|
|
| Line 2: |
Line 2: |
| | number = ML22112A077 | | | number = ML22112A077 |
| | issue date = 01/31/1997 | | | issue date = 01/31/1997 |
| | title = Abb System 80+ Design Control Document - Volume 19 | | | title = ABB System 80+ Design Control Document - Volume 19 |
| | author name = | | | author name = |
| | author affiliation = ABB Combustion Engineering, Inc | | | author affiliation = ABB Combustion Engineering, Inc |
| Line 17: |
Line 17: |
|
| |
|
| =Text= | | =Text= |
| {{#Wiki_filter:. - - _ . . _ _ . . . | | {{#Wiki_filter:}} |
| iO
| |
| ; the System 80+
| |
| ; standardplant 3
| |
| }
| |
| i Design ControlDocument O
| |
| Volume 19 i :
| |
| \
| |
| i O A ItIt Combustion Engineering, Inc. M EFEF
| |
| __ _____ ____ _ __ _--- _ ----- J
| |
| | |
| O Copyright C 1997 j Combustion Engineering, Inc.,
| |
| All Rights Reserved.
| |
| Warning, Legal Notice and Disclaimer of Liability The design, engineering and other information contained in this document have been ;
| |
| prepared by or for Combustion Engineering, Inc. in connection with its application to the ;
| |
| United States Nuclear Regulatory Commission (US NRC) for design certification of the j System 80+ nuclear plant design pursuant to Title 10, Code of Federal Regulations i Part 52. No use of any such information is authorized by Combustion Engineering, Inc.
| |
| except for use by the US NRC and its contractors in connection with review and approval of such application. Combustion Engineenng, Inc. hereby disclaims all responsibility and liability in connection with unauthorized use of such information.
| |
| Neither Combustion Engineering, Inc. nor any other person or entity makes any warranty or represent & tion to any person or entity (other than the US NRC in connection with its i review of Combustion Engineering's application) concerning such information or its use, I except to the extent an express warranty is made by Combustion Engineering, Inc. to l its customer in a written contract for the sale of the goods or services described in this document. Potential users are hereby warned that any such information may be unsuitable for use except in connection with the performance of such a written contract by Combustion Engineering, Inc.
| |
| Such information or its use are subject to copyright, patent, trademark or other rights of Combustion Engineering, Inc, or of others, and no license is granted with respect to such rights, except that the US NRC is authorized to make such copies as are necessary for the use of the US NRC and its contractors in connection with the Combustion Engineering, Inc. application for design certification.
| |
| Publication, distribution or sale of this document does not constitute the performance of engineering or other professional services and does not create or establish any duty of care towards any recipient (other than the US NRC in connection with its review of Combustion Engineering's application) or towards any person affected by this document.
| |
| For information address: Combustion Engineering, Inc., Nuclear Systems Licensing, 2000 Day Hill Road; Windsor, Connecticut 06095 O
| |
| | |
| System 80+ Desian contratDocument
| |
| [ Introduction V}
| |
| . Certified Design Material ,
| |
| 1.0 Introduction i 2.0 System and Structure ITAAC 3.0 Non-System ITAAC ,
| |
| 4.0 Interface Requirements 5.0 Site Parameters Approved Design Material - Design & Analysis ;
| |
| +
| |
| 1.0 General Plant Description
| |
| '2.0 Site Characteristics 3.0 Design of Systems, Structures & Components 4.0 Reactor 5.0 .RCS and Connected Systems 6.0 Engineered Safety Features 7.0 Instrumentation and Control 8.0 Electric Power 9.0 Auxiliary Systems 10.0 Steam and Power Conversion 11.0 Radioactive Waste Management
| |
| , 12.0 Radiation Protection
| |
| ( 13.0 Conduct of Operations 14.0 Initial Test Program 15.0 Accident Analyses 16.0 Technical Specifications 17.0 Quality Assurance 18.0 Human Factors 19.0 Probabilistic Risk Assessment 20.0 Unresolved and Generic Safety Issues Approved Design Material - Emergency Operations Guidelines 1.0 Introduction 2.0 Standard Post-Trip Actions 3.0 Diagnostic Actions 4.0 Reactor Trip Recovery 5.0 Loss of Coolant Accident Recovery 6.0 Steam Generator Tube Rupture Recovery
| |
| , 7.0 Excess Steam Demand Event Recovery 8.0 Loss of All Feedwater Recovery 9.0 Loss of Offsite Power Recovery 10.0 Station Blackout Recovery 11.0 Functional Recovery Guideline
| |
| ' (~x
| |
| (_[
| |
| c- -
| |
| | |
| 1 l
| |
| the System 80+ .
| |
| standardplant !
| |
| 'l l
| |
| 1 I
| |
| Approved Design Material O Design & Analysis
| |
| 'l O . Combustion Engineering, Inc.
| |
| AH R EFEF
| |
| | |
| . -, .__ _ ,. _ _ ~ ~ . . _ _ . _ . _ _ . _ _ _ . _ _ _ . ._ - .._._ __ _,
| |
| 1
| |
| , 'l l
| |
| RPS Instrumentation - Operating B 3.3.1~
| |
| ~B.3.3. INSTRUMENTATION ,
| |
| B 3.3.1 Reactor Protective System (RPS) Instrumentation - Operating 'l L BASES $
| |
| i . BACKGROUND The RPS initiates a react'or trip to protect against i 4 violating the core specified acceptable fuel design limits !
| |
| and breaching the reactor coolant pressure boundary (RCPB)' :
| |
| during anticipated operational occurrences (A00s).- By . i tripping the reactor, the RPS also assists the engineered _;
| |
| safety features (ESF) systems in mitigating accidents. j t The protection and monitoring systems have been designed to j
| |
| [ '
| |
| ensure safe operation of the reactor. This is achieved by j.
| |
| specifying limiting safety system settings (LSSS) in terms ;
| |
| of parameters directly monitored by the RPS, as well as LCOs j on other reactor system parameters and equipment performance. i e l T. The-LSSS, defined in this Specification as the Allowable .l F Value, in conjunction with the LCOs, establishes the 4 threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents (DBAs).
| |
| During A00s, which are those events expected to occur one or i more times during the plant life, the acceptable limits are: -l l
| |
| e The departure from nucleate boiling ratio (DNBR) shall i be maintained above the Safety Limit (SL) value to ;
| |
| prevent departure from nucleate boiling _ (DNB) ,
| |
| e Fuel centerline melting shall not occur; and
| |
| * The Reactor Coolant System (RCS) pressure SL of .[
| |
| 2750 psia shall not be exceeded. i Maintaining the parameters within the above values ensures that offsite dose will be within the 10 CFR 50 (Ref. 1)~and 10 CFR 100 (Ref. 2) criteria during A00s.
| |
| e Accidents are' events that-are analyzed even though they are l not expected to occur =during the plant life. The acceptable-limit during accidents is that the' offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 ;
| |
| (Ref.-2) limits. Different' accident categories allow (continued) !
| |
| :1. ;
| |
| SYSTEM 80+I ..
| |
| B 3.3-1 Rev. 00 i
| |
| ' 16A : Tech Spec - Bases
| |
| -~ . - - - , ._ - ..
| |
| I
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES BACKGROUND a different fraction of these limits based on probability of (continued) occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.
| |
| The RPS portion of the Plant Protection System (PPS) is a vital system which consists of sensors, calculators, logic, and other equipment necessary to monitor selected plant condit''ns and to effect reliable and rapid reactor shutdown (reactm trip) if monitored conditions approach specified limitt., safety system settings. The systcm's functions are to protect the core fuel design limits and Reactor Coolant System (RCS) pressure boundary for Anticipated Operational Occurrences, and also to provide assistance in mitigating the consequences of accidents. Four measurement CHANNELS with electrical and physical separation are provided for each parameter used in the direct generation of trip signals, with the exception of Control Element Assembly (CEA) position which is a two CHANNEL measurement.
| |
| The RPS portion of the PPS includes the following functions:
| |
| bistable trip, local coincidence logic, reactor trip initiation logic and automatic testing of PPS logic. The bistable trip processors generate trips based on the measurement CHANNEL digitized value exceeding a digital setpoint. The bistable trip processors provide their trip signals to the coincidence processors located in the four redundant PPS CHANNELS. The coincidence processors evaluate the local coincidence logic based on the state of the four like trip signals and their respective bypasses. The coincidence signals are used in the generation of the Reactor Trip Switchgear System (RTSS) or Engineered Safety Features-Component Control System (ESF-CCS) initiation. A coincidence of two-out-of-four like trip signals is required to generate a reactor trip signal. The fourth CHANNEL allows bypassing of one CHANNEL while maintaining a two-out-of-three system.
| |
| The PPS has four pairs of cabine+,s housing the Plant Protection Calculator (PPC) and Core Protection Claculator (CPC). Each pair of cabinets is located in a separate equipment room and contains the bistable processors, coincidence processors and interface hardware of one of the four PPS safety CHANNELS designated A, B, C and D.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-2 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Operating n
| |
| B 3.3.1 BASES ,
| |
| BACKGROUND The reactor trip signal deenergizes the Control Element i (continued) Drive Mechanism (CEDM) coils, allowing all CEAs to drop into the core.
| |
| The local and main control room PPS operator's module (one i per CHANNEL) provides for entering TRIP CHANNEL bypasses, ;
| |
| operating bypasses, and variable setpoint resets. These modules also provide indication of status of bypasses, operating bypasses, bistable trip and pre-trip.. The locci operator's module provides the man-machine interface during manual testing of bistable trip functions not tested ;
| |
| automatically.
| |
| 4 This LCO addresses MEASUREMENT CHANNELS, bistable trip processors, CPCs, automatic operating bypass removal '
| |
| features for those trips with operating bypasses, and trip bypasses on the local coincidence logic while operating.
| |
| LC0 3.3.2 addresses MEASUREMENT CHANNELS, bistable trip processes, CPCs, automatic operating bypass removal features i for those trips with operating bypasses, and trip bypasses i p on the local coincidence logic while shutdown. The RPS ,
| |
| (j local coincidence logic (except for trip bypasses), l I
| |
| initiation logic, Reactor Trip Circuit Breakers (RTCBs), and Manual Trip are addressed in LC0 3.3.4, " Reactor Protective System (RPS) Logic and Trip Initiation." The CEACs are addressed in LCO 3.3.3, " Control Element Assembly Calculators (CEACs)."
| |
| I Each of the above RPS instrumentation is segmented into three functions. These functions are:
| |
| * MEASUREMENT CHANNELS l e Bistable Processors and e RPS Logic MEASUREMENT CHANNELS MEASUREMENT CHANNELS, consisting of the sensor, transmitter, ;
| |
| and signal conditioning devices, provide a measurable signal i based upon the physical characteristics of the parameter being measured.
| |
| )
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-3 Rev. 00 ;
| |
| 16A Tech Spec Bases l
| |
| | |
| m 5
| |
| RPS Instrumentation - Operating 8 3.3.1 ,
| |
| BASES BACKGROUND The excore nuclear instrumentation, the core protection (continued) calculators (CPCs), and the CEACs, though complex, are considered components in the measurement CHANNELS of the Variable Overpower - High, Logarithmic Power Level-High, DNBR-Low, and Local Power Density (LPD)-High trips.
| |
| Four identical MEASUREMENT CHANNELS, designated CHANNELS A through D, with electrical and physical separation, are provided for each parameter used in the generation of trip signals, with the exception of the control element assembly (CEA) position indication used in the CPCs. Each measurement CHANNEL provides input to one or more RPS bistables within the same RPS CHANNEL. The bistable function is an integral part of the Trip Logic Calculators (TLCs) in the CPCs. In addition, some measurement CHANNELS may also be used as inputs to Engineered Safety Features Actuation System (ESFAS) bistables, and most provide indication in the enat ol room.
| |
| When a CHANNEL monitoring a parameter exceeds a predetermined setpoint, indicating an unsafe condition, the bistable monitoring the parameter in that CHANNEL will trip.
| |
| Tripping bistables monitoring the same parameter in two or h
| |
| more CHANNELS will de-energize Local Coincidence Logic, which in turn de-energizes the Initiation Logic. This causes all four RTCBs to open, interrupting power to the CEAs, allowing them to fall into the core.
| |
| Three of the four MEASUREMENT CHANNELS and bistable processors CHANNELS are necessary to meet the redundancy and testability of 10 CFR 50, Appendix A, GDC 21 (Ref. 1). The fourth CHANNEL provides additional flexibility, by allowing one CHANNEL to be removed from service (trip channel bypass) for maintenance or testing, while still maintaining a minimum two out of three logic. Thus, even with a CHANNEL inoperable, no single additional failure in the RPS can either cause an inadvertent trip, or prevent a required trip from occurring.
| |
| Adequate CHANNEL to CHANNEL independence includes physical and electrical independence of each CHANNEL from the others.
| |
| This allows operation in two-out-of-three logic with one removed from service until entering MODE 2 following the next MODE 5 entry. Since no single failure will either ;
| |
| cause or prevent a protective system actuation, this (continued)
| |
| SYSTEM 80+ B 3.3-4 Rev. 00 16A Tech Spec Bases
| |
| | |
| i RPS Instrumentation - Operating B 3.3.1
| |
| )
| |
| BASES BACKGROUND arrangement meets the requirements of IEEE Standard 279-1971 (continued) (Ref. 4).
| |
| The CPCs perform the calculations required to derive the DNBR and LPD parameters and their associated RPS trips.
| |
| Four independent Trip Logic Calculators (TLCs) are provided, one in each Core Protection Calculator (CPC) CHANNEL. ,
| |
| Calculation of DNBR and local power density is performed in -
| |
| each TLC, utilizing the input signals described below. The DNBR and local power density so calculated are compared with trip setpoints for initiation of a low DNBR trip and the high local power density trip. A trip signal from a TLC in each CHANNEL is sent to the local coincidence processors in i all four protective CHANNELS. The TLC also provides pre- I trip output signals. !
| |
| Two independent CEA Calculators are provided as part of the i CPC to calculate individual CEA deviations from the position 1 of the other CEAs in their subgroup.
| |
| Each TLC receives the following inputs:
| |
| A. Hot leg temperature and cold leg temperature.
| |
| B. Pressurizer pressure.
| |
| C. Reactor coolant pump speed.
| |
| D. Ex-core nuclear instrumentation flux power (each subchannel from the safety CHANNEL).
| |
| E. Selected CEA posit..,n.
| |
| F. Penalty factors for CEA deviations within a subgroup from the CEA Calculators.
| |
| The input signals are processed in the TLC or the CEA Calculators. A description of the calculations performed and outputs of each TLC are described in CESSAR-DC, Section i I
| |
| 7.2 (Ref. 8).
| |
| Each calculator is mounted in cabinets located in separate channelized equipment rooms with an operator's display and control module located in the main control room. From the i four modules an operator can monitor all calculators, I Q
| |
| V (continued)
| |
| I SYSTEM 80+ B 3.3-5 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Operating l B 3.3.)
| |
| O BASES including specific inputs or calculated functions. Changes BACKGROUND (continued) to CPC constants by the operator are controlled by j administrative procedures.
| |
| CEACs are addressed in LCO 3.3.3.
| |
| Bistable Processors The trip signal is generated by the Bistable Logic processors or CPC Trip Logic Calculators which compare the input signals to either fixed or variable setpoints. These Bistable outputs for each parameter (e.g. Pressurizer Pressure, Steam Generator Level etc.) are sent to Local Coincidence Logic where the two-out-of-four logics are performed. Bistable trip generation is described in CESSAR-DC, Section 7.2 (Ref. 8).
| |
| The trip setpoints used in the bistables are based on the analytical limits derived from the accident analysis (Ref. 5). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS CHANNELS that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6), Allowable Values specified in Table 3.3.1-1, in the accompanying LCO, are conservatively adjusted with respect to the analytical limits. A detailed example of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in the [Setpoint Report]
| |
| (Ref. 7). The nominal trip setpoint entered into the bistable is normally still more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. One example of such a change in measurement error is drift during the interval between surveillances. A CHANNEL is inoperable if its actual setpoint is not within its Allowable Value.
| |
| Setpoints in accordance with the Allowable Value will ensure that SLs of Chapter 2.0, " Safety Limits (SLs)," are not violated during A00s, and the consequences of DBAs will be acceptable, providing the plant is operated from within the (continued)
| |
| SYSTEM 80+ B 3.3-6 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 ;
| |
| V .
| |
| BASES i
| |
| BACKGROUND LCOs at the onset of the A00 or DBA, and the equipment t (continued) functions as designed.
| |
| Note that in LCO 3.3.1, the Allowable Values of Table 3.3.1-1 are the LSSS. 3 The status of any bypass is indicated at the PPS CHANNEL j cabinet and the PPS Operator's Module in the control room.
| |
| In addition, all operating bypasses and a summary of the bistable trip channel bypasses in each CHANNEL are made available for control room indication via PPS Operator's Module, DIAS and DPS. CESSAR-DC Section 7.2 (Ref. 8) provides a detailed description of these bypasses. ;
| |
| Functional testing of the entire RPS, from bistable input l through the opening of individual sets of RTCBs, can be ;
| |
| performed either at power or shutdown and is normally !
| |
| performed on a quarterly basis. Nuclear instrumentation, :
| |
| the CPCs, and the CEACs can be similarly tested. CESSAR-DC Section 7.2 (Ref. 8) provides more detail on RPS testing.
| |
| Processing transmitter calibration is normally performed on O, a refueling basis.
| |
| Bypasses :
| |
| The trip channel bypasses and operating bypasses are manipulated by separate Interface and Test processors.
| |
| The trip channel bypass prevents a bistable trip from !
| |
| contributing to the initiation of protective action. The trip channel bypass information is provided to four CHANNELS of Local Coincidence Logics by Interface and Test processors to change their logic into 2/3 . The LCLs only allow one CllANNEL bypass at a time.
| |
| In addition to the trip channel bypasses, there are also operating bypasses on selected RPS trips. These bypasses are enabled manually, in all four RPS CHANNELS, when plant conditions do not warrant the specific trip protection. All operating bypasses are automatically removed when enabling bypass conditions are no longer satisfied.
| |
| V (continued)
| |
| SYSTEM 80+ B 3.3-7 Rev. 00 16A Tech Spec Bases-
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES BACKGROUND RPS Loaic (continued)
| |
| The RPS Logic, addressed in LC0 3.3.4, consists of both Local Coincidence and Initiation Logic and employs a scheme that provides a reactor trip when bistables in any two of the four CHANNELS sense the same input parameter trip. This is called a two-out-of-four trip logic.
| |
| Local Coincidence Loaic There is one Local Coincidence Logic (LCL) associated with each trip bistable logic of each CHANNEL. Each local coincidence logic receives four trip signals, one from its associated bistable logic in the CHANNEL and one from each of the equivalent bistable logic located in the other three CHANNELS. The local coincidence logic (LCL) also receives the trip channel bypass status associated with each of the above mentioned bistables. The function of the local coincidence logic is to generate a coincidence signal whenever two or more like bistables are in a tripped condition. The LCL takes into consideration the trip bypass input state when determining the coincidence logics state.
| |
| Designating the protective CHANNELS as A, B, C, D, with no trip bypass present, the local coincidence logic will produce a coincidence signal for any of the following trip inputs: AB, AC, AD, BC, BD, CD, ABC, ABD, ACD, BCD, ABCD.
| |
| These represent all possible two- or more out-of-four trip combinations of the four protective CHANNELS. Should a trip bypass be present, the logic will provide a coincidence signal when two or more of the three unbypassed bistables are in a tripped condition. On a system basis, a coincidence signal is generated in all four protective CHANNELS whenever a coincidence of two or more like bistables of the four CHANNELS are in a tripped state.
| |
| In addition to a coincidence signal, each LCL also provides bypass status outputs. The bypass status is provided to verify that a bypass has actually been entered into the logic either locally or remotely via the operator's module.
| |
| The bypass status is available for display at the local and remote operator's modules and DPS.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-8 Rev. 00 16A Toch Spec Bases
| |
| | |
| RPS Instrumentation - Operating B 3.3.1
| |
| -BASES e BACKGROUND Initiation loaic ;
| |
| (continued)
| |
| The Reactor Protective System initiation logic consists of ,
| |
| an "0R" eircuit for each undervoltage and shunt trip relay.
| |
| The inputs to the initiation logic are the LCL outputs from the appropriate local coincidence logics. The initiation circuits also contain a time delay (TD). The TD functions as a noise and/or transient filter. It accomplishes this filter action by monitoring the continuous presence of an input for a minimum period of time. If the signal is '
| |
| present for the required time, the signal is transmitted to the initiation relay. Test capability is also provided.
| |
| The initiation circuit is designed to fail-safe (e.g., in a trip condition). This will result in a partial trip (1 of
| |
| : 4) in the selective 2-out-of-4 reactor trip breaker arrangement. The partial trip will be alarmed the same as a '
| |
| full trip and actuation and indicated by the DIAS and DPS; the partial trip cannot be bypassed. If the initiation circuit fails in an undesired condition the failure will be Oi promptly detected and alarmed via the automatic test function. Since the actuation function in the RTSG work in i a selective coincidence logic, this is considered a degraded condition.
| |
| Reactor Trio Circuit Breakers (RTCBs)
| |
| The reactor trip switchgear, addressed in LC0 3.3.4, consists of four RTCBs, which are operated in two sets of two breakers (four CHANNELS). Power input to the reactor trip switchgear comes from two fuli capacity MG sets operated in paralici, such that the loss of either MG set does not de-energize the CEDMs. Initiation relays interface with the shunt trip and undervoltage devices to trip the circuit breakers. To completely remove power from the output circuits requires a minimum of two initiation relays (in opposite legs of the circuit) opening their associated circuit breakers.
| |
| Each line passes through two trip circuit breakers (each actuated by a separate initiation circuit) in series so that, although both sides of the branch lines must be .
| |
| deenergized to release the CEAs, there are two separate !
| |
| means of interrupting each side of.the line. Upon removal
| |
| ( (continued) )
| |
| SYSTEM 80+ B 3.3-9 Rev. 00 16A Tech. Spec Bases
| |
| | |
| RPS Instrumentation - Operating 8 3.3.1 O
| |
| BASES BACKGROUND of power to the CEDM power supplies, the CEAs fall into the (continued) reactor core by gravity.
| |
| Two pairs of manual trip switches are provided in the MCR and an additional pair is provided in the RSR. Actuation of any pair will open the RTCBs. Both manual trip switches in a pair must be actuated to initiate a reactor trip. Each RTCB is actuated by a separate initiation circuit.
| |
| The trip switchgear is housed in separate cabinets from the RPS. In addition to the trip circuit breakers, the cabinet also contains current monitoring devices for testing purposes and pushbuttons on each trip switchgear which allow for manual opening of the circuit breaker.
| |
| Testina Functional testing of the entire RPS, from bistable input through the opening of individual sets of RTCBs, can be performed either at power or shutdown, and is normally performed on a quarterly basis. CESSAR-DC, Section 7.2 (Ref. 8) explains RPS testing in more detail.
| |
| Provisions are made to permit periodic testing of the complete RPS with the reactor operating at power or when shutdown. These tests cover the trip actions from sensor input through the protective system and the trip circuit breakers. The system test does not interfere with the protective function of the system.
| |
| Periodic testing consists of automatic testing and manual testing. The two methods complement each other and provide for complete testing of the protection system. There are areas of overlap between the two methods so that the entire RPS can be tested. The overlap test methods also permit each system to, in part, verify proper functioning of the other.
| |
| Major portions of the Reactor Protective System are monitored and/or tested by the test network in the automatic mode. Those portions of the system which are not amenable to automatic testing because they involve actuation of electromechanical devices, involve rate / time or involve devices which are not within the PPS cabinets, can be tested manually. The automatic mode is capable of performing tests (continued)
| |
| SYSTEM 80+ B 3.3-10 Rev. 00 16A Tech Spec Bases
| |
| | |
| I i
| |
| RPS Instrumentation - Operating B 3.3.1 1
| |
| BASES l 1
| |
| BACKGROUND- during reactor operation. The automatic testing does not (continued) degrade the ability of tie RPS to perform its intended function. The test network consists of channelized ;
| |
| Interface and Test Procre; sors (ITPs), their associated.
| |
| protection system interface circuits, and test prohibit circuits (the latter prevents malfunctions of the. test system from interferirs with the normal operation of.the safety system). OGelap exists between the individual . tests performed by the automatic test. The automatic test can i test the protection system continuously. Operation of the 1 automatic test may be verified locally at the FPS cabinet by requesting test results data. Alarms for fault conditions are alarmed via DIAS and DPS. The status and a summary of the automatic testing results are available to the operator ,
| |
| via DPS. CESSAR-DC, Section 7.2 (Ref. 8) describes the l automatic testing performed by the RPS.
| |
| APPLICABLE The RPS is designed to ensure that the following operational SAFETY ANALYSIS criteria are met:
| |
| * The associated actuation will occur when the monitored parameter reaches its setpoint and specific coincidence logic is satisfied; l e Separation and redundancy are maintained to permit a CHANNEL to be out of service for testing or maintenance while still maintaining redundancy within the RPS instrumentation network.
| |
| Each RPS setpoint is chosen to be consistent with the function of the respective trip. The basis for each trip setpoint falls into one of two general categories:
| |
| Category 1: To ensure that the SLs are not exceeded during A00s; l Category 2: To assist the ESFAS during accidents.
| |
| The RPS maintains the SLs during A00s and mitigates the j consequences of DBAs in all MODES in which the RTCBs are i closed.
| |
| (continued) i SYSTEM 80+ B 3.3-11 Rev. 00 16A Tech Spec Bases l'
| |
| | |
| i RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES APPLICABLE The specific safety analysis applicable to eacJ. protective SAFETY ANALYSIS function are identifie! aelow:
| |
| (continued)
| |
| : 1. Variable Overoower-Hiah The Variable Overpower Level-High trip provides protection against core damage during the following events:
| |
| e Steam Line Break e Uncontrolled CEA Withdrawal From Low Power (A00);
| |
| e Uncontrolled CEA Withdrawal At Power (A00);
| |
| and e CEA Ejection (Accident). ,
| |
| : 2. Loaarithmic Power level - Hiah The Logarithmic Power Level-High trip protects the integrity of the fuel cladding and helps protect the RCPB in the event of an unplanned criticality from a shutdown condition.
| |
| In MODES 2, 3, 4, and 5, with the RTCBs closed and the CEA Drive System capable of CEA withdrawal, protection is required for CEA withdrawal events originating when THERMAL POWER is < [1E-4%] RTP.
| |
| For events originating above this power level, other trips provide adequate protection.
| |
| MODES 3, 4, and 5, with the RTCBs closed, are addressed in LC0 3.3.2, " Reactor Protective System (RPS) Instrumentation - Shutdown."
| |
| In MODES 3, 4, or 5, with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level - High trip does not have to be OPERABLE.
| |
| However, the indication and alarm portion of two logarithmic CHANNELS must be OPERABLE to ensure proper indication of neutron population and to indicate a boron dilution event. The indication and alarm functions are addressed in LC0 3.3.13,
| |
| " Logarithmic Power Monitoring CHANNELS."
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-12 Rev. 00 16A Tech Spec Bases
| |
| | |
| I RPS Instrumentation - Operating B 3.3.1 ;
| |
| y BASES APPLICABLE- 3. Pressurizer Pressure - Hiah l SAFETY ANALYSIS (continued) The Pressurizer Pressure - High trip provides protection for the high RCS pressure SL. In 1 conjunction with the main steam safety valves (MSSVs), it provides protection against l overpressurization of the RCPB during the following events:
| |
| e Loss of Electrical Load (A00);
| |
| e Loss of Condenser Vacuum (A00);
| |
| e CEA Withdrawal From Low Power Conditions (A00);
| |
| e Chemical and Volume Control System Malfunction (A00); and e Main Feedwater System Pipe Break (Accident). {
| |
| Q, 4. Pressurizer Pressure - Low The Pressurizer Pressure - Low trip is provided to trip the reactor to assist the ESF System in the event of loss of coolant accidents (LOCAs). During a LOCA, the SLs may be exceeded; however, the !
| |
| consequences of the accident will be acceptable.
| |
| I
| |
| : 5. Containment Pressure - Hiah The Containment Pressure - High trip prevents l exceeding the containment design pressure psig during a design basis LOCA or main steam line break (MSLB) accident. During a LOCA or MSLB the SLs may be exceeded; however, the consequences of the accident will be acceptable.-
| |
| 6, 7. Steam Generator Pressure - Low The Steam Generator #1 Pressure - Low and Steam Generator #2 Pressure - Low trips provide protection against an excessive rate of heat extraction from the steam generators and resulting rapid, uncontrolled cooldown of the RCS. This trip is 9 :
| |
| - (V (continued) l SYSTEM 80+ B 3.3-13 Rev. 00 16A Tech Spec Bases
| |
| | |
| l l
| |
| RPS Instrumentation - Operating )
| |
| B 3.3.1 i O
| |
| ^SES APPLICABLE 6, 7. Steam Generator Pressure - Low (continued)
| |
| SAFETY ANALYSES needed to shut down the reactor and assist the ESF System in the event of an MSLB or main feedwater line break accident.
| |
| 8, 9. Steam Generator Level - Low The Steam Generator #1 Level - Low and Steam Generator #2 Level - Low trips ensure that a reactor trip signal is generated for the following events to help prevent exceeding the design pressure of the RCS due to the loss of the heat sink:
| |
| * Loss of Normal Feedwater Event (A00); and e Feedwater System Pipe Break (Accident).
| |
| 10, 11. Steam Generator level - Hiah The Steam Generator #1 Level - High and Steam Generator #2 Level - High trips are provided to protect the turbine from excessive moisture carryover in case of a steam generator overfill event.
| |
| : 12. Reactor Coolant Flow - Low The Reactor Coolant Flow - Low trip provides protection against an RCP Sheared Shaft Event. The DNBR limit may be exceeded during this event; however, the trip ensures the consequences are acceptable.
| |
| : 13. Local Power Density - Hiah The CPCs perform the calculations required to derive the DNBR and LPD parameters, and their associated RPS trips. The DNBR - Low and LPD - High trips provide plant protection during the following A00s and assist the ESF systems in the mitigation of the following accidents.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-14 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O BASES APPLICABLE- 13. Local Power Density - Hiah (continued)
| |
| SAFETY ANALYSES i The LPD - High trip provides protection against fuel centerline melting due to the occurrence of l excessive local power density peaks during the 1 following A00s:
| |
| e Decrease in Feedwater Temperature; e Increase in Feedwater Flow; j e Increased Main Steam Flow (not due to the I steam line rupture) Without Turbine Trip; j l
| |
| e Uncontrolled CEA Withdrawal From Low Power-I o Uncontrolled CEA Withdrawal at Power; e CEA Misoperation; Single Part Strength CEA 1 Drop; f e CEA Misoperation; Full-strength and part-strength CEA subgroup drop; and e CEA Misoperation; Out-of-sequence operation.
| |
| For the events listed above (except CEA Misoperation; Single Part Strength CEA Drop)
| |
| DNBR-Low will trip the reactor first, since DNB would occur before fuel centerline melting would occur.
| |
| : 14. Departure from Nucleate Boilina Ratio (DNBR) - Low The CPCs perform the calculations required to derive 1 the DNBR and LPD parameters, and their associated i' RPS trips. The DNBR - Low and LPD - High trips provide plant protection during the following A00s and assist the ESF systems in the mitigation of the following accidents. l I
| |
| I i
| |
| i
| |
| ~~
| |
| (continued)
| |
| I SYSTEM 80+ B 3.3-15 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES APPLICABLE 14. Departure from Nucleate Boilina Ratio (DNBR) - Low SAFETY ANALYSES (continued)
| |
| The DNBR - Low trip provides protection against core damage due to the occurrence of locally saturated conditions in the limiting (hot) CHANNEL during the following events and is the primary reactor trip (trips the reactor first) for these events:
| |
| * Decrease in Feedwater Temperature; e Increase in Feedwater Flow; e Increased Main Steam Flow (not due to steam line rupture) Without Turbine Trip; e Increased Main Steam Flow (not due to steam line rupture) With a Concurrent Single Failure of an Active Component; e Steam Line Break With/Without Concurrent Loss of Offsite AC Power; e Loss of Normal AC Power; e Partial Loss of Forced Reactor Coolant Flow; e Total loss of Forced Reactor Coolant Flow; e Single Reactor Coolant Pump (RCP) Shaft Seizure; e Uncontrolled CEA Withdrawal From Low Power; e Uncontrolled CEA Withdrawal at Power; e CEA Misoperation; Full-Strength Subgroup CEA Drop; e CEA Misoperations; Full-Strength or Part-Strength CEA drop without RPCB; e Steam Generator Tube Rupture; e Inadvertent depressurization of RCS; (continued) I l
| |
| l SYSTEM 80+ B 3.3-16 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O-BASES APPLICABLE 14. Deoarture from Nucleate Boilina Ratio (DNBR) - Low SAFETY ANALYSES (continued) e Uncontrolled boron dilution; e Out-of-Sequence insertion or withdrawal of CEA group.
| |
| Interlocks /BYDasses The bypasses and their Allowable Values are addressed in footnotes to Table 3.3.1-1. They are not otherwise addressed as specific Table entries.
| |
| i The automatic operating bypass removal features must function as a backup to manual actions for all safety related trips to ensure the trip Functions are not operationally bypassed when the safety analysis assumes the ;
| |
| Functions are not bypassed. The basis for each of the !
| |
| operating bypasses is discussed under individual trips in (N the LC0 section:
| |
| >b
| |
| : a. Logarithmic Power Level - High;
| |
| : b. DNBR - Low and LPD - High; and
| |
| : c. Pressurizer Pressure - Low.
| |
| The RPS satisfies Criterion 3 of the NRC Policy Statement.
| |
| LC0 The LC0 requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any required portion of the instrument CHANNEL renders the affected CHANNEL (s) inoperable and reduces the reliability of the affected Functions.
| |
| Actions allow maintenance (TRIP CHANNEL) bypass of individual CHANNELS but the bypass activates interlocks that prevent operation with a second CHANNEL in the same Function bypassed. With one CHANNEL in each Function TRIP CHANNEL bypassed, this effectively places the plant in a two-out-of-three logic configuration in those Functions.
| |
| b d (continued)
| |
| SYSTEM 80+ B 3.3-17 Rev. 00 16A Tech Spec Bases
| |
| | |
| I l
| |
| RPS Instrumentation - Operating l B 3.3.1 '
| |
| O BASES LC0 Only the Allowable Values are specified for each RPS trip (continued) Function in the LCO. Nominal trip setpoints are specified in the plant specific setpoint calculations. The nominal setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS do not exceed the Allowable Value, if the CHANNEL is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that operation and testing are consistent with the assumptions of the plant specific setpoint calculations. A CHANNEL is inoperable if its actual trip setpoint is not within its required Allowable Value. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip Function.
| |
| These uncertainties are defined in the [Setpoint Report)
| |
| (Ref. 7).
| |
| Bases for the individual Function requirements are as follows:
| |
| : 1. Variable Overpower - Hiah This LC0 requires four CHANNELS of Variable Overpower - High to be OPERABLE in MODES 1 and 2.
| |
| The LC0 on the variable overpower trip ensures that the violation of the Safety Limits for the reactor core and RCS is prevented during normal operations and A00s and assists the engineered safety features system during the CEA ejection accident.
| |
| The allowable values setpoints for ceiling and rate are selected large enough to prevent spurious trips during performance design base transients on reactor power cutback. The setpoint is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA withdrawal event, or rod ejection accident occur.
| |
| Only the allowable values setpoints are specified for each RPS trip function in the LCO. Each allowable value is specified such that the analytical limit assumed in the safety analysis is (continued)
| |
| SYSTEM 80+ B 3.3-18 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES LC0 1. Variable Overpower - Hiah (continued) conservative including all applicable setpoint uncertainties.
| |
| The Variable Overpower trip is applicable in MODES I and 2 because the reactor can be critical in these modes. The tri) is designed to take the reactor subcritical witch assists (as described above) in mitigating the consequences of the particular accidents and A00s listed.
| |
| In MODES 3, 4, and 5 the main concern is for a return to power event. The reactor is protected during this event by the High Log Power trip, and therefore, the above trip does not need to be OPERABLE.
| |
| : 2. Loaarithmic Power Level - Hiah This LCO requires four CHANNELS of the Logarithmic
| |
| \ Power Level - High to be OPERABLE in MODE 2, and in MODE 3, 4, or 5 when the RTCBs are closed and the CEA Drive System is capable of CEA withdrawal.
| |
| The MODES 3, 4, and 5 Condition is addressed in LC0 3.3.2.
| |
| The LC0 on the Log Power Level - High trip ensures that violation of the Safety Limits for the reactor core and RCS is prevented during a continuous CEA withdrawal from low power levels event. Also, it ensures that the log power level CHANNELS are available to detect and alert the operator to a boron dilution event.
| |
| The allowable value setpoint is high enough to provide an operating envelope that prevents unnecessary Log Power Level - High reactor trips during normal plant operations. The setpoint is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA withdrawal event occur.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-19 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| l RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES LC0 2. Loaarithmic Power Level - Hiah (continued)
| |
| Only the Allowable Values are specified for each RPS trip function in the LCO. Each allowable value is specified such that the analytical limit assumed in the safety analysis is conservative including all applicable setpoint uncertainties.
| |
| The Logarithmic Power Level - High trip may be bypassed when THERMAL POWER is above [1E-4%) RTP to allow the reactor to be brought to power during a reactor startup. This bypass is automatically removed when THERMAL POWER decreases below [1E-4%)
| |
| RTP. Above [1E-4%) RTP, the Variable Overpower -
| |
| High and Pressurizer Pressure - High trips provide protection for reactivity transients.
| |
| The trip may be manually bypassed during physics testing pursuant to LCO 3.1.16, "RCS Loops - Test Exceptions." During this testing, the Variable i Overpower - High trip and administrative controls l provide the required protection.
| |
| : 3. Prc;surizer Pressure - Hiah l This LC0 requires four CHANNELS of Pressurizer Pressure - High to be OPERABLE in MODES 1 and 2.
| |
| The Allowable Value is set below the nominal lift l setting of the pressurizer code safety valves, and l its operation avoids the undesirable operation of these valves during normal plant operation. In the !
| |
| event of a complete loss of electrical load from 100% power, this setpoint ensures the reactor trip will take place, thereby limiting further heat input to the RCS and consequent pressure rise. The pressurizer safety valves may lift to prevent overpressurization of the RCS.
| |
| : 4. Pressurizer Pressure - Low This LC0 requires four CHANNELS of Pressurizer Pressure - Low to be OPERABLE in MODES 1 and 2.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-20 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| _~ . _ . _ . _ . . _ _ _ . _. . . . . _ _ . _ __ __ - . _ _ _ _ _ .. _ _ _ . . _ __
| |
| s
| |
| .t RPS Instrumentation - Operating
| |
| ~ B 3.3.1 ;
| |
| . ' O 1 BASES 1
| |
| j i i
| |
| e I
| |
| LCO 4. Pressurizer Pressure - Low -(continued) ;
| |
| c i'
| |
| The Allowable Value is set low enough to prevent a
| |
| ' reactor trip during normal plant operation and l pressurizer. pressure transients. However, the ;
| |
| setpoint?is high enough that with a LOCA, the ,
| |
| reactor trip will occur soon enough to allow the ;
| |
| ESF systems to perform as expected in.the analyses i and mitigate the consequences of the accident. i j The trip setpoint may be manually decreased to a l minimum value (floor value) of [300 psia] as pressurizer pressure is reduced during controlled ;
| |
| 2 plant shutdowns, provided the margin between the ;
| |
| pressurizer pressure and the setpoint is maintained -
| |
| ; less than [400 psia]. This allows for controlled 4- - depressurization of the RCS while still maintaining ,
| |
| t an active trip setpoint until the time is reached i when the trip is no longer needed to protect the plant. Since the same Pressurizer Pressure - Low i' i
| |
| bistable is also shared with the SIAS, an inadvertent SIAS actuation is also prevented. The -
| |
| setpoint increases automatically as pressurizer pressure increases, until the trip setpoint is reached.
| |
| i The Pressurizer Pressure - Low trip and the SIAS Function may be simultaneously bypassed when RCS pressure is below [400 psia), when neither the reactor trip nor an inadvertent SIAS actuation are desirable, and these Functions are no longer needed i to protect the plant. The bypass is automatically removed as RCS pressure ir.r.reases above [500 psia].
| |
| The difference between the operating bypass enable
| |
| ; and removal features allows for bypass permissive
| |
| . bistable hysteresis, nd allows setting the operating bypass setpoint close enough to the limit so as to avoid inadvertent actuation at the
| |
| [300 psia] trip setpoint minimum value-(floor value).
| |
| : 5. Containment Pressure - Hioh The LCO requires four CHANNELS of Containment pressure-High to be OPERABLE in MODES I and 2.
| |
| (continted)
| |
| . . SYSTEM 80+ B 3.3-21 Rav. 00
| |
| ; 16A Tech Spec' Bases.
| |
| -.,a . . a. - ... - -. - - . . ~ . . . - . - . . . - - . _ _ _ - - _ _ . -
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES LCO 5. Containment Pressure - Hiah (continued)
| |
| The Allowable Value is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup), and is not indicative of an abnormal condition. It is set low enough to initiate a reactor trip when an abnormal condition is indicated.
| |
| 6, 7. Steam Generator Pressure - Low This LC0 requires four CHANNELS for the Steam Generator #1 Pressure - Low and Steam Generator #2 Pressure - Low to be OPERABLE in MODES I and 2.
| |
| The MODE 3 Condition is addressed in LC0 3.3.2.
| |
| This Allowable Value is sufficiently below the full load operating value for steam pressure so as not to interfere with normal plant operation, but still high enough to provide the required protection in the event of excessive steam demand. Since excessive steam demand causes the RCS to cool down, resulting in positive reactivity addition to the core, a reactor trip is required to offset that effect.
| |
| The trip setpoint may be manually decreased as steam generator pressure is reduced during controlled plant cooldown, provided the margin between steam generator pressure and the setpoint is maintained less than [200 psi.] This allows for controlled depressurization of the secondary system while still maintaining an active reactor trip setpoint and MSIS setpoint, until the time is reached when the setpoints are no longer needed to protect the plant. The setpoint increases automatically as steam generator pressure increases until the specified trip setpoint is reached.
| |
| 8, 9. Steam Generator Level - Low This LC0 requires four CHANNELS of Steam Generator #1 Level - Low and Steam Generator #2 Level - Low for each steam generator to be OPERABLE in MODES I and 2.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-22 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 V
| |
| _ BASES LCO 8, 9. Steam Generator level - Low (continued)
| |
| The Allowable Value is sufficiently below the normal operating level for the steam generators so as not to cause a reactor trip during normal plant operations. The minimum setpoint is governed by ,
| |
| EFAS requirements. The reactor trip will remove the heat source (except decay heat), thereby ;
| |
| conserving the. reactor heat sink.
| |
| The Steam Generator Level - Low trip setpoint varies with power level and is rate limited with a preset low value. As reactor power is decreased this setpoint is decreased. This automatic rate limiting variable setpoint permits automatic incrementing and decrementing of the setpoint based upon the value of the bistable input variable. The design attempts to maintain a fixed differential !
| |
| between the bistable input and the setpoint. The i design includes the ability to adjust the rate at A which the setpoint is allowed to change. If the V input signal is changing at a rate greater than the rate at which the setpoint can change, the differential between the two values eventually becomes zero, creating a bistable trip condition.
| |
| When the bistable trip occurs, it prevents the setpoint from changing until the bistable trip l clears. !
| |
| The Steam Generator Level - Low setpoint is lower l than the input signal, as such it limits the rate i at which the signals can decrease.
| |
| 10, 11. Steam Generator level - Hiah This LC0 requires four CHANNELS of Steam Generator
| |
| #1 Level - High and Steam Generator #2 Level-High to be OPERABLE in MODES 1 and 2. ,
| |
| The Allowable Value is high enough to allow for normal plant operation and transients without causing a reactor trip. It is set low enough to ensure a reactor trip occurs before the level .
| |
| reaches the steam dryers. In addition to the Steam i O (continued)
| |
| SYSTEM 80+ B 3.3-23 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES LCO 10, 11. Steam Generator Level - Hiah (continued)
| |
| Generator Level - High trip, the safety grade narrow range steam generator level sensors provide a MSIS on steam generator level - high.
| |
| : 12. Reactor Coolant Flow - La This LC0 requires four CHANNELS of Reactor Coolant Flow - Low to be OPERABLE in MODES 1 and 2.
| |
| The MODES 3, 4, 5 condition is addressed in LC0 3.3.2.
| |
| The Allowable Value is set low enough to allow for the slight variations in reactor coolant flow during normal plant operations, while providing the required protection. Tripping the reactor ensures that the resultant power to flow ratio provides adequate core cooling to maintain DNBR under the expected pressure conditions for this event.
| |
| The Reactor Coolant Flow - Low trip setpoint may be adjusted when reactor power reaches the specified val ue. This allows for the de-energization of up tc one Reactor Coolant Pump (RCP) per SG loop (e.g.
| |
| lar plant cooldown), while maintaining the ability to keep the shutdown CEA banks withdrawn from the core if desired. The analyses of increased heat removal and CEA withdrawal events would show unacceptably low values of DNBR if they were to be initiated with less than one RCP operating in each steam generator loop.
| |
| The Reactor Coolant Flow - Low trip setpoint is rate limited with a preset low value. This automatic rate limiting of variable setpoint permits automatic incrementing and decrementing of the setpoint based upon the value of the bistable input variable. The design attempts to maintain a fixed differential between the bistable input and the setpoint. The design includes the ability to adjust the rate at which the setpoint is allowed to change. If the input signal is changing at a rate (continued)
| |
| SYSTEM 80+ B 3.3-24 Rev. 00 16A Tech Spec Bases
| |
| | |
| 1 l RPS Instrumentation - Operating .i B 3.3.1 l g-
| |
| ,O l BASES J
| |
| LCO 12. Reactor Coolant Flow - Low (continued) greater than the rate at which the setpoint can change, the differential between the two values eventually becomes zero, creating a bistable trip :
| |
| condition. When the bistable trip occurs, it prevents the setpoint from changing until the bistable trip clears. l The Reactor Coolant Flow - Low setpoint is lower than the input signal, as such it limits the rate at which the signals can decrease.
| |
| LCOs 3.4.5, "RCS Loops - MODE 3," LCO 3.4.6, "RCS Loops - MODE 4," and LCO 3.4.7, "RCS Loops - '
| |
| MODE 5, Loops Filled," ensure adequate RCS flow rate is maintained. l
| |
| : 13. Local Power Density - Hiah 1 This LC0 requires four CHANNELS of LPD-High to be l O. OPERABLE in MODES 1 and 2. i l
| |
| The MODES 3, 4, 5 condition is addressed in LC0 !
| |
| 3.3.2. l The LC0 on the CPCs ensures that the SLs are maintained during all A00s, and the consequences of '
| |
| accidents are acceptable.
| |
| A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC CHANNEL failures l ensure the CPCs are capable of performing their safety Function.
| |
| The CPC CHANNELS may be manually bypassed below l
| |
| [lE-4%) RTP, as sensed by the logarithmic nuclear i instrumentation. This bypass is enabled manually :
| |
| in all four CPC CHANNELS when plant conditions do !
| |
| not warrant the trip protection. The bypass !
| |
| effectively removes the DNBR-Low and LPD-High trips from the RPS logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-25 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES LCO 13. Local Power Density - High (continued)
| |
| This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted.
| |
| It also allows system tests at low power with Pressurizer Pressure - Low or RCPs off.
| |
| During special testing pursuant to LCO 3.4.17, the CPC CHANNELS may be manually bypassed when THERMAL POWER is below [5%) RTP to allow special testing without generating a reactor trip. The Variable Overpower - High trip setpoint is reduced, so as to provide protection during testing.
| |
| : 14. Departure from Nucleate Boilina Ratio (DNBR)-Low This LC0 requires four CHANNELS of DNBR-Low to be OPERABLE in MODES 1 and 2.
| |
| The MODES 3, 4, 5 condition is addressed in LCO ,
| |
| 3.3.2.
| |
| The LC0 on the CPCs ensures that the SLs ars maintained during all A00s, and the consequences of accidents are acceptable.
| |
| A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC CHANNEL failures ,
| |
| ensure the CPCs are capable of performing their '
| |
| safety Function.
| |
| The CPC CHANNELS may be manually bypassed below
| |
| [lE-4%) RTP, as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC CHANNELS when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR - Low and LPD - High trips from the RPS logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-26 Rev. 00 16A Tech Spec Bases
| |
| | |
| l RPS Instrumentation - Operating l B 3.3.1 )
| |
| v I BASES LC0 14. Departure from Nucleate Boilina Ratio (DNBR)-Low ;
| |
| (continued)
| |
| This operating bypass is required to perform a l plant startup, since both CPC generated trips will l be in effect whenever shutdown CEAs are inserted.
| |
| It also allows system tests at low power with j Pressurizer Pressure - Low or RCPs off.
| |
| During special testing pursuant to LC0 3.4.17, the CPC CHANNELS may be manually bypassed when THERHAL ,
| |
| POWER is below [5%) RTP to allow special testing !
| |
| without generating a reactor trip. The Variable l Overpower - High trip setpoint is reduced, so as to I provide protection during testing.
| |
| Interlocks / Bypasses The LC0 on operating bypass permissive removal CHANNELS requires that the automatic operating bypass removal feature l of all four operating bypass CHANNELS be OPERABLE for each l RPS Function with an operating bypass in the MODES addressed in the specific LCO for each Function. All four operatirig bypass removal CHANNELS must be OPERABLE to ensure that none of the four RPS CHANNELS are inadvertently bypassed.
| |
| This LCO applies to the operating bypass removal feature only. If the bypass enable Function is failed so as to prevent entering a bypass condition, operation may continue. '
| |
| In the case of the Logarithmic Power Level - High trip (Function 2), the absence of a bypass will limit maximum power to below the trip setpoint.
| |
| The interlock function Allowable Values are based upon analysis of functional requirements for the bypassed ,
| |
| Functions. These are discussed above as part of the LC0 discussion for the affected Functions.
| |
| APPLICABILITY The Variable Overpower - High, Pressurizer Pressure - High, Pressurizer Pressure - Low, Containment Pressure - High, Steam Generator Level - Low, and Steam Generator Level -
| |
| High trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The reactor i
| |
| G b (continued) ,
| |
| SYSTEM 80+ B 3.3-27 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES APPLICABILITY trips are designed to take the reactor subcritical, which (continued) maintains the SLs during A00s and assists the ESFAS in providing acceptable consequences during accidents.
| |
| The Logarithmic Power Level - High trip is applicable in MODES 2, 3, 4, and 5 with the Reactor Trip Circuit Breakers (RTCBs) closed and power available to the CEA drive system.
| |
| It is required for protection against CEA withdrawal events originating below [10'3 %] RTP. The Logarithmic Power Level
| |
| - High trip is bypassed prior to MODE 1 entry, and is not required in MODE 1. For events originating above this power level, other RPS trips provide adequate protection. In MODES 3, 4, and 5 with the RTCBs open, the CEAs are not capable of withdrawal and the Logarithmic Power Level - High trip does not have to be OPERABLE. However, two Logarithmic Power Level CHANNELS must be OPERABLE to ensure proper indication of neutron population, and to indicate a boron dilution event.
| |
| The Logarithmic Power Level - High trip in MODES 3, 4, and 5 is addressed in LC0 3.3.2. The Logarithmic Power Level Instrumentation - Shutdown with RTCBs open is addressed in LC0 3.3.13.
| |
| h The Steam Generator Pressure - Low trip is applicable in MODES 1, 2, and 3 with the RTCBs closed and power available to the CEA drive system. The steam Generator Pressure - Low trip is required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The reactor trips are designed to take the reactor subcritical, which maintains the SLs during A00s and assists the ESFAS in providing acceptable consequences during accidents. The Steam Generator Pressure - Low trip is required to be OPERABLE in MODE 3 to protect against a Steam Line Break.
| |
| The Reactor Coolant Flow - Low trip is applicable in MODES 1, 2, 3, 4, and 5 with the RTCBs closed and power available to the CEA drive system. The Reactor Coolant Flow - Low trip is required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The reactor trips are designed to take the reactor subcritical, which maintains i the SLs during A00s and assists the ESFAS in providing acceptable consequences during accidents. The Reactor Coolant Flow - Low trip is required to be OPERABLE in MODES (continued)
| |
| I SYSTEM 80+ B 3.3-28 Rev. 00 16A Tech Spec Bases
| |
| | |
| _ _ _ _ . . -_ _ _ ___ _ .3
| |
| + ,
| |
| k- ,
| |
| RPS Instrumentation - Operating I B 3.3.1 .
| |
| a !
| |
| BASES APPLICABILITY 3, 4, and 5 to protect against increased heat removal _
| |
| (continued) events. The LPD.-High trip and DNBR - Low trip are required to be.0PERABLE in MODES 1, 2, 3, 4, and 5 with the RTCBs closed and power available to the CEA drive system. - The 1.PD
| |
| - High and the DNBR - Low trips are required to be OPERABLE in MODES I and 2 to ensure that an RPS trip will occur when F
| |
| required, to prevent exceeding the SAFDLs during the A00s listed, and help mitigate the consequences of the accidents
| |
| . listed. The LPD - Low trip and the DNBR - High trip are required to be OPERABLE in MODES 3, 4,-and 5 to protect against excess heat removal events and an unplanned CEA Group Withdrawal accident. )
| |
| i j
| |
| ACTIONS If the trip setpoint is less conservative than the Allowable i Value in Table 3.3.1-1, the CHANNEL is declared inoperable '
| |
| l immediately, and the appropriate Condition (s) must be entered immediately.
| |
| ,o In the event a RPS Component is found inoperable then all affected functions must be declared inoperable and the unit U must enter the Condition for the particular protection Function affected.
| |
| When the number of inoperable CHANNELS in a trip Function exceeds that specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LC0 3.0.3 is immediately entered, if applicable in the current MODE of operation.
| |
| Two Notes have been added to the Actions. A Note has been added to the ACTIONS to clarify the application of the Completion Time rules. The Conditions of this Specification ,
| |
| may be entered independently for each Function. The '
| |
| Completion Times of each inoperable Function will be tracked separately for each Function, starting from the time the -
| |
| Condition was entered, for that Function. Note 2 was added to ensure review by the onsite review committee (per Specification (5.5.1.2.e]) is performed to discuss the desirability of maintaining the CHANNEL in the bypassed condition.
| |
| 4 (continued)
| |
| SYSTEM'80+ . B 3.3-29 Rev. 00
| |
| , -16A Tech Spec Bases-
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES ACTIONS A.1 and A.2 (continued)
| |
| Condition A applies to the failure of a single TRIP CHANNEL or associated instrument CHANNEL inoperable in any RPS automatic trip Function. RPS coincidence logic is two out of four.
| |
| If one TRIP CHANNEL is inoperable, startup or power operation is allowed to continue, providing the inoperable CHANNEL is placed in bypass or trip in I hour (Required Action A.1). The 1 hour allotted to bypass or trip the TRIP CHANNEL is sufficient to allow the operator to take all appropriate actions for the failed TRIP CHANNEL and still ensure that the risk involved in operating with the failed TRIP CHANNEL is acceptable. The Failed TRIP CHANNEL must be restored to OPERABLE status prior to entering MODE 2 following the next MODE 5 entry. With a TRIP CHANNEL in bypass, the coincidence logic is now in a two-out-of-three configuration.
| |
| The Completion Time prior to entering MODE 2 following next MODE 5 entry is based on adequate CHANNEL to CHANNEL independence, which allows operation with two or more channels since no single Failure will prevent a reactor trip.
| |
| Ll Condition B applies to the failure of two TRIP CHANNELS in any RPS automatic trip Function.
| |
| The Required Action was modified by a Note stating that LC0 3.0.4 is not applicable. The Note was added to allow the changing of MODES, even though two TRIP CHANNELS are inoperable, with one TRIP CHANNEL bypassed and one tripped.
| |
| In this configuration, the protection system is in a one-out-of-two logic, which is adequate to ensure that no random failure will prevent protection system operation.
| |
| Required Action B.1 provides for placing one inoperable TRIP CHANNEL in bypass and the other TRIP CHANNEL in trip within the Completion Time of 1 hour. This Completion Time is sufficient to allow an operator to take all appropriate actions for the failed TRIP CHANNELS while ensuring the risk (continued)
| |
| SYSTEM 80+ B 3.3-30 Rev. 00 16A Tech Spec Bases l
| |
| | |
| i RPS Instrumentation - Operating i B 3.3.1 BASES ACTIONS L1 (contirc;ed) involved in operating with the failed TRIP CHANNELS is acceptable. With one TRIP CHANNEL of protective ;
| |
| instrumentation bypassed, the RPS is in a two-out-of-three logic; but with another TRIP CHANNEL failed, the RPS may be operating in a two-out- of-two logic. This is outside the assumptions made in the analyses and should be corrected.
| |
| To correct the problem, the second TRIP CHANNEL is placed in trip. This places the RPS in a one-out-of-two log?c. !f any of the other OPERABLE TRIP CHANNELS receives a trip signal, the reactor will trip.
| |
| One of the two inoperable channels will need to be restored to operable status prior to the next required CHANNEL FUNCTIONAL TEST, because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not possible to bypass 1 more than one RPS channel, and placing a second channel in )
| |
| trip will result in a reactor trip. Therefore, if one RPS q channel is in trip and a second channel is in bypass, a Q third inoperable channel would place the unit in LC0 3.0.3.
| |
| C.I. C.2.1. and C.2.2 Condition C applies to one automatic operating bypass removal function inoperable. If the inoperable bypass removal function for any bypass cannot be restored to OPERABLE status within 1 hour, the associated TRIP CHANNEL ;
| |
| may be considered OPERABLE only if the bypass is not in !
| |
| effect. The operator must verify that the operating bypass l 1s not in effect within 1 hour and once per 12 hours 1 thereafter; otherwise the affected TRIP CHANNEL must be ;
| |
| declared inoperable, as in Condition A, and the affected automatic TRIP CHANNEL placed in bypass or trip. The operating bypass removal function and the automatic TRIP CHANNEL must be repaired prior to entering MODE 2 following the next MODE 5 entry. The Bases for the Required Actions and required Completion Times are consistent with Condition A.
| |
| /
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-31 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES ACTIONS C.l. C.2.1. and C.2.2 (continued)
| |
| The Required Action is modified by a Note stating that this LCO applies only to Functions 2, 4, 13, and 14. This note aids in identifying the applicable functions; Logarithmic Power Level - High, Pressurizer Pressure - Low, Reactor Coolant Flow - Low, LPD - High, and DNBR - Low.
| |
| D.1 and 0.2 Condition D applies to two inoperable automatic operating bypass removal function. If the operating bypass removal functions for two operating bypasses cannot be restored to OPERABLE status within I hour, the associated TRIP CHANNEL may be considered OPERABLE only if the operating bypass is not in effect. The operator must verify that the operating bypasses are in effect within 1 hour and once per 12 hours thereafter; otherwise the affected TRIP CHANNELS must be declared inoperable, as in Condition B, and the operating bypasses either removed or one automatic TRIP CHANNEL placed in bypass and the other in trip within I hour. The restoration of one affected bypassed automatic TRIP CHANNEL must be completed prior to the next CHANNEL FUNCTIONAL TEST, or the plant nust shut down per LC0 3.0.3 as explained in Condition B.
| |
| The Required Action is modified by two Notes stating that LCO 3.0.4 is not applicable and that this LC0 applies only to Functions 2, 4, 13, and 14. The first Note was added to allow the changing of MODES even though two CHANNELS are inoperable, with one CHANNEL bypassed and one tripped. In this configuration, the protection system is in a one-out-of-two logic, which is adequate to ensure that no random failure will prevent protection system operation. The second note was added to identify the applicable functions; logarithmic Power Level - High, Pressurizer Pressure - Low, Reactor Coolant Flow - Low, LPD - High, and DNBR - Low.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-32 Rev. 00 16A Tech Spec Bases
| |
| | |
| l I
| |
| l RPS Instrumentation - Operating B 3.3.1 l (,_
| |
| o BASES 1 ,
| |
| ACTIONS L1 (continued)
| |
| Condition E is entered when the Required Action and :
| |
| associated Completion Time of Condition A, B, C,-or D are not met.
| |
| If the Required Actions associated with these Conditions -
| |
| cannot be completed within the required Completion Times, the reactor must be brought to a MODE where the Required Actions do not apply. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner without challenging plant systems.
| |
| SURVEILLANCE The SRs for any particular RPS Function are found in the SR REQUIREMENTS column of Table 3.3.1-1, for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, CHANNEL. CALIBRATION, and response time testing.
| |
| O SR 3.3.1.1 i
| |
| Performance of the CHANNEL CHECK once every 12 hours ensures i that gross failure of instrumentation has not occurred. A l CHANNEL CHECK is a comparison of the parameter indicated on l one CHANNEL to a similar parameter on other CHANNELS. It is !
| |
| based on the assumption that instrument CHANNELS monitoring ,
| |
| the same parameter should read approximately the same value. l Significant deviations between the two instrument CHANNELS could be an indication of excessive instrument drift in one of the CHANNELS. CHANNEL CHECK will detect gross CHANNEL failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Agreement criteria are determined by the plant staff based on a combination of the CHANNEL instrument uncertainties, including indication and readability. If a CHANNEL is outside the match criteria, it may be an indication that the ;
| |
| transmitter or the si p al processing equipment has drifted ;
| |
| outside its limits.
| |
| -k (continued)
| |
| SYSTEM 80+ B 3.3-33 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES SURVEILLANCE SR 3.3.1.1 (continued)
| |
| REQUIREMENTS The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of CHANNEL failure.
| |
| Thus, performance of the CHANNEL CHECK guarantees that undetected overt CHANNEL failure is limited to 12 hours.
| |
| Since the probability of two random failures in redundant CHANNELS in any 12 hour period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective Function due to failure of redundant CHANNELS. The CHANNEL CHECK supplements less formal, but more frequent, checks of CHANNEL OPERABILITY during normal operational use of the displays associated with the LC0 required CHANNELS.
| |
| In the case of RPS trips with multiple inputs, such as the DNBR and LPD inputs to the CPCs, a CHANNEL CHECK must be performed on all inputs.
| |
| The Data Processing System (DPS) and Discrete Indication and Alarm System (DIAS) continuously performs a cross CHANNEL comparison and will institute an alarm to warn operators that a CHANNEL has drifted out-of-tolerance or is not working properly. The operators would ensure that DPS or DIAS is OPERABLE and that there are no alarms associated with the RPS Instrumentation. In the event that both DPS and DIAS are INOPERABLE or do not perform a cross CHANNEL comparison on a particular parameter, the operator would be required to perform the CHANNEL CHECK manually.
| |
| SR 3.3.1.2 The RCS flow rate indicated by each CPC is verified, as required by a Note, to be less than or equal to the actual RCS total flow rate every 12 hours when THERMAL POWER is a 70% RTP. The 12 hours after reaching 70% RTP is for plant stabilization, data taking, and flow verification. If necessary, adjust the CPC addressable constant flow coefficients such that each CPC indicated flow is less than or equal to the RCS flow rate. This check (and if necessary, the adjustment of the CPC addressable constant flow coefficients) ensures that the DNBR setpoint is conservatively adjusted with respect to actual flow indications, as determined by the Core Operating Limits Supervisory System (COLSS).
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-34 Rev. 00 16A Tech Spec Bases
| |
| | |
| Y t
| |
| ; i RPS Instrumentation - Operating i B 3.3.1 !
| |
| BASES-SURVEILLANCE SR 3.3.1.3 i REQUIREMENTS- ..
| |
| (continued) The CPC auto restart count is' checked to be less than three :
| |
| 4- every 12 hours to monitor the CPC for normal operation. If ;
| |
| three or more autorestarts of a nonbypassed CPC occur within ,
| |
| a 12 hour period, the CPC may not be completely reliable. :
| |
| Therefore, a CHANNEL FUNCTIONAL TEST on the affected CPC i must be. performed'(SR 3.3.1.8). The Frequency is based on
| |
| -I operating experience that demonstrates the rarity of more ;
| |
| ; than one CHANNEL failing within the same 12 hour interval. i SR 3.3.1.4 )
| |
| The PPS cabinet temperatures must be verified to be below j the high limit once per 12 hours. If a PPS cabinet has a - i high temperature it is possible for the PPS to be affected 4
| |
| and not be com>1etely reliable. The operator may be
| |
| ; informed of a ligh PPS cabinet temperature via routine surveillance or high PPS cabinet temperature alarm. If a c'
| |
| PPS cabinet has a high temperature a CHANNEL FUNCTIONAL TEST j
| |
| on the affected RPS must be performed (SR 3.3.1.8).
| |
| SR 3.3.1.5 1
| |
| ; A daily heat balance calibration is performed when THERMAL POWER is a 20%. The Linear Power Level signal and the CPC addressable constant multipliers are adjusted to make the o CPC AT power and nuclear power calculations agree with the l calorimetric calculation if the absolute difference is a [2%). Then the excore nuclear power is adjusted to agree c with CPC nuclear power if the absolute difference is = [2%]. !
| |
| : l. The value of [2%) is adequate because this value is assumed I in the safety analysis. These checks (and if necessary, the adjustment of the Linear Power Level signal, CPC addressable constant coefficients) are adequate to ensure that the 1 accuracy of these CPC calculations is maintained within the analyzed error margins. The checks (and, if necessary, the
| |
| , adjustment of excore nuclear power to agree with the CPC l nuclear power) are necessary to ensure that Variable Overpower trip margins are within the analyzed error margins. - The power . level must be > 20% RTP to obtain accurate data. At lower power levels, the accuracy of calorimetric data is questionable.
| |
| (continued)
| |
| SYSTSM 80+ B 3.3-35 Rev. 00
| |
| '16A Tech Spec Bases
| |
| .. . -,.- a. -.
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O;
| |
| BASES l SURVEILLANCE SR 3.3.1.5 (continued) l l
| |
| REQUIREMENTS The Frequency of 24 hours is based on plant operating experience and takes into account indications and alarms located in the control room to detect deviations in CHANNEL outputs. The Frequency is modified by two Notes, Note 1 indicating this Surveillance need only be performed within 12 hours after reaching 20% RTP. The 12 hours after reaching 20% RTP is required for plant stabilization, data taking, and flow verification. The secondary calorimetric is inaccurate at lower power levels. A second Note in the SR indicates the SR may be suspended during PliYSICS TESTS provided the calibration is performed upon reaching each major test power plateau and prior to proceeding to the next test power plateau. These test power plateaus are the power level at which testing is done. These plateau values are established in the restart test programs for each fuel cycle. The conditional suspension of the daily calibrations under strict administrative control is necessary to allow special testing to occur.
| |
| SR 3.3.1.6 The RCS flow rate indicated by each CPC is verified to be less than or equal to the RCS total flow rate every 31 days.
| |
| The Note indicates the Surveillance is performed within 12 hours after THERMAL POWER is a 70% RTP. This check (and if necessary, the adjustment of the CPC addressable flow constant coefficients) ensures that the DNBR setpoint is conservatively adjusted with respect to actual flow indications as determined by a calorimetric calculation.
| |
| Operating experience has shown the specified Frequency is adequate, as instrument drift is minimal, and changes in actual flow rate are minimal over core life.
| |
| SR 3.3.1.7 The three vertically mounted excore nuclear instrumentation detectors in each CHANNEL are used to determine LPD for use in the DNBR and LPD calculations. Because the detectors are mounted outside the reactor vessel, a portion of the signal from each detector is from core sections not adjacent to the detector. This is termed shape annealing, and is (continued)
| |
| SYSTEM 80+ B 3.3-36 Rev. 00 16A Tech Spec Bases
| |
| | |
| i RPS Instrumentation - Operating l B 3.3.1 ;
| |
| O BASES l
| |
| SURVEILLANCE SR 3.3.1.7 (continued) !
| |
| REQUIREMENTS compensated for after every refueling by performing +
| |
| SR 3.3.1.12, which adjusts the' gains of the three detector amplifiers for shape annealing. SR 3.3.1.7 ensures that the i preassigned gains are stil1~ proper. Power must be 2 15% RTP l 5 because the CPCs do not use the excore generated signals for
| |
| - axial flux shape information at low. power levels. The Note allowing 12 hours after reaching 15% RTP is required for plant stabilization and testing. *
| |
| ; The 31 day Frequency is adequate'because the demonstrated o i long term drift of the instrument CHANNELS is minimal.
| |
| SR 3.3.1.8 .
| |
| 4 A CHANNEL FUNCTIONAL TEST on each channel is performed every i 92 days to ensure the entire CHANNEL will perform its
| |
| , intended function when needed. Major portions of the RPS i
| |
| , are monitored and tested by the automatic test network. The ;
| |
| operability of the automatic CHANNEL FUNCTIONAL TEST is !
| |
| verified by the operator every 92 days to meet the surveillance requirement. Capability is also provided to '
| |
| F allow manual performance of the CHANNEL FUNCTIONAL TEST if the automatic CHANNEL test is inoperable. Those portions of i the system which_are not amenable to automatic testing because they involve actuation of electromechanical devices, .
| |
| or involve devices which are not within the PPS cabinets, !
| |
| can be tested manually. The automatic test network is !
| |
| capable of performing tests during reactor operation. The !
| |
| automatic testing does not degrade the ability of the RPS to perform its intended function.
| |
| The RPS CHANNEL FUNCTIOFAL TEST consists of overlapping tests as described in CISSAR-DC, Section 7.2 (Reference 8).
| |
| These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs.
| |
| They include:
| |
| 4 I
| |
| T (continued) l 6
| |
| SYSTEM 80+ 'B 3.3 Rev. 00 16A' Tech Spec Bases
| |
| .._u... _ ., . _ .
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES SURVEILLANCE Trio Bistable Tests REQUIREMENTS (continued) Automatic Bistable Testing - The automatic test feature checks trip status and forces a trip condition to verify operability of the trip bistable function. Interlocks assure testing is performed in only one CHANNEL at a time and the trip condition is removed before the initiation circuit can respond.
| |
| Manual Bistable Testing - The manual test feature facilitates variation of the input parameter to cause a bistable trip condition. Interlocks assure testing can be performed in only one CHANNEL at a time. Manual test capability is provided for both fixed bistable and variable setpoint bistable functions.
| |
| Local Coincidence Loaic Testina Automatic Local Coincidence Logic Testing - The automatic test feature checks output status, generates trip conditions for each function, and munitors output status for correctness. The Reactor Trip Circuit Breakers (R1CB) are not opened as part of the Automatic Local Coincidence Logic Testing. The RTCB test is a manually initiated test. This test is described in LCO B 3.3.4.
| |
| RPS Initiation Loaic Testina The "0R" logic which comprises the RPS Initiation Logic is tested at the same time the Local Coincidence Logic is tested. Propagation of the coincidence signal through the "0R" logic is verified.
| |
| The CPC and CEAC CHANNELS and excore nuclear instrumentation CHANNELS are tested separately.
| |
| The excore CHANNELS use preassigned test signals to verify proper CHANNEL alignment. The excore logarithmic CHANNEL test signal is inserted into the preamplifier input, so as to test the first active element downstream of the detector.
| |
| The linear range excore test signal is inserted at the drawer input, since there is no preamplifier.
| |
| (continued) 1 SYSTEM 80+ B 3.3-38 Rev. 00 16A_ Tech Spec Bases i l
| |
| | |
| t h
| |
| RPS Instrumentation - Operating B 3.3.1 O BASES ,
| |
| SURVEILLANCE RPS Initiation Loaic Testina (continued)
| |
| DEQUIREMENTS The quarterly CPC CHANNEL FUNCTIONAL TEST is performed using ,
| |
| software. This software includes preassigned addressable '
| |
| constant values that may differ from the current values. l Provisions are made to store the addressable constant values on a computer disk prior to testing and to reload them after testing. A Note is added to the Surveillance Requirements '
| |
| to verify that the CPC CHANNEL FUNCTIONAL TEST includes the correct values of addressable constants.
| |
| The 92 day surveillance interval is based upon the experience with safety related computer systems for .
| |
| operating plants.
| |
| I SR 3.3.1.9 l A Note indicates that neutron detectors are excluded from CHANNEL CALIBRATION. A CHANNEL CALIBRATION of the power range neutron flux channel every 92 days ensures that the p.)
| |
| y channels are reading accurately and within tolerance. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. ,
| |
| CHANNEL CALIBRATION leaves the channel adjusted to account I for instrument drifts between successive calibrations to ensure that the channel remains operational between successive tests. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consi eent with the plant specific setpoint analysis. The c.hannel shall be left calibrated consistent ,
| |
| with the assumptions of the current plant specific setpoint I analysis.
| |
| The as found and as left values must be recorded and '
| |
| l reviewed for consistency with the assumptions of the interval between surveillance interval analysis. The requirements for this review are outlined in Reference [9].
| |
| The Frequency is based upon the assumption of an [18] month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis as well as operating experience and consistency with the typical
| |
| [18] month fuel cycle. The detectors are excluded from
| |
| . CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a 0
| |
| V (continued) l l
| |
| l SYSTEM 80+ B 3.3-39 Rev. 00 16A Tech Spec Bases' l l
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES SURVEILLANCE SR 3.3.1.9 (continued)
| |
| REQUIREMENTS meaningful signal. Slow changes in detector sensitivity are compensated by performing the daily calorimetric calibration (SR 3.3.1.4) and the monthly linear subchannel gain check (SR 3.3.1.7). In addition, the associated control room indications are monitored by the operators.
| |
| SR _3 3,1.10 SR 3.3.1.10 is the performance of a CHANNEL CALIBRATION on the Analog to Digital (A/D) Reference Sources. A CHANNEL CALIBRATION on the A/D Reference Sources ensures that voltage reference sources are within the manufacturers specification. The [18] month interval is based on manufacturers recommended calibration interval. NOTE: If the manufacturers required A/D calibration interval exceeds i the CHANNEL CALIBRATION frequency then SR 3.3.1.11 " CHANNEL
| |
| _ CALIBRATION" includes this surveillance. _
| |
| SR 3.3.1.11 SR 3.3.1.11 is the performance of a CHANNEL CALIBRATION every (18] months. ]
| |
| i CHANNEL CALIBRATION is a complete check of the instrument I CHANNEL including the sensor. The Surveillance verifies that the CHANNEL responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the CHANNEL adjusted to account for instrument drifts between successive calibrations to ensure that the CHANNEL remains operational between successive tests. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The CHANNEL shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis.
| |
| The as found and as left values must be recorded and reviewed for consistency with the assumptions of the
| |
| [ surveillance interval analysis]. The requirements for this review are outlined in Reference [10].
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-40 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Operating ,
| |
| 8 3.3.1 G
| |
| r BASES i
| |
| SURVEILLANCE SR 3.3.1.11 (;ontinued)
| |
| REQUIREMENTS The Frequency is based upon the assumption of an [18] month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysk as well as operating experience and consistency with the ;
| |
| typical {18] month fuel cycle.
| |
| The Surveillance is modified by a Note to indicate that the f neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal.
| |
| Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.5) and the monthly linear subchannel gain check (SR 3.3.1.7).
| |
| l SR 3.3.1.12 i Every [lP) months, a CHANNEL FUNCTIONAL TEST is performed on p the CPC'. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable V to verify OPERABILITY including alarm and trip Functions.
| |
| The basis for the [18] month Frequency is that the CPCs perform a continuous scif monitoring function that eliminates the need for frequent CHANNEL FUNCTIONAL TESTS.
| |
| This CHANNEL FUNCTIONAL TEST essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.
| |
| Operating experience has shown that these undetected CPC or ,
| |
| CEAC failures have not occurred. Therefore, the [18] month interval is acceptable.
| |
| SR 3.3.1.13 The three excore detectors used by each CPC CHANNEL for axial flux distribution information are far enough from the core to be exposed to flux from all heights in the core, although it is desired that they only read their particular level. The CPCs adjust for this flux overlap by using the predetermined shape annealing matrix elements in the CPC software, (d
| |
| v
| |
| )
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-41 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Operating i B 3.3.1 BASES l
| |
| SURVEILLANCE SR 3.3.1.13 (continued)
| |
| REQUIREMENTS After refueling, it is necessary to re-establish the shape ,
| |
| annealing matrix elements for the excore detectors based on more accurate incore detector readings. This is necessary because refueling could possibly produce a significant change in the shape annealing matrix coefficients.
| |
| Incore detectors are inaccurate at low power levels.
| |
| THERMAL POWER should be significant, but < 70% to perform an accurate axial shape calculation used to derive the shape annealing matrix elements.
| |
| By restricting power to 5 70% until shape annealing matrix elements are verified, excessive local power peaks within the fuel are avoided. Operating experience has shown this Frequency to be acceptable.
| |
| SR 3.3.1.14 SR 3.3,1,14 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.1.8, except SR 3.3.1.14 is applicable only to automatic h
| |
| operating bypass functions and is performed once w' thin 92 days prior to each startup. Proper operation by operating bypass permissives is critical during plant startup because the operating bypass must be in place to allow startup operation and must be automatically removed at the appropriate points during power ascent to enable certain reactor trips. Consequently, the appropriate time to verify bypass removal function OPERABILITY is just prior to startup. The allowance to conduct this Surveillance within 92 days of startup is based on the r <iability analysis presented in (Ref.10). Once the ovating bypasses are removed, the bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed.
| |
| This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.1.8. Therefore, further testing of the bypass removal function after startup is unnecessary.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-42 Rev. 00 16A Tech Spec Bases
| |
| | |
| 1 RPS Instrumentation - Operating i B 3.3.1 O BASES- ,
| |
| t SURVEILLANCE SR 3.3.1.15 REQUIREMENTS l (continued) This SR ensures that the RPS RESPONSE TIMES are verified to i be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are ,
| |
| not modeled in the analyses. The analyses model the overall !
| |
| or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor, to the point at which the RTCBs open. Response times are conducted on an
| |
| [18] month STAGGERED TEST BASIS. This results in the interval between successive surveillances of a given CHANNEL '
| |
| of n x 18 months, where n is the number of CHANNELS in the function. The Frequency of 18 months is required because c response times cannot be determined at power, since i equipment operation is required. Testing may be performed in one measurement or in overlapping segments, with >
| |
| verification that all components are tested.
| |
| A Note is added to indicate that the neutron detectors may l be excluded from FPS. RESPONSE TIME testing because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Slow changes O. in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.5).
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 21.
| |
| : 2. 10 CFR 100.
| |
| : 3. Removed
| |
| : 4. IEEE Standard 279-1971, April 5, 1972.
| |
| : 5. Chapter 15.
| |
| : 6. 10 CFR 50.49.
| |
| : 7. [Setpoint Report].
| |
| : 8. Chapter 7.
| |
| i t'
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-43 Rev. 00 16A Tech Spec Bases 1
| |
| | |
| RPS Instrumentation - Operating B 3.3.1 O
| |
| BASES REFERENCES 9. CEN-327, June 2, 1986, including Supplement 1, March (contiuued) 3, 1989.
| |
| : 10. [ Surveillance Interval Analysis.]
| |
| O 1 I
| |
| 1 I
| |
| l i
| |
| 1 1
| |
| l 9 l SYSTEM 80+ B 3.3-44 Rev. 00 l 16A Tech Spec Bases
| |
| ~ _ _ _ _ _ - - _ _ _ - _ - - - _ - - _ _ _ _
| |
| | |
| RPS Instrumentation - Shutdown B 3.3.2
| |
| , B 3.3 INSTRUMENTATION B 3.3.2 Reactor Protective System (RPS) Instrumentation - Shutdown BASES BACKGROUND The RPS initiates a reactor trip to protect against 7 violating the core fuel design limits and reactor coolant pressure boundary (RCPB) integrity during anticipated operational occ6rrences (A00s). By tripping the reactor, the RPS also assists the engineered safety features systems in mitigating accidents.
| |
| The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs.
| |
| on other reactor system parameters and equipment performance.
| |
| The LSSS defined in this Specification as the Allowable t Values, in conjunction with the LCOs, establishes the n thresholds for protective system action to prevent exceeding acceptable limits during Design Basis Accidents (DBAs).
| |
| ()
| |
| During A00s, which are those events expected to occur one or more times during the plant life, the acceptable limit is:
| |
| e The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling; e Fuel centerline melting shall not occur; and e The Reactor Coolant System pressure SL of 2750 psia shall not be exceeded.
| |
| Maintaining the parameters within the above values ensures that offsite dose will be within the 10 CFR 50 (Ref. 1) and 10 CFR 100 (Ref. 2) criteria during A00s.
| |
| Accidents are events that are analyzed even though they are ,
| |
| not expected to occur during the plant life. The acceptable :
| |
| limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 100
| |
| -(Ref. 2) limits. Different accident categories allow a
| |
| .,G V (continued) !
| |
| SYSTEM 80+ B 3.3-45 Rev. 00 16A Tech Spec Bases ,
| |
| | |
| RPS Instrumentation - Shutdown B 3.3.2 O
| |
| BASES BACKGROUND different fraction of these limits based on probability of (continued) occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.
| |
| The RPS portion of the Plant Protection System (PPS) is a vital system which consists of sensors, calculators, logic, and other equipment necessary to monitor selected plant conditions and to effect reliable and rapid reactor shutdown (reactor trip) if monitored conditions approach specified limiting safety system settings. The system's functions are to protect the core fuel design limits and Reactor Coolant System (RCS) pressure boundary for Anticipated Operational Occurrences, and also to provide assistance in mitigating the consequences of accidents.
| |
| Four measurement channels with electrical and physical separation are provided for each parameter used in the direct generation of trip signals, with the exception of Control Element Assembly (CEA) position which is a two channel measurement.
| |
| The RPS portion of the PPS includes the following functions:
| |
| bistable trip, local coincidence logic, reactor trip h
| |
| initiation logic and automatic testing of PPS logic. The bistable trip processors generate trips based on the measurement channel digitired value exceeding a digital setpoint. The bistable trip processors provide their trip signals to the coincidence processors located in the four redundant PPS channels. The coincidence processors evaluate the local coincidence logic based on the state of the four like trip signals and their respective bypasses. The coincidence signals are used in the generation of the Reactor Trip Switchgear System (RTSS) or Engineered Safety Features-Component Control System (ESF-CCS) initiation. A coincidence of two-out-of-four like trip signals is required to generate a reactor trip signal. The fourth channel allows bypassing of one channel while maintaining a two-out-of-three system.
| |
| The PPS has four pairs of cabinets housing the Plant Protection Calculator (PPC) and Core Protection Calculator (CPC). Each pair of cabinets is located in a separate equipment room and contains the bistable processors, coincidence processors and interface hardware of one of the four PPS safety channels designated A, B, C and D.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-46 Rev. 00 16A Tech Spec Bases
| |
| | |
| '~
| |
| RPS Instrumenta' tion - Shutdown l B 3.3.2 !
| |
| O 1 l
| |
| BASES-
| |
| - l BACKGROUND The reactor trip signal deenergizes the Control Element (continued) Drive Mechanism (CEDM) coils, allowing all CEAs to drop into the core. j
| |
| ~
| |
| The local and main control room PPS operator's module (one per channel) provides for entering trip channel bypasses, operating bypasses, and variable setpoint rasets. These-modules also provide indication of status of bypasses, operating bypasses, bistable trip and pre-trip. The local operator module provides the man-machine interface during manual testing of bistable trip functions not tested ;
| |
| automatically. >
| |
| i This LCO only applies to Logarithmic Power Level - High, ~ !
| |
| Reactor Coolant Flow - Low, Local Power Density (LPD) - -
| |
| High, and Departure from Nucleate Boiling Ratio (DNBR) - Low in MODES 3, 4, 5 and Steam Generator Pressure #1 - Low and ,
| |
| i Steam Generator Pressure #2 - Low in MODE 3. In MODES I and l 2 these trip functions are addressed in LC0 3.3.1, " Reactor Protective Steam (RPS) Instrumentation - Operating.: LCO ;
| |
| 3.3.13, " Logarithmic Power Monitoring Channels," applies to O
| |
| the Logarithmic. Power Monitoring Channels when the RTCBs !
| |
| are open. In the case of LC0 3.3.13, the logarithmic I channels are required for monitoring neutron flux, although the trip function is not required.
| |
| Each of the above RPS instrumentation is segmented into three functions. These functions are as follows:
| |
| e MEASUREMENT CHANNELS; Bistable Processor; and e
| |
| i e RPS Logic MEASUREMENT CHANNELS MEASUREMENT CHANNELS consisting of the sensor, transmitter, and signal conditioning devices, provide a measurable signal based upon the physical characterir, tics of the parameter being measured.
| |
| (continued) i SYSTEM 80+E B 3.3-47 Rev. 00 16A Tech Spec Bases-
| |
| | |
| RPS Instrumentation - Shutdown B 3.3.2 O
| |
| BASES BACKGROUND The excore nuclear instrumentation, the core protection (continued) calculators (CPCs), and the CEACs, though complex, are considered components in the measurement channels of the Logarithmic Power Level - High, DNBR - Low, and Local Power Density (LPD) - High trips.
| |
| Four identical MEASUREMENT CHANNELS, designated channels A through D, with electrical and physical separation, are provided for each parameter used in the generation of trip signals, with the exception of the control element assembly (CEA) position indication used in the CPCs. Each measurement channel provides input to one or more RPS bistables within the same RPS channel. The bistable function is an integral part of the Trip Logic Calculators (TLCs) in the CPCs. In addition, some measurement channels may also be used as inputs to Engineered Safety Features Actuation System (ESFAS) bistables, and most provide indication in the control room.
| |
| When a channel monitoring a parameter exceeds a predetermined setpoint, indicating an unsafe condition, the bistable monitoring the parameter in that channel will trip.
| |
| Tripping bistables monitoring the san orameter in two or more channels will de-energize Local : incidence Logic, which in turn de-energizes the Initiation Logic. This causes all four RTCBs to open, interrupting power to the CEAs, allowing them to fall into the core.
| |
| Three of the four measurement and bistable channels are necessary to meet the redundancy and testability of 10 CFR 50, Appendix A, GDC 21 (Ref. 1). The fourth channel provides additional flexibility by allowing one channel to be removed from service (trip channel bypass) for maintenance or testing while still maintaining a minimum j two-out-of-three logic. Thus, even with a channel !
| |
| inoperable, no single additional failure in the RPS can l either cause an inadvertent trip or prevent a required trip i from occurring. Adequate channel to channel independence l includes physical and electrical independence of each channel from the others. This allows operation in two-out-of-three logic with one channel removed from service until entering MODE 2 following the next MODE 5 entry. Since no l single failure will either cause or prevent a ;
| |
| protective system actuation, this arrangement meets the !
| |
| requirements of IEEE Standard 279-1971 (Ref. 3). l i
| |
| (continued) 4 SYSTEM 80+ B 3.3-48 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Shutdown B 3.3.2 BASES BACKGROUND The CPCs perform the calculations required to derive the (continued) DNBR and LPD parameters and their associated RPS trips.
| |
| Four independent Trip Logic Calculators (TLCs) are provided, one in each Core Protection Calculator (CPC) channel.
| |
| Calculation of DNBR and local power density is performed in each TLC, utilizing the input signals described below. The DNBR and local power density so calculated are compared with trip setpoints for initiation of a low DNBR trip and the high local power density trip. A trip signal from a TLC in each channel is sent to the local coincidence processors in all four protective channels. The TLC also provides pre-trip output signals.
| |
| Two independent CEA Calculators are provided as part of the CPC to calculate individual CEA deviations from the position of the other CEAs in their subgroup.
| |
| Each TLC receives the following inputs:
| |
| e Hot leg temperature and cold leg temperature; n
| |
| * Pressurizer pressure; e Reactor coolant pump speed; e Ex-core nuclear instrumentation flun power (each subchannel from the safety channel);
| |
| e Selected CEA position; and e Penalty factors for CEA deviations within a subgroup from the CEA Calculators.
| |
| The input signals are processed in the TLC or the CEA Calculators. A description of the calculations performed and outputs of each TLC are described in CESSAR-DC, Section 7.2 (Ref. 4).
| |
| Each calculator is mounted in cabinets located in separate channelized equipment rooms with an operator's display and control module located in the main control room. From the four modules an operator can monitor all calculators, including specific inputs or calculated functions. Changes to CPC constants by the operator are controlled by administrative procedures.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-49 Rev. 00 16A Tech Spec Bases
| |
| | |
| 4
| |
| )
| |
| RPS Instrumentation - Shutdown B 3.3.2 O
| |
| BASES BACKGROUND CEACs are addressed in LC0 3.3.3.
| |
| (continued)
| |
| Bistable Trio Generation The trip signal is generated by the Bistable Logic processors or CPC Trip Logic Calculators which compare the input signals to either fixed or variable setpoints. These Bistable outputs for each parameter (e.g. Pressurizer Pressure, Steam Generator Level etc.) are sent to Local Coincidence Logic where the two-out-of-four logics are performed. Bistable trip generation is described in CESSAR-DC, Section 7.2 (Ref. 4).
| |
| The trip setpoints used in the bistables are based on the analytical limits derived from the accident analysis (Ref.
| |
| 5). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref.5), Allowable Values specified in Table 3.3.1-1, in the accompanying LCO, are conservatively adjusted with respect to the analytical limits. A detailed example of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in the (Setpoint Report) (Ref.
| |
| 6). The nominal trip setpoint entered into the bistable is normally still more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectabie by a CHANNEL FUNCTIONAL TEST. One example of such a change in measurement error is drift during the interval between surveillances. A channel is inoperable if its actual setpoint is not within its Allowable Value.
| |
| Setpoints in accordance with the Allowable Value will ensure that SLs of Chapter 2.0, " SAFETY LIMITS (SLs)," are not violated during A00s, and the consequences of DBAs will be acceptable, providing the plant is operated from within the LCOs at the onset of the A00 or DBA and the equipment functions as designed.
| |
| Note that in LCO 3.3.2 the Allowable Values of Table 3.3.2-1 are the LSSS.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-50 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Shutdown B 3.3.2
| |
| ,fS U
| |
| ' BASES BACKGROUND The status of any bypass is indicated at the PPS channel <
| |
| (continued) cabinet and the PPS Remote Operator's Module in the control room. In addition, operating bypasses and a summary of the bistable trip channel bypasses in each channel are made available for control room indication via PPS Operator's Module, DIAS and DPS. CESSAR-DC, Section 7.2 (Ref. 4) provides a detailed description of these bypasses.
| |
| Functional testing of the entire RPS, from bistable input through the opening of individual sets of RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. Nuclear instrumentation, the CPCs, and the CEACs can be similarly tested. CESSAR-DC, Section 7.2 (Ref. 4), provides more detail on RPS testing.
| |
| Processing transmitter calibration is normally performed on a refueling basis.
| |
| Bypasses p The trip channel bypasses and operating bypasses are !
| |
| Q manipulated by separate Interface and Test processors. .
| |
| )
| |
| The trip channel bypass prevents a bistable trip from contributing to the initiation of protective action. The
| |
| - trip channel bypass information is provided to four channels of Local Coincidence Logics by Interface and Test processors to change their logic into 2/3. The LCLs only allow one channel bypass at a time.
| |
| In addition to the trip channel bypasses, there are also operating bypasses on selected RPS trips. These bypasses are enabled manually, in all four RPS channels, when plant conditions do not warrant the specific trip protection. All operating bypasses are automatically removed when enabling bypass conditions are no longer satisfied.
| |
| RPS Loaic The RPS Logic, addressed in LC0 3.3.4, consists of both i Local Coincidence and Initiation Logic and employs a scheme i that provides a reactor trip when bistables in any two of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-51 Rev. 00 16A Tech Spec Bases I
| |
| | |
| RPS Instrumentation - Shutdown B 3.3.2 O
| |
| BASES BACKGROUND Local Coincidence Loaic (continued)
| |
| There is one Local Coincidence Logic (LCL) associated with each trip bistable logic of each channel. Each local coincidence logic receives four trip signals, one from its associated bistable logic in the channel and one from each of the equivalent bistable logic located in the other three channels. The local coincidence logic (LCL) also receives the trip channel bypass status associated with each of the above mentioned bistables. The function of the local coincidence logic is to generate a coincidence signal whenever two or more like bistables are in a tripped condition. The LCL takes into consideration the trip bypass input state when determining the coincidence logics state.
| |
| Designating the protective channels as A, B, C, D, with no trip bypass present, the local coincidence logic will produce a coincidence signal for any of the following trip inputs: AB, AC, AD, BC, BD, CD, ABC, ACD, BCD, ABCD. These represent all possible two- or more out-of-four trip combinations of the four protective channels. Should a trip bypass be present, the logic will provide a coincidence signal when two or more of the three unbypassed bistables are in a tripped condition.
| |
| On a system basis, a coincidence signal is generated in all four protective channelswhenever a coincidence of two or more like bistables of the four channels are in a tripped state.
| |
| In addition to a coincidence signal, each LCL also provides bypass status outputs. The bypass status is provided to verify that a bypass has actually been entered into the logic either locally or remotely via the operator's module.
| |
| The bypass status is available for display at the local and remote operators modules and DPS.
| |
| Jni.tiption Loaic The R9 actor Protective System initiation logic consists of an "0:t" circuit for each undervoltage and shunt trip relay.
| |
| The inputs to the initiation logic are the LCL outputs from the appropriate local coincidence logics. The initiation circuits also contain a time delay (TD). The TD functions (continued)
| |
| SYSTEM 80+ B 3.3-52 Rev. 00 16A Tech Spec Bases
| |
| | |
| l RPS~ Instrumentation - Shutdown B 3.3.2 ,i O m
| |
| ; BASES 1
| |
| h BACKGROUND Initiation Loaic
| |
| .(continued) as a noise and/or transient filter. It accomplishes this filter action by monitoring the continuous presence of an-
| |
| +
| |
| input for a minimum period of time. . If the signal is- i present for the required time, the signai is transmitted to i
| |
| the initiation relay. Test capability is also provided. l
| |
| - .The initiation circuit is designed to fail-safe (e.g., in a :
| |
| trip condition). This will result in a partial trip (1 of 4) ;
| |
| in the selective 2-out-of-4 reactor trip circuit breaker i arrangement. The partial trip will be alarmed the same as a i
| |
| L full trip and actuation and indicated by the DIAS and DPS; >
| |
| the partial trip cannot be bypassed. If the initiation :
| |
| circuit fails in an undesired condition the-failure will be promptly detected and alarmed via the automatic test function. Since the actuation function in the RTSG work in )
| |
| i '
| |
| a selective coincidence logic, this is considerad a degraded condition.
| |
| lt Reactor Trio Circuit Breakers (RTCBs)
| |
| The reactor trip switchgear, addressed in LC0 3.3.4, consists of four RTCBs, which are operated in four sets (four channels). Power input to the reactor trip switchgear comes from two full capacity MG sets operated in parallel, such that the loss of either MG set does not de-energize the I CEDMs.
| |
| Initiation relays interface with the shunt trip and undervoltage devices to trip the circuit breakers. To completely remove power from the output circuits requires a minimum of two initiation relays (in opposite legs of the circuit) opening their associated circuit breakers.
| |
| Each line passes through two trip circuit breakers (each t actuated by a separate initiation circuit) in series so j that, although both sides of the branch lines must'be i deenergized to release the CEAs, there are two separate means of interrupting each side of the line. Upon removal of power to the CEDM power supplies, the CEAs fall into the reactor core by gravity.
| |
| l l
| |
| O (continued)
| |
| SYSTEM 80+ B 3.3-53 Rev. 00 16A Tech Spec Bases .
| |
| I i
| |
| | |
| RPS Instrumentation - Shutdown B 3.3.2 O
| |
| BASES l
| |
| BACKGROUND Reactor Trio Circuit Breakers (RTCBs) )
| |
| (continued) l Two pairs of manual trip switches are provided in the MCR I and an additional pair is provided in the RSR. Actuation of l any pair will open the RTCBs. Both manual trip switches in i a pair must be actuated to initiate a reactor trip. Each RTCB is actuated by a separate initiation circuit. The manual trip completely bypasses the trip logic. j The trip switchgear is housed in separate cabinets from the ;
| |
| RPS. In addition to the trip circuit breakers, the cabinet '
| |
| also contains current monitoring devices for testing ,
| |
| purposes and pushbuttons on each trip switchgear which allow for manual opening the circuit breaker. 1 1
| |
| Testina j Functional testing of the entire RPS, from bistable input through the opening of individual sets of RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. CESSAR-DC, Section 7.2 i (Ref. 4), explains RPS testing in more detail. i l
| |
| Provisions are made to permit periodic testing of the l complete RPS. These tests cover the trip actuations from sensor input through the protective system and trip circuit breakers. Testing is described in Bases 3.3.1.
| |
| APPLICABLE The RPS functions to maintain the SLs during A00s and I SAFETY ANALYSES mitigates the consequence of DBAs in all MODES, in which the RTCBs are closed.
| |
| Each of the analyzed transients and accidents can be detected by one or more RPS Functions. The specific safety analyses applicable to each protective function are identified below- l 1
| |
| : 1. Loaarithmic Power Level - Hiah ]
| |
| The Logarithmic Power Level - High trip protects the l integrity of the fuel cladding and helps protect the (continued)
| |
| SYSTEM 80+ B 3.3-54 Rev. 00 16A Tech Spec Bases
| |
| | |
| n ?
| |
| f RPS Instrumentation - Shutdown B 3.3.2
| |
| }
| |
| : BASES I
| |
| APPLICABLE 1. Loaarithmic Power Level - Hiah (continued)
| |
| SAFETY ANALYSES RCPB in the event of an unplanned criticality from a j shutdown condition. t in MODES 2, 3, 4, and 5, with the RTCBs closed, and "
| |
| the Control Element Assembly (CEA) Drive System capable of CEA withdrawal, protection is required for i CEA withdrawal events originating when THERMAL POWER i is < [1E-4%) RTP. For events originating above this power level, other trips provide adequate protection. ,
| |
| MODES 3, 4, and 5, with the RTCBs closed, are i addressed in this LCO. MODE 2 is addressed in LCO 3.3.1. l l
| |
| In MODES 3, 4, or 5, with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level ,
| |
| - High trip does not have to be OPERABLE. However,
| |
| " i the indication and alarm portion of two logarithmic channels must be OPERABLE to ensure proper indication 1O of neutron population and to indicate a boron dilution event. The indication and alarm functions are addressed in LCO 3.3.13. ,
| |
| 2,3. Steam Generator Pressure - Low ,
| |
| The Steam Genetator #1 Pressure - Low and Steam Generator #2 Pressure - Low trips provide protection against an excessive rate of heat extraction from the l
| |
| steam generators and resulting rapid, uncontrolled cooldown of the RCS. This trip is needed to maintain shutdown conditions and assist the ESF System in the event of an MSLB while shutdown. ,
| |
| : 4. Reactor Coolant Flow - Low The Reactor Coolant Flow-Low trip provides protection against Excess Heat Removal Events while shutdown.
| |
| This' trip will ensure'that the plant is in a configuration (i.e., at least one RCP running in each loop) which results in acceptable consequences of an Excess Heat Removal Event.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-55 Rev. 00 16A' Tech Spec Bases
| |
| | |
| l l
| |
| RPS Instrumentation - Shutdown B 3.3.2 O
| |
| BASES APPLICABLE 5. Local Power Density (LPD) - Hiah SAFETY ANALYSES (continued) The CPCs perform the calculations required to derive !
| |
| the DNBR and LPD parameters and their associated RPS !
| |
| trips. The DNBR - Low and LPD - High trips provide plant protection durina Excess Heat Removal events and l an Unplanned CEA Withdrawel while in the shutdown mode. Although the CPCs may be bypassed below I0'S RTP, they continue to perform their calculations and can thus be in a tripped condition due to, for example, less than four RCPs operating. If fission power should increase above 10'% RTP while in a shutdown condition, the operating bypass is automatically removed and a reactor trip will occur.
| |
| : 6. Departure from Nucleate Boilina Ratio (DNBR) - Low The CPCs perform the calculations required to derive the DNBR and LPD parameters and their associated RPS trips. The DNBR - Low and LPD - High trips provide plant protection during Excess Heat Removal events and an Unplanned CEA Withdrawal while in the shutdown %
| |
| mode. Although the CPCs may be bypassed below 10' RTP, they continue to perform their calculations and can thus be in a tripped condition due to, for erating. If fission example, less than four RCPs power should increase above 10' op% RTP while in a shutdown condition, the operating bypass is automatically removed and a reactor trip will occur.
| |
| Interlocks / Bypasses The bypasses and their Allowable Values are addressed in footnotes to Table 3.3.2-1. They are not otherwise addressed as specific entries.
| |
| The automatic operating bypass removal features must function as a backup to manual actions for all safety related trips to ensure the trip Functions are not operationally bypassed when the safety analysis assumes the Functions are not bypassed. The basis for each of the operating bypasses is discussed under individual trips in the LCO section:
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-56 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation - Shutdown B 3.3.2 l O
| |
| BASES APPLICABLE 6. Deoarture from Nucleate Boilina Ratio (DNBR) - Low SAFETY ANALYSES (continued)
| |
| : a. Logarithmic Power Level - High;
| |
| : b. DNBR - Low and LPD - High.
| |
| The RPS satisfies Criterion 3 of the NRC Policy Statement.
| |
| LCO The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel (s) inoperable and reduces the reliability of the affected Functions.
| |
| Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that' prevent operation with a second channel in the same Function bypassed. With one channel in each Function in O trip channel bypass, the plant is in a two-out-of-three logic configuration in those Functions.
| |
| Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the plant specific setpoint calculations. The nominal setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS do not exceed the Allowable Value if the bistable is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that operation and testing are consistent with the assumptions of the plant specific setpoint calculations. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for ;
| |
| instrument uncertainties appropriate to the trip Function. '
| |
| These uncertainties are defined in the [Setpoint Report]
| |
| (Ref. 6). ,
| |
| The Bases for the individual Function requirements are as l follows:
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-57 Rev. 00 16A Tech Spec Bases
| |
| | |
| F-t RPS Instrumentation - Shutdown B 3.3.2 O
| |
| BASES LCO 1. Locarithmic Power level - Hiah (continued)
| |
| This LC0 requires four channels of the Logarithmic Power Level - High to be OPERABLE in MODE 2, and in MODE 3, 4, or 5 when the RTCBs are closed and the CEA Drive System is capable of CEA withdrawal.
| |
| The MODES I and 2 Condition is addressed in LCO 3.3.1.
| |
| The LC0 on the Log Power Level - High trip ensures that violation of the Safety Limits for the reactor core and RCS is prevented during a continuous CEA withdrawal from low power levels event. Also, it ensures that the log power level channels are available to detect and alert the operator to a boron dilution event.
| |
| The allowable value setpoint is high enough to provide an operating envelope that prevents unnecessary Log Power Leel - High reactor trips during normal plant operatio.is. The setpoint is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA withdrawal event occur.
| |
| Only the Allowable Values are specified for each RPS trip function in the LCO. Each allowable value is specified such that the analytical limit assumed in the safety analysis is conservative including all applicable setpoint uncertainties.
| |
| The Logarithmic Power Level - High trip may be bypassed when THERMAL POWER is above [1E-4%) RTP to allow the reactor to be brought to power during a reactor startup. This bypass is automatically removed when THERMAL POWER decreases below [1E-4%) RTP. Above
| |
| [lE-4%) RTP, the Variable Overpower - High and Pressurizer Pressure - High trips provide protection for reactivity transients.
| |
| 2,3. Steam Generator Pressure - Iow This LC0 requires four channels of Steam Generator #1 Pressure - Low and Steam Generator #2 Pressere - Low to be OPERABLE in MODE 3.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-58 Rev. 00 16A Tech Spec Bases
| |
| | |
| . . - - - - - . . . . . .. - - . . . .- . _ - .. . -.. - - = - . .. .
| |
| RPS Instrumentation'- Shutdown B 3.3.2 :
| |
| O BASES 1
| |
| LCO 2,3. Steam Generator Pressure - Low (continued) l F
| |
| . The-MODES I and 2 condition is addressed in LCO 3.3.1. !
| |
| t This Allowable _Value is~ sufficiently be19w the shutdown steam pressure so as not to' interfere with !
| |
| ' plant operation, but still high enough t's provide the- !
| |
| required protection in the event.of exctssive steam demand. Since excessive steam demand ceuses the RCS i to cool- down, resulting in positive reactivity addition to the core, a reactor trip is required to I I- offset that effect.~ >
| |
| 1 The trip setpoint may be manually decreased as steam '
| |
| ! generator pressure is reduced during controlled plant '
| |
| cooldown, provided the margin between steam generator pressure and the setpoint is maintained < [200 psia). .
| |
| This allows for controlled depressurization of the secondary system while still maintaining an active reactor trip setpoint and MSIS setpoint, until.the 2 time is reached when the setpoints are no longer. ;
| |
| needed to protect the plant. The setpoint increases
| |
| : i. .
| |
| automatically as steam generator pressure increases
| |
| '- until the specified trip'setpoint is reached.
| |
| ! )'
| |
| :. 4. Reactor Coolant Flow -Low r
| |
| This LCO requires four channels of Reactor Coolant i Flow - Low to be OPERABLE in MODES 3, 4, and 5.
| |
| The MODES I and 2 condition is addressed in LC0 3.3.1.
| |
| The Allowable Value is set low enough to allow for slight variations in reactor coolant flow during normal' plant operation while providing the required
| |
| : protection. Tripping the' reactor ensures that the resultant power to flow ratio provides adequate core cooling to maintain DNBR under the expected pressure 4 conditions for this event.
| |
| The Reactor Coolant Flow - Low trip setpoint may be
| |
| - ' adjusted when reactor power reaches the specified value. This allows for the de-energization of up to one Reactor Coolant Pump-(RCP) per SG loop (e.g., for (continued) i
| |
| ' SYSTEM 80+ B 3.3-59 'Rev. 00-16A Tech Spec' Bases u 2 .' - . , . - - , . - . . , . - - . _ . . ,r - - . . . . , _ , . . . - . - .-
| |
| | |
| RPS Instrumentation - Shutdown B 3.3.2 O
| |
| BASES LC0 4. Reactor Coolant Flow -Low (continued) plant cooldown), while maintaining the ability to keep the shutdown CEA banks withdrawn from the core if desired. The analyses of increased heat removal and CEA withdrawal events would show unacceptably low values of DNBR if they were to be initiated with less than one RCP operating in each steam generator loop.
| |
| The Reactor Coolant Flow - Low trip setpoint is rate limited with a preset low value. This automatic rate limiting of variable setpoint permits automatic incrementing and decrementing of the setpoint based upon the value of the bistable input variable. The design attempts to maintain a fixed differential between the bistable input and the setpoint. The design includes the ability to adjust the rate at which the setpoint is allowed to change. If the input signal is changing at a rate greater than the rate at which the setpoint can change, the differential between the two values eventually becomes zero, creating a bistable trip condition. When the bistable trip occurs, it prevents the setpoint from changing until the bistable trip clears.
| |
| The Reactor Coolant Flow - Low setpoint is lower than the input signal, as such it limits the rate at which the signals can decrease.
| |
| LCO 3.4.5, "RCS Loops - MODE 3, "LC0 3.4.6, "RCS Loops
| |
| - MODE 4," and LC0 3.4.7, "RCS Loops - MODE 5, Loops Filled," ensure adequate RCS flow rate is maintained.
| |
| : 5. Local Power Density (LPD) - Hiah This LC0 requires four channels of LPD - High to be OPERABLE in MODES 3, 4, and 5.
| |
| The MODES 1 and 2 Condition is addressed in LCO 3.3.1.
| |
| The LC0 on the CPCs ensures that the SLs are maintained during all A00s and the consequences of accidents are acceptable.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-60 Rev. 00 16A Tech Spec Bases
| |
| | |
| W RPS Instrumentation - Shutdown I B 3.3.2 O BASES i
| |
| LCO 5. Local Power Density (LPD) - Hiah ' (continued)
| |
| ~
| |
| The DNBR - Low and LPD .High trips provide plant :
| |
| protection during excess Heat Removal events and an :
| |
| ; Unplanned CEA Withdrawal while in the shutdown mode. I Although the CPCs may be- bypassed below 10''% RTP, they continue to perform their calculations and can thus be in a tripped condition due to, for example, 3~
| |
| less than four RCPs operating. If fission power should increase above 10''% RTP while in a shutdown ;
| |
| condition, the operating bypass is automatically removed and a reactor trip will occur. ;
| |
| t A CPC .is not considered inoperable if CEAC inputs to the CPC are inoperable. Additionally, the CEACs are
| |
| ' not required to be OPERABLE in MODES 3, 4 and 5 because the penalty factors associated with CEA 'i position are not significant in these modes. i The CPC channels may be manually bypassed below [1E- l 4%) RTP, as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection.- The bypass effectively ,
| |
| removes the DNBR Low and LPD - High trips from the i RPS Logic Circuitry. The operating bypass is automatically removed when enabling bypass conditions i are no. longer satisfied. ;
| |
| This operating bypass is required to perform a plant !
| |
| - startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer ;
| |
| ,'' Pressure - Low or RCPs off. l
| |
| : 6. Departure from Nucleate Boilina Ratio (DNBR) - Low l This LCO requires four channels of DNBR-Low to be OPERABLE in MODES 3, 4, and 5.
| |
| The MODES I and 2 condition is addressed in LC0 3.3.1.
| |
| ~
| |
| I (continued) s SYSTEM 80+ B 3.3-61 Rev. 00 !
| |
| 16A. Tech.. Spec Bases-l
| |
| | |
| RPS Instrumentation - Shutdown B 3.3.2 O
| |
| BASES LCO 6. Departure from Nuc]eate Boilina Ratio (DNBR) - Low (continued)
| |
| The LCO on the CPCs ensures that the SLs are maintained during all A00s and the consequences of accidents are acceptable.
| |
| The DNBR - Low and LPD - High trips provide plant protection during excess Heat Removal events and an Unplanned CEA Withdrawal while in the shutdown mode.
| |
| Although the CPCs may be bypassed below 10''% RTP, they continue to perform their calculations and can thus be in a tripped condition due to, for example, less than four RCPs operating. If fission power should increase above 10''% RTP while in a shutdown condition, the operating bypass is automatically removed and a reactor trip will occur.
| |
| A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. Additionally, the CEACs are not required to be OPERABLE in MODES 3, 4, 5 because the penalty factors associated with CEA position are not significant in these modes.
| |
| h The CPC channels may be manually bypassed below [1E-4%) RTP, as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR - Low and LPD - High trips from the RPS logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied.
| |
| This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer 1 Pressure - Low or RCPs off.
| |
| 4 i
| |
| (continued) el SYSTEM 80+ B 3.3-62 Rev. 00 l 16A Tech Spec Bases i
| |
| | |
| RPS Instrumentation - Shutdown B 3.3.2 BASES LC0 Interlocks /Bvoasses (continued)
| |
| The LC0 on operating bypass removal channels requires that the automatic operating bypass removal feature of all four operating bypass channels be OPERABLE for each RPS Function with an operating bypass in the MODES addressed in the specific LCO for each Function. All four operating bypass removal channels must be OPERABLE to ensure that none of the RPS channels are inadvertently bypassed.
| |
| This LCO applies to the operating bypass removal feature only. If the operating bypass enable Function is failed so as to prevent entering a bypass condition, operation may continue. In the case of the Logarithmic Power Level - High trip (Function 2), the absence of a bypass will limit maximum power to below the trip setpoint.
| |
| The interlock function Allowable Values are based upon !
| |
| analysis of functional requirements for the bypassed Functions. These are discussed above as part of the LC0 p discussion for the affected Functions.
| |
| O APPLICABILITY The Logarithmic Power Level - High trip is applicable in MODES 2, 3, 4, and 5 with the Reactor Trip Circuit Breakers (RTCBs) closed and power available to the CEA drive system.
| |
| It is required for protection against CEA withdrawal events originating below [10~3 %) RTP. The Logarithmic Power Level
| |
| - High trip is bypassed prior to MODE 1 entry, and is not required in MODE 1. For events originating above this power level, other RPS trips provide adequate protection. In i MODES 3, 4, and 5 with the RTCBs open, the CEAs are not !
| |
| capable of withdrawal and the Logarithmic Power Level - High trip does not have to be OPERABLE. However, two Logarithmic Power Level channels must be OPERABLE to ensure pr'>er indication of neutron population, and to indicate boron dilution event. ,
| |
| l The Logarithmic Power Level - High trip MODES I and 2 is addressed in LCO 3.3.1. The Logarithmic Power Level Instrumentation - Shutdown with RTCBs Open is addressed in LC0 3.3.13.
| |
| 0
| |
| 'd (continued) !
| |
| i l
| |
| SYSTEM 80+ B 3.3-63 Rev. 00 l 16A Tech Spec Bases !
| |
| I
| |
| | |
| i l
| |
| l 1
| |
| RPS Instrumentation - Shutdown l B 3.3.2 !
| |
| O BASES 1
| |
| APPLICABILITY The Steam Generator Pressure - Low trip is applicable in (continued) MODES 1, 2, and 3 with the RTCBs closed and power available to the CEA drive system. The Steam Generator Pressure -Low trip is required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The reactor trips are designed to take the reactor subcritical, which maintains the SLs during A00s and arsists the ESFAS in providing acceptable consequences during accidents. The Steam Generator Pressure - Low trip is required to be OPERABLE in MODE 3 to protect against a MSLB.
| |
| The Reactor Coolant Flow - Low trip is applicable in MODES 1, 2, 3, 4, and 5 with the RTCBs closed and power available to the CEA drive system. The Reactor Coolant Flow - Low trip is required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The reactor trips are designed to take the reactor subcritical, which maintains the SLs during A00s and assists the ESFAS in providing acceptable consequences during accidents. The Reactor Coolant Flow - Low trip is required to be OPERABLE in MODES 3, 4, and 5 to protect against increased heat removal '
| |
| events.
| |
| The LPD - High trip and DNBR - Low trip are required to be OPERABLE in MODES 1, 2, 3, 4, and 5 with the RTCBs closed and power available to the CEA drive system. The LPD - High and the DNBR - Low trips are required to be OPERABLE in MODES 1 and 2 to ensure that an RPS trip will occur when required, to prevent exceeding the SAFDLs during the A00s listed, and help mitigate the consequences of the accidents listed. The LPD - Low trip and the DNBR - High trip are required to be OPERABLE in MODES 3, 4, and 5 to protect against an unplanned CEA Group Withdrawal Accident.
| |
| CESSAR-DC, Section 7.2 (Ref. 4) and CESSAR-DC, Section 19.8 (Ref. 9) provide a detailed discussion on these RPS trips.
| |
| If the trip setpoint '- 13 conservative than the Allowable Value stated in the LCO, the channel is declared inoperable immediately, and the appropriate Condition (s) must be entered immediately.
| |
| (continued)
| |
| O.
| |
| SYSTEM 80+ B 3.3-64 Rev. 00 16A Tech Spec Bases
| |
| | |
| r . _ _ _ __ _ __ _ . - _
| |
| w ;
| |
| )
| |
| RPS Instrumentation i B 3.3.2 i BASES (continued)
| |
| ACTIONS In the event a channel's trip setpoint is found ,
| |
| nonconservative with respect to the Allowable Value, or the j excore logarithmic power channel or RPS bistable trip unit ,
| |
| is found inoperable, then all affected Functions provided by )
| |
| that channel must be declared inoperable and the unit-must 1 enter the Condition for the_particular protection Function '
| |
| affected.
| |
| When the number of inoperable channels in a trip Function exceeds that specified in any related Condition associated l with the same trip Function, then the plant is outside the safety analysis. Therefore, LC0 3.0.3 is immediately entered, if applicable in the current MODE of operation.
| |
| Two Notes have been added to the ACTIONS. Note 1 has been added to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Times of each inoperable Function will be tracked separately for each l Function, starting from the time the Condition was entered for that Function. Note 2 was added to ensure review by the
| |
| ( onsite review committee [per Specification 5.5.1.2.e] is performed to discuss the desirability of maintaining the channel in the bypassed condition.
| |
| A.] and A.2 Condition A applies to the failure of a single TRIP CHANNEL or associated instrument channel inoperable in any RPS automatic trip Function. RPS coincidence logic is two-out-of-four.
| |
| If one RPS channel is inoperable, startup or power operation is allowed to continue, providing the inoperable channel is placed in bypass or trip in I hour (Required Action A.1).
| |
| The 1 hour allotted to bypass or trip the channel is sufficient to allow the operator to take all appropriate I actions for the failed channel and still ensures t%at the risk involved in operating with the failed channel is acceptable. The failed channel must be restored to OPERABLE status prior to entering MODE 2 following the next MODE 5 4 entry. With a channel in bypass, the coincidence logic is now in a two-out-of-three configuration.
| |
| l (continued)
| |
| SYSTEM 80+ B 3.3-65 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation B 3.3.2 O
| |
| BASES ACTIONS A.] and A.2 (continued)
| |
| The Completion Time of prior to entering MODE 2 following the next MODE 5 entry is based on adequate channel to channel independence, which allows operation with two or more channels since no single failure will prevent a reactor trip.
| |
| El Condition B applies to the failure of two channels in any RPS automatic trip Function.
| |
| The Required Action is modified by a Note stating that LC0 3.0.4 is not applicable. The Note was added to allow the changing of MODES, even though two channels are inoperable, with one channel bypassed and one tripped. In this configuration, the protection system is in a one-out-of-two logic, which is adequate to ensure that no random failure will prevent protection system operation.
| |
| Required Action B.1 provides for ) lacing one inoperable channel in bypass and the other clannel in trip within the Completion Time of 1 hour. This Completion Time is sufficient to allow the operator to take all appropriate actions for the failed channels while ensuring the risk involved in operating with the failed channels is acceptable. With one channel of protective instrumentation bypassed, the RPS is in a two-out-of-three logic; but with another channel failed, the RPS may be operating in a two-out-of-two logic. This is outside the assumptions made in the analyses and should be corrected. To correct the problem, the second channel is placed in trip. This places the RPS in a one-out-of-two logic. If any of the other OPERABLE channels receives a trip signal, the reactor will trip.
| |
| One of the two inoperable channels will need to be restored to operable status prior to the next required CHANNEL FUNCTIONAL TEST, because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not possible to bypass more than one RPS channel, and placing a second channel in trip will result in a reactor trip. Therefore, if one RPS channel is in trip and a second channel is in bypass, a third inoperable channel would place the unit in LC0 3.0.3.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-66 Rev. 00 16A Tech Spec Bases
| |
| | |
| -RPS Instrumentation B 3.3.2 BASES ACTIONS C.I. C.2.1. and C.2.2 (continued) l l Condition C applies to one automatic operating bypass l removal function inoperable. If. the inoperable bypass removal function for any TRIP CHANNEL cannot be restored to OPERABLE status within I hour, the associated RPS channel may be considered OPERABLE only if the bypass is not in ,
| |
| effect. The operator must verify that the operating bypass ;
| |
| is not in effect within one hour and every 12 hours' thereafter;.otherwise the affected RPS channel must.be declared inoperable, as in Condition A, and the affected automatic TRIP CHANNEL placed in bypass or trip. The operating bypass removal function and the automatic TRIP CHANNEL must be repaired prior to entering MODE 2 following the next MODE 5 entry. The Bases for the Required Actions and Required Completion Times are consistent with condition A.
| |
| The Required Action is modified by a Note stating that this LCO applies only to Functions 1, 5, and 6. This Note aids j in identifying the applicable functions; Logarithmic Power O Level - High, Reactor Coolant Flow - Low, LPD - High, and DNBR - Low.
| |
| D.1 and 0.2 Condition D applies to two inoperable automatic operating bypass removal- functions. If the operating bypass removal i functions for two operating bypasses cannot be restored to OPERABLE status within I hour, the associated TRIP CHANNEL may be considered OPERABLE only if the operating bypasses i are not in effect. The operator must verify that the i operating bypass is not in effect within one hour and every :
| |
| 12 hours thereafter; otherwise the affected RPS channels !
| |
| must be declared inoperable, as in Condition B, and the !
| |
| opsrating bypasses either removed or one automatic TRIP ;
| |
| CHANNEL placed in bypass and the ~other in trip within 1 i hour. The restoration of one affected bypassed automatic trip channel must be completed prior to the next CHANNEL FUNCTIONAL TEST, or the plant must shut down per LCO 3.0.3 as explained in Condition B.
| |
| -i (continued)
| |
| SYST9180+ B 3.3-67 Rev. 00 16A Tech Spec Bases (2/95)
| |
| --- . . . ~
| |
| | |
| l RPS Instrumentation I B 3.3.2 l BASES l
| |
| ACTIONS D.1 and 0.2 (continued)
| |
| The Required Action is modified by two Notes stating that LC0 3.0.4 is not applicable and that this LC0 applies only to Functions 1, 5, and 6. The first Note was added to allow the changing of MODES even though two channels are inoperable, with one channel bypassed and one tripped. In this configuration, the protection system is in a one-out-of-two logic, which is adequate to ensure that no random failure will prevent protection system operation.
| |
| The second note was added to ideni.ify the applicable functions; Logarithmic Power Level - High, Reactor Coolant Flow - Low, LPD - High, and DNBR - Low.
| |
| Ed Condition E is entered when the Required Actions and associated Completion Times of Conditions A, B, C or D are not met.
| |
| If Required Actions associated with these Conditions cannot be completed within the required Completion Time, all RTCBs h
| |
| must be opened, placing the plant in a condition where the Required Actions do not apply. A Completion Time of 1 hour is a reasonable time to perform the Required Action, which maintains the risk at an acceptable level while having one or two channels inoperable.
| |
| SURVEILLANCE The SRs for the RPS Instrumentation - Shutdown are an REQUIREMENTS extension of those listed in LC0 3.3.1, listed here because of their Applicability in these MODES.
| |
| The SRs for any particular RPS Function are found in the SR Column of Table 3.3.2-1 for that Function.
| |
| SR 3.3.2.1 SR 3.3.2.1 is the performance of a CHANNEL CHECK of each logarithmic power channel. This SR is identical to SR 3.3.1.1. Only the Applicability differs.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-68 Rev. 00 16A Tech Spec Bases
| |
| | |
| l l
| |
| l RPS Instrumentation B 3.3.2 n
| |
| U BASES SURVEILLANCE SR 3.3.2.1 (continued)
| |
| REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Agreement criteria are determined by the plant staff based i on a combination of the channel instrument uncertainties, i including indication, and readability. If a channel is l outside the match criteria, it may be an indication that the l
| |
| . sensor or the signal processing equipment has drifted outside its limits. l The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of channel failure.
| |
| Thus, performance of the CHANNEL CHECK guarantees that i undetected overt channel failure is limited to 12 hours.
| |
| Since the probability of two random failures in redundant channels in any 12 hour period is extremely low, the CHANNEL '
| |
| CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of !
| |
| channel OPERABILITY during normal operational use of the displays associated with the LC0 required channels.
| |
| The Data Processing System (DPS) and Discrete Indication and Alarm System (DIAS) continuously performs a cross channel ,
| |
| comparison and will institute an alarm to warn operators that a channel has drifted out-of-tolerance or is not '
| |
| working properly. The operators would ensure that DPS or DIAS is OPERABLE and that there are no alarms associated with the RPS Instrumentation. In the event that both DPS and DIAS are inoperable, or do not perform a cross CHANNEL comparison on a particular parameter, the operator would be required to perform the CHANNEL CHECK manually.
| |
| ' (continued)
| |
| SYSTEM 80+ B 3.3-69 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation B 3.3.2 O
| |
| BASES SURVEILLANCE SR 3.3.2.2 REQUIREMENTS (continued) The CPC autorestart count is checked to be less than three every 12 hours to monitor the CPC for normal operation. If three or more autorestarts of a nonbypassed CPC occur within a 12 hour period, the CPC may not be completely reliable.
| |
| Therefore, a CHANNEL FUNCTIONAL TEST on the affected CPC must be performed (SR 3.3.2.3). The Frequency is based on operating experience that demonstrates the rarity of more than one channel failing within the same 12 hour interval.
| |
| SR 3.3.2.3 A CHANNEL FUNCTIONAL TEST on each channel is performed every 92 days to ensure the entire channel will perform its intended function when needed.
| |
| Major portions of the RPS are monitored and/or tested by the automatic test network. The operability of the automatic CHANNEL FUNCTIONAL TEST is verified by the operator every 92 days to meet the surveillance requirement. Capability is also provided to allow manual performance of the CHANNEL FUNCTIONAL TEST if the automatic CHANNEL test is inoperable.
| |
| Those portions of the system which are not amenable to automatic testing because they involve actuation of electromechanical devices, or involve devices which are not within the PPS cabinets, can be testea manually. The automatic test network is capable of performing tests during reactor operation. The automatic testing does not degrade the ability of the RPS to perform its intended function. SR is modified by two Notes. Note 1 is a requirement to verify the correct CPC addressable constant values are installed in !
| |
| the CPCs when the CPC CHANNEL FUNCTIONAL TEST is performed. ,
| |
| Note 2 allows the CHANNEL FUNCTIONAL TEST for the Logarithmic Power Level-High channels to be performed 2 hours after power drops below [lE-4]% RTP and is required to be performed only if the RTCBs are closed.
| |
| The RPS CHANNEL FUNCTIONAL TEST consists of overlapping l tests as described in CESSAR-DC, Section 7.2 (Ref. 4). '
| |
| These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. ,
| |
| They include. i i
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-70 Rev. 00 16A Tech Spec Bases !
| |
| | |
| l RPS Instrumentation
| |
| -~ B 3.3.2 1
| |
| BASES i
| |
| SURVEILLANCE Trio Bistable Tests REQUIREMENTS (continued) Automatic Bistable Testing - The automatic test feature !
| |
| checks trip status and forces a trip condition to verify i operability of the trip bistable function. Interlocks assure testing is performed in only one channel at a time ,
| |
| and the trip condition is removed before the initiation l circuit can respond.
| |
| Manual Bistable Testing - The manual test feature facilitates variation of the input parameter to cause a bistable trip condition. Interlocks assure testing can be performed in only one channel at a time. Manual test i capability is provided for both fixed bistable and variable i setpoint bistable functions. .
| |
| Local Coincidence Loaic Testina Automatic Local Coincidence Logic Testing - The automatic test feature checks output status, generates trip conditions
| |
| ( for each function, and monitors output status for
| |
| ( correctness. The Reactor Trip Circuit Breakers (RTCB) are ,
| |
| l not opened as part of the Automatic Local Coincidence Logic Testing. The RTCB test is a manually initiated test. This test is described in LC0 B 3.3.4.
| |
| 1 RPS Initiation Loaic Testina i
| |
| The "0R" logic which comprises the RPS Initiation Logic is tested at the same time the Local Coincidence Logic is tested. Propagation of the coincidence signal through the "0R" logic is verified.
| |
| The CPC and CEAC channels and excore nuclear instrumentation channels are tested separately.
| |
| The excore channels use preassigned test signals to verify proper channel alignment. The excore logarithmic channel test signal is inserted into the preamplifier input, so as to test the first active element downstream of the detector.
| |
| The linear range excore test signal is inserted at the drawer input, since there is no preamplifier. i (3
| |
| Y (continued) l r
| |
| SYSTEM 80+- B 3.3-71 Rev. 00 ,
| |
| 16A Tech Spec Bases
| |
| | |
| i RPS Instrumentation l B 3.3.2 l
| |
| O BASES SURVEILLANCE RPS Initiation looic Testina (continued)
| |
| REQUIREMENTS The quarterly CPC CHANNEL FUNCTIONAL TEST is performed using software. This software includes preassigned addressable constant values that may differ from the current values.
| |
| Provisions are made to store the addressable constant values on a computer disk prior to testing and to reload them after testing. A Note is added to the Surveillance Requirements to verify that the CPC CHANNEL FUNCTIONAL TEST includes the correct values of addressable constants.
| |
| SR 3.3.2.4 The PPS cabinet temperatures must be verified to be below the high limit once per 12 hours. If a PPS has a high temperature it is possible for the PPS to be affected and not be completely reliable. The operator may be informed of a high PPS cabinet temperature via routine surveillance or high PPS cabinet temperature alarm. If a PPS cabinet has a high temperature, a CHANNEL FUNCTIONAL TEST on the affected RPS must be performed (SR 3.3.2.3).
| |
| SR 3.3.2.5 SR 3.3.2.4 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.2.3 except SR 3.3.2.5 is applicable only to automatic operating bypass functions and is performed once every 92 days during shutdown MODES 3, 4 and 5. Proper operation of bypass permissives is critical during shutdown because it ensures the LPD-High and LPD-Low trips will provide protection against excess heat removal and unplanned CEA withdrawal events. During plant startup the operating bypasses must be in place to allow startup operation and must be automatically removed at the appropriate points during power ascent to enable certain reactor trips.
| |
| Consequently, the appropriate time to verify bypass removal function OPERABILITY is every 92 days during shutdown MODES 3, 4, and 5. The allowance to conduct this Surveillance every 92 days is based on the reliability analysis presented in (Ref. 8). Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed. This feature is (continued)
| |
| SYSTEM 80+ B 3.3-72 Rev. 00 16A Tech Spec Bases
| |
| | |
| 1 RPS Instrumentation B 3.3.2 i
| |
| ),
| |
| BASES SURVEILLANCE SR 3.3.2.5 (continued)
| |
| REQUIREMENTS verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.2.4. Therefore, further testing.of the bypass removal function after startup is unnecessary.
| |
| SR 3.3.2.6 .
| |
| [SR 3.3.2.6 is the performance of a CHANNEL CALIBRATION on the Analog to Digital (A/D) Reference Sources. A CHANNEL ,
| |
| CALIBRATION on the A/D Reference Sources ensures that-voltage reference sources are within the manufacturers specification. The (18] month interval is based on manufacturers recommended calibration interval. If the manufacturers required A/D calibration interval exceeds the CHANNEL CALIBRATION frequency then SR 3.3.2.7 " CHANNEL CALIBRATION" includes this surveillance.] ,
| |
| SR 3.3.2.7 A Note indicates that neutron detectors are excluded from CHANNEL CALIBRATION. A CHANNEL CALIBRATION of the power range neutron flux channels every [18] months ensures that the channels are reading accurately and within tolerance (Ref.6). The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis.
| |
| The as found and as left values must be recorded and reviewed for consistency with the assumptions of the
| |
| [ surveillance interval analysis]. The requirements for this review are outlined in Reference 8.
| |
| t
| |
| (
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-73 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Instrumentation B 3.3.2 O
| |
| BASES SURVEILLANCE SR 3.3.2.7 (continued)
| |
| REQUIREMENTS The detectors are excluded from CHANNEL CALIBRATION because they are out of range in the shutdown MODES, they are passive devices with minimal drift, and because of the difficulty of simulating a meaningful signal.
| |
| SR 3.3.2.8 This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor, to the point at which the RTCBs open. Response times are conducted on an
| |
| [18] month STAGGERED TEST BASIS. This results in the interval between successive tests of a given channel of n x 18 months, where n is the number of channels in the Function. The [18] month Frequencies are based on engineering judgment and plant operating experience, which show that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. Response times cannot be determined at power, since equipment operation is required. The Surveillance may be performed in one measurement or in overlapping segments, with verification that all components are tested.
| |
| A Note is added to indicate that the neutron detectors are excluded from RPS RESPONSE TIME testing because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration in LC0 3.3.1 (SR 3.3.1.5).
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 21.
| |
| : 2. 10 CFR 100. f
| |
| : 3. IEEE Standard 279-1971.
| |
| 1 (continued)
| |
| SYSTEM 80+ B 3.3-74 Rev. 00 l 16A Tech Spec Bases l
| |
| | |
| I 1
| |
| RPS' Instrumentation 1 B 3.3.2 O' BASES -l l
| |
| 1 REFERENCES 4. Section 7.2. 2 I
| |
| (continued)
| |
| : 5. 10 CFR 50.49.
| |
| : 6. [Setpoint Report). -
| |
| : 7. CEN-327, June 2,1986, including Supplement 1, !
| |
| March 3, 1989. !
| |
| i
| |
| : 8. [ Surveillance Interval Analysis.) ;
| |
| : 9. Section 19.8. >
| |
| i i
| |
| l I
| |
| O i
| |
| i I
| |
| l l
| |
| 1 l
| |
| i l
| |
| i i
| |
| i I
| |
| O 1 SYSTEM 80+ . B 3.3-75 Rev. 00 16A Tech Spec Bases
| |
| | |
| CEACs B 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Control Element Assembly Calculators (CEACs)
| |
| BASES BACKGROUND The Reactor Protective System (RPS) initiates a reactor trip to protect against violating the core specified acceptable fuel design limits (SAFDLs) and breaching the reactor coolant pressure boundary (RCPB) during anticipated operational occurrences (A00s). By tripping the reactor, the RPS also assists the engineered safety features systems in mitigating accidents.
| |
| The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance.
| |
| The LSSS (defined in this Specification as the Allowable Values), in conjunction with the LCOs, establishes the thresholds fer protective system action to prevent exceeding acceptable limits during Design Basis Accidents.
| |
| During A00s, which are those events expected to occur one or more times during the plant life, the acceptable limit is:
| |
| * The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling; e Fuel centerline melting shall not occur; and e The Reactor Coolant System pressure SL of 2750 psia shall not be exceeded.
| |
| Maintaining the parameters within the above values ensures that offsite dose will be within the 10 CFR 50 (Ref.1) and 10 CFR 100 (Ref. 2) criteria during A00s.
| |
| Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 (continued)
| |
| SYSTEM 80+ B 3.3-76 Rev. 00 16A Tech Spec Bases
| |
| | |
| i CEACs ;
| |
| B 3.3.3
| |
| - BASES ~ !
| |
| t
| |
| ; BACKGROUND- (Ref. 2) limits. Different accident categories allow a i
| |
| ; (continued) different fraction of these limits' based on probability of. ,
| |
| occurrence. Meeting the acceptable dose limit fcr an- i accident category is considered having acceptable !
| |
| consequences for that event.
| |
| O The excore nuclear instrumentation, the core r otection !
| |
| calculators (CPCs), and the CEACs are consid' ed components i in the MEASUREMENT CHANNELS of the Variable Jverpower - j
| |
| ; High,- Logarithmic Power Level - High, DNBR - Low, and Local !
| |
| Power Density (LPD) - High trips. The CEACs are addressed !
| |
| by this Specification. l r
| |
| All four CPCs receive control element assembly (CEA) r deviation penalty factors from each CEAC and use the larger i of the power factors from the two CEACs in the calculation i of DNBR and LPD. CPCs are further described in the background section of LCO 3.3.1.
| |
| The CEACs perform the calculations required to determine the position of CEAs within their subgroups for the CPCs. Two independent CEACs compare the position of each CEA to its 4
| |
| subgroup position. If a deviation is detected by either
| |
| - CEAC, an annunciator sounds, and appropriate " penalty factors" are transmitted to all CPCs. These penalty factors
| |
| : conservatively adjust the effective operating margins to the DNBR - Low and LPD - High trips. Each CEAC also drives a position indication on the CEAC Operators Module. The DPS via CRTs displays individual CEA positions and current values of the penalty factors from the selected CEAC.
| |
| Each CEA has two separate reed switch asseniblies mounted outside the RCPB. Each of the two CEACs receives CEA position input from one of the two reed switch position
| |
| : transmitters on each CEA, so that the position of all CEAs is independently monitored by both CEACs. i l
| |
| Functional testing of the entire RPS, from bistable input through the opening of individual sets of RTCBs, can be -
| |
| performed ev',her at power or shutdown and is normally i ,. performed on a quarterly basis. ' Nuclear instrumentation, the CPCs, and the CEACs can be similarly tested. CESSAR-DC, Section 7.2 (Ref. 3), provides more detail on RPS testing.
| |
| Process transmitter calibration is normally performed on a
| |
| .; ; refueling basis.
| |
| .O (continued)
| |
| SYSTEM 80+ B 3.3-77 Rev. 00 16A' Tech Spec Bases t
| |
| ,,,y' .y y - , , 7 ._,_, .- , . . . . .
| |
| | |
| CEACs B 3.3.3 O
| |
| BASES (continued)
| |
| APPLICABLE Each of the analyzed transients and accidents can be SAFETY ANALYSES detected by one or more RPS Functions.
| |
| The effect of any misoperated CEA within a subgroup on the core power distribution is assessed by the CEACs, and an appropriately augmented power Hstribution penalty factor will be supplied as input to the CPCs. As the reactor core responds to the reactivity changes caused by the misoperated CEA and the ensuing reactor coolant and doppler feedback effects, the CPCs will initiate a DNBR-Low, or LPD-High trip signal, if SAFDLs are approached. Each CPC also directly monitors one " target CEA" from each subgroup, and uses this information to account for excessive radial peaking factors for events involving CEA groups out of sequence and subgroup deviations within a group, without the need for CEACs.
| |
| Therefore, although the CEACs do not provide a direct reactor trip Function, their input to the CPCs is taken credit for in the CEA misoperation analysis.
| |
| The CEACs satisfy Criterion 3 of the NRC Policy Statement.
| |
| O LC0 This LC0 on the CEACs ensures that the CPCs are either informed of individual CEA position within each subgroup, l using one or both CEACs, or that appropriate conservatism is l included in the CPC calculations to account for anticipated LC0 CEA deviations. Each CEAC provides an identical input ,
| |
| into all four CPC channels. Each CPC uses the higher of the l two CEAC transmitted CEA deviation penalty factors. Thus, only one OPERABLE CEAC is required to provide CEA deviation protection. This LCO requires both CEACs to be OPERABLE, so that no single CEAC failure can prevent a required reactor i trip from occurring. l l
| |
| APPLICABILITY Most RPS trips are required to be OPERABLE in MODES 1 and 2 i because the reactor is critical in these MODES. The trips are designed to take the reactor subcritical, which maintains the SLs during A00s, and assists the Engineered ,
| |
| Safety Features Actuation System in providing acceptable l consequences during accidents. In MODES 3, 4, and 5, the (continued)
| |
| SYSTEM 80+ B 3.3-78 Rev. 00 l 16A Tech Spec Bases l l
| |
| l l
| |
| | |
| CEACs B 3.3.3 U
| |
| BASES APPLICABILITY emphasis is placed on return to power events. The reactor (continued) is protected in these MODES by ensuring adequate SDM.
| |
| Because CEACs provide the inputs to tM DNBR - Low and LPD -
| |
| High trips, they are required to be OPERABLE in MODES 1 and 2 as those trips for the same reasons. They are not <
| |
| required to be OPERABLE in MODES 3, 4 and 5 because the penalty factors associated with CEA position are not significant in these modes.
| |
| ACTIONS A.1 and A.2 Condition A applies to the failure of a single CEAC channel.
| |
| There are only two CEACs, each providing CEA deviation input into all four CPC channels. The CEACs include complex diagnostic software, making it unlikely that a CEAC will fail without informing the CPCs of its failed status. With one failed CEAC, the CPC will receive CEA deviation penalty factors from the remaining OPERABLE CEAC. If the second Q
| |
| (j CEAC should fail (Condition B), the CPC will use large preassigned penalty factors. The specific Required Actions allowed are as follows:
| |
| With one CEAC inoperable, the second CEAC still provides a comprehensive set of comparison checks on individual CEAs within subgroups, as well as outputs to all CPCs, CEA deviation alarms, and position indication for display.
| |
| Verification that eacr. CEA is within 7 inches of the other CEAs in its group every 4 hours provides a check on the position of all CEAs, and provides verification of the proper operation of the remaining CEAC. An OPERABLE CEAC will not generate penalty factors until deviations of
| |
| > 7 inches within a subgroup are encountered.
| |
| The Completion Time of once per 4 hours is adequate based on operating experience, considering the low probability of an undetected CEA deviation coincident with an undetected failure in the remaining CEAC within this limited time frahie. As long as Required Action A.1 is accomplished as specified, the inoperable CEAC can be restored to OPERABLE status within 7 days. The Completion Time of 7 days is (continued)
| |
| SYSTEM 80+ B 3.3-79 Rev. 00 16A Tech Spec Bases
| |
| | |
| CEACs B 3.3.3 O
| |
| BASES ACTIONS' A.1 and A.2 (continued) adequate for most repairs, while minimizing risk, considering that dropped CEAs are detectable by the redundant CEAC, and other LCOs specify Required Actions necessary to maintain DNBR and LPD margin.
| |
| B.l. B.2. B.3. B.4. and B.1 Condition B applies if the Required Action and associated Completion Time of Required Action A are not met, or if both CEACs are inoperable. Actions associated with this Condition involve disabling the Control Element Drive Mechanism Control System (CEDMCS), while providing increased assurance that CEA deviations are not occurring, and informing all OPERABLE CPC channels, via a software flag, that both CEACs are failed. This will ensure that the large penalty factor associated with two CEAC failures will be applied to CPC calculations. The penalty factor for two failed CEACs is sufficiently large that power must be maintained significantly < 100% RTP if CPC generated reactor trips are to ba avoided. The Completion Time of 4 hours is adequate to accomplish these actions while minimizing risks.
| |
| The Required Actions are as follows:
| |
| M Meeting the DNBR margin requirements of LC0 3.2.4,
| |
| " Departure From Nucleate Boiling Ratio (DNBR)", ensures that power level is within a conservative region of operation based on actual core conditions. In addition to the above actions, the Reactor Power Cutback System (RPCS) must be disabled. This ensures that CEA position will not be affected by RPCS operation.
| |
| M The " full out" CEA reed switches provide acceptable indication of CEA position. Therefore, the CEAs will remain fully withdrawn, except as required for specified testing or (continued)
| |
| SYSTEM 80+ B 3.3-80 Rev. 00 16A Tech Spec Bases
| |
| | |
| l l
| |
| I CEACs B 3.3.3 g
| |
| V ~
| |
| BASES l \
| |
| ACTIONS M (continued) I flux control. This verification ensures that undesired 4 perturbations in local fuel burnup are prevented.
| |
| i M
| |
| i The "RSPT/CEAC Inoperable" addressable constant in each of the.CPCs is set to indicate that both CEACs are inoperable. '
| |
| 4 This provides a conservative penalty factor to ensure that a s conservative effective margin is maintained by the CPCs in the computation of DNBR and LPD trips.
| |
| i M
| |
| The CEDMCS is placed and maintained in " STANDBY," except during CEA motion permitted by Required Action B.2, to prevent inadvertent motion and possible misalignment of the CEAs.
| |
| u A comprehensive set of comparison checks on individual CEAs within groups must be made within 4 hours. Verification that each CEA is within 7 inches of other CEAs in its group provides a check that no CEA has deviated from its proper position within the group.
| |
| )
| |
| E.d Condition C is entered when the Required Action and associated Completion Time of Condition B is not met.
| |
| If the Required Actions associated with this Condition !
| |
| cannot be completed within the required Completion Time, the ;
| |
| reactor must be brought to a MODE where the Required Actions do not apply. The Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required
| |
| . plant conditions from. full power conditions in an. orderly 1 manner and without challenging plant systems.
| |
| O (continued) I B 3.3-81 Rev. 00 ~I
| |
| . SYSTEM 80+-
| |
| - .16A~ Tech Spec Bases-
| |
| | |
| CEACs B 3.3.3 O
| |
| BASES (continued)
| |
| SURVEILLANCE SR 3.3.3 1 REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours easures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.
| |
| Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication, and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limits.
| |
| The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of channel failure.
| |
| Tnus, performance of the CHANNEL CHECK guarantees that undetected overt channel failure is limited to 12 hours.
| |
| Since the probability of two random failures in redundant channels in any 12 hour period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel OPERABILITY during normal operational use of the displays associated with the LCO required channels.
| |
| The CHANNEL CHECK may be performed automatically by validation algorithms within the DPS and DIAS. To take credit for the automatic CHANNEL CHECK, the operator will be required to verify that DPS or DIAS is OPERABLE and that there are no alarms associated with CEAC Instrumentation.
| |
| The frequency interval (12 hours) specified in this SR will be applicable. In the event that neither the DPS nor DIAS validation checking function is OPERABLE, or do not perform (continued)
| |
| SYSTEM 80+ B 3.3-82 Rev. 00 16A Tech Spec Bases
| |
| | |
| CEACs B 3.3.3 b
| |
| BASES SURVEILLANCE SR 3.3.3.1 (continued)
| |
| REQUIREMENTS a cross CHANNEL comparison on a particular parameter, the operator will be required to perform the CHANNEL CHECK manually.
| |
| SR 3.3.3.2 The CEAC autorestart count is checked to be less than three every 12 hours to monitor the CEAC for normal operation. If three or more autorestarts of a nonbypassed CEAC occur within a 12 hour period, the CEAC may not be completely reliable. Therefore, a CHANNEL FUNCTIONAL TEST on the affected CEAC must be performed (SR 3.3.3.4). The Frequency is based on operating experience that demonstrates the rarity of more than one channel failing within the same 12 hour interval.
| |
| P SR 3.3.3.3 b The CEAC cabinet temperatures must be verified to be below the high limits once per 12 hours. If a CEAC cabinet has a high temperature, it is possible for the CEAC to be affected and not be completely reliable. This operator may be informed of a high CEAC cabinet temperature via routine surveillance or high CEAC cabinet temperature alarm. If a CEAC cabinet has a high temperature, a CHANNEL FUNCTIONAL TEST on the affected CEAC must be performed (SR 3.3.3.4).
| |
| SR 3.3.3.4 A CHANNEL FUNCTIONAL TEST on each CEAC channel is performed every 92 days to ensure the entire channel will perform its intended function when needed. The quarterly CHANNEL FUNCTIONAL TEST is performed using test software. The Frequency of 92 days is based on the reliability analysis presented in (Ref. 4).
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-83 Rev. 00
| |
| .16A Tech Spec Bases
| |
| | |
| CEACs B 3.3.3 O
| |
| BASES SURVEILLANCE SR 3.3.3.5 REQUIREMENTS (continued) SR 3.3.3.5 is the performance of a CHANNEL CALIBRATION every
| |
| [18] months.
| |
| CHANNEL CALIBRATION is a complete check of the MEASUREMENT CHANNEL including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations to ensure that the channel remains operational between successive surveillances.
| |
| Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis.
| |
| The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the
| |
| [ surveillance interval analysis). The requirements for this review are outlined in Reference 4.
| |
| The frequency is based upon the assumption of an [18] month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis and includes operating experience and consistency with the typical
| |
| [18] month fuel cycle.
| |
| SR 3.3.3.6 Every [18] months, a CHANNEL FUNCTIONAL TEST is performed on the CEACs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY including alarm and trip Functions.
| |
| The as found and as left values must be recorded and reviewed for consistency with the assumptions of the surveillance interval analysis. The basis for the
| |
| [18] month Frequency is because the CEACs perform a continuous self monitoring function that eliminates the need for frequent CHANNEL FUNCTIONAL TESTS. This CHANNEL FUNCTIONAL TEST essentially validates the self-monitoring function and checks for a small set of failure modes that (continued)
| |
| SYSTEM 80+ B 3.3-84 Rev. 00 16A Tech Spec Bases
| |
| | |
| I s
| |
| 4 CEACs ,
| |
| B 3.3.3 BASES ;
| |
| SURVEILLANCE SR 3.3.3.6 (continued)
| |
| ; REQUIREMENTS .
| |
| are undetectable by the self monitoring function. 0perating
| |
| < experience has shown that undetected CEAC failures do not occur in any given [18] month interval.
| |
| REFERENCES 1. 10 CFR 50.
| |
| : 2. 10 CFR 100.
| |
| : 3. Section 7.2. f
| |
| : 4. [ Surveillance Interval Analysis.] j O
| |
| 4
| |
| 'l l
| |
| (
| |
| l SYSTEM 80+ B 3.3-85 'Rev. 00 '
| |
| 16A Tech Spec Bases
| |
| | |
| RPS Logic and Trip Initiation B 3.3 INSTRUMENTATION B 3.3.4 Reactor Protective System (RPS) Logic and Trip Initiation BASES BACKGROUND The RPS initiates a reactor trip to protect against violating the core fuel design limits and reactor coolant pressure boundary integrity during anticipated operational occurrences (A00s). By tripping the reactor, the RPS also assists the Engineered Safety Features (ESF) System in mitigating accidents.
| |
| The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance.
| |
| The LSSS, defined in this specification as the Allowable Value, in conjunction with the LCOs, establishes the threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents.
| |
| During A00s, which are those events expected to occur one or more times during the plant life, the acceptable limits are:
| |
| e The departure from nucleate boiling ratio must be maintained above the Safety Limit (SL) value to J l
| |
| prevent departure from nucleate boiling; e Fuel centerline melting must not occur; and e The Reactor Coolant System pressure SL of 2750 psia must not be exceeded.
| |
| Maintaining the parameters within the above values ensures j that offsite dose will be within the 10 CFR 50 (Ref. 1) and 10 CFR 100 (Ref. 2) criteria during A00s.
| |
| Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable !
| |
| limit during accidents is that the offsite dose must be i maintained within an acceptable fraction of 10 CFR 100 (Ref. 2) limits. Different accident categories allow a (continued)
| |
| SYSTEM 80+ B 3.3-86 Rev. 00 i 16A Tech Spec Bases l
| |
| | |
| RPS Logic and Trip Initiation B 3.3.4 v
| |
| BASES BACKGROUND different fraction of these limits based on probability of (continued) occurrence. Meeting the acceptable dose limit for an (continued) accident category is considered having acceptable consequences for that event.
| |
| The RPS portion of the Plant Protection System (PPS) is a vital system which consists of sensors, calculators, logic, and other equipment necessary to monitor selected plant conditions and to effect reliable and rapid reactor shutdown
| |
| -(reactor trip) if monitored conditions approach specified safety system settings. The system's functions are to-protect the core fuel design limits and Reactor Coolant System (RCS) pressure boundary for Anticipated Operational )
| |
| Occurrences, and also to provide assistance in mitigating the consequences of accidents. Four measurement channels with electrical and physical separation are provided for each parameter used in the direct generation of trip signals, with the exception of Control Element Assembly (CEA) position which is a two channel measurement.
| |
| The portion of the PPS includes the following functions:
| |
| 'OV bistable trip, local coincidence logic, reactor trip initiation logic and automatic testing of PPS logic. The bistable trip processors generate trips based on the measurement channel digitized value exceeding a digital setpoint. The bistable trip processors provide their trip ,
| |
| signals to the coincidence processors located in the four '
| |
| redundant PPS channels. The coincidence processors evaluate the local coincidence logic based on the state of the four like trip signals and their respective bypasses. The coincidence signals are used in the generation of the Reactor Trip Switchgear System (RTSS) or Engineered Safety l Features-Component Control System (ESF-CCS) initiation. A coincidence of two-out-of-four like trip signals is required to generate a reactor trip signal. The fourth channel allows bypassing of one channel while maintaining a two-out-of-three system.
| |
| The PPS has four pairs of cabinets housing the Plant Protection Calculator (PPC). Each pair of cabinets is located in a separate equipment room and contains the !
| |
| bistable processors, coincidence processors and interface hardware of one of the four PPS safety channels designated A, B, C and D.
| |
| l (continued)
| |
| SYSTEM 80+ B 3.3-87 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Logic and Trip Initiation B 3.3.4 O
| |
| BASES BACKGROUND The reactor trip signal deenergizes the Control Element (continued) Drive Mechanism (CEDM) coils, allowing all CEAs to drop into the core.
| |
| The local and main control room PPS operator's module (one per channel) provides for entering trip channel bypasses, operating bypasses, and variable setpoint resets. These modules also provide indication of status of bypasses, operating bypasses, bistable trip and pre-trip. The local operator module provides the man-machine interface during manual testing of bistable trip functions not tested automatically.
| |
| This LC0 addresses the RPS Local Coincidence Logic (except for trip bypasses), Initiation Logic, Reactor Trip Circuit Breakers (RTCBs), and Manual Trip. LC0 3.3.1, " Reactor Protective System (RPS) Instrumentation-Operating,"
| |
| provides a description of the role of this equipment in the RPS. This is summarized below:
| |
| The Reactor Protection System Logic can be subdivided into subsections: Local Coincidence Logic and Initiation Logic.
| |
| Local Coincidence The Local Coincidence Logic determines if a coincidence exists in the tripping of like bistable logics (those monitoring the same parameter) in two or more channels. The actual bistables logics and upstream instrumentation are addressed in LCOs 3.3.1, 3.3.2, and 3.3.3. If a coincidence occurs in two or more channels, the Initiation Logic is deenergized, resulting in a reactor trip.
| |
| There are four Local Coincidence Logic channels, comparing the outputs of all four channels of bistables, taken two, three and four at a time. Coincidence Logic is implemented in the LCL which receives inputs from the bistables in all four channels such that like bistables must be tripped in two or more Channels to deenergize a LCL Channel.
| |
| Deenergizing two or more Local Coincidence Logic Channels will deenergize associated Initiation Logic Channels, which open associated Reactor Trip Circuit Breakers (RTCBs). See CESSAR-DC, Section 7.2 (Ref. 3).
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-88 Rev. 00 16A Tech Spec Bases
| |
| | |
| l l
| |
| RPS Logic and Trip Initiation i' B 3.3.4 BASES BACKGROUND Initiation Loaic (continued)
| |
| The initiation logic consists of an OR circuit for each I undervoltage and shunt trip relay. The outputs from the l associated Local Coincidence Logic for each parameters are provided to the OR circuit. The initiation circuit contains ,
| |
| a time delay for noise filtering. The Initiation Logic generates two outputs, each initiating under voltage relay and shunt trip relays respectively.
| |
| There are four Initiation Logic Channels, each responsible ,
| |
| for opening one RTCB (referred to as CHANNELS of RTCBs) if :
| |
| the associated coincidence logics deenergize. l Reactor Trio Circuit Breakers (RTCBs)
| |
| The Reactor Trip Switchgear consists of 4 RTCBs which are operated as four CHANNELS. Power input to the reactor trip switchgear comes from two full-capacity motor generator (MG) f sets (operated in parallel), such that the loss of either MG set does not deenergize the Control Element Drive Mechanisms (CEDMs). There are two separate CEDM power supply busses.
| |
| Both Power supply Bus No. I and No. 2 are tied together through a Synchronizer. Power is supplied from the MG sets to CEDM power bus via two redundant paths (trip legs). This ensures that a fault, or opening of a breaker in one trip leg (i.e., for testing purposes) will not interrupt power to the CEDM buses.
| |
| Each of the two trip legs consists of two RTCBs in series. l Each RTCB is assigned to one Manual Reactor Trip Push button '
| |
| in the control room and one RPS Initiation Logic Circuit.
| |
| Two additional Manual Reactor Trip Push buttons are provided in the Remote Shutdown Room for RTCBs in opposite trip legs.
| |
| Thus each Trip circuit breaker is operated by a Manual Reactor Trip pushbutton or a Reactor Protection System (RPS) actuated initiation relays (automatic reactor trip).
| |
| Initiation Logic circuits in RPS actuate two initiation relay outputs. One relay output deenergizes the undervoltage trip circuit, the other energizing the shunt trip circuit. This configuration gives redundancy and diversity. l l
| |
| V (continued) !
| |
| i SYSTEM 80+ B 3.3-89 Rev. 00 1 16A Tech Spec Bases l
| |
| | |
| RPS Logic and Trip Initiation B 3.3.4 O
| |
| BASES BACKGROUND During an automatic reactor trip, all initiation relays are (continued) deenergized, thereby opening all four breakers, and allowing the CEAs to fall into the core. When a Manual Reactor Trip is initiated via the pushbuttons in the Control Room or Remote Shutdown Room, the RPS trip path logic and the initiation relays are bypassed, and the signal is sent directly to the RTCBs.
| |
| Each Manual Reactor Trip pushbutton operates a single breaker. Therefore, at least two pushbuttons in opposite TRIP LEGS must be depressed to cause a reactor trip. To ensure a reactor trip can be manually actuated with a single random failure in one breaker or its trip circuit, all four of the control room pushbuttons are required to be operable.
| |
| Additionally, both Remote Shutdown Room pushbuttons are required to be operable. The Remote Shutdown Manual Reactor Trip pushbutton OPERABILITY is addressed in LC0 3.3.12,
| |
| " Remote Shutdown Instrumentation and Control."
| |
| Each CHANNEL of RTCBs starts at the contacts which are actuated by the initiation relay, and the contacts which are actuated by the Manual Reactor Trip, for each breaker.
| |
| Functional testing of the entire RPS, from bistable input through the opening of the individual sets of RTCBs, can be i performed either at power or shutdown, and is normally ;
| |
| performed on a quarterly basis. CESSAR-DC, Section 7.2 (Ref. 3), explains RPS testing in more detail.
| |
| l APPLICABLE Reactor Protective System (RPS) Loaic SAFETY ANALYSES The RPS Logic provides for automatic trip initiation to maintain the SLs during A00s and assist the ESF systems in '
| |
| I ensuring acceptable consequences during accidents. All transients and accidents that call for a reactor trip assume the RPS Logic is functioning as designed.
| |
| Reactor Trio Circuit Preakers (RTCBs)
| |
| All of the transient and accident analyses that call for a reactor trip assume that the RTCBs operate and interrupt power to the CEDMs. ]
| |
| I (continued) 9 j l
| |
| SYSTEM 80+ B 3.3-90 Rev. 00 !
| |
| 16A Tech Spec Bases j l
| |
| 1
| |
| | |
| RPS Logic and Trip Initiation
| |
| ,m B 3.3.4 L.);
| |
| BASES APPLICABLE Manual Trio SAFETY ANALYSES (continued) There are no accident analyses that take credit for the Manual Trip; however, the Manual Trip is part of the RPS circuitry as required by 10 CFR 50 Appendix A (Ref. 1). It is used by the operator to shut down the reactor whenever any parameter is rapidly trending toward its trip setpoint.
| |
| A Manual Trip accomplishes the same results as any one of the automatic trip Functions.
| |
| The RPS logic trip initiation satisfies Criterion 3 of the NRC Policy Statement.
| |
| LC0 Reactor Protective System (RPS) Loaic The LC0 on the RPS LOGIC CHANNELS ensures that each of the following requirements are met:
| |
| e A reactor trip will be initiated when necessary;
| |
| <J e The required protection system coincidence logic is maintained (minimum two-out-of-three, normal two-out-of-four); and e Sufficient redundancy is maintained to permit a channel to be out of service for testing or maintenance.
| |
| Failures of individual bistables and their contacts are addressed in LC0 3.3.1 and LC0 3.3.2. This Specification l addresses failures of the RPS Logic not addressed in the above, such as the failure of Local Coincidence logic power supplies or the failure of the trip channel bypass contact in the bypass condition.
| |
| Loss of a single vital bus will de-energize one of the power supplies in each Local Coincidence Logic Channel. This will result in one RTCB opening; however, the remaining three closed RTCBs will prevent a reactor trip. Each of the four RPS Logic channels opens one RTCB.
| |
| ()
| |
| V (continued)
| |
| SYSTEM 80+ B 3.3-91 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Logic and Trip Initiation B 3.3.4 O
| |
| BASES LCO If one RTCB has been opened in response to a single RTCB (continued) channel, RPS Logic channel, or Manual Trip channel failure, the affected RTCB may be closed for up to I hour for Surveillance on the OPERABLE RPS Logic Channel, RTCB, and MANUAL TRIP CHANNELS. In this case, the redundant RTCB will provide protection if a trip should be required. It is unlikely that a trip will be required during the Surveillance, coincident with a failure of the remaining series RTCB channel. If a single Local Coincidence Logic power supply or vital bus failure has opened the RTCB in a trip leg, Manual Trip and RTCB testing on the closed breakers cannot be performed without causing a trip.
| |
| : 1. RPS LOGIC CHANNELS This LCO requires four RPS LOGIC CHANNELS to be OPERABLE in MODES 1 and 2, and in MODES 3, 4, and 5 when the RTCBs are closed and any CEA is capable of being withdrawn.
| |
| : 2. Reactor Trio Circuit Breakers The LC0 requires four RTCB channels to be OPERABLE in ,
| |
| MODES 1 and 2, and in MODES 3, 4, and 5 when the RTCBs I are closed and any CEA is capable of being withdrawn.
| |
| Each channel of RTCBs starts at the Local Coincidence Logic output signal actuated and the Manual Trip for each breaker.
| |
| A Note associated with the ACTIONS states that if one RTCB has been opened in response to a single RTCB !
| |
| channel, RPS Logic channel, or MANUAL TRIP CHANNEL failure, the affected RTCB may be closed for up to I hour for Surveillance on the OPERABLE RPS Logic !
| |
| Channel, RTCB, and MANUAL TRIP CHANNELS. In this case l the redundant RTCB will provide protection. If a i Local Coincidence Logic supply or vital bus failure has opened the RTCB in a trip leg, Manual Trip and RTCB testing on the closed breakers cannot be performed without causing a trip.
| |
| (continued) 91 SYSTEM 80+ B 3.3-92 Rev. 00 16A Tech Spec Bases
| |
| | |
| . -- - . . . ~ . .. -- -- - - - - . . . . - . _ --. .- -.- -.
| |
| i i !
| |
| RPS Logic and Trip Initiation :
| |
| B 3.3.4 !
| |
| LO BASES i i j
| |
| : LCO - 3. Manual Trio } ,
| |
| (continued) -'
| |
| The LCO requires all four MANUAL TRIP CHANNELS to be OPERABLE in MODES I and 2, and MODES 3, 4, and 5 when the RTCBs are closed and any CEA is capable of being
| |
| ; withdrawn.
| |
| j' Two independent sets of two adjacent push buttons are
| |
| : provided at separate locations in the control room. 1 2 Each push button is considered a channel and operates one of the four RTCBs. Depressing both push buttons .
| |
| in either set in the control room will cause an :
| |
| interruption of power to the CEDMs, allowing the CEAs !
| |
| to fall into the core. This design ensures that no 1
| |
| i single failure in any push button circuit can either cause or prevent a reactor trip. ;
| |
| Two manual trip push buttons are provided in the t Remote Shutdown Room and are also provided at the ;
| |
| reactor trip switchgear (locally) in case the control .
| |
| ! room push buttons become inoperable or the control l t room becomes uninhabitable. These are not part of the l RPS and cannot be credited in fulfilling the LCO 3.3.4 OPERABILITY requirements. Furthermore, LC0 3.3.4 ACTIONS need not be entered due to failure of a local 4
| |
| or Remote Shutdown Room Manual Trip. Remote Shutdown Room Manual Trip push buttons are addressed in LCO 3.3.12.
| |
| k '
| |
| J APPLICABILITY The RPS LOGIC CHANNELS, RTCBs, and MANUAL TRIP CHANNELS are required to be OPERABLE in any MODE when the CEAs are capable of being withdrawn (i.e., RTCBs closed and power available to the CEDMs). This ensures that the reactor can E be tripped when necessary, but allows for maintenance and testing when the reactor trip is not needed.
| |
| [
| |
| ACTIONS In MODES 3, 4, and 5 with.the RTCBs open, the CEAs are not
| |
| -capable of withdrawal and these Functions do not have to be OPERABLE.
| |
| t O (continued) i SYSTEM 80+' B 3.3 Rev. 00
| |
| -16A Tech Spec Bases
| |
| | |
| RPS Logic and Trip Initiation B 2.3.4 i BASES ACTIONS When the number of inoperable channels in a trip Function (continued) exceeds that specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LC0 3.0.3 is immediately entered if applicable in the current MODE of operation.
| |
| M Condition A applies to one RPS Logic Channel, RTCB channel, or MANUAL TRIP CHANNEL in MODES 1 and 2, since they have the same actions. MODES 3, 4, and 5, with the RTCBs shut, are addressed in Condition B. These Required Actions require opening the affected RTCBs by using the appropriate Manual Trip push buttons in the control room or via the local trip push buttons on the RTCBs. This removes the need for the affected channel by performing its associated safety function. With an RTCB open, the affected Functions are in one-out-of-two logic, which meets redundancy requirements, but testing on the OPERABLE channels cannot be performed without causing a reactor trip unless the RTCBs in the inoperable channels are closed to permit testing.
| |
| Therefore, a Note has been added, specifying that the RTCBs associated with one inoperable channel may be closed for up to I hour for the performance of an RPS CHANNEL FUNCTIONAL TEST.
| |
| Required Action A.1 provides for opening the RTCBs associated with the inoperable channel within a Completion Time of 1 hour. This Required Action is conservative, since depressing the Manual Trip push button associated with either set of breakers in the other trip leg will cause a reactor trip. With this configuration, a single channel failure will not prevent a reactor trip. The allotted Completion Time is adequate for opening the affected RTCBs while maintaining the risk of having them closed at an acceptable level.
| |
| M Condition B applies to the failure of one RPS Logic Channel, RTCB channel, or MANUAL TRIP CHANNEL affecting the same trip leg in MODES 3, 4, or 5 with the RTCBs closed. The channel must be restored to OPERABLE status within 48 hours. If the (continued)
| |
| SYSTEM 80+ B 3.3-94 Rev. 00 16A Tech Spec Bases
| |
| | |
| RPS Logic and Trip Initiation B 3.3.4 BASES ACTIONS IL1 (continued) inoperable channel cannot be restored to OPERABLE status within 48 hours, all RTCBs must be opened, placing the plant in a MODE in which the LC0 does not apply and ensuring no CEA withdrawal occurs.
| |
| The Completion Time of 48 hours is consistent with that of other RPS instrumentation and should be adequate to repair most failures.
| |
| Testing on the OPERABLE channels cannot be performed without causing a reactor trip, unless the RTCBs in the inoperable channels are closed to permit testing. Therefore, a Note has been added specifying that the RTCBs associated with one inoperable channel may be closed for up to I hour for the performance of an RPS CHANNEL FUNCTIONAL TEST.
| |
| fa.1 Condition C applies to the failure of both RPS Logic Channels, MANUAL TRIP CHANNELS, or RTCBs affecting the same trip leg. Since this will open two channels of RTCBs, this Condition is also applicable to channels in the same trip leg. This will open both RTCBs in the affected trip leg, satisfying the Required Action of opening the affected RTCBs.
| |
| Of greater concern is the failure of the initiation circuit in a nontrip condition. With only one RPS Logic Channel failed in a nontrip condition, there is still the redundant set of RTCBs in the trip leg. With both failed in a nontrip condition, the reactor will not trip automatically when required. In either case, the affected RTCBs must be opened immediately by using the appropriate Manual Trip push buttons in the control room or via the local trip push buttons on the RTCBs, since each of the four push buttons opens one RTCB.
| |
| , If the affected RTCB cannot be opened, Required Action D is entered. This would only occur if there is a failure in the Manual Trip circuitry or the RTCB(s).
| |
| O b (continued)
| |
| SYSTEM 80+ B 3.3-95 Rev 00 16A Tech Spec Bases
| |
| | |
| RPS Logic and Trip Initiation B 3.3.4 O
| |
| BASES D.] and D.2 l ACTIONS (continued)
| |
| Condition D is entered if Required Actions associated with Condition A or C are not met within the required Completion i Time or if for one or more Functions, more than one RPS Logic Channel, Manual Trip Channel, or RTCB Channel is inoperable for reasons other than Condition A or C.
| |
| If the RTCBs associated with the inoperable channel cannot be opened, the reactor must be shut down within 6 hours and all the RTCBs opened. A Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required plant conditions from full power conditions in an orderly manner and without challenging plant systems and for opening RTCBs. All RTCBs should then be opened, placing the plant in a MODE where the LC0 does not apply and ensuring no CEA withdrawal occurs.
| |
| SURVEILLANCE SR 3.3.4.1 REQUIREMENTS A CHANNEL FUNCTIONAL TEST on each channel is performed every 92 days to ensure the entire channel will perform its intended function when needed. This surveillance interval is based on the reliability analysis presented in Referenc'
| |
| : 4. Major portions of the RPS are monitored and tested by the automatic test network. The operability of the automatic CHANNEL FUNCTIONAL TEST is verified by the operator every 92 days to meet the surveillance requirement.
| |
| Capability is also provided to allow manual performance of the CHANNEL FUNCTIONAL TEST if the automatic CHANNEL TEST is inoperable. Those portions of the system which are not amenable to automatic testing because they involve actuation of electromechanical devices, or involve devices which are not within the PPS cabinets, can be tested manually. The automatic test network is capable of performing tests during reactor operation. The automatic testing does not degrade the ability of the RPS to perform its intended function.
| |
| The RPS CHANNEL FUNCTIONAL TEST consistsof overlapping tests as described in Section 7.2 of Reference 3. These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. The RPS Logic and Trip Initiation tests include:
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-96 Rev. 00 16A Tech Spec Bases
| |
| - - .--_-__-__-__J
| |
| | |
| i RPS Logic and Trip Initiation :
| |
| B 3.3.4 V !
| |
| BASES l
| |
| SURVEILLANCE Local Coincidence Loaic Testina REQUIREMENTS (continued) Automatic Local Coincidence Logic Testing - The automatic test feature checks output status, generates trip conditions for each function, and monitors output status for correctness.
| |
| RPS Initiation Loaic Testina ,
| |
| The "0R" logic which comprises the RPS Initiation Logic is tested at the same time the Local Coincidence Logic is tested. Propagation of the coincidence signal through the "0R" logic is verified.
| |
| RTCB Testina The RTCB test is a manual initiated test because operator involvement in the testing and reclosing of the RTCBs is !
| |
| required. This test is called a Manual Trip Test and is initiated by the operator with the Manual Trip push buttons.
| |
| ,o This test is performed to ensure that RTCBs are available U when required. The [92] day test interval is based on ;
| |
| Reference 4.
| |
| I SR 3.3.4.2 l l
| |
| Each RTCB is actuated by an ondervoltage coil and a shunt trip coil. The system is dr. signed so that either de-energizing the undervoltage coil or energizing the shunt trip coil will cause the circuit breaker to open. When an RTCB is opened, either during an automatic reactor trip or by using the manual push buttons in the control room, the undervoltage coil is de-energized and the shunt trip coil is i energized. This makes it impossible to determine if one of the coils or associated circuitry is defective.
| |
| Therefore, once every [18) months, a CHANNEL FUNCTIONAL TEST is performed that individually tests all four sets of undervoltage coils and all four sets of shunt trip coils.
| |
| During undervoltage coil testing, the shunt trip coils must remain de-energized, preventing their operation.
| |
| Conversely, during shunt trip coil testing, the undervoltage ;
| |
| coils must remain energized, preventing their operation.
| |
| This Surveillance ensures that every undervoltage coil and n
| |
| b (continued) l SYSTEM 80+ B 3.3-97 Rev. 00 l 16A Tech Spec Bases
| |
| | |
| i RPS Logic and Trip Initiation B 3.3.4 O
| |
| BASES SURVEILLANCE SR 3.? M (continued)
| |
| REQUIREMENTS every shunt trip coil is capable of performing its intended function, and that no single active failure of any RTCB component will prevent a reactor trip. The [18] month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed at the Frequency of once every (18] months.
| |
| SR 3.3.4.3 A TRIP TEST on the MANUAL TRIP CHANNELS is performed prior to a reactor startup to ensure the entire channel will perform its intended function if required. The Manual Trip Function can only be tested at shutdown. However, the simplicity of this circuitry and the absence of drift concern make this Frequency adequate.
| |
| REFERENCES 1. 10 CFR 50, Appendix A.
| |
| : 2. 10 CFR 100.
| |
| : 3. Section 7.2.
| |
| : 4. [ Surveillance Interval Analysis.]
| |
| SYSTEM 80+ B 3.3-98 Rev. 00 16A Tech Spec Bases
| |
| | |
| l ESFAS Instrumentation i B 3.3.5 l B 3.3 INSTRUMENTATION 1
| |
| - B 3.3.5 Engineered Safety Features Actuation System (ESFAS) Instrumentation BASES BACKGROUND The ESFAS initiates necessary safety systems, based upon the values of selected unit parameters, to protect against violating core design limits and Reactor Coolant System ,
| |
| (RCS) pressure boundary during anticipated operational occurrences (A00s) and ensures acceptable consequences t during accidents.
| |
| The ESFAS contains devices and circuitry that generate the i following signals when monitored variables reach levels that are indicative of conditions requiring protective action: j
| |
| : 1. Safety Injection Actuation Signal (SIAS),
| |
| : 2. Containment Spray Actuation Signal (CSAS);
| |
| : 3. Containment Isolation Actuation Signal (CIAS);
| |
| A V 4. Main Steam Isolati,n Signal (MSIS);
| |
| 5, 6. Emergency Feedwater Actuation Signal (EFAS). ;
| |
| Each of the above ESFAS instrumentation systems is segmented into three functions. These functions are:
| |
| e MEASUREMENT CHANNELS; ,
| |
| o Bistable Processor-e ESFAS Logic:
| |
| LOGIC CHANNEL,
| |
| - ACTUATION LOGIC, and '
| |
| COMPONENT CONTROL LOGIC This LC0 addresses MEASUREMENT CHANNELS and Bistable Processors. Logic is addressed in LCO 3.3.6, " Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip."
| |
| (continued) f SYSTEM 80+ B 3.3-99 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Instrumentation B 3.3.5 O
| |
| BASES BACKGROUND The role of each of these functions in the ESFAS, including (continued) the logic of LC0 3.3.6, is discussed below.
| |
| MEASUREMENT CHANNELS MEASUREMENT CHANNELS, consisting of the sensor, transmitter and signal conditioning devices provide a measurable electronic signal based upon the physical characteristics of the parameter being measured.
| |
| Four identical MEASUREMENT CHANNELS with electrical and physical separation are provided for each parameter used in the generation of trip signals. These channels are designated A through D. Measurement channels provide input to ESFAS bistable processors within the same ESFAS channel.
| |
| In addition, some measurement channels are used as inputs to Reactor Protective System (RPS) bistable processors, and provide indication in the control room.
| |
| When a channel monitoring a parameter indicates an unsafe condition, the bistable monitoring the parameter in that channel will trip. Tripping two or more channels of bistables monitoring the same parameter will de-energize Local Coincidence Logic, which in turn de-energizes the Initiation Logic. This causes both channels of Actuation Logic to respond. Each channel of ACTUATION LOGIC controls one train of the associated Engineered Safety Features (ESF) equipment.
| |
| Three of the four MEASUREMENT CHANNELS and bistable processors are necessary to meet the redundancy and testability of GDC 21 in Appendix A to 10 CFR 50 (Ref. 2).
| |
| The fourth channel provides additional flexibility, by allowing one channel to be removed from service (trip channel bypass) for maintenance or testing, while still maintaining a minimum two out of three logic.
| |
| Since no single failure will prevent a protective system actuation, this arrangement meets the requirements of IEEE 279-1971 (Ref. 4).
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-100 Rev. 00 16A Tech Spec Bases
| |
| | |
| l ESFAS Instrumentation B 3.3.5 l
| |
| BASES BACKGROUND Bistable Processors (continued)
| |
| The trip signal is generated by the Bistable Logic processors which compare the input signals to either fixed or variable set points. These bistable outputs for each parameter (e.g. Pressurizer Pressure, Steam Generator Level, etc.) are sent to Local Coincidence Logic where two-out-of- ,
| |
| four logics are performed. Bistable trip generation is described in CESSAR-DC, Section 7.3 (Ref. 1).
| |
| The trip setpoints and Allowable Values used in the l bistables are based on the analytical limits stated in !
| |
| (Ref. 5). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment effects, for those !
| |
| ESFAS channels that must function in harsh environments as I defined by 10 CFR 50.49 (Ref. 6), Allowable Values I specified in Table 3.3.5-1, in the accompanying LCO, are q conservatively adjusted with respect to the analytical limits. A detailed example of the methodology used to
| |
| 'v calculate the trip setpoints, including their explicit j uncertainties, is provided in the [Setpoint Report] l (Ref. 7). The actual nominal trip setpoint entered into the bistable is normally still more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.
| |
| Setpoints in accordance with the Allowable Value will ansure that Safety Limits of LC0 Section 2.0, " Safety Limit,, are not violated during A00s and the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the plant is operated from within the LCOs at the onset of the A00 or DBA and the equipment functions as designed.
| |
| Bvoasses )
| |
| i The trip channel bypasses and operating bypasses are manipulated by the Interface and Test Processor in each channel.
| |
| (
| |
| k (continued)
| |
| SYSTEM 80+ - B 3.3-101 Rev. 00 ;
| |
| -16A Tech Spec Bases- !
| |
| l
| |
| | |
| 1 ESFAS Instrumentation B 3.3.5 9
| |
| BASES BACKGROUND Bynasses (continued)
| |
| The trip channel bypass prevents a bistable trip from contributing to the initiation of protective action. The trip channel bypass information is provided to four channels of Local Coincidence Logics to change their logic into two-out-of-three by Interface and Test Processors. The LCLs only allow one channel bypass at a time.
| |
| In addition to the trip channel bypasses, there are also operating bypasses on low pressurizer pressure. These bypasses are enabled manually, in all four PPS channels, when plant conditions do not warrant the specific trip protection. All operating bypasses are automatically removed when enabling bypass conditions are no longer satisfied.
| |
| The status of any bypass is indicated at the PPS channel cabinet and the PPS Remote Operator's Module in the control room. In addition, all operating bypasses and a summary of the bistable trip channel bypasses in each channel are made available for control room indication via PPS Operator's Module, DIAS and DPS. CESSAR-DC, Section 7.3 (Ref. 1) provides a detailed description of these bypasses.
| |
| Functional testing of the ESFAS, from the bistable input through the opening of initiation relay contacts in the ESFAS Actuation Logic, can be performed either at power or at shutdown, and is normally performed on a quarterly basis.
| |
| CESSAR-DC, Section 7.3 (Ref. 1) provides more detail on ESFAS testing. Process transmitter calibration is normally performed on a refueling basis. SRs for the channels are specified in the Surveillance Requirements section.
| |
| ESFAS Loaic The ESFAS Logic, consisting of LOGIC CHANNEL, ACTUATION LOGIC, and, COMP 0NENT CONTROL LOGIC employs a scheme that provides an ESF actuation of all trains when bistables in any two of the four channels sensing the same input parameter trip. This is called a two out of four trip logic.
| |
| (continued) !
| |
| SYSTEM 80+ B 3.3-102 Rev. 00 16A Tech Spec Bases
| |
| | |
| I
| |
| ~
| |
| ESFAS Instrumentation ;
| |
| B 3.3.5 !
| |
| J BASES
| |
| ]
| |
| BACKGROUND LOGIC CHANNEL l
| |
| ; .(continued)' There is one Local Coincidence Logic (LCL) associated with i
| |
| : each trip bistable logic of each channel. Each LCL receives :
| |
| four trip signals, one for its associated bistable logic in i the channel and one from each of the equivalent bistable l logic-located in the other three channels. The LCL receives i j
| |
| the trip channel-bypass status associated with each of the :
| |
| above mentioned bistables. The function of the LCL is to t t generate a coincidence signal whenever two or more like 4 bistables are in a tripped condition. The LCL takes into. !
| |
| consideration the trip bypass input state when determining j the coincidence logics state. Designating the protective ;
| |
| channels as A, B, C, D, with no trip bypass present, the LCL !
| |
| will produce a coincidence signal for any of the following
| |
| - trip inputs: AB, AC, AD, BC, BD, CD, ABC, ABD, ACD, BCD, I ABCD. These represent all possible two- or more out-of-four trip combinations af the four protective channels. Should a trip bypass be present, the logic will provide a coincidence ;
| |
| signal when two or more of the three unbypassed bistables :
| |
| are in a tripped condition. l i
| |
| On a system basis, a coincidence signal is generated in all four protective channels whenever a coincidence of two or ,
| |
| more like bistables of the four channels are in a tripped ;
| |
| state.
| |
| In addition to a coincidence signal, each LCL also provides
| |
| ' bypass status outputs. The bypass status is provided to verify that a bypass has actually been entered into the' logic either locally or remotely via the operator's module.
| |
| The bypass status is available for display at the local and remote operators modules and DPS.
| |
| ACTUATION LOGIC
| |
| ' The inputs to the ACTUATION LOGIC are the LCL outputs from
| |
| : the appropriate local coincidence logics.
| |
| If an initiation circuit fails it will fail-safe (i.e., in a trip condition). This will result in a partial trip (1 of
| |
| : 4) in the selective 2-out-of-4 ESFAS actuation logic. The partial trip -will be alarmed the same as a full ESF trip and actuation and indicated by the DIAS and DPS; the partial (continued)
| |
| SYSTEM 80+ B 3.3-103 Rev. 00 16A-Tech Spec Bases iL_. - - -- -. . - - .- , -. -
| |
| | |
| ESFAS Instrumentation B 3.3.5 O
| |
| BASES BACKGROUND ACTUATION LOGIC (continued) trip cannot be bypassed. If the initiation circuit fails in an undesired condition the failure will be promptly detected and alarmed via the automatic test function. Since the actuation functions in the ESF-CCS work in a selective coincidence logic, this is considered a degraded condition and a technical specification LC0 will apply. CESSAR-DC, Section 7.3 (Ref. 1) describes actuation logic in detail.
| |
| COMPONENT CONTROL LOGIC The COMPONENT CONTROL LOGIC is used to actuate the individual ESF components which are actuated to mitigate the consequences of the occurrence that caused the actuation.
| |
| The ESFAS actuation and component control logics are physically located in four independent and geographically separate ESF-CCS cabinets.
| |
| The four initiation circuits in the PPS actuate a selective two-out-of-four logic in the ESF-CCS. In the actuation h
| |
| logic, each signal also sets a latch when the selective two-out-of-four logic actuates to assure that the signal is not automatically reset once it has been initiated.
| |
| Receipt of two selective engineered safety system initiation channel signals will generate the actuation channel signals.
| |
| This is done independently in each ESF-CCS cabinet, generating division A and division B and where required, division C, and division D signals.
| |
| Manual ESFAS initiation capability is provided to permit the operator to manually actuate an ESF System when necessary.
| |
| Two sets of two push buttons (located in the control room) for each ESF Function are provided, and each set actuates all trains. Each Manual Trip push button opens one trip path, de-energizing one set of two initiation logic, one affecting each train of ESF. Trip path logic is arranged in l a selective two-out-of-four configuration in the ACTUATION l LOGIC. By arranging the push buttons in two sets of two, such that both push buttons in a set must be depressed, it (continued) Ol SYSTEM 80+ B 3.3-104 Rev. 00 16A Tech Spec Bases 1
| |
| j
| |
| | |
| (
| |
| ESFAS Instrumentation B 3.3.5 p
| |
| V BASES BACKGROUND COMPONENT CONTROL LOGIC (continued) is possible to ensure that Manual Trip will not be prevented in the event of a single random failure.
| |
| Provisions are made to permit periodic testing of the complete ESFAS. These tests cover the trip actions from sensor input through the protection system and actuation devices. The system test does not interfere with the protective function of the system. Overlap between individual tests exists so that the entire ESFAS can be tested. CESSAR-DC, Section 7.3 (Ref.1) describes ESFAS testing in detail.
| |
| APPLICABLE Each of the analyzed accidents can be detected by one or SAFETY ANALYSES more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than
| |
| / one type of accident. An ESFAS Function may also be the Q] secondary, or backup, actuation signal for one or more other accidents.
| |
| ESFAS protective Functions are as follows:
| |
| : 1. Safety In.iection Actuation Sianal (SIAjl SIAS ensures acceptable consequences during large break loss of coolant accidents (LOCAs), small break LOCAs, control element assembly (CEA) ejection accidents, steam generator tube rupture, excess steam demand events, and main steam line breaks (MSLBs).
| |
| To provide the required protection, either a high containment pressure or a low pressurizer pressure signal will initiate SIAS. The SIAS actuates the components necessary to inject borated water into the reactor coolant system and actuates components for emergency cooling. SIAS also actuates containment spray pumps. SIAS is also initiated by a loss of power to two or more like measurement channels.
| |
| pM
| |
| % (continued)
| |
| SYSTEM 80+ B 3.3-105 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Instrumentation B 3.3.5 O
| |
| BASES APPLICABLE 2. Containment Sorav Actuation Sianal (CSAS)
| |
| SAFETY ANALYSES (continued) CSAS actuates containment spray, preventing containment overpressurization during large break LOCAs, small break LOCAs, and MSLBs or feedwater line breaks (FWLBs) inside containment. CSAS is initiated by high high containment pressure. CSAS is also initiated by loss of power to two or more like measurement channels.
| |
| : 3. Containment Isolation Actuation Sianal (CIAS)
| |
| CIAS ensures acceptable mitigating actions during large and small break LOCAs, and MSLBs inside containment or FWLBs either inside or outside containment. CIAS is initiated by low pressurizer pressure or high containment pressure. CIAS is also initiated by loss of power to two or more like measurement channels.
| |
| : 4. Main Steam Isolation Sianal (MSIS)
| |
| MSIS ensures acceptable consequences during an MSLB or FWLB (between the steam generator and the main feedwater check valve), either inside or outside containment. MSIS isolates both steam generators if either generator indicates a low pressure condition or if a high containment pressure condition exists.
| |
| This prevents an excessive rate of heat extraction and subsequent cooldown of the RCS during these events. There is also a reactor trip on steam generator level- high to protect the turbine from excessive moisture carry over in case of a steam generator over fill event.
| |
| 5, 6. Emeraency Feedwater Actuation Sianal EFAS consists of two steam generator specific signals (EFAS-1 and EFAS-2). EFAS-1 initiates emergency feed to SG #1 and EFAS-2 initiates emergency feed to SG
| |
| #2.
| |
| i (continued)
| |
| SYSTEM 80+ B 3.3-106 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Instrumentation B 3.3.5 p ;
| |
| l V
| |
| BASES APPLICABLE 5, 6. Emeraency Feedwater Actuation Sianal (continued)
| |
| SAFETY ANALYSES EFAS maintains a steam generator heat sink during a loss of MFW event, steam generator tube rupture event, MSLB, or FWLB event either inside or outside containment, or any event where normal AC power or
| |
| ; the MFW system is unavailable. EFAS is also initiated by a loss of power to two or more like -
| |
| measurement channels.
| |
| Low steam generator water level initiates emergency feed to the affected steam generator. If the affected steam generator recovers the level high enough, then the high level signal terminates the emergency feedwater flow to the affected steam generator.
| |
| The ESFAS satisfies Criterion 3 of the NRC Policy Statement.
| |
| l LCO The LCO ensures each of the following requirements is met:
| |
| : 1. An ESF function is initiated when necessary.
| |
| : 2. The required protection system instrumentation coincidence logic is maintained.
| |
| : 3. Sufficient redundancy is maintained to permit a channel to be out of service for testing or maintenance.
| |
| Allowable values specified ensure that violation of the Safety Limits for the reactor core and RCS is prevented during normal operation and A00s, and the consequences of accidents are acceptable.
| |
| Only the Allowable Values are specified for each ESFAS function. The allowable value is specified such that the analytical limit assumed in the safety analysis is conservative including all applicable setpoint uncertainties. '
| |
| .O
| |
| ()) (continued)
| |
| SYSTEM 80+ B 3.3-107 Rev. 00 '
| |
| 16A Tech _ Spec Bases t
| |
| | |
| ESFAS Instrumentation B 3.3.5 O
| |
| BASES LC0 The LCO require all channel components necessary to provide (continued) an ESFAS actuation to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel (s) inoperable and reduces the reliability of the affected Functions.
| |
| Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel in the same Function bypassed. With one channel in each Function trip channel bypassed, this effectively places the plant in a two-out-of-three logic configuration in those Functions.
| |
| The Bases for the LCOs on ESFAS Functions are:
| |
| : 1. Safety in.iection Actuation Sianal
| |
| : a. Containment Pressure-Hiah This LC0 requires four channels of Containment Pressure-High to be OPERABLE in MODES 1, 2, 3 and 4.
| |
| The Containment Pressure-High signal is shared among the SIAS (Function 1), CIAS (Function 3),
| |
| and MSIS (Function 4).
| |
| The Allowable Value for this trip is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup), and not indicative of an abnormal condition. The setting is low enough to initiate the ESF Functions when an abnormal condition is indicated. This allows the ESF systems to perform as expected in the accident analyses to mitigate the consequences of the analyzed accidents,
| |
| : b. Pressurizer Pressure-Low This LC0 requires four channels of Pressurizer Pressure-Low to be OPERABLE in MODES 1, 2, 3, and 4.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-108 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Instrumentation f,
| |
| B 3.3.5 BASES LC0 b. Pressurizer Pressure-Low (continued)
| |
| The Allowable Value for this trip is set low enough to prevent actuating the ESF Functions (SIAS and CIAS) during normal plant operation and pressurizer pressure transients. The setting is high enough that with the specified accidents the ESF systems will actuate to perform as expected, mitigating the consequences of the accident.
| |
| The Pressurizer Pressure-Low trip setpoint, which provides SIAS, CIAS, and P.PS trip, may be manually decreased to a floor value of
| |
| [300 psia] to allow for a controlled cooldown and depressurization of the RCS without causing a reactor trip, CIAS, or SIAS. The margin l between actual pressurizer pressure and the .
| |
| l trip setpoint must be maintained less than or equal to the specified value [400 psia] to ensure a reactor trip, CIAS, and SIAS will
| |
| ()
| |
| (N occur if requirect during RCS cooldown and depressurization.
| |
| From this reduced setting, the trip setpoint will increase automatically as pressurizer pressure increases, tracking actual RCS pressure until the trip setpoint is reached.
| |
| ~
| |
| When the trip setpoint has been lowered below the operating bypass permissive setpoint of
| |
| [400 psia), the Pressurizer Pressure-Low reactor trip, CIAS, and SIAS actuation may be manually bypassed in preparation for shutdown cooling. When RCS pressure rises above the bypass removal setpoint, the bypass is removed.
| |
| Bypass Removal This LC0 requires the operating bypass removal function for all four Pressurizer Pressure-Low TRIP CHANNELS to be OPERABLE in MODES 1, 2, 3, and 4.
| |
| 1 O
| |
| (continued)
| |
| ' SYSTEM 80+ B 3.3-109 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Instrumentation B 3.3.5 O
| |
| BASES LC0 Byoass Removal (continued)
| |
| Each of the four channels enables and disables the operating bypass capability for a single channel. Therefore, this LC0 applies to the operating bypass removal feature only. If the operating bypass enable function is failed so as to prevent entering a bypass condition, operation may continue. Since the trip setpoint has a floor value of [300 psia], a channel trip will result if pressure is decreased below this setpoint without bypassing.
| |
| The operating bypass removal Allowable Value was chosen because MSLB events originating from below this setpoint add less positive reactivity than that which can be compensated for by required SDM.
| |
| : 2. Containment Soray Actuation Sianal Containment Spray is initiated cither manually or automatically. For an automatic actuation, it is necessary to have a Containment Pressure-High High signal. Additionally, the Containment spray pumps start automatically on a SIAS. This provides pump availability before a legitimate CSAS, since the Containment Pressure-High signal used in the SIAS will initiate before the Containment Pressure-High High. This ensures that a CSAS will initiate immediately after the valves open (CSAS signal).
| |
| : a. Containment Pressure-Hiah Hiah This LC0 requires four channels of Containment Pressure-High High to be OPERABLE in MODES 1, 2, 3, and 4.
| |
| The Allowable Value for this trip is set high enough to allow for first response ESF systems (containment cooling systems) to attempt to mitigate the consequences of an accident before resorting to spraying borated water onto (continued)
| |
| SYSTEM 80+ B 3.3-110 Rev. 00 16A Tech Spec Bases
| |
| | |
| i ESFAS Instrumentation B 3.3.5
| |
| -V ;
| |
| . BASES
| |
| -LC0 a. Containment Pressure-Hiah Hiah (continued) containment equipment. The setting is low enough to initiate CSAS in time to prevent containment pressure from exceeding design.
| |
| : 3. [gntainment Isolation Actuation Sianal The SIAS and CIAS are actuated on Pressurizer !
| |
| Pressure-Low or Containment Pressure-High, the SIAS and CIAS share the same input channels, bistables, and Local Coincidence Logic. The remainder of the initiation channels, the manual channels, and the Actuation Logic are separate, and are addressed in LC0 3.3.6. Since their Applicability is also the <
| |
| same, they have identical Required Actions.
| |
| : a. Containment Pressure-Hiah
| |
| ,Q This LC0 requires four channels of Containment j L1 Pressure-High to be OPERABLE in MODES 1, 2, 3, and 4. ;
| |
| 1
| |
| , The Containment Pressure-High signal is shared among the SIAS (Function 1), CIAS (Function 3),
| |
| and MSIS (Function 4).
| |
| The Allowable Value for this trip is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup), and not indicative of an abnormal condition. The setting is low enough to initiate the ESF Functions when an abnormal condition is indicated. This allows the ESF systems to perform as expected in the accident analyses to mitigate the consequences of the analyzed accidents,
| |
| : b. Pressurizer Pressure-Low This LC0 requires four channels of Pressurizer Pressure-Low to be OPERABLE in MODES 1, 2, 3, and 4.
| |
| (continued) l i
| |
| SYSTEM 80+ B 3.3-111 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Instrumentation B 3.3.5 O
| |
| BASES LC0 b. Pressurizer Pressure-Low (continued)
| |
| The Allowable Value for this trip is set low enough to prevent actuating the ESF Functions (SIAS and CIAS) during normal plant operation and pressurizer pressure transients. The setting is high enough that with the specified accident the ESF systems will actuate to perform as expected, mitigating the consequences of the accidents.
| |
| The Pressurizer Pressure-Low trip setpoint, which provides an SIAS, CIAS, and RPS trip, may be manually decreased to a floor Allowable Value of [300 psia] to allow for a controlled cooldown and depressurization of the RCS without causing a reactor trip, CIAS or SIAS.
| |
| The safety margin between actual pressurizer ,
| |
| pressure and the trip setpoint must be '
| |
| maintained less than or equal to the specified value [400 psi] to ensure a reactor trip, CIAS, and SIAS will occur if required during RCS cooldown and depressurization.
| |
| From this reduced setting, the trip setpoint will increase automatically as pressurizer pressure increases, tracking actual RCS l pressure until the trip setpoint is reached.
| |
| When the trip setpoint has been lowered below the operating bypass removal setpoint of
| |
| [400 psia), the Pressurizer Pressure-Low reactor trip, CIAS, and SIAS actuation may be manually bypassed in preparation for shutdown cooling. When RCS pressure rises above the operating bypass removal, the bypass is removed.
| |
| Bvoass Removal This LC0 requires the bypass removal function for all four Pressurizer Pressure-Low TRIP CHANNELS to be OPERABLE in MODES 1, 2, 3, and 4.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-112 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Instrumentation B 3.3.5 BASES LC0 Bvoass Removal (continued)
| |
| Each of the four channels enables and disables the operating bypass capability for a single channel. Therefore all four operating bypass removal channels must be OPERABLE to ensure that none of the four channels are inadvertently bypassed.
| |
| This LCO applies to the operating bypass removal feature only. If the operating bypass enable function is failed so as to prevent entering a bypass condition, operation may continue. Since the trip setpoint has a floor value of [300 psia], a channel trip will result if pressure is decreased below this setpoint without bypassing.
| |
| The operating bypass removal Allowable Value was chosen because MSLB events originating from q below this setpoint add less positive Q reactivity than that which can be compensated by required SDM.
| |
| : 4. Main Steam Isolation Sianal The LC0 is applicable to the MSIS in MODE I and in MODES 2, 3, and 4 except when all associated valves are closed and de-activated.
| |
| : a. Steam Generator pressure-Low This LC0 requires four channels of Steam Generator Pressure-Low to be OPERABLE in MODES 1, 2, 3, and 4.
| |
| The Allowable Value for this trip is set below the full load operating value for steam pressure so as not to interfere with normal plant operation. However, the setting is high enough to provide an MSIS (Function 4) during an excessive steam demand event. An excessive steam demand event causes the RCS to cool down resulting in a positive reactivity addition to A
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-113 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Instrumentation B 3.3.5 O
| |
| BASES LC0 a. Steam Generator Pressure-Low (continued) the core. MSIS limits this cooldown by isolating both steam generators if the pressure in either drops below the trip setpoint. An RPS trip on Steam . Generator Pressure-Low is initiated simultaneously, using the same bistable.
| |
| The Steam Generator Pressure-Low trip setpoint may be manually decreased as steam generator pressure is reduced. This prevents an RPS trip or MSIS actuation during controlled plant cooldown. The margin between actual steam generator pressure and the trip setpoint must be maintained less than or equal to the specified value of [200 psig] to ensure a reactor trip and MSIS will occur when required.
| |
| Unlike Pressurizer Pressure-Low, there is neither a floor, nor a bypass on the Steam Generator Pressure-Low function.
| |
| : b. Containment Pressure-Hiah This LCO requires four channels of Containment Pressure-High to be OPERABLE in MODES 1, 2, 3, and 4. The Containment Pressure-High signal is shared among the SIAS (Function 1), CIAS (Function 3), and MSIS (Function 4).
| |
| The Allowable Value for this trip is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup), and not indicative of an abnormal condition. The setting is low enough to initiate the ESF Functions when an abnormal condition is indicated. This allows the ESF systems to perform as expected in the accident analyses to mitigate the consequences of the analyzed accidents.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-114 Rev. 00 16A Tech Spec Bases
| |
| | |
| I i
| |
| ESFAS Instrumentation B 3.3.5
| |
| -BASES l
| |
| LCO -
| |
| : c. Steam Generator Level - Hiah !
| |
| (continu'ed) '
| |
| This LCO requires four channels of Steam Generator Level - High to be OPERABLE in MODES 1, 2, 3, and 4.
| |
| The allowable value_ is received from the Steam .!'
| |
| Generator Level narrow range sensors. This :
| |
| prevents against a steam generator overfill and excessive steam demand events. ;
| |
| Emeroency Feedwater Actuation Sianal SG .#1 and SG #2 5, 6.
| |
| (EFAS-1 and EFAS-2) l EFAS-1 is initiated to SG #1 by a low steam generator level . EFAS-2 is similarly configured to feed SG #2.
| |
| To prevent steam generator overfill, a high steam j 9enerator level interlock is provided by the ESF-CCS to automatically close the isolation values. ,
| |
| i The following LC0 description applies to both EFAS signals.
| |
| : a. Steam Generator Level-Low <
| |
| This LCO requires four channels of Steam !
| |
| Generator Level-Low to be OPERABLE for each
| |
| ' EFAS in MODES 1, 2, and 3.
| |
| ' The Steam Generator Level-Low EFAS input is .
| |
| i derived from the Steam Generator Level-Low PPS bistable output. EFAS is thus initiated simultaneously with a reactor trip. The setpoint ensures at least a 20 minute inventory i of water remains in the affected steam
| |
| . generator at reactor trip. Thus, EFAS is 4
| |
| initiated well before steam generator inventory is challenged.
| |
| i-P p
| |
| (continued)
| |
| SYSTEM 80+- B 3.3-115 Rev. 00 16A Tech Spec Bases-
| |
| _ _ _ _ _ . . _ _ _. _, . _ . _ _ . _-_u -.
| |
| | |
| ESFAS Instrumentation B 3.3.5 O
| |
| BASES LCO b. Steam Generator level-Hiah (continued)
| |
| This LCO requires four channels of Steam Generator Level-High to be OPERABLE for each EFAS in MODES 1, 2, and 3.
| |
| The Steam Generator Level-High ESFAS input is derived from the Steam Generator Level-High PPS bistable output. This high level interlock automatically closes the emergency feedwater isolation valves. This interlock is disabled by EFAS actuation on low steam generator level.
| |
| This interlock also protects against steam generator overfill due to erroneous operation of the Emergency Feedwater System by the operator or Alternate Protective System.
| |
| APPLICABILITY In MODES 1, 2 and 3 there is sufficient energy in the primary and secondary systems to warrant automatic ESF System responses to:
| |
| o Close the main steam isolation valves to preclude a positive reactivity addition; e Actuate emergency feedwater to preclude the loss of the steam generators as a heat sink (in the event the normal feedwater system is not available);
| |
| e Actuate ESF systems to prevent or limit the release of fission product radioactivity to the environment by isolating containment and limiting the containment pressure from exceeding the containment design pressure during a design basis LOCA or MSLB; and e Actuate ESF systems to ensure sufficient borated inventory to permit adequate core cooling and reactivity control during a design basis LOCA or MSLB accident.
| |
| All the following ESF functions are required to be operable in these MODES:
| |
| : 1. Safety Injection Actuation - SIAS (continued)
| |
| SYSTEM 80+ B 3.3-116 Rev. 00 16A Tech Spec Bases I
| |
| | |
| i ESFAS Instrumentation B 3.3.5 BASES APPLICABILITY 2. Containment Spray Actuation - CSAS (continued '
| |
| : 3. Containment Isolation - CIAS
| |
| : 4. ' Main Steam Line Isolation - MSIS
| |
| : 5. Emergency Feedwater Actuation - EFAS For MODE 4 there is sufficient energy and potential in the primary and secondary systems to warrant 1) the automatic actuation of all components to mitigate the consequences of a large break LOCA or Main Steam Line Break (MSLB) and 2) prevent or limit the release of fission product radioactivity to the environment. ESF functions which apply to Mode 4 operation follow:
| |
| : 1. Safety Injection Actuation - SIAS ,
| |
| : 2. Containment Spray Actuation - CSAS
| |
| : 3. Containment Isolation - CIAS
| |
| : 4. Main Steam Line Isolation - MSIS In MODES 5, and 6 these functions are not required because adequate time is available to evaluate plant conditions and respond by manually operating the ESF components if required. In most cases, the equipment actuated by these ESFAS functions need not be operable.
| |
| ACTIONS In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or ESFAS bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LC0 Condition entered for the particular protection function affected.
| |
| When the number of inoperable channels in a trip Function exceeds those specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LC0 3.0.3 should be entered immediately, if applicable in the current MODE of operation.
| |
| O- (continued)
| |
| SYSTEM 80+ B 3.3-117 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Instrumentation B 3.3.5 O
| |
| BASES ACTIONS (continued) Two Notes have been added in the ACTIONS. Note I has been added to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Time for the inoperable channel of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function. Note 2 was added to ensure review by the onsite review committee [per Specification 5.5.1.2.e] is performed to discuss the desirability of maintaining the channel in the bypassed condition.
| |
| A.I and A.2 Condition A applies to the failure of a single channel of one or more input parameters in any ESFAS Function.
| |
| ESFAS coincidence logic is normally selective two out of four.
| |
| If one ESFAS channel is inoperable, startup or power operation is allowed to continue providing the inoperable channel is placed in bypass or trip within I hour (Required Action A.1).
| |
| The Completion Time of I hour allotted to restore, bypass, or trip the channel is sufficient to allow the operator to take all appropriate actions for the failed channel and still ensures that the risk involved in operating with the failed channel is acceptable. The failed channel is restored to OPERABLE status prior to entering MODE 2 following the next MODE 5 entry. With a channel bypassed, the coincidence logic is in a two-out-of-three
| |
| :onfiguration. In this configuration, common cause failure of dependent channels cannot prevent trip. The Completion Time of prior to entering MODE 2 following the next MODE 5 entry is based on adequate channel to channel independence, which allows a two-out-of-three channel operation, since no single failure will prevent a ESFAS initiation.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-118 Rev. 00 16A Tech Spec Bases ,
| |
| M
| |
| | |
| ESFAS Instrumentation B 3.3.5 BASES ACTIONS B.d (continued)
| |
| The Required Action is modified by a Note stating that LC0 3.0.4 is not applicable. The Note was added to allow the changing of MODES even though two channels are inoperable, with one channel bypassed and one tripped. In this configuration, the protection system is in a one out of '
| |
| two logic, which is adequate to ensure that no random failure will prevent protection system operation.
| |
| Condition B applies to the failure of two channels of one or more input parameters in any EFAS automatic trip Function.
| |
| With two inoperable channels, power operation may continue, provided one inoperable channel is placed in bypass and the other channel is placed in trip within 1 hour. With one channel of protective instrumentation bypassed, the ESFAS Function is in two out of three logic in the bypassed input parameter, but with another channel failed, the ESFAS may be operating with a two out of two logic. This is outside the assumptions made in the analyses and should be corrected.
| |
| A)
| |
| ( To correct the problem, the second channel is placed in trip. This places the ESFAS Function in a one out of two logic. If any of the other OPERABLE channels receives a trip signal, ESFAS actuation will occur.
| |
| One of the two inoperable channels fwill need to be restored to operable status prior to the next required CHANNEL FUNCTIONAL TEST because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not possible to bypass more than one ESFAS channel, and placing a second channel in trip will result in an ESFAS actuation. Therefore, if one ESFAS channel, is in trip and a second channel is in bypass, a third inoperable channel would place the unit in LC0 3.0.3.
| |
| C.1. C.2.1. and C.2.2.
| |
| Condition C applies te one automatic operating bypass removal function inoperable. The only automatic operating bypass removal on an ESFAS is on the Pressurizer Pressure-Low signal. This bypass removal is shared with the RPS Pressurizer Pressure-Low bypass removal.
| |
| ~
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-119 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Instrumentation B 3.3.5 O
| |
| BASES ACTIONS C.I. C.2.1. and C.2.2. (continued)
| |
| If the bypass removal function for any operating bypass cannot be restored to OPERABLE, the associated ESFAS channel may be considered OPERABLE only if the operating bypass is not in effect. The operator must verify that the operating bypass is not in effect within 1 hour and once per 12 hours thereafter, otherwise the affected ESFAS channel must be declared inoperable, as in Condition A, and the bypass either removed, or the operating bypass removal channel repaired. The Bases for the Required Actions and required Completion Times are consistent with Condition A.
| |
| D.1 and D.2 The Required Action is modified by a Note stating that LC0 3.0.4 is not applicable. The Note was added to allow the changing of MODES even though two channels are inoperable, with one channel bypassed and one tripped. In this configuration, the protection system is in a one-out-of-two logic, which is adequate to ensure that no random failure will prevent protection system operation.
| |
| Condition D applies to two inoperable automatic operating bypass removal functions. If the bypass removal functions for two operating bypasses cannot be restored to OPERABLE, the associated ESFAS channel may be considered OPERABLE, only if the bypass is not in effect. The operator must verify that the operating bypasses are not in effect within 1 hour and once per 12 hours thereafter, otherwise the affected ESFAS channels must be declared inoperable, as in Condition B, and either the bypasses removed, or the operating bypass removal functions repaired. The restoration of one affected bypassed automatic TRIP CHANNEL must be completed prior to the next CHANNEL FUNCTIONAL TEST or the plant must shut down per LC0 3.0.3, as explained in Condition B. Completion Times are consistent with Condition B.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-120 Rev. 00 16A Tech Spec Bases
| |
| | |
| _ .. - - ~ .-.- - - - . - , - - - ~ . _ , . - ---
| |
| l.
| |
| ESFAS Instrumentation B 3.3.5 O: a 1
| |
| BASES- i ACTIONS (continued)
| |
| E.1 and E.2
| |
| -If the Required Actions and associated Completion Times. of
| |
| \.
| |
| Condition A, B, C, or D cannot be met, the plant must be I brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be. brought-to at-least MODE 3 within 6 hours and to MODE 4 within 12 hours. The !
| |
| allowed Completion Times are reasonable, based on operating !
| |
| experience, to reach the required plant conditions from full !
| |
| power conditions .in an orderly manner and.without ~
| |
| challenging plant systems. .
| |
| Required Actions E.1 and E.2 are modified by a NOTE to '
| |
| indicate that this action applies only to Functions 5'and 6 of Table 3.3.5-1 (EFAS-1 and EFAS-2).
| |
| F.1 and F.2 If the Required Actions and associated Completion Times of Conditions A, B, C, or D cannot be met, the plant must be O brought to a MODE in which the LCO does not apply. To achieve this . status, 'the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The 1 allowed Completion Times are reasonable, based on operating j experience, to reach the required plant conditons from full power conditions in an orderly manner and without challenging plant systems.
| |
| Required Actions F.1 and F.2 are modified by a Note to indicate that this action applies only to Functions 1, 2, 3, j and 4 of Table 3.3.5-1 (SIAS, CSAS, CIAS, and MSIS).
| |
| )
| |
| SURVEILLANCE SR 3.3.5.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours ensures 2
| |
| that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on
| |
| .one. channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring.
| |
| the same parameter should read approximately the-same value.
| |
| Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the (continued) l SYSTEM.80+ B 3.3-121 Rev. 00 1
| |
| ; 16A Tech Spec Bases ;
| |
| I
| |
| | |
| ESFAS Instrumentation B 3.3.5 O
| |
| BASES SURVEILLANCE SR 3. 3. 5J (continued)
| |
| REQUIREMENTS channels. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the match criteria, it is an indication that the channels are OPERABLE.
| |
| The Frequency, about once every shift, is based on operating experience that demonstrates channel failure is rare. Thus, performance of the CHANNEL CHECK guarantees that undetected overt channel failure is limited to 12 hours. Since the probability of two random failures in redundant channels in any 12 hour period is low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel 0PERABILITY during normal operational use of displays associated with the LCO required channels.
| |
| The Data Processing System (DPS) and Discrete Indication and Alarm Lystem (DIAS) continuously performs a cross channel comparison and will institute an alarm to warn operators that a channel has drifted out-of-tolerance or is not working properly.
| |
| ,, The operators would ensure that DPS or DIAS is OPERABLE and that there are no alarms associated with the ESFAS Instrumentation. In the event that both DPS and DIAS are inoperable or do not perform a cross CHANNEL comparison on a particular parameter, the operator would be required to perform the CHANNEL CHECK manually.
| |
| SR 3.3.5.2 A CHANNEL FUNCTIONAL TEST on each channel is performed every 92 days to ensure the entire channel will perform its (continued)
| |
| SYSTEM 80+ B 3.3-122 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Instrumentation B 3.3.5 g
| |
| O BASES SURVEILLANCE SR 3.3.5.2 (continued)
| |
| REQUIREMENTS intended function when needed. This test is part of an i overlapping test sequence similar to that employed in the RPS. This sequence consists of this SR 3.3.5.2 and SR 3.3.6.1. Major portions of the ESFAS are monitored and tested by the automatic test network. The operability of the automatic CHANNEL FUNCTIONAL TEST is verified by the operator every 92 days to meet the surveillance requirement.
| |
| Capability is also provided to allow manual performance of the CHANNEL FUNCTIONAL TEST if the automatic CHANNEL TEST is :
| |
| inoperable. Those portions of the system which are not amenable to automatic testing because they involve actuation of electromechanical devices, or involve devices which are not within the PPS cabinets, can be tested manually. The J automatic test network is capable of performing tests during i reactor operation. The automatic testing does not degrade j the ability of the ESFAS to perform its intended function. ;
| |
| In addition to power supply tests, the ESFAS CHANNEL FUNCTIONAL TESTS consists of overlapping tests as described i
| |
| (
| |
| ' in Reference 1. These tests verify that the ESFAS is I capable of performing its intended function, from bistable through the actuated components.
| |
| SR 3.3.5.2 and SR 3.3.6.1 are normally performed together and in conjunction with RPS testing. SR 3.3.6.1 is ,
| |
| addressed in LC0 3.3.6. SR 3.3.5.2 includes bistable tests.
| |
| Trio Bistable Tests Automatic Bistable Testing - The automatic test feature checks trip status and forces a trip condition to verify operability of the trip bistable function. Interlocks assure testing is performed in only one channel at a time and the trip condition is removed before the initiation i circuit can respond.
| |
| Manual Bistable Testing - The manual test feature facilitates variation of the input parameter to cause a l bistable trip condition. Interlocks assure testing can be performed in only one channel at a time. Manual test capability is provided for both fixed bistable and variable '
| |
| setpoint bistable functions.
| |
| .I
| |
| ' (continued) l SYSTEM 80+ B 3.3-123 Rev. 00 i 16A Tech Spec Bases j
| |
| | |
| ESFAS Instrumentation B 3.3.5 O
| |
| BASES SURVEILLANCE Local Coincidence Loaic Testina REQVIREMENTS (continued) Automatic Local Coincidence Logic Testing - The automatic test feature checks output status, generates trip conditions for each function, and mo11 tors output status for correctness.
| |
| ESFAS Initiation Loaic Testng The ESFAS Initiation Logic is tested at the same time the Local Coincidence Logic is tested. Propagation of the coincidence signal is verified.
| |
| Actuatina Loaic Test The ESF-CCS actuation logic receives short duration initiation signals (test signals) from the PPS. These signals are processed in the 7.SF-CCS and returned to the PPS for detection of initiation signal failure or the loss of an actuation signal to a group. Sequentially, the PPS transmits short duration initiation signals for each ESFAS signal.
| |
| The PPS processes the returned test signal for both the presence of an actuation signal when there should be one, and the absence of an actuation signal when 'there should not be one. The absence of a desired actuation signal or the presence of an unwanted actuation signal is detected at the time an abnormal or failed condition occurs. When an actuation channel is manually actuated at the ESF-CCS (e.g.,
| |
| for latch testing), a discrepancy between the PPS initiation signals and the state of the actuation channel is automatically detected.
| |
| SR 3.3.5.3 CHANNEL CALIBRATION is a complete check of the instrument channel including the detector and the operating bypass removal functions. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations to ensure that the channel remains operational between successive surveillances.
| |
| (continued) ,
| |
| SYSTEM 80+ B 3.3-124 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Instrumentation B 3.3.5 q
| |
| LJ BASES i
| |
| SURVEILLANCE SR 3.3.5.3 (continued)
| |
| Measurement error determination, setpoint error determination, and calibration adjustment must be performed .
| |
| consistent with the plant specific setpoint analysis. The i channel shall be left calibrated consistent with the assuniptions of the current plant specific setpoint analysis.
| |
| The as found and as left values must be recorded and reviewed for consistency with the assumptions of the
| |
| [ surveillance interval analysis). The requirements for this review are outlined in Reference [9].
| |
| The Frequency is based upon the assumption of an [18] month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis as well as operating experience and consistency with the (18] month fuel cycle.
| |
| SR 3.3.5.4 This Surveillance ensures that the actuation response times are within the maximum values assumed in the safety analyses.
| |
| Response time testing acceptance criteria are included in Reference 10.
| |
| ESF RESPONSE TIME tests are conducted on a STAGGERED TEST BASIS of once every [18] months. The [18] month Frequency is consistent with the typical industry refueling cycle and is based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.
| |
| SR 3.3.5.5 SR 3.3.5.5 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.5.2, except SR 3.3.5.5 is performed within 92 days prior to startup and is only applicable to operating bypass functions. Since the Pressurizer Pressure-Low bypass is
| |
| \
| |
| (
| |
| \ (continued)
| |
| SYSTEM 80+ B 3.3-125 Rev. 00 16A Tech Spec Bases .
| |
| | |
| ~
| |
| ESFAS Instrumentation B 3.3.5 O
| |
| BASES SURVEILLANCE SR 3.3.5.5 (continued)
| |
| REQUIREMENTS identical for both the RPS and ESFAS, this is the same Surveillance performed for the RPS in SR 3.3.1.14.
| |
| The CHANNEL FUNCTIONAL TEST for proper operation of the bypass permissives is critical during plant heattps because the operating bypasses may be in place prior to entering MODE 3, but must be removed'at the appropriate points during plant startup to enable the ESFAS Function. Consequently, just prior to startup is the appropriate time to verify bypass function OPERABILITY. Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated ESFAS Function is inappropriately bypassed.
| |
| This feature is verified by SR 3.3.5.2.
| |
| The allowance to conduct this surveillance within 92 days of startup is based on the reliability analysis presented in (Ref. 9). Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed. This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.5.2. Therefore, further testing of the bypass removal function after startup is unnecessary.
| |
| REFERENCES 1. Section 7.3.
| |
| : 2. 10 CFR 50, Appendix A.
| |
| : 3. Reference Removed
| |
| : 4. IEEE Standard 279-1971.
| |
| : 5. Chapter 15.
| |
| : 6. 10 CFR 50.49.
| |
| : 7. [Setpoint Report].
| |
| : 8. Section 7.2.
| |
| : 9. [ Surveillance Interval Analysis]
| |
| : 10. Response Time Testing Acceptance Criteria.
| |
| I l
| |
| O' SYSTEM 80+ B 3.3-126 Rev. 00 l 16A Tech Spec Bases !
| |
| i l
| |
| | |
| i ESFAS Logic and Manual Initiation
| |
| ; ,, B 3.3.6 l(
| |
| B 3.3 INSTRUMENTATION B 3.3.6 Engineered Safety Features Actuation System (ESFAS) Logic and Manual Initiation BASES BACKGROUND The ESFAS initiates necessary safety systems, based upon the values of selected unit parameters, to protect against violating core design limits and RCPB during anticipated operational occurrences (A00s) and ensures acceptable consequences during accidents.
| |
| The ESFAS contains devices and circuitry which generate the following signals when monitored variables reach levels that are indicative of conditions requiring protective action:
| |
| : 1. Safety Injection Actuation Signal (SIAS);
| |
| : 2. Containment Spray Actuation Signal (CSAS);
| |
| : 3. Containment Isolation Actuation Signal (CIAS);
| |
| : 4. Mail Steam Isolation Signal (MSIS);
| |
| : 5. Emergency Feedwater Actuation Signal, SG #1 (EFAS-1);
| |
| and
| |
| : 6. Emergency Feedwater Actuation Signal, SG #2 (EFAS-2).
| |
| Each of the above ESFAS instrumentation systems is segmented into three interconnected modules. These modules are:
| |
| e MEASUREMENT CHANNELS; e Bistable Processor; and e ESFAS Logic:
| |
| - LOGIC CHANNEL,
| |
| - ACTUATION LOGIC, and COMPONENT CONTROL LOGIC.
| |
| This LC0 addresses ESFAS Logic. Bistable Processors and MEASUREMENT CHANNELS are addressed in LC0 3.3.5, " Engineered Safety Features Actuation System (ESFAS) Instrumentation."
| |
| A V (continued)
| |
| . SYSTEM 80+ B 3.3-127 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Logic and Manual Initiation B 3.3.6 O
| |
| BASES BACKGROUND The role of the MEASUREMENT CHANNELS and Bistable Processors is described in LC0 3.3.5. The role of the ESFAS Logic is (continued) described below.
| |
| ESFAS Loaic The ESFAS Logic, consisting of LOGIC CHANNEL, ACTUATION LOGIC, and COMPONENT CONTROL LOGIC, employs a scheme that provides an ESF actuation of all channels when bistables in any two of the four measurement channels sense the same input parameter trip. This is called a two-out-of-four trip logic.
| |
| LOGIC CHANNEL There is one Local Coincidence Logic (LCL) associated with each trip bistable logic of each channel. Each LCL receives four trip signals, one for its associated bistable logic in the channel and one from each of the equivalent bistable logic located in the other three channels. The LCL receives the trip channel bypass status associated with each of the above mentioned bistables. The function of the LCL is to generate a coincidence signal whenever two or more like bistables are in a tripped condition. The LCL takes into consideration the trip bypass input state when determining the coincidence logics state. Designating the protective channels as A, B, C, D, with no trip bypass present, the LCL will produce a coincidence signal for any of the following trip inputs: AB, AC, AD, BC, BD, CD, ABC, ABD, ACD, BCD, ABCD. These represent all possible two- or more out-of-four trip combinations of the four protective channels. Should a trip bypass be present, the logic will provide a coincidence signal when two or more of the three unbypassed bistables are in a tripped condition.
| |
| On a system basis, a coincidence signal is generated in all four protective channels whenever a coincidence of two or more like bistables of the four channels are in a tripped state.
| |
| In addition to a coincidence signal, each LCL also provides bypass status outputs. The bypass status is provided to verify that a bypass has actually been entered into the (continued)
| |
| SYSTEM 80+ B 3.3-128 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Logic and Manual Initiation ;
| |
| B 3.3.6 i
| |
| 'IO V
| |
| BASES l
| |
| BACKGROUND LOGIC CHANNEL (continued) l l
| |
| logic either locally at the maintenance and test panels or l remotely via the operator's module. The bypass status is i available for display at the local maintenance and test panels, remote operators modules, and DPS.
| |
| l ACTUATION LOGIC !
| |
| I The ESFAS Actuation Logic consists of a selective two-out-of-four logic for each ESFAS function.
| |
| The inputs to the ACTUATION LOGIC are the LCL outputs from the appropriate local coincidence logics. The initiation circuits also contain a time delay (TD). The TD functions as a noise filter. It accomplishes this filter action by monitoring the continuous presence of an input for a minimum period of time. If the signal is present for the required ,
| |
| time, the signal is transmitted to the initiation relay. l
| |
| _c Test capability is also provided. l l
| |
| The initiation circuit is designed to fail-safe (i.e., in a l trip condition). This will result in a partial trip (1 of l
| |
| : 4) in the selective 2-out-of-4 ESFAS actuation logic. The partial trip will be alarmed the same as a full ESF trip and actuation and will be indicated by the DIAS and DPS; the '
| |
| partial trip cannot be bypassed. If the initiation circuit fails in an undesired condition the failure will be promptly detected and alarmed via the automatic test function. Since the actuation functions in the ESF-CCS work in a selective coincidence logic, this is considered a degraded condition and a technical specification LC0 will apply. CESSAR-DC Section 7.3 (Ref. 1) describes ACTUATION LOGIC in detail.
| |
| [QEONENT CONTROL LOGIC .!
| |
| The COMPONENT CONTROL LOGIC is used to actuate fLe individual ESF components which are actuated to mitigate the consequences of the occurrence that caused the actuation.
| |
| The ESFAS actuation and component control logics are physically located in four independent and geographically separate ESF-CCS cabinets.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-129 Rev. 00 16A-Tech Spec Bases (2/95) ,
| |
| | |
| ESFAS Logic and Manual Initiation B 3.3.6 O;
| |
| BASES l l
| |
| BACKGROUND COMPONENT CONTROL LOGIC (continued)
| |
| The four initiation circuits in the PPS actuate a selective two-cut-of-four logic in the ESF-CCS. In the actuation l logic, each signal also sets a latch when the selective two- l out-of-four logic actuates to assure that the signal is not autcmatically reset once it has been initiated.
| |
| Receipt of two selective engineered safety system initiation channel signals will generate the actuation channel signals.
| |
| This is done independently in each ESF-CCS cabinet, generating division A and division B and where required, division C, and division D signals.
| |
| MANUAL INITIATION Manual ESFAS initiation capability is provided to permit the operator to manually actuate an ESF System when necessary.
| |
| Two sets of two push buttons (located in the control room) for each ESF Function are provided, and each set actuates all trains. Each Manual Trip push button opens one trip path, de-energizing one set of two initiation logic, one affecting each train of ESF. Trip path logic is arranged in a selective two-out-of-four configuration in the ACTUATION LOGIC. By arranging the push buttons in two sets of two, such that both push buttons in a set must be depressed, it is possible to ensure that Manual Trip will not be prevented in the event of a single random failure.
| |
| DIVERSE MANUAL ESF ACTUATION Independent of the above design features, System 80+
| |
| implements a means for narual actuation of Engineered Safety Feature functions using a single channel which uses hardwired communication that bypasses all data links, network communications, and all computers with large software applications. Switches located in the Main Control Room pravide for system level actuation of two trains of safety injection and one train each of containment spray, emergency feedwater, closure of main steam isolation valves, closure of containment air purge valves and closure of a letdown isolation valve. The switches for safety injection, (continued)
| |
| SYSTEM 80+ B 3.3-130 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Logic and Manual Initiation B 3.3.6
| |
| /~T b i BASES BACKGROUND DIVERSE MANUAL ESF ACTUATION (continued) containment spray and emergency feedwater have three positions as follows: normal, actuate and stop.
| |
| The hardwired manual input signal from the control room switches will override input data received from the network communication interface to actuate the plant components.
| |
| This feature of the System 80+ design provides an additional level of protection against a postulated common mode failure of protective system software.
| |
| Provisions are made to permit periodic testing of the complete ESFAS. These tests cover the trip actions from sensor input through the protection system and actuation devices. The system test does not interfere with the :
| |
| protective function of the system. Overlap between l individual tests exists so that the entire ESFAS can be I tested. CESSAR-DC, Section 7.3 (Ref. 1) describes ESFAS ,
| |
| testing in detail.
| |
| (a APPLICABLE Each of the analyzed accidents can be detected by one or SAFETY ANALYSES more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be the secondary, or backup, actuation signal for one or more other i accidents. !
| |
| ESFAS protective Functions are as follows:
| |
| : 1. Safety In.iection Actuation Sianal (SIAS)
| |
| SIAS ensures acceptable consequences during large )
| |
| break loss of coolant accidents (LOCAs), small break i LOCAs, control element assembly ejection accidents, steam generator tube ruptures, excess steam demand events, and main steam line breaks (MSLBs). To i provide the required protection, either a high containment pressure or a low pressurizer pressure signal will initiate SIAS. The SIAS actuates the components necessary to inject borated water into the f3
| |
| \J (continued)
| |
| SYSTEM 80+ B 3.3-131 Rev. 00 ;
| |
| 16A Tech Spec Bases i
| |
| | |
| ESFAS Logic and Manual Initiation B 3.3.6 O
| |
| BASES APPLICABLE 1. Safety In.iection Actuation Sianal (SIAS) (continued)
| |
| SAFETY ANALYSES reactor coolant system and actuates components for emergency cooling. SIAS also actuates containment spray pumps. SIAS is also initiated by a loss of power to two or more measurement channels.
| |
| : 2. Containment Soray Actuation Sianal (CSAS)
| |
| CSAS actuates containment spray, preventing containment overpressurization during large break LOCAs, small break LOCAs, and MSLBs or feedwater line breaks (FWLBs) inside containment. CSAS is initiated by high containment pressure. CSAS is also initiated by loss of power to two or more measurement channels.
| |
| : 3. [ontainment Isolation Actuation Sianal (CIAS.1 CIAS ensures acceptable mitigating actions during large and small break LOCAs, and MSLBs inside containment or FWLBs either inside or outside containment. CIAS is initiated by low pressurizer pressure or high containment pressure. CIAS is also initiated by loss of power to two or nore measurement channels.
| |
| : 4. Main Steam Isolation Sianal (MSIS)
| |
| MSIS ensures acceptable consequences during an MSLB or FWLB (between the steam generator and the main feedwater check valve), either inside or outside containment. MSIS isolates both steam generators if either generator indicates a low pressure condition or if a high Containment pressure condition exists.
| |
| This prevents an excessive rate of heat extraction and subsequent cooldown of the RCS during these events.
| |
| 5, 6. Emeraency Feedwater Actuation Sianal (EFAS)
| |
| EFAS consists of two steam generator specific signals (EFAS-1 and EFAS-2). EFAS-1 initiates emergency feed to SG #1 and EFAS-2 initiates emergency feed to SG
| |
| #2. l 1
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-132 Rev. 00 16A Tech Spec Bases
| |
| | |
| l i
| |
| ESFAS Logic and Manual Initiation B 3.3.6 g
| |
| V BASES APPLICABLE 5, 6. Emeroency Feedwater Actuation Sianal (EFAS)
| |
| SAFETY ANALYSES (continued)
| |
| EFAS maintains a steam generator heat sink during a loss of MFW event, steam generator tube rupture event, MSLB, or FWLB event either inside or outside containment, or any event where normal AC power or the MFW system is unavailable. EFAS is also initiated by a loss of power to two or more measurement channels.
| |
| Low steam generator water level initiates emergency feed to the affected steam generator. If the affected steam generator recovers the level high enough, then the high level signal terminates the emergency feedwater flow to the affected steam generator.
| |
| The ESFAS satisfies Criterion 3 of the NRC Policy Statement. j O
| |
| ,V 7. Diverse Manual ESF Actuation Interface to ESF Components The Diverse Manual ESF Actuation Interface to ESF Components is a single channel which uses hardwired communication that bypasses all data links, network communications, and all computers with large software applications. Switches located in the control room provide system level actuation of two trains of safety injection and one train each of containment spray, emergency feedwater, closure of main steam isolation valves, closure of containment air purge valves, and closure of a letdown isolation valve.
| |
| The hardwired manual input signal from the control room switches will override input data received from the network communication interface to actuate the plant components. The three position control room switches for safety injection, containment spray, and emergency feedwater also have the ability to deactivate the associated plant components. These features of the System 80+ design provide an additional level of protection against a postulated common mode failure of protective system software.
| |
| O' (continued) j SYSTEM 80+ B 3.3-133 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Logic and Manual Initiation B 3.3.6 O
| |
| BASES APPLICABLE 7. Diverse Manual ESF Acteation Interface to ESF SAFETY ANALYSES _Gomoonents (continued)
| |
| The DIVERSE MANUAL ESF ACTUATION CHANNEL satisfies Criterion 4 of the NRC Policy Statement.
| |
| LC0 The LCO requires all channel components necessary to provide an ESFAS actuation to be OPERABLE.
| |
| The requirements for each Function are ~ listed below. The reasons for the applicable MODES for each Function are addressed under APPLICABILITY.
| |
| : 1. Safety In.iection Actuation Sianal (SIAS)
| |
| Automatic SIAS occurs on Pressurizer Pressure-Low or Containment Pressure-High and is explained in Bases 3.3.5.
| |
| SIAS is initiated either manually or automatically.
| |
| : a. ES.fAS LOGIC CHANNELS This LC0 requires four SIAS ESFAS LOGIC CHANNELS to be OPERABLE in MODES 1, 2, 3 and 4.
| |
| : b. ESFAS MANUAL INITIATION CHANNELS This LC0 requires four SIAS ESFAS MANUAL INITIATION CHANNELS to be OPERABLE in MODES 1, 2, 3 and 4.
| |
| : c. ACTUATION LOGIC This LC0 requires four divisions of SIAS l ACTUATION LOGIC to be OPERABLE in MODES 1, 2, 3 l and 4.
| |
| : d. COMPONENT CONTROL LOGIC This LC0 requires four divisions of SIAS I COMPONENT CONTROL LOGIC to be OPERABLE in MODES l 1, 2, 3 and 4. J (continued)
| |
| SYSTEM 80+ B 3.3-134 Rev. 00 16A Tech Spec Bases j
| |
| | |
| 4 ESFAS Logic and Manual Initiation m B 3.3.6 BASES LC0 2. . Containment Soray Actuation Sianal (CSAS)
| |
| (continued)
| |
| CSAS is initiated either manually or automatically.
| |
| Automatic CSAS occurs on Pressurizer Pressure-Low or Containment Pressure-High and is explained in Bases 3.3.5.
| |
| : a. ESFAS LOGIC CHANNELS This LCO requires four CSAS ESFAS LOGIC CHANNELS to be OPERABLE in MODES 1, 2, 3 and 4. ,
| |
| : b. ESFAS MANUAL INITIATION CHANNELS This LC0 requires four CSAS ESFAS MANUAL INITIATION CHANNELS to be OPERABLE in MODES 1, 2, 3 and 4.
| |
| : c. ACTUATION LOGIC This LCO requires four divisions of CSAS ACTUATION LOGIC to be OPERABLE in MODES 1, 2, 3 <
| |
| s I and 4.
| |
| : d. COMPONENT CONTROL LOGIC This LC0 requires four divisions of CSAS COMPONENT CONTROL LOGIC to be OPERABLE in MODES 1, 2, 3 and 4.
| |
| : 3. Containment Isolation Actuation Sianal (CIAS) i The SIAS and CIAS are actuated on Pressurizer j Pressure-Low or Containment Pressure-High, the SIAS J and CIAS share the same input channels, bistables, and Local Coincidence Logic. The remainder of the initiation channels, the manual channels, and the ACTUATION LOGIC are separate. Since their applicability is also the same, they have identical actions.
| |
| : a. ESFAS LOGIC CHANNELS This LCO requires four CIAS ESFAS LOGIC CHANNELS to be OPERABLE in MODES 1, 2, 3 and 4.
| |
| _t (continued)
| |
| SYSTEM 80+ B 3.3-135 Rev. 00
| |
| -16A Tech Spec Bases .
| |
| | |
| l I'
| |
| ESFAS Logic and Manual Initiation B 3.3.6 O
| |
| BASES LC0 3. Containment Isolation Actuation Sianal (CIAS).
| |
| (continued)
| |
| : b. ESFAS MANUAL INITIATION CHANNELS This LC0 requires four CIAS ESFAS MANUAL INITIATION CHANNELS to be OPERABLE in MODES 1, 2, 3 and 4.
| |
| : c. ACTUATION LOGIC This LC0 requires two divisions of CIAS ACTUATION LOGIC to be OPERABLE in MODES 1, 2, 3 and 4.
| |
| : d. COMPONENT CONTROL LOGIC This LC0 requires two divisions of CIAS COMPONENT CONTROL LOGIC to be OPERABLE in MODES 1, 2, 3 and 4.
| |
| : 4. Main Steam Isolation Sianal (MSIS) h MSIS is initiated either manually or automatically.
| |
| Automatic MSIS occurs on Steam Generator Pressure-Low or Containment Pressure-High and is explained in Bases 3.3.5.
| |
| : a. fSF_A_S M IC CHANNELS This LC0 requires four MSIS ESFAS LOGIC CHANNELS to be OPERABLE in MODES 1, 2, 3 and 4.
| |
| : b. ESFAS MANUAL INITIATION CHANNELS This LCO requires four MSIS ESFAS MANUAL INITIATION CHANNELS to be OPE'MBLE in MODES 1, 2, 3 and 4.
| |
| : c. ACTUATION LOGLQ This LCO requires two divisions of MSIS ACTUATION LOGIC to be OPERABLE in MODES 1, 2, 3 and 4.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-136 Rev. 00 16A Tech Spec Bases
| |
| | |
| - ESFAS Logic and Manual Initiation B 3.3.6 O
| |
| BASES i
| |
| ; LC0 4. Main Steam Isolation Sianal (MSIS) (continued) l
| |
| : d. COMPONENT CONTROL LOGIC This LC0 requires two divisions of MSIS COMPONENT CONTROL LOGIC to be OPERABLE in MODES i 1, 2, 3 and 4.
| |
| Emeraency Feedwater Actuation Sianal SG #1 (EFAS-1) l 5.
| |
| EFAS-1 is initiated either manually or automatically. l Automatic EFAS-1 occurs on a Steam Generator Level- )
| |
| Low. A Steam Generator Level-High interlock l automatically closes the emergency feedwater isolation valves to protect against steam generator overfill. This interlock is disabled by EFAS actuation on low steam generator level. Automatic initiation is explained in Bases 3.3.5.
| |
| : a. ESFAS Loaic Channels !
| |
| ,V(~%. This LC0 requires four EFAS-1 ESFAS LOGIC CHANNELS to be OPERABLE in MODES 1, 2 and 3.
| |
| : b. ESFAS Manual Initiation Channels This LCO requires four EFAS-1 ESFAS MANUAL INITIATION CHANNELS to be OPERABLE in MODES 1, 2 and 3.
| |
| : c. ACTUATION LOGIC This LC0 requires four divisions of EFAS-1 ACTUATION LOGIC to be OPERABLE in MODES 1, 2 and 3.
| |
| < d. Component Control loaic This LC0 requires four divisions of EFAS-1 COMPONENT CONTROL LOGIC to be OPERABLE in MODES 1, 2 and 3.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-137 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Logic and Manual Initiation B 3.3.6 9\!
| |
| BASES LCO 6. Emeraency Feedwater Actuation Sional SG #2 (EFAS-2)
| |
| (continued) EFAS-2 is initiated either manually or automatically.
| |
| Automatic EFAS-2 occurs on a Steam Generator Level-Low. A Steam Generator Level-High interlock automatically closes the emergency feedwater isolation valves to protect against steam generator overfill. This interlock is disabled by EFAS actuation on low steam generator level. Automatic initiation is explained in Bases 3.3.5.
| |
| : a. ISFAS LOGIC CHANNELS This LCO requires four EFAS-2 ESFAS LOGIC CHANNELS to be OPERABLE in MODES 1, 2 and 3.
| |
| : b. ESFAS MANUAL INITIATION CHANNELS This LC0 requires four EFAS-2 ESFAS MANUAL INITIATION CHANNELS to be OPERABLE in MODES 1, 2 and 3.
| |
| : c. ACTUATION LOGIC This LC0 requires four divisions of EFAS-2 ACTUATION LOGIC to be OPERABLE in MODES 1, 2 and 3.
| |
| : d. COMPONENT CONTROL LOGIC This LC0 requires four divisions of EFAS-2 COMP 0NENT CONTROL LOGIC to be OPERABLE in MODES 1, 2 and 3.
| |
| : 7. Diverse Manual ESF Actuation Interface to ESF Comoonents The Diverse Manual ESF Actuation Interface to ESF Components is initiated manually from switches in the control room. The switches for safety injection, containment spray, and emergency feedwater have three positions as follows: normal, actuate, and stop.
| |
| When in actuate, input received from the network communication interface to actuate the components will be overridden.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-138 Rev. 00 16A Tech Spec Bases
| |
| | |
| ESFAS Logic and Manual Initiation B 3.3.6 :
| |
| L7 ;
| |
| ! BASES
| |
| ( .
| |
| r LCO 7. Diverse Manual ESF Actuation Interface to ESF l Comoonents (continued)
| |
| This.LC0 requires one DIVERSE MANUAL ESF ACTUATION CHANNEL to be OPERABLE in MODES 1, 2, 3, and 4 for '
| |
| each of the following: safety injection, containment spray, emergency feedwater, closure of main steam ;
| |
| isolation valves, closure of containment air purge valves, and closure of a letdown isolation valve.
| |
| , APPLICABILITY In MODES 1, 2 and 3, there is sufficient energy in the primary and secondary systems to warrant automatic ESF l
| |
| . . System responses to: ]
| |
| e Close the main steam isolation valves to preclude a positive reactivity addition; e- Actuate emergency feedwater to preclude the loss of the steam generators as a heat sink (in the event the O normal feedwater system is not available);
| |
| e Actuate ESF systems to prevent or.11mit the release of fission product radioactivity to the environment by isolating containment and limiting the containment pressure from exceeding the containment design pressure during a design basis LOCA or MSLB; and ;
| |
| e Actuate ESF systems to ensure sufficient borated inventory to permit adequate core cooling and reactivity control during a design basis LOCA or MSLB accident..
| |
| i All the following ESF functions are required to be operable in these MODES:
| |
| : 1. Safety Injection Actuation - SIAS
| |
| : 2. Containment Spray Actuation - CSAS ;
| |
| : 3. Containment Isolation - CIAS
| |
| : 4. Main Steam Line Isolation - MSIS (continued)
| |
| Rev. 00
| |
| ~ SYSTEM 80+ B 3.3-139
| |
| '16A Tech Spec Bases w ,. .-.
| |
| | |
| ESFAS Logic and Manual Initiation B 3.3.6 O
| |
| BASES APPLICABILITY 5, 6. Emergency Feedwater - EFAS-1 and EFAS-2 (continued)
| |
| : 7. Diverse Manual ESF Actuation Interface to ESF Components.
| |
| For MODE 4 there is sufficient energy and potential in the primary and secondary systems to warrant I) the automatic actuation of all components to mitigate the consequences of a large break LOCA or Main Steam Line Break (MSLB) and 2) prevent or limit the release of fission product radioactivity to the environment. ESF functions which apply to MODE 4 operation follow:
| |
| : 1. Safety Injection Actuation - SIAS
| |
| : 2. Containment Spray Actuation - CSAS
| |
| : 3. Containment Isolation - CIAS
| |
| : 4. Main Steam Line Isolation - MSIS
| |
| : 5. Diverse Manual ESF Actuation Interface to ESF Components In MODES 5 and 6 these functions are not required because adequate time is available to evaluate plant conditions and respond by manually operating the ESF components if required. In most cases, the equipment actuated by these ESFAS functions need not be operable.
| |
| ACTIONS When the number of inoperable CHANNELS or divisions in a trip Function exceeds those specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LC0 3.0.3 should be entered immediately, if applicable in the current MODE of operation.
| |
| A Note has been added to the ACTIONS to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Time for the inoperable channel of a Function will be tracked separately for each Function, starting from the time the Condition was entered for that Function.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-140 Rev. 00 16A Tech Spec Bases
| |
| | |
| . ,- . .- . - . . .. . ~ . - -- -
| |
| ESFAS Logic and Manual Initiation ,
| |
| ~ B 3.3.6 '
| |
| BASES a
| |
| ACTIONS M i (continued)
| |
| Condition A applies to one LOGIC CHANNEL or MANUAL INITIATION CHANNEL inoperable, Place the affected TRIP LEG in each division in trip within +
| |
| one hour to place the ACTUATION LOGIC in one-out-of-two logic vice a selective two-out-of-three logic. A TRIP LEG '
| |
| of the Selective 2-out-of-4 Logic in each division is placed in a trip condition from the control room using the Operator's modules.
| |
| Failure of a single LOGIC CHANNEL or MANUAL INITIATION l CHANNEL may open contacts in all ACTUATION LOGIC divisions. l For the purposes of this Specification the ACTUATION LOGIC is not inoperable, i
| |
| 161 Condition B applies to the failure of both LOGIC CHANNELS or
| |
| ; bq MANUAL INITIATION CHANNELS affecting the same TRIP LEG.
| |
| Place the affected TRIP LEG in each division in trip immediately to place the ACTUATION LOGIC in one-out-of-two logic. Without this action the ESFAS function is
| |
| - inoperable. A TRIP LEG of the Selective 2-out-of-4 Logic in each division is placed in a trip condition from the control room using the Operator's Modules.
| |
| fu.1 Condition C applies to one or more Functions with two or
| |
| ~
| |
| more LOGIC CHANNELS or MANUAL INITIATION CHANNELS affecting both TRIP LEGS in the associated Function inoperable.
| |
| With two or more LOGIC CHANNELS or MANUAL INITIATION
| |
| ' CHANNELS affecting both TRIP LEGS in the associated Function ,
| |
| inoperable, automatic or manual division actuation of the associated Function is not possible. Therefore, the associated Function must be declared inoperable immediately. ;
| |
| i (continued)
| |
| SYSTEM 80+ B 3.3-141 Rev. 00 ,
| |
| 16A Tech Spec Bases j
| |
| | |
| ESFAS Logic and Manual Initiation B 3.3.6 O
| |
| BASES ACTIONS p_,1 (continued)
| |
| Condition D applies to one or more Functions with one or more divisions of ACTUATION LOGIC or COMPONENT CONTROL LOGIC inoperabic.
| |
| With one division of ACTUATION LOGIC or COMPONENT CONTROL LOGIC inoperable, automatic and manual division level actuation of the associated ESF components is not possible.
| |
| Required Action D.1 ensures that the applicable Conditionss and Required Actions for the associated Function made inoperable by one or more inoperable associated divisions of ACTUATION LOGIC or COMPONENT CONTROL LOGIC are entered immediately.
| |
| L1 Condition E applies if the DIVERSE MANUAL ESF ACTUATION CHANNEL is inoperable.
| |
| The associated ESF Function must be declared inoperable.
| |
| The associated ESF Function must be declared inoperable h
| |
| because failure of the DIVERSE MANUAL ESF ACTUATION CHANNEL could block the automatic signal from the ACTUATION LOGIC on the associated ESF Function. The DIVERSE MANUAL ESF ACTUATION CHANNEL is restored to OPERABLE via the associated ESF function required action.
| |
| El If the Required Actions and associated Completion Times cannot be met, the plant must be brought to a MODE in which the LC0 does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within [12) hours. These times meet the intent of LC0 3.0.3. The allowed Completion Times are reasonable, based on operating experience, to reach the required p % t conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| Required Actions F.1 and F.2 are modified by a Note to indicate that this action applies only to Functions 5 or 6 of Table 3.3.6-1 (EFAS-1 or EF AS-2).
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-142 Rev. 00 16A Tech Spec Bases
| |
| | |
| l l
| |
| : l I ESFAS Logic and Manual Initiation B 3.3.6 BASES i
| |
| < ACTIONS G.1 and G.2 (continued) ..
| |
| 4 If the Required Actions and associated Completion Times are f not met, the plant must be brought to a MODE in which the
| |
| : j. LCO does not' apply.. To achieve this status, the plant must i be brought to at least MODE 3 within 6 hours and to MODE 5 L within 36 hours. These times meet the intent of LCO 3.0.3.
| |
| The al'1 owed Completion Times are reasonable, based on 4
| |
| operating experience, to reach the required plant conditions
| |
| ; from full power conditions in an orderly manner and without j challenging plant systems.
| |
| ! Required Actions G.1 and G.2 are modified by a Note to
| |
| : indicate that this action applies only to Functions 1, 2, 3,
| |
| . .4, or 7 of Table 3.3.6-1 (SIAS, CSAS, CIAS, MSIS, or DIVERSE j MANUAL ESF ACTUATION CHANNEL).
| |
| 4 SURVEILLANCE SR 3.3.6.1 REQUIREMENTS
| |
| *O A CHANNEL FUNCTIONAL TEST on each ESFAS channel and division is performed every 92 days to ensure the entire channel and I
| |
| division will perform its intended function when needed.
| |
| The 92 day frequency is based on Reference 2. Major portions of the ESFAS are monitored and/or tested by the automatic test network. The operability of the automatic p CHANNEL FUNCTIONAL TEST is verified by the operator every 92 days to meet the surveillance requirement. Capability is i also provided to allow manual performance of the CHANNEL l
| |
| FUNCTIONAL TEST if the automatic CHANNEL TEST is inoperable.
| |
| Those portions of the system which are not amenable to automatic testing because they involve actuation of electromechanical devices, or involve devices which are not within the PPS cabinets, can be tested manually. The automatic test network is capable of performing tests during reactor operation. The automatic testing does not degrade
| |
| ' the ability of the ESFAS to perform its intended function.
| |
| The CHANNEL FUNCTIONAL TEST is part of an overlapping test sequence similar to that employed in the RPS. This sequence, consisting of SR 3.3.5.2 and SR 3.3.6.1 tests the entire ESFAS from the bistable input through the actuation of the individual-component control logic. These overlapping tests are described in Reference 1. SR 3.3.5.2-(continued)
| |
| J - SYSTEM 80+ . B 3.3-143 Rev. 00 16A Tech Spec, Bases t
| |
| .. -~ , , , , , - . , . . - _
| |
| . . _ . . . _ . _ ~ .-
| |
| | |
| ESFAS Logic and Manual Initiation B 3.3.6 O
| |
| BASES SURVEILLANCE SR 3.3.6.1 (continued REQUIREMENTS and SR 3.3.6.1 are normally performed together and in conjunction with ESFAS testing.
| |
| These tests verify that the ESFAS is capable of performing its intended function, from bistable input through the actuated components. SR 3.3.5.2 is addressed in LC0 3.3.5.
| |
| SR 3.3.6.1 includes Local Coincidence Logic Testing, Initiation Logic Testing, and ACTUATION LOGIC Testing.
| |
| Local Coincidence Loaic Testina Automatic Local Coincidence Logic Testing - The automatic test feature checks output status, generates trip conditions for each function, and monitors output status for correctness.
| |
| ESFAS Initiation Loaic Testina The ESFAS Initiation Logic is tested at the same time the O i Local Coincidence Logic is tested. Propagation of the l coincidence signal is verified.
| |
| ACTUATION LOGIC Test The ESF-CCS actuation logic receives short duration initiation signals (test signals) from the PPS. These signals are processed in the ESF-CCS and returned to the PPS for detection of initiation signal failure or the loss of an actuation signal to a group. Sequentially, the PPS transmits short duration initiation signals for each ESFAS signal.
| |
| The PPS processes the returned test signal for both the presence of an actuation signal when there should be one, i and the absence of an actuation signal when there should not ,
| |
| be one. The absence of a desired actuation signal or the presence of an unwanted actuation signal is detected at the time an abnormal or failed condition occurs. When an actuation channel is manually actuated at the ESF-CCS (e.g.,
| |
| for latch testing), a discrepancy between the PPS initiation (continued)
| |
| SYSTEM 80+ B 3.3-144 Rev. 00 16A Tech Spec Bases
| |
| | |
| i ESFAS Logic and Manual Initiation B 3.3.6 O :
| |
| BASES
| |
| ' SURVEILLANCE ACTUATION LOGIC Test (continued) .
| |
| REQUIREMENTS signals and the state of the actuation channel is automatically detected.
| |
| SR 3.3.6.2 :
| |
| )
| |
| A selective group test-on each division of ACTUATION LOGIC and COMPONENT. CONTROL LOGIC is performed to verify the OPERABILITY of each selective group. The [18]. month frequency is based on Reference 2 and the fact that some components cannot be tested at power since their actuation i might lead to plant trip or equipment damage.
| |
| ESFAS selective group-testing is performed by an operator in I the control room. This testing overlaps the PPS automatic i testing of the ESF-CCS selective two-out-of-four coincidence logic and includes complete testing of the ESFAS through to the actuation of the components. The components for each ESFAS are grouped. Testing is conducted one group at a
| |
| :I time, thus preventing the complete undesired actuation of an ESF system during testing. Since this testing causes components to actuate, an ESFAS signal from the PPS will not be impeded and the ESF system will proceed to full actuation.
| |
| SR 3.3.6.3 A CHANNEL FUNCTIONAL TEST is performed on each ESFAS MANUAL INITIATION CHANNEL and on each DIVERSE MANUAL ESF ACTUATION CHANNEL to ensure the Actuation push buttons are capable of enabling the ACTUATION LOGIC (for the MANUAL ESF ACTUATION CHANNEL) or COMPONENT CONTROL LOGIC (for the DIVERSE MANUAL ESF ACTUATION CHANNEL) when needed. The [18] month frequency is based on Reference 2.
| |
| l REFERENCES 1. Section 7.3.
| |
| : 2. (Surveillance Interval Analysis]
| |
| l
| |
| . SYSTEM 80+. B 3.3-145 Rev. 00.
| |
| 16A Tech Spec Bases l
| |
| | |
| DG - LOVS B 3.3.7 B 3.3 INSTRUMENTATION O
| |
| B 3.3.7 Diesel Generator (DG)-Loss of Voltage Start (LOVS)
| |
| BASES BACKGROUND The DGs provide a source of emergency power when offsite power is either unavailable or insufficiently stable to allow safe unit operation. Undervoltage protection will generate a LOVS in the event a Loss of Voltage or Degraded Voltage condition occurs. There are two LOVS Functions for each 4.16 kV safety bus.
| |
| Three loss of voltage relays and three degraded voltage relays are provided on each 4.16 kV safety bus for the purpose of detecting a sustained undervoltage condition or a loss of bus voltage. The relays are combined in a two-out-of-three logic for each Function to generate a LOVS if the voltage is below [75%) for a short time or below [90%] for a long time. The LOVS initiated actions are described in "Onsite Power Systems" (Ref. 1).
| |
| Trio Setooints and Allowable Value The trip setpoints and Allowable Values are based on the analytical limits presented in " Accident Analysis,"
| |
| Reference 2. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, and instrument drift, Allowable Values specified in SR 3.3.7.3 are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in Reference 3. The actual nominal trip setpoint is normally still more conservative than that required by the plant specific setpoint calculations. If the measured trip setpoint does not exceed the documented Surveillance acceptance criteria, the undervoltage relay is considered OPERABLE.
| |
| Setpoints in accordance with the Allowable Values will ensure that the consequences of accidents will be acceptable, providing the plant is operated from within the (continued)
| |
| SYSTEM 80+ B 3.3-146 Rev. 00 16A Tech Spec Bases
| |
| | |
| DG - LOVS-B 3.3.7 i
| |
| 'D V ;
| |
| BASES.
| |
| {
| |
| 4
| |
| ) BACKGROUND LCOs at the. onset of the accident and the equipment ,
| |
| .(continued) functions as designed. l The undervoltage protection scheme has'been designed.to
| |
| . protect the plant from spurious trips caused by the offsite power source. This is made'possible by the loss of voltage ,
| |
| and degraded voltage relays used. . In the event that offsite l power is unavailable and the diesel generators are not yet up to required voltage and speed at the time that an ESFAS is generated, there can be a delay-of up to 20 seconds {
| |
| before the diesel-generator output breakers close and power is supplied to the ESF buses. Emergency power is established within the maximum time delay assumed for each !
| |
| event analyzed in the accident analysis (Ref. 2)'. J 9
| |
| l F Trio Setooints and Allowable Value !
| |
| Since there are three protective. loss of voltage Function !
| |
| CHANNELS and three protective degraded voltage Function CHANNELS in a two-out-of-three trip logic for each of the ,
| |
| ) 4.16 kV safety buses per 4.16 kV division, no single failure will cause protective system actuation. This arrangement meets IEEE Standard 603-1980 criteria (Ref. 4).
| |
| APPLICABLE The DG - LOVS is required for engineered safety features SAFETY ANALYSES (ESF) systems to function in any accident with a loss of offsite power. Its design basis is that of the ESFAS.
| |
| Accident analyses credit the loading of the DG based on a loss of offsite power during a loss of coolant accident (LOCA). The actual DG start has historically been associated with the ESFAS actuation. The diesel loading has been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite. power. The analysis assumes a nonsechanistic DG loading, which does not explicitly account for each individual component of the. loss of power detection
| |
| - and subsequent actions. .This delay time includes contributions from the DG start, DG loading, and Safety Injection System component actuation. ~The response of the i DG to a loss of power must be demonstrated to fall within (continued) l SYSTEM 80+' B 3.3-147 Rev. 00 :
| |
| 116A Tech Spec' Bases- l l
| |
| 1
| |
| | |
| I DG - LOVS l B 3.3.7 l 0
| |
| BASES l
| |
| APPLICABLE this analysis response time when including the contributions !
| |
| SAFETY ANALYSES of all portions of the delay. 1 (continued) '
| |
| 1 The required CHANNELS of LOVS (loss of voltage and degraded voltage), in conjunction with the ESF systems powered from the DGs, provide plant protection in the event of any of the analyzed accidents discussed in Reference 2, in which a loss of offsite power is assumed. LOVS (loss of voltage and degraded voltage) CHANNELS are required to meet the redundancy and testability requirements of GDC 21 in 10 CFR 50, Appendix A (Ref. 5).
| |
| The delay times assumed in the safety analysis for the ESF equipment include the DG start delay and the appropriate sequencing delay, if applicable. The response times for ESFAS actuated equipment in LCO 3.3.5, " Engineered Safety Features Actuation System (ESFAS) Instrumentation," include the appropriate DG loading and sequencing delay.
| |
| The DG-LOVS (loss of voltage and degraded voltage) CHANNELS satisfy Criterion 3 of the NRC Policy Statement.
| |
| LC0 The LC0 for the LOVS requires that three CHANNELS per 4.16 kV safety bus of each LOVS instrumentation Function (loss of voltage and degraded voltage) be OPERABLE in MODES 1, 2, 3, and 4 and when the associated DG is required to be OPERABLE by LC0 3.8.2, "AC Sources -Shutdown." The LOVS (loss of voltage and degraded voltage) supports safety systems associated with the ESFAS. In MODES 5 and 6, the three CHANNELS must be OPERABLE whenever the associated DG is required to be OPERABLE to ensure that the automatic start of the DG is available when needed.
| |
| Loss of LOVS Function (loss of voltage and degraded voltage) could result in the delay of safety system initiation when required. This could lead to unacceptable consequences during accidents. During the loss of offsite power, which is an anticipated operational occurrence, the DG powers the motor driven emergency feedwater pumps. Failure of these pumps to start would leave only turbine driven pumps, as well as an increased potential for a loss of decay heat removal through the secondary system.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-148 Rev. 00 16A Tech Spec Bases
| |
| | |
| DG - LOVS
| |
| ,-s B 3.3.7 BASES LCO Only Allowable Values are specified for each Function in the (continued) LCO. Nominal trip setpoints are specified in the plant specific setpoint calculations. The nominal setpoints are selected to ensure that the setpoint measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within the A11ouable Value, is acceptable, provided that operation and testing is consistent with the assumptions of the plant specific setpoint calculation. A channel is inoperable if its actual trip setpoint is not within its
| |
| _ required Allowable Value. _
| |
| For this unit, the Allowable Values and trip setpoints are
| |
| __, specified in Reference 3. _
| |
| APPLICABILITY The DG - LOVS actuation (loss of voltage and degraded voltage) Function is required in MODES 1, 2, 3, and 4
| |
| .p because ESF Functions are designed to provide protection in these MODES. Actuation in MODE 5 or 6 is required whenever lv the required DG must be OPERABLE, so that it can perform its function on a loss of power or degraded power to the vital bus.
| |
| ACTIONS A LOVS CHANNEL is inoperable when it does not satisfy the OPERABILITY criteria for the CHANNEL's Function.
| |
| Determination of setpoint drift is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the instrument is set up for adjustment to bring it within Specification.
| |
| If the actual trip setpoint is not within the Allowable Value, the CHANNEL is inoperable, and the appropriate Conditions must be entered.
| |
| In the event a CHANNEL's trip setpoint is found nonconservative with respect to the Allowable Value, or the CHANNEL is found inoperable, then all affected Functions provided by that CHANNEL must be declared inoperable and the LCO Condition entered. The required CHANNELS are specified on a per 4.16 kV safety bus basis.
| |
| x (continued)
| |
| SYSTEM 80+ B 3.3-149 Rev. 00 16A Tech Spec Bases
| |
| | |
| l l
| |
| DG - LOVS !
| |
| B 3.3.7 l O'
| |
| BASES ACTIONS When the number of inoperable CHANNELS in a trip Function (continued) exceeds those specified in one or other related Conditions associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LC0 3.0.3 should be entered immediately if applicable in the current MODE of operation.
| |
| A Note has been added to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each DG-LOVS Function.
| |
| The Completion Time (s) of the inoperable CHANNEL (s) of a Function will be tracked separately for each Function, starting from the time the Condition was entered for that Function.
| |
| Ad Condition A applies if one CHANNEL is inoperable for one or more Functions per DG bus.
| |
| The Required Action is modified by a Note stating that LC0 3.0.4 is not applicable. The Note was added to allow the h1 changing of MODES even though one CHANNEL is inoperable, with that CHANNEL bypassed. In this configuration, the protection system is in a two-out-of-two logic.
| |
| If the CHANNEL cannot be restored to OPERABLE status, the affected CHANNEL should be placed in bypass within 2 hours (Required Action A.1).
| |
| Placing this CHANNEL in the bypass Condition ensures that logic is in a known configuration. In bypass, the LOVS logic for loss of voltage Function and degraded voltage Function is two-out-of-two for the safety bus with the failed LOVS CHANNEL. This is acceptable for the following reasons: 1) The other 4.16 kV safety bus in that division would be unaffected and still in a two-out-of-three logic to start the DG on a loss of offsite power source. Since the sequencer is an "or" circuit for DG start, a single subsequent failure will not prevent the DG in that division from starting and 2) The output logic (i.e., trip or no trip) is unaffected by the bypass and because there are two Diesel Generators (each capable of powering the required safety buses). Functions are not individually subject to (continued)
| |
| SYSTEM 80+ B 3.3-150 Rev. 00 16A Tech Spec Bases
| |
| | |
| DG - LOVS !
| |
| B 3.3.7 l O i BASES i
| |
| ACTIONS ~ A_J (continued) t single failure criteria. The 2 hour Completion Time is sufficient to perform these Required Actions since the ;
| |
| bypass is not required to be performed from the control room. ,
| |
| B.1 and B.2 !
| |
| i Condition B applies if two CHANNELS are inoperable for one l or more Functions.
| |
| In accordance with Required Action B.1, with two CHANNELS i inoperable. One CHANNEL must be placed in trip and the ;
| |
| other in bypass for each affected Function within 2 hours. ;
| |
| 4 With one CHANNEL in trip and the other in bypass the DG LOVS i (loss of voltage function or degraded voltage Function) is still OPERABLE for a DG start on a single additional CHANNEL failure. No additional failures on that 4.16 kV safety bus '
| |
| can be tolerated. However, the other division of 4.16 kV !
| |
| vital power is unaffected. The 2 hour Completion Time is !
| |
| sufficient to perform these required c.ctions since the j
| |
| ~
| |
| bypass is not reqlired to be performed from the Control Room.
| |
| 1 In accordance with Required Action B.2, two or more CHANNELS *
| |
| : must be restored to CPERA3LE status within 8 hours for each Function. The 8 hour Completion Time is sufficient time to !
| |
| i repair without declaring a DG inoperable, l U !
| |
| Condition C applies if there are one or more Functions with i three CHANNELS inoperable or the Required Actions of Conditions and associated Completion Time is not met.
| |
| Required. Action C.1 ensures that Required Actions for the affected DG inoperabD ities are initiated. Depending upon plant MODE, the ACTIONS specified in LC0 3.8.1, "AC Sources-Operating," or LC0 3.8.2 "AC Soures-Shutdown" are required immediately.
| |
| 5.
| |
| O (continued)
| |
| SYSTEM 80+ B 3.3-151 Rev, "O 16A Tech Spec Bases
| |
| | |
| I DG - LOVS B 3.3.7 ,
| |
| 1 BASES (continued) l SURVEILLANCE The following SRs apply to each DG - LOVS function. i I
| |
| REQUIREMENTS SR 3.3.7.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the indicated output of the potential transformers that feed the LOVS undervoltage relays. It is based on the assumption that instrument CHANNELS monitoring the same parameter should reflect the same logic. CHANNEL CHECK will detect gross CHANNEL failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIE; RATION.
| |
| SR 3.3. M A CHANNEL FUNCTIONAL TEST is performed every 92 days to ensure that the entire CHANNEL will perforr its intended function when needed.
| |
| 1 The frequency of 92 days is based on plant operating experience with regard to CHANNEL OPERABILITY, which demonstrates that failure of more than one CHANNEL of a given Function in any 92 day Frequency is a rare event.
| |
| The as found and as left states must be recorded and reviewed for consistency with the assumptions of the surveillance interval analysis. The requirements for this review are outlined in Reference [6].
| |
| SR 3.3.7.3 SR 3.3.3.2 is the performance of a CHANNEL CALIBRATION every (18] months. The CHANNEL CALIBRATION verifies the accuracy of each component within the MEASUREMENT CHANNEL. This includes calibration of the undervoltage relays and demonstrates that the equipment falls within the specified operating characteristics defined by the manufacturer. The Surveillance verifies that the CHANNEL responds to a measured parameter within the necessary range and accuracy.
| |
| CHANNEL CALIBRATION leaves the CHANNEL adjusted to account (continued)
| |
| SYSTEM 80+ B 3.3-152 Rev. 00 16A Tech Spec Bases
| |
| | |
| l I
| |
| DG - LOVS m B 3.3.7 i
| |
| BASES SURVEILLANCE SR 3.3.7.3 (continued)
| |
| REQUIREMENTS for instrument drift between successive surveillances, to ensure the instrument CHANNEL remains operational.
| |
| Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The CHANNEL shall be left calibrated consistent with the assumptions of the :urrent plant specific setpoint analysis.
| |
| The as found and as left values must be recorded and reviewed for consistency with the assumptions of the j surveillance interval analysis. The requirements for this ;
| |
| review are outlined in Reference [6].
| |
| The setpoints, as well as the response to a Loss of Voltage !
| |
| and Degraded Voltage test, shall include a single point l verification that the trip occurs withia the required delay time as shown in Reference 1. The Frequency is based upon the assumption of an (18] month calibration interval for the
| |
| &)-
| |
| ( determination of the magnitude of equipment drift in the setpoint analysis.
| |
| REFERENCES 1. Chapter 8.
| |
| : 2. Chapter 15.
| |
| : 3. [Setpoint Report].
| |
| : 4. IEEE Standard 603-1980.
| |
| : 5. 10 CFR 50, Appendix A, GDC 21.
| |
| : 6. [ Surveillance Interval Analysis.]
| |
| SYSTEM 80+ B 3.3-153 Rev. 00 16A Tech Spec Bases i
| |
| | |
| APS B 3.3.8 O
| |
| B 3.3 INSTRUMENTATION B 3.3.8 Alternate Protection System Instrumentation BASES BACKGROUND The Alternate Protection System (APS) augments the Reactor Protective System to address 10 CFR 50.62 (Ref. 1) requirements for the reduction in risk of Anticipated Transients Without Scram (ATWS) and the use of ATWS Mitigating Systems Actuation Circuitry (AMSAC).
| |
| The APS is designed to initiate a reactor trip for all Anticipated Operational Occurrences (A00s) which cause an overpressurization of the Reactor Coolant System with a concurrent failure of the Reactor Protective System (RPS) to trip the reactor.
| |
| These increasing pressure A00s include the following events for System 80+:
| |
| e Loss of Offsite Power e Loss of Load, o Loss of Condenser Vacuum, e CEA Withdrawal From Low Power Conditions, o Chemical and Volume Control System Malfunctions, and e Loss of Normal Feedwater.
| |
| Of the above listed A00s, the Loss of Condenser Vacuum is the limitir.g event [i.e., the event with the lowest Pressurizer Press - High trip setpoint and the highest Steam Generator Level - Low Emergency feedwater Actuation System (EFAS) setpoint.]
| |
| CESSAR-DC Sections 15.2, 15.4, and 15.5 (Ref. 4) provde a complete description of the above listed A00s.
| |
| The APS design includes an Alternate Reactor Trip Signal (ARTS) and Alternate Feedwater Actuation Signal (AFAS) that are separate and diverse from the Plant Protection System (PPS). The ARTS equipment provides a simple, yet diverse mechanism to significantly decrease the possibility of an ATWS and the AFAS provides added assurance that an ATWS event could be mitigated if it were to occur.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-154 Rev. 00 16A Tech Spec Bases
| |
| | |
| APS B 3.3.8
| |
| '~'s BASES BACKGROUND The ARTS will initiate a reactor trip when pressurizer (continued) pressure exceeds a predetermined value. The ARTS circuitry is diverse from that of the RPS. The ARTS design uses a two-out-of-two logic to open the CEDM motor generator output contactors, thus removing motive power to the Reactor Trip Switchgear System (RTSS).
| |
| The AFAS will initiate emergency feedwater when the level in ;
| |
| either steam generator decreases below a predetermined value. Its circuitry is diverse from that of the PPS Reactor Protection System. To satisfy the ATWS rule, a component control logic module in the Process-CCS is used to provide a means of emergency feedwater actuation which is diverse and independent from the PPS and ESF-CCS.
| |
| The APS uses equipment from sensor output to final actuated device that is diverse from the PPS to automatically initiate a turbine trip under conditions indicative of an ATWS. On detection of high pressurizer pressure indicative of an ATWS, the Alternate Protection System interrupts power to the CEDMs by opening the CEDM Motor Generator Set Output
| |
| .(/'')
| |
| ,/ Contractors. When under voltage relays in the Control Element Drive Mechanism Control System (CEDMCS) detect that power to the Control Element Drive Mechanisms (CEDMs) has been interrupted, the CEDMCS generates a turbine trip.
| |
| CESSAR-DC, Section 7.7 (Ref. 2) provide a complete description of the APS.
| |
| APPLICABLE LC0 3.3.8 requires two Alternate Protective (APS) CHANNELS SAFETY ANALYSIS for Pressurizer Pressure Reactor Trip, Steam Generator 1 Level - Alternate Feedwater Actuation Signal (AFAS), Steam Generator 2 Level - AFAS, and CEDMCS Bus Under Voltage Turbine Trip - when in MODE 1 or 2. The failure of a single CHANNEL will make the function inoperable since the system is activated by a two-out-of-two logic.
| |
| The Alternate Protection System satisfies Criterion 4 of the NRC Policy Statement.
| |
| d O
| |
| \s_J (continued)
| |
| SYSTEM 80+. B 3.3-155 Rev. 00 16A Tech Spec Bases
| |
| | |
| APS B 3.3.8 O
| |
| BASES (continued)
| |
| APPLICABILITY The APS is required to be operable in MODES 1 and 2 where it contributes to high pressure protection and the availability of Alternate Feedwater Actuation.
| |
| ACTIONS A.1 and A.2 Condition A applies when one or more APS CHANNEL is inoperable in MODES 1 or 2 for Pressurizer Pressure Reactor Trip, Steam Generator 1 1.evel-AFAS, Steam Generator Level 2
| |
| - AFAS, or CEDMCS Bus Uniler Voltage Turbine Trip.
| |
| Required Action A.1 places the inoperable CHANNEL in bypass to disable that trip function. A completion time of I hour is reasonable based on operating experience. The Required Action A.1 disables that trip function.
| |
| Required Action A.2 to Restore all CHANNELS to OPERABLE status within 30 days is reasonable because the APS is a separate and diverse non-safety backup system for the Reactor Trip and Emergency Feedwater Actuation Signal PPS trips. The 30 days allows sufficia.t time to repair an inoperable CHANNEL but ensures the CHANNEL is repaired to provide backup protection.
| |
| B.1 and B.2 Condition B applies when Completion Time or Required Action A.2 cannot be completed within the required completion time of 30 days. Required Action B.1 requires SR 3.3.1.8,
| |
| " Perform CHANNEL FUNCTIONAL TEST" for RPS Instrumentation-Operating to be performed once per 31 days.
| |
| It is desirable to have the APS OPERABLE during MODES I and
| |
| : 2. However, certain failures (e.g. sensor failure inside containment) may not be repairable during power operation.
| |
| The APS is a non-safety system; however, its operability has a significant impact on core damage frequency. When one APS CHANNEL is inoperable at power risk is reduced if the surveillance interval for the RPS Instrumentation-Operating, SR ?.3.1.8, " Perform CHANNEL FUNCTIONAL TEST" is performed every 31 days vice every 92 days.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-156 Rev. 00 16A Tech Spec Bases I
| |
| | |
| 1 APS B 3.3.8 i r'\ !
| |
| G :
| |
| BASES II ACTIONS B.1 and 8.2 (continued) ,
| |
| Required Action B.2 to restore all CHANNELS to OPERABLE l I
| |
| status prior to entering MODE 2 following next MODE 5 entry is provitrJ to ensure that all APS CHANNELS are restored to ;
| |
| OPERABLE status following the next plant shutdown. l L.1 Condition C is entered if the Required Action associated with Condition A.1 or B is not met within the required 1 completion time. The Required Action C.1 to be in MODE when the APS is required within 6 hours is reasonable 'oased )
| |
| on plant operating experience, for reaching the required i plant conditions from full power conditions in an orderly manner without challenging plant systems.
| |
| A SURVEILLANCE SR 3.3.8.1 '
| |
| V REQUIREMENTS Performance of the CHANNEL check once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one CHANNEL to a similar parameter on other CHANNELS. It is i based on the assumption that instrument CHANNELS monitoring the same parameter should read approximately the same value.
| |
| Significant deviations between the two instrument CHANNELS i could be an indication of excessive instrument drift in one of the CHANNELS. A CHANNEL CHECK will detect gross CHANNEL l failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Agreement criteria are determined by the plant staff based on a combination of the CHANNEL instrument uncertainties, including indication and readability. If a CHANNEL is outside the match criteria, it may be an indication that the sensor or the signal processir; equipment has drifted !
| |
| outside its limit. If the CHANNELS are within the match criteria, it is an indication that the CHANNELS are OPERABLE. If the CHANNELS are normally off scale during times when surveillance is required, the CHANNEL CHECK will l only verify that they are off scale in the same direction.
| |
| f).
| |
| V- (continued)
| |
| SYSTEM 80+ B 3.3-157 Rev. 00 ,
| |
| 16A Tech Spec Bases
| |
| | |
| APS B 3.3.8 O
| |
| BASES SURVEILLANCE SR 3.3.8.1 (continued)
| |
| REQUIREMENTS Off scale low current loop CHANNELS are verified to be reading at the bottom of the range and not failed downscale.
| |
| The Frequency of 12 hours is based upon plant operating experience with regard to CHANNEL OPERABILITY and drift, which demonstrates that failure of more than one CHANNEL of a given Function in any 12 hour interval is a rare event.
| |
| The CHANNEL CHECK supplements less formal, but more frequent, checks of CHANNEL OPERABILITY during normal operational use of the displays associated with this LC0's required CHANNELS.
| |
| The CHANNEL CHECK may be performed automatically by validation algorithms within the DPS and DIAS. To take credit for the automatic CHANNEL CHECK, the operator will be required to verify that DPS or DIAS is OPERABLE and that there are no alarms associated with APS instrumentation.
| |
| In the event that neither DPS or DIAS validation checking function is OPERABLE, or do not perform a cross CHANNEL comparison on a particular parameter, the operator will be required to perform the CHANNEL CHECK manually.
| |
| SR 3.3.8.2 A CHANNEL FUNCTIONAL TEST is performed on each Alternate l Protection System CHANNEL to ensure the entire CHANNEL will l I
| |
| perform its intended function. Setpoints must be found within Allowable Values specified in SR 3.3.8.2 and left consistent with the assumptions of the plant specific setpoint methodology (Ref. 3). The frequency of 92 days is based on plant operating experience with regard to CHANNEL OPERABILITY and drift, which demonstrates that failure of a CHANNEL of a given function in any 92 day interval is a rare event. !
| |
| l (continued)
| |
| SYSTEM 80+ B 3.3-158 Rev. 00 16A Tech Spec Bases
| |
| | |
| APS B 3.3.8 BASES SURVEILLANCE SR 3.3.8.3 .
| |
| REQUIREMENTS (continued) A CHANNEL CALIBRATION is performed every [18] months.
| |
| CHANNEL CALIBRATION is a complete check of the instrument CHANNEL including the sensor. The Surveillance verifies the CHANNEL responds to the measured parameter within the necessary range and accuracy.
| |
| The bases for the APS Technical Specification trip setpoints and Allowable Values is that in all cases the safety grade PPS signal takes priority over the control grade APS if the PPS is functioning normally.
| |
| The Alternate Reactor Trip System (ARTS) is designed to initiate a reactor trip when the pressurizer pressure exceeds a predetermined value. This value is based on the following requirements:
| |
| : 1. The ARTS will initiate a reactor trip at a ,
| |
| pressure above the PPS High Pressurizer !
| |
| Pressure Trip. !
| |
| : 2. The ARTS will initiate a reactor trip at a pressure below the Primary Safety Valve (PSV) opening pressure.
| |
| : 3. Electrical and mechanical instrument and equipment uncertainties must be considered.
| |
| However, harsh environment uncertainties need not be included for the ARTS setpoint analysis.
| |
| The Auxiliary Feedwater Actuation Signal (AFAS) is designed to initiate auxiliary feedwater flow when the downcomer ;
| |
| level in either steam generator decreases below a l predetermined value. This value is established based on the '
| |
| following requirements: ;
| |
| i The AFAS will initiate auxiliary feedwater at a 1.
| |
| level in either steam generator which is less that the Engineered Safety Features Actuation System low level signal used by the PPS when the PPS is operating normally.
| |
| f 4 4 V (continued)
| |
| SYSTEM 80+ B 3.3-159 Rev. 00 16A Tech Spec Bases l
| |
| | |
| APS B 3.3.8 9
| |
| BASES SURVEILLANCE SR 3.3.8.3 (continued)
| |
| REQUIREMENTS
| |
| : 2. Electrical and mechanical instrument and equipment uncertainties must be considered.
| |
| However, harsh environment uncertainties need not be included for the AFAS setpoint analysis.
| |
| CHANNEL CALIBRATION shall find measurement errors are l _ ithin w the acceptance criteria specified in Reference 3. __
| |
| The Frequency is based upon operating experience and consistency with the typical industry refueling cycle and is justified by the assumption of an [18] month calibration interval for the determination of the magnitude of equipment drift.
| |
| REFERENCES 1. 10 CFR 50, Appendix A
| |
| : 2. Section 7.7 h
| |
| : 3. [Setpoint Report]
| |
| : 4. Sections 15.2, 15.4, and 15.5 O
| |
| SYSTEM 80+ B 3.3-160 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| p CRIFS B 3.3.9 i
| |
| u B 3.3 INSTRUMENTATION B 3.3.9 Control Room Intake / Filtration Signal (CRIFS)
| |
| BASES BACKGROUND This LC0 encompasses CRIFS actuation, which is an instrumentation CHANNEL that performs an actuation Function required for plant protection but is not otherwise included in the LCO 3.3.6, " Engineered Safety Features Actuation System (ESFAS) Actuation," or LC0 3.3.7, " Diesel Generator (DG) - Loss of Voltage Start (LOVS)." This is a non Nuclear Steam Supply System ESF Function that, because of differences in purpose, design, and operating requirements, is not included in LC0 3.3.6 and LC0 3.3.7.
| |
| The CRIFS includes two independent, redundant divisions, including actuation trains, and radiation sensors. The
| |
| , CRIFS performs the following two functions: 1) isolate the control room intake which has the greater radiation level and block the isolation of the control room intake which has A the lesser radiation level, and 2) start the designated
| |
| ()' control room filtration units and ventilation fan. These functions minimize operator radiation exposure. The two
| |
| ; divisions use separate radiation sensor inputs and actuate separate control room intakes. Actuation of either division will perform the intended function. The designated control room filtration units and ventilation fan also start
| |
| ; automatically on a Safety Injection Actuation Signal (SIAS).
| |
| Actuation Setooints and Allowable Values Actuation setpoints used in the comparator logic are based on the analytMal limits (Ref.1). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, !
| |
| instrumentation uncertainties, and instrument drift, Allowable Values specified in LCO 3.3.9 are conservatively adjusted with respect to the analytical limits. A detailed "
| |
| example of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in [Setpoint Report) (Ref. 2). The actual nominal trip setpoint entered into the bistable is normally still
| |
| ,O b) (continued)
| |
| SYSTEM 80+ B 3.3-161 Rev. 00 16A Tech Spec Bases i
| |
| . . . . . )
| |
| | |
| CRIFS B 3.3.9 O
| |
| BASES BACKGROUND more conservative than that specified by the Allowable Value (continued) to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. One example of such a change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.
| |
| Setpoints in accordance with the Allowable Value will ensure that Safety Limits are not violated during anticipated operational occurrences (A00s), and the consequences of Design Basis Accidents will be acceptable, providing the plant is operated from within the LCOs at the onset of the A00 or accident, and the equipment functions as designed.
| |
| APPLICABLE The CRIFS, in conjunction with the Control Complex Air SAFETY ANALYSES Handling System, maintains the control room atmosphere within conditions suitable for prolonged occupancy throughout the. duration of any one of the accidents discussed in Reference 1. The radiation exposure of control room personnel, through the duration of any one of the postulated accidents discussed in " Accident Analysis,"
| |
| CESSAR-DC, Chapter 15 (Ref.1), does not exceed the limits set by 10 CFR 50, Appendix A, GDC 19 (Ref. 3).
| |
| The CRIFS satisfies the requirements of Criterion 3 of the NRC Policy Statement.
| |
| l LC0 LC0 3.3.9 requires two divisions of CRIFS to be OPERABLE. i The required division consists of ACTUATION LOGIC and !
| |
| radiation monitors. The specific Allowable Values for the j setpoints of the CRIFS are listed in the SRs.
| |
| Only the Allowable Values are specified for each actuation Function in the LCO. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that the difference between the nominal trip setpoint and the Allowable Value is equal to or greater than the drift allowance assumed for i each trip in the transient and accident analyses. !
| |
| (continued) I SYSTEM 80+ B 3.3-162 Rev. 00 l 16A Tech Spec Bases !
| |
| l 1
| |
| | |
| _ . _ _ . . __ _ . _ _ _ . _ _ . __ . . . _ . _ _~ . . _ -
| |
| l CRIFS-B 3.3.9 BASES' r a
| |
| LCO Each Allowable Value specified is more conservative than the (continued) analytical limit assumed in the transient and accident !
| |
| analysis in order to' account for instrument uncertainties ;
| |
| appropriate to the trip Function. These uncertainties are :
| |
| defined in the (Setpoint Report) (Ref. 2). A CHANNEL is ;
| |
| inoperable if its actual trip setpoint is not within its required Allowable Value. 7 The Bases for the LCO on'the CRIFS are discussed below for each Function:
| |
| : a. Airborne Radiation l t
| |
| Both CHANNELS of Airborne Radiation detection in the associated CRIFS division are required to be OPERABLE to ensure the control room isolates the control room intake with the highest radiation level and filtration units are placed in operation. ;
| |
| [For this unit, the Allowable Values are specified in i Reference 2.] t
| |
| : b. Actuation Loaic l Two divisions of Actuation Logic must be OPERABLE, since isolation of the control room intake with the highest radiation' level is only accomplished automatically by CRIFS.
| |
| AFPLICABILITY The CRIFS Functions must be OPERABLE in MODES 1, 2, 3, and 4, during CORE ALTERATIONS and during movament of irradiated fuel assemblies to ensure a habitable environment for the control room operators.
| |
| ACTIONS A CRIFS division is inoperable when it does not satisfy the
| |
| : OPERABILITY criteria for the division's function. The most common cause of division inoperability is outright failure
| |
| .or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically the drift is not large and would result O { continued) <
| |
| SYSTEM 80+ B 3.3-163 Rev. 00 16A Tech Spec Bases
| |
| | |
| CRIFS B 3.3.9 O
| |
| BASES ACTIONS in a delay of actuation, rather than a total loss of (continued) function. This determination is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it within specification. If the trip setpoint is not within the Allowable Value, the division is inoperable and the appropriate Conditions must be entered.
| |
| A.1 and A.2 Condition A applies if one CRIFS division is inoperable in the 1, 2, 3 or 4 MODE. A CRIFS division is inoperable if its actuation signal, comparator logic, or either input radiation monitor CHANNELS are inoperable. With one division inoperable the redundant division is capable of performing the required safety function.
| |
| Required Action A.1 places the filtration units in operation by closing the bypass dampers and starting the filtration units within a Completion Time of I hour. This required action is conservative since the redundant division will perform the isolation and filtration functions and a SIAS will initiate the filtration function. Placing the filtration units in operation ensures that the control room air is filtered in the event of an accident.
| |
| Required Action A.2 restores the division to OPERABLE status with a Completion Time of 7 days. This required action is conservative since the redundant division will initiate the isciation and filtration functions and a SIAS will perform the filtration function. Restoring the inoperable division to OPERABLE status within 7 days ensures the excess redundancy is available for the isolation function.
| |
| Completion Time is consistent with the completion time for the loss of a control room ventilation division and is based on operating experience and takes into account the remaining OPERABLE division and SIAS which initiates the filtration function, and the low probability of an event requiring CRIFS during this interval.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-164 Rev. 00 16A Tech Spec Bases
| |
| | |
| CRIFS B 3.3.9 ,
| |
| BASES l
| |
| ACTIONS- B.1. B.2. and B.3 !
| |
| .(continued) !
| |
| Condition B applies if two CRIFS divisions are inoperable in l MODE 1, 2, 3, or 4 or if the Required Actions and associated Completion Times of Condition A are not met. With both -
| |
| 'CRIFS divisions inoperable the isolation function cannot be i accomplished automatically and filtration function can only ,
| |
| -be accomplished automatically via SIAS.
| |
| If both divisions cannot be restored to OPERABLE status, the -
| |
| plant must be brought.to.a Mode in which the LCO does not apply and place the filtration units in operation. To achieve this status, close the bypass dampers on the control ;
| |
| room filtration units and start the filtration units within i 1 hour (Required Action B.1). Additionally, the plant must be brought to at least MODE 3 within 6 hours (Required l Action B.2) and to MODE 5 within 36 hours (Required Action -l '
| |
| B.3). A completion of time of I hour is a reasonable time to accomplish this task. The Completion Times of 6 hours
| |
| .and 36 hours for reaching MODES 3 and 5 from MODE I are reasonable, based on operating experience and normal i O cooldown rates, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant safety systems or operators.
| |
| C.1 and C.2 Condition C applies.if one CRIFS division is inoperable
| |
| ! durir.g CORE ALTERATIONS or during movement of irradiated fuel. A CRIFS division is inoperable if its actuation i signal, comparator logic or either input radiation monitor CHANNELS are inoperable. With one division inoperable the
| |
| ; redundant division is capable of performing the required safety function.
| |
| Required Action C.1 places the filtration units in operation
| |
| : by closing the bypass dampers and starting the filtration units within a Completion Time of I hour. This required
| |
| , action is conservative since the redundant division will perform the isolation and filtration functions and a SIAS Placing the will initiate the filtration function.
| |
| filtration units in operation ensures that the control room air is filtered in- the event of an accident. !
| |
| o j
| |
| '. (continued) i I
| |
| SYSTEM 80+- B 3.3-165 Rev. 00
| |
| '16A Tech Spec 4 Bases"
| |
| | |
| CRIFS B 3.3.9 O
| |
| BASES ACTIONS C.1 and C.2 (continued)
| |
| Required Action C.2 restores the division to OPERABLE status within 7 days. This required action is conservative since the redundant division will perform the isolation and filtration function. Restoring the inoperable division to OPERABLE status within 7 days ensures the excess redundancy is available to perform the isolation function.
| |
| Completion Time is consistent with the completion time for loss of a control room ventilation division and is based on operating experience. That takes into account the remaining OPERABLE division which initiates the filtration and isolation functions, and the low probability of an event requiring CRIFS during this interval.
| |
| D.1. D.2. D.3. and D.4 Condition D applies if two CRIFS divisions are inoperable during CORE ALTERATIONS, or during movement of irradiated fuel assemblies. The Required Actions are immediately taken to close bypass dampers on control room filtration units and start the filtration units; or suspend movement of irradiated fuel assemblies, positive reactivity additions, and suspend CORE ALTERATIONS. The Completion Time recognizes the fact that the radiation signals are the only functions available to indicate the need for control room filtration and isolation functions in the event of a fuel handling accident.
| |
| SURVEILLANCE SR 3.3.9.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one CHANNEL to e similar parameter on other CHANNELS. It is based on the assumption that instrument CHANNELS monitoring the same parameter should read approximately the same value.
| |
| Significant deviations between the two instrument CHANNELS could be an indication of excessive instrument drift in one of the CHANNELS. CHANNEL CHECK will detect gross CHANNEL (continued)
| |
| SYSTEM 80+ B 3.3-166 Rev. 00 16A Tech Spec Bases
| |
| | |
| CRIFS-B 3.3.9 BASES i
| |
| 4 SURVEILLANCE SR 3.3.9.1 (continued) l REQUIREMENTS l failure; thus, it is key to verifying the instrumentation i continues. to operate properly between each CHANNEL j CALIBRATION.
| |
| Agreement criteria are determined by the plant staff based ;
| |
| on.a combination.of the CHANNEL instrument uncertainties, including indication and readability. If a CHANNEL is outside the match criteria, it may be an indication that the-
| |
| * transmitter or the signal processing equipment have drifted outside its limit.
| |
| The Frequency, about once every shift, is based on operating !
| |
| experience that demonstrates the rarity of CHANNEL failure, j Thus, performance of the CHANNEL CHECK guarantees that .
| |
| undetected overt CHANNEL failure is limited to 12 hours.
| |
| Since the probability of two-random failures in redundant .
| |
| CHANNELS in any 12 hour period is low, the CHANNEL CHECK :
| |
| minimizes the chance of loss -of-protective function due to failure of redundant CHANNELS. The CHANNEL CHECK O supplements less formal, but more frequent, checks of CHANNEL OPERABILITY during normal operational use of the -1 i
| |
| displays associated with the LC0 required CHANNELS.
| |
| SR 3.3.9.2 A CHANNEL FUNCTIONAL TEST is performed on each CRIFS LOGIC CHANNEL to ensure the entire CHANNEL will perform its intended function.
| |
| The as found and as left values must be recorded and reviewed for consistency with the assumptions of the
| |
| [ surveillance interval analysis]. The requirements for this review are outlined in Reference [4].
| |
| The Frequency of 92 days is based on plant operating experience with regard to CHANNEL OPERABILITY and drift, I which demonstrates that failure of more than one CHANNEL of a given Function in any 92 day interval is a rare event.
| |
| 1 l
| |
| 1 cO V (continued)
| |
| SYSTEM 80+ B 3.3-167 Rev. 00 i 16A1 Tech Spec Bases i
| |
| - u
| |
| | |
| CRIFS B 3.3.9 BASES SURVEILLANCE SR 3.3.9.3 REQUIREMENTS (continued) Proper operation of each CRIFS Output Division is verified by performing a selective group FUNCTIONAL TEST of the Actuation Logic every [18] months. This will actuate the Function by operating all associated equipment.
| |
| The Frequency of {18] months is based on plant operating experience with regard to CHANNEL OPERABILITY, which demonstrates that failure of more than one CHANNEL of a given Function in any [18] month interval is a rare event.
| |
| A Note indicates this Surveillance includes verification of operation for each subgroup.
| |
| SR 3.3.9.4 CHANNEL CALIBRATION is a complete check of the instrument CHANNEL including the sensor. The Surveillance verifies that the CHANNEL responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the CHANNEL adjusted to account for instrument drifts between successive calibrations to ensure that the CHANNEL remains operational between successive surveillance.
| |
| Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The CHANNEL shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis.
| |
| The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the
| |
| [ surveillance interval analysis]. The requirements for this review are outlined in Reference [4].
| |
| The Frequency is based upon the assumption of an [I8] month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis.
| |
| (continued)
| |
| O' SYSTEM 80+ B 3.3-168 Rev. 00 l 16A Tech Spec Bases I
| |
| | |
| ~l j
| |
| I CRIFS B 3.3.9 1 BASES'(continued)~
| |
| REFERENCES 1. Chapter 15.
| |
| : 2. [Setpoint Report] .
| |
| : 3. 10 CFR 50, Appendix A, GDC 19. !
| |
| : 4. [ Surveillance Interval Analysis.]
| |
| l i
| |
| I
| |
| .i
| |
| ;. l j
| |
| .O a
| |
| 8 i
| |
| i t
| |
| 4 4
| |
| 'O SYSTEM 80+ . B 3.3-169 Rev. 00 16A~ Tech Spec. Bases- ;
| |
| | |
| Containment Bypass Instrumentation SGTR B 3.3 INSTRUMENTATION B 3.3.10 Containment Bypass Instrumentation Steam Generator Tube Rupture (SGTR)
| |
| BASES BACKGROUND This instrumentation is required to:
| |
| : a. Detect an incipient Steam Generator Tube Rupture.
| |
| : b. Identify the ruptured steam generator so that emergency procedures may be followed by the operator.
| |
| The postulated release path is from failed fuel to the reactor coolant system to the steam generator secondary side to the condenser air ejection to the plant stack.
| |
| Monitors are provided at a steam line for each steam generator and at the steam generator blowdown line for each steam generator.
| |
| The Technical Specification assures that radiation monitors are available to identify which steam generator has h
| |
| experienced a rupture.
| |
| APPLICABLE The instrumentation is not credited in the safety analysis, SAFETY ANALYSES however, it is required so that the operator can identify that a steam generator tube rupture has occurred and take the correct actions to control a steam generator tube rupture and prevent radiation release from the plant. This instrumentation satisfies the Criteria 4 of the NRC Policy statement.
| |
| LC0 LC0 3.3.10 requires two CHANNELS of steam generator tube rupture identification instrumentation, one of which is a Main Steam Line N-16 MEASUREMENT CHANNEL, to be OPERABLE in MODE 1 when 2 25% RTP for each steam generator and one MEASUREMENT CHANNEL of steam generator tube rupture identification instrumentation, excluding the Main Steam Line N-16 MEASUREMENT CHANNEL, to be OPERABLE in MODE 1 when (continued)
| |
| SYSTEM 80+ B 3.3-170 Rev. 00 16A Tech Spec Bases
| |
| | |
| 1 Containment Bypass Instrumentation SGTR n B 3.3.10 )
| |
| b BASES ;
| |
| l LC0 < 25% RTP and in MODES 2, 3, and 4 for each steam generator. 4 (continued) Two radiation monitor MEASUREMENT CHANNELS, a Steam l Generator Blowdown Radiation and Main Steam Line Radiation i are available for each steam generator to perform the Steam Generator Blowdown / Radiation Monitor Function A.1 and A.2.
| |
| If either MEASUREMENT CHANNEL is OPERABLE the LC0 :
| |
| requirement is satisfied.
| |
| I APPLICABILITY This LC0 requires two MEASUREMENT CHANNELS of steam !
| |
| generator tube rupture identification instrumentation, one l of which is a Main Steam Line N-16 MEASUREMENT CHANNEL, to be OPERABLE in MODE 1 when = 25% RTP for each steam generator to accommodate single failure criteria at high power levels. The Main Steam Line N-16 MEASUREMENT CHANNEL l is required for each steam generator when a 25% RTP because it has increased sensitivity over the Main Steam Line Radiation or Steam Generator Blowdown Radiation Monitor MEASUREMENT CHANNELS. This LC0 requires one MEASUREMENT A CHANNEL of steam generator tube rupture identification
| |
| 'Q instrumentation, excluding the Main Steam Line N-16 MEASUREMENT CHANNEL to be OPERABLE in MODE 1 when < 25% RTP and in MODES 2, 3, and 4 for each steam generator to ensure that a steam generator tube rupture can be identified at low power or during shutdown MODES when the potential radiation release exists. The N-16 has inadequate sensitivity at
| |
| < 25% RTP, hence it cannot be credited below this power.
| |
| ACTIONS These CHANNELS have no automatic functions hence bypassing or tripping a CHANNEL is not applicable. The operator action is to restore a required failed CHANNEL to operation within the required tirne.
| |
| Ad Condition A applies as follows:
| |
| Loss of one Function in Table 3.3.10-1.
| |
| )
| |
| C'' (continued)
| |
| SYSTEM 80+ B 3.3-171 Rev. 00 16A Tech Spec Bases
| |
| | |
| Containment Bypass Instrumentation SGTR B 3.3.10 0
| |
| BASES ACTIONS M (continued)
| |
| If the required steam generator tube rupture identification instrumentation is not available, the required MEASUREMENT CHANNEL must be restored to OPERABLE status within 30 days.
| |
| The 30 day completion time is based on operating experience and takes into account the remaining OPERABLE CHANNEL when a 25% RTP and the relative low probability of an event requiring steam generator tube rupture identification instrumentation and availability of alternate means to cbtain the required information (e.g., steam generator sample) .
| |
| M Condition B is entered if there is one or more Functions with two required MEASUREMENT CHANNELS inoperable or, if the required action associated with Condition A is not met within the required completion time. The Required Action B.1 to be in MODE 3 within 6 hours and to be in MODE 5 within 36 hours is reasonable, based on operating experience, for reaching the required plant conditions from h
| |
| full power conditions in an orderly manner without challenging plant systems.
| |
| SURVEILLANCE SR 3.3.10.1 l REQUIREMENTS l Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred.
| |
| CHANNEL CHECK is a comparison of the parameter indicated on one CHANNEL to a similar parameter on other CHANNELS. It is ,
| |
| based on the assumption that instrument CHANNELS monitoring the same parameter should read approximately the same value.
| |
| Significant deviations between the two instrument CHANNELS could be an indication of excessive instrument drift in one of the CHANNELS. A CHANNEL CHECK will detect gross CHANNEL failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-172 Rev. 00 16A Tech Spec Bases
| |
| | |
| _ . . . _ - _ _ _ . _ _ . _ . _ . _ ~ . _ _ . . . _ _ . _ . _ _ . . _ . _ _ _ _ _ _ _
| |
| Containment Bypass Instrumentation 9GTR B 3.3.10 j
| |
| BASES '
| |
| j SURVEILLANCE SR 3.3.10.1 (continued). '
| |
| REQUIREMENTS Agreement criteria are determined.by the plant staff based on a combination of the CHANNEL instrument uncertainties, including. indication and readability. If a CHANNEL is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the CHANNELS are within the match criteria, it is an indication that the CHANNELS are. <
| |
| OPERABLE. If the CHANNELS are normally off scale during ,
| |
| times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction. -
| |
| Off scale low current loop CHANNELS are verified to be reading at the bottom of the range and not failed downscale.
| |
| Frequency of 12 hours is based upon plant operating experience with regard to CHANNEL OPERABILITY and drift, '
| |
| which demonstrates that failure of more than one CHANNEL of a given Function in any 12 hour interval is a rare event. The CHANNEL CHECK supplements less formal, but more frequent, checks of the CHANNEL during normal operational O
| |
| use of the displays associated with this LCO's required CHANNELS.
| |
| 51_L3.10.2 A CHANNEL FUNCTIONAL TEST on each MEASUREMENT CHANNEL is performed every 92 days to ensure the entire MEASUREMENT CHANNEL will perform its intended function when needed.
| |
| This test may be performed automatically by an automatic test network with self diagnostics or manually. If
| |
| ' performed automatically, the operability of the automatic i- test network is verified every 92 days to meet the Surveillance requirement.
| |
| i - SR 3.3.10.3 A CHANNEL CALIBRATION is performed every [18] months. ;
| |
| CHANNEL CALIBRATION is a complete check of the instrument -
| |
| CHANNEL _ including the sensor.- The surveillance verifies the CHANNEL responds to the measured parameter within the necessary range and accuracy.
| |
| (continued)
| |
| LSYSTEM 806 .
| |
| B 3.3-173 Rev. 00 ,
| |
| -16A Tech Spec Bases f
| |
| m --.t g
| |
| * ut pe - -. ,, e + -e s
| |
| | |
| Containment Bypass Instrumentation SGTR B 3.3.10 0
| |
| BASES SURVEILLANCE -
| |
| SR 3.3.10.3 (continued) -
| |
| REQUIREMENTS At this unit, CHANNEL CALIBRATION shall find measurement
| |
| _ errors are within the values specified in Reference 4. _
| |
| The Frequency is based upon operating experience and consistency with the typical industry refueling cycle and is justified by the assumption of an [18] month calibration interval for the determination of the magnitude of equipment drift.
| |
| REFERENCES 1. 10 CFR 50 Appendix A.
| |
| : 2. Chapter 12.
| |
| [3. Section 19.8, " Shutdown Risk Evaluation."]
| |
| : 4. [Setpoint Report).
| |
| O O
| |
| SYSTEM 80+ B 3.3-174 Rev. 00 16A Tech Spec Bases
| |
| | |
| 4 PAMI B 3.3.11
| |
| * B 3.3 INSTRUMENTATION B 3.3.11 Post Accident Monitoring Instrumentation (PAMI)
| |
| BASES BACKGROUND The primary purpose of the PAMI is to display plant variables that provide information required by the control room operators during accident situations. This informatio, provides the necessary support for the operator to take the manual actions, for which no automatic control is provided, that are required for safety systems to accomplish their safety functions for Design Basis Events.
| |
| The OPERABILITY of PAMI ensures that there is sufficient information available on selected plant parameters to monitor and assess plant status and behavior following an accident.
| |
| The availability of PAMI is important so that responses to ;
| |
| corrective actions can be observed, and the need for further )
| |
| actions can be determined. These essential instruments are 1 identified in (Refs. I and 4) and by the recommendations of i (G)
| |
| Regulatory Guide 1.97 (Ref. 2), as required by Supplement 1 to NUREG-0737, "TMI Action Items" (Ref. 3).
| |
| Category I variables are the key variables deemed risk significant because they are needed to:
| |
| e Determine whether other syste.ms important to safety i are performing their intended functions; I e Provide information to the operators that will enable them to determine the potential for causing a gross breach of the barriers to radioactivity release; and e Provide information regarding the release of radioactive materials to allow for early indication of the need to initiate action necessary to protect
| |
| ;- the public as well as to obtain an estimate of the magnitude of any impending threat.
| |
| These key variables were identified by System 80+ Regulatory Guide 1.97 analyses (Ref.1) and are identified in Ref.1.
| |
| These analyses also identified that there are no Type A variables and provided justification for deviating from the NRC proposed list of Category I variables.
| |
| . f~)
| |
| V (continued)
| |
| SYSTEM 80+ B 3.3-175 Rev. 00 16A Tech Spec Bases-
| |
| | |
| l PAMI B 3.3.11 O
| |
| BASES (continued)
| |
| APPLICABLE The PAMI also ensures OPERABILITY of Category 1, non-Type A SAFETY ANALYSIS variables. This ensures the control room operating staff can:
| |
| e Determine whether systems important to safety are performing their intended functions; e Determine the potential for causing a gross breach of the barriers to radioactivity release; e Determine if a gross breach of a barrier has occurred; and e Initiate action necessary to protect the public as well as to obtain an estimate of the magnitude of any impending threat.
| |
| Category 1 nontype A PAMI are retained in the Specification because they are intended to assist operators in minimizing the consequences of accidents. Therefore, these Category 1 variables are important in reducing public risk. (Criterion 4 of the NRC Policy Statement).
| |
| The seismically qualified Discrete Indication and Alarm System (DIAS) CHANNEL P is dedicated to continuously monitor and display the category 1 parameters. The DIAS CHANNEL N and Data Processing System (DPS) also monitor all the category 1 parameters as a backup for CHANNEL P.
| |
| Two measurement CHANNELS provide the necessary information in the Control Room for adequate accident monitoring. The CHANNELS provide wide-range information which meet electrical and physical separation requirements for each parameter displayed. This design is consistent with the requirements of IEEE 279-1971 (Ref. 5). The CHANNELS are provided with equipment qualified to operate in the environments specified for design basis events in the CESSAR-DC. These CHANNELS comply with the recommendations of Regulatory Guide 1.97.
| |
| O (continued)
| |
| SYSTEM 80+ B 3.3-176 Rev. 00 16A Tech Spec Bases
| |
| | |
| PAMI B 3.3.11 BASES (continued)
| |
| LC0 LCO 3.3.11 requires two OPERABLE MEASUREMENT CHANNELS for all but one Function to ensure no single failure prevents the operators from being presented with the informaticn necessary to determine the status of the plant and to bring the plant to, and maintain it in, a safe condition following that accident.
| |
| Furthermore, provision of two CHANNELS allows a CHANNEL CHECK during the post accident phase to confirm the va';'ity of displayed information. .
| |
| The exception to the two CHANNEL requirement is Containment Isolation Valve Position. In this case, the important information is the status of the containment penetrations.
| |
| The LC0 requires one position indicator for each active containment isolation valve. This is sufficient to <
| |
| redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge af passive valve or via system boundary i status. If a normally active containment isolation valve is known to be closed and deactivated, position indication is
| |
| ! not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE.
| |
| Listed below are discussions of the specified instrument Functions listed in Table 3.3.11-1. The following instrument functions are displayed on DIAS-P, DIAS-N, and DPS.
| |
| : 1. Neutron Flux Power Level Neutron Flux Power Level indication is provided to )
| |
| verify reactor shutdown. l Inputs are provided by two safety CHANNELS with a minimum sensor and indicated range of 1 x 10'7 to 200% power.
| |
| 1 O
| |
| V (continued)
| |
| SYSTEM 80+ B 3.3-177 Rev. 00 16A Tech Spec Bases l
| |
| | |
| r 1 PAMI B 3.3.11 O
| |
| BASES LCO 2, 3. Reactor Coolant Outlet Temoerature (T-hot) (Wide (continued) Rance) and Inlet Temperature (T-Cold) (Wide Ranae)
| |
| Reactor Coolant Outlet and Inlet Temperatures are Category 1 variables provided for verification of core cooling and long term surveillance. They are also inputs to the Reactor Coclant System Subcooled Margin Monitor.
| |
| Reactor outlet temperature inputs to the PAMI are provided by two fast response resistance elements and associated transmitters in each loop. The CHANNELS provide indication over a minimum sensor and indicated range of 50 to 750'F.
| |
| : 4. Reactor Coolant System Pressure (wide rance)
| |
| RCS Pressure (wide range) is a Category 1 variable, provided for verification of core cooling and RCS integrity long term surveillance. Wide rance RCS loop pressure is measured by pressure transmitters with a minimum sensor and indicated range of 0 to 4000 psig. The pressure transmitters are located inside the containment. Redundant monitoring capability is provided by two trains of instrumentation.
| |
| : 5. Reactor Vessel Coolant Level j Reactor Vessel Coolant Level is rrovided for verification and long term surveillance of core cooling.
| |
| The Reactor Vessel Water Level Monitors provide a direct measurement of the collapsed liquid level above the core support surface. The collapsed liquid represents the amount of liquid mass that is in the reactor vessel above the core. Measurement of the collapsed water level is selected because it is a direct indication of the water inventory. The collapsed level is obtained over the same temperature and pressure range as the saturation measurements, thereby encompassing all operating and eccident (continued)
| |
| SYSTEM 80+ B 3.3-178 Rev. 00 16A Tech Spec Bases
| |
| | |
| PAMI B 3.3.11 U
| |
| BASES LCO 5. Reactor Vessel CckhnLlay11 (continued) conditions where it must function. Also, it functions during the recovery interval. Therefore, it is designed to survive the high steam temperature that may occur during the preceding core recovery interval.
| |
| The level range extends from the top of the vessel down to the top of the core support surface. The response time is short enough to track the level during small break LOCA events. The resolution is sufficient to show the initial level drop, the key locations near the hot leg elevation, and the lowest levels just above the core support surface. This provides the operator with adequate indication to track the progression of the accident and to detect the consequences of its mitigating actions or the '
| |
| functionality of automatic equipment.
| |
| Two CHANNELS with minimum sensor range of 0 - 370
| |
| (]
| |
| U/ inches above the core support surface is provided. j The minimum indicated range for these two CHANNELS is 0 - 100%.
| |
| : 6. Reactor Cavity level Reactor Cavity Level is provided for verification and long term surveillance of RCS integrity and vessel integrity.
| |
| Reactor Cavity Level is measured by two instruments with a minimum sensor and indicated range of 0 -
| |
| 100%.
| |
| : 7. Containment Pressure Containment Pressure (wide range and narrow range) is provided for verification of RCS and containment OPERABILITY.
| |
| O kl -
| |
| (continued) l i
| |
| SYSTEM 80+ B 3.3-179 Rev. 00 1
| |
| 16A Tech Spec Bases i
| |
| | |
| I l
| |
| PAMI !
| |
| B 3.3.11 l i
| |
| BASES i
| |
| LC0 7. Containment Pressure (continued) 1 I
| |
| Two wide range pressure sensors with a minimum sensor and indicated range of -5 psig to 4 times containment !
| |
| design pressure provide input. Four narrow range j sensors with a minimum sensor and indicated range of ;
| |
| i
| |
| -5 psig to 1 times containment design pressure provide input.
| |
| I
| |
| : 8. Containment Isolation Valve Positign Containment Isolation Valve Position is provided for verification of containment isolation OPERABILITY. l Containment Isolation Valve Position indication is ,
| |
| summarized by two status indicators. The containment j isolation valves are split between the two status indicators in cases where there are two containment isolation valves for one penetration. For any particular containment penetration, one isolation s valve or bcundary is on one status indicator, and the 9 other isolation valve or boundary is on the other I status indicator. These status indicators will identify if any single Containment Isolation Valve is not in its required position (closed) for isolation ,
| |
| valves aggregated under that status indicator. Any Containment Isolation Valve whose associated i penetration is isolated by at least one closed and I deactivated automatic valve, closed manual valve, (
| |
| blind flange, or check valve with flow through the i valve secured will not cause the associated l Containment Isolation Valve status indicator to I indicate that not all of the Containment Isolation Valves are closed, if all other Containment Isolation Valves associated with that indicator closed.
| |
| Required inputs, to the Containment Isolation Valve position status algorithm include 1 pair of closed /not closed valve position indication for each Containment Isolation Valve.
| |
| I (continued) l SYSTEM 80+ B 3.3-180 Rev. 00 16A Tech Spec Bases I
| |
| | |
| q ._ ~ m. ....e m a s m.m. - -
| |
| PAMI
| |
| -. B 3.3.11 V
| |
| BASES
| |
| . .LCO 9. Containment Area Radiation (continued)
| |
| Containment Area Radiation is provided to monitor for the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans. i Twosensorswitpaminimumsensorandindicatedrange of 1 R/hr to 10 R/hr provide input. ,
| |
| : 10. Containment Hydroaen Concentration Containment Hydrogen Concentration is provided to :
| |
| detect high hydrogen concentration conditions that represent a potential for containment breach. This ;
| |
| variable is also important in verifying the !
| |
| adequacy of mitigating actions. Two hydrogen i concentration sensors with a minimum sensor range of !
| |
| i 0 - 15% by volume and a minimum indicated range of 0
| |
| - 15% are provided.
| |
| O 11. Eressurizer Water level Pressurizer Water Level is used to determine whether to terminate safety injection (SI), if still in progress, or to reinitiate SI if it has been stopped.
| |
| Knowledge of pressurizer water level is also used to verify the plant conditions necessary to establish natural circulation in the RCS and to verify that the plant is maintained in a safe shutdown condition.
| |
| Two pressurizer level sensors are provided. They have a minimum indicated and sensor range of 0 -
| |
| 100%.
| |
| : 12. Steam Generator Water Level (Wide Ranae)
| |
| Steam Generator Water Level (wide range) is provided to monitor operation of decay heat removal via the steam generators. The Category 1 indication of steam generator level- is the extended startup range level instrumentation. The extended startup range level covers a span of 0 to 100% above the lower tubesheet.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-181 Rev. 00 16A Tech Spec Bases l
| |
| 1
| |
| | |
| PAMI B 3.3.11 O
| |
| BASES LC0 12. Steam Generator Water Level (Wide Ranae) (continue <i)
| |
| The measured differential pressure is displayed as 0 to 100% at 68'F. Temperature compensation of this indication is performed manually by the operator.
| |
| Redundant monitoring capability is provided by two trains of instrumentation.
| |
| : 13. Emeraency Feedwater (EFW) Storaae Tank level Emergency Feedwate? Storage Tank Level is provided to ensure water suppl, for EFW. The EFW Storage Tank provides the ensured, safety grade water supply for the EFW System. The EFW Storage Tanks consists of two identical tanks, one for each EFW mechanical train. There are two 0 - 100% sensors and indicated range level CHANNELS for each storage tank.
| |
| 14, 15, 16, 17. Core Exit Temperature Core Exit Temperature was provided for verification and long term surveillance of core cooling.
| |
| An evaluation was made of the minimum number of valid core exit thermocouples necessary for inadequate core cooling detection. The evaluation determined the reduced complement of core exit thermocouples necessary to detect initial core recovery and trend the ensuing core heatup. The evaluations account for core nonuniformities including incore effects of the radial decay power distribution and excore effects of condensate runback in the hot legs and nonuniform inlet temperatures. Based on these evaluations, adequate or inadequate core cooling detection is ensured with two valid core exit thermocouples per quadrant.
| |
| The design of the Incore Instrumentation System includes a Type K (chromel alumel) thermocouple within each of the incore instrument detector assemblies. The junction of each thermocouple is located a few inches above the fuel assembly, inside 1
| |
| (continued) l SYSTEM 80+ B 3.3-182 Rev. 00 16A Tech Spec Bases
| |
| | |
| s PAMI B 3.3.11 (v -
| |
| BASES LCO 14, 15, 16, 17. Core Exit Temoerature (continued) a structure that supports and sMelds the incore 1 instrument detector assembly string from flow forces in the outlet plenum region. These core exit ;
| |
| thermocouples monitor the temperature of the reactor coolant as it exits the fuel assemblies. ,
| |
| The core exit thermocouples have a usable sensor and i indicated temperature range from 32 to 2300*F, although accuracy is reduced at temperatures above .
| |
| 1800*F. l
| |
| : 18. Steam Generator Pressure Steam Generator Pressure is provided to monitor operation of the Steam Generators and verification of RCS heat removal.
| |
| A There are two sensed CHANNELS of Steam Generator V Pressure per Steam Generator. The minimum sensor range of these CHANNELS is 15 - 1500 psia. The q
| |
| 1 minimum indicated range of these CHANNELS is [0 -
| |
| 1485 psig.]
| |
| : 19. Dearee of Subcoolina Degree of Subcooling is provided for verification and analysis of plant conditions.
| |
| There are two sensed CHANNELS cf Degree of Subcooling. Degree of Subcooling is calculated from inc following instruments: High Range Pressurizer Pressere (minimum sensor range of 1500 - 2500 psia),
| |
| Mid Rangs Pressurizer Pressure (Minimum Sensor Range of 600 - 1550 psia), Low Range Pressurizer Prr.ssure (Minimum Sensor Range of 0 - 750 psia), Reactor Coolant Hot Leg and Cold Leg Temperatures (Minimum Sensor Range of 50 - 750*F), and Core Exit Temperatures (Minimum Sensor Range of 32 - 2300 F).
| |
| The Degree of Subcooling indicated range is a minimum of 200 F subcooling to 35*F superheat. i (continued) l SYSTEM 80+ S 3.3-183 Rev. 00 16A' lech Spec Bases
| |
| | |
| PAMI B 3.3.11 O
| |
| BASES LCO 20. Primary Coolant (TJ Radiation level (continued)
| |
| Primary Coolant Radiation Level is provided for detection of a breach.
| |
| Primary Coolant (Ts) Radiation Level is provided by two sensed CHANNELS with a 8minimum sensor and indicated range of 1.0 - 10 R/hr.
| |
| Two CHANNELS are required to be OPERABLE for most Functions.
| |
| Two OPERABLE CHANNELS ensure that no single failure within the PAMI or its auxiliary supporting features or power sources, concurrent with failures that are a condition of or result from a specific accident, prevents the operators from being presented the information necessary for them to determine the safety status of the plant and to bring the plant to and maintain it in a safe condition following that accident.
| |
| In Table 3.3.11-1 the exception to the two CHANNEL requirement is Containment Isolation Valve Position.
| |
| [T*, OPERABLE CHANNELS of core exit thermocouples are required for each CHANNEL in each quadrant] to provide indication of radial distribution of the coolant temperature rise across representative regions of the core. Power distribution symmetry is considered in determining the specific number and locations provided for diagnosis of local core problems. Therefore, two randomly selected thermocouples may not be sufficient to meet the two thermocouples per CHANNEL requirement in any quadrant. The two thermocouples in each CHANNEL must meet the additional requirement that one be located near the center of the core and the other near the core perimeter, such that the pair of core exit thermocouples indicate the radial temperature gradient across their core quadrant. [Two sets of two thermocouples in each quadrant ensure a single failure will not disable the ability to determine the radial temperature gradient.]
| |
| For loop and steam generator related variables, the required l information is individual loop temperature and individual l steam generator level. In these cases two CHANNELS are !
| |
| required to be OPERABLE for each loop of steam generator to redundantly provide the necessary information.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-184 Rev. 00 16A Tech Spec Bases
| |
| | |
| . . _.._. ..- _ _ _ . _ _ ~ . _
| |
| l
| |
| ;i
| |
| ' PAMI ,
| |
| B 3.3.11 l j
| |
| L ' BASES j q
| |
| il I
| |
| ; LCO - 20. Primary Coolant (TJ Radiation Level (continued) {.
| |
| ~
| |
| In the case of Containment Isolation Valve Position, the 1 important information is the status of the containment l penetrations. The LCO requires one position indicator for '
| |
| each active containment isolation valve.- This is sufficient to redundantly verify the isolation status of each isolable ;
| |
| penetration either via indicated status of toa active valve j and prior knowledge of passive valve or system boundary j l status. If a normally active containment isolation valve is ;
| |
| - known to be closed and deactivated, position indication is not needed to determine' status. Therefore, the pos1 tion indication for valves in this state is not required to be l OPERABLE.
| |
| ! APPLICABILITY The PAMI LC0 is applicable in MODES 1, 2, and 3. These variables are related to the diagnosis and preplanned :
| |
| ; actions required to mitigate DBAs. The applicable DBAs are i assumed to occur in MODES 1, 2, and 3. In MODES 4, 5, and 6, plant conditions are such'that the likelihood of an 4 event occurring that would require PAMI is low; therefore,
| |
| : the PAMI is not required to be OPERABLE ,n these MODES.
| |
| ACTIONS- Note I has been added in the ACTIONS to exclude the MODE change restriction of LC0 3.0.4. - This exception allows 3' entry into the applicable MODE while relying on the ACTIONS, even though the ACTIONS may eventually require plant '
| |
| I shutdown. This exception is acceptable due to the passive function of the instruments, the operator's ability to monitor an accident using alternate instruments and methods,
| |
| . and the low probability of an event requiring these instruments.
| |
| Note 2 has been added in the ACTIONS to clarify the application of Completion Time rules. The Condition of this Specification may be entered -independently for each Function listed in Table 3.3.11-1. The Completion Time (s) of the inoperable CHANNEL (s) of a Function will be tracked h separately for each Function starting from the time the
| |
| . Condition was entered for that Function.
| |
| (continued)
| |
| SYSTEM 80+ . .B 3.3-185 Rev. 00 i 16A-Tech Spec Bases-
| |
| | |
| PAMI B 3.3.11 1 O
| |
| BASES ACTIONS A_d (continued)
| |
| When one or more Functions have one required MEASUREMENT CHANNEL that is inoperable, the required inoperable CHANNEL must be restored to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE MEASUREMENT CHANNEL (or in the case of a Function that has only one required MEASUREMENT CHANNEL, other non Regulatory Guide 1.97 instrument MEASUREMENT CHANNELS to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAMI during this interval.
| |
| 16 1 This Required Action specifies initiation of actions in Specification [5.9.2.c,] which requires a written report, approved by the [onsite review committee], to be submitted to the Nuclear RegulaL,ry Commission. This report discusses the results of the root cause evaluation of the inoperability and identifies proposed restorative Required Actions. This Required Action is appropriate in lieu of a shutdown requirement, given the likelihood of plant conditions that would require information provided by this instrumentation. Also, alternative Required Actions are identified before a loss of functional capability condition occurs.
| |
| C.1 l
| |
| When one or more Functions have two required MEASUREMENT ;
| |
| CHANNELS inoperable (i.e., two MEASUREMENT CHANNELS inoperable in the same Function), one MEASUREMENT CHANNEL in the Function should be restored to OPERABLE status within 7 days. The Completion Time of 7 days is based on the l relatively low probability of an event requiring PAMI ,
| |
| operation and the availability of alternate means to obtain l the required information. Continuous operation with two required CHANNELS inoperable in a function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAMI.
| |
| (continued) 1 I
| |
| SYSTEM 80+ B 3.3-186 Rev. 00 16A Tech Spec Bases i
| |
| 1
| |
| | |
| .. . = .
| |
| PAMI L g B 3.3.11 ,
| |
| BASES ACTIONS C.d (continued)
| |
| Therefore, requiring restoration of one inoperable CHANNEL of the Function limits the risk that-the PAMI Function will be in a degraded condition should an accident occur.
| |
| D.d This Required Action directs entry into the appropriate Condition referenced in Table 3.3.11-1. The applicable Condition referenced in the Table is function dependent.
| |
| Each time Required Action C.1 is not met, and the associated ;
| |
| Completion Time has expired, Condition D is entered for that CHANNEL and provides for transfer to the appropriate subsequent Condition. ,
| |
| E.1 and E.2 If the Required Action and associated Completion Time of Condition C is not met and Table 3.3.11-1 directs entry into -
| |
| Condition E, the plant must be brought to a MODE in which !
| |
| the LCO does not apply. To achieve this status, the plant l must be brought to at least MODE 3 within 6 hours and to l MODE 4 within 12 hours. The allowed Completion Times are i reasonable, based on operating experience, to reach the l required plant conditions from full power conditions in an orderly manner and without challenging plant systems. ,
| |
| f.d Alternate means of monitoring Reactor Vessel Water Level and l Containment Area Radiation may be temporarily installed if I the normal PAMI CHANNEL cannot be restored to OPERABLE status within the allotted time. If these alternate means are used, the Required Action is not to shut down the plant, but rather to follow the directions of Specification 5.9.2.c. The report provided to the NRC should discuss whether the alternate means are equivalent to the installed PAMI CHANNELS, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAMI CHANNELS.
| |
| ' O.
| |
| V (continued)
| |
| SYSTEM 80+ B 3.3-187 Rev. 00 16A Tech Spec Bases ,
| |
| l
| |
| | |
| PAMI B 3.3.11 O
| |
| BASES (continued)
| |
| SURVEILLANCE A Note in the beginning of the SR table specifies that the REQUIREMENTS following SRs apply to each PAMI Function found in Table 3.3.11-1.
| |
| _S_R 3.3.11.1 Performance of the CHANNEL CHECK for each required instrument CHANNEL that is normally energized once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one CHANNEL to a similar parameter on other CHANNELS. It is based on the assumption that instrument CHANNELS monitoring the same parameter should read approximately the same value. Significant deviations ;
| |
| between the two instrument CHANNELS could be an indication !
| |
| i of excessive instrument drift in one of the CHANNELS. A Ci4ANNEL CHECK will detect gross CHANNEL failure; thus, it is l key to verifying the instrumentation continues to operate l 1
| |
| properly between each CHANNEL CALIBRATION.
| |
| Agreement criteria are determined by the plant staff based on a combination of the CHANNEL instrument uncertainties, including indication and readability. If a CHANNEL is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If tLe CHANNELS are within the match criteria, it is an indication that the CHANNELS are OPERABLE. If the CHANNELS are normally off scale during time when surveillance is required, the MEASUREMENT CHANNEL CHECK will only verify that they are off scale in the same direction. Off scale low current loop CHANNELS are verified to be reading at the bottom of the range and not failed downscale.
| |
| The Frequency of 31 days is based upon plant operating experience with regard to CHANNEL OPERABILITY and drift, which demonstrates that failure of more than one CHANNEL of given Function in any 31 day interval is a rare event. The MEASUREMENT CHANNEL CHECK supplements less formal, but more frequent, checks of CHANNEL OPERABILITY during normal opisrational use of the displays associated with this LCO's rrquired e CHANNELS.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-188 Rev. 00 16A Tech Spec Bases
| |
| | |
| I PAMI '
| |
| l s B 3.3.11
| |
| )
| |
| BASES (continued)'
| |
| SURVEILLANCE SR 3.3.11.1 (continued)
| |
| REQUIREMENTS !
| |
| The CHANNEL CHECK may be performed automatically by validation algorithms within the DPS and DIAS. To take :
| |
| credit for the automatic CHANNEL CHECK, the operator will be required to verify that DPS or DIAS is OPERABLE and that there are no alarms associated with the PAMI. The frequency interval (31 days) specified for this SR will be applicable.
| |
| In the event that neither DPS or DIAS validation checking function is OPERABLE, or do not perform a cross CHANNEL comparison on a particular parameter, the operator will be r required to perform the CHANNEL CHECK manually via DPS or DIAS.
| |
| SR 3.3.11.2 3
| |
| A CHANNEL CALIBRATION is performed every [18] months.
| |
| CHANNEL CALIBRATION is a complete check of the instrument ,
| |
| CHANNEL including the sensor. The Surveillance verifies the j Q CHANNEL responds to the measured parameter with the j
| |
| 'V _ necessary range and accuracy. _
| |
| For the Containment Area Radiation instrumentation, a l CHANNEL CALIBRATION may consist of an electronic calibration of the CHANNEL, not including the detector, for range i decades above 10 R/hr, and one point calibration check of I
| |
| _ the detector below 10 R/hr with a gamma source. _
| |
| The Frequency is based upon operating experience and ,
| |
| consistency with the typical industry refueling cycle and is i justified by the assumption of an [18] month calibration l interval for the determination of the magnitude of equipment '
| |
| drift.
| |
| O (continued)
| |
| SYSTEM 80+ B 3.3-189 Rev. 00 16A Tech Spec Bases l
| |
| | |
| PAMI B 3.3.11 O '
| |
| BASES (continued)
| |
| REFERENCES 1. Chapter 7, " Instrumentation and Controls" and 15
| |
| " Accident Analysis".
| |
| : 2. Regulatory Guide 1.97.
| |
| : 3. NUREG-0737, Supplement 1.
| |
| : 4. System 80+ Procedure Guidelines
| |
| : 5. IEEE Standard 279,1971, " Criteria for Protection Systems for Nuclear Power Generating Stations," April 5, 1972.
| |
| O l
| |
| Ol SYSTEM 80+ B 3.3-190 Rev. 00 l 16A Tech Spec Bases
| |
| | |
| i Remote Shutdown Instrumentation and Controls B 3.3.12 p
| |
| 8 3.3 INSTRUMENTATION j B 3.3.12 Remote Shutdown Instrumentation and Controls L
| |
| BASES BACKGROUND The Remote Shutdown Instrumentation and Controls provides l the control room operator with sufficient instrumentation and controls to place and maintain the unit in a safe j shutdown condition from a location other than the control 4
| |
| : room. This capability is necessary to protect against the l possibility that the control room becomes inaccessible. A safe shutdown condition is defined as MODE 3. With the unit i in MODE 3, the Emergency Feedwater (EFW) System and the l' steam generator safety valves or the steam generator atmosphe-ic dump valves (ADVs) can be used to remove core decay heat and meet all safety requirements. The long term I supply of water for the EFW System and the ability to borate the Reactor Coolant System (RCS) from outside the control room allows extended operation in MODE 3.
| |
| In the event that the control room becomes inaccessible, the operators can establish control at the remote shutdown panel m
| |
| and place and maintain the unit in MODE 3. The operators can transfer control from the Control Room to the Remote Shutdown Instrumentation and Controls on the Remote Shutdown Panel (RSP) via switches near each control room exit. Once i control has been transferred to the RSP, the RSP will contain all controls and indications necessary to achieve and maintain hot standby. (MODE 3). The unit automatically reaches MODE 3 fcilowing a unit shutdown and can be maintained safely in MODE 3 for an extended period of time.
| |
| The RSP includes all divisions of safe shutdown controls, l isolated from the main control panels. The man-machine !
| |
| interface for this instrumentation is consi; tent with the control room. The indications and controls at the RSP are physically separated and electrically isolated from the ,
| |
| control room.
| |
| The OPERABILITY of the Remote Shutdown Instrumentation and Controls Functions ensures that there is sufficient information available on selected plant parameters to bring the p! ant to, and maintain it in MODE 3 should the control room become inaccessible.
| |
| O (continued)
| |
| SYSTEM 80+ B 3.3-191 Rev. 00 16A Tech Spec Bases
| |
| | |
| 4 i
| |
| 1 Remote Shutdown Instrumentation and Controls i 8 3.3.12 i O
| |
| BASES (continued) l i
| |
| APPLICABLE The Remote Shutdown Instrumentation and Controls are SAFETY ANALYSES required to provide equipment at appropriate locations l outside the control room with a capability to promptly shut down the plant and maintain it in a safe condition in MODE 3.
| |
| The criteria governing the design and the specific system requirements of the Remote Shutdown Instrumentation and Controls are located in 10 CFR 50, Appendix A, GDC 19 (Ref. 1).
| |
| The Remote Shutdown Instrumentation and Controls has been identified as an important contributor to the reduction of plant accident risk and, therefore, has been retained in the Technical Specifications, as indicated in the NRC Policy Statement. The Remote Shutdown Instrumentation and Controls meet Criterion 4 of the NRC Policy Statement.
| |
| The Remote Shutdown Instrumentation and Controls LC3 LCO requires two OPERABLE divisions for each function necessary to place and maintain the plant in H0DE 3 from a location h
| |
| other than the control room. The instrumentht bn and controls required are listed in Table 3.3.12-1 in the accompanying LCO.
| |
| The controls, instrumentation, and transfer switches are those required to perform the following functions:
| |
| * Reactivity Control (initial and long term);
| |
| e RCS Pressure Control; e Decay Heat Removal; e RCS Inventory Control; and e Safety support systems for the above Functions, as well as station service water, component cooling water, and cnsite power.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-192 Rev. 00 16A Tech Spec Bases
| |
| | |
| I Remote Shutdown Instrumentation and Controls B 3.3.12 g
| |
| V BASES LCO A Function of a Remote Stutdown Instrumentation and Controls (continued) is OPERABLE if all instrument and control parameters needed to support the Function are OPERABLE. A division is a set of instruments and controls needed to accomplish the RSIC function. A given RSIC function may be performed by different parameters in the redundant divisions.
| |
| Electrical / physical separation of the individual measurement division functions is not met at the associated RSP display device. Operability of individual CHANNEL functions can be verified using the common display device that is part of the Discrete Indication and Alarm System (DIAS) or using Data Processing System (DPS) CRT display pages.
| |
| The Remote Shutdown System instrumentation and control circuits covered by this LC0 do not need to be energized to be considered OPEi'ABLE. This LC0 is intended to ensure that the instrument ano control circuits will be OPERABLE if plant conditions require that the Remote Shutdown System be placed in operation.
| |
| O APPLICABILITY The Remote Shutdown System LC0 is applicable in MODES 1, 2, and 3. This is required so that the unit can be placed and ,
| |
| maintained in MODE 3 for an extended period of time from a l location other than the control room. This LC0 is not l applicable in MODE 4, 5, or 6. In these MODES, the unit is l already subtritical and in the condition of reduced RCS I energy. Under these conditions, considerable time is available to restore necessary instrument control Functions if control room instruments or control become unavailable.
| |
| 4 ACTIONS A Note has been included that excludes the MODE change restrictions of LC0 3.0.4. This exception allows entry into an applicable MODE, while relying on the ACTIONS, even though the ACTIONS may eventually require a plant shutdown.
| |
| This is acceptable due to the low probability of an event requirina this system.
| |
| A Remote Shutdown System division is inoperable when each Function listed in Table 3.3.12-1 is not accomplished by at Ir.ast one designated Remote Shutdown System CHANNEL that ,
| |
| O
| |
| 'G) (continued)
| |
| SYSTEM 80+ B 3.3-193 Rev. 00 16A Tech Spec Bases
| |
| | |
| Remote Shutdown Instrumentation and Controls B 3.3.12 O
| |
| BASES ACTIONS satisfies the OPERABILITY criteria for the CHANNEL's (continued) Function. These criteria are outlined in the LCO section of the '3ases.
| |
| M Condition A addresses the situation where one division with one or more Required Functions of the Remote Shutdown Instrumentation and Controls are inoperable. This includes any Function listed in Table 3.3.12-1 as well as the control and transfer switches.
| |
| The Required Action is to restore the division to OPERABLE status within 92 days. The Completion Time is based on operating experience, the availability of a redundant division supplying the same Functions, and the low probability of an event that would require evacuation of the control room.
| |
| u O Condition B addresses the situation where two divisions with I one or more Required Functions of the Remote Shutdown !
| |
| Instrumentation and Controls are inoperable. This includes I I
| |
| any Function listed in Table 3.3.12-1 as well as the control and transfer switches.
| |
| The Required Action is to restore one division to OPERABLE status within 31 days. The completion time is based on operating experience and the low probability of an event that would require evacuation of tha control room.
| |
| C.1 and C.2 l If the Required Action and associated Completion Time of l Condition A or B is not met, the plant must be brought to a MODE in which the LC0 does not apply. To achieve this i status, the plant must be brought to at least MODE 3 within l 6 hours and to MODE 4 within [12] hours. The allowed ;
| |
| Completion Times are reasonable, based on operating i experience, to reach the required MODES from full power j conditions in an orderly manner and without challenging '
| |
| plant systems.
| |
| (continued) j SYSTEM 80+ B 3.3-194 Rev. 00 1 16A Tech Spec Bases
| |
| | |
| Remote Shutdown Instrumentation and Controls e1 B 3.3.12 1
| |
| QJ CASES (continued)
| |
| SURVEILLANCE SR 3.3.12.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one CHANNEL to a similar parameter on other CHANNELS. It is based on the assumption that instrument CHANNELS monitoring the same parameter should read approximately the same value.
| |
| Significant deviations between the instrument CHANNELS could be an indication of excessive instrument drift in one of the CHANNELS. A CHANNEL CHECK will detect gross CHANNEL failure; thus it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff, based on a combination of the CHANNEL instrument uncertainties, including indication and readability. If a CHANNEL is outside the match criteria, it may be an indication that the sensor or the signal processing equipment have drifted outside its limit. As specified in the Surveillance, a CHANNEL CHECK is only Q required for those CHANNELS which are normally energized.
| |
| '~
| |
| The Frequency is based on plant operating experience that demonstrates CHANNEL failure is rare.
| |
| The CHANNEL CHECK may be performed automatically by validation algorithms within the DPS and/or DIAS. To take credit for the automatic CHANNEL CHECK, the operator will be required to verify that DPS or DIAS is OPERABLE and that there are no alarms associated with Remote Shutdown Instrumentation. DPS or DIAS surveillance in the control room may encompass the CHANNEL CHECK for the Remote Shutdown Instrumentation and Controls. The frequency interval (31 days) specified in this SR will be applicable. In the event that neither the DPS or DIAS validation checking function is OPERABLE or do not perform a cross CHANNEL comparison on a particular parameter, the operator will be required to perform the CHANNEL CHECK manually via DPS or DIAS.
| |
| SR 3.3.12.2 SR 3.3.12.2 verifies that each required Remote Shutdown System indicator, transfer switch, and control circuits perform their intended function. This verification is O
| |
| V (continued)
| |
| SYSTEM 80+ B 3.3-195 Rev. 00 16A Tech Spec Bases
| |
| | |
| Remote Shutdown Instrumentation and Controls B 3.3.12 O
| |
| BASES SURVEILLANCE SR 3.3.12.2 (continued)
| |
| REQUIREMENTS performed from the control room, Vital Instrumentation Equipment Rooms, and Remote Shutdown Room, as appropriate.
| |
| This will ensure that if the control room becomes inaccessible, the plant can be brought to and maintained in MODE 3 from the RSP. The [18] month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience demonstrates that Remote Shutdown Instrumentation and Controls control CHANNELS seldom fail to pass the Surveillance when performed at a Frequency of once every [18] months.
| |
| SR 3.3.12.3 CHANNEL CALIBRATION is a complete check of the instrument CHANNEL including the sensor. The Surveillance verifies that the CHANNEL responds to measured parameter with the necessary range and accuracy.
| |
| The [18] month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.
| |
| SR 3.3.12.3 has been modified by a Note stating that Neutron detectors are excluded from the CHANNEL CALIBRATION.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 19.
| |
| : 2. Chapters 7 " Instrumentation and Controls," and 15
| |
| " Accident Analysis."
| |
| O SYSTEM 80+ B 3.3-196 Rev. 00 16A Tech Spec Bases
| |
| | |
| Logarithmic Power Monitorin Channels B 3.3.13 g
| |
| U B 3.3 INSTRUMENTATION B 3.3.13 Logarithmic Power Monitoring CHANNELS BASES BACKGROUND The logarithmic power monitoring CHANNELS provide neutron flux power indication from < IE-7% RTP to > 100% RTP. They also provide reactor protection when the reactor trip circuit breakers (RTCBs) are shut, in the form of a Logarithmic Power Level-High trip.
| |
| This LC0 addresses MODES 3, 4, and 5 with the RTCBs open.
| |
| When the RTCBs are shut, the logarithmic power monitoring CHANNELS are addressed by LC0 3.3.2, " Reactor Protective System (RPS) Instrumentation - Shutdown."
| |
| When the RTCBs are open, two.of the four wide range power CHANNELS must be available to monitor neutron flux power.
| |
| In this application, the RPS CHANNELS need not be OPERABLE, l since the reactor trip Function is not required. By I monitoring neutron flux (wide range) power when the RTCBs I are open, loss of SDM caused by boron dilution can be (n) detected as an increase in flux. Alarms are also provided
| |
| * when power increases above the fixed bistable setpoints.
| |
| Two CHANNELS must be OPERABLE to provide single failure protection and to facilitate detection of CHANNEL failure by providing CHANNEL CHECK capability.
| |
| APPLICABLE The logarithmic power monitoring CHANNELS are necessary to !
| |
| SAFETY ANALYSES monitor core reactivity changes. They are one of the l primary means for detecting and triggering operator actions to respond to reactivity transients initiated from Conditions in which the RPS is not required to be OPERABLE.
| |
| Boron dilution instrumentation is the primary means for detecting and triggering operator actions in a boron dilution event while in a shutdown mode. LC0 3.1.12. " Boron Dilution Alarms," addresses this instrumentation. The logarithmic power monitoring CHANNELS also trigger operator actions to anticipate RPS actuation in the event of reactivity transients starting from shutdown or low power Conditions. The logarithmic power monitoring CHANNEL's LCO ;
| |
| requirements support compliance with 10 CFR 50, Appendix A, ,
| |
| f%
| |
| J (continued) i SYSTEM 80+ B 3.3-197 Rev. 00 16A Tech Spec Bases
| |
| | |
| Logarithmic Power Monitoring Channels B 3.3.13 0'
| |
| BASES APPLICABLE GDC 13 (Ref. 1). Reference 2 describes the specific SAFETY ANALYSES logarithmic power monitoring CHANNEL features that are (continued) critical to comply with the GDC.
| |
| The OPERABILITY of logarithmic power monitoring CHANNELS is necessary to assist the operator in detecting a boron dilution event and to provide for the mitigation of accident and transient conditions.
| |
| The logarithmic power monitoring CHANNELS satisfy Criterion 4 of the NRC Policy Statement.
| |
| LC0 The LC0 on the logarithmic power monitoring CHANNELS ensures that adequate information is available to verify core reactivity conditions while shut down.
| |
| A minimum of two logarithmic power monitoring CHANNELS are required to be OPERABLE. System 80+ has four CHANNELS capable of performing this function. Multiple failures may be tolerated while the plant is still complying with LC0 requirements.
| |
| g APPLICABILITY In MODES 3, 4, and S, with RTCBs open or the Control Element Assembly (CEA) Drive System not capable of CEA withdrawal, logarithmic power monitoring CHANNELS must be OPERABLE to monitor core power for reactivity changes. In MODES 1 and 2, and in MODES 3, 4, and 5, with the RTCBs shut and the CEAs capable of withdrawal, the logarithmic power monitoring CHANNELS are addressed as part of the RPS in LC0 3.3.1,
| |
| " Reactor Protective System Instrumentation - Operating" and LC0 3.3.2, " Reactor Protective System Instrumentation -
| |
| Shutdown."
| |
| The requirements for source range neutron flux monitoring in MODE 6 are addressed in LC0 3.9.2, " Nuclear Instrumentation." The source range nuclear instrumentation CHANNELS provide neutron flux coverage extending an additional one to two decades below the logarithmic CHANNELS for use during refueling, when neutron flux may be extremely low.
| |
| (continued) 9 >
| |
| SYSTEM 80+ B 3.3-198 Rev. 00 16A Tech Spec Bases
| |
| | |
| Logarithmic Power Monitoring Channels I B 3.3.13 !
| |
| O i i
| |
| i LBASES: (continued)
| |
| .i ACTIONS A CHANNEL is inoperable when it does not satisfy the i OPERABILITY criteria for the CHANNEL's function. These !
| |
| criteria are outlined in the LCO section of the Bases.- j A.1 and A.2 With one required CHANNEL inoperable, it may not be possible 1 to perform a MEASUREMENT CHANNEL CHECK to verify that the other required CHANNEL is OPERABLE. Therefore, with one or !
| |
| more required CHANNELS inoperable, the lograthmic power monitoring Function cannot be reliably performed.
| |
| Consequently, the 4equired Actions are the same for one l required CHANNEL'inaperable or more than one required l CHANNEL inoperal.le. The absence of reliable neutron flux i indication makes it difficult to ensure SDM is maintained. ,
| |
| Required Action A.1 therefore requires that all positive reactivity additions that are under operator control, such !
| |
| as boron dilution or Reactor Coolant System temperature ;
| |
| changes, be halted immediately. !
| |
| SDM must be verified periodically to ensure that it is being maintained. Both required CHANNELS must be restored as soon as possible. The initial Completion Time of 4 hours and once every 12 hours thereafter to perform SDN verification takes into consideration that Required Action A.1 eliminates many of the means by which SDM can be reduced. These Completion Times are also based on operating experience in performing the Required Actions and the fact that plant conditions will change slowly.
| |
| SURVEILLANCE SR 3.3.13.1 REQUIREMENTS SR 3.3.13.1 is the performance of a CHANNEL CHECK on each required CHANNEL every 12 hours. A CHANNEL CHECK is a comparison of the parameter indicated on one CHANNEL to a similar parameter on other CHANNELS. It is based upon the assumption that instrument CHANNELS monitoring the same parameter should read approximately the same value.
| |
| Significant deviations between innrument CHANNELS could be an indication of excessive instrument drift in one of the CHANNELS. CHANNEL CHECK will detect gross CHANNEL failure, (continued)
| |
| SYSTEM 80+- ..
| |
| B 3.3-199 Rev. 00 16A' Tech Spec Bases
| |
| . _ _ _ - . m_ _ , _ . _ . _ __ _ _ _ _ _ _ _ - _ . - - ._ _
| |
| | |
| Logarithmic Power Monitoring Channels B 3.3.13 O
| |
| BASES SURVEILLANCE SR 3.3.13.1 (continued)
| |
| REQUIREMENTS thus it is the key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Agreement criteria are determined by the plant staff and should be based on a combination of the CHANNEL instrument uncertaintles, including control isolation, indication, and readability. If a CHANNEL is outside of the match criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside of its limits. If the CHANNELS are within the match criteria, it is an indication that the CHANNELS are OPERABLE.
| |
| The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of CHANNEL failure.
| |
| Thus, the performance of MEASUREMENT CHANNEL CHECK ensures that undetected overt CHANNEL failure is limited to 12 hours. Since the probability of two random failures in redundant CHANNELS in any 12 hour period is extremely low, MEASUREMENT CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant CHANNELS.
| |
| MEASUREMENT CHANNEL CHECK supplements less formal, but more frequent, checks of CHANNEL OPERABILITY during normal operational use of displays associated with the LC0 required CHANNELS.
| |
| SR 3.3.13.2 A CHANNEL FUNCTIONAL TEST is performed every 92 days to ensure that the entire CHANNEL is capable of properly indicating neutron flux. Internal test c;,cuitry is used to feed preadjusted test signals into the preamplifier to verify CHANNEL alignment. It is not necessary to test the detector, because generating a meaningful test signal is difficult; the detectors are of simple construction, and any failures in the detectors will be apparent as change in ,
| |
| CHANNEL output. This Frequency is the same as that employed !
| |
| for the same CHANNELS in the other applicable MODES. i I
| |
| (continued) O l SYSTEM 80+ B 3.3-200 Rev. 00 16A Tech Spec Bases
| |
| | |
| i i
| |
| Logarithmic Power Monitoring Channels' B 3.3.13 O--
| |
| * 1
| |
| ! BASES l SURVEILLANCE- SR 3.3.13.3 REQUIREMENTS-(continued) SR 3.3.13.3 is the performance of a CHANNEL CALIBRATION. A- 1
| |
| ~ CHANNEL CALIBRATION.is performed every [18] months. The !
| |
| Surveillance is a complete check and readjustment of the -
| |
| logarithmic power CHANNEL from the preamplifier input i through to a remote display. The Surveillance verifies' that I the CHANNEL responds to a measured REQUIREMENTS parameter l within the necessary range and accuracy. CHANNEL r
| |
| : CALIBRATION' leaves the CHANNEL adjusted to account for l
| |
| :. instrument drifts between successive calibrations to ensure !
| |
| ! that the CHANNEL remains operational. Measurement error 6
| |
| ; determination, setpoint . error determination, and 1 calibration adjustment must be performed consistent with the plant specific setpoint analysis. The CHANNEL shall be left
| |
| : calibrated consistent with the assumptions of the current i
| |
| ; plant specific .>etpoint analysis.
| |
| This SR is modified by a Note to indicate that it is not necessary to test the detector, because generating a meaningful test signal is difficult; the detectors are of
| |
| ; : simple construction, and any failures in the detectors will be apparent as change in CFANNEL output. This test interval is the'same as that employed for the same CHANNELS in the other applicable MODES.
| |
| O REFERENCES 1. 10 CFR 50, Appendix A, GDC 13.
| |
| : 2. Chapter 7 and Chapter 15.
| |
| l 1
| |
| 4 O >
| |
| 'SYSTEN 80+ B 3.3-201 Rev. 00 16A Tech Spec Bases 4 , , , , .,,y, ....,-e e-w.. . . , 4~ .- -- -- _ _ - _ _ _ _ - - - - - - - - - -
| |
| | |
| Reactor Coolant Monitoring - Instrumentation B 3.3.14 B 3.3 INSTRUMENTATION B 3.3.14 Reactor Coolant Monitoring - Instrumentation BASES BACKGROUND Inkdequate instrumentation can be a factor in the less of shutdown cooling (Reference 1) or an inadvertert drain down event. To ensure that shutdown cooling is mainttined and RCS level can be monitored, the NRC recommendaticns (Reference 2) regarding instrumentation during REDUCED RCS INVENTORY operations have been adopted.
| |
| The installed instrumentation is provided to monitor RCS level, RCS temperature, Shutdown Cooling System (SCS) performance, and reactor vessel level. Visual indication and alarms of the above mentioned parameters are provided in the control room to inform the operator of the conditions necessary for adequate decay heat removal. If used, temporary instrumentation should be functionally equivalent to the installed instrumentation.
| |
| Four independent and redundant sets of water level monitoring instruments provide indication of water level or required by Table 3.3.14-1. Level monitoring capability is h
| |
| available from the pressurizer to below the bottom of the hot leg. These level indicators are calibrated for low RCS temperature operation and are highly accurate.
| |
| The level instrumentation provided is diverse and independent. This diversity should be utilized by the operator whenever possible during shutdown cooling and/or drain down operations. The diversity can eliminate common cause failure and assure the operator of accurate RCS level and reactor vessel level indication.
| |
| The following is a discussion of the level instrumentation provided:
| |
| : 1. A pair of wide range dp based water level sensors provide indication of RCS water level from the pressurizer to below the minimum level required for SCS operation. Each level sensor measures RCS level from the reference tap located at the top of the pressurizer to a tap located at the hot leg /SCS suction line interface. Each sensor is independent and redundant.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-202 Rev. 00 16A Tech Spec Bases
| |
| | |
| Reactor Power Monitoring - Instrunentation B 3.3.14 b
| |
| BASES BACKGROUND 2. A pair of narrow range dp based water level sensors (continued) provide indication of RCS water level during drain down operations. Level is monitored from reference ;
| |
| leg taps located at the Direct Vessel Injection (DVI) nozzles to taps located at the hot leg /SCS suction line interfaces. i
| |
| : 3. Two Heated Junction Thermocouples (HJTC's) in the Inadequate Core Cooling Instrumentation System provide indication of levei from the reactor vessel head region to the fuel alignment plate.
| |
| : 4. Two refueling water level HJTC instruments provide indication of water level from the reactor vessel )
| |
| head region to the fuel alignment plate with improved )
| |
| level detection capability across the hot leg region i via clustered thermocouples located in that region. !
| |
| Reactor coolant monitoring level sensors available for MODE 6 with RCS water level < [120'] elevation are provided as described in Items 1 and 2 above, although no planned (3
| |
| (,') evolutions to reduce RCS inventory to below the reactor vessel (RV) flange are recommended for MODE 6.
| |
| Instruments are available for continuous temperature measurements during MODE 5 with loops not filled and MODE 6 with the RCS water level < [120'] elevation. The following is a discussion of the temperature instrumentation provided:
| |
| : 1. RTDs are located in each hot leg near the SCS suction lines. The RTDs are available to monitor RCS temperature. The RTDs are an accurate measurement of reactor coolant temperature exiting the core when the SCS is in operation.
| |
| : 2. RTDs are located in the Shutdown Cooling System piping which provide RCS temperature indication when the SCS is operational. These RTDs are located at both shutdown cooling heat exchanger inlet and return line.
| |
| : 3. The Core Exit Thermocouples (CETs) are capable of monitoring RCS temperature as it exits the core with the reactor head installed. When the reactor vessel head is removed for refueling purposes, the RCS and (3
| |
| V (continued)
| |
| SYSTEM 80+ B 3.3-203 Rev. 00 16A Tech Spec Bases
| |
| | |
| Reactor Power Monitoring - Instrumentation hl B 3.3.14 BASES l l
| |
| SCS RTDs provide RCS temperature indication due to I BACKGROUND (continued) the unavailability of the CETs during fuel movement.
| |
| : 4. The HJTC probes are capable of providing a continuous i measurement of coolant temperr.ture inside the vessel. i The HJTC temperature sensors are available when the (
| |
| reactor vessel head is installed. When the reactor vessel head is removed the RCS RTDs, SCS RTDs and CETs if available, provide temperature indication.
| |
| In the event of a loss of shutdown cooling, the RTDs can no longer be relied upon to provide an exact indication of reactor coolant temperature exiting the core due to their l location near the SCS suction lines in the hot legs and in the SCS piping. In this situation, other instruments, such as the CETs and the HJTC probes, are available to monitor reactor coolant temperature as it exits the core.
| |
| Indication will be available to the control *oom operator to adequately monitor SCS performance. The following is a discussion of the SCS performance instrumentation provided:
| |
| : 1. SCS pump suction and discharge pressure transmitters are installed to provide control room indication of SCS pump operating pressures throughout the design pressure range. Alarms are provided in the control room to warn operators of a low suction or discharge pressure.
| |
| : 2. SCS flowrate is provided via an installed flowmeter in each SCS return line to the RCS. Alarms are provided in the control room to warn operators of a degraded SCS flow condition.
| |
| : 3. SCS/CS pump motor current indication is provided in the control room. An alarm is provided to alert the operator of a preset drop in motor current.
| |
| : 4. SCS heat exchanger inlet and return line temperature l sensors provide indication in the control room of ;
| |
| SCS temperature. A heat exchanger AT can demonstrate I adequate SCS heat removal to verify support system l heat removal capability.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-204 Rev. 00 16A Tech Spec Bases j
| |
| | |
| l Reactor Power Monitoring - Instrumentation :
| |
| l B 3.3.14 I O l BASES ,
| |
| i BACKGROUND- 5. SCS valve position indication is provided in the (continued) control room to inform the operator of system ,
| |
| alignment and available SCS flow paths. Open, closed and throttled indication of the major SCS inlet and ;
| |
| return valves is provided. j q .
| |
| i
| |
| ' Indications of insufficient pump suction pressure and i possible vortexing include the following: l 2
| |
| : 1. _ Unsteady pump motor current as indicated by SCS/CS j pump motor amps. [
| |
| l
| |
| : 2. Low SCS pump suction oressure.
| |
| L
| |
| : 3. Low SCS flowrate.
| |
| ' Increasing RCS level due to air / vapor displacement of
| |
| : 4. f water.
| |
| Vortex formation'in the SCS suction line is a function of '
| |
| RCS water level and' SCS flourate. The higher the SCS y( flowrate, the higher the hot leg level must be maintainu to !
| |
| preclude vortexing. Requiring an adequate fluid level in l the hot leg above the level at which vortexing occurs at the maximum allowable SCS flowrate will ensure that the suction line does not entrain air. Therefore, for all SCS flowrates, operations below [21 inches, the hot leg :
| |
| centerline), are never recommended. l 4
| |
| Accordingly, instrument inaccuracies are considered when defining the operating window for mid loop operations. The following method was chosen for the application of instrument inaccuracies. Absolute limitations on the operating window were identified. The upper limitation is the lowest hot leg level necessary for steam generator nozzle dam installation. The lower limitation, [the hot leg centerline), is defined by the lowest level which precludes 4
| |
| air entrainment in the shutdown cooling suction line for any shutdown cooling flowrate. Instrument inaccuracies are added in a conservative direction to each of these limiting 4
| |
| levels of operation. Consequently, the operating window is made more limiting by adding the absolute value of the instrument inaccuracy to the lower limitation (the hot leg j l
| |
| (continued) l SYSTEM 80+ B 3.3-205 Rev. 00 zl6A Tech Spec'. Bases
| |
| | |
| Reactor Power Monitoring - Instrumentation B 3.3.14 O
| |
| BASES BACKGROUND centerline) and subtracting the absolute value of the (continued) inaccuracy from the upper limitation (steam generator nozzle dam installation level).
| |
| The instrumentation provided for monitoring RCS water level, temperature, SCS performance and reactor vessel level will significantly reduce risk associated with SCS operation at low RCS water levels and RCS drain down conditions provided the instrumentation is placed in service and verified operable prior to the start of the draining evolution.
| |
| APPLICABLE In MODE 5 and in MODE 6 with RCS water level < [120']
| |
| SAFETY ANALYSIS elevation an accurate assessment is required of RCS conditions to enhance monitoring capabilities for prevention of loss of shutdown cooling, provide for a timely response to a loss of shutdown cooling, and provide for accurate indication of RCS level and reactor vessel level during drain down evolutions.
| |
| The instrumentation provided for Reactor Coolant Monitoring satisfies Criterion 3 of the NRC Policy Statement.
| |
| LC0 The LCO requires a specified number of MEASUREMENT CHANNELS for each function in Table 3.3.14-1 to be operable in order to closely monitor RCS operating parameters to assist in preventing a loss of core heat removal capabilities and ensure a timely response to a loss of shutdown cooling event or RCS drain down event.
| |
| The requirement of two independent MEASUREMENT CHANNELS for monitoring RCS level ensures that continuous monitoring capability during RCS draindown is available. The level indicators provide indication from the pre-drain down normal level to a level below that necessary for SCS operation.
| |
| The requirement for one wide range and one narrow range level indicator ensures that sufficient instrumentation is available to cover draining from the pressurizer to the bottom of the hot leg and to accurately display the level within the hot leg once that level is reached.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-206 Rev. 00 16A Tech Spec Bases
| |
| | |
| Reactor Power Monitoring - Instrumentation B 3.3.14 V
| |
| BASES LC0 The requirement of two independent MEASUREMENT CHANNELS for (continued) monitoring RCS temperature ensures that continuous indication of temperature representative of c /e exit conditions is available regardless of reactor vessel head status.
| |
| The requirement of two independent MEASUREMENT CHANNELS for monitoring SCS performance in the division on service for decay heat removal ensures that sufficient instrumentation is available at all times to detect a degradation in SCS performance. The required number of MEASUREMENT CHANNELS for SCS performance is modified by a Note in Table 3.3.14-1.
| |
| This Note ensures each required shutdown cooling division has OPERABLE instrumentation.
| |
| The requirement of two independent MEASUREMENT CHANNELS for monitoring reactor vessel level ensures that monitoring capability is available during RCS draindown or loss of inventory events when the vessel head is in place.
| |
| (~/
| |
| APPLICABILITY This LC0 is applicable in accordance with Table 3.3.14-1.
| |
| This ensures that the required MEASUREMENT CHANNELS are provided to avoid causing or contributing to a loss of shutdown cooling, to aid in correctly interpreting a loss of shutdown cooling, should one occur, to assist in the restoration of decay heat removal, should a loss occur, to avoid causing or contributing to a RCS drain down event, and to be able to readily identify and recover from a loss of inventory event, should the event occur. The Appicability for reactor vessel level instrumentation is modified by a Note in Table 3.3.14-1. This Note a' lows for the disconnecting and reconnecting of the instrumentation cabling during MODE 5.
| |
| ACTIONS A.1. A.2. A.3. and A.4 Wide range MEASUREMENT CHANNELS available for monitoring RCS level include the two (2) dp based water level sensors and the two (2) HJTC's in the Integrated Core Cooling Instrumentation System. Any one (1) of these four (4) p 1 r
| |
| C' (continued)
| |
| SYSTEM 80+ B 3.3-207 Rev. 00 16A Tech Spec Bases
| |
| | |
| Reactor Power Monitoring - Instrumentation B 3.3.14 9
| |
| BASES ACTIONS A.I. A.2. A.3. and A.4 (continued)
| |
| MEASUREMENT CHANNELS being OPERABLE will satisfy compliance with the LC0 for wide range indication.
| |
| In the event that all wide range (WR) level MEASUREMENT CHANNELS are declared inoperable, immediate action must be taken to restore this indication.
| |
| NR RCS level shall be monitored and recorded [every 10 minutes). While every attempt is being made to restore WR level indication, conditions such as RCS temperature and SCS performance shall be monitored and recorded [every 30 minutes] .o determine if a trend is developing.
| |
| B.I. B.2. B.3. B.4. and B.5 Narrow range MEASUREMENT CHANNELS available for monitoring RCS level include the two (2) dp based water level sensors and the two (2) refueling water level HJTC's. Any one (1) of these four (4) MEASUREMENT CHANNELS being OPERABLE will satisfy compliance with the LC0 for narrow range indication.
| |
| In the event that all r.orrow range (NR) level MEASUREMENT CHANNELS are declared inoperable, immediate action must be taken to restore this indication. NR level indication is necessary to accurately determine RCS level.
| |
| It is also necessary to take action to restore RCS level to greater than the elevation of [120'] immediately. This is required because of ti:e relatively small amount of coolant in the reactor vessel during low inventory conditions.
| |
| During MID-LOOP operation, boiling in the core could take place in as little as (15 to 20] minutes if the SCS were to become air bound due to an undetected reduction in RCS level.
| |
| The WR level indication shall be monitored and recorded every [10] minutes due to the loss of the preferred means of level indication. While every attempt is being made to restore FR level indication, conditions such as RCS temperature and SCS performance shall be monitored and recorded (every 30 minutes] to determine if a trend is developing.
| |
| (continued)
| |
| SYSTEM 80+ B 3.3-208 Rev. 00 16A Tech Spec Bases
| |
| | |
| i Reactor Power Monitoring - Instrumentation B 3.3.14 V
| |
| BASES I
| |
| ACTIONS C.1. C.2. C.3. and C.4 (continued)
| |
| Several (as many as eight or more could be available at one ,
| |
| time) independent temperature measurements representative of l core exit temperature are provided.
| |
| MEASUREMENT CHANNELS available for monitoring RCS temperature include the four (4) RTDs in the RCS hot legs (2 per hot leg), the two (2) refueling water HJTC sensors, the i four (4) SCS RTDs (heat exchangers inlet and return lines) I and the CETs. Any two (2) of these independent MEASUREMENT CH4NNELS being OPERABLE will satisfy compliance with the LCO l for RCS temperature indication. j In the event that required RCS temperature monitoring has l been reduced to a single CHANNEL of temperature indication, immediate action shall be taken to restore RCS temperature monitoring to at least two independent CHANNELS.
| |
| I Frequent monitoring [every 30 minutes] of the RCS level, SCS A performance, and the OPERABLE temperature CHANNEL ensures V awareness of any trends to identify potential for a loss of ,
| |
| shutdown cooling. j l
| |
| D.1. D.2. D.3. and D.4 In the event that none of the required RCS temperature monitoring capability is available, immediat' action shall be taken to restore RCS temperature monitoring .:o at least one CHANNEL to OPERABLE status. !!1so, since temperature indication is valuable in determining decay heat removal adequacy, as well as guiding SCS restoration actions and monitoring the success of recovery actions, it is necessary to take action to restore RCS level to greater than the elevation of [120'] immediately if temperature MEASUREMENT CHANNELS are not available. During the time period that RCS temperature MEASUREMENT CHANNELS are not available, SCS performance and RCS level shall be monitored and recorded every [10] minutes.
| |
| O (continued)
| |
| SYSTEM 80+ B 3.3-209 Rev. 00 16A Tech Spec Bases
| |
| | |
| Reactor Power Monitoring - Instrumentation B 3.3.14 O
| |
| BASES ACTIONS E.1. E.2. E.3. and E.4 (continued)
| |
| In the event that SCS performance monitoring capability is not available, immediate action shall be taken to restore SCS performance monitoring to at least two independent channels. During the time period that SCS performance channels are not available, RCS temperature and RCS level shall be monitored and recorded [every 10 minutes).
| |
| An additional action is provided to place the other division of SCS in operation. A [two hour] time period is stated to allow the operators to safely secure the running SCS division and restart the other division should a MID-LOOP condition exist.
| |
| F.1 and F.2 The HEASUREMENT CHANNELS available for monitoring reactor vessel level includes two (2) HJTCs in the Integrated Core Cooling Instrumentation System and two (2) refueling water level HJTCs. Any two (2) of these four (4) MEASUREMENT CHANNELS being OPERABLE will satisfy compliance with the h
| |
| LCO.
| |
| In the event that one of the required reactor vessel level MEASUREMENT CHANNELS becomes inoperable, immediate action shall be taken to restore the CHANNEL to OPERABLE status.
| |
| In addition, the OPERABLE CHANNEL shall be monitored and recorded [Every 2 hours].
| |
| G.I. G.2. G.3. and G.4 In the event that none of the required reactor vessel level monitoring capability is available, immediate action shall be taken to restore reactor vessel level monitoring to at least one CHANNEL to OPERABLE status. Also, since level indication is valuable for ensuring adequate inventory, immediate action shall be taken to establish restrictions for changing RCS inventory. During the time that reactor vessel level MEASUREMENT CHANNELS are not available, RCS level (WR and NR) and SCS performance thall be monitored and recorded [once per hour].
| |
| (continued)
| |
| O1' SYSTEM 80+ B 3.3-210 Rev. 00 16A Tecn Spec Bases i
| |
| j
| |
| | |
| Reactor Coolant Monitoring - Instrumentation ,
| |
| B 3.3.14 ,
| |
| .p V
| |
| , BASES (continued)
| |
| SURVEILLANCE SR 3.3.14.1 REQUIREMENTS This Surveillance requires verification of the WR and NR RCS ,
| |
| level channels in service for monitoring level by performing a CHANNEL CHECK to determine the channels are consistent with one another.
| |
| The Data Processing System (DPS) continuously performs a cross CHANNEL comparison and will institute an alarm to warn !
| |
| operators that a CHANNEL has drifted out-of-tolerance or is not working properly. Should the DPS become inoperable the required CHANNEL CHECK shall be performed once [every 6 ,
| |
| : hours) (twice per shift) by the control room operators. ,
| |
| The Frequency of [every 6 hours) is based on the importance of RCS level indication during these operating conditions and the ability to verify normal expected drift. .
| |
| SR 3.3.14.2 O This Surveillance requires verification of the RCS :
| |
| V temperature CHANNELS in service used for monitoring core 1 exit /RCS temperature. This is accomplished by performing CHANNEL CHECK to determine the temperature CHANNELS are consistent with one another.
| |
| The Data Processing System (DPS) continuously performs a cross CHANNEL comparison and will institute an alarm to warn
| |
| : operators that a CHANNEL has drifted out-of-tolerance or is
| |
| ; not working properly. Should the DPS become inoperable the required CHANNEL CHECK shall be performed once [every 6 hours] (twice per shift) by the control room operators.
| |
| The Frequency of [every 6 hours] is based on the importance of RCS temperature indication during these operating conditions and the ability to verify normal expected drift.
| |
| o l
| |
| (continued) l SYSTEM 80+ B 3.3-211 Rev. 00 16A Tech Spec Bases l l
| |
| 1
| |
| | |
| Reactor Coolant Monitoring - Instrumentation B 3.3.14 O
| |
| BASES SURVEILLANCE SR 3.3.14.3 REQUIREMENTS (continued) This Surveillance requires verification of the SCS performance channels in service used for monitoring decay heat removal capability. This is accomplished by performing CHANNEL CHECK to determine the SCS performance channels are consistent with one another.
| |
| The Data Processing System (DPS) continuously performs a cross CHANNEL comparison and will institute an alarm to warn operators that a CHANNEL has drifted out-of-tolerance or is not working properly. Should the DPS become inoperable the required CHANNEL CHECK shall be performed once [every 6 hours] (twice per shift) by the control room operators.
| |
| The Frequency of [every 6 hours) is based on the importance of SCS performance indications during these operating conditions and the ability to verify normal expected drift.
| |
| SR 3.3.14.4 This Surveillance requires verification of the reactor vessel level CHANNELS in service for monitoring level by performing a CHANNEL CHECK to determine the CHANNELS are consistent with one another.
| |
| The Data Processing System (DPS) continuously performs a j cross CHANNEL comparison and will institute an alarm to warn operators that a CHANNEL has drifted out-of-tolerance or is not working properly. Should the DPS become inoperable the '
| |
| required CHANNEL CHECK shall be performed once [every 6 hours] (twice per shift) by the control room operators.
| |
| The Friauency of [every 6 hours] is based on the importance l of reactor vessel indication during these operating l conditions and the ability to verify normal expected drift. i SR 3.3.14.5 ,
| |
| i Performance of a CHANNEL CALIBRATION of the MEASUREMENT j CHANNELS in use for monitoring RCS/SCS parameters ensures that the CHANNELS have been recently calibrated and are (continued) Oi '
| |
| 1 SYSTEM 80+ B 3.3-212 Rev. 00 16A Tech Spec Bases
| |
| | |
| r Reactor Coolant Monitoring - Instrumentation B 3.3.14
| |
| .O-BASES SURVEILLANCE SR 3.3.14.5 (continued)
| |
| GEQUIREMENTS reading accurately within specified tolerances prior to placing them in service and declaring them OPERABLE for inventory monitoring.
| |
| This calibration requirement of [60 days] is intended to be - ;
| |
| more restrictive than the normal calibration frequencies !
| |
| specified for a particular MEASUREMENT CHANNEL that may already be in service for other plant monitoring purposes. ,
| |
| REFERENCES 1. Appendix 19.8A, Shutdown Risk Evaluation.
| |
| . 2. NUREG-1449, Shutdown and Low-Power Operation at
| |
| - Commercial Nuclear Power Plants in the United States, Draft Report, February 1992.
| |
| (
| |
| 4 t
| |
| /\~
| |
| O SYSTEM 80+- B 3.3-213 Rev. 00 16A Tech Spec Bases
| |
| | |
| 2 i
| |
| j i
| |
| RCS Pressure, Temperature and Flow Limits B 3.4.1 r
| |
| [ LB3.C REACTOR COOLANT SYSTEM (RCS)
| |
| ~
| |
| B 3.4.1 RCS Pressure, Temperature and Flow Limits
| |
| ; BASES i
| |
| j BACKGROUND These Bases address requirements for maintaining Reactor
| |
| : Coolant System (RCS) pressure, . temperature, and flow rate 1 L within limits assumed in the safety analyses.
| |
| i The safety analyses (Ref.1) normal operating conditions and j Anticipated. Operational Occurrences (A00s) assume initial d i conditions within the normal steady: state envelope. ~ The .;
| |
| limits placed on DNB related parameters ensure that. these >
| |
| - . parameters will not be less conservative than were assumed i in the safety analyses and thereby provide assurance that 1
| |
| J. the minimus Departure from Nucleate Boiling Ratio (DNBR)
| |
| ~
| |
| will meet the required criteria for each of the transients ,
| |
| y analyzed. ;
| |
| 3 The LCO limits for the minimum and maximum RCS pressures as
| |
| , measured at the pressurizer are consistent with operation within the nominal operating envelope and are bounded by
| |
| ,O those used as the initial pressures in the safety analyses.
| |
| The LCO limits for minimum and maximum RCS cold leg temperatures are consistent with operation at the indicated power level and are bounded by those used as the initial
| |
| ; temperatures in the safety analyses.
| |
| I The LCO limits for minimum and maximum RCS flow rates are bounded by those used as the initial flow rates in the f~ safety analyses. The RCS flow rate is not expected to vary i 9
| |
| during plant operation with all pumps running. ;
| |
| ; APPLICABLE The requirements of LCO 3.4.1 represent the initial SAFETY ANALYSES conditions for DNB limited transients analyzed in the safety '
| |
| analyses (Ref.1). .The safety analyses have shown that transients initiated from the limits of this LCO will meet .,
| |
| the DNBR critarion of a: [1.24]. This is.the acceptance -
| |
| limit for the RCS DNB parameters. Changes to the facility i that could impact these parameters must _ be' assessed for their impact on the DNBR criterion. . The transients. analyzed include loss of coolant flow events and dropped or stuck (continued)
| |
| SYSTEM'80+ B 3.4-1 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Pressure, Temperature and Flow Limits B 3.4.1 O
| |
| BASES APPLICABLE Control Element Assembly (CEA) events. A key assumption for SAFETY ANALYSES the analysis of these events is that the core power (continued) distribution is within the limits of LCO 3.1.7, " Regulating Control Element Assembly (CEA) Insertion Limits"; LCO 3.1.8, "Part Strength Control Element Assembly WEA) Insertie9 Limits"; LC0 3.2.3, " AZIMUTHAL POWER TILT (Tq )"; and LCO 3.2.5, " AXIAL SHAPE INDEX (ASI)." The Safety Analyses are performed over the following range of initial values: RCS pressure [2175-2325] psig, core inlet temperature
| |
| [543-561] *F, and reactor vessel inlet coolant flow rate
| |
| [95-116]% of [445,600] gpm.
| |
| The RCS DNB limits satisfy Criterion 2 of NRC Policy Statement.
| |
| LC0 This LCO specifies limits on the monitored process vari-ables: pressurizer pressure, RCS cold leg temperature, and RCS total flow rate to ensure that the core operates within the limits assumed for the plant safety analyses. Operating within these limits will result in meeting the DNBR criterion in the event of a DNB limited transient.
| |
| The LC0 numerical values for pressure, temperature, and flow rate are given for the measurement location but have not been adjusted for instrument error. Plant specific limits of instrument error are established by the plant staff to meet the operational requirements of this LCO.
| |
| APPLICABILITY In MODES 1 and 2, the limits on pressurizer pressure, RCS cold leg temperature, and RCS total flow rate must be maintained during steady state operation in order to ensure that DNBR criteria will be met in the event of an unplanned loss of forced coolant flow or other DNB limited transient.
| |
| In all other MODES, the power level is low enough so that DNBR is not a concern.
| |
| A Note has been added to indicate the limit on pressurizer pressure may be exceeded during short term operational transients such as a THERMAL POWER ramp increase in excess of 5% RTP per minute or a THERMAL POWER step increase of >
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-2 Rev. 00 16A Tech Spec Bases
| |
| | |
| . ~
| |
| (.
| |
| RCS Pressure, Temperature and Flow Limits B 3.4.1
| |
| ,q O ,
| |
| BASES i
| |
| APPLICABILITY 10% RTP. These conditions represent short term (continued) perturbations where actions to control pressure variations might be counterproductive. Also, since they represent transients initiated from power levels < 100% RTP, an ;
| |
| increased DNBR margin exists to offset the temporary pressure variations. .
| |
| Another set of limits on DNB related parameters is provided -
| |
| in Safety Limit (SL) 2.1.1, " Reactor Core Safety Limits."
| |
| Those limits are less restrictive than the limits of this LCO, but violation of SLs merits a stricter, more severe Required Action. Should a violation of this LCO occur, the operator should check whether or not an SL may have been i exceeded.
| |
| ACTIONS Al Pressurizer pressure is a controllable and measurable parameter. With this parameter not within the LC0 limits,
| |
| ()
| |
| /"N ,
| |
| action must be taken to restore tha parameter. The two hour Completion Time is based on plant operating experience that shows the parameter can be restored in this time period.
| |
| RCS total flow rate is not a controllable parameter and is not expected to vary during steady state operation. If the '
| |
| flow rate is not within the limit, then power must be reduced, as required in ACTION B.1, to restore DNB margin and eliminate the potential for violation of the accident analysis bounds. The two hour Completion Time for restoration of the parameter provides sufficient time to adjust plant parameters, to determine the cause of the off normal condition, and to restore the readings within limits. i The Completion Time is based on plant operating experience. t N l If Required Action A.1 is not met within the associated Completion Time, the plant must be brought to a MODE in j which the LCO does not apply. To achieve this status, the j plant must be brought to at.least MODE 3 in six hours. The i six hours is a reasonable time that permits the plant power to be reduced at an orderly rate in conjunction with even
| |
| .m e (continued) l SYSTEM 80+ B 3.4-3 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Pressure, Temperature and Flow limits B 3.4.1 O
| |
| BASES ACTIONS LJ, (continued) control of steam generator heat removal. In MODE 3, the reduced power condition eliminates the potential for violation of the accident analysis bounds.
| |
| C1 RCS cold leg temperature is a controllable and measurable parameter. If this parameter is not within the LC0 limits, action must be taken to restore the parameter. The two hour Completion Time is based on plant operating experience that shows that the parameter can be restored in this time period.
| |
| D.d If Required Action C.1 is not met within the associated Completion Time, the plant must be brought to a MODE in which the LC0 does not apply. To achieve this status, the plant must be brought to at least MODE 3 in six hours. The six hours is a reasonable time that permits the plant power to be reduced at an orderly rate in conjunction with even control of steam generator heat removal. In MODE 3, the reduced power condition eliminates the potential for violation of the accident analysis bounds.
| |
| SURVEILLANCE SR 3.4.1.1 REQUIREMENTS Since Required Action A.1 allows a Completion Time of 2 '
| |
| hours to restore parameters that are not within limits, the 12 hour Surveillance Frequency for pressurizer pressure is sufficient to ensure that the pressure can be restored to a normal operation, steady-state condition following load changes and other expected transient operations. The 12 h7ur interval has been shown by operating practice to be sufficient to regularly assess degradation and verify operation within safety analysis assumptions.
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-4 Rev. 00 16A Tech Spec Bases
| |
| | |
| . . - _ = ,
| |
| L
| |
| \
| |
| ' RCS Pressure, Temperature and Flow Limits !
| |
| B 3.4.1 P
| |
| BASES SURVEILLANCE E!L 3.4.1.2 ,
| |
| , REQUIREMENTS .
| |
| (continued) Since Required Action A.1 allows a Completion Time of 2 -
| |
| hours to restore parameters that are not within limits, the 12 hour Surveillance Frequency for RCS cold leg temperature is sufficient to ensure that the RCS coolant temperature can ,
| |
| be restored to a normal operation, steady-state condition .
| |
| following load changes and other expected transient operations. The 12 hour interval has been shown by operating practice to be sufficient to regularly assess for i potential degradation and to verify operation is within l safety analysis assumptions. j SR 3.4.1.3 ,
| |
| I The 12 hour Surveillance Frequency for RCS total flow rate i is performed using the installed flow instrumentation. The ;
| |
| 12 hour interval has been shown by operating experience to i be sufficient to assess for potential degradation and to i verify operation is within safety analysis assumptions.
| |
| This SR is modified by a Note which only requires '
| |
| performance of this SR in MODE 1. The Note is necessary to allow measurement of RCS flow at normal operating conditions at power with all RCPs running.
| |
| SR 3.4.1.4 Measurement of RCS total flow rate by performance of a precision calorimetric heat balance once every [18] months.
| |
| This allows the installed RCS flow instrumentation to be calibrated and verifies that the actual RCS flow is within the bounds of the analyses.
| |
| The Frequency of (18] months reflects the importance of verifying flow after a refueling outage where the core has been altered, which may have caused an alteration of flow j resistance. !
| |
| i
| |
| )
| |
| (continued) i SYSTEM 80+ _ B 3.4-5 Rev. 00 i 16A Tech Spec Bases ;
| |
| i
| |
| | |
| RCS Pressure, Tenperature and Flow limits B 3.4.1 O
| |
| BASES SURVEILLANCE SR 3.4.1.4 (continued)
| |
| REQUIREMENTS The SR is modified by a Note which states the SR is only required to be met (24) hours after reaching 90% RTP. The Note is necessary to allow measurement of the flow rate at normal operating conditions at power in MODE 1. The Surveillance cannot be performed in MODE 2 or below, and will not yield accurate results if performed below 90% RTP.
| |
| i REFERENCES 1. Chapter 15.
| |
| O O
| |
| SYSTEM 80+ B 3.4-6 Rev. 00 16A Tech Spec Bases
| |
| | |
| 1
| |
| )
| |
| t' RCS Minimum Temperature for Criticality j B 3.4.2 :
| |
| 'O B 3.4 REACTOR COOLANT SYSTEM (RCS) i B 3.4.2. RCS Minimum Temperature for Criticality l BASES 1
| |
| BACKGROUND Establishing the value for the minimum temperature for reactor criticality is based upon considerations for: 1) operation within the existing instrumentation ranges and accuracies, 2) operation within the bounds of the existing l accident analyses and 3) operation with the reactor vessel !
| |
| above its minimum nil ductility reference temperature when ,
| |
| the reactor is critical. he reactor. protection system j receives inputs from the narrow range hot leg temperature i detectors which have a range of [520*F to 620*F], and the :
| |
| integrated control system controls. average temperature- .i n (T ) using inputs of the same range. Nominal temperature {
| |
| < T for making the reactor critical is'[543*F]. 1 T@oretically there is no specific minimum temperature '!
| |
| design constraint for making the reactor critical. There do ;
| |
| [ not appear to be any fundamental material- or equipment .
| |
| limitations which would prevent adoption of a lower minimum. l i- However, selection of instrument ranges and analysis inputs !
| |
| was done in anticipation of [543*F] being the minimum i temperature at which criticality would occur. Safety and operating analyses for lower temperatures have not been
| |
| - made. Plants have not beel licensed for low temperature criticality and licensing regulations permitting criticality below the normal power operating range have not been developed for commercial power reactors.
| |
| ! APPLICABLE There are no accident analyses which dictate the minimum SAFETY ANALYSES temperature for criticality,but all low power safety analyses assume initial temperatures no lower than [543 F]
| |
| limit (Ref. 1).
| |
| The RCS minimum temperature for criticality satisfies Criterion 2 of the ERC Policy Statement.
| |
| 2 LC0- The' purpose of the LC0 is to prevent criticality outside the normal: operating range (543-561*F]. While it is theoretically possible to operate the reactor at critical (continued).
| |
| SYSTEM 80+ B 3.4-7 Rev. 00
| |
| :16A Tech Spec Bases.
| |
| , - - - . .- - - - - . . -. 1
| |
| | |
| i l
| |
| RCS Minimum Temperature for Criticality 1 B 3.4.2 BASES
| |
| * l i
| |
| LCO conditions at lower temperatures, specific design features (continued) have been included and analyses have been performed on the basis that it is neither necessary nor desirable to do so.
| |
| Consequently, this LC0 prevents operation in an unanalyzed regime.
| |
| The LC0 is only applicable below [550*F] and provides a reasonable distance to the limit of [543 F]. This allows adequate time to trend its approach and take corrective actions prior to exceeding the limit.
| |
| APPLICABILITY The reactor has been designed and analyzed to be critical in MODES 1 and 2 only, and in accordance with this specification, criticality is not permitted in any other MODE. Therefore, this LC0 is applicable in MODE 1 and MODE 2 when K , a 1.0. Coupled with the Applicability definiti,on, for criticality is a temperature limit.
| |
| Monitoring is required at or below a T of [550 F]. The no-load temperature of [557 F] is maiIi?ainedbythesteam bypass system.
| |
| ACTIONS Ad If T is below [543 F], rapid reactor shutdown can Le readliyandpracticallyachievedwithina30minuteperiod.
| |
| The plant must be brought to a MODE in which the LC0 does not apply. To achieve this status, the plant must be brought to MODE 3 within 30 minutes. The allowed time reflects the ability to perform this action and maintain the plant within the analyzed range.
| |
| SURVEILLANCE SR _3.4.2.1 REQUIREMENTS T is required to be verified 2 [543 F] within 15 minutes pFfor to achieving criticality and every 30 minutes thereafter when the MODE requirements apply. The 15 minute time period allows the operator to adjust temperatures or (continued)
| |
| SYSTEM 80+ B 3.4-8 Rev. 00 16A Tech Spec Bases
| |
| | |
| 1 RCS Minimum Temperature for Criticalf ty B 3.t.2 O -
| |
| BASES SURVEILLANCE SR 3.4.2.1 (continued) '
| |
| REQUIREMENTS delay criticality so the LCO will not be violated. The 30 ,
| |
| minute time is frequent enough to prevent inadvertent '
| |
| violation of the LCO.
| |
| While this Surveillance is required whenever the reactor is critical and temperature is at or below [550*F], in practice the Surveillance is most appropriate during the period when the reactor is brought critical. Because the operator would likely verify average RCS temperature more often than required by this Surveillance, it is less restrictive than '
| |
| normal operating practice.
| |
| REFERENCES 1. Chapter 15.
| |
| O V
| |
| i 4
| |
| O SYSTEM 80+ B 3.4-9 Rev. 00 16A Tech Spec Bases
| |
| | |
| 1 I
| |
| RCS P/T Limits B 3.4.3 8 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.3 RCS Pressure and Temperature (P/T) Limits l l
| |
| BASES I
| |
| BACKGROUND All components of the RCS are designed to withstand effects )
| |
| of cyclic loads due to system pressure and temperature changes. These loads are introduced by startup (heatuo) and shutdown (cooldown) operations, power transients, and ;
| |
| reactor trips. This LCO limits the pressure and temperature i changes during RCS heatup and cooldown, within the design assumptions and the stress limits for cyclic operation.
| |
| Pressure and Temperature (P/T) limit curves for heatup, cooldown, and Inservice Leak and Hydrostatic testing (ISLH),
| |
| and data for the maximum allowable rate of change of reactor i coolant temperature are in the Pressure and Temperature l Limits Report (PTLR). Both sets of curves also provide l criticality limits and regions of unallowed operation. l l
| |
| The P/T limit curves define an acceptable region for normal l operation. The usual use of the curves is operational J l
| |
| guidance during heatup and cooldown maneuvering where loop temperature and pressure indications are monitored and compared to the curves to determine that operation is within the allowable region. The limit for the allowable rate-of-change of temperature is similarly monitored by predicting the temperature change over a fixed time period and comparing it to the limit.
| |
| The purpose of this LC0 is to establish operating limits that provide a wide margin to non-ductile (brittle) failure of major piping and pressure vessel components of the Reactor Coolant Pressure Boundary (RCPB). Of the major components within the RCPB, the reactor vessel, is most subject to brittle failure and therefore is the component for which the Technical Specification limits are most pertinent. The limits do not apply to the pressurizer, which had different design characteristics and operating functions.
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-10 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS P/T Limits :
| |
| B 3.4.3 l q
| |
| BASES BACKGROUND The origin of the P/T limits is found in Appendix G to 10 !
| |
| (continued) CFR 50 (Ref. 1). Appendix G requires that limits be established based on specific fracture toughness require-ments for RCPB materials such that an adequate margin to brittle failure will be provided during normal operation, anticipated operational occurrences, and system hydrostatic tests. 10 CFR 50 Appendix G mandates the use of the American Society of Mechanical Engineers (ASME) Code, Section III, Appendix G (Ref. 2).
| |
| 1he concern addressed by 10 CFR 50 Appendix G is that undetected flaws could exist in the RCPB components which, if subjected to unusual pressure and/or thermal stresses, could result in non-ductile failure. Certain RCS P/T-combinations can create stress concentrations at flaw locations. If the stress concentrations are of sufficient
| |
| :::agnitude, flaw growth can result in failure before the ultimate strength of the material is attained. Flaw growth is resisted by the material toughness and toughness can cause flaw growth to be arrested. Toughness is a property .
| |
| that varies with temperature and is lower at room l
| |
| (' temperature than operating temperature. Furthermore, the ;
| |
| material toughness is affected by neutron flux which causes (
| |
| the steel ductility to decrease. The effect of flux is cumulative and ductility steadily decreases with exposure time. Only the vessel beltline region is in a high neutron J flux area. Toughness is also dependent on the chemistry of the base metal, weld metal, and heat affected zona metal and i their impurities.
| |
| One indicator used to indicate the temperature effect on ductility is the Nil-Ductility Temperature, NDT (formerly called the Nil-Ductility Transition Temperature, NDTT). The NDT for the steel alloy used in vessel fabrication has been established by testing. The NDT is a temperature below which non-ductile (brittle) fracture failure may occur. ;
| |
| Ductile failure may occur above the NDT. The exact temperature value cannot be determined very precisely.
| |
| has been Consequently a reference temperature established by experimental means. The neu (RT ,) tron embrittlement effect on the material toughness is reflected by increasing the RT 7 as exposure to neutron flux increases. In effect, the temperature at which brittle
| |
| ' failure can occur increases. Regulatory Guide 1.99 (Ref. 3)
| |
| <- provides guidance for evaluating the effect of neutron flux.
| |
| h
| |
| 'J (continued)
| |
| SYSTEM 80+ B 3.4-11 Rev. 00 16A Tech Spec Bases
| |
| | |
| l RCS P/T Limits B 3.4.3 O
| |
| BASES BACKGROUND To assist in evaluating the amount of RT,37 shift to be (continued) applied, surveillance specimens, made up of samples of reactor vessel material, are periodically withdrawn and analyzed in accordance with ASTM E 185 (Ref. 5) and Appendix H of 10 CFR 50 (Ref. 6).
| |
| increases with vessel exposure to neutron flux As the RT,3'erial and the mat toughness decreases, the P/T limit curves are correspondingly adjusted, thus giving limits that provide pressure boundary protection over the design life of the vessel. The effect of the RT 1 shift is to cause the pressure limit to decrease at a g ,iven temperature.
| |
| This specification provides two types of limits:
| |
| Reactor coolant P/T curves that define allowable operating regions
| |
| - Limits on the allowable rate-of-change of temperature of the reactor coolant which provide limit:; on the thermal gradients through the walls of the vessel and thus limits tensile stresses in the vessel wall.
| |
| In use, the P/T curves are primarily for prevention of non-ductile failure, whereas the rate-of-change of temperature limits assist in prevention of both ductile and non-ductile failure.
| |
| The three curves (heatup, cooldown, and ISLH) are composite cur es established by superimposing limits derived from stress analyses for those portions of the reactor vessel and head that are most restrictive. At any specific pressure, temperature, and temperature rate-of-change, one location within the geometry of the reactor vessel or head will dictate the most restrictive limit. Across the entire pressure and temperature span of the limit curves, different locations are most restrictive and thus the curves are composites of the most restrictive regions.
| |
| The heatup curves represent a different set of restrictive elements than the cooldown curves because the thermal gradients through the vessel wall are reversed. The thermal gradient reversal tends to alter the location of the tensile (continued)
| |
| SYSTEM 80+ 8 3.4-12 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS P/T Limits B 3.4.3 O
| |
| BASES BACKGROUND stress from outer to inner walls. The ISLH curve values use (continued) different calculation safety factors (per ASME Appendix G) from the heatup and cooldown curves.
| |
| The ISLH curves also extend to the higher pressure (3125 psia) to bound the test range. The curves have been developed for heatup, ISLH testing, and cooldown in conjunction with stress analyses to allow a large number of l operating cycles and also provide a conservative margin to non-ductile failure. The heatup and cooldown curves also ,
| |
| contains a limit defining the minimum P/T for criticality.
| |
| The criticality limit includes the Reference I requirement that the limit be a 40 F above the heatup curve or the cooldown curve and not less than the minimum permissible temperature for the ISLH testing. However, the criticality limit is not operationally limiting; a more restrictive limit exists in LCO 3.4.2, "RCS Minimum Temperature for i Criticality." l
| |
| )
| |
| A This specification requires a post-event evaluation if the 1
| |
| ( limits are violated. The evaluation may take different forms !
| |
| depending on the severity of the violation and can include: ,
| |
| comparisons to existing pre-analyzed transients already contained in the stress analysis, new stress analysis, component inspection, or other. One method that may be used is the guidance given by ASME XI Appendix E (Ref. 4).
| |
| Appendix E is simplified and permits a quick review, but it is limited in application (only the vessel beltline).
| |
| Although the P/T limits have been created primarily for monitoring the vessel and head, a severe violation may indicate a need to also review the condition of other RCS components.
| |
| APPLICABLE The P/T limits are not derived from Design Basis Accident SAFETY ANALYSES (DBA) analyses presented in the CESSAR-DC except as noted below, but are prescribed as guidance used during normal operation to avoid encountering pressure, temperature, and temperature rate-of-change conditions which might cause undetected flaws to propagate, resulting in non-ductile failure of the RCPB, an unanalyzed condition.
| |
| t (continued)
| |
| SYSTEM 80+ B 3.4-13 Rev. 00 16A Tech Spec Bases
| |
| | |
| I RCS P/T Limits B 3.4.3 i BASES O\
| |
| APPLICABLE Steam line break and other increased heat removal events SAFETY ANALYSES require a SIAS on low pressurizer pressure to ensure (continued) subcriticality via boration for events postulated to be initiated at relatively high RCS temperatures. The pressurizer temperature will not drop sufficiently to cause a SIAS for these events if the combination of pressurizer pressure and temperature is not maintained above the limit specified by the region of unallowed operation in Figures 3.4.3-1A and B.
| |
| Linear Elastic Fracture Mechanics (LEFM) methodology, following the guidance given by 10 CFR 50 Appendix G, ASME III Appendix G, and Regulatory Guide 1.99, is used to determine the stresses and material toughness at locations within the RCPB. Although any region within the pressure boundary is subject to non-ductile failure, the regions that provide the most restrictive limits are the vessel closure head, the outlet nozzles, and the vessel beltline. With increasing neutron flux, the vessel beltline becomes the most restrictive region.
| |
| A number of analytical steps comprise the overall analyses that establish the limits. The following summarizes the h
| |
| basic elements:
| |
| : 1. Define the temperature profile for heatuo and cool-down. The reactor coolant temperature rate-of-change is defined so that normal plant operation can readily proceed without constraint. Cooldown and ISLH rates-of-change have been similarly defined. These rates-of-change become LC0 limits as well as the basis for heat transfer calculations.
| |
| : 2. Perform heat transfer calculations to determine the thermal gradient through the reactor vessel walls.
| |
| The analyses account for variance of flow rate and consequent changes in the rate of heat transfer between the reactor coolant and the walls during different stages of heatup and cooldown when the number of operating reactor coolant pumps change.
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-14 Rev 00 16A Tech Spec Bases
| |
| | |
| RCS P/T Limits B 3.4.3 BASES 1
| |
| APPLICABLE 3. Establish the material touahness as a function of !
| |
| SAFETY ANALYSES % ASME Section III, Appendix G provides the basis (continued) for RT and Regulatory Guide 1.99 provides the basis foradYustingRT as a function of neutron flux and i materialsconstiIu'entsandimpurities. j of the beltline region The actual shift in RT material will be estabfi 'shed periodically during !
| |
| operation by removing and evaluating the reactor ;
| |
| vessel material irradiation surveillance specimens installed near the inside wall of the reactor vessel in the core area. Since the neutron spectra at the 3 irradiation samples and vessel inside radius are i essentially identical, the measured transition shift for a sample can be applied to the adjacent section of the reactor vessel. The limit curves must be i recalculated when the RT determined from the !
| |
| surveillance capsule is fi'fferent from the calculated RT , for the equivalent capsule radiation exposure.
| |
| Perform a LEFM analysis to establish the pressure and p
| |
| V 4.
| |
| temperature limits. Stress analyses are performed and the criteria for setting the limits is that the !
| |
| combined temperature and pressure stresses cannot exceed the material toughness for the specific temperature under examination. Analytical stress
| |
| . concentration at each location under examination is driven by postulating specific flaw sizes. Stress intensity factors for pressure and temperature are calculated and are compared to a reference stress intensity factor. Safety factors are applied to the pressure stress intensity factor.
| |
| : 5. Measurement Ad.iustment - The curves are adjusted for differences in elevation between the instrumentation tap location and the location of interest (beltline, etc.) and are adjusted for the system pressure losses for the number of reactor coolant pumps that are operated at different stages of heatup or cooldown.
| |
| 1 (continued) l SYSTEM 80+ B 3.4-15 Rev. 00 16A. Tech Spec Bases i
| |
| 1 l
| |
| | |
| RCS P/T Limits B 3.4.3 O
| |
| BASES APPLICABLE 6. The limiting curves for criticality are developed SAFETY ANALYSES based on the methods prescribed in 10 CFR 50 Appendix (continued) G. This method limits the minimum temperature to 40*F above the governing P/T curve and not less than the minimum permissible temperature for the ILHT curve.
| |
| Instrument errors are estimated and the curves include adjustments to pressure and temperature.
| |
| The RCS.P/T limits satisfy Criterion 2 of the NRC Policy Statement.
| |
| LCO The two elements of this LC0 are:
| |
| : 1. The limit curves (Figures 3.4.3-IA and 3.4.3-18) for a) heatup, b) cooldown, and c) ISLH; and
| |
| : 2. Limits on the rate-of-change of temperature.
| |
| The LC0 limits apply to all components of the RCS, except the pressurizer.
| |
| These limits define allowable operating regions and permit a large number of operating cycles while providing a wide margin to nonductile failure.
| |
| The rate-of-change of temperature limits control the thermal gradient through the walls and is used as input for calculating the heatup, cooldown, and ISLH limit curves.
| |
| Thus, the LC0 for the rate-of-change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves.
| |
| Violation of the limits places the reactor vessel outside of the bounds of the stress analysis and can increase stresses in other RCPB components. The consequences to the reactor vessel and other RCS components depends on several factors including the nyerity of the departure from the allowable operating pressure temperature regime or the severity of the rate of change of temperature. The consequences also depend on the length of time that the limits were violated (longer violations allow the temperature gradient in the thick walls (continued)
| |
| SYSTEM 80+ B 3.4-16 Rev. 00 16A Tech Spec Bases
| |
| | |
| i RCS P/T Limits ,
| |
| B 3.4.3
| |
| ' BASES-i LCO of the vessel to become more pronounced), and the j
| |
| : (continued) consequences also depend on the existences, sizes and orientations of flaws in the vessel material. ~ Although j vessel failure is not.an expected outcome of a violation, ,
| |
| i .the possibility for failure exists. ;
| |
| i ,
| |
| 4 APPLICABILITY. The RCS P/T limits provides a definition of acceptable ;
| |
| : operation for prevention.of non-ductile failure that is in accordance with 10 CFR 50 Appendix G (Ref. 1). Although the ;
| |
| P/T limits were developed to provide guidance for operation during heatup and cooldown (MODES 3, 4, and 5) or ISLH testing, their Applicability is at all times in keeping with ,
| |
| ; the concern for non-ductile failure. ' At all times. is 1 defined to be any condition with fuel in the reactor vessel. l The limits do not apply to the pressurizer. '
| |
| However, during MODES 1 and 2, other Technical Specifications provide limits for operation that can be more restrictive than or can supplement the P/T limits. These O other LCOs include LCO 3.4.2, "RCS Minimum Temperature for Criticality," and LCO 3.4.1, "RCS Pressure, Temperature, and Flow limits." SL 2.1, safety limits for pressure and '
| |
| temperature and maximum pressure, also provides operational
| |
| ;- restrictions. In MODE 6, with the reactor vessel head detensioned or removed, the capability for violating the P/T curves does not exist, however the potential for violating the temperature rate-of-change limit remains. i i
| |
| Furthermore, in MODES 1 and 2, operation is above the
| |
| , temperature range of concern for non-ductile failure. As l, such, stress analyses have been developed in accordance with normal maneuvering profiles such as power ascension.
| |
| The actions of this LCO consider the premise that a
| |
| . violation of the limits occurred during normal plant maneuvering. Severe violations caused by abnormal transients, which may be accompanied by equipment failures,
| |
| . may also require additional actions based on emergency operating procedures.
| |
| N v
| |
| I (continued) l SYSTEM 80+ B 3.4-17 Rev. 00 .
| |
| 216A Tech Spec Bases' (2/95) i j
| |
| | |
| RCS P/T Limits B 3.4.3 O
| |
| BASES (centinued)
| |
| ACTIONS A.1 and A.2 The actions of this LC0 in MODE 1, 2, 3, or 4 consider the premise that a violation of the limits occurred during normal plant maneuvering. Severe violations caused by abnormal transients, at times accompanied by equipment failures, may also require additional actions from emergency operating procedures.
| |
| Operation outside the P/T limits must be corrected so that the RCPB is returned to a condition that has been verified by stress analysis. The Required Action is in the proper direction to reduce RCPB stress. The Completion Time of 30 minutes reflects the urgency of restoring the parameter (s) to within the analyzed range. Most violations will not be severe and the activity can be accomplished in this time in a controlled manner. However, if the activity cannot be accomplished, then the subsequent Required Actions B.1 and 8.2 require further pressure and temperature reduction.
| |
| In addition to restoration, an evaluation to determine if RCS operation may proceed is required. The Note to Required Action A.2 eliminates the requirement for this evaluation h when the operation extends to the " Region of Una11 owed Operation" since the RCS P/T limits have not been exceeded.
| |
| The purpose of the evaluation is to determine if RCPB integrity remains acceptable and must be accomplished prior to continuing operation. A variety of methods may be used for the evaluation including a comparison to pre-analyzed transients accounted for in the stress analysis, new analyses, or inspection of the components. ASME Code, Section XI, Appendix E (Ref. 4) may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline. If the evaluation cannot be accomplished in 72 hours, or if the results of the evaluation are indeterminate or unfavorable, then the next appropriate action is to proceed to further reduce pressure and temperature as given in Required Actions B.1 and B.2.
| |
| The 72 hour Completion Time is a reasonable time to accomplish the necessary activities. For a mild violation, the evaluation should be possible within this time. As part of the evaluation it may be desirable to determine what an appropriate rate of cooldown might be or if a soak period is desirable. More severe violations may require special, (continued)
| |
| SYSTEM 80+ B 3.4-18 Rev. 00 16A Tech Spec Bases
| |
| | |
| < l l
| |
| RCS P/T Limits B 3.4.3 1
| |
| BASES ACTIONS A,1 and A.2 (continued) l event specific stress analyses and/or inspections which are appropriately carried out while the RCS is in a reduced pressure and temperature condition as specified by Required Actions B.1 and B.2. A favorable evaluation must be completed before continuing to operate.
| |
| Condition A is modified by a Note requiring Required Action A.2 to be completed whenever the Condition is entered. The Note emphasize!, the need to perform the evaluation of the effects of the excursion outside the allowable limits.
| |
| Restoration alone per Required Action A.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity, i B.1 and 8.2 If a Required Action and associated Completion Time of ;
| |
| Condition A are not met, the plant must be placed in a lower i dp operating MODE because-l a) the RCS remained in an unacceptable P/T region for an i extended period of increased stress, or l b) a sufficiently severe event caused entry into an I unacceptable region. Either possibility indicates a j need for more careful examination of the event, which I is best accomplished while the RCS is in a low !
| |
| pressure and temperature state. With the plant at '
| |
| I reduced pressure conditions, the possibility of j: propagation of undetected flaws is reduced.
| |
| Pressure and temperature are reduced by placing the plant in l MODE 3 within 6 hours and in MODE 5 with RCS pressure <
| |
| [500] psig within 36 hours.
| |
| The six hour time for achieving MODE 3 is a reasonable time f'
| |
| - to reach MODE 3 from full power without challenging plant systems.
| |
| l (continued)
| |
| SYSTEM 80+ B 3.4-19 Rev. 00 16A Tech Spec Bases ,
| |
| | |
| RCS P/T Limits B 3.4.3 O
| |
| BASES ACTIONS B.1 and B.2 (continued)
| |
| The 36 hour completion time for achieving MODE 5 is reasonable based on operating experience to reach the required MODE from full power without challenging plant systems. The time permits an orderly cooldown and a soak period, if needed, or a slower average rate of cooldown
| |
| (~5 F/hr). A soak period may be desirable if the temperature rate of change limit has been violated.
| |
| C1. and C.2 The actions of this LCO, anytime othcr than in MODE 1, 2, 3, or 4, consider the premise that a violation of the limits occurred during normal plant maneuvering. Severe violations caused by abnormal transients, at times accompanied by equipment failures, may also require additional actions from emergency operating procedures. Operation outside the P/T limits must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses.
| |
| The Completion Time of "immediately" reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in a short period of time in a controlled manner.
| |
| Besides restoring operation to within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify that the RCPB integrity remains acceptable and must be completed befs continuing operation. Several methods may be useo, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components.
| |
| ASME Code, Section XI, Appendix E (Ref. 4), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.
| |
| The Completion Time of prior to entering MODE 4 forces the evaluation prior to entering a MODE where temperature and pressure can be significantly increased. The evaluation for a mild violation is possible within several days, but more (continued)
| |
| SYSTEM 80+ B 3.4-20 Rev. 00 16A Tech Spec Bases
| |
| | |
| l l
| |
| RCS P/T Limits
| |
| - B 3.4.3
| |
| . b BASES ACTIONS C1. and C.2 (continued) severe violations may require special, event specific stress analyses or inspections. ;
| |
| Condition C is modified by a Note requiring Required Action ,
| |
| C.2 to be completed whenever the condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits.
| |
| Restoration alone per Required Action C.1 is insufficient !
| |
| because higher than analyzed stresses may have occurred and may have affected the RCPB integrity. -
| |
| The Note to Required Action C.2 eliminates the requirement '
| |
| for this evaluation when the operation extends to the
| |
| " Region of Unallowed Operation" since the RCS P/T li:aits have not been exceeded. ,
| |
| SURVEILLANCE SR 3.4.3.1 i O" REQUIREMENTS Verification that operation is within the PTLR limits is '
| |
| required every 30 minutes when RCS temperature and pressure .
| |
| conditions are undergoing planned changes. The time period of 30 minutes is based on industry-accepted practice. Since ,
| |
| temperature rate-of-change limits are specified in hourly increments, a half hour time period permits assessment and correction for minor deviations within a reasonable time.
| |
| Surveillance for heatup, cooldown, or ISLH testing may be discontinued when definitions given in the plant procedures for defining the end of these conditions are satisfied.
| |
| The Surveillance is modified by a Note which states that the i Surveillance is only required during RCS system heatup, ;
| |
| cooldown, and ISLH testing. There are no Surveillance Requirements during critical operation because LCO 3.4.2, "RCS Minimum Temperature for Criticality," contains a more restrictive requirement. ,
| |
| I l
| |
| REFERENCES 1. 10 CFR 50, Appendix G, " Fracture Toughness l Requirements."
| |
| l
| |
| ~ v (continued) j SYSTEM 80+ B 3.4-21 Rev. 00 16A Tech Spec Bases
| |
| . _ _ l
| |
| | |
| RCS P/T Limits B 3.4.3 O
| |
| BASES REFERENCES 2. American Society of Mechanical Engineers (ASME),
| |
| (continued) Boiler and Pressure Vessel Code, Section III, Appendix G, " Protection Against hon-Ductile Failure."
| |
| : 3. NRC Regulatory Guide 1.99, Revision 2, " Radiation Embrittlement of Reactor Vessel Materials," May,1E88.
| |
| : 4. American Society of Mechanical Engineers (ASME),
| |
| Boiler and Pressure Vessel Code, Section XI, Appendix E, " Evaluation of Unanticipated Operating Events."
| |
| : 5. ASTM E 185-82, July 1982.
| |
| : 6. 10 CFR 50, Appendix H.
| |
| O l
| |
| i l
| |
| l 1
| |
| l l
| |
| l SYSTEM 80+ B 3.4-22 Rev. 00 ICA Tech Spec Bases l
| |
| | |
| i l
| |
| RCS 1. cops MODES 1 and 2 B 3.4.4 ;
| |
| . [,
| |
| B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.4 RCS Loops - MODES I and 2 BASES 1
| |
| BACKGROUND The primary function of 14 RCS is removal or' the heat !
| |
| generated in the fuel due to the fission process and :
| |
| transfer of this heat, via the steam generators (SGs), to the secondary plant.
| |
| The secondary functions of the RCS include: :
| |
| : a. Moderating the neutron energy level to the thermal l state, to increase the probability of fission; ,
| |
| : b. Improving the neutron economy by acting as a !
| |
| reflector;
| |
| : c. Carrying the soluble neutron poison, boric acid; ;
| |
| : d. Providing a second barrier agaivist fission product release to the environment; and
| |
| : e. Removing the heat generated in the fuel due to fission product decay following a unit shutdown.
| |
| The RCS configuration for heat transport uses two RCS loops.
| |
| Each RCS loop contains a SG and two reactor coolant pumps (RCPs). An RCP is located in each of the two SG cold legs.
| |
| The pump flow rate has been sized to provide core heat '
| |
| removal with appropriate margin to departure from nucleate boiling (DNB) during power operation and for anticipated ,
| |
| transients originating from power operation. This Specification requires two RCS loops with both RCPs in operation in each loop. The intent of the Specification is to require core heat removal with forced flow during power operation. Specifying two RCS loops provides the minimum necessary paths (two SGs) for heat removal. <
| |
| APPLICABLE Safety analyses contain various assumptions for the Design ;
| |
| SAFETY ANALYSES Bases Accident (DBA) initial conditions including: RCS pressure, RCS temperature, reactor power level, core parameters, and safety system setpoints. The important
| |
| - r3 >
| |
| (continued) i SYSTEM 80+ B 3.4-23 Rev. 00 16A Tech Spec Bases-
| |
| | |
| RCS Loops - MODES I and 2 B 3.4.4 O
| |
| BASES APPLICABLE aspect for this LC0 is the reactor coolant forced flow rate SAFETY ANALYSES which is represented by the number of RCS loops in service.
| |
| (continued)
| |
| Both transient and steady state analyses have been performed to establish the effect of flow on DNB. The transient or accident analysis for the plant has been performed assuming four RCPs are in operation. The majority of the plant safety analyses are based on initial conditions at high core power or zero power. The accident analyses which involve RCP misoperation are the four pump coastdown, single pump locked rotor, and single pump broken shaft or coastdown (Ref.1).
| |
| RCS Loops - MODES 1 and 2 satisfy Criteria 2 and 3 of the NRC Policy Statement.
| |
| LC0 The purpose of this LCO is to require adequate forced flow for core heat removal. Flow is represented by having both RCS loops with both RCPs in each loop in operation for removal of heat by the two steam generators. To meet safety analysis acceptance criteria for DNB, four pumps are required at rated power.
| |
| Operation in these MODES implies that important components are OPERABLE, and an OPERABLE loop consists of two RCPs providing forced flow for heat transport to a steam generator which is OPERABLE in accordance with the Steam Generator Tube Surveillance Program. Steam generator, and hence RCS loop, OPERABILITY with regard to SG water level is ensured by the Reactor Protection System (RPS) in MODES 1 and 2. A reactor trip places the plant in MODE 3 if any SG low level setpoint is reached as sensed by the RPS. The minimum water level to declare the SG OPERABLE is (25%] WR.
| |
| APPLICABILITY In MODES I and 2, the reactor is critical and thus has the potential to produce maximum THERMAL POWER. Thus, to ensure that the assumptions of the accident analyses remain valid, all RCS loops are required to be OPERABLE and in operation in these MODES to prevent DNB and core damage.
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-24 Rev. 00 16A Tech Spec Bases
| |
| | |
| l RCS Loops - MODES 1 and 2 B 3.4.4 i
| |
| BASES 1 APPLICABILITY The decay heat production rate is much lower than the full (continued) power heat rate. As such, the forced circulation flow and heat sink requirements are reduced for lower, noncritical ,
| |
| I MODES as indicated by the LCOs for MODES 3, 4, 5, and 6.
| |
| Operation in other MODES is covered by:
| |
| LC0 3.4.5, "RCS Loops -MODE 3";
| |
| LC0 3.4.6, "RCS Loops -MODE 4";
| |
| LC0 3.4.7, "RCS Loops-MODE 5 (Loops Filled)"; .
| |
| LCO 3.4.8, "RCS Loops-MODE 5 (Loops Not Filled)"; I LC0 3.9.4, " Shutdown Cooling System (SCS) and Coolant i Circulation-High Water Level" (MODE 6); and LCO 3.9.5, " Shutdown Cooling System (SCS) and Coolant Circulation-Low Water Level" (MODE 6).
| |
| ACTIONS ad If the required number of loops are not in operation, the O Required Action is to reduce power and bring the plant to MODE 3. The action lowers power level and thus reduces the core heat removal needs and minimizes the possibility of violating DNB limits. It sheuld be noted that the reactor will trip and place the plant in MODE 3 as soon as the Reactor Protection System senies less than four RCPs operating.
| |
| The six hours allowed is a reasonable time based on operating experience to reach MODE 3 from full power without challenging safety systems.
| |
| SURVEILLANCE SR 3.4.4.1 REQUIREMENTS This SR requires verification of the required number of loops in operation and reactor coolant circulation every 12 hours to ensure that forced flow is providing heat removal.
| |
| The 12 hour interval has been shown by operating practice to be sufficient to regularly assess degradation and verify operation within safety analysis assumptions. The verification may be performed by checking RCPs in operation and RCS flow and temperature indications.
| |
| O d.
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-25 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Loops - MODES 1 O
| |
| BASES (continued)
| |
| REFERENCES 1. Chapter 15.
| |
| O O
| |
| Rev. 00 1
| |
| SYSTEM 80+ B 3.4-26 16A Tech Spec Bases
| |
| | |
| . - -- - - - - - . -. . - = . . - - . .. -. . - ..
| |
| i 4 .
| |
| RCS Loops - MODE 3 . ;
| |
| B 3.4.5 O
| |
| ^
| |
| B;3.4 REACTOR COOLANT SYSTEM (RCS) i B 3.4.5 -RCS Loops - MODE 3 j
| |
| . l
| |
| ; BASES ;
| |
| BACKGROUND The primary function of the reactor coolant in MODE 3'is ,
| |
| removal of dec.ay heat and transfer of this heat, via.the steam generators, to the. secondary plant. fluid. The j secondary function of the reactor coolant is to act as a i carrier for soluble neutron poison, boric acid. ]
| |
| In MODE 3, reactor coolant pumps (RCPs) are used to provide .!
| |
| : forced circulation heat removal during heatup and cooldown. !
| |
| The MODE 3 decay heat removal requirements are low enough !
| |
| that a single RCS loop with one'RCP running is sufficient to j i remove core decay heat. However, [two) RCS loops are ,
| |
| required to be OPERABLE to satisfy single failure criteria.
| |
| Only one RCP need be OPERABLE to declare the associated RCS loop OPERABLE.
| |
| [ Reactor coolant natural circulation is not normally used, 1 but is sufficient for core cooling. However, natural circulation does not provide turbulent flow conditions.
| |
| i Therefore, boron reductic:1 in. natural circulation is prohibited because mixing to obtain a homogeneous concentration in all portions of the RCS cannot be ensured.
| |
| Analyses have shown that the rod withdrawal event from MODE APPLICABLE SAFETY ANALYSES 3 with one RCS loop in operation is bounded by the rod withdrawal initiated from MODE 2. i Failure to provide heat removal may result in challenges to a fission product barrier. The RCS loops are part of the ,
| |
| -primary success path which functions or actuates to prevent !
| |
| or mitigate a design basis accident or transient that either i assumes the failure of, or presents a challenge to, the l integrity of a fission product barrier. RCS loops - MODE 3 j r satisfy Criterion 3 of the NRC Policy Statement. ;
| |
| 4 l
| |
| l O (continued) l l
| |
| l SYSTEM 80+ B 3.4-27 Rev.- 00 !
| |
| 16A Tech. Spec Bases l
| |
| | |
| l RCS Loops - MODE 3 B 3.4.5 O
| |
| BASES (continued) <
| |
| LCO The purpose of this LC0 is to require [two] RCS loops to be available for heat removal, thus providing redundancy. The LC0 requires the [two] loops to be OPERABLE with the intent of requiring both steam generators to be capable (2 [25%]WR water level) of transferring heat from the reactor coolant at a controlled rate. Forced react- coolant flow is the required way to transport heat, alt.+_va natural circulation flow provides adequate removal. A minimum of one running RCP meets the LCO requirement for one loop in operation.
| |
| The LCO Note permits a limited period of operation without RCPs. All RCPs may be de-energized for s I hour per 8-hour oeriod. This means that natural circulation has been established. When in natural circulation, baron reduction is prohibited because an even concentration distribution throughout the RCS cannot be ensured. Core outlet temperature is to be maintained at least 10 F below the saturation temperature so that no vapor bubble may form and possibly cause a natural circulation flow obstruction.
| |
| In MODES 3, 4, and 5, it is sometimes necessary to stop all RCPs or shutdown cooling (SCS) pump forced circulation (e.g., change operation from one SCS division to the other, perform surveillance or startup testing, perform the transition to and from SCS cooling, or to avoid operation below the RCP minimum NPSH limit). The time period is acceptable because natural circulation is adequate for heat removal, or the reactor coolant temperature can be maintained subcooled and boron stratification affecting reactivity control is not expected. l Operation in this MODE implies that components are OPERABLE, and an OPERABLE loop consists of a RCP providing forced flow for heat transport and a steam generator which is OPERABLE in accordance with the Steam Generator Tube Surveillance Program and has the minimum water level for SG OPERABILITY.
| |
| An RCP is OPERABLE if it is capable of being powered and is able to provide forced flow if required.
| |
| APPLICABILITY In MODE 3, the heat load is lower than at power; therefore, one RCS loop in operation is adequate for transport and heat ,
| |
| removal. A second RCS loop is required to be OPERABLE but '
| |
| not in operation for redundant heat removal capability.
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-28 Rev. 00 16A Tech Spec Bases
| |
| | |
| 1 RCS Loops - MODE 3 f.-
| |
| B 3.4.5 V ;
| |
| -BASES t
| |
| APPLICABILITY Operation in other MODES is covered by-(continued) !
| |
| LC0 3.4.4, "RCS Loops - MODES I and 2";
| |
| LCO 3.4.6, "RCS Loops - MODE 4"; ;
| |
| ; LC0 3.4.7, "RCS Loops - MODE 5 (Loops Filled)";
| |
| LC0 3.4.8, "RCS Loops - MODE 5 (Loops Not Filled)"; ,
| |
| LC0 3.9.4, " Shutdown Cooling System (SCS) and Coolant l Circulation - High Water Level" (MODE 6); and LCO 3.9.5, " Shutdown Cooling System (SCS) and Coolant ,
| |
| Circulation - Low Water Level" (MODE 6).
| |
| ACTIONS M If one required RCS loop is inoperable, redundancy for forced flow heat removal is lost.
| |
| The Required Action is restoration of the required RCS loop to OPERABLE status within a Completion Time of 72 hours.
| |
| G This time allowance is based on engineering judgment b considering that a single loop has a heat transfer capability much greater than needed to remove the decay heat produced in the reactor core.
| |
| M If restoration is not possible within 72 hours, the unit must be placed in MODE 4 within 12 hours. In MODE 4 the plant may be placed on the Shutdown Cooling System. The Completion Time of 12 hours is compatible with required operation to achieve cooldown and depressurization from the existing plant condition without challenging plant systems.
| |
| C.1 and C.2 If no RCS loop is in operation, except as provided by the Note in.the LC0 section, all operations involving a reduction of RCS boron concentration must be immediately suspended. This is necessary because boron dilution requires forced circulation for proper homogenization.
| |
| Action to restore one RCS loop to OPERABLE status and operation shall be immediately initiated and continued until L (continued)
| |
| ' SYSTEM 80+ B 3.4-29. Rev. 00 16A Tech Spec Bases
| |
| | |
| r RCS Loops - MODE 3 B 3.4.5 O
| |
| BASES ACTIONS C.1 and C.2 (continued) one RCS loop is restored to OPERABLE status and operation.
| |
| The immediate Completion Times reflect the importance of maintaining operation for decay heat removal.
| |
| SURVEILLANCE SR 3.4.5.1 REQUIREMENTS This SR requires verification of the required RCS loop in operation and reactor coolant circulation every 12 hours to ensure forced flow is providing heat removal. Verification includes flow rate, temperature, and pump status monitoring.
| |
| The 12 hour interval has been shown by operating practice to be sufficient to regularly assess degradation and verify operation within safety analysis assumptions.
| |
| SR 3.4.5.2 This SR requires verification of water level in each steam generator a [25]%WR every 12 hours. An adequate SG water level is required in order to have a heat sink for removal of the core decay heat from the reactor coolant. The 12-hour interval has been shown by operating practice to be sufficient to regularly assess degradation and verify operation within the safety analysis assumptions.
| |
| SR 3.4.5.3 Verification that the required number of reactor coolant pumps are OPERABLE ensures that the single failure criterion is met and that an additional reactor coolant loop can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power availability to the required RCPs. The Frequency of seven days is an accepted industry practice and has been shown to be acceptable by operating experience.
| |
| I REFERENCES None.
| |
| O!
| |
| SYSTEM 80+ B 3.4-30 Rev. 00 I
| |
| '16A Tech Spec Bases l l
| |
| | |
| .I i
| |
| RCS Loops - MODE:4 !
| |
| B 3.4.6 b ;
| |
| B 3.4 REACTOR COOLANT SYSTEM (RCS) l
| |
| '8 3.4.6 RCS Loops -. MODE 4 L 1 1 BASES '
| |
| BACKGROUND -In MODE 4, the primary function of the reactor coolant is v
| |
| .the removal of decay heat and transfer of this heat to the !
| |
| steam generator (s) or Shutdown Cooling System (SCS) heat ;
| |
| exchangers. The secondary function of the reactor coolant-F 'is to 'act as a carrier for-soluble neutron poison, boric !
| |
| acid. .;
| |
| s In MODE'4, eithar reactor coolant pumps (RCPs) or SCS-
| |
| [j divisions can be used for coolant circulation. The intent !
| |
| ~
| |
| of this LCO is to provide forced-flow from at least one RCP. .!'
| |
| or one SCS division for decay heat' removal and transport. ,
| |
| The flow provided by one RCP or SCS division is adequate for
| |
| : heat' removal. The other intent of this LCO is to require !
| |
| ! that two paths be available-to provide redundancy for heat [
| |
| f removal. j
| |
| ; r 4
| |
| This LC0 permits limited periods without forced circulation.
| |
| '( When RCPs are stopped, the steam generator heat removal provides a natural circulation flow rate that is sufficient .!
| |
| for decay heat removal.- l When the SCS pumps are stopped, no alternate heat removal path exists, unless '.ne RCS and steam generators have been i i placed in service''in forced or natural circulation. The i response of'the RCS without the SCS depends on the core decay heat load and the length of time that the SCS pumps
| |
| .are stopped.- As decay heat diminishes, the effects on RCS ;
| |
| i temaerature and pressure diminish. Without' cooling by SCS,. ,
| |
| higier heat loads will cause the reactor coolant temperature l r and pressure to increase at a rate proportional to the decay 3
| |
| : heat load. Because pressure can increase, the applicable system pressure limits (pressure and temperature limits or
| |
| : l. low temperature overpressurization limit) must be observed
| |
| ; and forced SCS flow or heat removal via the steam generators ,
| |
| .must be reestablished prior to reaching the pressure limit. ,
| |
| i i
| |
| (continued) l SYSTEM 80+. B 3.4-31 Rev. 00 16A Tech Spec Bases
| |
| ,. V'
| |
| | |
| RCS Loops - MODE 4 B 3.4.6 O
| |
| BASES BACKGROUND Entry into a condition with no SCS divisions in operation (continued) should only be considered for limited circumstances which include: 1) a heat removal path (s) via the RCS and steam generator (s) is in operation, or 2) pressure and temperature increases are easily maintained within the allowable pressure and subcooling limits.
| |
| APPLICABLE The only safety analyses performed with initial conditions S.AFETY ANALYSES in MODE 4 are the inadvertent deboration and inadvertent startup of RCP events. No forced coolant circulation was credited for the inadvertent deboration event. For the inadvertent startup of an RCP, not more than two RC'Ps were assumed to be in operation. (If two RCPs were running, they were assumed to be in the same loop.)
| |
| Failure to provide heat removal may result in challenges to a fission product barrier. The RCS loops or SCS divisions are a part of the primary success path which functions or actuates to prevent or mitigate a design basis accident or transient that either assumes the failure of, or presents a challenge to, the integrity of a fission product barrier.
| |
| RCS Loops - MODE 4 have been identified in the NRC Policy Statement as important contributors to risk reduction.
| |
| LC0 The purpose of this LC0 is to require that at least two RCS loops or SCS divisions be OPERABLE in MODE 4 and one of these loops or divisions be in operation. The LCO allows the two loops that are required to be OPERABLE to consist of any combination of RCS loops and SCS divisions. Any one leu;3 or division in operation provides enough flow to remove the de:ay heat from the core with forced circulation. An aoditional loop or division is required to be OPERABLE to previde redundancy for heat removal.
| |
| Note 1 permits all RCPs and SCS pumps to be de-energized s I hour per 8 hour period. This means that natural circulation has been established using the steam generators. The Note prohibits boron dilution when forced flow is stopped because an even concentration distribution cannot be ensured. Core outlet temperature is to be maintained at least 10 F below saturation temperature so that no vapor bubble may form and (continued)
| |
| SYSTEM 80+ B 3.4-32 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Loops - MODE 4 B 3.4.6 ,
| |
| q -
| |
| . L.J BASES LCO possibly cause a natural circulation flow obstruction. The f (continued) response of the RCS without the RCPs or SCS pumps depends on the core decay heat load and the length of time that the pumps are stopped. As decay heat diminishes, the effects on RCS temperature and pressure diminish. Without cooling by ;
| |
| forced flow, higher heat loads will cause the reactor coolant temperature and pressure to increase at a rate proportional to the decay heat load. Because pressure can increase, the applicable system pressure limits (pressure and temperature (P/T) limits or Low Temperature Overpressure Protection (LTOP) limits) must be observed and forced SCS flow or heat removal via the steam generators must be re-established prior to reaching the pressure limit. The !
| |
| circumstances for stopping both RCPs or SCS pumps are to be limited'to situations where:
| |
| : a. Pressure and temperature increases can be maintained well within the allowable pressure (P/T limits and LTOP) and 10*F subcooling limits; or l
| |
| : b. An alternate heat removal path through the -steam O generators is in operation.
| |
| Note 2 requires that either of the following conditions be satisfied before an RCP is started with any RCS cold leg temperature s [259'F] during cooldown or s [290 F] during ,
| |
| heatup (the heatup rate is limited to [40 F/hr or less]): l
| |
| : a. Pressurizer water level is < [60%]; or I
| |
| : b. Secondary side water temperature in each steam ,
| |
| generator is < [100 F] above each of the RCS cold leg i temperatures.
| |
| Satisfying either of the above conditions will preclude a ;
| |
| large pressure surge in the RCS when the RCP is started.
| |
| Note 3 permits the alignment of a Containment Spray pump if an SCS pump is not available or becomes inoperable. These pumps are designed to be interchangeable for operational flexibility.
| |
| l
| |
| ,V (continued)
| |
| SYSTEM.80+ B 3.4-33 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Loops - MODE 4 B 3.4.6 O
| |
| BASES LCO In MODES 3, 4, and 5, it is sometimes necessary to stop all (continued) RCP or SCS pump forced circulation (i.e., change operation from one SCS division to the other, perform surveillance or startup testing, perform the transition to and from SCS, or to avoid operation below the RCP minimum NPSH limit). The time period is acceptable because natural circulation is adequate for heat removal or the reactor coolant temperature can be maintained subcooled, and boron stratification affecting reactivity control is not expected.
| |
| An OPERABLE RCS loop consists of at least one OPERABLE RCP and a steam generator that is OPERABLE in accordance with the Steam Generator Tube Surveillance Program and has the minimum water level specified in SR 3.4.6.2.
| |
| Similarly, for the SCS, an OPERABLE SCS division is composed of the OPERABLE SCS pump (s) capable of providing forced flow to the SCS heat exchanger (s). RCPs and SCS pumps are OPERABLE if they are capable of being powered and are able to provide flow if required.
| |
| O APPLICABILITY In MODE 4, this LC0 applies because it is possible to remove core decay heat with either the RCS loops and steam generators or the SCS.
| |
| Operation in other MODES is covered by:
| |
| LC0 3.4.4, "RCS Loops - MODES 1 and 2";
| |
| LCO 3.4.5, "RCS Loops - MODE 3";
| |
| LC0 3.4.7, "RCS Loops - MODE 5 (Loops Filled)";
| |
| LCO 3.4.8, "RCS Loops - MODE 5 (Loops Not Filled)";
| |
| LC0 3.9.4, " Shutdown Cooling System (SCS) and Coolant Circulation - High Water Level" (MODE 6); and LCO 3.9.5, " Shutdown Cooling System (SCS) and Coolant Circulation - Low Water Level" (MODE 6).
| |
| O (continued)
| |
| SYSTEM 80+ B 3.4-34 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Loops - MODE 4-g B 3.4.6 '
| |
| ()
| |
| BASES (continued)
| |
| ACTIONS M ,
| |
| With one required RCS loop inoperable and two SCS divisions inoperable, redundancy for heat removal is lost. The Required Action is to initiate action to restore a second loop or division to OPERABLE status and the action must be taken immediately. Even though one loop or division is OPERABLE and in operation, the Completion Time emphasizes the importance of maintaining the availability of two paths for heat removal.
| |
| M With one required SCS division inoperable and two required RCS loops inoperable, redundancy for heat removal is lost. i The plant must be placed in MODE 5 within the next 24 hours.
| |
| Placing the plant in MODE 5 is a conservative action with ,
| |
| regard to decay heat removal. With only one SCS division OPERABLE, redundancy for decay heat removal is lost and, in Q the event of a loss of the remaining SCS division, it would V be safer to initiate that loss from MODE 5 (s 210*F) rather than MODE 4 (210 - 350*F). The completion time of 24 hours is reasonable based on operating experience to reach MODE 5 from MODE 4, with only one SCS division operating, in 6n orderly manner and without challenging plant systems.
| |
| C.1 and C.2 If required RCS loop or SCS division is inoperable or no RCS loop or SCS division is in operation, except during conditions permitted by Note 1 in the LCO section, all operations involving reduction of RCS boron concentration must be suspended and action to restore one RCS loop or SCS division to OPERABLE status and operation must be initiated.
| |
| Boron dilution requires forced circulation for proper mixing, and the margin to criticality must not be reduceo in this type of operation. The immediate Completion Time reflects the importance of maintaining operation for decay heat removal. The action to restore must be continued until one loop or division is restored to 9peration.
| |
| .m
| |
| () (continued)
| |
| SYSTEM 80+ B 3.4-35 Rev. 00
| |
| .16A Tech Spec Bases
| |
| | |
| RCS Loops - MODE 4 B 3.4.6 O ,
| |
| BASES (continued)
| |
| SURVEILLANCE SR 3.4.6.1 REQUIREMENTS This SR requires verification of the required loop or division in operation every 12 hours to ensure forced flow is providing heat removal. Verification of RCS or SCS operation includes flow rate, temperature, and pump status monitoring. The 12 hour Frequency has been shown by operating practice to be sufficient to regularly assess RCS or SCS status. In addition, control room indication and alarms will normally indicate status.
| |
| SR 3.4.6.2 This SR requires verification of secondary side water level in the required steam generator (s) [a 25% WR] every 12 hours. An adequate SG water level is required in order to have a heat sink for removal of the core decay heat from the reactor coolant. The 12 hour interval has been shown by operating practice to be sufficient to regularly assess degradation and verify operation within safety analyses assumptions.
| |
| SR 3.4.6.3 Verification that the required number of pumps are OPERABLE ensures that an additional RCS loop or SCS division can be placed in operation, if needed to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to the required pumps. The Frequency of seven days is considered reasonable in view of other i i
| |
| administrative controls available and has been shown to be acceptable by operating experience.
| |
| REFERENCES None.
| |
| (continued) 9 !
| |
| l SYSTEM 80+ B 3.4-36 Rev. 00 l 1
| |
| 16A Tech Spec Bases i
| |
| | |
| t a
| |
| ^
| |
| RCS Loops - MODE 5 (Loops Filled)
| |
| B 3.4.7 1 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.7 RCS Loops - MODE 5 (Loops Filled) f 2
| |
| BASES BACKGROUND In MODE 5 with the RCS loops filled, the primary function of !
| |
| f the. reactor coolant is to remove decay heat and transfer this heat to the steam generators (SGs) or shutdown cooling '
| |
| system (SCS) heat exchangers. While the principal ~ means for decay heat removal is via the SCS, the SGs are specified as :
| |
| a backup means for redundancy. Even though the SGs cannot ;
| |
| produce steam in this MODE, they are capable of being a heat f sink due to their large contained volume of secondary side water. As long as the SG secondary side water is at a lower -
| |
| temperature than the reactor coolant, heat transfer will occur. The rate of heat transfer is directly proportional ;
| |
| to the temperature difference. The secondary function of i the reactor coolant is to act as a carrier for soluble ;
| |
| neutron poison, boric acid. i In MODE 5 with RCS loops filled, the SCS divisions are the
| |
| / principal means for decay heat removal. The number of
| |
| ( divisions in operation can vary to suit the operational ,
| |
| needs. The intent of this LC0 is to provide forced flow from at least one SCS division for decay heat removal and transport. The flow provided by one SCS division is adequate for decay heat removal. The other intent of this LCO is to require that a second path be available to provide
| |
| . redundancy for decay heat removal.
| |
| The LC0 provides for redundant paths of decay heat removal l capability. The first path can be an SCS division that must be OPERABLE and in operation. The second path can be another OPERABLE SCS division, or through the SGs, having 1 an adequate water level. j i
| |
| l APPLICABLE In MODE 5, RCS circulation is considered in the l SAFETY ANALYSES determination of the time available for mitigation of the ,
| |
| accidental boron dilution event. The SCS divisions provide i this circulation.
| |
| RCS loops - MODE 5 (loops filled) have been identified in <
| |
| the NRC Policy Statement as important contributors to risk reduction.
| |
| O G.
| |
| I (continued)
| |
| SYSTEM 80+ B 3.4-37 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Loops - Mode 5 (Loops Filled)
| |
| B 3.4.7 O
| |
| BASES (continued)
| |
| LCO The purpose of this LC0 is to require at least one of the SCS divisions be OPERABLE and in operation with an additional SCS division OPERABLE or secondary side water level of each SG shall be = [25]% wide range. One SCS division provides sufficient forced circulation to perform the safety functions of the reactor coolant under these conditions. The second SCS division is normally maintained OPERABLE as a backup to the operating SCS division to provide redundant paths for decay heat removal. However, if the standby SCS division is not OPERABLE, a sufficient alternate method to provide redundant paths for decay heat removal is two SGs with their secondary side water levels a [25%] wide range. Should the operating SCS division fail, the SGs could be used to remove the decay heat.
| |
| Note 1 permits all SCS pumps to be de-energized 5 1 hour per 8 hour period. The circumstances for stopping both SCS divisions are to be limited to situations where pressure and temperature increases can be maintained well within the allowable pressure (pressure and temperature P/T limits or low Temperature Overpressure Protection (LTOP) limits) and 10 F subcooling limits, or an alternate heat removal path through the SG(s) is in operation.
| |
| Note 1 further prohibits boron dilution when SCS forced flow is stopped because an even concentratior, distribution cannot be ensured. Core outlet temperature is to be maintained at least 10 F below saturation temperature, so that no vapor bubble would form and possibly cause a natural circulation flow obstruction. In this MODE, the SG(s) can be used as the backup for SCS heat removal. To ensure their availability, the RCS loop flow path is to be maintained with subcooled liquid.
| |
| In MODE 5, it is sometimes necessary to stop all RCP or SCS forced circulation. This is permitted to change operation from one SCS division to the other, perform surveillance or startup testing, perform the transition to and from the SCS, !
| |
| or to avoid operation below the RCP minimum net positive i suction head limit. The time period is acceptable because l natural circulation is acceptable for decay heat removal, !
| |
| the reactor coolant temperature can be maintained subcooled, and boron stratification affecting reactivity control is not expected.
| |
| 1 (continued)
| |
| SYSTEM 80+ B 3.4-38 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Loops - MODE 5 (Loops Filled)
| |
| B 3.4.7 (q)
| |
| BASES LCO Note 2 allows one SCS division to be inoperable for a period (continued) of up to 2 hours provided that the other SCS division is OPERABLE and in operation. This permits periodic surveillance tests to be performed on the inoperable division during the only time when such testing is safe and possible.
| |
| Note 3 requires that either of the following two conditions be satisfied before an RCP may be started with any RCS cold leg temperature s [259] F during cooldown or 5 [290*F]
| |
| during heatup (the heatup rate is limited to [40*F/hr or less]) unless:
| |
| : a. Pressurizer water level is < [60]%; or
| |
| : b. Secondary side water temperature of each SG is
| |
| < [100] F above each of the RCS cold leg temperatures.
| |
| Satisfying either of the above conditions will preclude a low temperature overpressure event due to a thermal transient when the RCP is started.
| |
| O V Note 4 provides for an orderly transition from MODE 5 to MODE 4 during a planned heatup by permitting removal of SCS divisions from operation when at least one RCP is in operation. This Note provides for the transition to MODE 4 where an RCP is permitted to be in operation and replaces ,
| |
| the heat removal function provided by the SCS divisions. !
| |
| Note 5 permits the alignment of a Containment Spray pump if an SCS pump is not available or becomes inoperable. These pumps are designed to be interchangeable for operational ,
| |
| flexibility. l l
| |
| An OPERABLE SCS division is composed of an OPERABLE SCS pump l and an OPERABLE SCS heat exchanger.
| |
| SCS pumps are OPERABLE if they are capable of being powered I and are able to provide flow if required. An OPERABLE SG can perform as a heat sink when it has an adequate water level and is OPERABLE in accordance with the SG Tube ,
| |
| ' Surveillance Program.
| |
| l n !
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-39 Rev. 00 16A Tech Spec Bases i
| |
| | |
| RCS Loops - MODE 5 (Loops Filled)
| |
| B 3.4.7 O
| |
| BASES (continued)
| |
| APPLICABILITY In MODE 5 with RCS loops filled, this LCO requires forced circulation to remove decay heat from the core and to provide proper boron mixing. One SCS division provides sufficient circulation for these purposes.
| |
| )peration in other MODES is covered by:
| |
| LCO 3.4.4, "RCS Loops - MODES 1 and 2";
| |
| LC0 3.4.5, "RCS Loops - MODE 3";
| |
| LC0 3.4.6, "RCS Loops - MODE 4";
| |
| LC0 3.4.8, "RCS Loops - MODE 5 (Loops Not Filled)";
| |
| LC0 3.9.4, " Shutdown Cooling System (SCS) and Coolant Circulation - High Water Level" (MODE 6); and LC0 3.9.5, " Shutdown Cooling System (SCS) and Coolant Circulation - Low Water Level" (MODE 6).
| |
| ACTIONS A.1 and A.2 If the required SCS division is inoperable and any SGs have secondary side water levels < [25%] wide range, redundancy ,
| |
| for heat removal is lost. Action must be initiated immediately to restore a second SCS division to OPERABLE status or to restore the water level in the required SGs.
| |
| Either Required Action A.1 or Required Action A.2 will restore redundant decay heat removal paths. The immediate Completion Times reflect the importance of maintaining the availability of two paths for decay heat removal.
| |
| l ILLand_.fkl 1
| |
| If no SCS division is in operation or required SCS division l inoperable, except as permitted in Note 1, all operations (
| |
| involving the reduction of RCS boron concentration must be suspended. Action to restore one SCS division to OPERABLE status and operation taust be initiated. Boron concentration changes require forced circulation for proper mixing. With a loss of SCS the margin to criticality must not be reduced by boron dilution operations. The immediate Completion Times reflect the importance of maintaining operation for l decay heat removal.
| |
| O (continued)
| |
| SYSTEM 80+ B 3.4-40 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Loops - MODE 5 (Loops Filled)
| |
| B 3.4.7 o
| |
| b BASES (continued)
| |
| SURVEILLANCE .SR 3.4.7.1 REQUIREMENTS This SR requires verification every 12 hours that one SCS ,
| |
| division is in operation. Verification includes flow rate, l temperature, or pump status monitoring, which help ensure that forced flow is providing decay heat removal. The 12 hour Frequency has been shown by operating practice to be sufficient to regularly assess degradation and verify operation is within safety analyses assumptions. In addition, control room indication and alarms will normally indicate SCS status.
| |
| The SCS flow is established to ensure that core outlet temperature is maintained sufficiently below saturation to allow time for sw:p over to the standby SCS division should the operating division be lost. -
| |
| 1 SR 3.4.7.2 1
| |
| p Verifying the SGs are OPERABLE by ensuring their secondary l
| |
| : j side water levels are = [25%] wide range ensures that
| |
| "' redundant heat removal paths are available if the second SCS division is inoperable. The Surveillance is required to be performed when the LC0 requirement is being met by use of i the SGs. If both SCS divisions are OPERABLE, this SR is not needed. The 12 hour Frequency has been shown by operating practice to be sufficient to regularly assess degradation and verify operation within safety analyses assumptions.
| |
| I SR 3.4.7.3 Verification that the second SCS division is OPERABLE ensures that redundant paths for decay heat removal are ;
| |
| available. The requirement also ensures that the additional division can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation.
| |
| Verification is performed by verifying proper breaker I alignment and power available to the required pump. The ,
| |
| Surveillance is required to be performed when the LCO l requirement is being met by one of two SCS divisions, e.g.,
| |
| SGs have < [25]% wide range water level. The Frequency of 7 days is considered reasonable in view of other administrative controls available and has been shown to be acceptable by operating experience.
| |
| 'p
| |
| -)
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-41 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Loops - MODE 5 (Loops Filled)
| |
| B 3.4.7 O
| |
| BASES (continued)
| |
| REFERENCES None.
| |
| O i
| |
| 1 1
| |
| Ol l
| |
| SYSTEM 80+ B 3.4-42 Rev. 00 !
| |
| 16A Tech Spec Bases l
| |
| | |
| l RCS Loops - MODE 5 (Loops Not Filled)
| |
| .B 3.4.8 S
| |
| )
| |
| B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.8 RCS Loops - MODE 5 (Loops Not Filled)
| |
| BASES ;
| |
| i BACKGROUND In MODE 5 with the Reactor Coolant System (RCS) loops not filled, the primary function of the reactor coolant is the removal of decay heat and transfer of this heat to the Shutdown Cooling System (SCS) heat exchangers. The steam generators are not available as a heat sink when the loops are not filled. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.
| |
| In MODE 5 with loops not filled, only the SCS can be used for coolant circulation. The number of divisions in operation can vary to suit the operational needs. The intent of this LCO is to provide forced flow from at least .
| |
| one SCS division for decay heat removal and transport. The i other intent of this LCO is to require that two paths be available to provide redundancy for heat removal.
| |
| This LCO permits limited periods without forced circulation.
| |
| When the SCS divisions are not in operation, no alternate ;
| |
| heat removal path exists. The response of the RCS without !
| |
| the SCS depends on the decay heat load and the length of time that the SCS pumps are stopped. As decay heat diminishes, the effects on RCS temperature diminish.
| |
| Without cooling by SCS, higher heat loads will cause the reactor coolant temperature to increase at a rate proportional to the decay heat load. Because pressure can increase, applicable system pressure limits (pressure and temperature limits or low temperature overpressurization limits) must be observed and forced SCS flow must be reestablished prior to reaching the pressure limit. Entry into a condition with no SCS division in operation stops heat removal and should only be considered for limited circumstances such as when switching from one SCS division to the other. With the pumps stopped, pressure and temperature may increase and pumps must be restored prior to exceeding pressure and subcooling limits.
| |
| The Shutdown Cooling System (SCS) removes decay heat from the reactor coolant system and transfers the heat to the Component Cooling Water (CCW) System.
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-43 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Loops - MODE 5 (Loops Not Filled)
| |
| B 3.4.8 O
| |
| BASES BACKGROUND During REDUCED RCS INVENTORY operations the interruption or (continued) loss of SCS flow, decay heat removal (DHR) capability, can lead to bulk boiling and fuel uncovery quite rapidly. In some cases, this can occur in 15-20 minutes. During REDUCED RCS INVENTORY operations, the SCS is the primary means of decay heat removal.
| |
| Each SCS division has a SCS pump, SCS heat exchanger, valves and connecting piping. In addition to these components, the Containment Spray System (CS) pumps, which are identical to the SCS pumps can be used as a backup pumping source with some valve manipulations should the SCS pumps become inoperable.
| |
| APPLICABLE The only safety analyses performed with initial conditions SAFETY ANALYSES in MODE 5 with loops not filled are the inadvertent deboration and inadvertent startup of an RCP events. For this analysis one SCS division was credited as operating.
| |
| The flow provided by one SCS division is adequate for heat removal and for boron mixing. Failure to provide heat removal may result in challenges to a fission product h
| |
| barrier. The SCS is part of the primary success path which functions or actuates to prevent or mitigate a design basis accident or transient that either assumes the failure of, or presents a challenge to, the integrity of a fission product barrier. As such, this LC0 satisfies the requirements of Criterion 3 of the NRC Policy Statement.
| |
| LC0 The purpose of this LC0 is to require a minimum of two SCS divisions be OPERABLE and one of these divisions be in operation. An OPERABLE division is one that has the capability of transferring heat from the reactor coolant at a controlled rate. Heat removal cannot occur via the SCS unless forced flow is used. A minimum of one running SCS pump meets the LC0 requirement for one division in operation. An additional SCS division is required to be OPERABLE to meet the single failure criterion. With REDUCED RCS INVENTORY, the Containment Spray pump in the operable SCS division shall be OPERABLE.
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-44 Rev. 00 16A Tech Spec Bases
| |
| | |
| ~. ,. - __. .- .-
| |
| i i
| |
| l l
| |
| RCS Loops - MODE 5 (Loops Not Filled) l B 3.4.8 i g]
| |
| L i BASES LC0 Note 1 permits the SCS pumps to be de-energized for s 15 (continued) minutes when switching from one division to another. The circumstances for stopping both SCS pumps are to be limited to situations when the outage time is short and the core outlet temperature is maintained at least 10"F below saturation temperature. The Note prohibits boron dilution and draining operations when SCS forced flow is stopped.
| |
| Note 2 allows one SCS division to be inoperable for a period of 2 hours providd that the other division is OPERABLE and in operation. This permit:, periodic surveillance tests to be performed on the inoperable division during the only time when these tests are safe and possible.
| |
| An OPERABLE SCS division is composed of an OPERABLE SCS pump capable of providing forced flow to an OPERABLE SCS heat exchanger, along with the appropriate flow and temperature l instrumentation for control, protection, and indication. j SCS pumps are OPERABLE if they are capable of being powered i' and are able to provide flow if required.
| |
| Note 3 permits the alignment of a Containment Spray pump if an SCS pump is not available or becomes inoperable. These pumps are designed to be interchangeable for operational flexibility.
| |
| APPLICABILITY In MODE 5 with loops not filled, this LC0 requires core heat 4 removal and coolant circulation by the SCS.
| |
| Operation in other MODES is covered by:
| |
| LC0 3.4.4, "RCS Loops - MODES I and 2",
| |
| LCO 3.4.5, "RCS Loops - MODE 3",
| |
| LC0 3.4.6, "RCS Loops - MODE 4", l LC0 3.4.7, "RCS Loops - MODE 5 (Loops Filled)", !
| |
| LCO 3.9.4, " Shutdown Cooling System (SCS) and Coolant Circulation-High Water Level" (MODE 6), and LC0 3.9.5, " Shutdown Cooling System (SCS and Coolant Circulation-Low Water Level" MODE 6).
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-45 Rev. 00 16A Tech Spec Bases l
| |
| | |
| RCS Loops - MODE 5 (Loops Not Filled)
| |
| B 3.4.8 O
| |
| BASES (continued)
| |
| ACTIONS Ad If only one required SCS division is OPERABLE, redundancy for heat removal is lost. The Required Action is to initiate activities to restore a second division to OPERABLE status and the action must be taken immediately. Even though one division is OPERABLE and in operation, the Completion Time emphasizes the importance of maintaining the availability of two paths for heat removal.
| |
| B.1. B.2. and 8.3 If required SCS divisions are inoperable or no division is in operation, the action requires immediate suspension of any operation for boron concentration reduction, initiating action to raise RCS level to > [EL 117'.0"] and requires action to immediately start restoration of one SCS division to OPERABLE status. The Required Action for restoration does not apply to the condition of divisions not in operation when the exemption NOTE in the LC0 is in force.
| |
| The immediate Completion Time reflects the importance of maintaining operation for decay heat removal and prevent a boron dilution event. The Required Action to restore must be continued until one division is restored.
| |
| C.I. C.2. and C.3 If the Containment Spray pump in the operating SCS division is inoperable, action must be initiated immediately to place the alternate SCS division in operation if the Containment Spray pump in the alternate division is OPERABLE. Also, SCS performance must be monitored (every 30 minutes] and the inoperable Containment Spray pump must be restored to ;
| |
| OPERABLE status within [48] hours.
| |
| D.d If the Containment Spray pump cannot be restored within [48]
| |
| hours, RCS level must be raised to > EL.[117'0"] within [6 hours). This will place the plant in a conservative position with respect to providing decay heat removal.
| |
| O (continued)
| |
| SYSTEM 80+ B 3.4-46 Rev. 00 16A Tech Spec Bases
| |
| | |
| i t
| |
| RCS Loops - MODE 5 (Loops Not Filled)
| |
| B 3.4.8
| |
| , BASES ~(continued)
| |
| SURVEILLANCE SR 3.4.8.1 REQUIREMENTS This SR requires verification of the required SCS division in operation every 12 hours to ensure forced flow is providing heat removal. Verification of SCS operation is performed by flow rate, temperature, or pump status monitoring. The 12 hour Frequency has been shown by ,
| |
| operating practice to be sufficient to regularly assess ,
| |
| degradation and verify operation within safety analyses assumptions.
| |
| SR 3.4.8.2 Verification that the required number of SCS divisions are OPEPABLE ensures that redundant paths for heat removal are available and that additional SCS divisions can be placed in i operation, if needed, to maintain decay heat removal and l reactor coolant circulation. Verification is performed by I verifying proper breaker alignment and indicated power r available to the required SCS pumps. The Frequency of seven
| |
| (%) days is considered reasonable in view of other administrative controls available and has been shown to be acceptable by operating experience.
| |
| SR 3.4.8.3 1
| |
| Verification of the correct breaker alignment and indicated power available to the operable CS pump ensures that the redundant CS pump will be able to remove heat from the RCS in the event of a power failure to the operating SCS division. The Frequency of (24] hours is based on operating experience.
| |
| l l
| |
| REFERENCES 1. Chapter 5.
| |
| : 2. Chapter 19.
| |
| O SYSTEM 80+ B 3.4-47 Rev. 00 16A Tech Spec Bases
| |
| | |
| Pressurizer B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.9 Pressurizer BASES BACKGROUND The pressurizer provides a point in the RCS where liquid and vapor are maintained in equilibrium under saturated conditions for pressure control purposes to prevent bulk boiling in the remainder of the RCS. Key functions include maintaining required primary system pressure during steady state operation and limiting the pressure changes caused by reactor coolant thermal expansion and contraction during normal load transients.
| |
| The pressure control components assessed by this LC0 include the pressurizer water level, the required heaters and their backup heater controls, and emergency power supplies.
| |
| Pressurizer safety valves are addressed by LC0 3.4.10,
| |
| " Pressurizer Safety Valves."
| |
| The maximum water level limit has been established to ensure that a liquid-to-vapor interface exists to permit Reactor Coolant System (RCS) pressure control, using the sprays and heaters, during normal operation and proper pressure .
| |
| response for anticipated design basis transients. The water level limit serves two purposes:
| |
| : a. Pressure control during normal operation maintains subcooled reactor coolant in the loops and thus, in the preferred state for heat transport, and
| |
| : b. By restricting the level to a maximum, expected transient reactor coolant volume increases (pressurizer insurge) will not cause excessive level changes which could result in degraded ability for pressure control.
| |
| The maximum level limit permits pressure control equipment to function as designed. The limit preserves the steam space during normal operation, thus, both sprays and heaters can operate to maintain the design operating pressure. The level limit also prevents filling the pressurizer (water solid) for anticipated design basis transients, thus assuring that pressure relief devices (pressurizer safety valves) can control pressure by steam relief rather than (continued)
| |
| SYSTEM 80+ B 3.4-48 Rev. 00 16A Tech Spec Bases
| |
| | |
| Pressurizer m B 3.4.9
| |
| ( )
| |
| v BASES BACKGROUND water relief. If the level limits were exceeded prior to a (continued) transient that creates a large pressurizer insurge volume leading to water relief, the maximum RCS pressure might exceed the design safety limit of 2750 psia or damage may occur to the pressurizer safety valves.
| |
| The requirement to have two groups of pressurizer heaters ensures that RCS pressure can be maintained. The pressurizer heaters maintain RCS pressure to maintain the reactor coolant subcooled. Inability to control RCS pressure during natural circulation flow could result in a loss of single phase flow and a decreased capability to remove core decay heat.
| |
| APPLICABLE In MODES 1, 2, and 3, the LC0 requirement for a steam bubble SAFETY ANALYSIS is reflected implicitly in the accident analyses. No safety analyses are performed in lower MODES with the exception of the inadvertent deboration and inadvertent startup of an RCP
| |
| /'N events. All analyses performed from a critical reactor V condition assume the existence of a steam bubble and saturated conditions in the pressurizer. In making this assumption, the analyses neglect the small fraction of non-condensible gases normally present. The steam bubble limits the volume of non-condensible gases.
| |
| Safety analyses presented in the CESSAR-DC do not take credit for pressurizer heater operation, however, an l implicit initial condition assumption of the safety analyses is that the pressurizer is operating in the range of (2175 to 2325 psia].
| |
| The maximum level limit is of prime interest for the feedwater line break event with loss of offsite power (FLBLOP). Conservative safety analyses assumptions for this event indicate that it produces the largest increase in pressurizer level. Thus, this cvent has been selected to establish the pressurizer water level limit. Assuming proper responsr. action by emergency systems, the level limit prevents water relief through the pressurizer safety valves.
| |
| Since prevention of water relief is a goal for abnormal transient operation rather than a safety limit, the value for pressurizer level is nominal and is not adjusted for instrument error, p
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-49 Rev. 00 16A Tech Spec Bases
| |
| | |
| Pressurizer B 3.4.9 O
| |
| BASES APPLICABLE Although the heaters are not specifically credited in SAFETY ANALYSES accident analysis, the need to maintain subcooling in the (continued) long term during loss of offsite power, as indicated by the NRC in NUREG-0737 (Ref. 1), is the reason for inclusion.
| |
| The re direment for emergency power supplies is based on NUREG-0137 (Ref. 1). The intent is to allow maintaining the reactor coolant in a subcooled condition with natural circulation at hot, high pressure conditions for an undefined, but extended, ti .e period after a loss of offsite power. While loss of offsite power is an initial condition or coincident event assumed in mar.y accident analyses, maintaining hot, high pressure coriditions over an extended time period is not evaluated as part of CtSSAR-DC accident analyses.
| |
| The maximum pressurizer water level limit satisfies the requirements of Criterion 2 of the NRC Policy Statement because it prevents exceeding the initial reactor coolant mass which is an input assumption of the safety analysis.
| |
| The maximum water level also permits the pressurizer safety valves to relieve steam for anticipated pressure increase transients, preserving their function for mitigation. Thus, Criterion 3 is also indirectly applicable.
| |
| LC0 The LC0 requirement for the pressurizer to be OPERABLE with water level n [26%] and s (60%) ensures that a steam bubble exists. Limiting the maximum operating water level preserves the steam for pressure control. The intent of the LC0 is to ensure that a steam bubble exists in the pressurizer to minimize the consequences of potential overpressure transients. Requiring the presence of a steam bubble is consistent with analytical assumptions.
| |
| The minimum heater capacity required is sufficient to maintain the RCS near normal operating pressure when accounting for heat losses through the pressurizer insulation. By maintaining the pressure near the operating conditions, a wide subcooling to saturation margin can be obtained in the loops. The exact design value of [200 kW) is derived from the use of [4] heaters rated at [50 kW) each. The amount needed to maintain pressure is dependent on the ambient heat losses. Tests indicate that pressurized heat losses do not usually impose a need for [200 kW]. ;
| |
| O (continued)
| |
| SYSTEM 80+ B 3.4-50 Rev. 00 16A Tech Spec Bases
| |
| | |
| Pressurizer B 3.4.9 V
| |
| BASES (continued)
| |
| APPLICABILITY The need for RCS pressire control-is most pertinent when core heat can cause the greatest effect on reactor coolant system temperature resulting in the greatest effect on ,
| |
| pressurizer level and RCS pressure control. Thus, Applicability has been designated for MODES 1, 2, and 3.
| |
| The purpose is to prevent solid water RCS operation during haatup and cooldown to avoid rapid pressure rises caused by '
| |
| normal operational perturbation, such as reactor coolant pump startup. The LCO does not apply to MODE 5 (Loops .
| |
| Filled) because LC0 3.4.11, " Low Temperature Overpressure Protection (LTOP) System," applies. The LC0 does not apply to MODES 5 and 6 with partial loop operation.
| |
| In MODES 1, 2, and 3, the need to maintain the availability of pressurizer heaters and their emergency power supplies is >
| |
| most pertinent. In the event of a loss of offsite power, the initial conditions of these MODES gives the greatest demand for maintaining the RCS in a hot pressurized condition with loop subcooling for an extended period. For MODES 4, 5, or 6, it is not necessary to control pressure A (by heaters) to ensure loop sobcooling for heat transfer V when the decay heat removal system is inservice and, j therefore, the LC0 is not scolicable.
| |
| ACTIONS A.1 and A.2 With pressurizer water level outside the limits, action must be taken to restore the plant to operation within the bounds of the safety analyses. This is done by placing the plant in MODE 3 with the reactor trip breakers open within six hours, and placing the plant in MODE 4 within [12] hours. ;
| |
| This takes the lant out of the applicable MODES and restores the plant to operation within the bounds of the safety analyses.
| |
| Six hours is a reasonable time based on operating experience j to reach MODE 3 from full power in an orderly manner and without challenging plant systems. Further pressure and temperature reduction to MODE 4 -with RCS temperature < !
| |
| [350]*F places the plant into a MODE where the LC0 is not applicable. The [12] hour time to reach the non-applicable i MODE is reasonable based on operating experience for that evaluation. j i '- (continued)
| |
| SYSTEM 80+ B 3 A-31 Rev. 00 !
| |
| 16A Tech Spec Bases
| |
| | |
| Pressurizer B 3.4.9 O
| |
| BASES ACTIONS Bd (continued)
| |
| If one required group of pressurizer heaters is inoperable, restoration is required in 72 hours. The Completion Time of 72 hours is reasonable considering that a demand caused by loss of offsite power would be unlikely in this period.
| |
| Pressure control may be maintained during this time using normal station-powered heaters.
| |
| C.1 and C.2 If one required group of pressurizer heaters is inoperable and cannot be restored within the allowed Completion Time of Required Action B.1, the plant must be brought to a MODE in which the LC0 does not apply. To achieve this status, the plant must be brought to MODE 3 within 6 hours and to MODE 4 within [12] hours. The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging safety systems. Similarly, the Completion Time of [12]
| |
| hours is reasonable, based on operating experience, to reach MODE 4 from full power in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE S_R 3.4.9.I REQUIREMENTS This Surveillance ensures that during steady state operation, pressurizer water level is maintained below the nominal upper limit to provide a minimum space for a steam l bubble and above the nominal lower limit to ensure heater operability. The Surveillance is performed by observing indicated ~1evel. The [12] hour interval has been shown by operating practice to be sufficient i.o regularly assess I degradation and verify operation within :afety analysis assumptions. Alarms are also available for early detection of abnormal level indications.
| |
| (continued) ,
| |
| 1 SYSTEM 80+ B 3.4-52 Rev. 00 16A Tech Spec Bases 4
| |
| | |
| ; Pressurizer !
| |
| -B 3.4.9 !
| |
| O BASES SURVEILLANCE SP. 3.4.9.2 i I
| |
| REQUIREMENTS
| |
| . (continued) The Surveillance is satisfied when the power supplies are '
| |
| demon:trated to be capable of producing the minimum power .
| |
| and t'ae associated pressurizer heaters are verified to be at i
| |
| }
| |
| tha'r design rating. (This may be done by testing the power -!
| |
| supply output and by performing an electrical check on !
| |
| i heater element continuity and resistance.) The Frecuency of i
| |
| ~
| |
| 92 days is considered adequate to detect heater deg<adation
| |
| ; and has been shown by operating experience to be acceptable.
| |
| lr SR 3.4.9.3 ,
| |
| f i (This SR is not applicable if the heaters are permanently i powered by IE power supplies.] l i [This Surveillance demonstrates that the heaters can be- !
| |
| manually transferred to and energized by emergency power
| |
| , supplies. The Frequency of [18] m nths is based on a ,
| |
| typical fuel cycle and industry accepted practice. This is l consistent with similar verifications of emergency power.] j i
| |
| l REFERENCES 1. NUREG-0737, " Clarification of TMI Action Plan Requirements," November,1980. l L
| |
| l
| |
| . i i
| |
| l r
| |
| .O l I'
| |
| SYSTEM 80+ B 3.4-53 Rev. 00 ,
| |
| '16A Tech. Spec Bases
| |
| | |
| Pressurizer Safety Valves B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.10 Pressurizer Safety Valves BASES BACKGROUND The purpose of the [four] spring loaded pressurizer safety valves is to provide Reactor Coolant System (RCS) overpres-sure protection. Operating in conjunction with the reactor protection system, [four] valves are used to ensure that the Safety Limit (SL) of 2750 psia is not exceeded for analyzed transients during operation in MODES I and 2. [Four] safety valves are used for MODE 3 and portions of MODE 4. For the remainder of MODE 4 and for MODE 5, overpressure protection is provided by operating procedures and LC0 3.4.11, " Low Temperature Overpressurization Protection (LTOP) System".
| |
| For these conditions, ASME requirements are satisfied with one safety valve.
| |
| The self-actuated pressurizer safety valves are designed in accordance with the requirements set forth in the ASME Boiler and Pressure Vessel Code, Section III. (Ref. 1). The required lift pressure is 2500 psia 1%. The safety valves discharge steam from the pressurizer to the Incontainment Refueling Water Storage Tank (IRWST) located in the containment.
| |
| The upper and lower pressure limits are based on the 1%
| |
| tolerance requirement (Ref.1) for lifting pressures above 1000 psig. The lift setting is for the ambient conditions associated with MCOES 1, 2, and 3. This requires either that the valves be set hot or that a correlation between hot and cold settings be established.
| |
| The pressurizer safety valves are part of the primary success path and mitigate the effects of postulated accidents. OPERABILITY of the safety valves ensures that ,
| |
| the RCS pressure will be limited to 110% of design pressure. 1 The consequences of exceeding the ASME pressure limit (Ref.
| |
| : 1) could include damage to RCS components, increased ,
| |
| leakage, or a requirement to perform additional stress analyses prior to resumption of reactor operation.
| |
| (continued)
| |
| Ol) i SYSTEM 80+ B 3.4-54 Rev. 00 16A Tech Spec Bases i
| |
| | |
| i Pressurizer Safety Valves B 3.4.10 l p
| |
| d BASES (continued) l APPLICABLE All accident analyses in CESSAR-DC which require safety )
| |
| SAFETY ANALYSES valve actuation assume operation of all pressurizer safety valves to limit increasing reactor coolant pressure. The overpressure protection analysis is also based on operation of all safety valves and assumes that the valves open at the high range of the setting (2500 psia system design pressure plus 1%). These valves must accommodate pressurizer insurges which could occur during various heatup events such as rod withdrawal, ejected rod, loss of main feedwater, loss of load or main feedrater line break accident. The loss of load event with delayed reactor trip establishes the ,
| |
| minimum safety valve capacity. The single failure of a safety valve to open is neither assumed in the accident analysis nor required to be addressed by the ASME code.
| |
| Compliance with this specification is required to assure !
| |
| that the accident analysis and design basis calculations '
| |
| remain valid. The pressurizer safety valves are components that are part of the primary success path and which function or actuate to mitigate a design basis accident or transient ;
| |
| that either assumes the failure of, or presents a challenge r to, the integrity of a fission product barrier. As such,
| |
| 's the pressurizer safety valves satisfy the requirements of Criterion 3 of the NRC Policy Statement. j l
| |
| LC0 The [four) pressurizer safety valves are set to open at the RCS design pressure (2500 psia) and within the ASME l specified tolerance to avo.' exceeding the maximum RCS l design pressure Safety Limit, to maintain accident analysis i assumptions, and to comply with ASME code requirements. The upper and lower pressure tolerance limits are based on the 1% tolerance requirements (Ref.1) for lifting pressures above 1000 psig. The limit protected by this specification is the reactor coolant pressure boundary Safety Limit of 110% of design pressure. Inoperability of one or more vi.ives could esult in exceeding the Safety Limit were a transient to occur. The consequences of exceeding the ASME i pressure limit could include damage to one or more RCS components, increased leakage, or additional stress analysis being required prior to resumption of reactor operation. ,
| |
| l i
| |
| k I (continued)
| |
| SYSTEM 80+ B 3.4-55 Rev. 00 16A Tech Spec Bases
| |
| | |
| l i
| |
| l Pressurizer Safety Valves l B 3.4.10 O,
| |
| BASES (continued)
| |
| APPLICABILITY In MODES 1, 2, and 3, and portions of MODE 4 above the LTOP temperature, OPERABILITY of [four] valves is required because the combined capacity is required to keep reactor coolant pressure below 110% of its design value during certain accidents. MODE 3 and portions of MODE 4 are conservatively included although the listed accidents may not require all safety valves for protection. The Lrn is not applicable in MODE 4 when all RCS cold leg temperatures are s [259] F for cooldown or s the LTOP disable temperature specified in Figure 3.4.3-1A for heatup.
| |
| Overpressure protection is not required in MODE 6 with the reactor vessel head detensioned.
| |
| The Note allows entry into M'..l.3 :s and 4 with the lift settings outside the LC0 lin:i+5 This permits testing and examination of the safety valves at high pressure and temperature near their normal operating range, but only after the valves have had a preliminary cold setting. The cold setting gives assurance that the valves are OPERABLE near their design condition. Only one valve at a time will be removed from service for testing. The [72] hour exception is based on [18] hour outage time i;r each of the
| |
| [four] valves. The [18] hour period is derived from operating experience that hot testing can be performed within this time frame.
| |
| ACTIONS A_d With one pressurizer safety valve inoperable, restoration must take place within 15 minutes. The Completion Time of 15 minutes reflects the importance of maintaining the RCS overpressure protection system. An inoperable safety valve coincident with an RCS overpressure event could challenge ,
| |
| the integrity of the RCS pressure boundary.
| |
| B.l. B.2. and B.3 If the Required Action cannot be met within the required Completion Time, or if [two] or more pressurizer safety valves are inoperable, the plant must be placed in a MODE in which the requirement does not apply. This is done by (continued)
| |
| SYSTEM 80+ B 3.4-56 Rev. 00 16A Tech Spec Bases
| |
| | |
| t Pressurizer Safety-Valves B 3.4.10 ,
| |
| BASES ACTIONS B.1. B.2. and 8.3 (continued) placing the plant in at MODE 4ator.below[259]}eastMODE3withinsixho F in [12] hours, or by placing the plant in shutdown cooling with the LTOP relief valves in service in [12] hours. The six hours allowed to reich MODE 3 is a reasonable time based on operating experience to reach MODE 3.from full power without challenging plant .
| |
| systems. Similarly, the [12] hours. allowed is a reasonable <
| |
| timebasedonoperatingexperiencetoreachMQOE4without challenging plant systems. At or below [259] F, ;
| |
| overpressure protection is provided by LTOP. The change -
| |
| from MODES 1, 2, or 3 to MODE 4 reduces the RCS energy (core power and pressure), lowers the potential for large i
| |
| pressurizer insurges, and thereby removes the need for overpressure protection Q [four] pressurizer safety valves.
| |
| SURVEILLANCE SR 3.4.10.1
| |
| / REQUIREMENTS i Surveillance Requirements are specified in the Inservice Testing Program. Section XI of the ASME Code (Ref. I) :
| |
| provides the activities and the Frequency necessary to ,
| |
| satisfy the Surveillance Requirements. No additional :
| |
| requirements are specified.
| |
| The pressurizer safety valve setpoint is [3]% for OPERABILITY; however, the valves are reset to [1]% during the Surveillance to allow for drift.
| |
| REFERENCES 1. ASME Boiler & Pressure Vessel Code, Section III,
| |
| " Nuclear Vessels," Section XI " Rules for Inservice Inspection of Nuclear Power Plant Components."
| |
| b l l
| |
| O SYSTEM 80+ B 3.4-57 Rev. 00 16A Tech. Spec Bases
| |
| | |
| LTOP System B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.11 Low Temperature Overpressure Protection (LTOP) System BASES BACKGROUND The purpose of the Low Temperature Overpressure Protection (LTOP) System LC0 is to limit reactor coolant pressure at low tei@eratures to levels which will not compromise Reactor Coolant Prcssure Boundary (RCPB) integrity (Ref.1). The reactor vessel is the limiting component for demonstrating that protection is provided. LC0 3.4.3, "RCS Pressure and Temperature (P/T) Limits", provides the allowable combinations for operational pressure and temperature during cooldown, shutdown, and heatup to keep from violating the Reference 1 requirements during the LTOP MODES.
| |
| The reactor vessel material is less tough at low temperatures than at normal operating temperatures. As reactor vessel neutron exposure accumulates, the vessel material toughness decreases and becomes less resistant to pressure stress at low temperatures (Ref. 2). RCS pressure, therefore, is maintained low at low temperatures and is increased only as temperature is increased.
| |
| Overpressure protection given by the LC0 is provided by placing the SCS relief valves in service or depressurizing the Reactor Coolant System (RCS) through an open vent. The open RCS vent or the SCS relief valves are the overpressure protection devices which provide backup to the operator in terminating increasing pressure events.
| |
| APPLICABLE Safety analyses (Ref. 3) demonstrate that the reactor vessel SAFETY ANALYSES is adequately protected against exceeding the Reference 1 P/T limits during shutdown. Transients that are capable of overpressurizing the Reactor Coolant System have been ;
| |
| identified and evaluated. Postulated transients include inadvertent safety injection actuation; energizing the i pressurizer heaters; failing the makeup control valve open; i temporary loss of decay heat removal; and, reactor coolant l thermal expansion caused by reactor coolant pump (RCP) start ]
| |
| causing heat transfer from hot steam generators. <
| |
| (continued) l l
| |
| Rev. 00 i SYSTEM 80+ B 3.4-58 16A Tech Spec Bass:
| |
| | |
| P LTOP System
| |
| , B 3.4.11 :
| |
| U BASES APPLICABLE The LTOP system was designed to protect the RCS from SAFETY ANALYSES overpressurization resulting from any of the following (continued) conditions:
| |
| : 1. The starting of an idle RCP with the secondary water temperature of the steam generator s [100'F] above the RCS cold leg temperature.
| |
| : 2. The simultaneous starting of all four SI pumps and its injection into the RCS.
| |
| During the two design bases events, no operator action is assumed to take place until ten minutes have passed.
| |
| 4 LTOP System satisfies Criterion 2 of the NRC Policy Statement.
| |
| LCO The LC0 requires that the SCS relief valves be OPERABLE with ;
| |
| ( a setpoint at the overpressure limit or the RCS be I depressurized via an open vent. !
| |
| APPLICABILITY This LC0 is applicable in MODE 4 with the temperature of any RCS cold leg 5 [259*F] during cooldown or 5 the LTOP disable temperature specified in Figure 3.4.3-1A during heatup, in MODE 5, and in MODE 6 with the reactor vessel head on. The ,
| |
| LC0 is not applicable for operating conditions above the specified temperatures because the pressurizer safety valves 3
| |
| are able to provide overpressure protection. With the vessel head off, there is no need for overpressure l protection.
| |
| ACTIONS A.1 and B.1 With one SCS relief valve inoperable, overpressure relieving i capability is reduced. The other SCS relief valve remains ;
| |
| OPERABLE or the RCS must be depressurized through an open ;
| |
| vent. Either of these paths provide adequate overpressure l protection. However, redundancy has been lost. The seven i day completion time in MODE 4, and 24 hour completion time (continued)
| |
| SYSTEM 80+ B 3.4-59 Rev. 00 16A Tech Spec Bases
| |
| | |
| LTOP System B 3.4.11 O
| |
| BASES ACTIONS A.1 and B.1 (continued) in MODES 5 and 6 (per NRC GL 90-06) (Ref. 4) reflects the need to restore redundancy and also takes into consideration the other overpressure protection paths available in this condition.
| |
| L.d If the Required Actions cannot be met within the associated Completion Times, the plant must be placed in a condition where an overpressure event cannot occur. This is done by depressurizing the RCS through the open alternate vent. The Completion Time of eight hours is reasonable based on the amount of time required to place the plant in this condition and the probability of an accident requiring the LTOP System during this relatively short period of time.
| |
| D_d In the unlikely event that both SCS relief valves are O
| |
| inoperable action must be taken to establish an alternate path. The Completion Time of "immediately" reflects the need to restore vent path capability since inadvertent or uncontrolled operation of an SI or charging pumps could cause overpressurization.
| |
| i l
| |
| l SURVEILLANCE SR 3.4.11.1 REQUIREMENTS The RCS ven', must be verified open for relief protection.
| |
| The required frequency is every 12 hours. This Frequency has been shown by operating practices to be sufficient to regularly asse;s degradation and verify operation within the safety anahsi:. assumptions.
| |
| This Surveiliance is modified by a Note only requiring performance when the vent path is being used for LTOP.
| |
| l l
| |
| (continued) l SYSTEM 80+ B 3.4-60 Rev. 00 16A Tech Spec Bases
| |
| | |
| .. . ~ __ _ . . . .. _.- . _ . _ _ _ . . _ . . _ . _ . . .
| |
| LTOP System B 3.4.11 *
| |
| ^
| |
| BASES 1
| |
| SR 3.4.11.2 SURVEILLANCE REQUIREMENTS "
| |
| (continued) _The pressurizer manway must be verified open for relief protection. The Frequency of every 12 hours is sufficient ;
| |
| to verify compliance within the safety analysis assumptions. l The Surveillance is modified by a Note only requiring 4 performance when manway is being used for LTOP. l SR 3.4.11.3 t Surveillance Requirement 3.4.11.3.is the performance of a setpoint calibration every [18. months]. The setpoint calibration for the LTOP ensures that the SCS relief valves will be actuated at the appropriate RCS pressure by verifying the accuracy of the valve lift pressure. The Frequency of (18 months) is based on a typical refueling ;
| |
| cycle and industry accepted practice. ,
| |
| 1 l
| |
| \ -
| |
| REFERENCES 1. 10 CFR 50, Appendix G, " Fracture Toughness Requirements."
| |
| l 2. Generic Letter 88-11, "NRC Position on Radiation Embrittlement of Reactor Vessel Materials and its
| |
| ! Impact on Plant Operation."
| |
| : 3. Chapter 15.
| |
| : 4. Generic Letter 90-06.
| |
| i I
| |
| SYSTEM 80+ B 3.4-61 Rev. 00_ j 16A: Tech Spec Bases
| |
| | |
| RCS Operational LEAKAGE B 3.4.12 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| C 3.4.12 RCS Operational LEAKAGE BASES --.
| |
| BACKGROUND Components that contain or transport the coolant to or from the reactot core make up the RCS. Component joints are made by welding, bolting, rolling, or pressure loading, and valves isolate connecting systems from the RCS, During plant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration.
| |
| The purpose of the RCS Operational LEAKAGE LC0 is to limit system operation in the presence of LEAKAGE from these sources to amounts that do not compromise safety. This LC0 specifies the types and amounts of LEAKAGE.
| |
| 10 CFR 50, Appendix A, GDC 30 (Ref.1), requires means for detecting and, to the extent practical, identifying the source of reactor coolant LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting leakage detection systems.
| |
| The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring reactor coolant LEAKAGE into the containment area is necessary. Quickly separating the identified LEAKAGE from the unidentified LEAKAGE is necessary to provide quantitative information to the operators, allowing them to take corrective action should a leak occur detrimental to the safety of the facility and the public.
| |
| A limited amount of leakage inside containment is expected from auxiliary systems that cannot be made 100% leaktight.
| |
| Leakage from these systems should be detected, located, and isolated from the containment atmosphere, if possible, to not interfere with RCS LEAKAGE oetection.
| |
| This LCO deals with protection of the reactor coolant pressure boundary (RCPB) from degradation and the core from inadequate cooling, in addition to preventing the accident analysis radiation release assumptions from being exceeded.
| |
| The consequences of violating this LC0 include the possibility of a loss of coolant accident (LOCA).
| |
| O (continued)
| |
| SYSTEM 80+ B 3.4-62 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Operational LEAKAGE n B 3.4-12 b
| |
| BASES (continued)
| |
| APPLICABLE Except for primary to secondary LEAKAGE, the safety analyses SAFETY ANALYSES do not address operational LEAKAGE. However, other operational LEAKAGE is related to the safety analyses for LOCA; the amount of leakage can affect the probability of such an event. The safety analysis for an event resulting in steam discharge to the atmosphere assumes a 1 gpm primary to secondary LEAKAGE as the initial condition.
| |
| Primary to secondary LEAKAGE is a factor in the dose releases outside containment resulting from a steam line break (SLB) accident. To a lesser extent, other accidents or transients involve (continued) secondary steam release to the atmosphere, such as a steam generator tube rupture (SGTR), RCP locked rotor, control element assembly ejection, letdown line break, and feedwater line break. The leakage contaminates the secondary fluid.
| |
| The dose consequences resulting from these accidents are well within the limits defined in 10 CFR 100.11, the staff approved licensing basis, and 10 CFR 50, Appendix A, GDC 19.
| |
| /^'s
| |
| () RCS operational LEAKAGE satisfies Criterion 2 of the NRC Policy Statement.
| |
| LCO a. Pressure Boundary LEAKAGE No Pressure Boundary LEAKAGE is allowed because it would be indicative of material deterioration.
| |
| Pressure Boundary LEAKAGE is defined as leakage through a non-isolable fault in an RCS component body, pipe, or vessel wall (excluding RCP shaft seals, packing, and steam generator tube leakage). Leakage of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher leakage. Violation of this LC0 could result in continued degradation of the RCPB.
| |
| : b. Unidentified LEAKAGE One gallon per minute (gpm) of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and containment sump / holdup volume tank monitoring equipment can
| |
| \~J (continued)
| |
| SYSTEM 80+ B 3.4-63 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Operational LEAKAGE B 3.4.12 O
| |
| BASES LCO b. Unidentified LEAKAGE (continued) detect within a reasonable time period. Unidentified LEAKAGE is defined as reactor coolant leakage which is not identified. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.
| |
| : c. Identified LEAKAGE Identified LEAKAGE is defined as leakage into closed systems connected to the RCS that is captured and recovered. Up to 10 gpm of identified LEAKAGE is considered allowable because leakage is from known sources which do not interfere with detection of unidentified LEAKAGE and is well within the capability of the RCS makeup system.
| |
| Identified LEAKAGE includes leakage to the containment from sources that are specifically known and located, but does not include pressure boundary LEAKAGE or controlled RCP seal leakoff (which is a normal function and is not considered leakage). Violation of this LC0 could result in continued degradation of a component or system.
| |
| Other related LCOs include LCO 3.4.13, "RCS Pressure Isolation Valve (PIV) LEAKAGE", which specifies ;
| |
| leakage limits for certain valves that isolate the i 1
| |
| high pressure RCS from other low pressure systems and Surveillance 3.4.13.1 measures leakage through each j PIV individually. Since there are two PIVs in series in each PIV line, leakage measured through one PIV may not result in any RCS LEAKAGE if the other is leak l' tight. If both series valves leak resulting in a loss of mass from the RCS, the loss is to be included in allowable identified LEAKAGE. LCO 3.4.14, "RCS Leakage Detection Instrumentation", specifies the requirements for the monitoring equipment used to detect leakage into the containment. ,
| |
| (continued) OI l
| |
| SYSTEM 80+ B 3.4-64 Rev. 00 16A Tech Spec Bases
| |
| | |
| t f
| |
| RCS Operational LEAKAGE
| |
| - B 3.4.12 i
| |
| BASES LCO d. Primarv-to-Secondary LEAKAGE Throuch All Steam 1 (continued) Generators Total Primary-to-Secondary LEAKAGE of one (1) gpm to all steam generators produces acceptable offsite doses in the SLB accident analysis. Violation of this LCO could exceed the offsite dose limits for this accident analysis. Primary-to-Secondary LEAKAGE must be included in the total allowable limit for Identified LEAKAGE.
| |
| : e. Primary-to-Secondary LEAKAGE Throuah Any One Steam .
| |
| Generator ,
| |
| i The [720] gallons per day (gpd) limit on one steam generator is based on allocating the total one (1) gpm allowed Primary-to-Secondary LEAKAGE equally between the two steam generators.
| |
| APPLICABILITY In MODES 1, 2, 3, and 4, the potential for RCPB leakage is greatest when the RCS is pressurized.
| |
| In MODES 5 and 6, LEAKAGE limits are not provided because the reactor coolant pressure is far lower resulting in lower stresses and a reduced potential for LEAKAGE.
| |
| ACTIONS Ad With Identified LEAKAGE, Unidentified LEAKAGE, or Primary-to-Secondary LEAKAGE in excess of the LC0 limits, the leakage must be reduced to within limits within four hours.
| |
| This Completion Time allows four hours to verify leakage rates and either identify Unidentified LEAKAGE or reduce LEAKAGE to within limits, before the reactor must be shut down. This action is necessary to prevent further deterioration of the RCPB.
| |
| W (continued)
| |
| SYSTEM 80+ B 3.4-65 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Operational LEAKAGE B 3.4.12 O
| |
| BASES ACTIONS B.1 and B.2 (continued)
| |
| If any Pressure Boundary LEAKAGE exists or if Identified, Unidentified, or Primary-to-Secondary LEAKAGE cannot be reduced to within limits within four hours, the reactor must be brought to lower pressure conditions to reduce the severity of the LEAKAGE and its potential consequences. The reactor must be placed in MODE 3 within six hours and MODE 5 within 36 hours. This action reduces the LEAKAGE and also reduces the factors which tend to degrade the pressure boundary. The Completion Time of six hours is reasonable based on operating experience, to reach MODE 3 from full power without challenging plant systems. Similarly, the Completion Time of 36 hours to reach MODE 5 is reasonable based on operating experience to reach the required MODE without challenging plant systems. In MODE 5, the pressure stresses acting on the RCPB are much lower and further deterioration is much less likely.
| |
| SURVEILLANCE SR 3.4.12.1 REQUIREMENTS Verifying that RCS LEAKAGE is within the LCO limits ensures that the integrity of the RCPB is maintained. Pressure Boundary LEAKAGE would at first appear as Unidentified LEAKAGE and can only be positively identified by inspection.
| |
| Unidentified LEAKAGE and Identified LEAKAGE are demonstrated ,
| |
| to be within limits by performance of a RCS water inventory balance. Primary-to-Secondary LEAKAGE is also measured by performance of an RCS water inventory balance in conjunction ,
| |
| with effluent monitoring within the secondary Feedwater and Steam Systems. The RCS water inventory balance must be performed with the reactor steady state operating conditions and near operating pressure. Therefore, this SR is not required to be performed in MODES 3 and 4, until 12 hours of steady state operation near operating pressure have elap:sd.
| |
| An early warning of Pressure Boundary LEAKAGE or Unidentified LEAKAGE is provided by the automatic systems which monitor the containment atmosphere radioactivity or containment sump. These leakage detection systems are specified in LC0 3.4.14, "RCS LEAKAGE Detection Instrumentation."
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-66 Rev. 00 16A Tech Spec Bases
| |
| | |
| l RCS Operational LEAKAGE !
| |
| B 3.4.12 i
| |
| BASES l i
| |
| I SURVEILLANCE SR 3.4.12.1 (continued)
| |
| : REQUIREMENTS .
| |
| The 72 hour Frequency permits a-reasonable interval for trending of LEAKAGE while recognizing the relative j importance of early leak detection in the prevention of accidents. A Note under the Frequency column states that i i this SR is required to be performed during steady state !
| |
| operation. Steady state operation is required to perform a ;
| |
| proper inventory balance; calculations during maneuvering !
| |
| are not useful and the Surveillance is not required unless l l
| |
| steady state is established. For purposes of LEAKAGE .
| |
| i determination by inventory balance, steady state is defined j as stable RCS pressure, temperature, power level, pressurizer and makeup tank level, constant makeup and letdown and reactor coolant pump seal injection and return
| |
| ; flows. Pressure Boundary LEAKAGE would be detected more l
| |
| ; quickly by the LEAKAGE detection systems referenced in LCO 3.4.14, ".RCS LEAKAGE Detection Instrumentation".
| |
| 1 SR 3.4.12.2 This SR provides the means necessary to determine SG OPERABILITY in an operational MODE. The requirement to demonstrate SG tube integrity in accordance with the Steam Generator Tube Surveillance Program emphasizes the importance of SG tube integrity, even though this Surveillance cannot be performed at normal operating
| |
| - conditions.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GN 30.
| |
| : 2. Regulatory Guide 1.45, May 1973.
| |
| : 3. Chapter 15.
| |
| l i
| |
| SYSTEM 80+- B 3.4-67 Rev. 00 16A Tech Spec Bases l
| |
| | |
| RCS PIV Leakage B 3.4.13 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.13 RCS Pressure Isolation Valve (PIV) Leakage BASES BACKGROUND 10 CFR 50.2, 10 CFR 50.55a(c), and GDC 55 of 10 CFR 50, Appendix A (Refs. 1, 2, and 3), define RCS PIVs as any two normally closed valves in series within the RCS pressure boundary that separate the high pressure RCS from an attached low pressure system. During their lives, these valves can produce varying amounts of reactor coolant leakage through either normal operational wear or mechanical deterioration. The RCS PIV LC0 allows RCS high pressure operation when leakage through these valves exists in amounts that do not compromise safety.
| |
| This specification applies to the four series check valves (two per line) that isolate the high pressure Reactor Coolant System (RCS) from low pressure portions of the Shutdown Cooling System (SCS) outside the containment. Two valves in series are required to provide redundancy of i isolation, and the concept of the LC0 is to provide two j barriers. A high pressure rated, motor operated gate valve is upstream of the two check valves. The selection of valves is based on information presented in Reference I which requires testing of two in-series check valves used for isolation of high pressure to low pressure systems when leakage of one valve could go undetected for a substantial ;
| |
| length of time. ;
| |
| 1 The PIV leakage limit applies to each individual valve. l Leakage through both PIVs in series in a line must be included as part of the idertified LEAKAGE, governed by l LC0 3.4.12, "RCS Operational LEAKAGE." This is true during i operation only when the loss of RCS mass through two valves l in series is determined by a water inventory balance ,
| |
| (SR 3.4.12.1). A known component of the identified LEAKAGE I
| |
| before operation begins is the least of the two individual 1 leakage rates determined for leaking series PIVs during the required surveillance testing; leakage measured through one PIV in a line is not RCS operational LEAKAGE if the other is leaktight.
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-68 Rev. 00 16A Tech Spec Bases
| |
| | |
| 1 f
| |
| l RCS PIV Leakage j t
| |
| B 3.4.13 .
| |
| BASES l
| |
| l BACKGROUND Although this specification provides a limit on the (continued) allowable PIV leakage rate, the important purpose of the i specification is to prevent overpressure failure of the low l pressure portions of the SCS caused by high RCS pressure.
| |
| 4 The leakage limits are symptoms that the boundary (check ,
| |
| valves) between the RCS and the SCS is degraded or becoming degraded. Failure of the check valves could lead to ;
| |
| overpressure of the SCS piping or components. Failure consequences could be a Loss of Coolant Accident (LOCA) outside of containment, with the possibility of being unable to recirculate from the containment after the initial Incontainment Refueling Water Storage Tank (IRWST) injection.
| |
| The basis for this LC0 is the 1975 NRC " Reactor Safety Study", WASH-1400 (Ref. 4), which identified potential !
| |
| intersystem LOCAs as a significant contributor to the risk
| |
| , of core melt. A subsequent study (Ref.5) evaluated various PIV configurations to determine the probability of intersystem LOCAs. This study determined that periodic leak testing of PIVs can reduce the probability of a LOCA.
| |
| PIVs are provided to isolate the RCS from the following typically connected systems:
| |
| : a. Shutdown Cooling (SCS) System;
| |
| : b. Safety Injection System; and
| |
| : c. Chemical and Volume Control System.
| |
| Violation of this LC0 could result in continued degradation of a PIV, which could lead to overpressurization of a low pressure system and the loss of the integrity of a fission product barrier.
| |
| l l
| |
| APPLICABLE Pressure isolation valve leakage is not considered in any SAFETY ANALYSES design basis accident analyses. This specification provides for monitoring the condition of the reactor coolant pressure boundary to detect degradation which could lead to acci-dents. Therefore, Criterion 2 of the NRC Policy Statement i is satisfied.
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-69 Rev. 00 I6A Tech Spec Bases i
| |
| | |
| RCS PIV Leakage B 3.4.13 O
| |
| BASES (continued)
| |
| LCO RCS PIV leakage is identified LEAKAGE into closed systems connected to the RCS. Isolation valve leakage is usually on the order of drops per minute. Leakage that increases significantly suggests that something is operationally wrong and corrective action must be taken.
| |
| The LCO PIV leakage limit is 0.5 gpm per nominal inch of valve size, with a maximum limit of [5 gpm]. The previous criterion of 1 gpm for all valve sizes imposed an unjustified penalty on the larger valves without providing information on potential valve degradation and resulted in higher personnel radiation exposures. A study concluded a leakage rate limit based on valve size was superior to a single allowable value.
| |
| Reference 6 permits leakage testing at a lower pressure ,
| |
| differential than between the specified maximum RCS pressure '
| |
| and the normal pressure of the connected system during RCS operation (the maximum pressure differential) in those types of valves in which the higher service pressure will tend to diminish the overall leakage channel opening. In such <
| |
| cases, the observed rate may be adjusted to the maximum I pressure differential by assuming leakage is directly proportional to the pressure differential to the one half power.
| |
| APPLICABILITY In MODES 1, 2, 3, and 4, this LC0 applies because the potential for PIV leakage is greatest when the RCS is pressurized. In MODES 5 and 6, leakage limits are not provided because the reactor coolant pressure is far lower resulting in a reduced potential for leakage and a lower potential for LOCA outside the containment.
| |
| ACTIONS The Actions are modified by two Notes. Note 1 is added to provide clarification that each flow path allows separate entry into a Condition. This is allowed based on the functional independence of the flow path. Note 2 requires an evaluation of affected systems if a PIV is inoperable.
| |
| The leakage may have affected system operability or isolation of a leaking flow path with an alternate valve may (continued)
| |
| SYSTEM 80+ B 3.4-70 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS PIV Leakage B 3.4.13 v
| |
| BASFS ACTIONS have degraded the ability of the interconnected system to
| |
| , (continued) perform its safety function.
| |
| A.1. A.2.1 and A.2.2 The flow path must be isolated by two valves. Required Actions A.1 and A.2 are modified by a Note stating that the valves used for isolation must meet the same leakage requirements as the PIVs and must be in the RCPB [or the high pressure portion of the system].
| |
| Required Action A.1 requires that the isolation with one valve must be performed within 4 hours. Four hours provides time to reduce leakage in excess of the allowable limit and to isolate if leakage cannot be reduced. The 4 hours allows the actions and restricts the operation with leaking isolation valves.
| |
| Required Action A.2.1 and A.2.2 specifies that the double isolation barrier of two valves be restored by closing some O other valve qualified for isolation or restore one leaking PIV to within limits. The 72 hour Completion Time after exceeding the limit considers the time required to complete the action and the low probability of a second valve failing during this time period. This time also allows for the restoration of the leaking PIV to OPERABLE status. This time frame considers the time required to complete this Action and the low probability of a second valve failing during this period.
| |
| B.1 and B.2 i
| |
| If leakage cannot be reduced [the system isolated] or other !
| |
| Required Actions accomplished, the plant must be placed in a MODE in which the LC0 does not apply. This is done by placing the plant in MODE 3 within six hours and MODE 5 within 36 hours. This Action may reduce the leakage and also reduces the potential for a LOCA outside the containment. The allowed completion times are reasonable to achieve the required MODES from full power without challenging plant systems.
| |
| O (continued)
| |
| SYSTEM 80+ B 3.4-71 Rev. 00 16A Tech Spec Bases 1
| |
| | |
| RCS Ply Leakage B 3.4.13 BASES (continued)
| |
| SURVEILLANCE SR 3.4.13.1 REQUIREMENTS Performance of leakage testing on each RCS PIV or isolation valve used to satisfy Required Action A.1 or A.2.1 or A.2.2 is required to verify that leakage is below the specified limit and to identify each leaking valve. The leakage limit of 0.5 gpm per inch of nominal valve diameter up to [5 gpm]
| |
| maximum applies to each valve. Leakage testing requires a stable pressure condition.
| |
| For the two PIVs in series, the leakage requirement applies to each valve individually and not to the combined leakage across both valves. If the PIVs are not individually leakage tested, one valve may have failed completely and may not be detected if the other valve in series meets the leakage requirement. In this situation, the protection provided by redundant valves would be lost.
| |
| Testing is to be performed every 9 months, but may be extended up to a maximum of [18] months, a typical refueling cycle, if the plant does not go into MODE 5 for at least 7 days. The [18] month Frequency is required in 10 CFR 50.55a(g) (Ref. 7), as contained in the Inservice Testing Program, is within the American Society of ,
| |
| Mechanical Engineers (ASME) Code, Section XI (Ref. 8), and :
| |
| is based on the need to perform the Surveillance under i conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance )
| |
| were performed with the reactor at power.
| |
| In addition, testing must be performed once after the valve has been opened by flow or exercised to ensure tight reseating. PIVs disturbed in the performance of this Surveillance should also be tested unless documentation shows that an infinite testing loop cannot practically be avoided. Testing must be performed within 24 hours after the valve has been reseated. Within 24 hours is a reasonable and practical time limit for perforning this test after opening or reseating a valve.
| |
| The leakage limit is to be met at the RCS pressure associated with MODES 1 and 2. This permits leakage testing i at high differential pressures with stable conditions not i possible in the MODES with lower pressures.
| |
| (continued) l SYSTEM 80+ B 3.4-72 Rev. 00 i J
| |
| 16A Tech Spec Bases
| |
| | |
| RCS PIV Leakage i B 3.4.13 O BASES I
| |
| SURVEILLANCE SR 3.4.13.1 (continued) i REQUIREMENTS Entry into MODES 3 and 4 is. allowed to establish the (
| |
| necessary differential pressures and stable conditions to !
| |
| allow for performance of this-Surveillance. The Note that i allows this provision is complimentary to the Frequency of prior to entry into MODE 2 whenever the unit has been in I MODE 5 for 7 days or more, if leakage testing has not been- .
| |
| i performed in the previous 9 months. In addition, this Surveillance is not required to be performed on the SCS when the SCS is aligned to the RCS in the shutdown cooling mode .i of operation. :PIVs contained in the SCS shutdown cooling '
| |
| flow path must be leakage rate tested after SCS is secured ;
| |
| and stable unit conditions and the necessary differential i pressures are established. j REFERENCES 1. 10 CFR 50.2.
| |
| : 2. 10 CFR 50.55a(c).
| |
| : 3. 10 CFR 50, Appendix A, Section V, GDC 55.
| |
| : 4. USNRC, " Reactor Safety Study - An Assessment of i Accident Risks in U.S. Commercial Nuclear Power I Plants," Appendix V, WASH-1400 (NUREG-75/014), Oct.
| |
| 1975.
| |
| : 5. USNRC, "The Probability of Intersystem LOCA: Impact l Due to Leak Testing and Operational Changes," NUREG- i 0677, May 1980. .
| |
| I
| |
| : 6. ASME, Boiler and Pressure Vessel Code, Section XI, i IWV-3423(e).
| |
| : 7. 10 CFR 50.55a(g). j
| |
| : 8. ASME Boiler and Pressure Vessel Code, Section XI, IWV- ,
| |
| I 3422.
| |
| I I I II I I I I I ll ll . I l
| |
| SYSTEM 80+ B 3.4-73 Rev. 00 16A Tech Spec: Bases
| |
| | |
| RCS LEAKAGE Detection Instrumentation B 3.4.14 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.14 RCS LEAKAGE Detection Instrumentation BASES BACKGROUND GDC 30 of Appendix A to 10 CFR 50 (Ref. 1) requires means for detecting and, to the extent practical, identifying the location of the source of RCS LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting leakage detection systems.
| |
| Leakage detection systems must have the capability to detect significant reactor coolant pressure boundary (RCPB) degradation as soon after occurrence as practical to minimize the potential for propagation to a gross failure.
| |
| Thus, an early indication or warning signal is necessary to permit proper evaluation of all unidentified LEAKAGE.
| |
| The instrumentation available for monitoring leakage includes the following:
| |
| A. Containment Sump Moaitor
| |
| : 1. Containment Floor Drain Sump
| |
| : a. Level
| |
| : b. Flow Rate from pump discharge
| |
| : 2. Reactor Cavity Sump
| |
| : a. Level
| |
| : b. Flow Rate from pump discharge B. Containment Atmosphere Radioactivity Monitor
| |
| : 1. Gaseous
| |
| : 2. Particulate C. Containment Cooler Condensate Tank Monitor
| |
| : 1. Level
| |
| : 2. Flow Rate from pump discharge Industry practice has shown that water flow changes of 0.5 to 1.0 gpm can readily be detected in contained volumes by monitoring changes in water level, in flow rate, or in the operating frequency of a pump. The containment sump, used to collect unidentified LEAKAGE, and the containment air (continued)
| |
| SYSTEM 80+ B 3.4-74 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS LEAKAGE Detection Instrumentation B 3.4.14 J
| |
| BASES' f J
| |
| i BACKGROUND cooler condensate tank is instrumented to alarm for i (continued) increases of 1.0 gpm in the normal flow rates. This l sensitivity is acceptable for detecting increases in ;
| |
| unidentified LEAKAGE.
| |
| The reactor coolant contains radioactivity that, when released to the containment, can be detected by radiation monitoring instrumentation. Reactor coolant radioactivity levels will be low during initial reactor :iartup and for a few weeks thereafter until activated corrosion products have been formed and fission products appear from fuel element ,
| |
| cladding contaminati,on or cladding defects. Instrument j sensitivities of 10' l monitoring and of 10',4Ci/cc radioactivity Ci/cc radioactivity for particulate for gaseous l I
| |
| monitoring are practical for these leakage detection systems. Radioactivity detection systems are included for i monitoring both particulate and gaseous activities, because j of their sensitivities and rapid responses to RCS LEAKAGE. i An increase in humidity of the containment atmosphere would l C indicate release of water vapor to the containment. Dew i( point temperature measurements can thus be used to monitor humidity levels of the containment atmosphere as an indicator of potential RCS LEAKAGE. A 1 F increase in dew point is well within the sensitivity. range of available instruments.
| |
| Since the humidity level is influenced by several factors, a quantitative evaluation of an indicated leakage rate by this means may be questionable and should be compared to observed increases in liquid flow into or from the containment sump .
| |
| and condensate flow from the containment air coolers.
| |
| Humidity level monitoring is considered most useful as an indirect alarm or indication to alert the operator to a potential problem. Humidity monitors are not required by this LCO.
| |
| i Air temperature and pressure monitoring methods may also be j used to infer unidentified LEAKAGE to the containment.
| |
| Containment temperature and pressure fluctuate slightly during plant operation, but a rise above the normally indicated range of values may indicate RCS LEAKAGE into i the containment. The relevance of temperature and pressure i measurements are affected by containment free volume and, ;
| |
| 3
| |
| . (O (continued) l SYSTEM 80+ B 3.4-75 Rev. 00 1 16A Tech Spec Bases l
| |
| | |
| RCS LEAKAGE Detection Instrumentation l B 3.4.14 :
| |
| Oi BASES BACKGROUND for temperature, detector location. Alarm signals from (continued) these instruments can be valuable in recognizing rapid and sizable leakage to the containment. Temperature and pressure monitors are not required by this LCO.
| |
| APPLICABLE The need to evaluate the severity of an alarm or an SAFETY ANALYSES indication is important to the operators, and the ability to compare and verify with indications from other systems is necessary. The system response times and sensitivities are described in the CESSAR-DC (Ref. 3). Multiple instrument locations are utilized, if needed, to ensure the transport delay time of the LEAKAGE from its source to an instrument location yields an acceptable overall response time.
| |
| The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring of RCS LEAKAGE into the containment area are necessary. Quickly separating the identified LEAKAGE from the unidentified LEAKAGE provides quantitative information to the operators, allowing them to take corrective action should leakage occur detrimental to the g
| |
| safety of the facility and the public.
| |
| RCS LEAKAGE detection instrumentation satisfies Criterion 1 of the NRC Policy Statement.
| |
| LCO One method of protecting against large RCS LEAKAGE derives from the ability of instruments to rapidly detect extremely small leaks. This LCO requires instruments of diverse monitoring principles to be OPERABLE to provide a high degree of confidence that extremely small leaks are detected in time to allow actions to place the plant in a safe condition when RCS LEAKAGE indicates possible RCPB degradation.
| |
| The required containment sump (containment floor drain and reactor cavity sumps) monitoring includes at least one of the two methods (flow rate or level) in each sump. In addition, required instrumentation includes at least one of the two containment radioactivity monitors (gaseous or (continued)
| |
| SYSTEM 80+ B 3.4-76 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS LEAKAGE Detection Instrumentation 8 3.4.14 73 e
| |
| C/
| |
| BASES LCO particulate) and one of the two methods (flow rate or level)
| |
| (continued) for the containment cooler condensate tank monitor.
| |
| The LC0 is satisfied when these monitors of diverse measurement means are available. Thus, the combination of containment sump monitors, radioactivity monitors, and containment cooler condensate tank monitors, provides an acceptable minimum.
| |
| APPLICABILITY Because of elevated RCS temperature and pressure in MODES 1, 2, 3, and 4, RCS LEAKAGE detection instrumentation is required to be OPERABLE.
| |
| In MODE 5 or 6, the temperature is 5 210*F and pressure is maintained low or at atmospheric pressure. Since the temperatures and pressures are far lower than those for MODES 1, 2, 3, and 4, the likelihood of leakage and crack propagation is much smaller. Therefore, the requirements p of this LC0 are not applicable in MODES 5 and 6.
| |
| C/
| |
| ACTIONS A.1 and A.2 If the containment sump monitor or containment cooler condensate tank monitor is inoperable, no other form of sampling can provide the equivalent information.
| |
| However, the containment atmosphere radioactivity monitor will provide indications of changes in leakage. Together with the atmosphere monitor, the periodic surveillance for the RCS water inventory balance, SR 3.4.12.1, must be performed within [4] hours and at an increased Frequency of 24 hours to provide information that is adequate to detect leakage.
| |
| Restoration of the monitor to OPERABLE status is required to regain the function in a Completion Time of 7 days after the monitor's failure. This time is acceptable considering the frequency and adequacy of the RCS water inventory balance required by Required Action A.I.
| |
| (~\
| |
| LJ (continued)
| |
| SYSTEM 80+ B 3.4-77 Rev 00 16A Tech Spec Bases
| |
| | |
| RCS LEAKAGE Detection Instrumentation B 3.4.14 O
| |
| BASES ACTIONS A.1 and A.2 (continued)
| |
| Required Action A.1 and Required Action A.2 are modified by a Note that indicates the provisions of LC0 3.0.4 are not applicable. As a result, a MODE change is allowed when the monitor channel is inoperable. This allowance is provided because other instrumentation is available to monitor for RCS LEAKAGE.
| |
| B.1.1. B.1.2 and B.2 With both gaseous and particulate containment atmosphere radioactivity monitoring instrumentation inoperable, alternative action is required. Either grab samples of the containment atmosphere must be taken and analyzed or water inventory balances, in accordance with SR 3.4.12.1, must be performed to provide alternate periodic information. With a sample obtained and analyzed or an inventory balance performed every 24 hours, the reactor may be operated for up to 30 days to allow restoration of at least one of the radioactivity monitors. h The 24 hour interval provides periodic information that is adequate to detect leakage. The [30 day] Completion Time recognizes at least one other form of leakage detection is available.
| |
| Required Actions B.I.1, B.I.2, and B.2 are modified by a Note that indicates that the provisions of LC0 3.0.4 are not applicable. As a result, a MODE change is allowed when the gaseous and particulate containment atmosphere radioactivity monitor channels are inoperable. This allowance is provided because other instrumentation is available to monitor for RCS LEAKAGE.
| |
| C.1 and C.2 If any Required Action of Condition A or B cannot be met within the required Completion Time, the plant must be brought to a MODE in which the LC0 does not apply. To achieve this status, the plant must be brought to at least MODE 3 within six hours and to MODE 5 within 36 hours. The (continued)
| |
| SYSTEM 80+ B 3.4-78 Rev. 00 16A Tech Spec Bases
| |
| | |
| - . _ _ _ _ _ _ . . _ . . . =._. . . . _ . .._ _ _._ _ _ _
| |
| RCS LEAKAGE Detection Instrumentation B 3.4.14- 1 O !
| |
| BASES: l ACTIONS C.1 and C.2 (continued) allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full ;
| |
| power conditions in an orderly manner and without l
| |
| ~
| |
| challenging plant systems.
| |
| IL.1 l+
| |
| If all required monitors are inoperable, no automatic means i of monitoring leakage are available, an immediate plant shutdown in accordance with LCO 3.0.3 is required. l l
| |
| a
| |
| )
| |
| SURVEILLANCE SR 3.4.14.1 REQUIRENENTS SR 3.4.14.1 requires the performance of a CHANNEL CHECK of the required containment atmosphere radioactivity monitors.
| |
| The check gives reasonable confidence the channel is O operating properly. The Frequency of (12] hours is based on instrument reliability and is reasonable for detecting off normal conditions.
| |
| SR 3.4.14.2 SR 3.4.14.2 requires the performance of a CHANNEL FUNCTIONAL TEST of the required containment atmosphere radioactivity monitors. The test ensures that the monitor can perform its function in the desired manner. The test verifies the alarm setpoint and relative accuracy of the instrument channel.
| |
| The Frequency of 31 days considers instrument reliability and operating experience has shown it proper for detecting ,
| |
| degradation. l I
| |
| O (continued) i 1
| |
| . SYSTEM 80+ B 3.4-79 Rev. 00 16A Tech Spec Bases l
| |
| .h
| |
| | |
| RCS LEAXAGE Detection Instrumentation B 3.4.14 O
| |
| BASES SURVEILLANCE SR 3.4.14.3. SR 3.4.14.4 and SR 3.4.14.5 REQUIREMENTS (continued) These SRs require the performance of a CHANNEL CALIBRATION for each of the RCS leakage detection instrumentation channels. The celibration verifies the accuracy of the instrument channel, including the instruments located inside containment. The Frequency of [18] months is a typical refueling cycle and considers channel reliability.
| |
| Operating experience has shown this Frequency is acceptable.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, Section IV, GDC 30.
| |
| : 2. Ragulatory Guide 1.45, U. S. Nuclear Regulatory Commission.
| |
| : 3. Chapter 5.
| |
| O O
| |
| SYSTEM 80+ B 3.4-80 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Specific Activity B 3.4.15 O B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.15 RCS Specific Activity BASES BACKGROUND The Code of Federal Regulations 10 CFR 100 (Ref.1) specifies the maximum dose to the whole body and thyroid an individual at the site boundary can receive for two hours during an accident. The limits on specific activity ensure-that the dose is held to a small fraction of the 10 CFR 100 limits during analyzed transients and accidents.
| |
| The design basis event that has the greatest sensitivity to RCS specific activity is the steam generator tube rupture (SGTR). Other design basis events that are sensitive to RCS specific activity are the steam line break, letdown line break, feedwater line break and RCP locked rotor. The purpose of the Reactor Coolant System (RCS) specific activity LC0 is to limit the concentration of radionuclides in the reactor coolant and the resultant offsite dose consequences of these events.
| |
| The LCO contains specific activity limits for both DOSE
| |
| ( EQUIVALENT I-131 and gross specific activity. The allowable levels are intended to limit the two hour dose at the site boundary to a small fraction of the 10 CFR 100 dose guideline limits. The limits in the LC0 are standardized based on parametric evaluations of offsite radioactivity dose consequences for typical site locations. The parametric evaluations showed that the potential offsite dose levels for a SGTR accident were an appropriately small fraction of the 10 CFR 100 guideline dose limits, assuming a broad range of site applicable atmospheric dispersion factors in a parametric evaluation. These standard limits on specific activity were also used in establishing standardization in shielding and unit personnel radiation protection practices.
| |
| APPLICABLE The LC0 limits on the specific activity of the reactor SAFETY ANALYSES coolant ensure that the resulting two hour dose at the site boundary will not exceed a small fraction of the 10 CFR 100 dose guidelines (Ref. 1) following a SGTR accident. In the safety analyses, the specific activity of the reactor V, (continued)
| |
| SYSTEM 80+ B 3.4-81 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Specific Activity B 3.4.15 O
| |
| BASES APPLICABLE coolant is assumed to be at the LC0 limit and an existing SAFETY ANALYSES reactor coolant-steam generator tube leakage rate of one (1)
| |
| (continued) gpm is assumed. In addition, for some events a pre-existing iodine spike (PIS) is assumed.
| |
| For accidents with a PIS, the RCS activity was assumed to be at 60 meiroCi/gm. The 60 microCi/gm activity is the worst case PIS assumed in the safety analyses. However, operation with iodine specific activity levels greater than the LC0 limit is permissible, provided that the activity levels do not exceed the limits of Figure 3.4.15-1 and do not exist for more than 48 hours.
| |
| When specific activity exceeds the LC0 limits due to iodine spiking but is within the limits of Figure 3.4.15-1 plant operation is considered acceptable based upon the low probability of an accident occurring during the established 48 hour time limit, together with the fact that iodine spiking of 60 microCi/gm is considered in the safety analysis.
| |
| The reactor coolant specific activity is a process variable that is an initial condition of a design basis accident that either assumes the failure of, or presents a challenge to, the integrity of a fission product barrier. As such, it satisfies the requirements of Criterion 2 of the NRC Policy Statement.
| |
| LC0 The specific iodine activity is limited to 1.0 microcurie per gram DOSE EQUIVALENT I-131 and the gross specific activity in the primary coolant is limited to_the number of microcuries per gram equal to 100 divided by E (average disintegration energy of the sum of the average beta and gamma energies of the coolant nuclides). The limit on DOSE EQUIVALENT I-131 ensures the two hour dose to an individual at the site boundary during design basis accidents will be a small fraction of the allowed thyroid dose. The limit on gross specific activity ensures the two hour whole body dose to an individual at the site boundary during design basis accidents will be a small fraction of the allowed whole body dose.
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-82 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Specific Activity B 3.4.15 q
| |
| 'v' BASES LCO The SGTR accident analysis (Ref. 2) shows that the 2 hour (continued) site boundary dose levels are within acceptable limits.
| |
| Violation of the LC0 may result in reactor coolant radioactivity levels that could, in the event of an SGTR, lead to site boundary doses that exceed the 10 CFR 100 dose guide-line.
| |
| APPLICABILITY In MODES 1, 2, and MODE 3, with RCS average temperature 3 500*F operation within the LC0 limits for DOSE EQUIVALENT I-131 and gross specific activity are necessary to contain the potential consequences of a SGTR to within the acceptable site boundary dose values. For operation in MODE 3 with RCS average temperature <500*F, and in MODES 4, 5, and 6, the probability of a steam, feedwater or letdown line break is small due to the low primary and secondary pressures and the release of radioactivity in the event of a SGTR is prevented since the saturation pressure of the reactor N. coolant is below the lift pressure settings of the main (Q steam safety valves. In all applicable MODES, with the LC0 limits exceeded, an isotopic analysis for iodine i
| |
| concentration is appropriate to monitor the activity level I while actions are being taken to reduce the specific activity level. j ACTIONS A.1 and A.2 I With the DOSE EQUIVALENT I-131 greater than the LCO limit of l 1.0 meiroCi/gm, frequent samples at intervals not to exceed four hours are to be taken to demonstrate that the limits of Figure 3.4.15-1 are not exceeded. The completion Time of four hours is reasonable based on the typical time to obtain, transport, and analyze a sample. Sampling is to continue to provide a trend. If the limit violation resulted from nominal iodine spiking, then the DOSE EQUIVALENT I-131 should be restored to nominal within 48 hours.
| |
| l l
| |
| p l V (continued)
| |
| SYSTEM 80+ B 3.4-83 Rev. 00 16A Tech Spec Bases l
| |
| | |
| RCS Specific Activity B 3.4.15 O
| |
| BASES ACTIONS Ed (continued)
| |
| If a Required Action and associated Completion Time of Condition A are not met, or if the DOSE EQUIVALENT I-131 is in the unacceptable region of Figure 3.4.15-1, an abnormal condition is indicated and the reactor must be placed in MODE 3 with RCS average temperature < 500 F within 6 hours.
| |
| The Completion Time of 6 hours is based on engineering judgment and is considered a reasonable time to get to MODE 3 below 500'F from full power without challenging plant systems.
| |
| C.1 and C.2 With the gross specific activity in excess of the allowed limit, an analysis must be performed within four hours to determine DOSE EQUIVALENT I-131. The Completion Time of four hours is reasonable based on the typical time to obtain, transport, and analyze a sample. The change within 6 hours to MODE 3 and RCS average temperature < 500 F lowers the saturation pressure for the reactor coolant below the setpoints of the main steam safety valves. This action prevents venting of the steam generator to the environment in the event of a SGTR. The Completion Time of six hours is reasonable based on operating experience to reach MODE 3 l below 500 F from full power without challenging plant systems.
| |
| SURVEILLANCE SR 3.4.15.1 I REQUIREMENTS The Surveillance is performed at least once per 7 days to monitor the gamma isotopic analysis of the reactor coolant.
| |
| It basically is a quantitative measurement of radionuclides with half lives > 15 minutes, excluding radioiodines. This measurement considers the sum of the degassed gamma activity and the total of the identified gaseous activities in the sample taken. This Surveillance provides an indication of any increase in gross specific activity of the reactor coolant. Monitoring of the results of this Surveillance i allows for proper remedial actions to be taken prior to !
| |
| reaching the LCO limits under normal operating conditions.
| |
| I (continued) l SYSTEM 80+ B 3.4-84 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Specific Activity B 3.4.15 c
| |
| '(
| |
| BASES SURVEILLANCE SR 3.4.15.1 (continued)
| |
| REQUIREMENTS
| |
| 'This Surveillance is applicable in MODES 1, 2, and in MODE 3 with RCS average temperature at least 500 F. The Frequency of 7 days considers the unlikelihood of a gross fuel failure during the time.
| |
| SR 3.4.15.2 This Surveillance is performed to ensure iodine levels remain within limits during normal operation and following fast power changes when fuel failure is more apt to occur.
| |
| The 14 day Frequency is adequate to trend changes in the activity level considering that gross activity is monitored every 7 days. The Frequency between two and six hours following a power change z 15% RTP within a one hour period is established because iodine spikes during this time following fuel failure. Samples at other times would provide inaccurate results.
| |
| O'O SR 3.4.15.3 A radiochemical analysis for I determination is required to be performed every 184 days (six months) with the plant operating in MODE _1 with equilibrium conditions. These requirements for E determination directly relate to the LC0 and are required to verify plant operation within the specified gross activity LC0 limit. The radiochemical analysis for E is a measurement of the average energies per disintegration of isotopes with half lives > 15 minutes, excluding lodiges. The Frequency of 184 days is based on the fact that E does not change rapidly during operation.
| |
| The Frequency of 184 days recognizes E does nut change rapidly.
| |
| This SR has been modified by a Note that indicates sampling is required to be performed within 31 days after 2 effective full power days and 20 days of MODE 1 operation have elapsed since the reactor was last subcritical for at least 48 hours. This ensures the radioactive materials are at equilibrium so the analysis for E is representative and not skewed by a crud burst or other similar aonormal event.
| |
| -f)
| |
| %J (continued)
| |
| SYSTEM 80+ B 3.4-85 Rev. 00 16A Tech Spec Bases k
| |
| | |
| RCS Specific Activity B 3.4.15 O
| |
| BASES (continued)
| |
| REFERENCES 1. 10 CFR 100, " Determination of Exclusion Area, Low Population Zone, and Population Center Distance,"
| |
| USHRC, 1973.
| |
| : 2. Chapter 15.
| |
| O O
| |
| SYSTEM 80+ B 3.4-86 '#'
| |
| 16A Tech Spec Basos I
| |
| | |
| r RCS Loops - Test Exceptions B 3.4.16 (q
| |
| d B 3.4 REACTOR COOLANT SYSTEMS (RCS) i B 3.4.16 RCS Loops - Test Exceptions BASES P
| |
| BACKGROUND This special test exception to LCO 3.4.4, "RCS Loops-MODES 1 and 2," and LCO 3.3.1, " Reactor Protection System '
| |
| (RPS) Instrumentation-Operating," permits reactor criticality under no flow conditions during PHYSICS TESTS (natural circulation demonstration, station blackout, and loss of offsite power) while at low THERMAL POWER levels.
| |
| Section XI of 10 CFR Part 50, Appendix B (Ref.1), requires that a test program be established to ensure that structures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that the specified design conditions are not exceeded during normal operation and anticipated operational occurrences must be tested. Thii testing is an integral '
| |
| part of the design, construction, and operation of the power plant as specified in 10 CFR 50, Appendix A, GDC 1 (Ref. 2).
| |
| The key objectives of a test program are to provide ;
| |
| j assurance that the facility has been adequately designed to validate the analytical models used in the design and analysis, to verify the assumptions used to predict plant response, to provide assurance that installation of equipment at the facility has been accomplished in accordance with the design, and to verify that the operating :
| |
| and emergency procedures are adequate. Testing is performed prior to initial criticality, during startup, and following low power operations.
| |
| The tests will include verifying the ability to establish and maintain natural circulation following a plant trip between 10% and 20% RTP, performing natural circulation cooldown on emergency power, and during the cooldown, showing that adequate boron mixing occurs and that pressure can be controlled using auxiliary spray and pressurizer heaters powered from the emergency power sources.
| |
| APPLICABLE RCS loops-test exceptions do not satisfy any Criterion ir.
| |
| SAFETY ANALYSES the NRC Policy Statemert, but are included as they suppor'c other LCOs that meet a Criterion for inclusion.
| |
| = - - .
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-87 Rev. 00 16A Tech Spec Bases
| |
| | |
| RCS Loops - Test Exceptions ;
| |
| B 3.4.16 O
| |
| BASES (continued)
| |
| LC0 The LC0 is provided to allow for the performance of PHYSICS TESTS in MODE 2 (after refueling), where the core cooling requirements are significantly different than after the core has been operating. Without the LCO, plant operations would be held bound to the normal operating LCOs for reactor coolant loops and circulation (MODES 1 and 2), a minimum temperature for criticalities, and minimum pressure, temperature air flow limits. Hence, the appropriate physics tests could not be performed.
| |
| In MODE 2, where core power level is considerably lower and the associated PHYSICS TESTS must be performed, operation is allowed under low flow conditions provided THERMAL POWER is
| |
| < 5% RTP and the reactor trip setpoints of the OPERABLE power level channels are set s 20% RTP. Both RCS loops and at least one reactor coolant pump in each loop are in operation. The RCS pressure temperature relationship is maintained within the acceptable region of operation required by Figure 3.4.3-1A except that the core critical line shown in the figure does not apply. These limits ensure no Safety Limits or fuel design limits will be violated.
| |
| The exemption is allowed even though there are no bounding safety analyses. These tests are allowed since they are performed under close supervision during the test program and provide valuable information on the plant's capability to cool down without offsite power available to the reactor coolant pumps.
| |
| APPLICABILITY This LC0 ensures that the plant will not be operated in MODE 1 without forced circulation. It only allows testing under these conditions while in MODE 2. This testing establishes that heat input from nuclear heat does not exceed the natural circulation heat removal capabilities. Therefore, no safety or fuel design limits will be violated as a result of the associated tests.
| |
| O (continued)
| |
| SYSTEM 80+ B 3.4-88 Rev. 00 16A Tech Spec Bases
| |
| | |
| l 1
| |
| RCS Loops - Test Exceptions B 3.4.16
| |
| ~
| |
| I %
| |
| j e .
| |
| r I. BASES (continued)-
| |
| . a l
| |
| ~
| |
| ACTIONS- Al If THERMAL POWER-increases to > 5% RTP-or the required :
| |
| ; number of RCS loops and RCPs not in operation, the reactor must be tripped.immediately. This ensures the plant is not
| |
| - placed in an unanalyzed condition, and prevents exceeding- ,
| |
| the specified acceptable fuel design limits. l
| |
| ~
| |
| . SURVEILLANCE SR 3.4.16.1 REQUIREMENTS-
| |
| - THERMAL-POWER must be verified to be within limits once per r hour to ensure that the fuel design criteria are not i violated during the performance of the PHYSICS TESTS. The hourly Frequency has been shown by operating practice to be ,
| |
| sufficient to regularly assess conditions for potential :
| |
| degradation and verify operation is within the LC0 limits.
| |
| Plant operations are conducted slowly during the performance l of PHYSICS TESTS, and monitoring the power level once per .
| |
| hour is sufficient to ensure that the power level does not !
| |
| exceed the limit.
| |
| . SR 3.4.16.2 y Within 12 hours of initiating startup or PHYSICS TESTS, a i CHANNEL FUNCTIONAL TEST must be performed on each ,
| |
| logarithmic power level and linear power level neutron flux l monitoring channel _to verify OPERABILITY and adjust _l setpoints to proper values. This will ensure that the !
| |
| Reactor Protection System is properly aligned to provide i
| |
| the required degree of core protection during startup or the j performance of the PHYSICS TESTS. The interval is adequate .
| |
| to ensure that the appropriate-equipment is OPERABLE prior ;
| |
| to the tests.to aid the monitoring and protection of the i plant during these tests. l REFERENCES 1. 10 CFR 50, Appendix B, Section XI.
| |
| -2.. 10 CFR 50, Appendix A, GDC 1, 1988. j 1
| |
| 'O l l
| |
| l
| |
| ^ SYSTEM 80+ . B 3.4-89' Rev. 00 16A' Tech-Spec Bases ;
| |
| | |
| Reactor Coolant Gas Vent System B 3.4.17 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.17 Reactor Coolant Gas Vent System BASES BACKGROUND The function of the Reactor Coolant Gas Vent System (RCGVS) it to provide a safety grade means of venting non-condensible gases and steam from the pressurizer and the reactor vessel upper head. The RCGVS is designed to be used during all design bases events for RCS pressure control purposes when main spray and auxiliary spray systems are unavailable. The operability of at least one RCGVS path from the pressurizer and at least one RCGVS path from the reactor vessel head to the RDT or the IWRST ensures that this function can be performed.
| |
| The RCGVS is a manually operated safety grade system. It removes non-condensible gases or steam from the pressurizer and the reactor vessel through vent lines to the RDT/IRWST .
| |
| Each vent line has two pairs of parallel isolation valves which are closed during normal operation. During shutdown or transient conditions, if the operator determines that non-condensible gases have collected in the pressurizer or in the reactor vessel upper head, the operator follows the g
| |
| operating procedures to vent the gases by manually opening the RCGVS valves from the main control room. The RCGVS will have the capability to be manually actuated, monitored, and controlled from the control room as required by GDC 19.
| |
| The two isolation valves in each parallel path are normally powered off of the 125VDC buses. Emergency power is provided to the valves by batteries. A Failure Modes and Effect Analysis (FMEA) (Ref.1) demonstrates that the RCGVS will maintain a vent path after a single failure of any single valve or its power source. This demonstration satisfies the requirements of GDC 17 and GDC 34.
| |
| APPLICABLE The RCGVS provides a safety grade method of RCS SAFETY ANALYSES depressurization that is credited during natural circulation l and during steam generator tube rupture events. The (
| |
| operator uses the SI system, the pressurizer backup heaters, i and the RCGVS to control RCS inventory and subcooling.
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-90 Rev. 00 16A Tech Spec Bases
| |
| | |
| Reactor Coolant Gas Vent System ;
| |
| B 3.4.17 O
| |
| V BASES APPLICABLE The pressurizer vent line is 1-1/2 inch nominal diameter to SAFETY ANALYSES meet the requirement to vent one-half the RCS volume in one (continued) hour. The reactor vessel vent line is a three-quarter inch line which expands to one inch through the valving. This provides adequate venting to remove steam and non-condensible gases from the reactor vessel head. ,
| |
| The RCGVS satisfies criterion 3 of the NRC Policy Statement.
| |
| LC0 The LCO requires the RCGVS to be OPERABLE for all design basis events. The RCGVS is OPERABLE when a vent path can be established from the pressurizer steam space and from the reactor vessel head to the RDT or IRWST.
| |
| APPLICABILITY In MODES 1, 2, 3, and 4, the [two) vent paths are required !
| |
| to be OPERABLE. The RCGVS is primarily used for natural l circulation and for tube rupture events; however, it must be l "I available for all design basis events.
| |
| ACTIONS A.I. A.2.1. and A.2.2 With inoperable components, such that one required vent path )
| |
| from the reactor vessel upper head to the RDT or the IRWST is inoperable, the required vant path must be returned to i OPERABLE status within 72 hours. If the required vent path I from the reactor vessel to the RDT/IRWST cannot be made OPERABLE within 72 hours, then the plant must be in MODE 3 within an additional 6 hours, and then in MODE 5 within an additional 36 hours.
| |
| Based on the frequency of accidents for which this system is ;
| |
| ~
| |
| credited to help mitigate, 72 hours is a reasonable and conservative time limit. This value reflects an adequate time allotted for return of redundant safety grade systems :'
| |
| to OPERABLE status.
| |
| (continued)
| |
| SYSTEM 80+' B 3.4-91 Rev. 00 16A Tech Spec Bases
| |
| | |
| Reactor Coolant Gas Vent System B 3.4.17 O
| |
| BASES ACTIONS B.l. B.2.1. and B.2.2 (continued)
| |
| With inoperable components, such that one required vent path from the pressurizer steam space to the RDT/IRWST is inoperable, the required vent path must be returned to OPERABLE status within 72 hours. If the required vent path from the pressurizer steam space to the RDT cannot be made OPERABLE within 72 hours, then the plant must be in MODE 3 within an additional 6 hours, and then in MODE 5 within an additional 36 hours.
| |
| C.l. C.2.1. and C.2.2 With components inoperable, such that two required vent paths from either location are inoperable, at least one of the RCGVS vent paths must be returned to OPERABLE status within 6 hours. If at least one RCGVS vent path cannot be made OPERABLE within 6 hours, then the plant must be in MODE 3 within an additional G hours, and then in MODE 5 within an additional 36 houre..
| |
| O SURVEILLANCE SR 3.4.1.17.1 REQUIREMENTS There is one locally operated manual valve in the RCGVS; it is in the vent path from the reactor vessel upper head. It is necessary to verify that this valve is locked open to ensure that a vent path can be established from the reactor vessel upper head to the RDT. The 18 month Frequency is based on accessibility during the refueling cycle.
| |
| SR 3.4.17.2 Cycling each vent valve through at least one complete cycle verifies the RCGVS valves will function when necessary. The frequency of 18 months is based on a typical refueling cycle and is an industry accepted practice.
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-92 Rev. 00 16A Tech Spec Bases
| |
| | |
| e i
| |
| Reactor Coolant Gas Vent System .
| |
| - B 3.4.17 BASES ,
| |
| SURVEILLANCE SR 3.4.17.3 r
| |
| REQUIREMENTS (continued) Verifying that the pressure instrument root valves are open i ensures that line pressure between can be monitored. The 18 month Frequency is based on accessibility during the refueling cycle.
| |
| i 4
| |
| SR 3.4.17.4 Verification of correct breaker alignment and valve position indications ensures that valves can be operated when required and valve position can be monitored. The Frequency :
| |
| of seven days has been shown to be acceptable by operating experience.
| |
| REFERENCES 1. Chapter 6.
| |
| ~
| |
| )'
| |
| l i
| |
| r SYSTEM 80+ B 3.4 Rev. 00 ,
| |
| 16A Tech Spec Bases l r
| |
| | |
| Rapid Depressurization Function B 3.4 REACTOR COOLANT SYSTEM B 3.4.18 Rapid Depressurization Function BASES BACKGROUND The Rapid Depressurization Function (RDF) of the Safety Depressurization System (SDS) is designed as a manually operated system that removes steam or water from the pressurizer through two isolation valves in each of two parallel depressurization lines to the Incontainment Refueling Water Storage Tank. The RDF is designed to mitigate the consequences of a beyond-design-basis event such as a total loss of normal and emergency feedwater (TLOFW).
| |
| The RDF valves are closed during normal operation. These valves are motor operated and fail in the "as is" position.
| |
| The emergency power DC busses supply electrical power to the motor operators. A Failure Modes and Effects Analysis (FMEA) (Ref.1) demonstrates that an RDF bleed path can be established in the event of a single failure of the valves or an electrical fault. The RDF will have the capability to be manually actuated, monitored, and controlled from the control room, as required by GDC 19.
| |
| The RDF also performs an important function in mitigating a severe accident. During a core melt, the system would allow ,
| |
| the RCS to be depressurized and reduce the possibility of a i challenge to the containment, such as from direct containment heating.
| |
| APPLICABLE The event for determining the size or the RDF bleed valves !
| |
| SAFETY ANALYSES is a TLOFW event. The analysis was performed using a '
| |
| realistic version of the CEFLASH-4AS code with assumed best estimate decay heat values. Use of the realistic version of ,
| |
| the CEFLASH-4AS code is acceptable because the RDF is !
| |
| designed to mitigate accidents beyond the design basis. ;
| |
| Inlet and outlet flows were evaluated. In the accident scenario; it is assumed that the initial RCS power and I secondary steam are generated at the rated output. The l primary and secondary valves open at lift pressures of 2500 !
| |
| psia and 1200 psia, respectively, and the RCS pumps trip 10 l minutes after the event is initiated. j I
| |
| (continued) l SYSTEM 80+ B 3.4-94 Rev. 00 16A Tech Spec Bases
| |
| | |
| Rapid Depressurization Function B 3.4.18 ;
| |
| BASES ,
| |
| APPLICABLE Two cases were analyzed: (1) a TLOFW event with one RDF SAFETY ANALYSES bleed path open, two SI pumps operable, and immediate ;
| |
| (continued) operator action to open the RDF bleed path after the primary safety valves (PSVs) open, and (2) a TLOFW event with both RDF bleed paths operable, four SI pumps operable, and an operator delay to open the RDF paths after the PSVs open. '
| |
| The analysis shows that case 2 is the worst case, which requires larger RDF bleed valves, each sized to meet the acceptance criteria.
| |
| The RDS satisfies Criterion 3 of the NRC Policy Statement.
| |
| LC0 The LC0 requires the RDF to be OPERABLE. Both vent paths
| |
| - shall be closed for all design basis events. The RDF is OPERABLE when a vent path can be established form the pressurizer to the IRWST.
| |
| APPLICABILITY In MODES 1, 2, 3, and 4, at least one vent path is required i to be operable, and both vent paths closed. The RDF is for ]
| |
| use in beyond-design-bases events such as a TLOFW, and for l mitigating severe accidents such as a core melt. 1 i
| |
| f ACTIONS A.1. A. 2.W J With inoperable components, such that both vent paths are l inoperable, one of the two vent paths must be returned to OPERABLE status within 72 hours. If at least one RDF vent path cannot be made OPERABLE within 72 hours, then the plant must be in MODE 3 within an additional 6 hours, and then in i N0DE 5 within an additional 36 hours. The 72 hour Completion Time is based on the extremely low probability of ,
| |
| the beyond-design-basis event (TLOFW) that the RDF is I
| |
| designed for and reflects an adequate time allotted for return of redundant safety grade systems to OPERABLE status.
| |
| O w/
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-95 Rev. 00 16A Tech Spec Bases
| |
| | |
| Rapid Depressurization Function B 3.4.18 O'
| |
| BASES (continued)
| |
| SURVEILLANCE SR 3.4.18.1 REQUIREMENTS Verifying that the pressure instrument root valves are open ensures that line pressure between the globe and gate valves can be monitored. The [18 month] Frequency is based on accessibility during the refueling cycle.
| |
| SR 3.4.18.2 Cycling each vent valve through at least one complete cycle verifies the RDF valves will function when necessary. The Frequency of (18 months] is based on a typical refueling cycle and is an industry accepted practice.
| |
| SR 3.4.18.3 Periodic verification of the correct valve position indication in the control room for all RDF valves ensures that the valves are properly aligned and that the position indicators are functioning properly. A Frequency of [12]
| |
| hours is accepted by industry practice, and has been shown to be acceptable by operating experience.
| |
| SR 3.4.18.4 Verification of correct breaker alignment and power availability to the valve indicators ensures that valves can be operated when required, and valve position can be monitored. The Frequency of seven days is accepted industry practice, and has been shown to be acceptable by operating experience.
| |
| REFERENCES 1. Chapter 6.
| |
| O SYSTEM 80+ B 3.4-96 Rev. 00 16A Tech Spec Bates
| |
| | |
| l Vent Paths - REDUCED RCS INVENTORY Operations B 3.4.19 in)
| |
| 'd' B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.19 Vent Paths - REDUCED RCS INVENTORY Operations BASES BACKGROUND The requirement for a sufficient RCS vent path to be established during REDUCED RCS INVENTORY operations prevents the pressurization of the RCS which would be anticipated upon inadequate Decay Heat Removal (DHR) capability. This pressurization of the RCS could lead to SG nozzle dam failure and a potential loss of reactor coolant.
| |
| When the [ pressurizer manway] is opened to the containment atmosphere, it provides sufficient venting capacity to prevent core uncovery due solely to pressurization of the ;
| |
| hot side resulting from boiling in the core coolant.
| |
| 1 APPLICABLE During REDUCED RCS INVENTORY operations analyses were l SAFETY ANALYSES performed, Reference 1, and have indicated that with the n [ pressurizer manway) opened and relieving to the pressurizer
| |
| (, )~
| |
| cubicle, RCS boiling at REDUCED RCS INVENTORY conditions will not cause a pressurization of the RCS that would exceed the SG nozzie dam design pressure of 40 psig.
| |
| The RCS vent paths satisfy Criterion 2 of the NRC Policy Statement.
| |
| LC0 The LC0 requires that during REDUCED RCS INVENTORY operations a vent path of a [ pressurizer manway] removal is established and maintained prior to and during REDUCED RCS INVENTORY conditions.
| |
| APPLICABILITY This LCO is applicable in MODE 5 with REDUCED RCS INVENTORY and MODE 6 with REDUCED RCS INVENTORY with the reactor vessel head in place and at least one reactor vessel stud tensioned.
| |
| When the reactor vessel head is removed, a sufficient vent path is established to prevent pressurization of the RCS and therefore does not apply during this condition.
| |
| (.
| |
| /
| |
| (continued)
| |
| SYSTEM 80+ B 3.4-97 Rev. 00 16A Tech Spec Bases
| |
| | |
| 1 Vent Paths - REDUCED RCS INVENTORY Operations B 3.4.19 O
| |
| BASES (continued)
| |
| ACTIONS A.1. A.2 and A.3 Immediate action shall take place to restore the RCS vent path used for reduced inventory operations should it be discovered to be inoperable / isolated.
| |
| During the period of time that the vent path is inoperable, reactor coolant monitoring instrumentation such as RCS temperature, RCS level and SCS performance shall be monitored [ hourly] by the control room operator in order to detect a trend leading to the loss of DHR.
| |
| A time of [6 hours] is provided to allow for vent path restoration. The vent path could remain closed indefinitely as long as the SCS is operating. The vent path will normally be provided by removing the pressurizer manway. If the manway is not removed prior to entry into REDUCED RCS INVENTORY some time period will be required to remove the manway. This will require access to the manway area by maintenance personnel. Therefore, the [6 hours] is a reasonable time period. [The actual time required to remove the pressurizer manway is plant specific; the COL applicant will develop plant specific procedures for manway removal.]
| |
| h IL.1 Immediate action shall be taken to restore the RCS level to a level > reduced inventory elevation of (117'-0"] should any of the Required Actions or Completion Times can not be met.
| |
| Initiating immediate action to restore the level emphasizes the importance of ensuring decay heat removal capability is not jeopardized.
| |
| SURVEILLANCE SR 3.4.19.1 REQUIREMENTS Once the vent path is initially established it shall be verified established and unobstructed once per [12 hours] by operating personnel. This frequency is considered a reasonable time interval for operating personnel to perform this verification.
| |
| (continued)
| |
| O SYSTEM 80+ B 3.4-98 Rev. 00 16A Tech Spec Bases
| |
| | |
| Vent Paths - REDUCED RCS INVENTORY Operations B 3.4.19 p
| |
| b l BASES (centinued) l REFERENCES 1. Appendix 19.8A, Shutdown Risk Evaluation.
| |
| l t
| |
| I 1
| |
| i g
| |
| SYSTEM 80+ B 3.4-99 Rev. 00 16A Tech Spec Bases
| |
| | |
| - - - - . - . - . - . , - . . . - - . _ . - . . ~ . - .- .-. . - - - . - - - -
| |
| l I
| |
| SITS ]
| |
| B 3.5.1 :l 1
| |
| B.3.5 EMERGENCY CORE COOLING. SYSTEM (ECCS) j B 3.5.1 Safety-Injection Tanks (SITS)'
| |
| l.
| |
| BASES- l 1, l
| |
| : BACKGROUND The functions of the four Safety Injection Tanks.(SITS) are i
| |
| : to supply water to the reactor vessel during the blowdown phase of. a Loss of Coolant Accident (LOCA), to provide
| |
| : inventory to help accomplish the refill phase that follows
| |
| ;- thereafter, and to provide Reactor Coolant' System (RCS) makeup for a small break LOCA.
| |
| i t
| |
| The blowdown phase of a large break LOCA is the initial-
| |
| ,- period of the transient during which the RCS departs from 1
| |
| , equilibrium conditions, and heat from fission product decay, ;
| |
| i hot internals, and the vessel continues to be transferred to i the reactor coolant. The blowdown phase of the transient !
| |
| ends when the RCS pressure. falls to a value approaching that )
| |
| of the containment atmosphere. j
| |
| \-
| |
| l The refill phase of a LOCA follows immediately where reactor coolant inventory has vacated the core through steam O
| |
| flashing and ejection out through the break. The core is essentially in adiabatic heatup. The balance of the SITS inventory is then available to help fill voids in the lower a plenum and reactor vessel downconer to establish a recovery level at the bottom of the core and ongoing reflood of the core with the addition of safety injection (SI) water.
| |
| The SITS are pressure vessels partially filled with borated water and pressurized with nitrogen gas. The SITS are passive components, since no operator or control action is required for them to perform their function. Internal tank
| |
| - pressure and gravity are sufficient to discharge the contents to the'RCS, if RCS pressure decreases below the SIT pressure.
| |
| Each SIT discharges its water volume directly to the reactor j vessel downcomer via a direct vessel injection (DVI) nozzle, ;
| |
| also utilized by the Safety Injection System. Each SIT is j isolated from the RCS by a motor operated isolation valve and two check valves in series. The motor operated isolation valves are normally open with power removed from-the valve motor'to prevent inadvertent closure prior to, or during an accident. Additionally, the isolation valves are (continued) l SYSTEM'80+ B 3.5-1 Rev. 00 l'
| |
| '16A' Tech Spec Bases I
| |
| | |
| l 1
| |
| I SITS B 3.5.1 0'
| |
| l BASES (continued)
| |
| BACKGROUND interlocked with the pressurizer pressure instrumentation (continued) channels to ensure the valves will automatically open as RCS pressure is increased above SIT pressure and to prevent inadvertent closure prior to an accident. The valves also receive a Safety Injection Actuation Signal (SIAS) to open.
| |
| These features ensure the valves meet the raquirements of IEEE Std 279-1971 (Ref. 1) for " operating bypasses" and that the SITS will be available for injection withoet reliance on operator action.
| |
| The SIT gas and water volumes, gas pressure, and outlet pipe size are selected to allow three of the four SITS to partially recover the core before significant clad melting or zirconium-water reaction can occur following a LOCA. The need to ensure that three SITS are adequate for this function is consistent with LOCA analysis assumption that the entire contents of one SIT will be lost via the break during the blowdown phase of a LOCA.
| |
| l The SITS are taken credit for in both the large and small i APPLICABLE break LOCA analysis at full power (Ref. 3). These are the '
| |
| SAFETY ANALYSES Design Basis Accidents (DBAs) that establish the acceptance l limits for the SITS. Reference to the analyses for these DBAs is used to assess changes to the SITS as they relate to the acceptance limits.
| |
| In performing the LOCA calculations, conservative ,
| |
| assumptions are made concerning the availability of safety injection flow. These assumptions include signal generation time, equipment starting times, and delivery time due to system piping. In the early stages of a LOCA with a loss of offsite power, the SITS provide the sole source of makeup water to the RCS. (The assumption of a loss of offsite power is required by regulations). This is because the safety injection pumps cannot deliver flow until the diesel generators (DGs) start, come to rated speed, and go through their timed loading sequence. In cold leg breaks, the entire contents of one SIT are assumed to be lost through ,
| |
| the break during blowdown, even through the SITS discharge ;
| |
| their contents directly to vessel downcomer via the direct I vessel injection nozzle. !
| |
| The limiting large break LOCA is a double ended guillotine cold leg break at the discharge of the reactor coolant pump. !
| |
| (continued)
| |
| SYSTEM 80+ B 3.5-2 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| SITS B 3.5.1 tt l
| |
| BASES (continued) l APPLICABLE -During this event the SITS discharge to the RCS as soon as SAFETY ANALYSES RCS pressure decreases below SIT pressure. As a (continued) consarvative estimate in the calculation of the reflood portion of the accident, no credit is taken for safety injection pump flow until the SITS empty. This results in a minimum effective delay of over [60] seconds during which the SITS must provide the core cooling function. The actual delay time does not exceed [40] seconds. No operator action is assumed during the blowdown stage of a large break LOCA.
| |
| The worst case small break LOCA assumes a time delay of
| |
| [140] seconds before pumped flow reaches the core. For the larger range of small breaks, the rate of blowdown is such that the increase in fuel clad temperature is terminated solely by the SITS, with pumped flow then providing continued cooling. As break size continues to decrease, the SITS and an SI pump both play a part in terminating the rise in clad temperature. As break size decreases the role of the SITS decreases until they are not required and the SI pumps become solely responsible for terminating the temperature increase.
| |
| Q O This LCO helps to ensure that the following acceptance criteria, established by 10 CFR 50.46 (Ref. 2) for Emergency Core Cooling Systems (ECCS), will be met following a LOCA:
| |
| : a. Maximum fuel element cladding temperature of 5 2200 F.
| |
| : 5. Maximum cladding oxidation of 5 0.17 times the total cladding thickness before oxidation.
| |
| : c. Maximum hydrogen generation from a zirconium-water reaction of s 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react; and
| |
| : d. The core is maintained in a coolable geometry.
| |
| Since the SITS discharge during the blowdown phase of a LOCA, they do not contribute to the long term requirements of 10 CFR 50.46.
| |
| Since the SITS are passive components, single active failures are not applicable to their operation. The SIT (continued)
| |
| SYSTEM 80+ B 3.5-3 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| SITS B 3.5.1 O
| |
| l BASES (continued)
| |
| APPLICABLE isolation valves, however, are not single failure proof; SAFETY ANALYSES therefore, whenever the valves are open, power is removed (continued) from their operators and the switch is key locked open.
| |
| These precautions ensure that the SITS are available during an accident (Ref. 4). With power supplied to the valves a single active failure could result in a valve closure, which would render one SIT unavailable for injection. If a second SIT is lost through a DVI break only two SITS would reach the core. Since the only active failure which could affect the SITS would be the closure of a motor-operated outlet valve, the requirement to remove power from these eliminates this failure mode.
| |
| The minimum volume requirement for the SITS ensures that three SITS can provide adequate inventory to reflood the core and downcomer following a LOCA. The downcomer then remains flooded until the Safety Injection Pumps start to deliver flow.
| |
| The maximum volume limit is based upon maintaining an adequate gas volume to ensure proper injection and the ability of the SITS to fully discharge, as well as li . ting the maximum amount of boron inventory in the SITS.
| |
| A minimum of [*] narrow range level corresponding to [I600]
| |
| cubic feet of borated water, and a maximum of [*] narrow range level corresponding to [1927] cubic feet of borated water, are used in the safety analyses as the volume in the SITS. To allow for instrument accuracy, [*] narrow range (corresponding to [I625] cubic feet) and [*] narrow range (corresponding to [1902] cubic feet), are specified. The analyses are based upon the cubic feet requirements; the percentage figures are provided for operator use because the level indication provided in the control room is in percentages, not in cubic feet.
| |
| The minimum nitrogen cover pressure requirement ensures that the contained gas volume will generate discharge flow rates during injection which are consistent with those assumed in the safety analyses.
| |
| * Values to be determined by system detail design.
| |
| (continued)
| |
| SYSTEM 80+ B 3.5-4 Rev. 00 16A Tech Spec Bases (2/95) .
| |
| | |
| I SITS ;
| |
| B 3.5.1 :
| |
| O l i
| |
| .8ASES (continued) '
| |
| APFLICABLE The maximum nitrogen cover pressure limit ensures that l SAFETY ANALYSES excessive amounts of gas will not be injected into the RCS l 1 (continued) after the SITS have emptied. l
| |
| 'A minimum pressure of [570] psig and a maximum pressure of j
| |
| [632] psig are used in the analyses. To allow for i instrument accuracy, a (575] psig minimum and [627] psig l i
| |
| maximum are specified. The maximum allowable boron ;
| |
| concentration of [4400] ppe in the SITS is based upon boron
| |
| : precipitation limits in the core following' a LOCA. i j
| |
| Establishing a maximum limit for boron is necessary since i
| |
| the time at which boron precipitation would occur in the ,
| |
| core following a LOCA is a function of break location, break i size, the amount of boron injected into the core and the point of ECCS injection. Post-LOCA emergency procedures ,
| |
| directing the operator to establish simultaneous hot leg and i DVI nozzle injection are based upon the worst case minimum l
| |
| ' boron precipitation time. Maintaining the maximum SIT boron j
| |
| concentration within the upper limit ensures the SITS do not invalidate this calculation. An excessive boron concentration in any of the berated water nurces used for injection during a LOCA could result in boron precipitation earlier than predicted.
| |
| " The minimum boron requirements of [4000] ppm are based on i beginning of life reactivity values and are selected to ensure the reactor will remain subcritical during the i reflood stage of a large break LOCA. During a large break l LOCA all control element assemblies (CEAs) are assumed not ,
| |
| ; to insert into the core and the initial reactor shutdown is !
| |
| : accomplished by void formation during blowdown. Sufficient i boron concentration must be maintained in the SITS to prevent a return to criticality during reflood. Although this requirement is similar to the basis for the minimum boron concentration of the In-Containment Refueling Water Storage Tank (IRWST) the minimum SIT concentration is lower than the IRWST since the SITS need not account for dilution i by the RCS. l
| |
| ) '
| |
| The SITS satisfy Criterion 3 of the NRC Policy Statement.
| |
| 1
| |
| -LCO The LCO establishes the minimum conditions required to ensure the SITS are available to accomplish their core ;
| |
| i O- (continued)
| |
| SYSTEM 80+ B 3.5-5 Rev. 00 16A Tech Spec Bases (2/95) i
| |
| | |
| l l
| |
| SITS B 3.5.1 l BASES (continued)
| |
| LCO cooling safety function following a LOCA. [Four] SITS are l (continued) required OPERABLE to ensure 100% of the contents of [three]
| |
| of the SITS will reach the core during a LOCA.
| |
| This is consistent with the assumption that the contents of one tank spill through the break for a DVI line break. If the contents of fewer than three tanks are injected during the blowdown phase of a LOCA, the ECCS acceptance criteria of 10 CFR 50.46 (Ref. 2) could be violated.
| |
| For a SIT to be considered OPERABLE, the isolation valve must be fully open with power removed and the limits established in the SR for contained volume, boron concentration and nitrogen cover pressure must be met.
| |
| APPLICABILITY In MODES 1 and 2, and MODES 3 and 4 with RCS pressure h
| |
| [900] psia the SIT OPERABILITY requirements are based on an assumption of full power operation. Although cooling requirements decrease as power decreases the SITS are still required to provide core cooling as long as elevated RCS pressures and temperatures exist.
| |
| This LCO is only applicable at pressures 2 [900] psia.
| |
| Below [900] psia, the rate of RCS blowdown is such that the SI Pumps can provide adequate injection to ensure that peak clad temperature remains below the 10 CFR 50.46 (Ref. 2) limit of 2200'F.
| |
| In MODE 3 and 4 with pressure < [900] psia and in MODES 5 and 6, the SIT motor-operated isolation valves are closed to isolate the SITS from the RCS. This allows RCS cooldown and depressurization without discharging the SITS into the RCS or requiring depressurization of the SITS.
| |
| ACTIONS Ad If the boron concentration of one SIT is not within limits, it must be returned to within the limits within 72 hours.
| |
| In this condition, ability to maintain subcriticality or minimum boron precipitation time may be reduced, but the reduced concentration effects on core subcriticality during (continued)
| |
| SYSTEM 80+ B 3.5-6 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| l SITS B 3.5.1 BASES (continued), l ACTIONS ~ M (continued) reflood are minor. Boiling of the ECCS water in the core j during reflood concentrates the boron in the saturated i liquid that remains in the core. In addition, the volume of the SIT is still available for' injection, since the boron
| |
| ~
| |
| requirements are based on the average boron concentration of-the-total volume of three SITS, the consequences are.less ,
| |
| severe than they would be if an SIT were not available for 1 injection. Thus, 72 hours is allowed to return the boron _ 1 concentration to within limits.- !
| |
| t'
| |
| (
| |
| M I 1
| |
| : If one SIT is inoperable, for a reason other than boron j concentration, the SIT must be returned to OPERABLE status within I hour. In this Condition, the required contents of three SITS cannot be assumed to reach the core during a LOCA. Due to the severity of the consequences should a LOCA occur in these conditions, the I hour Completion Time to
| |
| , open the valve, remove power to the valve, or restore the e proper water volume or nitrogen cover pressure ensures that prompt action will be taken to return the inoperable SIT to OPERABLE status. The Completion Time minimizes the exposure of the plant.to a LOCA in these conditions.
| |
| ; C.1 and C.2-If the SIT cannot be returned to OPERABLE status within the associated Completion Time, the plant must be placed in a MODE in which the LC0 does not apply. To achieve this status, the plant must be brought to at least MODE 3 within six hours and pressurizer pressure reduced to < [900) psia within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| l d
| |
| M If more than one SIT is inoperable, the unit is in' a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.
| |
| OL (continued)
| |
| SYSTEM 80+ B 3.5-7 Rev. 00
| |
| ; 16A Tech Spe: Bases: (2/95)
| |
| | |
| SITS B 3.5.1 O
| |
| l BASES (continued)
| |
| SURVEILLANCE SR 3.5.1.1 REQUIREMENTS Verification every 12 hours that each SIT isolation valve is fully open, as indicated in the control room, ensures the SITS are available for injection and ensures timely discovery if a valve should be partially closed. If an isolation valve is not fully open the rate of injection to the RCS would be reduced. Although a motor-operated valve position should not change with power removed, a closed valve could result in not meeting accident analysis assumptions. A 12 hour Frequency is considered reasonable in view of other administrative controls that ensure the unlikelihood of a mispositioned isolation valve.
| |
| SR 3.5.1.2 and 3.5_l d SIT borated water volume and nitrogen cover pressure should be verified to within specified limits every 12 hours in order to ensure adequate injection during a LOCA. Due to the static design of the SITS, a 12 hour Frequency allows the operator sufficient time to identify changes before the limits are reached. Operating experience has shown this Frequency to be appropriate for early detection and correction of off normal trends.
| |
| SR 3.5.1.4 Thirty-one days is reasonable for verification to determine that each SIT's boron concentration is within the required l limits, because the static design of the SITS limits the ways in which the concentration can be changed. The 31 day Frequency is adequate to identify changes which could occur from mechanisms such as stratification or in-leakage.
| |
| Sampling the affected SIT within 6 hours after a 1% volume )
| |
| increase will identify whether inleakage from the RCS has caused a reduction in boron concentration to below the required limit. It is not necessary to verify boron concentration if the added water is from the IRWST, because the water contained in the IRWST is within the SIT boron concentration requirements. This is consistent with the i recommendations of NUREG-1366 (Ref. 5). !
| |
| (continued) <
| |
| SYSTEM 80+ B 3.5-8 Rev. 00 16A Tech Spec Bases (2/95) l
| |
| | |
| SITS B 3.5.1 U l BASES l
| |
| . SURVEILLANCE SR 3.5.1.5 REQUIREMENTS (continued) Verification every 31 cays that power is removed from each !
| |
| SIT isolation valve operator when the pressurizer pressure I is a [900] psia ensures that an active failure could not result in the undetected closure of an SIT motor operated isolation valve. If this were to occur, only two SITS would be available for injection, given a single failure coincident with a LOCA. Since installation and removal of power to the SIT isolation valve operators is conducted under administrative control, the 31 day Frequency was chosen to provide additional assurance that power is removed.
| |
| This SR allows power to be supplied to the motor operated l isolation valves when RCS pressure is < [900] psia, thus j allowing operational flexibility by avoiding unnecessary delays to manipulate the breakers during unit startups or shutdowns. Even with power supplied to the valves, inadvertent closure is prevented by the RCS pressure interlock associated with the valves. Should closure of a O valve occur in spite of the interlock, the SI signal provided to the valves would open a closed valve in the event of a LOCA. ,
| |
| l l
| |
| SR 3.5.1.6 '
| |
| 4 This Surveillance ensures that an active failure could not I result in the opening of a SIT solenoid-operated vent valve !
| |
| coincident with a LOCA. If there were to occur only two !
| |
| SITS would be available for injection assuming one SIT contents are lost. Installation and removal of the power is conducted under administrative control. Since this Surveillance is a verification that the power is removed and is relatively easy, the 31 day Frequency was chosen to provide additional assurances that the power is removed.
| |
| This SR is nodified by a Note which allows power to be 3 supplied to the motor-operated isolation valves when RCS pressure is < [900] psia, thus allowing operational flexibility by avoiding unnecessary delays to manipulate the power during plant startups or shutdowns. Even with power supplied to the valves, inadvertent closure is prevented by the RCS pressure interlock, the SIAS signal provided to the valve would open a closed valve should a LOCA occur.
| |
| m (continued)
| |
| SYSTEM 80+ B 3.5-9 Rev. 00 16A Tech Spec Bases (2/95) !
| |
| l I
| |
| | |
| SITS B 3.5.1 O
| |
| l BASES (continued)
| |
| REFERENCES 1. IEEE Std. 279-1971, Criteria For Protection Systems for Nuclear Power Generating Stations.
| |
| : 2. 10 CFR 50.46, Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Plants.
| |
| : 3. Chapter 6.
| |
| : 4. Chapter 15.
| |
| : 5. NUREG-1366, " Improvements to Technical Specification Requirements."
| |
| O 1
| |
| I I
| |
| l l
| |
| l l
| |
| O SYS TEi1 80+ B 3.5-10 Rev. 00 l 16A Tech Spec Bases (2/95) )
| |
| | |
| i 4- SIS - Operating B 3.5.2 B 3.5' EMERGENCY CORE COOLING SYSTEM (ECCS) j F B 3.5.2~ Safety Injection System (SIS) - Operating BASES .j
| |
| . i l
| |
| BACKGROUND The function of the SIS is to provide core cooling and 1 negative reactivity to_ ensure that the reactor core is ;
| |
| : protected after.any of the following accidents:
| |
| : a. Loss of coolant-accident (LOCA)-
| |
| : b. Control Element Assembly (CEA) ejection accident;
| |
| : c. Loss of secondary. coolant accident, including uncontrolled steam release or loss of feedwater; and ,
| |
| i
| |
| : d. Steam generator tube rupture (SGTR).
| |
| The addition of negative reactivity is designed primarily for the loss of secondary coolant accident where primary L cooldown could add enough positive reactivity to achieve criticality and return to significant power.
| |
| Four mechanically redundant safety injection (SI) trains are provided. Each train consists of an SI pump and the associated piping and valves. . SI flow credited in LOCA analyses is dependent on the pipe break location. Full flow from two SI pumps and four SITS is credited for a break in an RCP discharge leg. Full flow from one SI pump and three SITS is credited for a break in a DVI line; the flow from i the remaining pump (Same emergency power division) and from one SIT is assumed to spill out the break. In MODES 1, 2 and 3, all SI trains are required to be OPERABLE. This ensures that 100% of the core cooling requirements can be provided even in the event of a RCP discharge leg break or a
| |
| : DVI line break with a failure of diesel generator (DG) to start.
| |
| An independent suction header supplies water from the Incontainment Refueling Water Storage Tank (IRWST) to each of the safety injection pumps. Each SI pump discharges j directly to the reactor vessel downconer via the Direct !
| |
| Vessel Injection nozzle. The SI pump directs sufficient flow to the core to meet the analysis assumptions following i a loss of coolant accident (LOCA) in one of the RCS cold !
| |
| legs. l (continued) I i
| |
| SYSTEM'80+ .
| |
| B 3.5-11 Rev. 00 16A Tech Spec Bases. :
| |
| . . , _ _. ,_ 1
| |
| | |
| SIS - Operating B 3.5.2 O
| |
| l BASES BACKGROUND During a large break LOCA RCS pressure will decrease to less (continued) than 200 psia in less than 20 seconds. The safety injection (SI) systems are actuated upon receipt of an SIAS. The actuation of safeguard loads is accomplished in a programmed time sequence. If offsite power is available, the safeguard loads start immediately in the programmed sequence.
| |
| If offsite power is not available, the Engineered Safety Features (ESF) buses shed normally operating loads and are connected to the emergency diesel generators (DGs).
| |
| Safeguard loads are then actuated in the programmed time sequence. The time delay associated with diesel starting, 4 sequenced loading, and pump starting determines the time required before pumped flow is available to the core following a LOCA.
| |
| The active SIS components, along with the passive safety injection tanks (SITS) and the IRWST, covered in LC0 3.5.1,
| |
| " Safety Injection Tanks (SITS)" and LCO 3.5.4, "In-containment Refueling Water Storage Tank (IRWST)," provide the cooling water to meet GDC 35 (Ref. 3).
| |
| APPLICABLE LC0 3.5.2 helps to ensure that the following acceptance SAFETY ANALYSES criteria established by 10 CFR 50.46 (Ref.1) for SIS will be met following a LOCA:
| |
| : a. Maximum fuel element cladding temperature of 5 2200 F.
| |
| : b. Maximum cladding oxidation of s 0.17 times the total cladding thickness before oxidation.
| |
| : c. Maximum hydrogen generation from a zirconium-water reaction of 5 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react.
| |
| : d. The core is maintained in a coolable geometry.
| |
| : e. Adequate long term core cooling capability is maintained.
| |
| (continued)
| |
| SYSTEM 80+ B 3.5-12 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| i i
| |
| SIS - Operating
| |
| < B 3.5.2 .
| |
| O i BASES l [
| |
| APPLICABLE The LCO also limits the potential for a post-trip return to i
| |
| SAFETY ANALYSES power following a steamline break (SLB) event and a CEA
| |
| :(continued) ejection accident.
| |
| SI pump flow is set during pre-operational testing to ensure that- the pump runout flow is not excessive when the RCS is at atmospheric conditions.' The SI system is assumed to be OPERABLE in the large break and small break LOCA analyses at full power, CESSAR-DC Chapter 6 (Ref. 2). The delivered SI 1 pump flow credited in safety analyses for a LOCA is ,
| |
| dependent on the pressure conditions that exist as a result i of the size of the LOCA. SI delivery curves define the SI ,
| |
| performance credited in the large and small break LOCA !
| |
| analyses over the operating range of the SI pumps from pump i shutoff head to pump runout flow. The main steam line break i event also establishes the flow-head requirement and in addition establishes the minimum required response time for actuation of the pumps. The Steam Generator Tube Rupture (SGTR), CEA eject 1on, and inadvertent opening of an atmospheric dump valve analyses also credit the SI pumps, i but do not limit the design.
| |
| l The large break LOCA event with a loss of offsite power and a single failure (disabling two SIS trains) establishes the OPERABILITY requirements for the SIS. During the blowdown stage of a LOCA, the RCS depressurizes as primary coolant is ejected through the break into the containment. The nuclear reaction is terminated either by moderator voiding during large breaks or CEA insertion during small breaks. Long-term shutdown is preserved by the borated water delivered by the SIS to the core. Following depressurization, emergency cooling water is injected through the direct vessel injection nozzles, flows down the downcomer, fills the lower plenum, and refloods the core.
| |
| On smaller breaks, RCS pressure will stabilize at a value dependent upon break size, heat load, and injection flow.
| |
| The smaller the break, the higher this equilibrium pressure and the lower the injection flow rate. In all LOCA analyses, injection flow is not credited until RCS pressure drops below the shutoff head of the SI pumps.
| |
| f (continued)
| |
| SYSTEM 80+ B 3.5-13 Rev. 00 16A Tech Spec Bases (2/95) er y ,end-+ , .4 *->-9 +w* F -V -+mw-& - 'w *e-6 %
| |
| | |
| SIS - Operating B 3.5.2 O
| |
| l BASES APPLICABLE The LC0 ensures an SIS division will deliver sufficient SAFETY ANALYSES water to match decay heat boil-off rates soon enough to (continued) minimize core uncovery for a large LOCA. It also ensures that the SI pump will deliver sufficient water during a small break LOCA, and provide sufficient boron, in conjunctier. ::!tn the CEA's (assuming that the most reactive CEA does not insert), to maintain the core suberitical following a SLB.
| |
| SIS - Operating satisfies Criterion 3 of the NRC Policy Statement.
| |
| LCO In MODES 1, 2, and 3, four independent (and redundant) SIS trains are required to ensure sufficient SIS flow is available to mitigate the consequences of a LOCA assuming a single failure coincident with a LOOP. Additionally, the SIS trains may be called upon to mitigate the consequences of other transients and accidents.
| |
| In MODES 1, 2, and 3, an SIS train consists of a SI pump, the piping, instruments and controls to ensure an OPERABLE flow path capable of taking suction from the IRWST on a SIAS.
| |
| During an event requiring SIS actuation, a flow path is provided to ensure an abundant supply of water from the IRWST to the RCS via the SI pumps and their respective supply lines to each of the four direct vessel injection nozzles. In the long term, flow paths may be switched to supply part of its flow to the RCS hot legs via the hot leg injection nozzles on two of the trains.
| |
| The flow path for each train must maintain its designed independence to ensure that no single failure can prevent delivery of the minimum required flow rate.
| |
| APPLICABILITY In MODES 1, 2, and 3 the SIS OPERABILITY requirements for :
| |
| the limiting Design Basis Accident (DBA), large break LOCA, l are based on full power operation. Although reduced power '
| |
| would not require the same level of performance, the accident analysis does not provide for reduced cooling l (continued)
| |
| G, ,
| |
| SYSTEM 80+ B 3.5-14 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| -. . - . _ . ... ._ -- -. - - - . = --. . .-
| |
| L l '
| |
| l
| |
| ( SIS - Operating )
| |
| : 1. B 3.5.2 ;
| |
| l BASES l i
| |
| e APPLICABILITY requirements in the lower MODES. Surveillance requirements i (continued) for SI pump testing are based on the limiting safety .
| |
| analyses. Surveillance requirements for SI pump performance :
| |
| are specified to ensure that head / flow characteristics, as !
| |
| measured at design conditions, are within the tolerances i allowed in developing the SI delivery curves over the i operating range from shutoff head to runout flow. ,
| |
| The SIS functional requirements for MODE 4, 5, and 6 are described in LC0 3.5.3. .
| |
| ACTIONS 8_d If one or more trains are inoperable, the inoperable .
| |
| components must be returned to OPERABLE status within 72 hours. The 72 hour Completion Time is based on an NRC study (Ref. 4) using a reliability evaluation and is a reasonable amount of time to effect many repairs.
| |
| An SIS train is inoperable if it is not capable of delivering the design flow to the RCS. The individual components are inoperable if they are not capable of t performing their design function, or if supporting systems are not available (except as allowed by their respective LCOs). :
| |
| An event accompanied by a loss of offsite power and the :
| |
| failure of an emergency diesel generator can disable two SIS I trains until power is restored.
| |
| It is assumed that flow from the third SI pump is discharged through the break.
| |
| Analysis has shown that flow from one SI pump is sufficient to keep the core covered for a break the size of a DVI ,
| |
| nozzle which is the limiting SBLOCA. Hence, continued ;
| |
| operation for 72 hours is justified.
| |
| B.1 and B.2 If the inoperable train cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within six hours followed by placing the plant in (continued)
| |
| SYSTEM 80+ B 3.5-15 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| SIS - Operating B 3.5.2 O
| |
| l BASES ACTIONS B.1 and B.2 (continued)
| |
| MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems.
| |
| SURVEILLANCE SR 3.5.2.1 REQUIREMENTS
| |
| [ Verification of proper valve position ensures the flow path from the SIS pumps to the RCS is maintained. Misalignment of these valves could render the associated SIS train inoperable. Securing these valves in position by disabling the control device after positioning them in the correct position ensures that the valves cannot be inadvertently misaligned or change position as the result of an improper operation (e.g., unauthorized, inadvertent). These valves are status controlled. CESSAR-DC Chapter 18 (Ref. 6)
| |
| - describes status controlled components. A 12 hour Frequency is considered reasonable in view of other administrative controls ensuring that a mispositioned valve is an unlikely possibility.]
| |
| SR 3.5.2.2 Verifying the correct alignment for manual, power operated, and automatic valves in the SIS flow paths provides assurance that the proper flow paths will exist for SIS operation. This SR does not apply to valves which are locked, sealed or otherwise secured in position since these were verified to be in the correct position prior to locking, sealing or securing. A valve which receives an actuation signal is allowed to be in a non-accident position provided the valve automatically repositions within the proper stroke time. This Surveillance does not require any testing or valve manipulation. Rather, it involves verification that those valves capable of being mispositioned are in the correct position. The 31 day Frequency is appropriate because the valves are operated under procedural control, an improper valve poM tion would only affect a single train, and the probability of an event (continued)
| |
| SYSTEM 80+ B 3.5-16 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| _ . . _ . _ . _ . _ _ .._. . ~ _ _ . . . _ _ _ _ . . .. - _ . . _ . _ _ _ _
| |
| ~!
| |
| 5 SIS - Operating l B 3.5.2 BASES l l I
| |
| i
| |
| . SURVEILLANCE SR 3.5.2.2 (continued) ;
| |
| ~
| |
| REQUIREMENTS requiring SIS actuation during this time period is low. l This Frequency has been shown to be acceptable through ,
| |
| operating experience. ;
| |
| b SR 3.5.2.3
| |
| ; [With the exception of systems in operation, the SIS pumps are normally in a standby, non-operating condition. As such, flow path piping has the potential to develop voids and pockets of entrained gases. Maintaining the piping from ,
| |
| ; the SIS pumps to the RCS full of water ensures that the ,
| |
| system will perform properly, injecting its full capacity ,
| |
| into the RCS-upon demand. This will also prevent water ;
| |
| hammer, pump cavitation, and pumping of non-condensible_ gas ;
| |
| (e.g., air, nitrogen, or hydrogen) into the reactor vessel j following an SIAS or during shutdown cooling. The 31 day ,
| |
| - Frequency is based on the low probability of an event
| |
| , regt.tring SIS actuation during this time, the gradual nature of gas accumulation in the SIS piping, and the adequacy of procedural controls governing system operation.]
| |
| SR 3.5.2.4 Periodic Surveillance testing of SIS pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems is required by Section XI of the ASME Code. This type of testing may be accomplished by measuring the pump developed head at only one point of the i
| |
| pump characteristic curve. This verifies both that the i
| |
| ~
| |
| measured performance is within an acceptable tolerance of the original pump baseline performance and that the performance at the test flow is greater than or equal to the .
| |
| performance assumed in the unit safety analysis. SRs are
| |
| . specified in the Inservice Testing Program, which encompasses Section XI of the ASME Code. Section XI of the -
| |
| ASME Code provides the activities and frequencies necessary ,
| |
| to satisfy the requirements.
| |
| O (continued)
| |
| : SYSTEM 80+ B 3.5-17 Rev. 00 16A Tech Spec Bases (2/95)-
| |
| | |
| SIS - Operating B 3.5.2 O
| |
| l BASES SURVEILLANCE SR 3.5.2.5 REQUIREMENTS (continued) (Discharge head at design flow is a normal test of SI pump performance required by Section XI of the ASME Code. The Frequency for such tests is a Code requirement. Such inservice inspections detect component degradation and incipient failures.]
| |
| SR 3.5.2.6 and SR 3.5.2.7 These SRs demonstrate each automatic SIS valve actuates to its required position on an actual or simulated Safety Injection Actuation Signal (SIAS) and that each SIS Pump starts on receipt of an actual or simulated SIAS. The [18]
| |
| month Frequency is based on the need to perform these Surveillances under the conditions that apply during a plant outage and the potential for unplanned transients if the Surveillances were performed with the reactor at power. The
| |
| [18] month Frequency is also acceptable based on ,
| |
| consideration of the design reliability (and confirming l operating experience) of the equipment. The actuation logic is tested as part of the Engineered Safety Feature Actuation System (ESFAS) testing, and equipment performance is monitored as part of the Inservice Testing Program.
| |
| SR 3.5.2.8 Periodic inspections of the IRWST Holdup Volume Tank ensures that it is unrestricted and it stays in proper operating condition. The (18] month Frequency is based en the need to perform this Surveillance under the conditions dat apply during an outage, on the need to have access to the location, and on the potential for unplanned transients if the Surveillance were performed with the reactor at power.
| |
| This Frequency is sufficient to detect abnormal degradation and is confirmed by operating experience.
| |
| REFERENCES 1. 10 CFR 50.46, Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Plants.
| |
| : 2. Chapter 6.
| |
| (continued)
| |
| SYSTEM 80+ B 3.5-18 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| .~ . . . -. _. . . . . ..
| |
| l l
| |
| SIS - Operating i
| |
| B 3.5.2 1 BASES l REFERENCES 3. 10 CFR 50, Appendix A, GDC 35 - Emergency Core Cooling (continued) System.
| |
| l
| |
| : 4. NRC Memorandum R. L. Bayer to V. Stello, Jr., l
| |
| " Recommended Interim Revisions to LCOs for ECCS l Components," December 1, 1975.
| |
| : 5. NRC Information Notice No. 87-01, PJiR Valve Misalignment Causes Degradation of ECCS in PWRs,
| |
| -January 6, 1987.
| |
| g SYSTEM 80+ B 3.5-19 Rev. 00 16A Tech Spec Bases- (2/95)
| |
| | |
| SIS Shutdown B 3.5.3 B 3.3 EMERGENCY CORE COOLING SYSTEM (ECCS)
| |
| B 3.5.3 Safety Injection System (SIS) - Shutdown BASES BACKGROUND The Background section for Bases B 3.5.2, " Safety Injection System (SIS) - Operating," is applicable to these Bases with the following modifications:
| |
| In MODES 4, 5, and 6 with RCS level < [120'0"] the decay heat generation and RCS blowdown rates are such that a single SI pump is capable of providing the core cooling function in the event of a Loss of Coolant Accident (LOCA).
| |
| Also, a zero power steam line break will have negligible consequences with respect to a reactivity transient.
| |
| APPLICABLE The Applicable Safety Analysis section of Bases 3.5.2 is SAFETY ANALYSES applicable to this Bases.
| |
| SIS - Shutdown satisfies Criterion 3 of the NRC Policy '
| |
| Statement.
| |
| l LC0 Two operable SI trains in separate divisions ensures at least one pump is capable of adequate flow to the core in the event of a LOCA.
| |
| APPLICABILITY In MODES 4, 5, and 6 with RCS level < [120'0"] a loss of coolant resulting from a DVI line break requires two SI trains in separate divisions to be operable to ensure that if a LOCA disables one train an alternate SIS train is available. The requirement of having two OPERABLE SI trains I is acceptable without single failure consideration on the !
| |
| basis of the stable reactivity condition and the limited I core cooling requirements.
| |
| s (continued)
| |
| SYSTEM 80+ B 3.5-20 Rev. 00 16A Tech Spec Bases
| |
| | |
| A SIS - Shutdown
| |
| ~
| |
| B 3.5.3 :
| |
| BASES (continued) [
| |
| < ACTIONS A_,.1 With only one SI Pump OPERABLE, the unit is not prepared to respond _to a LOCA. The 1- hour Completion Time to restore at ,
| |
| least two SIS trains to OPERABLE status ensures prompt >
| |
| ) action is taken to restore the required cooling capacity.
| |
| i B.1.1. B.I.2. and B.2 The plant must be placed in a condition in which the LCO does not apply if SIS cannot be returned to CPERABLE status l' within the associated completion time. . An RCS level of 2.
| |
| [120'0"] (the top of the reactor vessel flange) will provide a minimum water inventory in the event of a LOCA. In ,
| |
| addition, the reduction of RCS temperature to <135 F will l nrovide a reduction in clad temperature. The 24 hour i
| |
| . wpletion Time limits the time the plant is subject to conditions where the LCO is applicable.
| |
| < SURVEILLANCE SR 3.5.3.1 l
| |
| REQUIREMENTS !
| |
| - The applicable Surveillance descriptions from Bases LCO 3.5.2 apply.
| |
| REFERENCES 1. 10 CFR 50.46, Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Plants.
| |
| : 2. Chapter 6.
| |
| : 3. 10 CFR 50, Appendix A, GDC 35 - Emergency Core Cooling System.
| |
| : 4. NRC Memorandum R. L. Bayer to V. Stello, Jr.,
| |
| ; " Recommended Interim Revisions to LCOs for ECCS Components," December 1, 1975.
| |
| : 5. NRC Information Notice No. 87-01, RHR Valve Misalignment Causes Degradation of ECCS in PWRs, January 6, 1987.
| |
| : 6. Section 19.8A, " Shutdown Risk Evaluation" .
| |
| c.
| |
| SYSTEM 80+ B 3.5-21 Rev. 00
| |
| - 16A Tech Spec. Bases (2/95)
| |
| | |
| IRWST B 3.5.4 B 3.5 EMERGENCY CORE COOLING SYSTEM (ECCS)
| |
| B 3.5.4 Incontainment Refueling Water Storage Tank (IRWST)
| |
| BASES l
| |
| BACKGROUND The Incontainment Refueling Water Storage Tank (IRWST) l supports the SIS and the Containment Spray System by l providing a source of borated water for Engineering Safety i
| |
| )
| |
| Feature (ESF) pump operation.
| |
| The IRWST supplies four trains of SIS. Each SIS train is supplied by a separate suction line. The IRWST also supplies 2 divisions of containment spray and 2 divisions of shutdown cooling pumps. Use of a single IRWST to supply four trains of SIS and two divisions of containment spray is acceptable since the IRWST is a passive component, and passive failures are not assumed to occur coincidently with the Design Basis Event during the injection phase of an accident.
| |
| The Safety Injection (SI) pumps, Shutdown Cooling (SCS) pumps and Containment Spray (CS) pumps are provided with recirculation lines which ensure each pump can maintain minimum flow requirements when operating at shutoff head g
| |
| conditions. The SI pump recirculation lines discharge back to the IRWST. The SCS and CS pumps have individual recirculation loops with heat exchangers which discharge back to the pump suction.
| |
| This LCO ensures that the IRWST contains sufficient borated water to support the SIS during the injection phase, ensures the reactor remains subcritical following a LOCA, ensures sufficient spray dilution for limiting offsite LOCA dose, and ensures that the assumptions used in the safety analysis for containment net free volume are maintained.
| |
| Insufficient water inventory in the IRWST could result in insufficient cooling capacity of the SIS or higher offsite doses following a LOCA. Improper boron concentrations could result in a reduction of SHUTDOWN MARGIN or excessive boric acid precipitation in the core following a LOCA, as well as excessive caustic stress corrosion of mechanical components and systems inside containment.
| |
| Storage capacity of the IRWST is based on operational and safety analysis requirements. The location of the SIS (continued)
| |
| SYSTEM 80+ B 3.5-22 Rev. 00 16A Tech Spec Bases
| |
| | |
| i
| |
| ' IRWST B 3.5.4 f
| |
| BASES l BACKGROUND suction piping in IRWST will result in some portion of the (continued) stored volume being unavailable for injection. The minimum LCO volume is based upon SIS and spray dilution requirements. The maximum LCO volume is based on i
| |
| containment free volume requirements. The IRWST. temperature requirements are based on an inadvertent containment. spray actuation. l 1
| |
| The IRWST supplies the Containment Spray System covered in LCO 3.6.6, " Containment Spray System",'and the SIS, covered in LCOs 3.5.2, " Safety Injection System (SIS)-Operating",
| |
| and 3.5.3, " Safety Injection System (SIS)-Shutdown", with i the abundant supply of cooling water to meet GDC 35 (Ref. l l 1.) i 4
| |
| APPLICABLE During accident conditions the IRWST provides a source of SAFETY ANALYSES borated water to the SI and CS pumps. As such, it provides containment cooling and depressurization, core cooling and
| |
| 'e replacement inventory, RCS depressurization using feed and bleed methods, and is a source of negative reactivity for reactor shutdown. The design basis transients and applicable safety analyses concerning each of these systems are discussed in the Applicable Safety Analyses section of Bases for LCOs 3.5.2, 3.5.3, and 3.6.6. These analyses are used to assess changes to the IRWST in order to evaluate their effects in relation to the acceptance limits.
| |
| This LCO establishes the minimum requirements for contained volume, boron concentration and temperature of the IRWST inventory. This ensures an adequate supply of cool, borated
| |
| ; water is available to: cool and depressurize the containment in the event of a LOCA or steam / feed line break, cool and cover the core in the event of a LOCA, ensure the reactor remains subcritical following a LOCA or steam line
| |
| ; break, and depressurize the RCS using feed and bleed
| |
| , methods.
| |
| The safety analyses assumes a minimum volume in the IRWST of
| |
| : [495,000 gallons] for SIS requirements. The safety analyses also assumes a free space of [40,000 cubic feet) in the
| |
| -IRWST to allow for adequate containment free volume. In addition the Holdup Volume Tank (HVT) is assumed dry. To allow for instrument accuracy a minimum volume of [555,800 (continued)
| |
| SYSTEM 80+ B 3.5-23 Rev. 00 16A Tech Spec Bases (2/95)
| |
| ]
| |
| | |
| IRWST B 3.5.4 O
| |
| l BASES APPLICABLE gallons] and a maximum volume of [575,000 gallons] is SAFETY ANALYSES specified. The LOCA dose analyses assumes a volume of at (continued) least [545,800 gallons) for spray dilution.
| |
| The [4000) ppm limit for minimum boron concentration was established to ensure that, following a LOCA with a minimum IRWST level, the reactor will remain subcritical in the cold condition following mixing of the IRWST and RCS water volumes. Small break LOCAs assume that all control rods are inserted, except for the Control Element Assembly (CEA) of highest worth, which is withdrawn from the core. Large break LOCAs assume that all CEAs remain withdrawn from the core. The most limiting case occurs at beginning of life.
| |
| The maximum boron limit of [4400] ppm in the IRWST is based on boron precipitation in the core following a LOCA. With the reactor vessel at saturated conditions, the core dissipates heat by pool nucleate boiling. Because of this boiling phenomenon in the core, the boric acid concentration will increase in this region. If allowed to proceed in this ,
| |
| manner, a point will be reached where boron precipitation will occur in the core. Post-LOCA emergency procedures !
| |
| direct the operator to establish simultaneous hot leg /DVI )
| |
| nozzle injection to prevent this condition by establishing a forced flow path through the core regardless of break location. These procedures are based upon the minimum time in which precipitation could occur, assuming that maximum boron concentrations exist in the borated water sources used for injection following a LOCA.
| |
| Boron concentrations in the IRWST in excess of the limit could result in precipitation earlier than assumed in the l analysis. l l
| |
| The limits on IRWST temperature are determined by an I inadvertent containment spray actuation. Relatively cold !
| |
| containment spray water will reduce the containment atmosphere temperature and thus the air and steam partial pressures. Since the air pressure in the shield building is not innediately affected, this would put a negative pressure across the containment vessel. The design pressure is
| |
| [-2.0) psig.
| |
| (couinued)
| |
| SYSTEM 80+ B 3.5-24 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| IRWST B 3.5.4
| |
| ~
| |
| BASES APPLICABLE The final containment pressure after an inadvertent ,
| |
| SAFETY ANALYSES containment spray actuation is sensitive to the initial '
| |
| (continued) containment atmosphere temperature and the IRWST water temperature. Figure 3.5.4-1 shows the minimum allowed IRWST water temperature for a given containment atmosphere l temperature. .For example, if the containment atmosphere l l
| |
| temperature is [110*]F, the minimum allowed IRWST water temperature is [81*]F. The maximum temperature of the IRWST i is [110*]F. ll The IRWST satisfies Criterion 3 of the NRC Policy Statement.
| |
| LC0 The IRWST ensures that an adequate supply of borated water is available to cool and depressurize the containment in the event of a Design Basis Accident (DBA) and to cool and cover the core in the event of a LOCA. The IRWST ensures the reactor remains subcritical following a DBA.
| |
| To be considered OPERABLE, the IRWST must meet the limits O established in the SR for water volume, boron concentration and temperature.
| |
| APPLICABILITY In MODES 1, 2, 3 and 4 the IRWST OPERABILITY requirements are dictated by the SIS and Containment Spray System OPERABILITY requirements. Since both the SIS and Containment Spray System must be OPERABLE in MODES 1, 2, 3 and 4, the IRWST must be OPERABLE to support their operation. <
| |
| In MODES 5 and 6 with RCS level < [120'-0"] the IRWST OPERABILITY requirements are dictated by the SIS. Two trains of SIS are required in these MODES, therefore the IRWST must be OPERABLE to support the SIS. ,
| |
| i P
| |
| (continued)
| |
| SYSTEM 80+ B 3.5-25 Rev. 00 e 16A Tech Spec Bases (11/96)
| |
| | |
| 1 IRWST B 3.5.4 O
| |
| l BASES (continued)
| |
| ACTIONS 8.d With IRWST boron concentration or borated water temperature not within limits, they must be returned to within limits within 8 hours. In this condition neither the SIS nor the CS can perform its design functions, therefore, prompt action must be taken to restore the tank to OPERABLE condition. The allowed Completion Time of 8 hours to restore the IRWST temperature to within limits was developed considering the time required to change boron concentration or temperature and that the contents of the tank are still available for injection.
| |
| B.d With IRWST borated water volume not within limits, it must be returned to within limits within I hour. In this condition neither the SIS nor the Containment Spray System can perform its design function; therefore, prompt action must be taken to restore the tank to OPERABLE status or to place the plant in a MODE in which these systems are not required. The Completion Time of one hour to restore the IRWST to OPERABLE is based on this condition simultaneously affecting multiple trains.
| |
| C.l. C.2. C.3 and C.4 If the IRWST cannot be returned to OPERABLE status within the associated Completion Time, the plant must be brought to a condition in which the LC0 does not apply. To achieve this status the plant must be brought to at least MODE 3 within 6 hours, to MODE 5 within 36 hours, reduction of RCS temperature to <135*F within 24 hours and immediate action must be taken to restore RCS level to 2 (120 '0").(top of reactor vessel fiange). The allowed Completion Times are reasonable, based on operating experience, to reach the required plan'. condition from full power and shutdown conditions in an orderly mar.ner and without challenging plant systems.
| |
| (continued)
| |
| O SYSTEM 80+ B 3.5-26 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| IRWST
| |
| - B 3.5.4 BASES (continued) l SURVEILLANCE SR 3.5.4.1 REQUIREMENTS IRWST borated water temperature shall be verified every 24 hours to be within the limits assumed in the accident analysis. This Frequency has been shown to be sufficient to identify temperature changes that approach either acceptable limit.
| |
| SR 3.5.4.2 The IRWST water volume must be maintained above the required minimum level . Minimum IRWST water volume level shall be verified every 7 days. This Frequency ensures that a sufficient initial water supply is available for injection and to support continued ESF pump operation on recirculation. Since the IRWST volume is normally stable and provided with a low level alarm, a 7 day Frequency is appropriate and has been shown to be acceptable through ,
| |
| operating experience.
| |
| O SR 3.5.4.3 The IRWST Holdup Volume Tank must be at or below the stated limits to ensure that the containment free volume assumed in the safety analysis exists. Since the tank is not used in ,
| |
| any operational MODE, a 7 day Frequency is appropriate and has been shown to be acceptable through operating experience.
| |
| SR 3.5.4.4 The boron concentration of the IRWST shall be verified every 7 days to be within the required range. This Frequency ,
| |
| ensures that the reactor will remain subcritical following a LOCA. Further, it ensures that the resulting sump pH is maintained in an acceptable range such that boron .
| |
| precipitation in the core will not occur earlier than predicted and the effect of chloride and caustic stress corrosion on mechanical systems and components will be minimized. Since the IRWST volume is normally stable a 7 day sampling Frequency is appropriate and has been shown through operating experience to be acceptable. >
| |
| -/ G i
| |
| (continued) .
| |
| SYSTEM 80+ B 3.5-27 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| IRWST B 3.5.4 9
| |
| l BASES (continued)
| |
| REFERENCES 1. 10 CFR, Appendix A, GDC 35 - Emergency Core Cooling Systems.
| |
| : 2. Chapter 6.
| |
| : 3. Chapter 15.
| |
| O l
| |
| O I SYSTEM 80+ B 3.5-28 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| I TSP B 3.5.5 j
| |
| (
| |
| B 3.5 EMERGENCY CORE COOLING SYSTEM (ECCS)
| |
| B 3.5.5 Trisodium Phosphate (TSP)
| |
| BASES BACKGROUND The IRWST is the suction source for the SI pumps and CS l i
| |
| pumps during short-term injection and long-term cooling modes of post-accident operation. Reactor coolant lost out through a break (LOCA) or water sprayed by the containment spray pumps is collected by the Holdup Volume Tank (HVT)..
| |
| Spi 11 ways allow accumulated water in the HVT to spill back into the IRWST, thereby replenishing IRWST water volume during accident operations. Trisodium phosphate dodecahydrate (TSP) is placed in the Holdup Volume Tank (HVT) of the containment to assure that iodine, which may be dissolved in the recirculated reactor cooling water l
| |
| following a loss of coolant accident (LOCA), remains in solution. TSP also helps inhibit stress corrosion cracking 1 (SCC) of austenitic stainless steel components in ;
| |
| containment during the long-term cooling phase following an l J
| |
| accident.
| |
| (3 Fuel that is damaged during a LOCA will release iodine in V several chemical forms to the reactor coolant and to the containment atmosphere. A portion of the iodine in the containment atmosphere is washed to the HVT by containment sprays. The emergency core cooling water is borated for reactivity control. This borated water causes the HVT solution to be acidic. In a low pH (acidic) solution, dissolved iodine will be converted to a volatile form. The volatile iodine will evolve out of solution into the l' containment atmosphere, significantly increasing the levels of airborne iodine. The increased levels of airborne iodine in containment contribute to the radiological releases and increase the consequences from the accident due to containment atmosphere leakage. !
| |
| After a LOCA, the components of the core cooling and containment spray systems will be exposed to high j temperature borated water. Prolonged exposure to the core ;
| |
| cooling water combined with stresses imposed on the components can cause stress corrosion cracking (SCC). The SCC is a function of stress, oxygen and chloride concentrations, pH, temperature, and alloy composition of the components. High temperatures and low pH, which would i
| |
| O (continued)
| |
| SYSTEM 80+ B 3.5-29 Rev. 00 16A Tech Spec Bases ,
| |
| l
| |
| | |
| TSP B 3.5.5 O
| |
| l BASES BACKGROUND (continued) be present after a LOCA, tend to promote SCC. This can lead to the failure of necessary safety systems or components.
| |
| Adjusting the pH of the recirculated solution to levels above 7.0 prevents a significant fraction of the dissolved lodine from converting to a volatile form. The higher pH thus decreases the level of airborne iodine in containment and reduces the radiological consequences from containment atmosphere leakage following a LOCA. Maintaining the solution pH above 7.0 also reduces occurrence SCC of austenitic stainless steel components in containment.
| |
| Reducing SCC reduces the probability of failure of components.
| |
| Granular TSP is employed as a passive form of pH control for post LOCA containment spray and core cooling water. Baskets of TSP are attached to the walls of the Holdup Volume Tank in the containment to dissolve with released reactor coolant water and containment sprays after a LOCA. Recirculation of the water for core cooling and containment sprays then provides mixing to achieve a uniform solution pH. The dodecahydrate form of TSP is used because of the humidity inside containment during normal operation. Since the TSP is hydrated, it is less likely to absorb large amounts of water from the humid atmosphere and will undergo less physical and chemical change than the anhydrous form of TSP.
| |
| Note: pH values given refer to 298*K (25 C).
| |
| The LOCA radiological consequences analysis takes credit for APPLICABLE iodine retention in the sump solution based on the SAFETY ANALYSES recirculated water pH being a 7.0. The radionuclide releases from the containment atmosphere and the consequences of a LOCA would be increased if the pH of the recirculated water were not adjusted to 7.0 or above.
| |
| TSP satisfies criterion 2 of the NRC Policy Statement.
| |
| O (continued)
| |
| SYSTEM 80+ B 3.5-30 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| TSP B 3.5.5 BASES (continued) l LCO The TSP is required to adjust the pH of the recirculated water to > 7.0 after a LOCA. A pH > 7.0 is necessary to prevent significant amounts of iodine released from fuel failures and dissolved in the recirculated water from l converting to a volatile form and evolving into the containment atmosphere. Higher levels of airborne iodine in i containment may increase the release of radionuclides and )
| |
| the consequences of the accident. A pH > 7.0 is also J necessary to prevent stress corrosion cracking (SCC) of-austenitic stainless steel components in containment. SCC ,
| |
| increases the probability of failure of components. !
| |
| The required amount of TSP is based upon the extreme cases l I
| |
| of water volume and pH possible in the HVT after a large break LOCA. The minimum required volume is the volume of TSP that will achieve a solution pH of 2 7.0 when taking into consideration the maximum possible HVT volume and the minimum possible pH. The amount of TSP needed in the containment is based on the mass of TSP required to achieve the desired pH. However, a required volume is specified, rather than mass, since it is not feasible to weigh the O entire amount of TSP in containment. The minimum required volume is based on the manufactured density of TSP. Since ;
| |
| TSP can have a tendency to agglomerate from humidity inside containment, the density may increase and the volume decrease during normal plant operation. Due to possible agglomeration and increase in density, estimating the minimum volume of TSP in containment is conservative with respect to achieving a minimum required pH.
| |
| In MODES 1, 2, and 3, the RCS is at elevated temperature and pressure, providing an energy potential for a LOCA. The potential for a LOCA results in a need for the ability to control the pH of the recirculated coolant.
| |
| In MODES 4, 5, and 6, the potential for a LOCA is reduced or nonexistent, and TSP is not required.
| |
| O (continued)
| |
| SYSTEM 80+ B 3.5-31 Rev. 00
| |
| -16A Tech Spec Bases (2/95)
| |
| | |
| TSP B 3.5.5 O
| |
| l BASES (continued)
| |
| ACTIONS L1 If it is discovered that the TSP in the HVT is not within limits, action must be taken to restore the TSP to within limits. During plant operation the HVT is not accessible and corrective actions may not be possible.
| |
| The Completion Time of 72 hours is allowed for restoring the TSP within limits, where possible, because 72 hours is the same time allowed for restoration of other ECCS variables.
| |
| B.1 and B.2 If the TSP cannot be restored within limits within the Completion Time of Required Action A.1, the plant must be brought to a MODE in which the LCO does not apply. The specified Completion Times for reaching MODES 3 and 4 are those used throughout the Technical Specifications; they were chosen to allow reaching the specified conditions from '
| |
| full power in an orderly manner without challenging plant systems.
| |
| SURVEILLANCE SR 3.5.5.1 REQUIREMENTS The stainless steel baskets, which are attached to the walls of the HVT, have a solid top and bottom with mesh sides to permit submergence of the trisodium phosphate. The elevation of the baskets is above the normal operating water level in the HVT and below the IRWST spillway. Access is provided to the baskets for inspection and sampling.
| |
| Periodic determination of the volume of TSP in the containment must be performed due to the possibility of leaking valves and components inside containment that could cause the dissolution of TSP during normal operation. A Frequency of [18] months is required to determine visually that a minimum of [926] cubic feet is contained in the TSP baskets. This requirement ensures that there is an adequate volume of TSP to adjust the pH of the post LOCA solution to a value a 7.0.
| |
| (continued)
| |
| SYSTEM 80+ B 3.5-32 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| i TSP. }
| |
| B 3.5.5
| |
| : O-BASES 1
| |
| i i . SURVEILLANCE SR 3.5.5.1 :(continued) !
| |
| . . REQUIREMENTS j
| |
| ; The periodic verification is required every [18] months, i since access to the TSP baskets is only feasible during ;
| |
| outages, and normal fuel cycles are scheduled for 18 months. !
| |
| Operating experience has shown this Surveillance Frequency i acceptable due-to the margin in the volume of TSP. placed in !
| |
| l the containment. =
| |
| ; 't '
| |
| 4 SR 3.5.5.2 i Testing must be performed to ensure' the solubility and
| |
| ;. buffering ability of the TSP after exposure to the i
| |
| containment environment. A. representative sample of [33.8]
| |
| grams of TSP from one of-the baskets in containment is submerged in 1.0 i 0.05 gallons of water at a boron concentration of [4400] ppe and at the standard temperature of 25 i 5*C. Without agitation,.the solution pH should be
| |
| . raised to 2 7.0 within 4 hours. The representative sample weight is based on the minimum required TSP weight of
| |
| [23,939] kilograms, which at manufactured density
| |
| +-O corresponds to a minimum volume of [926) cubic feet and maximum possible post LOCA recirculated water volume of 6 [708,316] gallons, normalized to buffer a 1.0 gallon sample.
| |
| I The boron concentration of the test water is representative 4
| |
| of the maximum possible boron concentration corresponding to the maximum possible post LOCA HVT recirculated water y volume.- Agitation of the test solution is prohibited, since
| |
| ; an adequate standard for the agitation-intensity cannot be specified. Tne test time of 4 hours is necessary to allow time for the dissolved TSP to naturally diffuse through the
| |
| ; sample solution. In the post LOCA HVT, rapid mixing would ,
| |
| occur, significactly decreasing the actual amount of time befee the required pH is achieved. This would ensure L compliance with the Standard Review Plan requirement of a pH
| |
| ~
| |
| 2 7.0 by the t,nset of recirculation after w LOCA.
| |
| L REFERENCES None.:
| |
| i f
| |
| LO
| |
| +
| |
| SYSTEM 80+. B 3.5 Rev. 00 16A Tech Spec Bases
| |
| | |
| CFS B 3.5.6 B 3.5 EMERGENCY CORE COOLING SYSTEM (ECCS)
| |
| B 3.5.6 Cavity Flooding System (CFS)
| |
| BASES BACKGROUND The function of the CFS is to provide a means of flooding the reactor cavity during a severe accident for the purpose of covering core debris in the cavity with water. This facilitates the cooling and stabilization of the debris.
| |
| Flooding of the reactor cavity is manually initiated from the control room. Four spillways connect the IRWST to the Holdup Volume Tank (HVT), and two spillways connect the HVT to the reactor cavity. Each spillway flow path contains a normally closed motor operated isolation valve. In the event of a severe accident that results in a determination that a core melt condition is either imminent or in progress, the operator will initiate cavity flooding by opening the HVT and reactor cavity flooding valves. After the valves are opened, water flows from the IRWST to the HVT and from the HVT to the reactor cavity. The motive force for cavity flooding is gravity and the static head differential between the IRWST/HVT and the reactor cavity.
| |
| The CFS is not required for the mitigation of the APPLICABLE consequences of any design basis accidents. The CFS is SAFETY ANALYSES intended to be used during a severe accident after the operator has determined that a potential core melt condition is imminent or in progress. Severe accident analyses utilizing the CFS are performed assuming that the plant is initially operating in MODE 1. In the event of a reactor vessel breach, flooding of the reactor cavity will provide cooling of the core debris in the cavity and scrubbing of the fission products released due to corium-concrete interaction.
| |
| Assuming that the CFS is actuated when a potential core melt condition is determined to be imminent or has been diagnosed as being in progress, analyses have shown that a single CFS flow path consisting of one open HVT flooding spillway and one open cavity flooding spillway is capable of flooding the reactor cavity to a level of at least five feet prior to a (continued)
| |
| SYSTEM 80+ B 3.5-34 Rev. 00 16A Tech Spec Bases
| |
| | |
| CFS B 3.5.6 q
| |
| V BASES l APPLICABLE reactor vessel breach. The results of these analyses show SAFETY ANALYSES that a flooded reactor cavity level of five feet produces (continued) acceptable consequences.
| |
| Actuation of the CFS after a reactor vessel breach will also have acceptable consequences, provided that the corium debris does not block both cavity flooding spillways. This condition is considered unlikely based on the relatively ,
| |
| high location of the spillways and the consideration that the dominant corium flow path is away from the wall containing the cavity flooding spillways. ,
| |
| The CFS satisfies Criterien 4 of the NRC Policy Statement.
| |
| LCO In MODES 1, 2, and 3 three HVT flooding valves and two cavity flooding valves are required to be OPERABLE to allow !
| |
| ~ ling of core debris in the reactor cavity after a severe '
| |
| accident. A CFS flow path consisting of one HVT flooding n valve and one reactor cavity flooding valve is capable of l flooding the reactor cavity to an acceptable level prior to 1 Q- a breach of the reactor vessel.
| |
| Since the CFS is credited only for severe accidents, the ability of the CFS to meet single failure criteria is not required, but has been provided in the design to provide an additional margin of safety. The LC0 specifying three of four HVT flooding valves and both cavity flooding valves to be OPERABLE would allow the CFS to accomplish its function assu:ning the failure of two HVT flooding valves and one of the cavity flooding valves.
| |
| APPLICABILITY CFS OPERABILITY requirements specified for MODES 1, 2, and 3 are based on the potential for significant fuel damage with a breach of the reactor vessel and the decay heat generated after a severe accident occurring during full power operation. In MODES 4, 5, and 6, the probability of an accident occurring with significant fuel damage and a breach of the reactor vessel is significantly reduced below that of O
| |
| SYSTEM 80+ B 3.5-35 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| CFS B 3.5.6 O
| |
| l BASES APPLICABILITY the already low probability of a severe accident initiated (continued) during MODES 1, 2, and 3. In MODE 6, IRWST inventory will be depleted for refueling operations. Therefore, there are no OPERABILITY requirements specified for the CFS in MODES 4, 5, and 6.
| |
| ACTIOMs A.1 and 8.1 With two or three HVT flooding valves inoperable, the inoperable valve (s) must be returned to OPERABLE status within 7 days. With one reactor cavity flooding valve inoperable, the inoperable valve must be returned to OPERABLE status within 7 days. In this condition, one CFS flow path consisting of one OPERABLE HVT flooding valve and one OPERABLE cavity flooding valve is adequate to perform the CFS function.
| |
| The 7 day Completion Time is specified to allow maintenance and/or repair to a CFS valve or any of its attend?nt instrumentation, controls, or electrical power sources. A7 day Completion Time is considered acceptable on the basis h
| |
| that CFS operability is not required for design bases events. The severe accidents for which the CFS is used have a very low probability of occurrence.
| |
| C.1 and C.2 The plant must be placed in a MODE in which the LC0 does not i apply if the inoperable components cannot be returned to l OPERABLE status within the associated Completion Time. This is done by placing the plant in at least MODE 3 in six hours followed by placing the plant in MODE 4 within 12 hours. ;
| |
| The allowed Completion Times are reasonable, based on )
| |
| operating experience, to reach the required plant conditions '
| |
| from full power without challenging plant systems. l l
| |
| (continued) 9 !
| |
| SYSTEM 80+ B 3.5-36 Rev. 00 16A Tech Spec Bases (2/95)
| |
| | |
| CFS B 3.5.6 C/
| |
| BASES (continued) l SURVEILLANCE SR 3.5.6.1 REQUIREMENTS Verification of proper valve position ensures that the correct CFS alignment is maintained. Misalignment of these valves could affect the OPERABILITY of the IRWST. The 31 day Frequency is based on operating experience.
| |
| SR 3.5.6.2 The CFS valves are stroke tested in accordance with the Inservice Inspection and Testing Program, and Section XI of the ASME Code. A test interval based on the refueling outage Frequency was specified considering it is prudent that this Surveillance be performed only during a plant outage. Testing of the HVT flooding valves requires that i the manual valves located upstream be closed to prevent the i flow of water from the IRWST to the HVT. Closing the manual ;
| |
| valve is not practical during plant power operations because ,
| |
| containment entry is required. Based on the low pobability j n of a severe accident requiring use of the CFS and the redundancy provided by the design, a refueling outage
| |
| (-) interval for stroke testing the HVT flooding valves is considered acceptable. The reactor cavity flooding valve !
| |
| are to be stroke test at the same at the same interval as in i tha HVT flooding valves. l l
| |
| 1 REFERENCES 1. SECY-90-016 of 1/12/90,
| |
| | |
| ==Subject:==
| |
| Evolutionary Light Water Reactor (LWR) Certification Issues and their j Relationship to Current Regulatory Requirements, i
| |
| : 2. Chapter 3.
| |
| : 3. Chapter 6. ;
| |
| 1
| |
| : 4. Chapter 19.
| |
| (\ ;
| |
| L]
| |
| SYSTEM 80+ B 3.5-37 Rev. 00 I 16A Tech Spec Bases (2/95) i
| |
| | |
| Containment
| |
| 'B 3.6 CONTAINMENT ~ SYSTEMS
| |
| -B 3.6.1 Containment BASES 8ACKGROUND The containment vessel, including all its penetrations, is a
| |
| ' low leakage steel shell which is designed to withstand the postulated Loss of Coolant' Accident.(LOCA)~or a Main Steam Line Break-(NSLB) while limiting the postulated release of radioactive material to within the requirements of 10 CFR
| |
| .100-(Ref. 1). Additionally, the containment and shield building provide shielding from the fission products-which may be present in the containment atmosphere following ;
| |
| accident conditions. ,
| |
| l The containment vessel is a 200-ft, diameter spherical steel j
| |
| 3 shell with a wall thickness of, approximately one and three-quarter inches. This containment shell is supported by a ,
| |
| spherica1 depression in an intermediate floor of the shield -l building. The containment is enclosed by a reinforced i concrete. cylindrical shield building with a hemispherical dome. An annular space exists between the steel containment i vessel.and the shield building.
| |
| The internal structure is a group of reinforced concrete ;
| |
| structures that enclose the reactor vessel and primary system. The internal structure provides biological r shielding.for the containment interior. The internal ;
| |
| - structure concrete base rests inside the lower portion of i the containment vessel sphere. l
| |
| ; 'The primary shield wall encloses the reactor vessel and ,
| |
| .provides protection for the vessel from internal missiles. l 4
| |
| The primary shield wall provides biological shielding and is !
| |
| designed to withstand the temperatures and pressures following a LOCA. In addition, the primary shield wall provides structural support for the reactor vessel. The primary shield wall is a minimum of six feet thick.
| |
| The secondary s.hield wall (crane' wall) provides supports for the polar crane and protects the steel containment vessel from internal ~ missiles. In addition to providing biological shielding for'the coolant ~1oop and equipment, the crane wall also provides structural support for pipe supports / restraints and platforms.at various levels. The b;
| |
| ;; d (continued)-
| |
| 4 SYSTEM 80+: . ._ B 3.6-1 Rev. 00 16A Tech Spec Bases
| |
| , , , _ u ,. , v. - , -s -, . __ _- _ ___ _ __- . _
| |
| | |
| Containment B 3.6.1 O
| |
| BASES BACKGROUND crane wall is a right cylinder with an inside diameter of (continued) 130 feet and a height of 118 feet from its base. The crane wall is a minimum of four feet thick.
| |
| Containment piping penetration assemblies provide for the passage of process, service, sampling and instrumentation pipe lines into the containment vessel while maintaining containment OPERABILITY. The shield building provides biological shielding and controlled release of the annulus atmosphere under accident conditions, and environmental missile protection for the containment vessel and Nuclear Steam Supply System.
| |
| The inner steel containment and its penetrations establish the leakage limiting boundary of the containment.
| |
| Maintaining the containment OPERABLE limits the leakage of fission product radioactivity from the containment to the environment. Loss of containment OPERABILITY could cause site boundary doses, in the event of a DBA, to exceed values given in the licensing basis. SR 3.6.1.1 leakage rate requirements comply with 10 CFR 50, Appendix J (Ref. 4), as modified by approved exemptions.
| |
| The isolation devices for the penetrations in the containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier:
| |
| : a. All penetrations required to be closed during accident conditions are either:
| |
| : 1. capable of being closed by an OPERABLE automatic containment isolation system, or
| |
| : 2. closed by manual valves, blind flanges, or de-activated automatic valves secured in their closed positions, except as provided in LC0 3.6.3, " Containment Isolation Valves".
| |
| : b. Each air lock is OPERABLE except as provided in LC0 3.6.2, " Containment Air Locks".
| |
| O (continued)
| |
| SYSTEM 80+ B 3.6-2 Rev. 00 16A Tech Spec Bases
| |
| | |
| Containment B 3.6.1 v
| |
| BASES (continued)
| |
| APPLICABLE The safety design basis for the containment is that the SAFETY ANALYSES contt.inment must withstand the loadings of the limiting DBA ,
| |
| without exceeding the design leakage rate.
| |
| The DBAs which result in a release of radioactive material within containment are a Loss of Coolant Accident (LOCA), a Main Feedwater Line Break (MFLB), and a Control Element Assembly (CEA) ejection accident (Ref. 2). In the analysis of each of these accidents, it is assumed that the containment and containment shield building are OPERABLE at event initiation such that the majority of the release of fission products to the environment is controlled by the rate of containment leakage. In addition, for the above accidents, it is assumed that the containment low volume purge is operating at event initiation. Isolation of the purge will be automatic or manual depending upon the pressure transient associated with the analyzed accident.
| |
| The containment was designed with an allowable leakage rate of [0.5) percent of the containment volume per day (Ref. 3).
| |
| ( This leakage rate, used in the evaluation of offsite doses resulting from accidents, is defined in 10 CFR 50, Appendix
| |
| (
| |
| J (Ref. 4) as La: the maximum allowable containment leakage rate at the calculated maximum peak containment pressure (Pa) following a DBA. The calculated maximum peak 1 containment pressure (48.1] psig was obtained from a [0%) !
| |
| power MSLB DBA. The containment internal design pressure is
| |
| [53.0) psig. The allowable leakage rate represented by La l forms the basis for the acceptance criteria imposed on all containment leak rate testing.
| |
| I Satisfactory leak test results are a requirement for the establishment of containment OPERABILITY.
| |
| The acceptance criteria applied to accidental releases of radioactive material to the environment are given in terms of total radiation dose received by a member of the general public who remains at the exclusion area boundary for two hours following onset of the postulated fidon product release. The limits established in Reference 1 are a whole body dose of 25 Rem or a 300 Rem dose to the thyroid from iodine exposure, or both.
| |
| ("D (continued)
| |
| SYSTEM 80+ B 3.6-3 Rev. 00 16A Tech Spec Bases
| |
| | |
| 1 Containment .
| |
| B 3.6.1 O
| |
| BASES APPLICABLE The containment satisfies Criterion 3 of the NRC Policy SAFETY ANALYSES Statement.
| |
| (continued)
| |
| LC0 Containment OPERABILITY is maintained by limiting leakage to within the acceptance criteria of 10 CFR 50, Appendix J (Ref. 4). Compliance with this LC0 will ensure a containment configuration, including equipment hatches, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analysis.
| |
| Individual leakage rates specified for the containment air locks (LC0 3.6.2) [, purge valves with resilient seals, and secondary bypass leakage (LC0 3.6.3)] are not specifically part of the acceptance criteria of 10 CFR 50, Appendix J.
| |
| Therefore, leakage rates exceeding these individual limits only result in the containment being inoperable when the leakage results in exceeding the acceptance criteria of Appendix J.
| |
| O i APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of l radioactive material into containment. In MODES 5 and 6, when not in REDUCED RCS INVENTORY, the probability and consequences of these events are reduced because of the '
| |
| Reactor Coolant System (RCS) pressure and temperature l limitations of these MODES. Therefore, containment is not !
| |
| required to be OPERABLE in MODE 5, unless in REDUCED RCS l INVENTORY, to prevent leakage of radioactive material from l containment. The requirements for containment during MODES l 5 and 6 are addressed in LCOs 3.9.3, " Containment i Penetrations" and 3.6.11, " Containment Penetrations -
| |
| REDUCED RCS INVENTORY Operations."
| |
| l ACTIONS Ad i
| |
| In the event containment is inoperable, containment must be ,
| |
| restored to OPERABLE status within I hour. The 1 hour l Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining containment OPERABLE during MODES 1, 2, 3, and 4. This time (continued) O ,
| |
| SYSTEM 80+ B 3.6-4 Rev. 00 l 16A Tech Spec Bases I
| |
| | |
| i I
| |
| i Containment i 8 3.6.1 !
| |
| O 1 BASES i
| |
| ACTIONS A l (continued) j
| |
| - period also ensures th'at the probability of an accident '
| |
| j (requiring containment OPERABILITY) occurring during periods
| |
| : where containment is inoperable is minimal. l
| |
| ?
| |
| B.1 and B.2 l If containment cannot be restored to OPERABLE status in the associated Completion Time, the plant must be placed in a' j
| |
| 1 MODE in'which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within .
| |
| 6 hours and to MODE 5 within 36 hours. The allowed :
| |
| Completion Times are reasonable, based on operating j experience, to reach the required plant conditions from full- :
| |
| power conditions in an orderly manner and without
| |
| : j. challenging plant systems. j i
| |
| . SURVEILLANCE SR 3.6.1.1 r REQUIREMENTS Maintaining containment OPERABLE requires compliance with
| |
| ^
| |
| the visual examinations and leakage rate test requirements !
| |
| of 10 CFR 50, Appendix J (Ref. 4) as modified by approved i exemptions. Failure to meet air lock and' purge valve with resilient seal specific leakage limits specified in LCO i 3.6.2 and LCO 3.6.3 does not invalidate the acceptability of these overall leakage determinations unless their contribution to overall Type A, B, and C: leakage causes that to exceed-limits. SR Frequencies are as required by ,
| |
| Appendix J, as modified by approved exemptions. Thus, SR 3
| |
| 3.0.2 (which allows Frequency extensions) does not apply.
| |
| 1 These periodic testing requirements verify that the j containment leakage rate does not exceed the leakage rate ,
| |
| t ,umed in the safety analysis. ,
| |
| 4 1
| |
| ~O :
| |
| (continued)-
| |
| SYSTEM 80+' B 3.6-5 Rev. 00 16A : Tech Spec Bases
| |
| | |
| Containment B 3.6.1 l BASES (continued) l REFERENCES :. 10 CFR 100.11, " Determination of Exclusion Area, Low Population Zone, and Population Center Distance."
| |
| : 2. Chapter 15.
| |
| : 3. Chapter 6.
| |
| : 4. 10 CFR 50, Appendix J, " Primary Reactor Containment Leakage Testing for Water-Cooled Power Reactors."
| |
| O .
| |
| I l
| |
| l l
| |
| l l
| |
| 9 SYSTEM 80+ B 3.6-6 Rev. 00 16A Tech Spec Bases 1
| |
| | |
| 4 i i
| |
| b Containment Air Locks !
| |
| B 3.6.2 l B 3.6 CONTAINMENT SYSTEMS i B 3.6.2 Containment Air Locks' i BASES
| |
| . J 1
| |
| ?
| |
| ; : BACKGROUND [Two) containment air locks form part of the containment [
| |
| pressure boundary and provide a means for personnel access :
| |
| during all MODES of operation. I s i
| |
| ' Each air lock is nominally a right circular cylinder [10]
| |
| ? feet in diameter with a door at each end. The doors are !
| |
| interlocked to prevent simultaneous opening. During periods l 3
| |
| when containment is not required to be OPERABLE, the door '
| |
| 4 interlock mechanism may be disabled, allowing both doors to remain open for extended periods when frequent containment ,
| |
| entry is necessary. Each air lock door has been designed and tested to certify its ability to withstand a pressure in !
| |
| excess of the maximum expected pressure fo11 ewing a DBA in 4 containment. As such, closure of a single door supports containment OPERABILITY. Each of the doors contains double l gasketed seals and local leakage rate testing capability to ensure pressure integrity. To effect a leak tight seal, the air lock design uses pressure seated doors (i.e., an ,
| |
| increase in containment internal pressure results in '
| |
| increased sealing force on each door).
| |
| Each air lock is prcviled with limit switches on both doors
| |
| : that provide control room indication of door position. ;
| |
| Additionally, control room indication is provided to alert i
| |
| ^
| |
| the operator whenever an air lock door interlock mechanism is defeated.
| |
| e i The containment air locks form part of the containment pressure boundary. As such, air lock integrity and leak- l tightness is essential for maintaining the containment leakage rate within limit in the event of a DBA. Not i - maintaining air lock integrity or leak-tightness may result in a leakage rate in excess of that assumed in the unit l' safety analysis. SR 3.6.1.1 leakage rate requirements are in conformance with 10 CFR 50, Appendix J (Ref. 4), as modified by approved exemptions.
| |
| t 1
| |
| (continued)
| |
| SYSTEM 80+' B 3.6-7 Rev. 00 16A Tech Spec Bases 4
| |
| = * - = n m v r v. a.
| |
| | |
| Containment Air Locks B 3.6.2 O
| |
| BASES (continued)
| |
| APPLICABLE The Containment Air Lock LCO is derived from the SAFETY ANALYSES requirements related to the control of off-site radiation doses from major accidents by verifying that the actual containment leak rate does not exceed the value assumed in the accident analysis.
| |
| The DBAs which result in a release of radioactive material within containment are a LOCA, a Main Steam Line Break (MSLB), a Main Feed Line Break (MFLB), and a CEA ejection accident (Ref. 2). In the analysis of each of these accidents, it is assumed that containment is OPERABLE at event initiation, such that release of fission products to the environment is controlled by the rate of containment leakage. In addition, for the above accidents, it is assumed that the containment low volume purge is operating at event initiation. Isolation of the purge will be automatic or manual depending upon the pressure transient associated with the analyzed accident.
| |
| The containment was designed with an allowable leakage rate of [0.5) percent of containment volume per day (Ref. 3).
| |
| This leakage rate is defined in 10 CFR 50, Appendix J (Ref.
| |
| : 4) as La: the maximum allowable containment leakage rate at the calculated maximum peak containment pressure (Pa) following a DBA. This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with the air lock.
| |
| The acceptance criteria applied to DBA releases of radioactive material to the environment are given in terms of total radiation dose received by a member of the general public who remains at the exclusion area boundary for two hours following onset of the postulated fission product release. The limit established in Reference 1 are a whole body dose of 25 Rem or a 300 Rem dose to the thyroid from iodine exposure, or both.
| |
| Application of single failure criteria to the air locks is not required because the air locks fulfill their design safety function in a passive manner and are not subject to active failures. Therefore, closure of a single door in each air lock is sufficient to ensure OPERABILITY following postulated events. Nevertheless, both doors are kept closed when the air lock is not being used for normal entry and exit from containment.
| |
| (continued)
| |
| SYSTEM 80+ B 3.6-8 Rev. 00 16A Tech Spec Bases
| |
| | |
| 1 Containment Air Locks B 3.6.2 BASES APPLICABLE The containment air locks satisfy Criterion 3 of the NRC .
| |
| SAFETY ANALYSES Policy Statement.
| |
| (continued) ,
| |
| LC0 Each containment air lock forms part of the containment ,
| |
| pressure boundary. As part of containment, the air lock l safety function is related to control of the containment leakage rate resulting from a DBA. Thus, each air lock's structural integrity and leak tightness is essential to the successful mitigation of such an event.
| |
| [Two] air locks are required to be OPERABLE. For the air ;
| |
| lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test and both air lock doors must be OPERABLE. The interlock allows only one air lock door of an air lock to be opened at one time.
| |
| Closure of a single door in each air lock is sufficient to provide a leak tight barrier following postulated events.
| |
| Nevertheless, both doors are kept closed when the air lock (Q> is not being used for normal entry into and exit from containment. Each door is designed to withstand the peak containment pressure calculated to occur following a DBA.
| |
| APFLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due i to the pressure and temperature limitations of these MODES.
| |
| In MODE 6, fuel handling evolutions are conducted. The requirements for the containment air locks during MODE 6 refueling operations -are addressed in LCO 3.9.3,
| |
| " Containment Penetrations". In MODES 5 and 6 with REDUCED RCS INVENTORY conditions, the. requirements of the containment air locks are addressed in LCO 3.6.11,
| |
| " Containment Penetrations - REDUCED RCS INVENTORY".
| |
| ACTIONS The ACTIONS are modified by a Note that allows entry and exit to perform repairs on the affected air lock component.
| |
| If the outer door is inoperable, then it may be easily accessed to repair. If the inner door is the one that is (continued)
| |
| SYSTEM 80+ B 3.6-9 Rev. 00 16A Tech Spec Bases l- . _ _ _ _ _ _ _ _ _ - -
| |
| | |
| Containment Air Locks B 3.6.2 O
| |
| BASES ACTIONS inoperable, then a short time exists when the containment (continued) boundary is not intact (during access through the outer door). The ability to open the OPERABLE door, even if it means the containment boundary is temporarily not intact, is acceptable because of the low probability of an event that could pressurize the containment during the short time in which the OPERABLE door is expected to be open. After each entry and exit, the OPERABLE door must be imrMiately closed. If ALARA conditions permit, entry and exit should be via an OPERABLE air lock.
| |
| A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each air lock. A third Note has been included that requires entry into the applicable Conditions and Required Actions of LC0 3.6.1, " Containment", when leakage results in exceeding the overall containunt leakage limit.
| |
| A.l. A.2.. and A.3 The Required Actions A.1, A.2, and A.3 have been modified by two Notes. Note 1 ensures that only the Required Actions h
| |
| and associated Completion Times of Condition C are required if both doors in the same air lock are inoperable. With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Note 2 allows use of the air lock for entry and exit for 7 days under administrative controls. Containment entry may be required to perform Technical Specifications (TS) Surveillances and Required Actions, as well as other activities on equipment inside containment that are required by TS or activities on equipment that support TS-required equipment. This Note is not intended to preclude performing other activities (i.e.,
| |
| non-TS-required activities) if the containment was entered, using the inoperable air lock, to perform an allowed activity listed above. This allowance is acceptable due to the low probability of an event that could pressurize the containment during the short time that the OPERABLE door is expected to be open.
| |
| With one air lock door inoperable or in one or more containment air lock (s), the OPERABLE door must be verified closed (Required Action A.1) in each affected containment air lock. This ensures that a leak tight containment (continued)
| |
| - SYSTEM 80+ B 3.6-10 Rev. 00 16A Tech Spec Bases
| |
| | |
| _ . _ _ _ _,_ _____.._.m_ .. _ _ __
| |
| n l I
| |
| 'i Containment Air Locks. i B 3.6.2 i BASES .
| |
| . ACTIONS .A.I.'A.2.. and A.3 (continued) -l
| |
| ' barrier is maintained by the use of an OPERABLE air lock l door. This action'eust be completed within I hour. This !
| |
| specified time period is consistent with the ACTIONS of-LCO l 1
| |
| 3.6.1 which requires containment to be restored to OPERABLE status within I hour.
| |
| ! In addition, the affected air lock penetration must be i isolated by locking closed an OPERABLE air lock door within i the 24 hour Completion Time. The 24 hour Completion Time is !
| |
| considered reasonable for' locking the operable air lock i door, considering the OPERABLE door of the affected air lock .
| |
| is being maintained closed. .
| |
| Required Action A.3 verifies that' an air lock with an inoperable door has been isolated by use of a locked and closed OPERABLE air lock door. This ensures that an
| |
| : acceptable containment leakage boundary is maintained. The i Completion Time ~ of once per 31 days is ba' sed on engineering judgment. Required _ Action A.3 is modified by a Note that applies to air lock doors ~1ocated in high radiation areas
| |
| " and allows these~ doors to be verified locked closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.
| |
| B.1. B.2. and B.3 With an air lock door interlock mechanism inoperable in one
| |
| ~
| |
| or more air locks, the Required Actions and associated Completion Times are consistent with those specified in
| |
| . Condition A.
| |
| i The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the same air lock are inoperable. With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the 1
| |
| : appropriate remedial actions.- Note 2 allows entry into and I c exit from containment under the control of a dedicated 1
| |
| ~ (continued)
| |
| - SYSTEM 80+ .
| |
| .B 3.6-11 Rev. 00
| |
| ..16A, Tech Spec Bases
| |
| . , . . - - - w
| |
| | |
| l Containment Air Locks B 3.6.2 O
| |
| BASES ,
| |
| ACTIONS B.l. B.2. and B.3 (continued) i individual stationed at the air lock to ensure that only one door is opened at a time (i.e., the individual performs the function of the interlock).
| |
| Required Action B.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to be verified locked closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access ,
| |
| to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.
| |
| C.I. C.2. and C.3 With one or more air locks inoperable for reasons other than those described in Condition A or 8, Required Action C.1 requires action to be initiated immediately to evaluate previous combined leakage rates per LC0 3.6.1,
| |
| " Containment", using current air lock test results. An evaluation is acceptable since it is overly conservative to immediately declare the containment inoperable if both doors in an air lock have failed a seal test or if the overall air lock leakage is not within limits. In many instances (e.g.,
| |
| only one seal per door has failed), containment remains l OPERABLE, yet only I hour (per LC0 3.6.1) would be provided l to restore the air lock door to OPERABLE status prior to l requiring a plant shutdown. In addition, even with both doors failing the seal test, the overall containment leakage rate can still be within limits. i l
| |
| Required Action C.2 requires that one door in the affected !
| |
| containment air lock must be verified to be closed. This i action must be completed within the I hour Completion Time.
| |
| This specified time period is consistent with the ACTIONS of LC0 3.6.1, which requires that containment be restored to OPERABLE status within I hour.
| |
| Additionally, the affected air lock (s) must be restored to OPERABLE status within the 24 hour Completion Time. The specified time period is considered reasonable for restoring I
| |
| (continued)
| |
| SYSTEM 80+ B 3.6-12 Rev. 00 16A Tech Spec Bases ,
| |
| l
| |
| | |
| i t
| |
| t Containment Air Locks !
| |
| B 3.6.2 :
| |
| : BASES ACTIONS: C.I. C.2. and C.3 (continued) an inoperable air lock to OPERABLE status, assuming that at
| |
| * least one door is maintained closed in each affected air
| |
| .l ock, ,
| |
| D.1 and D.2 !
| |
| I
| |
| . If the inoperable air lock cannot be restored to OPERABLE status within the required Completion Time, the plant must
| |
| :be placed to a MODE in which the LCO does not apply. To .i achieve this status, the plant must be brought to at least MODE 3 within six hours and to MODE 5 within 36 hours. The 4 allowed Completion Times are reasonable,. based on operating l experience, to reach the required plant conditions from full !
| |
| power conditions in an orderly manner and without ,
| |
| challenging plant systems.
| |
| 1
| |
| )
| |
| SURVEILLANCE SR 3.6.2.1 .
| |
| REQUIREMENTS
| |
| . Maintaining containment air locks OPERABLE requires compliance with the leakage rate test requirements of 10 CFR 50, Appendix J (Ref. 4), as modified by approved exemptions.
| |
| This SR reflects the leakage rate testing requirements with regard to air lock leakage (Type B leakage tests). The g acceptance criteria were established during initial air lock and containment OPERABILITY testing. The periodic testing requirements verify that the air lock leakage does not exceed the allowed fraction of the overall containment l leakage rate. The Frequency is required by Appendix J, as I modified by approved exemptions. Thus, SR 3.0.2 (which 1 allows Frequency extensions) does not apply. )
| |
| The SR has been modified by two Notes. Note 1 states that l an inoperable air lock door does not invalidate the previous i successful performance of the overall air lock leakage test. !
| |
| This is considered reasonable since either air lock door is i 4
| |
| capable of providing a fission product barrier in the event
| |
| * i I
| |
| i L
| |
| (continued) j
| |
| .) ,
| |
| . SYSTEM 80+' .
| |
| B 3.6-13 Rev. 00 l 16A Tech'. Spec Bases.. j
| |
| - , . , c. . . . - . ,
| |
| r , , . , - ___________.___-_---Ei
| |
| | |
| Containment Air Locks B 3.6.2 O
| |
| BASES SURVEILLANCE SR 3.6.2.1 (continued)
| |
| REQUIREMENTS of a DBA. Note 2 nas been added to this SR requiring the results to be evaluated against the acceptance criteria of SR 3.6.1.1. This ensures that air lock leakage is properly accounted for in determining the overall containment leakage rate.
| |
| SR 3.6.2 2 The air lock door interlock is designed to prevent simultaneous opening of both doors in a single air lock.
| |
| Since both the inner and outer doors of an air lock are designed to withstand the maximum expected post-accident containment pressure [48.1 psig], closure of either door will support containment OPERABILITY. Thus, the door interlock feature supports containment OPERABILITY while the air lock is being used for personnel transit into and out of containment. Periodic testing of this interlock demonstrates that the interlock will function as designed and that simultaneous opening of inner and outer door will not inadvertently occur. Due to the purely mechanical nature of this interlock, and given that the interlock mechanism is only challenged when containment is entered, this test is only required to be performed upon entering containment but is not required more frequently than every 184 days.
| |
| REFERENCES 1. 10 CFR 100.11, " Determination of Exclusion Area, Low Population Zone and Population Center Distance."
| |
| : 2. Chapter 15.
| |
| : 3. Chapter 6.
| |
| : 4. 10 CFR 50, Appendix J, " Primary Reactor Containment Leakage Testing for Water-Cooled Power Reactors."
| |
| O SYSTEM 80+ B 3.6-14 Rev. 00 16A Tech Spec Bases
| |
| | |
| 1 Containment Isolation Valves '
| |
| B 3.6.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.3 Containment Isolation Valves s
| |
| BASES BACKGROUND The containment structure serves to contain radioactive '
| |
| material which may be released from the reactor core following a Design Basis Accident (DBA), such that offsite ,
| |
| radiation exposures are maintained within the requirements '
| |
| of 10 CFR 100 (Ref. 1). The containment isolation valves form part of the containment pressure boundary and provide a means for fluid penetrations not serving accident consequence limiting systems to be provided with two isolation barriers that are closed on a Containment :'
| |
| Isolation Actuation Signal (CIAS). These isolation devices are either passive or active (automatic). Manual valves, de-activated automatic valves secured in their closed position (including check valves with flow through the valve ,
| |
| secured), blind flanges, and closed systems are considered
| |
| < passive devices. Check valves, or other automatic valves designed to close without operator action following an 7 accident, are considered active devices. ~Two barriers in l (V series are provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the accident analysis. One of these barriers may be a closed system.
| |
| Automatic containment isolation occurs upon receipt of a high containment pressure signal or Safety Injection Actuation Signal (SIAS). The CIAS closes automatic containment isolation valves in fluid penetrations not required for operation of engineered safeguards systems in order to prevent leakage of radioactive material. Other penetrations are isolated by the use of valves in the closed position or blind flanges. As a result, the containment ;
| |
| isolation valves (and blind flanges) help ensure that the containment atmosphere will be isolated in the event of a release of radio:ctiva material to containment atmosphere ,
| |
| from the RCS following a DBA. OPERABILITY of the Containment Isolation valves (and blind flanges) ensures ,
| |
| containment integrity is maintained during accident conditions.
| |
| /3 .
| |
| A)
| |
| \
| |
| (continued) l
| |
| . SYSTEM 80+ B 3.6-15 Rev. 00 16A Tech Spec Bases ;
| |
| | |
| Containment Isolation Valves B 3.6.3 O
| |
| BASES BACKGROUND Redundant Containment Isolation Valves are designed, (continued) constructed, and tested in accordance with ASME Section III, Class 2. The valves are leak-tested periodically to verify acceptability of seat leakage.
| |
| The OPERABILITY requirements for containment isolation valves help ensure that containment leak tightness is maintained during and after an accident by minimizing potential leakage paths to the environment. Therefore, the OPERABILITY requirements provide assurance that containment leakage rates assumed in the accident analysis will not be exceeded.
| |
| Containment purge valves were designed for intermittent operation. The containment high volume purge system and low volume purge system purge the containment atmosphere to the unit vent. The high volume purge system operates before and during personnel entries to reduce airborne radioactivity. The low volume purge system is a pressure relief system that is used to relieve containment pressure during start-up or shutdown. The high volume purge and low volume purge supply and exhaust lines are each supplied with ,
| |
| inside and outside containment isolation valves. These l containment isolation valves (with the exception of check 4 valves used as containment isolation valves) are operated l manually from the control room. The valves (except check i valves) will close automatically upon receipt of a i Containment Isolation Actuation Signal (CIAS). Air operated i valves fail closed upon a loss of instrument air. !
| |
| Because of their large size, the high volume purge containment isolation valves may not be able to close under DBA conditions. Therefore, the high volume purge containment isolation valves (supply and exhaust) are normally maintained closed in MODES 1,2,3, and 4 to ensure leak tightness.
| |
| Open high volume purge valves or failure of the low volume purge valves to close, following an accident that releases contamination to the atmosphere, would cause a significant increase in the co1tainment leakage rate.
| |
| O (continued) ;
| |
| SYSTEM 80+ B 3.6-16 Rev. 00 16A Tech Spec Bases
| |
| | |
| r Containment Isolation Valves B 3.6.3 BASES (continued)
| |
| APPLICABLE The containment isolation valve LC0 was derived from the SAFETY ANALYSES requirements related to the control of offsite radiation doses resulting from major accidents. As delineated in 10 CFR 100, the determination of exclusion areas and low population zones surrounding a proposed site must consider a fission product release from the core with offsite release based upon the expected demonstrable leak rate from the containment. This LC0 is intended to ensure the offsite dose limits are not exceeded (actual containment leak rate does not exceed the value assumed in the safety analysis).
| |
| As part of the containment boundary, containment isolation valve and containment purge valve OPERABILITY support leak tightness of the containment. Therefore, the safety analysis of any event requiring isolation of containment is applicable to this LCO. ,
| |
| The DBAs which result in a release of radioactive material within ccdnment are a Loss of Coolant Accident (LOCA), a ,
| |
| Main Steam Line Break (MSLB), a Main Feedwater Line Break t (MFLB), or a Control Element Assembly (CEA) ejection i s accident. In the analysis for each of these accidents, it i s is assumed that containment isolation valves are either ;
| |
| closed or function to close within the required isolation time following event initiation. This ensures that potential leakage paths to the environment throvgh containment isolation valves (including containrAnt purge valves) are minimized.
| |
| Containment isolation valve closure time should be less than 1 minute regardless of valve size. However, valves in lines that provide a direct path to the environment require shorter isolation times. Time frames greater than 5 seconds have been evaluated by the radiological analyses.
| |
| The acceptance criteria applied to accidental releases of radioactive material to the environment are given in terms of total radiation dose received by a member of the general public who remains at the exclusion area boundary for two hours following the onset of a postulated fission product release. The limits established in Reference 1 are a whole body dose of 25 Rem or a 300 Rem dose to the thyroid from iodine exposure, or both, i
| |
| G (continued) .
| |
| SYSTEM 80+ B 3.6-17 Rev. 00 16A Tech Spec Bases
| |
| | |
| I l
| |
| Containment Isolation Valves B 3.6.3 O
| |
| BASES APPLICABLE The LOCA analysis assumes that the containment low volume SAFETY ANALYSES purge is isolated within [30 seconds] of a CIAS, e.g. l (continued) isolation of the containment is complete and leakage :
| |
| terminated except for the design leak rate, La. The total !
| |
| response time of [30 seconds] includes signal delay, diesel generator startup (for loss of offsite power), and containment isolation valve stroke times. The remaining accident analyses reflect longer isolation times.
| |
| The single failure criteria required to be imposed in the conduct of unit safety analyses was considered in the design of the containment purge valves. Two valves in series on each purge line provide assurance that both the supply and exhaust lines could be isolated even if a single failure occurred. The inboard and outboard isolation valves on each line are provided with diverse power sources. This arrangement was designed to preclude common mode failures from disabling both valves on a purge line.
| |
| The high volume purge valves may be unable to close in the j environment following a LOCA. Therefore, each of the high j volume purge valves is required to remain closed during !
| |
| MODES 1, 2, 3 and 4. In this case, the single failure l criteria remain applicable to the containment purge valves i due to failure in the control circuit associated with each I valve. Again, the purge system valve design precludes a l single failure from compromising containment OPERABILITY as long as the system is operated in accordance with the subject LCO.
| |
| The low volume ' urge valves are capable of closing under i accident condi .ons. Therefore, they are allowed to be open I for limited periods during power operation.
| |
| The containment isolation valves satisfy Criterion 3 of the NRC Policy Statement, i
| |
| LCO Containment isolation valves form a part of the containment i boundary. The cortainment isolation valve safety function l is related to control of offsite radiation exposures I resulting from a DBA. This LCO addresses containment I isolation valve structural integrity, stroke time, and ,
| |
| containment purge valve leakage. The other containment (continued) i SYSTEM 80+ B 3.6-18 Rev. 00 16A Tech Spec Bases I i
| |
| | |
| Containment Isolation Valves B 3.6.3 p 1 1
| |
| N)
| |
| BASES LCO isolation valve leakage rates are addressed by LC0 3.6.1, (continued) " Containment," under Type C testing.
| |
| The automatic power operated isolation valves are required to have isolation times within limits and to actuate on an automatic isolation signal. The purge valves must be maintained sealed closed. The valves covered by this LC0 are listed with their associated stroke times in Chapter 6.
| |
| The normally closed isolation valves are considered OPERABLE when manual valves are closed, automatic valves are de-activated and secured in their closed position, blind flanges are in place, and closed systems are intact.
| |
| Purge valves with resilient seals [and secondary containment bypass valves] must meet additional leakage rate :
| |
| requirements. The other containment isolation valve leakage l rates are addressed by LCO 3.6.1, " Containment," as Type C )
| |
| testing. l
| |
| /^ This LC0 provides assurance that the containment isolation
| |
| ()T valves and purge valves will perform their designed safety function to mitigate the consequences of accidents that could result in offsite exposure comparable to the Reference 3 limits.
| |
| APPLICABILITY In MODES 1, 2, 3 and 4, a DBA could cause a release of radioactive material to containment. However, in MODES 5 and 6 when not in REDUCED RCS INVENTORY, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the containment isolation valves are not required to be OPERABLE and the purge valves are not required to be sealed closed in MODE 5, unless in REDUCED RCS INVENTORY. In MODE 6, fuel handling evolutions are conducted. The requirements i for containment isolation valves and containment purge l valves during MODES 5 and 6 are addressed in LCOs 3.9.3, i
| |
| " Containment Penetrations" and 3.6.11, " Containment Penetrations - REDUCED RCS INVENTORY Operations." l 4
| |
| O V
| |
| (continued)
| |
| SYSTEM 80+ B 3.6-19 Rev. 00 16A Tech Spec Bases
| |
| | |
| Containment Isolation Valves B 3.6.3 9
| |
| BASES (continued)
| |
| ACTIONS The ACTIONS are modified by a Note allowing penetration flow paths, except for [24] inch purge valve penetration flow paths, to be unisolated intermittently under administrative controls. Due to the size of the containment purge line penetration and the fact that those penetrations exhaust directly from the containment atmosphere to the environment, these valves may not be opened under administrative controls.
| |
| A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each penetration flow path.
| |
| The ACTIONS are further modified by a third Note, which ensures that appropriate remedial actions are taken, if necessary, if the affected systems are rendered inoperable by an inoperable containment isolation valve.
| |
| A fourth Note has been added that requires entry into the applicable Conditions and Required Actions of LC0 3.6.1 when leakage results in exceeding the overall containment leakage limit.
| |
| A.1 and A.2 In the event one containment isolation valve in one or more penetration flow paths is inoperable (except for purge valve leakage and shield building bypass leakage not within limit], the affected penetration flow path must be isolated.
| |
| The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic containment isolation valve, a closed manual valve, a blind flange, and a check valve with flow through the valve secured. For penetrations isolated in accordance with Required Action A.1, the valve used to isolate the penetration should be the closest available one to containment. Required Action A.1 must be completed within the 4 hour Completion Time. The 4 hour Completion Time is reasonable, considering the time required to isolate the penetration and the relative importance of supporting containment OPERABILITY during MODES 1, 2, 3 and 4.
| |
| (continued)
| |
| SYSTEM 80+ B 3.6-20 Rev. 00 16A Tech Spec Bases
| |
| | |
| Containment Isolation Valves n B 3.6.3 BASES 1
| |
| ACTIONS A.1 and A.2 (continued)
| |
| I For affected penetrations which cannot be restored to l OPERABLE status within the 4 hour Completion Time and that .
| |
| have been isolated in accordance with Required Action A.1, 4 the affected penetration flow path must be verified to be isolated on a periodic basis. This is necessary to ensure i that containment penetrations required to be isolated following an accident and no longer capable of being ,
| |
| automatically isolated will be in the isolation position should an event occur. This Required Action does not require any testing or valve manipulation. Rather, it involves verification, through a system walkdown, that those isolation devices outside containment and capable of being mispositioned are in the correct position. The Completion Time of "once per 31 days for isolation devices outside containment" is appropriate considering the fact that the i valves are operated under administrative controls and the probability of their misalignment is low. For the isolation ;
| |
| devices inside containment, the time period specified as
| |
| (] " prior to entering MODE 4 from MODE 5 if not performed V within the previous 92 days" is based on engineering .
| |
| Judgment and is considered reasonable in view of the inaccessibility of the isolation devices and other administrative controls that will ensure that isolation ,
| |
| device misalignment is an unlikely possibility.
| |
| Condition A has been modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two containment isolation valves. For penetration flow paths with only one containment isolation valve and a closed system, Condition C provides appropriate actions.
| |
| Required Action A.2 is modified by a Note that applies to !
| |
| valves and blind flanges located in high radiation areas and allows these valves to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of these valves, once they have been verified to be in the proper position, is small.
| |
| (]
| |
| b (continued)
| |
| SYSTEM 80+ B 3.6-21 Rev. 00 16A Tech Spec Bases
| |
| | |
| I Containment Isolation Valves B 3.6.3 BASES ACTIONS IL1 (continued)
| |
| With two containment isolation valves in one or more penetration flow paths inoperable {except for purge valve leakage and shield building bypass leakage not within limit], the affected penetration flow path must be isolated within I hour. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange.
| |
| The I hour Completion Time is consistent with the ACTIONS of LC0 3.6.1. In the event the affected penetration is isolated in accordance with Required Action B.1, the affected penetration must be verified to be isolated on a periodic basis per Required Action A.2, which remains in effect. This periodic verification is necessary to assure leak tightness of containment and that penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration flow path is isolated is appropriate considering the fact that the valves are operated under administrative controls and the probability of their misalignment is low.
| |
| Condition B is modified by a Note indicating this Condition is only applicable to penetration flow paths with two :
| |
| containment isolation valves. Condition A of this LC0 !
| |
| addresses the condition of one containment isolation valve I I
| |
| inoperable in this type of penetration flow path.
| |
| C.1 and C.2 With one or more penetration flow paths with one containment isolation valve inoperable, the inoperable valve must be !
| |
| restored to OPERABLE status or the affected penetration flow l path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation i barriers that meet this criterion are a closed and de- I activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration. Required Action C.1 must be completed 1 within the [4] hour Completion Time. The specified time (continued) 9 !
| |
| l SYSTEM 80+ B 3.6-22 Rev. 00 i 16A Tech Spec Bases !
| |
| | |
| i t.
| |
| Containment Isolation' Valves I B 3.6.3 i BASES .
| |
| -ACTIONS C.1 and C.2 (continued) )
| |
| period is reasonable, considering the relative stability of r the closed system (hence, reliability) to act as a i penetration isolation boundary and the. relative importance i
| |
| ! of supporting containment OPERABILITY during MODES 1, 2, 3, ,
| |
| and 4. In the event the affected penetration is isolated in ;
| |
| ' accordance.with Required' Action C.1, the affected ;
| |
| i- penetration flow path must be verified to be isolated on a ;
| |
| periodic basis. .This. is necessary~ to assure leak tightness . !
| |
| of containment and that containment penetrations requiring !
| |
| isolation following an accident are isolated. The .
| |
| Completion Time of once per 31 days for verifying that each i affected penetration flow path is isolated is appropriate >
| |
| l
| |
| > considering the valves are operated under administrative !
| |
| controls and the probability of their misalignment is low. i l '
| |
| Condition C is modified by a Note indicating that this ,
| |
| j~ Condition'is only applicable to those penetration flow paths with only one containment isolation valve and a closed
| |
| - - system. This Note is necessary since this Condition is ;
| |
| written to specifically. address those penetration flow paths !
| |
| '~
| |
| in a closed system. )
| |
| Required Action C.2 is modified by a Note that applies to valves and blind flanges located in high radiation areas and allows these devices to be verified closed by use of i
| |
| administrative means. Allowing verification by administrative means is considered acceptable, since access L t:: these areas is typically restricted. Therefore, the probability of misalignment of these valves, once they have been verified to be in the proper position, is small. ,
| |
| i l 4
| |
| (With the secondary containment bypass leakage rate not within limit, the assumptions of the safety analysis are not met. Therefore, the leakage must be restored to within
| |
| -limit within 4 hours. Restoration can be accomplished by ]
| |
| isolating the penetration (s) that caused the limit to be exceeded by use of one closed and de-activated automatic valve, closed manual valve, or blind flange. When a !
| |
| penetration'is isolated, the leakage rate for the isolated j
| |
| . penetration is assumed to be the actual pathway leakage i 1
| |
| (continued)
| |
| SYSTEM 80+ _
| |
| B 3.6-23 Rev. 00 16A Tech Spec. Bases a- p 3 .- ,- -,,.=n- , , , , ,.-n-
| |
| ,- a- - --. -- -e *
| |
| * Containment Isolation Valves B 3.6.3 O
| |
| BASES ACTIONS {L1 (continued) through the isoistion device. If two isolation devices are used to isolate ;he penetration, the leakage rate is assumed to be the lesser actual pathway leakage of the two devices. -
| |
| The 4 hour Completion Time is reasonable considering the time required to restore the leakage by isolating the penetration (t) and the relative importance of secondary containment bypass leakage to the overall containment function.]
| |
| 1 E.1. E.2. and E.3 i
| |
| In the event one or more containment purge valves in one or more penetration flow paths are not within the purge valve leakage limits, purge valve leakage must be restored to ,
| |
| within limits, or the affected penetration must be isolated. l The method of isolation must be by the use of at least one )
| |
| isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a [ closed and de-activated automatic valve with resilient seals, a closed manual valve with resilient seals, or a blind flange]. A purge valve with resilient seals utilized to satisfy Required Action E.1 must have been demonstrated to meet the leakage requirements of SR 3.6.3.6.
| |
| The specified Completion Time is reasonable, considering that one containment purge valve remains closed so that a gross breach of containment does not exist.
| |
| In accordance with Required Action E.2, this penetration flow path must be verified to be isolated on a periodic basis. The periodic verification is necessary to ensure that containment penetrations required to be isolated following an accident, which are no longer capable of being automatically isolated, will be in the isolation position should an event occur. This Required Action does not require any testing or valve manipulation. Rather, it involves verification, through a system walkdown, that those being mispositioned are in the correct position. For the isolation devices inside containment, the time period specified as " prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the inaccessibility of the isolation devices and other (continued)
| |
| SYSTEM 80+ B 3.6-24 Rev. 00 16A Tech Spec Bases
| |
| | |
| Containment Isolation Valves B 3.6.3 BASES ACTIONS- E.1. E.2. and E.3 (continued) administrative controis that will ensure that isolation device misalignment is an unlikely possibility.
| |
| For the containment purge valve with resilient seal that is isolated in accordance with Required Action E.1, SR 3.6.3.6 must be performed at least once every [92] days. This assures that degradation of the resilient seal is detected and confirms that the leakage rate of the containment purge valve does not increase during the time the penetration.is isolated. The normal Frequency for SR 3.6.3.6, 184 days, is based on an NRC initiative, Generic Issue B-20 (Ref. 4).
| |
| Since more reliance is placed on a single valve while in this Condition, it is. prudent to perform the SR more often.
| |
| Therefore, a Frequency of once per [92] days was chosen and has been shown to be acceptable based on operating experience.
| |
| F.1 and F.2 If the Required Actions and associated Completion Times are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.6.3.1 REQUIREMENTS
| |
| [Each [24-inch] containment purge valve is required to be verified sealed closed at 31 day intervals. This Surveillance is designed to ensure that a gross breach of containment is not caused by an inadvertent or spurious-opening of a containment purge. valve. Detailed analysis of the purge valves failed to conclusively demonstrate their ability to close during a LOCA in time to prevent offsite
| |
| -dose limits from exceeding 10 CFR 100' limits (Ref. 1).
| |
| Therefore, these valves are required to be sealed closed position during MODES 1, 2, 3 and 4. A containment purge O (continued)
| |
| SYSTEM 80+ B 3.6-25 Rev. 00
| |
| :16A. Tech Spec-Bases i
| |
| f-
| |
| | |
| Containment Isolation Valves B 3.6.3 BASES 9
| |
| SURVEILLANCE SR 3.6.3.1 (continued)
| |
| REQUIREMENTS valve that is closed must have motive power to the valve operator removed. This can be accomplished by deenergizing the source of electric power or removing the air supply to the valve operator. In this application, the term " sealed" has no connotation of leak tightness. The Frequency is a result of an NRC initiative, Generic Item B-24, related to !
| |
| l containment purge valve use during plant operations (Ref.
| |
| l 5).]
| |
| SR 3.6.3.2 This SR ensures the [six inch] purge valves are closed as required, or, if open, open for an allowable reason. The SR is not required to be met when the purge valves are open for pressure control, ALARA, and air quality considerations for personnel entry, and for Surveillance that require the valves to be open. The [six inch] purge valves are capable of closing in the environment following a LOCA. Therefore, these valves are allowed to be open for limited periods of time. The 31 day Frequency is consistent with other containment isolation valve requirements discussed under SR 3.6.3.3.
| |
| SR 3.6.3.3 This SR requires verification that each containment isolation manual valve and blind flange located outside containment and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification, through a system walkdown, that those valves outside containment and capable of being mispositioned are in the correct position. Since verification of valve position for valves outside containment is relatively easy, the 31 day Frequency is based on engineering judgment and was chosen to provide added assurance of the correct positions. Valves that are open under administrative controls are not required to meet the SR during the time the valves are open.
| |
| (continued)
| |
| SYSTEM 80+ B 3.6-26 Rev. 00 16A Tech Spec Bases
| |
| | |
| Containment Isolation Valves B 3.6.3 q
| |
| V t BASES SURVEILLANCE SR 3.6.3.3 (continued)
| |
| REQUIREMENTS The Note applies to valves and blind flanges located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is conside' red acceptable, since access to these areas is typically restricted during MODES 1, 2, 3 and 4 for ALARA reasons.
| |
| Therefore, the probability of misalignment of these valves, once they have been verified to be in the proper position, is small.
| |
| t SR 3.6.3.4 i
| |
| This SR requires verification that each containment isolation manual valve and blind flange located inside containment and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the p containment boundary is within design limits. For valves i inside containment, the Frequency of " prior to entering MODE j U 4 from MODE 5 if not performed within the previous 92 days" is appropriate, since these valves and flanges are operated under administrative controls and the probability of their misalignment is low. Valves that are open under
| |
| , administrative controls are not required to meet the SR during the time that they are open.
| |
| The Note allows valves and blind flanges located in high j radiation areas to be verified closed by use of l administrative means. Allowing verification by administrative means is considered acceptable, since the primary containment is inerted and access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA i reasons. Therefore, the probability of misalignment of I
| |
| these valves, once they have been verified to be in their proper position, is small.
| |
| SR 3.6.3.5 i
| |
| Verifying that the isolation time of each power-operated and automatic containment isolation valve is within limits is l required to demonstrate OPERABILITY. The isolation time ;
| |
| (continued) i SYSTEM 80+ B 3.6-27 Rev. 00 i 16A Tech Spec Bases
| |
| | |
| Containment Isolation Valves B 3.6.3 O
| |
| BASES SURVEILLANCE SR 3.6.3.5 (continued)
| |
| REQUIREMENTS test ensures the valve will isolate in a time period less than or equal to that assumed in the safety analysis. The isolation time and Frequency of this SR are in accordance with the Inservice Testing Program or 92 days.
| |
| SR 3.6.3.6 For containment purge valves with resilient seals, additional leakage rate testing beyond the test requirements of 10 CFR 50, Appendix J (Ref. 6), is required to ensure OPERABILITY. Operating experience has demonstrated that this type of seal has the potential to degrade in a shorter time period than do other seal types. Based on this observation and the importance of maintaining this penetration leak tight (due to the direct path between containment and the environment), a Frequency of 184 days was established as part of the NRC resolution of Generic Issue B-20, " Containment Leakage Due to Seal Deterioration" (Ref. 4). h Additionally, this SR must be performed within 92 days after opening the valve. The 92 day Frequency was chosen recognizing that cycling the valve could introduce additional seal degradation (beyond that occurring to a valve that has not been opened). Thus, decreasing the interval (from 184 days) is a prudent measure after a valve has been opened.
| |
| A Note to this SR requires the results to be evaluated against the acceptance criteria of SR 3.6.1.1. This ensures that excessive containment purge valve leakage is properly accounted for in determining the overall containment leakage rate to verify containment OPERABILITY.
| |
| SR 3.6.3.7 Automatic containment isolation valves close on a Containment Isolation Actuation Signal (CIAS) to prevent leakage of radioactive material from containment following a DBA.
| |
| (continued)
| |
| SYSTEM 80+ B 3.6-28 Rev. 00 16A Tech Spec Bases
| |
| | |
| i Containment Isolation Valves B 3.6.3 O BASES l
| |
| SURVEILLANCE SR 3.6.3.7-(continued) :
| |
| REQUIREMENTS '
| |
| This SR ensures each automatic containment isolation valve will actuate to its isolation position on a Containment i Isolation Actuation Signal. The [18] month Frequency was ,
| |
| developed considering it is prudent that this SR be ,
| |
| performed only during a unit outage, since isolation of ;
| |
| penetrations would eliminate cooling water flow and disrupt !
| |
| i normal operation of many critical components. Operating experience has shown that these components usually pass this i j
| |
| SR when performed on the [18] month Frequency. Therefore, the Frequency was concluded to be acceptable from a i reliability standpoint.
| |
| SR 3.6.3.8
| |
| .[This SR ensures that the combined leakage rate of all secondary containment bypass leakage paths is less than or equal to the specified leakage rate. This provides n assurance that the assumptions in the safety analysis are
| |
| ( met. The leakage rate of each bypass leakage path is assumed to be the maximum pathway leakage (leakage through the worse of the two isolation valves) unless the penetration is isolated by use of one closed and deactivated automatic valve, closed manual valve, or blind flange. In this case, the leakage rate of the isolated bypass leakage path is assumed to be'the actual pathway leakage through the ;
| |
| isolation device. If both isolation valves in the i penetration are closed, the actual leakage rate is the lesser leakage rate of the two valves. This method of quantifying maximum pathway leakage is only' to be used for this SR (i.e., Appendix J maximum pathway leakage limits are to be quantified in accordance with Appendix J). The [18]
| |
| month Frequency was developed considering it is prudent that this Surveillance be performed only during unit outage. !
| |
| Operating experience has shown that these components usually pass this SR when performed at the [18] month Frequency.
| |
| Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. A Note has been added to this SR requiring the results to be evaluated against the acceptance criteria of SR 3.6.1.1. This ensures that shield building bypass leakage is properly accounted for in determining the overall primary containment leakage rate.] i O (continued)
| |
| ' SYSTEM 80+- .
| |
| B 3.6-29 Rev. 00 16A Tech Spec Bases ;
| |
| | |
| 1 Containment Isolation Valves B 3.6.3 O i BASES (continued) l I
| |
| REFERENCES 1. 10 CFR 100.11, " Determination of Exclusion Area, Low '
| |
| Population Zone, and Population Center Distance."
| |
| : 2. Cnapter 6.
| |
| : 3. Chapter 15.
| |
| : 4. Generic Issue (GI B-20), " Containment Leakage Due to Seal Deterioration."
| |
| : 5. NRC Generic Item B-24, " Purge Valve Reliability."
| |
| : 6. 10 CFR 50, Appendix J, " Primary Reactor Containment Leakage Testing for Water-Cooled Power Reactors."
| |
| O O
| |
| SYSTEM 80+ B 3.6-30 Rev. 00 16A Tech Spec Bases [
| |
| | |
| Containment Pressure
| |
| + B 3.6.4 8 3.6 CONTAINMENT SYSTEMS B 3.6.4 Containment Pressure ,
| |
| 4
| |
| ; BASES. .
| |
| BACKGROUND The containment structure serves to contain radioactive i material.which may be released from the reactor core l following a Design. Basis Accident (DBA), such that offsite :
| |
| radiation exposures are. maintained within the requirement of 10 CFR 100 (Ref. 1). The containment pressure is limited ,
| |
| during normal operation to preserve the initial conditions- .
| |
| assumed in the accident analyses for a Loss of Coolant Accident (LOCA) or Main Steam Line Break (MSLB). These limits also prevent the containment pressure from exceeding L the containment design negative pressure differential with
| |
| , respect to the outside atmosphere in the event of inadvertent actuation of the Containment Spray System.
| |
| Containment pressure is a process variable which is i monitored and controlled during MODES 1 through 4. The !
| |
| containment pressure limits are derived from the input _
| |
| conditions used in the containment functional analyses and i l
| |
| the containment structure external pressure analysis.
| |
| Should operation occur outside these limits coincident with a Design Basis Accident (DBA), a loss of containment integrity may result. Loss of containment integrity could cause site boundary doses, due to a DBA, to exceed values given in Reference 3.
| |
| APPLICABLE The limits for containment pressure ensure that operation is SAFETY ANALYSIS maintained within the design and accident analysis bases for i containment. The accident analyses and evaluations considered both LOCAs and MSLBs for determining the maximum ;
| |
| peak containment pressure (Pa) of [48.1) psig. A double-ended rupture of a main steam line at [0%] THERMAL POWER concurrent with a loss of one containment spray division results in the highest calculated internal containment pressure, [48.1] psig. This is below the internal design pressure of [53] psig. The MSLB event bounds the LOCA event from the containment peak pressure standpoint.
| |
| O (continued)
| |
| B 3.6-31 Rev. 00
| |
| .16A SYSTEM 80+.
| |
| Tech Spec Bases l
| |
| | |
| Containment Pressure B 3.6.4 O
| |
| BASES APPLICABLE The initial pressure condition used in the containment SAFETY ANALYSES analysis was [15.1) psia ([0.4] psig). The maximum (continued) containment pressure resulting from the limiting DBA, [48.1]
| |
| psig, does not exceed the containment design pressure, [53]
| |
| psig. The containment was also designed for an internal pressure equal to [2.0] psid below external pressure to withstand the resultant pressure drop from accidental actuation of the Containment Spray System. The maximum calculated differential pressure which would occur as a result of an inadvertent actuation of the Containment Spray System is [-1.83] psid, starting with an initial pressure of
| |
| [-0.4] psig. The LC0 limit of [-0.4] psig ensures that operation within design limits of [-2.0] psid is maintained.
| |
| Containment pressure satisfies Criterion 2 of the NRC Policy Statement.
| |
| LCO Maintaining containment pressure less than or equal to the LC0 upper pressure limit ensures that, in the event of a DBA, the resultant peak containment accident pressure will <
| |
| remain below the containment design pressure. Maintaining containment pressure greater than or equal to the LC0 lower pressure limit ensures the containment will not exceed the design negative differential pressure following the inadvertent actuation of the Containment Spray System.
| |
| 1 APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of i radioactive material to containment. Since maintaining ]
| |
| containment pressure within limits is essential to ensure initial conditions assumed in the accident analysis are maintained, the LC0 is applicable in MODES 1, 2, 3, and 4.
| |
| In MODES 5 and 6 the probability and consequences of a DBA are reduced due to the pressure and temperature limitations of these MODES.
| |
| 1 l
| |
| l O
| |
| (continued)
| |
| SYSTEM 80+ B 3.6-32 Rev. 00 !
| |
| 16A Tech Spec Bases
| |
| | |
| l l
| |
| Containment Pressure B 3.6.4 lp I (./
| |
| BASES (continued)
| |
| ACTIONS L.].
| |
| When containment pressure is not within the limits of the LCO, containment pressure must be restored within these limits within I hour. The Required Action is necessary to return operation to within the bounds of the containment analysis. The I hour Completica Time is consistent with the ACTIONS of LCO 3.6.1, " Containment," which requires the containment be restored to OPERABLE status within I hour.
| |
| 8.1 and B.2 If containment pressure cannot be restored within limits within the required Completion Time, the plant must be placed in a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within six hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full A power conditions in an orderly manner and without V challenging plant systems.
| |
| SURVEILLANCE SR 3.6.4.1 REQUIREMENTS Verifying containment pressure is within limits ensures that operation remains within the limits assumed in the containment analysis. The 12 hour Frequency of this SR was developed after taking into consideration operating experience related to containment pressure variations and pressure instrument drift during the applicable MODES, and the low probability of a DBA occurring between surveillances. Furthermore, the 12 hour Frequency is considered adequate in view of other indications in the control room, including alarms, to alert the operator of an abnormal containment pressure condition.
| |
| O (continued)
| |
| SYSTEM 80+ B 3.6-33 Rev. 00 16A_ Tech Spec Bases
| |
| | |
| Containment Pressure B 3.6.4 BASES (continued)
| |
| REFERENCES 1. 10 CFR 100.11, " Determination of Exclusion Area, Low Population Zone, and Population Center Distance."
| |
| : 2. Chapter 6.
| |
| : 3. Chapter 15.
| |
| O 9
| |
| SYSTEM 80+ B 3.6-34 Rev. 00 16A Tech Spec Bases e
| |
| | |
| i l i l- -;
| |
| Containment Air Temperature i r B 3.6.5 i l- :
| |
| r ~
| |
| B 3.6 CONTAINMENT-SYSTEMS !
| |
| B 3.6.5 Containment Air Temperature ;
| |
| , o BASES i
| |
| BACKGROUND The containment structure serves to contain radioactive material which may be released from the reactor core following a Design Basis Accident (DBA), such that offsite i radiation exposures are maintained within the requirements l of 10 CFR 100 (Ref.1). The containment average. air j temperature is limited during normal operation to preserve 4 the initial conditions assumed in the accident analyses for j j
| |
| a Loss of Coolant Accident (LOCA) or Main Steam Line Break (MSLB). Containment air temperature is a process variable i which is monitored and controlled during MODES 1 through 4. :
| |
| Temperature measurements from specified locations are i I
| |
| combined to determine an average air temperature.
| |
| The containment average air temperature limits are derived I from the input conditions used in the containment functional !
| |
| analyses and the containment structure external pressure l analyses. This LCO ensures that initial conditions assumed O in the analysis of containment response to a DBA are not violated during unit operations. The total amount of energy to be removed from containment by the Containment Spray System during post accident conditions is dependent on the energy released to the containment due to the event, as well as the initial containment temperature and pressure. The higher the initial temperature, the more energy that must be removed, resulting in a higher peak containment pressure and temperature. Should operation occur outside containment average air temperature limits concurrent with a DBA, a loss of containment integrity or a violation of NRC LOCA acceptance criteria may result. Loss of containment integrity could cause site boundary doses, due to a design basis MSLB, to exceed values given in Reference 3. I APPLICABLE Containment average air temperature is an initial condition SAFETY ANALYSIS used in the DBA analyses that establishes the containment environmental qualification operating envelope for both pressure and temperature. The limit for containment average air temperature' ensures that operation is maintained within i the DBA analysis assumptions for containment. The accident 1 (continued).
| |
| SYSTEM 80+ B 3.6-35 Rev. 00
| |
| '16A; Tech Spec Bases
| |
| | |
| Containment Air Temperature B 3.6.5 O
| |
| BASES APPLICABLE analyses and evaluations considered both LOCAs and MSLBs for SAFETY ANALYSES determining the maximum peak containment pressures and (continued) temperatures. The worst case MSLB generates larger mass and energy releases than the worst case LOCA. Thus, the MSLB event bounds the LOCA event from the containment peak pressure and temperature standpoint. The initial pre-accident temperature inside containment was assumed to be
| |
| [110 F] (Ref. 3).
| |
| The initial containment average air temperature condition of
| |
| [110 F] resulted in a maximum vapor temperature in containment of [410.5'F]. The containment average temperature limit of [110 F] ensures that in the event of an accident, the maximum design temperature for containment of
| |
| [290*F] is not exceeded. The consequence of exceeding this design temperature may be the potential for degradation of the containment structure under accident loads.
| |
| Containment average air temperature satisfies Criterion 2 of the NRC Policy Statement.
| |
| O LC0 During a DBA, with an initial containment average temperature less than or equal to the LC0 temperature limit, the resultant peak accident pressure and temperature is maintained below the containment design limits. As a ,
| |
| result, the ability of containment to perform its function !
| |
| is assured.
| |
| APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of I radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.
| |
| Therefore, maintaining containment air temperature limit is not required in MODES 5 or 6.
| |
| (continued)
| |
| O' SYSTEM 80+ B 3.6-36 Rev. 00 16A Tech Spec Bases
| |
| | |
| Containment Air Temperature B 3.6.5 O
| |
| BASES (continued) "
| |
| ACTIONS Ad With containment average air temperature not within the limit of the LCO, containment average air temperature must be restored within the 8 hour Completion Time. The Required Action must be taken to return operation to within the bounds of the containnent analysis. The 8 hour Completion ,
| |
| Time is acceptable considering the sensitivity of the analysis to variations in this parameter and provides sufficient time to correct minor problems or to prepare the plant for an orderly shutdown.
| |
| B.1 and B.2 If the containment average air temperature cannot be restored to within its limits within the required Completion Time the plant must be brought to a MODE in which the LC0 ,
| |
| does not apply. To. achieve this status, the plant must be i brought to at least MODE 3 within six hours and to MODE 5 r within 36 hours. The allowable Completion Times are
| |
| ( reasonable based on operating experience to reach the required plant conditions from full power conditions in an orderly manner and without challenging the plant systems.
| |
| SURVEILLANCE Sr 3.6.5.1 REQUIREMENTS Verifying the containment average air temperature is within the LC0 limit ensures that containment operation remains within the limits assumed for the containment analyses. In order to determine the average temperature, an arithmetic average is calculated using measurements taken at several locations within the containment selected to be a :
| |
| representative sample of the overall containment atmosphere. {
| |
| The 24 hour Frequency of this Surveillance is based on engineering judgment.
| |
| This SR is modified by a Note indicating the minimum temperature requirements are only applicable in MODES I and ,
| |
| 2.
| |
| O (continued) l SYSTEM 80+ B 3.6-37 Rev. 00 ;
| |
| 16A Tech Spec Bases l l
| |
| | |
| Containment Air Temperature B 3.6.5 O
| |
| BASES (continued)
| |
| REFERENCES 1. 10 CFR 100.11, " Determination of Exclusion Area, Low Population Zone, and Population Center Distance."
| |
| : 2. Chapter 6.
| |
| : 3. Chapter 15.
| |
| O l
| |
| 1 i
| |
| O SYSTEM 80+ B 3.6-38 Rev. 00 l
| |
| 16A Tech Spec Bases 1 l
| |
| | |
| Containment Spray System B 3.6.6
| |
| '(
| |
| 1- B 3.6 CONTAINMENT SYSTEMS B 3.6.6 Containment Spray System i
| |
| BASES BACKGROUND The Containment Spray System provides containment atmosphere cooling to limit post-accident building temperature and pressure to less than the design values ([53] psig and
| |
| [290'F]). Additionally, it reduces the release of radioactive material from the containment in the event of a primary or secondary break (the limiting events are a Loss of Coolant Accident (LOCA) and a Main Steam Line Break (MSLB)) in two ways:
| |
| : 1. Reduction of containment pressure to nearly l atmospheric pressure thereby reducing the potential leakage rate from containment; and
| |
| : 2. The spray system minimizes the fission product inventory in the building atmosphere by removal of particulates through mechanism such as impaction, diffusiophoresis and through the absorption of
| |
| >O volatile species such as molecular iodine by the spray droplets.
| |
| In the event of a LOCA or MSLB, the Containment Spray System sprays IRWST water into the containment atmosphere to reduce the post-accident energy and to remove fission product iodine. There are two redundant Containment Spray divisions. Each division consists of one pump, one containment spray heat exchanger, one containment spray header and associated piping, valves, instrumentation and controls. The pumps and remotely operated valves may be 4 operated from the control room. l A two out of four containment pressure high-high signal from the Engineered Safety Features Actuation System generates a Containment Spray Actuation Signal (CSAS) which initiates i containment spray operation. Upon receipt of a CSAS, the j Containment Spray Header isolation valve opens and the containment spray pump starts in each of the two redundant i divisions. The pumps take suction initially from the !
| |
| Incontainment Refueling Water Storage Tank (IRWST) and discharge through the containment spray heat exchangers and (continued)
| |
| SYSTEM 80+ B 3.6-39 Rev. 00 16A Tech Spec Bases
| |
| | |
| t Containment Spray System l
| |
| B 3.6.6 O
| |
| BASES BACKGROUND the spray header isolation valves and to their respective (continued) spray nozzle headers, then into the containment atmosphere.
| |
| The Containment Spray System is capable of removing sufficient decay heat from the containment atmosphere following a DBA accident to maintain containment pressure and temperature within design limits.
| |
| The Containment Spra'y System protects the integrity of the containment by limiting the temperature and pressure that could be expected following a DBA. Protection of adequate containment leaktightness prevents leakage of radioactive material from containment. Loss of adequate contaiiaent leaktightness could cause site boundary doses, due to a design bases LOCA, to exceed values given in Reference 3.
| |
| APPLICABLE The accident analysis considers the worst case single active SAFETY ANALYSIS failure in the power supply which results in minimum containment cooling. The analysis and evaluation show that under this scenario, the highest peak containment pressure is [48.1) psig (experienced during a MSLB), actual I temperature of the containment structure however, remained i below the maximum design temperature of [290]*F. (See Bases B 3.6.4 " Containment Pressure," and B 3.6.5 " Containment Air Temperature," for a detailed discussion.) The limiting event is a MSLB initiated at 0% RTP. The analysis also j assumes that one Containment Spray division is operating and i I
| |
| an initial (pre-accident) condition of [110 F] and [0.40]
| |
| psig for containment temperature and pressure respectively.
| |
| The dose analyses utilizes spray removal coefficients based on the worst case single failure, et.g. loss of a division.
| |
| The effect of an inadvertent containment spray actuation has been analyzed. An inadvertent containment spray actuation reduces the containment pressure to [-1.83] psig due to the sudden cooling effect in the interior of the air tight containment. The design containment pressure is [-2.0]
| |
| psig, hence the inadvertent actuation of the Containment Spray System will not exceed containment design limits. !
| |
| Additional discussion is provided in Bases 3.6.4, '
| |
| " Containment Pressure."
| |
| (continued) l SYSTEM 80+ B 3.6-40 Rev. 00 1 16A Tech Spec Bases l
| |
| | |
| Containment Spray System B 3.6.6 n
| |
| BASES APPLICABLE The Containment Spray System satisfies Criterion 3 of the SAFETY ANALYSES NRC Policy Statement.
| |
| (continued)
| |
| LC0 During a DBA, one division of Containment Spray is required to maintain containment peak pressure and temperature below design limits. To ensure these requirements are met, two Containment Spray divisions must be OPERABLE during normal operations. This ensures minimum cooling requirements are met if a DBA then occurs concurrently with a loss of offsite power.
| |
| A Note permits the alignment of a Shutdown Cooling System pump if a Containment Spray pump is not available or becomes inoperable. These pumps are designed to be interchangeable for operational flexibility.
| |
| n APPLICABILITY In MODES 1, 2, 3 and 4, a DBA could cause a release of l 1 radioactive material to containment and an increase in containment pressure and temperature requiring the operation of the Containment Spray divisions.
| |
| In MODES 5 and 6 the probability and consequences of such an event are reduced due to the pressure and temperature limitations of these MODES. The RCS coolant temperature for MODE 5 is less than 210 F, a LOCA in MODES 5 and/or 6 would not result in any significant containment pressurization (Ref. 4) that would require containment spray. In addition, the Containment Spray System is not required to remove fission product iodine to limit the site boundary dose to less than the limits stated in 10CFR100, as described in Shutdown Risk Evaluation Report (Ref. 4). Therefore, the Containment Spray System is not required to be OPERABLE in MODES 5 and 6.
| |
| ALTIONS Ad With one Containment Spray division inoperable, the inoperable Containment Spray division must be restored to OPERABLE status within 72 hours. In this condition, the
| |
| / \
| |
| U (continued)
| |
| SYSTEM 80+ B 3.6-41 Rev. 00 16A Tech Spec Bases
| |
| | |
| Containment Spray System B 3.6.6 O
| |
| BASES ACTIONS A d (continued) remaining OPERABLE Containment Spray division is adequate to perform the containment cooling and iodine removal function.
| |
| However, the overall reliability is reduced because a single failure in the OPERABLE Containment Spray divisions could result in no containment cooling and no iodine removal capability. The 72 hour Completion Time is based on the iodine removal function and is consistent with other Engineered Safety Feature Systems' Completion Times for loss of one redundant division.
| |
| B.1 and B.2 If the inoperable Containment Spray division cannot be restored to OPERABLE status within the required Completion Time, the plant must be placed in a MODE in which the LC0 does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 84 hours. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. The allowed Completion Time of 84 hours to reach MODE 5 allows additional time for the restoration of the Containment Spray division and is reasonable when considering that the driving force for a release of radioactive material from the Reactor Coolant System is reduced in MODE 3.
| |
| fu.1 With two Containment Spray divisions inoperable, the unit is in a condition outside the accident analysis. Therefore, LC0 3.0.3 must be entered immediately.
| |
| SURVEILLANCE SR 3.6.6.1 REQUIREMENTS Verifying the correct alignment for manual, power-operated, and automatic valves in the containment spray flowpath provides assurance that the proper flowpaths will exist for Containment Spray System operation. This SR does not apply (continued)
| |
| SYSTEM 80+ B 3.6-42 Rev. 00 16A Tech Spec Bases
| |
| | |
| i Containment Spray System !
| |
| B 3.6.6 i
| |
| ~O ;
| |
| . BASES. ;
| |
| 4
| |
| . SURVEILLANCE. SR 3.6.6.1 (continued) ,
| |
| i REQUIREMENTS.
| |
| to valves which are. locked, sealed, or otherwise secured in position since they were verified to be in the correct position prior to locking, sealing, or securing. : This SR i
| |
| < alao does not: apply to valves which'cannat be inadvertently ;
| |
| misaligned, such as check valves. A valve which receives an !
| |
| actuation signal is allowed to-be in a non-accident position -
| |
| provided the valve will automatically reposition within the. ,
| |
| i proper stroke time. This SR does not require any valve testing or manipulation. Rather, it involves verifying !
| |
| through a system walkdown that those valves outside l containment and capable of being mispositioned, are in the '
| |
| correct position. The 31 day Frequency is appropriate because the valves are operated under procedural control.
| |
| An improper lineup would only affect a single division, and the probability of an event requiring containment spray actuation during this' time period is low. This Frequency has been shown to be acceptable through operating.
| |
| experience. l SR 3.6.6.2
| |
| ; [ Verifying that the Containment Spray header piping is full of water to the [*] ft level minimizes the time required to fill the header. This ensures that spray flow will be admitted to the containment atmosphere within the time frame assumed in the containment analysis. The 31 day Frequency is based on the static nature of the fill header and the low probability of a significant degradation of water level in the piping occurring between surveillances.]
| |
| : SR 3.6.6.3 Verifying that each Containment Spray pump develops [a 400 feet of head at a flow rate of a 5000 gpm] on recirculation ensures that each Containment Spray pump performance has not degraded during the cycle. Flow and pressure are normal e tests of centrifugal pump performance required by Section XI
| |
| * Values to be determined by system' detail design.
| |
| v (continued)
| |
| ' SYSTEM 80+ B 3.6-43 Rev. 00
| |
| ~16A Tech; Spec Bases
| |
| | |
| Containment Spray System B 3.6.6 O
| |
| BASES SURVEILLANCE SP 3.6.6.3 (continued)
| |
| REQUIREMENTS of the ASME Code. Since the Containment Spray pumps cannot be tested with flow through the spray nozzles, they are tested on recirculation flow. The recirculation alignment is full flow to the IRWST. This test confirms pump performance. Such inservice inspections confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the Inservice Testing Program.
| |
| SR 3.6.6.4 and SR 3.6.6.5 These SRs demonstrate each automatic Containment Spray valve actuates to its correct position and that each Containment Spray pump starts upon receipt of an actual or simulated Containment Spray Actuation Signal. The [18] month Frequency is based on the need to perform these Surveillances under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillances were performed with the reactor at power.
| |
| Operating experience has shown that these components usually pass the Surveillances when performed at the [18] month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.
| |
| SR 3.6.6.6 With the Containment Spray inlet valves closed and the Containment Spray header drained of any solution, low pressure air or smoke can be blown through test connections.
| |
| Performance of this SR demonstrates that each spray nozzle is unobstructed and provides assurance that spray coverage of the containment during an accident is not degraded. Due to the passive nature of the design of the nozzle, a test at
| |
| [the first refueling and at] 10 year intervals is considered adequate to detect obstruction of the spray nozzles.
| |
| O (continued)
| |
| SYSTEM 80+ B 3.6-44 Rev. 00 16A Tech Spec Bases
| |
| | |
| Containment Spray System i a 3.e.e ;
| |
| c;)
| |
| ~
| |
| BASES (continued) l REFERENCES 1. Chapter 6.
| |
| ; 2 .- Chapter 15.
| |
| : 3. 10 CFR 100.11, " Determination of Exclusion Area, Low l Population Zone, and Population Center Distance."
| |
| i
| |
| : 4. Appendix 19.8A, Shutdown Risk Evaluation.
| |
| h 1
| |
| , i 1
| |
| O I
| |
| SYSTEM 80+ B 3.6-45 Rev. 00 16A Tech Spec Bases
| |
| | |
| Hydrogen Analyzers B 3.6.7 8 3.6 CONTAINMENT SYSTEMS B 3.6.7 Hydrogen Analyzers BASES BACKGROUND Hydrogen Analyzers are required to monitor the hydrogen concentration in the containment following a primary or secondary break, such as a Loss of Coolant Accident (LOCA) or Main Steam Line Break (MSLB) in containment. Hydrogen may accumulate within containment following a primary break as a result of a metal-steam reaction involving the zirconium fuel cladding and the reactor coolant, radiolytic decomposition of the post-accident emergency cooling solutions, corrosion of metals by solutions used for emergency cooling and containment spray, and hydrogen in the Reactor Geolant System (RCS) at the time of a primary break. I During a secondary break such as MSLB, hydrogen production l will only result from the corrosion of metals and paints in l containment.
| |
| The Hydrogen Analyzers are post-accident Type A Category I l instruments. As such they are used to determine when to initiate hydrogen recombination operation following a primary or secondary break in containment.
| |
| h Two independent Hydrogen Analyzers have been provided and each is powered from a separate vital AC power source.
| |
| Within 30 minutes after a LOCA, both Hydrogen Analyzers are manually activated to monitor hydrogen levels and to alert the operators in the control room if hydrogen concentration exceeds 3.5%. The analyzers when actuated will continuously monitor hydrogen concentration levels between [0 and 15%].
| |
| Both analyzers have the capability to interface with two areas that have been selected to provide a representative sample of the containment atmosphere following an accident.
| |
| The Hydrogen Analyzers measure the hydrogen concentration in containment so that required operator actions (e.g., actuate the Hydrogen Recombiners in accordance with emergency operating procedures) may be taken to prevent the hydrogen concentration from exceeding the flammability limit of 4.0%
| |
| by volume. This eliminates the potential for a breach of containment due to a hydrogen-oxygen reaction.
| |
| (continued)
| |
| O SYSTEM 80+ B 3.6-46 Rev. 00 16A Tech Spec Bases
| |
| | |
| l Hydrogen Analyzers B 3.6.7
| |
| .O BASES (continued) l 2
| |
| i
| |
| . APPLICABLE To evaluate the potential for hydrogen accumulation in !
| |
| SAFETY ANALYSES containment following a LOCA, hydrogen generation (as a function of time following the initiation of the accident) is calculated. Conservative assumptions recommended in' l Reference 1 are used to maximize the amount of hydrogen j calculated. Assuming containment isolation, the concentration of hydrogen that would result as a function of i
| |
| ~
| |
| time is calculated with and without credit taken for mitigating systems.
| |
| 1 The calculations confirm that when mitigating systems are ,
| |
| actuated, in accordance with the emergency operating l procedures,. the peak hydrogen concentration in containment :
| |
| is less than 4.0% by volume. 1 1
| |
| Hydrogen may accumulate within containment following a LOCA .
| |
| (or CEA ejection) as a result of: l
| |
| : a. A metal-steam reaction between the zirconium fuel rod !
| |
| cladding and the reactor coolant.
| |
| : b. Radiolytic decomposition of water in the Reactor Coolant System (RCS) and the containment sump.
| |
| ;- c. Hydrogen in the RCS at the time of the LOCA, i.e.,
| |
| : hydrogen dissolved in the reactor coolant, and hydrogen gas in the pressurizer vapor space.
| |
| : d. Corrosion of metals exposed to Containment Spray and Safety Injection System solutions.
| |
| The Hydrogen Analyzers meet Criterion 3 of the NRC Policy Statement.
| |
| l LCO Two Hydrogen Analyzers must be OPERABLE with power from two
| |
| - independent safety-related power supplies. This assures 1 operation of at-least one Hydrogen Analyzer in the event of a worst case single active failure. Operation of at least
| |
| . one Hydrogen Analyzer will ' provide the operator with information to enable action to be taken to prevent the containment post-LOCA hydrogen concentration from exceeding the f1ammabilitt limit.
| |
| TO (continued)
| |
| SYSTEM 80+ B 3.6-47 Rev. 00 16A Tech Spec Bases
| |
| _, i
| |
| | |
| i Hydrogen Analyzers B 3.6.7 O
| |
| BASES (continued)
| |
| APPLICABILITY In MODES 1 and 2, two Hydrogen Analyzers provide the operator with the capability to measure hydrogen concentration in containment assuming a worst case single active failure and allow, if required, action to be taken to control the hydrogen concentration within containment below its flammability limit of 4.0% by volume following a LOCA (Ref. 2). This ensures containment integrity and prevents damage to safety-related equipment and instrumentation located within containment.
| |
| In MODES 3 and 4, both the hydrogen production rate and the total hydrogen produced after a LOCA would be significantly less than that calculated for the DBA LOCA. Thus, if the hydrogen analysis were to be performed starting with a LOCA in MODE 3 or 4, the time to reach a bulk concentration of 4.0% by volume would be extended beyond the conservatively !
| |
| calculated for MODES 1 and 2. The extended time would allow l containment atmosphere sampling by other means to determine l the hydrogen buildup, if the event the Hydrogen Analyzers i are not available. Therefore, Hydrogen Analyzers are not i required to be OPERABLE in MODES 3 and 4. l In MODES 5 and 6, the probability and consequences of a LOCA or MSLB are reduced due to the pressure and temperature l limitations. The Hydrogen Analyzers are not required to be OPERABLE in these MODES to protect the integrity of containment.
| |
| ACTIONS A.1 With one Hydrogen Analyzer inoperable, the inoperable l analyzer must be restored to OPERABLE status within 30 days.
| |
| The 30 day Completion Time is based on the low probability of the occurrence of a primary or secondary break that would generate hydrogen in amounts capable of exceeding the flammability limit, and the length of time after the event that operator action would be required to prevent exceeding this limit, and the availability of the Hydrogen Recombiners and the Post-Accident Sampling System.
| |
| (continued)
| |
| SYSTEM 80+ B 3.6-48 Rev. 00 16A Tech Spec Bases
| |
| | |
| Hydrogen Analyzers B 3.6.7 o
| |
| BASES ACTIONS M (continued)
| |
| Required Action A.1 is modified by a Note which indicates the provisions of LCO 3.0.4 are not applicable. As a i result, a MODE change is allowed when one Hydrogen Analyzer is inoperable. This allowance is provided because the probability of the occurrence of a primary or secondary break that would generate hydrogen in amounts capable of exceeding the flammability limit is low, the probability of the failure of the OPERABLE analyzer is low, and the length r of time after a postulated primary or secondary break before ,
| |
| operator action would be required to prevent exceeding the flammability limit.
| |
| M With two Hydrogen Analyzers inoperable, at least one ,
| |
| analyzer must be restored to OPERABLE status within seven days. The seven day Completion Time is based on the low e probability of the occurrence of a primary or secondary l
| |
| ( break that would generate hydrogen in amounts capable of '
| |
| exceeding the flamability limit, and the length of time ,
| |
| after the event that operator action would be required to !
| |
| prevent exceeding this limit, and the availability of the !
| |
| Hydrogen Recombiners, and the Post-Accident Sampling System. l N l The plant must be placed in a MODE in which the LC0 does not apply if an inoperable Hydrogen Analyzer cannot be restored to OPERABLE status in the associated Completion Time. This is done by placing the plant in at least MODE 3 in six :
| |
| hours. The allowable Completion Times are reasonable based j on operating experience to reach the required MODE from full -
| |
| power without challenging the plant systems.
| |
| i i
| |
| 1 SURVEILLANCE SR 3.6.7.1 REQUIREMENTS A CHANNEL FUNCTIONAL TEST is performed every 92 days to ensure the entire channel will perform its intended function, i ry j D (continued)
| |
| SYSTEM 80+ B 3.6-49 Rev. 00 j 16A Tech Spec Bases
| |
| | |
| Hydrogen Analyzers B 3.6.7 O
| |
| BASD SURVEILLANCE SR 3.6.7.1 (continued)
| |
| REQUIREMENTS The 92 day Frequency has been shown to be acceptable through operating experience and is consistent with the recommendations of NUREG-1366 (Ref. 3).
| |
| SR 3.6.7.2 Performance of a CHANNEL CALIBRATION on the Hydrogen Analyzers using sample gases ensures the OPERABILITY of the analyzers is maintained. A typical CHANNEL CALIBRATION includes a minimum of two data points to verify accuracy of the analyzers over the range of interest. The sample gases used for performing the Surveillances are nominally % by volume hydrogen a [0.98] and s [1.02] (balance nitrogen),
| |
| and nominally % by volume hydrogen = [3.92] and s [4.08]
| |
| (balance nitrogen). The lower hydrogen flammability limit is assumed as 4.0% by volume hydrogen in air or steam-air atmospheres. Therefore, calibration with these sample gases helps ensure accurate information regarding containment i hydrogen concentrations up to and including the flammability limit is available to operators following a LOCA. The 18 h
| |
| month Frequency has been shown to be acceptable through operating experience and is consistent with the recommendations of NUREG-1366 (Ref. 3).
| |
| l REFERENCES 1. Regulatory Guide 1.7, " Control of Combustible Gas !
| |
| Concentrations in containment Following a Loss-of-Coolant Accident, Revision 2, November 1978.
| |
| : 2. Chapter 6
| |
| : 3. NUREG-1366, " Improvements to Technical Specification Surveillance Requirements."
| |
| I l
| |
| l l
| |
| SYSTEM 80+ B 3.6-50 Rev. 00 1 16A Tech Spec Bases l
| |
| | |
| Shield Building B 3.6.8 B 3.6 CONTP.iNMENT SYSTEMS B 3.6.8 Shield cuilding i
| |
| BASES BACKGROUND The shield building is a reinforced concrete structure composed of a right cylinder with a hemispherical dome. The shield building houses the steel containment vessel and safety related equipment. The shield building is designed ,
| |
| to provide biological shielding as well as external missile protection for the steel containment shell and safety related equipment. Between the steel containment vessel and the shield building inner wall is an annular space which collects any containment leakage which may occur following :
| |
| an in-containment break such as a Loss of Coolant Accident (LOCA). This space also allows for periodic inspection of the outer surface of the steel containment vessel.
| |
| Following a LOCA, the Annulus Ventilation System (AVS) ,
| |
| establishes a negative pressure in the annulus between the shield buihling and the steel containment vessel. Filters Q in the system then control the release of radioactive b contaminants to the environment. A description of the AVS is provided in the Bases for Specification 3.6.9, " Annulus Ventilation System." Shield building OPERABILITY is required to ensure retention of primary containment leakage and proper operation of the AVS.
| |
| APPLICABLE The design basis for shield building OPERABILITY is a large SAFETY ANALYSIS break LOCA. Maintaining shield building OPERABILITY ensures that the release of radioactive materials from the primary containment atmosphere is restricted to those leakage paths and associated leakage rates assumed in the accident analysis. This restriction, in conjunction with the operation of the AVS, will limit the site boundary radiation doses to within the limits of 10 CFR 100 (Ref. 3) during an accident. ,
| |
| The shield building satisfies Criterion 3 of the NRC Policy Statement. i 1
| |
| l 7s kb' (continued)
| |
| SYSTEM 80+ B 3.6-51 Rev. 00
| |
| '16A Tech Spec Bases
| |
| | |
| Shield Building B 3.6.8 O
| |
| BASES (continued)
| |
| LC0 Shield building OPERABILITY must be maintained to ensure proper operation of the AVS and to limit radioactive leakage from the containment to those paths and leakage rates assumed in the accident analysis.
| |
| APPLICABILITY Maintaining shield building OPERABILITY prevents leakage of radioactive material from the shield building. Radior.ctive material may enter the shield building from the primary containment following a LOCA. Therefore, shield building OPERABILITY is required in MODES 1, 2, 3, and 4 when a main steam line break, LOCA, or control element assembly ejection accident could release radioactive material to the containment atn.osphere.
| |
| In MODES 5 and 6 the probability and consequences of these events are low due to the reactor coolant system temperature and pressure limitations in these MODES.
| |
| Therefore, shield building OPERABILITY is not required in MODES 5 or 6.
| |
| O ACTIONS Ad In the event shield building OPERABILITY is not maintained, shield building OPERABILITY must be restored within 24 hours.
| |
| Twenty-bur hours is a reasonable Completion Time '
| |
| considering the limited leakage design of the containment and the low probability of a DBA occurring during this time period.
| |
| B.1 and B.2 If the shield building cannot be restored to OPERABLE status within the required Completion Time, the plant must be ;
| |
| placed in a MODE in which the requirement does not apply. ;
| |
| To achieve this status, the plant must be brought to at least MODE 3 within six hours and to MODE 5 within 36 hours.
| |
| (continued) '
| |
| SYSTEM 80+ B 3.6-52 Rev. 00 ;
| |
| 16A Tech Spec Bases ,
| |
| J
| |
| | |
| Shield Building B 3.6.8 O BASES I
| |
| ACTIONS B.1 and 8.2 (continued)
| |
| The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging safety systems.
| |
| h SURVEILLANCE SR 3.6.8.1 ;
| |
| REQUIREMENTS Maintaining shield building OPERABILITY requires maintaining each door in the access opening closed except when the access opening is being used for normal transit entry and exit; then, at least one door must remain closed. The Surveillance Frequency of 31 days is based on engineering l Judgment, and has been shown to be acceptable through operating experience,
| |
| : e. SR 3.6.8.2
| |
| \
| |
| +
| |
| This Surveillance would give advance indication of gross deterioration of the concrete structural integrity of the shield building. The Frequency of this SR is the same as that of SR 3.6.1.1. The verification is done during shutdown and as part of Type A leakage tests associated with SR 3.6.1.1.
| |
| SR 3.6.8.3 The AVS is required to produce the required negative pressure equal to or more negative than [-0.25) inch water gauge relative to outside environment during test operation.
| |
| The negative pressure ensures that the building is adequately sealed and that leakage from the building will be prevented, since outside air will be drawn in by the low pressure. The negative pressure must be established within the time limit used in the dose analyses [110 seconds).
| |
| '! 1 V- (continued)
| |
| SYSTEM 80+ B 3.6-53 Rev. 00 16A Tech Spec Bases
| |
| | |
| Shield Building B 3.6.8 O
| |
| BASES SURVEILLANCE SR 3.6,M (continued)
| |
| REQUIREMENTS The [18] month Frequency to verify the required negative pressure in the shield building is consistent with Regulatory Guide 1.52 (Ref 4) guidance for functional testing of the ability of the AVS to " pull do i" the required negative pressure every [18] months REFERENCES 1. Chapter 3.
| |
| : 2. Chapttr 6.
| |
| : 3. 10 CFR 100.11, " Determination of Exclusion Area, Low Population Zone and Population Center Distance."
| |
| : 4. Regulatory Guide 1.52 (Rev. 02), " Design, Testing and Maintenance Criteria for Post Accident Engineered Safety Feature Atmospheric Cleanup System Air Filtration and Adsorption Units of Light-Water Cooled Nuclear Power Plants." h i
| |
| l 1
| |
| l l
| |
| l l
| |
| i O
| |
| SYSTEM 80+ B 3.6-54 Rev. 00 16A Tech Spec Bases
| |
| | |
| 1 Annulus Ventilation System !
| |
| B 3.6.9 l B 3.6 CONTAINMENT SYSTEMS
| |
| ; B 3.6.9 Annulus Ventilation System j BASES k .
| |
| BACKGROUND- The Annulus Ventilation System (AVS) serves the space i
| |
| between the primary containment and the secondary
| |
| : containment. The system does not perform any normal !
| |
| ventilation function. However, it does provide additional :
| |
| ' assurance against the release of radioactivity to the ;
| |
| environment; therefore, it is designed as an engineered ,
| |
| safety. feature and should be capable of operating and ;
| |
| -performing its function during startup, power operation, hot !
| |
| standby and hot shutdown.
| |
| l Two independent AVS divisions are provided. Each division -i
| |
| ; consists of a fan, a filter train, associated ductwork, i' i
| |
| dampers, and controls-as necessary to accomplish the design
| |
| ; function. Each filter train consists of a moisture
| |
| * eliminator, prefilter, and absolute filter, a carbon filter, j 4
| |
| and a post filter.
| |
| I The two AVS divisions share one duct in the upper portion of i the annulus and one duct in the lower portion of the ;
| |
| annulus. Therefore, there is one common duct in the upper ]
| |
| annulus and one common duct in the lower annulus for both divisions. These distribution ducts contain grilles for
| |
| * annulus air intake and exhaust. The grilles of the upper duct draw air in from above the primary containment. This air passes through the moisture eliminator and the filter train before reaching the suction of the ventilation fan.
| |
| The fan directs air either to the unit vent or both the unit vent and the lower annulus distribution duct. The grilles of the lower distribution ring expel air into the annulus.
| |
| The AVS will discharge sufficient air from the annulus to the unit vent to create a negative pressure of approximately
| |
| [-0.25 in.] water gauge with respect to the outside atmosphere after a LOCA.
| |
| Two full capacity ventilation fans are provided with each I one redundant of the other. The fans are supplied with {
| |
| power from the Class 1E Emergency Diesel Generators on LOOP. j l
| |
| 4 (continued)
| |
| ' -SYSTEM 80+' .
| |
| B 3.6 Rev. 00 16A Tech Spec Bases
| |
| | |
| l Annulus Ventilation System 4 I
| |
| B 3.6.9 O
| |
| BASES BACKGROUND The moisture eliminator consists of a mechanical demister (continued) which is designed to remove entrained moisture droplets from the influent. An electric heater is provided to decrease the effluent relative humidity.
| |
| HEPA filters are provided to adsorb the fission products released to the annulus following any of the postulated accidents. Failure of the filtration unit to perform the intended function will be detected by a unit vent radiation monitor, which monitors the activity level of the system effluent.
| |
| APPLICABLE The purpose of this system is to produce and maintain a SAFETY ANALYSIS negative pressure in the annulus. This mitigates the consequences of airborne products of radiation that might otherwise become an environmental hazard during and following an accident.
| |
| The Annulus Ventilation System is designed and sized to meet the following criteria.
| |
| : a. Produce and maintain a negative pressure within the total annulus space in order to preclude the I' unacceptable release of radioisotopes following an accident,
| |
| : b. Provide fission product removal capability by decay and filtration.
| |
| : c. Provide for the mixing of any in-leakage into the annulus space,
| |
| : d. The design annulus in-leakage rate through the reactor l shield wall and from the exterior atmosphere is [1000 SCFM at 0.25 in.] water differential pressure. i The system is designed to function during a seismic event; l its location protects it from tornado / wind and missiles. (
| |
| The system has no containment penetrations.
| |
| The system is 100% redundant which precludes single system l failure.
| |
| (continued) O!
| |
| SYSTEM 80+ B 3.6-56 Rev. 00 16A Tech Spec Bases I
| |
| l
| |
| | |
| Annulus Ventilation System B 3.6.9 BASES APPLICABLE The system has complete electrical separation between the SAFETY ANALYSES two divisions. Each division is powered by its respective ;
| |
| (continued) Class IE Emergency Diesel Generator. The Annulus Ventilation System is an Engineered Safety Feature System. .
| |
| The AVS satisfies Criterion 3 of the NRC Policy Statement.
| |
| 1 LCO Two independent and redundant divisions of the Annulus Ventilation System active components must be OPERABLE to ensure that at least one division will operate, assuming that the c' e division is disabled by a single active failun APPLICABILITY In MODES 1, 2, 3 and 4, a DBA could lead to fission product
| |
| < release to containment which leaks to the shield building.
| |
| The large break LOCA, on which this system's design is based, is a full power event. Less severe LOCAs and leakage O still require the system to be OPERABLE throughout these MODES. The probability and severity of a LOCA decreases as core power and RCS pressure decrease. With the reactor shutdown the probability of release of radioactivity l resulting from such an accident is low. 1 In MODES 5 and 6, the probability and consequences of a DBA '
| |
| - are very low due to the pressure and temperature limitations I in these MODES. Under these conditions, the Annulus Ventilation System is not required to be OPERABLE.
| |
| i 1
| |
| ACTIONS A,1 l
| |
| With one division of the Annulus Ventilation System inoperable, the inoperable division must be returned to OPERABLE status within seven days. The seven day Completion Time is based on the low probability of a LOCA during this time period and the leaktightness of the containment and is adequate to make most repairs.
| |
| (continued)
| |
| SYSTEM 80+ B 3.6-57 Rev. 00 16A Tech Spec Bases
| |
| | |
| I Annulus Ventilation System !
| |
| B 3.6.9 1 9'
| |
| BASES ACTIONS B.1 and B.2 (continued)
| |
| If the inoperable AVS cannot be restored to OPERABLE status within the required Completion Time, the plant must be placed in a MODE in which the LC0 does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowea Completion Times are reasonable based on operating experience to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.6.9.1 Operating each AVS division, with the heaters operating, ensures that all divisions are OPERABLE and that all associated controls are functioning properly. It also ensures that binckage, fan or motor failure, or excessive ,
| |
| vibration can be detected for corrective action. (Operation 4
| |
| with the heaters on for a 10 continuous hours eliminates moisture in the filtration units. Experience from filter h'
| |
| testing at operating units indicates that the 10 hour period is adequate for moisture elimination in the filtration units.] The 31 day Frequency was developed considering the known reliability of fan motors and controls, the two division redundancy available, and the iodine removal capability of the Containment Spray System.
| |
| SR 3.6.9.2 This SR verifies that the required AVS filter testing is performed in accordance with the (Ventilation Filter Testing Program (VFTP)]. Filter tests are in accordance with Regulatory Guide 1.52 (Ref 3). The VFTP includes testing of HEPA filter performance, minimum system flow rate, and the physical properties of the activated carbon (general use and following specific operations). Specific test frequencies and additional information are discussed in detail in the VFTP.
| |
| (continued)
| |
| SYSTEM 80+ B 3.6-58 Rev. 00 16A Tech Spec Bases
| |
| | |
| I Annulus Ventilation System B 3.6.9 h
| |
| v l
| |
| BASES l
| |
| l SURVEILLANCE SR 3.6.9.3 REQUIREMENTS (continued) The automatic startup ensures that each AVS division ,
| |
| responds properly. The [18] month Frequency is based on the j need to perform this Surveillance under the conditions that l apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that i these components usually pass the Surveillance when performed at the [18] month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. Furthermore, the SR interval was developed considering that the AVS equipment OPERABILITY is demonstrated at a 31 day Frequency by SR 3.6.9.1.
| |
| I SR 3.6.9.4 The AVS division flow rate is verified s [18,000] cfm to :
| |
| ensure that the flow rate through the filters is not l excessive. l The (18] month on a STAGGERED TEST BASIS Frequency is consistent with the Regulatory Guide 1.52 (Ref. 3) guidance.
| |
| REFERENCES 1. Chapter 6.
| |
| : 2. Chapter 15.
| |
| : 3. Regulatory Guide 1.52 (Rev. 02), " Design, Testing and 4
| |
| Maintenance Criteria for Post Accident Engineered Safety Feature Atmospheric Cleanup System Air Filtration and Adsorption Units of Light-Water Cooled Nuclear Power Plants."
| |
| O)
| |
| C/
| |
| SYSTEM 80+ B 3.6-59 Rev. 00 16A Tech Spec Bases
| |
| | |
| l HMS Ignitors B 3.6.10 B 3.6 CONTAINMENT SYSTEMS B 3.6.10 Hydrogen Mitigation System (HMS) Igniters BASES BACKGROUND The HMS igniters are installed to ensure that the hydrogen concentration in the containment following a severe accident, which is assumed to result in 100% oxidation of the active zircaloy cladding, will not result in a containment threatening hydrogen detonation within the containment. The HMS igniters are required for advanced large dry PWRs under the requirements of 10 CFR 50.34(f).
| |
| 10 CFR 50.34(f) requires that a hydrogen mitigation system be available for advanced large drv PWRs and that the system be capable of accommodating the oxidation of 100% of active zircaloy cladding and maintain the global concentration of the containment to below 10 volume percent. Accumulation of concentrations above the 10 volume percent level allows for the remote possibility of a hydrogen detonation. The HMS will control hydrogen concentrations and burning within the containment and will therefore minimize the likelihood of a detonation.
| |
| The HMS is based on the concept of controlled ignition of hydrogen using thermal igniters. The igniters are not safety grade but are seismically supported and are designed to be functional in a severe accident environment. The devices are intended to be manually energized from the control room following the determination of a sustained core uncovery. The system consists of a total of 80 igniters distributed in various regions in the containment where hydrogen could either be released, flow or accumulate in significant quantities.
| |
| The distribution of the igniters serves to ensure that a buildup of hydrogen pockets will not develop. The igniters are arranged in two independent trains such that each critical or limiting containment region contains at least two igniters. All igniters are powered from Class IE emergency buses which receive power from the offsite power source, an emergency diesel generator, or the combustion turbine generator. In addition, the system is designed such that all igniters can be powered by batteries. A minimum set of 34 igniters would be powered off the batteries during (continued)
| |
| SYSTEM 80+ B 3.6-60 Rev. 00 16A Tech Spec Bases
| |
| | |
| I 1
| |
| HMS Igniters j B 3.6.10 BASES !
| |
| BACKGROUND a station blackout scenario. This is based on an i (continued) optimization of the number of igniters required for adequate containment coverage and battery power limitations.
| |
| When an igniter element is energized, the igniter heats up to a surface temperature in excess of [1700 F). At this temperature, it will ignite hydrogen in the vicinity of the ,
| |
| igniter, in a "non-inert" steam laden atmosphere and in the presence of spray droplets.
| |
| APPLICABLE Analyses of the HMS have been performed with the MAAP4 SAFETY ANALYSIS Computer Code. Results of these analyses indicate that operation of the HMS igniters will control the local accumulation of hydrogen below detonable levels throughout the containment.
| |
| These analyses also indicate that the HMS igniters would control hyrirogen burn pressures to below the containment design pressure.
| |
| Based on the PRA, the potentiel for a severe accident is about 100 times lower than tMt for plants with igniter systems currently licensed unoar 10 CFR 50.44. Furthermore, PRA sensitivity studies show that without the hydrogen igniters, hydrogen burn induced containment failures can result in 2% or less of the core damage sequences.
| |
| Consequently, the OPERABILITY of the hydrogen igniters is not a dominant contributor to PRA predicted core damage frequency.
| |
| As a result of the large containment free volume of this design, accumulation of hydrogen to detonable levels is highly unlikely. Even under the most severe core damage events, the hydrogen accumulation in the upper containment is likely to be below the detonation threshold. To control hydrogen accumulation in the Incontainment Refueling Water Storage Tank (IRWST) freeboard space, four hydrogen igniters are located in the IRWST. In addition, the IRWST is vented to the containment atmosphere such that hydrogen accumulation in the IRWST is minimized. Other regions of potential concern to hydrogen accumulation include potential hydrogen source locations above IRWST vents, and in the vicinity of RCS piping. Hydrogen igniters are located in hs (continued)
| |
| SYSTEM 80+ B 3.6-61 Rev. 00 16A Tech Spec Bases P
| |
| | |
| HMS Igniters B 3.6.10 0
| |
| BASES APPLICABLE these regions to control the concentration to below the SAFETY ANALYSES detonable level.
| |
| (continued)
| |
| The Technical Specifications on hydrogen igniters satisfy Criterion 4 of the NRC Policy Statement.
| |
| LC0 An igniter is defined as OPERABLE when it has passed SR 3.6.10.1.
| |
| Operation with 62 igniters, as specified in Table 3.6.10-1, will ensure sufficient coverage throughout the containment so as to maintain the hydrogen concentration below the detonable limit.
| |
| APPLICABILITY In MODES 1 and 2, the required number of HMS igniters ensure the capability to prevent localized hydrogen concentrations above the flammability limit of 4.1 % in containment, assuming a worst case single active failure. h In MODE 3 or 4, both the hydrogen production rate and the total hydrogen produced after a LOCA would be less than that calculated for the DBA LOCA. Also, because of the limited time in these MODES, the probability of an accident requiring the HMS is low. Therefore, the HMS is not required in MODE 3 or 4.
| |
| In MODES 5 and 6, the probability and consequences of a LOCA or main steam line break are low due to the pressure and temperature limitations of these MODES. Therefore, the HMS is not required in these MODES.
| |
| ACTIONS ad With less than the 62 igniters identified in Table 3.6.10-1 OPERABLE, the HMS must be restored to an OPERABLE status prior to startup after each refueling outage. For the HMS igniters to be classified as OPERABLE, the minimum set of igniters specified in Table 3.6.10-1 must pass the requirements of SR 3.6.10.1. OPERABLE igniters are capable (continued)
| |
| SYSTEM 80+ B 3.6-62 Rev. 00 16A Tech Spec Bases
| |
| | |
| HMS Igniters B 3.6.10 g
| |
| (
| |
| BASES ACTIONS A d (continued) of being powered 'from Class 1E power supplies including the Class 1E batteries.
| |
| Assurance that the minimum set of igniters identified in Table 3.6.10-1 are OPERABLE provides a high level of confidence that sufficient redundancy exists within the HMS to accomplish its intended function.
| |
| SURVEILLANCE SR 3.5.10.1 REQUIREMENTS A detailed functional test is performed every plant refueling outage to verify total system OPERABILITY. This requires that all igniters be visually inspected to ensure they are clean and that the electrical circuitry can be energized, All igniters are visually checked to verify that they are energized and the surface temperature of each p ignitor is measured to be > [1700 F]. This temperature V response provides a demonstration that ignition can be achieved in most environments.
| |
| Experience on operating plants with igniters has shown that these components are very reliable and normally pass the SR when performed at refueling. No forced plant shutdowns have occurred as a result of failure of Surveillance tests conducted during power operation. Therefore, Surveillance testing at refueling outages is considered acceptable for igniters which are intended only for low probability severe accident mitigation.
| |
| It is intended that all 80 igniters be OPERABLE or be made OPERABLE prior to restart after refueling. However, failure of igniters during testing in containment regions other than those identified in Table 3.6.10-1 does not adversely impact i containment coverage or the OPERABILITY of the system and therefore should not be considered sufficient to delay or otherwise limit return to power operation after a refueling outage.
| |
| REFERENCES None, p
| |
| LJ SYSTEM 80+ B 3.6-63 Rev. 00 16A Tech Spec Bases
| |
| | |
| Containment Penetrations - REDUCED RCS INVENTORY Operations B 3.6 CONTAINMENT SYSTEMS B 3.6.11 Containment Penetrations - REDUCED RCS INVENJ9RY Operations BASES BACKGROUND During REDUCED RCS INVENTORY operations, a release of fission product radioactivity within containment will be restricted from leakage to the environment when the LC0 requirements are met.
| |
| APPLICABLE Release of fission products to the environment from SAFETY ANALYSIS containment is limited by 10 CFR 100. If the LC0 requirements are adhered to, then no release exceeding the 10 CFR 100 limits can occur (Ref. 1).
| |
| REDUCED RCS INVENTORY operations satisfy Criterion 3 of the NRC Policy Statement.
| |
| LC0 This LC0 minimizes the release of radioactivity from containment. The LC0 requires the equipment hatch be closed h'
| |
| and held in place by [four bolts), one door in each airlock be closed, and each penetration providing direct access to l the outside environment to be closed with the exception of the containment purge and exhaust isolation system.
| |
| APPLICABILITY The LC0 is applicable during MODE 5 with REDUCED RCS INVENTORY or MODE 6 with REDUCED RCS INVENTORY. l ACTIONS a_l If one or more containment penetrations are not in the required status, restoration must be accomplished within [6]
| |
| hours. This will ensure that the plant will be within the assumptions of the safety analysis. j (continued)
| |
| SYSTEM 80+ B 3.6-64 Rev. 00 16A Tech Spec Bases
| |
| | |
| ,. ~. _. _. _ _ __ . .. . . _- .
| |
| l 1
| |
| )
| |
| Containment Penetrations - REDUCED ECS INVENTORY Operations B 3.6.11 BASES i
| |
| : ACTIONS L1 t (continued)
| |
| If Action A.1 has not been completed within' the (6] hours, :
| |
| t then the RCS level must be restored to > [EL-117' 0"] within (6]. hours of Action A.1 not being met. l l
| |
| SURVEILLANCE- SR 3.6.11.1 i
| |
| REQUIREMENTS This SR verifies that each required containment building l penetration is in its required status every [12 hours). ,
| |
| This ensures that fission products will not escape j containment in a quantity greater than assumed in the safety !
| |
| analysis. >
| |
| c
| |
| ; SR 3.6.11.2 i
| |
| This SR verifies each containment purge and exhaust valve n actuates to its isolated position on an actual or simulated actuation signal. The [18 month] Frequency maintains
| |
| (~') consistency with similar ESFAS testing requirements and has i
| |
| been shown to be acceptable through operating experience. ,
| |
| I REFERENCES 1. Appendix 19.8A, Shutdown Risk Evaluation. ;
| |
| )
| |
| i l
| |
| t i
| |
| O l t
| |
| i SYSTEM 80+; B 3.6-65 Rev. 00 :
| |
| 16A Tech Sp*.c Bases- <
| |
| | |
| s .
| |
| l l
| |
| MSSVs B 3.7.1 3
| |
| ^
| |
| 2 J B 3.7 PLANT SYSTEMS i-B 3.7.1: Main Steam Safety Valves (MSSVs) r
| |
| ~
| |
| BASES 4
| |
| BACKGROUND The Main Steam Safety Valves (MSPh) mainly provide over- l
| |
| - _p ressure.. protection for the seccadary system. In doing so, ;
| |
| ; the MSSVs also provide protection against overpressurizing the reactor coolant pressure boundary by providing a heat. l sink for removal of energy from the Reactor Coolant System j
| |
| '(RCS) if the preferred heat sink, provided by the Condenser i
| |
| and Circulating Water. system, is not available.
| |
| '- Five' Main Steam Safety Valves, (ten per steam generator) are located on each Main Steam Line, outside Containment, .
| |
| J upstream of the Main Steam Isolation Valves, as described in Chapter 5'(Ref.1). The MSSVs' rated capacity passes the full steam flow at 102% RATED THERMAL POWER (RTP)(100 + 2%
| |
| l for instrument error) with the valves full open. This meets
| |
| - the requirements of the ASME Code (Ref. ,, as described in the Over-pressure Protection Report, Appendix 5.A. The MSSV s design includes staggered setpoints, as shown in Table 3.7.1-2, so that only the number.of valves needed will actuate. The maximum system overpressure is calculated based on maximum allowable tolerance on the MSSV setpoint.
| |
| i
| |
| : Staggered setpoints reduce the potential for valve chattering because of insufficient steam pressure to fully
| |
| : open all valves following a turbine-reactor trip.
| |
| APPLICABLE The design basis for the MSSVs comes from the ASME Code SAFETY ANALYSES (Ref. 2) and limits secondary system pressure to s 110% of design pressure when passing 100% of design steam flow.
| |
| This design basis is more than sufficient to cope with any 1
| |
| : Anticipated Operating Occurrence (A00) or accident considered in the Design Basis Accident and Transient
| |
| . Analysis. For most analyzed events, RCS pressure remains l below the setpoint of the Pressurizer Safety Valves (PSVs), ;
| |
| 1 or, at most, cause only a short opening of the PSVs. ;
| |
| 1 The events that challenge the ilSSVs' relieving capacity, and
| |
| . thus RCS pressure, are those characterized as Decreased Heat ;
| |
| Removal events, and are presented in Section 15.2 l
| |
| l l
| |
| (continued) ;
| |
| i l
| |
| SYSTEM 80+: B 3.7-1 Rev. 00 l 16A Tech Spec Bases ;
| |
| | |
| MSSVs B 3.7.1 O
| |
| BASES APPLICABLE (Ref. 4). Of these, the full power Loss of Condenser SAFETY ANALYSES Vacuum (LOCV) event is the limiting A00. A LOCV isolates (continued) the turbine and condenser, and terminates normal feedwater flow to the steam generators. Before delivery of Emergency Feedwater (EFW) to the steam generators, RCS pressure reaches s [2,726] psia. This peak pressure is less than 110% of the design pressure of 2,500 psia, but high enough to actuate the PSVs. The maximum secondary pressure during the LOCV event is [1273] psia, which is less than 110% of secondary design pressure of 1200 psia.
| |
| The limiting accident for peak RCS pressure is the full power feedwater line break, inside Containment, with a loss of offsite power. Water from the affected steam generator is assumed to be lost through the break with minimal additional heat transfer from the RCS.
| |
| With heat removal limited to the unaffected steam generator, the reduced heat transfer causes an increase in RCS temperature and the resulting RCS fluid expansion causes an increase in pressure. The RCS pressure increases to 5 [2,798] psia, with the PSVs providing relief capacity.
| |
| The maximum secondary pressure during the feedwater line break event is s [1273] psia, which is less than the rated capacity of 110% of the design pressure of 1200 psia.
| |
| The MSSVs satisfy Criterion 3 of the NRC Policy Statement.
| |
| LC0 The LC0 requires all MSSVs to be OPERABLE in coapliance with the ASME Code.0peration with less than the full number of MSSVs requires limitations on allowable THERMAL POWER (to l I
| |
| meet ASME Code requirements) and adjustment to the Reactor Protective System Trip Setpoints. These limitations are ;
| |
| addressed in Table 3.7.1-1 and Required Actions A.1 and A.2.
| |
| An MSSV is considered inoperable if it fails to open upon demand.
| |
| The OPERABILITY of the MSSVs is defined as the ability to open within the setpoint tolerances, relieve steam generator over-pressure and to re-seat when pressure has been reduced.
| |
| The OPERABILITY of the MSSVs is determined by periodic surveillance testing in accordance with the Inservice Testing Program.
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-2 Rev. 00 16A Tech Spec Bases
| |
| | |
| i MSSVs B 3.7.1 .
| |
| O -BASES i
| |
| LCO .
| |
| .The lift settings specified in Table 3.7.1-2 correspond to (continued) ambient conditions of the valve at nominal operating i temperature and pressure. !
| |
| -This LCO provides assurance that the MSSVs will perform I their designed safety function to mitigate the consequences of accidents that could result in a challenge to the reactor._ ,
| |
| coolant pressure boundary.
| |
| 4 4
| |
| t In MODE 1, the accident analysis assumes all MSSVs OPERABLE i
| |
| ' APPLICABILITY at RTP 2% uncertainty which is limiting and bounds all lower. MODES. In MODES 2 and 3 the accident analysis i
| |
| '- requires MSSVs per. Table 3.7.1-1.
| |
| In MODES 4 and 5 there is no credible transient requiring the MSSVs.
| |
| ; In MODE 6, the steam generators are not used for heat j- removal and cannot be overpressurized. . ,
| |
| ACTIONS The ACTIONS table is modified by a Note indicating that separate Condition entry is allowed for each MSSV.
| |
| A.1, and A.2 An alternative to restoring the inoperable MSSV(s) to OPERABLE status is to reduce power so that the available 3
| |
| MSSV relieving capacity meets ASME Code requirements for the power level. Operation may continue provided the allowable THERMAL POWER is equal to the product of: 1) the ratio of the number of MSSVs available per steam generator to the total number of MSSVs per steam generator; and 2) the ratio of the available relieving capacity to the total steam flow multiplied by 100%.
| |
| 10 N
| |
| [ Allowable THERMAL POWER = ( } ) x 105.6]
| |
| (continued) ;
| |
| I
| |
| . SYSTEM 80+ B 3.7-3' Rev. 00 . I 16A Tech Spec Bases
| |
| --. . - , - . - l
| |
| | |
| MSSVs B 3.7.1 BASES 0
| |
| ACTIONS A.1 and A.2 (continued)
| |
| The ceiling on the variable overpower trip is also reduced to an amount over the allowable THERMAL POWER equal to the band given for this trip in Table 3.7.1-1.
| |
| SP = Allowaolo THERMAL POWER + 9.8 where: SP = Reduced reactor trip setpoint in percent RTP. This is a ratio of the available relieving capacity over the total steam flow at rated power.
| |
| 10 - Total number of MSSVs per steam generator.
| |
| N = Number of inoperable MSSVs on the steam generator with the greatest number of inoperable valves.
| |
| 105.6 - Ratio of MSSV relieving capacity at 110% steam generator design pressure to calculated steam flow rate at 100% RTP +
| |
| 2% instrument uncertainty expressed as a percentage (see text above).
| |
| 9.8 - Band between the maximum THERMAL POWER and the variable overpower trip setpoint ceiling (Table 3.7.1-1).
| |
| The operator should limit the maximum steady state power level to some value slightly below this setpoint to avoid an inadvertent overpower trip.
| |
| The 12 hour Completion Time for Required Action A.2 is consistent with A.I. An additional 8 hours is allowed to reduce the setpoints in recognition of the difficulty of resetting all channels of this trip function within a period of 8 hours. The Completion Time of 12 hours for Required Action A.2 is based on operating experience in resetting all l channels of a protective function and on the low probability of the occurrence of a transient that could result in steam generator overpressure. ,
| |
| )
| |
| I i
| |
| (continued) i SYSTEM 80+ B 3.7-4 Rev. 00 16A Tech Spec Bases
| |
| | |
| MSSVs B 3.7.1 ,
| |
| (~}
| |
| v BASES-ACTIONS B.1 and B.2 (continued)
| |
| The plant must be placed in a MODE in which the requirement does not apply if the MSSVs cannot be restored to OPERABLE status in the associated Completion Time. This is done by placing the plant in at least MODE 3 in six hours and in MODE 4 in [12 hours). The allowed Completion Times are reasonable based on operating experience to reach the required MODES from full power operation without challenging plant systems.
| |
| SURVEILLANCE SR 3.7.1.1 REQUIREMENTS This SR demonstrates the OPERABILITY of the MSSVs. The ASME Code Section XI (Ref. 5) requires that safety and relief valve tests be performed as required by ASME/ ANSI OM-1-1987 (Ref. 3). According to Reference 3, the following tests are required for MSSVs:
| |
| : a. Visual examination,
| |
| " b. Seat tightness determination,
| |
| : c. Set pressure determination (lift setting),
| |
| : d. Compliance with owner's seat tightness criteria, and
| |
| : e. Verification of the balancing device integrity on balanced valves.
| |
| The ANSI /ASME standard requires testing all valves every five years, with a minimum of 20% of the valves tested every 24 months. Surveillance requirements are specified in the Inservice Testing Program which encompasses Section XI of the ASME Code. ASME Code provides the activities and frequencies necessary to satisfy the requirements.
| |
| SR 3.7.1.1 is modified by a Note that allows entry into and operation in MODE 3 prior to performing the SR. This is to allow testing of MSSVs at hot conditions. The MSSVs may be either bench tested, or tested in-situ at hot conditions using an assist device to simulate lift pressure. If the MSSVs are not tested at hot conditions, the lift setting pressure shall be corrected to ambient conditions of the valve at operating temperature and pressure.
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-5 Rev. 00 16A' Tech Spec Bases
| |
| | |
| MSSVs B 3.7.1 O
| |
| BASES (continued)
| |
| REFERENCES 1. Chapter 5.
| |
| : 2. ASME Boiler and Pressure Vessel Code, Section III, Article NC-7000, " Overpressure Protection" Class 2 Components.
| |
| : 3. ANSI /ASME OM-1-1987, " Requirements for Inservice Performance Testing of Nuclear Power Plant Pressure Relief Devices."
| |
| : 4. Chapter 15.
| |
| : 5. ASME Boiler and Pressure Vessel Code, Section XI, Article IWV-3500, " Inservice Tests - Category C Val ves. "
| |
| O O
| |
| SYSTEM 80+ B 3.7-6 Rev. 00 16A Tech Spec Bases
| |
| | |
| MSIVs B 3.7.2 (3
| |
| V' B 3.7 PLANT SYSTEMS B 3.7.2 Main Steam Isohtson Valves (MSIVs)
| |
| BASES BACKGROUND The Main Steam Isolation Valves (MSIVs) isolate steam flow from the secondary side of the steam ganerators following a high energy line break. MSIV closure terminates flow from the unaffected (intact) steam generator.
| |
| One MSIV is located in each Main Steam line outside, but close to, containment. The MSIVs are downstream from the l MSSVs, ADVs and Emergency Feedwater Pump turbine's steam supplies to prevent their being isolated from the steam generators by MSIV closure. The MSIVs have bypass valves that allow the warming of the downstream main steam piping.
| |
| l Closing the MSIVs isolates each steam generator from the f other, and isolates the turbine, steam bypass system, and l other auxiliary steam supplies from the steam generators.
| |
| The MSIVs and MSIV Bypass Valves close on a Main Steam Isolation Signal (MSIS) generated by either low steam
| |
| , p) 1 generator pressure, high containment pressure, or high steam
| |
| '' generator water level. The MSIVs and bypass valves fail close on loss of control or activation power. The MSIS also actuates the Main Feedwater Isolation Valves to close. The MSIVs and bypass valves may also be closed manually.
| |
| A description of the MSIVs and bypass valves is found in Chapter 10 (Ref. 1).
| |
| The design basis of the MSIVs is established by the APPLICABLE containment analysis for the large steam line break inside SAFETY ANALYSES containment (Ref. 2). It is also influenced by the accident analysis of the steam line break events presented in Chapter 15 (Ref. 3). The design precludes the blowdown of more than one steam generator, assuming a single active component failure, i.e., the failure of one MSIV to close on demand.
| |
| The limiting case for the containment anaiysis is the hot j zero power steam line break inside containment with a loss 4 of offsite power following turbine trip and failure of one !
| |
| ,a
| |
| () (continued)
| |
| SYSTEM 80+ B 3.7-7 Rev. 00 16A Tech Spec Bases
| |
| | |
| MSIVs B 3.7.2 O
| |
| BASES APPLICABLE containment spray division. At zero power the steam SAFETY ANALYSES generator inventory and temperature are at their maximum, (continued) maximizing the analyzed mass and energy release to the containment. Failure of the MSIV to close contributes the additional mass and energy in the steam headers downstream of the other MSIV to the total releases via backflow. With the most reactive rod cluster control assembly assumed stuck in the fully withdrawn position, there is an increased possibility that the core will become critical and return to power. The core is ultimately shut down by the borated water injection delivered by the Emergency Core Cooling System. Other failures considered are the failure of a Main Feedwater Isolation Valve to close, and failure of an emergency diesel generator to start.
| |
| The accident analysis compares several different steam line break events against different acceptance criteria. The large steam line break outside containment upstream of the MSIV is limiting for offsite dose, although a break in this short section of main steam header has a very low probability. The large steam line break inside containment at hot full power is the limiting case for a post-trip return to power. The analysis includes scenarios with offsite power available and with a loss of offsite power following turbine trip.
| |
| With offsite power available, the reactor coolant pumps continue to circulate coolant through the steam generators, maximizing the RCS cooldown. With a loss of offsite power, the response of mitigating systems, such as the Safety Injection (SI) pumps is delayed. Significant single failures considered include: failure of an MSIV to close, failure of an emergency diesel generator, and failure of a SI pump.
| |
| The MSIVs serve only a safety function and remain open during power operation. These valves operate under the following situations:
| |
| : a. High energy line break inside containment. For this scenario, steam is discharged into containment from both steam generators. Mass and energy release from a break results in pressure and temperature increases in 1 containment. Closure of the MSIVs isolates the break and limits the blowdown to a single steam generator.
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-8 Rev. 00 16A Tech Spec Bases
| |
| | |
| MSIVs B 3.7.2
| |
| .n U: !
| |
| BASES APPLICABLE b. A break outside of containment and upstream from the '
| |
| SAFETY ANALYSES MSIVs is not a containment pressurization concern.
| |
| (continued) The uncontrolled blowdown of more than one steam ;
| |
| generator must be prevented to limit the potential for uncontrolled RCS cooldown and positive reactivity i addition. Closure of the MSIVs isolates the break and limits the blowdown to a single steam generator,
| |
| : c. A break downstream of the MSIVs will be isolated by {
| |
| the closure of the MSIVs. Events such as increased steam flow through the turbine or the steam bypass valves will also terminate on closing the MSIVs. l
| |
| : d. Following a steam generator tube rupture, closure of the MSIVs isolates the affected steam generator from i the intact steam generator. In addition to minimizing radiological releases, this enables the operator to establish a pressure difference between the ruptured and intact steam generators, a necessary step toward terminating the flow through the rupture.
| |
| : e. The MSIVs are also utilized during other events such as a feedwater line break. These events are less 1 limiting so far as MSIV OPERABILITY is concerned.
| |
| The MSIVs satisfy Criterion 3 of the NRC Policy Statement.
| |
| l LC0 This LCO requires that the MSIV and associated bypass valve in each of the steam lines bo OPERABLE. The MSIVs are considered OPERABLE when their isolation times are within limits, and they close on an isolation actuation signal.
| |
| This LC0 provides assurance that the MSIVs will perform j their design safety function to mitigate the consequences of l accidents which could result in offsite exposures comparable 1 to the 10 CFR 100 (Ref. 5) limits.
| |
| APPLICABILITY The MSIVs must be OPERABLE in MODES 1, 2, 3, and 4, except when all MSIVs are closed and [ deactivated). These MODES are when there is significant mass and energy in the RCS and O (continued) ]
| |
| SYSTEM 80+ B 3.7-9 Rev. 00
| |
| '16A Tech Spec Bases-
| |
| | |
| MSIVs B 3.7.2 O
| |
| BASES APPLICABILITY steam generators. When the MSIVs are closed and (continued) [ deactivated), they are already performing their safety function.
| |
| In MODES 5 and 6, the steam generators do not contain much energy because their temperature is below the boiling point of water. Therefore, the MSIVs are not required for isolation of potential high energy secondary system pipe breaks in these MODES.
| |
| ACTIONS M With one MSIV or bypass valve inoperable in MODE 1, time is allowed to restore the component to OPERABLE status. Some repairs can be made to the MSIV with the plant hot. The [8]
| |
| hour Completion Time is reasonable considering the probability of an accident occurring during the time period which would require closure of the MSIVs.
| |
| The [8] hour Completion Time is greater than that normally allowed for containment isolation valves because the MSIVs h
| |
| are valves that isolate a closed system penetrating containment. These valves differ from other containment isolation valves in that the closed system provides additional support for the containment isolation function.
| |
| M If the MSIV or bypass valve cannot be restored to OPERABLE status within [8] hours, the MSIV must be closed within the next six hours. Six hours is a reasonable time to complete the Actions required to close the MSIV, which includes performing a controlled plant shutdown to MODE 2. The Completion Time is based on plant operating experience related to the time required to reach MODE 2 with the MSIVs closed without challenging plant systems.
| |
| C.1 and C.2 Condition C is modified by a Note indicating that separate Condition entry is allowed for each MSIV or bypass valve.
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-10 Rev. 00 16A Tech Spec Bases
| |
| | |
| MSIVs B 3.7.2 BASES ACTIONS C.1 ard C.2 (continued) :
| |
| Since the MSIVs are required to be OPERABLE in MODES 2, 3, and 4, the inoperable MSIVs may be either restored to '
| |
| OPERABLE status or closed. When closed, the MSIVs are in the position required by the assumptions in the safety analysis.
| |
| The [8] hour Completion Time is consistent with that allowed in Condition A.
| |
| Inoperable MSIVs or bypass valves that cannot be restored to OPERABLE status within the specified Completion Time, but are closed, must be verified on a periodic basis to be closed. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, MSIV status '
| |
| indications available in the control room, and other administrative controls, to ensure these valves are in the closed position.
| |
| ~G V D.1. D.2. and D.3 If the MSIVs or bypass valves cannot be restored to OPERABLE status, or closed, within the associated Completion Time, ;
| |
| the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, in' MODE 4 within [12] hours and MODE 5 in [24] hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from MODE 2 conditions in an orderly manner and without challenging unit systems.
| |
| SURVEILLANCE SR 3.7.2.1 REQUIREMENTS This SR verifies that the closure time of each MSIV is s
| |
| [5.0] seconds on an actual or simulated actuation signal.
| |
| The MSIV closure time is assumed in the accident and containment analyses. This SR is normally performed upon returning the unit.to operation following a refueling outage. The SR is modified by a Note stating the MSIVs should not be tested in MODES 1 and 2 since even a part.
| |
| G) (continued) i SYSTEM 80+ B 3.7-11 Rev. 00 16A. Tech Spec Bases
| |
| | |
| MSIVs B372 BASES SVRVEILLANCE SR 3.7.2.1 (continued)
| |
| REQUIREMENTS stroke exercise increases the risk of a valve closure with the unit generating power. As the MSIVs are not tested at power, they are exempt from the ASME Code, Section XI (Ref.
| |
| 4), requirements during operation in MODES 1 and 2.
| |
| The Frequency for this SR is in accordance with the
| |
| [ Inservice Testing Program or [18] months]. This [18] month frequency demonstrates the valve closure time at least once per refueling cycle. Operating experience has shown that these components usually pass the SR when performed at the
| |
| [18] month Frequency. Therefore, the Frequency is acceptable from a reliability standpoint.
| |
| This test should be conducted in MODE 3, with the unit at operating temperature and pressure, as discussed in the Reference 4 exercising requirements. This SR is modified by a Note that allows entry into and operation in MODE 3 and 4 prior to performing the SR. This allows a delay of testing until MODE 3, in order to establish conditions consistent with those under which the acceptance criterion was generated.
| |
| g REFERENCES 1. Chapter 10.
| |
| : 2. Chapter 6.
| |
| : 3. Chapter 15.
| |
| : 4. American Society for Mechanical Engineers. Boiler and Pressure Vessel Code, Section XI, Inservice Inspection. Article IWV-3400 " Inservice Tests -
| |
| Category A and B Valves."
| |
| : 5. 10 CFR '*' Reactor Site Criteria.
| |
| O SYSTEM 80+ B 3.7-12 Rev. 00 16A Tech Spec Bases
| |
| | |
| i MFIVs B 3.7.3 g
| |
| B 3.7 PLANT SYSTEMS B 3.7.3 Main Feedwater Isolation Valves (MFIVs)
| |
| BASES BACKGROUND The Main Feedwater Isolation Valves (MFIVs) isolate main feedwater flow to the secondary side of the steam generators following a high energy line break. Closure of the MFIVs !
| |
| terminates flow to both steam generators, terminating the event for feedwater line breaks occurring upstream of the MFIVs. The consequences of events occurring in the main steam lines or in the main feedwater lines downstream of the ;
| |
| MFIVs will be mitigated by their closure. Closure of the i MFIVs effectively terminates the addition of feedwater to an affected steam generator, limiting the mass and energy release to containment for inside containment steam or feedwater line breaks, and reducing the cooldown effects for steam line breaks.
| |
| The MFIVs isolate the non-safety related portions from the ;
| |
| safety related portion of the system. In the event of a secondary side pipe rupture inside containment, the valves l q limit the quantity of high energy fluid that enters Q containment through the break and provides a pressure boundary for the controlled addition of Emergency Feedwater (EFW) to the intact steam generator.
| |
| Two MFIVs are located in series on each main feedwater downcomer line and each main feedwater economizer line (4 per steam generator), outside, but close to containment.
| |
| The valves in series offer redundant isolation of main feedwater to each steam generator. The MFIVs are located upstream of the Emergency Feedwater (EFW) injection point so that EFW may be supplied to an unaffected steam generator following MFIV closure. The large length of piping from the MFIVs to the steam generators must be accounted for in calculating mass and energy releases, and must be refilled prior to EFW reaching the steam generator following either a steam or feedwater line break.
| |
| The MFIVs close on receipt of a Main Steam Isolation Signal (MSIS) generated by either low steam generator pressure, high containment pressure or high steam generator water level. The MSIS also actuates the main steam isolation valves to close. The MFIVs may also be actuated manually.
| |
| /" i V) (continued)
| |
| SYSTEM 80+ B 3.7-13 Rev. 00 16A Tech Spec Bases i l
| |
| | |
| MFIVs B 3.7.3 O
| |
| BASES BACKGROUND The MFIVs and i check valve inside containment is available (continued) to isolate the feedwater line penetrating containment, and to ensure the consequences of events do not exceed the capacity of the containment heat removal systems.
| |
| A description of the MFIVs is found in Chapter 10 (Ref.1).
| |
| APPLICABLE SAFETY ANALYSES The design basis of the MFIVs is established by the analysis >
| |
| for the large steam line break (SLB). It is also influenced by the accident analysis for the large feedwater line break (FWLB). Closure of the MFIVs may also be relied on to terminate an m ess feed avent upon the generation of a MSIS on hiah Lieam generator level.
| |
| Failure of a MFIV to close following an SLB, FWLB, or excess feedwater flow event can result in additional mass and energy to the steam generators contributing to cooldown.
| |
| This failure also results in additional mass and energy releases following an SLB or FWLB event. h The MFIVs satisfy Criterion 3 of the NRC Policy Statement.
| |
| LC0 This LC0 ensures that the MFIVs will isolate feedwater flow to the steam generators. Following a feedwater or main stream line break, these valves will also isolate the nonsafety related portions from the safety related portions of the system. This LC0 requires that two MFIVs in each feedwater line be OPERABLE. The MFIVs are considered OPERABLE when their isolation times are within limits, and are closed on an isolation actuation signal.
| |
| Failure to meet the LC0 requirements can result in additional mass and energy being released to containment following a steam or feed line break inside containment. If MSIS on high steam generator level is relied on to terminate an excess feedwater flow event, failure to meet the LC0 may result in the introduction of water into the main steam lines.
| |
| (continued)
| |
| O' SYSTEM 80+ B 3.7-14 Rev. 00 16A Tech Spec Bases
| |
| | |
| MFIVs B 3.7.3 BASES (continued)
| |
| APPLICABILITY The MFIVs must be OPERABLE whenever there is significant mass and energy in the Reactor Coolant System and steam generators. This ensures that, in the event of an High Energy Line Break (HELB), a single failure cannot result in the blowdown of more than one steam generator, f
| |
| In MODES 1, 2, and 3, the MFIVs are required to be OPERABLE, except when they are closed and [ deactivated) or [ isolated by a closed manual valve], in order to limit the amount of available fluid that could be added to containment in the case of a secondary system pipe break inside containment.
| |
| When the valves are closed and deactivated or isolated by a i closed manual valve, they are already performing their safety function.
| |
| In MODES 4, 5, and 6, steam generator energy is low.
| |
| Therefore, the MFIVs are normally closed since main feedwater is not required.
| |
| ACTIONS A.1 and A.2 With one MFIV inoperable, action must be taken to close or '
| |
| isolate the valve. When these valves are closed or isolated, they are performing their required safety function (e.g., to isolate the line).
| |
| The [72] hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves, and the low probability of an event occurring during this time period that would require isolation of the feedwater flow paths.
| |
| B.1 and B.2 With both the MFIVs in the same flow path inoperable the Required Action is to restore at least one valve in the affected flow paths to OPERABLE status or to close or isolate at least one valve.
| |
| The MFIVs isolate a closed system that penetrates ;
| |
| containment. These valves differ from other containment isolation valves in that the closed system provides O
| |
| V (continued)
| |
| SYSTEM 80+ B 3.7-15 Rev. 00 16A Tech Spec Bases
| |
| | |
| MFIVs B 3.7.3 O
| |
| BASES ACTIONS B.1 and B.2 (continued) additional support for the containment isolation function.
| |
| The [8 hour) Completion Time to isolate the affected flow path is reasonable. This is acceptable due to the low probability of the events requiring the MFIVs and the availability of backups by non-safety grade features to terminate main feedwater flow.
| |
| Inoperable MFIVs that cannt t be restored to OPERABLE status within the Completion Time but are closed or isolated, must s
| |
| be verified on a periodic basis that they are c.losed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The [7 day] Completion Time is reasonable, based on engineering judgment, in view of valve status indications available in the control room, and other administrative controls to ensure that these valves are closed or isolated.
| |
| C.1 and C.2 The plant must be placed in a MODE in which the LC0 does not O
| |
| apply, if the MFIVs cannot be restored to OPERABLE status, closed or isolated, in the associated Completion Time. This is done by placing the plant in at least MODE 3 in six hours and in MODE 4 in [12] hours. The allowed Completion Times are reasonable based on operating experience to reach the required MODES from full power operation without challenging plant systems.
| |
| SURVEILLANCE SR 3.7.3.1 REQUIREMENTS This SR ensures the verification of each MFIV is s [5]
| |
| seconds on an actual or simulated signal.
| |
| The' MFIV closure time is assumed in the accident and containment analyses. This SR is normally performed upon returning the plant to operation following a refueling outage.
| |
| As the MFIVs cannot be tested at power, of a valve closure with the plant generating power, they are exempt from the (continued)
| |
| SYSTEM 80+ B 3.7-16 Rev. 00 16A Tech Spec Bases
| |
| | |
| MFIVs B 3.7.3 O BASES-SURVEILLANCE SR 3.7.3.1 (continued) ;
| |
| REQUIREMENTS ASME Section XI (Ref. 2) requirements during operation in MODES 1 and 2.
| |
| This SR ensures that the MFIVs are fully tested at least once per refueling cycle. The Frequency is in'accordance :
| |
| with the [ Inservice Testing Program or 18 months.] The Frequency of [18] months is based on the refueling cycle and has been shown to be acceptable through operating experience.
| |
| 1 REFERENCES 1. Chapter 10.
| |
| : 2. American Society for Mechanical Engineers, Boiler and Pressure Vessel Code, Section XI, Inservice l Inspection, Article IWV-3400 " Inservice Tests - ,
| |
| Category A and B Valves." l O
| |
| l l
| |
| l O ,
| |
| SYSTEM 80+ B 3.7-17 Rev. 00 l 16A Tech Spec Bases
| |
| -]
| |
| | |
| EFW B 3.7.4 83.7 PLANT SYSTEMS B 3.7.4 Emergency Feedwater (EFW) System BASES BACKGROUND The Emergency Feedwater (EFW) System provides an independent safety related means of supplying feedwater to the steam generators for removal of decay heat and prevention of reactor core uncovery during emergency phases of plant operation. The EFW system is a dedicated safety system which has no operating functions for normal plant operation.
| |
| It does this by supplying water from the Emergency Feedwater Storage Tanks (EFWSTs), covered by LCO 3.7.5 " Emergency Feedwater Storage Tank (EFWST)", to the steam generator secondary side via a connection to the main feedwater piping inside containment. Steam is released to the atmosphere from the steam generators via the main steam safety valves or atmospheric dump valves.
| |
| Automatic EFW System actuation on low steam generator level is accomplished by the Emergency Feedwater Actuation Signal (EFAS) of the Engineered Safety Features Actuation System (ESFAS), or the Alternate Feedwater Actuation Signal (AFAS) of the Alternate Protection System (APS). The EFAS will h
| |
| actuate feedwater to either or both steam generators with low levels, and will terminate EFW to a steam generator having a high steam generator level.
| |
| The EFW System is configured into two separate mechanical divisions. Each division is aligned to feed its respective steam generator. Each division consists of one Emergency Feedwater Storage Tank (EFWST), one 100% capacity motor-driven pump subdivision, one 100% capacity steam-driven pump subdivision, valves, one cavitating venturi, and specified instrumentation. Each pump subdivision takes suction from its respective EFWST and has its respective discharge header. Each subdivision discharge header contains a pump !
| |
| discharge check valve, flow regulating valve, steam :
| |
| generator isolation valve and steam generator isolation ;
| |
| check valve. The motor-driven subdivision and steam-driven i subdivision are joined together inside containment to feed their respective steam generator through a common EFW header which connects to the steam generator downcomer feedwater line. Each common EFW header contains a cavitating venturi to restrict the maximum EFW flow rate to each steam !
| |
| l (continued)
| |
| SYSTEM 80+ B 3.7-18 Rev. 00 l 16A Tech Spec Bases j
| |
| | |
| EFW B 3.7.4 BASES BACKGROUND generator. The cavitating venturi restricts the magnitude (continued) of the two pump flow as well as the magnitude of individual pump runout flow to the steam generator.
| |
| A cross-connection is provided between each EFWST so that either tank can supply either division of EFW. Pump discharge crossover piping is provided to enhance system versatility during long-term emergency modes, such that a !
| |
| single pump can feed both steam generators. Two normally l locked closed, local manually operated isolation valves are provided for subdivision separation. 1 One-hundred percent capacity is sufficient to remove decay heat and cool the plant to shutdown cooling entry conditions at the design cooldown rate, [100*F/hr]. Fifty percent capacity is sufficient to remove decay heat but is insufficient to maintain the design cooldown rate. The diverse motive power of the two divisions meets the diversity requireneent of BTP ASB 10-1 (Ref. 6).
| |
| The EFW System is one of the systems required to meet GDC 34 q and GDC 44 regarding the capability to remove decay heat and 1
| |
| Q transfer it to as ultimate heat sink, in this case the atmosphere.
| |
| An OPERABLE EFW System is required if the steam generators are to be considered OPERABLE. 1 The EFW System is discussed in Chapter 10 (Ref. 1).
| |
| l APPLICABLE The EFW System mitigates the consequences of any event with 1 SAFETY ANALYSES a loss of normal feedwater. The EFW System provides at least the minimum required flow to the steam generators to meet the design basis heat removal requirements. Following the event, the EFW System maintains adequate feedwater inventory in the steam generator (s) for heat removal and is capable of maintaining hot standby and facilitating a plant cooldown from hot standby to shutdown cooling system initiation.
| |
| l U, (continued)
| |
| SYSTEM 80+ B 3.7-19 Rev. 00 16A Tech Spec Bases
| |
| | |
| )
| |
| EFW l B 3.7.4 O'
| |
| BASES APPLICABLE The EFW System design must be such that it can perform its SAFETY ANALYSES function following a feedwater line break between the MFIV (continued) and containment, combined with a loss of offsite power following turbine trip, and a single active failure of the steam-turbine driven EFW pump. In such a case, one steam generator is lost for heat removal but the other steam generator still can provide the required heat removal capability.
| |
| The EFW System satisfies Criterion 3 of the NRC Policy Statement.
| |
| LC0 The LC0 ensures the availability of at least one steam generator to remove residual heat for all events accompanied by a loss of offsite power and single failure. This is accomplished by two redundant and diverse emergency feedwater pumps for each steam generator.
| |
| The LC0 is modified by a Note indicating that only one EFW division, which includes a motor-driven pump, is required to be OPERABLE in MODE 4. This is because of reduced heat g
| |
| removal requirements, the short period of time in MODE 4 during which EFW is required, and the insufficient steam supply available in MODE 4 to power the steam-turbine-driven EFW pump.
| |
| APPLICABILITY Because the EFW System is the safety grade means of removing core heat, it must be OPERABLE whenever the steam generators are required for RCS heat removal in MODES 1 through 4.
| |
| In MODES 5 and 6, the steam generators are not normally used for decay heat removal and the EFW System is not required.
| |
| ACTIONS ad If one EFW pump is inoperable, action must be taken to restore the pump to OPERABLE status within 7 days. The 7 day Completion Time is considered reasonable and is based on there being adequate redundancy within each division of the EFW system and within the system itself.
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-20 Rev. 00 16A Tech Spec Dases
| |
| | |
| I EFW B 3.7.4 l
| |
| ,9 (y
| |
| BASES ACTIONS 1L1 (continued)
| |
| If one EFW division is inoperable, action must be taken to restore that division to OPERABLE status. The 72 hour Completion Time is similar to that for ECCS systems for which it has been shown to be a suitable limit on risk.
| |
| C.1 and C.2 If one EFW pump in each division is inoperable, action must 1 be taken to restore an EFW pump to OPERABLE status within 72 hours. Subsequent action must be taken as specified in Required Action A.1, within 7 days.
| |
| D.1 and D.2 When a Required Action cannot be completed within the required Completion Time, a controlled shutdown should be O commenced. Six hours is a reasonable time, based on !
| |
| Q operating experience, to reach MODE 3 from full power conditions without challenging plant systems.
| |
| I Further action is required to bring the plant to MODE 4 within [18] hours.
| |
| Ll Required Action E.1 is modified by a Note indicating that all required MODE changes or power reductions are suspended until one EFW division is restored to OPERABLE status.
| |
| With required EFW division inoperable in MODE 4, action must be taken to immediately restore the inoperable train to OPERABLE status. LCO 3.0.3 is not applicable, as it could force the unit into a less safe condition.
| |
| In MODE 4, either the reactor coolant pumps or the SCS divisions can be used to provide forced circulation as discussed in LC0 3.4.6, "RCS Loops-MODE 4."
| |
| q NJ (continued)
| |
| SYSTEM 80+ B 3.7-21 Rev. 00 16A Tech Spec Bases
| |
| | |
| EFW B 3.7.4 O
| |
| BASES (continued)
| |
| SURVEILLANCE SR 3.7.4.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves in the EFW flow path provides assurance that the proper flow paths exist for EFW operation. This SR 1, does not apply to valves which are locked, sealed, or otherwise secured in position, since they were verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves which cannot be inadvertently misaligned, such as check valves.
| |
| The 31 day Frequency is based on engineering judgement considering the importance of these valves and the low probability of their misalignment.
| |
| SR 3.7.4.2 This SR demonstrates that the EFW pumps develop sufficient discharge pressure to deliver the required flow at the full open pressure of the MSSVs. Because it is undesirable to introduce cold EFW into the steam generators while they are operating, this testing is performed on recirculation flow. ,
| |
| Periodically comparing the reference differential pressure developed on recirculation flow detects trends that might be indicative of incipient failures. The ASME Section XI (Ref.
| |
| : 3) inservice testing (only required at three month intervals) satisfies this requirement when performed per the Inservice Inspection and Testing Program. A [31] day Frequency on a STAGGERED TEST BASIS results in testing each pump once per three months as required by the ASME code.
| |
| SR 3.7.4.2 is modified by a Note to allow an exception. For purposes of testing the turbine driven EFW pumps, the test is not required until reaching [800] psig in the steam generators for (24] hours.
| |
| SR 3.7.4.3 This SR ensures that EFW can be delivered to the appropriate steam generator in the event of any accident or transient that generates an EFAS by demonstrating that each automatic ;
| |
| valve in the flow path actuates to its correct position on i an actual or simulated actuation signal. Although the ;
| |
| actuation logic is tested as part of the ESFAS functional l (continued) l l
| |
| SYSTEM 80+ B 3.7-22 Rev. 00 16A Tech Spec Bases l
| |
| | |
| 4 EFW B 3.7.4 BASES SURVEILLANCE SR 3.7.4.3 (continued)
| |
| REQUIREMENTS test every 92 days, the subgroup relays that actuate the system cannot be tested during normal plant operation. The _
| |
| Frequency of [18] months is based on the refueling cycle and has been shown to be acceptable through operating :
| |
| experience. t SR 3.7.4.4 This SR ensures that the EFW pumps will start in the event of any accident or transient that generates an EFAS by demonstrating that each EFW pump starts automatically on an i actual or simulated actuation signal. Although the -
| |
| actuation logic is tested as part of the ESFAS functional test every 92 days, the subgroup relays that actuate the system cannot be tested during normal plant operation. The Frequency of [18] months is based on the refueling cycle, and has been shown to be acceptable through operating experience.
| |
| SR 3.7.4.4 is modified by a Note to suspend the provisions of SR 3.0.4 for entry into MODE 3 for purposes of testing the turbine driven EFW pumps due to insufficient amount of d
| |
| steam in MODES 4, 5, and 6 to perform a valid test.
| |
| SR 3.7.4.5 1
| |
| This SR ensures that the EFW System is properly aligned by demonstrating the flow path to each steam generator prior to entering MODE 2 operation, after > 30 days in MODE 5 or 6.
| |
| OPERABILITY of EFW flow paths must be demonstrated before sufficient core heat is generated requiring operation of the EFW System during a subsequent shutdown. The Frequency is based on the probability of improper valve lineups occurring during an extended outage. This SR ensures that the flow path from the EFWST to the steam generators is properly aligned by requiring a verification of flow.
| |
| O (continued)
| |
| SYSTEM 80+ B 3.7-23 Rev. 00 16A Tech Spec Bases
| |
| | |
| EFW B 3.7.4 O
| |
| BASES (continued)
| |
| REFERENCES 1. Chapter 10.
| |
| : 2. NRC Generic Letter 88-03, " Resolution of Generic Safety Issue 93, " Steam Binding of Auxiliary Feedwater Pumps", February 17, 1988.
| |
| : 3. American Society for Mechanical Engineers, Boiler and Pressure Vessel Code, Section XI, Inservice Inspection, Article IWV-3400 " Inservice Tests -
| |
| Category A and B Valves."
| |
| : 4. 10 CFR 50, Appendix A, GDC 34 - Residual Heat Removal.
| |
| : 5. NUREG-0800, " Standard Review Plan", (SRP) Section 10.4.9, Rev. 2, " Auxiliary Feedwater System (PWR)."
| |
| : 6. Branch Technical Position ASB 10-1, " Design Guidelines for Auxiliary Feedwater System Pump Drive and Power '
| |
| Supply Diversity for Pressurized Water Reactor Plants."
| |
| O O
| |
| SYSTEM 80+ B 3.7-24 Rev. 00 16A Tech Spec Bases
| |
| | |
| EFWST ;
| |
| - B 3.7.5: ;
| |
| B 3.7 PLANT SYSTEMS ,
| |
| t B 3.7.5 Emergency Feedwater Storage Tank (EFWST) ,
| |
| t BASES 2 ==
| |
| 1( .
| |
| BACKGROUND The Emergency Feedwater Storage Tanks EFWSTs) provide a safety grade source of water for reme ing decay and sensible j i
| |
| heat from the Reactor' Coolant Syster (RCS) during emergency !
| |
| J- phases of the plant. The EFWST pre ides a passive flow of !
| |
| {
| |
| water by gravity to the emergency teedwater.(EFW) pumps.-
| |
| t The EFW pumps supply this water to the steam generators to :
| |
| remove heat from the RCS. The steam produced is released to ,
| |
| the atmosphere by the main steam safety valves (MSSVs) or
| |
| 'the atmospheric dump valves (ADVs). !
| |
| 4 When the main steam isolation valves (MSIVs) are open, the preferred means of heat removal is to discharge steam to the ;
| |
| i condenser by the non-safety grade path'of the turbine bypass !
| |
| valves. This has the advantage of conserving condensate i while minimizing releases to the environs. j t -
| |
| There are two EFWSTs, each tank provides suction head for one motor-driven and one steam-driven EFW pump.
| |
| A normal locked closed, local manually operated isolation valve is provided for each EFWST to provide separation. A i line connected to a non-safety source of condensate is also provided with local manual isolation so that it can be manually aligned for gravity feed to either of the EFWSTs, i should the EFWSTs reach low level before Shutdown Cooling System entry conditions are reached.
| |
| Each tank contains 100% of the total required water supply.
| |
| l
| |
| ^
| |
| A descrsption of the EFWST is found in Chapter 10 (Ref. 1).
| |
| t Because the EFWST is a principal component in removing residual heat from the RCS, it is designed to withstand earthquakes and other natural phenomena, as well as missiles i which might be generated by natural phenomena. ;
| |
| i The water. volume of each EFWST = [350,000] gallons is determined by the quantity required to achieve safe cold shutdown considering:-
| |
| , i
| |
| !b l
| |
| l' (continued) l I
| |
| e SYSTEM 80+ B 3.7-25 Rev. 00 16ALTech Spec Bases i
| |
| -. ,- - ~ . _._.I
| |
| | |
| EFWST B 3.7.5 O
| |
| BASES BACKGROUND a. A main feedline break without isolation of EFW flow to (continued) the affected steam generator for 30 minutes.
| |
| : b. Refill of the intact steam generator.
| |
| : c. Eight hours of c pration at hot standby conditions,
| |
| : d. Subsequent cooldown of RCS within six hours to conditions which permit operation of the Shutdown Cooling System.
| |
| : e. Continuous operation of one reactor coolant pump.
| |
| At the end of this cooldown, the EFWST level must be sufficient to ensure adequate NPSH for the operating EFW j pumps.
| |
| The EFWST is one of the systems required to meet GDC 34 and GDC 44 regarding the capability to remove decay heat and transfer it to an Ultimate Heat Sink. ;
| |
| O' APPLICABLE The EFWST provides cooling water to remove decay heat and SAFETY ANALYSES cooldown the plant following all events in the accident analysis, Chapters 6 and 15. For anticipated operating occurrences and accidents which do not affect the operability of the steam generators, the analysis assumption is generally 30 minutes at MODE 3, steaming through the MSSVs, followed by a cooldown to Shutdown Cooling entry conditions at the design cooldown rate.
| |
| The Chapters 6 and 15 accident analysis does not form the basis for the EFWST volume as the events analyzed require 4 less condensate than the design basis. The limiting event I for the condensate volume is the large feedwater line break l with a loss of offsite power. Single failures that also affect this event include; 1) the failure of the diesel generator powering the motor driven EFW pump to the unaffected steam generator (requiring additional steam to drive the remaining EFW pump's turbine); and 2) the failure of the steam driven EFW pump. These are not usually the limiting failures in terms of consequences for these events.
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-26 Rev. 00 16A Tech Spec Bases
| |
| | |
| EFWST B 3.7.5 BASES APPLICABLE The EFWST satisfies Criterion 3 of the NRC Policy Statement SAFETY ANALYSES because it is in the primary success path for all events in (continued) which the steam genvators are available for heat removal from the RCS.
| |
| LC0 To satisfy accident analysis assumptions, the EFWST must contain sufficient cooling water to remove decay heat for 30 minutes following a reactor trip from 102% RATED THERMAL POWER and then cooldown the RCS to Shutdown Cooling entry I conditions, assuming a loss of offsite power and the most adverse single failure. In doing this it must retain j sufficient water to ensure adequate NPSH for the EFW pumps i during the cooldown, as well as to account for any losses !
| |
| from the steam driven EFW pump's turbine, or before isolating EFW to a broken line.
| |
| The specified usable volume of a (350,000] gallons is based on holding the plant in MODE 3 for eight hours followed by a p cooldown to Shutdown Cooling entry conditions at
| |
| [100*F/ hour]. This bases is established by BTP RSB 5-1 V (Ref. 2) and exceeds the volume required by the accident analysis.
| |
| APPLICABILITY The required condensate volume must be available whenever the steam generators provide the heat sink for the RCS.
| |
| Once a coolda u commences, the condensate volume may be reduced by using it for the cooldown. Proceeding with the cooldown ensures that the plant can reach Shutdown Cooling entry conditions on the available condensate inventory.
| |
| In MODES 5 and 6 the steam generators are not required for cooldown, and the inventory in the EFWST is not required, l
| |
| ACTIONS A.1 and A.2 If the EFWST level is not within the limit, the OPERABILITY of the other EFWST must be verified by administrative means within 4 hours.
| |
| l p
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-27 Rev. 00 16A Tech Spec Bases
| |
| | |
| EFWST B 3.7.5 O
| |
| BASES ACTIONS A.1 and A.2 (continued)
| |
| OPERABILITY of the other EFWST must include verification of the OPERABILITY of flow paths from the tank to the EFW pumps, and availability of the required volume of water.
| |
| The EFWST level must be returned to OPERABLE status within 7 days. The 4 hour Completion Time is reasonable, based on operating experience, to verify the OPERABILITY of the other EFWST. The 7 days Completion Time is reasonable, based on an OPERABLE EFWST being available.
| |
| B.1 and B.2 When a Required Action cannot be completed within the Completion Time, a controlled shutdown should be commenced.
| |
| Six hours is a reasonable time, based on operating experience, to reach MODE 3 from full power conditions without challenging plant systems.
| |
| Continuing the plant sh.utdown begun in Required Action B.1,
| |
| [18] hours is a reasonable time, based on operating experience, to reach MODE 4 from full power conditions without challenging plant systems.
| |
| SURVEILLANCE SR 3.7.5.1 REQUIREMENTS Checking the EFWST level a [350,000] gallons verifies that the EFWST contains the required volume of cooling water.
| |
| Checking once per 12 hours is adequate because the operator will be aware of plant evolutions which can affect the EFWST inventory between checks.
| |
| REFERENCES 1. Chapter 10.
| |
| : 2. Branch Technical Position RSB 5-1, " Design Requirements for the Residual Heat Removal System."
| |
| O SYSTEM 80+ B 3.7-28 Rev. 00 16A Tech Spec Bases
| |
| | |
| . - -. - .- - . . - . - - - . . . -.- .- - ~ -
| |
| Secondary Specific Activity !
| |
| E- B 3.7.6 !
| |
| 4
| |
| : C' B 3.7 PLANT SYSTEMS i
| |
| l B 3.7.6 Secondary Specific Activity l
| |
| BASES j BACKGROUND Activity in the secondary coolant results from steam generator tube out-leakage from the Reactor Coolant System j (RCS). Under steady-state conditions, the activity is- .
| |
| primarily iodines with relatively short~ half-lives, and thus !
| |
| is indicative of current conditions. During transients, I- !
| |
| 131 spikes have been observed as well as increased releases l l
| |
| of some noble gases. Other fission product isotopes, as
| |
| : well as activated corrosion products in lesser amounts, may :
| |
| also be found in the secondary coolant. i A 1.init on secondary coolant specific activity during power !
| |
| operction minimizes releases to the environment because of normal operation, ~ anticipated operational occurrences, and accidents, i The LCO limit is lower than the activity value which might
| |
| ;p be expected from a 1.0 gpm tube leak, LCO 3.4.12, Operational Leakage", of-primary coolant at the limit of 1.0 "RCS
| |
| : i. !
| |
| Ci/ gram, LCO 3.4.15, "RCS Specific Activity." The steam i line failure is assumed to result in the release of the ,
| |
| noble gas and iodine activity contained in the steam
| |
| ^
| |
| generator inventory, the feedwater, and reactor coolant !
| |
| LEAKAGE. Most of the iodine isotopes have short half-lives, (i.e., less than 20 hours). I-131 with a half-life of 8.04 days concentrates faster than it decays, but does not !
| |
| reach equilibrium because of blowdown and other losses. t With the specified activity limit, the resultant two-hour thyroid dose to a person at the exclusion area boundary
| |
| :- would be about [.13 rem] should the MSSVs open for the two hours following a trip from full power. Operating the plant at the allowable limits results in a 2-hour Exclusion Area a Boundary (EAB) exposure of a small fraction of the 10 CFR 100 (Ref. 1) limits. ;
| |
| , APPLICABLE The accident analysis of the MSLB failure (Ref. 2) assumes SAFETY ANALYSES- the initial secondary coolant specific activity to have a radioactive isotope concentration of 0.1 Ci/gm DOSE l (continued)
| |
| SYSTEM 80+' B 3.7-29 Rev. 00 116A Tech. Spec Bases-
| |
| | |
| Secondary Specific Activity B 3.7.6 O
| |
| BASES APPLICABLE EQUIVALENT I-131. This assumption is used in the analysis SAFETY ANALYSES for determining the radiological consequences of the (continued) postulated accident. The accident analysis, based on this and other assumptions, shows that the radiological consequences of a MSLB do not exceed a small fraction of the plant exclusion area boundary limits of 10 CFR 100 for whole body and thyroid dose rates.
| |
| With the loss of offsite power, the remaining steam generator is available for core decay heat dissipation by venting steam to the atmosnhere through the main steam safety valves (MSSVs) and steam generator atmospheric dump valves (ADVs). The Emergency Feedwater System supplies the necessary makeup to the steam generator. Venting continues until the reactor coolant temperature and pressure has decreased sufficiently for the Shutdown Cooling System to complete the cooldown. 1 In the evaluation of the radiological consequences of this accident, the activity released from the steam generator connected to the failed steam line is assumed to be released directly to the environment. The unaffected steam generator is assumed to discharge steam and any entrained activity through the MSSVs and ADVs during the event.
| |
| Other accidents that cause the release of secondary steam to the environment are the SGTR, RCP locked rotor, letdown line break, feedwater line break, and control element assembly ejection.
| |
| Secondary specific activity limits satisfy Criterion 2 of the NRC Policy Statement.
| |
| LC0 As indicated in the Applicable Safety Analyses, the specific i activity limit in the secondary coolant system of s [0.1] i Ci/gm DOSE EQUIVALENT I-131 is required to limit the radiological consequences of a DBA to a small fraction of 10 CFR 100.
| |
| (continued) l SYSTEM 80+ B 3.7-30 Rev. 00 16A Tech Spec Bases l l
| |
| | |
| Secondary Specific Activity B 3.7.6 c
| |
| BASES LC0 Monitoring the specific activity of the secondary coolant (continued) ensures that when secondary specific activity limits are ,
| |
| exceeded, appropriate actions are taken in a timely manner to place the unit in an operational MODE that would minimize the radiological consequences of a DBA.
| |
| 1 APPLICABILITY In MODES 1, 2, 3 and 4 the limits on secondary specific activity apply due to the potential secondary steam releases to atmosphere.
| |
| In MODES 5 and 6, the steam generators are not being used t for heat removal. Both the RCS and steam generators are depressurized, and primary to secondary LEAKAGE is minimal.
| |
| Therefore, monitoring of secondary activity is not required.
| |
| ACTIONS A.1 and A.2
| |
| *( DOSE EQUIVALENT I-131 exceeding the allowable value is an indication of a problem in the RCS, as well as contributing to increased post-accident doses. The plant should be shut dcwn in an orderly manner to minimize the increased DOSE EQUIVALENT I-131 in the RCS, potentially increasing the secondary activity even further. An orderly shutdown also minimizes potential releases to the environs. The plant must be placed in a MODE in which the requirement does not apply if Secondary Activity cannot be restored to within limits in the associated Completion Time. This is done by placing the plant in at least MODE 3 in six hours and in MODE 5 in 36 hours. The allowed Completion Times are reasonable based on operating experience to reach the required MODES from full power operation without challenging plant systems.
| |
| SURVEILLANCE SR 3.7.6.1 '
| |
| REQUIREMENTS This SR ensures that the Secondary Activity is within the limits of the accident analysis. A Gamma Isotopic analysis of the secondary coolant, which determines DOSE EQUIVALENT I-131, confirms the validity of the accident analysis assumptions as to the source terms in post-accident J (continued)
| |
| SYSTEM 80+ 8 3.7-31 Rev. 00 16A_ Tech Spec _ Bases
| |
| | |
| Secondary Specific Activity B 3.7.6 O
| |
| BASES SURVEILLANCE SR 3.7.6.1 (continued)
| |
| REQUIREMENTS releases. It also serves to identify and trend any unusual isotopic concentrations which might indicate changes in reactor coolant activity or LEAKAGE. The [31] day Frequency allows the level of DOSE EQUIVALENT I-131 to be monitored, increasing trends to be detected, and appropriate action to be taken to maintain levels below the LC0 limit.
| |
| REFERENCES 1. 10 CFR 100, " Site Dose Criteria".
| |
| : 2. Chapter 15.
| |
| O l
| |
| l 1
| |
| l 1
| |
| (continued) ,
| |
| SYSTEM 80+ B 3.7-32 Rev. 00 l 16A Tech Spec Bases l 1
| |
| | |
| CCW B 3.7.7 O
| |
| B 3.7 PLANT SYSTEMS B 3.7.7 Component Cooling Water (CCW) System BASES ,
| |
| BACKGROUND The Component Cooling Water System (CCWS) is a closed loop cooling water system which cools components and heat exchangers connected to the CCWS. The CCWS is capable of removing sufficient heat using various combinations of pumps and heat exchangers to:
| |
| : a. Ensure a safe reactor shutdown coincident with loss of offsite' power;
| |
| : b. Perform a normal shutdown cooling of the reactor within 24 hours- ,
| |
| : c. Perform a safety grade shutdown cooling of the reactor '
| |
| within 24 hours;
| |
| : d. Perform post LOCA cooling;
| |
| : e. Perform normal power operation cooling.
| |
| The CCWS consists of two separate, independent, redundant, closed loop, safety related divisions. Either division of the CCWS is capable of supporting 100% of the cooling functions required for a safe reactor shutdown.
| |
| Each division of the CCWS includes two heat exchangers, a surge tank, two component cooling water pumps, a chemical addition tank, a component cooling water radiation monitor, two sump pumps, a component cooling water heat exchanger structure sump pump, piping, valves, controls, and l instrumentation. No cross connections between the two divisions exist. The CCWS provides cooling water to essential and non-essential components.
| |
| The non-essential headers and the spent fuel pool cooling heat exchangers are isolated automatically on an SIAS. If these headers fail to isolate, the idle component cooling j water pump in the respective loop will automatically start )
| |
| on a low pump differential pressure signal. This assures that there is no. flow degradation to the safety related r
| |
| .t (continued) i SYSTEM 80+ B 3.7-33 Rev. 00 16A Tech Spec Bases
| |
| | |
| l I
| |
| l CCW l B 3.7.7 O\
| |
| BASES I BACKGROUND (continued) components. The non-essential headers and the RCP headers isolate on a low-low surge tank level.
| |
| Makeup water to the CCWS is normally supplied by the Demineralized Water System. The backup makeup water source is from the Station Service Water System (SSWST).
| |
| The CCWS serves as an intermediate cooling water system between the Reactor Coolant System (RCS) and the SSWS. A radiation monitor is provided at the outlet of the component cooling water pumps to detect any radioactive leakage into the CCWS.
| |
| Additional information on the design and operation of the system, along with a list of components served, can be found in Chapter 9 (Ref. 1).
| |
| APPLICABLE The CCWS, in conjunction with the Station Service Water SAFETY ANALYSES System (SSWS) and the Ultimate Heat Sink (VHS), is capable of removing sufficient heat from the essential heat exchangers to ensure a safe reactor shutdown and cooling following a postulated accident coincident with a loss of offsite power.
| |
| The CCWS, in conjunction with the SSWS, is capable of maintaining the outlet temperature of the component cooling water heat exchanger within the limits of 65 and 120 F during a design basis accident with loss of offsite power.
| |
| A single failure of any component in the CCWS will not impair the ability of the CCWS to meet its functional requirements.
| |
| The CCWS, in conjunction with the SCS and SSWS, is designed to cool the reactor coolant from 350 F to 140 F through the shutdown cooling heat exchangers and the component cooling water heat exchangers. The reactor can be cooled to 140 F within 24 hours after reactor shutdown by first cooling the reactor coolant to 350 F through the steam generators and then cooling to 140*F by utilizing both divisions of SCS, CCWS, and SSWS.
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-34 Rev. 00 16A Tech Spec Bases
| |
| | |
| CCW B 3.7.7
| |
| (~'N '
| |
| G BASES APPLICABLE The CCWS satisfies Criterion 3 of the NRC Policy Statement.
| |
| SAFETY ANALYSES (continued)
| |
| LC0 The CCWS divisions are completely independent of each other to the degree that each has separate controls, power supplies, and the operation of one does not depend on the other. In the event of a DBA, one OPERABLE division of the CCWS is required to provide the minimum heat removal capability assumed in the safety analysis for the systems to which it supplies cooling water. To ensure this requirement is met, two divisions of CCWS must be OPERABLE. At least one division will operate assuming the worst single active failure occurs coincident with the loss of off-site power.
| |
| A division is considered OPERABLE when:
| |
| : a. it has an OPERABLE pump and associated surge tank, and
| |
| : b. the associated piping, valves, heat exchanger and l instrumentation and controls required to perform O'
| |
| safety related functions are OPERABLE. l The isolation of CCW to other components or systems may l render those components or systems inoperable, but does not (
| |
| affect the OPERABILITY of the CCW System.
| |
| APPLICABILITY In MODES 1, 2, 3, and 4 the CCW System is a normally operating system, which must be available to perform its post-accident safety functions, primarily RCS heat removal, by cooling the Shutdown Cooling Heat Exchanger.
| |
| In MODES 5 and 6, the OPERABILITY requirements of the CCW System are determined by the system (s) its supports.
| |
| ACTIONS A_d Required Action A.1 is modified by two Notes indicating the requirement of entry into the applicable Conditions and Required Actions of LCO 3.4.6, "RCS Loops-MODE 4," for SCS (continued)
| |
| SYSTEM 80+ B 3.7-35 Rev. 00 16A Tech Spec Bases 1
| |
| | |
| CCW B 3.7.7 0.
| |
| BASES ACTIONS L1 (continued) made inoperable by CCW and LCO 3.8.1, "AC Sources-Operating," for DGs made inoperable by CCW. This is an exception to LC0 3.0.6 and ensures the proper actions are taken for these components.
| |
| In MODES 1, 2, 3 or 4 with one CCW division inoperable, action must be taken to restore OPERABLE status within 72 hours. In this Condition, the remaining OPERABLE CCW ;
| |
| division is adequate to perform the heat removal function.
| |
| The 72 hour Completion Time is based on the redundant !
| |
| capabilities afforded by the OPERABLE division and the low !
| |
| probability of a DBA occurring during this period.
| |
| B.1 and 8.2 If the CCW division cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LC0 does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours and in MODE 5 within 36 hours.
| |
| h ,
| |
| I The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without I challenging unit systems.
| |
| l ful Required Action C.1 is modified by a Note indicating the requirement of entry into the applicable Conditions and Required Actions of: LC0 3.4.7, "RCS Loops - MODE 5 (Loops Filled)", LC0 3.4.8, "RCS Loops - MODE 5 (Loops Not Filled)", LC0 3.8.2, "AC Sources - Shutdown", LC0 3.9.4,
| |
| " Shutdown Cooling System (SCS) and Coolant Circulation -
| |
| High Water Level", and LC0 3.9.5, " Shutdown Cooling System (SCS) and Coolant Circulation - Low Water Level". This is .
| |
| an exception to LCO 3.0.6. l (continued)
| |
| SYSTEM 80+ B 3.7-36 Rev. 00 16A Tech Spec Bases
| |
| | |
| CCW l B 3.7.7 i "O BASES i
| |
| ACTIONS [.d (continued)
| |
| : t In MODES 5 or 6 with required CCW division (s) inoperable,
| |
| ~
| |
| actions must be taken to restore OPERABLE status , ;
| |
| immediately. The immediate Completion Time reflects the importance of maintaining operation for decay heat removal. ,
| |
| l
| |
| . SURVEILLANCE SR 3.7.7.1 [
| |
| '. REQUIREMENTS .
| |
| ; Verifying the correct alignment for manual, power operated, !
| |
| and automatic valves in the CCW flow path provides assurance l l
| |
| that the proper flow paths exist for CCW operation. This SR does not apply to valves which are locked, sealed, or !
| |
| - otherwise secured in position, since they were' verified to ;
| |
| be in the correct position prior to locking, sealing, or .
| |
| securing. This SR also does not apply to valves which cannot be inadvertently misaligned, such as check valves. !
| |
| This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those i valves capable of potentially being mispositioned are in their correct positions.
| |
| This SR is modified by a Note indicating that the isolation of the CCW components or systems may render those components inoperable but does not affect the OPERABILITY of the CCW l System.
| |
| The 31 day Frequency is based on engineering judgment, is 1 consistent with the procedural controls governing valve !
| |
| : operation, and ensures correct valve positions.
| |
| e i F SR 3.7.7.2
| |
| ' .This SR verifies proper automatic operation of the CCW )
| |
| valves on an actual or simulated actuation signal. The CCW !
| |
| System is a normally operating system that cannot be fully actuated as part of routine testing during normal operation.
| |
| The [18] month Frequency is based on the need to perform !
| |
| this Surveillance under the conditions that~ apply during a j unit outage and the potential for an unplanned transient if 4 the Surveillance were performed with the reactor at power.
| |
| ' Operating experience has shown that these components usually (continued) ,
| |
| . SYSTEM 80+. .
| |
| B 3.7-37 Rev. 00 l16A Tech Spec Bases
| |
| -. _ _ , . . , - ~ . _ . _ , _ , < -
| |
| | |
| CCW l B 3.7.7 O
| |
| BASES l
| |
| SURVEILLANCE SR 3.7.7.2 (continued)
| |
| REQUIREMENTS pass the Surveillance when performed at the [18] month Frequency. Therefore, the Frequency is acceptable from a reliability standpoint.
| |
| SR 3.7.7.3 This SR verifies proper automatic operation of the CCW pumps on an actual or simulated actuation signal. The CCW System is a normally operating system that cannot be fully actuated as part of routine testing during normal operation. The
| |
| [18] month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.
| |
| Operating experience has shown these components usually pass the Surveillance when performed at the [18] month Frequency.
| |
| Therefore, the Frequency is acceptable from a reliability standpoint.
| |
| O REFERENCES 1. Chapter 9.
| |
| O SYSTEM 80+ B 3.7-38 Rev. 00 16A Tech Spec Bases
| |
| | |
| l l SSWS- l B 3.7.8 !
| |
| lO B 3.7' PLANT' SYSTEMS l B 3.7.8 Station Service ~ Water System (SSWS)
| |
| ! BASES
| |
| )
| |
| BACKGROUND ~ The Station Service Water System (SSWS) provides.a heat sink i for the removal of process and operating heat from safety ,
| |
| related components during a. transient or DBA. . During normal operation or a normal shutdown, the SSWS also provides this :
| |
| function for various safety related and non-safety related ;
| |
| components through the CCWS. l The SSWS consists of two separate, redundant, open loop, )
| |
| safety related divisions. Each division cools one of two 1 divisions of the CCWS, which in turn cools 100% of the ,
| |
| safety-related loads. The SSWS operates at a lower pressure ;
| |
| than the CCWS to prevent contamination of the CCWS with raw :
| |
| water.
| |
| Each division of the SSWS consists of two pumps, two strainers, two sump pumps, and associated piping, valves, i controls and instrumentation. The station service water O pumps circulate cooling water to the component cooling water heat exchanger and back to the ultimate heat sink.
| |
| Provisions are made to ensure a continuous flow of cooling water under normal and accident conditions.
| |
| Additional information about the design and operation of the SSWS, along with a list of the components served, can be found in Chapter 9 (Ref. 1).
| |
| APPLICABLE The SSWS, in conjunction with the Component Cooling Water SAFETY ANALYSES System (CCWS) and Ultimate Heat Sink (VHS), is capable of removing sufficient heat to ensure a safe reactor shutdown coincident with a loss of offsite power.
| |
| The SSWS is capable of maintaining the CCWS supply temperature of 120*F or less following the design basis accident under the most adverse historical meteorological conditions consistent with the intent of Regulatory Guide 1.27.
| |
| (continued)
| |
| SYSTEM _80+1 . .
| |
| B 3.7-39 Rev. 00 E16A Tech Spec Bases
| |
| -_u._ _ _ _ _ ~ _ _ _ _ _ _ _ _ _ _ _
| |
| | |
| SSWS B 3.7.8 O
| |
| BASES APPLICABLE A single failure of any component in the SSWS will not SAFETY ANALYSES impair the ability of the SSWS to meet its functional (continued) requirements.
| |
| The SSWS, in conjunction with the CCWS and SCS, is designed to cool the reactor coolant from 350 F to 140 F through the shutdown cooling heat exchangers and the component cooling water heat exchangers. The reactor coolant system can be cooled to 140 F within 24 hours after reactor shutdown by first cooling the reactor coolant to 350 F through the steam generators and then cooling the reactor coolant to 140 F by utilizing both divisions of the SCS, CCWS, and SSWS.
| |
| The SSWS, in conjunction with the CCWS, is designed to provide a maximum component cooling water temperature of 105*F or less during normal operating MODES.
| |
| The SSWS satisfies Criterion 3 of the NRC Policy Statement.
| |
| LC0 Two SSWS divisions provide the required redundancy to ensure the system functions to remove post-accident heat loads, g
| |
| assuming the worst single active failure occurs coincident with the loss of off-site power.
| |
| An SSWS division is considered OPERABLE when:
| |
| : 1. An associated pump is OPERABLE; and
| |
| : 2. The associated piping, valves, instrumentation, and strainer on the safety related flowpath are OPERABLE.
| |
| APPLICABILITY In MODES 1, 2, 3, and 4 the SSWS system is a normally operating system, which is required to support the OPERABILITY of the equipment serviced by the SSWS and
| |
| . required to be OPERABLE in these MODES.
| |
| In MODES 5 and 6, the OPERABILITY requirements of the SSWS are determined by the system (s) it supports.
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-40 Rev. 00 16A Tech Spec Bases
| |
| | |
| L i
| |
| SSWS l
| |
| B 3.7.8
| |
| . BASES (continued)
| |
| . ACTIONS Ad In MODES 1, 2, 3 and 4 with one' SSWS division inoperable,
| |
| . action must be taken to restore OPERABLE status within 72 hours. In this condition, the remaining OPERABLE SSWS division is adequate to perform the heat removal function.
| |
| However, the overall reliability is reduced because a single
| |
| : failure in the OPERABLE SSWS division could result in reduced heat removal capability. Required Action A.1 is modified by a Note. The Note. indicates that the applicable Conditions of LCO 3.7.7, " Component Cooling Water (CCW)
| |
| System" should be entered if the inoperable SSWS train results in an inoperable CCW division. This is an exception to LCO 3.0.6. . The 72 hour Completion Time is based on the redundant capabilities afforded by the OPERABLE division, and the low probability of a DBA occuring during this time period..
| |
| , B.1 and B.2 The unit must be placed in a MODE in which the requirement does not apply if tha SSWS division cannot be restored to OPERABLE status in the associated Completion Time. This is done by placing the plant in at least MODE 3 in 6 hours and in MODE 5 in 36 hours. The allowed Completion Times are reasonable based on operating experience to reach the required MODES from full power operation without challenging unit systems.
| |
| C.d Required Action C.1 is modified by a Note indicating the requirement of entry into the applicable Cwditions and Required Actions of LC0 3.7.7 " Component Cooling Water _(CCW)
| |
| System," for CCW made inoperable by SSWS.
| |
| In MODES 5 or 6 with required SSWS division (s) inoperable, actions must be taken to restore OPERABLE status immediately. -The immediate Completion Time reflects the importance of maintaining operation for decay heat removal.
| |
| O (continued)
| |
| SYSTEM.80+ B 3.7-41 Rev. 00 16A Tech Spec Bases
| |
| | |
| SSWS B 3.7.8 O
| |
| BASES (continued)
| |
| SURVEILLANCE SR 3.7.8.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and motor operated, valves in the SSWS flowpath provides assurance that the proper flowpaths exist for SSWS operation. This SR does not apply to valves which are locked, sealed, or otherwise secured in position, since they were verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves which cannot be inadvertently misaligned, such as check valves.
| |
| Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR is modified by a Note indicating that the isolation of the SSWS components or systems may render those components inoperable but does not affect the OPERABILITY of the SSWS.
| |
| The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions. i SR 3.7.8.2 The SR verifies proper automatic operation of the SSWS pumps on an actual or simulated actuation signal. The SSWS is a normally operating system that cannot be fully actuated as part of the normal testing during normal operation. The
| |
| [18] month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the l Surveillance were performed with the reactor at power.
| |
| Operating experience has shown that these components usually pass the Surveillance when performed at the (18] month l Frequency. Therefore, the Frequency is acceptable from a reliability standpoint.
| |
| REFERENCES 1. Chapter 9.
| |
| O SYSTEM 80+ B 3.7-42 Rev. 00 16A Tech Spec Bases
| |
| | |
| q l
| |
| ~ UHS B 3.7.9 -
| |
| O %
| |
| B 3i7 PLANT SYSTEMS B 3.7.9 Ultimate Heat Sink-(UHS)- !
| |
| q 1
| |
| BASES .
| |
| .J
| |
| -i BACKGROUND The. UHS provides a heat sink for process and operating heat j from safety related components during a Design Basis l Accident :(DBA) or transient, as well as during normal !
| |
| operation. This is done utili7.ing the Station Service Water ,
| |
| System (SSWS) and the Component Cooling Water (CCWS) System. j I The UHS has been defined as that complex of water sources, including necessary retaining' structures (e.g., a pond with j its dam, or.a river with its dam), and the canals or ,
| |
| conduits connecting the sources with, but not including, the i cooling water system intake structures, as discussed in. 1 Chapter 9 (Ref.1). If cooling towers or portions thereof )
| |
| -are required to accomplish the UHS safety functions, they l should meet the same requirements as the sink. The two i I
| |
| : principal functions of the UHS are the dissipation of L residual heat after reactor shutdown, and dissipation of
| |
| [ residual heat after an accident.
| |
| A variety of complexes _ are used to meet the requirements for a UHS. A lake or an ocean may qualify as a single source. '
| |
| [ If the complex includes a water source contained by a r' structure, it is likely that a second source will be ,
| |
| y required. !
| |
| l The basic performance requirements are that a 30 day supply. l of water be available, and that the design basis i temperatures of safety related equipment not be exceeded.
| |
| Basins of cooling. towers generally include less than a 30 day supply of water, typically 7 days or less. A 30 day supply would be dependent on another sourca(s) and a makeup system (s) for replenishing the source in the cooling tower basin. For smaller basin sources, which may be as small' as a 1 day supply, the' systems for replenishing the basin and ;
| |
| the backup source (s) become of sufficient importance that ,
| |
| the makeup system itself may be required to meet the same design-criteria-.as an Engineered Safety Feature (e.g.,
| |
| single failure ~ considerations, and multiple makeup water sources may'be required).
| |
| i-I (continued)
| |
| SYSTEM 80+- B 3.7-43 Rev. 00 16A Tech Spec Bases:
| |
| | |
| UHS B 3.7.9 O'
| |
| HASES BACKGROUND It follows that the many variations in the VHS (continued) configurations will result in many unit-to-unit variations in OPERABILITY determinations and SRs. The ACTIONS and SRs are illustrative of a cooling tower UHS without a makeup requirement.
| |
| Additional information on the design and operation of the system, along with a list of components served, can be found in Reference 1.
| |
| APPLICABLE The UHS removes heat from the reactor core following all SAFETY ANALYSES accidents and Anticipated Operational Occurrences (A00s) in which the plant is cooled down and placed on shutdown cooling. For those plants using it as the normal heat sink for condenser cooling via the Condenser Circulating Water System, plant operation at full power is its maximum heat load. Its maximum post-accident heat load occurs after a design basis Loss Of Coolant Accident (LOCA). At this time, recirculation of the IRWST through the Containment Spray System and Safety Injection System is required to remove the core decay heat.
| |
| h The operating limits are based on a conservative heat transfer analyses for the worse case LOCA. Refer te ,ter 9 (Ref.1) for details of the assumptions used ir. ...e analysis. These assumptions include: worst expected meteorological conditions, conservative uncertainties when calculating decay heat, and the worst case single active failure. The UHS is designed in accordance with Regulatory Guide 1.27 (Ref. 2) which requires a 30 day supply of cooling water in the VHS.
| |
| The Ultimate Heat Sink satisfies the requirements of Criterion 3 of the NRC Policy Statement.
| |
| LCO The UHS is required to be OPERABLE. The UHS is considered OPERABLE if it contains a sufficient volume of water at or below the maximum temperature that would allow the SSWS to operate for at least 30 days following the design basis LOCA without the loss of NPSH and without exceeding the maximum design temperature of the equipment served by the SSWS. To (continued) ,
| |
| SYSTEM 80+ B 3.7-44 Rev. 00 16A Tech Spec Bases
| |
| | |
| UHS B 3.7.9 O BASES '
| |
| 4 LCO meet this condition the UHS temperature should not exceed (continued) [95] F and the level should not fall below [*ft mean sea level] during normal plant operation.
| |
| APPLICABILITY In MODES 1, 2, 3, and 4 the UHS is normally operating and must be prepared to perform its post-accident safety functions, primarily RCS heat removal.
| |
| In MODES 5 and 6, the OPERABILITY requirements of the UHS are determined by the systems it supports.
| |
| ACTIONS Ad i
| |
| [If one or more cooling towers have one fan inoperable (i.e., up to one fan per cooling tower inoperable in MODES 1, 2, 3, or 4), action must be taken to restore the inoperable cooling tower fan (s) to OPERABLE status within 7 O days.
| |
| The 7 day Completion Time is reasonable, based on the low probability of an accident occurring during the 7 days that one cooling tower fan is inoperable, the number of available systems, and the time required to complete the action.]
| |
| B.1 and B.2 If [the cooling tower fan cannot be restored to OPERABLE status within the associated Completion Time, or if] the UHS is inoperable (for reasons other than Condition A], the unit must be placed in a MODE in which the LCO does not apply.
| |
| To achieve this status, the unit must be placed in at least MODE 3 within 6 hours and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
| |
| m
| |
| _) (continued)
| |
| SYSTEM 80+ B 3.7-45 Rev. 00 16A Tech Spec Bases
| |
| | |
| UHS B 3.7.9 O
| |
| BASES ACTIONS C.,1 (continued)
| |
| Required Action C.1 is modified by a Note indicating the requirement of entry into the applicable Conditions and Required Actions of LC0 3.7.8 " Station Service Water System (SSWS)", for the SSWS division (s) made inoperable by the VHS.
| |
| In MODES 5 or 6 with required UHS inoperable, actions must be taken to restore OPERABLE status immediately. The immediate Completion Time reflects the importance of maintaining operation for decay heat removal.
| |
| SURVEILLANCE SR 3.7.9.1 REQUIREMENTS
| |
| [This SR verifies adequate long tern, (30 days) cooling can be maintained. The level specified ensures enough net positive suction head (NPSH) available for operating the SSWS pumps. The 24-hour Frequency is based on operating experience related to the trending of the parameter variations during applicable MODES. This SR verifies that the VHS water level is 2 [* ft mean sea level).]
| |
| SR 3.7.9.2
| |
| [This SR verifies the SSWS is available to cool the CCWS to at least its maximum design temperature within the maximum accident or normal design heat loads for 30 days following a DBA. The 24-hour Frequency is based on operating experience related to the trending of the parameter variations during which temperature is s [95] F.]
| |
| SR 3.7.9.3
| |
| [0perating each cooling tower fan for 2 (15] minutes verifies that all fans are OPERABLE and that all associated controls are functioning properly. It also ensures that f an or motor failure or excessive vibration can be detected for l
| |
| * Value to be determined by system detail design.
| |
| (continued) i SYSTEM 80+ B 3.7-46 Rev. 00 l 16A Tech Spec Bases
| |
| | |
| I UHS B 3.7.9 O !
| |
| '_O ]
| |
| BASES
| |
| - 3 SURVEILLANCE SR 3.7.9.3 (continued)
| |
| REQUIREMENTS corrective action. The 31 day Frequency is based on operating experience, the known reliability of the fan ,
| |
| units, the redundancy available, and the low probability of significant degradation of the UHS cooling tower fans occurring between surveillances.] ,
| |
| REFERENCES 1. Chapter 9.
| |
| : 2. Regulatory Guide 1.27 (Rev. 01), " Ultimate Heat Sink for Nuclear Power Plants." -l
| |
| -l
| |
| -l O
| |
| 1 l
| |
| 1 i'
| |
| SYSTEM 80+ B 3.7-47 Rev. 00 16A Tech Spec Bases
| |
| | |
| Fuel Storage Pool Water Level B 3.7 PLANT SYSTEMS B 3.7.10 Fuel Storage Pool Water Level BASES BACKGROUND The minimum water level in the Fuel Storage Pool meets the assumptions of Iodine decontamination factors following a fuel handling accident. The specified water level shields and minimizes the general area dose when the storage racks are at their maximum capacity. The water also provides shielding during the movement of spent fuel.
| |
| A general description of the Fuel Storage Pool design is found in Chapter 9 (Ref. 1). The assumptions of the fuel handling accident are found in Chapter 15 (Ref. 2).
| |
| APPLICABLE The minimum water level in the Fuel Storage Pool meets the SAFETY ANALYSES assumptions of the fuel handling accident described in RG 1.25 (Ref. 3) . The resultant two hour thyroid dose to a person at the exclusion area boundary (EAB) is well within the 10 CFR 100 (Ref. 4) limits.
| |
| According to Reference 3, there is 23 feet of water between the top of the damaged fuel bundle and the fuel pool surface for a fuel handling accident. With 23 feet water level, the assumptions of Reference 3 can be used directly. In practice, this LC0 preserves this assumption for the bulk of the fuel in the storage racks. In the case of a single bundle, dropped and lying horizontally on top af the spent fuel racks, however, there may be less than 23 feet above the top of the fuel bundle and the surface by the width of the bundle. To offset this small non-conservatism, the analysis assumes that all 236 fuel rods fail, although analysis shows that only the first four rows, 60 fuel rods, fail from a hypothetical maximum drop.
| |
| The fuel storage pool water level satisfies Criterion 3 of the NRC Policy Statement.
| |
| I (continued)
| |
| O SYSTEM 80+ B 3.7-48 Rev. 00 16A Tech Spec Bases
| |
| | |
| Fuel Storage Pool Water Level B 3.7.10 (v~\
| |
| BASES (continued)
| |
| LCO The specified water level preserves the assumptions of the fuel handling accident analysis (Ref. 2). As such, it is the minimum required for irradiated fuel storage within the fuel storage pool.
| |
| APPLICABILITY This LCO applies whenever irradiated fuel is in the Fuel Storage Pool because the potential for a release of fission products exists.
| |
| ACTIONS M Required Action A.1 is modified by a Note indicating that LC0 3.0.3 does not apply.
| |
| When the initial conditions for an accident cannot be met, i steps should be taken to preclude the accident from l occurring. When the fuel storage pool water level is lower .
| |
| than the required level, the movement of irradiated fuel l n assemblies in the fuel storage pool is immediately l V suspended. This effectively precludes a spent fuel handling accident from occurring. This does not preclude moving a fuel assembly to a safe position.
| |
| If moving irradiated fuel assemblies while in MODE 5 or 6, LC0 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODES 1, 2, 3, and 4, the fuel movement is independent of reactor operations.
| |
| Therefore, in either case, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to l require a reactor shutdown.
| |
| SURVEILLANCE SR 3.7.10.1 REQUIREMENTS This SR verifies sufficient fuel storage pool water is available in the event of a fuel handling accident. The water level in the fuel storage pool must be checked periodically. The 7 day Frequency is appropriate because
| |
| 'n v (continued)
| |
| SYSTEM 80+ B 3.7-49 Rev. 00 16A Tech Spec Bases
| |
| | |
| Fuel Storage Pool Water Level B 3.7.10 0
| |
| BASES SURVEILLANCE SR 3.7.10.1 (continued)
| |
| REQUIREMINTS the volume in the pool is normally stable. Water level changes are controlled by plant procedures and are acceptable, based on operating experience.
| |
| During refueling operations, the level in the fuel storage pool is in equilibrium with the refueling canal, and the level in the refueling canal is checked daily in accordance with LC0 3.9.6, " Refueling Water Level ."
| |
| REFERENCES 1. Chapter 9.
| |
| : 2. Chapter 15,
| |
| : 3. Regulatory Guide 1.25 (Rev. 00), " Assumptions Used for Evaluating the Potential Radiological Consequences of a Fuel Handling Accident in the Fuel Handling and Storage Facility for Boiling and Pressurized Water Reactors."
| |
| : 4. 10 CFR 100, Reactor Site Criteria.
| |
| O SYSTEM 80+ B 3.7-50 Rev. 00 16A Tech Spec Bases
| |
| | |
| ADVs B 3.7.11
| |
| (- B 3.7 PLANT SYSTEMS ]
| |
| B 3.7.11 Atmospheric Dump Valves (ADVs) ;
| |
| BASES BACKGROUND The Atmospheric Dump Valves (ADVs) provide a safety grade !
| |
| method for. cooling the plant to Shutdown Cooling System (SCS) entry conditions should the preferred heat sink via the Steam Bypass System to the condenser not be available.
| |
| This is done in conjunction with the Emergency Feedwater System providing cooling water from the Emergency Feedwater '
| |
| Storage Tank (EFWST). The ADVs may also be required to meet the design cooldown rate during a normal cooldown when steam pressure drops too low for maintenance of a vacuum in the ,
| |
| condenser to permit use of the Steam Bypass System. l i
| |
| Four ADV lines are provided. Each ADV line consists of one l ADV and an associated block valve. Two ADV lines per steam :
| |
| generator are required to meet single failure assumptions following an event rendering one steam generator unavailable for Reactor Coolant System (RCS) heat removal.
| |
| ' The ADVs are provided with upstream block valves to permit their being tested at power and to provide an alternate means of isolation. The ADVs are electrically operated with !
| |
| internal solenoid operated pilot valves and electronic valve i positioning circuits to permit control of the cooldown rate.
| |
| The ADVs are OPERABLE with only a DC power source available.
| |
| A description of the ADVs is found in Chapter 10. (Ref. 1).
| |
| APPLICABLE The design basis of the Atmospheric Dump Valves (ADVs) is SAFETY ANALYSES established by the the capability to cool the plant to )
| |
| shutdown cooling entry conditions at the design rate of l
| |
| [100 F/hr] using both steam generators, each with two ADVs. !
| |
| This design is adequate to cool the plant to SCS entry conditions with only one ADV and one steam generator utilizing the cooling water supply available in the EFWST.
| |
| [
| |
| V (continued) l
| |
| 'l SYSTEM 80+ B 3.7-51 Rev. 00 16A Tech Spec Bases l
| |
| | |
| ADVs B 3.7.11 O
| |
| BASES APPLICABLE In the accident analysis presented in Chapters 6 and 15, the SAFETY ANALYSES ADVs are not assumed to be used until the operator takes (continued) action to cool down the plant to SCS entry conditions for accidents accompanied by a loss of offsite power. Prior to the operator action, the main steam safety valves (MSSVs) are used to maintain the steam generators pressure and temperature at the MSSVs setpoint. This is typically 30 minutes following initiation of an event. (This may be less for a Steam Generator Tube Rupture (SGTR) event). The limiting events are those which render one steam generator unavailable for RCS heat removal, with a coincident loss of offsite power as a result of turbine trip and the single failure of one ADV on the unaffected steam generator.
| |
| Typical initiating events falling into this category are a main steam line break (MLSB) upstream of the main steam isolation valves, a feedwater line break (FWLB), and a SGTR event (although the ADVs on the affected steam generator may still be available following a SGTR event).
| |
| The design must accommodate the single failure of one ADV to open on demand; thus, each steam generator must have at least two ADVs. The ADVs are equipped with block valves in the event an ADV spuriously opens, or fails to close during h
| |
| use.
| |
| The ADVs satisfy Criterion 3 of the NRC Policy Statement.
| |
| LC0 [Two] ADV lines are required on each steam generator to ensure that at least one ADV is OPERABLE to conduct a plant cooldown following an event in which one steam generator becomes unavailable, accompanied by a single active failure of one ADV line on the unaffected steam generator. The block valves must be OPERABLE to isolate a failed open ADV.
| |
| A closed block valve does not render it or its ADV line inoperable if operator action time to open the block valve is supported in the accident analysis. ;
| |
| Failure to meet the LC0 can result in the inability to cool the plant to SCS entry conditions following an event in which the condenser is unavailable for use with the Steam Bypass System.
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-52 Rev. 00 16A Tech Spec Bases
| |
| | |
| ADVs B 3.7.11
| |
| ;U BASES-I LC0 An ADV is considered OPERABLE when it is capable of (continued) providing a controlled relief of the main steam flow and is capable of fully opening and closing on demand.
| |
| APPLICABILITY In MODES 1, 2, and 3 [and in MODE 4, when steam generator is ,
| |
| being relied upon for heat removal,] the ADVs are required to be OPERABLE.
| |
| In MODES 5 and 6 the steam generator is not relied upon for heat removal.
| |
| ACTIONS M ;
| |
| i With one required ADV line inoperable, action must be taken to restore the OPERABLE status within 7 days. The 7 day Completion Time takes into account the redundant capability afforded by the remaining OPERABLE ADV lines and a non-
| |
| .1 safety grade backup in the Steam Bypass System and MSSV.
| |
| Required Action A.1 is modified by a Note indicating that LCO 3.0.4 does not apply. ;
| |
| I M
| |
| With [two or more required] ADV lines inoperable, action must be taken to restore at least [one] ADV line to OPERABLE status. As the block valve can be closed to isolate an ADV, .
| |
| some repairs may be possible with the plant at power. The i 24 hour Completion Time is reasonable to repair inoperable ADV lines, based on the availability of the MSSVs and the Steam Bypass System, and the low probability of an event occurring during this period that requires the ADV lines.
| |
| C.1. C.2. and C.3 If the ADV lines cannot be restored to OPERABLE status in the associated Completion Time, the plant must be placed in a MODE in which the LC0 does not apply. This is done by placing the plant in at least MODE 3 in 6 hours; MODE 4 in O
| |
| V (continued)
| |
| SYSTEM 80+ B 3.7-53 Rev. 00 16A Tech Spec Bases
| |
| | |
| ADVs B 3.7.11 O
| |
| BASES ACTIONS C.1. C.2. and C.3 (continued)
| |
| [12] hours; and MODE 5 in [24] hours. The allowed Completion Times are reasonable based on operating experience to reach the required MODES from full power operation without challenging plant systems.
| |
| SURVEILLANCE SR 3.7.11.1 REQUIREMENTS To perform a controlled cooldown of the RCS, the ADVs must be able to be opened and throttled through their full range.
| |
| This SR ensures the ADVs are tested through a full control cycle at least once per fuel cycle. Performance of inservice testing, or use of an ADV during a plant cooldown may satisfy this requirement. This Surveillance Frequency is based on the length of a fuel cycle and has been shown to be adequate through operating experience.
| |
| SR 3.7.11.2 The function of the block valve is to isolate a failed open ADV. Cycling the block valve closed and open demonstrates its capability to perform this function. Performance of inservice testing, or use of the block valve during plant cooldown may satisfy this requirement. The Surveillance interval of 18 months is based on engineering judgment, and has been shown to be acceptable through operating experience.
| |
| REFERENCES 1. Chapter 10.
| |
| O SYSTEM 80+ B 3.7-54 Rev. 00 16A Tech Spec Bases
| |
| | |
| I CCVS B 3.7.12
| |
| /G V
| |
| i B 3.7 ' PLANT SYSTEMS B 3.7.12 Control Complex Ventilation System (CCVS)
| |
| BASES BACKGROUND The CCVS is designed to maintain the environment in the e control room envelope and balance of control building within acceptable limits for the operation of unit controls, for maintenance and testing of the controls as required, and for uninterrupted safe occupancy of the control building area ,
| |
| during post-accident shutdown. These systems are designed in accordance with the requirements of General Design Criteria 2, 4, 5, 19, and 60.
| |
| The Main Control Room (MCR) air-handling system is divisionally separated and consists of two redundant air-handling units, each with filters, safety related chilled water cooling coils for heat removal, and fans for air circulation. The emergency circulation system consists of filter trains with particulate filters, carbon filters, and fans for emergency air circulation. Each of the filter o trains consists of prefilter, electric heater, absolute Q (HEPA) filter, carbon adsorber and post filter (HEPA) along with ducts and valves and related instrumentation. Chilled water is supplied from the Essential Chilled Water System.
| |
| During normal operation, return air from the control room is mixed with a small quantity of outside air for ventilation, is filtered and conditioned in the control room air- !
| |
| conditioning unit, and is delivered to the control room through supply ductwork. Duct-mounted heating coils and humidification equipment provide final adjustments to the I control room temperature and humidity for maintaining normal i 4
| |
| comfort conditions.
| |
| The designated MCR filtration units and ventilation fan start automatically on a Safety Injection Actuation Signal (SIAS) or high radiation signal. Control logic is provided to ensure that the more contaminated intake is isolated. i I
| |
| This control logic is operational for the entire 30 days of the accident. Upon failure of the designated filtration unit, the redundant filtration unit starts automatically.
| |
| The MCR filtration unit filters particulates and potential radioactive iodines from all the return air and delivers the filtered air to the inlet of the main air-handling unit. )
| |
| i 1
| |
| 0)
| |
| V (continued) ,
| |
| SYSTEM 80+ B 3.7-55 Rev. 00 16A Tech Spec Bases ;
| |
| i
| |
| | |
| CCVS B 3.7.12 O
| |
| BASES BACKGROUND The Technical Support Center (TSC) air-conditioning system (continued) consists of an air-handling unit, return air and smoke purge fans, and an emergency filter unit. lhe computer room air-conditioning system consists of two 100% air-conditioning units and associated fans. Both the Technical Support Center and computer room air-handling systems are non-safety and non-seismic.
| |
| The balance of CCVS consists of two redundant air-handling units, each with roughing filters, essential chilled water cooling coils and fans serving Division I electrical rooms, channel A and channel C. Two equal units are serving Division II channel B and D. Each division will function with one of the redundant air handling units delivering filtered, conditioned air to the various electrical equipment rooms, including essential battery rooms. Chilled water is supplied from the Essential Chilled Water System.
| |
| Each division also contains redundant battery rooms with fans operating continuously to maintain the hydrogen concentration below two percent. Outlet ducts in battery i rooms are located near the ceiling for hydrogen control.
| |
| The safe shutdown area is served by Division II. hi Return air from the various essential electrical equipment areas is mixed with a portion of outside air for ventilation, is filtered and conditioned in the air-handling unit, and is delivered to the rooms through supply ductwork.
| |
| Duct-mounted heating coils provide final adjustments to temperature in selected equipment rooms.
| |
| The Operation Support Center (OSC), Personnel Decon Rooms, Break Room, Shift Assembly and Offices, and Radiation Access Control areas all are served by an individual air handling unit consisting of a centrifugal fan, non essential chilled water coil and roughing filter.
| |
| The MCR and TSC receive outside air from the cleanest of two sources.
| |
| A single division will pressurize the MCR to at least (0.125] inches water gauge, and provides an air recirculation rate in excess of [25%] per hour. The Control Complex Ventilation Systems operation in maintaining the MCR habitable is discussed in Chapter 6 (Ref.1).
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-56 Rev. 00 16A Tech Spec Bases
| |
| | |
| CCVS B 3.7.12 BASES I
| |
| BACKGROUND Redundant supply and recirculation divisions provide the (continued) required filtration should an excessive pressure drop i J
| |
| develop across the other filter division. Normally open isolation dampers are arranged in series pairs so that the failure of one damper to shut will not result in a breach of ;
| |
| isolation. Redundant detectors for radiation and toxic gas protection are provided. The Control Complex Ventilation j System is designed in accordance with Seismic Category I <
| |
| requirements.
| |
| The Control Complex Ventilation System is designed to maintain the MCR environment for 30 days continuous occupancy after a DBA without exceeding 5 rem whole body )
| |
| dose.
| |
| The air entering the MCR is continuously monitored by l radiation and toxic gas detectors. One detector above the l setpoint will cause actuation of the emergency radiation !
| |
| mode or toxic gas isolation mode as required.
| |
| O APPLICABLE The Control Complex Ventilation System components are )
| |
| SAFETY ANALYSES arranged in redundant safety-related ventilation divisions. t The location'of components and ducting within the control room envelope ensures an adequate supply of filtered air to all areas requiring access. During emergency operation the Control Complex Ventilation System maintains the MCR 1 temperature between 73 F and 78'F. The Control Complex Ventilation System provides airborne radiological protection for the control room operators as demonstrated by the !
| |
| control room accident dose analyses for the most limiting '
| |
| design basis Loss Of Coolant Accident fission product release presented in Chapter 15 (Ref. 2).
| |
| The analysis of toxic gas releases demonstrates that the toxicity limits are not exceeded in the control room following a toxic chemical release.
| |
| The worst case single active failure of a component of the ;
| |
| Control Complex Ventilation System, assuming a loss of -
| |
| offsite power, does not impair the ability of the system to perform its design function.
| |
| i I (continued)
| |
| SYSTEM 80+ B 3.7-57 Rev. 00 16A Tech Spec Bases 1
| |
| | |
| CCVS B 5.7.12 O
| |
| BASES APPLICABLE The Control Complex Ventilation System satisfies Criterion 3 SAFETY ANALYSES of the NRC Policy Statement.
| |
| (continued)
| |
| LC0 Two independent and redundant divisions of the Control Complex Ventilation System are required to be OPERABLE to ensure that at least one is available, assuming a single failure disables the other division. Total system failure could result in exceeding a dose of 5 rem to the control room operators in the event of a large radioactive release.
| |
| The Control Complex Ventilation System is considered OPERABLE when the individual components necessary to control operator exposure are OPERABLE in both divisions. A division is considered OPERABLE when:
| |
| : a. its associated fan is OPERABLE; and
| |
| : b. its associated HEPA filter and carbon adsorber are not excessively restricting flow and are capable of performing their filtration functions; and
| |
| : c. its associated heater, demister, ductwork, valves and dampers are OPERABLE and air circulation can be maintained.
| |
| In addition, the control room boundary must be maintained, including the integrity of the walls, floors, ceilings, ductwork, and access doors.
| |
| APPLICABILITY In MODES 1, 2, 3, and 4, the Control Complex Ventilation System must be OPERABLE to limit operator exposure during and following a DBA.
| |
| In MODES [5 and 6], the Control Complex Ventilation System is required to cope with the release from a rupture of an outside waste gas tank.
| |
| During movement of irradiated fuel, the Control Complex Ventilation System must be OPERABLE to cope with the release from a fuel handling accident.
| |
| (continued) 9 SYSTEM 80+ B 3.7-58 Pev. 00 16A Tech Spec Bases
| |
| | |
| 1 CCVS B 3.7.12 BASES (continued) i l
| |
| ACTIONS L.1 With one Control Complex Ventilation System division l inoperable, action must be taken to restore OPERABLE status j within seven days. In this condition, the remaining )
| |
| OPERABLE Control Complex Ventilation System division is adequate to perform the control room radiation protection function. However, the overall reliability is reduced because a single failure in the OPERABLE division could result in less Control Complex Ventilation System function. l The seven day Completion Time is based on the low !
| |
| probability of a DBA occurring during this time period, and i considering that the remaining division to provide the 1 required capabilities.
| |
| i i
| |
| B.1 and B.2 )
| |
| If the inoperable CCVS cannot be restored to OPERABLE status I' within the required Completion Time in MODE 1, 2, 3, or 4, 4
| |
| p the unit must be placed in a MODE that minimizes the (j accident risk. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the i required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
| |
| C.1. C.2.1. and C.2.2 l
| |
| Required Action C.1 is modified by a Note indicating to place the system in the toxic gas protection mode if the automatic transfer to toxic gas mode is inoperable.
| |
| In MODE 5 or 6, or during movement of irradiated fuel 4
| |
| assemblies, if Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE CCVS division must be immediately placed in the emergency mode of operation. This action ensures that the remaining division is OPERABLE, that no failures preventing automatic actuation will occur, and that any active failure will be readily detected. .
| |
| (m (continued) 1 SYSTEM 80+ B 3.7-59 Rev. 00 16A Tech Spec Bases 1
| |
| | |
| I I
| |
| l CCVS i B 3.7.12 O
| |
| BASES (continued)
| |
| ACTIONS C.l. C.2.1. and C.2.2 (continued)
| |
| An alternative to Required Action C.1 is to immediately suspend activities that could result in a release of radioactivity that might require isolation of the control room. This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel assemblies to a safe position.
| |
| Ibl If both CCVS divisions are inoperable in MODE 1, 2, 3, or 4, the CCVS may not be capable of performing the intended function and the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.
| |
| E.1 and E.2 When [in MODES 5 and 6, or] during movement of irradiated fuel assemblies with two CCVS divisions inoperable, action must be taken immediately to suspend activities that could result in a release of radioactivity that might enter the '
| |
| i control room. This places the unit in a condition that minimizes the accident risk. This does not preclude the !
| |
| movement of fuel to a safe position. i l
| |
| l SURVEILLANCE SR 3.7.12.1 REQUIREMENTS Standby systems should be checked periodically to ensure they function properly. Since the environment and normal operating conditions on this system are not severe, testing each division once every month provides an adequate check on this system.
| |
| SR 3.7.12.2 This SR verifies that the required CCVS testing is performed in accordance with Regulatory Guide 1.52 (Ref. 3).
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-60 Rev. 00 16A Tech Spec Bases
| |
| | |
| .CCVS B 3.7.12 q
| |
| U BASES (continued)
| |
| SURVEILLANCE SR 3.7.12.3 REQUIREMENTS (continued) This SR verifies each CCVS division starts and operates on an actual or simulated actuation signal. The Frequency of !
| |
| [18] months is consistent with that specified in Reference 3.
| |
| i SR 3.7.12.4 '
| |
| This SR verifies the integrity of the control room enclosure and the assumed inleakage rates of potentially contaminated air. The control room positive pressure, with respect to potentially contaminated adjacent areas, is periodically tested to verify proper function of the CCVS. The CCVS is designed to pressurize the control room a [0.125] inches water gauge positive pressure with respect to adjacent areas in order to prevent unfiltered inleakage. The CCVS is designed to maintain this positive pressure during the
| |
| [ pressurization] mode of operation at a rate of [5 2000]
| |
| p cfm. The Frequency of (18] months on a STAGGERED TEST BASIS is consistent with the guidance provided in NUREG-0800, Q Section 6.4 (Ref. 4).
| |
| REFERENCES 1. Chapter 6.
| |
| : 2. Chapter 15.
| |
| : 3. Regulatory Guide 1.52 (Rev. 02), " Design, Testing and Maintenance Criteria for Post Accident Engineered-Safety-Feature Atmospheric Cleanup System Air Filtration and Adsorption Units of Light-Water Cooled Nuclear Power Plants."
| |
| : 4. NUREG-0800, " Standard Review Plan," Section 6.4,
| |
| " Control Room Habitability System," Rev. 2, July 1981.
| |
| O U
| |
| SYSTEM 80+ B 3.7-61 Rev. 00 16A Tech Spec Bases
| |
| | |
| CRVS B 3.7.13 8 3.7 PLANT SYSTEMS B 3.7.13 Control Room Ventilation System (CRVS)
| |
| BASES BACKGROUND The CRVS provides temperature control for the Main Control Room (MCR) following isolation of the MCR.
| |
| The CRVS consists of two independent, redundant divisions which provide cooling and heating of recirculated MCR air.
| |
| Each division consists of a heating coils, cooling coils, instrumentation and controls to provide for MCR temperature control. The CRVS is a sub-system providing air temperature control for the " Control Complex Ventilation System," LC0 3.7.12.
| |
| The CRVS is a standby system, parts of which may also operate during normal plant operations. A single division will provide the required temperature control to maintain the MCR between 73"F and 78*F. The CRVS operation in maintaining the MCR temperature is discussed in Chapter 9 (Ref. 2).
| |
| The design basis of the CRVS is to maintain the MCR environment throughout 30 days continuous occupancy. The APPLICABLE SAFETY ANALYSES CRVS operation in maintaining the MCR temperature is discussed in Chapter 9 (Ref. 2).
| |
| The CRVS components are arranged in redundant safety related divisions. During emergency operation, the CRVS maintains the temperature between 73 F and 78 F. A single active failure of a component of the CRVS, assuming a loss of offsite power, does not impair the ability of th~e system to perform its design function. Redundant detectors and controls are provided for control room temperature control.
| |
| CRVS is designed in accordance with Seismic Category I requirements. CRVS is capable of removing sensible and latent heat loads from the control room which include consideration of equipment heat loads and personnel occupancy requirements to ensure equipment OPERABILITY.
| |
| The CRVS satisfies Criterion 3 of the NRC Policy Statement.
| |
| (continued)
| |
| O SYSTEM 80+ B 3.7-62 Rev. 00 16A Tech Spec Bases
| |
| | |
| CRVS !
| |
| f B 3.7.13 BASES (continued)
| |
| LCO Two independent and redundant divisions of the CRVS are required to be OPERABLE to ensure that at least one is available, assuming a single failure disabling the other division. Total system failure could result in exceeding.
| |
| equipment operating temperature limits.
| |
| The CRVS is considered OPERABLE when the individual components that are necessary to maintain the control room temperature are OPERABLE in both divisions. These components include the cooling coils, and associated temperature control instrumentation. In addition the CRVS must be OPERABLE to the extent that air circulation can be maintained.
| |
| APPLICACILITY In MODES 1, 2, 3, 4, [5, and 6] and during movement of irradiated fuel, the CRVS must be OPERABLE to ensure that the control room temperature will not exceed equipment OPERABILITY requirements following isolation of the control
| |
| , room.
| |
| ACTIONS L1 With one CRVS division inoperable, the inoperable CRVS division must be restored to OPERABLE status within 30 days.
| |
| In this condition, the remaining OPERABLE CRVS division is adequate to perform control room temperature control function. The 30 day Completion Time is reasonable based on the low probability of an event occurring requiring control room isolation, consideration that the remaining division can provide the required capabilities, and alternate safety 4 or non-safety related cooling means are available.
| |
| B.1 and B.2 In MODES 1, 2, 3 or 4, when Required Ac* ion A.1 cannot be completed within the required Completion Time, the plant must be placed in a MODE that minimizes the accident risk.
| |
| This is done by placing the plant in at least MODE 3 in 6 hours and in MODE 5 in 36 hours. The allowed Completion O (continued) ;
| |
| SYSTEM 80+ B 3.7-63 Rev. 00 16A Tech Spec Bases F
| |
| | |
| CRVS B 3 7 13 BASES ACTIONS 8.1 and B.2 (continued)
| |
| Times are reasonable based on operating experience, to reach the required plant conditions from full power conditions without challenging plant systems.
| |
| C.l. C.2.1. and C.2.2
| |
| [In MODES 5 and 6, or] during movement of irradiated fuel, when Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE CRVS division should be immediately placed in operation. This action ensures that the remaining division is OPERABLE, that no failures which would prevent automatic actuation will occur, and that any active failure will be readily detected.
| |
| An alternative to Required Action C.1 is to immediately suspend activities that present a potential for releasing radioactivity which might require isolation of the control room. This places the plant in a condition which minimizes the accident risk. This does not preclude the movement of fuel to a safe position.
| |
| D.d ,
| |
| I If both CRVS divisions are inoperable in MODE 1, 2, 3, or 4, I the CRVS may not be capable of performing the intended 1 function and the unit is in a condition outside the accident analysis. Therefore, LC0 3.0.3 must be entered immediately. j E.1 and E.2
| |
| [In MODE 5 or 6, or] during movement of irradiated fuel I assemblies, with two CRVS divisions inoperable, action must be taken immediately to suspend activities that could result in a release of radioactivity that might require isolation of the MCR. This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel to a safe position.
| |
| O (continued)
| |
| SYSTEM 80+ B 3.7-64 Rev. 00 16A Tech Spec Bases
| |
| | |
| t t
| |
| CRBS B 3.7.13 O
| |
| BASES (continued)
| |
| SURVEILLANCE SR 3.7.13.1 ;
| |
| REQUIREMENTS This SR verifies that the heat removal capability of the j system is sufficient to meet design requirements. This SR -
| |
| consists of a combination of testing and calculations. An !
| |
| [18] month Frequency is appropriate, since significant degradation of the CRVS is slow and is not expected over ;
| |
| this time period. ,
| |
| r P
| |
| ~ REFERENCES 1. Chapter 6.
| |
| : 2. Chapter 9. !
| |
| : 3. Regulatory Guide 1.52 (Rev. 2).
| |
| : 4. NURES-0800, " Standard Review Plan," Section 6.4,
| |
| " Control Room Habitability System," Rev. 2, July 1981.
| |
| (}
| |
| l I
| |
| p V
| |
| SYSTEM 80+- B 3.7-65~ Rev. 00 16A Tech Spec Bases
| |
| | |
| i SBVS B 3.7.14 B 3.7 PLANT SYSTEMS l B 3.7.14 Subsphere Building Ventilation System (SBVS) i BASES BACKGROUND The SBVS consists of a general supply and exhaust ventilation system that performs heat removal and air l exchange functions. The ventilation system is supplemented by individual cooling units and ventilation fans that serve !
| |
| essential mechanical equipment areas. The SBVS serves all areas of the subsphere. j The SBVSs are separated according to divisions, with each l 100% exhaust system containing a filter train consisting of l a moisture eliminator, prefilter, electric heater, absolute !
| |
| (HEPA) filter, carbon adsorber, post filter (HEPA), along with ducts and valves, related instrumentation and two 100%
| |
| capacity fans.
| |
| The SBVS is discussed in Chapters 9 and 15 (Refs. I and 2 respectively), as it is used for normal, as well as post l accident, atmospheric cleanup functions. The primary I purpose of the heaters is to maintain the relative humidity at an acceptable level consistent with iodine removal h
| |
| efficiencies, as discussed in the Regulatory Guide 1.52 i l
| |
| (Ref. 3). (Carbon adsorbers are not credited for iodine removal in SBVS.)
| |
| The design basis of the SBVS is established by the large !
| |
| APPLICABLE break LOCA. The system evaluation assumes a passive failure SAFETY ANALYSES of the SIS outside containment, such as safety injection ,
| |
| pump seal failure. In such a case, the system limits the radioactive release to within 10 CFR 100 limits (Ref. 4).
| |
| The analysis of the effects and consequences of a large break LOCA is presented in Reference 2.
| |
| The SBVS satisfies Criterion 3 of the NRC Policy Statement.
| |
| l 4
| |
| LC0 Two independent and redundant divisions of the Subsphere Building Ventilation System are required to ensure that at least one is available, assuming a single failure coincident ;
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-66 Rev. 00 16A Tech Spec Bases l l
| |
| | |
| I SBVS B 3.7.14 :
| |
| BASES LC0 with a loss of offsite power disabling the other train.
| |
| (continued) Total system failure could result in the atmospheric releases from the SIS Pump Room exceeding the 10 CFR 100 limits in the event of a DBA.
| |
| The Subsphere Building Ventilation System is considered OPERABLE when the individual components necessary to maintain the SIS Pump Room filtration are OPERABLE in both i divisions. A division is considered OPERABLE when:
| |
| : 1. its associated fan is OPERABLE; and 4
| |
| : 2. its associated HEPA filter is not excessively restricting flow and is capable of performing its filtration function; and
| |
| : 3. its associated heater, moisture eliminator, ductwork, .'
| |
| valves and dampers are OPERABLE and air circulation can be maintained.
| |
| )
| |
| ' I h
| |
| l
| |
| %.s In MODES 1, 2, 3, and 4 the Subsphere Building Ventilation l APPLICABILITY '
| |
| System is required to be OPERABLE consistent with the OPERABILITY requirements of the SIS.
| |
| In MODES 5 and 6, with reactor vessel level < (120'-0"), the Subsphere Building Ventilation System is required to be OPERABLE to support SI pump OPERABILITY requirements.
| |
| ACTIONS Ad With one Subsphere Building Ventilation System division inoperable, the inoperable Subsphere Building Ventilation System division must be restored to OPERABLE status within seven days. In this condition, the OPERABLE Subsphere Building Ventilation System divisions are adequate to perform the SIS Pump Room air filtration.
| |
| The 7 day Completion Time is appropriate because the risk !
| |
| contribution of the system is less than that for the SIS and !
| |
| this system is not a direct support system for the SIS. The j
| |
| -d (continued)
| |
| SYSTEM 80+ B 3.7-67 Rev. 00 16A Tech Spec Bases j
| |
| | |
| SBVS l B 3.7.14 !
| |
| O\
| |
| BASES l
| |
| l ACTIONS A d (continued) 7 day Completion Time is reasonable, based on the low probability of a DBA occurring during this time period, and ;
| |
| the consideration that the remaining division can provide I the required capability.
| |
| B.1. B.2. and B.3 The plant must be placed in a MODE in which the requirement does not apply if the Subsphere Building Ventilation System cannot be restored to OPERABLE status in the associated Completion Time. This is done by placing the plant in at least MODE 3 in 6 hours and in MODE 5 in 36 hours and reducing RCS temperature below 135 F with RCS level > [120'-
| |
| 0") within [42] hours. The allowed Completion Times are reasonable based on operating experience to reach the required MODES from full power operation without challenging plant systems.
| |
| O SURVEILLANCE SR 3.7.14.1 REQUIREMENTS Systems should be checked periodically to ensure they start and function properly. As the environment and normal operating conditions on this system are not severe, testing each division once every month provides an adequate check on this system. Monthly heater operations dry out any moisture that may have accumulated in the charcoal from humidity in the ambient air. [ Systems with heaters must be operated for 2 10 continuous hours with the heaters energized. Systems without heaters need only be operated for 2 15 minutes to demonstrate the function of the system.] Normal operation of the system during required MODES satisfies this SR. The 31 day Frequency is based on the known reliability of equipment and the two division redundancy available.
| |
| SR 3.7.14.2 This SR verifies that the required SBVS testing is performed in accordance with the [ Ventilation Filter Testing Program (VFTP)]. The SBVS filter tests are in accordance with (continued)
| |
| SYSTEM 80+ B 3.7-6B Rev. 00 16A Tech Spec Bases
| |
| | |
| SBVS B 3.7.14 I d
| |
| BASES SURVEILLANCE SR 3.7.14.2 (continued)
| |
| REQUIREMENTS Regulatory Guide 1.52 (Ref. 3). The [VFTP] includes testing ,
| |
| l HEPA filter performance and the minimum system flow rate.
| |
| Specific test frequencies and additional information are .
| |
| discussed in detail in the [VFTP).
| |
| SR 3.7.14.3 This SR verifies that on an actual or simulated actuation signal each Subsphere Building Ventilation System division ;
| |
| starts and operates. The Frequency of (18] months is consistent with that specified in RG 1.52.
| |
| SR 3.7.14.4 This SR verifies the integrity of the SIS Pump Room enclosure. The ability of the SIS Pump Room to maintain a negative pressure with respect to potentially uncontaminated 5O adjacent areas is periodically tested to verify proper function of the Subsphere Building Ventilation System.
| |
| During the emergency mode of operation, the Subsphere '
| |
| Building Ventilation System is designed to maintain a slight negative pressure in the SIS Pump Room with respect to adjacent areas to prevent unfiltered leakage. The Subsphere Building Ventilation System is designed to maintain this negative pressure at a flow rate of s [13,200] cfm from the subsphere. The Frequency of (18] months is consistent with j the guidance provided in NUREG 0800, Section 6.5.1 (Ref. 5). j The filters have a certain pressure drop at the design flow rate when clean. The magnitude of the pressure drop indicates acceptable performance and is based on manufacturer's recommendations for the filter and adsorber elements at the design flow rate. An increase in pressure drop and/or decrease in flow indicate that the filter is being loaded or are indicative of other problems with the system.
| |
| This test is conducted with the tests for filter penetration thus an [18] month Frequency on a STAGGERED TEST BASIS is consistent with other filtration SRs.
| |
| O V
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-69 Rev. 00 16A Tech Spec Bases- ,
| |
| | |
| SBVS B 3.7.14 O
| |
| BASES (continued)
| |
| REFERENCES 1. Chapter 9.
| |
| : 2. Chapter 15.
| |
| : 3. Regulatory Guide 1.52 (Rev. 02), " Design, Testing and Maintenance Criteria for Post Accident Engineered-Safety-Feature Atr% spheric Cleanup System Air Filtration and Aesorption Units of Light-Water Cooled Nuclear Power Plants."
| |
| : 4. 10 CFR 100, Reactor Site Criteria.
| |
| : 5. NUREG-0800, " Standard Review Plan", Section 6.5.1, Rev. 2, "ESF Atmosphere Cleanup Systems", Rev. 2, July 1981.
| |
| 9 i
| |
| l 1
| |
| I O'
| |
| SYSTEM 80+ B 3.7-70 Rev. 00 i 16A Tech Spec Bases !
| |
| l
| |
| | |
| FBVES B 3.7.15
| |
| ?
| |
| O' xs B 3.7 PLANT SYSTEMS B 3.7.15 Fuel Building Ventilation Exhaust System (FBVES) -
| |
| BASES ,
| |
| BACKGROUND The FBVES filters airborne radioactive particulates from the ;
| |
| area of the fuel pool following a fuel handling acciden+. l The FBVES, in conjunction with other, normally operating systems also provides environmental control of temperature and humidity in the fuel pool area.
| |
| The Fuel Building Ventilation Exhaust System consists of two
| |
| ' independent, redundant divisions. Each of the divisions ,
| |
| consists of a moisture eliminator, prefilter, electric heater, absolute filter, and post filter. It is equipped .
| |
| .with a bypass section. The normal mode of operation for the '
| |
| filter trains is in the bypass position. Radiation detection is provided in the duct system header, upstream of the filter train inlet to monitor radioactivity. Upon indication of high radioactivity in the exhaust duct system, ;
| |
| the bypass dampers will automatically close and the filter f-~g train inlet dampers will automatically open to direct air i
| |
| ( j flow through the filter trains. Air from the fuel Building i Exhaust System is directed to the unit vent, where it is monitored before release to the atmosphere.
| |
| i The exhaust air system is manually set to the filtered mode during all fuel handling operations.
| |
| -The FBVES is discussed in Chapter 9 (Ref. 1). It may be used for normal, as well as post-accident atmospheric cleanup functions.
| |
| APPLICABLE The FBVES is designed-to mitigate the consequences of a fuel SAFETY ANALYSES handling accident in which [all] rods in the fuel assembly are assumed to be damaged. The analysis of the fuel '
| |
| handling accident is given in Reference 2. The Design Basis Accident analysis of the fuel handling accident assumes that only one division of the FBVES functional, due to a single failure that disables the other division. The accident analysis accounts for the reduction in airborne radioactive material provided by the remaining one division of this filtration system. The amount of fission products available
| |
| {'
| |
| 's- (continued)
| |
| SYSTEM 80+ B 3.7-71 Rev. 00 16A Tech Spec Bases
| |
| | |
| FBVES B 3.7.15 BASES 0
| |
| APPLICABLE for release from the fuel handling building is determined SAFETY ANALYSES for a fuel handling accident. These assumptions and the (continued) analysis follow the guidance provided in Regulatory Guide 1.25 (Ref. 4).
| |
| The FBVES satisfies Criterion 3 of the NRC Policy Statement.
| |
| LC0 Two independent and redundant divisions of the FBVES are required to be OPERABLE to ensure that at least one is available, assuming a single failure of the other division coincident with loss of offsite power. Total system failure could result in the atmospheric release from the fuel building exceeding the 10 CFR 100 limits in the event of a fuel handling accident.
| |
| The FBVES is considered OPERABLE when the individual components necessary to control operator exposure are OPERABLE in both divisions. A division is considered OPERABLE when:
| |
| : 1. its associated fan is OPERABLE; O
| |
| : 2. its associated HEPA filter is not excessively restricting flow and is capable of performing the 1 filtration functions; and 1
| |
| : 3. its associated heater, moisture eliminator, ductwork, !
| |
| valves and campers are OPERABLE and air circulation can be maintained.
| |
| APPLICABILITY During movement of irradiated fuel in the fuel building, the FBVES is required to be OPERABLE to alleviate the consequences of a fuel handling accident. l ACTIONS A_d If one FBVES division is inoperable, action must be taken to restore OPERABLE status within seven days. During this time !
| |
| period, the remaining OPERABLE division is adequate to (continued)
| |
| SYSTEM 80+ B 3.7-72 Rev. Ob 16A Tech Spec Bases
| |
| | |
| FBVES B 3.7.15 L]
| |
| BASES ACTIONS Ad (continued) perform the FBVES function. The seven day Completion Time l is reasonable, based on the risk from an event occurring requiring the inoperable FBVES division, and ability of the remaining FBVES division to provide the required protection.
| |
| B.1 and B.2 When Required Action A.1 cannot be completed within the ,
| |
| l required Completion Time during movement of irradiated fuel in the fuel building, the OPERABLE FBVES division must be i started immediately or fuel movement suspended. This action ensures that the remaining division is OPERABLE and that no undetected failures preventing system operation will occur and that any active failures will be readily detected. If the system is not placed in operation, this action requires
| |
| - suspension of fuel movement which precludes a fuel handling accident. This does not preclude the movement of fuel to a safe position.
| |
| p)
| |
| 'w C1 When two divisions of the FBVES are inoperable during movement of irradiated fuel assemblies in the fuel building, action should be taken to place the unit in a condition in which the LC0 does not apply. This LC0 involves immediately suspending movement of irradiated fuel assemblies in the fuel building. This does not preclude the movement of fuel to a safe position.
| |
| SURVEILLANCE SR 3.7.15.1 REQUIREMENTS The standby FBVES division should be checked periodically to ensure it functions properly. As the 6nvironment and normal operating conditions on this system are not severe, testing each division once every month provides an adequate check on this system. Monthly heater operation drys out any moisture accumulated in the carbon from humidity in the ambient air.
| |
| The 31 day Frequency is based on the known reliability of the equipment and the two division redundancy available.
| |
| V (continued)
| |
| SYSTEM 80+ B 3.7-73 Rev. 00 16A Tech Spec Bases
| |
| | |
| FBVES B 3.7.15 O
| |
| BASES SURVEILLANCE SR 3.7.15.2 REQUIREMENTS (continued) This SR verifies the performance of FBVES filter testing in accordance with the [ Ventilation Filter Testing Program (VFTP)]. The FBVES filter tests are in accordance with the Regulatory Guide 1.52 (Ref. 3). The [VFTP] includes testing HEPA filter performance and minimum systen flow rate.
| |
| Specific test frequencies and additional information are discussed in detail in the [VFTP].
| |
| SR 3.7.15.3 This SR verifies that on an actual or simulated actuation signal each FBVES division starts and operates. The Frequency of 18 months is specified in RG 1.52 (Ref. 3).
| |
| SR 3.7.15.4 This SR verifies the integrity of the fuel building enclosure. The ability of the fuel building to maintain a h
| |
| negative pressure with respect to potentially uncontaminated adjacent areas is periodically tested to verify proper function of the FBVES. During the post accident mode of operation, the FBVES is designed to maintain a slight negative pressure in the fuel building, with respect to adjacent areas to prevent unfiltered leakage. The FBVES is designed to maintain this negative pressure at a flow rate of [25,000] cfm from the fuel building. The Frequency of 18 months is consistent with the guidance provided in NUREG-0800, (Ref. 6).
| |
| This test is conducted with the tests for filter penetration; thus, an [18] month Frequency as a STAGGERED TEST BASIS is consistent with the other filtration SRs.
| |
| ER 3.7.15.5 Operating the FBVES filter bypass damper is necessary to ensure the system functions properly. The OPERABILITY of the filter bypass damper is verified if it can be closed. A Frequency of [18] months is specified in RG 1.52 (Ref. 3).
| |
| (continued) 9 SYSTEM 80+ B 3.7-74 Rev. 00 16A Tech Spec Bases
| |
| | |
| FBVES B 3.7.15 CASES (continued)
| |
| REFERENCES 1. Chapter 9.
| |
| : 2. Chapter 15.
| |
| : 3. Regulatory Guide 1.52 (Rev. 02), " Design, Testing and Maintenance Criteria for Post Accident Engineered-Safety-Feature Atmospheric Cleanup System Air Filtration and Adsorption Units of Light-Water Cooled Nuclear Power Plants."
| |
| : 4. Regulatory Guide 1.25, " Assumptions Used for Evaluating the Potential Radiological Consequences of a Fuel Handling Accident in the Fuel Handling and Storage Facility for Boiling and Pressurized Water Reactors".
| |
| : 5. 10 CFR 100 - Reactor Site Criteria.
| |
| : 6. NUREG-0800, " Standard Review Plan", Section 6.5.1, Rev. 2, "ESF Atmosphere Cleanup Systems", July 1981.
| |
| O SYSTEM 80+ B 3.7-75 Rev. 00 16A Tech Spec Bases
| |
| | |
| DBVS B 3.7.16 B 3.7 PLANT SYSTEMS B 3.7.16 Diesel Building Ventilation System (DBVS)
| |
| BASES BACKGROUND Each DBVS is designed to maintain the diesel building temperature between 40 F minimum and 120*F maximum when the diesel is not operating, and between 40*F minimum and 122 F maximum when the diesel is operating.
| |
| Each DBVS consists of supply air intakes, normal ventilation !
| |
| fan and emergency exhaust fans with associated dampers, and I controls for the diesel room. Heat energy from the diesel engine and other sources is absorbed by the ventilation supply air and discharged to the building exterior by the exhaust fans.
| |
| Emergency Diesel Building Ventilation System is powered from the associated Class 1E power source; Normal Diesel Building Ventilation System is non-safety class.
| |
| Two 50% capacity exhaust fans, each equipped with a two speed motor, create negative pressure inside the diesel generator room, which causes outside air to be pulled in to the diesel generator room throughout the common outside air louvers.
| |
| The DBVS fans are automatically activated in response to building temperature. These automatic controls sequence the fans to meet required cooling demands.
| |
| When the diesel generator is shut down, the ventilation system can be manually activated if necessary to provide cooling for maintenance or testing access. A low room temperature setpoint will shut down all fans in order to limit the minimum room temperature to 40 F and prevent freezing. Unit heaters will be installed to hold the room temperature above 40 F.
| |
| A missile barrier is provided over each air intake and exhaust louver to prevent the penetration of a missile into either diesel generator building. Intake and exhaust ducts are protected by appropriate security barriers.
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-76 Rev. 00 16A Tech Spec Bases
| |
| | |
| l l
| |
| DBVS B 3.7.16 q
| |
| V BASES BACKGROUND Unit heaters are cycled as necessary to maintain a minimum (continued) temperature of 40*F for freeze prevention. Heat losses from equipment are conservatively estimated based on calculations and operating experience.
| |
| A single failure will not prevent the diesel generator building ventilation system from performing the intended heat removal function. Emergency ventilation system is
| |
| . cowered by a Class IE electrical system capable of being fed from the associated diesel generator.
| |
| Essential components of the DBVS are designed to Seismic Category I requirements and will remain functional following a safe shutdown earthquake.
| |
| Each penetration into the building is provided with protection from external missiles. No high or moderate '
| |
| energy piping is located in the vicinity of the ventilation equipment or controls.
| |
| i O APPLICABLE The Diesel Generator Building Ventilation System is a SAFETY ANALYSES support system required for operation of diesel generators.
| |
| Hence the Design Bases Accidents which credit the operation of diesel generators (see Tech Spec Section 3.8) are also applicable to the Diesel Generator Building Ventilation System.
| |
| The Diesel Building Ventilation System satisfies Criterion 3 of the NRC Policy Statement.
| |
| LC0 The LC0 requires that each Diesel Generator Building Ventilation System is operable to ensure that the diesel ,
| |
| generators can perform their safety hmetions when required.
| |
| For the Diesel Generator Building Ventjlation System to be considered operable, the diesel generator building ,
| |
| temperature must be within design limits when thn diesel generator is running. ,
| |
| n (continued)
| |
| SYSTEM 80+ B 3.7-77 Rev. 00 16A Tech Spec Bases
| |
| | |
| l DBVS B 3.7.16 O
| |
| BASES (continued)
| |
| APPLICABILITY Since both diesel generators are required to be operable in MODES 1, 2, 3 and 4, the ventilation system for each diesel generator building must also be operable in MODES 1, 2, 3 and 4. This same requirement for MODES 5 and 6 applies when the diesel generators are required to be OPERABLE.
| |
| ACTIONS M With the ventilation system inoperable, a time limit of [72 hours) is provided to return the ventilation system to operable status. The [72 hours] time limit is consistent with the time allowed to return an inoperable diesel generator to operable status.
| |
| U '
| |
| i Since the ventilation system supports the operation of each diesel generator, the diesel generator must be declared inoperable if the ventilation system is declared inoperable. g, l B.1 and 8.2 The plant must be placed in a MODE in which the LC0 does not apply if the Diesel Generator Building Ventilation System cannot be returned to operable status within the associated Completion Time. This is done by placing the plant in MODE 3 within 6 hours and in MODE 5 within 36 hours. The allowed !
| |
| Completion Times are based on operating experience, to reach the required plant conditions from full power without challenging plant systems.
| |
| SURVEILLANCE SR 3.7.16.1 REQUIREMENTS Verification that the diesel building temperature is within the limits ensures that the building ventilation system is ,
| |
| functioning properly and that the diesel generators can perform their safety functions when required. A [12 hour]
| |
| Frequency ensures that potential problems will be quickly identified.
| |
| (continued)
| |
| SYSTEM 80+ B 3.7-78 Rev. 00 16A Tech Spec Bases
| |
| | |
| r_ . . . - . . _ _ ._ . .. . . . . _ _ _ _ . .. . . _ . _ . . - . _ - _ - _ __ _ ._ _ _ ._ _
| |
| P DBVS i B 3.7.16 O !
| |
| BASES. ,
| |
| SURVEILLANCE- SR 3.7.16.2 :
| |
| REQUIREMENTS .
| |
| (continued) Periodically, the exhaust fans and their controls must be tested to verify proper performance. _ A Frequency of 18 1' months is judged to be adequate and is consistent with the major surveillance testing performed on the diesel generators.
| |
| . REFERENCES 1. Chapter 9.
| |
| -l O
| |
| SYSTEM 80+ B 3.7-79 Rev. 00 16A Tech Spec Bases
| |
| | |
| ECWS B 3.7 PLANT SYSTEMS B 3.7.17 Essential Chilled Water System (ECWS)
| |
| BASES i
| |
| BACKGROUND The ECWS provides a heat sink for the removal of process and operating heat from selected safety related air handling systems during a Design Basis Accident (DBA) or transient.
| |
| The ECWS is a closed loop system consisting of two independent divisions. Each 100% capacity division includes a chiller, heat exchanger, expansion tank, two pumps, chemical addition tank, piping, valves, controls, and instrumentation. An independent, 100% capacity chiller cools each division. The essential chiller is actuated on i high ECWS temperature and supplies chilled water to l essential HVAC units during a design basis event.
| |
| During normal operation, the Normal Chilled Water System (NCWS) performs the cooling function of the ECWS through the ECWS heat exchanger with one of the ECWS pumps recirculating chilled water through the system. The NCWS is a non-safety related system. Additional information about the design and '
| |
| operation of the system, can be found in Chapter 9 (Ref.1).
| |
| APPLICABLE The design basis of the ECWS is to remove the post-accident SAFETY ANALYSES heat load from ESF spaces following a design basis accident with a loss of offsite power. Each division provides ;
| |
| chilled wat::r to the HVAC units at the design temperature of 45 F.
| |
| The maximum heat load in the ESF pump room area occurs following a loss of coolant accident (LOCA). Hot fluid from l the IRWST is supplied to the Safety Injection (SI) and !
| |
| Containment Spray (CS) Pumps. This heat load to the area i atmosphere must be removed by the ECW System to ensure these l' systems remain OPERABLE. During a normal cooldown, the Shutdown Cooling System (SCS) piping also provides a heat load in areas served the by ECWS.
| |
| The ECWS satisfies Criterion 3 of the NRC Policy Statement.
| |
| ]
| |
| O1 (continued) i SYSTEM 80+ B 3.7-80 Rev. 00 16A Tech Spec Bases
| |
| | |
| i ECWS B 3.7.17 BASES (continued) l LCO [Two] ECWS divisions are required to be OPERABLE to provide ,
| |
| the required redundancy to ensure that the system functions j to remove post-accident heat loads, assuming the worst single failure.
| |
| 1 A division is considered OPERABLE when:
| |
| : 1. It has an OPERABLE pump and associated expansion tank; i
| |
| and
| |
| : 2. the associated piping, valves, chiller, and instrumentation on the safety related flowpath are OPERABLE.
| |
| The isolation of ECWS to other components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the ECWS.
| |
| APPLICABILITY In MODES 1, 2, 3, and 4 the ECWS is required to be OPERABLE i when a LOCA or other accidents would require ESF operation.
| |
| V("T 1 In MODES 5 and 6, potential heat loads are smaller and the probability of accidents requiring the ECWS is low. i ACTIONS L.1 If one ECWS division is inoperable, action must be taken to restore OPERABLE status within 7 days. In this condition, one OPERABLE ECW division is adequate to perform the cooling function. The 7 day Completion Time is reasonable, based on the low probability of an event occurring during this time, the high reliability of offsite power, and the availability of the NCWS.
| |
| B.1 and B.2 If the ECWS division cannot be restored to OPERABLE status ;
| |
| within the associated Completion Time, or two ECWS divisions i are inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit i
| |
| O (continued)
| |
| I' SYSTEM 80+ B 3.7-81 Rev. 00 16A Tech Spec Bases i
| |
| | |
| ECWS B 3.7.17 O
| |
| BASES ACTIONS B.1 and 8.2 (continued) must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner without challenging unit systems.
| |
| SURVEILLANCE SR 3.7.17.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves in the ECWS flowpath provides assurance that the proper flowpaths exist for ECWS operation. This SR i does not apply to valves which are locked, sealed, or otherwise secured in position, since they were verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves which cannot be inadvertently misaligned, such as check valves.
| |
| This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position.
| |
| The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.
| |
| SR 3.7.17J This SR demonstrates proper automatic operation of the ECWS.
| |
| The (18] month Frequency is basod on the need to perform this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.
| |
| The (18] month Frequency is based on operating experience and design reliability of tha enuipment.
| |
| REFERENCES 1. Chapter 9.
| |
| O SYSTEM 80+ B 3.7-82 Rev. 00 16A Tech Spec Bases
| |
| | |
| 1 1
| |
| MAIN STEAM LINE LEAKAGE I
| |
| .B 3.7.18 i
| |
| B 3.7 PLANT SYSTEMS f
| |
| B 3.7.18 MAIN STEAM LINE LEAKAGE ,
| |
| !~
| |
| i
| |
| ; . BASES 1
| |
| !. BACKGROUND' A limit on leakage from the main steam lines inside containment is required to limit system operation in.the presence of excessive leakage. Leakage is limited to an amount which would not compromise safety consistent with the
| |
| ; Leak-Before-Break (LBB) analysis discussed in Chapter 3 (Reference 1). This leakage limit ensures appropriate action can be taken before the integrity of the main steam lines is impaired.
| |
| 3 LBB is an argument which allows elimination of design for dynamic load effects of postulated pipe breaks. The fundamental premise of LBB is that the materials used in nuclear plant piping are strong enough that even a large throughwall crack leaking well in excess 'of rates detectable
| |
| : by present leak detection systems would remain stable, and i would not result in a double-ended guillotine break under i maximum loading conditions. The benefit of LBB is the l
| |
| Lp _
| |
| tQ elimination of pipe whip restraints, jet impingement l effects, subcompartment pressurization, and internal system blowdown loads.
| |
| As described in Chapter 3 (Reference 1), LBB has been !
| |
| applied to the four main steam line pipe runs inside containment. Hence, the potential safety significance of main steam line leaks inside containment requires detection 1 and monitoring of any leakage inside containment. This LC0 i protects the main steam lines inside containment against ;
| |
| e degradation, and helps assure that serious leaks or Main -l Steam Line Breaks (MSLBs) will not develop. The 1 l
| |
| consequences of violating this LC0 include the possibility I of further degradation of the main steam lines, which may lead to an MSL2.
| |
| . APPLICABLE ~ The safety significance of plant leakage inside containment I SAFETY ANALYSES varies depending on its source, rate, and duration. l Therefore, detection and monitoring of plant leakage inside containment are necessary. This is accomplished via.the 4
| |
| instrumentation required by LC0 3.4.14, "RCS Leakage n
| |
| (continued)'
| |
| : SYSTEM 80+ B 3.7-83 Rev. 00
| |
| :16A Tech Spec. Bases i
| |
| | |
| 1 MAIN STEAM LINE LEAKAGE l B 3.7.18 O
| |
| BASES APPLICABLE Detection Instrumentation," and the RCS water inventory SAFETY ANALYSES balance (SR 3.4.12.1). Subtracting RCS leakage as well as (continued) any other identified non-RCS LEAKAGE into the containment area from the total plant leakage inside containment provides qualitative information to the operators regarding possible MAIN STEAM LINE LEAKAGE. This allows the operators to take corrective action should leakage occur which is detrimental to the safety of the facility and/or the public.
| |
| MAIN STEAM LINE LEAKAGE inside containment is an initial assumption in the LBB analysis described in Chapter 3 (Reference 1). As such, it satisfies the requirements of Criterion 2 of the NRC Policy Statement.
| |
| LCD MAIN STEAM LINE LEAKAGE is defined as leakage inside containment in any portion of the four (4) 28" I.D. main steam line pipe walls. Up to 10 gpm of MAIN STEAM LINE LEAKAGE is allowable because such leakage is within the capability of the makeup system, and is well below the leak rate calculated by the industry standard computer program PICEP (Pipe Crack Evaluation Program, Reference 2) for the LBB analyzed case of a main steam line crack twice as long as a crack leaking at ten (10) times the detectable leak rate under normal operating load conditions. Violation of this LC0 could result in continued degradation of the main steam lines.
| |
| APPLICABILITY Because of elevated main steam system temperatures and pressures, the potential for MAIN STEAM LINE LEAKAGE is greatest in MODES 1, 2, 3, and 4.
| |
| In MODES 5 and 6, a MAIN STEAM LINE LEAKAGE limit is not provided because the main steam t.ystem pressure is far lower, resulting in lower stresse and a reduced potential for leakage. In addition, the steam generators are not the primary method of RCS heat removal in MODES 5 and 6.
| |
| (continued)
| |
| O' SYSTEM 80+ B 3.7-84 Rev. 00 16A Tech Spec Bases ,
| |
| i
| |
| | |
| MAIN STEAM LINE LEAKAGE B 3.7.18 V
| |
| BASES (continued)
| |
| ACTIONS A.1 and A.2 With MAIN STEAM LINE LEAKAGE in excess of the LCO limit, the unit must be brought to lower pressure conditions to reduce the severity of the leakage and its potential consequences.
| |
| The reactor must be placed in MODE 3 within 6 hours and MODE 5 within 36 hours. This action reduces the main steam line pressure and leakage, and also reduces the factors which tend to degrade the main steam lines. The Completion Time of 6 hours to reach MODE 3 from full power without challenging plant systems is reasonable based on operating experience. Similarly, the Completion Time of 36 hours to reach MODE 5 without challenging plant systems is also reasonable based on operating experience. In MODE 5, the pressure stresses acting on the main steam lines are much lower, and further deterioration of the main steam lines is less likely.
| |
| -m SURVEILLANCE SR 3.7.18.1 C
| |
| REQUIREMENTS Verifying that MAIN STEAM LINE LEAKAGE is within the LCO limit assures the integrity of the main steam lines inside containment is maintained. An early warning of MAIN STEAM LINE LEAKAGE is provided by the automatic systems which monitor the containment sump and containment cooler condensate tank (see LCO 3.4.14). MAIN STEAM LINE LEAKAGE would appear as unidentified LEAKAGE inside containment via these systems, and can only be positively identified by inspection. However, by performance of an RCS water inventory balance (SR 3.4.12.1) and evaluation of the cooling and chilled water systems inside containment, determination of whether the main steam lines are potential sources of unidentified LEAKAGE inside containment is possible.
| |
| REFERENCES 1. Chapter 3.
| |
| : 2. PICEP, Pipe Crack Evaluation Program.
| |
| O SYSTEM 80+ B 3.7-85 Rev. 00 16A Tech Spec Bases
| |
| | |
| Fuel Storage Pool Boron Concentration ,
| |
| B 3.7 PLANT SYSTEMS B 3.7.19 Fuel Storage Pool Boron Concentration BASES BACKGROUND As described in LC0 3.7.20, " Spent Fuel Assembly Storage,"
| |
| fuel assemblies are stored in the spent fuel racks [in a
| |
| " checkerboard" pattern] in accordance with criteria based on
| |
| [ initial enrichment and discharge burnup]. Although the water in the spent fuel pool is normally borated to a [4000]
| |
| ppm, the criteria which limits the storage of a fuel assembly to specific rack locations is conservatively developed without taking credit for boron.
| |
| A fuel assembly could be inadvertently loaded into a spent APPLICABLE fuel rack location not allowed by LC0 3.7.20 (e.g., an SAFETY ANALYSES unirradiated fuel assembly or an insufficiently depleted fuel assembly). This accident is analyzed assuming the extreme case of completely loading the fuel pool racks with unirradiated assemblies of maximum enrichment. Another type of postulated accident is associated with a fuel assembly which is dropped onto the fully loaded fuel pool storage rack. Either incident could have a positive reactivity effect, decreasing the margin to criticality. However, the negative reactivity effect of the soluble boron compensates for the increased reactivity caused by either one of the two postulated accident scenarios.
| |
| The concentration of dissolved boron in the fuel pool satisfies Criterion 2 of the NRC Policy Statement.
| |
| LCO The specified concentration of dissolved boron in the fuel pool preserves the assumptions used in the analyses of the potential accident scenarios described above. This concentration of dissolved boron is the minimum required concentration for fuel assembly storage and movement within the fuel pool.
| |
| (continued) 9 SYS1EM 80+ B 3.7-86 Rev. 00 16A Tech Spec Bases
| |
| | |
| W Fuel Storage Pool Boron Concentration-B-3.7.19 l O- :
| |
| BASES (continued) 1 f
| |
| APPLICABILITY This LCO applies whenever fuel assemblies are stored in the ;
| |
| spent fuel pool until a complete spent fuel pool i verification has been performed following the last movement !
| |
| ; of fuel assemblies in the spent fuel pool. This LC0 does '
| |
| I not apply following the verification since the verification
| |
| ! would confirm that there are no misloaded fuel assemblies.
| |
| With no further fuel assembly movements in progress, there
| |
| ~
| |
| is no potential for a misloaded fuel assembly or a dropped fuel assembly. ,
| |
| ACTIONS- A.1. A.2.1. and A.2.2 )
| |
| The Required Actions are modified by a Note indicating that LC0 3.0.3_does not apply.
| |
| 4 When the concentration of boron in the spent fuel pool is i less than required, immediate action must be taken to preclude an accident from happening or to mitigate the J consequences of an accident in progress. This is most i efficiently achieved by immediately suspending the movement '
| |
| fuel of assemblies. This does not preclude the movement of fuel assemblies to a safe position. In addition, action
| |
| ' must be immediately initiated to restore boron concentration to within limit. Alternately, an immediate verification, by administrative means, of the fuel storage pool fuel locations, to ensure proper locations of the fuel since the last movement of fuel assemblies in the fuel storage pool, can be performed, j If moving irradiated fuel assemblies while in MODE 5 or 6, i LC0 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the i fuel movement is independent of reactor operation. !
| |
| Therefore, inability to suspend movement of fuel assemblies ,
| |
| is not sufficient reason to require a reactor shutdown. i 1
| |
| l l
| |
| l I
| |
| l l
| |
| O (continued) l SYSTEM 80+ B 3.7-87 Rev. 00 16A Tech Spec Bases:
| |
| l
| |
| . I
| |
| | |
| 1 l
| |
| Fuel Storage Pool Boron Concentration B 3.7.19 O
| |
| BASES (continued) l SURVEILLANCE SR 3.7.19.1 REQUIREMENTS This SR verifies that the concentration of boron in the spent fuel pool is within the required limit. As long as ,
| |
| this SR is met, the analyzed incidents are fully addressed. !
| |
| i The 7 day Frequency is appropriate because no major l replenishment of pool water is expected to take place over a short period of time. l l
| |
| REFERENCES None. J l
| |
| l i
| |
| l l
| |
| O SYSTEM 80+ B 3.7-88 Rev. 00 l 16A Tech Spec Bases
| |
| | |
| r Spent Fuel Assembly Storage B 3.7.20 B 3.7 PLANT SYSTEMS B 3.7.20 Spent Fuel Assembly Storage BASES I
| |
| BACKGROUND The spent fuel storage facility is designed to store either new (nonirradiated) nuclear fuel assemblies, or burned (irradiated) fuel assemblies in a vertical. configuration underwater. The storage pool is sized to store [907]
| |
| irradiated fuel assemblies, which includes storage for [5]
| |
| failed fuel assemblies. The spent fuel storage cells are installed in parallel rows with center to center spacing of
| |
| [9.780] inches in one direction, and [9.780] inches in the--
| |
| other orthogonal direction. This spacing and " flux trap" construction using non-poisoned "L" inserts is sufficient to maintain a k , of 5 0.95 for spent fuel of original enrichmentofupto[5%). However, as higher initial enrichment fuel assemblies are stored in the spent fuel pool, they must be stored in a checkerboard pattern taking into account fuel burn up to maintain a k,,, of 0.95 or less.
| |
| O APPLICABLE The spent fuel storage facility is designed for SAFETY ANALYSES noncriticality by use of adequate spacing, and " flux trap"
| |
| . construction.
| |
| The spent fuel assembly storage satisfies Criterion 2 of the NRC Policy Statement.
| |
| The restrictions on the placement of fuel assemblies within LC0 the spent fuel pool, according to [ Figure 3.7.20-1], in the accompanying LCO, ensures that the k ,, of the spent fuel pool will always remain < 0.95 assuming the pool to be flooded with unborated water. The restrictions are consistent with the criticality safety analysis performed for the spent fuel pool according to [ Figure 3.7.20-1), in the accompanying LCO. Fuel assemblies not meeting the criteria of [ Figure 3.7.20-1] shall be stored in accordance with Specification 4.3.1.1.
| |
| v)-
| |
| (continued)
| |
| SYSTEM'80+ B 3.7-89 Rev. 00
| |
| .16A Tech Spec Bases l
| |
| | |
| Spent Fuel Assembly Storage B 3.7.20 0
| |
| BASES (continued)
| |
| APPLICABILITY This LC0 applies whenever any fuel assembly is stored in
| |
| [ Region 2] of the spent fuel pool.
| |
| ACTIONS 6.,.1 Required Action A.1 is modified by a Note indicating that LC0 3.0.3 does not apply.
| |
| When the configuration of fuel assemblies stored in [ Region 2] of the spent fuel pool is not in accordance with Figure
| |
| [3.7.20-1], immediate action must be taken to make the necessary fuel as;embly movement (s) to bring the configuration into complience with Figure [3.7.20-1].
| |
| If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operation.
| |
| Therefore, in either case, inability to move fuel assemblies is not sufficient reason to require a reactor shutdown.
| |
| SURVEILLANCE SR 3.7.20.1 REQUIREMENTS This SR verifies by administrative means that the initial enrichment and burnup of the fuel assembly is in accordance with Figure [3.7.20-1] in the accompanying LCO. For fuel assemblies in the unacceptable range of [ Figure 3.7.20-1], i performance of this SR will ensure compliance with Specification 4.3.1.1. l REFERENCES None.
| |
| i i
| |
| l SYSTEM 80+ B 3.7-90 Rev. 00 16A Tech Spec Bases}}
| |