ONS-2015-006, Technical Specification (TS) Bases Change: Difference between revisions

From kanterella
Jump to navigation Jump to search
(Created page by program invented by StriderTol)
(Created page by program invented by StriderTol)
 
(One intermediate revision by the same user not shown)
Line 3: Line 3:
| issue date = 01/29/2015
| issue date = 01/29/2015
| title = Technical Specification (TS) Bases Change
| title = Technical Specification (TS) Bases Change
| author name = Batson S L
| author name = Batson S
| author affiliation = Duke Energy Carolinas, LLC
| author affiliation = Duke Energy Carolinas, LLC
| addressee name =  
| addressee name =  
Line 16: Line 16:


=Text=
=Text=
{{#Wiki_filter:DUKE Scott L. Batson Vice President ENE LRGYIOconee Nuclear Station Duke Energy ONOIVP 1 7800 Rochester Hwy Seneca, SC 29672 10 CFR 50.36 o: 864.873.3274 f 864.873.4208 ONS-2015-006 Scott.Batson@duke-energy.com January 29, 2015 ATTN: Document Control Desk U.S. Nuclear Regulatory Commission 11555 Rockville Pike Rockville,.
{{#Wiki_filter:DUKE ENE  LRGYIOconee Vice President Scott L. Batson Nuclear Station Duke Energy ONOIVP 17800 Rochester Hwy Seneca, SC 29672 10 CFR 50.36                                           o: 864.873.3274 f 864.873.4208 ONS-2015-006                                                                           Scott.Batson@duke-energy.com January 29, 2015 ATTN: Document Control Desk U.S. Nuclear Regulatory Commission 11555 Rockville Pike Rockville,. Maryland 20852
Maryland 20852  


==Subject:==
==Subject:==
Duke Energy Carolinas, LLC Oconee Nuclear Station
Duke Energy Carolinas, LLC Oconee Nuclear Station Docket Numbers 50-269, 50-270, and 50-287 Technical Specification (TS) Bases Change Please find attached changes to the Oconee Nuclear Station (ONS) TS Bases. These changes were processed in accordance with the provisions of Technical Specification 5.5
10 CFR 50, Appendix G (Ref. 1), requires the establishment of P/T limits for material fracture toughness requirements of the RCPB materials.
10 CFR 50, Appendix G (Ref. 1), requires the establishment of P/T limits for material fracture toughness requirements of the RCPB materials.
Reference 1 requires an adequate margin to brittle failure during normal operation, anticipated operational occurrences, and system hydrostatic tests. It mandates the use of the American Society of Mechanical Engineers (ASME), Boiler and Pressure Vessel Code, Section III, Appendix G (Ref. 2).Linear elastic fracture mechanics (LEFM) methodology is used to determine the stresses and material toughness at locations within the RCPB. The LEFM methodology follows the guidance given by 10 CFR 50, Appendix G; ASME Code, Section III, Appendix G; and Regulatory Guide 1.99 (Ref. 3).OCONEE UNITS 1, 2, & 3 B 3.4.3-1 BASES REVISION DATED 01/14/15 1 RCS P/T Limits B 3.4.3 BASES BACKGROUND Material toughness properties of the ferritic materials of the reactor (continued) vessel are determined in accordance with ASTM E 185 (Ref. 4), and additional reactor vessel requirements.
Reference 1 requires an adequate margin to brittle failure during normal operation, anticipated operational occurrences, and system hydrostatic tests. It mandates the use of the American Society of Mechanical Engineers (ASME), Boiler and Pressure Vessel Code, Section III, Appendix G (Ref. 2).
These properties are then evaluated in accordance with Reference 2.The actual shift in the nil ductility reference temperature (RTNDT) of the vessel material will be established periodically by evaluating the irradiated reactor vessel material specimens, in accordance with ASTM E 185 (Ref. 5) and Appendix H of 10 CFR 50 (Ref. 5). The operating P/T limit curves will be adjusted, as necessary, based on the evaluation findings and the recommendations of Reference 2.The P/T limit curves are composite curves established by superimposing limits derived from stress analyses of those portions of the reactor vessel and head that are the most restrictive.
Linear elastic fracture mechanics (LEFM) methodology is used to determine the stresses and material toughness at locations within the RCPB. The LEFM methodology follows the guidance given by 10 CFR 50, Appendix G; ASME Code, Section III, Appendix G; and Regulatory Guide 1.99 (Ref. 3).
At any specific pressure, temperature, and temperature rate of change, one location within the reactor vessel will dictate the most restrictive limit. Across the span of the P/T limit curves, different locations are more restrictive, and, thus, the curves are composites of the most restrictive regions.The heatup curve represents a different set of restrictions than the cooldown curve because the directions of the thermal gradients through the vessel wall are reversed.
OCONEE UNITS 1, 2, & 3                     B 3.4.3-1       BASES REVISION DATED 01/14/15         1
The thermal gradient reversal alters the location of the tensile stress between the outer and inner walls.The calculation to generate the LH testing curve uses different safety factors (per Ref. 2) than the heatup and cooldown curves.The P/T limit curves and associated temperature rate of change limits are developed in conjunction with stress analyses for large numbers of operating cycles and provide conservative margins to nonductile failure.Although created to provide limits for these specific normal operations, the curves also can be used to determine if an evaluation is necessary for an abnormal transient.
 
As stated in the tables associated with this LCO, reactor coolant (RC)temperature is cold leg temperature if one or more RC pumps are in operation; otherwise, it is the LPI cooler outlet temperature.
RCS P/T Limits B 3.4.3 BASES BACKGROUND       Material toughness properties of the ferritic materials of the reactor (continued)     vessel are determined in accordance with ASTM E 185 (Ref. 4), and additional reactor vessel requirements. These properties are then evaluated in accordance with Reference 2.
An analysis examined the effects of initiating flow through a previously idle LPI train (i.e. either placing a train of LPI in operation or swapping from one train to the other) when none of the RC pumps are operating.
The actual shift in the nil ductility reference temperature (RTNDT) of the vessel material will be established periodically by evaluating the irradiated reactor vessel material specimens, in accordance with ASTM E 185 (Ref. 5) and Appendix H of 10 CFR 50 (Ref. 5). The operating P/T limit curves will be adjusted, as necessary, based on the evaluation findings and the recommendations of Reference 2.
The analysis assumed the initial temperature of the fluid entering the vessel to be the lowest expected temperature in an idle LPI cooler. As RC fluid is pumped through the system and returns to the reactor vessel, the temperature increases to a "stable" value. The duration of the temperature excursion is dependent on LPI flow and volume of the piping system. This analysis has determined that the brief temperature excursion caused by the fluid initially in the idle LPI train can be accommodated if, at the time the LPI header is put in service, the RCS pressure is less than 295 psig (Instrument Uncertainty Adjusted).
The P/T limit curves are composite curves established by superimposing limits derived from stress analyses of those portions of the reactor vessel and head that are the most restrictive. At any specific pressure, temperature, and temperature rate of change, one location within the reactor vessel will dictate the most restrictive limit. Across the span of the P/T limit curves, different locations are more restrictive, and, thus, the curves are composites of the most restrictive regions.
This value is less limiting than the OCONEE UNITS 1, 2, & 3 B 3.4.3-2 BASES REVISION DATED 01/14/15 I RCS P/T Limits B 3.4.3 BAS ES BACKGROUND (continued)
The heatup curve represents a different set of restrictions than the cooldown curve because the directions of the thermal gradients through the vessel wall are reversed. The thermal gradient reversal alters the location of the tensile stress between the outer and inner walls.
LPI initiation pressure limit imposed by procedures to protect the LPI system from overpressure.
The calculation to generate the LH testing curve uses different safety factors (per Ref. 2) than the heatup and cooldown curves.
The brief temperature excursion does not place the reactor vessel outside of the bounds of the stress analyses.The criticality limit curve includes the Reference 1 requirement that it be 40°F above the heatup curve or the cooldown curve, and not less than the minimum permissible temperature for LH testing. However, the criticality curve is not operationally limiting; a more restrictive limit exists in LCO 3.4.2, "RCS Minimum Temperature for Criticality." The consequence of violating the LCO limits is that the RCS has been operated under conditions that can result in brittle failure of the RCPB, possibly leading to a nonisolable leak or loss of coolant accident.
The P/T limit curves and associated temperature rate of change limits are developed in conjunction with stress analyses for large numbers of operating cycles and provide conservative margins to nonductile failure.
In the event these limits are exceeded, an evaluation must be performed to determine the effect on the structural integrity of the RCPB components.
Although created to provide limits for these specific normal operations, the curves also can be used to determine if an evaluation is necessary for an abnormal transient.
The ASME Code, Section XI, Appendix E (Ref. 6) provides a recommended methodology for evaluating an operating event that causes an excursion outside the limits.APPLICABLE SAFETY ANALYSES The P/T limits are not derived from accident analyses.
As stated in the tables associated with this LCO, reactor coolant (RC) temperature is cold leg temperature if one or more RC pumps are in operation; otherwise, it is the LPI cooler outlet temperature. An analysis examined the effects of initiating flow through a previously idle LPI train (i.e. either placing a train of LPI in operation or swapping from one train to the other) when none of the RC pumps are operating. The analysis assumed the initial temperature of the fluid entering the vessel to be the lowest expected temperature in an idle LPI cooler. As RC fluid is pumped through the system and returns to the reactor vessel, the temperature increases to a "stable" value. The duration of the temperature excursion is dependent on LPI flow and volume of the piping system. This analysis has determined that the brief temperature excursion caused by the fluid initially in the idle LPI train can be accommodated if, at the time the LPI header is put in service, the RCS pressure is less than 295 psig (Instrument Uncertainty Adjusted). This value is less limiting than the OCONEE UNITS 1, 2, & 3                     B 3.4.3-2       BASES REVISION DATED 01/14/15       I
They are prescribed during normal operation to avoid encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause nonductile failure of the RCPB, an unanalyzed condition.
 
Reference 1 establishes the methodology for determining the P/T limits. Since the P/T limits are not derived from any accident analysis, there are no acceptance limits related to the P/T limits.Rather, the P/T limits are acceptance limits themselves since they preclude operation in an unanalyzed condition.
RCS P/T Limits B 3.4.3 BAS ES BACKGROUND       LPI initiation pressure limit imposed by procedures to protect the LPI (continued)      system from overpressure. The brief temperature excursion does not place the reactor vessel outside of the bounds of the stress analyses.
RCS P/T limits satisfy Criterion 2 of 10 CFR 50.36 (Ref. 7).LCO The three elements of this LCO are: a. The limit curves for heatup and cooldown, b. Limits on the rate of change of temperature, and c. Allowable RC pump combinations.
The criticality limit curve includes the Reference 1 requirement that it be 40°F above the heatup curve or the cooldown curve, and not less than the minimum permissible temperature for LH testing. However, the criticality curve is not operationally limiting; a more restrictive limit exists in LCO 3.4.2, "RCS Minimum Temperature for Criticality."
The LCO is modified by three Notes. Note 1 states that for leak tests of the RCS and leak tests of connected systems where RCS pressure and temperature are controlling, the RCS may be pressurized to the limits of the specified figures. Note 2 states that for thermal steady state hydro tests required by ASME Section XI RCS may be pressurized to the limits Specification 2.1.2 and the specified figures. The limits on the rate of change of reactor coolant temperature RCS P/T Limits are the same ones OCONEE UNITS 1, 2, & 3 B 3.4.3-3 BASES REVISION DATED 01/14/15 I RCS P/T Limits B 3.4.3 BASES LCO used for normal heatup and cooldown operations.
The consequence of violating the LCO limits is that the RCS has been operated under conditions that can result in brittle failure of the RCPB, possibly leading to a nonisolable leak or loss of coolant accident. In the event these limits are exceeded, an evaluation must be performed to determine the effect on the structural integrity of the RCPB components.
Note 3 states the RCS (continued)
The ASME Code, Section XI, Appendix E (Ref. 6) provides a recommended methodology for evaluating an operating event that causes an excursion outside the limits.
P/T limits are not applicable to the pressurizer.
APPLICABLE       The P/T limits are not derived from accident analyses. They are SAFETY ANALYSES prescribed during normal operation to avoid encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause nonductile failure of the RCPB, an unanalyzed condition. Reference 1 establishes the methodology for determining the P/T limits. Since the P/T limits are not derived from any accident analysis, there are no acceptance limits related to the P/T limits.
The LCO limits apply to all components of the RCS, except the pressurizer.
Rather, the P/T limits are acceptance limits themselves since they preclude operation in an unanalyzed condition.
These limits define allowable operating regions and permit a large number of operating cycles while providing a wide margin to nonductile failure.Table 3.4.3-1 includes temperature rate of change limits with allowable pump combinations for RCS heatup while Table 3.4.3-2 includes temperature rate of change limits with allowable pump combinations for RCS cooldown.
RCS P/T limits satisfy Criterion 2 of 10 CFR 50.36 (Ref. 7).
The breakpoints between temperature rate of change limits in these two tables are selected to limit reactor vessel thermal gradients to acceptable limits. The breakpoint between allowable pump combinations was selected based on operational requirements and are used to determine the change of RCS pressure associated with the change in number of operating reactor coolant pumps.The limits for the rate of change of temperature control the thermal gradient through the vessel wall and are used as inputs for calculating the heatup, cooldown, and LH P/T limit curves. Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves.The limits on allowable RC pump combinations controls the pressure differential between the vessel wall and the pressure measurement point and are used as inputs for calculating the heatup, cooldown and LH P/T limit curves. Thus, the LCO for the allowable RC pump combinations restricts the pressure at the vessel wall and ensures the validity of the P/T limit curves.Heatup and Cooldown Rate limits are specified in TS Table 3.4.3-1"Operational Requirements for Unit Heatup" and TS Table 3.4.3-2"Operational Requirements for Unit Cooldown." These limits are specified as a change in temperature for "any" time period. As such, the Heatup or Cooldown period is a rolling period and is required to be considered at any point in time, i.e., the beginning, middle, or end of the period under evaluation.
LCO               The three elements of this LCO are:
This action is required to ensure the heatup or cooldown rate limit meets design limits.The LPI cooler outlet temperature during the brief period of stabilization does not need to be considered when determining heatup or cooldown rates or RCS P/T conditions when an LPI train is placed in operation with no operating RCPs. The period of stabilization is the time required to fully displace the stagnant fluid in the idle LPI train. The time required for LCO stabilization is a function of LPI flow rate. Operating procedures control both placing a train of LPI in service and swapping trains of LPI to limit the duration of the temperature transient to a value that has been shown to be acceptable.
: a.       The limit curves for heatup and cooldown,
OCONEE UNITS 1, 2, & 3 B 3.4.3-4 BASES REVISION DATED 01/14/15 I RCS P/T Limits B 3.4.3 BASES LCO (continued)
: b.       Limits on the rate of change of temperature, and
Violating the LCO limits places the reactor vessel outside of the bounds of the stress analyses and can increase stresses in other RCPB components.
: c.       Allowable RC pump combinations.
The consequences depend on several factors, as follows: a. The severity of the departure from the allowable operating P/T regime or the severity of the rate of change of temperature;
The LCO is modified by three Notes. Note 1 states that for leak tests of the RCS and leak tests of connected systems where RCS pressure and temperature are controlling, the RCS may be pressurized to the limits of the specified figures. Note 2 states that for thermal steady state hydro tests required by ASME Section XI RCS may be pressurized to the limits Specification 2.1.2 and the specified figures. The limits on the rate of change of reactor coolant temperature RCS P/T Limits are the same ones OCONEE UNITS 1, 2, & 3                     B 3.4.3-3       BASES REVISION DATED 01/14/15           I
: b. The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more pronounced);
 
and c. The existences, sizes, and orientations of flaws in the vessel material.APPLICABILITY The RCS P/T limits Specification provides a definition of acceptable operation for prevention of nonductile failure in accordance with 10 CFR 50, Appendix G (Ref. 1). Although the P/T limits were developed to provide guidance for operation during heatup or cooldown (MODES 3, 4, and 5) or LH testing, their applicability is at all times in keeping with the concern for nonductile failure. The limits do not apply to the pressurizer.
RCS P/T Limits B 3.4.3 BASES LCO               used for normal heatup and cooldown operations. Note 3 states the RCS (continued)     P/T limits are not applicable to the pressurizer.
During MODES 1 and 2, other Technical Specifications provide limits for operation that can be more restrictive than or can supplement these P/T limits. LCO 3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits"; LCO 3.4.2, "RCS Minimum Temperature for Criticality";
The LCO limits apply to all components of the RCS, except the pressurizer. These limits define allowable operating regions and permit a large number of operating cycles while providing a wide margin to nonductile failure.
and Safety Limit (SL) 2.1, "SLs," also provide operational restrictions for pressure and temperature and maximum pressure.MODES 1 and 2 are above the temperature range of concern for nonductile failure, and stress analyses have been performed for normal maneuvering profiles, such as power ascension or descent.ACTIONS A.1 and A.2 Operation outside the P/T limits during MODE 1, 2, 3, or 4 must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses.The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.Besides restoring operation to within limits, an evaluation is required to determine if RCS operation can continue.
Table 3.4.3-1 includes temperature rate of change limits with allowable pump combinations for RCS heatup while Table 3.4.3-2 includes temperature rate of change limits with allowable pump combinations for RCS cooldown. The breakpoints between temperature rate of change limits in these two tables are selected to limit reactor vessel thermal gradients to acceptable limits. The breakpoint between allowable pump combinations was selected based on operational requirements and are used to determine the change of RCS pressure associated with the change in number of operating reactor coolant pumps.
The evaluation must verify the RCPB integrity remains acceptable and must be completed before continuing operation.
The limits for the rate of change of temperature control the thermal gradient through the vessel wall and are used as inputs for calculating the heatup, cooldown, and LH P/T limit curves. Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves.
Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components.
The limits on allowable RC pump combinations controls the pressure differential between the vessel wall and the pressure measurement point and are used as inputs for calculating the heatup, cooldown and LH P/T limit curves. Thus, the LCO for the allowable RC pump combinations restricts the pressure at the vessel wall and ensures the validity of the P/T limit curves.
The evaluation must be OCONEE UNITS 1, 2, & 3 B 3.4.3-5 BASES REVISION DATED 01/14/15 I RCS P/T Limits B 3.4.3 BASES ACTIONS A.1 and A.2 (continued) completed, documented, and approved in accordance with established plant procedures and administrative controls.ASME Code, Section XI, Appendix E (Ref. 6) may be used to support the evaluation.
Heatup and Cooldown Rate limits are specified in TS Table 3.4.3-1 "Operational Requirements for Unit Heatup" and TS Table 3.4.3-2 "Operational Requirements for Unit Cooldown." These limits are specified as a change in temperature for "any" time period. As such, the Heatup or Cooldown period is a rolling period and is required to be considered at any point in time, i.e., the beginning, middle, or end of the period under evaluation. This action is required to ensure the heatup or cooldown rate limit meets design limits.
However, its use is restricted to evaluation of the vessel beltline.
The LPI cooler outlet temperature during the brief period of stabilization does not need to be considered when determining heatup or cooldown rates or RCS P/T conditions when an LPI train is placed in operation with no operating RCPs. The period of stabilization is the time required to fully displace the stagnant fluid in the idle LPI train. The time required for LCO stabilization is a function of LPI flow rate. Operating procedures control both placing a train of LPI in service and swapping trains of LPI to limit the duration of the temperature transient to a value that has been shown to be acceptable.
The evaluation must extend to all components of the RCPB.The 72 hour Completion Time is reasonable to accomplish the evaluation.
OCONEE UNITS 1, 2, & 3                     B 3.4.3-4       BASES REVISION DATED 01/14/15         I
The evaluation for a mild violation is possible within this time, but more severe violations may require special, event specific stress analyses or inspections.
 
A favorable evaluation must be completed before continuing to operate.Condition A is modified by a Note requiring Required Action A.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action A.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.
RCS P/T Limits B 3.4.3 BASES LCO               Violating the LCO limits places the reactor vessel outside of the bounds of (continued)      the stress analyses and can increase stresses in other RCPB components. The consequences depend on several factors, as follows:
B.1 and B.2 If a Required Action and associated Completion Time of Condition A are not met, the unit must be brought to a lower MODE because: (a) the RCS remained in an unacceptable pressure and temperature region for an extended period of increased stress, or (b) a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature.
: a.       The severity of the departure from the allowable operating P/T regime or the severity of the rate of change of temperature;
With reduced pressure and temperature conditions, the possibility of propagation of undetected flaws is decreased.
: b.       The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more pronounced); and
: c.       The existences, sizes, and orientations of flaws in the vessel material.
APPLICABILITY     The RCS P/T limits Specification provides a definition of acceptable operation for prevention of nonductile failure in accordance with 10 CFR 50, Appendix G (Ref. 1). Although the P/T limits were developed to provide guidance for operation during heatup or cooldown (MODES 3, 4, and 5) or LH testing, their applicability is at all times in keeping with the concern for nonductile failure. The limits do not apply to the pressurizer.
During MODES 1 and 2, other Technical Specifications provide limits for operation that can be more restrictive than or can supplement these P/T limits. LCO 3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits"; LCO 3.4.2, "RCS Minimum Temperature for Criticality"; and Safety Limit (SL) 2.1, "SLs," also provide operational restrictions for pressure and temperature and maximum pressure.
MODES 1 and 2 are above the temperature range of concern for nonductile failure, and stress analyses have been performed for normal maneuvering profiles, such as power ascension or descent.
ACTIONS           A.1 and A.2 Operation outside the P/T limits during MODE 1, 2, 3, or 4 must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses.
The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.
Besides restoring operation to within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be completed before continuing operation. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components. The evaluation must be OCONEE UNITS 1, 2, & 3                     B 3.4.3-5       BASES REVISION DATED 01/14/15         I
 
RCS P/T Limits B 3.4.3 BASES ACTIONS           A.1 and A.2 (continued) completed, documented, and approved in accordance with established plant procedures and administrative controls.
ASME Code, Section XI, Appendix E (Ref. 6) may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline. The evaluation must extend to all components of the RCPB.
The 72 hour Completion Time is reasonable to accomplish the evaluation.
The evaluation for a mild violation is possible within this time, but more severe violations may require special, event specific stress analyses or inspections. A favorable evaluation must be completed before continuing to operate.
Condition A is modified by a Note requiring Required Action A.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action A.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.
B.1 and B.2 If a Required Action and associated Completion Time of Condition A are not met, the unit must be brought to a lower MODE because: (a) the RCS remained in an unacceptable pressure and temperature region for an extended period of increased stress, or (b) a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature. With reduced pressure and temperature conditions, the possibility of propagation of undetected flaws is decreased.
If the required restoration activity cannot be accomplished within 30 minutes, Required Action B.1 and Required Action B.2 must be implemented to reduce pressure and temperature.
If the required restoration activity cannot be accomplished within 30 minutes, Required Action B.1 and Required Action B.2 must be implemented to reduce pressure and temperature.
If the required evaluation for continued operation cannot be accomplished within 72 hours, or the results are indeterminate or unfavorable, action must proceed to reduce pressure and temperature as specified in Required Actions B.1 and B.2. A favorable evaluation must be completed and documented before returning to operating pressure and temperature conditions.
If the required evaluation for continued operation cannot be accomplished within 72 hours, or the results are indeterminate or unfavorable, action must proceed to reduce pressure and temperature as specified in Required Actions B.1 and B.2. A favorable evaluation must be completed and documented before returning to operating pressure and temperature conditions. However, if the favorable evaluation is accomplished while reducing pressure and temperature conditions, a return to power operation may be considered without completing Required Action B.2.
However, if the favorable evaluation is accomplished while reducing pressure and temperature conditions, a return to power operation may be considered without completing Required Action B.2.Pressure and temperature are reduced by bringing the unit to MODE 3 within 12 hours and to MODE 5 within 36 hours. The allowed Completion OCONEE UNITS 1, 2, & 3 B 3.4.3-6 BASES REVISION DATED 01/14/15 I RCS P/T Limits B 3.4.3 BASES ACTIONS B.1 and B.2 (continued)
Pressure and temperature are reduced by bringing the unit to MODE 3 within 12 hours and to MODE 5 within 36 hours. The allowed Completion OCONEE UNITS 1, 2, & 3                   B 3.4.3-6         BASES REVISION DATED 01/14/15         I
Times are reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging unit systems.C.1 and C.2 Actions must be initiated immediately to correct operation outside of the P/T limits at times other than MODE 1, 2, 3, or 4, so that the RCPB is returned to a condition that has been verified acceptable by stress analysis.The immediate Completion Time reflects the urgency of initiating action to restore the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished within this time in a controlled manner.In addition to restoring operation to within limits, an evaluation is required to determine if RCS operation can continue.
 
The evaluation must verify that the RCPB integrity remains acceptable and must be completed prior to entry into MODE 4. Several methods may be used, including comparison with pre-analyzed transients in the stress analysis, or inspection of the components.
RCS P/T Limits B 3.4.3 BASES ACTIONS           B.1 and B.2 (continued)
ASME Code, Section Xl, Appendix E (Ref. 6), may also be used to support the evaluation.
Times are reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging unit systems.
However, its use is restricted to evaluation of the vessel beltline.Condition C is modified by a Note requiring Required Action C.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone, per Required Action C.1, is insufficient because higher than analyzed stresses may have occurred and may have affected RCPB integrity.
C.1 and C.2 Actions must be initiated immediately to correct operation outside of the P/T limits at times other than MODE 1, 2, 3, or 4, so that the RCPB is returned to a condition that has been verified acceptable by stress analysis.
SURVEILLANCE SR 3.4.3.1 REQUIREMENTS Verification that operation is within limits is required when RCS pressure or temperature conditions are undergoing planned changes.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.Surveillance for heatup, cooldown, or LH testing may be discontinued when the definition given in the relevant plant procedure for ending the activity is satisfied.
The immediate Completion Time reflects the urgency of initiating action to restore the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished within this time in a controlled manner.
OCONEE UNITS 1, 2, & 3 B 3.4.3-7 BASES REVISION DATED 01/14/15 I RCS P/T Limits B 3.4.3 BASES SURVEILLANCE REQUIREMENTS SR 3.4.3.1 (continued)
In addition to restoring operation to within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify that the RCPB integrity remains acceptable and must be completed prior to entry into MODE 4. Several methods may be used, including comparison with pre-analyzed transients in the stress analysis, or inspection of the components.
This SR is modified by a Note that requires this SR to be performed only during system heatup, cooldown, and LH testing.REFERENCES 1.2.3.4.5.6.7.10 CFR 50, Appendix G.ASME, Boiler and Pressure Vessel Code, Section III, Appendix G.Regulatory Guide 1.99, Revision 2, May 1988.ASTM E 185-82, July 1982.10 CFR 50, Appendix H.ASME, Boiler and Pressure Vessel Code, Section Xl, Appendix E.10 CFR 50.36.OCONEE UNITS 1, 2, & 3 B 3.4.3-8 BASES REVISION DATED 01/14/15 I RPS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protective System (RPS) Instrumentation BASES BACKGROUND The RPS initiates a reactor trip to protect against violating the core fuel design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated transients.
ASME Code, Section Xl, Appendix E (Ref. 6), may also be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.
By tripping the reactor, the RPS also assists the Engineered Safeguards (ES) Systems in mitigating accidents.
Condition C is modified by a Note requiring Required Action C.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone, per Required Action C.1, is insufficient because higher than analyzed stresses may have occurred and may have affected RCPB integrity.
SURVEILLANCE     SR 3.4.3.1 REQUIREMENTS Verification that operation is within limits is required when RCS pressure or temperature conditions are undergoing planned changes.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
Surveillance for heatup, cooldown, or LH testing may be discontinued when the definition given in the relevant plant procedure for ending the activity is satisfied.
OCONEE UNITS 1, 2, & 3                     B 3.4.3-7       BASES REVISION DATED 01/14/15         I
 
RCS P/T Limits B 3.4.3 BASES SURVEILLANCE     SR 3.4.3.1   (continued)
REQUIREMENTS This SR is modified by a Note that requires this SR to be performed only during system heatup, cooldown, and LH testing.
REFERENCES       1.     10 CFR 50, Appendix G.
: 2. ASME, Boiler and Pressure Vessel Code, Section III, Appendix G.
: 3.      Regulatory Guide 1.99, Revision 2, May 1988.
: 4. ASTM E 185-82, July 1982.
: 5.      10 CFR 50, Appendix H.
: 6. ASME, Boiler and Pressure Vessel Code, Section Xl, Appendix E.
: 7.      10 CFR 50.36.
OCONEE UNITS 1, 2, &3                   B 3.4.3-8       BASES REVISION DATED 01/14/15       I
 
RPS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protective System (RPS) Instrumentation BASES BACKGROUND           The RPS initiates a reactor trip to protect against violating the core fuel design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated transients. By tripping the reactor, the RPS also assists the Engineered Safeguards (ES) Systems in mitigating accidents.
The protective and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as the LCOs on other reactor system parameters and equipment performance.
The protective and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as the LCOs on other reactor system parameters and equipment performance.
The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establishes the threshold for protective system action to prevent exceeding acceptable limits during accidents or transients.
The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establishes the threshold for protective system action to prevent exceeding acceptable limits during accidents or transients.
During anticipated transients, which are those events expected to occur one or more times during the unit's life, the acceptable limit is: a. The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value;b. Fuel centerline melt shall not occur; and c. The RCS pressure SL of 2750 psia shall not be exceeded.Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 20 and 10 CFR 100 criteria during anticipated transients.
During anticipated transients, which are those events expected to occur one or more times during the unit's life, the acceptable limit is:
Accidents are events that are analyzed even though they are not expected to occur during the unit's life. The acceptable limit during accidents is that the offsite dose shall be maintained within reference 10 CFR 100 limits. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.OCONEE UNITS 1, 2, & 3 B 3.3.1 -1 12/10/14 1 RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)
: a.     The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value;
The RPS consists of four separate redundant protective channels that receive inputs of neutron flux, RCS pressure, RCS flow, RCS temperature, RCS pump status, reactor building (RB) pressure, main feedwater (MFW)pump turbines status, and main turbine status.Figure 7.1 of UFSAR, Chapter 7 (Ref. 1), shows the arrangement of a typical RPS protective channel. A protective channel is composed of measurement channels, a manual trip channel, a reactor trip component (RTC), and a control rod drive (CRD) trip device. LCO 3.3.1 provides requirements for the individual measurement channels.
: b.       Fuel centerline melt shall not occur; and
These channels encompass all equipment and electronics from the point at which the measured parameter is sensed through the processor output trip devices in the trip string. LCO 3.3.2, "Reactor Protective System (RPS) Manual Reactor Trip," LCO 3.3.3, "Reactor Protective System (RPS) -Reactor Trip Component (RTC)," and LCO 3.3.4, "Control Rod Drive (CRD) Trip Devices," discuss the remaining RPS elements.The RPS instrumentation measures critical unit parameters and compares these to predetermined setpoints.
: c.     The RCS pressure SL of 2750 psia shall not be exceeded.
If the setpoint for a parameter input to a single channel (for example, the RC high pressure input to Channel A) is exceeded, a channel trip does not occur. Due to the inter-channel communication, all 4 RPS channels recognize that this parameter input has been exceeded for one channel.However, due to the 2.MIN/2.MAX logic within the system, the same parameter input setpoint for one of the other three channels must be exceeded before channel trips occur. Again, due to the inter-channel communication, all 4 RPS channels will then trip since the 2.MIN/2.MAX condition has been satisfied.
Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 20 and 10 CFR 100 criteria during anticipated transients. Accidents are events that are analyzed even though they are not expected to occur during the unit's life. The acceptable limit during accidents is that the offsite dose shall be maintained within reference 10 CFR 100 limits. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.
The RTS consists of four AC Trip Breakers arranged in two parallel combinations of two breakers each. Each path provides independent power to the CRD motors. Either path can provide sufficient power to operate all CRD's. Two separate power paths to the CRD's ensure that a single failure that opens one path will not cause an unwanted reactor trip.The RPS consists of four independent protective channels (A, B, C, and D).Each RPS protective channel contains the sensor input modules, a protective channel computer, output modules, four hardwired (energized during power operations) reactor trip relays (RTRs) (A, B, C, and D) and their associated 120 VAC contacts (closed when RTR is energized).
OCONEE UNITS 1, 2, & 3                   B 3.3.1 -1                                         12/10/14 1
OCONEE UNITS 1, 2, & 3 B 3.3.1-2 12/10/14 1 RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)
 
Protective channel A controls the channel A RTR and also controls the A RTR in channels B, C, and D. Likewise, channels B, C and D control the respective RTR in each of the four channels.
RPS Instrumentation B 3.3.1 BASES BACKGROUND       RPS Overview (continued)
Each energized RTR (A, B, C, and D) in each RPS channel A, B, C, and D maintains two closed 120 VAC contacts.
The RPS consists of four separate redundant protective channels that receive inputs of neutron flux, RCS pressure, RCS flow, RCS temperature, RCS pump status, reactor building (RB) pressure, main feedwater (MFW) pump turbines status, and main turbine status.
One contact from each RTR is configured in two separate redundant output trip actuation logic schemes. Each output trip actuation logic scheme contains a contact from each of the four RTRs in the four channels.
Figure 7.1 of UFSAR, Chapter 7 (Ref. 1), shows the arrangement of a typical RPS protective channel. A protective channel is composed of measurement channels, a manual trip channel, a reactor trip component (RTC), and a control rod drive (CRD) trip device. LCO 3.3.1 provides requirements for the individual measurement channels. These channels encompass all equipment and electronics from the point at which the measured parameter is sensed through the processor output trip devices in the trip string. LCO 3.3.2, "Reactor Protective System (RPS) Manual Reactor Trip," LCO 3.3.3, "Reactor Protective System (RPS) - Reactor Trip Component (RTC)," and LCO 3.3.4, "Control Rod Drive (CRD) Trip Devices," discuss the remaining RPS elements.
This configuration results in a two-out-of-four coincidence reactor trip logic. If any channel protective set initiates a trip signal, the respective four RTRs (one in each of the four channels) de-energize and open the respective contacts.
The RPS instrumentation measures critical unit parameters and compares these to predetermined setpoints.
The outputs from the RTR contacts interrupt the 120 VAC power to the CRD trip devices.Three of the four RPS protective channel computers (A, B, and C) also perform a redundant Engineered Safeguards Protective System (ESPS)logic function.
If the setpoint for a parameter input to a single channel (for example, the RC high pressure input to Channel A) is exceeded, a channel trip does not occur. Due to the inter-channel communication, all 4 RPS channels recognize that this parameter input has been exceeded for one channel.
Therefore, three of the four RPS protective channels calculate both RPS and ESPS functions, and the fourth RPS channel D calculates only RPS functions.
However, due to the 2.MIN/2.MAX logic within the system, the same parameter input setpoint for one of the other three channels must be exceeded before channel trips occur. Again, due to the inter-channel communication, all 4 RPS channels will then trip since the 2.MIN/2.MAX condition has been satisfied.
See Technical Specification Bases section B 3.3.5 for additional discussion of the ESPS protective channels and the duplicated ESPS functions performed by the RPS protective channels.The reactor is tripped by opening the reactor trip breakers.There are three bypasses:
The RTS consists of four AC Trip Breakers arranged in two parallel combinations of two breakers each. Each path provides independent power to the CRD motors. Either path can provide sufficient power to operate all CRD's. Two separate power paths to the CRD's ensure that a single failure that opens one path will not cause an unwanted reactor trip.
shutdown bypass, manual bypass, and channel I trip function bypass. The shutdown bypass and the manual bypass are initiated by use of a keyswitch located in the respective RPS channel cabinet. The Shutdown bypass allows the withdrawal of safety rods for SDM availability and rapid negative reactivity insertion during unit cooldowns or heatups. The manual bypass allows putting a complete RPS channel into bypass for maintenance activities.
The RPS consists of four independent protective channels (A, B, C, and D).
This includes the planned power-down of the bypassed RPS channel computer.
Each RPS protective channel contains the sensor input modules, a protective channel computer, output modules, four hardwired (energized during power operations) reactor trip relays (RTRs) (A, B, C, and D) and their associated 120 VAC contacts (closed when RTR is energized).
If the complete RPS channel is powered down, the manual bypass condition cannot be maintained.
OCONEE UNITS 1, 2, & 3                 B 3.3.1-2                                       12/10/14 1
That RPS channel output signal goes to "trip" and the manual bypass Unit Statalarm window will not illuminate.
 
The channel trip function bypass allows an individual channel trip function in any RPS channel to be bypassed through the use of the RPS screens of the Graphical Service Monitor (GSM). The GSM is located on the Service Unit.The RPS operates from the instrumentation channels discussed next. The specific relationship between measurement channels and protective channels differs from parameter to parameter.
RPS Instrumentation B 3.3.1 BASES BACKGROUND       RPS Overview (continued)
Three basic configurations are used: OCONEE UNITS 1, 2, & 3 B 3.3.1-3 12/10/14 1 RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)
Protective channel A controls the channel A RTR and also controls the A RTR in channels B, C, and D. Likewise, channels B, C and D control the respective RTR in each of the four channels. Each energized RTR (A, B, C, and D) in each RPS channel A, B, C, and D maintains two closed 120 VAC contacts. One contact from each RTR is configured in two separate redundant output trip actuation logic schemes. Each output trip actuation logic scheme contains a contact from each of the four RTRs in the four channels. This configuration results in a two-out-of-four coincidence reactor trip logic. Ifany channel protective set initiates a trip signal, the respective four RTRs (one in each of the four channels) de-energize and open the respective contacts. The outputs from the RTR contacts interrupt the 120 VAC power to the CRD trip devices.
: a. Four completely redundant measurements (e.g., reactor coolant flow) with one channel input to each protective channel;b. Four channels that provide similar, but not identical, measurements (e.g., power range nuclear instrumentation where each RPS channel monitors a different quadrant), with one channel input to each protective channel; and c. Redundant measurements with combinational trip logic inside the protective channels and the combined output provided to each protective channel (e.g., main feedwater pump turbines trip instrumentation).
Three of the four RPS protective channel computers (A, B, and C) also perform a redundant Engineered Safeguards Protective System (ESPS) logic function. Therefore, three of the four RPS protective channels calculate both RPS and ESPS functions, and the fourth RPS channel D calculates only RPS functions. See Technical Specification Bases section B 3.3.5 for additional discussion of the ESPS protective channels and the duplicated ESPS functions performed by the RPS protective channels.
These arrangements and the relationship of instrumentation channels to trip Functions are discussed next to assist in understanding the overall effect of instrumentation channel failure.Power Range Nuclear Instrumentation Power Range Nuclear Instrumentation channels provide inputs to the following trip Functions:
The reactor is tripped by opening the reactor trip breakers.
: 1. Nuclear Overpower a. Nuclear Overpower  
There are three bypasses: shutdown bypass, manual bypass, and channel               I trip function bypass. The shutdown bypass and the manual bypass are initiated by use of a keyswitch located in the respective RPS channel cabinet. The Shutdown bypass allows the withdrawal of safety rods for SDM availability and rapid negative reactivity insertion during unit cooldowns or heatups. The manual bypass allows putting a complete RPS channel into bypass for maintenance activities. This includes the planned power-down of the bypassed RPS channel computer. If the complete RPS channel is powered down, the manual bypass condition cannot be maintained. That RPS channel output signal goes to "trip" and the manual bypass Unit Statalarm window will not illuminate. The channel trip function bypass allows an individual channel trip function in any RPS channel to be bypassed through the use of the RPS screens of the Graphical Service Monitor (GSM). The GSM is located on the Service Unit.
-High Setpoint;b. Nuclear Overpower  
The RPS operates from the instrumentation channels discussed next. The specific relationship between measurement channels and protective channels differs from parameter to parameter. Three basic configurations are used:
-Low Setpoint;7. Reactor Coolant Pump to Power;8. Nuclear Overpower Flux/Flow Imbalance;
OCONEE UNITS 1, 2, & 3               B 3.3.1-3                                           12/10/14 1
: 9. Main Turbine Trip (Hydraulic Fluid Pressure);
 
and 10. Loss of Main Feedwater (LOMFW) Pump Turbines (Hydraulic Oil Pressure).
RPS Instrumentation B 3.3.1 BASES BACKGROUND       RPS Overview (continued)
OCONEE UNITS 1, 2, & 3 B 3.3.1-4 12/10/14 1 RPS Instrumentation B 3.3.1 BASES BACKGROUND Power Range Nuclear Instrumentation (continued)
: a.     Four completely redundant measurements (e.g., reactor coolant flow) with one channel input to each protective channel;
The power range instrumentation has four linear level channels, one for each core quadrant.
: b.     Four channels that provide similar, but not identical, measurements (e.g., power range nuclear instrumentation where each RPS channel monitors a different quadrant), with one channel input to each protective channel; and
Each channel feeds one RPS protective channel.Each channel originates in a detector assembly containing two uncompensated ion chambers.
: c.     Redundant measurements with combinational trip logic inside the protective channels and the combined output provided to each protective channel (e.g., main feedwater pump turbines trip instrumentation).
The ion chambers are positioned to represent the top half and bottom half of the core. The individual currents from the chambers are fed to individual linear amplifiers.
These arrangements and the relationship of instrumentation channels to trip Functions are discussed next to assist in understanding the overall effect of instrumentation channel failure.
The summation of the top and bottom is the total reactor power. The difference of the top minus the bottom neutron signal is the measured AXIAL POWER IMBALANCE for the associated core quadrant.Reactor Coolant System Outlet Temperature The Reactor Coolant System Outlet Temperature provides input to the following Functions:
Power Range Nuclear Instrumentation Power Range Nuclear Instrumentation channels provide inputs to the following trip Functions:
: 2. RCS High Outlet Temperature; and 5. RCS Variable Low Pressure.The RCS Outlet Temperature is measured by two resistance temperature detection elements in each hot leg, for a total of four. One temperature detection element is associated with each protective channel.Reactor Coolant System Pressure The Reactor Coolant System Pressure provides input to the following Functions:
: 1.     Nuclear Overpower
: 3. RCS High Pressure;4. RCS Low Pressure;5. RCS Variable Low Pressure; and 11. Shutdown Bypass RCS High Pressure.The RPS inputs of reactor coolant pressure are provided by two pressure transmitters in each hot leg, for a total of four. One sensor is associated with each protective channel.OCONEE UNITS 1, 2, & 3 B 3.3.1-5 12/10/14 1 RPS Instrumentation B 3.3.1 BASES BACKGROUND Reactor Building Pressure (continued)
: a.       Nuclear Overpower - High Setpoint;
The Reactor Building Pressure measurements provide input only to the Reactor Building High Pressure trip, Function 6. There are four RB High Pressure sensors, one associated with each protective channel.Reactor Coolant Pump Power Monitoring Reactor coolant pump power monitors are inputs to the Reactor Coolant Pump to Power trip, Function 7. Each RCP has a RCP Power Monitor (RCPPM), which monitors the electrical power and breaker status of each pump motor to determine if it is running. Each RCPPM provides inputs to all four RPS channels.Reactor Coolant System Flow The Reactor Coolant System Flow measurements are an input to the Nuclear Overpower Flux/Flow Imbalance trip, Function 8. The reactor coolant flow inputs to the RPS are provided by eight high accuracy differential pressure transmitters, four on each loop, which measure flow through calibrated flow tubes. One flow input in each loop is associated with each protective channel.Main Turbine Hydraulic Fluid Pressure Main Turbine Hydraulic Fluid Pressure is an input to the Main Turbine Trip (Hydraulic Fluid Pressure) reactor trip, Function 9. Each of the four protective channels receives turbine status information from one of the four pressure switches monitoring main turbine hydraulic fluid pressure.
: b.       Nuclear Overpower - Low Setpoint;
Each protective channel continuously monitors the status of the contact inputs and initiates an RPS trip when a main turbine trip is indicated.
: 7.     Reactor Coolant Pump to Power;
Feedwater Pump Turbine Hydraulic Oil Pressure Feedwater Pump Turbine Hydraulic Oil Pressure is an input to the Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip, Function 10.Hydraulic Oil pressure is measured by four switches on each feedwater pump turbine. One switch on each pump turbine is associated with each protective channel.OCONEE UNITS 1, 2, & 3 B 3.3.1-6 12/10/14 1 RPS Instrumentation B 3.3.1 BASES BACKGROUND Feedwater Pump Turbine Hydraulic Oil Pressure (continued)
: 8.     Nuclear Overpower Flux/Flow Imbalance;
Each RPS channel receives a contact input from both Feedwater Pump Turbines (A and B) Hydraulic Oil Pressure switches.
: 9.     Main Turbine Trip (Hydraulic Fluid Pressure); and
When the switches from both turbines indicate that the associated Turbine Hydraulic Oil Pressure is low (turbine has tripped), a reactor trip signal is initiated on that channel.RPS Bypasses The RPS is designed with three types of bypasses:
: 10. Loss of Main Feedwater (LOMFW) Pump Turbines (Hydraulic Oil Pressure).
shutdown bypass, manual bypass and channel trip function bypass.Each bypass is discussed next.Shutdown Bypass During unit cooldown and heatup, it is desirable to leave the safety rods at least partially withdrawn to provide shutdown capabilities in the event of unusual positive reactivity additions (moderator dilution, etc.).However, the unit is also depressurized as coolant temperature is decreased.
OCONEE UNITS 1, 2, & 3               B 3.3.1-4                                       12/10/14 1
If the safety rods are withdrawn and coolant pressure is decreased, an RCS Low Pressure trip will occur at 1800 psig and the rods will fall into the core. To avoid this, the protective system allows the operator to bypass the low pressure trip and maintain shutdown capabilities.
 
During the cooldown and depressurization, the safety rods are inserted prior to the low pressure trip of 1800 psig. The RCS pressure is decreased to less than 1720 psig, then each RPS channel is placed in shutdown bypass.A shutdown bypass signal is provided by the operator from the shutdown bypass keyswitch (status shall be indicated by a light). This action bypasses the RCS Low Pressure trip, Nuclear Overpower Flux/Flow Imbalance trip, Reactor Coolant Pump to Power trip, and the RCS Variable Low Pressure trip, and inserts a new RCS High Pressure, 1720 psig trip.The operator can now withdraw the safety rods for additional rapidly insertable negative reactivity.
RPS Instrumentation B 3.3.1 BASES BACKGROUND       Power Range Nuclear Instrumentation (continued)
The insertion of the new high pressure trip performs two functions.
The power range instrumentation has four linear level channels, one for each core quadrant. Each channel feeds one RPS protective channel.
First, with a trip setpoint of 1720 psig, the processor output trip device prevents operation at normal system pressure, 2155 psig, with a portion of the RPS bypassed.
Each channel originates in a detector assembly containing two uncompensated ion chambers. The ion chambers are positioned to represent the top half and bottom half of the core. The individual currents from the chambers are fed to individual linear amplifiers. The summation of the top and bottom is the total reactor power. The difference of the top minus the bottom neutron signal is the measured AXIAL POWER IMBALANCE for the associated core quadrant.
The second function is to ensure that the bypass is removed prior to normal operation.
Reactor Coolant System Outlet Temperature The Reactor Coolant System Outlet Temperature provides input to the following Functions:
When the RCS pressure is increased during a OCONEE UNITS 1, 2, & 3 B 3.3.1-7 12/10/14 1 RPS Instrumentation B 3.3.1 BASES BACKGROUND Shutdown Bypass (continued) unit heatup, the safety rods are inserted prior to reaching 1720 psig. The shutdown bypass is removed, which returns the RPS to normal, and system pressure is increased to greater than 1800 psig. The safety rods are then withdrawn and remain at the full out condition for the rest of the heatup.In addition to the Shutdown Bypass RCS High Pressure trip, the High Flux Reactor Trip setpoint is automatically lowered to less than 5% when the operator closes the shutdown bypass keyswitch.
: 2. RCS High Outlet Temperature; and
This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows testing while preventing the generation of any significant amount of power.Manual Bypass The RPS Manual Bypass allows putting the complete RPS channel into bypass for maintenance activities.
: 5. RCS Variable Low Pressure.
Placing the RPS channel in bypass does not power-down the computer.
The RCS Outlet Temperature is measured by two resistance temperature detection elements in each hot leg, for a total of four. One temperature detection element is associated with each protective channel.
If it is necessary to power-down the computer for one channel, the Manual Bypass keyswitch is used to keep the four RTRs associated with the respective channel energized while the channel computer is powered down. To place a protective channel in manual bypass, the other three channels must not be in manual bypass or otherwise inoperable (e.g., a channel trip function in bypass).The RPS Manual Bypass status information is sent to the Unit Statalarm panel (hardwired output of the RPS Channel computer and in parallel as a hardwired signal from a keyswitch contact in case the computer is powered down) and is sent to the plant Operator Aid Computer (OAC) via a gateway.If the complete RPS cabinet is powered down, the Manual Bypass condition cannot be maintained.
Reactor Coolant System Pressure The Reactor Coolant System Pressure provides input to the following Functions:
That RPS channel output signal goes to"trip" and the Manual Bypass Unit Statalarm window will not illuminate.
: 3. RCS High Pressure;
: 4. RCS Low Pressure;
: 5. RCS Variable Low Pressure; and
: 11. Shutdown Bypass RCS High Pressure.
The RPS inputs of reactor coolant pressure are provided by two pressure transmitters in each hot leg, for a total of four. One sensor is associated with each protective channel.
OCONEE UNITS 1, 2, & 3               B 3.3.1-5                                         12/10/14 1
 
RPS Instrumentation B 3.3.1 BASES BACKGROUND       Reactor Building Pressure (continued)
The Reactor Building Pressure measurements provide input only to the Reactor Building High Pressure trip, Function 6. There are four RB High Pressure sensors, one associated with each protective channel.
Reactor Coolant Pump Power Monitoring Reactor coolant pump power monitors are inputs to the Reactor Coolant Pump to Power trip, Function 7. Each RCP has a RCP Power Monitor (RCPPM), which monitors the electrical power and breaker status of each pump motor to determine if it is running. Each RCPPM provides inputs to all four RPS channels.
Reactor Coolant System Flow The Reactor Coolant System Flow measurements are an input to the Nuclear Overpower Flux/Flow Imbalance trip, Function 8. The reactor coolant flow inputs to the RPS are provided by eight high accuracy differential pressure transmitters, four on each loop, which measure flow through calibrated flow tubes. One flow input in each loop is associated with each protective channel.
Main Turbine Hydraulic Fluid Pressure Main Turbine Hydraulic Fluid Pressure is an input to the Main Turbine Trip (Hydraulic Fluid Pressure) reactor trip, Function 9. Each of the four protective channels receives turbine status information from one of the four pressure switches monitoring main turbine hydraulic fluid pressure. Each protective channel continuously monitors the status of the contact inputs and initiates an RPS trip when a main turbine trip is indicated.
Feedwater Pump Turbine Hydraulic Oil Pressure Feedwater Pump Turbine Hydraulic Oil Pressure is an input to the Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip, Function 10.
Hydraulic Oil pressure is measured by four switches on each feedwater pump turbine. One switch on each pump turbine is associated with each protective channel.
OCONEE UNITS 1, 2, & 3               B 3.3.1-6                                       12/10/14 1
 
RPS Instrumentation B 3.3.1 BASES BACKGROUND       Feedwater Pump Turbine Hydraulic Oil Pressure (continued)
Each RPS channel receives a contact input from both Feedwater Pump Turbines (A and B) Hydraulic Oil Pressure switches. When the switches from both turbines indicate that the associated Turbine Hydraulic Oil Pressure is low (turbine has tripped), a reactor trip signal is initiated on that channel.
RPS Bypasses The RPS is designed with three types of bypasses: shutdown bypass, manual bypass and channel trip function bypass.
Each bypass is discussed next.
Shutdown Bypass During unit cooldown and heatup, it is desirable to leave the safety rods at least partially withdrawn to provide shutdown capabilities in the event of unusual positive reactivity additions (moderator dilution, etc.).
However, the unit is also depressurized as coolant temperature is decreased. Ifthe safety rods are withdrawn and coolant pressure is decreased, an RCS Low Pressure trip will occur at 1800 psig and the rods will fall into the core. To avoid this, the protective system allows the operator to bypass the low pressure trip and maintain shutdown capabilities. During the cooldown and depressurization, the safety rods are inserted prior to the low pressure trip of 1800 psig. The RCS pressure is decreased to less than 1720 psig, then each RPS channel is placed in shutdown bypass.
A shutdown bypass signal is provided by the operator from the shutdown bypass keyswitch (status shall be indicated by a light). This action bypasses the RCS Low Pressure trip, Nuclear Overpower Flux/Flow Imbalance trip, Reactor Coolant Pump to Power trip, and the RCS Variable Low Pressure trip, and inserts a new RCS High Pressure, 1720 psig trip.
The operator can now withdraw the safety rods for additional rapidly insertable negative reactivity.
The insertion of the new high pressure trip performs two functions. First, with a trip setpoint of 1720 psig, the processor output trip device prevents operation at normal system pressure, 2155 psig, with a portion of the RPS bypassed. The second function is to ensure that the bypass is removed prior to normal operation. When the RCS pressure is increased during a OCONEE UNITS 1, 2, & 3                 B 3.3.1-7                                         12/10/14 1
 
RPS Instrumentation B 3.3.1 BASES BACKGROUND       Shutdown Bypass (continued) unit heatup, the safety rods are inserted prior to reaching 1720 psig. The shutdown bypass is removed, which returns the RPS to normal, and system pressure is increased to greater than 1800 psig. The safety rods are then withdrawn and remain at the full out condition for the rest of the heatup.
In addition to the Shutdown Bypass RCS High Pressure trip, the High Flux Reactor Trip setpoint is automatically lowered to less than 5% when the operator closes the shutdown bypass keyswitch. This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows testing while preventing the generation of any significant amount of power.
Manual Bypass The RPS Manual Bypass allows putting the complete RPS channel into bypass for maintenance activities. Placing the RPS channel in bypass does not power-down the computer. If it is necessary to power-down the computer for one channel, the Manual Bypass keyswitch is used to keep the four RTRs associated with the respective channel energized while the channel computer is powered down. To place a protective channel in manual bypass, the other three channels must not be in manual bypass or otherwise inoperable (e.g., a channel trip function in bypass).
The RPS Manual Bypass status information is sent to the Unit Statalarm panel (hardwired output of the RPS Channel computer and in parallel as a hardwired signal from a keyswitch contact in case the computer is powered down) and is sent to the plant Operator Aid Computer (OAC) via a gateway.
Ifthe complete RPS cabinet is powered down, the Manual Bypass condition cannot be maintained. That RPS channel output signal goes to "trip" and the Manual Bypass Unit Statalarm window will not illuminate.
Channel Trip Function Bypass An individual Channel Trip Function Bypass allows placing one trip function in bypass for maintenance activities through the RPS GSM screens. This allows the remaining trip functions in the channel to remain operable while the channel input device for the affected channel is inoperable.
Channel Trip Function Bypass An individual Channel Trip Function Bypass allows placing one trip function in bypass for maintenance activities through the RPS GSM screens. This allows the remaining trip functions in the channel to remain operable while the channel input device for the affected channel is inoperable.
Operation to put functions in bypass is administratively controlled since there is no interlock to prevent placing functions in multiple channels in bypass. Channel trip functions may be placed in bypass in only one RPS channel at a time.OCONEE UNITS 1, 2, & 3 B 3.3.1-8 12/10/14 1 RPS Instrumentation B 3.3.1 BASES BACKGROUND Parameter Change Enable Mode (continued)
Operation to put functions in bypass is administratively controlled since there is no interlock to prevent placing functions in multiple channels in bypass. Channel trip functions may be placed in bypass in only one RPS channel at a time.
Parameter Change Enable Mode allows each RPS instrument input channel processor to be placed in different operating modes through the use of the Parameter Change Enable keyswitches and commands from the Service Unit. Each protective channel has a keyswitch located in that channel's cabinet pair.Placing RPS Channels A, B, or C in Parameter Change Enable Mode through the use of the "Parameter Change Enable" keyswitch will also place the corresponding ESPS Channels Al, B1 or Cl in Parameter Change Enable Mode.When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:* The processors continue with normal operation.
OCONEE UNITS 1, 2, & 3               B 3.3.1-8                                         12/10/14 1
 
RPS Instrumentation B 3.3.1 BASES BACKGROUND       Parameter Change Enable Mode (continued)
Parameter Change Enable Mode allows each RPS instrument input channel processor to be placed in different operating modes through the use of the Parameter Change Enable keyswitches and commands from the Service Unit. Each protective channel has a keyswitch located in that channel's cabinet pair.
Placing RPS Channels A, B, or C in Parameter Change Enable Mode through the use of the "Parameter Change Enable" keyswitch will also place the corresponding ESPS Channels Al, B1 or Cl in Parameter Change Enable Mode.
When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:
* The processors continue with normal operation.
* A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.
* A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.
With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:
With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:
* Normal Operation  
* Normal Operation - with permissive for operating mode change.
-with permissive for operating mode change.* Parameterization  
* Parameterization - allows changes to specific parameters (example placing a parameter into a tripped condition or performing Reactor Trip Relay testing).
-allows changes to specific parameters (example placing a parameter into a tripped condition or performing Reactor Trip Relay testing).* Function Test -for disabling the application function and forcing output signal for testing purposes (normally not used).* Diagnostics  
* Function Test - for disabling the application function and forcing output signal for testing purposes (normally not used).
-for downloading new application software.The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions.
* Diagnostics - for downloading new application software.
Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.
The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions. Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.
When a keyswitch is placed in the Parameter Change Enable Mode Position for any activity, the affected processor shall first be declared out of service. In addition to declaring the processor out of service (1) the affected RPS channel shall be bypassed and (2) either the affected ESPS input channel (Al, B1, or Cl) shall be tripped OR the ESPS Set 1 voters shall be placed in Bypass for the following activities:
When a keyswitch is placed in the Parameter Change Enable Mode Position for any activity, the affected processor shall first be declared out of service. In addition to declaring the processor out of service (1) the affected RPS channel shall be bypassed and (2) either the affected ESPS input channel (Al, B1, or Cl) shall be tripped OR the ESPS Set 1 voters shall be placed in Bypass for the following activities:
* Loading or revising the software in a processor." Changing parameters via the RPS High Flux Trip (Variable Setpoint) screen at the Service Unit.OCONEE UNITS 1, 2, & 3 B 3.3.1-9 12/10/14 1 RPS Instrumentation B 3.3.1 BASES BACKGROUND Parameter Change Enable Mode (continued)
* Loading or revising the software in a processor.
Changing parameters via the RPS Flux/Flow/Imbalance Parameters screen at the Service Unit.Only one RPS channel at a time is allowed to be placed into Parameter Change Enable Mode Position for these activities.
                      " Changing parameters via the RPS High Flux Trip (Variable Setpoint) screen at the Service Unit.
Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the Gateway.RPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).
OCONEE UNITS 1, 2, & 3               B 3.3.1-9                                         12/10/14 1
 
RPS Instrumentation B 3.3.1 BASES BACKGROUND       Parameter Change Enable Mode           (continued)
Changing parameters via the RPS Flux/Flow/Imbalance Parameters screen at the Service Unit.
Only one RPS channel at a time is allowed to be placed into Parameter Change Enable Mode Position for these activities.
Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the Gateway.
RPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).
Trip Setpoints/Allowable Value The Allowable Value and trip setpoint are based on the analytical limits stated in UFSAR, Chapter 15 (Ref. 2). The selection of the Allowable Value and associated trip setpoint is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 3), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits to account for all known uncertainties for each channel. The actual trip setpoint entered into the processor output trip device is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL CALIBRATION.
Trip Setpoints/Allowable Value The Allowable Value and trip setpoint are based on the analytical limits stated in UFSAR, Chapter 15 (Ref. 2). The selection of the Allowable Value and associated trip setpoint is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 3), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits to account for all known uncertainties for each channel. The actual trip setpoint entered into the processor output trip device is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL CALIBRATION.
A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes.
A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. The trip setpoints are the nominal values at which the processor output trip devices are set. Any processor output trip device is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy. A detailed description of the methodology used to determine the Allowable Value and associated uncertainties is provided in Reference 4.
The trip setpoints are the nominal values at which the processor output trip devices are set. Any processor output trip device is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy.
Setpoints in conjunction with the Allowable Value ensure that the limits of Chapter 2.0, "Safety Limits," in the Technical Specifications are not violated during anticipated transients and that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the anticipated transient or accident and the equipment functions OCONEE UNITS 1, 2, & 3             B 3.3.1 -10                                           12/10/14 1
A detailed description of the methodology used to determine the Allowable Value and associated uncertainties is provided in Reference 4.Setpoints in conjunction with the Allowable Value ensure that the limits of Chapter 2.0, "Safety Limits," in the Technical Specifications are not violated during anticipated transients and that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the anticipated transient or accident and the equipment functions OCONEE UNITS 1, 2, & 3 B 3.3.1 -10 12/10/14 1 RPS Instrumentation B 3.3.1 BASES BACKGROUND Trip Setpoints/Allowable Value (continued) as designed.
 
Note that in LCO 3.3.1 the Allowable Values listed in Table 3.3.1-1 for Functions 1 through 8 and 11 are the LSSS.With the exception of the RB High Pressure function, each channel is tested online by manually retrieving the software setpoint to ensure it has been entered correctly.
RPS Instrumentation B 3.3.1 BASES BACKGROUND       Trip Setpoints/Allowable Value (continued) as designed. Note that in LCO 3.3.1 the Allowable Values listed in Table 3.3.1-1 for Functions 1 through 8 and 11 are the LSSS.
Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements.
With the exception of the RB High Pressure function, each channel is tested online by manually retrieving the software setpoint to ensure it has been entered correctly. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements.
APPLICABLE Each of the analyzed accidents and transients that require a reactor trip to SAFETY ANALYSES, meet the acceptance criteria can be detected by one or more RPS LCO, and Functions.
APPLICABLE       Each of the analyzed accidents and transients that require a reactor trip to SAFETY ANALYSES, meet the acceptance criteria can be detected by one or more RPS LCO, and         Functions. The accident analysis contained in the UFSAR, Chapter 15 APPLICABILITY     (Ref. 2), takes credit for most RPS trip Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit.
The accident analysis contained in the UFSAR, Chapter 15 APPLICABILITY (Ref. 2), takes credit for most RPS trip Functions.
These Functions are high RB pressure, turbine trip, and loss of main feedwater. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions also serve as backups to Functions that were credited in the safety analysis.
Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit.These Functions are high RB pressure, turbine trip, and loss of main feedwater.
The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. The three channels of each Function in Table 3.3.1-1 of the RPS instrumentation shall be OPERABLE during its specified Applicability to ensure that a reactor trip will be actuated if needed. Additionally, during shutdown bypass with any CRD trip breaker closed, the applicable RPS Functions must also be available. This ensures the capability to trip the withdrawn CONTROL RODS exists at all times that rod motion is possible. The trip Function channels specified in Table 3.3.1-1 are considered OPERABLE when all channel components necessary to provide a reactor trip are functional and in service for the required MODE or Other Specified Condition listed in Table 3.3.1-1.
These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance.
Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoint measured by CHANNEL CALIBRATIONS does not exceed the Allowable Value. A trip setpoint found less conservative than the nominal trip setpoint, but within its Allowable Value, is considered OPERABLE with respect to the uncertainty allowances assumed for the applicable surveillance interval provided that OCONEE UNITS 1, 2, & 3               B 3.3.1 -11                                       12/10/14 1
These Functions also serve as backups to Functions that were credited in the safety analysis.The LCO requires all instrumentation performing an RPS Function to be OPERABLE.
 
Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.
RPS Instrumentation B 3.3.1 BASES APPLICABLE       operation, testing and subsequent calibration are consistent with the SAFETY ANALYSES, assumptions of the setpoint calculations. Each Allowable Value specified is LCO, and         more conservative than instrument uncertainties appropriate to the trip APPLICABILITY     Function. These uncertainties are defined in Reference 4.
The three channels of each Function in Table 3.3.1-1 of the RPS instrumentation shall be OPERABLE during its specified Applicability to ensure that a reactor trip will be actuated if needed. Additionally, during shutdown bypass with any CRD trip breaker closed, the applicable RPS Functions must also be available.
(continued)
This ensures the capability to trip the withdrawn CONTROL RODS exists at all times that rod motion is possible.
For most RPS Functions, the Allowable Value in conjunction with the nominal trip setpoint ensure that the departure from nucleate boiling (DNB),
The trip Function channels specified in Table 3.3.1-1 are considered OPERABLE when all channel components necessary to provide a reactor trip are functional and in service for the required MODE or Other Specified Condition listed in Table 3.3.1-1.Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the setpoint calculations.
center line fuel melt, or RCS pressure SLs are not challenged. Cycle specific values for use during operation are contained in the COLR.
The nominal setpoints are selected to ensure that the setpoint measured by CHANNEL CALIBRATIONS does not exceed the Allowable Value. A trip setpoint found less conservative than the nominal trip setpoint, but within its Allowable Value, is considered OPERABLE with respect to the uncertainty allowances assumed for the applicable surveillance interval provided that OCONEE UNITS 1, 2, & 3 B 3.3.1 -11 12/10/14 1 RPS Instrumentation B 3.3.1 BASES APPLICABLE operation, testing and subsequent calibration are consistent with the SAFETY ANALYSES, assumptions of the setpoint calculations.
Certain RPS trips function to indirectly protect the SLs by detecting specific conditions that do not immediately challenge SLs but will eventually lead to challenge if no action is taken. These trips function to minimize the unit transients caused by the specific conditions. The Allowable Value for these Functions is selected at the minimum deviation from normal values that will indicate the condition, without risking spurious trips due to normal fluctuations in the measured parameter.
Each Allowable Value specified is LCO, and more conservative than instrument uncertainties appropriate to the trip APPLICABILITY Function.
The safety analyses applicable to each RPS Function are discussed next.
These uncertainties are defined in Reference 4.(continued)
: 1. Nuclear Overpower
For most RPS Functions, the Allowable Value in conjunction with the nominal trip setpoint ensure that the departure from nucleate boiling (DNB), center line fuel melt, or RCS pressure SLs are not challenged.
: a. Nuclear Overpower - High Setpoint The Nuclear Overpower - High Setpoint trip provides protection for the design thermal overpower condition based on the measured out of core neutron leakage flux.
Cycle specific values for use during operation are contained in the COLR.Certain RPS trips function to indirectly protect the SLs by detecting specific conditions that do not immediately challenge SLs but will eventually lead to challenge if no action is taken. These trips function to minimize the unit transients caused by the specific conditions.
The Nuclear Overpower - High Setpoint trip initiates a reactor trip when the neutron power reaches a predefined setpoint at the design overpower limit. Because THERMAL POWER lags the neutron power, tripping when the neutron power reaches the design overpower will limit THERMAL POWER to prevent exceeding acceptable fuel damage limits.
The Allowable Value for these Functions is selected at the minimum deviation from normal values that will indicate the condition, without risking spurious trips due to normal fluctuations in the measured parameter.
Thus, the Nuclear Overpower - High Setpoint trip protects against violation of the DNBR and fuel centerline melt SLs.
The safety analyses applicable to each RPS Function are discussed next.1. Nuclear Overpower a. Nuclear Overpower  
However, the RCS Variable Low Pressure, and Nuclear Overpower Flux/Flow Imbalance, provide more direct protection. The role of the Nuclear Overpower - High Setpoint trip is to limit reactor THERMAL POWER below the highest power at which the other two trips are known to provide protection.
-High Setpoint The Nuclear Overpower  
The Nuclear Overpower - High Setpoint trip also provides transient protection for rapid positive reactivity excursions OCONEE UNITS 1, 2, & 3                 B 3.3.1-12                                         12/10/14 1
-High Setpoint trip provides protection for the design thermal overpower condition based on the measured out of core neutron leakage flux.The Nuclear Overpower  
 
-High Setpoint trip initiates a reactor trip when the neutron power reaches a predefined setpoint at the design overpower limit. Because THERMAL POWER lags the neutron power, tripping when the neutron power reaches the design overpower will limit THERMAL POWER to prevent exceeding acceptable fuel damage limits.Thus, the Nuclear Overpower  
RPS Instrumentation B 3.3.1 BASES APPLICABLE             a. Nuclear Overpower - High Setpoint (continued)
-High Setpoint trip protects against violation of the DNBR and fuel centerline melt SLs.However, the RCS Variable Low Pressure, and Nuclear Overpower Flux/Flow Imbalance, provide more direct protection.
SAFETY ANALYSES, LCO, and                     during power operations. These events include the rod APPLICABILITY               withdrawal accident and the rod ejection accident. By providing a trip during these events, the Nuclear Overpower -
The role of the Nuclear Overpower  
High Setpoint trip protects the unit from excessive power levels and also serves to limit reactor power to prevent violation of the RCS pressure SL.
-High Setpoint trip is to limit reactor THERMAL POWER below the highest power at which the other two trips are known to provide protection.
Rod withdrawal accident analyses cover a large spectrum of reactivity insertion rates (rod worths), which exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the high pressure trip provides primary protection.
The Nuclear Overpower  
: b. Nuclear Overpower - Low Setpoint When initiating shutdown bypass, the Nuclear Overpower -
-High Setpoint trip also provides transient protection for rapid positive reactivity excursions OCONEE UNITS 1, 2, & 3 B 3.3.1-12 12/10/14 1 RPS Instrumentation B 3.3.1 BASES APPLICABLE
Low Setpoint trip must be reduced to _<5% RTP. The low power setpoint, in conjunction with the lower Shutdown Bypass RCS High Pressure setpoint, ensure that the unit is protected from excessive power conditions when other RPS trips are bypassed.
: a. Nuclear Overpower  
The setpoint Allowable Value was chosen to be as low as practical and still lie within the range of the out of core instrumentation.
-High Setpoint (continued)
: 2. RCS High Outlet Temperature The RCS High Outlet Temperature trip, in conjunction with the RCS Low Pressure and RCS Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the reactor vessel outlet temperature approaches the conditions necessary for DNB. Portions of each RCS High Outlet Temperature trip channel are common with the RCS Variable Low Pressure trip. The RCS High Outlet Temperature trip provides steady state protection for the DNBR SL.
SAFETY ANALYSES, LCO, and during power operations.
The RCS High Outlet Temperature trip limits the maximum RCS temperature to below the highest value for which DNB protection by the Variable Low Pressure trip is ensured. The trip setpoint Allowable Value is selected to ensure that a trip occurs before hot leg temperatures reach the point beyond which the RCS Low Pressure OCONEE UNITS 1, 2, & 3             B 3.3.1-13                                           12/10/14 1
These events include the rod APPLICABILITY withdrawal accident and the rod ejection accident.
 
By providing a trip during these events, the Nuclear Overpower  
RPS Instrumentation B 3.3.1 BASES APPLICABLE       2. RCS High Outlet Temperature (continued)
-High Setpoint trip protects the unit from excessive power levels and also serves to limit reactor power to prevent violation of the RCS pressure SL.Rod withdrawal accident analyses cover a large spectrum of reactivity insertion rates (rod worths), which exhibit slow and rapid rates of power increases.
SAFETY ANALYSES, LCO, and               and Variable Low Pressure trips are analyzed. Above the high APPLICABILITY         temperature trip, the variable low pressure trip need not provide protection, because the unit would have tripped already. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions that the equipment is expected to experience because the trip is not required to mitigate accidents that create harsh conditions in the RB.
At high reactivity insertion rates, the Nuclear Overpower  
: 3. RCS High Pressure The RCS High Pressure trip works in conjunction with the pressurizer and main steam relief valves to prevent RCS overpressurization, thereby protecting the RCS High Pressure SL.
-High Setpoint trip provides the primary protection.
The RCS High Pressure trip has been credited in the transient analysis calculations for slow positive reactivity insertion transients (rod withdrawal transients and moderator dilution). The rod withdrawal transient covers a large spectrum of reactivity insertion rates and rod worths that exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower
At low reactivity insertion rates, the high pressure trip provides primary protection.
                      - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the RCS High Pressure trip provides the primary protection.
: b. Nuclear Overpower  
The setpoint Allowable Value is selected to ensure that the RCS High Pressure SL is not challenged during steady state operation or slow power increasing transients. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions because the equipment is not required to mitigate accidents that create harsh conditions in the RB.
-Low Setpoint When initiating shutdown bypass, the Nuclear Overpower  
: 4. RCS Low Pressure The RCS Low Pressure trip, in conjunction with the RCS High Outlet Temperature and Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system pressure approaches the conditions necessary for DNB. The RCS Low Pressure trip provides DNB low pressure limit for the RCS Variable Low Pressure trip.
-Low Setpoint trip must be reduced to _< 5% RTP. The low power setpoint, in conjunction with the lower Shutdown Bypass RCS High Pressure setpoint, ensure that the unit is protected from excessive power conditions when other RPS trips are bypassed.The setpoint Allowable Value was chosen to be as low as practical and still lie within the range of the out of core instrumentation.
The RCS Low Pressure setpoint Allowable Value is selected to ensure that a reactor trip occurs before RCS pressure is reduced below the lowest point at which the RCS Variable Low Pressure trip is analyzed. The RCS Low Pressure trip provides protection for OCONEE UNITS 1, 2, & 3             B 3.3.1-14                                           12/10/14 1
: 2. RCS High Outlet Temperature The RCS High Outlet Temperature trip, in conjunction with the RCS Low Pressure and RCS Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the reactor vessel outlet temperature approaches the conditions necessary for DNB. Portions of each RCS High Outlet Temperature trip channel are common with the RCS Variable Low Pressure trip. The RCS High Outlet Temperature trip provides steady state protection for the DNBR SL.The RCS High Outlet Temperature trip limits the maximum RCS temperature to below the highest value for which DNB protection by the Variable Low Pressure trip is ensured. The trip setpoint Allowable Value is selected to ensure that a trip occurs before hot leg temperatures reach the point beyond which the RCS Low Pressure OCONEE UNITS 1, 2, & 3 B 3.3.1-13 12/10/14 1 RPS Instrumentation B 3.3.1 BASES APPLICABLE
 
: 2. RCS High Outlet Temperature (continued)
RPS Instrumentation B 3.3.1 BASES APPLICABLE       4. RCS Low Pressure (continued)
SAFETY ANALYSES, LCO, and and Variable Low Pressure trips are analyzed.
SAFETY ANALYSES, LCO, and               primary system depressurization events and has been credited in APPLICABILITY         the accident analysis calculations for small break loss of coolant accidents (LOCAs). Harsh RB conditions created by small break LOCAs cannot affect performance of the RCS pressure sensors and transmitters within the time frame for a reactor trip. Therefore, degraded environmental conditions are not considered in the Allowable Value determination.
Above the high APPLICABILITY temperature trip, the variable low pressure trip need not provide protection, because the unit would have tripped already. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions that the equipment is expected to experience because the trip is not required to mitigate accidents that create harsh conditions in the RB.3. RCS High Pressure The RCS High Pressure trip works in conjunction with the pressurizer and main steam relief valves to prevent RCS overpressurization, thereby protecting the RCS High Pressure SL.The RCS High Pressure trip has been credited in the transient analysis calculations for slow positive reactivity insertion transients (rod withdrawal transients and moderator dilution).
: 5. RCS Variable Low Pressure The RCS Variable Low Pressure trip, in conjunction with the RCS High Outlet Temperature and RCS Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system parameters of pressure and temperature approach the conditions necessary for DNB. The RCS Variable Low Pressure trip provides a floating low pressure trip based on the RCS High Outlet Temperature within the range specified by the RCS High Outlet Temperature and RCS Low Pressure trips.
The rod withdrawal transient covers a large spectrum of reactivity insertion rates and rod worths that exhibit slow and rapid rates of power increases.
The RCS Variable Low Pressure setpoint Allowable Value is selected to ensure that a trip occurs when temperature and pressure approach the conditions necessary for DNB while operating in a temperature pressure region constrained by the low pressure and high temperature trips. The RCS Variable Low Pressure trip is assumed for transient protection in the main steam line break analysis. The setpoint allowable value does not include errors induced by the harsh environment, because the trip actuates prior to the harsh environment.
At high reactivity insertion rates, the Nuclear Overpower-High Setpoint trip provides the primary protection.
: 6. Reactor Building High Pressure The Reactor Building High Pressure trip provides an early indication of a high energy line break (HELB) inside the RB. By detecting changes in the RB pressure, the RPS can provide a reactor trip before the other system parameters have varied significantly. Thus, this trip acts to minimize accident consequences. It also provides a backup for RPS trip instruments exposed to an RB HELB environment.
At low reactivity insertion rates, the RCS High Pressure trip provides the primary protection.
The setpoint Allowable Value is selected to ensure that the RCS High Pressure SL is not challenged during steady state operation or slow power increasing transients.
The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions because the equipment is not required to mitigate accidents that create harsh conditions in the RB.4. RCS Low Pressure The RCS Low Pressure trip, in conjunction with the RCS High Outlet Temperature and Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system pressure approaches the conditions necessary for DNB. The RCS Low Pressure trip provides DNB low pressure limit for the RCS Variable Low Pressure trip.The RCS Low Pressure setpoint Allowable Value is selected to ensure that a reactor trip occurs before RCS pressure is reduced below the lowest point at which the RCS Variable Low Pressure trip is analyzed.
The RCS Low Pressure trip provides protection for OCONEE UNITS 1, 2, & 3 B 3.3.1-14 12/10/14 1 RPS Instrumentation B 3.3.1 BASES APPLICABLE
: 4. RCS Low Pressure (continued)
SAFETY ANALYSES, LCO, and primary system depressurization events and has been credited in APPLICABILITY the accident analysis calculations for small break loss of coolant accidents (LOCAs). Harsh RB conditions created by small break LOCAs cannot affect performance of the RCS pressure sensors and transmitters within the time frame for a reactor trip. Therefore, degraded environmental conditions are not considered in the Allowable Value determination.
: 5. RCS Variable Low Pressure The RCS Variable Low Pressure trip, in conjunction with the RCS High Outlet Temperature and RCS Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system parameters of pressure and temperature approach the conditions necessary for DNB. The RCS Variable Low Pressure trip provides a floating low pressure trip based on the RCS High Outlet Temperature within the range specified by the RCS High Outlet Temperature and RCS Low Pressure trips.The RCS Variable Low Pressure setpoint Allowable Value is selected to ensure that a trip occurs when temperature and pressure approach the conditions necessary for DNB while operating in a temperature pressure region constrained by the low pressure and high temperature trips. The RCS Variable Low Pressure trip is assumed for transient protection in the main steam line break analysis.
The setpoint allowable value does not include errors induced by the harsh environment, because the trip actuates prior to the harsh environment.
: 6. Reactor Building High Pressure The Reactor Building High Pressure trip provides an early indication of a high energy line break (HELB) inside the RB. By detecting changes in the RB pressure, the RPS can provide a reactor trip before the other system parameters have varied significantly.
Thus, this trip acts to minimize accident consequences.
It also provides a backup for RPS trip instruments exposed to an RB HELB environment.
The Allowable Value for RB High Pressure trip is set at the lowest value consistent with avoiding spurious trips during normal operation.
The Allowable Value for RB High Pressure trip is set at the lowest value consistent with avoiding spurious trips during normal operation.
The electronic components of the RB High Pressure trip are located in an area that is not exposed to high temperature steam environments during HELB transients inside containment.
The electronic components of the RB High Pressure trip are located in an area that is not exposed to high temperature steam environments during HELB transients inside containment. The OCONEE UNITS 1, 2, & 3             B 3.3.1-15                                       12/10/14 1
The OCONEE UNITS 1, 2, & 3 B 3.3.1-15 12/10/14 1 RPS Instrumentation B 3.3.1 BASES APPLICABLE
 
: 6. Reactor Building High Pressure (continued)
RPS Instrumentation B 3.3.1 BASES APPLICABLE       6. Reactor Building High Pressure (continued)
SAFETY ANALYSES, LCO, and components are exposed to high radiation conditions.
SAFETY ANALYSES, LCO, and               components are exposed to high radiation conditions. Therefore, the APPLICABILITY         determination of the setpoint Allowable Value accounts for errors induced by the high radiation.
Therefore, the APPLICABILITY determination of the setpoint Allowable Value accounts for errors induced by the high radiation.
: 7. Reactor Coolant Pump to Power The Reactor Coolant Pump to Power trip provides protection for changes in the reactor coolant flow due to the loss of multiple RCPs.
: 7. Reactor Coolant Pump to Power The Reactor Coolant Pump to Power trip provides protection for changes in the reactor coolant flow due to the loss of multiple RCPs.Because the flow reduction lags loss of power indications due to the inertia of the RCPs, the trip initiates protective action earlier than a trip based on a measured flow signal.The Reactor Coolant Pump to Power trip has been credited in the accident analysis calculations for the loss of more than two RCPs.The Allowable Value for the Reactor Coolant Pump to Power trip setpoint is selected to prevent normal power operation unless at least three RCPs are operating.
Because the flow reduction lags loss of power indications due to the inertia of the RCPs, the trip initiates protective action earlier than a trip based on a measured flow signal.
Each reactor coolant pump has an RCPPM, which monitors the electrical power and breaker status of each pump motor to determine if the pump is running. Each RCPPM provides inputs to all four RPS channels.
The Reactor Coolant Pump to Power trip has been credited in the accident analysis calculations for the loss of more than two RCPs.
The RCPPM will initiate a reactor trip if fewer than three reactor coolant pumps are operating and reactor power is greater than approximately 2%rated full power.8. Nuclear Overpower Flux/Flow Imbalance The Nuclear Overpower Flux/Flow Imbalance trip provides steady state protection for the power imbalance SLs. A reactor trip is initiated prior to the core power, AXIAL POWER IMBALANCE, and reactor coolant flow conditions exceeding the DNB or fuel centerline temperature limits.This trip supplements the protection provided by the Reactor Coolant Pump to Power trip, through the power to flow ratio, for loss of reactor coolant flow events. The power to flow ratio provides direct protection for the DNBR SL for the loss of one or more RCPs and for locked RCP rotor accidents.
The Allowable Value for the Reactor Coolant Pump to Power trip setpoint is selected to prevent normal power operation unless at least three RCPs are operating. Each reactor coolant pump has an RCPPM, which monitors the electrical power and breaker status of each pump motor to determine if the pump is running. Each RCPPM provides inputs to all four RPS channels. The RCPPM will initiate a reactor trip if fewer than three reactor coolant pumps are operating and reactor power is greater than approximately 2%
The power to flow ratio of the Nuclear Overpower Flux/Flow Imbalance trip also provides steady state protection to prevent reactor power from exceeding the allowable power when the primary system flow rate is less than full four pump flow. Thus, the power to flow ratio prevents overpower conditions similar to the Nuclear OCONEE UNITS 1, 2, & 3 B 3.3.1-16 12/10/14 1 RPS Instrumentation B 3.3.1 BASES APPLICABLE
rated full power.
: 8. Nuclear Overpower Flux/Flow Imbalance (continued)
: 8. Nuclear Overpower Flux/Flow Imbalance The Nuclear Overpower Flux/Flow Imbalance trip provides steady state protection for the power imbalance SLs. A reactor trip is initiated prior to the core power, AXIAL POWER IMBALANCE, and reactor coolant flow conditions exceeding the DNB or fuel centerline temperature limits.
SAFETY ANALYSES, LCO, and Overpower trip. This protection ensures that during reduced flow APPLICABILITY conditions the core power is maintained below that required to begin DNB.The Allowable Value is selected to ensure that a trip occurs when the core power, axial power peaking, and reactor coolant flow conditions indicate an approach to DNB or fuel centerline temperature limits.By measuring reactor coolant flow and by tripping only when conditions approach an SL, the unit can operate with the loss of one pump from a four pump initial condition at power levels at least as low as approximately 80% RTP. The Allowable Value for the Function, including the upper limits of the Function are given in the unit COLR because the cycle specific core peaking changes affect the Allowable Value.9. Main Turbine Trip (Hydraulic Fluid Pressure)The Main Turbine Trip Function trips the reactor when the main turbine is lost at high power levels. The Main Turbine Trip Function provides an early reactor trip in anticipation of the loss of heat sink associated with a turbine trip. The Main Turbine Trip Function was added to the B&W designed units in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident.
This trip supplements the protection provided by the Reactor Coolant Pump to Power trip, through the power to flow ratio, for loss of reactor coolant flow events. The power to flow ratio provides direct protection for the DNBR SL for the loss of one or more RCPs and for locked RCP rotor accidents.
The trip lowers the probability of an RCS power operated relief valve (PORV)actuation for turbine trip cases. This trip is activated at higher power levels, thereby limiting the range through which the Integrated Control System must provide an automatic runback on a turbine trip.Each of the four turbine hydraulic fluid pressure switches feeds one protective channel that continuously monitors the status of the contacts.For the Main Turbine Trip (Hydraulic Fluid Pressure), the Allowable Value of 800 psig is selected to provide a trip whenever main turbine hydraulic fluid pressure drops below the normal operating range.This trip is bypassed at power levels < 30% RTP for unit startup.The turbine trip is not required to protect against events that can create a harsh environment in the turbine building.
The power to flow ratio of the Nuclear Overpower Flux/Flow Imbalance trip also provides steady state protection to prevent reactor power from exceeding the allowable power when the primary system flow rate is less than full four pump flow. Thus, the power to flow ratio prevents overpower conditions similar to the Nuclear OCONEE UNITS 1, 2, & 3               B 3.3.1-16                                           12/10/14 1
Therefore, errors induced by harsh environments are not included in the determination of the setpoint Allowable Value.OCONEE UNITS 1, 2, & 3 B 3.3.1-17 12/10/14 1 RPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
 
: 10. Loss of Main Feedwater PumD Turbines (Hydraulic Oil Pressure)The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) trip provides a reactor trip at high power levels when both MFW pump turbines are lost. The trip provides an early reactor trip in anticipation of the loss of heat sink associated with the LOMF.This trip was added in accordance with NUREG-0737 (Ref. 5)following the Three Mile Island Unit 2 accident.
RPS Instrumentation B 3.3.1 BASES APPLICABLE       8. Nuclear Overpower Flux/Flow Imbalance (continued)
This trip provides a reactor trip at high power levels for a LOMF to minimize challenges to the PORV.For the feedwater pump turbine hydraulic oil pressure, the Allowable Value of 75 psig is selected to provide a trip whenever feedwater pump turbine hydraulic oil pressure drops below the normal operating range. This trip is bypassed at power levels < 2% RTP for unit startup. The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) trip is not required to protect against events that can create a harsh environment in the turbine building.
SAFETY ANALYSES, LCO, and               Overpower trip. This protection ensures that during reduced flow APPLICABILITY         conditions the core power is maintained below that required to begin DNB.
Therefore, errors caused by harsh environments are not included in the determination of the setpoint Allowable Value.11. Shutdown Bypass RCS High Pressure The RPS Shutdown Bypass RCS High Pressure is provided to allow for withdrawing the CONTROL RODS prior to reaching the normal RCS Low Pressure trip setpoint.
The Allowable Value is selected to ensure that a trip occurs when the core power, axial power peaking, and reactor coolant flow conditions indicate an approach to DNB or fuel centerline temperature limits.
The shutdown bypass provides trip protection during deboration and RCS heatup by allowing the operator to at least partially withdraw the safety groups of CONTROL RODS. This makes their negative reactivity available to terminate inadvertent reactivity excursions.
By measuring reactor coolant flow and by tripping only when conditions approach an SL, the unit can operate with the loss of one pump from a four pump initial condition at power levels at least as low as approximately 80% RTP. The Allowable Value for the Function, including the upper limits of the Function are given in the unit COLR because the cycle specific core peaking changes affect the Allowable Value.
Use of the shutdown bypass trip requires that the neutron power trip setpoint be reduced to 5% of full power or less. The Shutdown Bypass RCS High Pressure trip forces a reactor trip to occur whenever the unit switches from power operation to shutdown bypass or vice versa. This ensures that the CONTROL RODS are all inserted before power operation can begin.The operator is required to remove the shutdown bypass, reset the Nuclear Overpower  
: 9. Main Turbine Trip (Hydraulic Fluid Pressure)
-High Power trip setpoint, and again withdraw the safety group rods before proceeding with startup.Accidents analyzed in the UFSAR, Chapter 15 (Ref. 2), do not describe events that occur during shutdown bypass operation, because the consequences of these events are enveloped by the events presented in the UFSAR.OCONEE UNITS 1, 2, & 3 B 3.3.1-18 12/10/14 1 RPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY
The Main Turbine Trip Function trips the reactor when the main turbine is lost at high power levels. The Main Turbine Trip Function provides an early reactor trip in anticipation of the loss of heat sink associated with a turbine trip. The Main Turbine Trip Function was added to the B&W designed units in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. The trip lowers the probability of an RCS power operated relief valve (PORV) actuation for turbine trip cases. This trip is activated at higher power levels, thereby limiting the range through which the Integrated Control System must provide an automatic runback on a turbine trip.
: 11. Shutdown Bypass RCS High Pressure (continued)
Each of the four turbine hydraulic fluid pressure switches feeds one protective channel that continuously monitors the status of the contacts.
During shutdown bypass operation with the Shutdown Bypass RCS High Pressure trip active with a setpoint of < 1720 psig and the Nuclear Overpower  
For the Main Turbine Trip (Hydraulic Fluid Pressure), the Allowable Value of 800 psig is selected to provide a trip whenever main turbine hydraulic fluid pressure drops below the normal operating range.
-Low Setpoint set at or below 5% RTP, the trips listed below can be bypassed.
This trip is bypassed at power levels < 30% RTP for unit startup.
Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower  
The turbine trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors induced by harsh environments are not included in the determination of the setpoint Allowable Value.
-Low Setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.
OCONEE UNITS 1, 2, & 3             B 3.3.1-17                                         12/10/14 1
1 a. Nuclear Overpower  
 
-High Setpoint;3. RCS High Pressure;4. RCS Low Pressure;5. RCS Variable Low Pressure;7. Reactor Coolant Pump to Power; and 8. Nuclear Overpower Flux/Flow Imbalance.
RPS Instrumentation B 3.3.1 BASES APPLICABLE       10. Loss of Main Feedwater PumD Turbines (Hydraulic Oil Pressure)
The Shutdown Bypass RCS High Pressure Function's Allowable Value is selected to ensure a trip occurs before producing THERMAL POWER.General Discussion The RPS satisfies Criterion 3 of 10 CFR 50.36 (Ref. 7). In MODES 1 and 2, the following trips shall be OPERABLE because the reactor can be critical in these MODES. These trips are designed to take the reactor subcritical to maintain the SLs during anticipated transients and to assist the ESPS in providing acceptable consequences during accidents.
SAFETY ANALYSES, LCO, and              The Loss of Main Feedwater Pump Turbines (Hydraulic Oil APPLICABILITY          Pressure) trip provides a reactor trip at high power levels when both (continued)          MFW pump turbines are lost. The trip provides an early reactor trip in anticipation of the loss of heat sink associated with the LOMF.
1 a. Nuclear Overpower  
This trip was added in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. This trip provides a reactor trip at high power levels for a LOMF to minimize challenges to the PORV.
-High Setpoint;2. RCS High Outlet Temperature;
For the feedwater pump turbine hydraulic oil pressure, the Allowable Value of 75 psig is selected to provide a trip whenever feedwater pump turbine hydraulic oil pressure drops below the normal operating range. This trip is bypassed at power levels < 2% RTP for unit startup. The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors caused by harsh environments are not included in the determination of the setpoint Allowable Value.
: 3. RCS High Pressure;4. RCS Low Pressure;5. RCS Variable Low Pressure;6. Reactor Building High Pressure;OCONEE UNITS 1, 2, & 3 B 3.3.1-19 12/10/14 1 RPS Instrumentation B 3.3.1 BASES APPLICABLE General Discussion (continued)
: 11. Shutdown Bypass RCS High Pressure The RPS Shutdown Bypass RCS High Pressure is provided to allow for withdrawing the CONTROL RODS prior to reaching the normal RCS Low Pressure trip setpoint. The shutdown bypass provides trip protection during deboration and RCS heatup by allowing the operator to at least partially withdraw the safety groups of CONTROL RODS. This makes their negative reactivity available to terminate inadvertent reactivity excursions. Use of the shutdown bypass trip requires that the neutron power trip setpoint be reduced to 5% of full power or less. The Shutdown Bypass RCS High Pressure trip forces a reactor trip to occur whenever the unit switches from power operation to shutdown bypass or vice versa. This ensures that the CONTROL RODS are all inserted before power operation can begin.
SAFETY ANALYSES, LCO, and 7. Reactor Coolant Pump to Power; and APPLICABILITY
The operator is required to remove the shutdown bypass, reset the Nuclear Overpower - High Power trip setpoint, and again withdraw the safety group rods before proceeding with startup.
Accidents analyzed in the UFSAR, Chapter 15 (Ref. 2), do not describe events that occur during shutdown bypass operation, because the consequences of these events are enveloped by the events presented in the UFSAR.
OCONEE UNITS 1, 2, & 3             B 3.3.1-18                                         12/10/14 1
 
RPS Instrumentation B 3.3.1 BASES APPLICABLE       11. Shutdown Bypass RCS High Pressure (continued)
SAFETY ANALYSES, LCO, and                  During shutdown bypass operation with the Shutdown Bypass RCS APPLICABILITY            High Pressure trip active with a setpoint of < 1720 psig and the Nuclear Overpower - Low Setpoint set at or below 5% RTP, the trips listed below can be bypassed. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low Setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.
1a. Nuclear Overpower - High Setpoint;
: 3.     RCS High Pressure;
: 4.     RCS Low Pressure;
: 5.     RCS Variable Low Pressure;
: 7.     Reactor Coolant Pump to Power; and
: 8.     Nuclear Overpower Flux/Flow Imbalance.
The Shutdown Bypass RCS High Pressure Function's Allowable Value is selected to ensure a trip occurs before producing THERMAL POWER.
General Discussion The RPS satisfies Criterion 3 of 10 CFR 50.36 (Ref. 7). In MODES 1 and 2, the following trips shall be OPERABLE because the reactor can be critical in these MODES. These trips are designed to take the reactor subcritical to maintain the SLs during anticipated transients and to assist the ESPS in providing acceptable consequences during accidents.
1a. Nuclear Overpower - High Setpoint;
: 2.     RCS High Outlet Temperature;
: 3.     RCS High Pressure;
: 4.     RCS Low Pressure;
: 5. RCS Variable Low Pressure;
: 6. Reactor Building High Pressure; OCONEE UNITS 1, 2, & 3               B 3.3.1-19                                         12/10/14 1
 
RPS Instrumentation B 3.3.1 BASES APPLICABLE       General Discussion (continued)
SAFETY ANALYSES, LCO, and                 7. Reactor Coolant Pump to Power; and APPLICABILITY
: 8. Nuclear Overpower Flux/Flow Imbalance.
: 8. Nuclear Overpower Flux/Flow Imbalance.
Functions la, 3, 4, 5, 7, and 8 just listed may be bypassed in MODE 2 when RCS pressure is below 1720 psig, provided the Shutdown Bypass RCS High Pressure and the Nuclear Overpower  
Functions la, 3, 4, 5, 7, and 8 just listed may be bypassed in MODE 2 when RCS pressure is below 1720 psig, provided the Shutdown Bypass RCS High Pressure and the Nuclear Overpower - Low setpoint trip are placed in operation. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.
-Low setpoint trip are placed in operation.
The Main Turbine Trip (Hydraulic Fluid Pressure) Function is required to be OPERABLE in MODE 1 at &#x17d;_30% RTP. The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) Function is required to be OPERABLE in MODE 1 and in MODE 2 at __2% RTP. For operation below these power levels, these trips are not necessary to minimize challenges to the PORVs as required by NUREG-0737 (Ref. 5).
Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower  
Because the safety function of the RPS is to trip the CONTROL RODS, the RPS is not required to be OPERABLE in MODE 3, 4, or 5 if either the reactor trip breakers are open, or the CRD System is incapable of rod withdrawal. Similarly, the RPS is not required to be OPERABLE in MODE 6 because the CONTROL RODS are normally decoupled from the CRDs.
-Low setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.
However, in MODE 2, 3, 4, or 5, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are required to be OPERABLE if the CRD trip breakers are closed and the CRD System is capable of rod withdrawal. Under these conditions, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are sufficient to prevent an approach to conditions that could challenge SLs.
The Main Turbine Trip (Hydraulic Fluid Pressure)
ACTIONS           Conditions A and B are applicable to all RPS protective Functions. If a channel's trip setpoint is found nonconservative with respect to the required Allowable Value in Table 3.3.1-1, or the transmitter, instrument loop, signal processing electronics or processor output trip device is found inoperable, the channel must be declared inoperable and Condition A entered immediately.
Function is required to be OPERABLE in MODE 1 at _ 30% RTP. The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure)
When an RPS channel is manually tripped, the functions that were inoperable prior to tripping remain inoperable. Other functions in the same channel that were OPERABLE prior to tripping remain OPERABLE.
Function is required to be OPERABLE in MODE 1 and in MODE 2 at __ 2% RTP. For operation below these power levels, these trips are not necessary to minimize challenges to the PORVs as required by NUREG-0737 (Ref. 5).Because the safety function of the RPS is to trip the CONTROL RODS, the RPS is not required to be OPERABLE in MODE 3, 4, or 5 if either the reactor trip breakers are open, or the CRD System is incapable of rod withdrawal.
OCONEE UNITS 1, 2, & 3               B 3.3.1-20                                       12/10/14 1
Similarly, the RPS is not required to be OPERABLE in MODE 6 because the CONTROL RODS are normally decoupled from the CRDs.However, in MODE 2, 3, 4, or 5, the Shutdown Bypass RCS High Pressure and Nuclear Overpower  
 
-Low setpoint trips are required to be OPERABLE if the CRD trip breakers are closed and the CRD System is capable of rod withdrawal.
RPS Instrumentation B 3.3.1 BASES ACTIONS           A._1 (continued)
Under these conditions, the Shutdown Bypass RCS High Pressure and Nuclear Overpower  
For Required Action A.1, if one or more Functions in a required protective channel becomes inoperable, the affected protective channel must be placed in trip.
-Low setpoint trips are sufficient to prevent an approach to conditions that could challenge SLs.ACTIONS Conditions A and B are applicable to all RPS protective Functions.
Placing the affected Function in trip places only the affected Function in each required channel in a one-out-of-two logic configuration. Ifthe same function in another channel exceeds the setpoint, all channels will trip. In this configuration, the RPS can still perform its safety function in the presence of a random failure of any single Channel. The 4 hour Completion Time is justified based on the continuous monitoring and signal validation being performed and is sufficient time to place a Function in trip. If the individual Function cannot be placed in trip, the Operator can trip the affected channel with the use of the Manual Trip Keyswitch until such time that the Function can be placed in trip. This places all RPS Functions in a one-out-of-two logic configuration.
If a channel's trip setpoint is found nonconservative with respect to the required Allowable Value in Table 3.3.1-1, or the transmitter, instrument loop, signal processing electronics or processor output trip device is found inoperable, the channel must be declared inoperable and Condition A entered immediately.
B.1 Required Action B.1 directs entry into the appropriate Condition referenced in Table 3.3.1-1. The applicable Condition referenced in the table is Function dependent. Ifthe Required Action and the associated Completion Time of Condition A are not met or if more than two channels are inoperable, Condition B is entered to provide for transfer to the appropriate subsequent Condition.
When an RPS channel is manually tripped, the functions that were inoperable prior to tripping remain inoperable.
C.1 and C.2 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition C, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and to open all CRD trip breakers without challenging unit systems.
Other functions in the same channel that were OPERABLE prior to tripping remain OPERABLE.OCONEE UNITS 1, 2, & 3 B 3.3.1-20 12/10/14 1 RPS Instrumentation B 3.3.1 BASES ACTIONS A._1 (continued)
D..1 Ifthe Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition D, the unit must be brought to a MODE in which the specified RPS trip Functions are not OCONEE UNITS 1, 2, & 3               B 3.3.1-21                                       12/10/14 1
For Required Action A.1, if one or more Functions in a required protective channel becomes inoperable, the affected protective channel must be placed in trip.Placing the affected Function in trip places only the affected Function in each required channel in a one-out-of-two logic configuration.
 
If the same function in another channel exceeds the setpoint, all channels will trip. In this configuration, the RPS can still perform its safety function in the presence of a random failure of any single Channel. The 4 hour Completion Time is justified based on the continuous monitoring and signal validation being performed and is sufficient time to place a Function in trip. If the individual Function cannot be placed in trip, the Operator can trip the affected channel with the use of the Manual Trip Keyswitch until such time that the Function can be placed in trip. This places all RPS Functions in a one-out-of-two logic configuration.
RPS Instrumentation B 3.3.1 BASES ACTIONS           D.1 (continued) required to be OPERABLE. To achieve this status, all CRD tdp breakers must be opened. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to open CRD tdp breakers without challenging unit systems.
B.1 Required Action B.1 directs entry into the appropriate Condition referenced in Table 3.3.1-1. The applicable Condition referenced in the table is Function dependent.
E.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition E, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 30% RTP. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach 30% RTP from full power conditions in an orderly manner without challenging unit systems.
If the Required Action and the associated Completion Time of Condition A are not met or if more than two channels are inoperable, Condition B is entered to provide for transfer to the appropriate subsequent Condition.
F.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition F, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 2% RTP. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach 2% RTP from full power conditions in an orderly manner without challenging unit systems.
C.1 and C.2 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition C, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE.
SURVEILLANCE     The SRs for each RPS Function are identified by the SRs column of REQUIREMENTS     Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION testing.
The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and to open all CRD trip breakers without challenging unit systems.D..1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition D, the unit must be brought to a MODE in which the specified RPS trip Functions are not OCONEE UNITS 1, 2, & 3 B 3.3.1-21 12/10/14 1 RPS Instrumentation B 3.3.1 BASES ACTIONS D.1 (continued) required to be OPERABLE.
The SRs are modified by a Note. The Note directs the reader to Table 3.3.1-1 to determine the correct SRs to perform for each RPS Function.
To achieve this status, all CRD tdp breakers must be opened. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to open CRD tdp breakers without challenging unit systems.E.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition E, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE.
SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred.
To achieve this status, THERMAL POWER must be reduced < 30% RTP. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach 30% RTP from full power conditions in an orderly manner without challenging unit systems.F.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition F, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE.
OCONEE UNITS 1, 2, & 3               B 3.3.1-22                                       12/10/14 1
To achieve this status, THERMAL POWER must be reduced < 2% RTP. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach 2% RTP from full power conditions in an orderly manner without challenging unit systems.SURVEILLANCE The SRs for each RPS Function are identified by the SRs column of REQUIREMENTS Table 3.3.1-1 for that Function.
 
Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION testing.The SRs are modified by a Note. The Note directs the reader to Table 3.3.1-1 to determine the correct SRs to perform for each RPS Function.SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred.OCONEE UNITS 1, 2, & 3 B 3.3.1-22 12/10/14 1 RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.1 (continued)
RPS Instrumentation B 3.3.1 BASES SURVEILLANCE       SR 3.3.1.1 (continued)
REQUIREMENTS A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels.
REQUIREMENTS A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
Agreement criteria are determined based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction.
Agreement criteria are determined based on a combination of the channel instrument uncertainties, including isolation, indication, and readability.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal but more frequent checks of channel OPERABILITY during normal operational use of the displays associated with the LCO's required channels.
If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE.
For Functions that trip on a combination of several measurements, such as the Nuclear Overpower Flux/Flow Imbalance Function, the CHANNEL CHECK must be performed on each input.
If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction.
The CHANNEL CHECK requirement is met automatically. The digital RPS provides continuous online automatic monitoring of each of the input signals in each channel, performs signal online validation against required acceptance criteria, and provides hardware functional validation.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal but more frequent checks of channel OPERABILITY during normal operational use of the displays associated with the LCO's required channels.For Functions that trip on a combination of several measurements, such as the Nuclear Overpower Flux/Flow Imbalance Function, the CHANNEL CHECK must be performed on each input.The CHANNEL CHECK requirement is met automatically.
If any protective channel input signal is identified to be in the failure status, this condition is alarmed on the Unit Statalarm and input to the plant OAC. Immediate notification of the failure status is provided to the Operations staff.
The digital RPS provides continuous online automatic monitoring of each of the input signals in each channel, performs signal online validation against required acceptance criteria, and provides hardware functional validation.
OCONEE UNITS 1, 2, & 3               B 3.3.1-23                                         12/10/14 1
If any protective channel input signal is identified to be in the failure status, this condition is alarmed on the Unit Statalarm and input to the plant OAC. Immediate notification of the failure status is provided to the Operations staff.OCONEE UNITS 1, 2, & 3 B 3.3.1-23 12/10/14 1 RPS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)
 
SR 3.3.1.2 This SR is the performance of a heat balance calibration for the power range channels when reactor power is > 15% RTP. The heat balance calibration consists of a comparison of the results of the calorimetric with the power range channel output. The outputs of the power range channels are normalized to the calorimetric.
RPS Instrumentation B 3.3.1 BASES SURVEILLANCE     SR 3.3.1.2 REQUIREMENTS (continued)    This SR is the performance of a heat balance calibration for the power range channels when reactor power is > 15% RTP. The heat balance calibration consists of a comparison of the results of the calorimetric with the power range channel output. The outputs of the power range channels are normalized to the calorimetric. If the calorimetric exceeds the Nuclear Instrumentation System (NIS) channel output by > 2% RTP, the NIS is not declared inoperable but must be adjusted. Ifthe NIS channel cannot be properly adjusted, the channel is declared inoperable. A Note clarifies that this Surveillance is required to be performed only if reactor power is >_15%
If the calorimetric exceeds the Nuclear Instrumentation System (NIS) channel output by > 2% RTP, the NIS is not declared inoperable but must be adjusted.
RTP and that 24 hours is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are less accurate.
If the NIS channel cannot be properly adjusted, the channel is declared inoperable.
The power range channel's output shall be adjusted consistent with the calorimetric results if the calorimetric exceeds the power range channel's output by _>2% RTP. The value of 2% is adequate because this value is assumed in the safety analyses of UFSAR, Chapter 15 (Ref. 2). These checks and, if necessary, the adjustment of the power range channels ensure that channel accuracy is maintained within the analyzed error margins. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
A Note clarifies that this Surveillance is required to be performed only if reactor power is >_ 15%RTP and that 24 hours is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are less accurate.The power range channel's output shall be adjusted consistent with the calorimetric results if the calorimetric exceeds the power range channel's output by _> 2% RTP. The value of 2% is adequate because this value is assumed in the safety analyses of UFSAR, Chapter 15 (Ref. 2). These checks and, if necessary, the adjustment of the power range channels ensure that channel accuracy is maintained within the analyzed error margins. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR 3.3.1.3 A comparison of power range nuclear instrumentation channels against incore detectors shall be performed when reactor power is _> 15% RTP. A Note clarifies that 24 hours is allowed for performing the first Surveillance after reaching 15% RTP. If the absolute value of imbalance error is >_ 2%RTP, the power range channel is not inoperable, but an adjustment of the measured imbalance to agree with the incore measurements is necessary.
SR 3.3.1.3 A comparison of power range nuclear instrumentation channels against incore detectors shall be performed when reactor power is _>15% RTP. A Note clarifies that 24 hours is allowed for performing the first Surveillance after reaching 15% RTP. Ifthe absolute value of imbalance error is >_2%
The Imbalance error calculation is adjusted for conservatism by applying a correlation slope (CS) value to the error calculation formula. This ensures that the value of the APIo is > API,. The CS value is listed in the COLR and is cycle dependent.
RTP, the power range channel is not inoperable, but an adjustment of the measured imbalance to agree with the incore measurements is necessary.
If the power range channel cannot be properly recalibrated, the channel is declared inoperable.
The Imbalance error calculation is adjusted for conservatism by applying a correlation slope (CS) value to the error calculation formula. This ensures that the value of the APIo is > API,. The CS value is listed in the COLR and is cycle dependent. If the power range channel cannot be properly recalibrated, the channel is declared inoperable. The calculation of the Allowable Value envelope assumes a difference in out of core to incore measurements of 2.0%. Additional inaccuracies beyond those that are measured are also included in the setpoint envelope calculation.
The calculation of the Allowable Value envelope assumes a difference in out of core to incore measurements of 2.0%. Additional inaccuracies beyond those that are measured are also included in the setpoint envelope calculation.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.OCONEE UNITS 1, 2, & 3 B 3.3.1-24 12/10/14 1 RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.4 REQUIREMENTS (continued)
OCONEE UNITS 1, 2, & 3               B 3.3.1-24                                         12/10/14 1
This SR has been deleted.SR 3.3.1.5 This SR manually retrieves the software setpoints and verifies they are correct. The proper functioning of the processor portion of the channel is continuously checked by an automatic cyclic self monitoring.
 
Verification of field instrument setpoints is not required by this surveillance.
RPS Instrumentation B 3.3.1 BASES SURVEILLANCE     SR 3.3.1.4 REQUIREMENTS (continued)     This SR has been deleted.
This surveillance does not apply to the Reactor Building Pressure Function because it consists of pressure switches which provide a contact status to the system and there is no software setpoint to verify.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR 3.3.1.6 This SR requires manual actuation of the output channel interposing relays to demonstrate OPERABILITY of the relays. The proper functioning of the processor portion of the channel is continuously checked by an automatic cyclic self monitoring.
SR 3.3.1.5 This SR manually retrieves the software setpoints and verifies they are correct. The proper functioning of the processor portion of the channel is continuously checked by an automatic cyclic self monitoring. Verification of field instrument setpoints is not required by this surveillance. This surveillance does not apply to the Reactor Building Pressure Function because it consists of pressure switches which provide a contact status to the system and there is no software setpoint to verify.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR 3.3.1.7 A Note to the Surveillance indicates that neutron detectors are excluded from CHANNEL CALIBRATION.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure virtually instantaneous response.A CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that OCONEE UNITS 1, 2, & 3 B 3.3.1-25 12/10/14 1 RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.7 (continued)
SR 3.3.1.6 This SR requires manual actuation of the output channel interposing relays to demonstrate OPERABILITY of the relays. The proper functioning of the processor portion of the channel is continuously checked by an automatic cyclic self monitoring.
REQUIREMENTS measurement errors and processor output trip device setpoint errors are within the assumptions of the uncertainty analysis.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
Whenever a sensing element is replaced, the CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.Since the CHANNEL FUNCTIONAL TEST is a part of the CHANNEL CALIBRATION a separate SR is not required.
SR 3.3.1.7 A Note to the Surveillance indicates that neutron detectors are excluded from CHANNEL CALIBRATION. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure virtually instantaneous response.
The digital RPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation.
A CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.
The protection system also performs continuous online hardware monitoring.
CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that OCONEE UNITS 1, 2, & 3               B 3.3.1-25                                       12/10/14 1
The CHANNEL CALIBRATION essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.The digital processors shall be rebooted as part of the calibration.
 
This verifies that the software has not changed. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements.
RPS Instrumentation B 3.3.1 BASES SURVEILLANCE     SR 3.3.1.7 (continued)
This, in combination with ensuring the setpoints are entered into the software correctly per SR 3.3.1.5, verifies the setpoints are within the Allowable Values.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES
REQUIREMENTS measurement errors and processor output trip device setpoint errors are within the assumptions of the uncertainty analysis. Whenever a sensing element is replaced, the CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.
: 1. UFSAR, Chapter 7.2. UFSAR, Chapter 15.3. 10 CFR 50.49.4. EDM-1 02, "Instrument Setpoint/Uncertainty Calculations." 5. NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1979.6. BAW-10167, May 1986.7. 10 CFR 50.36.OCONEE UNITS 1, 2, & 3 B 3.3.1-26 12/10/14 1 RPS -RTC B 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Reactor Protective System (RPS) -Reactor Trip Component (RTC)BASES BACKGROUND The RPS consists of four independent protection channels, each containing an RTC. Figure 7.1 of UFSAR, Chapter 7 (Ref. 1), shows a typical RPS protection channel and the relationship of the RTC to the RPS instrumentation, manual trip, and CONTROL ROD drive (CRD) trip devices.The RTC is made up of two digital output modules and four Reactor Trip Relays (RTR) all contained within the respective RPS channel's cabinet.The RTC receives a channel trip signal in its own channel and channel trip signals from the digital output modules in the other three RPS channels.Whenever any two RPS channels transmit channel trip signals, the RTC logic in each channel actuates to remove 120 VAC power from its associated CRD trip devices.The RPS trip scheme consists of processor output trip devices.During normal unit operations, the digital output modules maintain the RTRs energized.
Since the CHANNEL FUNCTIONAL TEST is a part of the CHANNEL CALIBRATION a separate SR is not required. The digital RPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The protection system also performs continuous online hardware monitoring. The CHANNEL CALIBRATION essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.
However, if an RPS channel initiates a trip signal, the digital output modules in that RPS channel will de-energize the reactor trip relay in that RPS channel and the associated RTR in each of the other three RPS channels.When an RPS channel provides a trip signal, the digital output modules in that RPS channel de-energize RTRs such that the following occurs: a. Each of the four (4) RTRs driven by that RPS channel's digital output modules "informs" its associated RPS channel that a reactor trip signal has occurred in the tripped RPS channel;b. The contacts in the trip device circuitry, powered by the tripped channel, open, but the trip device remains energized through the closed contacts from the RTRs of the other RTCs. (This condition exists in each RPS -RTC. Each RPS -RTC controls power to a trip device.)OCONEE UNITS 1, 2, & 3 B 3.3.3-1 12/10/14 1 RPS -RTC B 3.3.3 BASES BACKGROUND (continued)
The digital processors shall be rebooted as part of the calibration. This verifies that the software has not changed. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements. This, in combination with ensuring the setpoints are entered into the software correctly per SR 3.3.1.5, verifies the setpoints are within the Allowable Values.
When the second RPS channel senses a reactor trip condition, the RTRs driven by the digital output modules for the second channel de-energize and open contacts that supply power to the trip devices. With contacts opened by two separate RPS channels, power to the trip devices is interrupted and the CONTROL RODS fall into the core.A minimum of two out of four RTCs must sense a trip condition to cause a reactor trip.Because of the interchannel communication and 2.MIN/2.MAX (for analog inputs) and two-out-of-four (for binary inputs), an RPS channel will not provide a trip signal to its RTC until trip conditions are satisfied in at least two RPS channels for the same trip function.The contacts of the four reactor trip relays in each RPS Channel cabinet are wired in a two-out-of-four logic scheme. The relays de-energize to de-energize the Control Rod Drive Breaker undervoltage circuit wired to that channel and cause the shunt trip coil monitoring the circuit to be energized.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
Either de-energizing the undervoltage circuit or energizing the shunt trip circuit trips the CRD breaker.I APPLICABLE Transient and accident analyses rely on a reactor trip for protection of SAFETY ANALYSES reactor core integrity, reactor coolant pressure boundary integrity, and reactor building OPERABILITY.
REFERENCES       1.       UFSAR, Chapter 7.
A reactor trip must occur when needed to prevent accident conditions from exceeding those calculated in the accident analyses.
: 2.       UFSAR, Chapter 15.
More detailed descriptions of the applicable accident analyses are found in the bases for each of the RPS trip Functions in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation." The RTCs satisfy Criterion 3 of 10 CFR 50.36 (Ref. 2).LCO LCO 3.3.3 requires all four RTCs to be OPERABLE.
: 3.       10 CFR 50.49.
Failure of any RTC renders a portion of the RPS inoperable.
: 4.       EDM-1 02, "Instrument Setpoint/Uncertainty Calculations."
An OPERABLE RTC must be able to receive and interpret trip signals from OPERABLE RPS channels and to open its associated trip device.The requirement of four RTCs to be OPERABLE ensures that a minimum of two RTCs will remain OPERABLE if a single failure has occurred in one RTC and if a second RTC is out of service. This two-out-of-four trip logic also ensures that a single RTC failure will not cause an unwanted reactor trip.Violation of this LCO could result in a trip signal not causing a reactor trip when needed.I OCONEE UNITS 1, 2, & 3 B 3.3.3-2 12/10/14 1 RPS -RTC B 3.3.3 BASES (continued)
: 5.       NUREG-0737, "Clarification of TMI Action Plan Requirements,"
APPLICABILITY The RTCs are required to be OPERABLE in MODES 1 and 2. They are also required to be OPERABLE in MODES 3, 4, and 5 if any CRD trip breakers are in the closed position and the CRD System is capable of rod withdrawal.
November 1979.
The RTCs are designed to ensure a reactor trip would occur, if needed. This condition can exist in all of these MODES; therefore, the RTCs must be OPERABLE.ACTIONS A.1 and A.2 When an RTC is inoperable, the associated CRD trip breaker must then be placed in a condition that is equivalent to a tripped condition for the RTC.Required Action A.1 or Required Action A.2 requires this either by tripping the CRD trip breaker or by removing power to the CRD trip device. Tripping one RTC or removing power opens one of the CRD trip devices, which will result in the loss of one of the parallel power supplies.
: 6.       BAW-10167, May 1986.
Power to hold CONTROL RODS in position is still provided via the parallel CRD power supply. Therefore, a reactor trip will not occur until a second protection channel trips.B.1, B.2.1. and B.2.2 Condition B applies if two or more RTCs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 1, 2, or 3. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 with all CRD trip breakers open or with power from all CRD trip breakers removed within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.C.1 and C.2 Condition C applies if two or more RTCs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 4 or 5. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by opening all CRD trip breakers or removing power from all CRD trip breakers.
: 7.       10 CFR 50.36.
The allowed Completion Time of 6 hours is reasonable, based on operating experience, to open all CRD trip breakers or remove power from all CRD trip breakers without challenging unit systems.OCONEE UNITS 1, 2, & 3 B 3.3.3-3 i-2/1-0/14 I
OCONEE UNITS 1, 2, & 3               B 3.3.1-26                                       12/10/14 1
RPS -RTC B 3.3.3 BASES (continued)
 
SURVEILLANCE REQUIREMENTS SR 3.3.3.1 The SRs include performance of a CHANNEL FUNCTIONAL TEST. This test shall verify the OPERABILITY of the RTC and its ability to receive and properly respond to channel trip and reactor trip signals.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.This testing is normally performed on a rotational basis. Testing in this manner reduces the likelihood of the same systematic test errors being introduced into each redundant RTC.REFERENCES
RPS - RTC B 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Reactor Protective System (RPS) - Reactor Trip Component (RTC)
: 1. UFSAR, Chapter 7.2. 10 CFR 50.36.OCONEE UNITS 1, 2, & 3 B 3.3.3-4 12/10/14 1 CRD Trip Devices B 3.3.4 B 3.3 INSTRUMENTATION B 3.3.4 Control Rod Drive (CRD) Trip Devices BASES BACKGROUND The Reactor Protective System (RPS) contains multiple CRD trip devices in the form of four AC trip breakers.
BASES BACKGROUND           The RPS consists of four independent protection channels, each containing an RTC. Figure 7.1 of UFSAR, Chapter 7 (Ref. 1), shows a typical RPS protection channel and the relationship of the RTC to the RPS instrumentation, manual trip, and CONTROL ROD drive (CRD) trip devices.
The system has two separate paths (or channels), with each path having two AC breakers in series. In either case, each path provides independent power to the CRDs. Also, in either case, either path can provide sufficient power to operate the entire CRD System.Figure 7.1, UFSAR, Chapter 7 (Ref. 1), illustrates the configuration of Reactor Protection System (RPS) Reactor Trip Components (RTC's) and the trip breakers.
The RTC is made up of two digital output modules and four Reactor Trip Relays (RTR) all contained within the respective RPS channel's cabinet.
To trip the reactor, power to the CRDs must be removed. Loss of power causes the CRD mechanisms to release the CONTROL RODS, which then fall by gravity into the core.Power to CRIs is supplied from two separate sources through the AC trip circuit breakers.
The RTC receives a channel trip signal in its own channel and channel trip signals from the digital output modules in the other three RPS channels.
These breakers are designated A, B, C, and D. Their undervoltage (trip) coils are powered by RPS channels A, B, C, and D, respectively and their shunt (trip) coils are actuated by RPS channels A, B, C, and D, respectively.
Whenever any two RPS channels transmit channel trip signals, the RTC logic in each channel actuates to remove 120 VAC power from its associated CRD trip devices.
From the circuit breakers, the CRD power travels through voltage regulators and stepdown transformers.
The RPS trip scheme consists of processor output trip devices.
These devices in turn supply redundant buses that feed the Single Rod Power Supplies (SRPS).Two AC breakers (A and C) are in series to feed one redundant train of the SRPS, whereas the other two series AC breakers (B and D) feed the other redundant train of the SRPS. The minimum required logic required to cause a reactor trip is the opening of a circuit breaker in each parallel path to the SRPS. This is known as a one-out-of-two taken twice logic. The following examples illustrate the operation of the reactor trip circuit breakers.a. If the A or C circuit breaker opens, input power to one train of the SRPS's is lost.b. If in addition, the B or D circuit breaker opens, input power to the other train of the SRPS's is lost, which will result in the dropping of all rods (except APSR's) into the core.OCONEE UNITS 1, 2, & 3 B 3.3.4-1 12/10/14 1 CRD Trip Devices B 3.3.4 BASES BACKGROUND (continued)
During normal unit operations, the digital output modules maintain the RTRs energized. However, if an RPS channel initiates a trip signal, the digital output modules in that RPS channel will de-energize the reactor trip relay in that RPS channel and the associated RTR in each of the other three RPS channels.
The reactor trip relays located in RPS Channel A cabinet provide the two-out-of-four relay logic to trip CRD breaker A, relays in RPS B cabinet trip CRD breaker B, relays in RPS C cabinet trip CRD breaker C, and relays in RPS D cabinet trip CRD breaker D. If two or more channels of RPS indicate a valid software trip logic condition (two-out-of-four), the binary outputs will de-energize the trip relays associated with those channels in all RPS cabinets, tripping all four CRD breakers resulting in a reactor trip.I APPLICABLE SAFETY ANALYSES Accident analyses rely on a reactor trip for protection of reactor core integrity, reactor coolant pressure boundary integrity, and reactor building OPERABILITY.
When an RPS channel provides a trip signal, the digital output modules in that RPS channel de-energize RTRs such that the following occurs:
A reactor trip must occur when needed to prevent accident consequences from exceeding those calculated in the accident analyses.
: a.       Each of the four (4) RTRs driven by that RPS channel's digital output modules "informs" its associated RPS channel that a reactor trip signal has occurred in the tripped RPS channel;
The CONTROL ROD position limits ensure that adequate rod worth is available upon reactor trip to shut down the reactor to the required SDM. Further, OPERABILITY of the CRD trip devices ensures that all CONTROL RODS will trip when required.
: b.       The contacts in the trip device circuitry, powered by the tripped channel, open, but the trip device remains energized through the closed contacts from the RTRs of the other RTCs. (This condition exists in each RPS - RTC. Each RPS - RTC controls power to a trip device.)
More detailed descriptions of the applicable accident analyses are found in the Bases for each of the individual RPS trip Functions in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation." The CRD trip devices satisfy Criterion 3 of CFR 50.36 (Ref. 2).LCO The LCO requires all of the specified CRD trip devices to be OPERABLE.Failure of any required CRD trip device renders a portion of the RPS inoperable and reduces the reliability of the affected Functions.
OCONEE UNITS 1, 2, & 3                     B 3.3.3-1                                         12/10/14 1
Without reliable CRD reactor trip circuit breakers and associated support circuitry, a reactor trip may not reliably occur when initiated either automatically or manually.All required CRD trip devices shall be OPERABLE to ensure that the reactor remains capable of being tripped any time it is critical.OPERABILITY is defined as the CRD trip device being able to receive a reactor trip signal and to respond to this trip signal by interrupting power to the CRDs. Both of the CRD trip breaker's diverse trip devices and the breaker itself must be functioning properly for the breaker to be OPERABLE.Requiring all breakers to be OPERABLE ensures that at least one device in each of the two power paths to the CRDs will remain OPERABLE even with a single failure.OCONEE UNITS 1, 2, & 3 B83.3.4-2 12/10/14 1 CRD Trip Devices B 3.3.4 BASES (continued)
 
APPLICABILITY The CRD trip devices shall be OPERABLE in MODES 1 and 2, and in MODES 3, 4, and 5 when any CRD trip breaker is in the closed position and the CRD System is capable of rod withdrawal.
RPS - RTC B 3.3.3 BASES BACKGROUND       When the second RPS channel senses a reactor trip condition, the RTRs (continued)    driven by the digital output modules for the second channel de-energize and open contacts that supply power to the trip devices. With contacts opened by two separate RPS channels, power to the trip devices is interrupted and the CONTROL RODS fall into the core.
The CRD trip devices are designed to ensure that a reactor trip would occur if needed. Since this condition can exist in all of these MODES, the CRD trip devices shall be OPERABLE.ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each CRD trip device.A.1 and A.2 Condition A represents reduced redundancy in the CRD trip Function.Condition A applies when one diverse trip Function (undervoltage or shunt trip device) is inoperable in one or more CRD trip breaker(s).
A minimum of two out of four RTCs must sense a trip condition to cause a reactor trip.
If one of the diverse trip Functions on a CRD trip breaker becomes inoperable, actions must be taken to preclude the inoperable CRD trip device from preventing a reactor trip when needed. This is done by manually tripping the inoperable CRD trip breaker or by removing power from the inoperable CRD trip breaker. Either of these actions places the affected CRDs in a one-out-of-two trip configuration, which precludes a single failure from preventing a reactor trip. The 48 hour Completion Time has been shown to be acceptable through operating experience.
Because of the interchannel communication and 2.MIN/2.MAX (for                     I analog inputs) and two-out-of-four (for binary inputs), an RPS channel will not provide a trip signal to its RTC until trip conditions are satisfied in at least two RPS channels for the same trip function.
B.1 and B.2 Condition B represents a loss of redundancy for the CRD trip Function.Condition B applies when both diverse trip Functions are inoperable in one or more trip breaker(s).
The contacts of the four reactor trip relays in each RPS Channel cabinet are wired in a two-out-of-four logic scheme. The relays de-energize to de-energize the Control Rod Drive Breaker undervoltage circuit wired to that channel and cause the shunt trip coil monitoring the circuit to be energized. Either de-energizing the undervoltage circuit or energizing the shunt trip circuit trips the CRD breaker.
APPLICABLE       Transient and accident analyses rely on a reactor trip for protection of SAFETY ANALYSES reactor core integrity, reactor coolant pressure boundary integrity, and reactor building OPERABILITY. A reactor trip must occur when needed to prevent accident conditions from exceeding those calculated in the accident analyses. More detailed descriptions of the applicable accident analyses are found in the bases for each of the RPS trip Functions in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation."
The RTCs satisfy Criterion 3 of 10 CFR 50.36 (Ref. 2).
LCO               LCO 3.3.3 requires all four RTCs to be OPERABLE. Failure of any RTC renders a portion of the RPS inoperable.
An OPERABLE RTC must be able to receive and interpret trip signals from OPERABLE RPS channels and to open its associated trip device.
The requirement of four RTCs to be OPERABLE ensures that a minimum of two RTCs will remain OPERABLE if a single failure has occurred in one RTC and if a second RTC is out of service. This two-out-of-four trip logic also ensures that a single RTC failure will not cause an unwanted reactor trip.
Violation of this LCO could result in a trip signal not causing a reactor trip when needed.
I OCONEE UNITS 1, 2, & 3                 B 3.3.3-2                                           12/10/14 1
 
RPS - RTC B 3.3.3 BASES (continued)
APPLICABILITY     The RTCs are required to be OPERABLE in MODES 1 and 2. They are also required to be OPERABLE in MODES 3, 4, and 5 ifany CRD trip breakers are in the closed position and the CRD System is capable of rod withdrawal. The RTCs are designed to ensure a reactor trip would occur, if needed. This condition can exist in all of these MODES; therefore, the RTCs must be OPERABLE.
ACTIONS           A.1 and A.2 When an RTC is inoperable, the associated CRD trip breaker must then be placed in a condition that is equivalent to a tripped condition for the RTC.
Required Action A.1 or Required Action A.2 requires this either by tripping the CRD trip breaker or by removing power to the CRD trip device. Tripping one RTC or removing power opens one of the CRD trip devices, which will result in the loss of one of the parallel power supplies. Power to hold CONTROL RODS in position is still provided via the parallel CRD power supply. Therefore, a reactor trip will not occur until a second protection channel trips.
B.1, B.2.1. and B.2.2 Condition B applies if two or more RTCs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 1, 2, or 3. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 with all CRD trip breakers open or with power from all CRD trip breakers removed within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.
C.1 and C.2 Condition C applies if two or more RTCs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 4 or 5. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by opening all CRD trip breakers or removing power from all CRD trip breakers. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to open all CRD trip breakers or remove power from all CRD trip breakers without challenging unit systems.
OCONEE UNITS 1, 2, & 3               B 3.3.3-3                                         i-2/1-0/14 I
 
RPS - RTC B 3.3.3 BASES (continued)
SURVEILLANCE     SR 3.3.3.1 REQUIREMENTS The SRs include performance of a CHANNEL FUNCTIONAL TEST. This test shall verify the OPERABILITY of the RTC and its ability to receive and properly respond to channel trip and reactor trip signals.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This testing is normally performed on a rotational basis. Testing in this manner reduces the likelihood of the same systematic test errors being introduced into each redundant RTC.
REFERENCES       1.     UFSAR, Chapter 7.
: 2.       10 CFR 50.36.
OCONEE UNITS 1, 2, & 3                 B 3.3.3-4                                     12/10/14 1
 
CRD Trip Devices B 3.3.4 B 3.3 INSTRUMENTATION B 3.3.4 Control Rod Drive (CRD) Trip Devices BASES BACKGROUND           The Reactor Protective System (RPS) contains multiple CRD trip devices in the form of four AC trip breakers. The system has two separate paths (or channels), with each path having two AC breakers in series. In either case, each path provides independent power to the CRDs. Also, in either case, either path can provide sufficient power to operate the entire CRD System.
Figure 7.1, UFSAR, Chapter 7 (Ref. 1), illustrates the configuration of Reactor Protection System (RPS) Reactor Trip Components (RTC's) and the trip breakers. To trip the reactor, power to the CRDs must be removed. Loss of power causes the CRD mechanisms to release the CONTROL RODS, which then fall by gravity into the core.
Power to CRIs is supplied from two separate sources through the AC trip circuit breakers. These breakers are designated A, B, C, and D. Their undervoltage (trip) coils are powered by RPS channels A, B, C, and D, respectively and their shunt (trip) coils are actuated by RPS channels A, B, C, and D, respectively. From the circuit breakers, the CRD power travels through voltage regulators and stepdown transformers. These devices in turn supply redundant buses that feed the Single Rod Power Supplies (SRPS).
Two AC breakers (A and C) are in series to feed one redundant train of the SRPS, whereas the other two series AC breakers (B and D)feed the other redundant train of the SRPS. The minimum required logic required to cause a reactor trip is the opening of a circuit breaker in each parallel path to the SRPS. This is known as a one-out-of-two taken twice logic. The following examples illustrate the operation of the reactor trip circuit breakers.
: a. Ifthe A or C circuit breaker opens, input power to one train of the SRPS's is lost.
: b. If in addition, the B or D circuit breaker opens, input power to the other train of the SRPS's is lost, which will result in the dropping of all rods (except APSR's) into the core.
OCONEE UNITS 1, 2, & 3                   B 3.3.4-1                                           12/10/14 1
 
CRD Trip Devices B 3.3.4 BASES BACKGROUND       The reactor trip relays located in RPS Channel A cabinet provide the             I (continued)      two-out-of-four relay logic to trip CRD breaker A, relays in RPS B cabinet trip CRD breaker B, relays in RPS C cabinet trip CRD breaker C, and relays in RPS D cabinet trip CRD breaker D. Iftwo or more channels of RPS indicate a valid software trip logic condition (two-out-of-four), the binary outputs will de-energize the trip relays associated with those channels in all RPS cabinets, tripping all four CRD breakers resulting in a reactor trip.
APPLICABLE       Accident analyses rely on a reactor trip for protection of reactor core SAFETY ANALYSES integrity, reactor coolant pressure boundary integrity, and reactor building OPERABILITY. A reactor trip must occur when needed to prevent accident consequences from exceeding those calculated in the accident analyses. The CONTROL ROD position limits ensure that adequate rod worth is available upon reactor trip to shut down the reactor to the required SDM. Further, OPERABILITY of the CRD trip devices ensures that all CONTROL RODS will trip when required. More detailed descriptions of the applicable accident analyses are found in the Bases for each of the individual RPS trip Functions in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation."
The CRD trip devices satisfy Criterion 3 of CFR 50.36 (Ref. 2).
LCO               The LCO requires all of the specified CRD trip devices to be OPERABLE.
Failure of any required CRD trip device renders a portion of the RPS inoperable and reduces the reliability of the affected Functions. Without reliable CRD reactor trip circuit breakers and associated support circuitry, a reactor trip may not reliably occur when initiated either automatically or manually.
All required CRD trip devices shall be OPERABLE to ensure that the reactor remains capable of being tripped any time it is critical.
OPERABILITY is defined as the CRD trip device being able to receive a reactor trip signal and to respond to this trip signal by interrupting power to the CRDs. Both of the CRD trip breaker's diverse trip devices and the breaker itself must be functioning properly for the breaker to be OPERABLE.
Requiring all breakers to be OPERABLE ensures that at least one device in each of the two power paths to the CRDs will remain OPERABLE even with a single failure.
OCONEE UNITS 1, 2, & 3                 B83.3.4-2                                           12/10/14 1
 
CRD Trip Devices B 3.3.4 BASES (continued)
APPLICABILITY     The CRD trip devices shall be OPERABLE in MODES 1 and 2, and in MODES 3, 4, and 5 when any CRD trip breaker is in the closed position and the CRD System is capable of rod withdrawal.
The CRD trip devices are designed to ensure that a reactor trip would occur if needed. Since this condition can exist in all of these MODES, the CRD trip devices shall be OPERABLE.
ACTIONS           A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each CRD trip device.
A.1 and A.2 Condition A represents reduced redundancy in the CRD trip Function.
Condition A applies when one diverse trip Function (undervoltage or shunt trip device) is inoperable in one or more CRD trip breaker(s).
Ifone of the diverse trip Functions on a CRD trip breaker becomes inoperable, actions must be taken to preclude the inoperable CRD trip device from preventing a reactor trip when needed. This is done by manually tripping the inoperable CRD trip breaker or by removing power from the inoperable CRD trip breaker. Either of these actions places the affected CRDs in a one-out-of-two trip configuration, which precludes a single failure from preventing a reactor trip. The 48 hour Completion Time has been shown to be acceptable through operating experience.
B.1 and B.2 Condition B represents a loss of redundancy for the CRD trip Function.
Condition B applies when both diverse trip Functions are inoperable in one or more trip breaker(s).
Required Action B.1 and Required Action B.2 are the same as Required Action A.1 and Required Action A.2, but the Completion Time is shortened.
Required Action B.1 and Required Action B.2 are the same as Required Action A.1 and Required Action A.2, but the Completion Time is shortened.
The 1 hour Completion Time allowed to trip or remove power from the CRD trip breaker allows the operator to take all the appropriate actions for the inoperable breaker and still ensures that the risk involved is acceptable.
The 1 hour Completion Time allowed to trip or remove power from the CRD trip breaker allows the operator to take all the appropriate actions for the inoperable breaker and still ensures that the risk involved is acceptable.
OCONEE UNITS 1, 2, & 3 B 3.3.4-3 12/10/14 1 CRD Trip Devices B 3.3.4 BASES ACTIONS (continued)
OCONEE UNITS 1, 2, & 3               B 3.3.4-3                                         12/10/14 1
C.1, C.2.1, and C.2.2 With the Required Action and associated Completion Time of Condition A or B not met in MODE 1, 2, or 3, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 3, with all CRD trip breakers open or with power from all CRD trip breakers removed within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.D.1 and D.2 With the Required Action and associated Completion Time of Condition A or B not met in MODE 4 or 5, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, all CRD trip breakers must be opened or power from all CRD trip breakers removed within 6 hours.The allowed Completion Time of 6 hours is reasonable, based on operating experience, to open all CRD trip breakers or remove power from all CRD trip breakers without challenging unit systems.SURVEILLANCE SR 3.3.4.1 REQUIREMENTS SR 3.3.4.1 is to perform a CHANNEL FUNCTIONAL TEST. This test verifies the OPERABILITY of the trip devices by actuation of the end devices. Also, this test independently verifies the undervoltage and shunt trip mechanisms of the trip breakers.
 
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES
CRD Trip Devices B 3.3.4 BASES ACTIONS           C.1, C.2.1, and C.2.2 (continued)
: 1. UFSAR, Chapter 7.2. 10 CFR 50.36.OCONEE UNITS 1, 2, & 3 B 3.3.4-4 12/10/14 1 ESPS Input Instrumentation B 3.3.5 B 3.3 INSTRUMENTATION B 3.3.5 Engineered Safeguards Protective System (ESPS) Input Instrumentation BASES BACKGROUND The ESPS initiates necessary safety systems, based on the values of selected unit Parameters, to protect against violating core design limits and to mitigate accidents.
With the Required Action and associated Completion Time of Condition A or B not met in MODE 1, 2, or 3, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 3, with all CRD trip breakers open or with power from all CRD trip breakers removed within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.
I ESPS actuates the following systems:* High Pressure Injection (HPI);* Low Pressure Injection (LPI);* Reactor Building (RB) cooling;* RB Spray;0 RB Isolation; and* Keowee Hydro Unit Emergency Start.The ESPS operates in a distributed manner to initiate the appropriate systems. The ESPS does this by determining the need for actuation in each of three input channels monitoring each actuation Parameter.
D.1 and D.2 With the Required Action and associated Completion Time of Condition A or B not met in MODE 4 or 5, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, all CRD trip breakers must be opened or power from all CRD trip breakers removed within 6 hours.
Once the need for actuation is determined, the condition is transmitted to automatic actuation output logic channels, which perform the two-out-of-three logic to determine the actuation of each end device. Each end device has its own automatic actuation logic, although all automatic actuation output logic channels take their signals from the same processor output trip device in each channel for each Parameter.
The allowed Completion Time of 6 hours is reasonable, based on operating experience, to open all CRD trip breakers or remove power from all CRD trip breakers without challenging unit systems.
SURVEILLANCE     SR 3.3.4.1 REQUIREMENTS SR 3.3.4.1 is to perform a CHANNEL FUNCTIONAL TEST. This test verifies the OPERABILITY of the trip devices by actuation of the end devices. Also, this test independently verifies the undervoltage and shunt trip mechanisms of the trip breakers. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
REFERENCES         1.     UFSAR, Chapter 7.
: 2.       10 CFR 50.36.
OCONEE UNITS 1, 2, & 3               B 3.3.4-4                                         12/10/14 1
 
ESPS Input Instrumentation B 3.3.5 B 3.3 INSTRUMENTATION B 3.3.5 Engineered Safeguards Protective System (ESPS) Input Instrumentation BASES BACKGROUND         The ESPS initiates necessary safety systems, based on the values of             I selected unit Parameters, to protect against violating core design limits and to mitigate accidents.
ESPS actuates the following systems:
* High Pressure Injection (HPI);
* Low Pressure Injection (LPI);
* Reactor Building (RB) cooling;
* RB Spray; 0       RB Isolation; and
* Keowee Hydro Unit Emergency Start.
The ESPS operates in a distributed manner to initiate the appropriate systems. The ESPS does this by determining the need for actuation in each of three input channels monitoring each actuation Parameter. Once the need for actuation is determined, the condition is transmitted to automatic actuation output logic channels, which perform the two-out-of-three logic to determine the actuation of each end device. Each end device has its own automatic actuation logic, although all automatic actuation output logic channels take their signals from the same processor output trip device in each channel for each Parameter.
Four Parameters are used for actuation:
Four Parameters are used for actuation:
* Low Reactor Coolant System (RCS) Pressure;0 Low Low RCS Pressure;* High RB Pressure; and* High High RB Pressure.I OCONEE UNITS 1, 2, & 3 B 3.3.5-1 12/10/14 1 ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND LCO 3.3.5 covers only the input instrumentation channels that measure (continued) these Parameters.
* Low Reactor Coolant System (RCS) Pressure; 0       Low Low RCS Pressure;
These channels include all intervening equipment necessary to produce actuation before the measured process Parameter exceeds the limits assumed by the accident analysis.
* High RB Pressure; and
This includes sensors, processor output trip devices, operational bypass circuitry, and voter input. LCO 3.3.6, "Engineered Safeguards Protective System (ESPS) Manual Initiation," and LCO 3.3.7, "Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels," provide requirements on the manual initiation and automatic actuation output logic Functions.
* High High RB Pressure.
There are three input channels.
I OCONEE UNITS 1, 2, & 3                 B 3.3.5-1                                         12/10/14 1
The ESPS Protective Channels A, B and C are made up of two independent subsystems  
 
-one subsystem is installed in the ESPS cabinets and is designated A2, B2, and C2. The other independent and redundant subsystem is installed in the RPS cabinets and is designated Al, B1, and Cl. This subsystem uses the RPS protective channels (A, B, and C) computers.
ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND       LCO 3.3.5 covers only the input instrumentation channels that measure (continued)   these Parameters. These channels include all intervening equipment necessary to produce actuation before the measured process Parameter exceeds the limits assumed by the accident analysis. This includes sensors, processor output trip devices, operational bypass circuitry, and voter input. LCO 3.3.6, "Engineered Safeguards Protective System (ESPS) Manual Initiation," and LCO 3.3.7, "Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels,"
The ESPS input signals are not redundant for the two subsystems.
provide requirements on the manual initiation and automatic actuation output logic Functions.
The same input signals are fed to ESPS subsystems 1 and 2. The ESPS subsystems are fully redundant with the exception of the shared inputs. Each of these two independent ESPS subsystems is fully capable of performing all required protective actions.The three ESPS channel computers in each subsystem are interconnected via fiber optic data links, in a way that enables the exchange of data and signal online validation, before the calculation of trip functions.
There are three input channels. The ESPS Protective Channels A, B and C are made up of two independent subsystems - one subsystem is installed in the ESPS cabinets and is designated A2, B2, and C2. The other independent and redundant subsystem is installed in the RPS cabinets and is designated Al, B1, and Cl. This subsystem uses the RPS protective channels (A, B, and C) computers. The ESPS input signals are not redundant for the two subsystems. The same input signals are fed to ESPS subsystems 1 and 2. The ESPS subsystems are fully redundant with the exception of the shared inputs. Each of these two independent ESPS subsystems is fully capable of performing all required protective actions.
If the setpoint for a single input channel (for example, the RB High pressure input to Channel A) is exceeded, a channel trip statalarm is actuated but a channel trip signal is not sent to the automatic actuation output logic channel. Since the two ES subsystems share inputs, this condition will be sensed by both Channel Al and A2. Also, due to the inter-channel communication, all 3 ES channels in each subsystem recognize that this input channel setpoint has been exceeded for one channel. However, due to the 2.MIN/2.MAX logic within the system, the same input channel setpoint for one of the other three channels must be exceeded before channel trip signals are sent to the automatic actuation output logic channels.
The three ESPS channel computers in each subsystem are interconnected via fiber optic data links, in a way that enables the exchange of data and signal online validation, before the calculation of trip functions. If the setpoint for a single input channel (for example, the RB High pressure input to Channel A) is exceeded, a channel trip statalarm is actuated but a channel trip signal is not sent to the automatic actuation output logic channel. Since the two ES subsystems share inputs, this condition will be sensed by both Channel Al and A2. Also, due to the inter-channel communication, all 3 ES channels in each subsystem recognize that this input channel setpoint has been exceeded for one channel. However, due to the 2.MIN/2.MAX logic within the system, the same input channel setpoint for one of the other three channels must be exceeded before channel trip signals are sent to the automatic actuation output logic channels. Again, due to the inter-channel communication, all 3 ES channels will then generate trip signals since the 2.MIN/2.MAX condition has been satisfied. The ESPS output actuation signals are sent from ESPS protective channels A, B and C to the ESPS actuation computers (Voters) via fiber optic data links. Figure 7.5 UFSAR, Chapter 7 (Ref. 1), illustrates how input instrumentation channel trips combine to cause automatic actuation output logic channel trips.
Again, due to the inter-channel communication, all 3 ES channels will then generate trip signals since the 2.MIN/2.MAX condition has been satisfied.
OCONEE UNITS 1, 2, & 3               B 3.3.5-2                                       12/10/14 1
The ESPS output actuation signals are sent from ESPS protective channels A, B and C to the ESPS actuation computers (Voters) via fiber optic data links. Figure 7.5 UFSAR, Chapter 7 (Ref. 1), illustrates how input instrumentation channel trips combine to cause automatic actuation output logic channel trips.OCONEE UNITS 1, 2, & 3 B 3.3.5-2 12/10/14 1 ESPS Input Instrumentation B 3.3.5.BASES BACKGROUND (continued)
 
The following matrix identifies the input instrumentation (measurement) channels and the Automatic Actuation Output Logic Channels actuated by each.Output Actuated RCS RCS RB RB Logic Channels Systems/ PRESS PRESS PRESS PRESS Functions LOW LOW HIGH HIGH LOW HIGH 1 and 2 HPI and RB Non-Essential X X Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input 3 and 4 LPI X X 5 and 6 RB Cooling and RB X Essential isolation 7 and 8 RB Spray X The ES equipment is generally divided between the two redundant actuation output logic channels.
ESPS Input Instrumentation B 3.3.5
The division of the equipment between the two actuation output logic channels is based on the equipment redundancy and function and is accomplished in such a manner that the failure of one of the actuation output logic channels and the related safeguards equipment will not inhibit the overall ES Functions.
.BASES BACKGROUND       The following matrix identifies the input instrumentation (measurement)
Redundant ES pumps are controlled from separate and independent actuation output logic channels with some exceptions (e.g., HPI B pump which is actuated by both).The actuation of ES equipment is also available by manual actuation switches located on the control room console.The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically the loss of coolant accident (LOCA) and main steam line break (MSLB) events. The ESPS relies on the OPERABILITY of the automatic actuation output logic for each component to perform the actuation of the selected systems of LCO 3.3.7.OCONEE UNITS 1, 2, & 3 B 3.3.5-3 12/10/14 1 ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND Engineered Safeguards Protective System Bypasses (continued)
(continued)      channels and the Automatic Actuation Output Logic Channels actuated by each.
No provisions are made for maintenance bypass of ESPS instrumentation channels.
Output               Actuated         RCS     RCS       RB         RB Logic Channels           Systems/         PRESS PRESS     PRESS       PRESS Functions         LOW   LOW       HIGH       HIGH LOW                   HIGH 1 and 2     HPI and RB Non-Essential   X                 X Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input 3 and 4                 LPI                     X         X 5 and 6       RB Cooling and RB                           X Essential isolation 7 and 8             RB Spray                                         X The ES equipment is generally divided between the two redundant actuation output logic channels. The division of the equipment between the two actuation output logic channels is based on the equipment redundancy and function and is accomplished in such a manner that the failure of one of the actuation output logic channels and the related safeguards equipment will not inhibit the overall ES Functions. Redundant ES pumps are controlled from separate and independent actuation output logic channels with some exceptions (e.g., HPI B pump which is actuated by both).
Operational bypass of certain input parameters is necessary to allow accident recovery actions to continue and, for some input parameters, to allow unit shutdown without spurious ESPS actuation.
The actuation of ES equipment is also available by manual actuation switches located on the control room console.
The ESPS RCS pressure instrumentation channel design allows Manual Bypass when reactor pressure is below the point at which the low and low low pressure trips are required to be OPERABLE.
The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically the loss of coolant accident (LOCA) and main steam line break (MSLB) events. The ESPS relies on the OPERABILITY of the automatic actuation output logic for each component to perform the actuation of the selected systems of LCO 3.3.7.
Once permissive conditions are sensed, the RCS pressure trips may be manually bypassed.Bypasses are automatically removed when bypass permissive conditions are exceeded.
OCONEE UNITS 1, 2, & 3                 B 3.3.5-3                                       12/10/14 1
This bypass provides an operational provision only outside the Applicability for this parameter, and provides no safety function.There are two redundant subsystems.
 
The same input signal is fed to each subsystem.
ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND       Engineered Safeguards Protective System Bypasses (continued)
In subsystem 1, channels Al, B1, and Cl provide the input to Voter 1 Odd and Voter 1 Even. In subsystem 2, channels A2, B2, and C2 provide input to Voter 2 Odd and Voter 2 Even. Either subsystem provides the full complement of Voters. This allows for a Manual (maintenance)
No provisions are made for maintenance bypass of ESPS instrumentation channels. Operational bypass of certain input parameters is necessary to allow accident recovery actions to continue and, for some input parameters, to allow unit shutdown without spurious ESPS actuation.
Bypass of one complete subsystem, or portion of a subsystem, without entering into an LCO Condition.
The ESPS RCS pressure instrumentation channel design allows Manual Bypass when reactor pressure is below the point at which the low and low low pressure trips are required to be OPERABLE. Once permissive conditions are sensed, the RCS pressure trips may be manually bypassed.
Parameter Change Enable Mode The ESPS Instrument Input Channel A2, B2, and C2 processors can each be placed in different operating modes through the use of the"Parameter Change Enable" keyswitches and commands from the Service Unit. Each protective channel A2, B2,and C2 has a keyswitch located in that channel's cabinet pair.Placing ESPS Channels Al, B1 or Cl in Parameter Change Enable Mode through the use of the "Parameter Change Enable" keyswitch located in the corresponding RPS cabinet will also place the corresponding RPS Channels A, B, or C in Parameter Change Enable Mode.When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:* The processors continue with normal operation.
Bypasses are automatically removed when bypass permissive conditions are exceeded. This bypass provides an operational provision only outside the Applicability for this parameter, and provides no safety function.
There are two redundant subsystems. The same input signal is fed to each subsystem. In subsystem 1, channels Al, B1, and Cl provide the input to Voter 1 Odd and Voter 1 Even. In subsystem 2, channels A2, B2, and C2 provide input to Voter 2 Odd and Voter 2 Even. Either subsystem provides the full complement of Voters. This allows for a Manual (maintenance) Bypass of one complete subsystem, or portion of a subsystem, without entering into an LCO Condition.
Parameter Change Enable Mode The ESPS Instrument Input Channel A2, B2, and C2 processors can each be placed in different operating modes through the use of the "Parameter Change Enable" keyswitches and commands from the Service Unit. Each protective channel A2, B2,and C2 has a keyswitch located in that channel's cabinet pair.
Placing ESPS Channels Al, B1 or Cl in Parameter Change Enable Mode through the use of the "Parameter Change Enable" keyswitch located in the corresponding RPS cabinet will also place the corresponding RPS Channels A, B, or C in Parameter Change Enable Mode.
When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:
* The processors continue with normal operation.
* A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.
* A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.
OCONEE UNITS 1, 2, & 3 B 3.3.5-4 12/10/14 1 ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND Parameter Change Enable Mode (continued)
OCONEE UNITS 1, 2, & 3               B 3.3.5-4                                         12/10/14 1
 
ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND       Parameter Change Enable Mode (continued)
With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:
With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:
* Normal Operation  
* Normal Operation - with permissive for operating mode change.
-with permissive for operating mode change.* Parameterization  
* Parameterization - allows changes to specific parameters (example placing a parameter into a tripped condition or performing Go/NoGo testing).
-allows changes to specific parameters (example placing a parameter into a tripped condition or performing Go/NoGo testing).* Function Test -for disabling the application function and forcing output signal for testing purposes (normally not used).* Diagnostics  
* Function Test - for disabling the application function and forcing output signal for testing purposes (normally not used).
-for downloading new application software.The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions.
* Diagnostics - for downloading new application software.
Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.
The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions. Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.
When a keyswitch is placed in the Parameter Change Enable Mode Position for any activity, the affected processor shall first be declared out of service. In addition to declaring the processor out of service, when loading or revising software in a processor, the affected ESPS input shall be tripped OR the associated ESPS voters shall be placed in Bypass. If this activity is being performed on an ES Input Channel in subsystem 1, the associated RPS channel shall also be placed in manual bypass. Only one ESPS channel at a time is allowed to be placed into Parameter Change Enable Mode Position for software loading/revision.
When a keyswitch is placed in the Parameter Change Enable Mode Position for any activity, the affected processor shall first be declared out of service. In addition to declaring the processor out of service, when loading or revising software in a processor, the affected ESPS input shall be tripped OR the associated ESPS voters shall be placed in Bypass. If this activity is being performed on an ES Input Channel in subsystem 1, the associated RPS channel shall also be placed in manual bypass. Only one ESPS channel at a time is allowed to be placed into Parameter Change Enable Mode Position for software loading/revision.
Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the TXS Gateway.ESPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).
Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the TXS Gateway.
Reactor Coolant System Pressure The RCS pressure is monitored by three independent pressure transmitters located in the RB. These transmitters are separate from the transmitters that provide inputs to the Reactor Protective System (RPS). The output of each transmitter terminates in an input isolation module in the ESPS, which provides individually isolated output pressure signals. Each of the pressure signals generated by these transmitters is monitored by two independent digital processing systems, with three ESPS input logic channels and three RPS/ESPS input logic channels to provide two trip OCONEE UNITS 1, 2, & 3 B 3.3.5-5 12/10/14 1 ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND Reactor Coolant System Pressure (continued) signals, at,>_ 1590 psig and _ 500 psig, and two bypass permissive signals, at _< 1750 psig and _< 900 psig.The outputs of the three logic processor channels in each of the two processing subsystems (ESPS and RPS/ESPS) generate an output trip signal to its associated independent actuation train Voters (Odd and Even) when the second minimum pressure signal of any of the three input channels falls below the Low RCS pressure setpoint.
ESPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).
This will initiate an actuation of the Voter Output Channels 1 and 2 (HPI Actuation).
Reactor Coolant System Pressure The RCS pressure is monitored by three independent pressure transmitters located in the RB. These transmitters are separate from the transmitters that provide inputs to the Reactor Protective System (RPS). The output of each transmitter terminates in an input isolation module in the ESPS, which provides individually isolated output pressure signals. Each of the pressure signals generated by these transmitters is monitored by two independent digital processing systems, with three ESPS input logic channels and three RPS/ESPS input logic channels to provide two trip OCONEE UNITS 1, 2, & 3                 B 3.3.5-5                                       12/10/14 1
The outputs of the input logic processors in each processing system also generate an output trip signal to its associated independent actuation train Voters (Odd and Even) when the second minimum pressure signal of the three input channels falls below the Low Low RCS pressure setpoint.
 
This will initiate an actuation of the Voter Output Channels 3 and 4 (LPI Actuation).
ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND       Reactor Coolant System Pressure (continued) signals, at,>_ 1590 psig and &#x17d;_500 psig, and two bypass permissive signals, at _<1750 psig and _<900 psig.
Reactor Building Pressure There are three independent RB pressure transmitters.
The outputs of the three logic processor channels in each of the two processing subsystems (ESPS and RPS/ESPS) generate an output trip signal to its associated independent actuation train Voters (Odd and Even) when the second minimum pressure signal of any of the three input channels falls below the Low RCS pressure setpoint. This will initiate an actuation of the Voter Output Channels 1 and 2 (HPI Actuation). The outputs of the input logic processors in each processing system also generate an output trip signal to its associated independent actuation train Voters (Odd and Even) when the second minimum pressure signal of the three input channels falls below the Low Low RCS pressure setpoint. This will initiate an actuation of the Voter Output Channels 3 and 4 (LPI Actuation).
The outputs of the three logic processor channels in each of the two processing subsystems (ESPS and RPS/ESPS) generate an output trip signal to its associated independent actuation train Voters (Odd and Even) when the second maximum pressure signal of any of the three input channels increases above the High RB pressure setpoint.
Reactor Building Pressure There are three independent RB pressure transmitters. The outputs of the three logic processor channels in each of the two processing subsystems (ESPS and RPS/ESPS) generate an output trip signal to its associated independent actuation train Voters (Odd and Even) when the second maximum pressure signal of any of the three input channels increases above the High RB pressure setpoint. This will initiate an actuation of Voter Output Channels 5 and 6 (RB Cooling Actuation and RB Essential Isolation). The outputs of the three high RB pressure processor output trip devices also trip Voter Output Channels 1, 2, 3 and 4 to initiate HPI and LPI.
This will initiate an actuation of Voter Output Channels 5 and 6 (RB Cooling Actuation and RB Essential Isolation).
The ESPS channels of the RB Spray System are formed by two separate two-out-of-three logic networks with the active elements originating in six RB pressure sensing pressure switches. One two-out-of-three network actuates Channel 7 and the other two-out-of-three network actuates Channel 8. Either of the two networks is capable of initiating the required protective action.
The outputs of the three high RB pressure processor output trip devices also trip Voter Output Channels 1, 2, 3 and 4 to initiate HPI and LPI.The ESPS channels of the RB Spray System are formed by two separate two-out-of-three logic networks with the active elements originating in six RB pressure sensing pressure switches.
Trip Setpoints and Allowable Values Trip setpoints are the nominal value at which the processor output trip devices are set. Any processor output trip device is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy.
One two-out-of-three network actuates Channel 7 and the other two-out-of-three network actuates Channel 8. Either of the two networks is capable of initiating the required protective action.Trip Setpoints and Allowable Values Trip setpoints are the nominal value at which the processor output trip devices are set. Any processor output trip device is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy.OCONEE UNITS 1, 2, & 3 B 3.3.5-6 12/10/14 1 ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND Trip Setpoints and Allowable Values (continued)
OCONEE UNITS 1, 2, & 3               B 3.3.5-6                                       12/10/14 1
The trip setpoints used in the processor output trip devices are selected such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment induced errors for those ESPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 2), the Allowable Values specified in Table 3.3.5-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints and associated uncertainties is provided in Reference
 
: 3. The actual trip setpoint entered into the processor output trip device is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL CALIBRATION.
ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND       Trip Setpoints and Allowable Values (continued)
A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.Setpoints, in accordance with the Allowable Values, ensure that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the accident and the equipment functions as designed.With the exception of Reactor Building Pressure -High High function, each channel is tested online by manually retrieving the software setpoint I to ensure it has been entered correctly.
The trip setpoints used in the processor output trip devices are selected such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment induced errors for those ESPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 2), the Allowable Values specified in Table 3.3.5-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints and associated uncertainties is provided in Reference 3. The actual trip setpoint entered into the processor output trip device is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL CALIBRATION. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.
Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements.
Setpoints, in accordance with the Allowable Values, ensure that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the accident and the equipment functions as designed.
The Reactor Building Pressure -High High actuation channel does not have software setpoints; it is actuated by a pressure switch that provides contact status only.APPLICABLE The following ESPS Functions have been assumed within the accident SAFETY ANALYSES analyses.High Pressure Iniection The ESPS actuation of HPI has been assumed for core cooling in the LOCA analysis and is credited with boron addition in the MSLB analysis.Low Pressure Iniection The ESPS actuation of LPI has been assumed for large break LOCAs.OCONEE UNITS 1, 2, & 3 B 3.3.5-7 12/10/14 1 ESPS Input Instrumentation B 3.3.5 BASES APPLICABLE Reactor Buildinq Spray, Reactor Buildinq Cooling, and SAFETY ANALYSES Reactor Building Isolation (continued)
With the exception of Reactor Building Pressure - High High function, each channel is tested online by manually retrieving the software setpoint       I to ensure it has been entered correctly. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements. The Reactor Building Pressure - High High actuation channel does not have software setpoints; it is actuated by a pressure switch that provides contact status only.
APPLICABLE       The following ESPS Functions have been assumed within the accident SAFETY ANALYSES analyses.
High Pressure Iniection The ESPS actuation of HPI has been assumed for core cooling in the LOCA analysis and is credited with boron addition in the MSLB analysis.
Low Pressure Iniection The ESPS actuation of LPI has been assumed for large break LOCAs.
OCONEE UNITS 1, 2, & 3               B 3.3.5-7                                           12/10/14 1
 
ESPS Input Instrumentation B 3.3.5 BASES APPLICABLE       Reactor Buildinq Spray, Reactor Buildinq Cooling, and SAFETY ANALYSES Reactor Building Isolation (continued)
The ESPS actuation of the RB coolers and RB Spray have been credited in RB analysis for LOCAs, both for RB performance and equipment environmental qualification pressure and temperature envelope definition.
The ESPS actuation of the RB coolers and RB Spray have been credited in RB analysis for LOCAs, both for RB performance and equipment environmental qualification pressure and temperature envelope definition.
Accident dose calculations have credited RB Isolation and RB Spray.Keowee Hydro Unit Emergency Start The ESPS initiated Keowee Hydro Unit Emergency Start has been included in the design to ensure that emergency power is available throughout the limiting LOCA scenarios.
Accident dose calculations have credited RB Isolation and RB Spray.
The small break LOCA analyses assume a conservative 48 second delay time for the actuation of HPI and LPI in UFSAR, Chapter 15 (Ref. 4). The large break LOCA analyses assume LPI flow starts in 38 seconds while full LPI flow does not occur until 36 seconds later, or 74 seconds total (Ref. 4). This delay time includes allowances for Keowee Hydro Unit starting, Emergency Core Cooling Systems (ECCS) pump starts, and valve openings.
Keowee Hydro Unit Emergency Start The ESPS initiated Keowee Hydro Unit Emergency Start has been included in the design to ensure that emergency power is available throughout the limiting LOCA scenarios.
Similarly, the RB Cooling, RB Isolation, and RB Spray have been analyzed with delays appropriate for the entire system analyzed.Accident analyses rely on automatic ESPS actuation for protection of the core temperature and containment pressure limits and for limiting off site dose levels following an accident.
The small break LOCA analyses assume a conservative 48 second delay time for the actuation of HPI and LPI in UFSAR, Chapter 15 (Ref. 4). The large break LOCA analyses assume LPI flow starts in 38 seconds while full LPI flow does not occur until 36 seconds later, or 74 seconds total (Ref. 4). This delay time includes allowances for Keowee Hydro Unit starting, Emergency Core Cooling Systems (ECCS) pump starts, and valve openings. Similarly, the RB Cooling, RB Isolation, and RB Spray have been analyzed with delays appropriate for the entire system analyzed.
These include LOCA, and MSLB events that result in RCS inventory reduction or severe loss of RCS cooling.The ESPS channels satisfy Criterion 3 of 10 CFR 50.36 (Ref. 5).LCO The LCO requires three input channels of ESPS instrumentation for each Parameter in Table 3.3.5-1 to be OPERABLE in each ESPS automatic actuation output logic channel. Failure of any instrument renders the affected input channel(s) inoperable and reduces the reliability of the affected Functions.
Accident analyses rely on automatic ESPS actuation for protection of the core temperature and containment pressure limits and for limiting off site dose levels following an accident. These include LOCA, and MSLB events that result in RCS inventory reduction or severe loss of RCS cooling.
There are two redundant ESPS subsystems each having three input channels.
The ESPS channels satisfy Criterion 3 of 10 CFR 50.36 (Ref. 5).
Only one subsystem is required to be OPERABLE.OCONEE UNITS 1, 2, & 3 B 3.3.5-8 12/10/14 1 ESPS Input Instrumentation B 3.3.5 BASES LCO (continued)
LCO               The LCO requires three input channels of ESPS instrumentation for each Parameter in Table 3.3.5-1 to be OPERABLE in each ESPS automatic actuation output logic channel. Failure of any instrument renders the affected input channel(s) inoperable and reduces the reliability of the affected Functions. There are two redundant ESPS subsystems each having three input channels. Only one subsystem is required to be OPERABLE.
Only the Allowable Value is specified for each ESPS Function in the LCO. Nominal trip setpoints are specified in the setpoint calculations.
OCONEE UNITS 1, 2, & 3               B 3.3.5-8                                       12/10/14 1
The nominal trip setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS or CHANNEL CALIBRATIONS do not exceed the Allowable Value if the processor output trip device is performing as required.
 
Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable provided that operation and testing are consistent with the assumptions of the setpoint calculations.
ESPS Input Instrumentation B 3.3.5 BASES LCO               Only the Allowable Value is specified for each ESPS Function in the (continued)      LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal trip setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS or CHANNEL CALIBRATIONS do not exceed the Allowable Value if the processor output trip device is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable provided that operation and testing are consistent with the assumptions of the setpoint calculations. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis to account for instrument uncertainties appropriate to the trip Parameter. These uncertainties are defined in Reference 3.
Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis to account for instrument uncertainties appropriate to the trip Parameter.
The values for operating bypass removal functions are stated in the Applicable MODES or Other Specified Condition column of Table 3.3.5-1.
These uncertainties are defined in Reference 3.The values for operating bypass removal functions are stated in the Applicable MODES or Other Specified Condition column of Table 3.3.5-1.Three ESPS input instrumentation channels shall be OPERABLE to ensure that a single failure in one input channel will not result in loss of the ability to automatically actuate the required safety systems.The bases for the LCO on ESPS Parameters include the following.
Three ESPS input instrumentation channels shall be OPERABLE to ensure that a single failure in one input channel will not result in loss of the ability to automatically actuate the required safety systems.
Three input channels of RCS Pressure-Low, RCS Pressure-Low Low, RB Pressure-High and RB Pressure-High High are required OPERABLE.
The bases for the LCO on ESPS Parameters include the following.
Each channel includes a sensor, input isolation modules, interchannel communication modules and processor output trip devices.Failures that affect the ability to bypass an input channel do not render the input channel inoperable since the input channel is still capable of performing its safety function, i.e., this is not a safety related bypass function.APPLICABILITY Three input channels of ESPS instrumentation for each of the following Parameters shall be OPERABLE.1. Reactor Coolant System Pressure -Low The RCS Pressure -Low actuation Parameter shall be OPERABLE during operation at or above 1750 psig. This requirement ensures the capability to automatically actuate safety systems and components during conditions indicative of a LOCA or secondary unit overcooling.
Three input channels of RCS Pressure-Low, RCS Pressure-Low Low, RB Pressure-High and RB Pressure-High High are required OPERABLE. Each channel includes a sensor, input isolation modules, interchannel communication modules and processor output trip devices.
Below 1750 psig, the low RCS Pressure actuation Parameter can be bypassed to avoid actuation during normal unit cooldowns when safety systems actuations are not required.OCONEE UNITS 1, 2, & 3 B 3.3.5-9 12/10/14 1 ESPS Input Instrumentation B 3.3.5 BASES APPLICABILITY
Failures that affect the ability to bypass an input channel do not render the input channel inoperable since the input channel is still capable of performing its safety function, i.e., this is not a safety related bypass function.
: 1. Reactor Coolant System Pressure -Low (continued)
APPLICABILITY     Three input channels of ESPS instrumentation for each of the following Parameters shall be OPERABLE.
The allowance for the bypass is consistent with the transition of the unit to a lower energy state, providing greater margins to safety limits. The unit response to any event, given that the reactor is already tripped, will be less severe and allows sufficient time for operator action to provide manual safety system actuations.
: 1. Reactor Coolant System Pressure - Low The RCS Pressure - Low actuation Parameter shall be OPERABLE during operation at or above 1750 psig. This requirement ensures the capability to automatically actuate safety systems and components during conditions indicative of a LOCA or secondary unit overcooling. Below 1750 psig, the low RCS Pressure actuation Parameter can be bypassed to avoid actuation during normal unit cooldowns when safety systems actuations are not required.
This is even more appropriate during unit heatups when the primary system and core energy content is low, prior to power operation.
OCONEE UNITS 1, 2, & 3               B 3.3.5-9                                         12/10/14 1
In MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident.
 
RCS pressure and temperature are very low, and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.2. Reactor Coolant System Pressure -Low Low The RCS Pressure -Low Low actuation Parameter shall be OPERABLE during operation above 900 psig. This requirement ensures the capability to automatically actuate safety systems and components during conditions indicative of a LOCA or secondary unit overcooling.
ESPS Input Instrumentation B 3.3.5 BASES APPLICABILITY     1. Reactor Coolant System Pressure - Low (continued)
Below 900 psig, the low low RCS Pressure actuation Parameter can be bypassed to avoid actuation during normal unit cooldowns when safety system actuations are not required.The allowance for the bypass is consistent with the transition of the unit to a lower energy state, providing greater margins to safety limits. The unit response to any event, given that the reactor is already tripped, will be less severe and allows sufficient time for operator action to provide manual safety system actuations.
The allowance for the bypass is consistent with the transition of the unit to a lower energy state, providing greater margins to safety limits. The unit response to any event, given that the reactor is already tripped, will be less severe and allows sufficient time for operator action to provide manual safety system actuations. This is even more appropriate during unit heatups when the primary system and core energy content is low, prior to power operation.
This is even more appropriate during unit heatups when the primary system and core energy content is low, prior to power operation.
In MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. RCS pressure and temperature are very low, and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
OCONEE UNITS 1, 2, & 3 B 3.3.5-10 12/10/14 1 ESPS Input Instrumentation B 3.3.5 BASES APPLICABILITY
: 2. Reactor Coolant System Pressure - Low Low The RCS Pressure - Low Low actuation Parameter shall be OPERABLE during operation above 900 psig. This requirement ensures the capability to automatically actuate safety systems and components during conditions indicative of a LOCA or secondary unit overcooling. Below 900 psig, the low low RCS Pressure actuation Parameter can be bypassed to avoid actuation during normal unit cooldowns when safety system actuations are not required.
: 2. Reactor Coolant System Pressure -Low Low (continued)
The allowance for the bypass is consistent with the transition of the unit to a lower energy state, providing greater margins to safety limits. The unit response to any event, given that the reactor is already tripped, will be less severe and allows sufficient time for operator action to provide manual safety system actuations. This is even more appropriate during unit heatups when the primary system and core energy content is low, prior to power operation.
In MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident.
OCONEE UNITS 1, 2, & 3             B 3.3.5-10                                       12/10/14 1
RCS pressure and temperature are very low, and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.3, 4. Reactor Building Pressure -High and Reactor Building Pressure -High High The RB Pressure -High and RB Pressure -High High actuation Functions of ESPS shall be OPERABLE in MODES 1, 2, 3, and 4 when the potential for a HELB exists. In MODES 5 and 6, the unit conditions are such that there is insufficient energy in the primary and secondary systems to raise the containment pressure to either the RB Pressure -High or RB Pressure -High High actuation setpoints.
 
Furthermore, in MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident.RCS pressure and temperature are very low and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.ACTIONS Required Actions A and B apply to all ESPS input instrumentation Parameters listed in Table 3.3.5-1.A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each Parameter.
ESPS Input Instrumentation B 3.3.5 BASES APPLICABILITY     2.       Reactor Coolant System Pressure - Low Low (continued)
If an input channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or ESPS input isolation modules, inter-channel communication modules and processor output trip devices are found inoperable, then all affected functions provided by that input channel should be declared inoperable and the unit must enter the Conditions for the particular protective Parameter affected.OCONEE UNITS 1, 2, & 3 B 3.3.5-11 12/10/14 1 ESPS Input Instrumentation B 3.3.5 BASES ACTIONS A..1 (continued)
In MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. RCS pressure and temperature are very low, and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
Condition A applies when one input channel becomes inoperable in one or more Parameters.
3, 4.     Reactor Building Pressure - High and Reactor Building Pressure -High High The RB Pressure - High and RB Pressure - High High actuation Functions of ESPS shall be OPERABLE in MODES 1, 2, 3, and 4 when the potential for a HELB exists. In MODES 5 and 6, the unit conditions are such that there is insufficient energy in the primary and secondary systems to raise the containment pressure to either the RB Pressure - High or RB Pressure - High High actuation setpoints. Furthermore, in MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident.
If one ESPS input instrument channel is inoperable, placing it in a tripped condition leaves the system in a one-out-of-two condition for actuation.
RCS pressure and temperature are very low and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
Thus, if another input channel were to fail, the ESPS instrumentation could still perform its actuation functions.
ACTIONS             Required Actions A and B apply to all ESPS input instrumentation Parameters listed in Table 3.3.5-1.
This can be accomplished two ways: (1) by placing an input logic channel (A, B or C) in trip with the associated Manual Trip keyswitch (the input Manual Trip channel keyswitch trips all ESPS functions in the channel), or (2) tripping the individual input parameter functional software through the interactive Graphical Service Monitor dialog screen. The 4 hour Completion Time is justified based on the continuous monitoring and signal validation being performed and is sufficient time to place a Parameter in trip. If the Parameter cannot be placed in trip, the Operator can trip the affected channel with the use of the Manual Trip keyswitch until such time that the individual parameter can be placed in trip.B.1, B.2.1. B.2.2. and B.2.3 Condition B applies when the Required Action and associated Completion Time of Condition A are not met or when one or more parameters have two or more inoperable input channels.
A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each Parameter.
If Condition B applies, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and, for the RCS Pressure-Low Parameter, to< 1750 psig, for the RCS Pressure-Low Low Parameter, to < 900 psig, and for the RB Pressure-High Parameter and RB Pressure-High High Parameter, to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.OCONEE UNITS 1, 2, & 3 B 3.3.5-12 12/10/14 1 ESPS Input Instrumentation B 3.3.5 BASES SURVEILLANCE The ESPS Parameters listed in Table 3.3.5-1 are subject to REQUIREMENTS CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION.
If an input channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or ESPS input isolation modules, inter-channel communication modules and processor output trip devices are found inoperable, then all affected functions provided by that input channel should be declared inoperable and the unit must enter the Conditions for the particular protective Parameter affected.
SR 3.3.5.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred.A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels.
OCONEE UNITS 1, 2, & 3               B 3.3.5-11                                       12/10/14 1
It is based on the assumption that input instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two input instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
 
Agreement criteria are determined, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability.
ESPS Input Instrumentation B 3.3.5 BASES ACTIONS           A..1 (continued)
If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but potentially more frequent, checks of channel operability during normal operational use of the displays associated with the LCO's required channels.The CHANNEL CHECK requirement is met automatically.
Condition A applies when one input channel becomes inoperable in one or more Parameters. Ifone ESPS input instrument channel is inoperable, placing it in a tripped condition leaves the system in a one-out-of-two condition for actuation. Thus, if another input channel were to fail, the ESPS instrumentation could still perform its actuation functions.
The digital ESPS provides continuous online automatic monitoring of each of the input signals in each channel, performs signal online validation against required acceptance criteria, and provides hardware functional validation.
This can be accomplished two ways: (1) by placing an input logic channel (A, B or C) in trip with the associated Manual Trip keyswitch (the input Manual Trip channel keyswitch trips all ESPS functions in the channel), or (2) tripping the individual input parameter functional software through the interactive Graphical Service Monitor dialog screen. The 4 hour Completion Time is justified based on the continuous monitoring and signal validation being performed and is sufficient time to place a Parameter in trip. If the Parameter cannot be placed in trip, the Operator can trip the affected channel with the use of the Manual Trip keyswitch until such time that the individual parameter can be placed in trip.
If any protective channel input signal is identified to be in the failure status, this condition is alarmed on the Unit Statalarm and input to the plant OAC. Immediate notification of the failure status is provided to the Operations staff.OCONEE UNITS 1, 2, & 3 B 3.3.5-13 12/10/14 1 ESPS Input Instrumentation B 3.3.5 BASES SURVEILLANCE REQUIREMENTS (continued)
B.1, B.2.1. B.2.2. and B.2.3 Condition B applies when the Required Action and associated Completion Time of Condition A are not met or when one or more parameters have two or more inoperable input channels. If Condition B applies, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and, for the RCS Pressure-Low Parameter, to
SR 3.3.5.2 The SR is modified by a Note indicating that it is not applicable to the Reactor Building Pressure -High High parameter.
                    < 1750 psig, for the RCS Pressure-Low Low Parameter, to < 900 psig, and for the RB Pressure-High Parameter and RB Pressure-High High Parameter, to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
This surveillance does not apply to the Reactor Building Pressure High High parameter because it consists of pressure switches which provide a contact status to the system and there is no software setpoint to verify. This SR manually retrieves the software setpoints and verifies they are correct.The proper functioning of the processor portion of the channel is continuously checked by automatic cyclic self monitoring.
OCONEE UNITS 1, 2, & 3               B 3.3.5-12                                       12/10/14 1
The proper functioning of the processor portion of the channel is continuously checked by automatic cyclic self monitoring.
 
Verification of field instrument setpoints is not required by this surveillance.
ESPS Input Instrumentation B 3.3.5 BASES SURVEILLANCE       The ESPS Parameters listed in Table 3.3.5-1 are subject to REQUIREMENTS       CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR 3.3.5.3 This SR has been deleted.SR 3.3.5.4 CHANNEL CALIBRATION is a complete check of the input instrument channel, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.
SR 3.3.5.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred.
CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION assures that measurement errors and processor output trip device setpoint errors are within the assumptions of the unit specific uncertainty analysis.CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the uncertainty analysis.Since the CHANNEL FUNCTIONAL TEST is a part of the CHANNEL CALIBRATION a separate SR is not required.
A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that input instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two input instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
The digital ESPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation.
Agreement criteria are determined, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit.
The protection system also performs continuous online hardware monitoring.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but potentially more frequent, checks of channel operability during normal operational use of the displays associated with the LCO's required channels.
The CHANNEL CALIBRATION essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.I I OCONEE UNITS 1, 2, & 3 B 3.3.5-14 12/10/14 1 ESPS Input Instrumentation B 3.3.5 BASES SURVEILLANCE SR 3.3.5.4 (continued)
The CHANNEL CHECK requirement is met automatically. The digital ESPS provides continuous online automatic monitoring of each of the input signals in each channel, performs signal online validation against required acceptance criteria, and provides hardware functional validation.
REQUIREMENTS The digital processors shall be rebooted as part of the calibration.
Ifany protective channel input signal is identified to be in the failure status, this condition is alarmed on the Unit Statalarm and input to the plant OAC. Immediate notification of the failure status is provided to the Operations staff.
This verifies that the software has not changed. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements.
OCONEE UNITS 1, 2, & 3                 B 3.3.5-13                                         12/10/14 1
This, in combination with ensuring the setpoints are entered into the software correctly per SR 3.3.5.2, verifies the setpoints are within the Allowable Values.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES
 
: 1. UFSAR, Chapter 7.2. 10 CFR 50.49.3. EDM-102, "Instrument Setpoint/Uncertainty Calculations." 4. UFSAR, Chapter 15.5. 10 CFR 50.36.OCONEE UNITS 1, 2, & 3 B 3.3.5-15 12/10/14 1 ESPS Manual B 3.3 INSTRUMENTATION B 3.3.6 Engineered Safeguards Protective System (ESPS) Manual Initiation BASES Initiation B 3.
ESPS Input Instrumentation B 3.3.5 BASES SURVEILLANCE     SR 3.3.5.2 REQUIREMENTS (continued)    The SR is modified by a Note indicating that it is not applicable to the Reactor Building Pressure - High High parameter. This surveillance does not apply to the Reactor Building Pressure High High parameter because it consists of pressure switches which provide a contact status to the system and there is no software setpoint to verify. This SR manually retrieves the software setpoints and verifies they are correct.
The proper functioning of the processor portion of the channel is continuously checked by automatic cyclic self monitoring. The proper functioning of the processor portion of the channel is continuously checked by automatic cyclic self monitoring. Verification of field instrument setpoints is not required by this surveillance.                     I The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.5.3 This SR has been deleted.
SR 3.3.5.4 CHANNEL CALIBRATION is a complete check of the input instrument channel, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION assures that measurement errors and processor output trip device setpoint errors       I are within the assumptions of the unit specific uncertainty analysis.
CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the uncertainty analysis.
Since the CHANNEL FUNCTIONAL TEST is a part of the CHANNEL CALIBRATION a separate SR is not required. The digital ESPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The protection system also performs continuous online hardware monitoring. The CHANNEL CALIBRATION essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.
OCONEE UNITS 1, 2, & 3               B 3.3.5-14                                         12/10/14 1
 
ESPS Input Instrumentation B 3.3.5 BASES SURVEILLANCE     SR 3.3.5.4 (continued)
REQUIREMENTS The digital processors shall be rebooted as part of the calibration. This verifies that the software has not changed. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements. This, in combination with ensuring the setpoints are entered into the software correctly per SR 3.3.5.2, verifies the setpoints are within the Allowable Values.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
REFERENCES         1. UFSAR, Chapter 7.
: 2.     10 CFR 50.49.
: 3. EDM-102, "Instrument Setpoint/Uncertainty Calculations."
: 4. UFSAR, Chapter 15.
: 5. 10 CFR 50.36.
OCONEE UNITS 1, 2, & 3               B 3.3.5-15                                         12/10/14 1
 
ESPS Manual Initiation B 3.3.6 B 3.3 INSTRUMENTATION B 3.3.6 Engineered Safeguards Protective System (ESPS) Manual Initiation BASES BACKGROUND          The ESPS manual initiation capability allows the operator to actuate ESPS Functions from the main control room in the absence of any other initiation condition. This ESPS manual initiation capability is provided in the event the operator determines that an ESPS Function is needed and has not been automatically actuated. Furthermore, the ESPS manual initiation capability allows operators to rapidly initiate Engineered Safeguards (ES)
Functions.
LCO 3.3.6 covers only the system level manual initiation of these Functions. LCO 3.3.5, "Engineered Safeguards Protective System (ESPS)
Input Instrumentation," and LCO 3.3.7, "Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels," provide requirements on the portions of the ESPS that automatically initiate the Functions described earlier.
The ESPS manual initiation Function relies on the OPERABILITY of the automatic actuation output logic channels (LCO 3.3.7) to perform the actuation of the systems. A manual trip push button is provided on the control room console for each of the automatic actuation output logic channels. Operation of the push button energizes relays whose contacts perform a logical "OR" function with the automatic actuation.
The ESPS manual initiation portion of the ESPS system is defined as the instrumentation between the control console Trip/Reset switches and the relay output (RO) relays which actuate the end devices. Other means of manual initiation, such as controls for individual ES devices, may be available in the control room and other unit locations. These alternative means are not required by this LCO, nor may they be credited to fulfill the requirements of this LCO.
OCONEE UNITS 1, 2, & 3                  B 3.3.6-1                                        12/10/14 1
 
ESPS Manual Initiation B 3.3.6 BASES BACKGROUND      A manual actuation of the ESPS actuation functions shall be capable of (continued)      being initiated from the main control board Trip/Reset pushbutton switches. Individual pushbuttons are provided for High Pressure Injection and Reactor Building (RB) Non-Essential Isolation (Channels 1 and 2),
Low Pressure Injection and Low Pressure Service Water Actuation (Channels 3 and 4), RB Cooling and RB Essential Isolation (Channels 5 and 6), and RB Spray (Channels 7 and 8). The manual actuation is independent of the ESPS automatic actuation signal and is capable of actuating all channel related actuation field components regardless of any failures of the automatic signal. Initiation of the manual actuation portion of ESPS will also input an actuation signal to the automatic system to provide input to the automatic system indicating that a manual actuation has occurred.
APPLICABLE      The ESPS, in conjunction with the actuated equipment, provides protective SAFETY ANALYSES functions necessary to mitigate accidents, specifically, the loss of coolant accident and steam line break events.
The ESPS manual initiation ensures that the control room operator can rapidly initiate ES Functions. The manual initiation trip Function is required as a backup to automatic trip functions and allows operators to initiate ESPS whenever any parameter is rapidly trending toward its trip setpoint.
The ESPS manual initiation functions satisfy Criterion 3 of 10 CFR 50.36 (Ref. 1).
LCO              Two ESPS manual initiation channels of each ESPS Function shall be OPERABLE whenever conditions exist that could require ES protection of the reactor or RB. Two OPERABLE channels ensure that no single random failure will prevent system level manual initiation of any ESPS Function. The ESPS manual initiation Function allows the operator to initiate protective action prior to automatic initiation or in the event the automatic initiation does not occur.
OCONEE UNITS 1, 2, & 3                B 3.3.6-2                                            12/10/14 1
 
ESPS Manual Initiation B 3.3.6 BASES LCO              The required Function is provided by two associated channels. as indicated (continued)      in the following table:
Function                                      Associated Channels HPI and RB Non-Essential                              1 &2 Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input.
LPI                                                  33&4 RB Cooling and RB Essential                          5 &6 isolation RB Spray                                              7 &8 APPLICABILITY    The ESPS manual initiation Functions shall be OPERABLE in MODES 1 and 2, and in MODES 3 and 4 when the associated engineered safeguard equipment is required to be OPERABLE. The manual initiation channels are required because ES Functions are designed to provide protection in these MODES. ESPS initiates systems that are either reconfigured for decay heat removal operation or disabled while in MODES 5 and 6.
Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components. Adequate time is available to evaluate unit conditions and to respond by manually operating the ES components, if required.
ACTIONS          A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each ESPS manual initiation Function.
A..I Condition A applies when one manual initiation channel of one or more ESPS Functions becomes inoperable. Required Action A. I must be taken to restore the channel to OPERABLE status within the next 72 hours. The Completion Time of 72 hours is based on operating experience and administrative controls, which provide alternative means of ESPS Function initiation via individual component controls. The 72 hour Completion Time is generally consistent with the allowed outage time for the safety systems actuated by ESPS.
OCONEE UNITS 1, 2, & 3                  B 3.3.6-3                                      12/10/14 1
 
ESPS Manual Initiation B 3.3.6 BASES ACTIONS          B.1 and B.2 (continued)
With the Required Action and associated Completion Time not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required MODES from full power conditions in an orderly manner and without challenging unit systems.
SURVEILLANCE      SR 3.3.6.1 REQUIREMENTS This SR requires the performance of a CHANNEL FUNCTIONAL TEST of the ESPS manual initiation. This test verifies that the initiating circuitry is OPERABLE and will actuate the automatic actuation output logic channels.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
Failure of reactor building purge valves PR-1, 2, 3, 4, 5, 6 to close following a design basis event would cause a significant increase in the radioactive release because of the large containment leakage path introduced by these 48 inch purge lines. Because of their large size, the 48 inch purge valves are not qualified for automatic closure from their open position under accident conditions. Therefore, the 48 inch purge valves are maintained sealed closed (SR 3.6.3.1) in MODES 1, 2, 3, and 4 to ensure the containment boundary is maintained (Reference 2). Since they are sealed closed in all modes where the Engineered Safeguards system is required operable, testing of these reactor building purge valves is not required per SR 3.3.6.1.
REFERENCES        1. 10 CFR 50.36.
: 2.      NUREG 0737, Section I1.E.4.2.6.
OCONEE UNITS 1, 2, & 3                B 3.3.6-4                                          12/10/14 1
 
ESPS Automatic Actuation Output Logic Channels B 3.3.7 B 3.3 INSTRUMENTATION B 3.3.7 Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels BASES BACKGROUND          The automatic actuation output logic channels are defined as the Voters, the output relays and associated contacts. The Voters are used to provide an output signal to the output relays for the LP-1 interlock. Since LP-1 is not an ES valve, any inoperability of the ESPS associated with this particular function would require no action by TS 3.3.7. Each of the components actuated by the ESPS Functions is associated with one or more automatic actuation output logic channels. If two-out-of-three ESPS input instrumentation channels indicate a trip, or if channel level manual initiation occurs, the automatic actuation output logic channel is activated and the associated equipment is actuated. The purpose of requiring OPERABILITY of the ESPS automatic actuation output logic channels is to ensure that the Functions of the ESPS can be automatically initiated in the event of an accident. Automatic actuation of some Functions is necessary to prevent the unit from exceeding the Emergency Core Cooling Systems (ECCS) limits in 10 CFR 50.46 (Ref. 1). It should be noted that OPERABLE automatic actuation output logic channels alone will not ensure that each Function can be activated; the input instrumentation channels and actuated equipment associated with each Function must also be OPERABLE to ensure that the Functions can be automatically initiated during an accident.
LCO 3.3.7 covers only the automatic actuation output logic channels that initiates these Functions. LCO 3.3.5, "Engineered Safeguards Protective System (ESPS) Input Instrumentation," and LCO 3.3.6, "Engineered Safeguards Protective System (ESPS) Manual Initiation," provide requirements on the input instrumentation and manual initiation channels that feed into the automatic actuation output logic channels.
The ESPS Protective Channels (computers) A, B, and C are                        I implemented on two independent and redundant subsystems. One subsystem, containing channels A2, B2, and C2, uses the ESPS protective channel computers, which are installed in the ESPS cabinets.
The other sub-system, containing independent and redundant channels Al, B1, and Cl, uses the RPS protective channel computers, which are installed in the RPS cabinets.
OCONEE UNITS 1, 2, & 3                B 3.3.7-1                                          12/10/14 1


==3.6 BACKGROUND==
ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES BACKGROUND        Each of the independent ESPS and ESPS/RPS protective channel (continued)    function output signals are sent to two redundant digital actuation Voter Sets each comprised of an Odd and Even Voter. The Odd Voter is associated with ESPS Automatic Actuation Output Logic Channels 1, 3, 5, and 7 while the Even Voter is associated with Channels 2, 4, 6, and 8. One of the Odd and Even Voter sets (Voter 2) performs the two-out-of-three voting for the actuation signals coming from the ESPS protective channels; the other independent and redundant Odd and Even Voter set (Voter 1) performs the two-out-of-three voting for the actuation signals coming from the ESPS/RPS sets. The independent and redundant ESPS protective safety actuation functions are duplicated in the ESPS and ESPS/RPS subsystems.
The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically, the loss of coolant accident (LOCA) and main steam line break (MSLB) events. The ESPS relies on the OPERABILITY of the automatic actuation logic for each component to perform the actuation of the selected systems.
The small break LOCA analyses assume a conservative 48 second delay time for the actuation of High Pressure Injection (HPI) in UFSAR, Chapter 15 (Ref. 2). The large break LOCA analyses assume Low Pressure Injection (LPI) flow starts in 38 seconds while full LPI flow does not occur until 36 seconds later, or 74 seconds total (Ref. 2). This delay time includes allowances for Keowee Hydro Unit startup and loading, ECCS pump starts, and valve openings. Similarly, the Reactor Building (RB)
Cooling, RB Isolation, and RB Spray have been analyzed with delays appropriate for the entire system.
The ESPS automatic initiation of Engineered Safeguards (ES) Functions to mitigate accident conditions is assumed in the accident analysis and is required to ensure that consequences of analyzed events do not exceed the accident analysis predictions. Automatically actuated features include HPI, LPI, RB Cooling, RB Spray, and RB Isolation.
OCONEE UNITS 1, 2, & 3              B 3.3.7-2                                          12/10/14 1


The ESPS manual initiation capability allows the operator to actuate ESPS Functions from the main control room in the absence of any other initiation condition.
ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES BACKGROUND       Engineered Safeguards Protective System Bypasses (continued)
This ESPS manual initiation capability is provided in the event the operator determines that an ESPS Function is needed and has not been automatically actuated.
Furthermore, the ESPS manual initiation capability allows operators to rapidly initiate Engineered Safeguards (ES)Functions.
LCO 3.3.6 covers only the system level manual initiation of these Functions.
LCO 3.3.5, "Engineered Safeguards Protective System (ESPS)Input Instrumentation," and LCO 3.3.7, "Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels," provide requirements on the portions of the ESPS that automatically initiate the Functions described earlier.The ESPS manual initiation Function relies on the OPERABILITY of the automatic actuation output logic channels (LCO 3.3.7) to perform the actuation of the systems. A manual trip push button is provided on the control room console for each of the automatic actuation output logic channels.
Operation of the push button energizes relays whose contacts perform a logical "OR" function with the automatic actuation.
The ESPS manual initiation portion of the ESPS system is defined as the instrumentation between the control console Trip/Reset switches and the relay output (RO) relays which actuate the end devices. Other means of manual initiation, such as controls for individual ES devices, may be available in the control room and other unit locations.
These alternative means are not required by this LCO, nor may they be credited to fulfill the requirements of this LCO.OCONEE UNITS 1, 2, & 3 B 3.3.6-1 12/10/14 1 ESPS Manual Initiation B 3.3.6 BASES BACKGROUND (continued)
A manual actuation of the ESPS actuation functions shall be capable of being initiated from the main control board Trip/Reset pushbutton switches.
Individual pushbuttons are provided for High Pressure Injection and Reactor Building (RB) Non-Essential Isolation (Channels 1 and 2), Low Pressure Injection and Low Pressure Service Water Actuation (Channels 3 and 4), RB Cooling and RB Essential Isolation (Channels 5 and 6), and RB Spray (Channels 7 and 8). The manual actuation is independent of the ESPS automatic actuation signal and is capable of actuating all channel related actuation field components regardless of any failures of the automatic signal. Initiation of the manual actuation portion of ESPS will also input an actuation signal to the automatic system to provide input to the automatic system indicating that a manual actuation has occurred.APPLICABLE SAFETY ANALYSES The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically, the loss of coolant accident and steam line break events.The ESPS manual initiation ensures that the control room operator can rapidly initiate ES Functions.
The manual initiation trip Function is required as a backup to automatic trip functions and allows operators to initiate ESPS whenever any parameter is rapidly trending toward its trip setpoint.The ESPS manual initiation functions satisfy Criterion 3 of 10 CFR 50.36 (Ref. 1).LCO Two ESPS manual initiation channels of each ESPS Function shall be OPERABLE whenever conditions exist that could require ES protection of the reactor or RB. Two OPERABLE channels ensure that no single random failure will prevent system level manual initiation of any ESPS Function.
The ESPS manual initiation Function allows the operator to initiate protective action prior to automatic initiation or in the event the automatic initiation does not occur.OCONEE UNITS 1, 2, & 3 B 3.3.6-2 12/10/14 1 ESPS Manual Initiation B 3.3.6 BASES LCO (continued)
The required Function is provided by two associated channels.
as indicated in the following table: Function Associated Channels HPI and RB Non-Essential 1 &2 Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input.LPI 33&4 RB Cooling and RB Essential 5 & 6 isolation RB Spray 7 & 8 APPLICABILITY The ESPS manual initiation Functions shall be OPERABLE in MODES 1 and 2, and in MODES 3 and 4 when the associated engineered safeguard equipment is required to be OPERABLE.
The manual initiation channels are required because ES Functions are designed to provide protection in these MODES. ESPS initiates systems that are either reconfigured for decay heat removal operation or disabled while in MODES 5 and 6.Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components.
Adequate time is available to evaluate unit conditions and to respond by manually operating the ES components, if required.ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each ESPS manual initiation Function.A..I Condition A applies when one manual initiation channel of one or more ESPS Functions becomes inoperable.
Required Action A. I must be taken to restore the channel to OPERABLE status within the next 72 hours. The Completion Time of 72 hours is based on operating experience and administrative controls, which provide alternative means of ESPS Function initiation via individual component controls.
The 72 hour Completion Time is generally consistent with the allowed outage time for the safety systems actuated by ESPS.OCONEE UNITS 1, 2, & 3 B 3.3.6-3 12/10/14 1 ESPS Manual Initiation B 3.3.6 BASES ACTIONS B.1 and B.2 (continued)
With the Required Action and associated Completion Time not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required MODES from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE SR 3.3.6.1 REQUIREMENTS This SR requires the performance of a CHANNEL FUNCTIONAL TEST of the ESPS manual initiation.
This test verifies that the initiating circuitry is OPERABLE and will actuate the automatic actuation output logic channels.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.Failure of reactor building purge valves PR-1, 2, 3, 4, 5, 6 to close following a design basis event would cause a significant increase in the radioactive release because of the large containment leakage path introduced by these 48 inch purge lines. Because of their large size, the 48 inch purge valves are not qualified for automatic closure from their open position under accident conditions.
Therefore, the 48 inch purge valves are maintained sealed closed (SR 3.6.3.1) in MODES 1, 2, 3, and 4 to ensure the containment boundary is maintained (Reference 2). Since they are sealed closed in all modes where the Engineered Safeguards system is required operable, testing of these reactor building purge valves is not required per SR 3.3.6.1.REFERENCES
: 1. 10 CFR 50.36.2. NUREG 0737, Section I1.E.4.2.6.
OCONEE UNITS 1, 2, & 3 B 3.3.6-4 12/10/14 1 ESPS Automatic Actuation Output Logic Channels B 3.3.7 B 3.3 INSTRUMENTATION B 3.3.7 Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels BASES BACKGROUND The automatic actuation output logic channels are defined as the Voters, the output relays and associated contacts.
The Voters are used to provide an output signal to the output relays for the LP-1 interlock.
Since LP-1 is not an ES valve, any inoperability of the ESPS associated with this particular function would require no action by TS 3.3.7. Each of the components actuated by the ESPS Functions is associated with one or more automatic actuation output logic channels.
If two-out-of-three ESPS input instrumentation channels indicate a trip, or if channel level manual initiation occurs, the automatic actuation output logic channel is activated and the associated equipment is actuated.
The purpose of requiring OPERABILITY of the ESPS automatic actuation output logic channels is to ensure that the Functions of the ESPS can be automatically initiated in the event of an accident.
Automatic actuation of some Functions is necessary to prevent the unit from exceeding the Emergency Core Cooling Systems (ECCS) limits in 10 CFR 50.46 (Ref. 1). It should be noted that OPERABLE automatic actuation output logic channels alone will not ensure that each Function can be activated; the input instrumentation channels and actuated equipment associated with each Function must also be OPERABLE to ensure that the Functions can be automatically initiated during an accident.LCO 3.3.7 covers only the automatic actuation output logic channels that initiates these Functions.
LCO 3.3.5, "Engineered Safeguards Protective System (ESPS) Input Instrumentation," and LCO 3.3.6, "Engineered Safeguards Protective System (ESPS) Manual Initiation," provide requirements on the input instrumentation and manual initiation channels that feed into the automatic actuation output logic channels.The ESPS Protective Channels (computers)
A, B, and C are implemented on two independent and redundant subsystems.
One subsystem, containing channels A2, B2, and C2, uses the ESPS protective channel computers, which are installed in the ESPS cabinets.The other sub-system, containing independent and redundant channels Al, B1, and Cl, uses the RPS protective channel computers, which are installed in the RPS cabinets.I OCONEE UNITS 1, 2, & 3 B 3.3.7-1 12/10/14 1 ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES BACKGROUND (continued)
Each of the independent ESPS and ESPS/RPS protective channel function output signals are sent to two redundant digital actuation Voter Sets each comprised of an Odd and Even Voter. The Odd Voter is associated with ESPS Automatic Actuation Output Logic Channels 1, 3, 5, and 7 while the Even Voter is associated with Channels 2, 4, 6, and 8. One of the Odd and Even Voter sets (Voter 2) performs the two-out-of-three voting for the actuation signals coming from the ESPS protective channels;the other independent and redundant Odd and Even Voter set (Voter 1)performs the two-out-of-three voting for the actuation signals coming from the ESPS/RPS sets. The independent and redundant ESPS protective safety actuation functions are duplicated in the ESPS and ESPS/RPS subsystems.
The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically, the loss of coolant accident (LOCA) and main steam line break (MSLB) events. The ESPS relies on the OPERABILITY of the automatic actuation logic for each component to perform the actuation of the selected systems.The small break LOCA analyses assume a conservative 48 second delay time for the actuation of High Pressure Injection (HPI) in UFSAR, Chapter 15 (Ref. 2). The large break LOCA analyses assume Low Pressure Injection (LPI) flow starts in 38 seconds while full LPI flow does not occur until 36 seconds later, or 74 seconds total (Ref. 2). This delay time includes allowances for Keowee Hydro Unit startup and loading, ECCS pump starts, and valve openings.
Similarly, the Reactor Building (RB)Cooling, RB Isolation, and RB Spray have been analyzed with delays appropriate for the entire system.The ESPS automatic initiation of Engineered Safeguards (ES) Functions to mitigate accident conditions is assumed in the accident analysis and is required to ensure that consequences of analyzed events do not exceed the accident analysis predictions.
Automatically actuated features include HPI, LPI, RB Cooling, RB Spray, and RB Isolation.
OCONEE UNITS 1, 2, & 3 B 3.3.7-2 12/10/14 1 ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES BACKGROUND Engineered Safeguards Protective System Bypasses (continued)
There are two redundant subsystems.
There are two redundant subsystems.
The same analog input signal is fed to each subsystem.
The same analog input signal is fed to each subsystem. In subsystem 1, channels Al, B1, and Cl provide the input to Voter 1 Odd and Voter 1 Even. In subsystem 2, channels A2, B2, and C2 provide input to Voter 2 Odd and Voter 2 Even.
In subsystem 1, channels Al, B1, and Cl provide the input to Voter 1 Odd and Voter 1 Even. In subsystem 2, channels A2, B2, and C2 provide input to Voter 2 Odd and Voter 2 Even.Either subsystem provides the full complement of Voters. This allows for a Manual (maintenance)
Either subsystem provides the full complement of Voters. This allows for a Manual (maintenance) Bypass of one complete subsystem, or portion of a subsystem, without entering into an LCO Condition. While one Voter or a set of Voters are bypassed, the ESPS function is provided by the redundant ESPS subsystem.
Bypass of one complete subsystem, or portion of a subsystem, without entering into an LCO Condition.
Placing a Voter in Manual Bypass is implemented by keyswitches located in the respective ESPS Actuation cabinets. If an ESPS Voter is placed in Manual Bypass, all automatic ESPS actuation functions from that specific Voter are disabled. However, a manual ESPS trip is still available for Operator action to initiate the ESPS safety actuation functions. Only one Manual Bypass keyswitch for the two Odd Voters (Voter 1 Odd or Voter 2 Odd) and one Manual Bypass keyswitch for the two Even Voters (Voter 1 Even or Voter 2 Even) is allowed to be placed in Manual Bypass at a time. Placing an ESPS Voter in Manual Bypass is administratively controlled. The ESPS Manual Bypass keyswitch status information is sent to the Unit control room Statalarm panel and sent to the plant Operator Aid Computer (OAC).
While one Voter or a set of Voters are bypassed, the ESPS function is provided by the redundant ESPS subsystem.
Parameter Chan-ge Enable Mode ESPS Voters for subsystems 1 and 2 and Status processors can be placed in a parameter change enable mode through the use of the Parameter Change Enable keyswitches. One keyswitch will place Odd Voter 1 and the Odd Component Status processor in Parameter Change Enable Mode. One keyswitch will place Even 1 Voter and the Even Component Status processor in Parameter Change Enable Mode. Odd Voter 2 and Even Voter 2 each have their own keyswitch that can be used to place each processor in Parameter Change Enable Mode.
Placing a Voter in Manual Bypass is implemented by keyswitches located in the respective ESPS Actuation cabinets.
When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:
If an ESPS Voter is placed in Manual Bypass, all automatic ESPS actuation functions from that specific Voter are disabled.
* The processors continue with normal operation.
However, a manual ESPS trip is still available for Operator action to initiate the ESPS safety actuation functions.
Only one Manual Bypass keyswitch for the two Odd Voters (Voter 1 Odd or Voter 2 Odd) and one Manual Bypass keyswitch for the two Even Voters (Voter 1 Even or Voter 2 Even) is allowed to be placed in Manual Bypass at a time. Placing an ESPS Voter in Manual Bypass is administratively controlled.
The ESPS Manual Bypass keyswitch status information is sent to the Unit control room Statalarm panel and sent to the plant Operator Aid Computer (OAC).Parameter Chan-ge Enable Mode ESPS Voters for subsystems 1 and 2 and Status processors can be placed in a parameter change enable mode through the use of the Parameter Change Enable keyswitches.
One keyswitch will place Odd Voter 1 and the Odd Component Status processor in Parameter Change Enable Mode. One keyswitch will place Even 1 Voter and the Even Component Status processor in Parameter Change Enable Mode. Odd Voter 2 and Even Voter 2 each have their own keyswitch that can be used to place each processor in Parameter Change Enable Mode.When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:* The processors continue with normal operation.
* A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.
* A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.
OCONEE UNITS 1, 2, & 3 B 3.3.7-3 12/10/14 1 ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES BACKGROUND Parameter Change Enable Mode (continued)
OCONEE UNITS 1, 2, & 3             B 3.3.7-3                                         12/10/14 1
 
ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES BACKGROUND       Parameter Change Enable Mode (continued)
With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:
With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:
* Normal Operation  
* Normal Operation - with permissive for operating mode change.
-with permissive for operating mode change.* Parameterization  
* Parameterization - allows changes to specific parameters (example placing a parameter into a tripped condition or performing Go/NoGo testing).
-allows changes to specific parameters (example placing a parameter into a tripped condition or performing Go/NoGo testing).* Function Test -for disabling the application function and forcing output signal for testing purposes (normally not used).* Diagnostics  
* Function Test - for disabling the application function and forcing output signal for testing purposes (normally not used).
-for downloading new application software.The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions.
* Diagnostics - for downloading new application software.
Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.
The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions. Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.
When a keyswitch is placed in the Parameter Change Enable Mode Position for any activity, the affected processor shall first be declared out of service. In addition to declaring the processor out of service, when loading or revising software in a processor, the affected ESPS voter (Set 1 or Set 2) shall be placed in Bypass. Only one ESPS voter at a time is allowed to be placed into Parameter Change Enable Mode Position for software loading/revision.
When a keyswitch is placed in the Parameter Change Enable Mode Position for any activity, the affected processor shall first be declared out of service. In addition to declaring the processor out of service, when loading or revising software in a processor, the affected ESPS voter (Set 1 or Set 2) shall be placed in Bypass. Only one ESPS voter at a time is allowed to be placed into Parameter Change Enable Mode Position for software loading/revision.
Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the Gateway.ESPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).
Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the Gateway.
APPLICABLE Accident analyses rely on automatic ESPS actuation for protection of the SAFETY ANALYSES core and RB and for limiting off site dose levels following an accident.
ESPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).
The automatic actuation output logic is an integral part of the ESPS.The ESPS automatic actuation output logic channels satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).OCONEE UNITS 1, 2, & 3 B 3.3.7-4 12/10/14 1 ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES (continued)
APPLICABLE       Accident analyses rely on automatic ESPS actuation for protection of the SAFETY ANALYSES core and RB and for limiting off site dose levels following an accident. The automatic actuation output logic is an integral part of the ESPS.
LCO The automatic actuation output logic channels are required to be OPERABLE whenever conditions exist that could require ES protection of the reactor or the RB. This ensures automatic initiation of the ES required to mitigate the consequences of accidents.
The ESPS automatic actuation output logic channels satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).
The ESPS automatic actuation output logic channels are comprised of two independent and redundant subsystems.
OCONEE UNITS 1, 2, & 3             B 3.3.7-4                                           12/10/14 1
Only one of the independent subsystems is required to be OPERABLE.The required Function is provided by two associated output channels as indicated in the following table: Function Associated Channels HPI and RB Non-Essential 1 & 2 Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input LPI 3 & 4 RB Cooling and RB Essential 5 & 6 isolation RB Spray 7 & 8 I APPLICABILITY The automatic actuation output logic channels shall be OPERABLE in MODES 1 and 2 and in MODES 3 and 4 when the associated engineered safeguard equipment is required to be OPERABLE, because ES Functions are designed to provide protection in these MODES. Automatic actuation in MODE 5 or 6 is not required because the systems initiated by the ESPS are either reconfigured for decay heat removal operation or disabled.Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components.
 
Adequate time is available to evaluate unit conditions and respond by manually operating the ES components, if required.OCONEE UNITS 1, 2, & 3 B 3.3.7-5 12/10/14 1 ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each ESPS automatic actuation output logic channel.A.1 and A.2 When one or more automatic actuation output logic channels are inoperable, the associated component(s) can be placed in their engineered safeguard configuration.
ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES (continued)
Required Action A.1 is equivalent to the automatic actuation output logic channel performing its safety function ahead of time.In some cases, placing the component in its engineered safeguard configuration would violate unit safety or operational considerations.
LCO               The automatic actuation output logic channels are required to be OPERABLE whenever conditions exist that could require ES protection of the reactor or the RB. This ensures automatic initiation of the ES required to mitigate the consequences of accidents.
In these cases, the component status should not be changed, but the supported system component must be declared inoperable.
The ESPS automatic actuation output logic channels are comprised of           I two independent and redundant subsystems. Only one of the independent subsystems is required to be OPERABLE.
Conditions which would preclude the placing of a component in its engineered safeguard configuration include, but are not limited to, violation of system separation, activation of fluid systems that could lead to thermal shock, or isolation of fluid systems that are normally functioning.
The required Function is provided by two associated output channels as indicated in the following table:
The Completion Time of 1 hour is based on operating experience and reflects the urgency associated with the inoperability of a safety system component.
Function                                   Associated Channels HPI and RB Non-Essential                             1&2 Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input LPI                                                   3 &4 RB Cooling and RB Essential                         5&6 isolation RB Spray                                             7 &8 APPLICABILITY     The automatic actuation output logic channels shall be OPERABLE in MODES 1 and 2 and in MODES 3 and 4 when the associated engineered safeguard equipment is required to be OPERABLE, because ES Functions are designed to provide protection in these MODES. Automatic actuation in MODE 5 or 6 is not required because the systems initiated by the ESPS are either reconfigured for decay heat removal operation or disabled.
Required Action A.2 requires declaring the associated components of the affected supported systems inoperable, since the true effect of automatic actuation output logic channel failure is inoperability of the supported system. The Completion Time of 1 hour is based on operating experience and reflects the urgency associated with the inoperability of a safety system component.
Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components. Adequate time is available to evaluate unit conditions and respond by manually operating the ES components, if required.
A combination of Required Actions A.1 and A.2 may be used for different components associated with an inoperable automatic actuation output logic channel.OCONEE UNITS 1, 2, & 3 B 3.3.7-6 12/10/14 1 ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES SURVEILLANCE SR 3.3.7.1 REQUIREMENTS This SR requires manual actuation of the output channel interposing relays (referred to as Ro relays) to demonstrate OPERABILITY of the relays. The proper functioning of the processor portion of the channel is continuously checked by automatic cyclic self monitoring.
OCONEE UNITS 1, 2, & 3             B 3.3.7-5                                         12/10/14 1
Failure of reactor building purge valves PR-1, 2, 3, 4, 5, 6 to close following a design basis event would cause a significant increase in the radioactive release because of the large containment leakage path introduced by these 48 inch purge lines. Because of their large size, the 48 inch purge valves are not qualified for automatic closure from their open position under accident conditions.
 
Therefore, the 48 inch purge valves are maintained sealed closed (SR 3.6.3.1) in MODES 1, 2, 3, and 4 to ensure the containment boundary is maintained (Reference 4). Since they are sealed closed in all modes where the Engineered Safeguards system is required operable, testing of these reactor building purge valves is not required per SR 3.3.7.1.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR 3.3.7.2 SR 3.3.7.2 is the performance of a CHANNEL FUNCTIONAL TEST. The functional test consists of rebooting the digital processors.
ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES ACTIONS           A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each ESPS automatic actuation output logic channel.
This verifies that the software has not changed.Failure of reactor building purge valves PR-1, 2, 3, 4, 5, 6 to close following a design basis event would cause a significant increase in the radioactive release because of the large containment leakage path introduced by these 48 inch purge lines. Because of their large size, the 48 inch purge valves are not qualified for automatic closure from their open position under accident conditions.
A.1 and A.2 When one or more automatic actuation output logic channels are inoperable, the associated component(s) can be placed in their engineered safeguard configuration. Required Action A.1 is equivalent to the automatic actuation output logic channel performing its safety function ahead of time.
Therefore, the 48 inch purge valves are maintained sealed closed (SR 3.6.3.1) in MODES 1, 2, 3, and 4 to ensure the containment boundary is maintained (Reference 4). Since they are sealed closed in all modes where the Engineered Safeguards system is required operable, testing of these reactor building purge valves is not required per SR 3.3.7.2.OCONEE UNITS 1, 2, & 3 B 3.3.7-7 12/10/14 1 ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES SURVEILLANCE REQUIREMENTS SR 3.3.7.2 (continued)
In some cases, placing the component in its engineered safeguard configuration would violate unit safety or operational considerations. In these cases, the component status should not be changed, but the supported system component must be declared inoperable. Conditions which would preclude the placing of a component in its engineered safeguard configuration include, but are not limited to, violation of system separation, activation of fluid systems that could lead to thermal shock, or isolation of fluid systems that are normally functioning. The Completion Time of 1 hour is based on operating experience and reflects the urgency associated with the inoperability of a safety system component.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.The digital ESPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation.
Required Action A.2 requires declaring the associated components of the affected supported systems inoperable, since the true effect of automatic actuation output logic channel failure is inoperability of the supported system. The Completion Time of 1 hour is based on operating experience and reflects the urgency associated with the inoperability of a safety system component. A combination of Required Actions A.1 and A.2 may be used for different components associated with an inoperable automatic actuation output logic channel.
The protection system also performs continual online hardware monitoring.
OCONEE UNITS 1, 2, & 3               B 3.3.7-6                                           12/10/14 1
The CHANNEL FUNCTIONAL TEST essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.REFERENCES
 
: 1. 10 CFR 50.46.2. UFSAR, Chapter 15.3. 10 CFR 50.36.4. NUREG 0737, Section II.E.4.2.6.
ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES SURVEILLANCE     SR 3.3.7.1 REQUIREMENTS This SR requires manual actuation of the output channel interposing relays (referred to as Ro relays) to demonstrate OPERABILITY of the relays. The proper functioning of the processor portion of the channel is continuously checked by automatic cyclic self monitoring.
OCONEE UNITS 1, 2, & 3 B 3.3.7-8 12/10/14 1 LPSW RB Waterhammer Prevention Circuitry B 3.3.27 B 3.3 INSTRUMENTATION B 3.3.27 Low Pressure Service Water (LPSW) Reactor Building (RB) Waterhammer Prevention Circuitry BASES BACKGROUND NRC Generic Letter 96-06 identified three issues of concern relative to effects of fluid in piping following postulated design basis events. One area of concern is the cooling water system piping serving the containment air coolers. The Low Pressure Service Water (LPSW) system provides cooling water to the safety related Reactor Building Cooling Units (RBCUs), non-safety related Reactor Building Auxiliary Cooling Units (RBACs) and non-safety related Reactor Coolant Pump Motor (RCPM) coolers. There is a possibility of waterhammer in the LPSW piping inside containment during either a Loss-of-Coolant Accident (LOCA) or a Main Steam Line Break (MSLB) concurrent with a loss of off-site power (LOOP) without means to prevent waterhammer.
Failure of reactor building purge valves PR-1, 2, 3, 4, 5, 6 to close following a design basis event would cause a significant increase in the radioactive release because of the large containment leakage path introduced by these 48 inch purge lines. Because of their large size, the 48 inch purge valves are not qualified for automatic closure from their open position under accident conditions. Therefore, the 48 inch purge valves are maintained sealed closed (SR 3.6.3.1) in MODES 1, 2, 3, and 4 to ensure the containment boundary is maintained (Reference 4). Since they are sealed closed in all modes where the Engineered Safeguards system is required operable, testing of these reactor building purge valves is not required per SR 3.3.7.1.
The LPSW RB Waterhammer Prevention System (WPS) is composed of check valves, active pneumatic discharge isolation valves, and active controllable vacuum breaker valves. The LPSW RB Waterhammer Prevention Circuitry isolates LPSW to the RBCUs, RBACs and RCPM coolers any time the LPSW header pressure decreases significantly, such as during a LOOP event or LPSW pump failure during normal operations.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
The isolation function prevents and/or minimizes the potential waterhammers in the associated piping. The LPSW RB Waterhammer Prevention Circuitry will also re-establish flow to the containment air coolers following WPS actuation once the LPSW system has repressurized.
SR 3.3.7.2 SR 3.3.7.2 is the performance of a CHANNEL FUNCTIONAL TEST. The functional test consists of rebooting the digital processors. This verifies that the software has not changed.
The RBCU fans and RBCU cooling water motor operated return valves are Engineered Safeguards (ES) features.
Failure of reactor building purge valves PR-1, 2, 3, 4, 5, 6 to close following a design basis event would cause a significant increase in the radioactive release because of the large containment leakage path introduced by these 48 inch purge lines. Because of their large size, the 48 inch purge valves are not qualified for automatic closure from their open position under accident conditions. Therefore, the 48 inch purge valves are maintained sealed closed (SR 3.6.3.1) in MODES 1, 2, 3, and 4 to ensure the containment boundary is maintained (Reference 4). Since they are sealed closed in all modes where the Engineered Safeguards system is required operable, testing of these reactor building purge valves is not required per SR 3.3.7.2.
On an ES actuation, these valves open. The LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation Valves are designed to close on low LPSW supply header pressure and re-open when the LPSW supply header pressure is restored.
OCONEE UNITS 1, 2, & 3             B 3.3.7-7                                           12/10/14 1
The LPSW RB Waterhammer Prevention Controllable Vacuum Breaker Valves are designed to open on low LPSW pressure and re-close when LPSW pressure is restored.The LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation Valves fail open on loss of instrument air. During normal operation, a control solenoid valve in the instrument air supply to each OCONEE UNITS 1, 2, & 3 B 3.3.27-1 12/10114 1 LPSW RB Waterhammer Prevention Circuitry B 3.3.27 BASES BACKGROUND (continued)
 
LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation Valve is energized to vent air from the actuator to maintain the isolation valves in the open position.
ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES SURVEILLANCE     SR 3.3.7.2 (continued)
On loss of two of four of the analog input signals for the LPSW RB Waterhammer Prevention Isolation Circuitry, the 3-way control solenoid valve is de-energized to align the air accumulator with the pneumatic operator; thereby closing the LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation Valve(s).
REQUIREMENTS The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
LPSW RB Waterhammer Prevention Controllable Vacuum Breaker Valves are located downstream of the pneumatic discharge isolation valves. The LPSW RB Waterhammer Prevention Controllable Vacuum Breaker Valves are normally closed. They open simultaneously with the closing of the LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation Valves in order to break vacuum in the return header by energizing the control solenoid valve.The LPSW RB Waterhammer Prevention Circuitry contains four analog sensor channels and two digital actuation logic channels.
The digital ESPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The protection system also performs continual online hardware monitoring. The CHANNEL FUNCTIONAL TEST essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.
Only three analog sensor channels are required to support OPERABILITY.
REFERENCES       1.     10 CFR 50.46.
Each analog sensor channel contains a safety grade pressure transmitter and current switch. The two digital actuation logic channels consist of safety grade relays in a two-out-of-two logic configuration.
: 2.     UFSAR, Chapter 15.
The actuation of the LPSW RB Waterhammer Prevention Circuitry requires two of the three required LPSW pressure signals supplied from the LPSW header pressure transmitters.
: 3.     10 CFR 50.36.
APPLICABLE SAFETY ANALYSES In a LOOP event, the LPSW RB Waterhammer Prevention Circuitry isolates the cooling water flow to the RBCUs, RBACs and RCPM cooler on low LPSW supply header pressure prior to LPSW pump restart to prevent waterhammers.
: 4.     NUREG 0737, Section II.E.4.2.6.
The LPSW RB Waterhammer Prevention Circuitry will also re-establish flow to the containment air coolers following WPS actuation once the LPSW system has repressurized.
OCONEE UNITS 1, 2, & 3             B 3.3.7-8                                       12/10/14 1
Isolating and re-establishing the LPSW flowpath ensures that Containment Integrity and Containment Heat Removal functions are maintained.
 
The RBCU Fans presently have a 3 minute delay to re-start following ES activation.
LPSW RB Waterhammer Prevention Circuitry B 3.3.27 B 3.3 INSTRUMENTATION B 3.3.27 Low Pressure Service Water (LPSW) Reactor Building (RB) Waterhammer Prevention Circuitry BASES BACKGROUND         NRC Generic Letter 96-06 identified three issues of concern relative to effects of fluid in piping following postulated design basis events. One area of concern is the cooling water system piping serving the containment air coolers. The Low Pressure Service Water (LPSW) system provides cooling water to the safety related Reactor Building Cooling Units (RBCUs), non-safety related Reactor Building Auxiliary Cooling Units (RBACs) and non-safety related Reactor Coolant Pump Motor (RCPM) coolers. There is a possibility of waterhammer in the LPSW piping inside containment during either a Loss-of-Coolant Accident (LOCA) or a Main Steam Line Break (MSLB) concurrent with a loss of off-site power (LOOP) without means to prevent waterhammer.
LPSW flow will be restored to the RBCUs prior to the RBCU fan restart. This ensures the Containment Heat Removal function is unaffected.
The LPSW RB Waterhammer Prevention System (WPS) is composed of check valves, active pneumatic discharge isolation valves, and active controllable vacuum breaker valves. The LPSW RB Waterhammer Prevention Circuitry isolates LPSW to the RBCUs, RBACs and RCPM coolers any time the LPSW header pressure decreases significantly, such as during a LOOP event or LPSW pump failure during normal operations. The isolation function prevents and/or minimizes the potential waterhammers in the associated piping. The LPSW RB Waterhammer Prevention Circuitry will also re-establish flow to the containment air coolers following WPS actuation once the LPSW system has repressurized.
The LPSW RB Waterhammer Prevention Circuitry satisfies Criterion 3 of 10 CFR 50.36 (Ref. 1).OCONEE UNITS 1, 2, & 3 B 3.3.27-2 12/10/14 1 LPSW RB Waterhammer Prevention Circuitry B 3.3.27 BASES (continued)
The RBCU fans and RBCU cooling water motor operated return valves are Engineered Safeguards (ES) features. On an ES actuation, these valves open. The LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation Valves are designed to close on low LPSW supply header pressure and re-open when the LPSW supply header pressure is restored. The LPSW RB Waterhammer Prevention Controllable Vacuum Breaker Valves are designed to open on low LPSW pressure and re-close when LPSW pressure is restored.
LCO Three LPSW RB Waterhammer Prevention analog channels and two digital logic channels shall be OPERABLE.
The LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation Valves fail open on loss of instrument air. During normal operation, a control solenoid valve in the instrument air supply to each OCONEE UNITS 1, 2, & 3                   B 3.3.27-1                                     12/10114     1
Each analog sensor channel contains a safety related pressure transmitter and current switch. The two digital logic channels consist of safety related relays. The LPSW RB Waterhammer Prevention Circuitry design ensures that a single active failure will not prevent the circuitry and associated components from performing the intended safety functions.
 
There are four analog channels, but only three are required to support OPERABILITY.
LPSW RB Waterhammer Prevention Circuitry B 3.3.27 BASES BACKGROUND         LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation (continued)    Valve is energized to vent air from the actuator to maintain the isolation valves in the open position. On loss of two of four of the analog input signals for the LPSW RB Waterhammer Prevention Isolation Circuitry, the 3-way control solenoid valve is de-energized to align the air accumulator with the pneumatic operator; thereby closing the LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation Valve(s). LPSW RB Waterhammer Prevention Controllable Vacuum Breaker Valves are located downstream of the pneumatic discharge isolation valves. The LPSW RB Waterhammer Prevention Controllable Vacuum Breaker Valves are normally closed. They open simultaneously with the closing of the LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation Valves in order to break vacuum in the return header by energizing the control solenoid valve.
These three analog channels are configured in a two out of three control logic scheme that will isolate/reset the LPSW RB Waterhammer Prevention Circuitry.
The LPSW RB Waterhammer Prevention Circuitry contains four analog sensor channels and two digital actuation logic channels. Only three analog sensor channels are required to support OPERABILITY. Each analog sensor channel contains a safety grade pressure transmitter and current switch. The two digital actuation logic channels consist of safety grade relays in a two-out-of-two logic configuration. The actuation of the LPSW RB Waterhammer Prevention Circuitry requires two of the three required LPSW pressure signals supplied from the LPSW header pressure transmitters.
The LPSW RB Waterhammer Prevention Circuitry will close/open the four LPSW RB Pneumatic Discharge Isolation Valves when LPSW pressure is either low or returns to normal. Either digital logic channel will trip/restore the flow path.The actuation logic used for the LPSW RB Waterhammer Prevention Circuitry is similar to other safety related circuitry currently being used. The LCO allowed required action and Completion Times are acceptable based on the number of channels normally available.
APPLICABLE       In a LOOP event, the LPSW RB Waterhammer Prevention SAFETY ANALYSES Circuitry isolates the cooling water flow to the RBCUs, RBACs and RCPM cooler on low LPSW supply header pressure prior to LPSW pump restart to prevent waterhammers. The LPSW RB Waterhammer Prevention Circuitry will also re-establish flow to the containment air coolers following WPS actuation once the LPSW system has repressurized. Isolating and re-establishing the LPSW flowpath ensures that Containment Integrity and Containment Heat Removal functions are maintained.
Though one of the four analog channels can be out of service for an extended period, it is not a normal practice.When one required analog channel is taken out of service, the two out of three analog control logic scheme is reduced to a two out of two analog control logic scheme. This control logic scheme will trip/reset the digital channels on decreasing/increasing supply header pressure.Failure of an analog channel while in the two out of two control logic mode will reduce the control logic to a one out of two control logic scheme. This control logic is unacceptable because a failure will prevent the LPSW RB Waterhammer Prevention Circuitry from working as required.The two digital channels are triggered by two of four analog channels consisting of a pressure transmitter/current switch. On decreasing/increasing supply header pressure, two of four analog channels will trip/reset the digital channels.
The RBCU Fans presently have a 3 minute delay to re-start following ES activation. LPSW flow will be restored to the RBCUs prior to the RBCU fan restart. This ensures the Containment Heat Removal function is unaffected.
If one of the two digital channels is inoperable or out of service, the system is no longer single failure proof.OCONEE UNITS 1, 2, & 3 B 3.3.27-3 12/10/14 1 LPSW RB Waterhammer Prevention Circuitry B 3.3.27 BASES (continued)
The LPSW RB Waterhammer Prevention Circuitry satisfies Criterion 3 of 10 CFR 50.36 (Ref. 1).
APPLICABILITY The LPSW RB Waterhammer Prevention Circuitry is required to be OPERABLE in MODES 1, 2, 3, and 4. This ensures LPSW is available to support the OPERABILITY of the equipment serviced by the LPSW system.In MODES 5 and 6, the probability and consequences of the events that the LPSW System supports is reduced due to the pressure and temperature limitations of these MODES. As a result, the LPSW RB Waterhammer Prevention Circuitry is not required to be OPERABLE in MODES 5 and 6.I ACTIONS A..1 If one required LPSW RB Waterhammer Prevention analog channel is inoperable, the LPSW RB Waterhammer Prevention Circuitry is no longer single failure proof and the control logic scheme is reduced to a two out of two configuration.
OCONEE UNITS 1, 2, & 3               B 3.3.27-2                                         12/10/14   1
Required Action A.1 requires the LPSW RB Waterhammer Prevention analog channels be restored to OPERABLE status within 7 days.The 7 day Completion Time takes into account the allowed outage times of similar systems, reasonable time for repairs, and the low probability of an event occurring during this period.B.1 If one required LPSW RB Waterhammer Prevention digital logic channel is inoperable, the LPSW RB Waterhammer Prevention Circuitry is not single failure proof. Required Action B.1 requires the digital channels be restored to OPERABLE status within 7 days.The 7 day Completion Time takes into account the allowed outage times of similar systems, reasonable time for repairs, and the low probability of an event occurring during this period.OCONEE UNITS 1, 2, & 3 B 3.3.27-4 12/10/14 1 LPSW RB Waterhammer Prevention Circuitry B 3.3.27 BASES ACTIONS C.1 and C.2 (continued)
 
If two or more required LPSW RB Waterhammer Prevention analog channel(s) or two digital logic channel(s) are inoperable or the Required Actions and associated Completion Times of Condition A or B are not met, the WPS must be configured in order to assure the Containment Integrity and Heat removal functions are maintained.
LPSW RB Waterhammer Prevention Circuitry B 3.3.27 BASES (continued)
To achieve this status, actions to prevent automatic closing by manually opening (remote or local) two LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation valves in the same header shall be completed immediately and actions to repair the inoperable equipment shall be taken immediately.
LCO               Three LPSW RB Waterhammer Prevention analog channels and two digital logic channels shall be OPERABLE. Each analog sensor channel contains a safety related pressure transmitter and current switch. The two digital logic channels consist of safety related relays. The LPSW RB Waterhammer Prevention Circuitry design ensures that a single active failure will not prevent the circuitry and associated components from performing the intended safety functions.
LCO 3.7.7 will also apply when the LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation valves in the same header are opened.SURVEILLANCE SR 3.3.27.1 REQUIREMENTS Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred.
There are four analog channels, but only three are required to support OPERABILITY. These three analog channels are configured in a two out of three control logic scheme that will isolate/reset the LPSW RB Waterhammer Prevention Circuitry. The LPSW RB Waterhammer Prevention Circuitry will close/open the four LPSW RB Pneumatic Discharge Isolation Valves when LPSW pressure is either low or returns to normal. Either digital logic channel will trip/restore the flow path.
A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels.
The actuation logic used for the LPSW RB Waterhammer Prevention Circuitry is similar to other safety related circuitry currently being used. The LCO allowed required action and Completion Times are acceptable based on the number of channels normally available. Though one of the four analog channels can be out of service for an extended period, it is not a normal practice.
It is based on the assumption that analog instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two analog instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
When one required analog channel is taken out of service, the two out of three analog control logic scheme is reduced to a two out of two analog control logic scheme. This control logic scheme will trip/reset the digital channels on decreasing/increasing supply header pressure.
Agreement criteria are determined, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability.
Failure of an analog channel while in the two out of two control logic mode will reduce the control logic to a one out of two control logic scheme. This control logic is unacceptable because a failure will prevent the LPSW RB Waterhammer Prevention Circuitry from working as required.
If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.OCONEE UNITS 1, 2, & 3 B 3.3.27-5 12/10/14 1 LPSW RB Waterhammer Prevention Circuitry B 3.3.27 BASES SURVEILLANCE SR 3.3.27.1 (continued)
The two digital channels are triggered by two of four analog channels consisting of a pressure transmitter/current switch. On decreasing/increasing supply header pressure, two of four analog channels will trip/reset the digital channels. If one of the two digital channels is inoperable or out of service, the system is no longer single failure proof.
REQUIREMENTS The CHANNEL CHECK supplements less formal, but potentially more frequent, checks of channel operability during normal operational use of the displays associated with the LCO's required channels.SR 3.3.27.2 A CHANNEL FUNCTIONAL TEST is performed on each channel to ensure the circuitry will perform its intended function.
OCONEE UNITS 1, 2, & 3               B 3.3.27-3                                       12/10/14     1
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR 3.3.27.3 A CHANNEL CALIBRATION is a complete check of the analog instrument channel, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.
 
The CHANNEL CALIBRATION leaves the components adjusted to account for instrument drift to ensure that the circuitry remains operational between successive tests. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES
LPSW RB Waterhammer Prevention Circuitry B 3.3.27 BASES (continued)                                                                                 I APPLICABILITY     The LPSW RB Waterhammer Prevention Circuitry is required to be OPERABLE in MODES 1, 2, 3, and 4. This ensures LPSW is available to support the OPERABILITY of the equipment serviced by the LPSW system.
: 1. 10 CFR 50.36.OCONEE UNITS 1, 2, & 3 B 3.3.27-6 12/10/14 1 Reactor Building Spray and Cooling Systems B 3.6.5 B 3.6 CONTAINMENT SYSTEMS B 3.6.5 Reactor Building Spray and Cooling Systems BASES BACKGROUND The Reactor Building Spray and Reactor Building Cooling systems provide containment atmosphere cooling to limit post accident pressure and temperature in containment to less than the design values. Reduction of containment pressure and the iodine removal capability of the spray reduces the release of fission product radioactivity from containment to the environment, in the event of an accident, to within limits. The Reactor Building Spray and Reactor Building Cooling systems are designed to meet ONS Design Criteria (Ref. 1).The Reactor Building Cooling System and Reactor Building Spray System are Engineered Safeguards (ES) systems. They are designed to ensure that the heat removal capability required during the post accident period can be attained.
In MODES 5 and 6, the probability and consequences of the events that the LPSW System supports is reduced due to the pressure and temperature limitations of these MODES. As a result, the LPSW RB Waterhammer Prevention Circuitry is not required to be OPERABLE in MODES 5 and 6.
The Reactor Building Spray System and Reactor Building Cooling System provide containment heat removal operation.
ACTIONS           A..1 If one required LPSW RB Waterhammer Prevention analog channel is inoperable, the LPSW RB Waterhammer Prevention Circuitry is no longer single failure proof and the control logic scheme is reduced to a two out of two configuration. Required Action A.1 requires the LPSW RB Waterhammer Prevention analog channels be restored to OPERABLE status within 7 days.
The Reactor Building Spray System and Reactor Building Cooling System provide methods to limit and maintain post accident conditions to less than the containment design values.Reactor Building Spray System The Reactor Building Spray System consists of two separate trains of equal capacity, each capable of meeting the design basis. Each train includes a reactor building spray pump, spray headers, nozzles, valves, piping and a flow indicator.
The 7 day Completion Time takes into account the allowed outage times of similar systems, reasonable time for repairs, and the low probability of an event occurring during this period.
Each train is powered from a separate ES bus.The borated water storage tank (BWST) supplies borated water to the Reactor Building Spray System during the injection phase of operation.
B.1 If one required LPSW RB Waterhammer Prevention digital logic channel is inoperable, the LPSW RB Waterhammer Prevention Circuitry is not single failure proof. Required Action B.1 requires the digital channels be restored to OPERABLE status within 7 days.
In the recirculation mode of operation, Reactor Building Spray System pump suction is manually transferred to the reactor building sump.OCONEE UNITS 1, 2, & 3 B 3.6.5-1 12/10/14 1 Reactor Building Spray and Cooling Systems B 3.6.5 BASES BACKGROUND Reactor Building Spray System (continued)
The 7 day Completion Time takes into account the allowed outage times of similar systems, reasonable time for repairs, and the low probability of an event occurring during this period.
The Reactor Building Spray System provides a spray of relatively cold borated water into the upper regions of containment to reduce the containment pressure and temperature and to reduce the concentration of fission products in the containment atmosphere during an accident.
OCONEE UNITS 1, 2, & 3               B 3.3.27-4                                       12/10/14     1
In the recirculation mode of operation, heat is removed from the reactor building sump water by the decay heat removal coolers. Each train of the Reactor Building Spray System provides adequate spray coverage to meet the system design requirements for containment heat removal.The Reactor Building Spray System is actuated automatically by a containment High-High pressure signal. An automatic actuation opens the Reactor Building Spray System pump discharge valves and starts the two Reactor Building Spray System pumps.Reactor Buildingq Cooling System The Reactor Building Cooling System consists of three reactor building cooling trains. Each cooling train is equipped with cooling coils, and an axial vane flow fan driven by a two speed electric motor.During normal unit operation, typically two reactor building cooling trains with two fans operating at low speed or high speed, serve to cool the containment atmosphere.
 
Low speed cooling fan operation is available during periods of lower containment heat load. The third unit is usually on standby. Upon receipt of an emergency signal, the operating cooling fans running at low speed or high speed will automatically trip, then restart in low speed after a 3 minute delay, and any idle unit is energized in low speed after a 3 minute delay. The fans are operated at the lower speed during accident conditions to prevent motor overload from the higher density atmosphere.
LPSW RB Waterhammer Prevention Circuitry B 3.3.27 BASES ACTIONS           C.1 and C.2 (continued)
The common LPSW return header will split into two new headers downstream of the Reactor Building Cooling Units (RBCUs). Each header will contain two pneumatic discharge isolation valves and will be capable of full LPSW flow. The headers will be rejoined downstream of the discharge isolation valves into a common return.APPLICABLE The Reactor Building Spray System and Reactor Building Cooling System SAFETY ANALYSES reduce the temperature and pressure following an accident.
If two or more required LPSW RB Waterhammer Prevention analog channel(s) or two digital logic channel(s) are inoperable or the Required Actions and associated Completion Times of Condition A or B are not met, the WPS must be configured in order to assure the Containment Integrity and Heat removal functions are maintained. To achieve this status, actions to prevent automatic closing by manually opening (remote or local) two LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation valves in the same header shall be completed immediately and actions to repair the inoperable equipment shall be taken immediately. LCO 3.7.7 will also apply when the LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation valves in the same header are opened.
The limiting accidents considered are the loss of coolant accident (LOCA) and the steam line break. The postulated accidents are analyzed, with regard to containment ES systems, assuming the loss of one ES bus. This is the OCONEE UNITS 1, 2, & 3 B 3.6.5-2 12/10/14 1 Reactor Building Spray and Cooling Systems B 3.6.5 BASES APPLICABLE worst-case single active failure, resulting in one train of the Reactor Building SAFETY ANALYSES Spray System and one train of the Reactor Building Cooling System being (continued) inoperable.
SURVEILLANCE     SR 3.3.27.1 REQUIREMENTS Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that analog instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two analog instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
Agreement criteria are determined, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
OCONEE UNITS 1, 2, & 3               B 3.3.27-5                                             12/10/14   1
 
LPSW RB Waterhammer Prevention Circuitry B 3.3.27 BASES SURVEILLANCE     SR 3.3.27.1     (continued)
REQUIREMENTS The CHANNEL CHECK supplements less formal, but potentially more frequent, checks of channel operability during normal operational use of the displays associated with the LCO's required channels.
SR 3.3.27.2 A CHANNEL FUNCTIONAL TEST is performed on each channel to ensure the circuitry will perform its intended function. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.27.3 A CHANNEL CALIBRATION is a complete check of the analog instrument channel, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. The CHANNEL CALIBRATION leaves the components adjusted to account for instrument drift to ensure that the circuitry remains operational between successive tests. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
REFERENCES       1.       10 CFR 50.36.
OCONEE UNITS 1, 2, & 3                 B 3.3.27-6                                       12/10/14   1
 
Reactor Building Spray and Cooling Systems B 3.6.5 B 3.6 CONTAINMENT SYSTEMS B 3.6.5 Reactor Building Spray and Cooling Systems BASES BACKGROUND           The Reactor Building Spray and Reactor Building Cooling systems provide containment atmosphere cooling to limit post accident pressure and temperature in containment to less than the design values. Reduction of containment pressure and the iodine removal capability of the spray reduces the release of fission product radioactivity from containment to the environment, in the event of an accident, to within limits. The Reactor Building Spray and Reactor Building Cooling systems are designed to meet ONS Design Criteria (Ref. 1).
The Reactor Building Cooling System and Reactor Building Spray System are Engineered Safeguards (ES) systems. They are designed to ensure that the heat removal capability required during the post accident period can be attained. The Reactor Building Spray System and Reactor Building Cooling System provide containment heat removal operation. The Reactor Building Spray System and Reactor Building Cooling System provide methods to limit and maintain post accident conditions to less than the containment design values.
Reactor Building Spray System The Reactor Building Spray System consists of two separate trains of equal capacity, each capable of meeting the design basis. Each train includes a reactor building spray pump, spray headers, nozzles, valves, piping and a flow indicator. Each train is powered from a separate ES bus.
The borated water storage tank (BWST) supplies borated water to the Reactor Building Spray System during the injection phase of operation. In the recirculation mode of operation, Reactor Building Spray System pump suction is manually transferred to the reactor building sump.
OCONEE UNITS 1, 2, & 3                   B 3.6.5-1                                     12/10/14     1
 
Reactor Building Spray and Cooling Systems B 3.6.5 BASES BACKGROUND       Reactor Building Spray System (continued)
The Reactor Building Spray System provides a spray of relatively cold borated water into the upper regions of containment to reduce the containment pressure and temperature and to reduce the concentration of fission products in the containment atmosphere during an accident. In the recirculation mode of operation, heat is removed from the reactor building sump water by the decay heat removal coolers. Each train of the Reactor Building Spray System provides adequate spray coverage to meet the system design requirements for containment heat removal.
The Reactor Building Spray System is actuated automatically by a containment High-High pressure signal. An automatic actuation opens the Reactor Building Spray System pump discharge valves and starts the two Reactor Building Spray System pumps.
Reactor Buildingq Cooling System The Reactor Building Cooling System consists of three reactor building cooling trains. Each cooling train is equipped with cooling coils, and an axial vane flow fan driven by a two speed electric motor.
During normal unit operation, typically two reactor building cooling trains with two fans operating at low speed or high speed, serve to cool the containment atmosphere. Low speed cooling fan operation is available during periods of lower containment heat load. The third unit is usually on standby. Upon receipt of an emergency signal, the operating cooling fans running at low speed or high speed will automatically trip, then restart in low speed after a 3 minute delay, and any idle unit is energized in low speed after a 3 minute delay. The fans are operated at the lower speed during accident conditions to prevent motor overload from the higher density atmosphere.
The common LPSW return header will split into two new headers downstream of the Reactor Building Cooling Units (RBCUs). Each header will contain two pneumatic discharge isolation valves and will be capable of full LPSW flow. The headers will be rejoined downstream of the discharge isolation valves into a common return.
APPLICABLE       The Reactor Building Spray System and Reactor Building Cooling System SAFETY ANALYSES reduce the temperature and pressure following an accident. The limiting accidents considered are the loss of coolant accident (LOCA) and the steam line break. The postulated accidents are analyzed, with regard to containment ES systems, assuming the loss of one ES bus. This is the OCONEE UNITS 1, 2, & 3               B 3.6.5-2                                         12/10/14 1
 
Reactor Building Spray and Cooling Systems B 3.6.5 BASES APPLICABLE       worst-case single active failure, resulting in one train of the Reactor Building SAFETY ANALYSES Spray System and one train of the Reactor Building Cooling System being (continued)     inoperable.
The analysis and evaluation show that, under the worst-case scenario (LOCA with worst-case single active failure), the highest peak containment pressure is 57.75 psig. The analysis shows that the peak containment temperature is 283.1 OF. Both results are less than the design values. The analyses and evaluations assume a power level of 2619 MWt, one reactor building spray train and two reactor building cooling trains operating, and initial (pre-accident) conditions of 80&deg;F and 15.9 psia. The analyses also assume a delayed initiation to provide conservative peak calculated containment pressure and temperature responses.
The analysis and evaluation show that, under the worst-case scenario (LOCA with worst-case single active failure), the highest peak containment pressure is 57.75 psig. The analysis shows that the peak containment temperature is 283.1 OF. Both results are less than the design values. The analyses and evaluations assume a power level of 2619 MWt, one reactor building spray train and two reactor building cooling trains operating, and initial (pre-accident) conditions of 80&deg;F and 15.9 psia. The analyses also assume a delayed initiation to provide conservative peak calculated containment pressure and temperature responses.
The Reactor Building Spray System total delay time of approximately 142 seconds includes Keowee Hydro Unit startup (for loss of offsite power), reactor building spray pump startup, and spray line filling (Ref. 2).Reactor building cooling train performance for post accident conditions is given in Reference
The Reactor Building Spray System total delay time of approximately 142 seconds includes Keowee Hydro Unit startup (for loss of offsite power),
: 2. The result of the analysis is that any combination of two trains can provide 100% of the required cooling capacity during the post accident condition.
reactor building spray pump startup, and spray line filling (Ref. 2).
The train post accident cooling capacity under varying containment ambient conditions is also shown in Reference 2.Reactor Building Cooling System total delay time of 3 minutes includes KHU startup (for loss of offsite power) and allows all ES equipment to start before the Reactor Building Cooling Unit on the associated train is started. This improves voltages at the 600V and 208V levels for starting loads (Ref. 2).The Reactor Building Spray System and the Reactor Building Cooling System satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).LCO During an accident, a minimum of two reactor building cooling trains and one reactor building spray train are required to maintain the containment pressure and temperature following a LOCA. Additionally, one reactor building spray train is required to remove iodine from the containment atmosphere and maintain concentrations below those assumed in the safety analysis.
Reactor building cooling train performance for post accident conditions is given in Reference 2. The result of the analysis is that any combination of two trains can provide 100% of the required cooling capacity during the post accident condition. The train post accident cooling capacity under varying containment ambient conditions is also shown in Reference 2.
To ensure that these requirements are met, two reactor building spray trains and three reactor building cooling trains must be OPERABLE in MODES 1 and 2.In MODES 3 or 4, one reactor building spray train and two reactor building cooling trains are required to be OPERABLE.
Reactor Building Cooling System total delay time of 3 minutes includes KHU startup (for loss of offsite power) and allows all ES equipment to start before the Reactor Building Cooling Unit on the associated train is started. This improves voltages at the 600V and 208V levels for starting loads (Ref. 2).
The LCO is provided with a note that clarifies this requirement.
The Reactor Building Spray System and the Reactor Building Cooling System satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).
Therefore, in the event of an accident, the minimum requirements are met, assuming the worst-case single active failure occurs.OCONEE UNITS 1, 2, & 3 B 3.6.5-3 12/10/14 1 Reactor Building Spray and Cooling Systems B 3.6.5 BASES LCO (continued)
LCO               During an accident, a minimum of two reactor building cooling trains and one reactor building spray train are required to maintain the containment pressure and temperature following a LOCA. Additionally, one reactor building spray train is required to remove iodine from the containment atmosphere and maintain concentrations below those assumed in the safety analysis. To ensure that these requirements are met, two reactor building spray trains and three reactor building cooling trains must be OPERABLE in MODES 1 and 2.
Each reactor building spray train shall include a spray pump, spray headers, nozzles, valves, piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the BWST (via the LPI System) upon an Engineered Safeguards Protective System signal and manually transferring suction to the reactor building sump. The OPERABILITY of RBS train flow instrumentation is not required for OPERABILITY of the corresponding RBS train because system resistance hydraulically maintains adequate NPSH to the RBS pumps and manual throttling of RBS flow is not required.
In MODES 3 or 4, one reactor building spray train and two reactor building cooling trains are required to be OPERABLE. The LCO is provided with a note that clarifies this requirement. Therefore, in the event of an accident, the minimum requirements are met, assuming the worst-case single active failure occurs.
During an event, LPI train flow must be monitored and controlled to support the RBS train pumps to ensure that the NPSH requirements for the RBS pumps are not exceeded.
OCONEE UNITS 1, 2, & 3                 B 3.6.5-3                                         12/10/14   1
If the flow instrumentation or the capability to control the flow in a LPI train is unavailable then the associated RBS train's OPERABILITY is affected until such time as the LPI train is restored or the associated LPI pump is placed in a secured state to prevent actuation during an event.Each reactor building cooling train shall include cooling coils, fusible dropout plates or duct openings, an axial vane flow fan, instruments, valves, and controls to ensure an OPERABLE flow path. Two headers of the LPSW RB Waterhammer Prevention Discharge Isolation Valves are required to support flowpath OPERABILITY or one header of LPSW RB Waterhammer Prevention Discharge Isolation Valves shall be manually opened (remote or local) to prevent automatic closure. Valve LPSW-108 shall be locked open to support system OPERABILITY.
 
I APPLICABILITY In MODES 1, 2, 3, and 4, an accident could cause a release of radioactive material to containment and an increase in containment pressure and temperature, requiring the operation of the reactor building spray trains and reactor building cooling trains.In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.Thus, the Reactor Building Spray System and the Reactor Building Cooling System are not required to be OPERABLE in MODES 5 and 6.ACTIONS The Actions are modified by a Note indicating that the provisions of LCO 3.0.4 do not apply for Unit 2 only. As a result, this allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and OCONEE UNITS 1, 2, & 3 B 3.6.5-4 12/10/14 1 Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS (continued) establishment of risk management actions, if appropriate.
Reactor Building Spray and Cooling Systems B 3.6.5 BASES LCO               Each reactor building spray train shall include a spray pump, spray (continued)      headers, nozzles, valves, piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the BWST (via the LPI System) upon an Engineered Safeguards Protective System signal and manually transferring suction to the reactor building sump. The OPERABILITY of RBS train flow instrumentation is not required for OPERABILITY of the corresponding RBS train because system resistance hydraulically maintains adequate NPSH to the RBS pumps and manual throttling of RBS flow is not required. During an event, LPI train flow must be monitored and controlled to support the RBS train pumps to ensure that the NPSH requirements for the RBS pumps are not exceeded. If the flow instrumentation or the capability to control the flow in a LPI train is unavailable then the associated RBS train's OPERABILITY is affected until such time as the LPI train is restored or the associated LPI pump is placed in a secured state to prevent actuation during an event.
The risk assessment may use quantitative, qualitative, or blended approaches and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities to be assessed and managed. The risk assessment must take into account all inoperable Technical Specifications equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope. The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." Regulatory Guide 1.1 82 endorses the guidance in Section 11 of NUMARC 93-01,"Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE change is acceptable.
Each reactor building cooling train shall include cooling coils, fusible dropout plates or duct openings, an axial vane flow fan, instruments, valves, and controls to ensure an OPERABLE flow path. Two headers of             I the LPSW RB Waterhammer Prevention Discharge Isolation Valves are required to support flowpath OPERABILITY or one header of LPSW RB Waterhammer Prevention Discharge Isolation Valves shall be manually opened (remote or local) to prevent automatic closure. Valve LPSW-108 shall be locked open to support system OPERABILITY.
Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability.
APPLICABILITY     In MODES 1, 2, 3, and 4, an accident could cause a release of radioactive material to containment and an increase in containment pressure and temperature, requiring the operation of the reactor building spray trains and reactor building cooling trains.
In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.
Thus, the Reactor Building Spray System and the Reactor Building Cooling System are not required to be OPERABLE in MODES 5 and 6.
ACTIONS           The Actions are modified by a Note indicating that the provisions of LCO 3.0.4 do not apply for Unit 2 only. As a result, this allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and OCONEE UNITS 1, 2, & 3               B 3.6.5-4                                           12/10/14 1
 
Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS           establishment of risk management actions, if appropriate. The risk (continued)    assessment may use quantitative, qualitative, or blended approaches and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities to be assessed and managed. The risk assessment must take into account all inoperable Technical Specifications equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope. The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." Regulatory Guide 1.1 82 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability.
The risk assessment does not have to be documented.
The risk assessment does not have to be documented.
There is a small subset of systems and components that have been determined (Ref: B&W owners group generic qualitative risk assessments-attachment to TSTF-359, Rev. 9, "B&W owners group Qualitative Risk Assessment for Increased Flexibility in MODE Restraints," Framatome Technologies BAW-2383, October 2001.) to be of higher risk significance for which an LCO 3.0.4 exemption would not be allowed. For Oconee these are the Decay Heat Removal System (DHR)entering MODES, 5 and 4; Keowee Hydro Units entering MODES 1-5;and the emergency feedwater system (EFW) entering MODE 1. The Reactor Spray and Cooling System is not one of the higher risk significant systems noted.The provisions of this Note should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified Condition in the Applicability.
There is a small subset of systems and components that have been determined (Ref: B&W owners group generic qualitative risk assessments- attachment to TSTF-359, Rev. 9, "B&W owners group Qualitative Risk Assessment for Increased Flexibility in MODE Restraints," Framatome Technologies BAW-2383, October 2001.) to be of higher risk significance for which an LCO 3.0.4 exemption would not be allowed. For Oconee these are the Decay Heat Removal System (DHR) entering MODES, 5 and 4; Keowee Hydro Units entering MODES 1-5; and the emergency feedwater system (EFW) entering MODE 1. The Reactor Spray and Cooling System is not one of the higher risk significant systems noted.
OCONEE UNITS 1, 2, & 3 B 3.6.5-5 12/10/14 1 Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS A.1 (continued)
The provisions of this Note should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified Condition in the Applicability.
With one reactor building spray train inoperable in MODE 1 or 2, the inoperable reactor building spray train must be restored to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE spray and cooling trains are adequate to perform the iodine removal and containment cooling functions.
OCONEE UNITS 1, 2, & 3               B 3.6.5-5                                       12/10/14 1
The 7 day Completion Time takes into account the redundant heat removal capability afforded by the OPERABLE reactor building spray train, reasonable time for repairs, and the low probability of an accident occurring during this period.The 14 day portion of the Completion Time for Required Action A.1 is based upon engineering judgment.
 
It takes into account the low probability of coincident entry into two Conditions in this LCO coupled with the low probability of an accident occurring during this time. Refer to Section 1.3, Completion Times, for a more detailed discussion of the purpose of the"from discovery of failure to meet the LCO" portion of the Completion Time.B. 1 With one of the reactor building cooling trains inoperable in MODE 1 or 2, the inoperable reactor building cooling train must be restored to OPERABLE status within 7 days. The components in this degraded condition provide iodine removal capabilities and are capable of providing at least 100% of the heat removal needs after an accident.
Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS         A.1 (continued)
The 7 day Completion Time was developed taking into account the redundant heat removal capabilities afforded by combinations of the Reactor Building Spray System and Reactor Building Cooling System and the low probability of an accident occurring during this period.The 14 day portion of the Completion Time for Required Action B. I is based upon engineering judgment.
With one reactor building spray train inoperable in MODE 1 or 2, the inoperable reactor building spray train must be restored to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE spray and cooling trains are adequate to perform the iodine removal and containment cooling functions. The 7 day Completion Time takes into account the redundant heat removal capability afforded by the OPERABLE reactor building spray train, reasonable time for repairs, and the low probability of an accident occurring during this period.
It takes into account the low probability of coincident entry into two Conditions in this LCO coupled with the low probability of an accident occurring during this time. Refer to Section 1.3 for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.C.1 With one reactor building spray train and one reactor building cooling train inoperable in MODE 1 or 2, at least one of the inoperable trains must be restored to OPERABLE status within 24 hours. In this Condition, the remaining OPERABLE spray and cooling trains are adequate to provide iodine removal capabilities and are capable of providing at least 100% of OCONEE UNITS 1, 2, & 3 B 3.6.5-6 12/10/14 1 Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS C.1 (continued) the heat removal needs after an accident.
The 14 day portion of the Completion Time for Required Action A.1 is based upon engineering judgment. It takes into account the low probability of coincident entry into two Conditions in this LCO coupled with the low probability of an accident occurring during this time. Refer to Section 1.3, Completion Times, for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.
The 24 hour Completion Time takes into account the heat removal capability afforded by the remaining OPERABLE spray train and cooling trains, reasonable time for repairs, and the low probability of an accident occurring during this period.D.1 If the Required Action and associated Completion Time of Condition A, B or C are not met, the unit must be brought to a MODE in which the LCO, as modified by the Note, does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours. The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.E.1 With one of the required reactor building cooling trains inoperable in MODE 3 or 4, the required reactor building cooling train must be restored to OPERABLE status within 24 hours.The 24 hour Completion Time is reasonable based on engineering judgement taking into account the iodine and heat removal capabilities of the remaining required train of reactor building spray and cooling.F._1 With one required reactor building spray train inoperable in MODE 3 or 4, the required reactor building spray train must be restored to OPERABLE status within 24 hours. The 24 hour Completion Time is reasonable based on engineering judgement taking into account the heat removal capabilities of the remaining required trains of reactor building cooling.G. 1 If the Required Actions and associated Completion Times of Condition E or F of this LCO are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit OCONEE UNITS 1, 2, & 3 B 3.6.5-7 12/10/14 1 Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS G.1 (continued) conditions from full power conditions in an orderly manner and without challenging unit systems.H..1 With two reactor building spray trains, two reactor building cooling trains or any combination of three or more reactor building spray and reactor building cooling trains inoperable in MODE 1 or 2, the unit is in a condition outside the accident analysis.
B.1 With one of the reactor building cooling trains inoperable in MODE 1 or 2, the inoperable reactor building cooling train must be restored to OPERABLE status within 7 days. The components in this degraded condition provide iodine removal capabilities and are capable of providing at least 100% of the heat removal needs after an accident. The 7 day Completion Time was developed taking into account the redundant heat removal capabilities afforded by combinations of the Reactor Building Spray System and Reactor Building Cooling System and the low probability of an accident occurring during this period.
Therefore, LCO 3.0.3 must be entered immediately.
The 14 day portion of the Completion Time for Required Action B. I is based upon engineering judgment. It takes into account the low probability of coincident entry into two Conditions in this LCO coupled with the low probability of an accident occurring during this time. Refer to Section 1.3 for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.
With any combination of two or more required reactor building spray and reactor building cooling trains inoperable in MODE 3 or 4, the unit is in a condition outside the accident analysis.
C.1 With one reactor building spray train and one reactor building cooling train inoperable in MODE 1 or 2, at least one of the inoperable trains must be restored to OPERABLE status within 24 hours. In this Condition, the remaining OPERABLE spray and cooling trains are adequate to provide iodine removal capabilities and are capable of providing at least 100% of OCONEE UNITS 1, 2, & 3               B 3.6.5-6                                         12/10/14 1
Therefore, LCO 3.0.3 must be entered immediately.
 
SURVEILLANCE SR 3.6.5.1 REQUIREMENTS Verifying the correct alignment for manual and non-automatic power operated valves in the reactor building spray and cooling flow path provides assurance that the proper flow paths will exist for Reactor Building Spray and Cooling System operation.
Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS           C.1 (continued) the heat removal needs after an accident. The 24 hour Completion Time takes into account the heat removal capability afforded by the remaining OPERABLE spray train and cooling trains, reasonable time for repairs, and the low probability of an accident occurring during this period.
This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these were verified to be in the correct position prior to locking, sealing, or securing.
D.1 Ifthe Required Action and associated Completion Time of Condition A, B or C are not met, the unit must be brought to a MODE in which the LCO, as modified by the Note, does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours. The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
Similarly, this SR does not apply to automatic valves since automatic valves actuate to their required position upon an accident signal. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This SR does not require any testing or valve manipulation.
E.1 With one of the required reactor building cooling trains inoperable in MODE 3 or 4, the required reactor building cooling train must be restored to OPERABLE status within 24 hours.
Rather, it involves verification, through a system walkdown, that those valves outside containment and capable of potentially being mispositioned are in the correct position.
The 24 hour Completion Time is reasonable based on engineering judgement taking into account the iodine and heat removal capabilities of the remaining required train of reactor building spray and cooling.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.OCONEE UNITS 1, 2, & 3 B 3.6.5-8 12/10/14 1 Reactor Building Spray and Cooling Systems B 3.6.5 BASES SURVEILLANCE REQUIREMENTS (continued)
F._1 With one required reactor building spray train inoperable in MODE 3 or 4, the required reactor building spray train must be restored to OPERABLE status within 24 hours. The 24 hour Completion Time is reasonable based on engineering judgement taking into account the heat removal capabilities of the remaining required trains of reactor building cooling.
SR 3.6.5.2 Operating each required reactor building cooling train fan unit for>_ 15 minutes ensures that all trains are OPERABLE and that all associated controls are functioning properly.
G.1 Ifthe Required Actions and associated Completion Times of Condition E or F of this LCO are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit OCONEE UNITS 1, 2, & 3               B 3.6.5-7                                         12/10/14 1
It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR 3.6.5.3 Verifying that each required Reactor Building Spray pump's developed head at the flow test point is greater than or equal to the required developed head ensures that spray pump performance has not degraded during the cycle. Flow and differential pressure are normal tests of centrifugal pump performance required by Section XI of the ASME Code (Ref. 4). Since the Reactor Building Spray System pumps cannot be tested with flow through the spray headers, they are tested on recirculation flow. This test confirms one point on the pump design curve and is indicative of overall performance.
 
Such inservice tests confirm component OPERABILITY, trend performance, and may detect incipient failures by indicating abnormal performance.
Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS           G.1 (continued) conditions from full power conditions in an orderly manner and without challenging unit systems.
The Frequency of this SR is in accordance with the Inservice Testing Program.SR 3.6.5.4 Verifying the containment heat removal capability provides assurance that the containment heat removal systems are capable of maintaining containment temperature below design limits following an accident.
H..1 With two reactor building spray trains, two reactor building cooling trains or any combination of three or more reactor building spray and reactor building cooling trains inoperable in MODE 1 or 2, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.
This test verifies the heat removal capability of the Low Pressure Injection (LPI)Coolers and Reactor Building Cooling Units. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.OCONEE UNITS 1, 2, & 3 B 3.6.5-9 12/10/14 1 Reactor Building Spray and Cooling Systems B 3.6.5 BASES SURVEILLANCE REQUIREMENTS (continued)
With any combination of two or more required reactor building spray and reactor building cooling trains inoperable in MODE 3 or 4, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.
SR 3.6.5.5 and 3.6.5.6 These SRs require verification that each automatic reactor building spray and cooling valve actuates to its correct position and that each reactor building spray pump starts upon receipt of an actual or simulated actuation signal. The test will be considered satisfactory if visual observation and control board indication verifies that all components have responded to the actuation signal properly; the appropriate pump breakers have closed, and all valves have completed their travel. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative controls.
SURVEILLANCE     SR 3.6.5.1 REQUIREMENTS Verifying the correct alignment for manual and non-automatic power operated valves in the reactor building spray and cooling flow path provides assurance that the proper flow paths will exist for Reactor Building Spray and Cooling System operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these were verified to be in the correct position prior to locking, sealing, or securing. Similarly, this SR does not apply to automatic valves since automatic valves actuate to their required position upon an accident signal. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This SR does not require any testing or valve manipulation.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR 3.6.5.7 This SR requires verification that each required reactor building cooling train actuates upon receipt of an actual or simulated actuation signal. The test will be considered satisfactory if control board indication verifies that all components have responded to the actuation signal properly, the appropriate valves have completed their travel, and fans are running at half speed. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR 3.6.5.8 With the reactor building spray header isolated and drained of any solution, station compressed air is introduced into the spray headers. This SR requires verification that each spray nozzle is unobstructed following activities which could cause nozzle blockage.
Rather, it involves verification, through a system walkdown, that those valves outside containment and capable of potentially being mispositioned are in the correct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.REFERENCES
OCONEE UNITS 1, 2, & 3               B 3.6.5-8                                           12/10/14 1
: 1. UFSAR, Section 3.1.2. UFSAR, Section 6.2.3. 10 CFR 50.36.4. ASME, Boiler and Pressure Vessel Code, Section Xl.OCONEE UNITS 1, 2, & 3 B 3.6.5-10 12/10/14 1 LPSW System B 3.7.7 B 3.7 PLANT SYSTEMS B 3.7.7 Low Pressure Service Water (LPSW) System BASES BACKGROUND The LPSW System provides a heat sink for the removal of process and operating heat from safety related components during a transient or accident.
 
During normal operation and normal shutdown, the LPSW System also provides this function for various safety related and nonsafety related components.
Reactor Building Spray and Cooling Systems B 3.6.5 BASES SURVEILLANCE     SR 3.6.5.2 REQUIREMENTS (continued)      Operating each required reactor building cooling train fan unit for
The LPSW system for Unit 1 and Unit 2 is shared and consists of three LPSW pumps which can supply multiple combinations of path ways to supply required components.
                  >_15 minutes ensures that all trains are OPERABLE and that all associated controls are functioning properly. It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action.
The LPSW system for Unit 3 consists of two LPSW pumps which can supply multiple combinations of path ways to supply required components.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
Although multiple combinations of path ways exist, only one flow path is necessary, since no single failure of an active component can prevent the LPSW system from supplying necessary components.
SR 3.6.5.3 Verifying that each required Reactor Building Spray pump's developed head at the flow test point is greater than or equal to the required developed head ensures that spray pump performance has not degraded during the cycle. Flow and differential pressure are normal tests of centrifugal pump performance required by Section XI of the ASME Code (Ref. 4). Since the Reactor Building Spray System pumps cannot be tested with flow through the spray headers, they are tested on recirculation flow. This test confirms one point on the pump design curve and is indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend performance, and may detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the Inservice Testing Program.
The pumps and valves are remote manually aligned, except in the unlikely event of a loss of coolant accident (LOCA)or other accidents.
SR 3.6.5.4 Verifying the containment heat removal capability provides assurance that the containment heat removal systems are capable of maintaining containment temperature below design limits following an accident. This test verifies the heat removal capability of the Low Pressure Injection (LPI)
The pumps are automatically started upon receipt of an Engineered Safeguards actuation signal, and automatic valves are aligned to their post accident positions.
Coolers and Reactor Building Cooling Units. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
The LPSW System also provides cooling directly to the Reactor Building Cooling Units (RBCU) and Low Pressure Injection coolers, turbine driven EFW pump, HPI pump motor coolers, and the motor driven EFW pumps.GL 96-06 required consideration of waterhammer inside containment during a LOCA or MSLB combined with a loss of offsite power (LOOP)event. As a result, the LPSW Reactor Building (RB) Waterhammer Prevention System (WPS) was added to maintain LPSW piping water solid inside containment during any event that causes a loss of LPSW system pressure.
OCONEE UNITS 1, 2, & 3               B 3.6.5-9                                       12/10/14 1
The WPS is fully automatic.
 
Other functions of the WPS are addressed by LCO 3.3.27 and LCO 3.6.5.Additional information about the design and operation of the LPSW System, along with a list of the components served, is presented in the UFSAR, Section 9.2.2 (Ref. 1).APPLICABLE The primary safety function of the LPSW System is, in conjunction with a SAFETY ANALYSES 100% capacity reactor building cooling system, (a combination of the reactor building spray and reactor building air coolers) to remove core decay heat following a design basis LOCA, as discussed in the UFSAR, OCONEE UNITS 1, 2, & 3 B 3.7.7-1 12/10/14 1 LPSW System B 3.7.7 BASES APPLICABLE Section 6.3 (Ref. 2). This provides for a gradual reduction in the SAFETY ANALYSES temperature of the fluid, as it is supplied to the Reactor Coolant System (continued) (RCS) by the High Pressure and Low Pressure Injection pumps.The LPSW System is designed to perform its function with a single active failure of any component, assuming loss of offsite power.The LPSW System also cools the unit from Decay Heat Removal (DHR)System entry conditions, to MODE 5 during normal and post accident operation.
Reactor Building Spray and Cooling Systems B 3.6.5 BASES SURVEILLANCE     SR 3.6.5.5 and 3.6.5.6 REQUIREMENTS (continued)      These SRs require verification that each automatic reactor building spray and cooling valve actuates to its correct position and that each reactor building spray pump starts upon receipt of an actual or simulated actuation signal. The test will be considered satisfactory if visual observation and control board indication verifies that all components have responded to the actuation signal properly; the appropriate pump breakers have closed, and all valves have completed their travel. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
The time required for this evolution is a function of the number of DHR System trains that are operating.
SR 3.6.5.7 This SR requires verification that each required reactor building cooling train actuates upon receipt of an actual or simulated actuation signal. The test will be considered satisfactory if control board indication verifies that all components have responded to the actuation signal properly, the appropriate valves have completed their travel, and fans are running at half speed. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
One LPSW pump per unit and a flowpath is sufficient to remove decay heat during subsequent operations in MODES 5 and 6. This assumes a maximum LPSW System temperature of 90&deg;F occurring simultaneously with maximum heat loads on the system.The LPSW System satisfies Criterion 3 of 10 CFR 50.36 (Ref. 2).LCO For the LPSW system shared by Units 1 and 2, three LPSW pumps are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst case single active failure occurs coincident with the loss of offsite power. The LCO is modified by a Note which requires only two LPSW pumps to be OPERABLE for Units I or 2 if either Unit is defueled and one LPSW pump is capable of mitigating the DBA on the fueled Unit.The Units 1 and 2 LPSW System requires only two pumps to meet the single failure criterion provided that one of the units has been defueled and the following LPSW System loads on the defueled unit are isolated: Reactor Building Cooling Units (RBCU), Reactor Building Auxiliary Coolers, Component Cooling, Main Turbine Oil Tank, Reactor Coolant (RC) Pumps, and Low Pressure Injection (LPI) Coolers.For the LPSW system for Unit 3, two LPSW pumps are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst case single active failure occurs coincident with the loss of offsite power.An LPSW flow path is considered OPERABLE when the associated piping, valves, heat exchangers, and instrumentation and controls required to perform the safety related function are OPERABLE.
SR 3.6.5.8 With the reactor building spray header isolated and drained of any solution, station compressed air is introduced into the spray headers. This SR requires verification that each spray nozzle is unobstructed following activities which could cause nozzle blockage. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
Any combination of pathways to supply the required components is acceptable, provided there is no single active failure which can prevent supplying necessary loads and applicable design criteria (e.g., seismic qualification) are satisfied.
REFERENCES         1.       UFSAR, Section 3.1.
OCONEE UNITS 1, 2, & 3 B 3.7.7-2 12/10/14 1 LPSW System B 3.7.7 BASES LCO (continued)
: 2.       UFSAR, Section 6.2.
The LPSW WPS is considered OPERABLE when the associated leakage accumulator, relief valves, seat leakage limits for check valves and pneumatic discharge isolation valves, closure capability of pneumatic discharge isolation valves, and opening capability of the controllable vacuum breaker valves are OPERABLE.APPLICABILITY In MODES 1, 2, 3, and 4, the LPSW System is a normally operating system that is required to support the OPERABILITY of the equipment serviced by the LPSW System. Therefore, the LPSW System is required to be OPERABLE in these MODES.In MODES 5 and 6, the OPERABILITY requirements of the LPSW System are determined by the systems it supports.ACTIONS A.1 If one required LPSW pump is inoperable, action must be taken to restore the required LPSW pump to OPERABLE status within 72 hours.In this Condition, the remaining OPERABLE LPSW pump(s) are adequate to perform the heat removal function.
: 3.       10 CFR 50.36.
However, the overall reliability is reduced because a single failure in the OPERABLE LPSW pump(s) could result in loss of LPSW system function.
: 4.       ASME, Boiler and Pressure Vessel Code, Section Xl.
The 72 hour Completion Time is based on the redundant capabilities afforded by the OPERABLE pump, and the low probability of a DBA occurring during this period.B. 1 If the LPSW WPS is inoperable, action shall be taken to restore the required LPSW WPS components to OPERABLE status within 7 days.The 7 day Completion Time is based on similar systems and is considered reasonable based on engineering judgment and the low probability of a DBA occurring during the period of maintenance.
OCONEE UNITS 1, 2, & 3               B 3.6.5-10                                           12/10/14 1
C.1 and C.2 If the LPSW pump or WPS cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit I OCONEE UNITS 1, 2, & 3 B 3.7.7-3 12/10/14 1 LPSW System B 3.7.7 BASES ACTIONS C.1 and C.2 (continued) must be placed in at least MODE 3 within 12 hours, and in MODE 5 within 60 hours.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.The extended interval to reach MODE 5 provides additional time to restore the required LPSW pump and is reasonable considering that the potential for an accident or transient is reduced in MODE 3.SURVEILLANCE SR 3.7.7.1 REQUIREMENTS Verifying the correct level in the leakage accumulator will provide assurance that in the event of boundary valve leakage during a LOOP event, there is sufficient water to keep the LPSW piping filled. The required water level is between half full and full, which corresponds to a level indication of 20.5" to 41". Any level glass reading is bounded by 20.5" to 41" level indication, therefore any level glass reading is considered acceptable.
 
During LPSW testing, accumulator level > 41" is acceptable because the mass of air in the accumulator is unchanged in the short term; therefore the accumulator is still capable of performing its safety function.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR 3.7.7.2 Verifying the correct alignment for manual, and power operated valves in the LPSW System flow path provides assurance that the proper flow paths exist for LPSW System operation.
LPSW System B 3.7.7 B 3.7 PLANT SYSTEMS B 3.7.7 Low Pressure Service Water (LPSW) System BASES BACKGROUND         The LPSW System provides a heat sink for the removal of process and operating heat from safety related components during a transient or accident. During normal operation and normal shutdown, the LPSW System also provides this function for various safety related and nonsafety related components.
This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to locking, sealing, or securing.
The LPSW system for Unit 1 and Unit 2 is shared and consists of three LPSW pumps which can supply multiple combinations of path ways to supply required components. The LPSW system for Unit 3 consists of two LPSW pumps which can supply multiple combinations of path ways to supply required components. Although multiple combinations of path ways exist, only one flow path is necessary, since no single failure of an active component can prevent the LPSW system from supplying necessary components. The pumps and valves are remote manually aligned, except in the unlikely event of a loss of coolant accident (LOCA) or other accidents. The pumps are automatically started upon receipt of an Engineered Safeguards actuation signal, and automatic valves are aligned to their post accident positions. The LPSW System also provides cooling directly to the Reactor Building Cooling Units (RBCU) and Low Pressure Injection coolers, turbine driven EFW pump, HPI pump motor coolers, and the motor driven EFW pumps.
This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position.
GL 96-06 required consideration of waterhammer inside containment during a LOCA or MSLB combined with a loss of offsite power (LOOP) event. As a result, the LPSW Reactor Building (RB) Waterhammer Prevention System (WPS) was added to maintain LPSW piping water solid inside containment during any event that causes a loss of LPSW system pressure. The WPS is fully automatic. Other functions of the WPS are addressed by LCO 3.3.27 and LCO 3.6.5.
This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves.OCONEE UNITS 1, 2, & 3 B 3.7.7-4 12/10/14 1 LPSW System B 3.7.7 BASES SURVEILLANCE SR 3.7.7.2 (continued)
Additional information about the design and operation of the LPSW System, along with a list of the components served, is presented in the UFSAR, Section 9.2.2 (Ref. 1).
REQUIREMENTS The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.This SR is modified by a Note indicating that the isolation of components or systems supported by the LPSW System does not affect the OPERABILITY of the LPSW System.SR 3.7.7.3 The SR verifies proper automatic operation of the LPSW System valves.The LPSW System is a normally operating system that cannot be fully actuated as part of the normal testing. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative controls.
APPLICABLE         The primary safety function of the LPSW System is, in conjunction with a SAFETY ANALYSES 100% capacity reactor building cooling system, (a combination of the reactor building spray and reactor building air coolers) to remove core decay heat following a design basis LOCA, as discussed in the UFSAR, OCONEE UNITS 1, 2, & 3                 B 3.7.7-1                                       12/10/14 1
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR 3.7.7.4 The SR verifies proper automatic operation of the LPSW System pumps on an actual or simulated actuation signal. The LPSW System is a normally operating system that cannot be fully actuated as part of normal testing during normal operation.
 
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR 3.7.7.5 The SR verifies proper operation of the LPSWRB Waterhammer Prevention System leakage accumulator.
LPSW System B 3.7.7 BASES APPLICABLE       Section 6.3 (Ref. 2). This provides for a gradual reduction in the SAFETY ANALYSES temperature of the fluid, as it is supplied to the Reactor Coolant System (continued)     (RCS) by the High Pressure and Low Pressure Injection pumps.
Verifying adequate flow from the accumulator will provide assurance that in the event of boundary valve leakage during a LOOP event, there is sufficient water to keep LPSW piping filled.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.OCONEE UNITS 1, 2, & 3 B 3.7.7-5 12/10/14 1 LPSW System B 3.7.7 BASES SURVEILLANCE REQUIREMENTS (continued)
The LPSW System is designed to perform its function with a single active failure of any component, assuming loss of offsite power.
SR 3.7.7.6 The SR verifies that LPSW WPS boundary valve leakage is < 20 gpm.Verifying boundary valve leakage is within limits will ensure that in the event of a LOOP, a waterhammer will not occur, because the LPSW leakage accumulator will be able to maintain the LPSW piping water solid.The LPSW Leakage Accumulator is designed to allow up to 25 gpm of aggregate leakage for one minute. The boundary valve leakage is limited to 20 gpm in order to allow five (5) gpm of miscellaneous leakage.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.I REFERENCES
The LPSW System also cools the unit from Decay Heat Removal (DHR)
: 1. UFSAR, Section 9.2.2.2. UFSAR, Section 6.3.3. 10 CFR 50.36.OCONEE UNITS 1, 2, & 3 B 3.7.7-6 12/10/14 1}}
System entry conditions, to MODE 5 during normal and post accident operation. The time required for this evolution is a function of the number of DHR System trains that are operating. One LPSW pump per unit and a flowpath is sufficient to remove decay heat during subsequent operations in MODES 5 and 6. This assumes a maximum LPSW System temperature of 90&deg;F occurring simultaneously with maximum heat loads on the system.
The LPSW System satisfies Criterion 3 of 10 CFR 50.36 (Ref. 2).
LCO               For the LPSW system shared by Units 1 and 2, three LPSW pumps are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst case single active failure occurs coincident with the loss of offsite power. The LCO is modified by a Note which requires only two LPSW pumps to be OPERABLE for Units I or 2 if either Unit is defueled and one LPSW pump is capable of mitigating the DBA on the fueled Unit.
The Units 1 and 2 LPSW System requires only two pumps to meet the single failure criterion provided that one of the units has been defueled and the following LPSW System loads on the defueled unit are isolated:
Reactor Building Cooling Units (RBCU), Reactor Building Auxiliary Coolers, Component Cooling, Main Turbine Oil Tank, Reactor Coolant (RC) Pumps, and Low Pressure Injection (LPI) Coolers.
For the LPSW system for Unit 3, two LPSW pumps are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst case single active failure occurs coincident with the loss of offsite power.
An LPSW flow path is considered OPERABLE when the associated piping, valves, heat exchangers, and instrumentation and controls required to perform the safety related function are OPERABLE. Any combination of pathways to supply the required components is acceptable, provided there is no single active failure which can prevent supplying necessary loads and applicable design criteria (e.g., seismic qualification) are satisfied.
OCONEE UNITS 1, 2, & 3                 B 3.7.7-2                                       12/10/14 1
 
LPSW System B 3.7.7 BASES LCO               The LPSW WPS is considered OPERABLE when the associated leakage (continued)      accumulator, relief valves, seat leakage limits for check valves and pneumatic discharge isolation valves, closure capability of pneumatic discharge isolation valves, and opening capability of the controllable vacuum breaker valves are OPERABLE.
APPLICABILITY     In MODES 1, 2, 3, and 4, the LPSW System is a normally operating system that is required to support the OPERABILITY of the equipment serviced by the LPSW System. Therefore, the LPSW System is required to be OPERABLE in these MODES.
In MODES 5 and 6, the OPERABILITY requirements of the LPSW System are determined by the systems it supports.
ACTIONS           A.1 If one required LPSW pump is inoperable, action must be taken to restore the required LPSW pump to OPERABLE status within 72 hours.
In this Condition, the remaining OPERABLE LPSW pump(s) are adequate to perform the heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE LPSW pump(s) could result in loss of LPSW system function. The 72 hour Completion Time is based on the redundant capabilities afforded by the OPERABLE pump, and the low probability of a DBA occurring during this period.
B. 1 If the LPSW WPS is inoperable, action shall be taken to restore the required LPSW WPS components to OPERABLE status within 7 days.               I The 7 day Completion Time is based on similar systems and is considered reasonable based on engineering judgment and the low probability of a DBA occurring during the period of maintenance.
C.1 and C.2 If the LPSW pump or WPS cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit OCONEE UNITS 1, 2, & 3                 B 3.7.7-3                                     12/10/14 1
 
LPSW System B 3.7.7 BASES ACTIONS         C.1 and C.2 (continued) must be placed in at least MODE 3 within 12 hours, and in MODE 5 within 60 hours.
The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
The extended interval to reach MODE 5 provides additional time to restore the required LPSW pump and is reasonable considering that the potential for an accident or transient is reduced in MODE 3.
SURVEILLANCE     SR 3.7.7.1 REQUIREMENTS Verifying the correct level in the leakage accumulator will provide assurance that in the event of boundary valve leakage during a LOOP event, there is sufficient water to keep the LPSW piping filled. The required water level is between half full and full, which corresponds to a level indication of 20.5" to 41". Any level glass reading is bounded by 20.5" to 41" level indication, therefore any level glass reading is considered acceptable. During LPSW testing, accumulator level > 41" is acceptable because the mass of air in the accumulator is unchanged in the short term; therefore the accumulator is still capable of performing its safety function.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.7.7.2 Verifying the correct alignment for manual, and power operated valves in the LPSW System flow path provides assurance that the proper flow paths exist for LPSW System operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to locking, sealing, or securing. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves.
OCONEE UNITS 1, 2, & 3               B 3.7.7-4                                         12/10/14 1
 
LPSW System B 3.7.7 BASES SURVEILLANCE     SR 3.7.7.2 (continued)
REQUIREMENTS The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note indicating that the isolation of components or systems supported by the LPSW System does not affect the OPERABILITY of the LPSW System.
SR 3.7.7.3 The SR verifies proper automatic operation of the LPSW System valves.
The LPSW System is a normally operating system that cannot be fully actuated as part of the normal testing. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.7.7.4 The SR verifies proper automatic operation of the LPSW System pumps on an actual or simulated actuation signal. The LPSW System is a normally operating system that cannot be fully actuated as part of normal testing during normal operation. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.7.7.5 The SR verifies proper operation of the LPSWRB Waterhammer Prevention System leakage accumulator. Verifying adequate flow from the accumulator will provide assurance that in the event of boundary valve leakage during a LOOP event, there is sufficient water to keep LPSW piping filled.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
OCONEE UNITS 1, 2, & 3               B 3.7.7-5                                       12/10/14 1
 
LPSW System B 3.7.7 BASES SURVEILLANCE     SR 3.7.7.6 REQUIREMENTS (continued)      The SR verifies that LPSW WPS boundary valve leakage is < 20 gpm.             I Verifying boundary valve leakage is within limits will ensure that in the event of a LOOP, a waterhammer will not occur, because the LPSW leakage accumulator will be able to maintain the LPSW piping water solid.
The LPSW Leakage Accumulator is designed to allow up to 25 gpm of aggregate leakage for one minute. The boundary valve leakage is limited to 20 gpm in order to allow five (5) gpm of miscellaneous leakage.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
REFERENCES       1.     UFSAR, Section 9.2.2.
: 2.     UFSAR, Section 6.3.
: 3.     10 CFR 50.36.
OCONEE UNITS 1, 2, & 3               B 3.7.7-6                                       12/10/14 1}}

Latest revision as of 17:11, 31 October 2019

Technical Specification (TS) Bases Change
ML15035A549
Person / Time
Site: Oconee  Duke Energy icon.png
Issue date: 01/29/2015
From: Batson S
Duke Energy Carolinas
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
ONS-2015-006
Download: ML15035A549 (112)
v  d  e


Text

DUKE ENE LRGYIOconee Vice President Scott L. Batson Nuclear Station Duke Energy ONOIVP 17800 Rochester Hwy Seneca, SC 29672 10 CFR 50.36 o: 864.873.3274 f 864.873.4208 ONS-2015-006 Scott.Batson@duke-energy.com January 29, 2015 ATTN: Document Control Desk U.S. Nuclear Regulatory Commission 11555 Rockville Pike Rockville,. Maryland 20852

Subject:

Duke Energy Carolinas, LLC Oconee Nuclear Station Docket Numbers 50-269, 50-270, and 50-287 Technical Specification (TS) Bases Change Please find attached changes to the Oconee Nuclear Station (ONS) TS Bases. These changes were processed in accordance with the provisions of Technical Specification 5.5.15, "Technical Specifications (TS) Bases Control Program."

TS Bases (TSB) Change 2014-05 revises TS Bases 3.4.3, RCS Pressure and Temperature Limits, Limited Condition for Operation section on the intent of the "any" period of time used in TS Tables 3.4.3-1, "Operational Requirements for Unit Heatup" and 3.4.3-2, "Operational Requirements for Unit Cooldown." This clarification is needed to ensure that the heatup and cooldown rates are evaluated over a continuous period of time.

Amendments 388/390/389 were issued to remove obsolete information associated with the Reactor Protective System/Electrical System upgrades, Low Pressure Service Water Waterhammer Prevention System modifications, and Emergency Condenser Circulating Water System upgrades. TS Bases (TSB) Change 2014-13 revises TS Bases 3.3.1, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.27, 3.6.5 and 3.7.7 consistent with these amendments.

Any questions regarding this information should be directed to Sandra Severance, ONS Regulatory Affairs Group, at (864) 873-3466.

Sincerely, Scott L. Batson Vice President Oconee Nuclear Station Attachment Aw)

I-(CC www.duke-energy.com

U. S. Nuclear Regulatory Commission January 29, 2015 Page 2 cc: Mr. Victor McCree, Regional Administrator U.S. Nuclear Regulatory Commission, Region II Marquis One Tower 245 Peachtree Center Ave., NE, Suite 1200 Atlanta, GA 30303-1257 Mr. James R. Hall, Senior Project Manager (ONS)

(By electronic mail only)

U. S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation 11555 Rockville Pike Mail Stop O-8G9A Rockville, MD 20852 Mr. Jeffrey A. Whited, (Acting) Project Manager (ONS)

(By electronic mail only)

U. S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation 11555 Rockville Pike Mail Stop O-8B1A Rockville, MD 20852 Mr. Eddy Crowe Senior Resident Inspector Oconee Nuclear Station

luclear Station DUKE

ENERGY, Oconee Duke Energy 7800 Rochester Hwy Sen eca, SC 29672 January 29, 2015 Re: Oconee Nuclear Station Technical Specification Bases Change Please replace the corresponding pages in your copy of the Oconee Technical Specifications Bases Manual as follows:

REMOVE THESE PAGES INSERT THESE PAGES List of Effective Pages (LOEP) 1- 17 List of Effective Pages (LOEP) 1- 17 TS Bases Page B 3.4.3-1 thru 8 TS Bases Page B 3.4.3-1 thru 8 TS Bases Page B 3.3.1-1 thru 30 TS Bases Page B 3.3.1-1 thru 26 TS Bases Page B 3.3.3-1 thru 6 TS Bases Page B 3.3.3-1 thru 4 TS Bases Page B 3.3.4-1 thru 4 TS Bases Page B 3.3.4-1 thru 4 TS Bases Page B 3.3.5-1 thru 17 TS Bases Page B 3.3.5-1 thru 15 TS Bases Page B 3.3.6-1 thru 4 TS Bases Page B 3.3.6-1 thru 4 TS Bases Page B 3.3.7-1 thru 8 TS Bases Page B 3.3.7-1 thru 8 TS Bases Page B 3.3.27-1 thru 6 TS Bases Page B 3.3.27-1 thru 6 TS Bases Page B 3.6.5-1 thru 11 TS Bases Page B 3.6.5-1 thru 10 TS Bases Page B 3.7.7-1 thru 6 TS Bases Page B 3.7.7-1 thru 6 If you have any questions concerning the contents of this Technical Specification Bases update, contact Sandra Severance (864) 873-3466.

C 4s Wasik Regulatory Affairs Manager www.duke-energy.com

Attachment Oconee Nuclear Station Revised Technical Specification Bases Pages

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE LOEPI BASES REVISION 12/10/14 LOEP2 BASES REVISION 07/23/12 LOEP3 BASES REVISION 12/10/14 LOEP4 BASES REVISION 12/10/14 LOEP5 BASES REVISION 12/10/14 LOEP6 BASES REVISION 05/16/14 LOEP7 BASES REVISION 12/10/14 LOEP8 BASES REVISION 01/14/15 LOEP9 BASES REVISION 06/13/14 LOEP 10 BASES REVISION 05/16/12 LOEP 11 BASES REVISION 12/10/14 LOEP12 BASES REVISION 12/10/14 LOEP 13 BASES REVISION 09/03/14 LOEP14 BASES REVISION 08/28/14 LOEP 15 BASES REVISION 05/16/12 LOEP16 BASES REVISION 11/05/14 LOEP17 BASES REVISION 11/05/14 i BASES REVISION 06/03/11 ii 363/365/364 10/29/08 iii 355/357/356 04/02/07 iv BASES REVISION 09/03/14 B 2.1.1-1 BASES REVISION 05/31/12 B 2.1.1-2 BASES REVISION 05/31/12 B 2.1.1-3 BASES REVISION 05/31/12 B 2.1.1-4 BASES REVISION 05/31/12 B 2.1.2-1 BASES REVISION 02/06/14 B 2.1.2-2 BASES REVISION 02/06/14 B 2.1.2-3 BASES REVISION 02/06/14 B 3.0-1 356/358/357 04/02/07 B 3.0-2 BASES REVISION 10/23/03 B 3.0-3 BASES REVISION 10/23/03 B 3.0-4 BASES REVISION 10/23/03 B 3.0-5 BASES REVISION 10/23/03 B 3.0-6 BASES REVISION 10/23/03 B 3.0-7 BASES REVISION 10/23/03 B 3.0-8 BASES REVISION 10/23/03 LOEPI

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B 3.0-9 356/358/357 04/02/07 B 3.0-10 356/358/357 04/02/07 B 3.0-11 356/358/357 04/02/07 B 3.0-12 356/358/357 04/02/07 B 3.0-13 BASES REVISION 10/20/11 B 3.0-14 BASES REVISION 10/23/03 B 3.0-15 BASES REVISION 10/23/03 B 3.1.1-1 BASES REVISION 05/16/12 B 3.1.1-2 BASES REVISION 05/16/12 B 3.1.1-3 BASES REVISION 05/16/12 B3.1.1-4 BASES REVISION 05/16/12 B 3.1.2-1 BASES REVISION 05/16/12 B 3.1.2-2 BASES REVISION 05/16/12 B 3.1.2-3 BASES REVISION 05/16/12 B 3.1.2-4 BASES REVISION 05/16/12 B 3.1.2-5 BASES REVISION 05/16/12 B 3.1.3-1 BASES REVISION 06/02/99 B 3.1.3-2 BASES REVISION 03/27/99 B 3.1.3-3 300/300/300 12/16/98 B 3.1.3-4 300/300/300 12/16/98 B 3.1.4-1 BASES REVISION 07/23/12 B 3.1.4-2 BASES REVISION 07/23/12 B 3.1.4-3 BASES REVISION 07/23/12 B 3.1.4-4 BASES REVISION 07/23/12 B 3.1.4-5 BASES REVISION 07/23/12 B 3.1.4-6 BASES REVISION 07/23/12 B 3.1.4-7 BASES REVISION 07/23/12 B 3.1.4-8 BASES REVISION 07/23/12 B 3.1.4-9 BASES REVISION 07/23/12 B 3.1.5-1 BASES REVISION 05/16/12 B 3.1.5-2 BASES REVISION 05/16/12 B 3.1.5-3 BASES REVISION 05/16/12 B 3.1.5-4 BASES REVISION 05/16/12 B 3.1.6-1 BASES REVISION 07/23/12 B 3.1.6-2 BASES REVISION 07/23/12 B 3.1.6-3 BASES REVISION 07/23/12 B 3.1.6-4 DELETE BASES REV. 07/23/12 LOEP2

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B 3.1.7-1 BASES REVISION 07/23/12 B 3.1.7-2 BASES REVISION 07/23/12 B 3.1.7-3 BASES REVISION 07/23/12 B 3.1.7-4 BASES REVISION 07/23/12 B 3.1.8-1 BASES REVISION 05/16/12 B 3.1.8-2 BASES REVISION 05/16/12 B 3.1.8-3 BASES REVISION 05/16/12 B 3.1.8-4 BASES REVISION 05/16/12 B 3.1.8-5 BASES REVISION 05/16/12 B 3.2.1-1 BASES REVISION 05/16/12 B 3.2.1-2 BASES REVISION 05/16/12 B 3.2.1-3 BASES REVISION 05/16/12 B 3.2.1-4 BASES REVISION 05/16/12 B 3.2.1-5 BASES REVISION 05/16/12 B 3.2.1-6 BASES REVISION 05/16/12 B 3.2.1-7 BASES REVISION 05/16/12 B 3.2.2-1 BASES REVISION 05/16/12 B 3.2.2-2 BASES REVISION 05/16/12 B 3.2.2-3 BASES REVISION 05/16/12 B 3.2.2-4 BASES REVISION 05/16/12 B 3.2.2-5 BASES REVISION 05/16/12 B 3.2.2-6 BASES REVISION 05/16/12 B 3.2.2-7 BASES REVISION 05/16/12 B 3.2.3-1 BASES REVISION 05/16/12 B 3.2.3-2 BASES REVISION 05/16/12 B 3.2.3-3 BASES REVISION 05/16/12 B 3.2.3-4 BASES REVISION 05/16/12 B 3.2.3-5 BASES REVISION 05/16/12 B 3.2.3-6 BASES REVISION 05/16/12 B 3.2.3-7 BASES REVISION 05/16/12 B 3.2.3-8 BASES REVISION 05/16/12 B 3.2.3-9 BASES REVISION 05/16/12 B 3.3.1-1 BASES REVISION 12/10/14 B 3.3.1-2 BASES REVISION 12/10/14 B 3.3.1-3 BASES REVISION 12/10/14 B 3.3.1-4 BASES REVISION 12/10/14 B 3.3.1-5 BASES REVISION 12/10/14 B 3.3.1-6 BASES REVISION 12/10/14 LOEP3

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B 3.3.1-7 BASES REVISION 12/10/14 B 3.3.1-8 BASES REVISION 12/10/14 B 3.3.1-9 BASES REVISION 12/10/14 B 3.3.1-10 BASES REVISION 12/10/14 B 3.3.1-11 BASES REVISION 12/10/14 B 3.3.1-12 BASES REVISION 12/10/14 B 3.3.1-13 BASES REVISION 12/10/14 B 3.3.1-14 BASES REVISION 12/10/14 B 3.3.1-15 BASES REVISION 12/10/14 B 3.3.1-16 BASES REVISION 12/10/14 B 3.3.1-17 BASES REVISION 12/10/14 B 3.3.1-18 BASES REVISION 12/10/14 B 3.3.1-19 BASES REVISION 12/10/14 B 3.3.1-20 BASES REVISION 12/10/14 B 3.3.1-21 BASES REVISION 12/10/14 B 3.3.1-22 BASES REVISION 12/10/14 B 3.3.1-23 BASES REVISION 12/10/14 B 3.3.1-24 BASES REVISION 12/10/14 B 3.3.1-25 BASES REVISION 12/10/14 B.3.3.1-26 BASES REVISION 12/10/14 B.3.3.1-27 DELETED 12/10/14 B.3.3.1-28 DELETED 12/10/14 B.3.3.1-29 DELETED 12/10/14 B.3.3.1-30 DELETED 12/10/14 B 3.3.2-1 BASES REVISION 12/14/04 B 3.3.2-2 BASES REVISION 12/14/04 B 3.3.2-3 BASES REVISION 12/14/04 B 3.3.3-1 BASES REVISION 12/10/14 B 3.3.3-2 BASES REVISION 12/10/14 B 3.3.3-3 BASES REVISION 12/10/14 B 3.3.3-4 BASES REVISION 12/10/14 B.3.3.3-5 DELETED 12/10/14 B.3.3.3-6 DELETED 12/10/14 B 3.3.4-1 BASES REVISION 12/10/14 B 3.3.4-2 BASES REVISION 12/10/14 B 3.3.4-3 BASES REVISION 12/10/14 B 3.3.4-4 BASES REVISION 12/10/14 B 3.3.5-1 BASES REVISION 12/10/14 B 3.3.5-2 BASES REVISION 12/10/14 B 3.3.5-3 BASES REVISION 12/10/14 B 3.3.5-4 BASES REVISION 12/10/14 LOEP4

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B 3.3.5-5 BASES REVISION 12/10/14 B 3.3.5-6 BASES REVISION 12/10/14 B 3.3.5-7 BASES REVISION 12/10/14 B 3.3.5-8 BASES REVISION 12/10/14 B 3.3.5-9 BASES REVISION 12/10/14 B 3.3.5-10 BASES REVISION 12/10/14 B 3.3.5-11 BASES REVISION 12/10/14 B 3.3.5-12 BASES REVISION 12/10/14 B 3.3.5-13 BASES REVISION 12/10/14 B 3.3.5-14 BASES REVISION 12/10/14 B 3.3.5-15 BASES REVISION 12/10/14 B 3.3.5-16 DELETED 12/10/14 B 3.3.5-17 DELETED 12/10/14 B 3.3.6-1 BASES REVISION 12/10/14 B 3.3.6-2 BASES REVISION 12/10/14 B 3.3.6-3 BASES REVISION 12/10/14 B 3.3.6-4 BASES REVISION 12/10/14 B 3.3.7-1 BASES REVISION 12/10/14 B 3.3.7-2 BASES REVISION 12/10/14 B 3.3.7-3 BASES REVISION 12/10/14 B 3.3.7-4 BASES REVISION 12/10/14 B 3.3.7-5 BASES REVISION 12/10/14 B 3.3.7-6 BASES REVISION 12/10/14 B 3.3.7-7 BASES REVISION 12/10/14 B 3.3.7-8 BASES REVISION 12/10/14 B 3.3.8-1 BASES REVISION 05/16/12 B 3.3.8-2 BASES REVISION 05/16/12 B 3.3.8-3 BASES REVISION 05/16/12 B 3.3.8-4 BASES REVISION 05/16/12 B 3.3.8-5 BASES REVISION 05/16/12 B 3.3.8-6 BASES REVISION 05/16/12 B 3.3.8-7 BASES REVISION 05/16/12 B 3.3.8-8 BASES REVISION 05/16/12 B 3.3.8-9 BASES REVISION 05/16/12 B 3.3.8-10 BASES REVISION 05/16/12 B 3.3.8-11 BASES REVISION 05/16/12 B 3.3.8-12 BASES REVISION 05/16/12 B 3.3.8-13 BASES REVISION 05/16/12 B 3.3.8-14 BASES REVISION 05/16/12 B 3.3.8-15 BASES REVISION 05/16/12 B 3.3.8-16 BASES REVISION 05/16/12 B 3.3.8-17 BASES REVISION 05/16/12 LOEP5

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B 3.3.8-18 BASES REVISION 05/16/12 B 3.3.8-19 BASES REVISION 05/16/12 B 3.3.8-20 Deleted 350/352/351 06/01/06 B 3.3.9-1 BASES REVISION 05/16/12 B 3.3.9-2 BASES REVISION 05/16/12 B 3.3.9-3 BASES REVISION 05/16/12 B 3.3.9-4 BASES REVISION 05/16/12 B 3.3.10-1 BASES REVISION 05/16/12 B 3.3.10-2 BASES REVISION 05/16/12 B 3.3.10-3 BASES REVISION 05/16/12 B 3.3.10-4 BASES REVISION 05/16/12 B 3.3.11-1 BASES REVISION 05/16/12 B 3.3.11-2 BASES REVISION 05/16/12 B 3.3.11-3 BASES REVISION 05/16/12 B 3.3.11-4 BASES REVISION 05/16/12 B 3.3.11-5 BASES REVISION 05/16/12 B 3.3.11-6 DELETE BASES REV 4/17/02 B 3.3.12-1 BASES REVISION 05/16/12 B 3.3.12-2 BASES REVISION 05/16/12 B 3.3.12-3 DELETE 320/320/320 9/26/01 B 3.3.13-1 BASES REVISION 05/16/12 B 3.3.13-2 BASES REVISION 05/16/12 B 3.3.13-3 BASES REVISION 05/16/12 B 3.3.13-4 BASES REVISION 05/16/12 B 3.3.14-1 BASES REVISION 05/16/12 B 3.3.14-2 BASES REVISION 05/16/12 B 3.3.14-3 BASES REVISION 05/16/12 B 3.3.14-4 BASES REVISION 05/16/12 B 3.3.15-1 BASES REVISION 05/16/12 B 3.3.15-2 BASES REVISION 05/16/12 B 3.3.15-3 BASES REVISION 05/16/12 B 3.3.16-1 BASES REVISION 05/16/12 B 3.3.16-2 BASES REVISION 05/16/12 B 3.3.16-3 BASES REVISION 05/16/12 B 3.3.16-4 BASES REVISION 05/16/12 B 3.3.17-1 BASES REVISION 05/16/12 B 3.3.17-2 BASES REVISION 05/16/12 B 3.3.17-3 BASES REVISION 05/16/12 B 3.3.18-1 BASES REVISION 05/16/12 B 3.3.18-2 BASES REVISION 05/16/12 B 3.3.18-3 BASES REVISION 05/16/12 B 3.3.18-4 BASES REVISION 05/16/12 LOEP6

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B 3.3.19-1 BASES REVISION 05/16/12 B 3.3.19-2 BASES REVISION 05/16/12 B 3.3.19-3 BASES REVISION 05/16/12 B 3.3.19-4 BASES REVISION 05/16/12 B 3.3.20-1 BASES REVISION 05/16/12 B 3.3.20-2 BASES REVISION 05/16/12 B 3.3.20-3 BASES REVISION 05/16/12 B 3.3.20-4 BASES REVISION 05/16/12 B 3.3.21-1 BASES REVISION 05/16/12 B 3.3.21-2 BASES REVISION 05/16/12 B 3.3.21-3 BASES REVISION 05/16/12 B 3.3.22-1 BASES REVISION 05/16/12 B 3.3.22-2 BASES REVISION 05/16/12 B 3.3.23-1 BASES REVISION 05/16/12 B 3.3.23-2 BASES REVISION 05/16/12 B 3.3.23-3 BASES REVISION 05/16/12 B 3.3.23-4 BASES REVISION 05/16/12 B 3.3.24-1 320/320/320 9/26/01 B 3.3.25-1 336/336/337 11/5/03 B 3.3.25-2 Delete,336/336/337 11/5/03 B 3.3.25-3 Delete,336/336/337 11/5/03 B 3.3.25-4 Delete,336/336/337 11/5/03 B 3.3.25-5 Delete,336/336/337 11/5/03 B 3.3.25-6 Delete,336/336/337 11/5/03 B 3.3.26-1 336/336/337 11/5/03 B 3.3.26-2 Delete,336/336/337 11/5/03 B 3.3.26-3 Delete,336/336/337 11/5/03 B 3.3.27-1 BASES REVISION 12/10/14 B 3.3.27-2 BASES REVISION 12/10/14 B 3.3.27-3 BASES REVISION 12/10/14 B 3.3.27-4 BASES REVISION 12/10/14 B 3.3.27-5 BASES REVISION 12/10/14 B 3.3.27-6 BASES REVISION 12/10/14 B 3.3.28-1 BASES REVISION 05/16/12 B 3.3.28-2 BASES REVISION 05/16/12 B 3.3.28-3 BASES REVISION 05/16/12 B 3.3.28-4 BASES REVISION 05/16/12 B 3.4.1-1 BASES REVISION 05/16/12 B 3.4.1-2 BASES REVISION 05/16/12 B 3.4.1-3 BASES REVISION 05/16/12 B 3.4.1-4 BASES REVISION 05/16/12 B 3.4.1-5 BASES REVISION 05/16/12 B 3.4.2-1 300/300/300 12/16/98 LOEP7

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B 3.4.2-2 300/300/300 12/16/98 B 3.4.3-1 BASES REVISION 01/14/15 B 3.4.3-2 BASES REVISION 01/14/15 B 3.4.3-3 BASES REVISION 01/14/15 B 3.4.3-4 BASES REVISION 01/14/15 B 3.4.3-5 BASES REVISION 01/14/15 B 3.4.3-6 BASES REVISION 01/14/15 B 3.4.3-7 BASES REVISION 01/14/15 B 3.4.3-8 BASES REVISION 01/14/15 B 3.4.4-1 BASES REVISION 05/16/12 B 3.4.4-2 BASES REVISION 05/16/12 B 3.4.4-3 BASES REVISION 05/16/12 B 3.4.4-4 BASES REVISION 05/16/12 B 3.4.5-1 BASES REVISION 05/16/12 B 3.4.5-2 BASES REVISION 05/16/12 B 3.4.5-3 BASES REVISION 05/16/12 B 3.4.5-4 BASES REVISION 05/16/12 B 3.4.6-1 BASES REVISION 05/16/12 B3.4.6-2 BASES REVISION 05/16/12 B 3.4.6-3 BASES REVISION 05/16/12 B 3.4.6-4 BASES REVISION 05/16/12 B 3.4.7-1 BASES REVISION 05/16/12 B 3.4.7-2 BASES REVISION 05/16/12 B 3.4.7-3 BASES REVISION 05/16/12 B 3.4.7-4 BASES REVISION 05/16/12 B 3.4.7-5 BASES REVISION 05/16/12 B 3.4.8-1 BASES REVISION 05/16/12 B 3.4.8-2 BASES REVISION 05/16/12 B 3.4.8-3 BASES REVISION 05/16/12 B 3.4.8-4 BASES REVISION 05/16/12 B 3.4.9-1 BASES REVISION 05/16/12 B 3.4.9-2 BASES REVISION 05/16/12 B 3.4.9-3 BASES REVISION 05/16/12 B 3.4.9-4 BASES REVISION 05/16/12 B 3.4.9-5 BASES REVISION 05/16/12 B 3.4.9-6 BASES REVISION 05/16/12 B 3.4.10-1 309/309/309 1/18/00 B 3.4.10-2 309/309/309 1/18/00 B 3.4.10-3 309/309/309 1/18/00 B 3.4.10-4 309/309/309 1/18/00 B 3.4.11-1 BASES REVISION 10/12/12 B 3.4.11-2 BASES REVISION 10/12/12 LOEP8

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B 3.4.11-3 BASES REVISION 10/12/12 B 3.4.11-4 BASES REVISION 10/12/12 B 3.4.11-5 DELETE BASES REV 10/12/12 B 3.4.12-1 BASES REVISION 06/13/14 B 3.4.12-2 BASES REVISION 06/13/14 B 3.4.12-3 BASES REVISION 06/13/14 B 3.4.12-4 BASES REVISION 06/13/14 B 3.4.12-5 BASES REVISION 06/13/14 B 3.4.12-6 BASES REVISION 06/13/14 B 3.4.12-7 BASES REVISION 06/13/14 B 3.4.12-8 BASES REVISION 06/13/14 B 3.4.12-9 BASES REVISION 06/13/14 B 3.4.12-10 BASES REVISION 06/13/14 B 3.4.12-11 BASES REVISION 06/13/14 B 3.4.12-12 BASES REVISION 06/13/14 B 3.4.13-1 BASES REVISION 05/16/12 B 3.4.13-2 BASES REVISION 05/16/12 B 3.4.13-3 BASES REVISION 05/16/12 B 3.4.13-4 BASES REVISION 05/16/12 B 3.4.13-5 BASES REVISION 05/16/12 B 3.4.13-6 BASES REVISION 05/16/12 B 3.4.14-1 BASES REVISION 05/16/12 B 3.4.14-2 BASES REVISION 05/16/12 B 3.4.14-3 BASES REVISION 05/16/12 B 3.4.14-4 BASES REVISION 05/16/12 B 3.4.14-5 BASES REVISION 05/16/12 B 3.4.14-6 BASES REVISION 05/16/12 B 3.4.15-1 BASES REVISION 05/16/12 B 3.4.15-2 BASES REVISION 05/16/12 B 3.4.15-3 BASES REVISION 05/16/12 B 3.4.15-4 BASES REVISION 05/16/12 B 3.4.15-5 BASES REVISION 05/16/12 B 3.4.16-1 355/357/356 4/2/07 B 3.4.16-2 355/357/356 4/2/07 B 3.4.16-3 355/357/356 4/2/07 B 3.4.16-4 355/357/356 4/2/07 B 3.4.16-5 355/357/356 4/2/07 B 3.4.16-6 355/357/356 4/2/07 B 3.4.16-7 355/357/356 4/2/07 B 3.5.1-1 BASES REVISION 05/16/12 B 3.5.1-2 BASES REVISION 05/16/12 B 3.5.1-3 BASES REVISION 05/16/12 B 3.5.1-4 BASES REVISION 05/16/12 B 3.5.1-5 BASES REVISION 05/16/12 LOEP9

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B 3.5.1-6 BASES REVISION 05/16/12 B 3.5.1-7 BASES REVISION 05/16/12 B 3.5.1-8 BASES REVISION 05/16/12 B 3.5.2-1 BASES REVISION 05/16/12 B 3.5.2-2 BASES REVISION 05/16/12 B 3.5.2-3 BASES REVISION 05/16/12 B 3.5.2-4 BASES REVISION 05/16/12 B 3.5.2-5 BASES REVISION 05/16/12 B 3.5.2-6 BASES REVISION 05/16/12 B 3.5.2-7 BASES REVISION 05/16/12 B 3.5.2-8 BASES REVISION 05/16/12 B 3.5.2-9 BASES REVISION 05/16/12 B 3.5.2-10 BASES REVISION 05/16/12 B 3.5.2-11 BASES REVISION 05/16/12 B 3.5.2-12 BASES REVISION 05/16/12 B 3.5.2-13 BASES REVISION 05/16/12 B 3.5.2-14 BASES REVISION 05/16/12 B 3.5.3-1 BASES REVISION 05/16/12 B 3.5.3-2 BASES REVISION 05/16/12 B 3.5.3-3 BASES REVISION 05/16/12 B 3.5.3-4 BASES REVISION 05/16/12 B 3.5.3-5 BASES REVISION 05/16/12 B 3.5.3-6 BASES REVISION 05/16/12 B 3.5.3-7 BASES REVISION 05/16/12 B 3.5.3-8 BASES REVISION 05/16/12 B 3.5.3-9 BASES REVISION 05/16/12 B 3.5.3-10 Delete 09/02/04 B 3.5.4-1 BASES REVISION 05/16/12 B 3.5.4-2 BASES REVISION 05/16/12 B 3.5.4-3 BASES REVISION 05/16/12 B 3.5.4-4 BASES REVISION 05/16/12 B 3.5.4-5 BASES REVISION 05/16/12 B 3.5.4-6 BASES REVISION 05/16/12 B 3.6.1-1 BASES REVISION 10/20/11 B 3.6.1-2 BASES REVISION 10/20/11 B 3.6.1-3 BASES REVISION 10/20/11 B 3.6.1-4 BASES REVISION 10/20/11 B 3.6.1-5 Delete 12/16/98 B 3.6.2-1 BASES REVISION 05/16/12 B 3.6.2-2 BASES REVISION 05/16/12 B 3.6.2-3 BASES REVISION 05/16/12 B 3.6.2-4 BASES REVISION 05/16/12 B 3.6.2-5 BASES REVISION 05/16/12 LOEP10

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B 3.6.2-6 BASES REVISION 05/16/12 B 3.6.2-7 BASES REVISION 05/16/12 B 3.6.3-1 BASES REVISION 05/16/12 B 3.6.3-2 BASES REVISION 05/16/12 B 3.6.3-3 BASES REVISION 05/16/12 B 3.6.3-4 BASES REVISION 05/16/12 B 3.6.3-5 BASES REVISION 05/16/12 B 3.6.3-6 BASES REVISION 05/16/12 B 3.6.3-7 BASES REVISION 05/16/12 B 3.6.3-8 BASES REVISION 05/16/12 B 3.6.3-9 BASES REVISION 05/16/12 B.3.6.3-10 BASES REVISION 05/16/12 B 3.6.4-1 BASES REVISION 05/16/12 B 3.6.4-2 BASES REVISION 05/16/12 B 3.6.4-3 BASES REVISION 05/16/12 B 3.6.5-1 BASES REVISION 12/10/14 B 3.6.5-2 BASES REVISION 12/10/14 B 3.6.5-3 BASES REVISION 12/10/14 B 3.6.5-4 BASES REVISION 12/10/14 B 3.6.5-5 BASES REVISION 12/10/14 B 3.6.5-6 BASES REVISION 12/10/14 B 3.6.5-7 BASES REVISION 12/10/14 B 3.6.5-8 BASES REVISION 12/10/14 B 3.6.5-9 BASES REVISION 12/10/14 B 3.6.5-10 BASES REVISION 12/10/14 B 3.6.5-11 DELETED 12/10/14 B 3.7.1-1 BASES REVISION 08/08/12 B 3.7.1-2 BASES REVISION 08/08/12 B 3.7.1-3 BASES REVISION 08/08/12 B 3.7.1-4 BASES REVISION 08/08/12 B 3.7.2-1 BASES REVISION 11/13/12 B 3.7.2-2 BASES REVISION 11/13/12 B 3.7.2-3 BASES REVISION 11/13/12 B 3.7.2-4 BASES REVISION 11/13/12 B 3.7.2-5 BASES REVISION 11/13/12 B 3.7.3-1 BASES REVISION 1/17/06 B 3.7.3-2 BASES REVISION 1/17/06 B 3.7.3-3 BASES REVISION 1/17/06 B 3.7.3-4 BASES REVISION 1/17/06 B 3.7.4-1 BASES REVISION 05/16/12 B3.7.4-2 BASES REVISION 05/16/12 LOEP 1I

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B3.7.4-3 BASES REVISION 05/16/12 B3.7.4-4 BASES REVISION 05/16/12 B 3.7.5-1 BASES REVISION 05/16/12 B 3.7.5-2 BASES REVISION 05/16/12 B 3.7.5-3 BASES REVISION 05/16/12 B 3.7.5-4 BASES REVISION 05/16/12 B 3.7.5-5 BASES REVISION 05/16/12 B 3.7.5-6 BASES REVISION 05/16/12 B 3.7.5-7 BASES REVISION 05/16/12 B 3.7.5-8 BASES REVISION 05/16/12 B 3.7.6-1 BASES REVISION 05/16/12 B 3.7.6-2 BASES REVISION 05/16/12 B 3.7.6-3 BASES REVISION 05/16/12 B 3.7.7-1 BASES REVISION 12/10/14 B 3.7.7-2 BASES REVISION 12/10/14 B 3.7.7-3 BASES REVISION 12/10/14 B 3.7.7-4 BASES REVISION 12/10/14 B 3.7.7-5 BASES REVISION 12/10/14 B 3.7.7-6 BASES REVISION 12/10/14 B 3.7.8-1 BASES REVISION 05/16/12 B 3.7.8-2 BASES REVISION 05/16/12 B 3.7.8-3 BASES REVISION 05/16/12 B 3.7.8-4 BASES REVISION 05/16/12 B 3.7.8-5 BASES REVISION 05/16/12 B 3.7.8-6 BASES REVISION 05/16/12 B 3.7.8-7 BASES REVISION 05/16/12 B 3.7.9-1 BASES REVISION 08/28/14 B 3.7.9-2 BASES REVISION 08/28/14 B 3.7.9-3 BASES REVISION 08/28/14 B 3.7.9-4 BASES REVISION 08/28/14 B 3.7.9-5 BASES REVISION 08/28/14 B 3.7.10-1 BASES REVISION 09/03/14 B 3.7.10-2 BASES REVISION 09/03/14 B 3.7.10-3 BASES REVISION 09/03/14 B 3.7.10-4 BASES REVISION 09/03/14 B 3.7.10-5 BASES REVISION 09/03/14 B 3.7.10-6 BASES REVISION 09/03/14 B 3.7.10-7 BASES REVISION 09/03/14 B 3.7.10-8 BASES REVISION 09/03/14 B 3.7.10-9 BASES REVISION 09/03/14 B 3.7.10-10 BASES REVISION 09/03/14 B 3.7.10-11 BASES REVISION 09/03/14 LOEP12

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B 3.7.10-12 BASES REVISION 09/03/14 B 3.7.10-13 BASES REVISION 09/03/14 B 3.7.1Oa-1 BASES REVISION 09/03/14 B 3.7.1Oa-2 BASES REVISION 09/03/14 B 3.7.1Oa-3 BASES REVISION 09/03/14 B 3.7.1Oa-4 BASES REVISION 09/03/14 B 3.7.1Oa-5 BASES REVISION 09/03/14 B 3.7.10a-6 BASES REVISION 09/03/14 B 3.7.10a-7 BASES REVISION 09/03/14 B 3.7.11-1 BASES REVISION 05/16/12 B 3.7.11-2 BASES REVISION 05/16/12 B 3.7.11-3 BASES REVISION 05/16/12 B 3.7.12-1 BASES REVISION 05/16/12 B 3.7.12-2 BASES REVISION 05/16/12 B 3.7.12-3 BASES REVISION 05/16/12 B 3.7.12-4 BASES REVISION 05/16/12 B 3.7.12-5 Deleted 351/353/352 06/15/06 B 3.7.13-1 BASES REVISION 08/19/10 B 3.7.13-2 BASES REVISION 08/19/10 B 3.7.13-3 BASES REVISION 08/19/10 B 3.7.13-4 BASES REVISION 08/19/10 B 3.7.13-5 BASES REVISION 08/19/10 B 3.7.14-1 BASES REVISION 05/16/12 B 3.7.14-2 BASES REVISION 05/16/12 B 3.7.14-3 BASES REVISION 05/16/12 B 3.7.15-1 BASES REVISION 10/24/07 B 3.7.15-2 BASES REVISION 10/24/07 B 3.7.15-3 BASES REVISION 10/24/07 B 3.7.16-1 BASES REVISION 05/16/12 B 3.7.16-2 BASES REVISION 05/16/12 B 3.7.16-3 BASES REVISION 05/16/12 B 3.7.16-4 BASES REVISION 05/16/12 B 3.7.16-5 BASES REVISION 05/16/12 B 3.7.16-6 BASES REVISION 05/16/12 B 3.7.16-7 BASES REVISION 05/16/12 B 3.7.17-1 BASES REVISION 04/12/06 B 3.7.17-2 BASES REVISION 04/12/06 B 3.7.17-3 BASES REVISION 04/12/06 B 3.7.18-1 351/353/352 06/15/06 B 3.7.18-2 351/353/352 06/15/06 B 3.7.18-3 351/353/352 06/15/06 B 3.7.18-4 351/353/352 06/15/06 B 3.7.19-1 BASES REVISION 06/25/14 B 3.7.19-2 BASES REVISION 06/25/14 LOEP 13

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B 3.7.19-3 BASES REVISION 06/25/14 B 3.7.19-4 BASES REVISION 06/25/14 B 3.7.19-5 BASES REVISION 06/25/14 B 3.7.19-6 BASES REVISION 06/25/14 B 3.8.1-1 BASES REVISION 08/28/14 B 3.8.1-2 BASES REVISION 08/28/14 B 3.8.1-3 BASES REVISION 08/28/14 B 3.8.1-4 BASES REVISION 08/28/14 B 3.8.1-5 BASES REVISION 08/28/14 B 3.8.1-6 BASES REVISION 08/28/14 B 3.8.1-7 BASES REVISION 08/28/14 B 3.8.1-8 BASES REVISION 08/28/14 B 3.8.1-9 BASES REVISION 08/28/14 B 3.8.1-10 BASES REVISION 08/28/14 B 3.8.1-11 BASES REVISION 08/28/14 B 3.8.1-12 BASES REVISION 08/28/14 B 3.8.1-13 BASES REVISION 08/28/14 B 3.8.1-14 BASES REVISION 08/28/14 B 3.8.1-15 BASES REVISION 08/28/14 B 3.8.1-16 BASES REVISION 08/28/14 B 3.8.1-17 BASES REVISION 08/28/14 B 3.8.1-18 BASES REVISION 08/28/14 B 3.8.1-19 BASES REVISION 08/28/14 B 3.8.1-20 BASES REVISION 08/28/14 B 3.8.1-21 BASES REVISION 08/28/14 B 3.8.1-22 BASES REVISION 08/28/14 B 3.8.1-23 BASES REVISION 08/28/14 B 3.8.1-24 BASES REVISION 08/28/14 B 3.8.1-25 BASES REVISION 08/28/14 B 3.8.1-26 BASES REVISION 08/28/14 B 3.8.2-1 BASES REVISION 04/07/11 B 3.8.2-2 BASES REVISION 04/07/11 B 3.8.2-3 BASES REVISION 04/07/11 B 3.8.2-4 BASES REVISION 04/07/11 B 3.8.2-5 BASES REVISION 04/07/11 B 3.8.2-6 BASES REVISION 04/07/11 B 3.8.2-7 BASES REVISION 04/07/11 B 3.8.3-1 BASES REVISION 05/16/12 B 3.8.3-2 BASES REVISION 05/16/12 B 3.8.3-3 BASES REVISION 05/16/12 B 3.8.3-4 BASES REVISION 05/16/12 B 3.8.3-5 BASES REVISION 05/16/12 B 3.8.3-6 BASES REVISION 05/16/12 B 3.8.3-7 BASES REVISION 05/16/12 LOEP14

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B 3.8.3-8 BASES REVISION 05/16/12 B 3.8.3-9 BASES REVISION 05/16/12 B 3.8.3-10 BASES REVISION 05/16/12 B 3.8.4-1 338/339/339 12/18/07 B 3.8.4-2 338/339/339 12/18/07 B 3.8.4-3 338/339/339 12/18/07 B 3.8.4-4 300/300/300 12/18/07 B 3.8.5-1 BASES REVISION 05/16/12 B 3.8.5-2 BASES REVISION 05/16/12 B 3.8.5-3 BASES REVISION 05/16/12 B 3.8.5-4 BASES REVISION 05/16/12 B 3.8.5-5 BASES REVISION 05/16/12 B 3.8.5-6 BASES REVISION 05/16/12 B 3.8.6-1 BASES REVISION 05/16/12 B 3.8.6-2 BASES REVISION 05/16/12 B 3.8.6-3 BASES REVISION 05/16/12 B 3.8.6-4 BASES REVISION 05/16/12 B 3.8.7-1 BASES REVISION 05/16/12 B 3.8.7-2 BASES REVISION 05/16/12 B 3.8.7-3 BASES REVISION 05/16/12 B 3.8.8-1 BASES REVISION 05/16/12 B 3.8.8-2 BASES REVISION 05/16/12 B 3.8.8-3 BASES REVISION 05/16/12 B 3.8.8-4 BASES REVISION 05/16/12 B 3.8.8-5 BASES REVISION 05/16/12 B 3.8.8-6 BASES REVISION 05/16/12 B 3.8.8-7 BASES REVISION 05/16/12 B 3.8.8-8 BASES REVISION 05/16/12 B 3.8.8-9 BASES REVISION 05/16/12 B 3.8.9-1 BASES REVISION 05/16/12 B 3.8.9-2 BASES REVISION 05/16/12 B 3.8.9-3 BASES REVISION 05/16/12 B 3.8.9-4 BASES REVISION 05/16/12 B 3.9.1-1 BASES REVISION 05/16/12 B 3.9.1-2 BASES REVISION 05/16/12 B 3.9.1-3 BASES REVISION 05/16/12 LOEP 15

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B 3.9.2-1 BASES REVISION 05/16/12 B 3.9.2-2 BASES REVISION 05/16/12 B 3.9.2-3 BASES REVISION 05/16/12 B 3.9.2-4 BASES REVISION 05/16/12 B 3.9.3-1 BASES REVISION 05/16/12 B 3.9.3-2 BASES REVISION 05/16/12 B 3.9.3-3 BASES REVISION 05/16/12 B 3.9.3-4 BASES REVISION 05/16/12 B 3.9.3-5 BASES REVISION 05/16/12 B 3.9.4-1 BASES REVISION 05/16/12 B 3.9.4-2 BASES REVISION 05/16/12 B 3.9.4-3 BASES REVISION 05/16/12 B 3.9.4-4 BASES REVISION 05/16/12 B 3.9.5-1 BASES REVISION 05/16/12 B 3.9.5-2 BASES REVISION 05/16/12 B 3.9.5-3 BASES REVISON 05/16/12 B 3.9.5-4 BASES REVISION 05/16/12 B 3.9.6-1 BASES REVISION 05/16/12 B 3.9.6-2 BASES REVISION 05/16/12 B 3.9.6-3 BASES REVISION 05/16/12 B 3.9.7-1 BASES REVISION 05/16/12 B 3.9.7-2 BASES REVISION 05/16/12 B 3.9.7-3 BASES REVISION 05/16/12 B 3.9.8-1 BASES REVISION 06/25/14 B 3.9.8-2 BASES REVISION 06/25/14 B 3.9.8-3 BASES REVISION 06/25/14 B 3.10.1-1 BASES REVISION 11/05/14 B 3.10.1-2 BASES REVISION 11/05/14 B 3.10.1-3 BASES REVISION 11/05/14 B 3.10.1-4 BASES REVISION 11/05/14 B 3.10.1-5 BASES REVISION 11/05/14 B 3.10.1-6 BASES REVISION 11/05/14 B 3.10.1-7 BASES REVISION 11/05/14 B 3.10.1-8 BASES REVISION 11/05/14 B 3.10.1-9 BASES REVISION 11/05/14 B 3.10.1-10 BASES REVISION 11/05/14 B 3.10.1-11 BASES REVISION 11/05/14 B 3.10.1-12 BASES REVISION 11/05/14 B 3.10.1-13 BASES REVISION 11/05/14 B 3.10.1-14 BASES REVISION 11/05/14 B 3.10.1-15 BASES REVISION 11/05/14 B 3.10.1-16 BASES REVISION 11/05/14 B 3.10.1-17 BASES REVISION 11/05/14 LOEP 16

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 01/14/15 LIST OF EFFECTIVE PAGES PAGE AMENDMENT BASES REVISION DATE B 3.10.1-18 BASES REVISION 11/05/14 B 3.10.1-19 BASES REVISION 11/05/14 B 3.10.2-1 BASES REVISION 11/05/14 B 3.10.2-2 BASES REVISION 11/05/14 B 3.10.2-3 BASES REVISION 11/05/14 B 3.10.2-4 BASES REVISION 11/05/14 B 3.10.2-5 BASES REVISION 11/05/14 B 3.10.2-6 BASES REVISION 11/05/14 LOEP 17

RCS P/T Limits B 3.4.3 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.3 RCS Pressure and Temperature (P/T) Limits BASES BACKGROUND All components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes. These loads are introduced by startup (heatup) and shutdown (cooldown) operations, power transients, and reactor trips. This LCO limits the pressure and temperature changes during RCS heatup and cooldown, within the design assumptions and the stress limits for cyclic operation.

Figures 3.4.3-1 through 3.4.3-9 contain P/T limit curves for heatup, cooldown, and leak and hydrostatic (LH) testing. Tables 3.4.3-1 and 3.4.3 2 contain data for the maximum rate of change of reactor coolant temperature. The minimum temperature indicated in the P/T limit curves and tables of 60OF is the lowest unirradiated nil ductility reference temperature (RTNDT) of all materials in the reactor vessel. This temperature (60 0 F) is the minimum allowable reactor pressure vessel temperature if any head closure stud is not fully detensioned. There is no minimum allowable temperature limit for the reactor vessel if all of the studs are fully detensioned.

Figures 3.4.3-1, 3.4.3-2, 3.4.3-4, 3.4.3-5, 3.4.3-7 and 3.4.3-8 define an acceptable region for normal operation. The usual use of the curves is operational guidance during heatup or cooldown maneuvering, when pressure and temperature indications are monitored and compared to the applicable curve to determine that operation is within the allowable region.

The LCO establishes operating limits that provide a margin to brittle failure of the reactor vessel and piping of the reactor coolant pressure boundary (RCPB). The vessel is the component most subject to brittle failure, and the LCO limits apply mainly to the vessel. The limits do not apply to the pressurizer, which has different design characteristics and operating functions.

10 CFR 50, Appendix G (Ref. 1), requires the establishment of P/T limits for material fracture toughness requirements of the RCPB materials.

Reference 1 requires an adequate margin to brittle failure during normal operation, anticipated operational occurrences, and system hydrostatic tests. It mandates the use of the American Society of Mechanical Engineers (ASME), Boiler and Pressure Vessel Code,Section III, Appendix G (Ref. 2).

Linear elastic fracture mechanics (LEFM) methodology is used to determine the stresses and material toughness at locations within the RCPB. The LEFM methodology follows the guidance given by 10 CFR 50, Appendix G; ASME Code,Section III, Appendix G; and Regulatory Guide 1.99 (Ref. 3).

OCONEE UNITS 1, 2, & 3 B 3.4.3-1 BASES REVISION DATED 01/14/15 1

RCS P/T Limits B 3.4.3 BASES BACKGROUND Material toughness properties of the ferritic materials of the reactor (continued) vessel are determined in accordance with ASTM E 185 (Ref. 4), and additional reactor vessel requirements. These properties are then evaluated in accordance with Reference 2.

The actual shift in the nil ductility reference temperature (RTNDT) of the vessel material will be established periodically by evaluating the irradiated reactor vessel material specimens, in accordance with ASTM E 185 (Ref. 5) and Appendix H of 10 CFR 50 (Ref. 5). The operating P/T limit curves will be adjusted, as necessary, based on the evaluation findings and the recommendations of Reference 2.

The P/T limit curves are composite curves established by superimposing limits derived from stress analyses of those portions of the reactor vessel and head that are the most restrictive. At any specific pressure, temperature, and temperature rate of change, one location within the reactor vessel will dictate the most restrictive limit. Across the span of the P/T limit curves, different locations are more restrictive, and, thus, the curves are composites of the most restrictive regions.

The heatup curve represents a different set of restrictions than the cooldown curve because the directions of the thermal gradients through the vessel wall are reversed. The thermal gradient reversal alters the location of the tensile stress between the outer and inner walls.

The calculation to generate the LH testing curve uses different safety factors (per Ref. 2) than the heatup and cooldown curves.

The P/T limit curves and associated temperature rate of change limits are developed in conjunction with stress analyses for large numbers of operating cycles and provide conservative margins to nonductile failure.

Although created to provide limits for these specific normal operations, the curves also can be used to determine if an evaluation is necessary for an abnormal transient.

As stated in the tables associated with this LCO, reactor coolant (RC) temperature is cold leg temperature if one or more RC pumps are in operation; otherwise, it is the LPI cooler outlet temperature. An analysis examined the effects of initiating flow through a previously idle LPI train (i.e. either placing a train of LPI in operation or swapping from one train to the other) when none of the RC pumps are operating. The analysis assumed the initial temperature of the fluid entering the vessel to be the lowest expected temperature in an idle LPI cooler. As RC fluid is pumped through the system and returns to the reactor vessel, the temperature increases to a "stable" value. The duration of the temperature excursion is dependent on LPI flow and volume of the piping system. This analysis has determined that the brief temperature excursion caused by the fluid initially in the idle LPI train can be accommodated if, at the time the LPI header is put in service, the RCS pressure is less than 295 psig (Instrument Uncertainty Adjusted). This value is less limiting than the OCONEE UNITS 1, 2, & 3 B 3.4.3-2 BASES REVISION DATED 01/14/15 I

RCS P/T Limits B 3.4.3 BAS ES BACKGROUND LPI initiation pressure limit imposed by procedures to protect the LPI (continued) system from overpressure. The brief temperature excursion does not place the reactor vessel outside of the bounds of the stress analyses.

The criticality limit curve includes the Reference 1 requirement that it be 40°F above the heatup curve or the cooldown curve, and not less than the minimum permissible temperature for LH testing. However, the criticality curve is not operationally limiting; a more restrictive limit exists in LCO 3.4.2, "RCS Minimum Temperature for Criticality."

The consequence of violating the LCO limits is that the RCS has been operated under conditions that can result in brittle failure of the RCPB, possibly leading to a nonisolable leak or loss of coolant accident. In the event these limits are exceeded, an evaluation must be performed to determine the effect on the structural integrity of the RCPB components.

The ASME Code,Section XI, Appendix E (Ref. 6) provides a recommended methodology for evaluating an operating event that causes an excursion outside the limits.

APPLICABLE The P/T limits are not derived from accident analyses. They are SAFETY ANALYSES prescribed during normal operation to avoid encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause nonductile failure of the RCPB, an unanalyzed condition. Reference 1 establishes the methodology for determining the P/T limits. Since the P/T limits are not derived from any accident analysis, there are no acceptance limits related to the P/T limits.

Rather, the P/T limits are acceptance limits themselves since they preclude operation in an unanalyzed condition.

RCS P/T limits satisfy Criterion 2 of 10 CFR 50.36 (Ref. 7).

LCO The three elements of this LCO are:

a. The limit curves for heatup and cooldown,
b. Limits on the rate of change of temperature, and
c. Allowable RC pump combinations.

The LCO is modified by three Notes. Note 1 states that for leak tests of the RCS and leak tests of connected systems where RCS pressure and temperature are controlling, the RCS may be pressurized to the limits of the specified figures. Note 2 states that for thermal steady state hydro tests required by ASME Section XI RCS may be pressurized to the limits Specification 2.1.2 and the specified figures. The limits on the rate of change of reactor coolant temperature RCS P/T Limits are the same ones OCONEE UNITS 1, 2, & 3 B 3.4.3-3 BASES REVISION DATED 01/14/15 I

RCS P/T Limits B 3.4.3 BASES LCO used for normal heatup and cooldown operations. Note 3 states the RCS (continued) P/T limits are not applicable to the pressurizer.

The LCO limits apply to all components of the RCS, except the pressurizer. These limits define allowable operating regions and permit a large number of operating cycles while providing a wide margin to nonductile failure.

Table 3.4.3-1 includes temperature rate of change limits with allowable pump combinations for RCS heatup while Table 3.4.3-2 includes temperature rate of change limits with allowable pump combinations for RCS cooldown. The breakpoints between temperature rate of change limits in these two tables are selected to limit reactor vessel thermal gradients to acceptable limits. The breakpoint between allowable pump combinations was selected based on operational requirements and are used to determine the change of RCS pressure associated with the change in number of operating reactor coolant pumps.

The limits for the rate of change of temperature control the thermal gradient through the vessel wall and are used as inputs for calculating the heatup, cooldown, and LH P/T limit curves. Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves.

The limits on allowable RC pump combinations controls the pressure differential between the vessel wall and the pressure measurement point and are used as inputs for calculating the heatup, cooldown and LH P/T limit curves. Thus, the LCO for the allowable RC pump combinations restricts the pressure at the vessel wall and ensures the validity of the P/T limit curves.

Heatup and Cooldown Rate limits are specified in TS Table 3.4.3-1 "Operational Requirements for Unit Heatup" and TS Table 3.4.3-2 "Operational Requirements for Unit Cooldown." These limits are specified as a change in temperature for "any" time period. As such, the Heatup or Cooldown period is a rolling period and is required to be considered at any point in time, i.e., the beginning, middle, or end of the period under evaluation. This action is required to ensure the heatup or cooldown rate limit meets design limits.

The LPI cooler outlet temperature during the brief period of stabilization does not need to be considered when determining heatup or cooldown rates or RCS P/T conditions when an LPI train is placed in operation with no operating RCPs. The period of stabilization is the time required to fully displace the stagnant fluid in the idle LPI train. The time required for LCO stabilization is a function of LPI flow rate. Operating procedures control both placing a train of LPI in service and swapping trains of LPI to limit the duration of the temperature transient to a value that has been shown to be acceptable.

OCONEE UNITS 1, 2, & 3 B 3.4.3-4 BASES REVISION DATED 01/14/15 I

RCS P/T Limits B 3.4.3 BASES LCO Violating the LCO limits places the reactor vessel outside of the bounds of (continued) the stress analyses and can increase stresses in other RCPB components. The consequences depend on several factors, as follows:

a. The severity of the departure from the allowable operating P/T regime or the severity of the rate of change of temperature;
b. The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more pronounced); and
c. The existences, sizes, and orientations of flaws in the vessel material.

APPLICABILITY The RCS P/T limits Specification provides a definition of acceptable operation for prevention of nonductile failure in accordance with 10 CFR 50, Appendix G (Ref. 1). Although the P/T limits were developed to provide guidance for operation during heatup or cooldown (MODES 3, 4, and 5) or LH testing, their applicability is at all times in keeping with the concern for nonductile failure. The limits do not apply to the pressurizer.

During MODES 1 and 2, other Technical Specifications provide limits for operation that can be more restrictive than or can supplement these P/T limits. LCO 3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits"; LCO 3.4.2, "RCS Minimum Temperature for Criticality"; and Safety Limit (SL) 2.1, "SLs," also provide operational restrictions for pressure and temperature and maximum pressure.

MODES 1 and 2 are above the temperature range of concern for nonductile failure, and stress analyses have been performed for normal maneuvering profiles, such as power ascension or descent.

ACTIONS A.1 and A.2 Operation outside the P/T limits during MODE 1, 2, 3, or 4 must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses.

The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.

Besides restoring operation to within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be completed before continuing operation. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components. The evaluation must be OCONEE UNITS 1, 2, & 3 B 3.4.3-5 BASES REVISION DATED 01/14/15 I

RCS P/T Limits B 3.4.3 BASES ACTIONS A.1 and A.2 (continued) completed, documented, and approved in accordance with established plant procedures and administrative controls.

ASME Code,Section XI, Appendix E (Ref. 6) may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline. The evaluation must extend to all components of the RCPB.

The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is reasonable to accomplish the evaluation.

The evaluation for a mild violation is possible within this time, but more severe violations may require special, event specific stress analyses or inspections. A favorable evaluation must be completed before continuing to operate.

Condition A is modified by a Note requiring Required Action A.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action A.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

B.1 and B.2 If a Required Action and associated Completion Time of Condition A are not met, the unit must be brought to a lower MODE because: (a) the RCS remained in an unacceptable pressure and temperature region for an extended period of increased stress, or (b) a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature. With reduced pressure and temperature conditions, the possibility of propagation of undetected flaws is decreased.

If the required restoration activity cannot be accomplished within 30 minutes, Required Action B.1 and Required Action B.2 must be implemented to reduce pressure and temperature.

If the required evaluation for continued operation cannot be accomplished within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, or the results are indeterminate or unfavorable, action must proceed to reduce pressure and temperature as specified in Required Actions B.1 and B.2. A favorable evaluation must be completed and documented before returning to operating pressure and temperature conditions. However, if the favorable evaluation is accomplished while reducing pressure and temperature conditions, a return to power operation may be considered without completing Required Action B.2.

Pressure and temperature are reduced by bringing the unit to MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion OCONEE UNITS 1, 2, & 3 B 3.4.3-6 BASES REVISION DATED 01/14/15 I

RCS P/T Limits B 3.4.3 BASES ACTIONS B.1 and B.2 (continued)

Times are reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging unit systems.

C.1 and C.2 Actions must be initiated immediately to correct operation outside of the P/T limits at times other than MODE 1, 2, 3, or 4, so that the RCPB is returned to a condition that has been verified acceptable by stress analysis.

The immediate Completion Time reflects the urgency of initiating action to restore the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished within this time in a controlled manner.

In addition to restoring operation to within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify that the RCPB integrity remains acceptable and must be completed prior to entry into MODE 4. Several methods may be used, including comparison with pre-analyzed transients in the stress analysis, or inspection of the components.

ASME Code, Section Xl, Appendix E (Ref. 6), may also be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.

Condition C is modified by a Note requiring Required Action C.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone, per Required Action C.1, is insufficient because higher than analyzed stresses may have occurred and may have affected RCPB integrity.

SURVEILLANCE SR 3.4.3.1 REQUIREMENTS Verification that operation is within limits is required when RCS pressure or temperature conditions are undergoing planned changes.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

Surveillance for heatup, cooldown, or LH testing may be discontinued when the definition given in the relevant plant procedure for ending the activity is satisfied.

OCONEE UNITS 1, 2, & 3 B 3.4.3-7 BASES REVISION DATED 01/14/15 I

RCS P/T Limits B 3.4.3 BASES SURVEILLANCE SR 3.4.3.1 (continued)

REQUIREMENTS This SR is modified by a Note that requires this SR to be performed only during system heatup, cooldown, and LH testing.

REFERENCES 1. 10 CFR 50, Appendix G.

2. ASME, Boiler and Pressure Vessel Code,Section III, Appendix G.
3. Regulatory Guide 1.99, Revision 2, May 1988.
4. ASTM E 185-82, July 1982.
5. 10 CFR 50, Appendix H.
6. ASME, Boiler and Pressure Vessel Code, Section Xl, Appendix E.
7. 10 CFR 50.36.

OCONEE UNITS 1, 2, &3 B 3.4.3-8 BASES REVISION DATED 01/14/15 I

RPS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protective System (RPS) Instrumentation BASES BACKGROUND The RPS initiates a reactor trip to protect against violating the core fuel design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated transients. By tripping the reactor, the RPS also assists the Engineered Safeguards (ES) Systems in mitigating accidents.

The protective and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as the LCOs on other reactor system parameters and equipment performance.

The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establishes the threshold for protective system action to prevent exceeding acceptable limits during accidents or transients.

During anticipated transients, which are those events expected to occur one or more times during the unit's life, the acceptable limit is:

a. The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value;
b. Fuel centerline melt shall not occur; and
c. The RCS pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 20 and 10 CFR 100 criteria during anticipated transients. Accidents are events that are analyzed even though they are not expected to occur during the unit's life. The acceptable limit during accidents is that the offsite dose shall be maintained within reference 10 CFR 100 limits. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

OCONEE UNITS 1, 2, & 3 B 3.3.1 -1 12/10/14 1

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

The RPS consists of four separate redundant protective channels that receive inputs of neutron flux, RCS pressure, RCS flow, RCS temperature, RCS pump status, reactor building (RB) pressure, main feedwater (MFW) pump turbines status, and main turbine status.

Figure 7.1 of UFSAR, Chapter 7 (Ref. 1), shows the arrangement of a typical RPS protective channel. A protective channel is composed of measurement channels, a manual trip channel, a reactor trip component (RTC), and a control rod drive (CRD) trip device. LCO 3.3.1 provides requirements for the individual measurement channels. These channels encompass all equipment and electronics from the point at which the measured parameter is sensed through the processor output trip devices in the trip string. LCO 3.3.2, "Reactor Protective System (RPS) Manual Reactor Trip," LCO 3.3.3, "Reactor Protective System (RPS) - Reactor Trip Component (RTC)," and LCO 3.3.4, "Control Rod Drive (CRD) Trip Devices," discuss the remaining RPS elements.

The RPS instrumentation measures critical unit parameters and compares these to predetermined setpoints.

If the setpoint for a parameter input to a single channel (for example, the RC high pressure input to Channel A) is exceeded, a channel trip does not occur. Due to the inter-channel communication, all 4 RPS channels recognize that this parameter input has been exceeded for one channel.

However, due to the 2.MIN/2.MAX logic within the system, the same parameter input setpoint for one of the other three channels must be exceeded before channel trips occur. Again, due to the inter-channel communication, all 4 RPS channels will then trip since the 2.MIN/2.MAX condition has been satisfied.

The RTS consists of four AC Trip Breakers arranged in two parallel combinations of two breakers each. Each path provides independent power to the CRD motors. Either path can provide sufficient power to operate all CRD's. Two separate power paths to the CRD's ensure that a single failure that opens one path will not cause an unwanted reactor trip.

The RPS consists of four independent protective channels (A, B, C, and D).

Each RPS protective channel contains the sensor input modules, a protective channel computer, output modules, four hardwired (energized during power operations) reactor trip relays (RTRs) (A, B, C, and D) and their associated 120 VAC contacts (closed when RTR is energized).

OCONEE UNITS 1, 2, & 3 B 3.3.1-2 12/10/14 1

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

Protective channel A controls the channel A RTR and also controls the A RTR in channels B, C, and D. Likewise, channels B, C and D control the respective RTR in each of the four channels. Each energized RTR (A, B, C, and D) in each RPS channel A, B, C, and D maintains two closed 120 VAC contacts. One contact from each RTR is configured in two separate redundant output trip actuation logic schemes. Each output trip actuation logic scheme contains a contact from each of the four RTRs in the four channels. This configuration results in a two-out-of-four coincidence reactor trip logic. Ifany channel protective set initiates a trip signal, the respective four RTRs (one in each of the four channels) de-energize and open the respective contacts. The outputs from the RTR contacts interrupt the 120 VAC power to the CRD trip devices.

Three of the four RPS protective channel computers (A, B, and C) also perform a redundant Engineered Safeguards Protective System (ESPS) logic function. Therefore, three of the four RPS protective channels calculate both RPS and ESPS functions, and the fourth RPS channel D calculates only RPS functions. See Technical Specification Bases section B 3.3.5 for additional discussion of the ESPS protective channels and the duplicated ESPS functions performed by the RPS protective channels.

The reactor is tripped by opening the reactor trip breakers.

There are three bypasses: shutdown bypass, manual bypass, and channel I trip function bypass. The shutdown bypass and the manual bypass are initiated by use of a keyswitch located in the respective RPS channel cabinet. The Shutdown bypass allows the withdrawal of safety rods for SDM availability and rapid negative reactivity insertion during unit cooldowns or heatups. The manual bypass allows putting a complete RPS channel into bypass for maintenance activities. This includes the planned power-down of the bypassed RPS channel computer. If the complete RPS channel is powered down, the manual bypass condition cannot be maintained. That RPS channel output signal goes to "trip" and the manual bypass Unit Statalarm window will not illuminate. The channel trip function bypass allows an individual channel trip function in any RPS channel to be bypassed through the use of the RPS screens of the Graphical Service Monitor (GSM). The GSM is located on the Service Unit.

The RPS operates from the instrumentation channels discussed next. The specific relationship between measurement channels and protective channels differs from parameter to parameter. Three basic configurations are used:

OCONEE UNITS 1, 2, & 3 B 3.3.1-3 12/10/14 1

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

a. Four completely redundant measurements (e.g., reactor coolant flow) with one channel input to each protective channel;
b. Four channels that provide similar, but not identical, measurements (e.g., power range nuclear instrumentation where each RPS channel monitors a different quadrant), with one channel input to each protective channel; and
c. Redundant measurements with combinational trip logic inside the protective channels and the combined output provided to each protective channel (e.g., main feedwater pump turbines trip instrumentation).

These arrangements and the relationship of instrumentation channels to trip Functions are discussed next to assist in understanding the overall effect of instrumentation channel failure.

Power Range Nuclear Instrumentation Power Range Nuclear Instrumentation channels provide inputs to the following trip Functions:

1. Nuclear Overpower
a. Nuclear Overpower - High Setpoint;
b. Nuclear Overpower - Low Setpoint;
7. Reactor Coolant Pump to Power;
8. Nuclear Overpower Flux/Flow Imbalance;
9. Main Turbine Trip (Hydraulic Fluid Pressure); and
10. Loss of Main Feedwater (LOMFW) Pump Turbines (Hydraulic Oil Pressure).

OCONEE UNITS 1, 2, & 3 B 3.3.1-4 12/10/14 1

RPS Instrumentation B 3.3.1 BASES BACKGROUND Power Range Nuclear Instrumentation (continued)

The power range instrumentation has four linear level channels, one for each core quadrant. Each channel feeds one RPS protective channel.

Each channel originates in a detector assembly containing two uncompensated ion chambers. The ion chambers are positioned to represent the top half and bottom half of the core. The individual currents from the chambers are fed to individual linear amplifiers. The summation of the top and bottom is the total reactor power. The difference of the top minus the bottom neutron signal is the measured AXIAL POWER IMBALANCE for the associated core quadrant.

Reactor Coolant System Outlet Temperature The Reactor Coolant System Outlet Temperature provides input to the following Functions:

2. RCS High Outlet Temperature; and
5. RCS Variable Low Pressure.

The RCS Outlet Temperature is measured by two resistance temperature detection elements in each hot leg, for a total of four. One temperature detection element is associated with each protective channel.

Reactor Coolant System Pressure The Reactor Coolant System Pressure provides input to the following Functions:

3. RCS High Pressure;
4. RCS Low Pressure;
5. RCS Variable Low Pressure; and
11. Shutdown Bypass RCS High Pressure.

The RPS inputs of reactor coolant pressure are provided by two pressure transmitters in each hot leg, for a total of four. One sensor is associated with each protective channel.

OCONEE UNITS 1, 2, & 3 B 3.3.1-5 12/10/14 1

RPS Instrumentation B 3.3.1 BASES BACKGROUND Reactor Building Pressure (continued)

The Reactor Building Pressure measurements provide input only to the Reactor Building High Pressure trip, Function 6. There are four RB High Pressure sensors, one associated with each protective channel.

Reactor Coolant Pump Power Monitoring Reactor coolant pump power monitors are inputs to the Reactor Coolant Pump to Power trip, Function 7. Each RCP has a RCP Power Monitor (RCPPM), which monitors the electrical power and breaker status of each pump motor to determine if it is running. Each RCPPM provides inputs to all four RPS channels.

Reactor Coolant System Flow The Reactor Coolant System Flow measurements are an input to the Nuclear Overpower Flux/Flow Imbalance trip, Function 8. The reactor coolant flow inputs to the RPS are provided by eight high accuracy differential pressure transmitters, four on each loop, which measure flow through calibrated flow tubes. One flow input in each loop is associated with each protective channel.

Main Turbine Hydraulic Fluid Pressure Main Turbine Hydraulic Fluid Pressure is an input to the Main Turbine Trip (Hydraulic Fluid Pressure) reactor trip, Function 9. Each of the four protective channels receives turbine status information from one of the four pressure switches monitoring main turbine hydraulic fluid pressure. Each protective channel continuously monitors the status of the contact inputs and initiates an RPS trip when a main turbine trip is indicated.

Feedwater Pump Turbine Hydraulic Oil Pressure Feedwater Pump Turbine Hydraulic Oil Pressure is an input to the Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip, Function 10.

Hydraulic Oil pressure is measured by four switches on each feedwater pump turbine. One switch on each pump turbine is associated with each protective channel.

OCONEE UNITS 1, 2, & 3 B 3.3.1-6 12/10/14 1

RPS Instrumentation B 3.3.1 BASES BACKGROUND Feedwater Pump Turbine Hydraulic Oil Pressure (continued)

Each RPS channel receives a contact input from both Feedwater Pump Turbines (A and B) Hydraulic Oil Pressure switches. When the switches from both turbines indicate that the associated Turbine Hydraulic Oil Pressure is low (turbine has tripped), a reactor trip signal is initiated on that channel.

RPS Bypasses The RPS is designed with three types of bypasses: shutdown bypass, manual bypass and channel trip function bypass.

Each bypass is discussed next.

Shutdown Bypass During unit cooldown and heatup, it is desirable to leave the safety rods at least partially withdrawn to provide shutdown capabilities in the event of unusual positive reactivity additions (moderator dilution, etc.).

However, the unit is also depressurized as coolant temperature is decreased. Ifthe safety rods are withdrawn and coolant pressure is decreased, an RCS Low Pressure trip will occur at 1800 psig and the rods will fall into the core. To avoid this, the protective system allows the operator to bypass the low pressure trip and maintain shutdown capabilities. During the cooldown and depressurization, the safety rods are inserted prior to the low pressure trip of 1800 psig. The RCS pressure is decreased to less than 1720 psig, then each RPS channel is placed in shutdown bypass.

A shutdown bypass signal is provided by the operator from the shutdown bypass keyswitch (status shall be indicated by a light). This action bypasses the RCS Low Pressure trip, Nuclear Overpower Flux/Flow Imbalance trip, Reactor Coolant Pump to Power trip, and the RCS Variable Low Pressure trip, and inserts a new RCS High Pressure, 1720 psig trip.

The operator can now withdraw the safety rods for additional rapidly insertable negative reactivity.

The insertion of the new high pressure trip performs two functions. First, with a trip setpoint of 1720 psig, the processor output trip device prevents operation at normal system pressure, 2155 psig, with a portion of the RPS bypassed. The second function is to ensure that the bypass is removed prior to normal operation. When the RCS pressure is increased during a OCONEE UNITS 1, 2, & 3 B 3.3.1-7 12/10/14 1

RPS Instrumentation B 3.3.1 BASES BACKGROUND Shutdown Bypass (continued) unit heatup, the safety rods are inserted prior to reaching 1720 psig. The shutdown bypass is removed, which returns the RPS to normal, and system pressure is increased to greater than 1800 psig. The safety rods are then withdrawn and remain at the full out condition for the rest of the heatup.

In addition to the Shutdown Bypass RCS High Pressure trip, the High Flux Reactor Trip setpoint is automatically lowered to less than 5% when the operator closes the shutdown bypass keyswitch. This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows testing while preventing the generation of any significant amount of power.

Manual Bypass The RPS Manual Bypass allows putting the complete RPS channel into bypass for maintenance activities. Placing the RPS channel in bypass does not power-down the computer. If it is necessary to power-down the computer for one channel, the Manual Bypass keyswitch is used to keep the four RTRs associated with the respective channel energized while the channel computer is powered down. To place a protective channel in manual bypass, the other three channels must not be in manual bypass or otherwise inoperable (e.g., a channel trip function in bypass).

The RPS Manual Bypass status information is sent to the Unit Statalarm panel (hardwired output of the RPS Channel computer and in parallel as a hardwired signal from a keyswitch contact in case the computer is powered down) and is sent to the plant Operator Aid Computer (OAC) via a gateway.

Ifthe complete RPS cabinet is powered down, the Manual Bypass condition cannot be maintained. That RPS channel output signal goes to "trip" and the Manual Bypass Unit Statalarm window will not illuminate.

Channel Trip Function Bypass An individual Channel Trip Function Bypass allows placing one trip function in bypass for maintenance activities through the RPS GSM screens. This allows the remaining trip functions in the channel to remain operable while the channel input device for the affected channel is inoperable.

Operation to put functions in bypass is administratively controlled since there is no interlock to prevent placing functions in multiple channels in bypass. Channel trip functions may be placed in bypass in only one RPS channel at a time.

OCONEE UNITS 1, 2, & 3 B 3.3.1-8 12/10/14 1

RPS Instrumentation B 3.3.1 BASES BACKGROUND Parameter Change Enable Mode (continued)

Parameter Change Enable Mode allows each RPS instrument input channel processor to be placed in different operating modes through the use of the Parameter Change Enable keyswitches and commands from the Service Unit. Each protective channel has a keyswitch located in that channel's cabinet pair.

Placing RPS Channels A, B, or C in Parameter Change Enable Mode through the use of the "Parameter Change Enable" keyswitch will also place the corresponding ESPS Channels Al, B1 or Cl in Parameter Change Enable Mode.

When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:

  • The processors continue with normal operation.
  • A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.

With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:

  • Normal Operation - with permissive for operating mode change.
  • Parameterization - allows changes to specific parameters (example placing a parameter into a tripped condition or performing Reactor Trip Relay testing).
  • Function Test - for disabling the application function and forcing output signal for testing purposes (normally not used).
  • Diagnostics - for downloading new application software.

The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions. Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.

When a keyswitch is placed in the Parameter Change Enable Mode Position for any activity, the affected processor shall first be declared out of service. In addition to declaring the processor out of service (1) the affected RPS channel shall be bypassed and (2) either the affected ESPS input channel (Al, B1, or Cl) shall be tripped OR the ESPS Set 1 voters shall be placed in Bypass for the following activities:

  • Loading or revising the software in a processor.

" Changing parameters via the RPS High Flux Trip (Variable Setpoint) screen at the Service Unit.

OCONEE UNITS 1, 2, & 3 B 3.3.1-9 12/10/14 1

RPS Instrumentation B 3.3.1 BASES BACKGROUND Parameter Change Enable Mode (continued)

Changing parameters via the RPS Flux/Flow/Imbalance Parameters screen at the Service Unit.

Only one RPS channel at a time is allowed to be placed into Parameter Change Enable Mode Position for these activities.

Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the Gateway.

RPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).

Trip Setpoints/Allowable Value The Allowable Value and trip setpoint are based on the analytical limits stated in UFSAR, Chapter 15 (Ref. 2). The selection of the Allowable Value and associated trip setpoint is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 3), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits to account for all known uncertainties for each channel. The actual trip setpoint entered into the processor output trip device is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL CALIBRATION.

A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. The trip setpoints are the nominal values at which the processor output trip devices are set. Any processor output trip device is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy. A detailed description of the methodology used to determine the Allowable Value and associated uncertainties is provided in Reference 4.

Setpoints in conjunction with the Allowable Value ensure that the limits of Chapter 2.0, "Safety Limits," in the Technical Specifications are not violated during anticipated transients and that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the anticipated transient or accident and the equipment functions OCONEE UNITS 1, 2, & 3 B 3.3.1 -10 12/10/14 1

RPS Instrumentation B 3.3.1 BASES BACKGROUND Trip Setpoints/Allowable Value (continued) as designed. Note that in LCO 3.3.1 the Allowable Values listed in Table 3.3.1-1 for Functions 1 through 8 and 11 are the LSSS.

With the exception of the RB High Pressure function, each channel is tested online by manually retrieving the software setpoint to ensure it has been entered correctly. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements.

APPLICABLE Each of the analyzed accidents and transients that require a reactor trip to SAFETY ANALYSES, meet the acceptance criteria can be detected by one or more RPS LCO, and Functions. The accident analysis contained in the UFSAR, Chapter 15 APPLICABILITY (Ref. 2), takes credit for most RPS trip Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit.

These Functions are high RB pressure, turbine trip, and loss of main feedwater. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions also serve as backups to Functions that were credited in the safety analysis.

The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. The three channels of each Function in Table 3.3.1-1 of the RPS instrumentation shall be OPERABLE during its specified Applicability to ensure that a reactor trip will be actuated if needed. Additionally, during shutdown bypass with any CRD trip breaker closed, the applicable RPS Functions must also be available. This ensures the capability to trip the withdrawn CONTROL RODS exists at all times that rod motion is possible. The trip Function channels specified in Table 3.3.1-1 are considered OPERABLE when all channel components necessary to provide a reactor trip are functional and in service for the required MODE or Other Specified Condition listed in Table 3.3.1-1.

Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoint measured by CHANNEL CALIBRATIONS does not exceed the Allowable Value. A trip setpoint found less conservative than the nominal trip setpoint, but within its Allowable Value, is considered OPERABLE with respect to the uncertainty allowances assumed for the applicable surveillance interval provided that OCONEE UNITS 1, 2, & 3 B 3.3.1 -11 12/10/14 1

RPS Instrumentation B 3.3.1 BASES APPLICABLE operation, testing and subsequent calibration are consistent with the SAFETY ANALYSES, assumptions of the setpoint calculations. Each Allowable Value specified is LCO, and more conservative than instrument uncertainties appropriate to the trip APPLICABILITY Function. These uncertainties are defined in Reference 4.

(continued)

For most RPS Functions, the Allowable Value in conjunction with the nominal trip setpoint ensure that the departure from nucleate boiling (DNB),

center line fuel melt, or RCS pressure SLs are not challenged. Cycle specific values for use during operation are contained in the COLR.

Certain RPS trips function to indirectly protect the SLs by detecting specific conditions that do not immediately challenge SLs but will eventually lead to challenge if no action is taken. These trips function to minimize the unit transients caused by the specific conditions. The Allowable Value for these Functions is selected at the minimum deviation from normal values that will indicate the condition, without risking spurious trips due to normal fluctuations in the measured parameter.

The safety analyses applicable to each RPS Function are discussed next.

1. Nuclear Overpower
a. Nuclear Overpower - High Setpoint The Nuclear Overpower - High Setpoint trip provides protection for the design thermal overpower condition based on the measured out of core neutron leakage flux.

The Nuclear Overpower - High Setpoint trip initiates a reactor trip when the neutron power reaches a predefined setpoint at the design overpower limit. Because THERMAL POWER lags the neutron power, tripping when the neutron power reaches the design overpower will limit THERMAL POWER to prevent exceeding acceptable fuel damage limits.

Thus, the Nuclear Overpower - High Setpoint trip protects against violation of the DNBR and fuel centerline melt SLs.

However, the RCS Variable Low Pressure, and Nuclear Overpower Flux/Flow Imbalance, provide more direct protection. The role of the Nuclear Overpower - High Setpoint trip is to limit reactor THERMAL POWER below the highest power at which the other two trips are known to provide protection.

The Nuclear Overpower - High Setpoint trip also provides transient protection for rapid positive reactivity excursions OCONEE UNITS 1, 2, & 3 B 3.3.1-12 12/10/14 1

RPS Instrumentation B 3.3.1 BASES APPLICABLE a. Nuclear Overpower - High Setpoint (continued)

SAFETY ANALYSES, LCO, and during power operations. These events include the rod APPLICABILITY withdrawal accident and the rod ejection accident. By providing a trip during these events, the Nuclear Overpower -

High Setpoint trip protects the unit from excessive power levels and also serves to limit reactor power to prevent violation of the RCS pressure SL.

Rod withdrawal accident analyses cover a large spectrum of reactivity insertion rates (rod worths), which exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the high pressure trip provides primary protection.

b. Nuclear Overpower - Low Setpoint When initiating shutdown bypass, the Nuclear Overpower -

Low Setpoint trip must be reduced to _<5% RTP. The low power setpoint, in conjunction with the lower Shutdown Bypass RCS High Pressure setpoint, ensure that the unit is protected from excessive power conditions when other RPS trips are bypassed.

The setpoint Allowable Value was chosen to be as low as practical and still lie within the range of the out of core instrumentation.

2. RCS High Outlet Temperature The RCS High Outlet Temperature trip, in conjunction with the RCS Low Pressure and RCS Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the reactor vessel outlet temperature approaches the conditions necessary for DNB. Portions of each RCS High Outlet Temperature trip channel are common with the RCS Variable Low Pressure trip. The RCS High Outlet Temperature trip provides steady state protection for the DNBR SL.

The RCS High Outlet Temperature trip limits the maximum RCS temperature to below the highest value for which DNB protection by the Variable Low Pressure trip is ensured. The trip setpoint Allowable Value is selected to ensure that a trip occurs before hot leg temperatures reach the point beyond which the RCS Low Pressure OCONEE UNITS 1, 2, & 3 B 3.3.1-13 12/10/14 1

RPS Instrumentation B 3.3.1 BASES APPLICABLE 2. RCS High Outlet Temperature (continued)

SAFETY ANALYSES, LCO, and and Variable Low Pressure trips are analyzed. Above the high APPLICABILITY temperature trip, the variable low pressure trip need not provide protection, because the unit would have tripped already. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions that the equipment is expected to experience because the trip is not required to mitigate accidents that create harsh conditions in the RB.

3. RCS High Pressure The RCS High Pressure trip works in conjunction with the pressurizer and main steam relief valves to prevent RCS overpressurization, thereby protecting the RCS High Pressure SL.

The RCS High Pressure trip has been credited in the transient analysis calculations for slow positive reactivity insertion transients (rod withdrawal transients and moderator dilution). The rod withdrawal transient covers a large spectrum of reactivity insertion rates and rod worths that exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower

- High Setpoint trip provides the primary protection. At low reactivity insertion rates, the RCS High Pressure trip provides the primary protection.

The setpoint Allowable Value is selected to ensure that the RCS High Pressure SL is not challenged during steady state operation or slow power increasing transients. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions because the equipment is not required to mitigate accidents that create harsh conditions in the RB.

4. RCS Low Pressure The RCS Low Pressure trip, in conjunction with the RCS High Outlet Temperature and Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system pressure approaches the conditions necessary for DNB. The RCS Low Pressure trip provides DNB low pressure limit for the RCS Variable Low Pressure trip.

The RCS Low Pressure setpoint Allowable Value is selected to ensure that a reactor trip occurs before RCS pressure is reduced below the lowest point at which the RCS Variable Low Pressure trip is analyzed. The RCS Low Pressure trip provides protection for OCONEE UNITS 1, 2, & 3 B 3.3.1-14 12/10/14 1

RPS Instrumentation B 3.3.1 BASES APPLICABLE 4. RCS Low Pressure (continued)

SAFETY ANALYSES, LCO, and primary system depressurization events and has been credited in APPLICABILITY the accident analysis calculations for small break loss of coolant accidents (LOCAs). Harsh RB conditions created by small break LOCAs cannot affect performance of the RCS pressure sensors and transmitters within the time frame for a reactor trip. Therefore, degraded environmental conditions are not considered in the Allowable Value determination.

5. RCS Variable Low Pressure The RCS Variable Low Pressure trip, in conjunction with the RCS High Outlet Temperature and RCS Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system parameters of pressure and temperature approach the conditions necessary for DNB. The RCS Variable Low Pressure trip provides a floating low pressure trip based on the RCS High Outlet Temperature within the range specified by the RCS High Outlet Temperature and RCS Low Pressure trips.

The RCS Variable Low Pressure setpoint Allowable Value is selected to ensure that a trip occurs when temperature and pressure approach the conditions necessary for DNB while operating in a temperature pressure region constrained by the low pressure and high temperature trips. The RCS Variable Low Pressure trip is assumed for transient protection in the main steam line break analysis. The setpoint allowable value does not include errors induced by the harsh environment, because the trip actuates prior to the harsh environment.

6. Reactor Building High Pressure The Reactor Building High Pressure trip provides an early indication of a high energy line break (HELB) inside the RB. By detecting changes in the RB pressure, the RPS can provide a reactor trip before the other system parameters have varied significantly. Thus, this trip acts to minimize accident consequences. It also provides a backup for RPS trip instruments exposed to an RB HELB environment.

The Allowable Value for RB High Pressure trip is set at the lowest value consistent with avoiding spurious trips during normal operation.

The electronic components of the RB High Pressure trip are located in an area that is not exposed to high temperature steam environments during HELB transients inside containment. The OCONEE UNITS 1, 2, & 3 B 3.3.1-15 12/10/14 1

RPS Instrumentation B 3.3.1 BASES APPLICABLE 6. Reactor Building High Pressure (continued)

SAFETY ANALYSES, LCO, and components are exposed to high radiation conditions. Therefore, the APPLICABILITY determination of the setpoint Allowable Value accounts for errors induced by the high radiation.

7. Reactor Coolant Pump to Power The Reactor Coolant Pump to Power trip provides protection for changes in the reactor coolant flow due to the loss of multiple RCPs.

Because the flow reduction lags loss of power indications due to the inertia of the RCPs, the trip initiates protective action earlier than a trip based on a measured flow signal.

The Reactor Coolant Pump to Power trip has been credited in the accident analysis calculations for the loss of more than two RCPs.

The Allowable Value for the Reactor Coolant Pump to Power trip setpoint is selected to prevent normal power operation unless at least three RCPs are operating. Each reactor coolant pump has an RCPPM, which monitors the electrical power and breaker status of each pump motor to determine if the pump is running. Each RCPPM provides inputs to all four RPS channels. The RCPPM will initiate a reactor trip if fewer than three reactor coolant pumps are operating and reactor power is greater than approximately 2%

rated full power.

8. Nuclear Overpower Flux/Flow Imbalance The Nuclear Overpower Flux/Flow Imbalance trip provides steady state protection for the power imbalance SLs. A reactor trip is initiated prior to the core power, AXIAL POWER IMBALANCE, and reactor coolant flow conditions exceeding the DNB or fuel centerline temperature limits.

This trip supplements the protection provided by the Reactor Coolant Pump to Power trip, through the power to flow ratio, for loss of reactor coolant flow events. The power to flow ratio provides direct protection for the DNBR SL for the loss of one or more RCPs and for locked RCP rotor accidents.

The power to flow ratio of the Nuclear Overpower Flux/Flow Imbalance trip also provides steady state protection to prevent reactor power from exceeding the allowable power when the primary system flow rate is less than full four pump flow. Thus, the power to flow ratio prevents overpower conditions similar to the Nuclear OCONEE UNITS 1, 2, & 3 B 3.3.1-16 12/10/14 1

RPS Instrumentation B 3.3.1 BASES APPLICABLE 8. Nuclear Overpower Flux/Flow Imbalance (continued)

SAFETY ANALYSES, LCO, and Overpower trip. This protection ensures that during reduced flow APPLICABILITY conditions the core power is maintained below that required to begin DNB.

The Allowable Value is selected to ensure that a trip occurs when the core power, axial power peaking, and reactor coolant flow conditions indicate an approach to DNB or fuel centerline temperature limits.

By measuring reactor coolant flow and by tripping only when conditions approach an SL, the unit can operate with the loss of one pump from a four pump initial condition at power levels at least as low as approximately 80% RTP. The Allowable Value for the Function, including the upper limits of the Function are given in the unit COLR because the cycle specific core peaking changes affect the Allowable Value.

9. Main Turbine Trip (Hydraulic Fluid Pressure)

The Main Turbine Trip Function trips the reactor when the main turbine is lost at high power levels. The Main Turbine Trip Function provides an early reactor trip in anticipation of the loss of heat sink associated with a turbine trip. The Main Turbine Trip Function was added to the B&W designed units in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. The trip lowers the probability of an RCS power operated relief valve (PORV) actuation for turbine trip cases. This trip is activated at higher power levels, thereby limiting the range through which the Integrated Control System must provide an automatic runback on a turbine trip.

Each of the four turbine hydraulic fluid pressure switches feeds one protective channel that continuously monitors the status of the contacts.

For the Main Turbine Trip (Hydraulic Fluid Pressure), the Allowable Value of 800 psig is selected to provide a trip whenever main turbine hydraulic fluid pressure drops below the normal operating range.

This trip is bypassed at power levels < 30% RTP for unit startup.

The turbine trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors induced by harsh environments are not included in the determination of the setpoint Allowable Value.

OCONEE UNITS 1, 2, & 3 B 3.3.1-17 12/10/14 1

RPS Instrumentation B 3.3.1 BASES APPLICABLE 10. Loss of Main Feedwater PumD Turbines (Hydraulic Oil Pressure)

SAFETY ANALYSES, LCO, and The Loss of Main Feedwater Pump Turbines (Hydraulic Oil APPLICABILITY Pressure) trip provides a reactor trip at high power levels when both (continued) MFW pump turbines are lost. The trip provides an early reactor trip in anticipation of the loss of heat sink associated with the LOMF.

This trip was added in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. This trip provides a reactor trip at high power levels for a LOMF to minimize challenges to the PORV.

For the feedwater pump turbine hydraulic oil pressure, the Allowable Value of 75 psig is selected to provide a trip whenever feedwater pump turbine hydraulic oil pressure drops below the normal operating range. This trip is bypassed at power levels < 2% RTP for unit startup. The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors caused by harsh environments are not included in the determination of the setpoint Allowable Value.

11. Shutdown Bypass RCS High Pressure The RPS Shutdown Bypass RCS High Pressure is provided to allow for withdrawing the CONTROL RODS prior to reaching the normal RCS Low Pressure trip setpoint. The shutdown bypass provides trip protection during deboration and RCS heatup by allowing the operator to at least partially withdraw the safety groups of CONTROL RODS. This makes their negative reactivity available to terminate inadvertent reactivity excursions. Use of the shutdown bypass trip requires that the neutron power trip setpoint be reduced to 5% of full power or less. The Shutdown Bypass RCS High Pressure trip forces a reactor trip to occur whenever the unit switches from power operation to shutdown bypass or vice versa. This ensures that the CONTROL RODS are all inserted before power operation can begin.

The operator is required to remove the shutdown bypass, reset the Nuclear Overpower - High Power trip setpoint, and again withdraw the safety group rods before proceeding with startup.

Accidents analyzed in the UFSAR, Chapter 15 (Ref. 2), do not describe events that occur during shutdown bypass operation, because the consequences of these events are enveloped by the events presented in the UFSAR.

OCONEE UNITS 1, 2, & 3 B 3.3.1-18 12/10/14 1

RPS Instrumentation B 3.3.1 BASES APPLICABLE 11. Shutdown Bypass RCS High Pressure (continued)

SAFETY ANALYSES, LCO, and During shutdown bypass operation with the Shutdown Bypass RCS APPLICABILITY High Pressure trip active with a setpoint of < 1720 psig and the Nuclear Overpower - Low Setpoint set at or below 5% RTP, the trips listed below can be bypassed. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low Setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

1a. Nuclear Overpower - High Setpoint;

3. RCS High Pressure;
4. RCS Low Pressure;
5. RCS Variable Low Pressure;
7. Reactor Coolant Pump to Power; and
8. Nuclear Overpower Flux/Flow Imbalance.

The Shutdown Bypass RCS High Pressure Function's Allowable Value is selected to ensure a trip occurs before producing THERMAL POWER.

General Discussion The RPS satisfies Criterion 3 of 10 CFR 50.36 (Ref. 7). In MODES 1 and 2, the following trips shall be OPERABLE because the reactor can be critical in these MODES. These trips are designed to take the reactor subcritical to maintain the SLs during anticipated transients and to assist the ESPS in providing acceptable consequences during accidents.

1a. Nuclear Overpower - High Setpoint;

2. RCS High Outlet Temperature;
3. RCS High Pressure;
4. RCS Low Pressure;
5. RCS Variable Low Pressure;
6. Reactor Building High Pressure; OCONEE UNITS 1, 2, & 3 B 3.3.1-19 12/10/14 1

RPS Instrumentation B 3.3.1 BASES APPLICABLE General Discussion (continued)

SAFETY ANALYSES, LCO, and 7. Reactor Coolant Pump to Power; and APPLICABILITY

8. Nuclear Overpower Flux/Flow Imbalance.

Functions la, 3, 4, 5, 7, and 8 just listed may be bypassed in MODE 2 when RCS pressure is below 1720 psig, provided the Shutdown Bypass RCS High Pressure and the Nuclear Overpower - Low setpoint trip are placed in operation. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

The Main Turbine Trip (Hydraulic Fluid Pressure) Function is required to be OPERABLE in MODE 1 at Ž_30% RTP. The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) Function is required to be OPERABLE in MODE 1 and in MODE 2 at __2% RTP. For operation below these power levels, these trips are not necessary to minimize challenges to the PORVs as required by NUREG-0737 (Ref. 5).

Because the safety function of the RPS is to trip the CONTROL RODS, the RPS is not required to be OPERABLE in MODE 3, 4, or 5 if either the reactor trip breakers are open, or the CRD System is incapable of rod withdrawal. Similarly, the RPS is not required to be OPERABLE in MODE 6 because the CONTROL RODS are normally decoupled from the CRDs.

However, in MODE 2, 3, 4, or 5, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are required to be OPERABLE if the CRD trip breakers are closed and the CRD System is capable of rod withdrawal. Under these conditions, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are sufficient to prevent an approach to conditions that could challenge SLs.

ACTIONS Conditions A and B are applicable to all RPS protective Functions. If a channel's trip setpoint is found nonconservative with respect to the required Allowable Value in Table 3.3.1-1, or the transmitter, instrument loop, signal processing electronics or processor output trip device is found inoperable, the channel must be declared inoperable and Condition A entered immediately.

When an RPS channel is manually tripped, the functions that were inoperable prior to tripping remain inoperable. Other functions in the same channel that were OPERABLE prior to tripping remain OPERABLE.

OCONEE UNITS 1, 2, & 3 B 3.3.1-20 12/10/14 1

RPS Instrumentation B 3.3.1 BASES ACTIONS A._1 (continued)

For Required Action A.1, if one or more Functions in a required protective channel becomes inoperable, the affected protective channel must be placed in trip.

Placing the affected Function in trip places only the affected Function in each required channel in a one-out-of-two logic configuration. Ifthe same function in another channel exceeds the setpoint, all channels will trip. In this configuration, the RPS can still perform its safety function in the presence of a random failure of any single Channel. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time is justified based on the continuous monitoring and signal validation being performed and is sufficient time to place a Function in trip. If the individual Function cannot be placed in trip, the Operator can trip the affected channel with the use of the Manual Trip Keyswitch until such time that the Function can be placed in trip. This places all RPS Functions in a one-out-of-two logic configuration.

B.1 Required Action B.1 directs entry into the appropriate Condition referenced in Table 3.3.1-1. The applicable Condition referenced in the table is Function dependent. Ifthe Required Action and the associated Completion Time of Condition A are not met or if more than two channels are inoperable, Condition B is entered to provide for transfer to the appropriate subsequent Condition.

C.1 and C.2 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition C, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and to open all CRD trip breakers without challenging unit systems.

D..1 Ifthe Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition D, the unit must be brought to a MODE in which the specified RPS trip Functions are not OCONEE UNITS 1, 2, & 3 B 3.3.1-21 12/10/14 1

RPS Instrumentation B 3.3.1 BASES ACTIONS D.1 (continued) required to be OPERABLE. To achieve this status, all CRD tdp breakers must be opened. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to open CRD tdp breakers without challenging unit systems.

E.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition E, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 30% RTP. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach 30% RTP from full power conditions in an orderly manner without challenging unit systems.

F.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition F, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 2% RTP. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, to reach 2% RTP from full power conditions in an orderly manner without challenging unit systems.

SURVEILLANCE The SRs for each RPS Function are identified by the SRs column of REQUIREMENTS Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION testing.

The SRs are modified by a Note. The Note directs the reader to Table 3.3.1-1 to determine the correct SRs to perform for each RPS Function.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred.

OCONEE UNITS 1, 2, & 3 B 3.3.1-22 12/10/14 1

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.1 (continued)

REQUIREMENTS A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal but more frequent checks of channel OPERABILITY during normal operational use of the displays associated with the LCO's required channels.

For Functions that trip on a combination of several measurements, such as the Nuclear Overpower Flux/Flow Imbalance Function, the CHANNEL CHECK must be performed on each input.

The CHANNEL CHECK requirement is met automatically. The digital RPS provides continuous online automatic monitoring of each of the input signals in each channel, performs signal online validation against required acceptance criteria, and provides hardware functional validation.

If any protective channel input signal is identified to be in the failure status, this condition is alarmed on the Unit Statalarm and input to the plant OAC. Immediate notification of the failure status is provided to the Operations staff.

OCONEE UNITS 1, 2, & 3 B 3.3.1-23 12/10/14 1

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.2 REQUIREMENTS (continued) This SR is the performance of a heat balance calibration for the power range channels when reactor power is > 15% RTP. The heat balance calibration consists of a comparison of the results of the calorimetric with the power range channel output. The outputs of the power range channels are normalized to the calorimetric. If the calorimetric exceeds the Nuclear Instrumentation System (NIS) channel output by > 2% RTP, the NIS is not declared inoperable but must be adjusted. Ifthe NIS channel cannot be properly adjusted, the channel is declared inoperable. A Note clarifies that this Surveillance is required to be performed only if reactor power is >_15%

RTP and that 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are less accurate.

The power range channel's output shall be adjusted consistent with the calorimetric results if the calorimetric exceeds the power range channel's output by _>2% RTP. The value of 2% is adequate because this value is assumed in the safety analyses of UFSAR, Chapter 15 (Ref. 2). These checks and, if necessary, the adjustment of the power range channels ensure that channel accuracy is maintained within the analyzed error margins. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.3 A comparison of power range nuclear instrumentation channels against incore detectors shall be performed when reactor power is _>15% RTP. A Note clarifies that 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed for performing the first Surveillance after reaching 15% RTP. Ifthe absolute value of imbalance error is >_2%

RTP, the power range channel is not inoperable, but an adjustment of the measured imbalance to agree with the incore measurements is necessary.

The Imbalance error calculation is adjusted for conservatism by applying a correlation slope (CS) value to the error calculation formula. This ensures that the value of the APIo is > API,. The CS value is listed in the COLR and is cycle dependent. If the power range channel cannot be properly recalibrated, the channel is declared inoperable. The calculation of the Allowable Value envelope assumes a difference in out of core to incore measurements of 2.0%. Additional inaccuracies beyond those that are measured are also included in the setpoint envelope calculation.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 B 3.3.1-24 12/10/14 1

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.4 REQUIREMENTS (continued) This SR has been deleted.

SR 3.3.1.5 This SR manually retrieves the software setpoints and verifies they are correct. The proper functioning of the processor portion of the channel is continuously checked by an automatic cyclic self monitoring. Verification of field instrument setpoints is not required by this surveillance. This surveillance does not apply to the Reactor Building Pressure Function because it consists of pressure switches which provide a contact status to the system and there is no software setpoint to verify.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.6 This SR requires manual actuation of the output channel interposing relays to demonstrate OPERABILITY of the relays. The proper functioning of the processor portion of the channel is continuously checked by an automatic cyclic self monitoring.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.7 A Note to the Surveillance indicates that neutron detectors are excluded from CHANNEL CALIBRATION. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure virtually instantaneous response.

A CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that OCONEE UNITS 1, 2, & 3 B 3.3.1-25 12/10/14 1

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.7 (continued)

REQUIREMENTS measurement errors and processor output trip device setpoint errors are within the assumptions of the uncertainty analysis. Whenever a sensing element is replaced, the CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

Since the CHANNEL FUNCTIONAL TEST is a part of the CHANNEL CALIBRATION a separate SR is not required. The digital RPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The protection system also performs continuous online hardware monitoring. The CHANNEL CALIBRATION essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.

The digital processors shall be rebooted as part of the calibration. This verifies that the software has not changed. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements. This, in combination with ensuring the setpoints are entered into the software correctly per SR 3.3.1.5, verifies the setpoints are within the Allowable Values.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Chapter 7.

2. UFSAR, Chapter 15.
3. 10 CFR 50.49.
4. EDM-1 02, "Instrument Setpoint/Uncertainty Calculations."
5. NUREG-0737, "Clarification of TMI Action Plan Requirements,"

November 1979.

6. BAW-10167, May 1986.
7. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.1-26 12/10/14 1

RPS - RTC B 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Reactor Protective System (RPS) - Reactor Trip Component (RTC)

BASES BACKGROUND The RPS consists of four independent protection channels, each containing an RTC. Figure 7.1 of UFSAR, Chapter 7 (Ref. 1), shows a typical RPS protection channel and the relationship of the RTC to the RPS instrumentation, manual trip, and CONTROL ROD drive (CRD) trip devices.

The RTC is made up of two digital output modules and four Reactor Trip Relays (RTR) all contained within the respective RPS channel's cabinet.

The RTC receives a channel trip signal in its own channel and channel trip signals from the digital output modules in the other three RPS channels.

Whenever any two RPS channels transmit channel trip signals, the RTC logic in each channel actuates to remove 120 VAC power from its associated CRD trip devices.

The RPS trip scheme consists of processor output trip devices.

During normal unit operations, the digital output modules maintain the RTRs energized. However, if an RPS channel initiates a trip signal, the digital output modules in that RPS channel will de-energize the reactor trip relay in that RPS channel and the associated RTR in each of the other three RPS channels.

When an RPS channel provides a trip signal, the digital output modules in that RPS channel de-energize RTRs such that the following occurs:

a. Each of the four (4) RTRs driven by that RPS channel's digital output modules "informs" its associated RPS channel that a reactor trip signal has occurred in the tripped RPS channel;
b. The contacts in the trip device circuitry, powered by the tripped channel, open, but the trip device remains energized through the closed contacts from the RTRs of the other RTCs. (This condition exists in each RPS - RTC. Each RPS - RTC controls power to a trip device.)

OCONEE UNITS 1, 2, & 3 B 3.3.3-1 12/10/14 1

RPS - RTC B 3.3.3 BASES BACKGROUND When the second RPS channel senses a reactor trip condition, the RTRs (continued) driven by the digital output modules for the second channel de-energize and open contacts that supply power to the trip devices. With contacts opened by two separate RPS channels, power to the trip devices is interrupted and the CONTROL RODS fall into the core.

A minimum of two out of four RTCs must sense a trip condition to cause a reactor trip.

Because of the interchannel communication and 2.MIN/2.MAX (for I analog inputs) and two-out-of-four (for binary inputs), an RPS channel will not provide a trip signal to its RTC until trip conditions are satisfied in at least two RPS channels for the same trip function.

The contacts of the four reactor trip relays in each RPS Channel cabinet are wired in a two-out-of-four logic scheme. The relays de-energize to de-energize the Control Rod Drive Breaker undervoltage circuit wired to that channel and cause the shunt trip coil monitoring the circuit to be energized. Either de-energizing the undervoltage circuit or energizing the shunt trip circuit trips the CRD breaker.

APPLICABLE Transient and accident analyses rely on a reactor trip for protection of SAFETY ANALYSES reactor core integrity, reactor coolant pressure boundary integrity, and reactor building OPERABILITY. A reactor trip must occur when needed to prevent accident conditions from exceeding those calculated in the accident analyses. More detailed descriptions of the applicable accident analyses are found in the bases for each of the RPS trip Functions in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation."

The RTCs satisfy Criterion 3 of 10 CFR 50.36 (Ref. 2).

LCO LCO 3.3.3 requires all four RTCs to be OPERABLE. Failure of any RTC renders a portion of the RPS inoperable.

An OPERABLE RTC must be able to receive and interpret trip signals from OPERABLE RPS channels and to open its associated trip device.

The requirement of four RTCs to be OPERABLE ensures that a minimum of two RTCs will remain OPERABLE if a single failure has occurred in one RTC and if a second RTC is out of service. This two-out-of-four trip logic also ensures that a single RTC failure will not cause an unwanted reactor trip.

Violation of this LCO could result in a trip signal not causing a reactor trip when needed.

I OCONEE UNITS 1, 2, & 3 B 3.3.3-2 12/10/14 1

RPS - RTC B 3.3.3 BASES (continued)

APPLICABILITY The RTCs are required to be OPERABLE in MODES 1 and 2. They are also required to be OPERABLE in MODES 3, 4, and 5 ifany CRD trip breakers are in the closed position and the CRD System is capable of rod withdrawal. The RTCs are designed to ensure a reactor trip would occur, if needed. This condition can exist in all of these MODES; therefore, the RTCs must be OPERABLE.

ACTIONS A.1 and A.2 When an RTC is inoperable, the associated CRD trip breaker must then be placed in a condition that is equivalent to a tripped condition for the RTC.

Required Action A.1 or Required Action A.2 requires this either by tripping the CRD trip breaker or by removing power to the CRD trip device. Tripping one RTC or removing power opens one of the CRD trip devices, which will result in the loss of one of the parallel power supplies. Power to hold CONTROL RODS in position is still provided via the parallel CRD power supply. Therefore, a reactor trip will not occur until a second protection channel trips.

B.1, B.2.1. and B.2.2 Condition B applies if two or more RTCs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 1, 2, or 3. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 with all CRD trip breakers open or with power from all CRD trip breakers removed within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

C.1 and C.2 Condition C applies if two or more RTCs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 4 or 5. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by opening all CRD trip breakers or removing power from all CRD trip breakers. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to open all CRD trip breakers or remove power from all CRD trip breakers without challenging unit systems.

OCONEE UNITS 1, 2, & 3 B 3.3.3-3 i-2/1-0/14 I

RPS - RTC B 3.3.3 BASES (continued)

SURVEILLANCE SR 3.3.3.1 REQUIREMENTS The SRs include performance of a CHANNEL FUNCTIONAL TEST. This test shall verify the OPERABILITY of the RTC and its ability to receive and properly respond to channel trip and reactor trip signals.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This testing is normally performed on a rotational basis. Testing in this manner reduces the likelihood of the same systematic test errors being introduced into each redundant RTC.

REFERENCES 1. UFSAR, Chapter 7.

2. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.3-4 12/10/14 1

CRD Trip Devices B 3.3.4 B 3.3 INSTRUMENTATION B 3.3.4 Control Rod Drive (CRD) Trip Devices BASES BACKGROUND The Reactor Protective System (RPS) contains multiple CRD trip devices in the form of four AC trip breakers. The system has two separate paths (or channels), with each path having two AC breakers in series. In either case, each path provides independent power to the CRDs. Also, in either case, either path can provide sufficient power to operate the entire CRD System.

Figure 7.1, UFSAR, Chapter 7 (Ref. 1), illustrates the configuration of Reactor Protection System (RPS) Reactor Trip Components (RTC's) and the trip breakers. To trip the reactor, power to the CRDs must be removed. Loss of power causes the CRD mechanisms to release the CONTROL RODS, which then fall by gravity into the core.

Power to CRIs is supplied from two separate sources through the AC trip circuit breakers. These breakers are designated A, B, C, and D. Their undervoltage (trip) coils are powered by RPS channels A, B, C, and D, respectively and their shunt (trip) coils are actuated by RPS channels A, B, C, and D, respectively. From the circuit breakers, the CRD power travels through voltage regulators and stepdown transformers. These devices in turn supply redundant buses that feed the Single Rod Power Supplies (SRPS).

Two AC breakers (A and C) are in series to feed one redundant train of the SRPS, whereas the other two series AC breakers (B and D)feed the other redundant train of the SRPS. The minimum required logic required to cause a reactor trip is the opening of a circuit breaker in each parallel path to the SRPS. This is known as a one-out-of-two taken twice logic. The following examples illustrate the operation of the reactor trip circuit breakers.

a. Ifthe A or C circuit breaker opens, input power to one train of the SRPS's is lost.
b. If in addition, the B or D circuit breaker opens, input power to the other train of the SRPS's is lost, which will result in the dropping of all rods (except APSR's) into the core.

OCONEE UNITS 1, 2, & 3 B 3.3.4-1 12/10/14 1

CRD Trip Devices B 3.3.4 BASES BACKGROUND The reactor trip relays located in RPS Channel A cabinet provide the I (continued) two-out-of-four relay logic to trip CRD breaker A, relays in RPS B cabinet trip CRD breaker B, relays in RPS C cabinet trip CRD breaker C, and relays in RPS D cabinet trip CRD breaker D. Iftwo or more channels of RPS indicate a valid software trip logic condition (two-out-of-four), the binary outputs will de-energize the trip relays associated with those channels in all RPS cabinets, tripping all four CRD breakers resulting in a reactor trip.

APPLICABLE Accident analyses rely on a reactor trip for protection of reactor core SAFETY ANALYSES integrity, reactor coolant pressure boundary integrity, and reactor building OPERABILITY. A reactor trip must occur when needed to prevent accident consequences from exceeding those calculated in the accident analyses. The CONTROL ROD position limits ensure that adequate rod worth is available upon reactor trip to shut down the reactor to the required SDM. Further, OPERABILITY of the CRD trip devices ensures that all CONTROL RODS will trip when required. More detailed descriptions of the applicable accident analyses are found in the Bases for each of the individual RPS trip Functions in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation."

The CRD trip devices satisfy Criterion 3 of CFR 50.36 (Ref. 2).

LCO The LCO requires all of the specified CRD trip devices to be OPERABLE.

Failure of any required CRD trip device renders a portion of the RPS inoperable and reduces the reliability of the affected Functions. Without reliable CRD reactor trip circuit breakers and associated support circuitry, a reactor trip may not reliably occur when initiated either automatically or manually.

All required CRD trip devices shall be OPERABLE to ensure that the reactor remains capable of being tripped any time it is critical.

OPERABILITY is defined as the CRD trip device being able to receive a reactor trip signal and to respond to this trip signal by interrupting power to the CRDs. Both of the CRD trip breaker's diverse trip devices and the breaker itself must be functioning properly for the breaker to be OPERABLE.

Requiring all breakers to be OPERABLE ensures that at least one device in each of the two power paths to the CRDs will remain OPERABLE even with a single failure.

OCONEE UNITS 1, 2, & 3 B83.3.4-2 12/10/14 1

CRD Trip Devices B 3.3.4 BASES (continued)

APPLICABILITY The CRD trip devices shall be OPERABLE in MODES 1 and 2, and in MODES 3, 4, and 5 when any CRD trip breaker is in the closed position and the CRD System is capable of rod withdrawal.

The CRD trip devices are designed to ensure that a reactor trip would occur if needed. Since this condition can exist in all of these MODES, the CRD trip devices shall be OPERABLE.

ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each CRD trip device.

A.1 and A.2 Condition A represents reduced redundancy in the CRD trip Function.

Condition A applies when one diverse trip Function (undervoltage or shunt trip device) is inoperable in one or more CRD trip breaker(s).

Ifone of the diverse trip Functions on a CRD trip breaker becomes inoperable, actions must be taken to preclude the inoperable CRD trip device from preventing a reactor trip when needed. This is done by manually tripping the inoperable CRD trip breaker or by removing power from the inoperable CRD trip breaker. Either of these actions places the affected CRDs in a one-out-of-two trip configuration, which precludes a single failure from preventing a reactor trip. The 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Completion Time has been shown to be acceptable through operating experience.

B.1 and B.2 Condition B represents a loss of redundancy for the CRD trip Function.

Condition B applies when both diverse trip Functions are inoperable in one or more trip breaker(s).

Required Action B.1 and Required Action B.2 are the same as Required Action A.1 and Required Action A.2, but the Completion Time is shortened.

The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time allowed to trip or remove power from the CRD trip breaker allows the operator to take all the appropriate actions for the inoperable breaker and still ensures that the risk involved is acceptable.

OCONEE UNITS 1, 2, & 3 B 3.3.4-3 12/10/14 1

CRD Trip Devices B 3.3.4 BASES ACTIONS C.1, C.2.1, and C.2.2 (continued)

With the Required Action and associated Completion Time of Condition A or B not met in MODE 1, 2, or 3, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 3, with all CRD trip breakers open or with power from all CRD trip breakers removed within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

D.1 and D.2 With the Required Action and associated Completion Time of Condition A or B not met in MODE 4 or 5, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, all CRD trip breakers must be opened or power from all CRD trip breakers removed within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to open all CRD trip breakers or remove power from all CRD trip breakers without challenging unit systems.

SURVEILLANCE SR 3.3.4.1 REQUIREMENTS SR 3.3.4.1 is to perform a CHANNEL FUNCTIONAL TEST. This test verifies the OPERABILITY of the trip devices by actuation of the end devices. Also, this test independently verifies the undervoltage and shunt trip mechanisms of the trip breakers. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Chapter 7.

2. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.4-4 12/10/14 1

ESPS Input Instrumentation B 3.3.5 B 3.3 INSTRUMENTATION B 3.3.5 Engineered Safeguards Protective System (ESPS) Input Instrumentation BASES BACKGROUND The ESPS initiates necessary safety systems, based on the values of I selected unit Parameters, to protect against violating core design limits and to mitigate accidents.

ESPS actuates the following systems:

  • High Pressure Injection (HPI);
  • Low Pressure Injection (LPI);
  • Reactor Building (RB) cooling;
  • RB Spray; 0 RB Isolation; and
  • Keowee Hydro Unit Emergency Start.

The ESPS operates in a distributed manner to initiate the appropriate systems. The ESPS does this by determining the need for actuation in each of three input channels monitoring each actuation Parameter. Once the need for actuation is determined, the condition is transmitted to automatic actuation output logic channels, which perform the two-out-of-three logic to determine the actuation of each end device. Each end device has its own automatic actuation logic, although all automatic actuation output logic channels take their signals from the same processor output trip device in each channel for each Parameter.

Four Parameters are used for actuation:

  • High RB Pressure; and
  • High High RB Pressure.

I OCONEE UNITS 1, 2, & 3 B 3.3.5-1 12/10/14 1

ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND LCO 3.3.5 covers only the input instrumentation channels that measure (continued) these Parameters. These channels include all intervening equipment necessary to produce actuation before the measured process Parameter exceeds the limits assumed by the accident analysis. This includes sensors, processor output trip devices, operational bypass circuitry, and voter input. LCO 3.3.6, "Engineered Safeguards Protective System (ESPS) Manual Initiation," and LCO 3.3.7, "Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels,"

provide requirements on the manual initiation and automatic actuation output logic Functions.

There are three input channels. The ESPS Protective Channels A, B and C are made up of two independent subsystems - one subsystem is installed in the ESPS cabinets and is designated A2, B2, and C2. The other independent and redundant subsystem is installed in the RPS cabinets and is designated Al, B1, and Cl. This subsystem uses the RPS protective channels (A, B, and C) computers. The ESPS input signals are not redundant for the two subsystems. The same input signals are fed to ESPS subsystems 1 and 2. The ESPS subsystems are fully redundant with the exception of the shared inputs. Each of these two independent ESPS subsystems is fully capable of performing all required protective actions.

The three ESPS channel computers in each subsystem are interconnected via fiber optic data links, in a way that enables the exchange of data and signal online validation, before the calculation of trip functions. If the setpoint for a single input channel (for example, the RB High pressure input to Channel A) is exceeded, a channel trip statalarm is actuated but a channel trip signal is not sent to the automatic actuation output logic channel. Since the two ES subsystems share inputs, this condition will be sensed by both Channel Al and A2. Also, due to the inter-channel communication, all 3 ES channels in each subsystem recognize that this input channel setpoint has been exceeded for one channel. However, due to the 2.MIN/2.MAX logic within the system, the same input channel setpoint for one of the other three channels must be exceeded before channel trip signals are sent to the automatic actuation output logic channels. Again, due to the inter-channel communication, all 3 ES channels will then generate trip signals since the 2.MIN/2.MAX condition has been satisfied. The ESPS output actuation signals are sent from ESPS protective channels A, B and C to the ESPS actuation computers (Voters) via fiber optic data links. Figure 7.5 UFSAR, Chapter 7 (Ref. 1), illustrates how input instrumentation channel trips combine to cause automatic actuation output logic channel trips.

OCONEE UNITS 1, 2, & 3 B 3.3.5-2 12/10/14 1

ESPS Input Instrumentation B 3.3.5

.BASES BACKGROUND The following matrix identifies the input instrumentation (measurement)

(continued) channels and the Automatic Actuation Output Logic Channels actuated by each.

Output Actuated RCS RCS RB RB Logic Channels Systems/ PRESS PRESS PRESS PRESS Functions LOW LOW HIGH HIGH LOW HIGH 1 and 2 HPI and RB Non-Essential X X Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input 3 and 4 LPI X X 5 and 6 RB Cooling and RB X Essential isolation 7 and 8 RB Spray X The ES equipment is generally divided between the two redundant actuation output logic channels. The division of the equipment between the two actuation output logic channels is based on the equipment redundancy and function and is accomplished in such a manner that the failure of one of the actuation output logic channels and the related safeguards equipment will not inhibit the overall ES Functions. Redundant ES pumps are controlled from separate and independent actuation output logic channels with some exceptions (e.g., HPI B pump which is actuated by both).

The actuation of ES equipment is also available by manual actuation switches located on the control room console.

The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically the loss of coolant accident (LOCA) and main steam line break (MSLB) events. The ESPS relies on the OPERABILITY of the automatic actuation output logic for each component to perform the actuation of the selected systems of LCO 3.3.7.

OCONEE UNITS 1, 2, & 3 B 3.3.5-3 12/10/14 1

ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND Engineered Safeguards Protective System Bypasses (continued)

No provisions are made for maintenance bypass of ESPS instrumentation channels. Operational bypass of certain input parameters is necessary to allow accident recovery actions to continue and, for some input parameters, to allow unit shutdown without spurious ESPS actuation.

The ESPS RCS pressure instrumentation channel design allows Manual Bypass when reactor pressure is below the point at which the low and low low pressure trips are required to be OPERABLE. Once permissive conditions are sensed, the RCS pressure trips may be manually bypassed.

Bypasses are automatically removed when bypass permissive conditions are exceeded. This bypass provides an operational provision only outside the Applicability for this parameter, and provides no safety function.

There are two redundant subsystems. The same input signal is fed to each subsystem. In subsystem 1, channels Al, B1, and Cl provide the input to Voter 1 Odd and Voter 1 Even. In subsystem 2, channels A2, B2, and C2 provide input to Voter 2 Odd and Voter 2 Even. Either subsystem provides the full complement of Voters. This allows for a Manual (maintenance) Bypass of one complete subsystem, or portion of a subsystem, without entering into an LCO Condition.

Parameter Change Enable Mode The ESPS Instrument Input Channel A2, B2, and C2 processors can each be placed in different operating modes through the use of the "Parameter Change Enable" keyswitches and commands from the Service Unit. Each protective channel A2, B2,and C2 has a keyswitch located in that channel's cabinet pair.

Placing ESPS Channels Al, B1 or Cl in Parameter Change Enable Mode through the use of the "Parameter Change Enable" keyswitch located in the corresponding RPS cabinet will also place the corresponding RPS Channels A, B, or C in Parameter Change Enable Mode.

When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:

  • The processors continue with normal operation.
  • A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.

OCONEE UNITS 1, 2, & 3 B 3.3.5-4 12/10/14 1

ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND Parameter Change Enable Mode (continued)

With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:

  • Normal Operation - with permissive for operating mode change.
  • Parameterization - allows changes to specific parameters (example placing a parameter into a tripped condition or performing Go/NoGo testing).
  • Function Test - for disabling the application function and forcing output signal for testing purposes (normally not used).
  • Diagnostics - for downloading new application software.

The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions. Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.

When a keyswitch is placed in the Parameter Change Enable Mode Position for any activity, the affected processor shall first be declared out of service. In addition to declaring the processor out of service, when loading or revising software in a processor, the affected ESPS input shall be tripped OR the associated ESPS voters shall be placed in Bypass. If this activity is being performed on an ES Input Channel in subsystem 1, the associated RPS channel shall also be placed in manual bypass. Only one ESPS channel at a time is allowed to be placed into Parameter Change Enable Mode Position for software loading/revision.

Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the TXS Gateway.

ESPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).

Reactor Coolant System Pressure The RCS pressure is monitored by three independent pressure transmitters located in the RB. These transmitters are separate from the transmitters that provide inputs to the Reactor Protective System (RPS). The output of each transmitter terminates in an input isolation module in the ESPS, which provides individually isolated output pressure signals. Each of the pressure signals generated by these transmitters is monitored by two independent digital processing systems, with three ESPS input logic channels and three RPS/ESPS input logic channels to provide two trip OCONEE UNITS 1, 2, & 3 B 3.3.5-5 12/10/14 1

ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND Reactor Coolant System Pressure (continued) signals, at,>_ 1590 psig and Ž_500 psig, and two bypass permissive signals, at _<1750 psig and _<900 psig.

The outputs of the three logic processor channels in each of the two processing subsystems (ESPS and RPS/ESPS) generate an output trip signal to its associated independent actuation train Voters (Odd and Even) when the second minimum pressure signal of any of the three input channels falls below the Low RCS pressure setpoint. This will initiate an actuation of the Voter Output Channels 1 and 2 (HPI Actuation). The outputs of the input logic processors in each processing system also generate an output trip signal to its associated independent actuation train Voters (Odd and Even) when the second minimum pressure signal of the three input channels falls below the Low Low RCS pressure setpoint. This will initiate an actuation of the Voter Output Channels 3 and 4 (LPI Actuation).

Reactor Building Pressure There are three independent RB pressure transmitters. The outputs of the three logic processor channels in each of the two processing subsystems (ESPS and RPS/ESPS) generate an output trip signal to its associated independent actuation train Voters (Odd and Even) when the second maximum pressure signal of any of the three input channels increases above the High RB pressure setpoint. This will initiate an actuation of Voter Output Channels 5 and 6 (RB Cooling Actuation and RB Essential Isolation). The outputs of the three high RB pressure processor output trip devices also trip Voter Output Channels 1, 2, 3 and 4 to initiate HPI and LPI.

The ESPS channels of the RB Spray System are formed by two separate two-out-of-three logic networks with the active elements originating in six RB pressure sensing pressure switches. One two-out-of-three network actuates Channel 7 and the other two-out-of-three network actuates Channel 8. Either of the two networks is capable of initiating the required protective action.

Trip Setpoints and Allowable Values Trip setpoints are the nominal value at which the processor output trip devices are set. Any processor output trip device is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy.

OCONEE UNITS 1, 2, & 3 B 3.3.5-6 12/10/14 1

ESPS Input Instrumentation B 3.3.5 BASES BACKGROUND Trip Setpoints and Allowable Values (continued)

The trip setpoints used in the processor output trip devices are selected such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment induced errors for those ESPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 2), the Allowable Values specified in Table 3.3.5-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints and associated uncertainties is provided in Reference 3. The actual trip setpoint entered into the processor output trip device is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL CALIBRATION. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

Setpoints, in accordance with the Allowable Values, ensure that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the accident and the equipment functions as designed.

With the exception of Reactor Building Pressure - High High function, each channel is tested online by manually retrieving the software setpoint I to ensure it has been entered correctly. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements. The Reactor Building Pressure - High High actuation channel does not have software setpoints; it is actuated by a pressure switch that provides contact status only.

APPLICABLE The following ESPS Functions have been assumed within the accident SAFETY ANALYSES analyses.

High Pressure Iniection The ESPS actuation of HPI has been assumed for core cooling in the LOCA analysis and is credited with boron addition in the MSLB analysis.

Low Pressure Iniection The ESPS actuation of LPI has been assumed for large break LOCAs.

OCONEE UNITS 1, 2, & 3 B 3.3.5-7 12/10/14 1

ESPS Input Instrumentation B 3.3.5 BASES APPLICABLE Reactor Buildinq Spray, Reactor Buildinq Cooling, and SAFETY ANALYSES Reactor Building Isolation (continued)

The ESPS actuation of the RB coolers and RB Spray have been credited in RB analysis for LOCAs, both for RB performance and equipment environmental qualification pressure and temperature envelope definition.

Accident dose calculations have credited RB Isolation and RB Spray.

Keowee Hydro Unit Emergency Start The ESPS initiated Keowee Hydro Unit Emergency Start has been included in the design to ensure that emergency power is available throughout the limiting LOCA scenarios.

The small break LOCA analyses assume a conservative 48 second delay time for the actuation of HPI and LPI in UFSAR, Chapter 15 (Ref. 4). The large break LOCA analyses assume LPI flow starts in 38 seconds while full LPI flow does not occur until 36 seconds later, or 74 seconds total (Ref. 4). This delay time includes allowances for Keowee Hydro Unit starting, Emergency Core Cooling Systems (ECCS) pump starts, and valve openings. Similarly, the RB Cooling, RB Isolation, and RB Spray have been analyzed with delays appropriate for the entire system analyzed.

Accident analyses rely on automatic ESPS actuation for protection of the core temperature and containment pressure limits and for limiting off site dose levels following an accident. These include LOCA, and MSLB events that result in RCS inventory reduction or severe loss of RCS cooling.

The ESPS channels satisfy Criterion 3 of 10 CFR 50.36 (Ref. 5).

LCO The LCO requires three input channels of ESPS instrumentation for each Parameter in Table 3.3.5-1 to be OPERABLE in each ESPS automatic actuation output logic channel. Failure of any instrument renders the affected input channel(s) inoperable and reduces the reliability of the affected Functions. There are two redundant ESPS subsystems each having three input channels. Only one subsystem is required to be OPERABLE.

OCONEE UNITS 1, 2, & 3 B 3.3.5-8 12/10/14 1

ESPS Input Instrumentation B 3.3.5 BASES LCO Only the Allowable Value is specified for each ESPS Function in the (continued) LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal trip setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS or CHANNEL CALIBRATIONS do not exceed the Allowable Value if the processor output trip device is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable provided that operation and testing are consistent with the assumptions of the setpoint calculations. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis to account for instrument uncertainties appropriate to the trip Parameter. These uncertainties are defined in Reference 3.

The values for operating bypass removal functions are stated in the Applicable MODES or Other Specified Condition column of Table 3.3.5-1.

Three ESPS input instrumentation channels shall be OPERABLE to ensure that a single failure in one input channel will not result in loss of the ability to automatically actuate the required safety systems.

The bases for the LCO on ESPS Parameters include the following.

Three input channels of RCS Pressure-Low, RCS Pressure-Low Low, RB Pressure-High and RB Pressure-High High are required OPERABLE. Each channel includes a sensor, input isolation modules, interchannel communication modules and processor output trip devices.

Failures that affect the ability to bypass an input channel do not render the input channel inoperable since the input channel is still capable of performing its safety function, i.e., this is not a safety related bypass function.

APPLICABILITY Three input channels of ESPS instrumentation for each of the following Parameters shall be OPERABLE.

1. Reactor Coolant System Pressure - Low The RCS Pressure - Low actuation Parameter shall be OPERABLE during operation at or above 1750 psig. This requirement ensures the capability to automatically actuate safety systems and components during conditions indicative of a LOCA or secondary unit overcooling. Below 1750 psig, the low RCS Pressure actuation Parameter can be bypassed to avoid actuation during normal unit cooldowns when safety systems actuations are not required.

OCONEE UNITS 1, 2, & 3 B 3.3.5-9 12/10/14 1

ESPS Input Instrumentation B 3.3.5 BASES APPLICABILITY 1. Reactor Coolant System Pressure - Low (continued)

The allowance for the bypass is consistent with the transition of the unit to a lower energy state, providing greater margins to safety limits. The unit response to any event, given that the reactor is already tripped, will be less severe and allows sufficient time for operator action to provide manual safety system actuations. This is even more appropriate during unit heatups when the primary system and core energy content is low, prior to power operation.

In MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. RCS pressure and temperature are very low, and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

2. Reactor Coolant System Pressure - Low Low The RCS Pressure - Low Low actuation Parameter shall be OPERABLE during operation above 900 psig. This requirement ensures the capability to automatically actuate safety systems and components during conditions indicative of a LOCA or secondary unit overcooling. Below 900 psig, the low low RCS Pressure actuation Parameter can be bypassed to avoid actuation during normal unit cooldowns when safety system actuations are not required.

The allowance for the bypass is consistent with the transition of the unit to a lower energy state, providing greater margins to safety limits. The unit response to any event, given that the reactor is already tripped, will be less severe and allows sufficient time for operator action to provide manual safety system actuations. This is even more appropriate during unit heatups when the primary system and core energy content is low, prior to power operation.

OCONEE UNITS 1, 2, & 3 B 3.3.5-10 12/10/14 1

ESPS Input Instrumentation B 3.3.5 BASES APPLICABILITY 2. Reactor Coolant System Pressure - Low Low (continued)

In MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. RCS pressure and temperature are very low, and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

3, 4. Reactor Building Pressure - High and Reactor Building Pressure -High High The RB Pressure - High and RB Pressure - High High actuation Functions of ESPS shall be OPERABLE in MODES 1, 2, 3, and 4 when the potential for a HELB exists. In MODES 5 and 6, the unit conditions are such that there is insufficient energy in the primary and secondary systems to raise the containment pressure to either the RB Pressure - High or RB Pressure - High High actuation setpoints. Furthermore, in MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident.

RCS pressure and temperature are very low and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

ACTIONS Required Actions A and B apply to all ESPS input instrumentation Parameters listed in Table 3.3.5-1.

A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each Parameter.

If an input channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or ESPS input isolation modules, inter-channel communication modules and processor output trip devices are found inoperable, then all affected functions provided by that input channel should be declared inoperable and the unit must enter the Conditions for the particular protective Parameter affected.

OCONEE UNITS 1, 2, & 3 B 3.3.5-11 12/10/14 1

ESPS Input Instrumentation B 3.3.5 BASES ACTIONS A..1 (continued)

Condition A applies when one input channel becomes inoperable in one or more Parameters. Ifone ESPS input instrument channel is inoperable, placing it in a tripped condition leaves the system in a one-out-of-two condition for actuation. Thus, if another input channel were to fail, the ESPS instrumentation could still perform its actuation functions.

This can be accomplished two ways: (1) by placing an input logic channel (A, B or C) in trip with the associated Manual Trip keyswitch (the input Manual Trip channel keyswitch trips all ESPS functions in the channel), or (2) tripping the individual input parameter functional software through the interactive Graphical Service Monitor dialog screen. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time is justified based on the continuous monitoring and signal validation being performed and is sufficient time to place a Parameter in trip. If the Parameter cannot be placed in trip, the Operator can trip the affected channel with the use of the Manual Trip keyswitch until such time that the individual parameter can be placed in trip.

B.1, B.2.1. B.2.2. and B.2.3 Condition B applies when the Required Action and associated Completion Time of Condition A are not met or when one or more parameters have two or more inoperable input channels. If Condition B applies, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and, for the RCS Pressure-Low Parameter, to

< 1750 psig, for the RCS Pressure-Low Low Parameter, to < 900 psig, and for the RB Pressure-High Parameter and RB Pressure-High High Parameter, to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

OCONEE UNITS 1, 2, & 3 B 3.3.5-12 12/10/14 1

ESPS Input Instrumentation B 3.3.5 BASES SURVEILLANCE The ESPS Parameters listed in Table 3.3.5-1 are subject to REQUIREMENTS CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION.

SR 3.3.5.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that input instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two input instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but potentially more frequent, checks of channel operability during normal operational use of the displays associated with the LCO's required channels.

The CHANNEL CHECK requirement is met automatically. The digital ESPS provides continuous online automatic monitoring of each of the input signals in each channel, performs signal online validation against required acceptance criteria, and provides hardware functional validation.

Ifany protective channel input signal is identified to be in the failure status, this condition is alarmed on the Unit Statalarm and input to the plant OAC. Immediate notification of the failure status is provided to the Operations staff.

OCONEE UNITS 1, 2, & 3 B 3.3.5-13 12/10/14 1

ESPS Input Instrumentation B 3.3.5 BASES SURVEILLANCE SR 3.3.5.2 REQUIREMENTS (continued) The SR is modified by a Note indicating that it is not applicable to the Reactor Building Pressure - High High parameter. This surveillance does not apply to the Reactor Building Pressure High High parameter because it consists of pressure switches which provide a contact status to the system and there is no software setpoint to verify. This SR manually retrieves the software setpoints and verifies they are correct.

The proper functioning of the processor portion of the channel is continuously checked by automatic cyclic self monitoring. The proper functioning of the processor portion of the channel is continuously checked by automatic cyclic self monitoring. Verification of field instrument setpoints is not required by this surveillance. I The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.3 This SR has been deleted.

SR 3.3.5.4 CHANNEL CALIBRATION is a complete check of the input instrument channel, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION assures that measurement errors and processor output trip device setpoint errors I are within the assumptions of the unit specific uncertainty analysis.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the uncertainty analysis.

Since the CHANNEL FUNCTIONAL TEST is a part of the CHANNEL CALIBRATION a separate SR is not required. The digital ESPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The protection system also performs continuous online hardware monitoring. The CHANNEL CALIBRATION essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.

OCONEE UNITS 1, 2, & 3 B 3.3.5-14 12/10/14 1

ESPS Input Instrumentation B 3.3.5 BASES SURVEILLANCE SR 3.3.5.4 (continued)

REQUIREMENTS The digital processors shall be rebooted as part of the calibration. This verifies that the software has not changed. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements. This, in combination with ensuring the setpoints are entered into the software correctly per SR 3.3.5.2, verifies the setpoints are within the Allowable Values.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Chapter 7.

2. 10 CFR 50.49.
3. EDM-102, "Instrument Setpoint/Uncertainty Calculations."
4. UFSAR, Chapter 15.
5. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.5-15 12/10/14 1

ESPS Manual Initiation B 3.3.6 B 3.3 INSTRUMENTATION B 3.3.6 Engineered Safeguards Protective System (ESPS) Manual Initiation BASES BACKGROUND The ESPS manual initiation capability allows the operator to actuate ESPS Functions from the main control room in the absence of any other initiation condition. This ESPS manual initiation capability is provided in the event the operator determines that an ESPS Function is needed and has not been automatically actuated. Furthermore, the ESPS manual initiation capability allows operators to rapidly initiate Engineered Safeguards (ES)

Functions.

LCO 3.3.6 covers only the system level manual initiation of these Functions. LCO 3.3.5, "Engineered Safeguards Protective System (ESPS)

Input Instrumentation," and LCO 3.3.7, "Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels," provide requirements on the portions of the ESPS that automatically initiate the Functions described earlier.

The ESPS manual initiation Function relies on the OPERABILITY of the automatic actuation output logic channels (LCO 3.3.7) to perform the actuation of the systems. A manual trip push button is provided on the control room console for each of the automatic actuation output logic channels. Operation of the push button energizes relays whose contacts perform a logical "OR" function with the automatic actuation.

The ESPS manual initiation portion of the ESPS system is defined as the instrumentation between the control console Trip/Reset switches and the relay output (RO) relays which actuate the end devices. Other means of manual initiation, such as controls for individual ES devices, may be available in the control room and other unit locations. These alternative means are not required by this LCO, nor may they be credited to fulfill the requirements of this LCO.

OCONEE UNITS 1, 2, & 3 B 3.3.6-1 12/10/14 1

ESPS Manual Initiation B 3.3.6 BASES BACKGROUND A manual actuation of the ESPS actuation functions shall be capable of (continued) being initiated from the main control board Trip/Reset pushbutton switches. Individual pushbuttons are provided for High Pressure Injection and Reactor Building (RB) Non-Essential Isolation (Channels 1 and 2),

Low Pressure Injection and Low Pressure Service Water Actuation (Channels 3 and 4), RB Cooling and RB Essential Isolation (Channels 5 and 6), and RB Spray (Channels 7 and 8). The manual actuation is independent of the ESPS automatic actuation signal and is capable of actuating all channel related actuation field components regardless of any failures of the automatic signal. Initiation of the manual actuation portion of ESPS will also input an actuation signal to the automatic system to provide input to the automatic system indicating that a manual actuation has occurred.

APPLICABLE The ESPS, in conjunction with the actuated equipment, provides protective SAFETY ANALYSES functions necessary to mitigate accidents, specifically, the loss of coolant accident and steam line break events.

The ESPS manual initiation ensures that the control room operator can rapidly initiate ES Functions. The manual initiation trip Function is required as a backup to automatic trip functions and allows operators to initiate ESPS whenever any parameter is rapidly trending toward its trip setpoint.

The ESPS manual initiation functions satisfy Criterion 3 of 10 CFR 50.36 (Ref. 1).

LCO Two ESPS manual initiation channels of each ESPS Function shall be OPERABLE whenever conditions exist that could require ES protection of the reactor or RB. Two OPERABLE channels ensure that no single random failure will prevent system level manual initiation of any ESPS Function. The ESPS manual initiation Function allows the operator to initiate protective action prior to automatic initiation or in the event the automatic initiation does not occur.

OCONEE UNITS 1, 2, & 3 B 3.3.6-2 12/10/14 1

ESPS Manual Initiation B 3.3.6 BASES LCO The required Function is provided by two associated channels. as indicated (continued) in the following table:

Function Associated Channels HPI and RB Non-Essential 1 &2 Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input.

LPI 33&4 RB Cooling and RB Essential 5 &6 isolation RB Spray 7 &8 APPLICABILITY The ESPS manual initiation Functions shall be OPERABLE in MODES 1 and 2, and in MODES 3 and 4 when the associated engineered safeguard equipment is required to be OPERABLE. The manual initiation channels are required because ES Functions are designed to provide protection in these MODES. ESPS initiates systems that are either reconfigured for decay heat removal operation or disabled while in MODES 5 and 6.

Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components. Adequate time is available to evaluate unit conditions and to respond by manually operating the ES components, if required.

ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each ESPS manual initiation Function.

A..I Condition A applies when one manual initiation channel of one or more ESPS Functions becomes inoperable. Required Action A. I must be taken to restore the channel to OPERABLE status within the next 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is based on operating experience and administrative controls, which provide alternative means of ESPS Function initiation via individual component controls. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is generally consistent with the allowed outage time for the safety systems actuated by ESPS.

OCONEE UNITS 1, 2, & 3 B 3.3.6-3 12/10/14 1

ESPS Manual Initiation B 3.3.6 BASES ACTIONS B.1 and B.2 (continued)

With the Required Action and associated Completion Time not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required MODES from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.3.6.1 REQUIREMENTS This SR requires the performance of a CHANNEL FUNCTIONAL TEST of the ESPS manual initiation. This test verifies that the initiating circuitry is OPERABLE and will actuate the automatic actuation output logic channels.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

Failure of reactor building purge valves PR-1, 2, 3, 4, 5, 6 to close following a design basis event would cause a significant increase in the radioactive release because of the large containment leakage path introduced by these 48 inch purge lines. Because of their large size, the 48 inch purge valves are not qualified for automatic closure from their open position under accident conditions. Therefore, the 48 inch purge valves are maintained sealed closed (SR 3.6.3.1) in MODES 1, 2, 3, and 4 to ensure the containment boundary is maintained (Reference 2). Since they are sealed closed in all modes where the Engineered Safeguards system is required operable, testing of these reactor building purge valves is not required per SR 3.3.6.1.

REFERENCES 1. 10 CFR 50.36.

2. NUREG 0737, Section I1.E.4.2.6.

OCONEE UNITS 1, 2, & 3 B 3.3.6-4 12/10/14 1

ESPS Automatic Actuation Output Logic Channels B 3.3.7 B 3.3 INSTRUMENTATION B 3.3.7 Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels BASES BACKGROUND The automatic actuation output logic channels are defined as the Voters, the output relays and associated contacts. The Voters are used to provide an output signal to the output relays for the LP-1 interlock. Since LP-1 is not an ES valve, any inoperability of the ESPS associated with this particular function would require no action by TS 3.3.7. Each of the components actuated by the ESPS Functions is associated with one or more automatic actuation output logic channels. If two-out-of-three ESPS input instrumentation channels indicate a trip, or if channel level manual initiation occurs, the automatic actuation output logic channel is activated and the associated equipment is actuated. The purpose of requiring OPERABILITY of the ESPS automatic actuation output logic channels is to ensure that the Functions of the ESPS can be automatically initiated in the event of an accident. Automatic actuation of some Functions is necessary to prevent the unit from exceeding the Emergency Core Cooling Systems (ECCS) limits in 10 CFR 50.46 (Ref. 1). It should be noted that OPERABLE automatic actuation output logic channels alone will not ensure that each Function can be activated; the input instrumentation channels and actuated equipment associated with each Function must also be OPERABLE to ensure that the Functions can be automatically initiated during an accident.

LCO 3.3.7 covers only the automatic actuation output logic channels that initiates these Functions. LCO 3.3.5, "Engineered Safeguards Protective System (ESPS) Input Instrumentation," and LCO 3.3.6, "Engineered Safeguards Protective System (ESPS) Manual Initiation," provide requirements on the input instrumentation and manual initiation channels that feed into the automatic actuation output logic channels.

The ESPS Protective Channels (computers) A, B, and C are I implemented on two independent and redundant subsystems. One subsystem, containing channels A2, B2, and C2, uses the ESPS protective channel computers, which are installed in the ESPS cabinets.

The other sub-system, containing independent and redundant channels Al, B1, and Cl, uses the RPS protective channel computers, which are installed in the RPS cabinets.

OCONEE UNITS 1, 2, & 3 B 3.3.7-1 12/10/14 1

ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES BACKGROUND Each of the independent ESPS and ESPS/RPS protective channel (continued) function output signals are sent to two redundant digital actuation Voter Sets each comprised of an Odd and Even Voter. The Odd Voter is associated with ESPS Automatic Actuation Output Logic Channels 1, 3, 5, and 7 while the Even Voter is associated with Channels 2, 4, 6, and 8. One of the Odd and Even Voter sets (Voter 2) performs the two-out-of-three voting for the actuation signals coming from the ESPS protective channels; the other independent and redundant Odd and Even Voter set (Voter 1) performs the two-out-of-three voting for the actuation signals coming from the ESPS/RPS sets. The independent and redundant ESPS protective safety actuation functions are duplicated in the ESPS and ESPS/RPS subsystems.

The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically, the loss of coolant accident (LOCA) and main steam line break (MSLB) events. The ESPS relies on the OPERABILITY of the automatic actuation logic for each component to perform the actuation of the selected systems.

The small break LOCA analyses assume a conservative 48 second delay time for the actuation of High Pressure Injection (HPI) in UFSAR, Chapter 15 (Ref. 2). The large break LOCA analyses assume Low Pressure Injection (LPI) flow starts in 38 seconds while full LPI flow does not occur until 36 seconds later, or 74 seconds total (Ref. 2). This delay time includes allowances for Keowee Hydro Unit startup and loading, ECCS pump starts, and valve openings. Similarly, the Reactor Building (RB)

Cooling, RB Isolation, and RB Spray have been analyzed with delays appropriate for the entire system.

The ESPS automatic initiation of Engineered Safeguards (ES) Functions to mitigate accident conditions is assumed in the accident analysis and is required to ensure that consequences of analyzed events do not exceed the accident analysis predictions. Automatically actuated features include HPI, LPI, RB Cooling, RB Spray, and RB Isolation.

OCONEE UNITS 1, 2, & 3 B 3.3.7-2 12/10/14 1

ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES BACKGROUND Engineered Safeguards Protective System Bypasses (continued)

There are two redundant subsystems.

The same analog input signal is fed to each subsystem. In subsystem 1, channels Al, B1, and Cl provide the input to Voter 1 Odd and Voter 1 Even. In subsystem 2, channels A2, B2, and C2 provide input to Voter 2 Odd and Voter 2 Even.

Either subsystem provides the full complement of Voters. This allows for a Manual (maintenance) Bypass of one complete subsystem, or portion of a subsystem, without entering into an LCO Condition. While one Voter or a set of Voters are bypassed, the ESPS function is provided by the redundant ESPS subsystem.

Placing a Voter in Manual Bypass is implemented by keyswitches located in the respective ESPS Actuation cabinets. If an ESPS Voter is placed in Manual Bypass, all automatic ESPS actuation functions from that specific Voter are disabled. However, a manual ESPS trip is still available for Operator action to initiate the ESPS safety actuation functions. Only one Manual Bypass keyswitch for the two Odd Voters (Voter 1 Odd or Voter 2 Odd) and one Manual Bypass keyswitch for the two Even Voters (Voter 1 Even or Voter 2 Even) is allowed to be placed in Manual Bypass at a time. Placing an ESPS Voter in Manual Bypass is administratively controlled. The ESPS Manual Bypass keyswitch status information is sent to the Unit control room Statalarm panel and sent to the plant Operator Aid Computer (OAC).

Parameter Chan-ge Enable Mode ESPS Voters for subsystems 1 and 2 and Status processors can be placed in a parameter change enable mode through the use of the Parameter Change Enable keyswitches. One keyswitch will place Odd Voter 1 and the Odd Component Status processor in Parameter Change Enable Mode. One keyswitch will place Even 1 Voter and the Even Component Status processor in Parameter Change Enable Mode. Odd Voter 2 and Even Voter 2 each have their own keyswitch that can be used to place each processor in Parameter Change Enable Mode.

When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:

  • The processors continue with normal operation.
  • A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.

OCONEE UNITS 1, 2, & 3 B 3.3.7-3 12/10/14 1

ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES BACKGROUND Parameter Change Enable Mode (continued)

With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:

  • Normal Operation - with permissive for operating mode change.
  • Parameterization - allows changes to specific parameters (example placing a parameter into a tripped condition or performing Go/NoGo testing).
  • Function Test - for disabling the application function and forcing output signal for testing purposes (normally not used).
  • Diagnostics - for downloading new application software.

The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions. Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.

When a keyswitch is placed in the Parameter Change Enable Mode Position for any activity, the affected processor shall first be declared out of service. In addition to declaring the processor out of service, when loading or revising software in a processor, the affected ESPS voter (Set 1 or Set 2) shall be placed in Bypass. Only one ESPS voter at a time is allowed to be placed into Parameter Change Enable Mode Position for software loading/revision.

Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the Gateway.

ESPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).

APPLICABLE Accident analyses rely on automatic ESPS actuation for protection of the SAFETY ANALYSES core and RB and for limiting off site dose levels following an accident. The automatic actuation output logic is an integral part of the ESPS.

The ESPS automatic actuation output logic channels satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).

OCONEE UNITS 1, 2, & 3 B 3.3.7-4 12/10/14 1

ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES (continued)

LCO The automatic actuation output logic channels are required to be OPERABLE whenever conditions exist that could require ES protection of the reactor or the RB. This ensures automatic initiation of the ES required to mitigate the consequences of accidents.

The ESPS automatic actuation output logic channels are comprised of I two independent and redundant subsystems. Only one of the independent subsystems is required to be OPERABLE.

The required Function is provided by two associated output channels as indicated in the following table:

Function Associated Channels HPI and RB Non-Essential 1&2 Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input LPI 3 &4 RB Cooling and RB Essential 5&6 isolation RB Spray 7 &8 APPLICABILITY The automatic actuation output logic channels shall be OPERABLE in MODES 1 and 2 and in MODES 3 and 4 when the associated engineered safeguard equipment is required to be OPERABLE, because ES Functions are designed to provide protection in these MODES. Automatic actuation in MODE 5 or 6 is not required because the systems initiated by the ESPS are either reconfigured for decay heat removal operation or disabled.

Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components. Adequate time is available to evaluate unit conditions and respond by manually operating the ES components, if required.

OCONEE UNITS 1, 2, & 3 B 3.3.7-5 12/10/14 1

ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each ESPS automatic actuation output logic channel.

A.1 and A.2 When one or more automatic actuation output logic channels are inoperable, the associated component(s) can be placed in their engineered safeguard configuration. Required Action A.1 is equivalent to the automatic actuation output logic channel performing its safety function ahead of time.

In some cases, placing the component in its engineered safeguard configuration would violate unit safety or operational considerations. In these cases, the component status should not be changed, but the supported system component must be declared inoperable. Conditions which would preclude the placing of a component in its engineered safeguard configuration include, but are not limited to, violation of system separation, activation of fluid systems that could lead to thermal shock, or isolation of fluid systems that are normally functioning. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is based on operating experience and reflects the urgency associated with the inoperability of a safety system component.

Required Action A.2 requires declaring the associated components of the affected supported systems inoperable, since the true effect of automatic actuation output logic channel failure is inoperability of the supported system. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is based on operating experience and reflects the urgency associated with the inoperability of a safety system component. A combination of Required Actions A.1 and A.2 may be used for different components associated with an inoperable automatic actuation output logic channel.

OCONEE UNITS 1, 2, & 3 B 3.3.7-6 12/10/14 1

ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES SURVEILLANCE SR 3.3.7.1 REQUIREMENTS This SR requires manual actuation of the output channel interposing relays (referred to as Ro relays) to demonstrate OPERABILITY of the relays. The proper functioning of the processor portion of the channel is continuously checked by automatic cyclic self monitoring.

Failure of reactor building purge valves PR-1, 2, 3, 4, 5, 6 to close following a design basis event would cause a significant increase in the radioactive release because of the large containment leakage path introduced by these 48 inch purge lines. Because of their large size, the 48 inch purge valves are not qualified for automatic closure from their open position under accident conditions. Therefore, the 48 inch purge valves are maintained sealed closed (SR 3.6.3.1) in MODES 1, 2, 3, and 4 to ensure the containment boundary is maintained (Reference 4). Since they are sealed closed in all modes where the Engineered Safeguards system is required operable, testing of these reactor building purge valves is not required per SR 3.3.7.1.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.7.2 SR 3.3.7.2 is the performance of a CHANNEL FUNCTIONAL TEST. The functional test consists of rebooting the digital processors. This verifies that the software has not changed.

Failure of reactor building purge valves PR-1, 2, 3, 4, 5, 6 to close following a design basis event would cause a significant increase in the radioactive release because of the large containment leakage path introduced by these 48 inch purge lines. Because of their large size, the 48 inch purge valves are not qualified for automatic closure from their open position under accident conditions. Therefore, the 48 inch purge valves are maintained sealed closed (SR 3.6.3.1) in MODES 1, 2, 3, and 4 to ensure the containment boundary is maintained (Reference 4). Since they are sealed closed in all modes where the Engineered Safeguards system is required operable, testing of these reactor building purge valves is not required per SR 3.3.7.2.

OCONEE UNITS 1, 2, & 3 B 3.3.7-7 12/10/14 1

ESPS Automatic Actuation Output Logic Channels B 3.3.7 BASES SURVEILLANCE SR 3.3.7.2 (continued)

REQUIREMENTS The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The digital ESPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The protection system also performs continual online hardware monitoring. The CHANNEL FUNCTIONAL TEST essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.

REFERENCES 1. 10 CFR 50.46.

2. UFSAR, Chapter 15.
3. 10 CFR 50.36.
4. NUREG 0737,Section II.E.4.2.6.

OCONEE UNITS 1, 2, & 3 B 3.3.7-8 12/10/14 1

LPSW RB Waterhammer Prevention Circuitry B 3.3.27 B 3.3 INSTRUMENTATION B 3.3.27 Low Pressure Service Water (LPSW) Reactor Building (RB) Waterhammer Prevention Circuitry BASES BACKGROUND NRC Generic Letter 96-06 identified three issues of concern relative to effects of fluid in piping following postulated design basis events. One area of concern is the cooling water system piping serving the containment air coolers. The Low Pressure Service Water (LPSW) system provides cooling water to the safety related Reactor Building Cooling Units (RBCUs), non-safety related Reactor Building Auxiliary Cooling Units (RBACs) and non-safety related Reactor Coolant Pump Motor (RCPM) coolers. There is a possibility of waterhammer in the LPSW piping inside containment during either a Loss-of-Coolant Accident (LOCA) or a Main Steam Line Break (MSLB) concurrent with a loss of off-site power (LOOP) without means to prevent waterhammer.

The LPSW RB Waterhammer Prevention System (WPS) is composed of check valves, active pneumatic discharge isolation valves, and active controllable vacuum breaker valves. The LPSW RB Waterhammer Prevention Circuitry isolates LPSW to the RBCUs, RBACs and RCPM coolers any time the LPSW header pressure decreases significantly, such as during a LOOP event or LPSW pump failure during normal operations. The isolation function prevents and/or minimizes the potential waterhammers in the associated piping. The LPSW RB Waterhammer Prevention Circuitry will also re-establish flow to the containment air coolers following WPS actuation once the LPSW system has repressurized.

The RBCU fans and RBCU cooling water motor operated return valves are Engineered Safeguards (ES) features. On an ES actuation, these valves open. The LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation Valves are designed to close on low LPSW supply header pressure and re-open when the LPSW supply header pressure is restored. The LPSW RB Waterhammer Prevention Controllable Vacuum Breaker Valves are designed to open on low LPSW pressure and re-close when LPSW pressure is restored.

The LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation Valves fail open on loss of instrument air. During normal operation, a control solenoid valve in the instrument air supply to each OCONEE UNITS 1, 2, & 3 B 3.3.27-1 12/10114 1

LPSW RB Waterhammer Prevention Circuitry B 3.3.27 BASES BACKGROUND LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation (continued) Valve is energized to vent air from the actuator to maintain the isolation valves in the open position. On loss of two of four of the analog input signals for the LPSW RB Waterhammer Prevention Isolation Circuitry, the 3-way control solenoid valve is de-energized to align the air accumulator with the pneumatic operator; thereby closing the LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation Valve(s). LPSW RB Waterhammer Prevention Controllable Vacuum Breaker Valves are located downstream of the pneumatic discharge isolation valves. The LPSW RB Waterhammer Prevention Controllable Vacuum Breaker Valves are normally closed. They open simultaneously with the closing of the LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation Valves in order to break vacuum in the return header by energizing the control solenoid valve.

The LPSW RB Waterhammer Prevention Circuitry contains four analog sensor channels and two digital actuation logic channels. Only three analog sensor channels are required to support OPERABILITY. Each analog sensor channel contains a safety grade pressure transmitter and current switch. The two digital actuation logic channels consist of safety grade relays in a two-out-of-two logic configuration. The actuation of the LPSW RB Waterhammer Prevention Circuitry requires two of the three required LPSW pressure signals supplied from the LPSW header pressure transmitters.

APPLICABLE In a LOOP event, the LPSW RB Waterhammer Prevention SAFETY ANALYSES Circuitry isolates the cooling water flow to the RBCUs, RBACs and RCPM cooler on low LPSW supply header pressure prior to LPSW pump restart to prevent waterhammers. The LPSW RB Waterhammer Prevention Circuitry will also re-establish flow to the containment air coolers following WPS actuation once the LPSW system has repressurized. Isolating and re-establishing the LPSW flowpath ensures that Containment Integrity and Containment Heat Removal functions are maintained.

The RBCU Fans presently have a 3 minute delay to re-start following ES activation. LPSW flow will be restored to the RBCUs prior to the RBCU fan restart. This ensures the Containment Heat Removal function is unaffected.

The LPSW RB Waterhammer Prevention Circuitry satisfies Criterion 3 of 10 CFR 50.36 (Ref. 1).

OCONEE UNITS 1, 2, & 3 B 3.3.27-2 12/10/14 1

LPSW RB Waterhammer Prevention Circuitry B 3.3.27 BASES (continued)

LCO Three LPSW RB Waterhammer Prevention analog channels and two digital logic channels shall be OPERABLE. Each analog sensor channel contains a safety related pressure transmitter and current switch. The two digital logic channels consist of safety related relays. The LPSW RB Waterhammer Prevention Circuitry design ensures that a single active failure will not prevent the circuitry and associated components from performing the intended safety functions.

There are four analog channels, but only three are required to support OPERABILITY. These three analog channels are configured in a two out of three control logic scheme that will isolate/reset the LPSW RB Waterhammer Prevention Circuitry. The LPSW RB Waterhammer Prevention Circuitry will close/open the four LPSW RB Pneumatic Discharge Isolation Valves when LPSW pressure is either low or returns to normal. Either digital logic channel will trip/restore the flow path.

The actuation logic used for the LPSW RB Waterhammer Prevention Circuitry is similar to other safety related circuitry currently being used. The LCO allowed required action and Completion Times are acceptable based on the number of channels normally available. Though one of the four analog channels can be out of service for an extended period, it is not a normal practice.

When one required analog channel is taken out of service, the two out of three analog control logic scheme is reduced to a two out of two analog control logic scheme. This control logic scheme will trip/reset the digital channels on decreasing/increasing supply header pressure.

Failure of an analog channel while in the two out of two control logic mode will reduce the control logic to a one out of two control logic scheme. This control logic is unacceptable because a failure will prevent the LPSW RB Waterhammer Prevention Circuitry from working as required.

The two digital channels are triggered by two of four analog channels consisting of a pressure transmitter/current switch. On decreasing/increasing supply header pressure, two of four analog channels will trip/reset the digital channels. If one of the two digital channels is inoperable or out of service, the system is no longer single failure proof.

OCONEE UNITS 1, 2, & 3 B 3.3.27-3 12/10/14 1

LPSW RB Waterhammer Prevention Circuitry B 3.3.27 BASES (continued) I APPLICABILITY The LPSW RB Waterhammer Prevention Circuitry is required to be OPERABLE in MODES 1, 2, 3, and 4. This ensures LPSW is available to support the OPERABILITY of the equipment serviced by the LPSW system.

In MODES 5 and 6, the probability and consequences of the events that the LPSW System supports is reduced due to the pressure and temperature limitations of these MODES. As a result, the LPSW RB Waterhammer Prevention Circuitry is not required to be OPERABLE in MODES 5 and 6.

ACTIONS A..1 If one required LPSW RB Waterhammer Prevention analog channel is inoperable, the LPSW RB Waterhammer Prevention Circuitry is no longer single failure proof and the control logic scheme is reduced to a two out of two configuration. Required Action A.1 requires the LPSW RB Waterhammer Prevention analog channels be restored to OPERABLE status within 7 days.

The 7 day Completion Time takes into account the allowed outage times of similar systems, reasonable time for repairs, and the low probability of an event occurring during this period.

B.1 If one required LPSW RB Waterhammer Prevention digital logic channel is inoperable, the LPSW RB Waterhammer Prevention Circuitry is not single failure proof. Required Action B.1 requires the digital channels be restored to OPERABLE status within 7 days.

The 7 day Completion Time takes into account the allowed outage times of similar systems, reasonable time for repairs, and the low probability of an event occurring during this period.

OCONEE UNITS 1, 2, & 3 B 3.3.27-4 12/10/14 1

LPSW RB Waterhammer Prevention Circuitry B 3.3.27 BASES ACTIONS C.1 and C.2 (continued)

If two or more required LPSW RB Waterhammer Prevention analog channel(s) or two digital logic channel(s) are inoperable or the Required Actions and associated Completion Times of Condition A or B are not met, the WPS must be configured in order to assure the Containment Integrity and Heat removal functions are maintained. To achieve this status, actions to prevent automatic closing by manually opening (remote or local) two LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation valves in the same header shall be completed immediately and actions to repair the inoperable equipment shall be taken immediately. LCO 3.7.7 will also apply when the LPSW RB Waterhammer Prevention Pneumatic Discharge Isolation valves in the same header are opened.

SURVEILLANCE SR 3.3.27.1 REQUIREMENTS Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that analog instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two analog instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 B 3.3.27-5 12/10/14 1

LPSW RB Waterhammer Prevention Circuitry B 3.3.27 BASES SURVEILLANCE SR 3.3.27.1 (continued)

REQUIREMENTS The CHANNEL CHECK supplements less formal, but potentially more frequent, checks of channel operability during normal operational use of the displays associated with the LCO's required channels.

SR 3.3.27.2 A CHANNEL FUNCTIONAL TEST is performed on each channel to ensure the circuitry will perform its intended function. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.27.3 A CHANNEL CALIBRATION is a complete check of the analog instrument channel, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. The CHANNEL CALIBRATION leaves the components adjusted to account for instrument drift to ensure that the circuitry remains operational between successive tests. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.27-6 12/10/14 1

Reactor Building Spray and Cooling Systems B 3.6.5 B 3.6 CONTAINMENT SYSTEMS B 3.6.5 Reactor Building Spray and Cooling Systems BASES BACKGROUND The Reactor Building Spray and Reactor Building Cooling systems provide containment atmosphere cooling to limit post accident pressure and temperature in containment to less than the design values. Reduction of containment pressure and the iodine removal capability of the spray reduces the release of fission product radioactivity from containment to the environment, in the event of an accident, to within limits. The Reactor Building Spray and Reactor Building Cooling systems are designed to meet ONS Design Criteria (Ref. 1).

The Reactor Building Cooling System and Reactor Building Spray System are Engineered Safeguards (ES) systems. They are designed to ensure that the heat removal capability required during the post accident period can be attained. The Reactor Building Spray System and Reactor Building Cooling System provide containment heat removal operation. The Reactor Building Spray System and Reactor Building Cooling System provide methods to limit and maintain post accident conditions to less than the containment design values.

Reactor Building Spray System The Reactor Building Spray System consists of two separate trains of equal capacity, each capable of meeting the design basis. Each train includes a reactor building spray pump, spray headers, nozzles, valves, piping and a flow indicator. Each train is powered from a separate ES bus.

The borated water storage tank (BWST) supplies borated water to the Reactor Building Spray System during the injection phase of operation. In the recirculation mode of operation, Reactor Building Spray System pump suction is manually transferred to the reactor building sump.

OCONEE UNITS 1, 2, & 3 B 3.6.5-1 12/10/14 1

Reactor Building Spray and Cooling Systems B 3.6.5 BASES BACKGROUND Reactor Building Spray System (continued)

The Reactor Building Spray System provides a spray of relatively cold borated water into the upper regions of containment to reduce the containment pressure and temperature and to reduce the concentration of fission products in the containment atmosphere during an accident. In the recirculation mode of operation, heat is removed from the reactor building sump water by the decay heat removal coolers. Each train of the Reactor Building Spray System provides adequate spray coverage to meet the system design requirements for containment heat removal.

The Reactor Building Spray System is actuated automatically by a containment High-High pressure signal. An automatic actuation opens the Reactor Building Spray System pump discharge valves and starts the two Reactor Building Spray System pumps.

Reactor Buildingq Cooling System The Reactor Building Cooling System consists of three reactor building cooling trains. Each cooling train is equipped with cooling coils, and an axial vane flow fan driven by a two speed electric motor.

During normal unit operation, typically two reactor building cooling trains with two fans operating at low speed or high speed, serve to cool the containment atmosphere. Low speed cooling fan operation is available during periods of lower containment heat load. The third unit is usually on standby. Upon receipt of an emergency signal, the operating cooling fans running at low speed or high speed will automatically trip, then restart in low speed after a 3 minute delay, and any idle unit is energized in low speed after a 3 minute delay. The fans are operated at the lower speed during accident conditions to prevent motor overload from the higher density atmosphere.

The common LPSW return header will split into two new headers downstream of the Reactor Building Cooling Units (RBCUs). Each header will contain two pneumatic discharge isolation valves and will be capable of full LPSW flow. The headers will be rejoined downstream of the discharge isolation valves into a common return.

APPLICABLE The Reactor Building Spray System and Reactor Building Cooling System SAFETY ANALYSES reduce the temperature and pressure following an accident. The limiting accidents considered are the loss of coolant accident (LOCA) and the steam line break. The postulated accidents are analyzed, with regard to containment ES systems, assuming the loss of one ES bus. This is the OCONEE UNITS 1, 2, & 3 B 3.6.5-2 12/10/14 1

Reactor Building Spray and Cooling Systems B 3.6.5 BASES APPLICABLE worst-case single active failure, resulting in one train of the Reactor Building SAFETY ANALYSES Spray System and one train of the Reactor Building Cooling System being (continued) inoperable.

The analysis and evaluation show that, under the worst-case scenario (LOCA with worst-case single active failure), the highest peak containment pressure is 57.75 psig. The analysis shows that the peak containment temperature is 283.1 OF. Both results are less than the design values. The analyses and evaluations assume a power level of 2619 MWt, one reactor building spray train and two reactor building cooling trains operating, and initial (pre-accident) conditions of 80°F and 15.9 psia. The analyses also assume a delayed initiation to provide conservative peak calculated containment pressure and temperature responses.

The Reactor Building Spray System total delay time of approximately 142 seconds includes Keowee Hydro Unit startup (for loss of offsite power),

reactor building spray pump startup, and spray line filling (Ref. 2).

Reactor building cooling train performance for post accident conditions is given in Reference 2. The result of the analysis is that any combination of two trains can provide 100% of the required cooling capacity during the post accident condition. The train post accident cooling capacity under varying containment ambient conditions is also shown in Reference 2.

Reactor Building Cooling System total delay time of 3 minutes includes KHU startup (for loss of offsite power) and allows all ES equipment to start before the Reactor Building Cooling Unit on the associated train is started. This improves voltages at the 600V and 208V levels for starting loads (Ref. 2).

The Reactor Building Spray System and the Reactor Building Cooling System satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).

LCO During an accident, a minimum of two reactor building cooling trains and one reactor building spray train are required to maintain the containment pressure and temperature following a LOCA. Additionally, one reactor building spray train is required to remove iodine from the containment atmosphere and maintain concentrations below those assumed in the safety analysis. To ensure that these requirements are met, two reactor building spray trains and three reactor building cooling trains must be OPERABLE in MODES 1 and 2.

In MODES 3 or 4, one reactor building spray train and two reactor building cooling trains are required to be OPERABLE. The LCO is provided with a note that clarifies this requirement. Therefore, in the event of an accident, the minimum requirements are met, assuming the worst-case single active failure occurs.

OCONEE UNITS 1, 2, & 3 B 3.6.5-3 12/10/14 1

Reactor Building Spray and Cooling Systems B 3.6.5 BASES LCO Each reactor building spray train shall include a spray pump, spray (continued) headers, nozzles, valves, piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the BWST (via the LPI System) upon an Engineered Safeguards Protective System signal and manually transferring suction to the reactor building sump. The OPERABILITY of RBS train flow instrumentation is not required for OPERABILITY of the corresponding RBS train because system resistance hydraulically maintains adequate NPSH to the RBS pumps and manual throttling of RBS flow is not required. During an event, LPI train flow must be monitored and controlled to support the RBS train pumps to ensure that the NPSH requirements for the RBS pumps are not exceeded. If the flow instrumentation or the capability to control the flow in a LPI train is unavailable then the associated RBS train's OPERABILITY is affected until such time as the LPI train is restored or the associated LPI pump is placed in a secured state to prevent actuation during an event.

Each reactor building cooling train shall include cooling coils, fusible dropout plates or duct openings, an axial vane flow fan, instruments, valves, and controls to ensure an OPERABLE flow path. Two headers of I the LPSW RB Waterhammer Prevention Discharge Isolation Valves are required to support flowpath OPERABILITY or one header of LPSW RB Waterhammer Prevention Discharge Isolation Valves shall be manually opened (remote or local) to prevent automatic closure. Valve LPSW-108 shall be locked open to support system OPERABILITY.

APPLICABILITY In MODES 1, 2, 3, and 4, an accident could cause a release of radioactive material to containment and an increase in containment pressure and temperature, requiring the operation of the reactor building spray trains and reactor building cooling trains.

In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.

Thus, the Reactor Building Spray System and the Reactor Building Cooling System are not required to be OPERABLE in MODES 5 and 6.

ACTIONS The Actions are modified by a Note indicating that the provisions of LCO 3.0.4 do not apply for Unit 2 only. As a result, this allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and OCONEE UNITS 1, 2, & 3 B 3.6.5-4 12/10/14 1

Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS establishment of risk management actions, if appropriate. The risk (continued) assessment may use quantitative, qualitative, or blended approaches and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities to be assessed and managed. The risk assessment must take into account all inoperable Technical Specifications equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope. The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." Regulatory Guide 1.1 82 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability.

The risk assessment does not have to be documented.

There is a small subset of systems and components that have been determined (Ref: B&W owners group generic qualitative risk assessments- attachment to TSTF-359, Rev. 9, "B&W owners group Qualitative Risk Assessment for Increased Flexibility in MODE Restraints," Framatome Technologies BAW-2383, October 2001.) to be of higher risk significance for which an LCO 3.0.4 exemption would not be allowed. For Oconee these are the Decay Heat Removal System (DHR) entering MODES, 5 and 4; Keowee Hydro Units entering MODES 1-5; and the emergency feedwater system (EFW) entering MODE 1. The Reactor Spray and Cooling System is not one of the higher risk significant systems noted.

The provisions of this Note should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified Condition in the Applicability.

OCONEE UNITS 1, 2, & 3 B 3.6.5-5 12/10/14 1

Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS A.1 (continued)

With one reactor building spray train inoperable in MODE 1 or 2, the inoperable reactor building spray train must be restored to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE spray and cooling trains are adequate to perform the iodine removal and containment cooling functions. The 7 day Completion Time takes into account the redundant heat removal capability afforded by the OPERABLE reactor building spray train, reasonable time for repairs, and the low probability of an accident occurring during this period.

The 14 day portion of the Completion Time for Required Action A.1 is based upon engineering judgment. It takes into account the low probability of coincident entry into two Conditions in this LCO coupled with the low probability of an accident occurring during this time. Refer to Section 1.3, Completion Times, for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

B.1 With one of the reactor building cooling trains inoperable in MODE 1 or 2, the inoperable reactor building cooling train must be restored to OPERABLE status within 7 days. The components in this degraded condition provide iodine removal capabilities and are capable of providing at least 100% of the heat removal needs after an accident. The 7 day Completion Time was developed taking into account the redundant heat removal capabilities afforded by combinations of the Reactor Building Spray System and Reactor Building Cooling System and the low probability of an accident occurring during this period.

The 14 day portion of the Completion Time for Required Action B. I is based upon engineering judgment. It takes into account the low probability of coincident entry into two Conditions in this LCO coupled with the low probability of an accident occurring during this time. Refer to Section 1.3 for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

C.1 With one reactor building spray train and one reactor building cooling train inoperable in MODE 1 or 2, at least one of the inoperable trains must be restored to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. In this Condition, the remaining OPERABLE spray and cooling trains are adequate to provide iodine removal capabilities and are capable of providing at least 100% of OCONEE UNITS 1, 2, & 3 B 3.6.5-6 12/10/14 1

Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS C.1 (continued) the heat removal needs after an accident. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account the heat removal capability afforded by the remaining OPERABLE spray train and cooling trains, reasonable time for repairs, and the low probability of an accident occurring during this period.

D.1 Ifthe Required Action and associated Completion Time of Condition A, B or C are not met, the unit must be brought to a MODE in which the LCO, as modified by the Note, does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1 With one of the required reactor building cooling trains inoperable in MODE 3 or 4, the required reactor building cooling train must be restored to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is reasonable based on engineering judgement taking into account the iodine and heat removal capabilities of the remaining required train of reactor building spray and cooling.

F._1 With one required reactor building spray train inoperable in MODE 3 or 4, the required reactor building spray train must be restored to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is reasonable based on engineering judgement taking into account the heat removal capabilities of the remaining required trains of reactor building cooling.

G.1 Ifthe Required Actions and associated Completion Times of Condition E or F of this LCO are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit OCONEE UNITS 1, 2, & 3 B 3.6.5-7 12/10/14 1

Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS G.1 (continued) conditions from full power conditions in an orderly manner and without challenging unit systems.

H..1 With two reactor building spray trains, two reactor building cooling trains or any combination of three or more reactor building spray and reactor building cooling trains inoperable in MODE 1 or 2, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.

With any combination of two or more required reactor building spray and reactor building cooling trains inoperable in MODE 3 or 4, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE SR 3.6.5.1 REQUIREMENTS Verifying the correct alignment for manual and non-automatic power operated valves in the reactor building spray and cooling flow path provides assurance that the proper flow paths will exist for Reactor Building Spray and Cooling System operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these were verified to be in the correct position prior to locking, sealing, or securing. Similarly, this SR does not apply to automatic valves since automatic valves actuate to their required position upon an accident signal. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This SR does not require any testing or valve manipulation.

Rather, it involves verification, through a system walkdown, that those valves outside containment and capable of potentially being mispositioned are in the correct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 B 3.6.5-8 12/10/14 1

Reactor Building Spray and Cooling Systems B 3.6.5 BASES SURVEILLANCE SR 3.6.5.2 REQUIREMENTS (continued) Operating each required reactor building cooling train fan unit for

>_15 minutes ensures that all trains are OPERABLE and that all associated controls are functioning properly. It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.6.5.3 Verifying that each required Reactor Building Spray pump's developed head at the flow test point is greater than or equal to the required developed head ensures that spray pump performance has not degraded during the cycle. Flow and differential pressure are normal tests of centrifugal pump performance required by Section XI of the ASME Code (Ref. 4). Since the Reactor Building Spray System pumps cannot be tested with flow through the spray headers, they are tested on recirculation flow. This test confirms one point on the pump design curve and is indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend performance, and may detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the Inservice Testing Program.

SR 3.6.5.4 Verifying the containment heat removal capability provides assurance that the containment heat removal systems are capable of maintaining containment temperature below design limits following an accident. This test verifies the heat removal capability of the Low Pressure Injection (LPI)

Coolers and Reactor Building Cooling Units. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 B 3.6.5-9 12/10/14 1

Reactor Building Spray and Cooling Systems B 3.6.5 BASES SURVEILLANCE SR 3.6.5.5 and 3.6.5.6 REQUIREMENTS (continued) These SRs require verification that each automatic reactor building spray and cooling valve actuates to its correct position and that each reactor building spray pump starts upon receipt of an actual or simulated actuation signal. The test will be considered satisfactory if visual observation and control board indication verifies that all components have responded to the actuation signal properly; the appropriate pump breakers have closed, and all valves have completed their travel. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.6.5.7 This SR requires verification that each required reactor building cooling train actuates upon receipt of an actual or simulated actuation signal. The test will be considered satisfactory if control board indication verifies that all components have responded to the actuation signal properly, the appropriate valves have completed their travel, and fans are running at half speed. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.6.5.8 With the reactor building spray header isolated and drained of any solution, station compressed air is introduced into the spray headers. This SR requires verification that each spray nozzle is unobstructed following activities which could cause nozzle blockage. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Section 3.1.

2. UFSAR, Section 6.2.
3. 10 CFR 50.36.
4. ASME, Boiler and Pressure Vessel Code, Section Xl.

OCONEE UNITS 1, 2, & 3 B 3.6.5-10 12/10/14 1

LPSW System B 3.7.7 B 3.7 PLANT SYSTEMS B 3.7.7 Low Pressure Service Water (LPSW) System BASES BACKGROUND The LPSW System provides a heat sink for the removal of process and operating heat from safety related components during a transient or accident. During normal operation and normal shutdown, the LPSW System also provides this function for various safety related and nonsafety related components.

The LPSW system for Unit 1 and Unit 2 is shared and consists of three LPSW pumps which can supply multiple combinations of path ways to supply required components. The LPSW system for Unit 3 consists of two LPSW pumps which can supply multiple combinations of path ways to supply required components. Although multiple combinations of path ways exist, only one flow path is necessary, since no single failure of an active component can prevent the LPSW system from supplying necessary components. The pumps and valves are remote manually aligned, except in the unlikely event of a loss of coolant accident (LOCA) or other accidents. The pumps are automatically started upon receipt of an Engineered Safeguards actuation signal, and automatic valves are aligned to their post accident positions. The LPSW System also provides cooling directly to the Reactor Building Cooling Units (RBCU) and Low Pressure Injection coolers, turbine driven EFW pump, HPI pump motor coolers, and the motor driven EFW pumps.

GL 96-06 required consideration of waterhammer inside containment during a LOCA or MSLB combined with a loss of offsite power (LOOP) event. As a result, the LPSW Reactor Building (RB) Waterhammer Prevention System (WPS) was added to maintain LPSW piping water solid inside containment during any event that causes a loss of LPSW system pressure. The WPS is fully automatic. Other functions of the WPS are addressed by LCO 3.3.27 and LCO 3.6.5.

Additional information about the design and operation of the LPSW System, along with a list of the components served, is presented in the UFSAR, Section 9.2.2 (Ref. 1).

APPLICABLE The primary safety function of the LPSW System is, in conjunction with a SAFETY ANALYSES 100% capacity reactor building cooling system, (a combination of the reactor building spray and reactor building air coolers) to remove core decay heat following a design basis LOCA, as discussed in the UFSAR, OCONEE UNITS 1, 2, & 3 B 3.7.7-1 12/10/14 1

LPSW System B 3.7.7 BASES APPLICABLE Section 6.3 (Ref. 2). This provides for a gradual reduction in the SAFETY ANALYSES temperature of the fluid, as it is supplied to the Reactor Coolant System (continued) (RCS) by the High Pressure and Low Pressure Injection pumps.

The LPSW System is designed to perform its function with a single active failure of any component, assuming loss of offsite power.

The LPSW System also cools the unit from Decay Heat Removal (DHR)

System entry conditions, to MODE 5 during normal and post accident operation. The time required for this evolution is a function of the number of DHR System trains that are operating. One LPSW pump per unit and a flowpath is sufficient to remove decay heat during subsequent operations in MODES 5 and 6. This assumes a maximum LPSW System temperature of 90°F occurring simultaneously with maximum heat loads on the system.

The LPSW System satisfies Criterion 3 of 10 CFR 50.36 (Ref. 2).

LCO For the LPSW system shared by Units 1 and 2, three LPSW pumps are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst case single active failure occurs coincident with the loss of offsite power. The LCO is modified by a Note which requires only two LPSW pumps to be OPERABLE for Units I or 2 if either Unit is defueled and one LPSW pump is capable of mitigating the DBA on the fueled Unit.

The Units 1 and 2 LPSW System requires only two pumps to meet the single failure criterion provided that one of the units has been defueled and the following LPSW System loads on the defueled unit are isolated:

Reactor Building Cooling Units (RBCU), Reactor Building Auxiliary Coolers, Component Cooling, Main Turbine Oil Tank, Reactor Coolant (RC) Pumps, and Low Pressure Injection (LPI) Coolers.

For the LPSW system for Unit 3, two LPSW pumps are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst case single active failure occurs coincident with the loss of offsite power.

An LPSW flow path is considered OPERABLE when the associated piping, valves, heat exchangers, and instrumentation and controls required to perform the safety related function are OPERABLE. Any combination of pathways to supply the required components is acceptable, provided there is no single active failure which can prevent supplying necessary loads and applicable design criteria (e.g., seismic qualification) are satisfied.

OCONEE UNITS 1, 2, & 3 B 3.7.7-2 12/10/14 1

LPSW System B 3.7.7 BASES LCO The LPSW WPS is considered OPERABLE when the associated leakage (continued) accumulator, relief valves, seat leakage limits for check valves and pneumatic discharge isolation valves, closure capability of pneumatic discharge isolation valves, and opening capability of the controllable vacuum breaker valves are OPERABLE.

APPLICABILITY In MODES 1, 2, 3, and 4, the LPSW System is a normally operating system that is required to support the OPERABILITY of the equipment serviced by the LPSW System. Therefore, the LPSW System is required to be OPERABLE in these MODES.

In MODES 5 and 6, the OPERABILITY requirements of the LPSW System are determined by the systems it supports.

ACTIONS A.1 If one required LPSW pump is inoperable, action must be taken to restore the required LPSW pump to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

In this Condition, the remaining OPERABLE LPSW pump(s) are adequate to perform the heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE LPSW pump(s) could result in loss of LPSW system function. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is based on the redundant capabilities afforded by the OPERABLE pump, and the low probability of a DBA occurring during this period.

B. 1 If the LPSW WPS is inoperable, action shall be taken to restore the required LPSW WPS components to OPERABLE status within 7 days. I The 7 day Completion Time is based on similar systems and is considered reasonable based on engineering judgment and the low probability of a DBA occurring during the period of maintenance.

C.1 and C.2 If the LPSW pump or WPS cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit OCONEE UNITS 1, 2, & 3 B 3.7.7-3 12/10/14 1

LPSW System B 3.7.7 BASES ACTIONS C.1 and C.2 (continued) must be placed in at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, and in MODE 5 within 60 hours6.944444e-4 days <br />0.0167 hours <br />9.920635e-5 weeks <br />2.283e-5 months <br />.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

The extended interval to reach MODE 5 provides additional time to restore the required LPSW pump and is reasonable considering that the potential for an accident or transient is reduced in MODE 3.

SURVEILLANCE SR 3.7.7.1 REQUIREMENTS Verifying the correct level in the leakage accumulator will provide assurance that in the event of boundary valve leakage during a LOOP event, there is sufficient water to keep the LPSW piping filled. The required water level is between half full and full, which corresponds to a level indication of 20.5" to 41". Any level glass reading is bounded by 20.5" to 41" level indication, therefore any level glass reading is considered acceptable. During LPSW testing, accumulator level > 41" is acceptable because the mass of air in the accumulator is unchanged in the short term; therefore the accumulator is still capable of performing its safety function.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.7.7.2 Verifying the correct alignment for manual, and power operated valves in the LPSW System flow path provides assurance that the proper flow paths exist for LPSW System operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to locking, sealing, or securing. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves.

OCONEE UNITS 1, 2, & 3 B 3.7.7-4 12/10/14 1

LPSW System B 3.7.7 BASES SURVEILLANCE SR 3.7.7.2 (continued)

REQUIREMENTS The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note indicating that the isolation of components or systems supported by the LPSW System does not affect the OPERABILITY of the LPSW System.

SR 3.7.7.3 The SR verifies proper automatic operation of the LPSW System valves.

The LPSW System is a normally operating system that cannot be fully actuated as part of the normal testing. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.7.7.4 The SR verifies proper automatic operation of the LPSW System pumps on an actual or simulated actuation signal. The LPSW System is a normally operating system that cannot be fully actuated as part of normal testing during normal operation. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.7.7.5 The SR verifies proper operation of the LPSWRB Waterhammer Prevention System leakage accumulator. Verifying adequate flow from the accumulator will provide assurance that in the event of boundary valve leakage during a LOOP event, there is sufficient water to keep LPSW piping filled.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 B 3.7.7-5 12/10/14 1

LPSW System B 3.7.7 BASES SURVEILLANCE SR 3.7.7.6 REQUIREMENTS (continued) The SR verifies that LPSW WPS boundary valve leakage is < 20 gpm. I Verifying boundary valve leakage is within limits will ensure that in the event of a LOOP, a waterhammer will not occur, because the LPSW leakage accumulator will be able to maintain the LPSW piping water solid.

The LPSW Leakage Accumulator is designed to allow up to 25 gpm of aggregate leakage for one minute. The boundary valve leakage is limited to 20 gpm in order to allow five (5) gpm of miscellaneous leakage.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Section 9.2.2.

2. UFSAR, Section 6.3.
3. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.7.7-6 12/10/14 1

Retrieved from "https://kanterella.com/w/index.php?title=ONS-2015-006,_Technical_Specification_(TS)_Bases_Change&oldid=2038265"