
NRC Response to 4/16/2007 Submittal of TSTF-493, Revision 2, Clarify Application of Setpoint Methodology for LSSS Functions, Enclosure 3a - Bwog - 3.3.01_ B for TSTF -493R23e ITSB
ML072070260
Site: Technical Specifications Task Force
Issue date: 07/25/2007
From: Kobetz T, NRC/NRR/ADRO/DIRS/ITSB
To: Technical Specifications Task Force
Schulten C. S., NRR/DIRS, 415-1192
Shared Package: ML072070202
References: TAC MD5249, TSTF-493, Rev 2


Text

RPS Instrumentation B 3.3.1

B 3.3 INSTRUMENTATION

B 3.3.1 Reactor Protection System (RPS) Instrumentation

BASES

BACKGROUND

The RPS initiates a reactor trip to protect against violating the core fuel design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Feature (ESF) Systems in mitigating accidents.

The protection and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as the LCOs on other reactor system parameters and equipment performance. The subset of LSSS that directly protect against violating the reactor core Safety Limits or the Reactor Coolant System (RCS) pressure boundary Safety Limits during anticipated operational occurrences (AOOs) are referred to as Safety Limit LSSS (SL-LSSS).

10 CFR 50.36(c)(1)(ii)(A) requires that TSs include LSSSs for variables that have significant safety functions. For variables on which a SL has been placed, the LSSS must be chosen to initiate automatic protective action to correct abnormal situations before the SL is exceeded.

Technical Specifications are required by 10 CFR 50.36 to contain SL-LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

The trip setpoint is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytic Limit and thus ensuring that the SL would not be exceeded. As such, the trip setpoint accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the trip setpoint plays an important role in ensuring that SLs are not exceeded. As such, the trip setpoint meets the definition of an LSSS (Ref. 1) and could be used to meet the requirement that they be contained in the Technical Specifications.

BWOG STS B 3.3.1-1 Rev. 3.0, 03/31/04


REVIEWER'S NOTE ------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59.

The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting.

Where margin is added between the Analytical Limit and trip setpoint, the term Nominal Trip Setpoint (NTSP) is preferred. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint. Where the [LTSP] is not included in Table 3.3.1-1 for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting or Nominal Trip Setpoint must be cited in Note d of Table 3.3.1-1.

The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. The as-found and as-left tolerances will apply to the actual setpoint implemented in the Surveillance procedures to confirm channel performance.

Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contain the [LTSP] and the methodology for calculating the as-left and as-found tolerances, for the phrase "[a document controlled under 10 CFR 50.59]" in the specifications.


The [Limiting Trip Setpoint (LTSP)] is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the [LTSP] accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the [LTSP] ensures that SLs are not exceeded. As such, the [LTSP] meets the definition of a SL-LSSS (Ref. 1).

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." For automatic protective devices, the required safety function is to ensure that a SL is not exceeded and therefore the LSSS as defined by 10 CFR 50.36 is the same as the OPERABILITY limit for these devices. Use of the [LTSP] to define OPERABILITY in Technical Specifications and its corresponding designation as the LSSS required by 10 CFR 50.36 would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protective device setting during a Surveillance.

This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the [LTSP] due to some drift of the setting may still be OPERABLE because drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [LTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protective device. Therefore, the device would still be OPERABLE because it would have performed its safety function and the only corrective action required would be to reset the device to the [LTSP] to account for further drift during the next surveillance interval.

Use of the trip setpoint to define "as found" OPERABILITY and its designation as the LSSS under the expected circumstances described above would result in actions required by both the rule and Technical Specifications that are clearly not warranted. However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value which, as stated above, is the same as the LSSS.

The Allowable Value specified in Table 3.3.1-1 serves as the LSSS such that a channel is OPERABLE if the trip setpoint is found not to exceed the Allowable Value during the CHANNEL FUNCTIONAL TEST (CFT). As such, the Allowable Value differs from the trip setpoint by an amount primarily equal to the expected instrument loop uncertainties,

However, there is also some point beyond which the device would have not been able to perform its Function due, for example, to greater than expected drift. The Allowable Value specified in Table 3.3.1-1 is the least conservative value of the as-found setpoint that a channel can have during testing such that a channel is OPERABLE if the trip setpoint is found conservative with respect to the Allowable Value during the CHANNEL FUNCTIONAL TEST (CFT) or CHANNEL CALIBRATION.

As such, the Allowable Value differs from the [LTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will still meet the LSSS definition and ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. If the actual setting of the device is found to have exceeded the Allowable Value the device would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required. Note that, although the channel is "OPERABLE" under these circumstances, the [LTSP] must be left adjusted to a value within the established trip setpoint calibration tolerance band, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria). If the actual setting of the device is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, then this condition indicates that the instrument is degraded and is not performing in accordance with the setpoint methodology assumptions. This condition must be entered into the plant corrective action program, the trip setpoint must be left adjusted to a value within the as-left tolerance band, and an immediate determination of operability decision must be made. If the actual setting of the device is found to be non-conservative with respect to the Allowable Value, the device channel would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

During AOOs, which are those events expected to occur one or more times during the unit's life, the acceptable limits are:

a. The departure from nucleate boiling ratio (DNBR) shall be maintained above the SL value,
b. Fuel centerline melt shall not occur, and
c. The RCS pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 20 and 10 CFR 100 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit's life. The acceptable limit during accidents is that the offsite dose shall be maintained within 10 CFR 100 limits. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However, these values and their associated trip setpoints are not considered to be SL-LSSS as defined in 10 CFR 50.36.

RPS Overview

The RPS consists of four separate redundant protection channels that receive inputs of neutron flux, RCS pressure, RCS flow, RCS temperature, RCS pump status, reactor building (RB) pressure, main feedwater (MFW) pump status, and turbine status.

Figure [ ] , FSAR, Chapter [7] (Ref. 2), shows the arrangement of a typical RPS protection channel. A protection channel is composed of measurement channels, a manual trip channel, a reactor trip module (RTM), and CONTROL ROD drive (CRD) trip devices. LCO 3.3.1 provides requirements for the individual measurement channels. These channels encompass all equipment and electronics from the point at which the measured parameter is sensed through the bistable relay contacts in the trip string. LCO 3.3.2, "Reactor Protection System (RPS) Manual Reactor Trip," LCO 3.3.3, "Reactor Protection System (RPS) - Reactor Trip Module (RTM)," and LCO 3.3.4, "CONTROL ROD Drive (CRD) Trip Devices," discuss the remaining RPS elements.

The RPS instrumentation measures critical unit parameters and compares these to predetermined setpoints. If the setpoint is exceeded, a channel trip signal is generated. The generation of any two trip signals in any of the four RPS channels will result in the trip of the reactor.

The Reactor Trip System (RTS) contains multiple CRD trip devices, two AC trip breakers, and two DC trip breaker pairs that provide a path for power to the CRD System. Additionally, the power for most of the CRDs passes through electronic trip assembly (ETA) relays. The system has two separate paths (or channels), with each path having either two breakers or a breaker and an ETA relay in series. Each path provides independent power to the CRDs. Either path can provide sufficient power to operate all CRDs. Two separate power paths to the CRDs ensure that a single failure that opens one path will not cause an unwanted reactor trip.

The RPS consists of four independent protection channels, each containing an RTM. The RTM receives signals from its own measurement channels that indicate a protection channel trip is required. The RTM transmits this signal to its own two-out-of-four trip logic and to the two-out-of-four logic of the RTMs in the other three RPS channels. Whenever any two RPS channels transmit channel trip signals, the RTM logic in each channel actuates to remove 120 VAC power from its associated CRD trip breaker.

The reactor is tripped by opening circuit breakers that interrupt the power supply to the CRDs. Six breakers are installed to increase reliability and allow testing of the trip system. A one-out-of-two taken twice logic is used to interrupt power to the rods.

The RPS has two bypasses: a shutdown bypass and a channel bypass.

Shutdown bypass allows the withdrawal of safety rods for SDM availability and rapid negative reactivity insertion during unit cooldowns or heatups. Channel bypass is used for maintenance and testing. Test circuits in the trip strings allow complete testing of all RPS trip Functions.

The RPS operates from the instrumentation channels discussed next.

The specific relationship between measurement channels and protection channels differs from parameter to parameter. Three basic configurations are used:

a. Four completely redundant measurements (e.g., reactor coolant flow) with one channel input to each protection channel,
b. Four channels that provide similar, but not identical, measurements (e.g., power range nuclear instrumentation where each RPS channel monitors a different quadrant), with one channel input to each protection channel, and
c. Redundant measurements with combinational trip logic outside of the protection channels and the combined output provided to each protection channel (e.g., main turbine trip instrumentation).

These arrangements and the relationship of instrumentation channels to trip Functions are discussed next to assist in understanding the overall effect of instrumentation channel failure.

Power Range Nuclear Instrumentation

Power Range Nuclear Instrumentation channels provide inputs to the following trip Functions:

1. Nuclear Overpower
a. Nuclear Overpower - High Setpoint,
b. Nuclear Overpower - Low Setpoint,
7. Reactor Coolant Pump to Power,
8. Nuclear Overpower RCS Flow and Measured AXIAL POWER IMBALANCE (Power Imbalance Flow),
9. Main Turbine Trip (Control Oil Pressure), and
10. Loss of Main Feedwater (LOMFW) Pumps (Control Oil Pressure).

The power range instrumentation has four linear level channels, one for each core quadrant. Each channel feeds one RPS protection channel.

Each channel originates in a detector assembly containing two uncompensated ion chambers. The ion chambers are positioned to represent the top half and bottom half of the core. The individual currents from the chambers are fed to individual linear amplifiers. The summation of the top and bottom is the total reactor power. The difference of the top minus the bottom neutron signal is the measured AXIAL POWER IMBALANCE of the reactor core.

Reactor Coolant System Outlet Temperature

The Reactor Coolant System Outlet Temperature provides input to the following Functions:

2. RCS High Outlet Temperature and
5. RCS Variable Low Pressure.

The RCS Outlet Temperature is measured by two resistance elements in each hot leg, for a total of four. One temperature detector is associated with each protection channel.

Reactor Coolant System Pressure

The Reactor Coolant System Pressure provides input to the following Functions:

3. RCS High Pressure,
4. RCS Low Pressure,
5. RCS Variable Low Pressure, and
11. Shutdown Bypass RCS High Pressure.

The RPS inputs of reactor coolant pressure are provided by two pressure transmitters in each hot leg, for a total of four. One sensor is associated with each protection channel.

Reactor Building Pressure

The Reactor Building Pressure measurements provide input only to the Reactor Building High Pressure trip, Function 6. There are four RB High Pressure sensors, one associated with each protection channel.

Reactor Coolant Pump Power Monitoring

Reactor coolant pump power monitors are inputs to the Reactor Coolant Pump to Power trip, Function 7. Each RCP, operating current, and voltage is measured by four current transformers and four potential transformers driving four overpower and four underpower relays. Each power monitoring channel consists of an overpower relay and an underpower relay. One channel for each pump is associated with each protection channel.

Reactor Coolant System Flow

The Reactor Coolant System Flow measurements are an input to the Nuclear Overpower RCS Flow and Measured AXIAL POWER IMBALANCE trip, Function 8. The reactor coolant flow inputs to the RPS are provided by eight high accuracy differential pressure transmitters, four on each loop, which measure flow through calibrated flow tubes. One flow input in each loop is associated with each protection channel.

Main Turbine Automatic Stop Oil Pressure

Main Turbine Automatic Stop Oil Pressure is an input to the Main Turbine Trip (Control Oil Pressure) reactor trip, Function 9. Each of the four protection channels receives turbine status information from the same four pressure switches monitoring main turbine automatic stop oil pressure. An open indication will be provided to the RPS on a turbine trip. Contact buffers in each protection channel continuously monitor the status of the contact inputs and initiate an RPS trip when a turbine trip is indicated.

Feedwater Pump Control Oil Pressure

Feedwater Pump Control Oil Pressure is an input to the Loss of Main Feedwater Pumps (Control Oil Pressure) trip, Function 10. Control oil pressure is measured by four switches on each feedwater pump. One switch on each pump is associated with each protection channel.

RPS Bypasses

The RPS is designed with two types of bypasses: channel bypass and shutdown bypass.

Channel bypass provides a method of placing all Functions in one RPS protection channel in a bypassed condition, and shutdown bypass provides a method of leaving the safety rods withdrawn during cooldown and depressurization of the RCS. Each bypass is discussed next.

Channel Bypass

A channel bypass provision is provided to allow for maintenance and testing of the RPS. The use of channel bypass keeps the protection channel trip relay energized regardless of the status of the instrumentation channel of the bistable relay contacts. To place a protection channel in channel bypass, the other three channels must not be in channel bypass. This is ensured by contacts from the other channels being in series with the channel bypass relay. If any contact is open, the second channel cannot be bypassed. The second condition is the closing of the key switch. When the bypass relay is energized, the bypass contact closes, maintaining the channel trip relay in an energized condition. All RPS trips are reduced to a two-out-of-three logic in channel bypass.

Shutdown Bypass

During unit cooldown, it is desirable to leave the safety rods withdrawn to provide shutdown capabilities in the event of unusual positive reactivity additions (moderator dilution, etc.).

However, the unit is also depressurized as coolant temperature is decreased. If the safety rods are withdrawn and coolant pressure is decreased, an RCS Low Pressure trip will occur at 1800 psig and the rods will fall into the core. To avoid this, the protection system allows the operator to bypass the low pressure trip and maintain shutdown capabilities. During the cooldown and depressurization, the safety rods are inserted prior to the low pressure trip of 1800 psig. The RCS pressure is decreased to less than 1720 psig, then each RPS channel is placed in shutdown bypass.

In shutdown bypass, a normally closed contact opens and the operator closes the shutdown bypass key switch. This action bypasses the RCS Low Pressure trip, Nuclear Overpower RCS Flow and Measured AXIAL POWER IMBALANCE trip, Reactor Coolant Pump to Power trip, and the RCS Variable Low Pressure trip, and inserts a new RCS High Pressure, 1720 psig trip. The operator can now withdraw the safety rods for additional SDM.

The insertion of the new high pressure trip performs two functions. First, with a trip setpoint of 1720 psig, the bistable prevents operation at normal system pressure, 2155 psig, with a portion of the RPS bypassed. The second function is to ensure that the bypass is removed prior to normal operation. When the RCS pressure is increased during a unit heatup, the safety rods are inserted prior to reaching 1720 psig. The shutdown bypass is removed, which returns the RPS to normal, and system pressure is increased to greater than 1800 psig. The safety rods are then withdrawn and remain at the full out condition for the rest of the heatup.

In addition to the Shutdown Bypass RCS High Pressure trip, the high flux trip setpoint is administratively reduced to 5% RTP while the RPS is in shutdown bypass. This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows low temperature physics testing while preventing the generation of any significant amount of power.

Module Interlock and Test Trip Relay

Each channel and each trip module is capable of being individually tested. When a module is placed into the test mode, it causes the test trip relay to open and to indicate an RPS channel trip. Under normal conditions, the channel to be tested is placed in bypass before a module is tested.

[Limiting Trip Setpoints]/Allowable Value

The trip setpoints are the normal values at which the bistables are set. Any bistable is considered to be properly adjusted when the "as-left" value is within the band for CHANNEL CALIBRATION accuracy (i.e., +/- [rack calibration + comparator setting accuracy]).

The trip setpoints used in the bistables are based on the analytical limits stated in FSAR, Chapter [14] (Ref. 3). The selection of these [LTSPs] is such that adequate protection is provided when all sensor and processing uncertainties and time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 4), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the [LTSPs], as-left tolerance and as-found tolerance, including their explicit uncertainties, is provided in "[Unit Specific Setpoint Methodology]" (Ref. 5). The actual trip setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. One example of such a change in measurement error is drift during the Surveillance Frequency. A channel is inoperable if its actual trip setpoint is non-conservative with respect to its required Allowable Value.

[Limiting Trip Setpoints] in accordance with the Allowable Value ensure that the limits of Chapter 2.0, "Safety Limits," in the Technical Specifications are not violated during AOOs and that the consequences of DBAs will be acceptable, providing the unit is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed. Note that in LCO 3.3.1 the Allowable Values listed in Table 3.3.1-1 are the least conservative value of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION or CHANNEL FUNCTIONAL TEST.

Each channel can be tested online to verify that the signal and setpoint accuracy are within the specified allowance requirements of Reference 5.

Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated.

Surveillances for the channels are specified in the SR section.

The Allowable Values listed in Table 3.3.1-1 are based on the methodology described in "[Unit Specific Setpoint Methodology]" (Ref. 5), which incorporates all of the known uncertainties applicable for each channel. The magnitudes of those uncertainties are factored into the determination of each [LTSP]. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes.

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY

The RPS Functions to maintain the SLs during all AOOs and mitigates the consequences of DBAs. [LTSPs] that directly protect against violating the reactor core Safety Limits or the Reactor Coolant System (RCS) pressure boundary Safety Limits during anticipated operational occurrences (AOOs) are Safety Limit-Limiting Safety System Settings (SL-LSSS). Permissive and interlock setpoints allow bypass of trips when they are not required by the Safety Analysis. These permissives and interlocks ensure that the starting conditions are consistent with the safety analysis, before preventative or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy, (i.e., the value indicated is sufficiently close to the necessary value to ensure proper operation of the safety systems to turn the AOO). Therefore permissives and interlocks are not considered to be SL-LSSS.

Each of the analyzed accidents and transients can be detected by one or more RPS Functions. The accident analysis contained in Reference 6 takes credit for most RPS trip Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit.

However, qualitatively credited or backup Functions are not SL-LSSS. These Functions are high RB pressure, high temperature, turbine trip, and loss of main feedwater. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions also serve as backups to Functions that were credited in the safety analysis.

The LCO requires all instrumentation performing an RPS Function, listed in Table 3.3.1-1 in the accompanying LCO, to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. The four channels of each Function in Table 3.3.1-1 of the RPS instrumentation shall be OPERABLE during its specified Applicability to ensure that a reactor trip will be actuated if needed. Additionally, during shutdown bypass with any CRD trip breaker closed, the applicable RPS Functions must also be available. This ensures the capability to trip the withdrawn CONTROL RODS exists at all times that rod motion is possible. The trip Function channels specified in Table 3.3.1-1 are considered OPERABLE when all channel components necessary to provide a reactor trip are capable of performing their specified safety function and in service for the required MODE or Other Specified Condition listed in Table 3.3.1-1.

Required Actions allow maintenance (protection channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel bypass. Bypass effectively places the unit in a two-out-of-three logic configuration that can still initiate a reactor trip, even with a single failure within the system.


Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the unit specific setpoint calculations. The [LTSP] and the methodologies for calculation of the as-left and as-found tolerances are described in [a document controlled under 10 CFR 50.59]. The nominal setpoints [LTSPs] are selected to ensure that the setpoint measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is performing as required. The Allowable Value specified in Table 3.3.1-1 is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL FUNCTIONAL TEST (CFT). Each Allowable Value specified is more conservative than instrument uncertainties appropriate to the trip Function. These uncertainties are defined in the "[Unit Specific Setpoint Methodology]" (Ref. 5). As such, the Allowable Value differs from the [LTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria). If the actual setting of the device is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, then this condition indicates that the instrument is degraded and is not performing in accordance with the setpoint methodology assumptions. This condition must be entered into the plant corrective action program, the trip setpoint must be left adjusted to a value within the as-left tolerance band, and an immediate determination of operability must be made. If the actual setting of the device is found to be non-conservative with respect to the Allowable Value, the channel device would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required. Operation with a trip setpoint less conservative than the nominal trip setpoint [LTSP], but conservative with respect to its Allowable Value, is acceptable provided that operation and testing are consistent with the assumptions of the unit specific setpoint calculations and that the as-found setpoint is within the as-found tolerance.
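The as-found decision rule described above can be written out as a small classifier. This is an added example, not part of the STS Bases or any licensee's setpoint methodology; the numeric values are constructed, and it assumes a tolerance band symmetric about the [LTSP] with the as-left tolerance no wider than the as-found tolerance.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    OPERABLE = "operable"
    DEGRADED = "degraded"      # conservative to the AV, outside the as-found band
    INOPERABLE = "inoperable"  # non-conservative with respect to the AV


# Actions named in the Bases text for each outcome.
RESET = "leave trip setpoint adjusted to within the as-left tolerance"
CAP = "enter the condition into the plant corrective action program"
DETERMINE = "make an immediate determination of operability"
INOP = "declare inoperable; corrective action incl. 10 CFR 50.36 actions"


@dataclass(frozen=True)
class TripFunction:
    name: str
    trips_on_increase: bool  # True: trips when the process value rises
    ltsp: float              # limiting trip setpoint
    allowable_value: float   # least conservative acceptable as-found value
    as_found_tol: float      # assumed symmetric about the LTSP
    as_left_tol: float       # assumed symmetric about the LTSP

    def __post_init__(self) -> None:
        # Assumption of this example: as-left band sits inside as-found band.
        if not 0 <= self.as_left_tol <= self.as_found_tol:
            raise ValueError("as-left tolerance must not exceed as-found tolerance")
        if not self.conservative_to_av(self.ltsp):
            raise ValueError("LTSP must be conservative with respect to the AV")

    def conservative_to_av(self, setting: float) -> bool:
        """The AV itself counts as conservative (it is the limiting value)."""
        if self.trips_on_increase:
            return setting <= self.allowable_value
        return setting >= self.allowable_value


def evaluate_as_found(fn: TripFunction, as_found: float):
    """Return (Status, actions) for one as-found setpoint measurement."""
    if not fn.conservative_to_av(as_found):
        return Status.INOPERABLE, (INOP,)
    deviation = abs(as_found - fn.ltsp)
    if deviation > fn.as_found_tol:
        # Still protects the SL, but drift exceeded the methodology assumptions.
        return Status.DEGRADED, (CAP, RESET, DETERMINE)
    if deviation > fn.as_left_tol:
        return Status.OPERABLE, (RESET,)
    return Status.OPERABLE, ()


# Constructed values for illustration only; not taken from Table 3.3.1-1.
HIGH_PRESSURE = TripFunction("high pressure (constructed)", True,
                             ltsp=2355.0, allowable_value=2360.0,
                             as_found_tol=3.0, as_left_tol=2.0)
LOW_PRESSURE = TripFunction("low pressure (constructed)", False,
                            ltsp=1800.0, allowable_value=1795.0,
                            as_found_tol=3.0, as_left_tol=2.0)

if __name__ == "__main__":
    for reading in (2356.0, 2357.5, 2359.0, 2360.5, 2350.0):
        status, actions = evaluate_as_found(HIGH_PRESSURE, reading)
        print(f"{reading:7.1f} psig -> {status.value}: {'; '.join(actions) or 'none'}")
```

A reading that has drifted far in the conservative direction is still classified as degraded here, because the text ties the as-found band to the drift assumed in the methodology and not to the direction of the drift.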

For most RPS Functions, the trip setpoint [LTSP] Allowable Value is to ensure that the departure from nucleate boiling (DNB) or the RCS pressure SLs are not challenged. Cycle specific figures for use during operation are contained in the COLR.

Certain RPS trips function to indirectly protect the SLs by detecting specific conditions that do not immediately challenge SLs but will eventually lead to challenge if no action is taken. These trips function to minimize the unit transients caused by the specific conditions. The Allowable Value for these Functions is selected at the minimum deviation from normal values that will indicate the condition, without risking spurious trips due to normal fluctuations in the measured parameter.

These Allowable Values and their associated [LTSPs] are considered to be LSSS, but not considered to be SL-LSSS.

The Allowable Values for bypass removal Functions are stated in the Applicable MODE or Other Specified Condition column of Table 3.3.1-1.

The safety analyses applicable to each RPS Function are discussed next.

1. Nuclear Overpower
a. Nuclear Overpower - High Setpoint

The Nuclear Overpower - High Setpoint trip provides protection for the design thermal overpower condition based on the measured out of core fast neutron leakage flux.


The Nuclear Overpower - High Setpoint trip initiates a reactor trip when the neutron power reaches a predefined setpoint [LTSP] at the design overpower limit. Because THERMAL POWER lags the neutron power, tripping when the neutron power reaches the design overpower will limit THERMAL POWER to a maximum value of the design overpower. Thus, the Nuclear Overpower - High Setpoint trip protects against violation of the DNBR and fuel centerline melt SLs. However, the RCS Variable Low Pressure, and Nuclear Overpower RCS Flow and Measured AXIAL POWER IMBALANCE, provide more direct protection. The role of the Nuclear Overpower - High Setpoint trip is to limit reactor THERMAL POWER below the highest power at which the other two trips are known to provide protection. The Nuclear Overpower - High Setpoint trip also provides transient protection for rapid positive reactivity excursions during power operations.

These events include the rod withdrawal accident, the rod ejection accident, and the steam line break accident. By providing a trip during these events, the Nuclear Overpower - High Setpoint trip protects the unit from excessive power levels and also serves to reduce reactor power to prevent violation of the RCS pressure SL.

Rod withdrawal accident analyses cover a large spectrum of reactivity insertion rates (rod worths), which exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the high pressure trip provides primary protection.

The specified Allowable Value is selected to ensure that a trip occurs before reactor power exceeds the highest point at which the RCS Variable Low Pressure and the Nuclear Overpower RCS Flow and Measured AXIAL POWER IMBALANCE trips are analyzed to provide protection against DNB and fuel centerline melt. The Allowable Value does not account for harsh environment induced errors, because the trip will actuate prior to degraded environmental conditions being reached.


b. Nuclear Overpower - Low Setpoint

While in shutdown bypass, with the Shutdown Bypass RCS High Pressure trip OPERABLE, the Nuclear Overpower - Low Setpoint trip must be reduced to ≤ 5% RTP. The low power setpoint, in conjunction with the lower Shutdown Bypass RCS High Pressure setpoint, ensures that the unit is protected from excessive power conditions when other RPS trips are bypassed.

The setpoint Allowable Value was chosen to be as low as practical and still lie within the range of the out of core instrumentation.

2. RCS High Outlet Temperature

The RCS High Outlet Temperature trip, in conjunction with the RCS Low Pressure and RCS Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the reactor vessel outlet temperature approaches the conditions necessary for DNB. Portions of each RCS High Outlet Temperature trip channel are common with the RCS Variable Low Pressure trip. The RCS High Outlet Temperature trip provides steady state protection for the DNBR SL.

The RCS High Outlet Temperature trip limits the maximum RCS temperature to below the highest value for which DNB protection by the Variable Low Pressure trip is ensured. The trip setpoint Allowable Value is selected to ensure that a trip occurs before hot leg temperatures reach the point beyond which the RCS Low Pressure and Variable Low Pressure trips are analyzed. Above the high temperature trip, the variable low pressure trip need not provide protection, because the unit would have tripped already. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions that the equipment is expected to experience because the trip is not required to mitigate accidents that create harsh conditions in the RB.


3. RCS High Pressure

The RCS High Pressure trip works in conjunction with the pressurizer and main steam safety valves to prevent RCS overpressurization, thereby protecting the RCS High Pressure SL.

The RCS High Pressure trip has been credited in the accident analysis calculations for slow positive reactivity insertion transients (rod withdrawal accidents and moderator dilution) and loss of feedwater accidents. The rod withdrawal accidents cover a large spectrum of reactivity insertion rates and rod worths that exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the RCS High Pressure trip provides the primary protection.

The setpoint Allowable Value is selected to ensure that the RCS High Pressure SL is not challenged during steady state operation or slow power increasing transients. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions because the equipment is not required to mitigate accidents that create harsh conditions in the RB.

4. RCS Low Pressure

The RCS Low Pressure trip, in conjunction with the RCS High Outlet Temperature and Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system pressure approaches the conditions necessary for DNB. The RCS Low Pressure trip provides the DNB low pressure limit for the RCS Variable Low Pressure trip.

The RCS Low Pressure setpoint Allowable Value is selected to ensure that a reactor trip occurs before RCS pressure is reduced below the lowest point at which the RCS Variable Low Pressure trip is analyzed. The RCS Low Pressure trip provides protection for primary system depressurization events and has been credited in the accident analysis calculations for small break loss of coolant accidents (LOCAs). Consequently, harsh RB conditions created by small break LOCAs can affect performance of the RCS pressure sensors and transmitters. Therefore, degraded environmental conditions are considered in the Allowable Value determination.


5. RCS Variable Low Pressure

The RCS Variable Low Pressure trip, in conjunction with the RCS High Outlet Temperature and RCS Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system parameters of pressure and temperature approach the conditions necessary for DNB. The RCS Variable Low Pressure trip provides a floating low pressure trip based on the RCS High Outlet Temperature within the range specified by the RCS High Outlet Temperature and RCS Low Pressure trips.

The RCS Variable Low Pressure setpoint Allowable Value is selected to ensure that a trip occurs when temperature and pressure approach the conditions necessary for DNB while operating in a temperature pressure region constrained by the low pressure and high temperature trips. The RCS Variable Low Pressure trip is not assumed for transient protection in the unit safety analysis; therefore, determination of the setpoint Allowable Value does not account for errors induced by a harsh RB environment.

6. Reactor Building High Pressure

The Reactor Building High Pressure trip provides an early indication of a high energy line break (HELB) inside the RB. By detecting changes in the RB pressure, the RPS can provide a reactor trip before the other system parameters have varied significantly. Thus, this trip acts to minimize accident consequences. It also provides a backup for RPS trip instruments exposed to an RB HELB environment.

The Allowable Value for RB High Pressure trip is set at the lowest value consistent with avoiding spurious trips during normal operation.

The electronic components of the RB High Pressure trip are located in an area that is not exposed to high temperature steam environments during HELB transients. The components are exposed to high radiation conditions. Therefore, the determination of the setpoint Allowable Value accounts for errors induced by the high radiation.


7. Reactor Coolant Pump to Power

The Reactor Coolant Pump to Power trip provides protection for changes in the reactor coolant flow due to the loss of multiple RCPs.

Because the flow reduction lags loss of power indications due to the inertia of the RCPs, the trip initiates protective action earlier than a trip based on a measured flow signal.

The trip also prevents operation with both pumps in either coolant loop tripped. Under these conditions, core flow and core fluid mixing are insufficient for adequate heat transfer. Thus, the Reactor Coolant Pump to Power trip functions to protect the DNBR and fuel centerline melt SLs.

The Reactor Coolant Pump to Power trip has been credited in the accident analysis calculations for the loss of four RCPs. The trip also provides the primary protection for the loss of a pump or pumps, which would result in both pumps in a single steam generator loop being tripped.

The Allowable Value for the Reactor Coolant Pump to Power trip setpoint is selected to prevent normal power operation unless at least three RCPs are operating. RCP status is monitored by power transducers on each pump. These relays indicate a loss of an RCP on overpower with an Allowable Value of ≥ 14,400 kW and on underpower with an Allowable Value of ≤ 1752 kW. The overpower Allowable Value is selected low enough to detect locked rotor conditions (although credit is not allowed for this capability) but high enough to avoid a spurious trip on the inrush current when the pumps start. The underpower Allowable Value is selected to reliably trip on loss of voltage to the RCPs. Neither the reactor power nor the pump power Allowable Value accounts for instrumentation errors caused by harsh environments because the trip Function is not required to respond to events that could create harsh environments around the equipment.


8. Nuclear Overpower RCS Flow and Measured AXIAL POWER IMBALANCE

The Nuclear Overpower RCS Flow and Measured AXIAL POWER IMBALANCE trip provides steady state protection for the power imbalance SLs. A reactor trip is initiated when the core power, AXIAL POWER IMBALANCE, and reactor coolant flow conditions indicate an approach to DNB or fuel centerline melt limits.

This trip supplements the protection provided by the Reactor Coolant Pump to Power trip, through the power to flow ratio, for loss of reactor coolant flow events. The power to flow ratio provides direct protection for the DNBR SL for the loss of a single RCP and for locked RCP rotor accidents. The imbalance portion of the trip is credited for steady state protection only.

The power to flow ratio of the Nuclear Overpower RCS Flow and Measured AXIAL POWER IMBALANCE trip also provides steady state protection to prevent reactor power from exceeding the allowable power when the primary system flow rate is less than full four pump flow. Thus, the power to flow ratio prevents overpower conditions similar to the Nuclear Overpower trip. This protection ensures that during reduced flow conditions the core power is maintained below that required to begin DNB.

The Allowable Value is selected to ensure that a trip occurs when the core power, axial power peaking, and reactor coolant flow conditions indicate an approach to DNB or fuel centerline melt limits. By measuring reactor coolant flow and by tripping only when conditions approach a SL, the unit can operate with the loss of one pump from a four pump initial condition. The Allowable Value for this Function is given in the unit COLR because the cycle specific core peaking changes affect the Allowable Value.

9. Main Turbine Trip (Control Oil Pressure)

The Main Turbine Trip Function trips the reactor when the main turbine is lost at high power levels. The Main Turbine Trip Function provides an early reactor trip in anticipation of the loss of heat sink associated with a turbine trip. The Main Turbine Trip Function was added to the B&W designed units in accordance with NUREG-0737 (Ref. 7) following the Three Mile Island Unit 2 accident. The trip lowers the probability of an RCS power operated relief valve (PORV) actuation for turbine trip cases. This trip is activated at higher power levels, thereby limiting the range through which the Integrated Control System must provide an automatic runback on a turbine trip.

Each of the four turbine oil pressure switches feeds all four protection channels through buffers that continuously monitor the status of the contacts. Therefore, failure of any pressure switch affects all protection channels.

For the Main Turbine Trip (Control Oil Pressure) bistable, the Allowable Value of 45 psig is selected to provide a trip whenever feedwater pump control oil pressure drops below the normal operating range. To ensure that the trip is enabled as required by the LCO, the reactor power bypass is set with an Allowable Value of 45% RTP. The turbine trip is not required to protect against events that can create a harsh environment in the turbine building.

Therefore, errors induced by harsh environments are not included in the determination of the setpoint Allowable Value.

10. Loss of Main Feedwater Pumps (Control Oil Pressure)

The Loss of Main Feedwater Pumps (Control Oil Pressure) trip provides a reactor trip at high power levels when both MFW pumps are lost. The trip provides an early reactor trip in anticipation of the loss of heat sink associated with the LOMFW. This trip was added in accordance with NUREG-0737 (Ref. 7) following the Three Mile Island Unit 2 accident. This trip provides a reactor trip at high power levels for an LOMFW to minimize challenges to the PORV.

For the feedwater pump control oil pressure bistable, the Allowable Value of 55 psig is selected to provide a trip whenever feedwater pump control oil pressure drops below the normal operating range.

To ensure that the trip is enabled as required by the LCO, the reactor power bypass is set with an Allowable Value of 15% RTP. The Loss of Main Feedwater Pumps (Control Oil Pressure) trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors caused by harsh environments are not included in the determination of the setpoint Allowable Value.


11. Shutdown Bypass RCS High Pressure

The RPS Shutdown Bypass RCS High Pressure is provided to allow for withdrawing the CONTROL RODS prior to reaching the normal RCS Low Pressure trip setpoint. The shutdown bypass provides trip protection during deboration and RCS heatup by allowing the operator to withdraw the safety groups of CONTROL RODS. This makes their negative reactivity available to terminate inadvertent reactivity excursions. Use of the shutdown bypass trip requires that the neutron power trip setpoint be reduced to 5% of full power or less. The Shutdown Bypass RCS High Pressure trip forces a reactor trip to occur whenever the unit switches from power operation to shutdown bypass or vice versa. This ensures that the CONTROL RODS are all inserted and the flux distribution is known before power operation can begin. The operator is required to remove the shutdown bypass, reset the Nuclear Overpower - High Power trip setpoint, and again withdraw the safety rod groups before proceeding with startup.

Accidents analyzed in the FSAR, Chapter [14] (Ref. 3), do not describe events that occur during shutdown bypass operation, because the consequences of these events are enveloped by the events presented in the FSAR.

During shutdown bypass operation with the Shutdown Bypass RCS High Pressure trip active with a setpoint of ≤ [1720] psig and the Nuclear Overpower - Low Setpoint set at or below 5% RTP, the (numbered) trip Functions listed below can be bypassed. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low Setpoint trip act to prevent unit conditions from reaching a point where actuation of these trip Functions is necessary.

1.a Nuclear Overpower - High Setpoint,

4. RCS Low Pressure,
5. RCS Variable Low Pressure,
7. Reactor Coolant Pump to Power, and
8. Nuclear Overpower RCS Flow and Measured AXIAL POWER IMBALANCE.

The Shutdown Bypass RCS High Pressure Function's Allowable Value is selected to ensure a trip occurs before producing THERMAL POWER.

The RPS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

In MODES 1 and 2, the following (numbered) trip Functions shall be OPERABLE because the reactor is critical in these MODES. These trips are designed to take the reactor subcritical to maintain the SLs during AOOs and to assist the ESFAS in providing acceptable consequences during accidents.

1.a Nuclear Overpower - High Setpoint,

2. RCS High Outlet Temperature,
3. RCS High Pressure,
4. RCS Low Pressure,
5. RCS Variable Low Pressure,
6. Reactor Building High Pressure,
7. Reactor Coolant Pump to Power, and
8. Nuclear Overpower RCS Flow and Measured AXIAL POWER IMBALANCE.

Functions 1, 3, 4, 5, 7, and 8 just listed may be bypassed in MODE 2 when RCS pressure is below [1720] psig, provided the Shutdown Bypass RCS High Pressure and the Nuclear Overpower - Low setpoint trip are placed in operation. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.


In MODE 3 when not operating in shutdown bypass but with any CRD trip breaker in the closed position and the CRD System capable of rod withdrawal, the Nuclear Overpower-High Setpoint trip and the RCS High Pressure trip are required to be OPERABLE.

Two other Functions are required to be OPERABLE during portions of MODE 1. These are the Main Turbine Trip (Control Oil Pressure) and the Loss of Main Feedwater Pumps (Control Oil Pressure) trip. These Functions are required to be OPERABLE above [45]% RTP and [15]% RTP, respectively. Analyses presented in BAW-1893 (Ref. 8) have shown that for operation below these power levels, these trips are not necessary to minimize challenges to the PORVs as required by NUREG-0737 (Ref. 7).

Because the only safety function of the RPS is to trip the CONTROL RODS, the RPS is not required to be OPERABLE in MODE 3, 4, or 5 if the reactor trip breakers are open, or the CRD System is incapable of rod withdrawal. Similarly, the RPS is not required to be OPERABLE in MODE 6 when the CONTROL RODS are decoupled from the CRDs.

However, in MODE 2, 3, 4, or 5, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are required to be OPERABLE if the CRD trip breakers are closed and the CRD System is capable of rod withdrawal. Under these conditions, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are sufficient to prevent an approach to conditions that could challenge SLs.

ACTIONS

Conditions A, B, and C are applicable to all RPS protection Functions. If a channel's trip setpoint is found non-conservative with respect to the required Allowable Value in Table 3.3.1-1, or the transmitter, instrument loop, signal processing electronics or bistable is found inoperable, the channel must be declared inoperable and Condition A or Conditions A and B entered immediately.

When the number of inoperable channels in a trip Function exceeds those specified in the related Conditions associated with a trip Function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 must be immediately entered if applicable in the current MODE of operation.



REVIEWER'S NOTE-----------------------------------

If a unit is to take credit for topical reports as the basis for justifying Completion Times, the reports must be supported by an NRC Staff Safety Evaluation Report (SER) that establishes the acceptability of each topical report for that unit.


A.1

If one or more Functions in one protection channel become inoperable, the affected protection channel must be placed in bypass or trip. If the channel is bypassed, all RPS Functions are placed in a two-out-of-three logic configuration and the bypass of any other channel is prevented. In this configuration, the RPS can still perform its safety function in the presence of a random failure of any single channel. Alternatively, the inoperable channel can be placed in trip. Tripping the affected protection channel places all RPS Functions in a one-out-of-three configuration.

Operation in the two-out-of-three configuration or in the one-out-of-three configuration may continue indefinitely based on the NRC SER for BAW-10167, Supplement 2 (Ref. 9). In this configuration, the RPS is capable of performing its trip Function in the presence of any single random failure. The 1 hour Completion Time is sufficient to perform Required Action A.1.

B.1 and B.2

For Required Action B.1 and Required Action B.2, if one or more Functions in two protection channels become inoperable, one of two inoperable protection channels must be placed in trip and the other in bypass. These Required Actions place all RPS Functions in a one-out-of-two logic configuration and prevent bypass of a second channel. In this configuration, the RPS can still perform its safety functions in the presence of a random failure of any single channel. The 1 hour Completion Time is sufficient time to perform Required Action B.1 and Required Action B.2.
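The coincidence configurations named in the maintenance bypass discussion and in Required Actions A.1, B.1 and B.2 can be checked with a short model. This is an added example, not part of the STS Bases; it assumes the normal logic is two-out-of-four across the four protection channels, and the function names are hypothetical.

```python
from enum import Enum

CHANNELS = 4
TRIPS_REQUIRED = 2  # assumption: normal two-out-of-four coincidence


class ChannelState(Enum):
    IN_SERVICE = "in service"
    BYPASSED = "bypassed"  # removed from the vote
    TRIPPED = "tripped"    # placed in trip: a standing vote to trip


def _check(states):
    if len(states) != CHANNELS:
        raise ValueError(f"expected {CHANNELS} protection channels")


def logic_configuration(states):
    """Return (m, n): m further channel trips needed out of n voting channels."""
    _check(states)
    if sum(s is ChannelState.BYPASSED for s in states) > 1:
        # The bypass interlock prevents operation with a second channel bypass.
        raise ValueError("interlock: only one channel may be bypassed")
    tripped = sum(s is ChannelState.TRIPPED for s in states)
    voting = sum(s is ChannelState.IN_SERVICE for s in states)
    return max(TRIPS_REQUIRED - tripped, 0), voting


def trips_on_demand(states, responding):
    """True if a valid demand produces a reactor trip.

    `responding` is the set of channel indices whose bistables actually trip;
    an in-service channel missing from it models a failed channel. The bypass
    interlock is deliberately not enforced here so that the two-bypass case
    can be evaluated as well.
    """
    _check(states)
    votes = sum(
        1 for i, s in enumerate(states)
        if s is ChannelState.TRIPPED
        or (s is ChannelState.IN_SERVICE and i in responding)
    )
    return votes >= TRIPS_REQUIRED


def tolerates_single_failure(states):
    """True if the trip still occurs with any one in-service channel failed."""
    in_service = {i for i, s in enumerate(states) if s is ChannelState.IN_SERVICE}
    return all(trips_on_demand(states, in_service - {failed}) for failed in in_service)


I, B, T = ChannelState.IN_SERVICE, ChannelState.BYPASSED, ChannelState.TRIPPED

if __name__ == "__main__":
    cases = {
        "all in service": [I, I, I, I],
        "A.1, channel bypassed": [B, I, I, I],
        "A.1, channel tripped": [T, I, I, I],
        "B.1/B.2, one tripped and one bypassed": [T, B, I, I],
    }
    for label, states in cases.items():
        m, n = logic_configuration(states)
        print(f"{label}: {m}-out-of-{n}, "
              f"single failure tolerated: {tolerates_single_failure(states)}")
    # Two bypassed channels would leave two-out-of-two, which one failure defeats.
    print("two bypassed:", tolerates_single_failure([B, B, I, I]))
```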


C.1

Required Action C.1 directs entry into the appropriate Condition referenced in Table 3.3.1-1. The applicable Condition referenced in the table is Function dependent. If the Required Action and the associated Completion Time of Condition A or B are not met or if more than two channels are inoperable, Condition C is entered to provide for transfer to the appropriate subsequent Condition.

D.1 and D.2

If the Required Action and associated Completion Time of Condition A or B are not met and Table 3.3.1-1 directs entry into Condition D, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and to open all CRD trip breakers without challenging plant systems.

E.1

If the Required Action and associated Completion Time of Condition A or B are not met and Table 3.3.1-1 directs entry into Condition E, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. To achieve this status, all CRD trip breakers must be opened. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to open CRD trip breakers without challenging plant systems.

F.1

If the Required Action and associated Completion Time of Condition A or B are not met and Table 3.3.1-1 directs entry into Condition F, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < [45]% RTP. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach [45]% RTP from full power conditions in an orderly manner without challenging plant systems.


G.1

If the Required Action and associated Completion Time of Condition A or B are not met and Table 3.3.1-1 directs entry into Condition G, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < [15]% RTP. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach [15]% RTP from full power conditions in an orderly manner without challenging plant systems.

SURVEILLANCE REQUIREMENTS

The SRs for each RPS Function are identified by the SRs column of Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, CHANNEL CALIBRATION, and RPS RESPONSE TIME testing.

The SRs are modified by a Note. The [first] Note directs the reader to Table 3.3.1-1 to determine the correct SRs to perform for each RPS Function.


REVIEWER'S NOTE-----------------------------------

The CHANNEL FUNCTIONAL TEST Frequencies are based on approved topical reports. For a licensee to use these times, the licensee must justify the Frequencies as required by the NRC Staff SER for the topical report.



REVIEWER'S NOTE ------------------------------------

The Notes in Table 3.3.1-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with SL-LSSS values. Therefore, the Notes are applied to specific SRs for the associated Functions in the SR column only. The Notes may be placed at the top of the Allowable Value column in the Table and applied to all Functions with allowable values in the table.



REVIEWER'S NOTE ------------------------------------

Notes 1 and 2 are applied to the setpoint verification Surveillances for all SL-LSSS Functions unless one or more of the following exclusions apply:

1. Notes 1 and 2 are not applied to SL-LSSS Functions which utilize mechanical components to sense the trip setpoint or to manual initiation circuits (the latter are not explicitly modeled in the accident analysis). Examples of mechanical components are limit switches, float switches, proximity detectors, manual actuation switches, and other such devices that are normally only checked on a "go/no go" basis. Note 1 requires a comparison of the periodic surveillance requirement results to provide an indication of channel (or individual device) performance. This comparison is not valid for most mechanical components. While it is possible to verify that a limit switch functions at a point of travel, a change in the surveillance result probably indicates that the switch has moved, not that the input/output relationship has changed. Therefore, a comparison of surveillance requirement results would not provide an indication of the channel or component performance.

2. Notes 1 and 2 are not applied to Technical Specifications associated with mechanically operated safety relief valves. The performance of these components is already controlled (i.e., trended with as-left and as-found limits) under the ASME Section XI testing program.
3. Notes 1 and 2 may not apply to SL-LSSS Functions and Surveillances which test only digital components. For purely digital components, such as actuation logic circuits and associated relays, there is no expected change in result between surveillance performances other than measurement and test errors (M&TE) and, therefore, justification is needed to confirm that comparison of Surveillance results does not provide an indication of channel or component performance.

An evaluation of the potential SL-LSSS Functions resulted in Notes 1 and 2 being applied to the Functions shown in the TS markups. Each licensee proposing to fully adopt this TSTF must review the potential SL-LSSS Functions to identify which of the identified functions are SL-LSSS according to the definition of SL-LSSS and their plant specific safety analysis. The two TSTF Notes are not required to be applied to any of the listed Functions which meet any of the exclusion criteria or are not SL-LSSS based on the plant specific design and analysis.


SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.


Agreement criteria are determined by the unit staff based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction. Off scale low current loop channels are verified to be reading at the bottom of the range and not failed downscale.

The agreement criteria include an expectation of one decade of overlap when transitioning between neutron flux instrumentation. For example, during a power increase near the top of the scale of the intermediate range monitors, a power range monitor reading is expected with at least one decade overlap. Without such an overlap, the power range monitors are considered inoperable unless it is clear that an intermediate range monitor inoperability is responsible for the lack of the expected overlap.

The Frequency, about once every shift, is based on operating experience that demonstrates channel failure is rare. Since the probability of two random failures in redundant channels in any 12 hour period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal but more frequent checks of channel OPERABILITY during normal operational use of the displays associated with the LCO's required channels.

For Functions that trip on a combination of several measurements, such as the Nuclear Overpower RCS Flow and Measured AXIAL POWER IMBALANCE Function, the CHANNEL CHECK must be performed on each input.
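The CHANNEL CHECK comparison described above, as an added example that is not part of the STS Bases. It assumes 4-20 mA current loop channels, the median of the live channels as the comparison reference, and a 3.6 mA failed-downscale threshold; the function name, verdict strings and sample readings are hypothetical.

```python
from statistics import median

LIVE_ZERO_MA = 4.0    # bottom of range for an assumed 4-20 mA loop
FULL_SCALE_MA = 20.0  # top of range
FAILED_LOW_MA = 3.6   # assumed: below this the loop has failed downscale


def scale_state(ma):
    """Classify a live loop current as on scale or off scale (and which way)."""
    if ma <= LIVE_ZERO_MA:
        return "off_scale_low"
    if ma >= FULL_SCALE_MA:
        return "off_scale_high"
    return "on_scale"


def channel_check(currents_ma, criterion_ma):
    """Return {channel: verdict} for redundant channels of one parameter.

    criterion_ma is the agreement criterion set by the unit staff.
    """
    verdicts, live = {}, {}
    for name, ma in currents_ma.items():
        if ma < FAILED_LOW_MA:
            # Reading below live zero: failed, not merely at bottom of range.
            verdicts[name] = "failed_downscale"
        else:
            live[name] = ma

    states = {name: scale_state(ma) for name, ma in live.items()}
    if live and "on_scale" not in states.values():
        # Every live channel is off scale: only the direction can be compared.
        same_direction = len(set(states.values())) == 1
        for name in live:
            verdicts[name] = "ok" if same_direction else "off_scale_mismatch"
        return verdicts

    # Compare each channel with the median; off-scale readings are clamped
    # to the range limit so they are judged at the edge of the indication.
    clamped = {n: min(max(ma, LIVE_ZERO_MA), FULL_SCALE_MA)
               for n, ma in live.items()}
    reference = median(clamped.values()) if clamped else None
    for name, ma in clamped.items():
        within = abs(ma - reference) <= criterion_ma
        verdicts[name] = "ok" if within else "deviates"
    return verdicts


# Constructed readings (mA), not plant data.
AT_POWER = {"A": 12.0, "B": 12.1, "C": 11.9, "D": 13.5}
SHUTDOWN = {"A": 4.0, "B": 3.98, "C": 4.0, "D": 0.2}

if __name__ == "__main__":
    print(channel_check(AT_POWER, 0.5))
    print(channel_check(SHUTDOWN, 0.5))
```

For a Function that trips on several measurements, the same check is run once per input, as the Bases require.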

SR 3.3.1.2 This SR is the performance of a heat balance calibration for the power range channels every 24 hours when reactor power is > 15% RTP. The heat balance calibration consists of a comparison of the results of the calorimetric with the power range channel output. The outputs of the power range channels are normalized to the calorimetric. Note 1 to the SR states if the absolute difference between the calorimetric and the Nuclear Instrumentation System (NIS) channel output is > [2]% RTP, the NIS is not declared inoperable but must be adjusted. If the NIS channel cannot be properly adjusted, the channel is declared inoperable. Note 2 clarifies that this Surveillance is required only if reactor power is ≥ 15% RTP and that 24 hours is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are inaccurate.

The power range channel's output shall be adjusted consistent with the calorimetric results if the absolute difference between the calorimetric and the power range channel's output is > [2]% RTP. The value of [2]% is adequate because this value is assumed in the safety analyses of FSAR, Chapter [14] (Ref. 3). These checks and, if necessary, the adjustment of the power range channels ensure that channel accuracy is maintained within the analyzed error margins. The 24 hour Frequency is adequate, based on unit operating experience, which demonstrates the change in the difference between the power range indication and the calorimetric results rarely exceeds a small fraction of [2]% in any 24 hour period.

Furthermore, the control room operators monitor redundant indications and alarms to detect deviations in channel outputs.

SR 3.3.1.3 A comparison of power range nuclear instrumentation channels against incore detectors shall be performed at a 31 day Frequency when reactor power is > 15% RTP. The SR is modified by two Notes. Note 2 clarifies that 24 hours is allowed for performing the first Surveillance after reaching 15% RTP. Note 1 states if the absolute difference between the power range and incore measurements is ≥ [2]% RTP, the power range channel is not inoperable, but an adjustment of the measured imbalance to agree with the incore measurements is necessary. If the power range channel cannot be properly recalibrated, the channel is declared inoperable. The calculation of the Allowable Value envelope assumes a difference in out of core to incore measurements of 2.5%. Additional inaccuracies beyond those that are measured are also included in the [LTSP] envelope calculation. The 31 day Frequency is adequate, considering that long term drift of the excore linear amplifiers is small and burnup of the detectors is slow. Also, the excore readings are a strong function of the power produced in the peripheral fuel bundles, and do not represent an integrated reading across the core. The slow changes in neutron flux during the fuel cycle can also be detected at this interval.


SR 3.3.1.4 A CHANNEL FUNCTIONAL TEST is performed on each required RPS channel to ensure that the entire channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. Setpoints must be found conservative with respect to the Allowable Values specified in Table 3.3.1-1. Any setpoint adjustment shall be consistent with the assumptions of the current unit specific setpoint analysis.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in BAW-10167 (Ref. 10).

The Frequency of [45] days on a STAGGERED TEST BASIS is consistent with the calculations of Reference 9 that indicate the RPS retains a high level of reliability for this test interval.

SR 3.3.1.4 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP].

Where a setpoint more conservative than the [LTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [LTSP], then the instrument channel shall be declared inoperable.

The second Note also requires that [LTSP] and the methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

SR 3.3.1.5 A Note to the Surveillance indicates that neutron detectors are excluded from CHANNEL CALIBRATION. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.

A CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that measurement errors and bistable setpoint errors are within the assumptions of the unit specific setpoint analysis. CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint analysis.


Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detector (RTD) sensors is accomplished by an in-place cross calibration that compares the other sensing elements with the recently installed sensing element.

The Frequency is justified by the assumption of an [18] month calibration interval in the determination of the magnitude of equipment drift in the [LTSP] analysis.

SR 3.3.1.5 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP].

Where a setpoint more conservative than the [LTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [LTSP], then the instrument channel shall be declared inoperable.

The second Note also requires that [LTSP] and the methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].
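The disposition that the two Notes on SR 3.3.1.4 and SR 3.3.1.5 describe can be written out as a small decision function. This is an added example, not part of the STS Bases; the symmetric tolerance bands, the `SetpointBasis` and `Finding` names, and every numeric value are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Finding(Enum):
    AS_FOUND_NOT_CONSERVATIVE_TO_AV = auto()  # SR acceptance criterion not met
    EVALUATE_CHANNEL_PERFORMANCE = auto()     # first Note; also enter the CAP
    DECLARE_INOPERABLE = auto()               # as-left not restored to band


@dataclass(frozen=True)
class SetpointBasis:
    setpoint: float          # [LTSP], or the more conservative procedure setpoint
    allowable_value: float   # from Table 3.3.1-1
    as_found_tol: float      # assumed symmetric +/- band about the setpoint
    as_left_tol: float       # assumed symmetric +/- band about the setpoint
    trips_on_increase: bool  # True for a high trip, False for a low trip


def conservative_to_av(value, basis):
    """A high trip is conservative at or below the AV, a low trip at or above."""
    if basis.trips_on_increase:
        return value <= basis.allowable_value
    return value >= basis.allowable_value


def disposition(basis, as_found, as_left):
    """Return the set of Findings for one setpoint verification.

    as_left is the final setting after any adjustment attempt.
    """
    findings = set()
    if not conservative_to_av(as_found, basis):
        findings.add(Finding.AS_FOUND_NOT_CONSERVATIVE_TO_AV)
    elif abs(as_found - basis.setpoint) > basis.as_found_tol:
        # Outside the as-found band in either direction, yet still
        # conservative with respect to the AV: the first Note applies.
        findings.add(Finding.EVALUATE_CHANNEL_PERFORMANCE)
    if abs(as_left - basis.setpoint) > basis.as_left_tol:
        # Second Note: the setting could not be returned to the as-left band.
        findings.add(Finding.DECLARE_INOPERABLE)
    return findings


# Constructed values, not taken from any unit specific setpoint analysis.
HIGH_TRIP = SetpointBasis(2355.0, 2365.0, 6.0, 3.0, trips_on_increase=True)
LOW_TRIP = SetpointBasis(1800.0, 1790.0, 6.0, 3.0, trips_on_increase=False)

if __name__ == "__main__":
    for found, left in [(2357.0, 2356.0), (2363.0, 2355.0), (2368.0, 2355.0)]:
        names = sorted(f.name for f in disposition(HIGH_TRIP, found, left))
        print(found, left, names or ["no findings"])
```

Drift in the conservative direction still triggers the first Note when it leaves the as-found band, because the Note is about instrument behaviour rather than margin.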

SR 3.3.1.6 This SR verifies individual channel actuation response times are less than or equal to the maximum values assumed in the accident analysis.

Individual component response times are not modeled in the analyses.

The analyses model the overall, or total, elapsed time from the point at which the parameter exceeds the analytical limit at the sensor to the point of rod insertion. Response time testing acceptance criteria for this unit are included in Reference 2.

A Note to the Surveillance indicates that neutron detectors are excluded from RPS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.

Response time tests are conducted on an [18] month STAGGERED TEST BASIS. Testing of the final actuation devices, which make up the bulk of the response time, is included in the testing of each channel.

Therefore, staggered testing results in response time verification of these devices every [18] months. The [18] month Frequency is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.


REFERENCES 1. Regulatory Guide 1.105, Revision 3, Setpoints for Safety Related Instrumentation.

2. FSAR, Chapter [7].
3. FSAR, Chapter [14].
4. 10 CFR 50.49.
5. [Unit Specific Setpoint Methodology].
6. [Unit Specific Accident Analysis].
7. NUREG-0737, November 1979.
8. BAW-1893.
9. NRC SER for BAW-10167, Supplement 2, July 8, 1992.
10. BAW-10167, May 1986.
