It is our understanding that any NRC actions related to this Traveler will not be subject to review fees. If this is incorrect, please inform us immediately and do not review this Traveler.

Should you have any questions, please do not hesitate to contact us.

Wesley Sparkman (WOG/W) Michael Crowthers (BWROG)

Brian Woods (WOG/CE) Paul Infanger (WOG/B&W)

Enclosure cc: Thomas H. Boyce, Technical Specifications Section, NRC David E. Roth, Technical Specifications Section, NRC Michael A. Schoppman, NEI 11921 Rockville Pike, Suite 100, Rockville, MD 20852 Phone: 301-984-4400, Fax: 301-984-7600 Email: tstf@excelservices.com Administered by EXCEL Services Corporation

BWROG-107, Rev. 0 TSTF-493, Rev. 0 Technical Specification Task Force Improved Standard Technical Specifications Change Traveler Clarify Application of Setpoint Methodology for LSSS Functions NUREGs Affected: 1430 1431 1432 1433 1434 Classification: 1) Technical Change Recommended for CLIIP?: Yes Correction or Improvement: Not Applicable NRC Fee Status: Exempt Benefit: Improves Bases Industry

Contact:

Mike Crowthers, (610) 774-7766, mhcrowthers@pplweb.com See attached.

Revision History OG Revision 0 Revision Status: Active Revision Proposed by: BWROG Revision

Description:

Original Issue Owners Group Review Information Date Originated by OG: 07-Nov-05 Owners Group Comments The traveler was revised based on comments provided at a joint WOG/BWROG meeting held on December 14, 2005 in Marco Island, Florida and other comments.

Owners Group Resolution: Approved Date: 06-Jan-06 TSTF Review Information TSTF Received Date: 07-Nov-05 Date Distributed for Review 07-Nov-05 OG Review Completed: BWOG WOG CEOG BWROG TSTF Comments:

Discussed with all OGs on December 12, 2005. Revised to address comments.

TSTF Resolution: Approved Date: 23-Jan-06 NRC Review Information NRC Received Date: 27-Jan-06 27-Jan-06 Traveler Rev. 3. Copyright (C) 2005, EXCEL Services Corporation. Use by EXCEL Services associates, utility clients, and the U.S. Nuclear Regulatory Commission is granted. All other use without written permission is prohibited.

BWROG-107, Rev. 0 TSTF-493, Rev. 0 Affected Technical Specifications Bkgnd 3.3.1 Bases RPS Instrumentation NUREG(s)- 1430 Only S/A 3.3.1 Bases RPS Instrumentation NUREG(s)- 1430 Only LCO 3.3.1 RPS Instrumentation NUREG(s)- 1430 Only Change

Description:

Table 3.3.1-1 Action 3.3.1 Bases RPS Instrumentation NUREG(s)- 1430 Only SR 3.3.1 Bases RPS Instrumentation NUREG(s)- 1430 Only SR 3.3.1.3 Bases RPS Instrumentation NUREG(s)- 1430 Only SR 3.3.1.4 Bases RPS Instrumentation NUREG(s)- 1430 Only SR 3.3.1.5 Bases RPS Instrumentation NUREG(s)- 1430 Only Bkgnd 3.3.5 Bases ESFAS Instrumentation NUREG(s)- 1430 Only S/A 3.3.5 Bases ESFAS Instrumentation NUREG(s)- 1430 Only LCO 3.3.5 ESFAS Instrumentation NUREG(s)- 1430 Only Change

Description:

Table 3.3.5-1 LCO 3.3.5 Bases ESFAS Instrumentation NUREG(s)- 1430 Only Action 3.3.5 Bases ESFAS Instrumentation NUREG(s)- 1430 Only SR 3.3.5 Bases ESFAS Instrumentation NUREG(s)- 1430 Only SR 3.3.5.2 Bases ESFAS Instrumentation NUREG(s)- 1430 Only SR 3.3.5.3 Bases ESFAS Instrumentation NUREG(s)- 1430 Only Bkgnd 3.3.1 Bases RTS Instrumentation NUREG(s)- 1431 Only S/A 3.3.1 Bases RTS Instrumentation NUREG(s)- 1431 Only LCO 3.3.1 RTS Instrumentation NUREG(s)- 1431 Only Change

Description:

Table 3.3.1-1 SR 3.3.1 Bases RTS Instrumentation NUREG(s)- 1431 Only SR 3.3.1.7 Bases RTS Instrumentation NUREG(s)- 1431 Only SR 3.3.1.10 Bases RTS Instrumentation NUREG(s)- 1431 Only SR 3.3.1.11 Bases RTS Instrumentation NUREG(s)- 1431 Only Bkgnd 3.3.2 Bases ESFAS Instrumentation NUREG(s)- 1431 Only S/A 3.3.2 Bases ESFAS Instrumentation NUREG(s)- 1431 Only 27-Jan-06 Traveler Rev. 3. Copyright (C) 2005, EXCEL Services Corporation. Use by EXCEL Services associates, utility clients, and the U.S. Nuclear Regulatory Commission is granted. All other use without written permission is prohibited.

BWROG-107, Rev. 0 TSTF-493, Rev. 0 LCO 3.3.2 ESFAS Instrumentation NUREG(s)- 1431 Only Change

Description:

Table 3.3.2-1 SR 3.3.2 Bases ESFAS Instrumentation NUREG(s)- 1431 Only SR 3.3.2.5 Bases ESFAS Instrumentation NUREG(s)- 1431 Only SR 3.3.2.9 Bases ESFAS Instrumentation NUREG(s)- 1431 Only Bkgnd 3.3.1 Bases RPS Instrumentation - Operating (Analog) NUREG(s)- 1432 Only Bkgnd 3.3.1 Bases RPS Instrumentation - Operating (Digital)) NUREG(s)- 1432 Only S/A 3.3.1 Bases RPS Instrumentation - Operating (Analog) NUREG(s)- 1432 Only S/A 3.3.1 Bases RPS Instrumentation - Operating (Digital)) NUREG(s)- 1432 Only LCO 3.3.1 RPS Instrumentation - Operating (Analog) NUREG(s)- 1432 Only Change

Description:

Table 3.3.1-1 LCO 3.3.1 RPS Instrumentation - Operating (Digital)) NUREG(s)- 1432 Only Change

Description:

Table 3.3.1-1 LCO 3.3.1 Bases RPS Instrumentation - Operating (Analog) NUREG(s)- 1432 Only LCO 3.3.1 Bases RPS Instrumentation - Operating (Digital)) NUREG(s)- 1432 Only Action 3.3.1 Bases RPS Instrumentation - Operating (Digital)) NUREG(s)- 1432 Only SR 3.3.1 Bases RPS Instrumentation - Operating (Analog) NUREG(s)- 1432 Only SR 3.3.1 Bases RPS Instrumentation - Operating (Digital)) NUREG(s)- 1432 Only SR 3.3.1.4 Bases RPS Instrumentation - Operating (Analog) NUREG(s)- 1432 Only SR 3.3.1.5 Bases RPS Instrumentation - Operating (Analog) NUREG(s)- 1432 Only SR 3.3.1.7 Bases RPS Instrumentation - Operating (Digital)) NUREG(s)- 1432 Only SR 3.3.1.8 Bases RPS Instrumentation - Operating (Analog) NUREG(s)- 1432 Only SR 3.3.1.8 Bases RPS Instrumentation - Operating (Digital)) NUREG(s)- 1432 Only SR 3.3.1.10 Bases RPS Instrumentation - Operating (Digital)) NUREG(s)- 1432 Only Bkgnd 3.3.4 Bases ESFAS Instrumentation (Analog) NUREG(s)- 1432 Only LCO 3.3.4 ESFAS Instrumentation (Analog) NUREG(s)- 1432 Only Change

Description:

Table 3.3.5-1 LCO 3.3.4 Bases ESFAS Instrumentation (Analog) NUREG(s)- 1432 Only Action 3.3.4 Bases ESFAS Instrumentation (Analog) NUREG(s)- 1432 Only 27-Jan-06 Traveler Rev. 3. Copyright (C) 2005, EXCEL Services Corporation. Use by EXCEL Services associates, utility clients, and the U.S. Nuclear Regulatory Commission is granted. All other use without written permission is prohibited.

BWROG-107, Rev. 0 TSTF-493, Rev. 0 SR 3.3.4 Bases ESFAS Instrumentation (Analog) NUREG(s)- 1432 Only SR 3.3.4.1 Bases ESFAS Instrumentation (Analog) NUREG(s)- 1432 Only SR 3.3.4.2 Bases ESFAS Instrumentation (Analog) NUREG(s)- 1432 Only SR 3.3.4.4 Bases ESFAS Instrumentation (Analog) NUREG(s)- 1432 Only Bkgnd 3.3.5 Bases ESFAS Instrumentation (Digital) NUREG(s)- 1432 Only LCO 3.3.5 ESFAS Instrumentation (Digital) NUREG(s)- 1432 Only Change

Description:

Table 3.3.5-1 LCO 3.3.5 Bases ESFAS Instrumentation (Digital) NUREG(s)- 1432 Only Action 3.3.5 Bases ESFAS Instrumentation (Digital) NUREG(s)- 1432 Only SR 3.3.5 Bases ESFAS Instrumentation (Digital) NUREG(s)- 1432 Only SR 3.3.5.2 Bases ESFAS Instrumentation (Digital) NUREG(s)- 1432 Only SR 3.3.5.3 Bases ESFAS Instrumentation (Digital) NUREG(s)- 1432 Only Bkgnd 3.3.1.1 Bases RPS Instrumentation NUREG(s)- 1433 Only S/A 3.3.1.1 Bases RPS Instrumentation NUREG(s)- 1433 Only LCO 3.3.1.1 RPS Instrumentation NUREG(s)- 1433 Only Change

Description:

Table 3.3.1.1-1 SR 3.3.1.1 Bases RPS Instrumentation NUREG(s)- 1433 Only SR 3.3.1.1.8 Bases RPS Instrumentation NUREG(s)- 1433 Only SR 3.3.1.1.9 Bases RPS Instrumentation NUREG(s)- 1433 Only Bkgnd 3.3.1.1 Bases RPS Instrumentation NUREG(s)- 1434 Only S/A 3.3.1.1 Bases RPS Instrumentation NUREG(s)- 1434 Only LCO 3.3.1.1 RPS Instrumentation NUREG(s)- 1434 Only Change

Description:

Table 3.3.1.1-1 SR 3.3.1.1 Bases RPS Instrumentation NUREG(s)- 1434 Only SR 3.3.1.1.8 RPS Instrumentation NUREG(s)- 1434 Only SR 3.3.1.1.9 Bases RPS Instrumentation NUREG(s)- 1434 Only 27-Jan-06 Traveler Rev. 3. Copyright (C) 2005, EXCEL Services Corporation. Use by EXCEL Services associates, utility clients, and the U.S. Nuclear Regulatory Commission is granted. All other use without written permission is prohibited.

TSTF-493, Rev. 0 1.0 Description The proposed change revises the Surveillance Requirements on the reactor trip and engineered safety features (ESF) instrumentation to address NRC concerns that the technical specification requirements for Limiting Safety System Settings (LSSS) may not be fully in compliance with the intent of 10 CFR 50.36. While the industry does not agree with the NRC's position, this Traveler represents a compromise agreement to address the NRC's concerns.

2.0 Proposed Change The proposed change revises the Improved Standard Technical Specifications (ISTS) NUREGs as described below.

The reactor trip and ESF instrumentation specifications in NUREG-1430, -1432, -1433, and

-1434 (B&W, CE, BWR/4 and BWR/6 NSSS designs) specify the Allowable Value. This is referred to as the "single column" format. The following specifications are affected:

NUREG-1430 (B&W) 3.3.1, Reactor Protection System (RPS) Instrumentation 3.3.5, Engineered Safety Feature Actuation System (ESFAS) Instrumentation NUREG-1432 (CE) 3.3.1, Reactor Protective System (RPS) Instrumentation - Operating (Analog) 3.3.4, Engineered Safety Features Actuation System (ESFAS) Instrumentation (Analog) 3.3.1, Reactor Protective System (RPS) Instrumentation - Operating (Digital) 3.3.5, Engineered Safety Features Actuation System (ESFAS) Instrumentation (Digital)

NUREG-1433 (BWR/4) 3.3.1.1, Reactor Protection System (RPS) Instrumentation NUREG-1434 (BWR/6) 3.3.1.1, Reactor Protection System (RPS) Instrumentation The Reactor Trip System (RTS) and ESFAS Specifications in NUREG-1431 (Westinghouse NSSS design) specify the Allowable Value and, optionally, the Trip Setpoint. This is referred to as the "multiple column" format. The following specifications are affected:

NUREG-1431 (Westinghouse) 3.3.1, Reactor Trip System (RTS) Instrumentation 3.3.2, Engineered Safety Feature Actuation System (ESFAS) Instrumentation For the above specifications, two Notes are added to the Surveillance Requirements for an example Function in the Surveillance Requirements column in the specification's Function table.

(If the Function table does not have a Surveillance Requirements column, the Notes are added to the Allowable Value column.) The actual Functions and Specifications to which the Notes apply will vary by plant. In plant-specific applications, the Notes are added only to those Functions determined by the licensee to be a Limiting Safety System Setting that protects Safety Limits associated with the fuel and reactor coolant system integrity. The Notes are only applied to those Functions that provide the primary protection assumed in the Safety Analysis Page 1

TSTF-493, Rev. 0 The two Notes are:

Note 1: If the as-found channel setpoint is conservative with respect to the Allowable Value but outside its predefined as-found tolerance, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service.

Note 2: The instrument channel setpoint shall be reset to a value that is within the as-left tolerance of the [Limiting Trip Setpoint] or of a value that is more conservative than the

[Limiting Trip Setpoint]; otherwise, the channel shall be declared inoperable. The

[Limiting Trip Setpoint] and the methodology used to determine the as-found tolerance and the as-left tolerance are specified in a document controlled under 10 CFR 50.59.

In NUREG-1431, which has a [Limiting Trip Setpoint (LTSP)] Column, the last sentence of Note 2 may not be required and is bracketed in Insert 3, which applies to NUREG-1431. If the [LTSP]

is specified in the Technical Specifications, any change to the [LTSP] requires prior NRC review and approval. As a result, it is not necessary for the methodology to be specified in a document controlled under 10 CFR 50.59.

The Notes are added to the CHANNEL CALIBRATION Surveillance Requirements and surveillances that verify the setpoint of trip units in NUREG-1433 and NUREG-1434, CHANNEL CALIBRATIONS, CHANNEL OPERATIONAL TESTS, and TRIP ACTUATING DEVICE OPERATIONAL TESTS in NUREG-1431, and CHANNEL CALIBRATIONS and CHANNEL FUNCTIONAL TESTS in NUREG-1432 and NUREG-1430.

The Bases are revised to indicate that the [LTSP] is the Limiting Safety System Setting and that the Allowable Value defines the limit of OPERABILITY as the least conservative value that the

[LTSP] can have during testing. The Bases are also revised to require that the [LTSP] and the methodology for calculating the as-left and as-found tolerances be documented in a document controlled under 10 CFR 50.59, such as the UFSAR.

The requirement for the LSSS to be in the Technical Specifications is met by specifying that the Allowable Value in the Specifications is the least conservative value that the [LTSP] can have during testing along with requiring that the [LTSP] and the methodology for determining the as-found and as-left tolerances must be in a document controlled under 10 CFR 50.59, such as the UFSAR.

The TS will specify that the [LTSP] and the methodology for determining the as-found and as-left tolerances must be in a document controlled under 10 CFR 50.59. The Bases use the bracketed phrase, "[a document controlled under 10 CFR 50.59]" and the licensee will insert the name of the plant-specific document that contains the information. Placing the name of the document directly in the TS was considered but was not adopted because 1) placing the name of the document in the TS would confuse whether the document was incorporated by reference and controlled under 10 CFR 50.90, 2) would prevent licensees from exercising appropriate control of the document's title and location of the information under 10 CFR 50.59, 3) is consistent with the ITS format and content rules, and 4) prevents the need to expend unnecessary licensee and NRC resources to revise the TS should the document name change.

There is another plant specific presentation for plants whose Technical Specifications contain both the [Nominal Trip Setpoint] and the Allowable Value. Notes 1 and 2 may be added to the

[Nominal Trip Setpoint] column heading in the specification's Function table. For single column plants (including Westinghouse NSSS plants that use the single column format), Notes 1 and 2 Page 2

TSTF-493, Rev. 0 may be added to the Allowable Value column heading. This format applies the restrictions in Notes 1 and 2 to all Functions, regardless of whether the Functions are LSSS Functions.

3.0 Background

The reactor trip system initiates a reactor trip or scram when selected unit parameters exceed limiting values in order to prevent violation of the reactor fuel and reactor coolant system (RCS) design limits. The reactor fuel and RCS design limits are determined considering a range of Anticipated Operational Occurrences (AOOs). The ESF instrumentation systems initiate plant safety systems when selected unit parameters exceed limiting values in order to prevent violation of the reactor fuel and RCS design limits and to mitigate accidents.

The reactor trip system and ESF instrumentation have been designed to assure safe operation of the reactor. This is achieved by specifying LSSS in terms of parameters directly monitored by the reactor trip system, as well as specifying Limiting Conditions for Operation (LCOs) on other plant parameters and equipment.

10 CFR 50.36(c)(1) states:

(1) Safety limits, limiting safety system settings, and limiting control settings. (i)(A) Safety limits for nuclear reactors are limits upon important process variables that are found to be necessary to reasonably protect the integrity of certain of the physical barriers that guard against the uncontrolled release of radioactivity. If any safety limit is exceeded, the reactor must be shut down. ...

(ii)(A) Limiting safety system settings for nuclear reactors are settings for automatic protective devices related to those variables having significant safety functions. Where a limiting safety system setting is specified for a variable on which a safety limit has been placed, the setting must be so chosen that automatic protective action will correct the abnormal situation before a safety limit is exceeded. If, during operation, it is determined that the automatic safety system does not function as required, the licensee shall take appropriate action, which may include shutting down the reactor. ...

The transient analysis calculations model AOOs to determine the plant parameter limits that must not be exceeded in order to ensure the reactor fuel and RCS safety limits are not exceeded and that transients are mitigated. These analysis assumptions are called the "analytical limits."

The "Allowable Value" is more conservative than the analytical limit to account for all known channel and process errors that can not be confirmed during Surveillance testing. If during testing, the actual instrumentation point of actuation is less conservative than the Allowable Value, the channel is inoperable.

The "Trip Setpoint" is more conservative than the Allowable Value and is the value to which the instrument channel is adjusted to actuate during periodic testing and adjustment. It is impossible to set a physical instrument channel to an exact value, so a calibration tolerance is established around the trip setpoint. Therefore, the trip setpoint is considered a nominal value and the instrument adjustment is considered successful if the as-left instrument actuation point is within the calibration tolerance (a range of values around the nominal trip setpoint).

Page 3

TSTF-493, Rev. 0 The [LTSP] is the Analytical Limit minus the Total Loop Uncertainty.

The Total Loop Uncertainty is the appropriate combination of all known error terms for the channel instruments.

The Nominal Trip Setpoint (NTSP) is the Analytical Limit minus the Total Loop Uncertainty with margin added to the Total Loop Uncertainty. The NTSP is always equal to or more conservative than the LTSP. The term LTSP is bracketed throughout the proposed changes so that plants may use the NTSP instead of the LTSP.

In September 2002, during review of a plant-specific license amendment request, the NRC expressed a concern that the Allowable Values calculated using the industry standard ISA-S67.04-1994 Part II "Methodologies for the Determination of Setpoints for Nuclear Safety-Related Instrumentation" could be non-conservative depending upon the evaluation of instrument performance history and the as-left requirements of the calibration procedures. In the intervening period, the industry and the NRC have worked together to develop requirements that will ensure that instrument channels will actuate as assumed in the accident analysis. The complete history is described in Appendix A.

The NRC determined that seven concepts needed to be addressed to ensure the instrument channels will function as required. These are addressed in this Traveler as follows:

1. The [LTSP] must be calculated consistent with the plant-specific methodology. The [LTSP]

is the expected value for the trip. The as-left and as-found values may be less conservative than the [LTSP] by predefined tolerances (which were factored into the trip setpoint calculation). This concept will be contained in the revised Bases discussion, and a Note will be added to the Technical Specifications to allow for as-found and as-left values less conservative than the LTSP.

2. The as-found trip setpoint must be verified to be within predefined double-sided limits that are based on the actual expected errors between calibrations. Finding the as-found trip setpoint outside these limits warrants additional evaluation and potential corrective action, as necessary, to ensure continued performance of the specified safety function. Normally, the as-found tolerance will be equivalent to the errors verified during the surveillance (e.g.

setting tolerance, drift, and measurement and test equipment (M&TE) accuracy/errors). The methodology for calculating the as-found tolerance will be contained in a document controlled under 10 CFR 50.59, such as the UFSAR. The requirement to find the trip setpoint (during required surveillance testing) within the predefined limits will be added in a Note to the Technical Specifications.

3. The Nominal Trip Setpoint must be reset or left within the as-left tolerance at the end of every surveillance that requires setpoint verification. The ability to reset the setpoint represents continued confidence that the channel can perform its intended safety function.

The requirement to reset the channel to within the as-left tolerance will be added in a Note to the Technical Specifications. The methodology for calculating the as-left tolerance will be contained in a document controlled under 10 CFR 50.59. The first three concepts are combined into the two proposed Notes to be added to the Specifications.

4. The Nominal Trip Setpoint may be set more conservative than the LTSP. If the Nominal Trip Setpoint is set more conservative than the LTSP, the as-found and as-left tolerances will be Page 4

TSTF-493, Rev. 0 maintained around the more conservative Nominal Trip Setpoint. This clarification will be added in a discussion in the Bases.

5. The Allowable Value (defined as the least conservative as-found surveillance value) defines the maximum possible value for process measurement at which the Analytical Limit is protected. The Allowable Value verifies that the Analytical Limit and Safety Limit are still protected at the time of the surveillance. Since OPERABILITY of the instrument channel is determined at the time of the surveillance performance, the fact that the tested trip point occurred conservative to the Allowable Value ensures that at that point in time the channel would have functioned to protect the Analytical Limit and is OPERABLE. With the implementation of these concepts, calculation of the Allowable Value using any of the ISA S67.04 Part II methods is acceptable. The Allowable Value will be documented in the Technical Specifications. This is in accordance with the normal rules of the Improved Standard Technical Specifications and is consistent with current practices.

6. For those Westinghouse NSSS plants whose plant-specific Technical Specifications contain Allowable Value and Nominal Trip Setpoint columns, the Trip Setpoint identified in the Technical Specifications is expected to be the [LTSP] for the channel. This does not require a change to the Technical Specifications. This point is clarified in the Bases.

7. When a channels as-found value is conservative to the Allowable Value but outside the as-found tolerance, the channel may be degraded and may not conform to the assumptions in the design basis calculation. Prior to returning the channel to service, there shall be a determination utilizing available information to ensure that the channel can perform as expected. For example, this determination may include an evaluation of magnitude of change per unit time, response of instrument for reset, previous history, etc., to provide confidence that the channel will perform its specified safety function. This determination, combined with resetting the trip setpoint to within the as-left tolerance, permits the channel to be returned to service.

The revised Bases also require that when a channels as-found value is outside the as-found tolerance, the degraded instrument must be entered into the licensees corrective action program. The corrective action program evaluation is expected to be performed promptly to validate the determination that was performed prior to returning the channel to service and to confirm that the channel is OPERABLE and performing as expected. The licensees corrective action program will be used to track or trend degraded but OPERABLE instruments.

4.0 Technical Analysis There are two Notes added to the Technical Specifications to address the concepts defined above.

Note 1 states:

If the as-found channel setpoint is conservative with respect to the Allowable Value but outside its predefined as-found tolerance, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service.

Setpoint calculations determine a [LTSP] based on protection of the Analytical Limit (AL) which ensures that trips will occur prior to the process parameter exceeding the Safety Limit as required by values used in the Safety Analysis calculations. These setpoint calculations usually Page 5

TSTF-493, Rev. 0 also calculate a limit of change expected (as-found tolerance) between performance of the surveillance tests that confirm the trip setpoint value. The least conservative value of the setpoint expected during testing is defined as the Allowable Value. Finding a plant setting less conservative than the Allowable Value (AV) indicates that there may not be sufficient margin to the AL to protect the Safety Limit. Current Channel Calibration, Trip Unit Calibration, COT, and TADOT (with setpoint verification) surveillance tests verify that the instrument channel trip is conservative to the AV. When the measured as-found setpoint is non-conservative with respect to the AV, the channel is inoperable.

Verification that the trip setting is conservative to the AV when a Surveillance is performed does not necessarily verify proper operation of the channel instruments in the future. When channel performance is outside the performance predicted by the plant setpoint calculations, the design basis for the channel may not be met, and proper operation of the channel at a future time of demand is not assured. Note 1 will formalize the establishment of an as-found tolerance for each appropriate channel. This as-found tolerance will exist around the [LTSP] or around any more conservative setpoint that the plant chooses to implement. The tolerance will ensure that channel operation is consistent with the assumptions or design inputs used in the setpoint calculations and that there is a high confidence of future acceptable channel performance.

Since the tolerance will be two sided, changes in channel performance that are conservative with respect to the AV will also be detected and evaluated for impact on expected performance.

Implementation of this change will require calculation of an as-found tolerance. Many plants currently use a two sided as-found tolerance in the procedures that verify the setpoint. This same two sided allowance may be sufficient to satisfy Note 1. However, the as-found tolerance must be small enough to detect abnormal channel performance conditions. Whether the measured setpoint is within the as-found tolerance is determined by calculating the difference between the current as-found value and the Nominal Trip Setpoint. Another alternative is to determine the difference between the current as-found setpoint and the as-left value from the previous surveillance. The methodology used must be stated in the document controlled under 10 CFR 50.59 as described above.

Note 2 states:

The instrument channel setpoint shall be reset to a value that is within the as-left tolerance of the [Limiting Trip Setpoint] or of a value that is more conservative than the

[Limiting Trip Setpoint]; otherwise, the channel shall be declared inoperable. The

[Limiting Trip Setpoint] and the methodology used to determine the as-found tolerance and the as-left tolerance are specified in a document controlled under 10 CFR 50.59.

Setpoint calculations assume that the plant setpoint is left at the [LTSP] within a specific as-left tolerance (e.g. 25 psig + 2 psig). A tolerance is necessary because no device perfectly measures the process. Additionally, it is not possible to read and adjust a setting to an absolute value due to the readability and/or accuracy of the test instruments or the ability to adjust potentiometers. The as-left tolerance is normally as small as possible considering the tools and ALARA concerns of the calibration. The as-left tolerance is always considered in the setpoint calculation. Failure to set the actual plant trip setpoint to the [LTSP] (or more conservative than the [LTSP]), and within the as-left tolerance, would invalidate the assumptions in the setpoint calculation because any subsequent instrument drift would not start from the expected as-left setpoint.

Page 6

TSTF-493, Rev. 0 The NRC is concerned that some plants may have used as-left tolerances much larger than necessary for proper reading and adjustment of the channels. In this situation, the large tolerances could prevent or mask detection of instrument degradation or failure. However, large as-left tolerances do have the advantage of minimizing the times that a channel must be adjusted, and provide a true indication of long term instrument performance if trended using as-found minus as-left techniques.

Implementation of this change may require recalculation of the as-left tolerance for some channels to ensure that realistic values are used that do not mask instrument performance.

For technical specifications with an [LTSP] column (as shown in NUREG-1431), the last sentence of Note 2 is bracketed and may not need to be included. If the [LTSP] is specified in the Technical Specifications, any change to the [LTSP] requires prior NRC review and approval.

As a result, it is not necessary for the methodology to be specified in a document controlled under 10 CFR 50.59.

The following changes are made to the Bases.

The term " [Limiting Trip Setpoint]" is added as generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59, such as the UFSAR. Where additional margin is added between the Analytical Limit and trip setpoint the standard terminology of Nominal Trip Setpoint should be used. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint, but for the purpose of Technical Specifications compliance with 10 CFR 50.36, the plant-specific setpoint term for the [Limiting Trip Setpoint] must be contained in a document controlled under 10 CFR 50.59, such as the UFSAR. The brackets indicate plant-specific terms may be substituted.

The [LTSP] is defined as the Limiting Safety System Setting in accordance with 10 CFR 50.36.

The requirement that the LSSS be in the Technical Specifications is satisfied by the Allowable Value in single column format ITS, combined with the requirement for the [LTSP] and the methodology for the as-found and as-left tolerances being contained in the UFSAR or another document controlled by 10 CFR 50.59. Since the Allowable Value is the least conservative value that the setpoint can have during surveillance testing, this is also the OPERABILITY limit.

In the Applicable Safety Analysis, LCO, and Applicability sections of the Bases, a statement is added to identify each LSSS function as defined in 10 CFR 50.36.

A statement is also added to the Surveillance Requirements section of the Bases to discuss the Notes added to the Technical Specifications tables.

In several of the NUREGs, the ESF instrumentation Bases are changed to add discussions similar to the reactor trip system Bases discussion describing the use of [LTSP] and Allowable Values. These changes are made to provide consistent discussions for each revised Technical Specification.

Page 7

TSTF-493, Rev. 0 Scope of Applicability:

Licensees may apply Notes 1 and 2 to all Functions in the affected specifications or selectively apply the Notes only to the surveillances applied to those Functions that are LSSS. The LSSS definition encompasses only those functions which directly protect the Safety Limits for the reactor core and for Reactor Coolant System pressure.

This change applies to those Functions considered to be an LSSS protecting a Safety Limit in accordance with 10 CFR 50.36. This selection varies on a plant-specific basis. The Notes are not applied to non-LSSS Functions or to LSSS Functions which are not trendable for drift.

Mechanical devices such as limit switches, float switches, and proximity detectors are not calibrated in the traditional sense and do not have as-left or as-found conditions that would indicate drift of the component setpoint. These devices are considered not trendable and the Notes are not required to be applied to Functions that utilize these devices.

An example Function is defined as an LSSS for each affected Specification:

NUREG-1430 (B&W) 3.3.1, Reactor Protection System (RPS) Instrumentation

1. Nuclear Overpower -

a. High Setpoint 3.3.5, Engineered Safety Feature Actuation System (ESFAS) Instrumentation

1. Reactor Coolant System Pressure - Low Setpoint NUREG-1431 (Westinghouse) 3.3.1, Reactor Trip System (RTS) Instrumentation

2. Power Range Neutron Flux

a. High 3.3.2, Engineered Safety Feature Actuation System (ESFAS) Instrumentation

1. Safety Injection

c. Containment Pressure - High 1 NUREG-1432 (CE) 3.3.1, Reactor Protective System (RPS) Instrumentation - Operating (Analog)

1. Variable High Power Trip 3.3.4, Engineered Safety Features Actuation System (ESFAS) Instrumentation (Analog)

1. Safety Injection Actuation Signal (SIAS)

a. Containment Pressure - High 3.3.1, Reactor Protective System (RPS) Instrumentation - Operating (Digital)

1. Linear Power Level - High 3.3.5, Engineered Safety Features Actuation System (ESFAS) Instrumentation (Digital)

1. Safety Injection Actuation Signal

a. Containment Pressure - High Page 8

TSTF-493, Rev. 0 NUREG-1433 (BWR/4) 3.3.1.1, Reactor Protection System (RPS) Instrumentation

2. Average Power Range Monitors

c. Fixed Neutron Flux - High NUREG-1434 (BWR/6) 3.3.1.1, Reactor Protection System (RPS) Instrumentation

2. Average Power Range Monitors

c. Fixed Neutron Flux - High Definition of LSSS:

The Technical Specifications Bases previously defined the Allowable Value as representing the LSSS in the Specifications since this is the value that verified that the Analytical Limit is protected during surveillance testing. However, it has been determined that the [LTSP] is the LSSS since calculation of the [LTSP] considers all known errors and the appropriate combination of these errors. This setting ensures that the Safety Limit is protected. The Allowable Value may still be the only value included in the Technical Specifications to indicate the maximum value that the LSSS may have during testing. However, the [LTSP] and the methodologies used to calculate the as-left and as-found tolerances must be contained in a document controlled under 10 CFR 50.59, such as the UFSAR.

The Bases are revised to indicate that the [LTSP] is the LSSS in accordance with 10 CFR 50.36. The [LTSP] is not required to be used or identified in the Specifications. However, if the

[LTSP] is not used or identified in the Specifications, the [LTSP] must be documented in a document controlled under 10 CFR 50.59, such as the UFSAR. Additionally, to ensure proper use of the Allowable Value, Nominal Trip Setpoints and actual plant trip setpoints, the methodology for calculating the as-left and as-found tolerances, as discussed above, must also be included in a document controlled under 10 CFR 50.59, such as the UFSAR. It is acceptable to document the [LTSP] and the methodologies in other documents controlled under 10 CFR 50.59. Licensee's adopting this change must commit to the incorporation of this information into a document controlled under 10 CFR 50.59, such as the UFSAR.

Reviewer's Notes are added to the Bases indicating that the term "Limiting Trip Setpoint" may be replaced by a plant specific term in the Specifications and in the Bases. In cases in which additional margin is added between the Analytical Limit and the trip setpoint, the term "Nominal Trip Setpoint" is preferred. In cases in which no additional margin is added, the preferred term is "Limiting Trip Setpoint."

The Bases state that a determination of the functionality of the instrument must be performed prior to returning the channel to service (within the capabilities of the technician performing the testing) when the channel is found conservative with respect to the Allowable Value but outside the predefined tolerance (as-found tolerance). This determination will consider whether the instrument is degraded or capable of being reset and performing its specified safety function. If the channel is determined to be performing as expected (i.e., the channel can be adjusted to within the as-left tolerance and is determined to be functioning normally based on the determination performed prior to returning the channel to service), the licensee must also perform an independent prompt verification of instrument functionality.

During the process of verification of the setpoint there are three possible results. First, the setpoint is found within the as-left tolerance; the results are recorded in the procedure and, from Page 9

TSTF-493, Rev. 0 the Technical Specification perspective, no further actions are required. Second, the setpoint is found non-conservative to the Allowable Value; the channel is inoperable until the setpoint is reset to the [Limiting Trip Setpoint] (within the as-left tolerance), and evaluations necessary to return the channel to service are completed. Third, the setpoint is found conservative to the Allowable Value but outside the as-found tolerance. In this case the setpoint is reset to the

[LTSP] and the channel's response evaluated. If the channel is operating as expected, the channel can be restored to service at the completion of the surveillance. A prompt verification of the channels condition will be performed after the surveillance. After the surveillance is completed, the channel's as-found condition will be entered into the Corrective Action Program for further evaluation. If the channel is not operating as expected, the channel is inoperable.

5.0 Regulatory Analysis 5.1 No Significant Hazards Consideration The TSTF has evaluated whether or not a significant hazards consideration is involved with the proposed generic change by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of amendment," as discussed below:

1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed change revises and clarifies the requirements for instrumentation to ensure the instrumentation will actuate as assumed in the accident analysis. As a result, the proposed change will not increase the probability of an accident previously evaluated as the change will ensure the instruments act in the manner assumed in the previous evaluations.

The proposed change will not increase the consequences of an accident previously evaluated as the change will ensure the instruments act in the manner assumed in the previous evaluations.

Therefore, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

No new or different accidents result from utilizing the proposed change. The change does not involve a physical alteration of the plant (i.e., no new or different type of equipment will be installed) or a change in the methods governing normal plant operation. In addition, the change does not impose any new or different requirements. The change does not alter assumptions made in the safety analysis. The proposed change is consistent with the safety analysis assumptions.

Therefore, the proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.

Page 10

TSTF-493, Rev. 0

3. Does the proposed change involve a significant reduction in a margin of safety?

Response: No.

The proposed change revises and clarifies the requirements for instrumentation to ensure the instrumentation will actuate as assumed in the accident analysis. No change is made to the accident analysis assumptions and no margin of safety is reduced as part of this change.

Therefore, the proposed change does not involve a significant reduction in a margin of safety.

Based on the above, the TSTF concludes that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of "no significant hazards consideration" is justified.

5.2 Applicable Regulatory Requirements/Criteria Title 10 of the Code of Federal Regulations, Part 50.36, requires plant Technical Specifications to contain LSSS that automatically actuate to protect the plant safety limits. The proposed change revises and clarifies the Technical Specifications to ensure this requirement is met.

In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commissions regulations, and (3) the approval of the proposed change will not be inimical to the common defense and security or to the health and safety of the public.

6.0 Environmental Consideration A review has determined that the proposed change would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20, or would change an inspection or surveillance requirement. However, the proposed change does not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluents that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the proposed change meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed change.

7.0 References

1. 10 CFR 50.55a(h), "Protection and Safety Systems"

2. ANSI/IEEE Std 279, "Criteria for Protection Systems for Nuclear Power Generating Stations"

3. 10 CFR 50 Appendix B, Criterion XI, "Test Control," and XII, "Control of Measuring and Test Equipment" Page 11

TSTF-493, Rev. 0

4. 10 CFR 50 Appendix A, General Design Criterion (GDC) 13, "Instrumentation and Control"

5. 10 CFR 50 Appendix A, GDC 20, "Protection System Functions"

6. 10 CFR 50.36(c)(1)(ii)(A), "Technical Specifications, LSSS requirements"

7. Reg. Guide 1.105, "Instrument Setpoints for Safety Systems," Rev. 2

8. Draft Reg. Guide DG-1045, proposed revision 3 to Reg. Guide 1.105, "Instrument Setpoints for Safety Systems"

9. ISA-S67.04 Part I, "Setpoints for Nuclear Safety-Related Instrumentation Used in Nuclear Power Plants"

10. ISA-S67.04, Part II, Methodologies for the Determination of Setpoints for Nuclear Safety-Related Instrumentation"

11. Regulatory Guide 1.153, "Criteria for Power, Instrumentation, and Control Portions of Safety Systems"

12. IEEE Std 603, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations" Page 12

TSTF-493, Rev. 0 INSERTS INSERT 1:

If the as-found channel setpoint is conservative with respect to the Allowable Value but outside its predefined as-found tolerance, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service.

INSERT 2:

The instrument channel setpoint shall be reset to a value that is within the as-left tolerance of the [Limiting Trip Setpoint] or of a value that is more conservative than the [Limiting Trip Setpoint]; otherwise, the channel shall be declared inoperable. The [Limiting Trip Setpoint] and the methodology used to determine the as-found tolerance and the as-left tolerance are specified in a document controlled under 10 CFR 50.59.

INSERT 3:

The instrument channel setpoint shall be reset to a value that is within the as-left tolerance of the [Limiting Trip Setpoint] or of a value that is more conservative than the [Limiting Trip Setpoint]; otherwise, the channel shall be declared inoperable. [The [Limiting Trip Setpoint] and the methodology used to determine the as-found tolerance and the as-left tolerance are specified in a document controlled under 10 CFR 50.59.]

Page 13

TSTF-493, Rev. 0 RPS Instrumentation 3.3.1 Table 3.3.1-1 (page 1 of 2)

Reactor Protection System Instrumentation APPLICABLE CONDITIONS MODES OR REFERENCED OTHER FROM SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE FUNCTION CONDITIONS ACTION C.1 REQUIREMENTS VALUE

1. Nuclear Overpower -

a. High Setpoint 1,2(a),3(db) D SR 3.3.1.1 [104.9]% RTP SR 3.3.1.2 SR 3.3.1.4[(c) (d)]

SR 3.3.1.5[(c) (d)]

SR 3.3.1.6

b. Low Setpoint 2(be),3(be) E SR 3.3.1.1 5% RTP SR 3.3.1.4 4(be),5(be) SR 3.3.1.5 SR 3.3.1.6

2. RCS High Outlet 1,2 D SR 3.3.1.1 [618]°F Temperature SR 3.3.1.4 SR 3.3.1.5

3. RCS High Pressure 1,2(a),3(bd) D SR 3.3.1.1 [2355] psig SR 3.3.1.4 SR 3.3.1.5 SR 3.3.1.6

4. RCS Low Pressure 1,2(a) D SR 3.3.1.1 [1800] psig SR 3.3.1.4 SR 3.3.1.5 SR 3.3.1.6

5. RCS Variable Low Pressure 1,2(a) D SR 3.3.1.1 ([11.59]

Tout -

SR 3.3.1.4 [5037.8]) psig SR 3.3.1.5

6. Reactor Building High 1,2,3(fc) D SR 3.3.1.1 [4] psig Pressure SR 3.3.1.4 SR 3.3.1.5 (a) When not in shutdown bypass operation.

(b) With any CRD trip breaker in the closed position, the CRD System capable of rod withdrawal, and not in shutdown bypass operation.

(c) [INSERT 1]

(d) [INSERT 2]

(be) During shutdown bypass operation with any CRD trip breaker in the closed position and the CRD System capable of rod withdrawal.

BWOG STS 3.3.1-4 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation 3.3.1 (cf) With any CRD trip breaker in the closed position and the CRD System capable of rod withdrawal.

(d) With any CRD trip breaker in the closed position, the CRD System capable of rod withdrawal, and not in shutdown bypass operation.

BWOG STS 3.3.1-5 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation 3.3.1 Table 3.3.1-1 (page 2 of 2)

Reactor Protection System Instrumentation APPLICABLE CONDITIONS MODES OR REFERENCED OTHER FROM SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE FUNCTION CONDITIONS ACTION C.1 REQUIREMENTS VALUE

7. Reactor Coolant Pump to 1,2(a) D SR 3.3.1.1 [5]% RTP with 2 pumps Power SR 3.3.1.4 operating SR 3.3.1.5 SR 3.3.1.6

8. Nuclear Overpower RCS 1,2(a) D SR 3.3.1.1 Nuclear Overpower RCS Flow and Measured AXIAL SR 3.3.1.3 Flow and AXIAL POWER POWER IMBALANCE SR 3.3.1.4 IMBALANCE setpoint SR 3.3.1.5 envelope in COLR SR 3.3.1.6

9. Main Turbine Trip (Control [45]% RTP F SR 3.3.1.1 [45] psig Oil Pressure) SR 3.3.1.4 SR 3.3.1.5

10. Loss of Main Feedwater [15]% RTP G SR 3.3.1.1 [55] psig Pumps (Control Oil SR 3.3.1.4 Pressure) SR 3.3.1.5

11. Shutdown Bypass RCS High 2(eb),3(be),4(be) E SR 3.3.1.1 [1720] psig Pressure 5(be) SR 3.3.1.4 SR 3.3.1.5 (a) When not in shutdown bypass operation.

(be) During shutdown bypass operation with any CRD trip breakers in the closed position and the CRD System capable of rod withdrawal.

BWOG STS 3.3.1-6 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation 3.3.5 Table 3.3.5-1 (page 1 of 1)

Engineered Safety Feature Actuation System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED ALLOWABLE PARAMETER CONDITIONS VALUE

1. Reactor Coolant System Pressure - Low [1800] psig [1600] psig[(a) (b)]

Setpoint (HPI Actuation, RB Isolation, RB Cooling, EDG Start)

2. Reactor Coolant System Pressure - Low Low [900] psig [400] psig Setpoint (HPI Actuation, LPI Actuation, RB Isolation, RB Cooling)

3. Reactor Building (RB) Pressure - High 1,2,3,4 [5] psig Setpoint (HPI Actuation, LPI Actuation, RB Isolation, RB Cooling)

4. Reactor Building Pressure - High High 1,2,3,4 [30] psig Setpoint (RB Spray Actuation)

(a) [INSERT 1]

(b) [INSERT 2]

BWOG STS 3.3.5-4 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protection System (RPS) Instrumentation BASES BACKGROUND The RPS initiates a reactor trip to protect against violating the core fuel design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Feature (ESF)

Systems in mitigating accidents.

The protection and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as the LCOs on other reactor system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The AnalyticAnalytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the AnalyticAnalytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the AnalyticAnalytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

REVIEWER'S NOTE ------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in [a document controlled under 10 CFR 50.59]. The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. Where margin is added between the Analytical Limit and trip setpoint, the standard terminology of Nominal Trip Setpoint (NTSP) should be used. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint, but for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting Trip Setpoint must be cited in Note d of Table 3.3.1-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. In some cases, replacing the LTSP with NTSP will also require the revision of the relationship discussion for Allowable Value (AV).

BWOG STS B 3.3.1-1 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1 Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contains the [LTSP] values and the methodology for calculating the as-left and as-found tolerances for the phrase "[a document controlled under 10 CFR 50.59]" throughout these Bases.

The [trip setpointLimiting Trip Setpoint (LTSP)] is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the AnalyticAnalytical Limit and thus ensuring that the SL would not be exceeded. As such, the [trip setpointLTSP]

accounts for uncertainties in setting the device (e.g., calibration),

uncertainties in how the device might actually perform (e.g., repeatability),

changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the [LTSP]trip setpoint ensuresplays an important role in ensuring that SLs are not exceeded. As such, the trip setpoint[LTSP] meets the definition of an LSSS (Ref. 1). and could be used to meet the requirement that they be contained in the Technical Specifications. If the setting of the protective device does not protect a Safety Limit, the [LTSP] is not an LSSS.

BWOG STS B 3.3.1-2 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." For automatic protective devices, the required safety function is to ensure that a SL is not exceeded and therefore the LSSS as defined by 10 CFR 50.36 is the same as the OPERABILITY limit for these devices. However, use of the [LTSP]trip setpoint to define OPERABILITY in Technical Specifications and its corresponding designation as the LSSS required by 10 CFR 50.36 would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protective device setting during a Surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the trip setpoint[LTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [LTSP]trip setpoint and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the trip setpoint[LTSP] to account for further drift during the next surveillance interval.

Use of the [LTSP] trip setpoint to define "as-found" OPERABILITY and its designation as the LSSS under the expected circumstances described above would result in actions required by both the rule and Technical Specifications that are clearly not warranted. However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value which, as stated above, is the least conservative value for the LSSS during testing. For LSSS functions, the actual [LTSP] value and the methodology for calculating the as-left and as-found tolerances will be maintained in [a document controlled under 10 CFR 50.59].

The Allowable Value specified in Table 3.3.1-1 serves asis the least conservative value that the [LTSP] ( LSSS) can have when tested such that a channel is OPERABLE if the trip setpoint[LTSP] is found conservative with respect tonot to exceed the Allowable Value during the CHANNEL FUNCTIONAL TEST (CFT). As such, the Allowable Value differs from the trip setpoint by an amount primarily equal to the expected instrument loop uncertainties, BWOG STS B 3.3.1-3 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

As such, the Allowable Value differs from the [trip setpointLTSP] by an amount primarily [greater than or] equal to the expected instrument loop channel uncertainties,suchuncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will still meet the LSSS definition and ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the [LTSP] must be left adjusted to a value within the established [LTSP] as-left tolerance, in accordance with uncertainty assumptions (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria). If the actual setting of the device is found to have exceededbe non-conservative with respect to the Allowable Value, the device would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint should be left adjusted to a value within the established trip setpoint calibration tolerance band, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

During AOOs, which are those events expected to occur one or more times during the unit's life, the acceptable limits are:

a. The departure from nucleate boiling ratio (DNBR) shall be maintained above the SL value,

b. Fuel centerline melt shall not occur, and

c. The RCS pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 20 and 10 CFR 100 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit's life. The acceptable limit during accidents is that the offsite dose shall be maintained within 10 CFR 100 limits. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However, these values and their associated [LTSPs] are not considered to be LSSS as defined in 10 CFR 50.36.

BWOG STS B 3.3.1-4 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

However, the unit is also depressurized as coolant temperature is decreased. If the safety rods are withdrawn and coolant pressure is decreased, an RCS Low Pressure trip will occur at 1800 psig and the rods will fall into the core. To avoid this, the protection system allows the operator to bypass the low pressure trip and maintain shutdown capabilities. During the cooldown and depressurization, the safety rods are inserted prior to the low pressure trip of 1800 psig. The RCS pressure is decreased to less than 1720 psig, then each RPS channel is placed in shutdown bypass.

In shutdown bypass, a normally closed contact opens and the operator closes the shutdown bypass key switch. This action bypasses the RCS Low Pressure trip, Nuclear Overpower RCS Flow and Measured AXIAL POWER IMBALANCE trip, Reactor Coolant Pump to Power trip, and the RCS Variable Low Pressure trip, and inserts a new RCS High Pressure, 1720 psig trip. The operator can now withdraw the safety rods for additional SDM.

The insertion of the new high pressure trip performs two functions. First, with a trip setpoint[LTSP] of 1720 psig, the bistable prevents operation at normal system pressure, 2155 psig, with a portion of the RPS bypassed.

The second function is to ensure that the bypass is removed prior to normal operation. When the RCS pressure is increased during a unit heatup, the safety rods are inserted prior to reaching 1720 psig. The shutdown bypass is removed, which returns the RPS to normal, and system pressure is increased to greater than 1800 psig. The safety rods are then withdrawn and remain at the full out condition for the rest of the heatup.

In addition to the Shutdown Bypass RCS High Pressure trip, the high flux trip setpoint[LTSP] is administratively reduced to 5% RTP while the RPS is in shutdown bypass. This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows low temperature physics testing while preventing the generation of any significant amount of power.

Module Interlock and Test Trip Relay Each channel and each trip module is capable of being individually tested. When a module is placed into the test mode, it causes the test trip relay to open and to indicate an RPS channel trip. Under normal conditions, the channel to be tested is placed in bypass before a module is tested.

BWOG STS B 3.3.1-10 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

[Limiting Trip Setpoints]/Allowable Value The trip setpoints[Limiting Trip Setpoints] are the normal values at which the bistables are set. Any bistable is considered to be properly adjusted when the "as-left" value is within the band for CHANNEL CALIBRATION accuracy (i.e., +/- [rack calibration + comparator setting accuracy]).

The [LTSPstrip setpoints us] used in the bistables are based on the analytical limits stated in FSAR, Chapter [14] (Ref. 3). The selection of these trip setpoint[LTSPs]s is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 4), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoint[LTSPs]s, including their explicit uncertainties, is provided in "[Unit Specific Setpoint Methodology]" (Ref. 5). The actual nominal trip setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. One example of such a change in measurement error is drift during the Surveillance Frequency.

A channel is inoperable if its actual trip setpoint is nonnot within conservative with respect to its required Allowable Value.

[Limiting Trip Setpoints] in accordance with the Allowable Value ensure that the limits of Chapter 2.0, "Safety Limits," in the Technical Specifications are not violated during AOOs and that the consequences of DBAs will be acceptable, providing the unit is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed. Note that in LCO 3.3.1 the Allowable Values listed in Table 3.3.1-1 are the least conservative value for the LSSS during CHANNEL FUNCTIONAL TESTING.

Each channel can be tested online to verify that the signal and setpoint

[LTSP] accuracy are within the specified allowance requirements of Reference 5. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. Surveillances for the channels are specified in the SR section.

BWOG STS B 3.3.1-11 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

The Allowable Values listed in Table 3.3.1-1 are based on the methodology described in "[Unit Specific Setpoint Methodology]" (Ref. 5),

which incorporates all of the known uncertainties applicable for each channel. The magnitudes of those uncertainties are factored into the determination of each trip setpoint[LTSP]. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes.

APPLICABLE Each of the analyzed accidents and transients can be detected by one SAFETY or more RPS Functions. The accident analysis contained in Reference 6 ANALYSES, LCO, takes credit for most RPS trip Functions. Functions not specifically and APPLICABILITY credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions are high RB pressure, high temperature, turbine trip, and loss of main feedwater. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions also serve as backups to Functions that were credited in the safety analysis.

The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. The four channels of each Function in Table 3.3.1-1 of the RPS instrumentation shall be OPERABLE during its specified Applicability to ensure that a reactor trip will be actuated if needed. Additionally, during shutdown bypass with any CRD trip breaker closed, the applicable RPS Functions must also be available. This ensures the capability to trip the withdrawn CONTROL RODS exists at all times that rod motion is possible. The trip Function channels specified in Table 3.3.1-1 are considered OPERABLE when all channel components necessary to provide a reactor trip are functional and in service for the required MODE or Other Specified Condition listed in Table 3.3.1-1.

Required Actions allow maintenance (protection channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel bypass. Bypass effectively places the unit in a two-out-of-three logic configuration that can still initiate a reactor trip, even with a single failure within the system.

BWOG STS B 3.3.1-12 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the unit specific setpoint calculations . The [LTSP] and the methodologies for calculation of the as-left and as-found tolerances are described in [a document controlled under 10 CFR 50.59]. The nominal setpoints[LTSPs] are selected to ensure that the setpoint[LTSP] measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint[LTSP], but conservative with respect to within its Allowable Value, is acceptable provided that operation and testing are consistent with the assumptions of the unit specific setpoint calculations and the as found setpoint is within the as-found tolerance. Each Allowable Value specified is more conservative than instrument uncertainties appropriate to the trip Function. These uncertainties are defined in the "[Unit Specific Setpoint Methodology]" (Ref. 5).

For most RPS Functions, the trip setpoint[LTSP] Allowable Value is to ensure that the departure from nucleate boiling (DNB) or RCS pressure SLs are not challenged. Cycle specific figures for use during operation are contained in the COLR.

Certain RPS trips function to indirectly protect the SLs by detecting specific conditions that do not immediately challenge SLs but will eventually lead to challenge if no action is taken. These trips function to minimize the unit transients caused by the specific conditions. The Allowable Value for these Functions is selected at the minimum deviation from normal values that will indicate the condition, without risking spurious trips due to normal fluctuations in the measured parameter.

These Allowable Values and their associated [LTSPs] are not considered to be LSSS as defined in 10 CFR 50.36.

The Allowable Values for bypass removal Functions are stated in the Applicable MODE or Other Specified Condition column of Table 3.3.1-1.

The safety analyses applicable to each RPS Function are discussed next.

1. Nuclear Overpower

a. Nuclear Overpower - High Setpoint The Nuclear Overpower - High Setpoint trip provides protection for the design thermal overpower condition based on the measured out of core fast neutron leakage flux.

BWOG STS B 3.3.1-13 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The Nuclear Overpower - High Setpoint trip initiates a reactor trip when the neutron power reaches a predefined setpoint [LTSP] at the design overpower limit. Because THERMAL POWER lags the neutron power, tripping when the neutron power reaches the design overpower will limit THERMAL POWER to a maximum value of the design overpower. Thus, the Nuclear Overpower -

High Setpoint trip protects against violation of the DNBR and fuel centerline melt SLs. However, the RCS Variable Low Pressure, and Nuclear Overpower RCS Flow and Measured AXIAL POWER IMBALANCE, provide more direct protection. The role of the Nuclear Overpower - High Setpoint trip is to limit reactor THERMAL POWER below the highest power at which the other two trips are known to provide protection.

The Nuclear Overpower - High Setpoint trip also provides transient protection for rapid positive reactivity excursions during power operations. These events include the rod withdrawal accident, the rod ejection accident, and the steam line break accident. By providing a trip during these events, the Nuclear Overpower - High Setpoint trip protects the unit from excessive power levels and also serves to reduce reactor power to prevent violation of the RCS pressure SL.

Rod withdrawal accident analyses cover a large spectrum of reactivity insertion rates (rod worths), which exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the high pressure trip provides primary protection.

The specified Allowable Value is selected to ensure that a trip occurs before reactor power exceeds the highest point at which the RCS Variable Low Pressure and the Nuclear Overpower RCS Flow and Measured AXIAL POWER IMBALANCE trips are analyzed to provide protection against DNB and fuel centerline melt. The Allowable Value does not account for harsh environment induced errors, because the trip will actuate prior to degraded environmental conditions being reached. [The Nuclear Overpower - High Setpoint Trip Function is credited in the safety analysis for protection during a thermal overpower event, and is therefore considered to be a LSSS as defined in 10 CFR 50.36.]

BWOG STS B 3.3.1-14 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

In MODE 3 when not operating in shutdown bypass but with any CRD trip breaker in the closed position and the CRD System capable of rod withdrawal, the Nuclear Overpower-High Setpoint trip and the RCS High Pressure trip are required to be OPERABLE.

Two other Functions are required to be OPERABLE during portions of MODE 1. These are the Main Turbine Trip (Control Oil Pressure) and the Loss of Main Feedwater Pumps (Control Oil Pressure) trip. These Functions are required to be OPERABLE above [45]% RTP and

[15]% RTP, respectively. Analyses presented in BAW-1893 (Ref. 8) have shown that for operation below these power levels, these trips are not necessary to minimize challenges to the PORVs as required by NUREG-0737 (Ref. 7).

Because the only safety function of the RPS is to trip the CONTROL RODS, the RPS is not required to be OPERABLE in MODE 3, 4, or 5 if the reactor trip breakers are open, or the CRD System is incapable of rod withdrawal. Similarly, the RPS is not required to be OPERABLE in MODE 6 when the CONTROL RODS are decoupled from the CRDs.

However, in MODE 2, 3, 4, or 5, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are required to be OPERABLE if the CRD trip breakers are closed and the CRD System is capable of rod withdrawal. Under these conditions, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are sufficient to prevent an approach to conditions that could challenge SLs.

ACTIONS Conditions A, B, and C are applicable to all RPS protection Functions. If a channel's trip setpoint[LTSP] is found nonconservativenon-conservative with respect to the required Allowable Value in Table 3.3.1-1, or the transmitter, instrument loop, signal processing electronics or bistable is found inoperable, the channel must be declared inoperable and Condition A or Conditions A and B entered immediately.

When the number of inoperable channels in a trip Function exceed those specified in the related Conditions associated with a trip Function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 must be immediately entered if applicable in the current MODE of operation.

BWOG STS B 3.3.1-23 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1 BASES ACTIONS (continued)

G.1 If the Required Action and associated Completion Time of Condition A or B are not met and Table 3.3.1-1 directs entry into Condition G, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < [15]% RTP. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach

[15]% RTP from full power conditions in an orderly manner without challenging plant systems.

SURVEILLANCE The SRs for each RPS Function are identified by the SRs column of REQUIREMENTS Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, CHANNEL CALIBRATION, and RPS RESPONSE TIME testing.

The SRs are modified by a Note. The [first] Note directs the reader to Table 3.3.1-1 to determine the correct SRs to perform for each RPS Function.

REVIEWERS NOTE-----------------------------------

The CHANNEL FUNCTIONAL TEST Frequencies are based on approved topical reports. For a licensee to use these times, the licensee must justify the Frequencies as required by the NRC Staff SER for the topical report.

REVIEWERS NOTE --------------------------------------

The Notes in Table 3.3.1-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with LSSS values. Therefore, the Notes may be placed at the top of the column in the Table and applied to all Functions, or the Notes may be applied to specific SRs in the SR column only.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL BWOG STS B 3.3.1-26 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Nuclear Instrumentation System (NIS) channel output is > [2]% RTP, the NIS is not declared inoperable but must be adjusted. If the NIS channel cannot be properly adjusted, the channel is declared inoperable. Note 2 clarifies that this Surveillance is required only if reactor power is 15% RTP and that 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are inaccurate.

The power range channel's output shall be adjusted consistent with the calorimetric results if the absolute difference between the calorimetric and the power range channel's output is > [2]% RTP. The value of [2]% is adequate because this value is assumed in the safety analyses of FSAR, Chapter [14] (Ref. 3). These checks and, if necessary, the adjustment of the power range channels ensure that channel accuracy is maintained within the analyzed error margins. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency is adequate, based on unit operating experience, which demonstrates the change in the difference between the power range indication and the calorimetric results rarely exceeds a small fraction of [2]% in any 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period.

Furthermore, the control room operators monitor redundant indications and alarms to detect deviations in channel outputs.

SR 3.3.1.3 A comparison of power range nuclear instrumentation channels against incore detectors shall be performed at a 31 day Frequency when reactor power is > 15% RTP. The SR is modified by two Notes. Note 2 clarifies that 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed for performing the first Surveillance after reaching 15% RTP. Note 1 states if the absolute difference between the power range and incore measurements is [2]% RTP, the power range channel is not inoperable, but an adjustment of the measured imbalance to agree with the incore measurements is necessary. If the power range channel cannot be properly recalibrated, the channel is declared inoperable. The calculation of the Allowable Value envelope assumes a difference in out of core to incore measurements of 2.5%. Additional inaccuracies beyond those that are measured are also included in the setpoint[LTSP] envelope calculation. The 31 day Frequency is adequate, considering that long term drift of the excore linear amplifiers is small and burnup of the detectors is slow. Also, the excore readings are a strong function of the power produced in the peripheral fuel bundles, and do not represent an integrated reading across the core. The slow changes in neutron flux during the fuel cycle can also be detected at this interval.

BWOG STS B 3.3.1-29 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.4 A CHANNEL FUNCTIONAL TEST is performed on each required RPS channel to ensure that the entire channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. Setpoints [LTSPs] must be found within the Allowable Values specified in Table 3.3.1-1. Any setpoint[LTSP] adjustment shall be consistent with the assumptions of the current unit specific setpoint analysis.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in BAW-10167 (Ref. 10).

The Frequency of [45] days on a STAGGERED TEST BASIS is consistent with the calculations of Reference 9 that indicate the RPS retains a high level of reliability for this test interval.

SR 3.3.1 4 for selected Functions is modified by two Notes as identified in Table 3.3.1-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. The second Note also requires that the [LTSP] and the BWOG STS B 3.3.1-30 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1 methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

SR 3.3.1.5 A Note to the Surveillance indicates that neutron detectors are excluded from CHANNEL CALIBRATION. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.

A CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that measurement errors and bistable setpoint[LTSP] errors are within the assumptions of the unit specific setpoint analysis. CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint analysis.

BWOG STS B 3.3.1-31 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

The Frequency is justified by the assumption of an [18] month calibration interval in the determination of the magnitude of equipment drift in the setpoint[LTSP] analysis.

SR 3.3.1.5 for selected Functions is modified by two Notes as identified in Table 3.3.1-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

SR 3.3.1.6 This SR verifies individual channel actuation response times are less than or equal to the maximum values assumed in the accident analysis.

Individual component response times are not modeled in the analyses.

The analyses model the overall, or total, elapsed time from the point at which the parameter exceeds the analytical limit at the sensor to the point of rod insertion. Response time testing acceptance criteria for this unit are included in Reference 2.

BWOG STS B 3.3.1-32 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation B 3.3.5 B 3.3 INSTRUMENTATION B 3.3.5 Engineered Safety Feature Actuation System (ESFAS) Instrumentation BASES BACKGROUND The ESFAS initiates necessary safety systems, based on the values of selected unit Parameters, to protect against violating core design limits and reactor coolant pressure boundary and to mitigate accidents. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the ESFAS, as well as LCOs on other system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded.

However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

REVIEWER'S NOTE ------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in [a document controlled under 10 CFR 50.59]. The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. Where margin is added between the Analytical Limit and trip setpoint, the standard terminology of Nominal Trip Setpoint (NTSP) should be used. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint, but for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting Trip Setpoint must be cited in Note b of Table 3.3.5-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. In some cases, replacing the LTSP with NTSP will also require the revision of the relationship discussion for Allowable Value (AV).

Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contains the [LTSP] values and the methodology for calculating the as-left and as-found tolerances for the phrase "[a document controlled under 10 CFR 50.59]" throughout these Bases.

BWOG STS B 3.3.5-1 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation B 3.3.5 The [Limiting Trip Setpoint( LTSP)] is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the [LTSP] accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the

[LTSP] ensures that SLs are not exceeded. As such, the [LTSP] meets the definition of an LSSS (Ref. 1). If the setting of the protective device does not protect a Safety Limit, the [LTSP] is not an LSSS.

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." However, use of the [LTSP] to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protective device setting during a Surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the [LTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [LTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the [LTSP] to account for further drift during the next surveillance interval.

Use of the [LTSP] to define "as-found" OPERABILITY under the expected circumstances described above would result in actions required by both the rule and Technical Specifications that are clearly not warranted.

However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value which is the least conservative value for the LSSS during testing. For LSSS functions, the actual [LTSP] value and the methodology for calculating the as-left and as-found tolerances will be maintained in [a document controlled under 10 CFR 50.59]. [].

The Allowable Value specified in Table 3.3.5-1 is the least conservative value that the [LTSP] ( LSSS) can have when tested such that a channel is OPERABLE if the [LTSP] is found conservative with respect to the BWOG STS B 3.3.5-2 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation B 3.3.5 Allowable Value during the CHANNEL FUNCTIONAL TEST (CFT). As such, the Allowable Value differs from the [LTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the [LTSP] must be left adjusted to a value within the established [LTSP] as-left tolerance, in accordance with uncertainty assumptions (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria). If the actual setting of the device is found to be non-conservative with respect to the Allowable Value, the device would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling,

Fuel centerline melting shall not occur, and

The Reactor Coolant System (RCS) pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 2) and 10 CFR 100 (Ref. 3) criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 (Ref. 3) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence.

Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However, these values and their associated LTSPs are not considered to be LSSS as defined in 10 CFR 50.36.

ESFAS actuates the following systems:

High pressure injection (HPI) Actuation,

Low pressure injection (LPI) Actuation, BWOG STS B 3.3.5-3 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation B 3.3.5 BASES BACKGROUND (continued)

[Limiting Trip Setpoints] and Allowable Values

[Limiting Trip setpoints (LTSPs)] are the nominal value at which the bistables are set. Any bistable is considered to be properly adjusted when the "as-left" value is within the band for CHANNEL CALIBRATION accuracy (i.e., +/- [rack calibration + comparator setting accuracy]).

The [LTSPs] trip setpoints used in the bistables are based on the analytical limits stated in Figure [ ], FSAR, Chapter [7] (Ref. 1). The selection of these [LTSPs]trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment induced errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 2), the Allowable Values specified in Table 3.3.5-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the [LTSPs]trip setpoints, including their explicit uncertainties, is provided in the "Unit Specific Setpoint Methodology" (Ref. 3). The actual nominal trip setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. One example of such a change in measurement error is drift during the surveillance interval. A channel is inoperable if its actual trip setpoint is not withinnon-conservative with respect to its required Allowable Value.

[Limiting Trip Setpoints], in accordance with the Allowable Values, ensure that the consequences of DBAs will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed. Note that in LCO 3.3.5 the Allowable Values listed in Table 3.3.5-1 are the least conservative value for the LSSS during CHANNEL FUNCTIONAL TESTING Each channel can be tested online to verify that the setpoint [LTSP]

accuracy is within the specified allowance requirements of Reference 3.

Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated.

BWOG STS B 3.3.5-9 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation B 3.3.5 BASES BACKGROUND (continued)

The Allowable Values listed in Table 3.3.5-1 are based on the methodology described in FSAR, Chapter [14] (Ref. 4), which incorporates all of the known uncertainties applicable for each channel.

The magnitudes of these uncertainties are factored into the determination of each trip setpoint[LTSP]. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes.

REVIEWERS NOTE-----------------------------------

The ESFAS LCOs in the BWOG Standard Technical Specifications are based on a system representative of the Crystal River Unit 3 design.

As discussed earlier, this arrangement involves measurement channels shared among all actuation functions, with separate actuation logic channels for each actuated component. In this arrangement, multiple components are affected by each instrumentation channel failure, but a single automatic actuation logic failure affects only one component. The organization of BWOG STS ESFAS LCOs reflects the described logic arrangement by identifying instrumentation requirements on an instrumentation channel rather than on a protective function basis. This greatly simplifies delineation of ESFAS LCOs. Furthermore, the LCO requirements on instrumentation channels, automatic actuation logics, and manual initiation are specified separately to reflect the different impact each has on ESFAS OPERABILITY.

APPLICABLE The following ESFAS Functions have been assumed within the accident SAFETY analyses.

ANALYSES High Pressure Injection The ESFAS actuation of HPI has been assumed for core cooling in the LOCA analysis and is credited with boron addition in the SLB analysis.

Low Pressure Injection The ESFAS actuation of LPI has been assumed for large break LOCAs.

BWOG STS B 3.3.5-10 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation B 3.3.5 BASES LCO (continued)

Only the Allowable Value is specified for each ESFAS Function in the LCO. Nominal trip setpoint[LTSPs] are specified in the unit specific setpoint calculations. The nominal trip setpoint[LTSPs] are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS do not exceed the Allowable Value if the bistable is performing as required.

Operation with a trip setpoint less conservative than the nominal trip setpoint[LTSP], but within its Allowable Value, is acceptable provided that operation and testing are consistent with the assumptions of the unit specific setpoint calculations and the LTSP is within the as-found tolerance. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis to account for instrument uncertainties appropriate to the trip Parameter. These uncertainties are defined in the "Unit Specific Setpoint Methodology" (Ref. 3).

The Allowable Values for bypass removal functions are stated in the Applicable MODES or Other Specified Condition column of Table 3.3.5-1.

Three ESFAS instrumentation channels shall be OPERABLE in each ESFAS train to ensure that a single failure in one channel will not result in loss of the ability to automatically actuate the required safety systems.

The bases for the LCO on ESFAS Parameters include the following.

Reactor Coolant System Pressure Three channels each of RCS Pressure - Low and RCS Pressure - Low Low are required OPERABLE in each train. Each channel includes a sensor, trip bistable, bypass bistable, bypass relays, output relays, and block timers. The analog portion of each pressure channel is common to both trains of both RCS Pressure Parameters. Therefore, failure of one analog channel renders one channel of the low pressure and low low pressure Functions in each train inoperable. The bistable portions of the channels are Function and train specific. Therefore, a bistable failure renders only one Function in one train inoperable. Failure of a bypass bistable or bypass circuitry, such that a trip channel cannot be bypassed, does not render the channel inoperable. Output relays and block timer relays are train specific but may be shared among Parameters.

Therefore, output or block timer relay failure renders all affected Functions in one train inoperable.

BWOG STS B 3.3.5-12 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation B 3.3.5 BASES LCO (continued)

1. Reactor Coolant System Pressure - Low Setpoint The RCS Pressure - Low Setpoint is based on HPI actuation for small break LOCAs. The setpoint ensures that the HPI will be actuated at a pressure greater than or equal to the value assumed in accident analyses plus the instrument uncertainties. The maximum value assumed for the setpoint of the RCS Pressure - Low trip of HPI in safety analyses is 1480 psig. The setpoint for the low RCS and Allowable Value of [1600] psig for the low pressure Parameter is selected to ensure actuation occurs when actual RCS pressure is above 1480 psig. The RCS Pressure instrumentation must function while subject to the severe environment created by a LOCA.

Therefore, the trip setpoint [LTSP] Allowable Value accounts for severe environment induced errors. [The RCS Pressure - Low Function is credited in the safety analysis for the protection for the DNBR SL, and is therefore considered to be a LSSS as defined in 10 CFR 50.36.]

To ensure the RCS Pressure - Low trip is not bypassed when required to be OPERABLE by the safety analysis, each channel's bypass removal bistable must be set with an Allowable Value of

[1800] psig. The bypass removal does not need to function for accidents initiated from RCS Pressures below the bypass removal setpoint. Therefore, the bypass removal setpoint Allowable Value need not account for severe environment induced errors.

2. Reactor Coolant System Pressure - Low Low Setpoint The RCS Pressure - Low Low Setpoint LPI actuation occurs in sufficient time to ensure LPI flow prior to the emptying of the core flood tanks during a large break LOCA. The Allowable Value of

[400] psig ensures sufficient overlap of the core flood tank flow and the LPI flow to keep the reactor vessel downcomer full during a large break LOCA. The RCS Pressure instrumentation must function while subject to the severe environment created by a LOCA. Therefore, the trip setpoint Allowable Value accounts for severe environment induced errors.

To ensure the RCS Pressure - Low Low trip is not bypassed when assumed OPERABLE by the safety analysis, each channel's bypass removal bistable must be set with an Allowable Value of [900] psig.

The bypass removal does not need to function for accidents initiated by RCS Pressure below the bypass removal setpoint. Therefore, the bypass removal setpoint Allowable Value need not account for severe environment induced errors.

BWOG STS B 3.3.5-13 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation B 3.3.5 BASES APPLICABILITY (continued)

In MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. Plant pressure and temperature are very low, and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

3. 4. Reactor Building Pressure - High and Reactor Building Pressure -

High High Setpoints The RB Pressure - High and RB Pressure - High High actuation Functions of ESFAS shall be OPERABLE in MODES 1, 2, 3, and 4 when the potential for a HELB exists. In MODES 5 and 6, the unit conditions are such that there is insufficient energy in the primary and secondary systems to raise the containment pressure to either the RB Pressure - High or RB Pressure - High High Setpoints.

Furthermore, in MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. Plant pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

ACTIONS Required Actions A and B apply to all ESFAS instrumentation Parameters listed in Table 3.3.5-1.

A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each Parameter.

If a channel's trip setpoint[LTSP] is found nonconservativenon-conservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or ESFAS bistable is found inoperable, then all affected functions provided by that channel should be declared inoperable and the unit must enter the Conditions for the particular protection Parameter affected.

When the number of inoperable channels in a trip Parameter exceeds those specified, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 shall be immediately entered if applicable in the current MODE of operation.

BWOG STS B 3.3.5-16 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation B 3.3.5 BASES ACTIONS (continued)

A.1 Condition A applies when one channel becomes inoperable in one or more Parameters. If one ESFAS channel is inoperable, placing it in a tripped condition leaves the system in a one-out-of-two condition for actuation. Thus, if another channel were to fail, the ESFAS instrumentation could still perform its actuation functions. This action is completed when all of the affected output relays and block timers are tripped. This can normally be accomplished by tripping the affected bistables or tripping the individual output relays and block timers. [At this unit, the specific output relays associated with each ESFAS instrumentation channel are listed in the following document:]

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is sufficient time to perform the Required Action.

B.1, B.2.1, B.2.2, and B.2.3 Condition B applies when Required Action A.1 is not met within the required Completion Time or when one or more parameters have more than one inoperable channel. If Condition B applies, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and, for the RCS Pressure - Low Setpoint, to < [1800] psig, for the RCS Pressure - Low Low Setpoint, to < [900] psig, and for the RB Pressure High Setpoint and High High Setpoint, to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE All ESFAS Parameters listed in Table 3.3.5-1 are subject to CHANNEL REQUIREMENTS CHECK, CHANNEL FUNCTIONAL TEST, CHANNEL CALIBRATION, and response time testing. The operational bypasses associated with each ESFAS instrumentation channel are also subject to these SRs to ensure OPERABILITY of the ESFAS instrumentation channel.

REVIEWERS NOTE --------------------------------------

The Notes in Table 3.3.5-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with LSSS values. Therefore, the Notes may be placed at the top of the column in the Table and applied to all Functions, or the Notes may be applied to specific Allowable Values in the Allowable Value column only.

BWOG STS B 3.3.5-17 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation B 3.3.5 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.5.1 Performance of the CHANNEL CHECK every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction. Off scale low current loop channels are verified to be reading at the bottom of the range and not failed downscale.

The Frequency, about once every shift, is based on operating experience that demonstrates channel failure is rare. Since the probability of two random failures in redundant channels in any 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel operability during normal operational use of the displays associated with the LCO's required channels.

SR 3.3.5.2 A Note defines a channel as being OPERABLE for up to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months while bypassed for Surveillance testing provided the remaining two ESFAS channels are OPERABLE or tripped. The Note allows channel bypass for testing without defining it as inoperable, although during this time period it cannot initiate ESFAS. This allowance is based on the inability to perform the Surveillance in the time permitted by the Required Actions. Eight hours is the average time required to perform the Surveillance. It is not acceptable to routinely remove channels from service for more than 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months to perform required Surveillance testing.

BWOG STS B 3.3.5-18 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation B 3.3.5 BASES SURVEILLANCE REQUIREMENTS (continued)

A CHANNEL FUNCTIONAL TEST is performed on each required ESFAS channel to ensure the entire channel will perform the intended functions.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. Any setpoint adjustment shall be consistent with the assumptions of the current unit specific setpoint analysis.

The Frequency of 31 days is based on unit operating experience, with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given function in any 31 day interval is a rare event.

SR 3.3.5 2 for selected Functions is modified by two Notes as identified in Table 3.3.5-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

SR 3.3.5.3 CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

BWOG STS B 3.3.5-19 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation B 3.3.5 CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that measurement errors and bistable setpoint errors are within the assumptions of the unit specific setpoint analysis. CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint analysis.

This Frequency is justified by the assumption of an [18] month calibration interval to determine the magnitude of equipment drift in the setpoint analysis.

SR 3.3.5.3 for selected Functions is modified by two Notes as identified in Table 3.3.5-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

SR 3.3.5.4 SR 3.3.5.4 ensures that the ESFAS actuation channel response times are less than or equal to the maximum times assumed in the accident analysis. The response time values are the maximum values assumed in the safety analyses. Individual component response times are not modeled in the analyses. Response time testing acceptance criteria for this unit are included in Reference 1. The analyses model the overall or total elapsed time from the point at which the parameter exceeds the BWOG STS B 3.3.5-20 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation 3.3.1 Table 3.3.1-1 (page 1 of 7)

Reactor Trip System Instrumentation APPLICABLE MODES OR OTHER [NOMINALLIMIT (lj)

SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE ING FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE TRIP SETPOINT]

1. Manual Reactor Trip 1,2 2 B SR 3.3.1.14 NA NA (a) (a) (a) 2 C SR 3.3.1.14 NA NA 3 ,4 ,5

2. Power Range Neutron Flux

a. High 1,2 4 D SR 3.3.1.1 [111.2]% RTP [109]% RTP SR 3.3.1.2 SR 3.3.1.7[(b)

(c)]

SR 3.3.1.11[(b)

(c)]

SR 3.3.1.16

b. Low (bd) 4 E SR 3.3.1.1 [27.2]% RTP [25]% RTP 1 ,2 SR 3.3.1.8 SR 3.3.1.11 SR 3.3.1.16

3. Power Range Neutron Flux Rate

a. High Positive 1,2 4 E SR 3.3.1.7 [6.8]% RTP [5]% RTP with Rate SR 3.3.1.11 with time time constant constant [2] sec

[2] sec

b. High Negative 1,2 4 E SR 3.3.1.7 [6.8]% RTP [5]% RTP with Rate SR 3.3.1.11 with time time constant SR 3.3.1.16 constant [2] sec

[2] sec

4. Intermediate Range (bd) (ce) 2 F,G SR 3.3.1.1 [31]% RTP [25]% RTP 1 ,2 Neutron Flux SR 3.3.1.8 SR 3.3.1.11 (a) With Rod Control System capable of rod withdrawal or one or more rods not fully inserted.

(b) [INSERT 1]

(c) [INSERT 3]

(bd) Below the P-10 (Power Range Neutron Flux) interlocks.

(ce) Above the P-6 (Intermediate Range Neutron Flux) interlocks.

REVIEWERS NOTE--------------------------------------------------------------------------------------

(jl) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by the unit.

WOG STS 3.3.1-15 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation 3.3.1 Table 3.3.1-1 (page 2 of 7)

Reactor Trip System Instrumentation APPLICABLE MODES OR OTHER [LIMITING (jl)

SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE NOMINAL FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE TRIP SETPOINT]

5. Source Range (df) 2 H,I SR 3.3.1.1 [1.4 E5] cps [1.0 E5] cps 2

Neutron Flux SR 3.3.1.8 SR 3.3.1.11 SR 3.3.1.16 (a) (a) (a) 2 I,J SR 3.3.1.1 [1.4 E5] cps [1.0 E5] cps 3 ,4 ,5 SR 3.3.1.7 SR 3.3.1.11 SR 3.3.1.16

6. Overtemperature T 1,2 [4] E SR 3.3.1.1 Refer to Refer to SR 3.3.1.3 Note 1 (Page Note 1 (Page SR 3.3.1.6 3.3.1-19) 3.3.1-19)

SR 3.3.1.7 SR 3.3.1.12 SR 3.3.1.16

7. Overpower T 1,2 [4] E SR 3.3.1.1 Refer to Refer to SR 3.3.1.7 Note 2 (Page Note 2 (Page SR 3.3.1.12 3.3.1-20) 3.3.1-20)

SR 3.3.1.16

8. Pressurizer Pressure (fh)

a. Low 1 [4] K SR 3.3.1.1 [1886] psig [1900] psig SR 3.3.1.7 SR 3.3.1.10 SR 3.3.1.16

b. High 1,2 [4] E SR 3.3.1.1 [2396] psig [2385] psig SR 3.3.1.7 SR 3.3.1.10 SR 3.3.1.16 (eg)

9. Pressurizer Water 1 3 K SR 3.3.1.1 [93.8]% [92]%

Level - High SR 3.3.1.7 SR 3.3.1.10 (fh)

10. Reactor Coolant 1 3 per loop K SR 3.3.1.1 [89.2]% [90]%

Flow - Low SR 3.3.1.7 SR 3.3.1.10 SR 3.3.1.16 (a) With Rod Control System capable of rod withdrawal or one or more rods not fully inserted.

(df) Below the P-6 (Intermediate Range Neutron Flux) interlocks.

(eg) Above the P-7 (Low Power Reactor Trips Block) interlock.

(fh) Above the P-8 (Power Range Neutron Flux) interlock.

REVIEWERS NOTE--------------------------------------------------------------------------------------

(jl) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by the unit.

WOG STS 3.3.1-16 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation 3.3.1 Table 3.3.1-1 (page 3 of 7)

Reactor Trip System Instrumentation APPLICABLE MODES OR OTHER [LIMITING (jl)

SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE NOMINAL FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE TRIP SETPOINT]

11. Reactor Coolant Pump (RCP) Breaker Position (fh)

a. Single Loop 1 1 per RCP L SR 3.3.1.14 NA NA (gi)

b. Two Loops 1 1 per RCP M SR 3.3.1.14 NA NA (eg)

12. Undervoltage RCPs 1 [3] per bus K SR 3.3.1.9 [4760] V [4830] V SR 3.3.1.10 SR 3.3.1.16 (eg)

13. Underfrequency 1 [3] per bus K SR 3.3.1.9 [57.1] Hz [57.5] Hz RCPs SR 3.3.1.10 SR 3.3.1.16

14. Steam Generator 1,2 [4 per SG] E SR 3.3.1.1 [30.4]% [32.3]%

(SG) Water Level - SR 3.3.1.7 Low Low SR 3.3.1.10 SR 3.3.1.16

15. SG Water Level - 1,2 2 per SG E SR 3.3.1.1 [30.4]% [32.3]%

Low SR 3.3.1.7 SR 3.3.1.10 SR 3.3.1.16 Coincident with 1,2 2 per SG E SR 3.3.1.1 [42.5]% full [40]% full Steam SR 3.3.1.7 steam flow at steam flow at Flow/Feedwater Flow SR 3.3.1.10 RTP RTP SR 3.3.1.16 Mismatch

16. Turbine Trip (hj)

a. Low Fluid Oil 1 3 N SR 3.3.1.10 [750] psig [800] psig Pressure SR 3.3.1.15 (hj)

b. Turbine Stop 1 4 N SR 3.3.1.10 [1]% open [1]% open Valve Closure SR 3.3.1.15 (eg) Above the P-7 (Low Power Reactor Trips Block) interlock.

(fh) Above the P-8 (Power Range Neutron Flux) interlock.

(gi) Above the P-7 (Low Power Reactor Trips Block) interlock and below the P-8 (Power Range Neutron Flux) Interlock (hj) Above the P-9 (Power Range Neutron Flux) interlock.

REVIEWERS NOTE--------------------------------------------------------------------------------------

(jl) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by the unit.

WOG STS 3.3.1-17 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation 3.3.1 Table 3.3.1-1 (page 4 of 7)

Reactor Trip System Instrumentation APPLICABLE MODES OR OTHER [LIMITING (jl)

SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE NOMINAL FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE TRIP SETPOINT]

17. Safety Injection (SI) 1,2 2 trains O SR 3.3.1.14 NA NA Input from Engineered Safety Feature Actuation System (ESFAS)

18. Reactor Trip System Interlocks (df)

a. Intermediate 2 2 Q SR 3.3.1.11 [6E-11] amp [1E-10] amp Range Neutron SR 3.3.1.13 Flux, P-6

b. Low Power 1 1 per train R SR 3.3.1.5 NA NA Reactor Trips Block, P-7

c. Power Range 1 4 R SR 3.3.1.11 [50.2]% RTP [48]% RTP Neutron Flux, SR 3.3.1.13 P-8

d. Power Range 1 4 R SR 3.3.1.11 [52.2]% RTP [50]% RTP Neutron Flux, SR 3.3.1.13 P-9

e. Power Range 1,2 4 Q SR 3.3.1.11 [7.8]% RTP [10]% RTP Neutron Flux, SR 3.3.1.13 and [12.2]%

P-10 RTP

f. Turbine Impulse 1 2 R [SR 3.3.1.1] [12.2]% 10]% turbine Pressure, P-13 SR 3.3.1.10 turbine power power SR 3.3.1.13

19. Reactor Trip (ik) 1,2 2 trains P SR 3.3.1.4 NA NA Breakers (RTBs)

(a) (a) (a) 3 ,4 ,5 2 trains C SR 3.3.1.4 NA NA (a) With Rod Control System capable of rod withdrawal or one or more rods not fully inserted.

(df) Below the P-6 (Intermediate Range Neutron Flux) interlocks.

(ik) Including any reactor trip bypass breakers that are racked in and closed for bypassing an RTB.

REVIEWERS NOTE--------------------------------------------------------------------------------------

(jl) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by the unit.

WOG STS 3.3.1-18 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation 3.3.1 Table 3.3.1-1 (page 5 of 7)

Reactor Trip System Instrumentation APPLICABLE MODES OR OTHER [LIMITING (jl)

SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE NOMINAL FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE TRIP SETPOINT]

20. Reactor Trip Breaker 1,2 1 each per S SR 3.3.1.4 NA NA Undervoltage and RTB Shunt Trip (a) (a) (a)

Mechanisms 3 ,4 ,5 1 each per C SR 3.3.1.4 NA NA RTB

21. Automatic Trip Logic 1,2 2 trains O SR 3.3.1.5 NA NA (a) (a) (a) 3 ,4 ,5 2 trains C SR 3.3.1.5 NA NA (a) With Rod Control System capable of rod withdrawal or one or more rods not fully inserted.

REVIEWERS NOTE--------------------------------------------------------------------------------------

(bd) With Rod Control System capable of rod withdrawal or one or more rods not fully inserted.

(jl) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by the unit.

WOG STS 3.3.1-19 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation 3.3.2 Table 3.3.2-1 (page 1 of 8)

Engineered Safety Feature Actuation System Instrumentation APPLICABLE MODES OR OTHER [LIMITING (jl)

SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE NOMINAL FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE TRIP SETPOINT]

1. Safety Injection

a. Manual Initiation 1,2,3,4 2 B SR 3.3.2.8 NA NA

b. Automatic 1,2,3,4 2 trains C SR 3.3.2.2 NA NA Actuation Logic SR 3.3.2.4 and Actuation SR 3.3.2.6 Relays

c. Containment 1,2,3 3 D SR 3.3.2.1 [3.86] psig [3.6] psig

[(a)

Pressure - SR 3.3.2.5 (b)]

High 1 SR 3.3.2.9 [(a)

(b)]

SR 3.3.2.10

d. Pressurizer (ac) [3] D SR 3.3.2.1 [1839] psig [1850] psig 1,2,3 Pressure - Low SR 3.3.2.5 SR 3.3.2.9 SR 3.3.2.10

e. Steam Line Pressure

[(ac)] (bd) (bd)

(1) Low 1,2,3 3 per D SR 3.3.2.1 [635] psig [675] psig steam line SR 3.3.2.5 SR 3.3.2.9 SR 3.3.2.10 (2) High 1,2,3 3 per D [SR 3.3.2.1] [106] psig [97] psig Differential steam line SR 3.3.2.5 Pressure SR 3.3.2.9 Between SR 3.3.2.10 Steam Lines (a) [INSERT 1]

(b) [INSERT 3]

(ac) Above the P-11 (Pressurizer Pressure) interlock.

(bd) Time constants used in the lead/lag controller are t1 [50] seconds and t2 [5] seconds.

REVIEWER'S NOTE---------------------------------------------------------------------

(jl) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by the unit.

WOG STS 3.3.2-9 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation 3.3.2 Table 3.3.2-1 (page 2 of 8)

Engineered Safety Feature Actuation System Instrumentation APPLICABLE MODES OR OTHER [LIMITING (jl)

SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE NOMINAL FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE TRIP SETPOINT]

1. Safety Injection (ce)

f. High Steam Flow 1,2,3 2 per D SR 3.3.2.1 (df) (eg) in Two Steam steam line SR 3.3.2.5 Lines SR 3.3.2.9 SR 3.3.2.10 (ce)

Coincident with 1,2,3 1 per loop D SR 3.3.2.1 [550.6]°F [553]°F Tavg - Low Low SR 3.3.2.5 SR 3.3.2.9 SR 3.3.2.10 (ce)

g. High Steam Flow 1,2,3 2 per D SR 3.3.2.1 (df) (eg) in Two Steam steam line SR 3.3.2.5 Lines SR 3.3.2.9 SR 3.3.2.10 (ce) (bd)

Coincident with 1,2,3 1 per D SR 3.3.2.1 [635] [675] psig Steam Line steam line SR 3.3.2.5 psig Pressure - Low SR 3.3.2.9 SR 3.3.2.10

2. Containment Spray

a. Manual Initiation 1,2,3,4 2 per train, B SR 3.3.2.8 NA NA 2 trains NA NA

b. Automatic 1,2,3,4 2 trains C SR 3.3.2.2 Actuation Logic SR 3.3.2.4 and Actuation SR 3.3.2.6 Relays

c. Containment 1,2,3 4 E SR 3.3.2.1 [12.31] psig [12.05] psig Pressure High - SR 3.3.2.5 3 (High High) SR 3.3.2.9 SR 3.3.2.10 (ce) Above the P-12 (Tavg - Low Low) interlock.

(df) Less than or equal to a function defined as P corresponding to [44]% full steam flow below [20]% load, and P increasing linearly from [44]% full steam flow at [20]% load to [114]% full steam flow at [100]% load, and P corresponding to [114]% full steam flow above 100% load.

(eg) Less than or equal to a function defined as P corresponding to [40]% full steam flow between [0]% and [20]% load and then a P increasing linearly from [40]% steam flow at [20]% load to [110]% full steam flow at [100]% load.

REVIEWER'S NOTE---------------------------------------------------------------------

(jl) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by the unit.

WOG STS 3.3.2-10 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation 3.3.2 Table 3.3.2-1 (page 3 of 8)

Engineered Safety Feature Actuation System Instrumentation APPLICABLE MODES OR OTHER [LIMITING (jl)

SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE NOMINAL FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE TRIP SETPOINT]

2. Containment Spray

d. Containment 1,2,3 [3] sets of E SR 3.3.2.1 [12.31] psig [12.05] psig Pressure High - [2] SR 3.3.2.5 3 (Two Loop SR 3.3.2.9 SR 3.3.2.10 Plants)

3. Containment Isolation

a. Phase A Isolation (1) Manual 1,2,3,4 2 B SR 3.3.2.8 NA NA Initiation (2) Automatic 1,2,3,4 2 trains C SR 3.3.2.2 NA NA Actuation Logic SR 3.3.2.4 and Actuation SR 3.3.2.6 Relays (3) Safety Injection Refer to Function 1 (Safety Injection) for all initiation functions and requirements.

b. Phase B Isolation (1) Manual 1,2,3,4 2 per train, B SR 3.3.2.8 NA NA Initiation 2 trains (2) Automatic 1,2,3,4 2 trains C SR 3.3.2.2 NA NA Actuation Logic SR 3.3.2.4 and Actuation SR 3.3.2.6 Relays (3) Containment 1,2,3 [4] E SR 3.3.2.1 [12.31] psig [12.05] psig Pressure High SR 3.3.2.5

- 3 (High High) SR 3.3.2.9 SR 3.3.2.10

REVIEWER'S NOTE---------------------------------------------------------------------

(jl) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by the unit.

WOG STS 3.3.2-11 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation 3.3.2 Table 3.3.2-1 (page 4 of 8)

Engineered Safety Feature Actuation System Instrumentation APPLICABLE MODES OR OTHER [LIMITING (jl)

SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE NOMINAL FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE TRIP SETPOINT]

4. Steam Line Isolation (hj) (hj)

a. Manual Initiation 1,2 ,3 2 F SR 3.3.2.8 NA NA (hj) (hj)

b. Automatic 1,2 ,3 2 trains G SR 3.3.2.2 NA NA Actuation Logic SR 3.3.2.4 and Actuation SR 3.3.2.6 Relays (hj) (hj)

c. Containment 1, 2 ,3 [4] D SR 3.3.2.1 [6.61] psig [6.35] psig Pressure - High SR 3.3.2.5 2 SR 3.3.2.9 SR 3.3.2.10

d. Steam Line Pressure (hj) (ac) (hj)

(1) Low 1, 2 ,3 3 per D SR 3.3.2.1 [635](bd) psig [675](bd) psig steam line SR 3.3.2.5 SR 3.3.2.9 SR 3.3.2.10 (fh) (hj)

(2) Negative Rate 3 3 per D SR 3.3.2.1 [121.6](gi) psi [110](gi) psi

- High steam line SR 3.3.2.5 SR 3.3.2.9 SR 3.3.2.10 (ac) Above the P-11 (Pressurizer Pressure) interlock.

(bd) Time constants used in the lead/lag controller are t1 [50] seconds and t2 [5] seconds.

(fh) Below the P-11 (Pressurizer Pressure) interlock.

(gi) Time constant utilized in the rate/lag controller is [50] seconds.

(hj) Except when all MSIVs are closed and [de-activated].

REVIEWER'S NOTE---------------------------------------------------------------------

(jl) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by the unit.

WOG STS 3.3.2-12 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation 3.3.2 Table 3.3.2-1 (page 5 of 8)

Engineered Safety Feature Actuation System Instrumentation APPLICABLE MODES OR OTHER [LIMITING (jl)

SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE NOMINAL FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE TRIP SETPOINT]

4. Steam Line Isolation (hj) (hj)

e. High Steam Flow 1, 2 ,3 2 per D SR 3.3.2.1 (df) (eg) in Two Steam steam line SR 3.3.2.5 Lines SR 3.3.2.9 SR 3.3.2.10 (hj) (ce) (hj)

Coincident with 1, 2 ,3 1 per loop D SR 3.3.2.1 [550.6]°F [553]°F Tavg - Low Low SR 3.3.2.5 SR 3.3.2.9 SR 3.3.2.10 (hj) (hj)

f. High Steam Flow 1, 2 ,3 2 per D SR 3.3.2.1 (df) (eg) in Two Steam steam line SR 3.3.2.5 Lines SR 3.3.2.9 SR 3.3.2.10 (hj) (hj)

Coincident with 1,2, 3 1 per D SR 3.3.2.1 [635](bd) psig [675](bd) psig Steam Line steam line SR 3.3.2.5 Pressure - Low SR 3.3.2.9 SR 3.3.2.10 (hj) (hj)

g. High Steam Flow 1,2 ,3 2 per D SR 3.3.2.1 [25]% of full [ ] full steam steam line SR 3.3.2.5 steam flow at no flow at no SR 3.3.2.9 load steam load steam SR 3.3.2.10 pressure pressure Coincident with Refer to Function 1 (Safety Injection) for all initiation functions and requirements.

Safety Injection and (hj) (ce) (hj)

Coincident with 1,2 ,3 [2] per D SR 3.3.2.1 [550.6]°F [553]°F Tavg - Low Low loop SR 3.3.2.5 SR 3.3.2.9 SR 3.3.2.10 (bd) Time constants used in the lead/lag controller are t1 [50] seconds and t2 [5] seconds.

(ce) Above the P-12 (Tavg - Low Low) interlock.

(df) Less than or equal to a function defined as P corresponding to [44]% full steam flow below [20]% load, P increasing linearly from [44]% full steam flow at [20]% load to [114]% full steam flow at [100]% load, and P corresponding to [114]% full steam flow above 100% load.

(eg) Less than or equal to a function defined as P corresponding to [40]% full steam flow between [0]% and [20]% load and then a P increasing linearly from [40]% steam flow at [20]% load to [110]% full steam flow at [100]% load.

(hj) Except when all MSIVs are closed and [de-activated].

REVIEWER'S NOTE---------------------------------------------------------------------

(jl) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by the unit.

WOG STS 3.3.2-13 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation 3.3.2 Table 3.3.2-1 (page 6 of 8)

Engineered Safety Feature Actuation System Instrumentation APPLICABLE MODES OR OTHER [LIMITING (jl)

SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE NOMINAL FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE TRIP SETPOINT]

4. Steam Line Isolation (hj) (hj)

h. High High Steam 1,2 ,3 2 per D SR 3.3.2.1 [130]% of full [ ] of full steam Flow steam line SR 3.3.2.5 steam flow at full flow at full SR 3.3.2.9 load steam load steam SR 3.3.2.10 pressure pressure Coincident with Refer to Function 1 (Safety Injection) for all initiation functions and requirements.

Safety Injection

5. Turbine Trip and Feedwater Isolation (ik) (ik)

a. Automatic 1, 2 , [3] 2 trains H[G] SR 3.3.2.2 NA NA Actuation Logic SR 3.3.2.4 and Actuation SR 3.3.2.6 Relays (ik) (ik)

b. SG Water Level - 1,2 ,[3] [3] per SG I[D] SR 3.3.2.1 [84.2]% [82.4]%

High High (P-14) SR 3.3.2.5 SR 3.3.2.9 SR 3.3.2.10

c. Safety Injection Refer to Function 1 (Safety Injection) for all initiation functions and requirements.

6. Auxiliary Feedwater

a. Automatic 1,2,3 2 trains G SR 3.3.2.2 NA NA Actuation Logic SR 3.3.2.4 and Actuation SR 3.3.2.6 Relays (Solid State Protection System)

b. Automatic 1,2,3 2 trains G SR 3.3.2.3 NA NA Actuation Logic and Actuation Relays (Balance of Plant ESFAS)

(hj) Except when all MSIVs are closed and [de-activated].

(ik) Except when all MFIVs, MFRVs, [and associated bypass valves] are closed and [de-activated] [or isolated by a closed manual valve].

REVIEWER'S NOTE---------------------------------------------------------------------

(jl) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by the unit.

WOG STS 3.3.2-14 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation 3.3.2 Table 3.3.2-1 (page 7 of 8)

Engineered Safety Feature Actuation System Instrumentation APPLICABLE MODES OR OTHER [LIMITING (jl)

SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE NOMINAL FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE TRIP SETPOINT]

6. Auxiliary Feedwater

c. SG Water Level - 1,2,3 [3] per SG D SR 3.3.2.1 [30.4]% [32.2]%

Low Low SR 3.3.2.5 SR 3.3.2.9 SR 3.3.2.10

d. Safety Injection Refer to Function 1 (Safety Injection) for all initiation functions and requirements.

e. Loss of Offsite 1,2,3 3] per bus F SR 3.3.2.7 [2912] V with [2975] V with Power SR 3.3.2.9 0.8 sec time 0.8 sec time SR 3.3.2.10 delay delay

f. Undervoltage 1,2 [3] per bus I SR 3.3.2.7 [69]% bus [70]% bus Reactor Coolant SR 3.3.2.9 voltage voltage Pump SR 3.3.2.10

g. Trip of all Main 1,2 [2] per J SR 3.3.2.8 [ ] psig [ ] psig Feedwater pump SR 3.3.2.9 Pumps SR 3.3.2.10

h. Auxiliary 1,2,3 [2] F SR 3.3.2.1 [20.53] [psia] [ ] [psia]

Feedwater Pump SR 3.3.2.7 Suction Transfer SR 3.3.2.9 on Suction Pressure - Low

7. Automatic Switchover to Containment Sump

a. Automatic 1,2,3,4 2 trains C SR 3.3.2.2 NA NA Actuation Logic SR 3.3.2.4 and Actuation SR 3.3.2.6 Relays

b. Refueling Water 1,2,3,4 4 K SR 3.3.2.1 [15]% and [ ]% and [ ]%

Storage Tank SR 3.3.2.5 [ ]%

(RWST) Level - SR 3.3.2.9 SR 3.3.2.10 Low Low Coincident with Refer to Function 1 (Safety Injection) for all initiation functions and requirements.

Safety Injection

REVIEWER'S NOTE---------------------------------------------------------------------

(jl) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by the unit.

WOG STS 3.3.2-15 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation 3.3.2 Table 3.3.2-1 (page 8 of 8)

Engineered Safety Feature Actuation System Instrumentation APPLICABLE MODES OR OTHER [LIMITING (jl)

SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE NOMINAL FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE TRIP SETPOINT]

7. Automatic Switchover to Containment Sump

c. RWST Level - 1,2,3,4 4 K SR 3.3.2.1 [15]% [18]%

Low Low SR 3.3.2.5 SR 3.3.2.9 SR 3.3.2.10 Coincident with Refer to Function 1 (Safety Injection) for all initiation functions and requirements.

Safety Injection and Coincident with 1,2,3,4 4 K SR 3.3.2.1 [30] in. above [ ] in. above Containment SR 3.3.2.5 el. [703] ft el. [ ]ft Sump Level - SR 3.3.2.9 SR 3.3.2.10 High

8. ESFAS Interlocks

a. Reactor Trip, P-4 1,2,3 1 per train, F SR 3.3.2.11 NA NA 2 trains

b. Pressurizer 1,2,3 3 L SR 3.3.2.1 [1996] psig [ ] psig Pressure, P-11 SR 3.3.2.5 SR 3.3.2.9

c. Tavg - Low Low, 1,2,3 [1] per L SR 3.3.2.1 [550.6]°F [553]° F P-12 loop SR 3.3.2.5 SR 3.3.2.9

REVIEWER'S NOTE---------------------------------------------------------------------

(jl) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by the unit.

WOG STS 3.3.2-16 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Trip System (RTS) Instrumentation BASES BACKGROUND The RTS initiates a unit shutdown, based on the values of selected unit parameters, to protect against violating the core fuel design limits and Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and to assist the Engineered Safety Features (ESF) Systems in mitigating accidents.

The protection and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective action will correct the abnormal situation before a Safety Limit (SL) is exceeded." The AnalyticAnalytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the AnalyticAnalytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the AnalyticAnalytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

REVIEWER'S NOTE ------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in [a document controlled under 10 CFR 50.59]. The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. Where margin is added between the Analytical Limit and trip setpoint, the standard terminology of Nominal Trip Setpoint (NTSP) should be used. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint. Where the

[LTSP] is not documented in a column in Table 3.3.1-1 for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting Trip Setpoint must be cited in Note c of Table 3.3.1-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. In some cases, replacing the LTSP with NTSP will also require the revision of the relationship discussion for Allowable Value (AV).

WOG STS B 3.3.1-1 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contains the [LTSP] values and the methodology for calculating the as-left and as-found tolerances for the phrase "[a document controlled under 10 CFR 50.59]" throughout these Bases.

The trip setpoint [Limiting Trip Setpoint (LTSP)] is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the trip setpoint [LTSP] accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the

[LTSP] trip setpoint plays an important role in ensuring ensures that SLs are not exceeded. As such, the [LTSP] trip setpoint meets the definition of an LSSS (Ref. 1) and could be used to meet the requirement that they be contained in the Technical Specifications. If the setting of the protective device does not protect a Safety Limit, the LTSP is not an LSSS.

BASES BACKGROUND (continued)

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety functions(s)." For automatic protective devices, the required safety function is to ensure that a SL is not exceeded and therefore the LSSS as defined by 10 CFR 50.36 is the same as the OPERABILITY limit for these devices. However, use of the trip setpoint[LTSP] to define OPERABILITY in Technical Specifications and its corresponding designation as the LSSS required by 10 CFR 50.36 would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as -found" value of a protective device setting during a surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the trip setpoint[LTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the trip setpoint[LTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as -found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the trip setpoint[LTSP] to account for further drift during the next surveillance interval.

WOG STS B 3.3.1-2 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 Use of the trip setpoint[LTSP] to define "as -found" OPERABILITY and its designation as the LSSS under the expected circumstances described above would result in actions required by both the rule and Technical Specifications that are clearly not warranted. However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value which, as stated above, is the same asleast conservative value for the LSSS during testing. The actual [LTSP] and the methodology for calculating the as-left and as-found tolerances will be maintained in [a document controlled under 10 CFR 50.59].

The Allowable Value specified in Table 3.3.1-1 serves asis the least conservative value that the [LTSP] (LSSS) can have when tested, such that a channel is OPERABLE if the trip setpoint[LTSP] is found notconservative with respect to exceed the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the trip setpoint[LTSP] by an amount primarily[greater than or]

equal to the expected instrument loopchannel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will still meet the LSSS definition and ensure that a SL WOG STS B 3.3.1-3 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued) is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. Note that, although the channel is "OPERABLE" under these circumstances, the trip setpoint should[LTSP] must be left adjusted to a value within the established trip setpoint calibration as-left tolerance band,, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria). If the actual setting of the device is found to have exceeded the be nonconservative with respect to the Allowable Value, the device would be considered inoperable from a technical specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

[ Note: Alternatively, a Technical Specification format incorporating an Allowable Value only column may be proposed by a licensee. In this case the trip setpoint value of Table 3.3.1-1 is located in the Technical Specification Bases or in a licensee-controlled document outside the Technical Specification. In this case, for LSSS functions, the [LTSP]

value of Table 3.3.1-1 and the methodologies used to calculate the as-found and as-left tolerances must be specified in [a document controlled under 10 CFR 50.59]. Changes to the actual plant trip setpointsetpoint or [LTSP] value would be controlled by 10 CFR 50.59 or administratively as appropriate, and adjusted per the setpoint methodology and applicable surveillance requirements. At their option, the licensee may include the trip setpoint in Table 3.3.1-1 as shown, or as suggested by the licensees' setpoint methodology or license. ] If the setting of the protective device does not protect a Safety Limit, the [LTSP] is not an LSSS.]

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB),

2. Fuel centerline melt shall not occur, and

3. The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 criteria during AOOs.

WOG STS B 3.3.1-4 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

The RTS instrumentation is segmented into four distinct but interconnected modules as illustrated in Figure [ ], FSAR, Chapter [7]

(Ref. 2), and as identified below:

1. Field transmitters or process sensors: provide a measurable electronic signal based upon the physical characteristics of the parameter being measured,

2. Signal Process Control and Protection System, including Analog Protection System, Nuclear Instrumentation System (NIS), field contacts, and protection channel sets: provides signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications,

3. Solid State Protection System (SSPS), including input, logic, and output bays: initiates proper unit shutdown and/or ESF actuation in accordance with the defined logic, which is based on the bistable outputs from the signal process control and protection system, and

4. Reactor trip switchgear, including reactor trip breakers (RTBs) and bypass breakers: provides the means to interrupt power to the control rod drive mechanisms (CRDMs) and allows the rod cluster control assemblies (RCCAs), or "rods," to fall into the core and shut down the reactor. The bypass breakers allow testing of the RTBs at power.

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. To account for the calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the trip setpoint[LTSP] and Allowable Values. The OPERABILITY of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor as related to the channel behaviour observed during performance of the CHANNEL CHECK.

WOG STS B 3.3.1-6 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

Signal Process Control and Protection System Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints[LTSPs]

established by safety analyses. These setpoints[LTSPs] are defined in FSAR, Chapter [7] (Ref. 2), Chapter [6] (Ref. 3), and Chapter [15]

(Ref. 4). If the measured value of a unit parameter exceeds the predetermined setpoint[LTSPs] , an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails, such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 5). The actual number of channels required for each unit parameter is specified in Reference 2.

Two logic channels are required to ensure no single random failure of a logic channel will disable the RTS. The logic channels are designed such that testing required while the reactor is at power may be accomplished without causing trip. Provisions to allow removing logic channels from service during maintenance are unnecessary because of the logic system's designed reliability.

WOG STS B 3.3.1-7 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

Allowable Values and RTS Setpoints The trip setpointsLimiting Trip Setpoints [LTSPs] used in the bistables are based on the analytical limits stated in Reference 2. The selection of these trip setpoints[LTSPs] is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RTS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits. A detailed description of the methodology used to calculate the Allowable Values and trip setpoints[LTSPs], including their explicit uncertainties, is provided in the "RTS/ESFAS Setpoint Methodology Study" (Ref. 7) which incorporates all of the known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each trip setpoint [LTSP] and corresponding Allowable Value. The trip setpoint[LTSP] entered into the bistable is more conservative than that specified by the Allowable Value (LSSS) to account for measurement errors detectable by the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT.

One example of such a change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed [LTSP] is conservative to the Allowable Value, the bistable is considered OPERABLE. Note that, although a channel is OPERABLE under these circumstances, the setpoint must be left adjusted to within the established as-left criteria and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

The trip setpoint[LTSP] is the value at which the bistable is set and is the expected value to be achieved during calibration. The trip setpoint[LTSP]

value ensures the LSSS and the safety analysis limits are met for the surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as -left" setpoint value is within the band for CHANNEL CALIBRATION uncertainty allowance (i.e., +/- rack calibration +

comparator setting uncertainties). The trip setpoint[LTSP] value is therefore considered a "nominal" value (i.e., expressed as a value without inequalities) for the purposes of COT and CHANNEL CALIBRATION.

[Limiting Trip setpointsSetpoints] consistent with the requirements of the Allowable Value ensure that SLs are not violated during AOOs (and that the consequences of DBAs will be acceptable, providing the unit is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed).

WOG STS B 3.3.1-8 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

During normal operation the output from the SSPS is a voltage signal that energizes the undervoltage coils in the RTBs and bypass breakers, if in use. When the required logic matrix combination is completed, the SSPS output voltage signal is removed, the undervoltage coils are de-energized, the breaker trip lever is actuated by the de-energized undervoltage coil, and the RTBs and bypass breakers are tripped open.

This allows the shutdown rods and control rods to fall into the core. In addition to the de-energization of the undervoltage coils, each breaker is also equipped with a shunt trip device that is energized to trip the breaker open upon receipt of a reactor trip signal from the SSPS. Either the undervoltage coil or the shunt trip mechanism is sufficient by itself, thus providing a diverse trip mechanism.

The decision logic matrix Functions are described in the functional diagrams included in Reference 3. In addition to the reactor trip or ESF, these diagrams also describe the various "permissive interlocks" that are associated with unit conditions. Each train has a built in testing device that can automatically test the decision logic matrix Functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

APPLICABLE The RTS functions to maintain the SLs during all AOOs and mitigates SAFETY the consequences of DBAs in all MODES in which the Rod Control ANALYSES, LCO, System is capable of rod withdrawal or one or more rods are not fully and APPLICABILITY inserted.

Each of the analyzed accidents and transients can be detected by one or more RTS Functions. The accident analysis described in Reference 4 takes credit for most RTS trip Functions. RTS trip Functions not specifically credited in the accident analysis are may be qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. However, qualitatively credited or backup functions are not LSSS for Safety Limits. These RTS trip Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. They may also serve as backups to RTS trip Functions that were credited in the accident analysis.

The LCO requires all instrumentation performing an RTS Function, listed in Table 3.3.1-1 in the accompanying LCO, to be OPERABLE. A channel is OPERABLE with a trip setpoint[LTSP] value outside its calibration tolerance band provided the trip setpoint[LTSP] "as-found" value does not exceedis conservative with respect to its WOG STS B 3.3.1-10 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) associated Allowable Value and provided the trip setpoint[LTSP] "as-left" value is adjusted to a value within the "as-left" calibration tolerance band of the Nominal Trip Setpoint.[LTSP]. A trip setpoint may be set more conservative than the Nominal Trip Setpoint[LTSP] as necessary in response to plant conditions. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

The LCO generally requires OPERABILITY of four or three channels in each instrumentation Function, two channels of Manual Reactor Trip in each logic Function, and two trains in each Automatic Trip Logic Function.

Four OPERABLE instrumentation channels in a two-out-of-four configuration are required when one RTS channel is also used as a control system input. This configuration accounts for the possibility of the shared channel failing in such a manner that it creates a transient that requires RTS action. In this case, the RTS will still provide protection, even with random failure of one of the other three protection channels.

Three OPERABLE instrumentation channels in a two-out-of-three configuration are generally required when there is no potential for control system and protection system interaction that could simultaneously create a need for RTS trip and disable one RTS channel. The two-out-of-three and two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing a reactor trip. Specific exceptions to the above general philosophy exist and are discussed below.

Reactor Trip System Functions The safety analyses and OPERABILITY requirements applicable to each RTS Function are discussed below:

1. Manual Reactor Trip The Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either of two reactor trip switches in the control room. A Manual Reactor Trip accomplishes the same results as any one of the automatic trip Functions. It is used by the reactor operator to shut down the reactor whenever any parameter is rapidly trending toward its Trip Setpoint.

The LCO requires two Manual Reactor Trip channels to be OPERABLE. Each channel is controlled by a manual reactor trip switch. Each channel activates the reactor trip breaker in both trains.

Two independent channels are required to be OPERABLE so that no single random failure will disable the Manual Reactor Trip Function.

WOG STS B 3.3.1-12 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

In MODE 1 or 2, manual initiation of a reactor trip must be OPERABLE. These are the MODES in which the shutdown rods and/or control rods are partially or fully withdrawn from the core. In MODE 3, 4, or 5, the manual initiation Function must also be OPERABLE if one or more shutdown rods or control rods are withdrawn or the Rod Control System is capable of withdrawing the shutdown rods or the control rods. In this condition, inadvertent control rod withdrawal is possible. In MODE 3, 4, or 5, manual initiation of a reactor trip does not have to be OPERABLE if the Rod Control System is not capable of withdrawing the shutdown rods or control rods and if all rods are fully inserted. If the rods cannot be withdrawn from the core, or all of the rods are inserted, there is no need to be able to trip the reactor. In MODE 6, neither the shutdown rods nor the control rods are permitted to be withdrawn and the CRDMs are disconnected from the control rods and shutdown rods.

Therefore, the manual initiation Function is not required.

2. Power Range Neutron Flux The NIS power range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS power range detectors provide input to the Rod Control System and the Steam Generator (SG) Water Level Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.

a. Power Range Neutron Flux - High The Power Range Neutron Flux - High trip Function ensures that protection is provided, from all power levels, against a positive reactivity excursion leading to DNB during power operations.

These can be caused by rod withdrawal or reductions in RCS temperature.

The LCO requires all four of the Power Range Neutron Flux -

High channels to be OPERABLE.

WOG STS B 3.3.1-13 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

In MODE 1 or 2, when a positive reactivity excursion could occur, the Power Range Neutron Flux - High trip must be OPERABLE.

This Function will terminate the reactivity excursion and shut down the reactor prior to reaching a power level that could damage the fuel. In MODE 3, 4, 5, or 6, the NIS power range detectors cannot detect neutron levels in this range. In these MODES, the Power Range Neutron Flux - High does not have to be OPERABLE because the reactor is shut down and reactivity excursions into the power range are extremely unlikely. Other RTS Functions and administrative controls provide protection against reactivity additions when in MODE 3, 4, 5, or 6. [The Power Range Neutron Flux - High trip Function is credited in the safety analysis for a positive reactivity excursion in MODE 1 or 2, and is therefore considered to be an LSSS as defined in 10 CFR 50.36.]

b. Power Range Neutron Flux - Low The LCO requirement for the Power Range Neutron Flux - Low trip Function ensures that protection is provided against a positive reactivity excursion from low power or subcritical conditions.

The LCO requires all four of the Power Range Neutron Flux -

Low channels to be OPERABLE.

In MODE 1, below the Power Range Neutron Flux (P-10 setpoint), and in MODE 2, the Power Range Neutron Flux - Low trip must be OPERABLE. This Function may be manually blocked by the operator when two out of four power range channels are greater than approximately 10% RTP (P-10 setpoint). This Function is automatically unblocked when three out of four power range channels are below the P-10 setpoint.

Above the P-10 setpoint, positive reactivity additions are mitigated by the Power Range Neutron Flux - High trip Function.

In MODE 3, 4, 5, or 6, the Power Range Neutron Flux - Low trip Function does not have to be OPERABLE because the reactor is shut down and the NIS power range detectors cannot detect neutron levels in this range. Other RTS trip Functions and administrative controls provide protection against positive reactivity additions or power excursions in MODE 3, 4, 5, or 6.

WOG STS B 3.3.1-14 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

a. Reactor Coolant Pump Breaker Position (Single Loop)

The RCP Breaker Position (Single Loop) trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in one RCS loop. The position of each RCP breaker is monitored. If one RCP breaker is open above the P-8 setpoint, a reactor trip is initiated. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low (Single Loop) Trip Setpoint is reached.

The LCO requires one RCP Breaker Position channel per RCP to be OPERABLE. One OPERABLE channel is sufficient for this trip Function because the RCS Flow - Low trip alone provides sufficient protection of unit SLs for loss of flow events. The RCP Breaker Position trip serves only to anticipate the low flow trip, minimizing the thermal transient associated with loss of a pump.

This Function measures only the discrete position (open or closed) of the RCP breaker, using a position switch. Therefore, the Function has no adjustable trip setpoint with which to associate an LSSS.

In MODE 1 above the P-8 setpoint, when a loss of flow in any RCS loop could result in DNB conditions in the core, the RCP Breaker Position (Single Loop) trip must be OPERABLE. In MODE 1 below the P-8 setpoint, a loss of flow in two or more loops is required to actuate a reactor trip because of the lower power level and the greater margin to the design limit DNBR.

b. Reactor Coolant Pump Breaker Position (Two Loops)

The RCP Breaker Position (Two Loops) trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The position of each RCP breaker is monitored. Above the P-7 setpoint and below the P-8 setpoint, a loss of flow in two or more loops will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low (Two Loops) Trip Setpoint is reached.

WOG STS B 3.3.1-24 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The LCO requires one RCP Breaker Position channel per RCP to be OPERABLE. One OPERABLE channel is sufficient for this Function because the RCS Flow - Low trip alone provides sufficient protection of unit SLs for loss of flow events. The RCP Breaker Position trip serves only to anticipate the low flow trip, minimizing the thermal transient associated with loss of an RCP.

This Function measures only the discrete position (open or closed) of the RCP breaker, using a position switch. Therefore, the Function has no adjustable trip setpoint[LTSP] with which to associate an LSSS.

In MODE 1 above the P-7 setpoint and below the P-8 setpoint, the RCP Breaker Position (Two Loops) trip must be OPERABLE.

Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on loss of flow in two RCS loops is automatically enabled. Above the P-8 setpoint, a loss of flow in any one loop will actuate a reactor trip because of the higher power level and the reduced margin to the design limit DNBR.

12. Undervoltage Reactor Coolant Pumps The Undervoltage RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The voltage to each RCP is monitored.

Above the P-7 setpoint, a loss of voltage detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low (Two Loops)

Trip Setpoint is reached. Time delays are incorporated into the Undervoltage RCPs channels to prevent reactor trips due to momentary electrical power transients.

The LCO requires three Undervoltage RCPs channels (one per phase) per bus to be OPERABLE.

In MODE 1 above the P-7 setpoint, the Undervoltage RCP trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low WOG STS B 3.3.1-25 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

S.1 and S.2 Condition S applies to the RTB Undervoltage and Shunt Trip Mechanisms, or diverse trip features, in MODES 1 and 2. With one of the diverse trip features inoperable, it must be restored to an OPERABLE status within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months or the unit must be placed in a MODE where the requirement does not apply. This is accomplished by placing the unit in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (54 hours6.25e-4 days 0.015 hours 8.928571e-5 weeks 2.0547e-5 months total time). The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. With the unit in MODE 3, ACTION C would apply to any inoperable RTB trip mechanism. The affected RTB shall not be bypassed while one of the diverse features is inoperable except for the time required to perform maintenance to one of the diverse features. The allowable time for performing maintenance of the diverse features is 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for the reasons stated under Condition P.

The Completion Time of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months for Required Action S.1 is reasonable considering that in this Condition there is one remaining diverse feature for the affected RTB, and one OPERABLE RTB capable of performing the safety function and given the low probability of an event occurring during this interval.

SURVEILLANCE -----------------------------------REVIEWERS NOTE-----------------------------------

REQUIREMENTS In Table 3.3.1-1, Functions 11.a and 11.b were not included in the generic evaluations approved in either WCAP-10271, as supplemented, or WCAP-14333. In order to apply the WCAP-10271, as supplemented, and WCAP-14333 TS relaxations to plant specific Functions not evaluated generically, licensees must submit plant specific evaluations for NRC review and approval.

REVIEWERS NOTE --------------------------------------

The Notes in Table 3.3.1-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with LSSS values. Therefore, the Notes may be placed at the top of the column in the Table and applied to all Functions, or the Notes may be applied to specific SRs in the SR column only.

WOG STS B 3.3.1-52 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.7 SR 3.3.1.7 is the performance of a COT every 184 days.

A COT is performed on each required channel to ensure the entire channel will perform the intended Function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

[Limiting Trip Setpoints] must be within conservative with respect to the Allowable Values specified in Table 3.3.1-1.

The difference between the current " as -found" values and the previous test "as -left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.

The "as -found " and "as -left" values must also be recorded and reviewed for consistency with the assumptions of Reference 9.

SR 3.3.1.7 is modified by a Note that provides a 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months delay in the requirement to perform this Surveillance for source range instrumentation when entering MODE 3 from MODE 2. This Note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.1.7 is no longer required to be performed. If the unit is to be in MODE 3 with the RTBs closed for > 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months this Surveillance must be performed prior to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after entry into MODE 3.

The Frequency of 184 days is justified in Reference 9.

WOG STS B 3.3.1-58 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 SR 3.3.1.7 for selected Functions is modified by two Notes as identified in Table 3.3.1-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable.

REVIEWERS NOTE-----------------------------------

The following sentence and the corresponding bracketed sentence in Note (c) in Table 3.3.1-1 are not required in plant-specific technical specifications which include a [Limiting Trip Setpoint] column in Table 3.3.1-1.

The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.8 SR 3.3.1.8 is the performance of a COT as described in SR 3.3.1.7, except it is modified by a Note that this test shall include verification that the P-6 and P-10 interlocks are in their required state for the existing unit condition. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay.

This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. The Frequency is modified by a Note that allows this surveillance to be satisfied if it has been performed within 184 days of the WOG STS B 3.3.1-59 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.11 SR 3.3.1.11 is the performance of a CHANNEL CALIBRATION, as described in SR 3.3.1.10, every [18] months. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the power range neutron detectors consists of a normalization of the detectors based on a power calorimetric and flux map performed above 15% RTP. The CHANNEL CALIBRATION for the source range and intermediate range neutron detectors consists of obtaining the detector plateau or preamp discriminator curves, evaluating those curves, and comparing the curves to the manufacturer's data. This Surveillance is not required for the NIS power range detectors for entry into MODE 2 or 1, and is not required for the NIS intermediate range detectors for entry into MODE 2, because the unit must be in at least MODE 2 to perform the test for the intermediate range detectors and MODE 1 for the power range detectors. The

[18] month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed on the [18] month Frequency.

SR 3.3.1.11 for selected Functions is modified by two Notes as identified in Table 3.3.1-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation.

The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable.

WOG STS B 3.3.1-62 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RTS Instrumentation B 3.3.1

REVIEWERS NOTE-----------------------------------

The following sentence and the corresponding bracketed sentence in Note (c) in Table 3.3.1-1 are not required in plant-specific technical specifications which include a [Limiting Trip Setpoint] column in Table 3.3.1-1.

The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

SR 3.3.1.12 SR 3.3.1.12 is the performance of a CHANNEL CALIBRATION, as described in SR 3.3.1.10, every [18] months. This SR is modified by a Note stating that this test shall include verification of the RCS resistance temperature detector (RTD) bypass loop flow rate. Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

This test will verify the rate lag compensation for flow from the core to the RTDs.

The Frequency is justified by the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

WOG STS B 3.3.1-63 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 B 3.3 INSTRUMENTATION B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation BASES BACKGROUND The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the ESFAS, as well as specifying LCOs on other system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective action will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded.

However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

REVIEWER'S NOTE ----------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in [a document controlled under 10 CFR 50.59]. The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. Where margin is added between the Analytical Limit and trip setpoint, the standard terminology of Nominal Trip Setpoint (NTSP) should be used. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint. Where the [LTSP] is not documented in a column in Table 3.3.2-1 for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting Trip Setpoint must be cited in Note c of Table 3.3.2-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. In some cases, replacing the LTSP with NTSP will also require the revision of the relationship discussion for Allowable Value (AV). Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contains the [LTSP] values and the methodology for calculating the as-left and as-found tolerances for the phrase "[a document controlled under 10 CFR 50.59]" throughout these Bases.

WOG STS B 3.3.2-1 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 The [Limiting Trip Setpoint (LTSP)] is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the [LTSP] accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the

[LTSP] ensures that SLs are not exceeded. As such, the [LTSP] meets the definition of an LSSS (Ref. 1) and meets the requirement that the LSSS be contained in the Technical Specifications. If the setting of the protective device does not protect a Safety Limit, the LTSP is not an LSSS.

BASES BACKGROUND (continued)

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety functions(s)." However, use of the [LTSP] to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protective device setting during a surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the [LTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [LTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the [LTSP] to account for further drift during the next surveillance interval.

Use of the [LTSP] to define "as-found" OPERABILITY under the expected circumstances described above would result in actions required by both the rule and Technical Specifications that are clearly not warranted.

However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value which is the least conservative value for the LSSS during testing. The actual [LTSP] and the methodology for calculating the as-left and as-found tolerances will be maintained in [a document controlled under 10 CFR 50.59].

WOG STS B 3.3.2-2 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 The Allowable Value specified in Table 3.3.2-1 is the least conservative value that the [LTSP] (LSSS) can have when tested, such that a channel is OPERABLE if the [LTSP] is found conservative with respect to the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the [LTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will ensure that a SL BASES BACKGROUND (continued) is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the

[LTSP] must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria). If the actual setting of the device is found to be nonconservative with respect to the Allowable Value, the device would be considered inoperable from a technical specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

[Note: Alternatively, a Technical Specification format incorporating an Allowable Value only column may be proposed by a licensee. In this case, for the LSSS functions, the [LTSP] value of Table 3.3.2-1 and the methodologies used to calculate the as-found and as-left tolerances must be specified in [a document controlled under 10 CFR 50.59]. Changes to the actual plant trip setpoint or [LTSP] value would be controlled by 10 CFR 50.59 or administratively as appropriate, and adjusted per the setpoint methodology and applicable surveillance requirements. If the setting of the protective device does not protect a Safety Limit, the LTSP is not an LSSS.]

The ESFAS instrumentation is segmented into three distinct but interconnected modules as identified below:

Field transmitters or process sensors and instrumentation: provide a measurable electronic signal based on the physical characteristics of the parameter being measured,

Signal processing equipment including analog protection system, field contacts, and protection channel sets: provide signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system WOG STS B 3.3.2-3 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 devices, and control board/control room/miscellaneous indications, and

Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdown or engineered safety feature (ESF) actuation in accordance with the defined logic and based on the bistable outputs from the signal process control and protection system.

The Allowable Value in conjunction with the trip setpoint and LCO establishes the threshold for ESFAS action to prevent exceeding acceptable limits such that the consequences of Design Basis Accidents (DBAs) will be acceptable. The Allowable Value is considered a limiting value such that a channel is OPERABLE if the setpoint is found not to exceed the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). Note that, although a channel is "OPERABLE" under these circumstances, the ESFAS setpoint must be left adjusted to within the established calibration tolerance band of the ESFAS setpoint in accordance with the uncertainty assumptions stated in the referenced setpoint methodology, (as-left criteria) and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

WOG STS B 3.3.2-4 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2

""BASES BACKGROUND (continued)

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS).

In some cases, the same channels also provide control system inputs.

To account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the Trip Setpoint[LTSP] and Allowable Values. The OPERABILITY of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor, as related to the channel behavior observed during performance of the CHANNEL CHECK.

Signal Processing Equipment Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints[LTSPs]

established by safety analyses. These setpoints[LTSPs] are defined in FSAR, Chapter [6] (Ref. 1), Chapter [7] (Ref. 2), and Chapter [15]

(Ref. 3). If the measured value of a unit parameter exceeds the predetermined setpoint[LTSP], an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of- two logic.

WOG STS B 3.3.2-5 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued)

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in Reference 2.

Allowable Values and ESFAS Setpoints The trip setpointsLimiting Trip Setpoint [LTSPs] used in the bistables are based on the analytical limits stated in Reference 2. The selection of these trip setpoints[LTSPs] is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the Allowable Values specified in Table 3.3.2-1 in the accompanying LCO are conservative with respect to the analytical limits. A detailed description of the methodology used to calculate the Allowable Values and ESFAS setpoints[LTSPs] including their explicit uncertainties, is provided in the plant specific setpoint methodology study (Ref. 6) which incorporates all of the known uncertainties applicable to each channel.

The magnitudes of these uncertainties are factored into the determination of each ESFAS setpoint[LTSP] and corresponding Allowable Value. The nominal ESFAS setpoint [LTSP] entered into the bistable is more conservative than that specified by the Allowable Value to account for measurement errors detectable by the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE. Note that, although a channel is OPERABLE under these circumstances, the setpoint must be left adjusted to within the established as-left criteria and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

The ESFAS setpoints[LTSPs] are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS setpoint[LTSP] value ensures the safety analysis limits are met WOG STS B 3.3.2-6 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 for the surveillance interval selected when a channel is adjusted based on stated BASES BACKGROUND (continued) channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" setpoint[LTSP] value is within the bandas-left tolerance.

for CHANNEL WOG STS B 3.3.2-7 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued)

CALIBRATION uncertainty allowance (i.e., +/- rack calibration tolerance+

comparator setting uncertainties).).. The ESFAS setpoint[LTSP] value is therefore considered a "nominal value" (i.e., expressed as a value without inequalities) for the purposes of the COT and CHANNEL CALIBRATION.

Setpoints adjusted consistent with the requirements of the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed.

Each channel can be tested on line to verify that the signal processing equipment and setpoint[LTSP] accuracy is within the specified allowance requirements of Reference 2. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.

Solid State Protection System The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result.

Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.

The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

WOG STS B 3.3.2-8 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued)

Each SSPS train has a built in testing device that can automatically test the decision logic matrix functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

The actuation of ESF components is accomplished through master and slave relays. The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay.

REVIEWERS NOTE------------------------------------------

No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.

APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO, for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. For example, Pressurizer Pressure - Low is a primary actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.

Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. However, qualitatively credited or backup functions are not LSSS for Safety Limits.

These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).

WOG STS B 3.3.2-9 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The LCO requires all instrumentation performing an ESFAS Function to be OPERABLE. A channel is OPERABLE with a trip setpoint[LTSP]

value outside its calibration tolerance band provided the trip setpoint "as-found" value does not exceed is conservative with respect to its associated Allowable Value and provided the trip setpoint[LTSP] "as-left" value is adjusted to a value within the calibration tolerance band of the Nominal Trip Setpoint.[LTSP]. A trip setpoint may be set more conservative than the Nominal Trip Setpoint[LTSP] as necessary in response to plant conditions. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

The LCO generally requires OPERABILITY of four or three channels in each instrumentation function and two channels in each logic and manual initiation function. The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing an ESFAS initiation. Two logic or manual initiation channels are required to ensure no single random failure disables the ESFAS.

The required channels of ESFAS instrumentation provide unit protection in the event of any of the analyzed accidents. ESFAS protection functions are as follows:

1. Safety Injection Safety Injection (SI) provides two primary functions:

1. Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal, clad integrity, and for limiting peak clad temperature to

< 2200°F), and

2. Boration to ensure recovery and maintenance of SDM (keff< 1.0).

WOG STS B 3.3.2-10 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

c. Safety Injection - Containment Pressure - High 1 This signal provides protection against the following accidents:

SLB inside containment,

LOCA, and

Feed line break inside containment.

Containment Pressure - High 1 provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic. The transmitters (d/p cells) and electronics are located outside of containment with the sensing line (high pressure side of the transmitter) located inside containment.

Thus, the high pressure Function will not experience any adverse environmental conditions and the Trip Setpoint[LTSP]

reflects only steady state instrument uncertainties.

Containment Pressure - High 1 must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary systems to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment. [The Safety Injection - Containment Pressure -

High 1 Function is credited in the safety analysis for LOCA, Steam Line Break inside containment, and Feed Line Break inside containment, and is therefore considered to be a LSSS as defined in 10 CFR 50.36.]

d. Safety Injection - Pressurizer Pressure - Low This signal provides protection against the following accidents:

Inadvertent opening of a steam generator (SG) relief or safety valve,

SLB, WOG STS B 3.3.2-13 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE ----------------------------REVIEWERS NOTE------------------------------------------

REQUIREMENTS In Table 3.3.2-1, Functions 7.b and 7.c were not included in the generic evaluations approved in either WCAP-10271, as supplemented, or WCAP-14333. In order to apply the WCAP-10271, as supplemented, and WCAP-14333 TS relaxations to plant specific Functions not evaluated generically, licensees must submit plant specific evaluations for NRC review and approval.

REVIEWERS NOTE -------------------------------------------

The Notes in Table 3.3.2-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with LSSS values. Therefore, the Notes may be placed at the top of the column in the Table and applied to all Functions, or the Notes may be applied to specific SRs in the SR column only.

The SRs for each ESFAS Function are identified by the SRs column of Table 3.3.2-1.

A Note has been added to the SR Table to clarify that Table 3.3.2-1 determines which SRs apply to which ESFAS Functions.

Note that each channel of process protection supplies both trains of the ESFAS. When testing channel I, train A and train B must be examined.

Similarly, train A and train B must be examined when testing channel II, channel III, and channel IV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

REVIEWERS NOTE-----------------------------------------

Certain Frequencies are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the Frequencies as required by the staff SER for the topical report.

SR 3.3.2.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the WOG STS B 3.3.2-53 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.4 SR 3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. This test is performed every 92 days on a STAGGERED TEST BASIS. The time allowed for the testing (4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months ) is justified in Reference 11. The Frequency of 92 days is justified in Reference 9.

SR 3.3.2.5 SR 3.3.2.5 is the performance of a COT.

A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Setpoints must be found within the Allowable Values specified in Table Table 3.3.2-1-1. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The difference between the current "as -found" values and the previous test "as -left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint[LTSP] shall be left set consistent with the assumptions of the current unit specific setpoint methodology.

The "as -found" and "as -left" values must also be recorded and reviewed for consistency with the assumptions of Reference 6.

The Frequency of 184 days is justified in Reference 11.

WOG STS B 3.3.2-56 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 SR 3.3.2.5 for selected Function trip units is modified by two Notes as identified in Table 3.3.2-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e.

limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service.

These channels will also be identified in the Corrective Action Program.

In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY.

The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable.

REVIEWERS NOTE-----------------------------------

The following sentence and the corresponding bracketed sentence in Note (b) in Table 3.3.2-1 are not required in plant-specific technical specifications which include a [Limiting Trip Setpoint] column in Table 3.3.2-1.

The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.6 SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation MODE is either allowed to function, or is placed in a condition where the relay contact operation can be verified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation MODE is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay.

This test is performed every [92] days. The Frequency is adequate, WOG STS B 3.3.2-57 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.8 SR 3.3.2.8 is the performance of a TADOT. This test is a check of the Manual Actuation Functions and AFW pump start on trip of all MFW pumps. It is performed every [18] months. Each Manual Actuation Function is tested up to, and including, the master relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Frequency is adequate, based on industry operating experience and is consistent with the typical refueling cycle. The SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation Functions. The manual initiation Functions have no associated setpoints.

SR 3.3.2.9 SR 3.3.2.9 is the performance of a CHANNEL CALIBRATION.

A CHANNEL CALIBRATION is performed every [18] months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology. The difference between the current "as -found" values and the previous test "as -left" values must be consistent with the drift allowance used in the setpoint methodology.

The Frequency of [18] months is based on the assumption of an

[18] month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.

This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values where applicable.

SR 3.3.2.9 for selected Function trip units is modified by two Notes as identified in Table 3.3.2-1. The selected Functions are those Functions WOG STS B 3.3.2-59 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 that are LSSS and whose instruments are not mechanical devices (i.e.

limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service.

These channels will also be identified in the Corrective Action Program.

In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY.

The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable.

REVIEWERS NOTE-----------------------------------

The following sentence and the corresponding bracketed sentence in Note (b) in Table 3.3.2-1 are not required in plant-specific technical specifications which include a [Limiting Trip Setpoint] column in Table 3.3.2-1.

The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

WOG STS B 3.3.2-60 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog) 3.3.1 Table 3.3.1-1 (page 1 of 2)

Reactor Protective System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED SURVEILLANCE FUNCTION CONDITIONS REQUIREMENTS ALLOWABLE VALUE

1. Variable High 1, 2 SR 3.3.1.1 [10]% RTP above current Power Trip SR 3.3.1.2 THERMAL POWER but not SR 3.3.1.3 < [30]% RTP nor > [107]% RTP

[(a) (b)]

SR 3.3.1.4 SR 3.3.1.5[(a) (b)]

SR 3.3.1.8[(a) (b)]

SR 3.3.1.9

2. Power Rate of 1, 2 SR 3.3.1.1 [2.6] dpm (ac)

Change - High SR 3.3.1.6 SR 3.3.1.7 SR 3.3.1.8

3. Reactor Coolant 1, 2 SR 3.3.1.1 [95]%

(bd)

Flow - Low SR 3.3.1.4 SR 3.3.1.7 SR 3.3.1.8 SR 3.3.1.9

4. Pressurizer 1, 2 SR 3.3.1.1 [2400] psia Pressure - High SR 3.3.1.4 SR 3.3.1.8 SR 3.3.1.9

5. Containment 1, 2 [SR 3.3.1.1] [4.0] psig Pressure - High SR 3.3.1.4 SR 3.3.1.8 SR 3.3.1.9

6. Steam Generator 1, 2 SR 3.3.1.1 [685] psia (ce)

Pressure - Low SR 3.3.1.4 SR 3.3.1.7 SR 3.3.1.8 SR 3.3.1.9 (a) [INSERT 1]

(b) [INSERT 2]

(ac) Trip may be bypassed when THERMAL POWER is < [1E-4]% RTP or > [13]% RTP. Bypass shall be automatically removed when THERMAL POWER is [1E-4]% RTP and [13]% RTP.

(bd) Trips may be bypassed when THERMAL POWER is < [1E-4]%. Bypass shall be automatically removed when THERMAL POWER is [1E-4]% RTP. During testing pursuant to LCO 3.4.17, RCS Loops - Test Exceptions, trips may be bypassed below 5% RTP. Bypass shall be automatically removed when THERMAL POWER is 5% RTP.

(ec) Trip may be bypassed when steam generator pressure is < [785] psig. Bypass shall be automatically removed when steam generator pressure is [785] psig.

CEOG STS 3.3.1-6 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog) 3.3.1 Table 3.3.1-1 (page 2 of 2)

Reactor Protective System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED SURVEILLANCE FUNCTION CONDITIONS REQUIREMENTS ALLOWABLE VALUE 7a. Steam Generator A 1, 2 SR 3.3.1.1 [24.7]%

Level - Low SR 3.3.1.4 SR 3.3.1.8 SR 3.3.1.9 7b. Steam Generator B 1, 2 SR 3.3.1.1 [24.7]%

Level - Low SR 3.3.1.4 SR 3.3.1.8 SR 3.3.1.9 (df) (eg)

[8. Axial Power 1 SR 3.3.1.1 Figure 3.3.1-3 ]

Distribution - High SR 3.3.1.2 SR 3.3.1.3 SR 3.3.1.4 SR 3.3.1.5 SR 3.3.1.7 SR 3.3.1.8 SR 3.3.1.9 9a. Thermal 1, 2 SR 3.3.1.1 Figures 3.3.1-1 and 3.3.1-2 Margin/Low SR 3.3.1.2 Pressure SR 3.3.1.3 (bd)

(TM/LP) SR 3.3.1.4 SR 3.3.1.5 SR 3.3.1.7

[SR 3.3.1.8]

SR 3.3.1.9

[9b. Steam Generator 1, 2 SR 3.3.1.1 [135] psid ]

Pressure SR 3.3.1.4 (bd)

Difference SR 3.3.1.8 SR 3.3.1.9

10. Loss of Load 1(fd) (eg) SR 3.3.1.6 [800] psig (turbine stop valve SR 3.3.1.7 control oil pressure) SR 3.3.1.8 (bd) Trips may be bypassed when THERMAL POWER is < [1E-4]%. Bypass shall be automatically removed when THERMAL POWER is [1E-4]% RTP. During testing pursuant to LCO 3.4.17, trips may be bypassed below 5% RTP. Bypass shall be automatically removed when THERMAL POWER is 5% RTP.

(df) Trip is not applicable and may be bypassed when THERMAL POWER is < [15]% RTP. Bypass shall be automatically removed when THERMAL POWER is [15]% RTP.

(eg) Trip is only applicable in MODE 1 [15]% RTP.

CEOG STS 3.3.1-7 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Analog) 3.3.4 Table 3.3.4-1 (page 1 of 2)

Engineered Safety Features Actuation System Instrumentation SURVEILLANCE ALLOWABLE FUNCTION MODES REQUIREMENTS VALUE

1. Safety Injection Actuation Signal (SIAS)

a. Containment Pressure - High 1,2,3 SR 3.3.4.1 [19.0] psia

[(a) (b)]

SR 3.3.4.2 SR 3.3.4.4[(a) (b)]

SR 3.3.4.5 (ac)

b. Pressurizer Pressure - Low 1,2,3 SR 3.3.4.1 [1687] psia SR 3.3.4.2 SR 3.3.4.3 SR 3.3.4.4 SR 3.3.4.5 (bd)

2. Containment Spray Actuation Signal

a. Containment Pressure - High 1,2,3 SR 3.3.4.1 [19.0] psia SR 3.3.4.2 SR 3.3.4.4 SR 3.3.4.5

3. Containment Isolation Actuation Signal

a. Containment Pressure - High 1,2,3 SR 3.3.4.1 [19.0] psia SR 3.3.4.2 SR 3.3.4.4 SR 3.3.4.5

[ b. Containment Radiation - High 1,2,3 SR 3.3.4.1 [2x Background] ]

SR 3.3.4.2 SR 3.3.4.4 SR 3.3.4.5 (a) [INSERT 1]

(b) [INSERT 2]

(ca) Pressurizer Pressure - Low may be manually bypassed when pressurizer pressure is < [1800] psia. The bypass shall be automatically removed whenever pressurizer pressure is [1800] psia.

[ (bd) SIAS is also required as a permissive to initiate containment spray. ]

CEOG STS 3.3.4-4 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Analog) 3.3.4 Table 3.3.4-1 (page 2 of 2)

Engineered Safety Features Actuation System Instrumentation SURVEILLANCE ALLOWABLE FUNCTION MODES REQUIREMENTS VALUE

4. Main Steam Isolation Signal (ec) (fd) (fd)

a. Steam Generator Pressure - Low 1,2 ,3 SR 3.3.4.1 [495] psig SR 3.3.4.2 SR 3.3.4.3 SR 3.3.4.4 SR 3.3.4.5

5. Recirculation Actuation Signal

a. Refueling Water Tank Level -- Low 1,2,3 [SR 3.3.4.1] [ 24 inches and SR 3.3.4.2 30] inches above SR 3.3.4.4 tank bottom SR 3.3.4.5

6. Auxiliary Feedwater Actuation Signal (AFAS)

a. Steam Generator A Level -- Low 1,2,3 SR 3.3.4.1 [45.7] %

SR 3.3.4.2 SR 3.3.4.4 SR 3.3.4.5

b. Steam Generator B Level -- Low 1,2,3 SR 3.3.4.1 [45.7] %

SR 3.3.4.2 SR 3.3.4.4 SR 3.3.4.5

c. Steam Generator Pressure Difference - 1,2,3 SR 3.3.4.1 [48.3] psid High (A > B) or (B > A) SR 3.3.4.2 SR 3.3.4.4 SR 3.3.4.5 (ce) Steam Generator Pressure - Low may be manually bypassed when steam generator pressure is < [785] psia.

The bypass shall be automatically removed whenever steam generator pressure is [785] psia.

(df) Only the Main Steam Isolation Signal (MSIS) Function and the Steam Generator Pressure - Low and Containment Pressure - High signals are not required to be OPERABLE when all associated valves isolated by the MSIS Function are closed and [de-activated].

CEOG STS 3.3.4-5 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protective System (RPS) Instrumentation - Operating (Analog)

BASES BACKGROUND The Reactor Protective System (RPS) initiates a reactor trip to protect against violating the core specified acceptable fuel design limits and breaching the reactor coolant pressure boundary (RCPB) during anticipated operational occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Features (ESF) systems in mitigating accidents.

The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The AnalyticAnalytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the AnalyticAnalytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the AnalyticAnalytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

REVIEWER'S NOTE ------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in [a document controlled under 10 CFR 50.59]. The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. Where margin is added between the Analytical Limit and trip setpoint, the standard terminology of Nominal Trip Setpoint (NTSP) should be used. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint, but for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting Trip Setpoint must be cited in Note b of Table 3.3.1-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. In some cases, replacing the LTSP with NTSP will also require the revision of the relationship discussion for Allowable Value (AV).

CEOG STS B 3.3.1-1 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contains the [LTSP] values and the methodology for calculating the as-left and as-found tolerances for the phrase "[a document controlled under 10 CFR 50.59]" throughout these Bases.

The [Limiting Trip Setpoint (LTSP)] trip setpoint is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the AnalyticAnalytical Limit and thus ensuring that the SL would not be exceeded. As such, the trip setpoint[LTSP]

accounts for uncertainties in setting the device (e.g., calibration),

uncertainties in how the device might actually perform (e.g., repeatability),

changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the trip setpoint[LTSP] ensuresplays an important role in ensuring that SLs are not exceeded. As such, the trip setpoint[LTSP] meets the definition of an LSSS (Ref. 1) and could be used to meet the requirement that the be contained in the Technical Specifications. If the setting of the protective device does not protect a Safety Limit, the [LTSP] is not an LSSS.

BASES BACKGROUND (continued)

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." For automatic protective devices, the required safety function is to ensure that a SL is not exceeded and therefore the LSSS as defined by 10 CFR 50.36 is the same as the OPERABILITY limit for these devices. However, use of the trip setpoint[LTSP] to define OPERABILITY in Technical Specifications and its corresponding designation as the LSSS required by 10 CFR 50.36 would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protective device setting during a Surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the trip setpoint[LTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the trip setpoint[LTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the ""as-found"" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the trip setpoint[LTSP] to account for further drift during the next surveillance interval.

CEOG STS B 3.3.1-2 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 Use of the trip setpoint[LTSP] to define "as-found" OPERABILITY and its designation as the LSSS under the expected circumstances described above would result in actions required by both the rule and Technical Specifications that are clearly not warranted. However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value which, as stated above, is the same as the LSSS. which is the least conservative value for the LSSS during testing. For LSSS functions, the actual [LTSP] value and the methodology for calculating the as-left and as-found tolerances will be maintained in [a document controlled under 10 CFR 50.59].

The Allowable Valuable specified in Table 3.3.1-1 is the least conservative value that the serves as the[LTSP] (LSSS) can have when tested, such that a channel is OPERABLE if the trip setpoint[LTSP] is found not to exceed theconservative with respect to the Allowable Value during the CHANNEL FUNCTIONAL TEST (CFT). As such, the Allowable Value differs from the trip setpoint[LTSP] by an amount primarily [greater than or] equal to the expected instrument loop channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will still meet the LSSS definition and ensure that a SL is not exceeded at any given point of time as long as the device has BASES BACKGROUND (continued) not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the

[LTSP] must be left adjusted to a value within the established [LTSP] as-left tolerance, in accordance with uncertainty assumptions (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria). If the actual setting of the device is found to have exceededto be non-conservative with respect to the Allowable Value, the device would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint should be left adjusted to a value within the established trip setpoint calibration tolerance band, The [LTSP] and the methodologies for calculation of the as-left and as-found tolerances are described in [a document controlled under 10 CFR 50.59]. in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

CEOG STS B 3.3.1-3 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES BACKGROUND (continued)

Four identical measurement channels, designated channels A through D, with electrical and physical separation are provided for each parameter used in the direct generation of trip signals. These are designated channels A through D. Measurement channels provide input to one or more RPS bistables within the same RPS channel. In addition, some measurement channels may also be used as inputs to Engineered Safety Features Actuation System (ESFAS) bistables, and most provide indication in the control room. Measurement channels used as an input to the RPS are never used for control functions.

When a channel monitoring a parameter exceeds a predetermined setpoint, indicating an unsafe condition, the bistable monitoring the parameter in that channel will trip. Tripping two or more channels of bistables monitoring the same parameter de-energizes Matrix Logic, which in turn de-energizes the Initiation Logic. This causes all eight RTCBs to open, interrupting power to the control element assemblies (CEAs), allowing them to fall into the core.

Three of the four measurement and bistable channels are necessary to meet the redundancy and testability of GDC 21 in 10 CFR 50, Appendix A (Ref. 2). The fourth channel provides additional flexibility by allowing one channel to be removed from service (trip channel bypass) for maintenance or testing while still maintaining a minimum two-out-of-three logic. Thus, even with a channel inoperable, no single additional failure in the RPS can either cause an inadvertent trip or prevent a required trip from occurring.

Since no single failure will either cause or prevent a protective system actuation, and no protective channel feeds a control channel, this arrangement meets the requirements of IEEE Standard 279-1971 (Ref. 4).

Many of the RPS trips are generated by comparing a single measurement to a fixed bistable setpoint[LTSP]. Certain Functions, however, make use of more than one measurement to provide a trip. The following trips use multiple measurement channel inputs:

Steam Generator Level - Low This trip uses the lower of the two steam generator levels as an input to a common bistable.

CEOG STS B 3.3.1-6 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES BACKGROUND (continued)

Steam Generator Pressure - Low This trip uses the lower of the two steam generator pressures as an input to a common bistable.

Variable High Power Trip (VHPT) - High The VHPT uses Q power as its only input. Q power is the higher of NI power and T power. It has a trip setpoint that tracks power levels downward so that it is always within a fixed increment above current power, subject to a minimum value.

On power increases, the trip setpoint [Limiting Trip Setpoint] remains fixed unless manually reset, at which point it increases to the new setpoint, a fixed increment above Q power at the time of reset, subject to a maximum value. Thus, during power escalation, the trip setpoint[LTSP] must be repeatedly reset to avoid a reactor trip.

Thermal Margin/Low Pressure (TM/LP) and Steam Generator Pressure Difference Q power is only one of several inputs to the TM/LP trip. Other inputs include internal ASI and cold leg temperature based on the higher of two cold leg resistance temperature detectors. The TM/LP trip setpoint is a complex function of these inputs and represents a minimum acceptable RCS pressure to be compared to actual RCS pressure in the TM/LP trip unit.

Steam generator pressure is also an indirect input to the TM/LP trip via the Steam Generator Pressure Difference. This Function provides a reactor trip when the secondary pressure in either steam generator exceeds that of the other generator by greater than a fixed amount. The trip is implemented by biasing the TM/LP trip setpoint upward so as to ensure TM/LP trip if an asymmetric steam generator transient is detected.

Axial Power Distribution (APD) - High Q Power and ASI are inputs to the APD trip. The APD trip setpoint is a function of Q power, being more restrictive at higher power levels.

It provides a reactor trip if actual ASI exceeds the APD trip setpoint.

CEOG STS B 3.3.1-7 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES BACKGROUND (continued)

Bistable Trip Units Bistable trip units, mounted in the RPS cabinet, receive an analog input from the measurement channels, compare the analog input to trip setpoints, and provide contact output to the Matrix Logic. They also provide local trip indication and remote annunciation.

There are four channels of bistable trip units, designated A through D, for each RPS Function, one for each measurement channel. Bistable output relays de-energize when a trip occurs.

The contacts from these bistable relays are arranged into six coincidence matrices, comprising the Matrix Logic. If bistables monitoring the same parameter in at least two channels trip, the Matrix Logic will generate a reactor trip (two-out-of-four logic).

Some of the RPS measurement channels provide contact outputs to the RPS, so the comparison of an analog input to a trip setpoint is not necessary. In these cases, the bistable trip unit is replaced with an auxiliary trip unit. The auxiliary trip units provide contact multiplication so the single input contact opening can provide multiple contact outputs to the coincidence logic as well as trip indication and annunciation.

Trips employing auxiliary trip units include the Loss of Load trip and the APD - High trip. The Loss of Load trip is a contact input from the Electro Hydraulic Control System control oil pressure on each of the four high pressure stop valves.

The APD trip, described above, is a complex function in which the actual trip comparison is performed within the CPC. Therefore the APD - High trip unit employs a contact input from the CPC.

All RPS trips, with the exception of the Loss of Load trip, generate a pretrip alarm as the trip setpoint is approached.

The trip setpoints used in the bistable trip units are based on the analytical limits stated in Reference 5. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors - for those RPS channels that must function in harsh environments, as defined by 10 CFR 50.49 (Ref. 6) - Allowable Values specified in Table 3.3.1-1, in the accompanying LCO, are CEOG STS B 3.3.1-8 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES BACKGROUND (continued) conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 7). The nominal trip setpoint[LTSP] entered into the bistable is normally still more conservative than that specified by the Allowable Value, to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. One example of such a change in measurement error is drift during the interval between surveillances. A channel is inoperable if its actual as-found setpoint is not conservative with respect to within its required Allowable Value.

Setpoints [Limiting Trip Setpoints] in accordance with the Allowable Value will ensure that SLs of Chapter 2.0 are not violated during AOOs and the consequences of DBAs will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.

Note that in the accompanying LCO 3.3.1, the Allowable Values of Table 3.3.1-1 are the least conservative value the LSSS can have when tested such that a channel is operable if the [LTSP] is found conservative with respect to the Allowable Value. .

RPS Logic The RPS Logic, addressed in LCO 3.3.3, consists of both Matrix and Initiation Logic and employs a scheme that provides a reactor trip when bistables in any two out of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic. This logic and the RTCB configuration are shown in Figure B 3.3.1-1.

Bistable relay contact outputs from the four channels are configured into six logic matrices. Each logic matrix checks for a coincident trip in the same parameter in two bistable channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices to reflect the bistable channels being monitored. Each logic matrix contains four normally energized matrix relays. When a coincidence is detected, consisting of a trip in the same Function in the two channels being monitored by the logic matrix, all four matrix relays de-energize.

The matrix relay contacts are arranged into trip paths, with one of the four matrix relays in each matrix opening contacts in one of the four trip paths.

Each trip path provides power to one of the four normally energized RTCB control relays (K1, K2, K3, and K4). The trip paths thus each have six contacts in series, one from each matrix, and perform a logical OR CEOG STS B 3.3.1-9 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES APPLICABLE SAFETY ANALYSES (continued)

Excess load (inadvertent opening of a steam generator ADV),

RCS depressurization (inadvertent safety or power operated relief valves (PORVs) opening),

Steam generator tube rupture, and

LOCA accident.

The first two events are AOOs, and fuel integrity is maintained.

The third and fourth are accidents, and limited fuel damage may occur although only the LOCA is expected to result in fuel damage. The trip is initiated whenever the RCS pressure signal drops below a minimum value (Pmin) or a computed value (Pvar) as described below, whichever is higher. The computed value is a Function Q power, ASI, as determined from the axially split excore detectors, reactor inlet (cold leg) temperature, and the number of RCPs operating.

The minimum value of reactor coolant flow rate, the maximum TQ, and the maximum CEA deviation permitted for continuous operation are assumed in the generation of this trip Function. In addition, CEA group sequencing in accordance with LCO 3.1.6, "Regulating Control Element Assembly (CEA) Insertion Limits,"

is assumed. Finally, the maximum insertion of CEA banks that can occur during any AOO prior to a VHPT is assumed.

b. Steam Generator Pressure Difference The Steam Generator Pressure Difference provides protection for those AOOs associated with secondary system malfunctions that result in asymmetric primary coolant temperatures. The most limiting event is closure of a single main steam isolation valve. Steam Generator Pressure Difference is provided by comparing the secondary pressure in both steam generators in the TM/LP calculator. If the pressure in either exceeds that in the other by the trip setpoint[LTSP], a TM/LP trip will result.

CEOG STS B 3.3.1-17 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES APPLICABLE SAFETY ANALYSES (continued)

Loss of Load and APD - High bypass removal. The Loss of Load and APD - High trips are automatically bypassed when at < 15% RTP as sensed by the power range NI Level 1 bistable. The bypass is automatically removed by this bistable above the setpoint. This same bistable is used to bypass the Power Rate of Change - High trip.

Steam Generator Pressure - Low bypass removal. The Steam Generator Pressure - Low trip is manually enabled below the pretrip setpoint. The permissive is removed, and the bypass automatically removed, when the Steam Generator Pressure - Low pretrip clears.

The RPS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. The specific criteria for determining channel OPERABILITY differ slightly between Functions. These criteria are discussed on a Function by Function basis below.

Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel in the same Function bypassed. Plants are restricted to 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months in a trip channel bypass condition before either restoring the Function to four channel operation (two-out-of-four logic) or placing the channel in trip (one-out-of-three logic). At plants where adequate channel to channel independence has been demonstrated, specific exceptions may be approved by the NRC staff to permit one of the two-out-of-four channels to be bypassed for an extended period of time.

Only the Allowable Values are specified for each RPS trip Function in the LCO. [Nominal trip setpointsLimiting Trip Setpoints and the methodologies to calculate the as-left and as-found tolerances are specified in [a document controlled under 10 CFR 50.59]. the plant specific setpoint calculations. The [nominal setpointsLTSP] are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS do not exceedare conservative with respect theto the Allowable Value if the bistable is performing as required. Operation with a trip setpoint trip setpoint less conservative than the Limiting Trip Setpoint nominal trip setpoint, but conservative with respect to within its Allowable Value,Value is acceptable, provided that operation and testing are consistent with the assumptions of the plant specific setpoint calculations. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip Function. These uncertainties are defined in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 7).

CEOG STS B 3.3.1-19 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES LCO (continued)

The following Bases for each trip Function identify the above RPS trip Function criteria items that are applicable to establish the trip Function OPERABILITY.

1. Variable High Power Trip (VHPT) - High This LCO requires all four channels of the VHPT to be OPERABLE in MODES 1 and 2.

The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Linear Power Level - High reactor VHPT -

High trips during normal plant operations. The Allowable Value is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA ejection accident occur. [The Variable High Power Trip - High trip Function is credited in the safety analysis for a CEA ejection event, excess load, excess feedwater heat removal, CEA ejection event and Main steam line break (outside containment), and is therefore considered to be a LSSS as defined in 10 CFR 50.36.]

The VHPT setpoint [LTSP] is operator adjustable and can be set at a fixed increment above the indicated THERMAL POWER level.

Operator action is required to increase the trip setpoint[LTSP] as THERMAL POWER is increased. The trip setpoint[LTSP] is automatically decreased as THERMAL POWER decreases. The trip setpoint[LTSP] has a maximum and a minimum setpoint.

Adding to this maximum value the possible variation in trip setpoint[LTSP] due to calibration and instrument errors, the maximum actual steady state THERMAL POWER level at which a trip would be actuated is 112% RTP, which is the value used in the safety analyses.

To account for these errors, the safety analysis minimum value is 40% RTP. The 10% step is a maximum value assumed in the safety analysis. There is no uncertainty applied to the step.

2. Power Rate of Change - High This LCO requires four channels of Power Rate of Change - High to be OPERABLE in MODES 1 and 2, as well as in MODES 3, 4, and 5 when the RTCBs are closed and the CEA Drive System is capable of CEA withdrawal.

The high power rate of change trip serves as a backup to the administratively enforced startup rate limit. The Function is not CEOG STS B 3.3.1-20 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 addressed in footnotes to the table. Exceptions to this APPLICABILITY are:

The APD - High Trip and Loss of Load are only applicable in MODE 1 15% RTP because they may be automatically bypassed at

< 15% RTP, where they are no longer needed.

The Power Rate of Change - High trip, RPS Logic, RTCBs, and Manual Trip are also required in MODES 3, 4, and 5, with the RTCBs closed, to provide protection for boron dilution and CEA withdrawal events. The Power Rate of Change - High trip in these lower MODES is addressed in LCO 3.3.2, ""Reactor Protective System (RPS) Instrumentation - Shutdown."" The RPS Logic in MODES 1, 2, 3, 4, and 5 is addressed in LCO 3.3.3.

Most trips are not required to be OPERABLE in MODES 3, 4, and 5. In MODES 3, 4, and 5, the emphasis is placed on return to power events.

The reactor is protected in these MODES by ensuring adequate SDM.

ACTIONS The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it to within specification. If the trip setpoint is less non-conservative with respect to the than the Allowable Value in Table 3.3.1-1, the channel is declared inoperable immediately, and the appropriate Condition(s) must be entered immediately.

In the event a channel's trip setpoint[LTSP is found non-conservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or RPS bistable trip unit is found inoperable, then all affected Functions provided by that channel must be declared inoperable, and the plant must enter the Condition for the particular protection Function affected.

When the number of inoperable channels in a trip Function exceeds that specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 is immediately entered if applicable in the current MODE of operation.

CEOG STS B 3.3.1-26 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES ACTIONS (continued)

G.1 Condition G is entered when the Required Action and associated Completion Time of Conditions A, B, C, D, E, or F are not met.

If the Required Actions associated with these Conditions cannot be completed within the required Completion Times, the reactor must be brought to a MODE in which the Required Actions do not apply. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months to be in MODE 3 is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE The SRs for any particular RPS Function are found in the SR column of REQUIREMENTS Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, CHANNEL CALIBRATION, and response time testing.

REVIEWERS NOTE-----------------------------------

In order for a plant to take credit for topical reports as the basis for justifying Frequencies, topical reports must be supported by an NRC staff SER that establishes the acceptability of each topical report for that plant (Ref. 9).

REVIEWERS NOTE -----------------------------------

The Notes in Table 3.3.1-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with LSSS values. Therefore, the Notes may be placed at the top of the column in the Table and applied to all Functions, or the Notes may be applied to specific SRs in the SR column only.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

CEOG STS B 3.3.1-30 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.3 It is necessary to calibrate the excore power range channel upper and lower subchannel amplifiers such that the internal ASI used in the TM/LP and APD - High trips reflects the true core power distribution as determined by the incore detectors. A Note to the Frequency indicates the Surveillance is required within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after THERMAL POWER is

[20]% RTP. Uncertainties in the excore and incore measurement process make it impractical to calibrate when THERMAL POWER is

< [20]% RTP. The Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allows time for plant stabilization, data taking, and instrument calibration. If the excore detectors are not properly calibrated to agree with the incore detectors, power is restricted during subsequent operations because of increased uncertainty associated with using uncalibrated excore detectors. The 31 day Frequency is adequate, based on operating experience of the excore linear amplifiers and the slow burnup of the detectors. The excore readings are a strong function of the power produced in the peripheral fuel bundles and do not represent an integrated reading across the core.

Slow changes in neutron flux during the fuel cycle can also be detected at this Frequency.

SR 3.3.1.4 A CHANNEL FUNCTIONAL TEST is performed on each RPS instrument channel, except Loss of Load and Power Rate of Change, every [92] days to ensure the entire channel will perform its intended function when needed. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

In addition to power supply tests, The RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in Reference 8.

These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. They include:

CEOG STS B 3.3.1-32 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Bistable Tests The bistable setpoint [LTSP] must be found to trip within the Allowable Values specified in the LCO and left set consistent with the assumptions of the plant specific setpoint analysis (Ref. 7). As-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the frequency extension analysis. The requirements for this review are outlined in Reference 10.

A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis.

SR 3.3.1.4 for selected Functions is modified by two Notes as identified in Table 3.3.1-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

Matrix Logic Tests Matrix Logic tests are addressed in LCO 3.3.3. This test is performed one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays.

CEOG STS B 3.3.1-33 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 During testing, power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.

Trip Path Tests Trip Path (Initiation Logic) tests are addressed in LCO 3.3.3. These tests are similar to the Matrix Logic tests, except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.

The Frequency of [92] days is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 10).

CEOG STS B 3.3.1-34 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.5 A CHANNEL CALIBRATION of the excore power range channels every 92 days ensures that the channels are reading accurately and within tolerance. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as foundas-found and as leftas-left values must also be recorded and reviewed for consistency with the assumptions of the frequency extension analysis. The requirements for this review are outlined in Reference [10].

A Note is added stating that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.2) and the monthly linear subchannel gain check (SR 3.3.1.3). In addition, associated control room indications are continuously monitored by the operators.

SR 3.3.1.5 for selected Functions is modified by two Notes as identified in Table 3.3.1-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation.

The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. The second Note also requires that the [LTSP] and the CEOG STS B 3.3.1-35 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

The Frequency of 92 days is acceptable, based on plant operating experience, and takes into account indications and alarms available to the operator in the control room.

SR 3.3.1.6 A CHANNEL FUNCTIONAL TEST on the Loss of Load and Power Rate of Change channels is performed prior to a reactor startup to ensure the entire channel will perform its intended function if required. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay.

This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. The Loss of Load pressure sensor cannot be tested during reactor operation without closing the high pressure TSV, which would result in a turbine trip or reactor trip. The Power Rate of Change - High trip Function is required during startup operation and is bypassed when shut down or > 15% RTP.

CEOG STS B 3.3.1-36 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.7 SR 3.3.1.7 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.1.4, except SR 3.3.1.7 is applicable only to bypass Functions and is performed once within 92 days prior to each startup. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay.

This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. Proper operation of bypass permissives is critical during plant startup because the bypasses must be in place to allow startup operation and must be removed at the appropriate points during power ascent to enable certain reactor trips. Consequently, the appropriate time to verify bypass removal function OPERABILITY is just prior to startup.

The allowance to conduct this test within 92 days of startup is based on the reliability analysis presented in topical report CEN-327, ""RPS/ESFAS Extended Test Interval Evaluation"" (Ref. 10). Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed. This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.1.4.

Therefore, further testing of the bypass function after startup is unnecessary.

SR 3.3.1.8 SR 3.3.1.8 is the performance of a CHANNEL CALIBRATION every

[18] months.

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as foundas-found and as leftas-left values must also be recorded and reviewed for consistency with the assumptions of the frequency extension analysis. The requirements for this review are outlined in Reference [10].

SR 3.3.1.8 for selected Functions is modified by two Notes as identified in Table 3.3.1-1. The selected Functions are those Functions that are LSSS CEOG STS B 3.3.1-37 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Analog)

B 3.3.1 and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation.

The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

The Frequency is based upon the assumption of an 18 month calibration interval for the determination of the magnitude of equipment drift.

CEOG STS B 3.3.1-38 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Analog)

B 3.3.4 B 3.3 INSTRUMENTATION B 3.3.4 Engineered Safety Features Actuation System (ESFAS) Instrumentation (Analog)

BASES BACKGROUND The ESFAS initiates necessary safety systems, based upon the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary and to mitigate accidents. This is achieved by specifying limiting safety system settings (LSSS), where they exist, in terms of parameters directly monitored by the ESFAS as well as LCOs on other reactor system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded.

However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

REVIEWER'S NOTE ------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in [a document controlled under 10 CFR 50.59]. The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. Where margin is added between the Analytical Limit and trip setpoint, the standard terminology of Nominal Trip Setpoint (NTSP) should be used. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint, but for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting Trip Setpoint must be cited in Note b of Table 3.3.4-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. In some cases, replacing the LTSP with NTSP will also require the revision of the relationship discussion for Allowable Value (AV).

Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contains the [LTSP] values and the methodology for calculating the as-left and as-found tolerances for the phrase "[a document controlled under 10 CFR 50.59]" throughout these Bases.

CEOG STS B 3.3.4-1 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Analog)

B 3.3.4 The [Limiting Trip Setpoint (LTSP)] is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the [LTSP] accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the

[LTSP] ensures that SLs are not exceeded. As such, the [LTSP] meets the definition of an LSSS (Ref. 1). If the setting of the protective device does not protect a Safety Limit, the [LTSP] is not an LSSS.

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." However, use of the [LTSP] to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protective device setting during a Surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the [LTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [LTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the [LTSP] to account for further drift during the next surveillance interval.

Use of the [LTSP] to define "as-found" OPERABILITY under the expected circumstances described above would result in actions required by both the rule and Technical Specifications that are clearly not warranted.

However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value which is the least conservative value for the LSSS during testing. For LSSS functions, the actual [LTSP] value and the methodology for calculating the as-left and as-found tolerances will be maintained in [a document controlled under 10 CFR 50.59].

The Allowable Valuable specified in Table 3.3.4-1 is the least conservative value that the [LTSP] (LSSS) can have when tested, such CEOG STS B 3.3.4-2 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Analog)

B 3.3.4 that a channel is OPERABLE if the [LTSP] is found conservative with respect to the Allowable Value during the CHANNEL FUNCTIONAL TEST (CFT). As such, the Allowable Value differs from the [LTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will ensure that a SL is not exceeded at any given point of time as long as the device has BASES BACKGROUND (continued) not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the

[LTSP] must be left adjusted to a value within the established [LTSP] as-left tolerance, in accordance with uncertainty assumptions (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria). If the actual setting of the device is found to be non-conservative with respect to the Allowable Value, the device would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

The ESFAS contains devices and circuitry that generate the following signals when the monitored variables reach levels that are indicative of conditions requiring protective action:

1. Safety Injection Actuation Signal (SIAS),

2. Containment Spray Actuation Signal (CSAS),

3. Containment Isolation Actuation Signal (CIAS),

4. Main Steam Isolation Signal (MSIS),

5. Recirculation Actuation Signal (RAS), and

6. Auxiliary Feedwater Actuation Signal (AFAS).

Equipment actuated by each of the above signals is identified in the FSAR (Ref. 1).

Each of the above ESFAS actuation systems is segmented into four sensor subsystems and two actuation subsystems. Each sensor subsystem includes measurement channels and bistables. The actuation subsystems include two logic subsystems for sequentially loading the diesel generators.

CEOG STS B 3.3.4-3 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Analog)

B 3.3.4 Each of the four sensor subsystem channels monitors redundant and independent process measurement channels. Each sensor is monitored by at least one bistable. The bistable associated with each ESFAS Function will trip when the monitored variable exceeds the trip setpoint[LTSP]. When tripped, the sensor subsystems provide outputs to the two actuation subsystems.

CEOG STS B 3.3.4-4 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Analog)

B 3.3.4 BASES BACKGROUND (continued)

In order to take full advantage of the four channel design, adequate channel to channel independence must be demonstrated, and approved by the NRC staff. Plants not currently licensed as to credit four channel independence that may desire this capability must have approval of the NRC staff documented by an NRC Safety Evaluation Report (Ref. 3).

Adequate channel to channel independence includes physical and electrical independence of each channel from the others. Furthermore, each channel must be energized from separate inverters and station batteries. Plants not demonstrating four channel independence may operate in a two-out-of-three logic configuration for 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months .

Since no single failure will either cause or prevent a protective system actuation and no protective channel feeds a control channel, this arrangement meets the requirements of IEEE Standard 79-1971 (Ref. 4).

Bistable Trip Units Bistable trip units receive an analog input from the measurement channels, compare the analog input to trip setpoints, and provide contact output to the Actuation Logic. They also provide local trip indication and remote annunciation.

There are four channels of bistables, designated A through D, for each ESF Function, one for each measurement channel. In cases where two ESF Functions share the same input and trip setpoint (e.g., containment pressure input to CSAS, CIAS, and SIAS and a Pressurizer Pressure -

Low input to the RPS and SIAS), the same bistable may be used to satisfy both Functions.

The [trip setpoints and Allowable Values used in the bistables are based on the analytical limits stated in Reference 5. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment effects, for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6), Allowable Values specified in Table 3.3.4-1, in the accompanying LCO, are conservatively adjusted with respect to the analytical limits. A detailed description of the method used to calculate the trip setpoints, including their explicit uncertainties, is provided in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 7). The actual nominal trip

[LTSP]

CEOG STS B 3.3.4-6 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Analog)

B 3.3.4 BASES BACKGROUND (continued) setpoint entered into the bistable is normally still more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. If the measured setpoint is conservative with respect to does not exceed the Allowable Value, the bistable is considered OPERABLE.

Setpoints [LTSPs] in accordance with the Allowable Value will ensure that Safety Limits of Chapter 2.0, "SAFETY LIMITS (SLs)," are not violated during anticipated operational occurrences (AOOs) and that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.

ESFAS Logic It is possible to change the two-out-of-four ESFAS logic to a two-out-of-three logic for a given input parameter in one channel at a time by disabling one channel input to the logic. Thus, the bistables will function normally, producing normal trip indication and annunciation, but ESFAS actuation will not occur since the bypassed channel is effectively removed from the coincidence logic. Trip channel bypassing can be simultaneously performed on any number of parameters in any number of channels, providing each parameter is bypassed in only one channel at a time. At some plants an interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel. Trip channel bypassing is normally employed during maintenance or testing.

ESFAS Logic is addressed in LCO 3.3.5.

APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. Functions such as Manual Initiation, not specifically credited in the accident analysis, serve as backups to Functions and are part of the NRC approved licensing basis for the plant.

ESFAS protective Functions are as follows:

CEOG STS B 3.3.4-7 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Analog)

B 3.3.4 BASES LCO The LCO requires all channel components necessary to provide an ESFAS actuation to be OPERABLE.

The Bases for the LCO on ESFAS Functions are:

1. Safety Injection Actuation Signal

a. Containment Pressure - High This LCO requires four channels of SIAS Containment Pressure

- High to be OPERABLE in MODES 1, 2, and 3.

The Allowable Value for this trip is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup) and is not indicative of an offnormal condition. The setting is low enough to initiate the ESF Functions when an offnormal condition is indicated. This allows the ESF systems to perform as expected in the accident analyses to mitigate the consequences of the analyzed accidents. [The Containment Pressure - High trip Function is credited in the safety analysis for LOCA, Main Steam Line breaks and Feedwater Line breaks, and is therefore considered to be a LSSS as defined in 10 CFR 50.36.]

b. Pressurizer Pressure - Low This LCO requires four channels of SIAS Pressurizer Pressure -

Low to be OPERABLE in MODES 1, 2, and 3.

The Allowable Value for this trip is set low enough to prevent actuating the SIAS during normal plant operation and pressurizer pressure transients. The setting is high enough that with a LOCA or MSLB it will actuate to perform as expected, mitigating the consequences of the accidents.

The Pressurizer Pressure - Low trip may be blocked when pressurizer pressure is reduced during controlled plant shutdowns. This block is permitted below 1800 psia, and block permissive responses are annunciated in the control room. This allows for a controlled depressurization of the RCS, while maintaining administrative control of ESF protection. From a blocked condition, the block will be automatically removed as pressurizer pressure increases above 1800 psia, as sensed by two of the four sensor subsystems, in accordance with the bypass philosophy of removing bypasses when the enabling conditions are no longer satisfied.

CEOG STS B 3.3.4-10 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Analog)

B 3.3.4 BASES APPLICABILITY (continued)

The ESFAS Actuation Logic must be OPERABLE in the same MODES as the automatic and Manual Trip. In MODE 4, only the portion of the ESFAS logic responsible for the required Manual Trip must be OPERABLE.

In MODES 5 and 6, ESFAS initiated systems are either reconfigured or disabled for shutdown cooling operation. Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components.

ACTIONS The most common cause of channel inoperability is outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis.

Typically, the drift is small and results in a delay of actuation rather than a total loss of function. Determination of setpoint drift is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it to within specification. If the actual plant trip setpoint is not within conservative with respect to the Allowable Value in Table 3.3.4-1, the channel is inoperable and the appropriate Condition(s) are entered.

In the event a channel's trip setpoint[LTSP] is found nonconservative with respect to the Allowable Value in Table 3.3.4-1, or the sensor, instrument loop, signal processing electronics, or ESFAS bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the plant must enter the Condition statement for the particular protection Function affected.

When the number of inoperable channels in a trip Function exceeds those specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.

A Note has been added to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function in Table 3.3.4-1. Completion Times for the inoperable channel of a Function will be tracked separately.

CEOG STS B 3.3.4-17 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Analog)

B 3.3.4 BASES ACTIONS (continued)

F.1 and F.2 If the Required Actions and associated Completion Times of Condition A, B, C, D, or E are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within

[12] hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE The SRs for any particular ESFAS Function are found in the SRs column REQUIREMENTS of Table 3.3.4-1 for that Function. Most functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, CHANNEL CALIBRATION, and response time testing.

REVIEWERS NOTE-----------------------------------

In order for a unit to take credit for topical reports as the basis for justifying Frequencies, topical reports should be supported by an NRC staff Safety Evaluation Report that establishes the acceptability of each topical report for that unit.

REVIEWERS NOTE --------------------------------------

The Notes in Table 3.3.4-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with LSSS values. Therefore, the Notes may be placed at the top of the column in the Table and applied to all Functions, or the Notes may be applied to specific Surveillance Requirements in the Surveillance Requirement column only.

SR 3.3.4.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

CEOG STS B 3.3.4-22 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Analog)

B 3.3.4 BASES SURVEILLANCE REQUIREMENTS (continued) times when Surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction. Offscale low current loop channels are verified to be reading at the bottom of the range and not failed downscale.

The Frequency of about once every shift is based on operating experience that demonstrates channel failure is rare. Since the probability of two random failures in redundant channels in any 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of CHANNEL OPERABILITY during normal operational use of displays associated with the LCO required channels.

SR 3.3.4.2 A CHANNEL FUNCTIONAL TEST is performed every [92] days to ensure the entire channel will perform its intended function when needed. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The CHANNEL FUNCTIONAL TEST tests the individual sensor subsystems using an analog test input to each bistable.

A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference [8].

SR 3.3.4.2 for selected Functions is modified by two Notes as identified in Table 3.3.4-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation.

CEOG STS B 3.3.4-24 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Analog)

B 3.3.4 The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

CEOG STS B 3.3.4-25 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Analog)

B 3.3.4 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.4.3 SR 3.3.4.3 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.4.2, except 3.3.4.3 is performed within 92 days prior to startup and is only applicable to bypass Functions. These include the Pressurizer Pressure -

Low bypass and the MSIS Steam Generator Pressure - Low bypass. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The CHANNEL FUNCTIONAL TEST for proper operation of the bypass removal Functions is critical during plant heatups because the bypasses may be in place prior to entering MODE 3 but must be removed at the appropriate points during plant startup to enable the ESFAS Function.

Consequently, just prior to startup is the appropriate time to verify bypass removal Function OPERABILITY. Once the bypasses are removed, the bypasses must not fail in such a way that the associated ESFAS Function is inappropriately bypassed. This feature is verified by the appropriate ESFAS Function CHANNEL FUNCTIONAL TEST.

The allowance to conduct this Surveillance within 92 days of startup is based upon the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 9).

SR 3.3.4.4 CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances.

CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the extension analysis. The requirements for this review are outlined in Reference [8].

CEOG STS B 3.3.4-26 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Analog)

B 3.3.4 BASES SURVEILLANCE REQUIREMENTS (continued)

The Frequency is based upon the assumption of an [18] month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.4.4 for selected Function trip units is modified by two Notes as identified in Table 3.3.4-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e.

limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service.

These channels will also be identified in the Corrective Action Program.

In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY.

The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

SR 3.3.4.5 This Surveillance ensures that the train actuation response times are the maximum values assumed in the safety analyses. Individual component response times are not modeled in the analyses. The analysis models the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the equipment in both trains reaches the required functional state (e.g.,

pumps at rated discharge pressure, valves in full open or closed position).

Response time testing acceptance criteria are included in Reference 3.

The test may be performed in one measurement or in overlapping segments, with verification that all components are measured.

REVIEWERS NOTE-----------------------------------

CEOG STS B 3.3.4-27 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital) 3.3.1 Table 3.3.1-1 (page 1 of 3)

Reactor Protective System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED SURVEILLANCE FUNCTION CONDITIONS REQUIREMENTS ALLOWABLE VALUE

1. Linear Power Level - High 1,2 SR 3.3.1.1 [111.3]% RTP SR 3.3.1.4 SR 3.3.1.6

[(a) (b)]

SR 3.3.1.7 SR 3.3.1.8 [(a) (b)]

SR 3.3.1.10 [(a) (b)]

SR 3.3.1.14 (ca)

2. Logarithmic Power Level - High 2 SR 3.3.1.1 [.96]%

SR 3.3.1.7 SR 3.3.1.10 SR 3.3.1.13 SR 3.3.1.14

3. Pressurizer Pressure - High 1,2 SR 3.3.1.1 [2389] psia SR 3.3.1.7 SR 3.3.1.10 SR 3.3.1.14 (dc)

4. Pressurizer Pressure - Low 1,2 SR 3.3.1.1 [1763] psig SR 3.3.1.7 SR 3.3.1.10 SR 3.3.1.13 SR 3.3.1.14

5. Containment Pressure - High 1,2 SR 3.3.1.1 [3.14] psig SR 3.3.1.7 SR 3.3.1.10 SR 3.3.1.14

6. Steam Generator #1 Pressure - 1,2 SR 3.3.1.1 [711] psia Low SR 3.3.1.7 SR 3.3.1.10 SR 3.3.1.14 (a) [INSERT 1]

(b) [INSERT 2]

(ac) Bypass may be enabled when logarithmic power is > [1E-4]% and shall be capable of automatic removal whenever logarithmic power is > [1E-4]%. Bypass shall be removed prior to reducing logarithmic power to a value [1E-4]%. Trip may be manually bypassed during physics testing pursuant to LCO 3.4.17, "RCS Loops

- Test Exceptions."

(b) Not used.

(cd) The setpoint may be decreased to a minimum value of [300] psia, as pressurizer pressure is reduced, provided the margin between pressurizer pressure and the setpoint is maintained [400] psi. Bypass may be enabled when pressurizer pressure is < [500] psia and shall be capable of automatic removal whenever pressurizer pressure is < [500] psia. Bypass shall be removed prior to raising pressurizer pressure to a value CEOG STS 3.3.1-7 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital) 3.3.1 Table 3.3.1-1 (page 2 of 3)

Reactor Protective System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED SURVEILLANCE FUNCTION CONDITIONS REQUIREMENTS ALLOWABLE VALUE

7. Steam Generator #2 Pressure -- 1,2 SR 3.3.1.1 [711] psia Low SR 3.3.1.7 SR 3.3.1.10 SR 3.3.1.14

8. Steam Generator #1 Level - Low 1,2 SR 3.3.1.1 [24.23]%

SR 3.3.1.7 SR 3.3.1.10 SR 3.3.1.14

9. Steam Generator #2 Level - Low 1,2 SR 3.3.1.1 [24.23]%

SR 3.3.1.7 SR 3.3.1.10 SR 3.3.1.14

[ 10. Reactor Coolant Flow, Steam 1,2 SR 3.3.1.1 Ramp: [0.231]

Generator #1 - Low (ed) SR 3.3.1.7 psid/sec.

SR 3.3.1.10 Floor: [12.1] psid

[SR 3.3.1.13] Step: [7.231] psid ]

SR 3.3.1.14

[ 11. Reactor Coolant Flow, Steam 1,2 SR 3.3.1.1 Ramp: [0.231]

Generator #2 - Low (ed) SR 3.3.1.7 psid/sec.

SR 3.3.1.10 Floor: [12.1] psid

[SR 3.3.1.13] Step: [7.231] psid ]

SR 3.3.1.14

[ 12. Loss of Load (turbine stop valve 1 SR 3.3.1.9 [100] psig ]

(fe) control oil pressure) SR 3.3.1.10

[SR 3.3.1.13]

(de) Bypass may be enabled when logarithmic power is < [1E-04]% and shall be capable of automatic removal whenever logarithmic power is < [1E-4]%. Bypass shall be removed prior to raising logarithmic power to a value [1E-4]%. During testing pursuant to LCO 3.4.17, bypass may be enabled when THERMAL POWER is

< [5]% RTP and shall be capable of automatic removal whenever THERMAL POWER is < [5]% RTP. Bypass shall be removed above 5% RTP.

(ef) Bypass may be enabled when THERMAL POWER is < [55]% RTP and shall be capable of automatic removal whenever THERMAL POWER is < [55]% RTP. Bypass shall be removed prior to raising THERMAL POWER to a value [55]% RTP.

CEOG STS 3.3.1-9 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital) 3.3.1 Table 3.3.1-1 (page 3 of 3)

Reactor Protective System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED SURVEILLANCE FUNCTION CONDITIONS REQUIREMENTS ALLOWABLE VALUE (de)

13. Local Power Density - High 1,2 SR 3.3.1.1 [21.0] kW/ft SR 3.3.1.2 SR 3.3.1.3 SR 3.3.1.4 SR 3.3.1.5 SR 3.3.1.7 SR 3.3.1.10 SR 3.3.1.11 SR 3.3.1.12 SR 3.3.1.13 SR 3.3.1.14

14. Departure From Nucleate Boiling 1,2 SR 3.3.1.1 [1.31]

(de)

Ratio (DNBR) - Low SR 3.3.1.2 SR 3.3.1.3 SR 3.3.1.4 SR 3.3.1.5 SR 3.3.1.7 SR 3.3.1.10 SR 3.3.1.11 SR 3.3.1.12 SR 3.3.1.13 SR 3.3.1.14 (de) Bypass may be enabled when logarithmic power is < [1E-04]% and shall be capable of automatic removal whenever logarithmic power is < [1E-4]%. Bypass shall be removed prior to raising logarithmic power to a value [1E-4]%. During testing pursuant to LCO 3.4.17, bypass may be enabled when THERMAL POWER is

< [5]% RTP and shall be capable of automatic removal whenever THERMAL POWER is < [5]% RTP. Bypass shall be removed above 5% RTP.

CEOG STS 3.3.1-10 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Digital) 3.3.5 Table 3.3.5-1 (page 1 of 2)

Engineered Safety Features Actuation System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED FUNCTION CONDITIONS ALLOWABLE VALUE (a)

1. Safety Injection Actuation Signal

[(b) (c)]

a. Containment Pressure - High 1,2,3 [3.14] psig (bd)

b. Pressurizer Pressure - Low 1,2,3 [1763] psia

2. Containment Spray Actuation Signal

a. Containment Pressure -- High High 1,2,3 [16.83] psia

b. Automatic SIAS 1,2,3 NA

3. Containment Isolation Actuation Signal

a. Containment Pressure -- High 1,2,3 [3.14] psig (db)

b. Pressurizer Pressure - Low 1,2,3 [1763] psia

4. Main Steam Isolation Signal (ce) (df)

a. Steam Generator Pressure - Low 1,2 ,3(df) [711] psig

b. Containment Pressure - High 1,2(df),3(df) [3.14] psig

5. Recirculation Actuation Signal

a. Refueling Water Storage Tank Level - 1,2,3 [ 17.73 and 19.27]%

Low (a) Automatic SIAS also initiates a Containment Cooling Actuation Signal (CCAS).

(b) [INSERT 1]

(c) [INSERT 2]

(bd) The setpoint may be decreased to a minimum value of [300] psia, as pressurizer pressure is reduced, provided the margin between pressurizer pressure and the setpoint is maintained [400] psia. Trips may be bypassed when pressurizer pressure is < [400] psia. Bypass shall be automatically removed when pressurizer pressure is [500] psia. The setpoint shall be automatically increased to the normal setpoint as pressurizer pressure is increased.

(ec) The setpoint may be decreased as steam pressure is reduced, provided the margin between steam pressure and the setpoint is maintained [200] psig. The setpoint shall be automatically increased to the normal setpoint as steam pressure is increased.

(df) The Main Steam Isolation Signal (MSIS) Function (Steam Generator Pressure - Low and Containment Pressure - High signals) is not required to be OPERABLE when all associated valves isolated by the MSIS Function are closed and [de-activated].

CEOG STS 3.3.5-4 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protective System (RPS) Instrumentation - Operating (Digital)

BASES BACKGROUND The Reactor Protective System (RPS) initiates a reactor trip to protect against violating the core specified acceptable fuel design limits and breaching the reactor coolant pressure boundary (RCPB) during anticipated operational occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Features (ESF) systems in mitigating accidents.

The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The AnalyticAnalytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the AnalyticAnalytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the AnalyticAnalytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

REVIEWER'S NOTE ------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in [a document controlled under 10 CFR 50.59]. The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. Where margin is added between the Analytical Limit and trip setpoint, the standard terminology of Nominal Trip Setpoint (NTSP) should be used. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint, but for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting Trip Setpoint must be cited in Note b of Table 3.3.1-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. In some cases, replacing the LTSP with NTSP will also require the revision of the relationship discussion for Allowable Value (AV).

CEOG STS B 3.3.1-1 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contains the [LTSP] values and the methodology for calculating the as-left and as-found tolerances for the phrase "[a document controlled under 10 CFR 50.59]" throughout these Bases.

The [Limiting Trip Setpoint (LTSP)] trip setpoint is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the AnalyticAnalytical Limit and thus ensuring that the SL would not be exceeded. As such, the trip setpoint

[LTSP] accounts for uncertainties in setting the device (e.g., calibration),

uncertainties in how the device might actually perform (e.g., repeatability),

changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the trip setpoint [LTSP] ensuresplays an important role in ensuring that SLs are not exceeded. As such, the trip setpoint [LTSP] meets the definition of an LSSS (Ref. 1). andcould be used to meet the requirement that the be contained in the Technical Specifications.If the setting of the protective device does not protect a Safety Limit, the [LTSP]

is not an LSSS.

BASES BACKGROUND (continued)

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." For automatic protective devices, the required safety function is to ensure that a SL is not exceeded and therefore the LSSS as defined by 10 CFR 50.36 is the same as the OPERABILITY limit for these devices. However, use of the trip setpoint [LTSP] to define OPERABILITY in Technical Specifications and its corresponding designation as the LSSS required by 10 CFR 50.36 would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protective device setting during a Surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the trip setpoint

[LTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the trip setpoint

[LTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action CEOG STS B 3.3.1-2 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 required would be to reset the device to the trip setpoint [LTSP] to account for further drift during the next surveillance interval.

Use of the trip setpoint [LTSP] to define "as-found" OPERABILITY and its designation as the LSSS under the expected circumstances described above would result in actions required by both the rule and Technical Specifications that are clearly not warranted. However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value which, as stated above, is the same as the LSSS. which is the least conservative value for the LSSS during testing. For LSSS functions, the actual [LTSP] value and the methodology for calculating the as-left and as-found tolerances will be maintained in [a document controlled under 10 CFR 50.59].

The Allowable Valuable specified in Table 3.3.1-1 is the least conservative value that theserves as the [LTSP] (LSSS) can have when tested such that a channel is OPERABLE if the trip setpoint [LTSP] is found not to exceed theconservative with respect to the Allowable Value during the CHANNEL FUNCTIONAL TEST (CFT). As such, the Allowable Value differs from the trip setpoint [LTSP] by an amount primarily [greater than or equal to the expected instrument loop channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will still meet the LSSS definition and ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the BASES BACKGROUND (continued) surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the [LTSP] must be left adjusted to a value within the as-left tolerance, and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found). If the actual setting of the device is found to have exceededto be non-conservative with respect theto the Allowable Value the device would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint should be left adjusted to a value within the established trip setpoint calibration tolerance band, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

CEOG STS B 3.3.1-3 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 BASES BACKGROUND (continued)

Each CEA has two separate reed switch assemblies mounted outside the RCPB. Each of the two CEACs receives CEA position input from one of the two reed switch position transmitters on each CEA, so that the position of all CEAs is independently monitored by both CEACs.

CEACs are addressed in LCO 3.3.3.

Bistable Trip Units Bistable trip units, mounted in the Plant Protection System (PPS) cabinet, receive an analog input from the measurement channels. They compare the analog input to trip setpoints and provide contact output to the Matrix Logic. They also provide local trip indication and remote annunciation.

There are four channels of bistables, designated A, B, C, and D, for each RPS parameter, one for each measurement channel. Bistables de-energize when a trip occurs, in turn de-energizing bistable relays mounted in the PPS relay card racks.

The contacts from these bistable relays are arranged into six coincidence matrices, comprising the Matrix Logic. If bistables monitoring the same parameter in at least two channels trip, the Matrix Logic will generate a reactor trip (two-out-of-four logic).

Some measurement channels provide contact outputs to the PPS. In these cases, there is no bistable card, and opening the contact input directly de-energizes the associated bistable relays. These include the Loss of Load trip and the CPC generated DNBR - Low and LPD - High trips.

The trip setpoints used in the bistables are based on the analytical limits derived from the accident analysis (Ref. 6). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 7), Allowable Values specified in Table 3.3.1-1, in the accompanying LCO, are CEOG STS B 3.3.1-8 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 BASES BACKGROUND (continued) conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in "Plant Protection System Selection of Trip Setpoint Values" (Ref. 8). The nominal trip setpoint[LTSP] entered into the bistable is normally still more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. One example of such a change in measurement error is drift during the interval between surveillances. A channel is inoperable if its actual setpoint is not withinnon-conservative with respect to its Allowable Value.

[Limiting Trip Setpoints]Setpoints in accordance with the Allowable Value will ensure that SLs of Chapter 2.0, "SAFETY LIMITS (SLs)," are not violated during AOOs, and the consequences of DBAs will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.

Note that in LCO 3.3.1, the Allowable Values of Table 3.3.1-1 are the least conservative value the LSSS can have when tested such that a channel is OPERABLE if the [LTSP] is found conservative with respect to the Allowable Value.

Functional testing of the entire RPS, from bistable input through the opening of individual sets of RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. Nuclear instrumentation, the CPCs, and the CEACs can be similarly tested.

FSAR, Section [7.2] (Ref. 9), provides more detail on RPS testing.

Processing transmitter calibration is normally performed on a refueling basis.

RPS Logic The RPS Logic, addressed in LCO 3.3.4, consists of both Matrix and Initiation Logic and employs a scheme that provides a reactor trip when bistables in any two of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic.

Bistable relay contact outputs from the four channels are configured into six logic matrices. Each logic matrix checks for a coincident trip in the same parameter in two bistable channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices to reflect the bistable channels being monitored. Each logic matrix contains four normally energized matrix relays. When a coincidence is detected, consisting of a trip in the same Function in the two channels being monitored by the logic matrix, all four matrix relays de-energize.

CEOG STS B 3.3.1-9 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 BASES LCO The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel in the same Function bypassed. With one channel in each Function trip channel bypassed, this effectively places the plant in a two-out-of-three logic configuration in those Functions.

Only the Allowable Values are specified for each RPS trip Function in the LCO. [Limiting Trip Setpoints and the methodologies to calculate the as-left and as-found tolerances Nominal trip setpoints are specified in the[a document controlled under 10 CFR 50.59]. plant specific setpoint calculations. The nominal setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS do not exceedare conservative with respect to the Allowable Value if the bistable is performing as required. Operation with a plant trip setpoint less conservative than the nominal trip setpoint[LTSP], but conservative with respect to within its Allowable Value, is acceptable, provided that operation and testing are consistent with the assumptions of the plant specific setpoint calculations. A channel is inoperable if its actual trip setpoint is not within non-conservative with respect to its required Allowable Value. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip Function. These uncertainties are defined in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 8).

The Bases for the individual Function requirements are as follows:

1. Linear Power Level - High This LCO requires all four channels of Linear Power Level - High to be OPERABLE in MODES 1 and 2.

The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Linear Power Level - High reactor trips during normal plant operations. The Allowable Value is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA ejection accident occur. [The Linear Power Level - High trip Function is credited in the safety analysis for a uncontrolled CEA Withdrawal from Low Power, uncontrolled CEA Withdrawal at Power and CEA ejection, and is therefore considered to be a LSSS as defined in 10 CFR 50.36.]

2. Logarithmic Power Level - High CEOG STS B 3.3.1-19 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 5% RTP to allow special testing without generating a reactor trip.

The Linear Power Level - High trip setpoint is reduced, so as to provide protection during testing.

Interlocks/Bypasses The LCO on bypass permissive removal channels requires that the automatic bypass removal feature of all four operating bypass channels be OPERABLE for each RPS Function with an operating bypass in the MODES addressed in the specific LCO for each Function. All four bypass removal channels must be OPERABLE to ensure that none of the four RPS channels are inadvertently bypassed.

This LCO applies to the bypass removal feature only. If the bypass enable Function is failed so as to prevent entering a bypass condition, operation may continue. In the case of the Logarithmic Power Level -

High trip (Function 2), the absence of a bypass will limit maximum power to below the trip setpoint.

The interlock function Allowable Values are based upon analysis of functional requirements for the bypassed Functions. These are discussed above as part of the LCO discussion for the affected Functions.

BASES APPLICABILITY Most RPS trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The reactor trips are designed to take the reactor subcritical, which maintains the SLs during AOOs and assists the ESFAS in providing acceptable consequences during accidents. Most trips are not required to be OPERABLE in MODES 3, 4, and 5. In MODES 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODES by ensuring adequate SDM. Exceptions to this are:

The Logarithmic Power Level - High trip, RPS Logic RTCBs, and Manual Trip are required in MODES 3, 4, and 5, with the RTCBs closed, to provide protection for boron dilution and CEA withdrawal events.

The Logarithmic Power Level - High trip in these lower MODES is addressed in LCO 3.3.2. The Logarithmic Power Level - High trip is bypassed prior to MODE 1 entry and is not required in MODE 1. The RPS Logic in MODES 1, 2, 3, 4, and 5 is addressed in LCO 3.3.4.

ACTIONS The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it to within specification. If the trip setpoint [LTSP]

CEOG STS B 3.3.1-25 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 is less non-cconservative than with respect theto the Allowable Value in Table 3.3.1-1, the channel is declared inoperable immediately, and the appropriate Condition(s) must be entered immediately.

In the event a channel's trip setpoint [LTSP] is found non-conservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or RPS bistable trip unit is found inoperable, then all affected functions provided by that channel must be declared inoperable, and the unit must enter the Condition for the particular protection Function affected.

When the number of inoperable channels in a trip Function exceeds that specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 is immediately entered if applicable in the current MODE of operation.

CEOG STS B 3.3.1-26 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 BASES ACTIONS (continued)

One of the two inoperable channels will need to be restored to operableOPERABLE status prior to the next required CHANNEL FUNCTIONAL TEST, because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not possible to bypass more than one RPS channel, and placing a second channel in trip will result in a reactor trip.

Therefore, if one RPS channel is in trip and a second channel is in bypass, a third inoperable channel would place the unit in LCO 3.0.3.

C.1, C.2.1, and C.2.2 Condition C applies to one automatic bypass removal channel inoperable.

If the inoperable bypass removal channel for any bypass channel cannot be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , the associated RPS channel may be considered OPERABLE only if the bypass is not in effect.

Otherwise, the affected RPS channel must be declared inoperable, as in Condition A, and the affected automatic trip channel placed in bypass or trip. The bypass removal channel and the automatic trip channel must be repaired prior to entering MODE 2 following the next MODE 5 entry. The Bases for the Required Actions and required Completion Times are consistent with Condition A.

D.1 and D.2 Condition D applies to two inoperable automatic bypass removal channels. If the bypass removal channels for two operating bypasses cannot be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , the associated RPS channel may be considered OPERABLE only if the bypass is not in effect. Otherwise, the affected RPS channels must be declared inoperable, as in Condition B, and the bypass either removed or one automatic trip channel placed in bypass and the other in trip within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

The restoration of one affected bypassed automatic trip channel must be completed prior to the next CHANNEL FUNCTIONAL TEST, or the plant must shut down per LCO 3.0.3 as explained in Condition B.

CEOG STS B 3.3.1-28 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 BASES ACTIONS (continued)

If the Required Actions associated with these Conditions cannot be completed within the required Completion Time, the reactor must be brought to a MODE where the Required Actions do not apply. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE The SRs for any particular RPS Function are found in the SR column of REQUIREMENTS Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, CHANNEL CALIBRATION, and response time testing.

REVIEWERS NOTE-----------------------------------

In order for a plant to take credit for topical reports as the basis for justifying Frequencies, topical reports must be supported by an NRC staff SER that establishes the acceptability of each topical report for that unit.

REVIEWERS NOTE -----------------------------------

The Notes in Table 3.3.1-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with LSSS values. Therefore, the Notes may be placed at the top of the column in the Table and applied to all Functions, or the Notes may be applied to specific SRs in the SR column only.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limits.

CEOG STS B 3.3.1-30 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 The 31 day Frequency is adequate because the demonstrated long term drift of the instrument channels is minimal.

BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.7 A CHANNEL FUNCTIONAL TEST on each channel except Loss of Load, power range neutron flux, and logarithmic power level channels is performed every 92 days to ensure the entire channel will perform its intended function when needed. The SR is modified by two Notes.

Note 1 is a requirement to verify the correct CPC addressable constant values are installed in the CPCs when the CPC CHANNEL FUNCTIONAL TEST is performed. Note 2 allows the CHANNEL FUNCTIONAL TEST for the Logarithmic Power Level - High channels to be performed 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months after logarithmic power drops below 1E-4% and is required to be performed only if the RTCBs are closed.

In addition to power supply tests, the RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in Reference 9.

These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. They include:

Bistable Tests A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the interval between surveillance interval extension analysis. The requirements for this review are outlined in Reference [10].

Matrix Logic Tests Matrix Logic tests are addressed in LCO 3.3.4. This test is performed one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays.

During testing, power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.

CEOG STS B 3.3.1-33 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 SR 3.3.1.7 for selected Functions is modified by two Notes as identified in Table 3.3.1-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

CEOG STS B 3.3.1-34 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Trip Path Tests Trip path (Initiation Logic) tests are addressed in LCO 3.3.4. These tests are similar to the Matrix Logic tests, except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, thereby opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.

The Frequency of 92 days is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 10).

The CPC and CEAC channels and excore nuclear instrumentation channels are tested separately.

The excore channels use preassigned test signals to verify proper channel alignment. The excore logarithmic channel test signal is inserted into the preamplifier input, so as to test the first active element downstream of the detector.

The power range excore test signal is inserted at the drawer input, since there is no preamplifier.

The quarterly CPC CHANNEL FUNCTIONAL TEST is performed using software. This software includes preassigned addressable constant values that may differ from the current values. Provisions are made to store the addressable constant values on a computer disk prior to testing and to reload them after testing. A Note is added to the Surveillance Requirements to verify that the CPC CHANNEL FUNCTIONAL TEST includes the correct values of addressable constants. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay.

This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

CEOG STS B 3.3.1-35 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.8 A Note indicates that neutron detectors are excluded from CHANNEL CALIBRATION. A CHANNEL CALIBRATION of the power range neutron flux channels every 92 days ensures that the channels are reading accurately and within tolerance (Ref. 10). The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests.

CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the interval between surveillance interval extension analysis. The requirements for this review are outlined in Reference 10. Operating experience has shown this Frequency to be satisfactory. The detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4) and the monthly linear subchannel gain check (SR 3.3.1.6). In addition, the associated control room indications are monitored by the operators.

SR 3.3.1.8 for selected Functions is modified by two Notes as identified in Table 3.3.1-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation.

The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared CEOG STS B 3.3.1-36 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 inoperable. The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

[ SR 3.3.1.9 The characteristics and Bases for this Surveillance are as described for SR 3.3.1.7. This Surveillance differs from SR 3.3.1.7 only in that the CHANNEL FUNCTIONAL TEST on the Loss of Load functional unit is only required above 55% RTP. When above 55% and the trip is in effect, the CHANNEL FUNCTIONAL TEST will ensure the channel will perform its equipment protective function if needed. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay.

This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. The Note allowing 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months after reaching 55% RTP is necessary for Surveillance performance. This Surveillance cannot be performed below 55% RTP, since the trip is bypassed. ]

CEOG STS B 3.3.1-37 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.10 SR 3.3.1.10 is the performance of a CHANNEL CALIBRATION every

[18] months.

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference [10].

The Frequency is based upon the assumption of an [18] month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis as well as operating experience and consistency with the typical [18] month fuel cycle.

The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4) and the monthly linear subchannel gain check (SR 3.3.1.6).

SR 3.3.1.10 for selected Functions is modified by two Notes as identified in Table 3.3.1-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation.

The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The CEOG STS B 3.3.1-38 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation - Operating (Digital)

B 3.3.1 second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

SR 3.3.1.11 Every [18] months, a CHANNEL FUNCTIONAL TEST is performed on the CPCs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY including alarm and trip Functions. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

CEOG STS B 3.3.1-39 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Digital)

B 3.3.5 B 3.3 INSTRUMENTATION B 3.3.5 Engineered Safety Features Actuation System (ESFAS) Instrumentation (Digital)

BASES BACKGROUND The ESFAS initiates necessary safety systems, based upon the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and ensures acceptable consequences during accidents. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the ESFAS, as well as LCOs on other system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded.

However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

REVIEWER'S NOTE ------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in [a document controlled under 10 CFR 50.59]. The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. Where margin is added between the Analytical Limit and trip setpoint, the standard terminology of Nominal Trip Setpoint (NTSP) should be used. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint, but for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting Trip Setpoint must be cited in Note c of Table 3.3.5-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. In some cases, replacing the LTSP with NTSP will also require the revision of the relationship discussion for Allowable Value (AV).

Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contains the [LTSP] values and the methodology for calculating the as-left and as-found tolerances for the phrase "[a document controlled under 10 CFR 50.59]" throughout these Bases.

CEOG STS B 3.3.5-1 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Digital)

B 3.3.5 The [Limiting Trip Setpoint (LTSP)] is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the [LTSP] accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the

[LTSP] ensures that SLs are not exceeded. As such, the [LTSP] meets the definition of an LSSS (Ref. 1). If the setting of the protective device does not protect a Safety Limit, the [LTSP] is not an LSSS.

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." However, use of the [LTSP] to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protective device setting during a Surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the [LTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [LTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the [LTSP] to account for further drift during the next surveillance interval.

Use of the [LTSP] to define "as-found" OPERABILITY under the expected circumstances described above would result in actions required by both the rule and Technical Specifications that are clearly not warranted.

However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value which is the least conservative value for the LSSS during testing. For LSSS functions, the actual [LTSP] value and the methodology for calculating the as-left and as-found tolerances will be maintained in [a document controlled under 10 CFR 50.59].

The Allowable Valuable specified in Table 3.3.5-1 is the least conservative value that the [LTSP] (LSSS) can have when tested such CEOG STS B 3.3.5-2 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Digital)

B 3.3.5 that a channel is OPERABLE if the [LTSP] is found conservative with respect to the Allowable Value during the CHANNEL FUNCTIONAL TEST (CFT). As such, the Allowable Value differs from the [LTSP] by an amount [greater than or equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the [LTSP] must be left adjusted to a value within the as-left tolerance, and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found). If the actual setting of the device is found to be non-conservative with respect to the Allowable Value the device would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

The ESFAS contains devices and circuitry that generate the following signals when monitored variables reach levels that are indicative of conditions requiring protective action:

1. Safety Injection Actuation Signal (SIAS), Containment Cooling Actuation Signal (CCAS) (actuated by an automatic SIAS),

2. Containment Spray Actuation Signal (CSAS),

3. Containment Isolation Actuation Signal (CIAS),

4. Main Steam Isolation Signal (MSIS),

5. Recirculation Actuation Signal (RAS), and 6, 7. Emergency Feedwater Actuation Signal (EFAS).

Equipment actuated by each of the above signals is identified in the FSAR (Ref. 1).

Each of the above ESFAS instrumentation systems is segmented into three interconnected modules. These modules are:

Measurement channels,

Bistable trip units, and

ESFAS Logic:

- Matrix Logic,

- Initiation Logic (trip paths), and CEOG STS B 3.3.5-3 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Digital)

B 3.3.5 BASES BACKGROUND (continued)

REVIEWERS NOTE-----------------------------------

In order to take full advantage of the four channel design, adequate channel to channel independence must be demonstrated and approved by the NRC staff. Plants not currently licensed to credit four channel independence that may desire this capability must have approval of the NRC staff, documented by an NRC Safety Evaluation Report (Ref. 3).

Adequate channel to channel independence includes physical and electrical independence of each channel from the others. Furthermore, each channel must be energized from separate inverters and station batteries. Plants that have demonstrated adequate channel to channel independence may operate in two-out-of-three logic configuration, with one channel removed from service, until following the next MODE 5 entry.

Plants not demonstrating four channel independence can only operate for 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months with one channel inoperable (Ref. 3).

Since no single failure will either cause or prevent a protective system actuation, and no protective channel feeds a control channel, this arrangement meets the requirements of IEEE Standard 279-1971 (Ref. 4).

Bistable Trip Units Bistable trip units, mounted in the Plant Protection System (PPS) cabinet, receive an analog input from the measurement channels, compare the analog input to trip setpoints[LTSPs], and provide contact output to the Matrix Logic for each ESFAS Function. They also provide local trip indication and remote annunciation.

There are four channels of bistables, designated A through D, for each ESFAS Function, one for each measurement channel. In cases where two ESF Functions share the same input and trip setpoint (e.g.,

containment pressure input to CIAS and SIAS), the same bistable may be used to satisfy both Functions. Similarly, bistables may be shared between the RPS and ESFAS (e.g., Pressurizer Pressure - Low input to the RPS and SIAS). Bistable output relays de-energize when a trip occurs, in turn de-energizing bistable relays mounted in the PPS relay card racks.

The contacts from these bistable relays are arranged into six coincidence matrices, comprising the Matrix Logic. If bistables monitoring the same parameter in at least two channels trip, the Matrix Logic will generate an ESF actuation (two-out-of-four logic).

CEOG STS B 3.3.5-6 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Digital)

B 3.3.5 BASES BACKGROUND (continued)

The trip setpoints and Allowable Values used in the bistables are based on the analytical limits stated in Reference 5. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment effects, for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6), Allowable Values specified in Table 3.3.5-1, in the accompanying LCO, are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 7). The actual nominal trip setpoint[LTSP] entered into the bistable is normally still more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. A channel is inoperable if its actual trip setpoint is not withinconservative with respect to its required Allowable Value.

Setpoints [LTSPs] in accordance with the Allowable Value will ensure that Safety Limits of LCO Section 2.0, "Safety Limits," are not violated during AOOs and the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.

Functional testing of the ESFAS, from the bistable input through the opening of initiation relay contacts in the ESFAS Actuation Logic, can be performed either at power or at shutdown and is normally performed on a quarterly basis. FSAR, Section [7.2] (Ref. 8), provides more detail on ESFAS testing. Process transmitter calibration is normally performed on a refueling basis. SRs for the channels are specified in the Surveillance Requirements section.

ESFAS Logic The ESFAS Logic, consisting of Matrix, Initiation and Actuation Logic, employs a scheme that provides an ESF actuation of both trains when bistables in any two of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic.

CEOG STS B 3.3.5-7 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Digital)

B 3.3.5 BASES LCO (continued)

1. Safety Injection Actuation Signal

a. Containment Pressure - High This LCO requires four channels of Containment Pressure - High to be OPERABLE in MODES 1, 2, and 3.

The Containment Pressure - High signal is shared among the SIAS (Function 1), CIAS (Function 3), and MSIS (Function 4).

The Allowable Value for this trip is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup) and is not indicative of an abnormal condition. The setting is low enough to initiate the ESF Functions when an abnormal condition is indicated. This allows the ESF systems to perform as expected in the accident analyses to mitigate the consequences of the analyzed accidents. [The Containment Pressure - High trip Function is credited in the safety analysis for LOCA, Main Steam Line breaks and Feedwater Line breaks, and is therefore considered to be a LSSS as defined in 10 CFR 50.36.]

b. Pressurizer Pressure - Low This LCO requires four channels of Pressurizer Pressure - Low to be OPERABLE in MODES 1 and 2.

The Allowable Value for this trip is set low enough to prevent actuating the ESF Functions (SIAS and CIAS) during normal plant operation and pressurizer pressure transients. The setting is high enough that, with the specified accidents, the ESF systems will actuate to perform as expected, mitigating the consequences of the accident.

The Pressurizer Pressure - Low trip setpoint, which provides SIAS, CIAS, and RPS trip, may be manually decreased to a floor value of 300 psia to allow for a controlled cooldown and depressurization of the RCS without causing a reactor trip, CIAS, or SIAS. The margin between actual pressurizer pressure and the trip setpoint must be maintained less than or equal to the specified value (400 psia) to ensure a reactor trip, CIAS, and SIAS will occur if required during RCS cooldown and depressurization.

CEOG STS B 3.3.5-13 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Digital)

B 3.3.5 BASES APPLICABILITY (continued)

In MODES 4, 5, and 6, automatic actuation of these Functions is not required because adequate time is available to evaluate plant conditions and respond by manually operating the ESF components if required, as addressed by LCO 3.3.6.

Several trips have operating bypasses, discussed in the preceding LCO section. The interlocks that allow these bypasses shall be OPERABLE whenever the RPS Function they support is OPERABLE.

ACTIONS The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. Determination of setpoint drift is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it to within specification.

In the event a channel's trip setpoint[LTSP] is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or ESFAS bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition entered for the particular protection Function affected.

When the number of inoperable channels in a trip Function exceeds those specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 should be entered immediately, if applicable in the current MODE of operation.

A Note has been added to the ACTIONS. The Note has been added to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Time for the inoperable channel of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 and A.2 Condition A applies to the failure of a single channel of one or more input parameters in the following ESFAS Functions:

1. Safety Injection Actuation Signal Containment Pressure - High Pressurizer Pressure - Low CEOG STS B 3.3.5-22 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Digital)

B 3.3.5 BASES ACTIONS (continued)

2. Containment Spray Actuation Signal Containment Pressure - High High Automatic SIAS

3. Containment Isolation Actuation Signal Containment Pressure - High Pressurizer Pressure - Low

4. Main Steam Isolation Signal Steam Generator Pressure - Low Containment Pressure - High

5. Recirculation Actuation Signal Refueling Water Storage Tank Level -

Low

6. Emergency Feedwater Actuation Signal SG #1 (EFAS-1) Steam Generator Level - Low SG Pressure Difference - High Steam Generator Pressure - Low

7. Emergency Feedwater Actuation Signal SG #2 (EFAS-2) Steam Generator Level - Low SG Pressure Difference - High Steam Generator Pressure - Low ESFAS coincidence logic is normally two-out-of-four.

If one ESFAS channel is inoperable, startup or power operation is allowed to continue, providing the inoperable channel is placed in bypass or trip within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months (Required Action A.1).

The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months allotted to restore, bypass, or trip the channel is sufficient to allow the operator to take all appropriate actions for the failed channel and still ensures that the risk involved in operating with the failed channel is acceptable.

The failed channel must be restored to OPERABLE status prior to entering MODE 2 following the next MODE 5 entry. With a channel bypassed, the coincidence logic is now in a two-out-of-three configuration. In this configuration, common cause failure of dependent channels cannot prevent trip. The Completion Time of prior to entering MODE 2 following the next MODE 5 entry is based on adequate channel to channel independence, which allows a two-out-of-three channel operation, since no single failure will cause or prevent a reactor trip.

CEOG STS B 3.3.5-23 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Digital)

B 3.3.5 BASES ACTIONS (continued)

E.1 and E.2 If the Required Actions and associated Completion Times of Condition A, B, C, or D cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within

[12] hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

REVIEWERS NOTE --------------------------------------

The Notes in Table 3.3.5-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with LSSS values. Therefore, the Notes may be placed at the top of the column in the Table and applied to all Functions, or the Notes may be applied to specific Allowable Values in the Allowable Value column only.

SR 3.3.5.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE.

The Frequency, about once every shift, is based on operating experience that demonstrates channel failure is rare. Since the probability of two random failures in redundant channels in any 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months period is low, the CHANNEL CHECK minimizes the chance of loss of protective function CEOG STS B 3.3.5-26 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Digital)

B 3.3.5 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.5.2 A CHANNEL FUNCTIONAL TEST is performed every 92 days to ensure the entire channel will perform its intended function when needed. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The CHANNEL FUNCTIONAL TEST is part of an overlapping test sequence similar to that employed in the RPS. This sequence, consisting of SR 3.3.5.2, SR 3.3.6.1, and SR 3.3.6.2, tests the entire ESFAS from the bistable input through the actuation of the individual subgroup relays.

These overlapping tests are described in Reference 1. SR 3.3.5.2 and SR 3.3.6.1 are normally performed together and in conjunction with ESFAS testing. SR 3.3.6.2 verifies that the subgroup relays are capable of actuating their respective ESF components when de-energized.

These tests verify that the ESFAS is capable of performing its intended function, from bistable input through the actuated components.

SRs 3.3.6.1 and 3.3.6.2 are addressed in LCO 3.3.6. SR 3.3.5.2 includes bistable tests.

A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS trip channel bypassed. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference [9].

SR 3.3.5.2 for selected Function trip units is modified by two Notes as identified in Table 3.3.5-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e.

limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that CEOG STS B 3.3.5-28 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Digital)

B 3.3.5 the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service.

These channels will also be identified in the Corrective Action Program.

In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY.

The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

CEOG STS B 3.3.5-29 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 ESFAS Instrumentation (Digital)

B 3.3.5 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.5.3 CHANNEL CALIBRATION is a complete check of the instrument channel including the detector and the bypass removal functions. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference [9].

The [18] month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

SR 3.3.5.3 for selected Function trip units is modified by two Notes as identified in Table 3.3.5-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e.

limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service.

These channels will also be identified in the Corrective Action Program.

In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY.

The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

CEOG STS B 3.3.5-30 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation 3.3.1.1 Table 3.3.1.1-1 (page 2 of 4)

Reactor Protection System Instrumentation APPLICABLE CONDITIONS MODES OR REQUIRED REFERENCED OTHER CHANNELS FROM SPECIFIED PER TRIP REQUIRED SURVEILLANCE ALLOWABLE FUNCTION CONDITIONS SYSTEM ACTION D.1 REQUIREMENTS VALUE

2. Average Power Range Monitors

c. Fixed Neutron Flux - 1 [2] F SR 3.3.1.1.1 [120]% RTP High SR 3.3.1.1.2 SR 3.3.1.1.6 SR 3.3.1.1.7

[(c)

SR 3.3.1.1.9 (d)]

SR 3.3.1.1.13 SR 3.3.1.1.15

[ d. Downscale 1 [2] F SR 3.3.1.1.6 [3]% RTP ]

SR 3.3.1.1.7 SR 3.3.1.1.13

e. Inop 1,2 [2] G SR 3.3.1.1.6 NA SR 3.3.1.1.7 SR 3.3.1.1.13

3. Reactor Vessel Steam 1,2 [2] G SR 3.3.1.1.1 [1054] psig Dome Pressure - High SR 3.3.1.1.7

[SR 3.3.1.1.8]

SR 3.3.1.1.11 SR 3.3.1.1.13 SR 3.3.1.1.15

4. Reactor Vessel Water 1,2 [2] G SR 3.3.1.1.1 [10] inches Level - Low, Level 3 SR 3.3.1.1.7

[SR 3.3.1.1.8]

SR 3.3.1.1.11 SR 3.3.1.1.13 SR 3.3.1.1.15

5. Main Steam Isolation 1 [8] F SR 3.3.1.1.7 [10]% closed Valve - Closure SR 3.3.1.1.11 SR 3.3.1.1.13 SR 3.3.1.1.15

6. Drywell Pressure - High 1,2 [2] G SR 3.3.1.1.1 [1.92] psig SR 3.3.1.1.7

[SR 3.3.1.1.8]

SR 3.3.1.1.11 SR 3.3.1.1.13 (c) [INSERT 1]

(d) [INSERT 2]

BWR/4 STS 3.3.1.1-7 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 B 3.3 INSTRUMENTATION B 3.3.1.1 Reactor Protection System (RPS) Instrumentation BASES BACKGROUND The RPS initiates a reactor scram when one or more monitored parameters exceed their specified limits, to preserve the integrity of the fuel cladding and the Reactor Coolant System (RCS) and minimize the energy that must be absorbed following a loss of coolant accident (LOCA). This can be accomplished either automatically or manually.

The protection and monitoring functions of the RPS have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance. Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as

"...settings for automatic protective devices...so chosen that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the AnalyticAnalytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

REVIEWER'S NOTE ----------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in [a document controlled under 10 CFR 50.59]. The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. Where margin is added between the Analytical Limit and trip setpoint, the standard terminology of Nominal Trip Setpoint (NTSP) should be used. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint, but for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting Trip Setpoint must be cited in Note d of Table 3.3.1.1-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. In some cases, replacing the LTSP with NTSP will also require the revision of the relationship discussion for Allowable Value (AV). Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contains the [LTSP] values and the methodology for calculating the as-left and as-found tolerances for the BWR/4 STS B 3.3.1.1-1 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 phrase "[a document controlled under 10 CFR 50.59]" throughout these Bases.

BASES BACKGROUND (continued)

The [Limiting Trip Setpoint (LTSP)]trip setpoint is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the [LTSP] trip setpoint accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the

[LTSP] trip setpoint ensures plays an important role in ensuring that SLs are not exceeded. As such, the [LTSP] trip setpoint meets the definition of an LSSS (Ref. 1). and could be used to meet the requirement that they the LSSS be contained in the Technical Specifications. If the setting of the protective device does not protect a Safety Limit, the [LTSP] is not an LSSS.

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as ""...being capable of performing its safety function(s)."" For automatic protective devices, the required safety function is to ensure that a SL is not exceeded and therefore the [LTSP]

is the LSSS as defined by 10 CFR 50.36. is the same as the OPERABILITY limit for these devices. However, use of the [trip setpoint LTSP] to define OPERABILITY in Technical Specifications and its corresponding designation as the LSSS required by 10 CFR 50.36 would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protective device setting during a Surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the trip setpoint[LTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the trip setpoint[LTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the trip setpoint[LTSP] to account for further drift during the next surveillance interval.

BWR/4 STS B 3.3.1.1-2 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 Use of the [LTSP] trip setpoint to define "as-found" OPERABILITY and its designation as the LSSS under the expected circumstances described above would result in actions required by both the rule and Technical Specifications that are clearly not warranted. However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value which, as stated above, is the same as the least conservative value for the LSSS during testing. For LSSS functions, the actual [LTSP] value and the methodology for calculating the as-left and as-found tolerances will be maintained in [a document controlled under 10 CFR 50.59].

The Allowable Valuable specified in Table 3.3.1.1-1 serves asis the least conservative value ofthat the [LTSP] (LSSS) can have when tested such that a channel is OPERABLE if the setpoint is found conservative with respect to the Allowable Value during the CHANNEL CALIBRATION.

Note that, although a channel is OPERABLE under these circumstances, the setpoint must be left adjusted to a value within the as-left tolerance of the [LTSP] and confirmed to be operating within the statistical allowances of the uncertainty terms assigned in the setpoint calculation. channel is OPERABLE if the trip setpoint is found not to exceed the Allowable Value.

As such, the Allowable Value differs from the trip setpoint[LTSP] by an amount primarily equal to [or greater than] the as-found tolerance value.

expected instrument loop uncertainties, such as drift, during the surveillance interval. In this BASES BACKGROUND (continued) manner, the actual setting of the device will still meet the LSSS definition and ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. If the actual setting of the device is found to be non-conservative with respect to the is found to have exceeded the Allowable Value, the device would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required. Note that, although the channel is "OPERABLE" under these circumstances, the trip setpoint should be left adjusted to a value within the established trip setpoint calibration tolerance band, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

The RPS, as shown in the FSAR, Figure [ ] (Ref. 2), includes sensors, relays, bypass circuits, and switches that are necessary to cause initiation BWR/4 STS B 3.3.1.1-3 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 of a reactor scram. Functional diversity is provided by monitoring a wide range of dependent and independent parameters. The input parameters to the scram logic are from instrumentation that monitors reactor vessel water level, reactor vessel pressure, neutron flux, main steam line isolation valve position, turbine control valve (TCV) fast closure, trip oil pressure low, turbine stop valve (TSV) position, drywell pressure, and scram discharge volume (SDV) water level, as well as reactor mode switch in shutdown position and manual scram signals. There are at least four redundant sensor input signals from each of these parameters (with the exception of the reactor mode switch in shutdown scram signal).

Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs an RPS trip signal to the trip logic. Table B 3.3.1.1-1 summarizes the diversity of sensors capable of initiating scrams during anticipated operating transients typically analyzed.

The RPS is comprised of two independent trip systems (A and B) with two logic channels in each trip system (logic channels A1 and A2, B1 and B2) as shown in Reference 2. The outputs of the logic channels in a trip system are combined in a one-out-of-two logic so that either channel can trip the associated trip system. The tripping of both trip systems will produce a reactor scram. This logic arrangement is referred to as a one-out-of-two taken twice logic. Each trip system can be reset by use of a reset switch. If a full scram occurs (both trip systems trip), a relay prevents reset of the trip systems for 10 seconds after the full scram signal is received. This 10 second delay on reset ensures that the scram function will be completed.

BASES BACKGROUND (continued)

Two scram pilot valves are located in the hydraulic control unit for each control rod drive (CRD). Each scram pilot valve is solenoid operated, with the solenoids normally energized. The scram pilot valves control the air supply to the scram inlet and outlet valves for the associated CRD. When either scram pilot valve solenoid is energized, air pressure holds the scram valves closed and, therefore, both scram pilot valve solenoids must be de-energized to cause a control rod to scram. The scram valves control the supply and discharge paths for the CRD water during a scram.

One of the scram pilot valve solenoids for each CRD is controlled by trip system A, and the other solenoid is controlled by trip system B. Any trip of trip system A in conjunction with any trip in trip system B results in de-energizing both solenoids, air bleeding off, scram valves opening, and control rod scram.

The backup scram valves, which energize on a scram signal to depressurize the scram air header, are also controlled by the RPS.

Additionally, the RPS System controls the SDV vent and drain valves BWR/4 STS B 3.3.1.1-4 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 such that when both trip systems trip, the SDV vent and drain valves close to isolate the SDV.

APPLICABLE The actions of the RPS are assumed in the safety analyses of SAFETY References 2, 3, and 4. The RPS initiates a reactor scram when ANALYSES, LCO, monitored parameter values exceed the and APPLICABILITY Allowable Values, specified by the setpoint methodology and listed in Table 3.3.1.1-1 to preserve the integrity of the fuel cladding, the reactor coolant pressure boundary (RCPB), and the containment by minimizing the energy that must be absorbed following a LOCA.

RPS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Functions not specifically credited in the accident analysis are retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

The OPERABILITY of the RPS is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.1.1-1.

Each Function must have a required number of OPERABLE channels per RPS trip system, with their setpoints conservative with respect to thewithin the specified Allowable Value, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Each channel must also respond within its assumed response time.

BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Allowable Values are specified for each RPS Function specified in the Table 3.3.1.1-1. [Limiting Trip Setpoints] are specified in [a document controlled under 10 CFR 50.59].the setpoint calculations. The nominal setpoints[LTSPs] are selected to ensure that the actual setpoints are conservative with respect to the do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than theits nominal trip setpoint,[LTSP] but conservative with respect to its within its Allowable Value, is acceptable.

A channel is inoperable if its actual trip setpoint is non-conservative with respect tonot within its required Allowable Value.

[Limiting Trip SetpointsTrip setpoin] are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints[LTSPs] are then BWR/4 STS B 3.3.1.1-5 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 2.c. Average Power Range Monitor Fixed Neutron Flux - High The APRM channels provide the primary indication of neutron flux within the core and respond almost instantaneously to neutron flux increases.

The Average Power Range Monitor Fixed Neutron Flux - High Function is capable of generating a trip signal to prevent fuel damage or excessive RCS pressure. For the overpressurization protection analysis of Reference 5, the Average Power Range Monitor Fixed Neutron Flux -

High Function is assumed to terminate the main steam isolation valve (MSIV) closure event and, along with the safety/relief valves (S/RVs),

limits the peak reactor pressure vessel (RPV) pressure to less than the ASME Code limits. The control rod drop accident (CRDA) analysis (Ref. 6) takes credit for the Average Power Range Monitor Fixed Neutron Flux - High Function to terminate the CRDA.

The APRM System is divided into two groups of channels with three APRM channels inputting to each trip system. The system is designed to allow one channel in each trip system to be bypassed. Any one APRM channel in a trip system can cause the associated trip system to trip.

Four channels of Average Power Range Monitor Fixed Neutron Flux -

High with two channels in each trip system arranged in a one-out-of- two logic are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. In addition, to provide adequate coverage of the entire core, at least 11 LPRM inputs are required for each APRM channel, with at least two LPRM inputs from each of the four axial levels at which the LPRMs are located.

The Allowable Value is based on the Analytical Limit assumed in the CRDA analyses.

The Average Power Range Monitor Fixed Neutron Flux - High Function is required to be OPERABLE in MODE 1 where the potential consequences of the analyzed transients could result in the SLs (e.g., MCPR and RCS pressure) being exceeded and is therefore, considered an LSSS as defined by 10 CFR 50.36. Although the Average Power Range Monitor Fixed Neutron Flux - High Function is assumed in the CRDA analysis, which is applicable in MODE 2, the Average Power Range Monitor Neutron Flux - High, Setdown Function conservatively bounds the assumed trip and, together with the assumed IRM trips, provides adequate protection. Therefore, the Average Power Range Monitor Fixed Neutron Flux - High Function is not required in MODE 2.

BWR/4 STS B 3.3.1.1-12 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)

REVIEWERS NOTE ---------------------------------

The Notes in Table 3.3.1.1-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with LSSS values. Therefore, the Notes may be placed at the top of the column in the Table and applied to all Functions, or the Notes may be applied to specific SRs in the SR column only.

As noted at the beginning of the SRs, the SRs for each RPS instrumentation Function are located in the SRs column of Table 3.3.1.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , provided the associated Function maintains RPS trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 4) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the RPS will trip when necessary.

SR 3.3.1.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift on one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

BASES BWR/4 STS B 3.3.1.1-25 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.1.7 and SR 3.3.1.1.10 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The 92 day Frequency of SR 3.3.1.1.7 is based on the reliability analysis of Reference 10.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency.

SR 3.3.1.1.8 The calibration of trip units provides a check of the actual trip setpoints.

The channel must be declared inoperable if the trip setting is discovered to be less conservative than the Allowable Value specified in Table 3.3.1.1-1. If the trip setting is discovered to be less conservative than accounted for in the appropriate setpoint methodology, but is not non-conservative with respect to the Allowable Value, the channel performance is still within the requirements of the plant safety analysis.

Under these conditions, the setpoint must be readjusted to the [LTSP]

within the as-left tolerance as accounted for in the appropriate setpoint methodology.

The Frequency of 92 days for SR 3.3.1.1.8 is based on the reliability analysis of Reference 10.

BWR/4 STS B 3.3.1.1-29 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.1.9 and SR 3.3.1.1.11 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies that the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to the [LTSP]

within the as-left tolerance to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

Note 1 states that neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Changes in neutron detector sensitivity are compensated for by performing the 7 day calorimetric calibration (SR 3.3.1.1.2) and the 1000 MWD/T LPRM calibration against the TIPs (SR 3.3.1.1.6). A second Note is provided that requires the APRM and IRM SRs to be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months of entering MODE 2 from MODE 1. Testing of the MODE 2 APRM and IRM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads, or movable links. This Note allows entry into MODE 2 from MODE 1 if the associated Frequency is not met per SR 3.0.2. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.

The Frequency of SR 3.3.1.1.9 is based upon the assumption of a 184 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. The Frequency of SR 3.3.1.1.11 is based upon the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.1.1.9 for selected Functions is modified by two Notes as identified in Table 3.3.1.1-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation.

The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The BWR/4 STS B 3.3.1.1-30 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

SR 3.3.1.1.12 The Average Power Range Monitor Flow Biased Simulated Thermal Power - High Function uses an electronic filter circuit to generate a signal proportional to the core THERMAL POWER from the APRM neutron flux signal. This filter circuit is representative of the fuel heat transfer dynamics that produce the relationship between the neutron flux and the core THERMAL POWER. The Surveillance filter time constant must be verified to be 7 seconds to ensure that the channel is accurately reflecting the desired parameter.

The Frequency of 18 months is based on engineering judgment considering the reliability of the components.

BWR/4 STS B 3.3.1.1-31 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation 3.3.1.1 Table 3.3.1.1-1 (page 2 of 4)

Reactor Protection System Instrumentation APPLICABLE CONDITIONS MODES OR REQUIRED REFERENCED OTHER CHANNELS FROM SPECIFIED PER TRIP REQUIRED SURVEILLANCE ALLOWABLE FUNCTION CONDITIONS SYSTEM ACTION D.1 REQUIREMENTS VALUE

2. Average Power Range Monitors (Continued)

c. Fixed Neutron Flux - 1 [3] G SR 3.3.1.1.1 [120]% RTP High SR 3.3.1.1.2 SR 3.3.1.1.6 SR 3.3.1.1.7

[(c)

SR 3.3.1.1.9 (d)]

SR 3.3.1.1.13 SR 3.3.1.1.15

d. Inop 1,2 [3] H SR 3.3.1.1.6 NA SR 3.3.1.1.7 SR 3.3.1.1.13

3. Reactor Vessel Steam 1,2 [2] H SR 3.3.1.1.1 [1079.7] psig Dome Pressure - High SR 3.3.1.1.7

[SR 3.3.1.1.8]

SR 3.3.1.1.11 SR 3.3.1.1.13 SR 3.3.1.1.15

4. Reactor Vessel Water 1,2 [2] H SR 3.3.1.1.1 [10.8] inches Level - Low, Level 3 SR 3.3.1.1.7

[SR 3.3.1.1.8]

SR 3.3.1.1.11 SR 3.3.1.1.13 SR 3.3.1.1.15

5. Reactor Vessel Water 25% RTP [2] F SR 3.3.1.1.1 [54.1] inches Level - High, Level 8 SR 3.3.1.1.7

[SR 3.3.1.1.8]

SR 3.3.1.1.11 SR 3.3.1.1.13 SR 3.3.1.1.15

6. Main Steam Isolation 1 [8] G SR 3.3.1.1.9 [7]% closed Valve - Closure SR 3.3.1.1.11 SR 3.3.1.1.13 SR 3.3.1.1.15 (c) [INSERT 1]

(d) [INSERT 2]

BWR/6 STS 3.3.1.1-7 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 B 3.3 INSTRUMENTATION B 3.3.1.1 Reactor Protection System (RPS) Instrumentation BASES BACKGROUND The RPS initiates a reactor scram when one or more monitored parameters exceed their specified limit, to preserve the integrity of the fuel cladding and the Reactor Coolant System (RCS), and minimize the energy that must be absorbed following a loss of coolant accident (LOCA). This can be accomplished either automatically or manually.

The protection and monitoring functions of the RPS have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters, and equipment performance. Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as

"...settings for automatic protective devices...so chosen that automatic protective action will correct the abnormal situation before a Safety Limit (SL) is exceeded." The AnalyticAnalytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the AnalyticAnalytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the AnalyticAnalytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

REVIEWER'S NOTE ------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in [a document controlled under 10 CFR 50.59]. The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. Where margin is added between the Analytical Limit and trip setpoint, the standard terminology of Nominal Trip Setpoint (NTSP) should be used. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint, but for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting Trip Setpoint must be cited in Note d of Table 3.3.1.1-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. In some cases, replacing the LTSP with NTSP will also require the revision of the relationship discussion for Allowable Value (AV). Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contains the [LTSP] values and the methodology for calculating the as-left and as-found tolerances for the BWR/6 STS B 3.3.1.1-1 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 phrase "[a document controlled under 10 CFR 50.59]" throughout these Bases.

BASES BACKGROUND (continued)

The trip setpoint [Limiting Trip Setpoint (LTSP)] is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the trip setpoint [LTSP] accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the trip setpoint [LTSP] ensuresplays an important role in ensuring that SLs are not exceeded. As such, the trip setpoint [LTSP] meets the definition of an LSSS (Ref. 1). and could be used to meets the requirement that they the LSSS be contained in the Technical Specifications. If the setting of the protective device does not protect a Safety Limit, the [LTSP] is not an LSSS.

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." For automatic protective devices, the required safety function is to ensure that a SL is not exceeded and therefore the [LTSP]

is the LSSS, as defined by 10 CFR 50.36. Tis the same as the OPERABILITY limit for these devices. However, use of the trip setpoint

[LTSP] to define OPERABILITY in Technical Specifications and its corresponding designation as the LSSS required by 10 CFR 50.36 would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protective device setting during a Surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the trip setpoint [LTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the trip setpoint [LTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the trip setpoint

[LTSP] to account for further drift during the next surveillance interval.

BWR/6 STS B 3.3.1.1-2 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 Use of the trip setpoint [LTSP] to define "as-found" OPERABILITY and its designation as the LSSS under the expected circumstances described above would result in actions required by both the rule and Technical Specifications that are clearly not warranted. However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the BASES BACKGROUND (continued) devices and is designated as the Allowable Value which, as stated above, is the the same as theleast conservative value for the LSSS during testing. For LSSS functions, the actual [LTSP] value and the methodology for calculating the as-left and as-found tolerances will be maintained in [a document controlled under 10 CFR 50.59].

The Allowable Valuable Value specified in Table 3.3.1.1-1 serves asis the least conservative value that the [LTSP] of the (LSSS) can have when tested such that a channel is OPERABLE if the setpoint is found conservative with respect to the Allowable Value during the CHANNEL CALIBRATION. Note that, although a channel is OPERABLE under these circumstances, the setpoint must be left adjusted to a value within the established as-left tolerance of the [LTSP] and confirmed to be operating within the statistical allowances of the uncertainty terms assigned in the setpoint calculation. As such, the Allowable Value differs from the trip setpoint [LTSP] by an amount primarily equal to [or greater than] the expected instrument loop uncertainties, such as drift, during the surveillance interval.as-found tolerance value. In this manner, the actual setting of the device will still meet the LSSS definition and ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. If the actual setting of the device is found non-conservative with respect to the is found to have exceeded the Allowable Value the device would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required. Note that, although the channel is "OPERABLE" under these circumstances, the trip setpoint should be left adjusted to a value within the established trip setpoint calibration tolerance band, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

The RPS, as shown in the FSAR, Figure [ ] (Ref. 2), includes sensors, relays, bypass circuits, and switches that are necessary to cause initiation BWR/6 STS B 3.3.1.1-3 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE The actions of the RPS are assumed in the safety analyses of SAFETY References 3, 4, and 5. The RPS initiates a reactor scram when and APPLICABILITY ANALYSES, LCO, monitored parameter values is non-conservative with respect to the Allowable Values specified by the setpoint methodology and listed in Table 3.3.1.1-1 to preserve the integrity of the fuel cladding, the reactor coolant pressure boundary (RCPB), and the containment by minimizing the energy that must be absorbed following a LOCA.

RPS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Functions not specifically credited in the accident analysis are retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

The OPERABILITY of the RPS is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.1.1-1.

Each Function must have a required number of OPERABLE channels per RPS trip system, with their setpoints conservative with respect to within the specified Allowable Value, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Each channel must also respond within its assumed response time.

Allowable Values are specified for each RPS Function specified in the Table 3.3.1.1-1.. Nominal trip setpoint[Limiting Trip Setpoints]s are specified in the setpoint calculations[a document controlled under 10 CFR 50.59 such as the UFSAR]. The nominal setpoints[LTSPs] are selected to ensure that the actual setpoints are conservative with respect to the do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint[LTSP], but conservative with respect to its within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is is non-conservative with respect to its required Allowable Value.

Trip setpoint[Limiting Trip Setpoints]s are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints[LTSPs] are then determined, accounting for the remaining instrument errors (e.g., drift).

The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

BWR/6 STS B 3.3.1.1-6 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 High Function will provide a scram signal before the Average Power Range Monitor Flow Biased Simulated Thermal Power - High Function setpoint is exceeded.

The APRM System is divided into two groups of channels with four APRM inputs to each trip system. The system is designed to allow one channel in each trip system to be bypassed. Any one Average Power Range Monitor channel in a trip system can cause the associated trip system to trip. Six channels of Average Power Range Monitor Flow Biased Simulated Thermal Power - High, with three channels in each trip system arranged in one-out-of-three logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. In addition, to provide adequate coverage of the entire core, at least 11 LPRM inputs are required for each APRM channel, with at least two LPRM inputs from each of the four axial levels at which the LPRMs are located. Each APRM channel receives one total drive flow signal representative of total core flow. The recirculation loop drive flow signals are generated by eight flow units. One flow unit from each recirculation loop is provided to each APRM channel.

Total drive flow is determined by each APRM by summing up the flow signals provided to the APRM from the two recirculation loops.

The clamped Allowable Value is based on analyses that take credit for the Average Power Range Monitor Flow Biased Simulated Thermal Power - High Function for the mitigation of the loss of feedwater heater event. The THERMAL POWER time constant of < 7 seconds is based on the fuel heat transfer dynamics and provides a signal that is proportional to the THERMAL POWER.

The Average Power Range Monitor Flow Biased Simulated Thermal Power - High Function is required to be OPERABLE in MODE 1 when there is the possibility of generating excessive THERMAL POWER and potentially exceeding the SL applicable to high pressure and core flow conditions (MCPR SL). During MODES 2 and 5, other IRM and APRM Functions provide protection for fuel cladding integrity.

BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 2.c. Average Power Range Monitor Fixed Neutron Flux - High The APRM channels provide the primary indication of neutron flux within the core and respond almost instantaneously to neutron flux increases.

The Average Power Range Monitor Fixed Neutron Flux - High Function is capable of generating a trip signal to prevent fuel damage or excessive RCS pressure. For the overpressurization protection analysis of Reference 3, the Average Power Range Monitor Fixed Neutron Flux -

High Function is assumed to terminate the main steam isolation valve BWR/6 STS B 3.3.1.1-11 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 (MSIV) closure event and, along with the safety/relief valves (S/RVs),

limits the peak reactor pressure vessel (RPV) pressure to less than the ASME Code limits. The control rod drop accident (CRDA) analysis (Ref. 8) takes credit for the Average Power Range Monitor Fixed Neutron Flux - High Function to terminate the CRDA.

The APRM System is divided into two groups of channels with four APRM channels inputting to each trip system. The system is designed to allow one channel in each trip system to be bypassed. Any one APRM channel in a trip system can cause the associated trip system to trip. Six channels of Average Power Range Monitor Fixed Neutron Flux - High with three channels in each trip system arranged in a one-out-of-three logic are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. In addition, to provide adequate coverage of the entire core, at least 11 LPRM inputs are required for each APRM channel, with at least two LPRM inputs from each of the four axial levels at which the LPRMs are located.

The Allowable Value is based on the Analytical Limit assumed in the CRDA analyses.

The Average Power Range Monitor Fixed Neutron Flux - High Function is required to be OPERABLE in MODE 1 where the potential consequences of the analyzed transients could result in the SLs (e.g., MCPR and RCS pressure) being exceeded and is therefore, considered an LSSS as defined by 10 CFR 50.36. Although the Average Power Range Monitor Fixed Neutron Flux - High Function is assumed in the CRDA analysis that is applicable in MODE 2, the Average Power Range Monitor Neutron Flux

- High, Setdown Function conservatively bounds the assumed trip and, together with the assumed IRM trips, provides adequate protection.

Therefore, the Average Power Range Monitor Fixed Neutron Flux - High Function is not required in MODE 2.

BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 2.d. Average Power Range Monitor - Inop This signal provides assurance that a minimum number of APRMs are OPERABLE. Anytime an APRM mode switch is moved to any position other than Operate, an APRM module is unplugged, the electronic operating voltage is low, or the APRM has too few LPRM inputs (< 11), an inoperative trip signal will be received by the RPS, unless the APRM is bypassed. Since only one APRM in each trip system may be bypassed, only one APRM in each trip system may be inoperable without resulting in BWR/6 STS B 3.3.1.1-12 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE -----------------------------------REVIEWERS NOTE-----------------------------------

REQUIREMENTS Certain Frequencies are based on approved topical reports. In order for a licensee to use these Frequencies, the licensee must justify the Frequencies as required by the staff SER for the topical report.

REVIEWERS NOTE -----------------------------------

The Notes in Table 3.3.1.1-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with LSSS values. Therefore, the Notes may be placed at the top of the column in the Table and applied to all Functions, or the Note may be applied to specific SRs in the SR column only.

As noted at the beginning of the SRs, the SRs for each RPS instrumentation Function are located in the SRs column of Table 3.3.1.1-1.

The Surveillances are modified by a Note to indicate that, when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the RPS reliability analysis (Ref. 10) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the RPS will trip when necessary.

SR 3.3.1.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift on one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

BWR/6 STS B 3.3.1.1-26 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.1.7 and SR 3.3.1.1.10 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The 92 day Frequency of SR 3.3.1.1.7 is based on the reliability analysis of Reference 10.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency.

SR 3.3.1.1.8 The calibration of trip units provides a check of the actual trip setpoints.

The channel must be declared inoperable if the trip setting is discovered to be less conservative than the Allowable Value specified in Table 3.3.1.1-1. If the trip setting is discovered to be less conservative than accounted for in the appropriate setpoint methodology, but is not beyond the non-conservative with respect to the Allowable Value, the channel performance is still within the requirements of the plant safety analysis. Under these conditions, the setpoint must be readjusted to the

[LTSP] within the as-left tolerance as to be equal to or more conservative than accounted for in the appropriate setpoint methodology.

The Frequency of 92 days for SR 3.3.1.1.8 is based on the reliability analysis of Reference 10.

SR 3.3.1.1.9 and SR 3.3.1.1.11 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured BWR/6 STS B 3.3.1.1-30 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to the [LTSP] within the as-left tolerance to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

BWR/6 STS B 3.3.1.1-31 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Note 1 states that neutron detectors are excluded from CHANNEL CALIBRATION because of the difficulty of simulating a meaningful signal.

Changes in neutron detector sensitivity are compensated for by performing the 7 day calorimetric calibration (SR 3.3.1.1.2) and the 1000 MWD/T LPRM calibration against the TIPs (SR 3.3.1.1.6). A second Note is provided that requires the APRM and IRM SRs to be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months of entering MODE 2 from MODE 1. Testing of the MODE 2 APRM and IRM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads, or movable links. This Note allows entry into MODE 2 from MODE 1 if the associated Frequency is not met per SR 3.0.2. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.

The Frequency of SR 3.3.1.1.9 is based upon the assumption of a 184 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. The Frequency of SR 3.3.1.1.11 is based on the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.1.1.9 for selected Functions is modified by two Notes as identified in Table 3.3.1.1-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation.

The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. The second Note also requires that the [LTSP] and the methodology for calculating the as-left and the as-found tolerances be in

[a document controlled under 10 CFR 50.59].

SR 3.3.1.1.12 BWR/6 STS B 3.3.1.1-32 Rev. 3.0, 03/31/04

TSTF-493, Rev. 0 Appendix A Issue History

TSTF-493, Rev. 0 September 27, 2002 On September 27, 2002, the NRC issued a Request For Additional Information (RAI)

Regarding R. E. Ginna Nuclear Power Plant (Ginna) License Amendment Request To Revise The Safety Limits And Instrumentation Setpoints (Tac No. Mb4789) (ADAMS Accession No. ML022200294). This RAI discussed several topics including the following questions relative to the Ginna Setpoint Methodology:

9. Per RG&E Engineering Procedure EP-3-S-0505, Rev. 1, "Instrument Setpoint/Loop Accuracy Calculation Methodology," you indicate that ANSI/ISA-RP67.04-Part II, Figure 6, Method 3 is used to determine the allowable value. The use of Method 3 requires, under certain circumstances, that a check calculation be performed. The check calculation should provide assurance that the purpose of the allowable value is satisfied by providing a large enough margin to account for those uncertainties not measured during the channel operability test as described below.

Check Calculation Methodology (See RAI original for formulas)

Per RG&E procedure EP-3-S-0505, the allowable value is calculated using the following arithmetic approach:

AV = AL - TLU+ COT According to ANS/ISA-RP67.04 - Part II, if the arithmetic approach is used to determine the allowable value versus the square root sum of squares (SRSS) approach, then the check calculation as outlined above should be performed. The only exception to this requirement is if your allowable value was calculated using the SRSS approach, i.e.,

AV= (TLU2 - COT2)1/2 AL which is the setpoint methodology defined by Figure 6, Method 2. These two expressions for the allowable value (AV) are not equivalent and care must be taken whenever terms are removed from the radical sign. Given the information discussed above, please provide justification as to why the check calculation for the safety injection setpoint using Method 3 was not performed in accordance with ANS/ISA-RP67.04-Part II.

10. Did the setpoint calculations use ANSI/ISA-RP67.04-Part II, Figure 6, Method 3 for each of the functions listed in Table 3.3.1-1 and Table 3.3.2-1?

11. Please confirm that your setpoint calculation methodology meets the 95/95 confidence level requirement.

November 20, 2002 As a follow-up to the NRC RAI, representatives of the Rochester Gas and Electric Corporation met with the members of the Nuclear Regulatory Commission (NRC) staff in Rockville, Maryland on November 20, 2002. The purpose of the meeting was to discuss RG& Es proposed response to the NRCs RAI dated September 27, 2002 (ADAMS Accession No. ML022200294). This meeting resulted in the utility confirming that the NRC did not agree with the Ginna application of ISA-S67.04 Part II Method 3 for the Page A.1

TSTF-493, Rev. 0 calculation of Allowable Values. Talks continued between Ginna and the NRC for the next several months with no agreement on changes to the Ginna submittal that would satisfy the NRC.

June 16, 2003 On June 16, 2003 NRC representatives attended and made a presentation to the ISA S67.04 subcommittee. This presentation stated that the use of Method 3, for the calculation of Allowable Values (identified in 67.04 Part II, a recommended practice document not formally approved or referenced by the NRC) could result in non-conservative Allowable Values for the Technical Specifications.

In response to the June 16 2003 NRC presentation, the ISA 67.04 subcommittee appointed a subcommittee to meet with the NRC and clarify the ISA position on the development of Allowable Values using any of the ISA 67.04 Part II methodologies. In addition, the ISA 67.04 subcommittee also responded with the following letter:

"Analytical Limit Issue - Synopsis ISA Standard SP67.04.2000 and its associated recommended practice, RP67.04.2000, endorse a statistical method of combining the uncertainties associated with instrumentation accuracy. The underlying basis for this method involves the low probability of finding a large number of random uncertainty terms all at their greatest value at once.

There are many reasons why 67.04 has determined that these uncertainties may be random. Some include (1) variations in component values, such as random resistance variations in a group of 10% resistors, (2) variations in ambient conditions, such as temperature, voltage, and frequency, (3) variations in the way modules of the same type react to ambient conditions due to component variations, such as differing positive or negative temperature coefficients, (4) variations in the way modules of different types react to ambient conditions, (5) random time related drift, and (6) variations over the range - the actual uncertainty varies depending on the point of measurement between 0 and 100% span.

When a large number of random and independent uncertainties are combined, the standard recommends a Square-Root-Sum-Squares (SRSS) combinational technique. When either randomness or independence are not present, the standard recommends combining the uncertainties using plain addition. This combinational technique - a mix of SRSS and straight addition - has been used to determine both setpoints and allowable values for most plants in the United States.

They are firmly based in statistics and neither the NRC or the industry has issue with the general approach.

For setpoint determination, all the uncertainty terms are combined, resulting in a Total Loop Uncertainty (TLU). The trip setpoint is required to be at least one TLU from the Analytical Limit, the value at which the analysis assumes a trip will occur.

Neither the industry nor the NRC has any issues with the combinational method using SRSS to determine the setpoint. For example, if the analytical limit was 100 and the TLU was 10, the setpoint would have to be no greater than 90.

Page A.2

TSTF-493, Rev. 0 For allowable value determination, the most common industry approach is to combine all the uncertainty terms that would be expected to affect the setpoint at the time of the surveillance test - the tested uncertainties. The allowable value is then the setpoint plus the value of the tested uncertainties. To continue the example, if the tested uncertainties were 6, the allowable value would be setpoint

+ tested uncertainty = 90 + 6 = 96.

It is possible to combine all the terms NOT used to determine the allowable value.

This can be thought of as the 'untested uncertainties' - the uncertainties that cannot be observed during the surveillance test. Since the surveillance test is usually done during normal plant conditions and is limited to the instrument cabinet, these terms would include accident effects, radiation effects, and uncertainties associated with field mounted equipment. To continue the example, if all terms were random and independent, the untested uncertainty would be 8, since TLU = SRSS (tested uncertainties, untested uncertainties) = SRSS (6, 8) =

10.

Here is where the NRC takes exception to the industry standard method. They contend that once the loop performance is measured in the surveillance test, it can no longer be treated as random and independent. They contend that simply addition must be used to combine the tested uncertainties and the untested uncertainties. In the example above, the tested uncertainty of 6 and the untested uncertainty of 8 would yield a TLU of 14.

The impact of this approach is that most setpoints in nuclear plant protection systems will be found to be non-conservative. There appear to be three basic alternatives Justify smaller uncertainties - reduce the 6 or the 8 so their sum is 10 Reanalyze to show less conservative analytical limits - increase the 100 to 104 - or Move the setpoints - from 90 down to 86.

The subcommittee believes that this is an improper application of the relevant statistics; the surveillance test is only a snapshot, and the uncertainties associated with ambient conditions continue to randomly vary. The subcommittee also believes that trying to separate out the random factors that do not vary will prove an incredibly complex task, with a separate and distinct uncertainty curve over the range of interest for every loop in the plant, a curve that will have to be revised if any module is changed out or significantly altered."

August 13, 2003 On August 13, 2003, a meeting was held between the NRC and the ISA 67.04 subcommittee members regarding application of options 1, 2, and 3 in determination of allowable values. The following is a summary of the meeting from the perspective of the ISA 67.04 subcommittee. The attachments have been removed from the ISA summary but are available in the NRCs public document room attached to the NRCs summary.

ATTENDEES Page A.3

TSTF-493, Rev. 0 NRC STAFF ISA COMMITTEE OTHER / PUBLIC Hukam Garg Jerry Voss Mike Schoppman Evangelos C. Ron Jarrett Don Woodland Marinos Dr. William D Ted Quinn Mark Flaherty Beckner Carl Shulton John Guider Don Hoffman Bob Clark Rick Tuley Jerry Mauck Tom Boice Jim Snelson Dan Laurie Mike Eidson Cliff Doutt Robert Fredricksen Refer to the Attendance Sign-In List.

[PDF document removed]

INTRODUCTIONS / PURPOSE This meeting provided a forum to discuss the applicability of ISA 67.04 recommended practice methods 1, 2, & 3 for determination of allowable values.

NRC STAFF PRESENTATION BY HUKAM GARG Refer to "NRC's Perspective On Allowable Value."

[PDF document removed]

KEY POINTS & DISCUSSION 10 CFR 50.36 defines the Limiting Safety System Setting (LSSS) as the automatic setting chosen to correct an abnormal condition before safety limit is exceeded.

ITS Bases define Allowable Value (AV) to be equivalent to LSSS.

ITS Bases require the "as left" trip setpoint (TSP) to be within the band for channel calibration uncertainty allowance.

A protection channel is operable if the TSP is found not to exceed the AV.

ISA recommended practice provides three methods to calculate AV.

NRC finds Methods 1 & 2 acceptable because the margin between AV & AL is the same.

NRC is concerned with Method 3 because there may not be sufficient margin between the AV and the AL to account for all other uncertainties not measured during a test.

Page A.4

TSTF-493, Rev. 0 NRC finds Method 3 unacceptable because the AV calculation method permits an "as found" trip setpoint to be too high before declaring the instrument inoperable.

ISA 67.04 takes issue with the final sentence on the NRC conclusion slide about the technical acceptance of using an SRSS method vs. combination of SRSS and algebraic method to establish the AV.

ISA COMMITTEE PRESENTATION BY JERRY VOSS Refer to "ISA S67.04 Methods of Determining Trip Setpoints and Allowable Values."

[PDF document removed]

KEY POINTS & DISCUSSION 10 CFR 50.36 defines LSSS; consensus industry standard ISA S67.04 provides methods to determine TSP & AV; RG 1.105 endorses ISA S67.04; and TS list TSP

/ AV.

Must consider all known uncertainties (i.e., errors) when establishing a TSP.

SRSS method is used to determine Total Loop Uncertainty (TLU) and establish a TSP that protects the respective AL.

Calculated AVs should be based on measurement errors associated with periodic test.

ISA Recommended Practice (RP) 67.04.02 provides three options to determine AV.

For a given instrument channel: Methods 2 & 3 will calculate the same TSP, and the Method 1 setpoint will be more limiting with respect to operating margin.

With respect to the TSP, all three methods meet or exceed the 95% probability limits and are therefore acceptable.

For a given instrument channel: Methods 1 & 2 will calculate the same AV, and the Method 3 calculated AV will be more limiting with respect to the AL.

With respect to AV, Methods 1 & 3 result in an AV that will be satisfied during surveillance with a 95% probability, and Method 2 results in an AV will be satisfied during surveillance with less than a 68% probability.

The algebraic difference between the AV & the AL is not a direct defense of the AL The TSP protects the AL.

During surveillance testing the AV: validates an error contribution assumption; confirms the TSP, and serves as the LSSS.

Page A.5

TSTF-493, Rev. 0 As long as the AV is not exceeded, the channel is OPERABLE.

The errors between AV & AL are not part of the LSSS as defined by 10 CFR 50.36.

NRC noted that the Staff has a long internal / external history related to defining the TSP or the AV as the LSSS. The Staff maintains that the AV is the LSSS.

ISA noted that many plants still define the TSP as the LSSS; however, this issue was not discussed further.

NRC is concerned that Method 3 does not have the same conservatisms as Method 2.

ISA indicated that most plants use Method 3 because the error allowances associated with AV derivation are known much better.

NRC stated there is a long debate over TSP vs. AV; i.e., there is a functional or performance issue vs. an OPERABILITY issue.

NRC believes the allowance of Method 3 is based on performance and not from a design point of view.

ISA reviewed Channel Calibration vs. Channel Functional Test and Channel Check, and also the incremental values used to develop the TLU (ref. Fig. 1 Region A).

ISA indicated that data from periodic surveillance tests are used to validate error assumptions such as drift and that such assumptions may be based on design specifications or statistical evaluation of performance data.

ISA noted that plants were required by NRC SE conditions to ensure that actual rack drift was less than setpoint calculation error assumptions when COT frequency was changed from monthly to quarterly.

NRC indicated that there is nothing in the Tech Spec that says you cannot leave the TSP within but close to the Allowable Value.

ISA emphasized that the as-left TSP should be within the channel (or module) calibration tolerance following surveillance and calibration. (This is an explicit requirement for Westinghouse ITS plants via the COT.)

Mr. Hoffman covered the importance of AV with respect to Improved STS Section 3.0 OPERABILITY requirements, and indicated that the channel should not be left near the AV or outside the calibration tolerance (ref. Fig. 1 Region E).

NRC noted that we stated that the setpoint methodology would be reviewed for the plants, but that defining the AV as part of the Tech Specs did not require the NSSS Owners groups to submit the methodologies for review.

Page A.6

TSTF-493, Rev. 0 Mr. Hoffman noted that both WOG and BWROG submitted their methodologies as part of the overall review and that NRC has generically reviewed the topical reports for Westinghouse and GE.

NRC asked ISA what would be the actual change in TSPs if Method 2 was used (i.e., would this change real numbers or is this an academic argument)?

NRC asked ISA what would be the plant impact in terms of work if Method 2 was used?

ISA indicated that the impacts are real and significant. A change to the method for establishing AV would necessitate revision of all RTS and ESFAS setpoint uncertainty calculations. The revised AVs would require changes to TSPs which would squeeze plant operating and/or safety analyses margins. Any setpoint change would require assessment of safety analyses impacts and performance of new control system analyses. All TSP and AV changes would require revision of supporting scaling calculations and implementation procedures; i.e., all RTS and ESFAS surveillance and calibration procedures would be impacted. Each plant would have to submit licensing amendment requests to change the plant Tech Specs.

CONCLUSION With regard to the resolution of the NRC Staff concerns with ISA 67.04 recommended practice Method 3, no agreement was reached. The NRC maintains that ISA Method 3 may not provide sufficient margin between the AV and AL. ISA maintains that the Method 3 is technically valid and that the TSP protects the AL. ISA also notes that each licensee is responsible for establishing and maintaining the plant specific TSP & AV used in protection systems and that the NRC has approved all TSP & AV values listed in the current plant Technical Specifications.

MEETING ACTION ITEM The NRC requested cost estimate information to change from Method 3 to Method 2 or 1 for calculation of Tech Spec AV.

ISA RESPONSE TO MEETING ACTION ITEM ISA representatives collected information from several representative plants on August 14 & 15, 2003. Based on consideration of the potential impacts on RTS, ESFAS & LOP DG Start instrumentation channels, setpoint uncertainty calculations, scaling calculations, plant calibration & surveillance procedures, TSP

& AL values, safety analyses, control system analyses, FSAR, and Technical Specifications, the estimated cost ranged from about $500,000 to $1,000,000 per plant site.

The following is a summary of the August 13 2003 meeting from the perspective of the NRC.

Page A.7

TSTF-493, Rev. 0 On August 13, 2003, NRC staff met with members of ISA 67.04 Committee and other industry groups in Rockville, Maryland to discuss instrument setpoint methodology recommended in ISA S67.04 standard and used by licensees for determining protection system instrumentation setpoints. Part II of the standard, not endorsed by the staff, includes three methods for calculating allowable values, which represents the limiting safety system settings (LSSS), as required by 10CFR50.36. Methods 1 and 2 determine values that are sufficiently conservative and acceptable to the staff. Method 3, however, used by some licensee does not appear to provide an acceptable degree of conservatism and it is of concern to the staff. ISA and the industry group believe that instrument channel operational testing and plant procedures provide assurance that trip setpoints will be maintained at appropriate levels. Furthermore, ISA maintains that the LSSS is represented by the trip setpoint and protect the analytical limit. The staff maintains that allowable values represent the LSSS and should be used for determining instrument operability as defined in the Standard Technical Specification. No resolution was reached during the meeting. The NRC staff also requested ISA to provide cost estimate information to change from method 3 to method 1 or 2 for calculating allowable value. Following the meeting ISA indicated that the cost estimate based on the information provided by several representative plant site ranges from $5000,000 to $1,000,000 per plant site. A list of the attendees is given in enclosure 1, and the copy of the handout provided by the ISA and by the NRC staff is given in enclosure 2 (ADAMS Accession No. Ml032300040).

October 8-9, 2003 On October 8-9, 2003 a series of meetings was held on the subject of ISA-67.04. A pre-meeting was held at Excel Services Corporation offices in Rockville Maryland on the morning of October 8. A public meeting with NRC was held in the afternoon. A post-meeting was held at NEI on the morning of October 9. A summary of all three meetings is below:

I. NEI Pre-Meeting (10/8/03, 9 a.m. - Noon)

The NRR Electrical and I&C Branch consider Method 3 in ISA-RP67.04 to be non-conservative. This is the method by which (1) a "square root of the sum of the squares" (SRSS) statistical combination of "measured error" and "unmeasured error" is used to determine a setpoint to protect an "analytical limit", and (2) measured error is added to the setpoint to establish a Tech Spec "allowable value" for use in periodic surveillance testing of instrument drift. The NRC believes that Method 3 may, in some cases, leave insufficient margin between the allowable value and the analytical limit. The NRC's concern adversely affects the review of License Amendment Requests (LARs) that are based in whole or in part on Method 3.

In late September, NRC called NEI to request NEI participation in the resolution of the NRC's concern.

A public meeting between NRC and NEI was scheduled for 1 p.m. on October 8, 2003.

A pre-meeting was held on the morning of October 8 so NEI could present its strategy for the NRC meeting and to conduct a dry run of its presentation.

Page A.8

TSTF-493, Rev. 0

The pre-meeting established the primary objectives for the afternoon meeting, which were (1) request that NRC provide industry with a precise "problem statement" that documents the bases for their position, (2) request that, in the short term, plant-specific LARs that are consistent with the "current licensing basis" (CLB) be approved, and (3) begin developing an action plan for resolving the long term NRC concern with Method 3.

II. NRC Public Meeting (10/8/03, 1 - 3:30 p.m.)

The NRR Reactor Operations Branch (Tech Spec section) presented its position on the issue of whether the allowable value or the trip setpoint can be used as the "limiting safety system setting" (LSSS) in accordance with 10 CFR 50.36(c)(1)(ii)(A) - see NRC Handout. NRC considers the LSSS issue to be separate from the technical concern with Method 3. In addition, NRC agrees that the issues are generic and that there are no immediate safety concerns.

NRC agreed to provide a written description of their concern (including basis) within approximately 30 days.

Industry's request that NRC accept CLBs and approve pending "Method 3 LARs" was tabled for further discussion at future meetings.

NEI will be the point-of-contact between NRC and Industry for resolution of the issue. The NEI contact is Mike Schoppman (202-739-8011, mas@nei.org).

The NRC contacts are Hukam Garg for technical matters (301-415-2929) and Carl Schulten for Tech Spec matters (301-415-1192).

A follow-up meeting was scheduled for the morning of November 14th with a pre-meeting hosted by NEI to be held on the afternoon of November 13th.

ACTION ITEMS:

- NEI provide NRC with a list of plants that use Method 3 (Schoppman -

11/14/03).

- NEI provide NRC with a breakdown of estimated costs associated with a change in setpoint methodology (Schoppman - 11/14/03).

- NEI provide NRC with examples of other issue resolutions that can be used as precedent in drafting a resolution plan for this issue (Schoppman - 11/14/03).

- NRC provide NEI with a written description of their concern (Marinos/Beckner - 11/7/03; if possible by 10/31/03).

- NRC/NEI schedule a follow-up public meeting (Schoppman - 11/14/03 -

DONE).

III. NEI Post-Meeting (10/9/03, 8 - 11 a.m.)

The group requested that NEI form a Task Force to address this issue.

NEI agreed to prepare a special distribution list separate from the ISA-67.04 list-server distribution list. The purpose is to provide a degree of confidentiality as NEI prepares for public NRC meetings

The group agreed to prepare a "position paper" in preparation for the next meeting with NRC. The paper will include a Licensing/Tech Specs section and a Technical section.

Page A.9

TSTF-493, Rev. 0

The definition of Allowable Value in the Improved Tech Specs may be affected by the resolution to this issue.

NEI will discuss the issue with NRC management.

ACTION ITEMS:

- NEI propose Task Force makeup (Schoppman - 10/19/03 - DONE -

Setpoint Methods Task Force (SMTF)).

- NEI prepare special distribution list (Schoppman - 10/19/03 - DONE.

- Prepare a position paper. Inputs are due to NEI by 10/31/03 if possible. Inputs received between 10/31 and 11/14 will be used to prepare for the 11/14/03 NRC meeting. Inputs received after 11/14/03 will be factored into future drafts of the position paper. (Bob Fredricksen provided a first-draft technical input by e-mail dated 10/14/03; licensing/Tech Spec input is being prepared by Don Hoffman, Rick Tuley, and Jack Stringfellow.)

- NEI/NRC management discussions (Alex Marion - 11/13/03).

The NRC provided the following summary of the October 8, 2003 Meeting:

On October 8 2003, members of the U. S. Nuclear Regulatory Commission (NRC) met with representatives of industry and the Nuclear Energy Institute (NEI) to discuss staff concerns that margins for instrument setpoints were potentially being reduced because of the use of a non-conservative methodology. A list of those attending the meeting is in Attachment 1, NRC presentation material is in Attachment 2 (ADAMS Accession No. ML032820399), and presentation material used by NEI is in Attachment 3 (ADAMS Accession No. ML032820184). The staff' s Statement of Concern for Method 3 of independent safety analysis (ISA)

Standard 67. 04 Part II, provided after the meeting, is in Attachment 4 (ADAMS Accession No. ML032960002).

Mr. William Beckner, of the NRC, began the meeting by presenting an overview of the concern and stated that the staff was seeking NEI and industry assistance in evaluating the concern before embarking on a regulatory course of action. He said the concern was not directly related to the issue of whether the Allowable Value or the Trip Setpoint is used to represent the Limiting Safety System Settings required to be in technical specifications. That issue had been extensively discussed with industry. He indicated that the current concern involves the adequacy of the setpoint methodology used to determine the values and that the use of a particular methodology could introduce non-conservatism that would be of concern in issues such as amendment requests for large power uprates.

Mr. Alex Marion, of NEI, responded that industry understood that the staff had a concern and that industry wanted to know clearly what the staff's concern with Method 3 in ISA-RP67 was. He noted that the attendance of industry at this meeting was an indication of the level of interest of industry. He expressed that industry believed it would be inappropriate for the NRC to hold up approval of license amendment requests that used approved methodologies while the NRC sought a generic resolution of this concern. He said industry hoped to agree with the staff on a resolution strategy that was fair to industry.

Page A.10

TSTF-493, Rev. 0 Mr. Evangelos Marinos, of the NRC, clarified that the recent license amendment request the staff had concerns with was not using an NRC approved methodology.

While the staff had prepared an evaluation of its concerns for that request, the evaluation was not issued because the licensee had withdrawn its request. He said that Method 3 is not considered conservative by the staff and that power uprates take away some of the margin in the determination of setpoints.

Mr. Michael Schoppman, of NEI, then presented the information in Attachment 3.

He stated that the goal of industry for this meeting was to identify the issue and to establish a resolution process. He discussed the history of technical specifications for instrumentation and the role ISA-S67. 04 and Regulatory Guide 1.105 had in the development of those technical specifications. He said industry needed a precise statement of the technical issue that was the NRC' s concern. The NRC stated that the issue had been described at the recent meeting of the NRC with the Instrumentation, Systems, and Automation Society but agreed that the NRC should provide industry with a written statement of the issue. The staff said it would provide a written statement to industry in a month or less.

Jerry Burford, of Entergy, observed that the staff had, in the past, approved license amendment requests, that were consistent with the plant's licensing basis, while a resolution of a concern was developed noting that the resolution of the concern could require a change to the license amendment.

The NRC asked industry for examples and industry agreed to provide examples in about two weeks. The NRC also asked that industry provide an outline of the potential impacts of the staff's concern. Industry stated that it was working towards developing this. In summary, industry said it needed a clear statement of the technical issue and NRC agreed to provide a write-up of the issue to industry.

Industry agreed to provide NRC examples of license amendment requests where the request was not held up pending resolution of a potential generic concern.

Industry and the NRC agreed that it would be most effective to work together to achieve a resolution of the issue.

The following written summary was provided after the 10/8/2003 NRC Public Meeting to satisfy an ACTION ITEM to provide a written problem statement. This was the first actual written problem statement provided to the utilities by the NRC.

"Staffs Statement of Concern on Method 3 of ISA Standard 67.04 Part II The industry position is that technical specification (TS) Allowable Values (AVs) are used during periodic surveillances to demonstrate channel operability by validating the respective trip setpoint (TSP). In addition, the TSP protects the Analytical Limit, and therefore the Safety Limits in plant safety analyses. The TS periodic tests used to validate instrument channel uncertainties are the Channel Operational Test (COT) and Channel Calibration (non-COT) tests. These tests are used to establish operability of different components of an instrument channel. The staff concern is that the industry position on the relationship of the TSP to the AV does not address underlying assumptions of TS operability and setpoint methodologies to validate non-COT uncertainties.

Page A.11

TSTF-493, Rev. 0 Specifically, the underlying assumption for the non-COT uncertainty is that there will be a 95/95 confidence that instrument readings are conservative with respect to the Analytical Limits. The non-COT uncertainty must be accounted for in the safety margin at all times. Method 3 invalidates the non-COT uncertainty assumptions by setting the AV closer to the Analytical Limit and thereby the Safety Limit. Thus it does not preserve the safety margin by accounting for the total non-COT uncertainties. This is because AVs calculated using Method 3 set the AV at a value which assumes that all of the COT uncertainties are accounted for verifying the operability of the TSP, independent of the non-COT uncertainty, even though the two uncertainties were previously combined to establish the total channel uncertainty used to establish the TSP. Therefore, the staff does not believe that AVs calculated using Method 3 establish instrument channel operability limits that preserve the 95/95 confidence that structures, systems and components will be actuated to perform their intended safety function(s)."

The NRC notified NEI on 11/07/03 that the 11/14/03 meeting to discuss instrument setpoint methodology would have to be postponed. The NRC was unsuccessful in developing a consensus position within the NRC staff.

An alternative date was not identified.

November 13-14, 2003 The Setpoint Methods Task Force (SMTF) met on November 13-14, 2003. Below are the highlights from the meeting.

Meeting Highlights:

NRR managers plan to meet internally in November to sort through diverging staff opinions on this issue. NEI expects NRR to request a public meeting in December 2003 or January 2004.

NEI/SMTF is preparing a letter and a White Paper for submittal to NRC. The letter will request that this issue be resolved as a Generic Issue, with a corresponding task action plan and schedule. Pending generic resolution, open License Amendment Requests (LARs) should be reviewed against the plant-specific licensing basis. In other words, if the plant-specific Licensing Basis is Method 3, it remains acceptable unless and until a generic resolution finds to the contrary.

The October ISA meeting in Houston noted that (1) it is the responsibility of each licensee to use Method 3 as intended for it to remain statistically valid, (2) the type of plant-specific Tech Spec contributes to the NRC concern, (3) the ISA is not prepared to concede that Method 3 is invalid, and (4) the ISA might consider, at most, clarifying language in the 67.04 "recommended practice" document.

The SMTF provided comments on Technical Paper Draft E and prepared an outline of a Licensing Paper.

Final drafts of each paper are due to NEI by 11/30.

Page A.12

TSTF-493, Rev. 0

NEI will merge inputs and forward a final draft paper to the SMTF, the NSSS Owners Groups, and the NEI Licensing Action Task Force (LATF).

NEI will prepare a final paper, including a final round SMTF review/telecon, and submit to NRC by 12/31. This date may need to be moved up if NRC wants a meeting in mid-December. An important objective is to have an NEI letter/paper to NRC before the NRC/NEI public meeting.

NRC/NEI communications about the public meeting date will be the subject of separate e-mail correspondence.

NEI is advising NSSS Owners Group chairmen of this issue by copy of this meeting summary.

The meeting also resulted in discussion about a TS revision, submitted by EXELON, to add channel checks for some new instrumentation in the temperature leak detection world. Previously these channel checks could not be submitted under a Tech Spec revision, but can be now. Summary of discussion on the use of ISA Method 3 as it relates to the EXELON amendment request is listed below.

The NRC stated that it is not accepting new license amendments using ISA Method 3. Since the instrument change involves a license amendment, the NRC stated it is unwilling to accept the change when it knows that Method 3 was used to confirm the AV of the new instruments. The NRC believes that Method 3 does not provide adequate margin for drift that could result in exceeding the analytical limit. Thus, they would be remiss in approving an amendment in which the analytical limit would not be protected, even if the amendment doesn't specifically involve the setpoints.

EXELON stated that this amendment does not involve changing the AV, and thus Method 3 should not be an issue. EXELON also stated that our approved setpoint methodology would allow us to change instruments and AVs under 50.59, as long as a license amendment is not required. Also, use of another method could potentially be beyond the scope of the EXELON setpoint methodology approved by the NRC. EXELON asked if the NRC had considered the impact on the use of Method 3 under 50.59. The NRC personnel present stated they had not specifically considered this, but expected that this would covered under whatever formal document the NRC issues on this topic. The Project Manager stated that they are considering various options, including a Generic Letter.

The NRC stated that Method 3 allows for a check calculation using another method to confirm that the Method 3 result is adequate. They asked if we had performed this confirmatory calculation. The EXELON person present could not confirm this, although based on previous conversations it is doubtful that this was performed.

Finally, the NRC stated that the agency position against Method 3 is now fairly firm and will not change, including the application to cases in which Method 3 is not specifically involved in the amendment. The technical reviewers also stated that we can expect a similar question on the HPCS AV amendment request.

Page A.13

TSTF-493, Rev. 0 November 14, 2003 There was an NRC/NEI (Holden/Marion) Telecom on 11/14/03 discussing the Method 3 topic outside the NEI SMTF meeting. The following summary is provided for this telecom:

The NRR management team will be meeting on this issue next week. Mr. Holden said NRC will be sending NEI a letter documenting their concern. He was not aware of Enclosure 4 (Statement of Concern) contained in the NRC summary of the October 8 meeting between NRC and NEI. That summary is dated October 28, 2003 (ADAMS Accession Number ML033030193).

After the NRC management meeting, Mr. Holden will advise NEI of a prospective meeting date at NRC. It is possible that NRC may wish to have the meeting during the first week of December. If so, it accelerates our schedule for preparing an NEI White Paper. Alex or I will advise you as soon as we learn more about the prospective NRC/NEI meeting date.

December 5, 2003 NEI submitted a letter to NRC transmitting the NEI task force document (Technical White Paper) with the following discussion:

"The purpose of this letter is twofold. First, it addresses licensing-process issues associated with NRC review of License Amendment Requests (LARs) pertaining to trip setpoints and allowable values for safety related instrumentation. Second, it addresses technical issues pertaining to the determination of trip setpoints and allowable values using ISA-S67.04-1994, "Setpoints for Nuclear Safety-Related Instrumentation," and allowable values using Method 3 of ISA-RP67.04-1994, "Methodologies for the Determination of Setpoints for Nuclear Safety-Related Instrumentation." Regulatory endorsement of ISA-S67.04-1994 is contained in Regulatory Guide 1.105, Revision 3, "Setpoints for Safety-Related Instrumentation."

With respect to license amendments, a number of licensees have been informed by their NRC project managers that the staff does not plan to review LARs based on ISA-RP67.04 Method 3, even if that method is the current licensing basis for protection system instrumentation setpoints and allowable values (which is the case for approximately 75 domestic nuclear units). This licensing approach is having a significant effect on licensee plans and schedules for implementing operational and safety improvements. We believe that changing from one setpoint methodology to another will impact plant operating and/or safety margins at an average estimated cost of $1,000,000 per site. Consistent with NRC regulations and regulatory guidance, NEI requests that the staff process setpoint-related LARs in accordance with plant-specific licensing bases pending generic resolution of NRC concerns with Method 3.

With respect to technical issues, NEI, through its Setpoint Methods Task Force (SMTF), is prepared to work with NRC to resolve generic concerns with ISA-RP67.04 Method 3. During a public meeting held on October 8th, we requested Page A.14

TSTF-493, Rev. 0 that NRC provide a "problem statement" to support the issue-resolution process.

Subsequently, the SMTF has prepared the enclosed Technical White Paper to provide the industry perspective on the regulatory requirements and technical bases associated with the trip setpoint and allowable value determination process for protection system instrumentation. The paper finds that the setpoint and allowable value determination requirements defined by ISA-S67.04-1994 are acceptable and that the allowable value Method 3 guidance provided by ISA-RP67.04-1994 is acceptable. The paper concludes that licensee use of setpoints and allowable values established using these requirements and guidance does not raise any safety issues. NRC comments on the Technical White Paper are requested as soon as practicable."

The white paper justified the use of ISA 67.04 Part II Method 3 for the development of Allowable Values.

January 21, 2004 The NRC gave a status report on the setpoints issue at the January 21, 2004 Licensing Action Task Force meeting. The following summarizes that status report:

- An NRC response to the 12/5/03 NEI/SMTF letter and white paper is ready to be signed this week, next week for sure. The letter maps out a two-part process for going forward. NRC management characterized the use of industry white papers as very helpful in focusing people on the various aspects of an issue (in this case -

statistics, Tech Specs, regulations, margin, etc.).

- Part 1 --- There were 18 license amendment requests (LARs) on hold due to ISA-RP67.04 Method 3 implications. NRC tech staff reviews have either restarted or will restart for all these LARs. Licensees should see SEs within 3 to 6 weeks. The use of Method 3 is no longer considered a disqualifier. The first SE that is issued will be sent to NEI so we can distribute it to industry. Until we see the first SE, it is best not to speculate on how it will be worded.

- Part 2 --- The SEs will contain language about a new generic safety issue (GSI) that will be opened to define, evaluate, and resolve NRC tech-staff concerns, because these concerns have not gone away. In the long term this could lead to further Tech Spec changes, Reg. Guide changes, margin changes, or rule changes (50.36). NRC agreed that a licensing white paper would be a good vehicle for a "back & forth" exchange between the NRC tech staff and industry on how to resolve the generic issue. Again, until we see the GSI, I don't want to speculate about its wording.

February 2, 2004 NEI provided an update on February 2, 2004 in response to the NRC status report given at the January 21, 2004 Licensing Action Task Force meeting as follows:

The NRC letter in response to the NEI/SMTF 12/05/03 Technical White Paper (TWP) is ready to be signed by Eric Leeds, Assistant Director, NRR Division of Licensing Project Management (DLPM). Other issues have distracted Mr. Leeds, so Page A.15

TSTF-493, Rev. 0 as of this morning it had not been signed. As soon as it is signed, the NRC lead Project Manager (Chris Grattan) will put a copy in ADAMS and fax a copy to me.

NRC still wants a meeting on February 26, 2004, so I think the SMTF should plan for a pre-meeting on the afternoon of February 25 at NEI. I expect the 2/26 meeting to be free form and probing; i.e., Q&A about the language in the TWP and the NRC letter response, status at NRC of the 18 stalled LARS, what the GSI might look like, and when the GSI might be issued. We on our end need to strategize the Licensing White Paper (LWP) scope and schedule. We need to craft the LWP carefully, so it won't be ready by 2/25. Also, we need to discuss whether it is better to send it before NRC drafts a GSI, or after.

February 4, 2004 NEI provided additional updates on February 4, 2004 in response to the NRC status report given at the January 21, 2004 Licensing Action Task Force meeting as follows:

Chris Gratton, the Lead NRR PM for the setpoints issue, is scheduling a public meeting with the SMTF for the morning of February 26, 2004. The purpose is to re-engage on this issue by establishing a "current situation," how we got here, and where we go next. The focus documents are our 12/5/03 white paper and NRC's response, which as of today is still on NRC management's desk (Eric Leeds) waiting for signature. The number of "on hold" amendments has been reduced from 18 to about 6. Several of the 18 were rationalized by NRC as not really about Method 3, so the reviews have been re-started. Some others were re-started because the licensees agreed to use Method 2 for the applications in question. NRR Projects is working with the I&C Branch to get the others re-started. Of course, these numbers do not include those licensees that may be holding up submittals because of the uncertainty surrounding this issue.

February 20, 2004 The NRC issued a letter on February 20, 2004 to NEI (ML040500688) stating that the NRC would consider the views in the NEI technical report (in the December 5, 2003 NEI to NRC letter). The NRC letter also stated that the NRC staff concluded that the use of Method 3, as described in ISA 67.04 Part II, "Setpoints for Nuclear Safety Related Instrumentation Used in Nuclear Power Plants", does not raise significant generic concerns that would prevent the issuance of the amendments currently under review by the staff. While the NRC staff proceeds with the review of the current licensing actions, longer-term actions to resolve its programmatic and technical concerns with Method 3 will be addressed in an action plan. The NRC staff plans to address this issue with the Nuclear Energy Institute, Instrument Society of America and other interested stakeholders to develop a long-term resolution.

February 26, 2004 Listed below is a summary of NRC/NEI Meeting on Safety-Related Instrument Setpoints and Allowable Values held on February 26, 2004.

NRC Agenda:

Page A.16

TSTF-493, Rev. 0

Introductions

Discussion of NEI White Paper "ISA S67.04 Methods for Determining Trip Setpoints and Allowable Values for Safety-Related Instrumentation"

Opportunity for public comment

Future activities/adjournment Meeting Highlights:

Representatives from the NEI Setpoint Methods Task Force (SMTF) gave a detailed presentation (attached) on the basis and conclusions of the NEI White Paper. Mike Eidson (Southern Nuclear) and Bob Fredricksen (Exelon) were the primary presenters.

NRC staff agrees that its concerns about ISA-RP67.04 Method 3 do not represent a safety or compliance issue.

NRC staff will pursue generic resolution of its concerns, probably by using the internal NRC guidelines in NRR Operating Instruction LIC-400, "Procedures for Controlling the Development of New and Revised Generic Requirements for Power Reactor Licensees."

The NRR Division of Licensing Project Management will work with the NRR Electrical and I&C Branch to develop standardized wording for Safety Evaluations that approve license amendments related to the use of Method

3. Such standardized wording is needed until resolution of the generic issue is documented and implemented.

NEI is considering additional white papers.

Follow-up Topics:

Standard language in NRC Safety Evaluations (pending generic issue resolution).

Generic issue resolution via NRR Operating Instruction LIC-400 (including a technical problem statement).

Safety analysis methods and the derivation of "safety limit" and "analytical limit."

Basis of the ISA RP67.04 Method 3 check calculation and when a check calculation is needed.

Process by which a licensee may change a trip setpoint without changing the allowable value via a license amendment (for Method 1, 2, or 3 plants with single column technical specifications that list the allowable value as a limiting safety system setting).

March 4, 2004 On March 4, 2004 LaSalle station received an SER for an Allowable Value change. The following is an excerpt from the NRCs technical evaluation in the SER.

Page A.17

TSTF-493, Rev. 0

3.0 TECHNICAL EVALUATION

(Excerpt)

During recent reviews of proposed license amendments associated with changes to the LSSSs, the staff has identified a concern regarding Method 3. The concern relates to the manner in which uncertainties not addressed in periodic testing are accounted for in the establishment of the Allowable Values. Of particular concern are uncertainties associated with instruments excluded from channel operational testing, such as instruments located inside the containment building and tested only during outages. Failure to properly account for these uncertainties could result in Allowable Values that do not provide adequate assurance that associated SLs will not be violated. The NRC staff is currently working toward resolution of this generic concern.

The licensee's proposed change to TS Table 3.3 .5.1-1, Function 3.e for LSCS is based on use of Method 3. However, the staff has concluded that the generic concern does not apply to the proposed changes because the instruments involved are process-actuated switches and so there are no instruments excluded from channel operational tests. Therefore, the staff finds that there is reasonable assurance that the proposed change will not result in violation of any SL, and that the proposed change is acceptable.

Based on the review of licensee's regulatory and technical analyses in support of the proposed license amendment, the staff concludes that the proposed TS change is in accordance with the current licensing basis and is, therefore, acceptable. The staff's conclusion does not signify that the generic concern discussed above is resolved for LSCS. The licensee may be subject to further actions in the future as this generic concern is resolved.

March 23, 2004 On March 23, 2004, the NRC staff issued the following internal memo for short-term actions on the use of Method 3:

TO: Brian W. Sheron, FROM: Ledyard B. Marsh, Director /RA/

Richard J. Barrett, Director Bruce A. Boger, Director /RA/

SUBJECT:

DECISION ON SHORT-TERM ACTIONS REGARDING THE USE OF ISA-RP67.04-1994, PART II SETPOINT METHOD 3 The purpose of this memorandum is to document the staffs decision on the appropriate short-term actions necessary to continue the review of licensing actions that involve the Page A.18

TSTF-493, Rev. 0 modification of instrumentation setpoints. The specific decision discussed herein is consistent with the discussion of the status of the setpoint methodology review described in the memorandum to you, dated February 5, 2004, from Eric J. Leeds, Deputy Director, Division of Licensing Project Management.

On January 9 and January 22, 2004, the NRC staff briefed the Leadership Team (LT) on the proposed short-term actions regarding the industrys proposed use of one of the methods used by licensees in determining instrument loop allowable values (AVs) as described in ISA-RP67.04-1994, Part II, "Methodologies for the Determination of Setpoints for Nuclear Safety-Related Instrumentation." Specifically, the staff has raised concerns regarding whether Method 3 (M3) in ISA-RP67.04 provides an adequate methodology for establishing the operability limit for the instrument loop. The NRC staff is currently reviewing several license amendments that requested changes to values in the technical specifications (TS) that were determined using M3. Review of the M3 portion of these amendments had been suspended pending a decision on the use of M3.

On December 19, 2003, a meeting of Office of Nuclear Reactor Regulation senior managers and staff members was held to determine the course of action necessary to restart the review of the licensing actions with M3 issues. Based on that meeting, the staff was directed to develop a position paper that would justify the interim use of M3 and to develop longer-term plans to address the underlying issues associated with determining Limiting Safety System Settings (LSSS) as required by Title 10 of the Code of Federal Regulations, Section 50.36, "Technical Specifications."

Previous to the December 19, 2003, meeting, the staff had determined that the M3 issue did not raise immediate safety concerns that would prevent the issuance of an amendment if the proposed TS changes were found to be otherwise acceptable.

Upon completion of the position paper, the LT was to reconvene and review the staffs plan to proceed with the review of the M3 licensing actions.

On January 9, 2004, the LT and cognizant staff members met to discuss the position paper. Based on those discussions, the staff generally agreed that, with minor modification, the position paper outlined an acceptable safety basis for the use of M3 until a long-term solution to the issue could be developed and implemented. At the conclusion of this meeting, the technical staff was tasked with selecting a lead plant from those with M3-based changes and developing the draft safety evaluation (SE) using the basis outlined in the position paper.

On January 22, 2004, the staff briefed the LT on the status of the M3 short-term action plan. The staff reported that it was unable to develop a generic SE to address the M3 concern that could be applied (i.e., could be used as a template) to many of the plants with M3-based changes due to the plant-specific nature of the issue. The staff proposed and the LT agreed that for plants requesting setpoint and allowable value changes to their TS that are derived using M3, the following three bases should be cited as reasons why the staff does not have an immediate safety concern with the proposed methodology. The LT also agreed that the SE should acknowledge the NRC staffs concern that LSSSs (AVs) calculated using M3 may not establish a TS operability limit that ensures the AL would not be exceeded and state that the NRC staff has the issue under review.

Page A.19

TSTF-493, Rev. 0

since the total loop uncertainty accounts for all uncertainties associated with the instrument loop, there is reasonable assurance that the trip setpoint will provide protective action prior to a safety limit (SL) being exceeded.

there is conservatism in the analyses used to determine the analytical limit (AL), as well as the SL.

the staff is not aware of any event where instrument loops have exceeded the SL based on periodic surveillance testing.

The LT concluded, for the reason specified above, that there is sufficient conservatism in the analyses used to determine the AL such that as-found instrument setpoints that fall within the AVs determined by M3 would not result in an SL being exceeded, and therefore, the method used to determine the trip setpoints meets the 10 CFR 50.36 requirements. The LT also concluded that licensees could continue to calculate AVs using M3 until a long-term resolution is implemented. The NRC staffs expectation for setting the AV is given in Regulatory Guide 1.105, "Setpoints for Safety-Related Instrumentation," Regulatory Position C.4, which states:

"The allowable value is the limiting value that the trip setpoint can have when tested periodically, beyond which the instrument channel is considered inoperable and the corrective action must be taken in accordance with the technical specifications."

During the development of the draft SE, Division of System Safety and Analysis (DSSA) staff developed a more comprehensive discussion of the basis for the second bullet above. The meeting participants reviewed the expanded DSSA basis and decided that the following discussion did not need to be included in each SE issued for an M3 setpoint change, but that it should be documented in this memorandum:

"These analyses are approved by the staff against the criteria of Title 10 of the Code of Federal Regulations, Section 50.46, which requires that they be conservative or account for uncertainties in the evaluation method. The result provides significant margin when establishing setpoints for safety system actuation. The AL is established as a conservative value below the SL in order to ensure margin in the trip setpoint."

At the conclusion of the meeting, the participants agreed that the short-term actions described above regarding the use of M3 in the determination of LSSS AVs was an acceptable method to address the staffs concerns with the use of M3 in the short term. The meeting participants also agreed that staff members from DSSA and the Division of Regulatory Improvement Programs would concur on any SEs where the staff uses these short-term actions to address M3 issues until the issuance of this memorandum documenting the decision to use this basis. The long-term actions to address issues with the use of M3 in the determination of LSSS AVs will be addressed separately. The staff has been directed to use the Directors Quarterly Status Report to develop and track those long-term actions.

Page A.20

TSTF-493, Rev. 0 April 21, 2004 A meeting was held on April 21, 2004 in which the NRC staff summarized the setpoints issue with the Licensing Action Task Force. The summary is listed below:

1. In the near term, NRC intends to use a pending Ginna safety evaluation (SE) to provide "standard wording" for SEs addressing Method 3 (open item).

2. The NRC technical branch has not yet obtained consensus on a long-term "problem statement" (open item).

3. The NRC has not provided NEI with any plan for follow-up via a long-term "generic safety issue" (open item).

4. The NRC wants a public meeting in June to discuss industry safety analysis practices and their relationship to safety limits and analytical limits. The SMTF does not wish to support a meeting without having received a problem statement from NRC and without having had sufficient time to prepare (about 6 weeks). NEI is in contact with NRC on this matter (open item).

June 17, 2004 On June 17 2004, the NRC issued "Problem Statement on the Use of Instrumentation, Systems and Automation Society (ISA) Standard ISA 67.04 Part II. "METHODOLOGY FOR THE DETERMINATION OF SETPOINTS FOR NUCLEAR SAFETY-RELATED INSTRUMENTATION. METHOD 3.

The NRC staff was concerned that there may be instances where an instrument channel is believed to be operable following a periodic surveillance (e.g., CFT, COT), even though the channel may not meet the definition of operability because the process parameter being measured may exceed the AL assumed in the plants safety analysis should an accident occur without initiating the required action. This is probable because Method 3, the calculation method used by some licensees to determine the value by which those licensees determine the operability of instrument loops, does not fully account for the uncertainties that are not addressed during periodic surveillances. Under the conditions described above, if the instrument channel is not declared inoperable, the NRC is concerned that licensees may not take appropriate actions to correct the problem, as discussed in 10 CFR 50.36. For these reasons, Method 3 should not be used to calculate AVs where the AV is used as an LSSS.

The problem statement was issued in advance of a June 23, 2004 meeting between NEI and NRC. As far as NEI was concerned, the meeting with NRC was restricted to a general discussion of safety analysis techniques and their relationship to safety limits. There was to be no discussion on the part of NEI/vendor attendees on the region of ISA interest below the analytical limit.

There will be no formal presentation by NEI.

Page A.21

TSTF-493, Rev. 0 June 23, 2004 Meeting with NRC (9am - noon, 6/23/04)

The NRC staff (Garg & Rebstock) made a presentation during the meeting. This presentation supplements the NRC problem statement that was published last on the use of Method 3. The presentation defined new terms and discussed the unacceptability of using Method 3 to develop Allowable Values. The presentation was unexpected and the NEI audience was not prepared to understand the impacts of the presentation.

Following the NRC staff presentation, the Westinghouse attendees described typical conservatisms and margins inherent in their non-LOCA methodology. A copy of the Westinghouse talking points is attached. These were not handed out at the meeting.

The Westinghouse presentation was made in seminar fashion using the whiteboard in the NRC meeting room to talk the staff through safety analysis techniques used by Westinghouse to establish safety limits and derive analytical limits (i.e., the region above the analytical limit). The processes by which licensees establish trip setpoints and allowable values (i.e., the region below the analytical limit) were not discussed.

The following is an NRC EEIB provided summary from the June 23, 2004 meeting:

The presentation by NRC/NRR/DE/EEIB-I&C was based upon the slides contained in the PowerPointXP presentation file AVPresentation-40621.ppt.

Copies of the slides were distributed to attendees, to the extent available. The slides have been converted to Adobe Acrobat format (with minor formatting adjustments) and have been posted in ADAMS as ML041810346 (AVPresentation-40624.pdf). The slides detailing the content and interpretation of 10CFR50.36 were omitted from the presentation in the interest of saving time. After the title, introduction, and setpoint graphic slides (#s 1-3),

the presenter jumped directly to the 10CFR50.36 summary slide (#9). The audience, in particular, the NEI and Westinghouse representatives, indicated that they accepted the points on the summary slide and that detailing their development was not necessary. Also in the interest of saving time some explanatory points on slides prior to the "The Math" section (that is, prior to

25) were not addressed explicitly but rather left for the audience to read for themselves. No objection or dissent was raised regarding this practice.

A question was raised from the floor requesting further clarification of Epilogue 1 (#41 & 42). This relates to a non-intuitive situation in which a channel that is behaving as expected should nevertheless be declared inoperable because the Analytical Limit is in jeopardy. It was reiterated, as indicated on the slides, that the need to protect the AL supersedes the fact that the channel is behaving as expected, and that the cause of this situation is rooted in the use of Square Root of the Sum of the Squares to combine the COT and nCOT uncertainties in the derivation of the limiting setpoint. SRSS is clearly acceptable from a statistical point of view for combining COT and nCOT in the absence of a priori information, but it does not leave enough margin between SP and AL to accommodate nCOT when the conditional probability of failure is to be assessed following the determination of an As-Found setpoint in excess of the Method 2 Allowable Value even though that As-Found setpoint may be within the expected deviation from As-Left.

Page A.22

TSTF-493, Rev. 0 Representatives from Westinghouse made a brief presentation concerning plant safety analyses and the application of Analytical Limits. They did not provide any notes or handouts. In the course of the presentation and repeatedly in subsequent discussions, they stated explicitly that although there is margin both in the Analytical Limits assumed in the analyses and in the designated Safety Limits, which the analyses show to be protected, they have never attempted themselves nor have they ever encountered any attempt to quantify and use this margin. They indicated that they would consider it inappropriate to permit violation of the AL without a rigorous analysis that demonstrated that such violation would in fact be tolerable. They said that it is their practice to assume that the AL is a hard and inviolate limit.

July 26, 2004 An NRC/SMTF Meeting was held at NRC on July 26, 2004. The following is a summary of the meeting and additional actions by the SMTF.

Paul Rebstock repeated the presentation he gave at the 6/23/04 NRC/NEI meeting.

Mike Schoppman followed with a discussion of the points in the NEI handout. The floor was then opened for Q&A. This part of the meeting helped improve the NRC staffs understanding of typical setpoint practices at an operating plant.

At approximately 3 p.m., Rich Barrett (Director, NRR Division of Engineering) requested time for the NRC staff to caucus privately. They returned in about 20 minutes, and Rich made the following summary remarks:

NRC "has heard our concerns" re what the SMTF considers to be a flawed assumption in the second paragraph on page two of the NRCs 6/17/04 Problem Statement (" that once a COT/CFT is performed, the instrument uncertainties are a measured value and cannot be treated as a random variable of instrument uncertainty. Licensees should consider the results of the COT/CFT as a bias and should add the results to uncertainties not measured by COT/CFT.").

It was very useful for NRC staff to hear from so many licensees about how they handle Trip Setpoints (TSPs) and Allowable Values (AVs).

NRC considers plants that use Method 3 to be safe.

But there remains a challenge with respect to what constitutes compliance with the definition of LSSS in 10 CFR 50.36. If, as the SMTF claims, the TSP (and not the AV) is the real LSSS and the AV is a "representation" of the TSP for Tech Spec surveillance purposes, then that position needs to be reconciled within the context of the standard tech specs.

At this point, the NRC has not determined the next phase of this issue. It could become a GSI, or a TSTF Traveler, or even a 50.36 rulemaking.

July 27, 2004 NEI contracted MPR Associates to performing an independent evaluation of the primary references on this issue, which are: (1) the NEI/SMTF Technical White Paper dated December 5, 2003, (2) the NRC Problem Statement dated June 17, 2004, and (3) the NRC Presentation first given on June 23, 2004. MPR was requested to perform Page A.23

TSTF-493, Rev. 0 modeling of the channel calibration process considering the assumptions and discussion in the references.

August 30, 2004 Based on discussions with NRC representatives during the July 26, 2004 meeting, Ginna submitted a revised LAR (based on NRC comments) to resolve the Method 3 issue as it applied to Ginna for a major submittal. This revised LAR replaced the Allowable Value column with an LSSS column and added note a to the LSSS column stating:

a) A channel is OPERABLE when both of the following conditions are met:

1. The absolute difference between the as-found Trip Setpoint (TSP) and the previous as-left TSP is within the COT Acceptance Criteria. The COT Acceptance Criteria is defined as:

las-found TSP - previous as-left TSPl =< COT uncertainty The COT uncertainty shall not include the calibration tolerance.

2. The as-left TSP is within the established calibration tolerance band about the nominal TSP. The nominal TSP is the desired setting and shall not exceed the Limiting Safety System Setting (LSSS). The LSSS and the established calibration tolerance band are defined in accordance with the Ginna Instrument Setpoint Methodology. The channel is considered operable even if the as-left TSP is non-conservative with respect to the LSSS provided that the as-left TSP is within the established calibration tolerance band.

August 30, 2004 MPR completed the independent review of the NEI and NRC positions discussed in the associated reference documents. Monti-Carlo simulations were run to verify the acceptably of Allowable Values generated using either Method 2 or 3. The following is excerpted from the MPR report:

"At the request of NEI, MPR independently reviewed ISA-RP67. 04 instrument channel setpoint methods to address NRC concerns with one of the methods (Method 3) currently used by many nuclear utilities. The NRC position is that Method 3 of the ISA Recommended Practices does not ensure that plant Safety Limits are protected at a high level of assurance.

Based on reviews of both the NRC and industry positions in this matter and on independent calculations we performed, we conclude that ISA Method 3 Page A.24

TSTF-493, Rev. 0 provides adequate protection. The bases of our conclusion are provided in the enclosure and attached calculation."

January 27, 2005 The Setpoints issue was discussed briefly at the NRC/NEI Licensing Action Task Force (LATF) meeting at NRC headquarters on January 27, 2005. Ed Hackett (NRC Division of Licensing Project Management) made the following points:

- NRC senior management (Brian Sheron) has directed staff to have a firm resolution plan no later than March 31, 2005.

- John Nakoski has the NRC lead for coordinating the resolution plan.

- NRC will set up a management meeting with NRC in March.

- The MPR independent review was very helpful in clarifying industry practices and margins.

- NRC sees long-term resolution by means of Tech Specs.

- NRC is not asking industry to change its setpoint methodology.

March 11, 2005 The NRC staff hosted a public meeting with the NEI Setpoint Methods Task Force (SMTF) on March 11, 2005, to discuss the status of NRCs review of issues pertaining to the use of the Instrumentation, Systems, and Automation Society (ISA) Recommended Practice, ISA RP67.04, Part II, Method 3. Although consensus on the acceptability of Method 3 for determining Technical Specification allowable values was not achieved during the meeting, both the NRC and SMTF representatives expressed the opinion that a generic, method-independent resolution is feasible.

The NEI SMTF proposed the following approach:

1. We will support development of a Tech Spec Task Force (TSTF) Traveler that (a) specifically addresses resetting automatic trip setpoints for limited safety system settings (i.e., the LSSS defined in 10 CFR 50.36) to within the calibration tolerance, and (b) describes how setpoint methodologies are applied in practice to verify component operability. For PWRs, this includes the reactor trip system (RTS) and engineered safety feature actuation system (ESFAS) trip setpoints. For BWRs, this includes the Reactor Protection System (RPS) and emergency core cooling system (ECCS) trip setpoints. The details will be provided in a TSTF submittal to NRC, currently scheduled for June 2005.

2. The TSTF Traveler will be based on current methods and terminology. We continue to maintain that all methods currently in use are acceptable. A supplement to my letter to you (same subject) dated December 17, 2004, is enclosed.

3. The final resolution should be implemented by means of the consolidated line item improvement process (CLIIP).

4. Pending generic resolution, we respectfully request that NRC withdraw all Requests for Additional Information (RAIs) on licensing amendment requests (LARs) that involve allowable values based on ISA Method 3. In Page A.25

TSTF-493, Rev. 0 the interim, NRC safety evaluations should be performed in accordance with the plant-specific licensing bases. License amendments can be issued conditional on implementation of the final generic resolution.

March 31, 2005 On March 31 2005, the NRC provided a response to the three outstanding SMTF letters (11/29/04, 12/17/04, 3/18/05). The following are excerpted NRC letter highlights:

NRC agrees that a TSTF Traveler can be used to address the issue. A June 2005 submittal date is acceptable. NRC supports the use of CLIIP to implement the final TSTF.

The scope of the TSTF should be "plant-specific systems that could be included within the scope of systems covered by 10 CFR 50.36(c)(1)(II)(A)." It seems they dont want to explicitly limit the scope of systems covered by a generic solution because to do so might not bound all plant-specific licensing bases.

NRC will not hold up any reviews of setpoint LARs based on Method 3; however, the RAIs will not go away. Any RAI conditioned on modifying Method 3 will be replaced with a RAI focused on compliance with 50.36. The replacement RAI will ask for two commitments and one Tech Spec:

- commitment to adopt the final TSTF

- commitment to assess operability

- a reset footnote in TS for the setpoint(s) in question NRC intends to issue a RIS to document the staffs position on how 50.36 relates to LSSS and periodic testing/calibration. NRC may issue additional generic correspondence as the issue resolution proceeds.

This NRC letter confirmed that the main focus of the NRC was not on compliance to 10 CFR 50.36. Additionally, since this was a compliance issue, a backfit evaluation was not required.

May 18, 2005 Based on the NRC position and additional discussions with specific NRC personnel, a concepts document was developed. This document proposed specific actions and notes to respond the NRCs compliance concerns and to define operability for instrument channels in TS.

NEI letter to NRC (Marion to Lyons). This letter documented what NEI believed to be NRCs position on setpoints, based on dialogue between the Tech Spec Task Force and NRCs Tech Spec Section. NRC continues to mischaracterize this letter as an "NEI proposal."

May 18, 2005 Page A.26

TSTF-493, Rev. 0 Mr. James E. Lyons Deputy Director, Division of Licensing Project Management Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555-0001

SUBJECT:

Instrumentation, Systems, and Automation Society S67.04 Methods for Determining Trip Setpoints and Allowable Values for Safety-Related Instrumentation The enclosed information is provided in response to your letter to me (same subject) dated March 31, 2005. It was developed by the NEI Setpoint Methods Task Force (SMTF) and represents what we believe to be a reasonable and responsive approach to resolution of the setpoints issue.

We request that NRC confirm that the concepts discussed in the enclosure provide a satisfactory basis for issue resolution. We further request an NRC/SMTF working meeting on either June 2nd or 3rd, 2005, to discuss the concepts and their translation to the Technical Specifications.

Industry has spent considerable time and effort working with NRC staff to develop a generic resolution of the setpoints issue that addresses NRC concerns. The SMTF is coordinating this generic resolution to ensure that all plants are aware of the generic issue and its potential impact. It is essential that the generic issue resolution process be applied to this TSTF and its implementation. Therefore, we request that NRC withdraw all requests for additional information (RAIs) that require operability determinations based on previous as-left conditions. It is important that NRC permit licensees with open LARs, and licensees that plan to submit LARs prior to the implementation of the generic resolution, to commit to evaluating the TSTF for plant-specific implementation after it has been approved and published by NRC.

If you have questions or require additional information, please contact me at 202.739.8080 (am@nei.org) or Mike Schoppman at 202.739.8011 (mas@nei.org).

Sincerely, Alexander Marion Enclosure c: Dr. B. W. Sheron, NRC Mr. M. E. Mayfield, NRC Mr. C. I. Grimes, NRC Mr. L. B. Marsh, NRC Dr. E. M. Hackett, NRC Mr. J. A. Nakoski, NRC Mr. W. D. Reckley, NRC Licensing Action Task Force Steering Group, NEI Setpoint Methods Task Force, NEI Page A.27

TSTF-493, Rev. 0 Enclosure Introduction The NEI Setpoint Methods Task Force (SMTF) has developed a set of concepts that will be used to prepare a Technical Specification Task Force (TSTF) Traveler for submittal to NRC. The SMTF believes that the concepts are responsive to the NRC letter dated March 31, 2005 (J. Lyons to A. Marion), on the subject of safety-related instrument setpoints and allowable values. These concepts represent a pathway toward resolution of NRC concerns about the calculation methodologies specified in ISA RP67.04. The concepts will be applied to limiting safety system setting (LSSS) values linked to safety limits as defined in 10 CFR 50.36 (typically a subset of RPS/ECCS or RTS/ESFAS).

Background

The NRC concern about the use of ANSI/ISA RP67.04 Method 3 for the calculation of allowable values has transitioned into a discussion about compliance with 10 CFR 50.36. It is our understanding that NRC plans to issue a corresponding Regulatory Issue Summary (RIS) in approximately three weeks.

The RIS is expected to inform addressees of the NRC position on the requirements of Title 10 of the Code of Federal Regulations, Section 50.36, "Technical Specifications." We understand that the RIS will require no action or written response, and that any licensee action in direct response to the RIS will be strictly voluntary. The NRC staff has indicated that final resolution of the setpoints issue can be achieved without its being considered a backfit under 10 CFR 50.109. Once the RIS has been issued, the NRC has indicated that a follow-up Generic Letter may be issued to request that licensees provide information on their methods of assuring compliance with 10 CFR 50.36. During discussions with NRR staff and with NRC supervisors at the section chief level, several concepts have been identified that are of critical importance to NRC reviewers. The NRC believes that these concepts must be addressed to comply with 10 CFR 50.36.

The concepts described below address two basic NRC issues to facilitate compliance to 10 CFR 50.36. The first issue is ensuring that the Safety Limit is protected by an appropriately determined calculated trip setpoint that has an appropriate reset requirement. Following a surveillance that demonstrates that the instrument is operable, the NRC staff expects that the as-left instrument setting will be returned to the trip setpoint established to protect the Safety Limit (i.e., returned to either the Limiting Trip Setpoint, or a Nominal Trip Setpoint that is more conservative than the Limiting Trip Setpoint).

The second issue is ensuring that operability and expected performance are confirmed during performance of the surveillance tests. Using the rules of Technical Specifications (TS), OPERABILITY is confirmed at the time of Page A.28

TSTF-493, Rev. 0 surveillance performance. In the current NUREGS for Standard Technical Specifications, this OPERABILITY verification is based on a single value (i.e., the Allowable Value) for single-column TS. Demonstration that a channel actually performs its intended safety function conservatively with respect to this value indicates that the channel is operable at the time of the test. Satisfactory performance of the surveillance requirement confirms that if an actual demand had required the channel to actuate it would have actuated to prevent the Analytical Limit and Safety Limit from being exceeded. The NRCs major concern is performance outside the expected range, in which case satisfactory completion of the surveillance requirement does not necessarily provide confidence that an instrument channel will continue to perform its intended safety function. The verification of expected instrument performance provides a level of confidence that the channel will continue to perform correctly during actual demand situations.

The following concepts will be applied in the proposed TSTF to address the NRC concerns:

1. TS Note and Bases - The Limiting Trip Setpoint shall be calculated consistent with the plant-specific methodology. The Limiting Trip Setpoint is the expected value for the trip. The as-left and as-found values may be less conservative than the Limiting Trip Setpoint by predefined tolerances (which were factored into the TSP calculation). This concept will be contained in the revised Bases discussion, and a note will be added to the TS to allow for as-found and as-left values less conservative than the Limiting Trip Setpoint, if identified in the TS.

This concept is related to the NRCs Trip Setpoint/Limiting Safety System Setting concern.

2. TS Note and Bases - The as-found trip setpoint must be verified within predefined limits (double-sided limits) based on the actual expected errors between calibrations. Exceeding the as-found limit may warrant additional evaluation and potential corrective action as necessary to ensure continued performance of the specified safety function. Normally the as-found predefined acceptance criteria will be equivalent to the errors verified during the surveillance (e.g. setting tolerance, drift, and M&TE). The methodology for calculating as-found predefined limits will be contained in the revised Bases discussion. The requirement to find the trip setpoint (during required surveillance testing) within the predefined limits will be added in a note to the TS. This concept is related to the NRCs operability concern.

3. TS Note - Reset or leave the Nominal Trip Setpoint within the reference accuracy or setting tolerance at the end of every surveillance that requires setpoint verification. The ability to reset the setpoint represents continued confidence that the channel can perform its intended safety function. The requirement to reset to the as-left tolerance will be added in a note to the TS.

This concept is related to the NRCs Trip Setpoint/Limiting Safety System Setting concern.

4. TS Note and Bases - The Nominal Trip Setpoint may be set more conservative than the Limiting Trip Setpoint. If the Nominal Trip Setpoint is set more conservative than the Limiting Trip Setpoint, the predefined limits for as-found and as-left values will be maintained around the more conservative Nominal Page A.29

TSTF-493, Rev. 0 Trip Setpoint. This clarification will be added in a note to the TS and a discussion in the Bases. This concept recognizes TS requirements, operational flexibility, and current plant practices.

5. Bases - While the predefined as-found tolerance band provides one definition of operability, the Allowable Value (defined as the least conservative as-found surveillance value) still defines the maximum possible value for process measurement at which the Analytical Limit is protected. The Allowable Value verifies that the Analytical Limit and Safety Limit are still protected at the time of the surveillance. Since OPERABILITY is determined at the time of performance, the fact that the tested trip point occurred conservative to the Allowable Value ensures that at that point in time the instrument would have functioned to protect the Analytical Limit. With the implementation of these concepts, calculation of the Allowable Value using any of the ISA S67.04 methods is acceptable. The Allowable Value will be documented in the TS.

This concept is related to the NRCs operability concern, but minimizes licensing changes. It is in accordance with the normal rules of the improved Standard Technical Specifications and is consistent with current practices.

6. Bases - Utilities may choose to maintain multiple column TS. However, the Trip Setpoint identified in the TS is expected to be the Limiting Trip Setpoint for the channel. The Limiting Trip Setpoint, if used, will be documented in the TS.

This concept, which minimizes licensing changes, is in accordance with the normal rules of the improved Standard Technical Specifications and is consistent with current practices. The Bases will be clarified to provide these options.

7. Concept - not in Bases (may be a part of the TSTF traveler) -

a. When a channels as-found value is outside the predefined tolerance range, the channel is declared inoperable. In this case the channel does not conform to the design-basis calculation. Since the results of the surveillance do not confirm operation within the assumed design limits, there shall be an immediate determination utilizing available information to ensure confidence of performance before the channel is declared operable. For example, this determination may include an evaluation of previous history, magnitude of change per unit time, response of instrument for reset, etc., to provide confidence that the channel is functional. The determination must conclude that the channel will perform its specified safety function. This determination, combined with resetting the trip setpoint, permits the channel to be declared operable and returned to service (i.e., declared OPERABLE).

Although the specifics of the "immediate determination" process as described above will not be included in the TS or the Bases, we anticipate that NRC will expect licensees to include a commitment in setpoint-related License Amendment Requests (LARs) to implement a corresponding process. This concept is related to the NRCs operability determination concern.

b. Any degraded instrument must be entered into the licensees "corrective action program" (or equivalent). A prompt determination is Page A.30

TSTF-493, Rev. 0 expected to validate the immediate determination (normally conducted within about 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ). The overall operability determination process continues to be updated as additional information becomes available.

The prompt determination may consider factors such as:

i. Is this a single out-of-tolerance condition for this instrument, or are there previous historical occurrences; ii. Is the instruments response repeatable; iii. Are there any reasonable explanations for the out-of-tolerance condition, such as:

Extreme or seasonal ambient environmental changes (temperature, pressure, etc.)

Human Performance or M&TE errors during the current calibration (or previous calibrations)

First-time implementation of calibration with better M&TE

First-time pressure set or deformation on a diaphragm (for a newly installed instrument)

Induced errors due to response time variations of the calibration input (for example, a thermal dispersion level measurement has a faster response time going from dry to wet than from wet to dry)

Known physical characteristic changes due to environment (for example, a JFET transistor junction getting smaller due to continuous high temperatures)

A 5% statistical outlier

The uncertainty calculation has not modeled the instrument correctly, and there is usage margin that can be used to protect the AL Although the specifics of the "prompt determination" process as described above will not be included in the TS or the Bases, we anticipate that NRC will expect licensees to include a commitment in setpoint-related License Amendment Requests (LARs) to implement a corresponding process. This concept is related to the NRCs operability determination concern.

c. The licensees "corrective action program" (or equivalent) is used to track degraded but OPERABLE instruments. It will define the need and threshold for trending. The plant must have confidence that abnormal conditions will be identified, tracked, and appropriate action taken. The trending process will not be included in the TS, but will be used to support corrective actions associated with inoperability based on as-found values outside of tolerance. Although the specifics of the trending process as described above will not be included in the TS or the Bases, we anticipate that NRC will expect licensees to include a commitment in setpoint-related License Amendment Requests (LARs) to implement a corresponding process. This concept is related to the NRCs operability determination concern.

Page A.31

TSTF-493, Rev. 0 June 2, 2005 During the June 02 2005 NRC/SMTF meeting, SMTF presented its position on the setpoints issue. The presentation was conducted as a working meeting, with free interchange of comments between NRC and the SMTF during the presentation.

The presentation explained seven concepts that NEI and the SMTF are prepared to sponsor in a TSTF Traveler for NRC review:

1. Limiting Trip Setpoint

2. As-found Trip Setpoint

3. Reset Setpoint

4. Limiting vs. Nominal

5. Allowable Value

6. Single-column vs. Multiple-column TS

7. Operability The first six concepts are identical to those described in NEIs letter to NRC (Marion to Lyons) dated May 18, 2005. Concept seven was modified from what appears in the letter (see SMTF presentation for the June 2 meeting).

SMTF Concerns At the beginning of the meeting, the SMTF highlighted two main concerns:

1. Operability framework (Concept 7 in the presentation)

2. NRC Requests for Additional Information (RAIs) filed against plant-specific License Amendment Requests (LARs)

OPERABILITY FRAMEWORK - The issue is the timing of the operability determination when the results of a surveillance test are outside a predefined tolerance range. NRC felt that the instrument must be declared inoperable and the LCO entered, even after reset, until an "immediate determination" is completed to confirm that the instrument is either "operable" or "degraded but operable." The SMTF explained the detailed field procedure that is followed by the technician (i.e., communicate suspect results to control room, troubleshoot the problem, take action to verify loop functionality, reset the instrument, and enter the condition in the "corrective action program"). NRC attendees seemed to accept this as an acceptable "immediate determination" process to verify instrument functionality such that reset would be sufficient and the LCO would not have to be entered.

PLANT-SPECIFIC RAIs - The SMTF reiterated its preference for handling this issue via the generic-issue resolution process and not the plant-specific RAI process. NRC attendees seemed willing to limit the RAIs to (1) calling for an interim TS note to require reset of Page A.32

TSTF-493, Rev. 0 the instrument(s) in the scope of the LAR if they are found outside a predefined tolerance range, and (2) calling for a commitment to consider the final TSTF after it is approved by NRC. The SMTF would not object if the RAIs are limited to these two items.

A resolution path was outlined for these concerns during the meeting.

NRC Caucus NRC offered four options for a TSTF Traveler:

1. Single-column Allowable Value (AV) designated as the Limiting Safety System Setting (LSSS). Only ISA Method 1 or 2 can be used in this option.

2. Single-column calculated (limiting) Trip Setpoint (LTSP) designated as the LSSS. Adding margin is acceptable, but the number must be in Tech Specs (TS). Including a second AV column is acceptable.

Licensees must commit to the "Ginna deviation limit" TS, or equivalent.

3. Single-column AV, but NOT designated as LSSS.

The LSSS would be the LTSP and would be maintained outside TS (incorporated by reference).

This option would require OGC concurrence.

4. Status quo. Single-column AV based on Method 3.

NRC has safety concern with this option (thus, it is not really an option).

NOTE: On June 3 2005, NRC sent an e-mail to NEI containing a variant of Option 3:

3. (Variant) Single-column AV, derived by any Method, designated the "as-found LSSS." When necessary, reset to the nominal trip setpoint (NTSP), which may also be the limiting trip setpoint (LTSP). Put LTSP (or a description of how to calculate the LTSP) in a TS footnote. Assess operability at each test (put a commitment to do so in a TS footnote, with details in Bases or other licensee controlled document).

Final Remarks by NEI

NRC staff has accepted Method 3 for the last 10-15 years. This has been documented in SERs, ACRS minutes, and reaffirmed to Page A.33

TSTF-493, Rev. 0 disposition an earlier DPO/DPV. NRC has the right to change regulatory position, but there has to be a demonstrated basis with a nexus to safety or compliance. This has not been shown.

Several utilities are giving serious consideration to submitting backfit appeals.

Industry is frustrated that efforts to be responsive to NRC concerns have not moved this issue closer toward resolution because we always regress to a discussion of the acceptability of ISA Method 3.

Industry provided a technical paper and an independent statistical analysis demonstrating the acceptability of Method 3, but we keep coming back to the NRC staffs little-documented opinion that Method 3 is unacceptable.

NRC not yet demonstrated to our satisfaction a basis for a safety case or a compliance issue.

June 30, 2005 NEI letter to NRC (Coyle to Dyer). This letter clarifies NEIs proposal as "reset only."

June 30, 2005 Mr. James E. Dyer Director, Office of Nuclear Reactor Regulations U.S. Nuclear Regulatory Commission Washington, DC 20555-0001

Dear Mr. Dyer:

Following up on our recent discussion concerning instrument setpoint methodologies, the industry has agreed to include a provision in each plants Technical Specifications for resetting an instrument when the "as found" setting is outside a predetermined tolerance band. This would be applicable to plants that currently use Method 3 as described in Instrumentation, Systems and Automation Society (ISA) Recommended Practice, S67.04. For Pressurized Water Reactor (PWR) plants, this includes the reactor trip system (RTS) and engineered safety features actuation System (ESFAS) trip setpoints. For Boiling Water Reactor (BWR) plants, this includes the Reactor Protection System (RPS) and the emergency core cooling system (ECCS) trip setpoints. From discussions with your staff the industrys current understanding is that Method 3, with this reset provision, addresses NRCs concerns with continued use of ISA Method 3.

A Technical Specification Task Force (TSTF) Traveler is under development with the Nuclear Steam Supply System (NSSS) Owners Groups. We anticipate the traveler will be submitted to NRC for review and approval in mid-August. Since this is a straightforward change, we envision Page A.34

TSTF-493, Rev. 0 final resolution to be documented via the consolidated line item improvement process (CLIIP) by the end of this year.

If you have any questions, please contact me at 202.739.8112; mtc@nei.org or Alex Marion at 202.739.8080; am@nei.org.

Sincerely, Michael T. Coyle c: Dr. Brian W. Sheron August 23, 2005 NRC letter to NEI (Boger to Marion). This letter describes concepts acceptable to the NRC to ensure compliance with 10 CFR 50.36. It goes well beyond NEIs June 30 proposal.

August 23, 2005 Mr. Alexander Marion Senior Director, Engineering Nuclear Generation Division Nuclear Energy Institute 1776 I Street, Suite 400 Washington, DC 20006-3708

SUBJECT:

INSTRUMENTATION, SYSTEMS, AND AUTOMATION SOCIETY (ISA) S67.04 METHODS FOR DETERMINING TRIP SETPOINTS AND ALLOWABLE VALUES FOR SAFETY-RELATED INSTRUMENTATION

Dear Mr. Marion:

The purpose of this letter is to respond to the information provided to the U.S. Nuclear Regulatory Commission (NRC) staff in your letter of May 18, 2005, during a public meeting on June 2, 2005, with the Nuclear Energy Institute (NEI) Setpoint Methods Task Force (SMTF), and in Mr. Michael Coyles letter of June 30, 2005. This information discusses instrument settings and the technical specifications (TSs) required for limiting safety system settings (LSSSs) related to plant safety limits (SLs). In the letter dated May 18, 2005, the NEI SMTF proposed seven concepts that could be used in the development of a Technical Specification Task Force (TSTF) change traveler that would address these issues generically. These concepts were clarified during the public meeting on June 2, 2005, and are further clarified in this letter.

Page A.35

TSTF-493, Rev. 0 The NRC staff believes that implementation of these concepts as described in this letter will satisfactorily address both the staffs and industrys concerns with instrument settings, and ensure compliance with Part 50 of Title 10 of the Code of Federal Regulations (10 CFR) section 50.36, "Technical Specifications." The staff does not anticipate further changes to these concepts, and intends to follow them in its current reviews of plant-specific license amendment requests. The staff believes that the NEI SMTF should incorporate these concepts into the TSTF that is planned to be submitted to NRC in late September 2005.

During the June 2, 2005, public meeting, the NRC staff and the NEI SMTF reached agreement on five of the seven concepts discussed in the letter of May 18, 2005. Specifically, agreement was reached on concept 1 ([limiting]

trip setpoint (TSP)); concept 2 (as-found trip setpoint), with a minor change that exceeding the predefined test acceptance criteria band "must" (vice "may") require additional evaluation; concept 3 (reset setpoint), and concept 6 (single-column vs. multiple-column TS). The staff and industry reached tentative agreement on concept 4 (limiting TSP vs. nominal TSP),

but adjourned the meeting in disagreement on concept 5 (allowable value).

Following the meeting, the staff developed an additional option for concept 5 that is acceptable to satisfy the requirements of 10 CFR 50.36. These agreements are discussed in more detail in Enclosure 1.

Subsequently, Mr. Coyles letter of June 30, 2005, to Mr. James Dyer (NRC) appeared to limit the scope of the concepts to be incorporated into the TSTF to only "resetting an instrument when the as found setting is outside a predetermined tolerance band," and to tie the resolution to Method 3 as described in ISA-RP67.04-1994, Part II, "Methodologies for the Determination of Setpoints for Nuclear Safety-Related Instrumentation."

Mr. Coyles letter stated that this was industrys current understanding based on discussions with the NRC staff. We agree that Mr. Coyles statement resolves many of the staffs concerns. However, it does not capture all of the concepts discussed in your May 18, 2005, letter, as clarified in the June 2 public meeting and the subsequent discussions that are documented in Enclosure 1. For example Mr. Coyles statement does not address concept 2 (as-found trip setpoint), which states that, if the as-found TSP exceeds the predefined test acceptance criteria band during periodic surveillances, additional evaluation and potential corrective action is warranted as necessary to ensure continued performance of the specified safety function. The NRC staff believes that implementation of all of the concepts is required to address the requirements of 10 CFR 50.36(c)(1)(ii)(A), and to address staff and industry concerns with instrument settings, including allowing continued use of Method 3 by licensees.

During the June 2 meeting, the NEI SMTF requested that the NRC staff provide additional information regarding its concerns with the analysis on Method 3 conducted by MPR Associates, which was provided to the staff in your letter of December 17, 2004. This additional information is in .

Page A.36

TSTF-493, Rev. 0 The NRC staff intends to issue a generic communication in the near future to document and facilitate implementation of the concepts in this letter. The staff intends to reference the TSTF in the generic communication, provided it is submitted in a timely manner and accurately implements the concepts.

In the interim, the staff intends to continue to process plant specific licensing amendment requests (LARs) consistent with the concepts. In the letter of May 18, NEI requested that the staff withdraw all requests for additional information for LARs associated with operability of instrument settings. As stated above, the staff believes that implementation of all of the concepts is required to address the requirements of 10 CFR 50.36. The staff believes that licensee responses to the RAIs that include TS requirements, which implement the concepts, described in the Enclosure to your May 18, 2005, letter (as discussed in Enclosure 1 of this letter) will be acceptable. A discussion related to NRC staff requests for additional information is provided in Enclosure 3.

The NRC staff points of contact for this issue are Mr. Tom Boyce and Mr.

Christopher Gratton. Mr. Boyce may be reached at 301-415-0184 or email at thb@nrc.gov; Mr. Gratton may be reached at 301-415-1055 or email at cxg1@nrc.gov.

Sincerely, Bruce A. Boger, Director Division of Inspection Program Management Office of Nuclear Reactor Regulation

Enclosures:

As stated cc: James Dyer, NRR Brian Sheron, ADPT Michael Mayfield, DE Dave Matthews, DRIP Tad Marsh, DLPM Jim Lyons, DSSA Mike Schoppman, NEI Enclosure 1 Agreements on Concepts in the NEI Letter of May 18, 2005 In a letter to Mr. James Lyons (NRC) of May 18, 2005, the Nuclear Energy Institute (NEI), based upon information developed by the Setpoint Methods Task Force (SMTF), proposed seven concepts that could be used in the development of a Technical Specification Task Force (TSTF) change traveler that would address issues regarding instrument setpoint and plant Technical Specifications (TS) generically.

Page A.37

TSTF-493, Rev. 0 During the June 2, 2005, public meeting, the NRC staff and the NEI SMTF reached agreement on five of the seven concepts discussed in the letter of May 18, 2005. Specifically, agreement was reached on concept 1 ([limiting]

trip setpoint (TSP)); concept 2 (as-found trip setpoint), with a minor change that exceeding the predefined test acceptance criteria band "must" (vice "may") require additional evaluation; concept 3 (reset setpoint), and concept 6 (single-column vs. multiple-column TS).

For concept 4 (limiting TSP vs. nominal TSP), the NRC staff agreed that a nominal TSP may be established that is more conservative than the limiting TSP. When a nominal TSP is used, the NRC staff agreed that the as-left TSP must be set to within the setting tolerance of the nominal TSP consistent with its agreement on concept 3. However, the NRC staff questioned the idea that the predefined test acceptance criteria band for as-found values be maintained around the nominal TSP versus the previous as-left TSP. As expressed during the meeting, the NRC staffs view was that these predefined test acceptance criteria bands should be based on the as-left TSP from the most recently completed surveillance.

Basing the predefined test acceptance criteria band on the previous as-left TSP ensures that the assumptions in the uncertainty analysis used to determine the limiting TSP remain unchanged.

During the meeting, the SMTF indicated that because of the small setting tolerance used when setting the TSP for the instrument channel, there would be little effect on the predefined test acceptance criteria band by using the nominal TSP versus the previous as-left TSP. The SMTF indicated that it would provide the NRC staff with information supporting this position. The NRC staff acknowledged that the use of the nominal TSP was acceptable provided detection of performance problems would be as effective as if the previous as-left TSP were used.

For concept 5 (allowable value), there was disagreement and extended discussions regarding the methodology used to calculate the allowable value designated as the limiting safety system setting (LSSS) in TS. The NRC staff proposed several options for follow-on discussion to resolve the issue, but the SMTF did not agree that any of these were an appropriate resolution. The staff agreed to reconsider the NEI SMTF proposal to retain a single column TS format that uses allowable values (AVs) determined using any of the three methods described in ISA-RP67.04, Part II-1994, "Methodologies for the Determination of Setpoints for Nuclear Safety-Related Instrumentation."

Subsequently, the NRC staff developed an additional option for concept 5 that it found acceptable to satisfy the requirements of Part 50 of Title 10 of the Code of Federal Regulations (10 CFR) section 50.36. The option retained the concept of the AV based in a single column TS format, and the AV could be determined based on any of the methodologies in ISA-RP67.04, Part II-1994. Under this option, the instrument channel must be reset to within the setting tolerance of the nominal TSP, which may also be the limiting TSP, but is usually more conservative, and the capability of the instrument channel to function as required within the predefined test Page A.38

TSTF-493, Rev. 0 acceptance criteria band (consistent with concept 4) must be assessed.

Further, the AV is an operability limit for the channel, and would not be designated as the LSSS. The LSSS would be the limiting TSP which accounts for the credible uncertainties associated with the instrument channel.

The specifics on how to designate the LSSS in TSs should be developed as part of a TSTF implementing these concepts. The concepts call for the limiting TSP to be the LSSS, vice the AV. Since 10 CFR 50.36 requires that the LSSS be included in the TS, either the limiting TSP value or a reference to the method for determining the limiting TSP value needs to be specified in the TS. The value or the description of the factors used to determine the value would be determined consistent with a licensees current setpoint methodology. The method of determining the limiting TSP, the as-found instrument channel setpoint acceptance criteria band, and the as-left instrument channel setpoint tolerance band would be specified in the Updated Final Safety Analysis Report (UFSAR) or a document incorporated into the UFSAR such as the technical requirements manual.

Significant discussions were held during the June 2 meeting regarding concept 7 (operability). As clarified below, the NRC staff and the NEI SMTF agreed on concept 7:

1. If the as-found TSP is found to be non-conservative with respect the the AV specified in the TSs, the channel is required to be declared inoperable and the associated TS action statement must be followed.

2. If the as-found TSP is found to be conservative with respect to the AV, and outside the predefined test acceptance criteria band, but the licensee is able to determine that the instrument channel is functioning as required and the licensee can reset the channel to within the setting tolerance of the limiting TSP, or a value more conservative than the limiting TSP, then the licensee may consider the channel to be operable. If the licensee cannot determine that the instrument channel is functioning as required, the channel is required to be declared inoperable and the associated TS actions must be followed.

3. If the as-found TSP is outside the predefined test acceptance criteria band, the condition must be entered into the licensees corrective action program for further evaluation.

Enclosure 2 NRC Staff comments on MPR Associates Analysis on Method 3 An area of discussion between the NRC staff and the Setpoint Methods Task Force (SMTF) relates to the analysis on Method 3 conducted by MPR Associates provided in the NEI letter of December 17, 2004. In that letter, it Page A.39

TSTF-493, Rev. 0 is stated "[t]he independent review (enclosed) concludes that ISA Method 3 provides adequate protection." The overall conclusion of the MPR Associates analysis is best summed up by the last paragraph of the paper:

Safety channel operability is monitored and maintained both through periodic, measurement based surveillance testing and recalibration. The Analytical Limit [AL] is protected by the trip setpoint, not the Allowable Value, and the setpoint drift is, in practice, kept small by a tight recalibration tolerance band.

Because of this and our Monte Carlo simulation results, we have no concern that the use of ISA Method 3 for establishing the Allowable Value for surveillance tests leads to a generic safety concern.

The NRC staff agrees with the conclusion that the AL is protected by resetting the instrument trip setpoint (TSP) at, or more conservative than, the limiting setpoint (LSP) during surveillance testing and recalibration. The MPR report mathematically supports the staff and industry agreement that a properly-derived LSP ensures adequate protection of the AL if the channel setpoint is returned to the LSP at the beginning of each test interval. Note that each Monte Carlo simulation trial in the report begins with the channel setpoint equal to the LSP. This is based on the fact that the LSP accounts for the credible uncertainties associated with the instrument channel (e.g., total loop uncertainty).

However, the NRC staff notes that licensees with allowable value (AV) based technical specifications (TSs) do not currently have a regulatory requirement for the licensee to reset the instrument to the LSP (within a specified tolerance). Since licensees are not required to control the instrument setting based on the LSP, they could potentially leave an instrument setpoint set at the AV after periodic operational testing or calibration. This would not be consistent with the assumption of the MPR Associates analysis (in which the instrument was reset to the LSP that accounts for the credible uncertainties at the beginning of each monte carlo simulation). The staff understands from your input that resetting is consistent with typical industry practices. However, without a clear regulatory requirement to reset the instrument to the LSP, the NRC staff assumes in its regulatory decision making process that the AV becomes the de facto worst-case setpoint and therefore, the total loop uncertainty must be added to the AV when assessing whether the instrument is capable of protecting the SL.

Stated in more analytical terms, since the report assumes instruments are reset to a nominal setpoint, it does not analyze the influence of instruments where as-left setpoints can vary up to the AV. Therefore, it does not yield a quantitative assessment of the effectiveness of AVs determined either using Method 2 (AV2) or Method 3 (AV3) by themselves as a limiting value for the protection of the AL. Because the as-found setpoint is permitted to vary stochastically around a nominal setpoint, rather than being fixed at the AV being investigated, many trials are deemed successful in support of the AV when, in fact, the as-found value is unrelated to the AV. This artificially Page A.40

TSTF-493, Rev. 0 inflates the fraction of trials that appear to be successful, and, therefore, dilutes the assessment of the fraction that fail. Trials having as-found values that are not equal to the AV do not test the AV and should not be counted at all. The resulting statistics therefore apply to the efficacy of the combination of LSP and AV together in the protection of the AL, rather than to the efficacy of the AV itself. Those statistics relate to the overall probability that the channel will protect the AL (absent hardware failures).

Applying the 95/95 criterion to this overall effectiveness statistic, rather than just to the AV effectiveness statistic, would constitute acceptance of a significant increase in the overall likelihood of failure to protect the AL.

The report confirms that an AV based on AV2 provides more certain protection of the AL than does AV3, and therefore that AV2 is more conservative than AV; however, it does not demonstrate the effectiveness of either AV2 or AV3 in protecting the AL.

Enclosure 3 License Amendment Requests for changes to TS Setpoint Allowable Values In the NEI letter of May 18, 2005, the NRC staff was requested to withdraw all requests for additional information (RAIs) for licensing action requests (LARs) associated with operability of instrument settings. The staff believes that demonstration of the operability of instruments is required to ensure compliance with the requirements of Part 50 of Title 10 of the Code of Federal Regulations (10 CFR) section 50.36(c)(3) which requires that TS surveillances demonstrate that the plant is operating within its safety limits.

Verification that the instrument is functioning as required is an integral part of this periodic testing. In addition, Section 50.36(c)(1)(ii)(A), which discusses the requirements for limiting safety system settings (LSSS),

states that "If, during operation, it is determined that the automatic safety system equipment does not function as required (emphasis added), the licensee shall take appropriate action, which may include shutting down the reactor." This latter requirement is unique to automatic safety system equipment.

The staffs position is that simply resetting an instrument whose setpoint is found outside the predefined test acceptance criteria band back to its nominal setpoint and entering the data into a corrective action program, without a prompt evaluation of the condition, is not sufficient to determine the operability of the instrument that is being placed back into service. This is because an instrument may be degraded or fail due to conditions other than statistical variations in uncertainties, including drift. The staff and the NEI SMTF reached agreement on this issue during the June 2 meeting as part of Concept 2 (as-found trip setpoint) of the May 18, 2005, letter. This letter states that, if the as-found TSP exceeds a predefined test acceptance criteria band during periodic surveillances, additional evaluation and potential corrective action "is" (emphasis added) warranted (a change from Page A.41

TSTF-493, Rev. 0 "may be warranted" was agreed to during the meeting) as necessary to ensure continued performance of the specified safety function.

Incorporating this requirement into TS provides reasonable assurance that at the next surveillance the as-found value of the TSP will continue to protect plant safety limits.

Concept 7 (Operability) discusses factors that could be considered in this evaluation. It should be noted that, although the TS would contain a note to verify that the as-found TSP was within the predefined test acceptance criteria band and that exceeding the limits would warrant additional evaluation, the detailed discussion of the evaluation process and the factors to be considered would not be required in either the TS or the Bases, and that the process for evaluation is consistent with the guidance that has recently been developed by the staff and the NEI Operability Determination Process Task Force as part of the effort to revise the operability guidance in Generic Letter 91-18.

More broadly, the staff will continue to issue RAIs similar to those in the enclosure to its letter to NEI from James Lyons (NRC) dated March 31, 2005, (Agencywide Documents Access and Management Systems, Accession No. ML050870008) for LARs that change LSSSs, but do not include the TS requirements described above for the LSSSs. This information is necessary in order for the NRC staff to determine whether the LAR complies with NRC rules and regulations, a finding needed to support the issuance of the LAR. The staff believes that licensee responses to the RAIs that include TS requirements which implement the concepts described in the Enclosure to the May 18, 2005, letter (as discussed in Enclosure 1 of this letter) will be acceptable. One of the RAIs requested that the licensee provide a brief description of the methodology used to determine its setpoints. The purpose of this request was to solicit information from the licensee to determine whether TSPs were calculated in a manner that accounted for credible uncertainties associated with the instrument channel. This could be accomplished by referring to Regulatory Guide 1.105, "Setpoints for Safety-Related Instrumentation," or an NRC approved plant-specific setpoint methodology. In addition, a predefined test acceptance criteria band should be developed consistent with the assumptions and uncertainties associated with the tested portion of the instrument channel and the determination of the TSP calculated to protect the safety limits. This information is necessary for the NRC staff to conclude that the TSP provides reasonable assurance that the safety limits will be protected, a finding necessary to support issuance of the LAR.

Page A.42

TSTF-493, Rev. 0 September 7, 2005 NRC letter to NEI (Heiland to Schoppman). The letter contains a standard position on TS footnotes and Bases pertaining to setpoint LARs. It is guidance to reviewers and PMs and is intended to stabilize the NRC response to setpoint LARs in the near term.

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D. C. 20555-0001 September 7, 2005 NEI Setpoint Methods Task Force c/o Mr. Michael A. Schoppman Nuclear Energy Institute 1776 I Street, N. W.

Suite 400 Washington, DC 20006-3708

Dear Mr. Schoppman:

SUBJECT:

TECHNICAL SPECIFICATION FOR ADDRESSING ISSUES RELATED TO SETPOINT ALLOWABLE VALUES

Reference:

Bruce A. Boger (NRC) letter to A. Marion (NEI),

"INSTRUMENTATION SYSTEMS, AND AUTOMATION SOCIETY (ISA) S67.04 METHODS FOR DETERMINING TRIP SETPOINTS AND ALLOWABLE VALUES FOR SAFETY-RELATED INSTRUMENTATION " dated August 23 2005 In the reference letter, the Nuclear Regulatory Commission (NRC) staff responded to the Nuclear Energy Institute (NEI) Setpoint Methods Task Force (SMTF) issues on instrument settings and the technical specifications (TSs) required for limiting safety system settings related to plant safety limits. The letter also clarified the staff positions on the seven concepts proposed by the NEI SMTF that could be used in the development of a Technical Specification Task Force (TSTF) change traveler for addressing these issues generically. Enclosed are draft changes to plant TSs that are acceptable to the NRC staff for implementing the concepts in the reference letter related to setpoint allowable values for safety related instrumentation. The staff intends to use these TSs in its reviews of plant-specific license amendment requests and in its review of the TSTF.

Page A.43

TSTF-493, Rev. 0 Specifically, Part A provides two notes that apply to setpoint verification surveillances needed to address instrument trip setpoint allowable value issues, and Part B is a check list that provides the TS Bases content for the two notes in Part A. We believe that the TS Notes and the discussion of the content for the related TS Bases will satisfactorily address both the NRC staffs and industry s concerns with instrument settings, and ensure compliance with Title 10 of the Code of Federal Regulations (10 CFR)

Section 50.36, "Technical Specifications.

Please contact Carl Schulten at (301) 415- 1192 or e-mail css1@nrc.gov if you have any questions or need further information.

Sincerely, Patrick L. Hiland, Chief Reactor Operations Branch Division of Inspection Program Management Office of Nuclear Reactor Regulation

Enclosure:

As stated cc w/encl: D, Hoffman, EXCEL J. Voss, EXCEL TECHNICAL SPECIFICATIONS FOR LICENSE AMENDMENT REQUESTS RELATED TO SETPOINT ALLOWABLE VALUES FOR SAFETY-RELATED INSTRUMENTATION A. Technical Specification (TS) Notes for SMTF Agreement Concepts Note 1: If the as-found channel setpoint is conservative with respect to the Allowable Value but outside its predefined as-found acceptance criteria band, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service. If the as-found instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.

Note 2: The instrument channel setpoint shall be reset to a value that is within the as-left tolerance of the (Limiting Trip Setpoint*, or a value that is more conservative than the Limiting Trip Setpoint); otherwise , the channel shall be declared inoperable. The (Limiting Trip Setpoint) and the methodology** used to determine the (Limiting Trip Setpoint), the predefined as-found acceptance criteria band

, and the as-left setpoint tolerance band are specified in the UFSAR (or Bases) (or a document incorporated into the UFSAR such as the technical requirements manual).

Page A.44

TSTF-493, Rev. 0

Reviewers Note: the words "Limiting Trip Setpoint" are generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in the UFSAR, or Bases, or a document incorporated into the UFSAR such as the technical requirements manual. The nominal Trip Setpoint (field setting) may use a setting value that is more conservative than the Limiting Trip Setpoint, but for the purpose of TS compliance with 10 CFR 50. ,

the plant-specific setpoint term for the Limiting Trip Setpoint must be cited in Note 2. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC staff.

- The NRC staff will review and approve the methodology supporting the requested changes in the LAR.

B. Check List for Development of TS Using SMTF Agreement Concepts The items that follow are intended for the review of plant-specific license amendment requests for changes to TS setpoint Allowable Values. The TS Bases shall be included with the license amendment application and will be reviewed by the NRC staff, to ensure consistency with the TS and design bases for the plant.

1. Note 1 and Note 2 above pertain to setpoint verification surveillances for instrument functions on which a safety limit has been placed. In accordance with 10 CFR 50.36 these functions are limiting safety system settings (LSSS). Note and 2 can be incorporated into LCO surveillances or the notes can be used as footnotes to surveillances listed in the instrumentation tables for specific functions.

2. The TS Bases shall contain a statement that the Limiting Trip Setpoint is based on the calculated total loop uncertainty per the plant-specific methodology documented in the UFSAR (or a document incorporated into the UFSAR such as the technical requirements manual). Regulatory Guide 1.105, " Setpoints for Safety-Related Instrumentation" provides an acceptable methodology.

3. The TS Bases shall include a statement that the Limiting Trip Setpoint is the LSSS required by 10 CFR 50.36. The TS Bases for Note 1 and Note 2 shall explain the basis for the notes including why the notes are applicable to specific instrument functions. The revised Bases shall include a discussion about entering degraded instrument channels into the plant-specific corrective action program. Degraded instruments are those that are not functioning as required.

4. As an alternative to a license commitment (reference: NRC Page A.45

TSTF-493, Rev. 0 letter dated March 31, 2005 from J. Lyons to A. Marion (NEI)) to assess the operability of tested instrumentation for meeting Note 1, the TS Bases may include discussion regarding the evaluation of a channel to verify that it is functioning as required before returning the channel to service when the channel's as-found channel setpoint is found to be conservative with respect to the Allowable Value, but outside its as-found predefined acceptance criteria band. This establishes a TS Bases presentation that is consistent with agreement concept 7 of NEI letter dated May 18, 2005 from A. Marion to J. Lyons (NRC). In general, operability of instruments is treated as outlined below:

1) If the as-found TSP is found to be non-conservative with respect to the AV specified in TSs, the channel is declared inoperable and the associated TS action statement must be followed.

2) If the as-found TSP is found to be conservative with respect to the AV, and outside the as-found predefined acceptance criteria band, but the licensee is able to determine that the instrument channel is functioning as required and the licensee can reset the channel to within the setting tolerance of the limiting TSP or a value more conservative than the limiting TSP, then the licensee may consider the channel to be operable. If the licensee cannot determine that the instrument channel is functioning as required, the channel is declared inoperable and the associated TS actions must be followed.

3) If the as-found TSP is outside the as-found predefined acceptance criteria band the condition must be entered into the licensees corrective action program for further evaluation.

September 8, 2005 Summary of SMTF telecom on September 8, 2005.

Telecon

Participants:

Ed Weinkam (NMC), Bill Sotos (STP/ISA), Bob Fredricksen (Exelon), Don Woodlan (STARS), Don Hoffman (Excel/TSTF), Jerry Voss (Excel/ISA), Chris Kerr (Exelon), Patrick Simpson (Exelon), Ron Jarrett (TVA), Tony Langley (TVA), Tim Byam (Exelon), Mike Eidson (SNC), Pete Kokolakis (Entergy North), Jim Andrachek (Westinghouse), Dave Willis (APS), Alex Marion (NEI),

Mike Schoppman (NE), three representatives at Diablo Canyon, and one representative at Monticello.

Telecon Objectives:

Page A.46

TSTF-493, Rev. 0 (1) Discuss NRCs 8/23/05 Boger letter (attached)

(2) Discuss NRCs 9/8/05 Hiland letter (attached)

(3) Discuss near-term and long-term options (4) Schedule next telecon Highlights:

NRC is determined to increase its enforcement authority with respect to reset and operability of LSSS instrumentation. This appears to be a Branch position that NRC management and OGC are willing to accept, i.e.,

it is bottom-up rather than top-down.

The SMTF has concerns in three areas: technical, process, and Tech Specs. For technical issues, SMTF is supporting ISA; for process issues, SMTF is supporting the LATFs Generic Issues Management (GIM) team; for Tech Spec issues, SMTF is supporting the Tech Spec Task Force (TSTF).

Potential hard spots with the NRC position are (a) as-found/as-left acceptance criteria, (b) post-test treatment of instrument operability, (c) cant use AV as LSSS, and (d) scope of applicability beyond LSSS instruments. We do not have a concern with reset.

Few if any licensees are in a position to resist new TS footnotes on reset and operability, especially when they pertain to important License Amendment Requests (LARs) such as uprates or extending cycle length.

This increases the need for a near-term NRC/SMTF consensus to stabilize NRC reviewer treatment of setpoint LARS. The TSTF has developed separate Traveler options for the current SMTF position of "reset only" and for the NRC staffs position described in their two most recent letters (attached).

With respect to hard spot (a), NRC has not taken its "deviation limit" concept off the table. ISA (Fredricksen) is preparing a position paper and will likely need a meeting with NRC to discuss scope and as-found tolerance band.

A revised ISA standard is at least nine (9) months from publication. It has been approved by subcommittee. Additional steps before publication are 67.04 committee approval, ISA board approval, and public comment.

The TSTF has recovered the history describing which LSSS are linked to safety limits.

The SMTF needs to absorb the most recent NRC letter received 9/8/05 before the next telecon.

The SMTF will remain an active task force for the following reasons: (a) participate in TSTF Traveler comments, (b) avoid sending a capitulation message to NRC, (c) act as coordinating point of contact with ISA, Owners Groups, TSTF, and NRC, and (d) prepare response to anticipated NRC Page A.47

TSTF-493, Rev. 0 generic communications on setpoints.

The next telecon to discuss follow-up options (see below) is scheduled for September 15 at 11 am Eastern. Call 719-955-1361, passcode 261971.

Options:

Technical Options 3/4 SMTF prepare a formal technical position 3/4 SMTF rely on ISA standard and position paper as its technical position

Process Options 3/4 SMTF prepare a generic backfit claim (NRC is using a new/different compliance position/interpretation) 3/4 Refer process concerns to the LATF GIM Team for follow-up

TSTF Traveler Options 3/4 No Traveler 3/4 Reset footnote only (current position) 3/4 Reset footnote + operability footnote (stop short of Hiland letter) 3/4 Reset footnote + operability footnote (conform to Hiland letter)

September 15, 2005 Summary of SMTF telecom on September 15, 2005.

Participants:

Willis, Fredricksen, Kerr, Woodlan, Hoffman, Voss, Rogers, Eidson, Stringfellow, Sotos, Jarrett, Schoppman, Marion

References:

1. Summary of SMTF Telecon on 9/8/05

2. NRC letter (Hiland) to SMTF dated 9/7/05 Discussion of Technical Options:

Option 1 - SMTF prepare a formal technical position Option 2 - SMTF rely on ISA standard and position paper as its technical position Consensus - Do both.

Schoppman prepare a draft letter to NRC (technical and process position statement). Distribute it in September for SMTF review.

ISA revise the Standard and Recommended Practice documents. The Standard revision is ~8-9 months away. The companion RP revision has just begun.

Fredricksen prepare a position paper (setpoint performance testing).

Distribute it in September for SMTF review. It will be a program document Page A.48

TSTF-493, Rev. 0 to address the technique of performing a surveillance test. It will provide details on how to develop acceptable performance criteria. It will describe how test results are to be treated by the licensee's organization (I&C technicians, engineering department, operations department, licensing department). It is not intended for Tech Specs or Bases.

Discussion of Process Options:

Option 1 - SMTF prepare a generic position statement or backfit claim Option 2 - SMTF refer process concerns to the NEI LATF Generic Issues Management (GIM) Team for follow-up Consensus - Do both.

SMTF stay involved in the short term discussions with NRC on the setpoints issue.

Defer to NEI for long-term strategy within the broader context of GIM.

Discussion of Traveler Options:

Option 1 - No Traveler Option 2 - Reset footnote (per NEI 6/30/05 letter to NRC)

Option 3 - Reset footnote + operability footnote that stops short of the 9/7/05 NRC letter, i.e., develop a new approach consistent with ISA but not tied to NRC letter Option 4 - Reset footnote + operability footnote that is consistent with the SMTF's understanding of the 9/7/05 NRC letter Consensus - Option 4. Develop a forward-looking TSTF Traveler. The second footnote should use the terminology "performance test" rather than "operability." Performance testing guidance should be placed in a licensing basis document, not the Tech Specs.

Submit Traveler to NRC by the end of November 2005.

1. draft to SMTF and TSTF chairpersons

2. draft to WOG and BWROG

3. finalize Traveler

4. submit to NRC Additional Notes:

The SMTF consensus is to try to work with NRC within the framework of the NRC's 9/7/05 letter.

There is a difference between (i) a permanent, resilient revision to the improved STS (i.e., "doing the right thing"), and (ii) a compromise revision to the iSTS that frees the LAR hostages (i.e., "doing the practical thing").

We have chosen (b) in the near term.

The TSTF believes that the scope issue (i.e., which LSSS instruments should be subject to the new TS footnotes) can be resolved generically during review of the Traveler.

NEI will advise the BWROG of issue status and request their input.

Page A.49

TSTF-493, Rev. 0

NEI will work with the NEI General Counsel to determine NRC OGC's role in the staff's [new] position on compliance with 10 CFR 50.36(c)(1)(ii)(A).

Further dialogue will be needed with NRC to document agreements on definitions and implementation details.

Follow-up NRC/NEI Telecon @ 2:30 p.m. on 9/15/05:

Participants:

Coyle, Marion, & Schoppman for NEI. Boger, Hiland, & Schulten for NRC.

NEI advised NRC that the SMTF supports submittal of a TSTF Traveler that is consistent with the intent of NEI's 5/18/05 letter to NRC and the SMTF's reading of the intent of NRC's 9/7/05 letter to the SMTF. In addition, NEI advised NRC of the SMTF position on the following four points:

1. The scope of 10 CFR 50.36(c)(1)(ii)(A) 10 CFR 50.36(c)(1)(ii)(A) states, in part, "Where a limiting safety system setting is specified for a variable on which a safety limit has been placed, the setting must be so chosen that automatic protective action will correct the abnormal situation before a safety limit is exceeded." The SMTF interpretation strictly limits the scope to LSSS instruments documented in the plant-specific design basis as protecting safety limits.

2. The meaning of the double-asterisk footnote1 in the NRC 9/7/05 letter NRC-approved methods documented in the plant-specific licensing basis should not be subject to re-review at the sole discretion of the technical reviewer(s). The SMTF would consider such treatment a backfit under 10 CFR 50.109.

3. The role of the ISA Position Paper The paper will represent the ISA/SMTF position with respect to setpoint performance testing. The SMTF intends to treat the paper as explanatory programmatic information, not as a requirement or criteria document.

4. The need for another public meeting The SMTF supports additional meetings if they will help end the setpoint disagreements between licensees and the NRC staff to our mutual satisfaction.

1 The NRC staff will review and approve the methodology supporting the requested changes in the LAR.

Page A.50

TSTF-06-03, TSTF-493, Revision 0, Clarify Application of Setpoint Methodology for LSSS Functions.

Contents

Text

SUBJECT:

Dear Sir or Madam:

Contact:

Description:

Description:

Description:

Description:

Description:

Description:

Description:

Description:

Description:

Description:

Description:

3.0 Background

3.0 TECHNICAL EVALUATION

SUBJECT:

SUBJECT:

Background

Dear Mr. Dyer:

SUBJECT:

Dear Mr. Marion:

Enclosures:

Dear Mr. Schoppman:

SUBJECT:

Reference:

Enclosure:

Participants:

Participants:

References:

Participants:

Navigation menu

TSTF-06-03, TSTF-493, Revision 0, Clarify Application of Setpoint Methodology for LSSS Functions.

Text

SUBJECT:

Dear Sir or Madam:

Contact:

Description:

Description:

Description:

Description:

Description:

Description:

Description:

Description:

Description:

Description:

Description:

3.0 Background

3.0 TECHNICAL EVALUATION

SUBJECT:

SUBJECT:

Background

Dear Mr. Dyer:

SUBJECT:

Dear Mr. Marion:

Enclosures:

Dear Mr. Schoppman:

SUBJECT:

Reference:

Enclosure:

Participants:

Participants:

References:

Participants:

Navigation menu

Search