ML20056G088
| ML20056G088 | |
| Person / Time | |
|---|---|
| Site: | 05200001 |
| Issue date: | 08/30/1993 |
| From: | GENERAL ELECTRIC CO. |
| To: | |
| Shared Package | |
| ML20056G087 | List: |
| References | |
| NUDOCS 9309020033 | |
| Download: ML20056G088 (300) | |
Text
{{#Wiki_filter:1 l SSLC Sensor Instrumentation i 3.3.1.1 3.3 INSTRUMENTATION 3.3.1.1 Safety System Logic and Control (SSLC) Sensor Instrumentation LCO 3.3.1.1 The SSLC instrumentation for each Function in Table 3.3.1.1-1 shall be OPERABLE. APPLICABILITY: According to Table 3.3.1.1-1. ACTIONS NOTE Separate Condition entry is allowed for each channel. CONDITION REQUIRED ACTION COMPLETION TIME A. One or more Functions A.1 Place SENSOR CHANNEL in 6 hours with one required trip. SENSOR CHANNEL inoperable. DR A.2.1 NOTE Applies only to Functions 3 through 33. Place affected division 6 hours in division of sensors bypass 0B A.2.2 NOTE Applies only to Functions 1 & 2. Place channel in bypas; 6 hours et Neutron Monitoring System. BED (continued) ABWR TS 3.3-1 P&R 08/30/93 9309020033 930830 I PDR ADOCK 05200001 ., A PDR h3 - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ l
l SSLC Sensor Instrumentation 3.3.1.1 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME A. Continued A.2.3 Restore required 30 days channel to OPERABLE status. 08 A.2.4 NOTE
- 1. Remove division of sensors or NMS channel bypass after placing channel in trip.
- 2. Division of sensor bypass or NMS bypass is allowed for [6]
hours for restoring channel to OPERABLE status.
- 3. SENSOR CHANNEL (s) may be considered to remain in a tripped condition when a division containing tripped channel (s) is placed in division of sensors bypass due to subsequent entries into this condition.
Place channel in trip 30 days (continued) ABWR TS 3'.3-2 P&R 08/30/93
SSLC Sensor Instrumentation 3.3.1.1 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME B. One or more functions B.1 Place one channel in trip 3 hours. with two required SENSOR CHANNELS AND inoperable. B.2.1 NOTE Applies only to Functions 3 through 33. Place the other 6 Hours affected division in di.ision of sensons bypass. l OR B.2.2 NOTE Applies only to Functions 1 & 2. Place the other 6 hours affected channel in bypass. AND B.3 Restore at least one 30 days required channel to OPERABLE status. C. Dr.e ir more Functions NOTE with three required Applies only to Functions 1 SENSOR CHANNELS through 33. inoperable. C.1 Place one channel in Immediately trip. AND C.2 Restore at least one 6 hours required channel to OPERABLE status. (continued) ABWR TS 3.3-3 P&R 08/30/93
SSLC Sensor Instrumentation 3.3.1.1 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME
- 0. One or more Functions NOTE with four required Applies only to Functions 1 SENSOR CHANNELS through 33.
inoperable. D.1 Place one channel in Immediately trip. AND D.2 Restore at least one I hour required channel to OPERABLE status. E. Required Action and E.1 Enter the Condition Immediately associated Completion referenced in Time of Condition A, Table 3.3.1.1-1 for the B, C or D not met. Function. F. One or two required NOTE SENSOR CHANNELS Applies only to Functions 35 inoperable in one or through 38. more ADS divisions. F.1 Restore required Prior to channel (s) to OPERABLE entering MODE 2 status. following the next MODE 4 entry G. Three required SENSOR NOTE CHANNELS inoperable Applies only to Functions 35 in one or more ADS through 38. divisions. G.1 Restore three required 7 days. channel (s) to OPERABLE status in each division. H. Four required SENSOR NOTE CHANNELS inoperable Applies only to Functions 35 in one or more ADS through 38. divisions. H.1 Restore two required 24 hours. channel (s) to OPERABLE status. (continued) ABWR TS 3.3-4 P&R 08/30/93
SSLC Sensor Instrumentation 3.3.1.1 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME I. ADS initiation NOTE capability not Applies only to Functions 35 maintained in one or through 38. more ADS divisions. I.1 Declare affected ADS 1 hour. OR division inoperable. Required Actions and Completion Times of Condition F, G, or H not met. J. As required by J.1 Reduce THERMAL POWER to 4 hours l Required Action E.1 below the level listed in and referenced in Table 3.3.1.1-1 for the Table 3.3.1.1-1. Function. K. As required by K.1 Be in MODE 2. 6 hours Required Action E.1 and referenced in Table 3.3.1.1-1. L. As required by L.1 Be in MODE 3. 12 hours Required Action E.1 and referenced in Table 3.3.1.1-1. M. As required by M.1 Initiate action to insert Immediately Required Action E.1 all insertable control and referenced in rods in core cells Table 3.3.1.1-1. containing one or more fuel assemblies. N. As required by N.1 Initiate action to place Immediately Required Action E.1 the reactor power / flow and referenced in relationship outside of Table 3.3.1.1-1. the region of applicability shown in Figure 3.3.1.1-1. (continued) ABWR TS 3.3-5 P&R 08/30/93 ________________ --- l
SSLC Sensor Instrumentation 3.3.1.1 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME
- 0. As required by 0.1 Isolate the affected I hour Required Action E.1 penetration flow path (s).
and referenced in Table 3.3.1.1-1. P. As required ty P.1 Isolate the affected Immediately Required Action E.1 penetration flow path (s). and referenced in Table 3.3.1.1-1. OR l P.2.1 Suspend CORE Immediately ALTERATIONS. 61@ P.2.2 -NOTE Applies only to function 24. Suspend movement of Immediately irradiated fuel assemblies in the containment. AND P.E.3 Initiate action to Immediately suspend operations with a potential for draining the reactor vessel. Q. As required by NOTE Required Action E.1 Only applicable if RCIC and referenced in and/or HPCF pump suction is Table 3.3.1.1-1. not aligned to the suppression pool. Q.1 Align RCIC and HPCF 1 hour from suction to the discovery of suppression pool. loss of transfer capability. (continued) ABWR TS 3.3-6 P&R 08/30/93 i
SSLC Sensor Instrumentation 3.3.1.1 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME R. As required by R.1 Declare supported I hour Required Action E.1 feature (s) inoperable. and referenced in Table 3.3.1.1-1. S. Required Action and S.1 Declare supported immediately, associated Completion feature (s) inoperable. Time of Condition Q.1 not met. T. One or more NOTE instrumentation This action applies only to channels required for Functions 34, 39 and 40 in i automatic isolation Table 3.3.1.1-1 actuation inoperable. , T.1 Restore inoperable [24] hours l instrumentation Channels. U. Required Action and U.1 Enter the Condition Immediately associated Completion referenced in Time of Condition T Table 3.3.1.1-1 for the not met. channel. V. As required by V.1 Be in MODE 3. 12 hours Required Action E.1 and referenced in AND Table 3.3.1.1-1. V.2 Be in MODE 4. 36 hours W. As required by W.1 Isolate the associated 12 hours Required Action E.1 penetration flow path (s) and referenced in Table 3.3.1.1-1. OR W.2.1 Be in MODE 3. 12 hours AND W.2.2 Be in MODE 4. 36 hours. (continued) ABWR TS 3.3-7 P&R 08/30/93
. _ _ _ d
SSLC Sensor Instrumentation 3.3.1.1 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME X. Required Action and X.1 Be in MODE 3. 12 hours associated Completion Time of Condition 0.1 AND not met. X.2 Be in MODE 4. 36 hours Y. As required by Y.1 Declare supported I hour Required Action U.1 features inoperable. and referenced in ! Table 3.3.1.1-1. OR Y.2 NOTE Applies only to function 34. Isolate the Reactor Water 1 hour Cleanup System. 1 ABWR TS 3.3-8 P&R 08/30/93 _------------- }
SSLC Sensor Instrumentation 3.3.1.1 SURVEILLANCE REQUIREMENTS NOTE Refer to Table 3.3.1.1-1 to determine which SRs apply for each SSLC Sensor Instrumentation Function SURVEILLANCE FREQUENCY SR 3.3.1.1.1 Perform SENSOR CHANNEL CHECK. 12 hours SR 3.3.1.1.2 NOTE Only required to be met with THERMAL POWER 2: 25% RTP. Verify the absolute difference between the [7] days average power range monitor (APRM) channels and the calculated power is s 2% RTP SR 3.3.1.1.3 NOTE Not required to be performed when entering MODE 2 from MODE 1 until 12 hours after entering MODE 2. Perform DIVISION FUNCTIONAL TEST. [7] days SR 3.3.1.1.4 Perform DIVISION FUNCTIONAL TEST. [32] days SR 3.3.1.1.5 Perform DIVISION FUNCTIONAL TEST [92] days SR 3.3.1.1.5.a Perform CHANNEL FUNCTIONAL TEST [92] days ABWR TS 3.3-9 P&R 08/30/93 ___--_------------ i
SSLC Sensor lastrumentation 3.3.1.1 i l SURVEILLANCE REQUIREMENTS (continued) l FREQUENCY j SURVEILLANCE i l SR 3.3.1.1.6 Calibrate the local power range monitors. 1000 MWD /T average core l exposure l l i SR 3.3.1.1.7 NOTE
- 1. Required to be met with THERMAL POWER ;
s5% RTP prior to entry into MODE 1 ' from MODE 2.
- 2. Required to be met prior to entry into MODE 2 from MODE 1. ,
Verify the SRNM and APRM channels overlap [7] days within at least 1/2 decade. l l SR 3.3.1.1.8 NOTE l 1. Radiation and Neutron detectors are excluded.
- 2. Response time tests shall encompass testing of dynamic elements that are part of the RPS logic (EG TPM Time constant).
Perform COMPREHENSIVE FUNCTIONA,L TEST. [18] months l I i ABWR TS 3.3-10 P&R 08/30/93
I i SSLC Sensor Instrumentation ! 3.3.1.1 ! 1 SURVEILLANCE REQUIREMENTS (continued) l l SURVEILLANCE FREQUENCY l l l l SR 3.3.1.1.9 ;40TE ! 1. Neutron detectors are excluded. l l i
- 2. SENSOR CHANNEL CAllBRATION shall include calibration of all parameters used to calculate setpoints (e.g.
recirculation flow for TPM setpoint) and all parameters used for trip i i function bypasses (e.g. Turbine first stage pressure for TSV closure bypass). Perform SENSOR CHANNEL CALIBRATION. [18] months i SR 3.3.1.1.9.a Perform CHANNEL CALIBRATION [18] months SR 3.3.1.1.10 NOTE Neutron detectors are excluded. , [18] months Verify RPS RESPONSE TIME is within limits. j SR 3.3.1.1.11 Verify ECCS RESPONSE TIME is within [18] months limits. i SR 3.3.1.1.12 NOTE l Neutron detectors are excluded. Verify ISOLATION RESPONSE TIME is within [18] months limits. l ABWR T5 3.3-11 P&R 08/30/93
i SSLC Sensor Instrumentation 3.3.1.1 Table 3.3.1.1-1 (Page 1 of 7) SSLC Sensor Instrumentation APPLICABLE CONDifIONS MODES OR REFERENCED OTHER FROM SPECIFIED REQUIRED REQUIRED S'.1RVE ILL ANCE ALLOWABLE FUNCTION COND l f 10h 5 CHAkkELS ACTIoks REQUIREMENTS VALUE
- 1. Startup Range Monitors l 1a. SRhm heutron Flux - High 2 4 L SR 3.3.1.1.1 5 I 3% RTP
' SR 3.3.1.1.3 SR 3.3.1.1.7 SR 3.3.1.1.8 SR 3.3.1.1.9 5(a) 4 M SR 3.3.1.1.1 5 [ )% RTP SR 3.3.1.1.4 SR 3.3.1.1.8 SR 3.3.1.1.9 lb. SRNM heutron Flux-short 2(D) 4 L SR 3.3.1.1.1 5[] Period SR 3.3.1.1.3 Seconds l SR 3.3.1.1.7 5(*)(b) 4 M SR 3.3.1.1.1 1 [} SR 3.3.1.1.4 Seconds SR 3.3.1.1.8 SR 3.3.1.1.9 1c. SRNM ATWS Permissive 1 4 K SR 3.3.1.1.5 s I } RTP SR 3.3.1.1.8 1d. SRNM-Inop 2 4 L SR 3.3.1.1.3 NA 5(a) 4 g gp 3,3,g,3,4 SR 3.3.1.1.8
- 2. Average Power Range Monitors 2a. APRM Neutron Flux - High, 2 4 L SR 3.3.1.1.1 5 I ]% RTP Setdown SR 3.3.1.1.3 SR 3.3.1.1.6 SR 3.3.1.1.7 5(a) 4 M SR 3.3.1.1.1 5 [ 3% RTP SR 3.3.1.1.4 SR 3.3.1.1.6 SR 3.3.1.1.8 SR 3.3.1.1.9 2b. APRM Simulated lhermal 1 4 K SR 3.3.1.1.1 s[ W+ ]%
Power-Nigh, Flow Biased SR 3.3.1.1.2 RTP SR 3.3.1.i.5 and SR 3.3.1.1.6 5[ 3% SR 3.3.1.1.8 RTP SR 3.3.1.1.9 SR 3.3.1.1.10 2c. APRM Fixed heutron 1 4 K SR 3.3.1.1.1 I 3% RTP F lux - High SR 3.3.1.1.2 SR 3.3.1.1.5 SR 3.3.1.1.6 SR 3.3.1.1.8 SR 3.3.1.1.9 SR 3.3.1.1.10 (CONTINUED) ABWR TS 3.3-12 P&R 08/30/93
l l SSLC Sensor Instrumentation I 3.3.1.1 l Tabte 3.3.1.1-1 (Page 2 of 7) l L SSLC Sensor Instrunentation i l APPLICABLE CONDITIONS MODES OR REFERENCED OTHER FROM SPECIFIED REQUIRED REQUIRED SURVEILLANCE ALLOWABLE FUNCTION CONDIT I DNS ChAhkELS ACTIONS REQUIREMENTS VALUE 2d. APRM.Inop 1.2 4 L SR 3.3.1.1.5 kA SR 3.3.1.1.6 NA 5(a) , $g 3,3,g,g,4 SR 3.3.1.1.8 2e. Rapid Core Flow Decrease ![801% RTP 4 J SR 3.3.1.1.1 aI 3 SR 3.3.1.1.5 %/Sec : SR 3.3.1.1.8 SR 3.3.1.1.9 SR 3.3.1.1.10 2f. Oscillation Power Range Fer figure 4 N SR 3.3.1.1.1 See Moni t or. 3.3.1.1-1 SR 3.3.1.1.5 footnote (c) SR 3.3.1.1.8 SR 3.3.1.1.9 ' SR 3.3.1.1.10
- 3. Reactor Vesset Steam Dome 4 Pressure - High j
! 3a. RPS Trip Initiation 1.2 4 L SR 3.3.1.1.1 5 [ ] i ' SR 3.3.1.1.5 kg/cm' SR 3.3.1.1.8 SR 3.3.1.1.9 SR 3.3.1.1.10
.ib . Isolation initiation 1,2,3 4 0 SR 3.3.1.1.1 sI )
SR 3.3.1.1.5 kg/cm' SR 3.3.1.1.8 SR 3.3.1.1.9 SR 3.3.1.1.12 3c. SLCS and FwRB Initiation 1 4 K SR 3.3.1.1.1 5 [ ] SR 3.3.1.1.5.a kg/cm' SR 3.3.1.1.9.a i l
- 4. Reactor Steam Dome Pressure - Low 1,2,3 4 R SR 3.3.1.1.1 5[ ]
(Injection Permissive) SR 3.3.1.1.5 kg/cm' SR 3.3.1.1.8 SR 3.3.1.1.9 ' SR 3.3.1.1.11
- 5. Reactor Vessel Water Level - 1,2,3 4 R SR 3.3.1.1.1 sI 3 cm High. Level 8 SR 3.3.1.1.5 4(*),5(') SR 3.3.1.1.8 SR 3.3.1.1.9
- 6. Reactor Vessel Water Level - Low, Level 3 6a. RPS Trip Initiation. 1,2 4 L SR 3.3.1.1.1 tI 3 cm SR 3.3.1.1.5
~
SR 3.3.1.1.8 i SR 3.3.1.1.9 SR 3.3.1.1.10 (CONTINUED) ABWR TS 3.3-13 P&R 08/30/93 J
I I SSLC Sensor Instrumentation 3.3.1.1 T able 3.3.1.1-1 (Page 3 of 7) i SSLC Sensor Instrumentation APPLICABLE CONDITIDks Mt0ES OR REFERENCED s'HER FROM SPECIFIED REQUIRED REQUIRED SURVEILLANCE ALLDWABLE FUNCTION CONDIT10kS CHAAhELS ACT! DES REQUIREMENTS VALUE
- 66. Isolation initiation. 1,2,3 4 O SR 3.3.1.1.1 a I 1 cm SR 3.3.1.1.5 SR 3.3.1.1.8 SR 3.3.1.1.9 SR 3.3.1.1.12 (g) 4 P SR 3.3.1.1.1 SR 3.3.1.1.5 l SR 3.3.1.1.8 I SR 3.3.1.1.9
! SR 3.3.1.1.12
- 7. Reactor Wessel Water Level-Low, Level 2 ?
7a. ESF Initiation 1,2,3 4 R SR 3.3.1.1.1 t I 3 cm SR 3.3.1.1.5 h SR 3.3.1.1.8 , SR 3.3.1.1.9 SR 3.3.1.1.11 7b. Isolation Initiation. 1,2,3 4 0 SR 3.3.1.1.1 1 I ) cm SR 3.3.1.1.5 ; SR 3.3.1.1.8 l SR 3.3.1.1.9 SR 3.3.1.1.12 (g) 4 P SR 3.3.1.1.1 SR 3.3.1.1.5 SR 3.3.1.1.8 i SR 3.3.1.1.9 SR 3.3.1.1.12
'l 7c. SLCS and FWEB Initiation 1 4 K SR 3.3.1.1.1 s[ ]
SR 3.3.1.1.5.a kg/cm' SR 3.3.1.1.9.a l B. Reactor Vessel Water Level -Low, Level 1.5 Ba. ESF Initiation. 1,2,3, 4 R SR 3.3.1.1.1 z [ ] cm SR 3.3.1.1.5 4('),5(') SR 3.3.1.1.8 SR 3.3.1.1.9 SR 3.3.1.1.11 Bo. Isolation Initiation. 1,2,3 4 w SR 3.3.1.1.1 I [ 3 cm I SR 3.3.1.1.5 SR 3.3.1.1.8 SR 3.3.1.1.9 SR 3.3.1.1.12
- 9. Reactor vessel Water Level-Low, Level 1 9a. ADS A, LPFL A & LPFL C 1,2,3, 4 R SR 3.3.1.1.1 t I 3 cm I initiation SR 3.3.1.1.5 SR 3.3.1.1.8 4(e)* $(e) SR 3.3.1.1.9 SR 3.3.1.1.11 (CONTINUED)
ABWR TS 3.3-14 P&R 08/30/93
SSLC Sensor Instrumentation 3.3.1.1 Table 3.3.1.1 1 (Page 4 af 7) SSLC Sensor Instrtsnentation APPLICABLE CONDITicks MODES OR REFEREhCED OTHER FROM ' SPECIFIED REQUIRED REQUIRED SURVEILLANCE ALLOWABLE CONDIT10NS ChAWhELS ACTIONS REQUIREMENTS VALUE FUNCTION
- 90. ADS B Dieset Generator, 1,2,3, 4 R SR 3.3.1.1.1 2 I ] cm RCW, & LPFL 6 Initiation SR 3.3.1.1.5 SR 3.3.1.1.8 4(e)* 5(e) SR 3.3.1.1.9 SR 3.3.1.1.11 Oc. Isolation Initiation 1,2,3, 4 W SR 3.3.1.1.1 2 I 3 cm SR 3.3.1.1.5 SR 3.3.1.1.8 SR 3.3.1.1.9 :
I SR 3.3.1.1.12 Main Steam isolation 1 4 K SR 3.3.1.1.5 s t 3%
- 10. closed Valve - Closure SR 3.3.1.1.8 SR 3.3.1.1.9 SR 3.3.1.1.10 t
- 11. Drywell Pressure - High 11a. RPS Initiation. 1,2,3 4 V SR 3.3.1.1.1 5IJ ,
SR 3.3.1.1.5 kg/cm' SR 3.3.1.1.8 SR 3.3.1.1.9 SR 3.3.1.1.10 11b. ESF Initiation. 1,2,3 4 V SR 3.3.1.1.1 5[] SR 3.3.1.1.5 kg/cm' SR 3.3.1.1.8 i SR 3.3.1.1.9 SR 3.3.1.1.11 { l 4('),5(') 4 R SR 3.3.1.1.1 SR 3.3.1.1.5 SR 3.3.1.1.8 SR 3.3.1.1.9 SR 3.3.1.1.11 11c. Isolation Initiation. 1,2,3 4 W SR 3.3.1.1.1 5t1 SR 3.3.1.1.5 kg/cm' SR 3.3.1.1.8 SR 3.3.1.1.9 SR 3.3.1.1.12
- 12. CRD Water Header Charging 1,2 4 1. SR 3.3.1.1.1 s()
Pressure-Low SR 3.3.1.1.5 kg/cm' 5(*) 4 M SR S.3.1.1.1 SR 3.3.1.1.5 SR 3.3.1.1.8 SR 3.3.1.1.9
- 13. Turbine Stop Valve-Closure t[40]% RTP 4 J SR 3.3.1.1.5 s ( 2%
SR 3.3.1.1.8 closed SR 3.3.1.1.9 SR 3.3.1.1.10 14 Turbine Control Valve t[402% RTP 4 J SR 3.3.1.1.1 t() Fast Closure, Trip uit SR 3.3.1.1.5 kg/cm' Pressure - Low SR 3.3.1.1.8 oil SR 3.3.1.1.9 pressure SR 3.3.1.1.10 (CONTINUED) ABWR TS 3.3-15 P&R 08/30/93 i
SSLC Sensor Instrumentation 3.3.1.1 l Tabte 3.3.1.1-1 (Page 5 of 7) SSLC Sensor Instrunentation l APPLICABLE CONDITIONS I I MODES OR REFERENCED CTHER FROM SURVEILLANCE ALLOWABLE I SPECIFIED REQUIRED RE 0'JIRED FUhCTION CONDITIONS CHANNELS ACT10h5 REQUIREMENTS VALUE ( j 15. Main Steam Tunnel Radiation-High i 15a. RPS Trip Initiation 1,2,3 4 V SR 3.3.1.1.5 5 I I rods l SR 3.3.1.1.8 l SR 3.3.1.1.9 i 15b. Isolation Initiation. 1,2,3 4 W SR 3.3.1.1.5 s I 1 rads SR 3.3.1.1.8 SR 3.3.1.1.9
- 16. Suppression Poot Temperature-High I
! 16a. RPS Initiation. 1,2 4 L SR 3.3.1.1.1 5 I 3 'F I SR 3.3.1.1.5 l SR 3.3.1.1.8 I SR 3.3.1.1.9 SR 3.3.1.1.10 16b. ESF Initiation. 1,2,3 4 R SR 3.3.1.1.1 5 [ } 'F SR 3.3.1.1.5 SR 3.3.1.1.8 SR 3.3.1.1.9 ,
- 17. Condensate Storage Tank Level - 1,2,3 4 0 SR 3.3.1.1.1 2 1 3 cm Low SR 3.3.1.1.5 l 4(*),5(') SR 3.3.1.1.8 SR 3.3.1.1.9
- 18. Suppression Pool Water level - 1.2,3 4 0 SR 3.3.1.1.1 5 I 3 cm High SR 3.3.1.1.5 4('),5(') SR 3.3.1.1.8 SR 3.3.1.1.9
- 19. Main Steam Line Pressure - Low 1 4 K SR 3.3.1.1.1 5[] ,
SR 3.3.1.1.5 kg/cm2 : SR 3.3.1.1.8 SR 3.3.1.1.9
- 20. Main Steam Line Flow - High 1,2,3 4 per W SR 3.3.1.1.1 2 kg/hr MSL SR 3.3.1.1.5 SR 3.3.1.1.8 '
SR 3.3.1.1.9 SR 3.3.1.1.12 i 21. Condenser Vacuum- Low 1, 2(d) 4 W SR 3.3.1.1.1 e!1 I SR 3.3.1.1.5 kg/cm' l ,3(d) SR 3.3.1.1.8 i SR 3.3.1.1.9
- 22. Main Steam Tunnel 1,2,3 4 W SR 3.3.1.1.1 5 [ ] *C Tenperat ure - H igh SR 3.3.1.1.5 SR 3.3.1.1.8 i SR 3.3.1.1.9 >
i
- 23. Main Turbine Area Temperature- 1,2,3 4 W SR 3.3.1.1.1 5[] 'C j High SR 3.3.1.1.5 '
SR 3.3.1.1.8 SR 3.3.1.1.9 f (CONTINUED) , ABWR TS 3.3-16 P&R 08/30/93
SSLC Sensor Instrumentation 3.3.1.1 Table 3.3.1.1-1 (Page 6 of 7) SSLC Sensor Instrumentation APPLICABLE CONDITIONS MODES OR REFERENCED OTHER FROM SPECIFIED REQUIRED REQUIRED SURVE!LLANCE ALLOWABLE FUNCTION CONDITIONS CHANLELS ACTIONS REQUIREMENTS VALUE 24a. Reactor Building Area Enhaust Air 1,2,3 4 0 SR 3.3.1.1.1 5 I 3 Rads Radiation-High SR 3.3.1.1.5 (g),(h) 4 P SR 3.3.1.1.1 SR 3.3.1.1.5 SR 3.3.1.1.8 SR 3.3.1.1.9 SR 3.3.1.1.12 24.b Fuel Handling Area Exhaust Air 1,2,3 4 0 SR 3.3.1.1.1 s ! 3 Reds Radiation-Migh SR 3.3.s.1.5 (g),(h) 4 P SR 3.3.1.1.1 SR 3.3.1.1.5 SR 3.3.1.1.8 SR 3.3.1.1.9 SR 3.3.1.1.12
- 25. RCIC Steam Line Flow - Hign 1,2,3 4 0 SR 3.3.1.1.1 E kg/Hr SR 3.3.1.1.5 SR 3.3.1.1.8 SR 3.3.1.1.9
- 26. RCIC Steam Supply Line 1,2,3 4 0 SR 3.3.1.1.1 5IJ Pressure - Low SR 3.3.1.1.5 kg/cm' SR 3.3.1.1.8 SR 3.3.1.1.9
- 27. RCIC Turbine Exhaust Diaphragm 1,2,3 4 0 SR 3.3.1.1.1 EI3 Pressure - Hi g% SR 3.3.1.1.5 kg/cm' SR 3.3.1.1.8 SR 3.3.1.1.9
- 28. RCIC Equipment Area 1,2,3 4 0 SR 3.3.1.1.1 s I 3 'C Temperature - Mi gh SR 3.3.1.1.5 SR 3.3.1.1.8 SR 3.3.1.1.9
- 29. CUW Dif f erential Flow - High 1,2,3 4 0 SR 3.3.1.1.1 5I3 SR 3.3.1.1.5 Liters / Min SR 3.3.1.1.8 for <= ! 3 SR 3.3.1.1.9 Seconds
- 30. CUW Regenerative meat Exchanger 1,2,3 4 0 SR 3.3.1.1.1 5 I 3 'C Area Temperature - High SR 3.3.1.1.5 SR 3.3.1.1.8 !
SR 3.3.1.1.9 31 CUW non-regenerative Heat 1,2,3 4 0 SR 3.3.1.1.1 5 I J *C Exchanger Area Temperature - High SR 3.3.1.1.5 SR 3.3.1.1.8 SR 3.3.1.1.9
- 32. CUW Equipment Area 1,2,3 4 0 SR 3.3.1.1.1 5 t 7 *C T enperature - M i gh SR 3.3.1.1.5 SR 3.3.1.1.8 SR 3.3.1.1.9 1
i (CONTINUED) l ABWR TS 3.3-17 P&R 08/30/93
i i i SSLC Sensor Instrumentation l 3.3.1.1 I Table 3.3.1.1-1 (Page 7 of 7) l SSLC Sensor Instrisnentation APPLICABLE CONDITIONS MODES OR REFERENCED l OTHER FROM SPECIFIED REQUlkED REQUIRED SURVEILLANCE ALLOWABLE FUhCTION CONDITIONS CHANNELS ACTIONS REQUIREMENTS VALUE
- 33. RNR Area Tenperatures-Hig5 2,3 4 each 0 SR 3.3.1.1.1 s t J *C i RNR area SR 3.3.1.1.5 SR 3.3.1.1.8 SR 3.3.1.1.9
- 34. CUW lsolation on SLC Initiation 1,2 1 per Y SR 3.3.1.1.8 SLC puno
- 35. ADS Division ! LPFL Pm p 1, 2(II, 1 per NA SR 3.3.1.1.5 tI Discharge Pressure - High 3(f) each of SR 3.3.1.1.8 kg/cm (permissive) 3 pmps SR 3.3.1.1.9
- 36. ADS Division I HPCF Pm p 1, 2(I) , 1 per NA SR 3.3.1.1.5 t I 1.
Discharge Pressure - High 3(f) each of SR 3.3.1.1.8 kg/cm' (permissive) 2 pmps SR 3.3.1.1.9
- 37. ADS Division 11 LPFL Punp 1, 2 EI} , 1 per NA SR 3.3.1.1.5 t!
Discharge Pressure - High 3(f) each of SR 3.3.1.1.8 kg/cm (permissive) 3 peps SR 3.3.1.1.9 l 38. AOS Division 11 HPCF Pm p 1, 2(II, 1 per kA SR 3.3.1.1.5 t I l Discharge Pressure - High 3(f) each of SR 3.3.1.1.8 kg/cm j (permissive) 2 punps SR 3.3.1.1.9
- 39. Drywell Smp Drain LCW Radiation- 1,2,3 1 W SR 3.3.1.1.1 5 [ ] Rads High SR 3.3.1.1.5 SR 3.3.1.1.8 SR 3.3.1.1.9
- 40. Crywell Sep Drain HCW Radiation- 1 3 1 W SR 3.3.1.1.1 s I 3 Rads High SR 3.3.1.1.5 SR 3.3.1.1.8 SR 3.3.1.1.9 (a) With any control rod withdrawn f rom a core cell containing one or more fuel assemblies.
(b) Trip automatically bypassed within each SRNM and not required to be OPERABLE at reactor power levels 5t0.00013% RTP. (c) 1. Neutron flux oscillations within any OPRM cell have a period between (1.153 seconds and I3.353 seconds that persists for [10) cycles with a peak to peak amplitude of that is 110]% of point or greater.
- 2. Neutron flux oscillations within any OPRM cell that have a period between [0.31) and [2.23 seconds become targer than (30]% of point within (3) periods or oscillations with the specified period range that are greater than [10%) of point grow by (303% of point within I3] cycles.
(d) With any Turbine Stop Valve not fully closed. (e) When associated features are required to be operable. (f) With reactor pressure > 50 psig. (g) During CORE ALTERATIONS or operations with a potential for draining the reactor vessel. (h) During movement of irradiated fuel assernblies in the containment. l (CONTINUED) ABWR TS 3.3-18 P&R 08/30/93
7 SSLC Sensor Instrumentation i 3.3.1.1
~
t i 90 - l
>x
' ^
80 - C. : l R.EGION OF APPLICABILITY w ~
- ,0
, - N g. , -
%ws I o eM.2.: >c.;
ux,. - s' , b m
-..jNV <
i l
~ \ 4 -[ e [
] :f.hhN/O' 0[Ns'
+em-s e :- - -- x t
$ 60- ,
aw-4v:e t o - ~ Mn p'i:p .
- ): - ,
1 Y..pi : I
. .L.; 'y (
l m x..+: x - ap r e s-..s i
- o 50 - gg , m*.
o w ~ , 1 < m2: .~ f's~.: >#
^
I y MJsSTI co.u+g~'*.
= 40 g p<+ ,-
r l u.w. N e.
. n 2ww:m .v23 1
w e-u..c t . > s - 7 30- -. .a 2 s ,
. . ... :;.sumews ~"**W~~m
~ ~. . 3 I isi;g:::;.. ., , :;+:%.t;p 2Yb, ' * **hREGION OF EXCLUSIONi
,m. .. . wn.%aMW.
^
m l ' ; W:X
.1 v ' l.,,. D yb.- a [n wGi$?#dPVaf en.-a w af.J:ms-N m^'y g a m -
! g e' .#e#&4b. OINfhk%h f, ayme, gf,P !if s:;;.ffsf ' .y ..' inh:h #- .e
;g: cm: ...
s .
-< * <rpsp qwp .>., u: m:.m.: 4.
x e%? : ' fjJ,-.r;:.3 ,
- TQ>,+Ni;:s.s qg AQs: JM.M$: :5.
ideF X : ' V %~ itg;'d 5
?yN:
----5Mf M ..g;Y, & .7 ;.xA:.-(.:,.g.fg' ;. .:o ' Mpg < > ' - fp'6;Xy,4^:y_:T ':feg: );$::#'#
f'
- p. . .; . ; y.f $:gy! t ::. A j .-
10- . . . e3v.
. ' %gg-jag,gpw.g:gg:3. .#.,g-::, g ,a p , -:w
- .% .: . .. .;xep'.;;&:.f
, ~ .. .e d:-) *
' I-
,,.;n vtfe.M;;d,
. Mf. ;%6-:!.f/$27N/i' 75%- @-' v. n
@A:,.:#
x +- MD$EP...M. % y7.?id'@??.J}.Yk!Kf@$ v -v o. ?+. M .;- ..v.- 39 W':%MT%@i74' 36@I' ?
" 8+:
4 Y h$YllNhTs')e5,&jhbh.&+'??lE?.& d . .k; to . .. - :- .:&jQ?'A+>
O L i i I i i i i i I 0 10 20 30 40 50 60 70 70 90 100 CORE FLOW- % t 6 FIGURE 3.3.1.1-1: Osci!!ation Power Range Function Conditions of Operability 1 t F t i 4 i t ABWR TS 3.3-19 P&R 08/30/93 l I l l t I t-
RPS and MSIV Actuation 3.3.1.2 3.3 INSTRUMENTATION 3.3.1.2 Reactor Protection System (RPS) and Main Steam Isolation i Valve (MSIV) Actuation , LC0 3.3.1.2 The RPS and MSIV Actuation Functions in Table 3.3.1.2-1 shall be OPERABLE. i i i APPLICABILITY: According to Table 3.3.1.2-1. j NOTE Separate condition entry is allowed for each channel. t ACTIONS l I CONDITION REQUIRED ACTION COMPLETION TIME A. One or more Functions NOTE ! with one channel Only applicable to Functions ; inoperable. la, 2a, and 5. j A.1 Place affected division 6 hours in trip. !
)
OR i A.2.1 Place affected 6 hours division in TLU logic ; output bypass. l l AND A.2.2.1 Restore required 30 days j channel (s) to ! OPERABLE status ! E I A.2.2.2 Place affected 30 days j division in trip. j i (continued) l i t l ABWR TS 3.3-20 P&R 08/30/93 j l l
i l 1 RPS and MSIV Actuatiri , 3.3.1.2 l l ACTIONS (continued) \ CONDITION REQUIRED ACTION COMPLETION TIME l B. One or more Functions NOTE with two channels Only applicable tc fanctions inoperable, la, 2a, and 5. B.1 Place one affected 3 hours L division in trip. AND B.2 Place the other 6 hours affected division in TLU logic output i bypass. ; ! AND B.3 Restore at least one 30 days , inoperable channel to ! OPERABLE status. j C. One or more Functions NOTE { with three channels Only applicable to Functions , inoperable. la, 2a, and 5. C.1 Place one affected Immediately ! division in trip. ; AND C.2 Restore at least one 6 hours i inoperable channel to OPERABLE status l D. One or more Functions NOTE [ with four channels Only applicable to Functions ; inoperable. la, 2a, and 5. i D.1 Place one affected Immediately I division in trip. [ AND ; D.2 Restore at least one 1 hours , inoperable channel to ! OPERABLE status (continued) I ABWR TS 3.3-21 P&R 08/30/93 l
l RPS and MSIV Actuation 3.3.1.2 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME i E. One or more functions NOTE l with one OUTPUT Only applicable to Functions > , CHANNEL inoperable. 1.b and 2.b. . l l E.1 Place inoperable 6 hours 1 channel in trip l i F. One or more Functions NOTE with two OUTPUT Only applicable to Functions CHANNELS inoperable. Ib and 2b. F.1 Place one inoperable I hour ; channel in trip. ! l l AND l l F.2 Restore at least one 7 days ; I inoperable channel to , OPERABLE status. : G. One or more Functions NOTE with three or more Only applicable to Functions ' OUTPUT CHANNELS Ib and 2b. j inoperable. i-G.1 Restore at least two I hour I channels to OPERABLE i status. , H. One or more Reactor H.1 Restore required I hour , Mode Switch-Shutdown channel to OPERABLE , Position channels status. I inoperable. i (continued) ABWR TS 3.3-22 P&R 08/30/93
RPS and MSIV Actuation 3.3.1.2 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME I. One RPS manual scram NOTE l channel inoperable. The inoperable channel may be bypassed for up to 6 hours for surveillance ! testing of the other l channels. I.1 Place affected division I hour i in trip. f AND i I.2 Restore required 30 days channel to OPERABLE i status. l J. Required Action and NOTE i associated Completion Only applicable to Functions l Time not met for 1, 3 and 4. ! Conditions A, B, C, i D, E, F, G, H, or I J.1 Be in MODE 3. 12 hours , in MODE 1 or 2. K. Required Action and K.1 Initiate action to Immediately ; associated Completion insert all insertable j l Time not met for control rods in core ! Conditions A, B, C, cells containing one or : D, E, F, G, H, or I more fuel assemblies. { in MODE 5(a). : i L. Required Action and NOTE i associated Completion Only applicable to Functions ' Time not met for 2 and 5. , Conditions A, B, C, I l D, E, F or G. L.1 Isolate the associated 12 hours l penetration flow l path (s). I l E
~
L.2.1 Be in MODE 3. 12 hours AND L.2.2 Be in MODE 4. 36 hours
.=
ABWR TS 3.3-23 P&R 08/30/93
I RPS and MSIV Actuation ! 3.3.1.2 ; SURVEILLANCE REQUIREMENTS l SURVEILLANCE FREQUENCY [ SR 3.3.1.2.1 Perform CHANNEL FUNCTIONAL TEST. [7] days l f SR 3.3.1.2.2 Perform DIVISION FUNCTIONAL TEST. 92 days l SR 3.3.1.2.3 Perform CHANNEL FUNCTIONAL TEST. [92] days j i i i l ! SR 3.3.1.2.4 Perform COMPREHENSIVE FUNCTIONAL TEST. [18] months l i SR 3.3.1.2.5 Perform OUTPUT CHANNEL FUNCTIONAL TEST. [18] months ! t i i i l I l SR 3.3.1.2.6 Verify RPS RESPONSE TIME is within limits. [18] months l I l ! t i f I l l ABWR TS 3.3-24 PSR 08/30/93 d
i RPS and MSIV Actuation 3.3.1.2 i Table 3.3.1.2-1 (Page 1 of 1) RPS and MSIV Actuation , APPLICABLE MDCES OR OTHER SPECIFIED REQUIRED SURVFILLANCE ' FUNCTION CONDITIOkS CHAhhELS REQUIREMENTS
- 1. RPS Actuation.
- a. LOGIC ChAhWEls 1, 2, 5(a) 4 SR 3.3.1.2.2 i SR 3.3.1.2.4 i SR 3.3.1.2.6 i i
- b. DUTPUT ChAkWELs 1, 2, 5C *) 4 SR 3.3.1.2.2 SR 3.3.1.2.4 1 SR 3.3.1.2.5 I SR 3.3.1.2.6 ;
- 2. MSlvs and MSL Drain Valves Actuation.
- a. LOGIC CHAANELs 1,2,3 4 SR 3.3.1.2.2 SR 3.3.1.2.4 4 SR 3.3.1.2.2 f
- b. DUTPUT CHANNELS 1,2,3 SR 3.3.1.2.4 l SR 3.3.1.2.5
- 3. Ma u l RPS Scram. 1, 2, 5(a) 2 SR 3.3.1.2.1 !
4 Reactor Mooe Switch-Shutdown Position. 1, 2, 5(a) 2 SR 3.3.1.2.4 f
- 5. Manual MS!v Actuation. 1,2,3 4 SR 3.3.1.2.3 !
SR 3.3.1.2.4 (a) With any control rod withdrawn in a core cell containing at least one fuel assembly. I
?
\ t ABWR TS 3.3-25 P&R 08/30/93
i SLC and FWRB Actuation 3.3.1.3 3.3 INSTRUMENTATION 3.3.1.3 Standby Liquid Control (SLC) and Feedwater Runback (FWRB) j Actuation LC0 3.3.1.3 The SLC and FWRB Actuation functions in Table 3.3.1.3-1 shall be OPERABLE. ) l APPLICABILITY: MODE 1 NOTE : Separate condition entry is allowed for each channel. ; ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME ; A. One or more Functions NOTE l with one logic Only applicable to Functions ! channel inoperable. 1.a, 2.a, and 3. ; i A.1 Place affected ATWS 6 hours ; division in trip. , r M M ! One division with one A.2 Place affected 6 hours or two manual ARI division in ATWS logic ; channels inoperable. output bypass. l l (continued) ABWR TS 3.3-26 P&R 08/30/93 ! l l l
i SLC and FWRB Actuation 3.3.1.3 l l ACTIONS (continued) 1 CONDITION REQUIRED ACTION COMPLETION TIME B. One or more Functions --- NOT E with two logic Only applicable to Functions channels inoperable. 1.a, 2.a, and 3. B.1 PlaceoneaffectedATb c3 hours OR division in trip. l Two divisions with AND one or more manual l ARI channels B.2 Place the other 6 hours ;
- inoperable. affected division in .,
ATWS logic output L bypass. i AND i B.3 Restore at least one 30 days inoperable channel to l OPERABLE status. 1 C. One or more Fur.ctions NOTE l with one OUTPUT Only applicable to Functions l CHANNEL inoperable. 1.b and 2.b. C.1 Place inoperable 6 hours channel in trip l D. One or more Functions NOTE with two OUTPUT ' Only applicable to Functions l CHANNELS inoperable. 1.b and 2.b. l D.1 Place one inoperable 1 hour channel in trip. AND D.2 Restore at least one 7 days inoperable channel to OPERABLE status. l (continued) l ABWR TS 3.3-27 P&R 08/30/93 f r--- -
SLC and INRB Advecion 3.3.1.3
)
ACTIONS (continued) j 1 CONDITION REQUIRED ACTION COMPLETION TIME j E. Required Action and E.1 Declare SLC system I bour associated Completion inoperable. Time not met for Conditions A, B, C, ; or D. . 1 ! M One or more functions with three or more LOGIC CHANNELS or OUTPUT CHANNELS inoperable. M Three or more divisions with one or more manual ARI channels inoperable e r I i e I a M ABWR TS 3.3-28 P&R 08/30/93 J e-
e ! i t l l . SLC and FWRB Actuation 3.3.1.3 l s i i SURVEILLANCE REQUIREMENTS ; i SURVEILLANCE FREQUENCY SR 3.3.1.3.1 Perform DIVISION FUNCTIONAL TEST. [92] days i f SR 3.3.1.3.2 Perform COMPREHENSIVE FUNCTIONAL TEST. [18] months i i SR 3.3.1.3.3 Perform OUTPUT CHANNEL FUNCTIONAL TEST. [18] months ! I f l e i i
'l 1
l 1 I ABWR TS 3.3-29 P&R 08/30/93
i l l SLC and FWRB Actuation l l 3.3.1.3 l l Table 3.3.1.3-1 (Fage 1 of 1) SLC and FWEB Actuation
)
REQUIRED SURVEILLANCE - FUNCTION CHAWWELS REQUIREMENTS ;
)
- 1. SLC Actuation. l
- a. LOGIC CHAbkELs 4 SR 3.3.1.3.1 SR 3.3.1.3.2
- b. DUTPUT CHANNELS 4 SR 3.3.1.3.2 SR 3.3.1.3.3
- 2. FWRB Actuation
- a. LOGIC CHANNELS 4 SR 3.3.1.3.1 SR 3.3.1.3.2 4 SR 3.3.1.3.2
- b. OUTPUT CHAhkEls SR 3.3.1.3.3
- 3. Manual Alternate Rod Insertion 2/ division SR 3.3.1.3.1 SR 3.3.1.3.2 l
l l ABWR TS 3.3-30 P&R 08/30/93
l ESF Actuation Instrumentation 3.3.1.4 3.3 INSTRUMENTATION 3.3.1.4 ESF Actuation Instrumentation LCO 3.3.1.4 The ESF Actuation Instrumentation for each Function in Table 3.3.1.4-1 shall be SPERABLE. APPLICABILITY: According to Table 3.3.1.4-1. NOTE Separate Condition entry is allowed for each channel. ACTIONS l l CONDITION REQUIRED ACTION COMPLETION TIME l A. One or more Functions NOTE - with one required Not applicable to Function 4 l LOGIC CHANNEL inoperable. l A.1 Place the associated l OUTPUT CHANNEL (s) in I hour bypass. AND A.2.1 Restore the inoperable channel to 30 days OPERABLE status. OB l A.2.2 Verify redundant ! i Feature (s) are 30 days l l OPERABLE. . B. One or more Functions NOTE with one or more Not applicable to Function 4 required SENSOR CHANNELS, a manual B.1 Restore at least one initiation channel, required channel to I hour ! or two LOGIC CHANNELS OPERABLE status. ! inoperable. (continued) ABWR TS 3.3-31 P&R 08/30/93 l i
l j ESF Actuation Instrumentation i 3.3.1.4 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME C. One or more Functions NOTE with one or more Not applicable to Function 4 OUTPUT CHANNELS inoperable. C.1 Restore ESF actuation 1 hour capability for the affected Feature (s). 0.8 l l C.2 Actuate associated I hour device (s), i D. Required Action and D.1 Declare the supported I hour associated Completion Feature (s) inoperable. Time not met for ! Condition B or C. I E. One or more logic or NOTE OUTPUT channels Applies only to Function 4 inoperable. E.1 Declare associated valve (s) inoperable. I hour ABWR TS 3.3-32 P&R 08/30/93 4
i ESF Actuation Instrumentation 3.3.1.4 l SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY l l ; I SR 3.3.1.4.1 Perform SENSOR CHANNEL CHECK. 12 hours ! l l SR 3.3.1.4.2 Perform OUTPUT CHANNEL FUNCTIONAL TEST. [24] months ; i i SR 3.3.1.4.3 Perform DIVISIONAL FUNCTIONAL TEST. [92] days SR 3.3.1.4.4 Perform COMPREHENSIVE FUNCTIONAL TEST. [24] months ; I l SR 3.3.I.4.5 Perform ECCS RESPONSE TIME TEST. [24] months SR 3.3.1.4.6 Perform SENSOR CHANNEL CALIBRATION. [24] months SR 3.3.1.4.7 Perform Manual initiation CHANNEL [24] months- l FUNCTIONAL TEST. 1 ; l l : ABWR TS 3.3-33 P&R 08/30/93 l l
ESF Actuation Instrumentation 3.3.1.4 Tabte 3.3.1.4-1 (Page 1 of 5) ESF Actuation Instrumentation l APPLICABLE MODES OR OTHER > SPECIFIED REQUIRED SURVE!LLANCE FUNCTION CONDITIONS CHANNELS REQUIREMENTS ALLOWABLE VALUE
- 1. Low Pressure Core Flooder Actuation.
i 1.a LPFL Purp Discharge Pressure - 1,2,3, 1p SR 3.3.1.4.1 1 I J Kg/cm2 l High. 4(g) *5(g) pmp{r SR 3.3.1.4.3 l SR 3.3.1.4.4 SR 3.3.1.4.6 1.6 LPFL Pttp Discharge Flow - Low. 1,2,3, 1p SR 3.3.1.4.1 5 t 1 Liters per puno{ra) SR 3.3.1.4.3 min 4C8), 5(8) sR 3.3.1.4.4 SR 3.3.1.4.6 , i i 1.c LPFL system Initiation. 1,2,3 2 per SR 3.3.1.4.3 NA system (b) gg 3,3,3,4,4 l' 4(8) 5(8)
, SR 3.3.1.4.5 1.d LPFL Device Actuation. 1,2,3 1 per sR 3.3.1.4.2 NA actuate SR 3.3.1.4.3 4(8) 5(g) oeyice(cg sa 3,3,3,4,4 SR 3.3.1.4.5 1.e LPFL Manual Initiation. 1,2,3, 1 per SR 3.3.1.4.3 NA system'd) sR 3.3.1.4.4 d8)5(8)
, SR 3.3.1.4.7
- 2. High Pressure Core Flooder Actuation.
2.a HPCF Ptrio Discharge Pressure - 1,2,3, 3.3.1.4.1 t t 1 Kg/Cm2 i High. gg)s(g) 1 g) SR st 3.3.,.4.3 l
- SR 3.3.1.4.4 l SR 3.3.1.4.6 -
2.b HPCF Ptsp Discharge Flow - Low. 1,2,3, 1 ga)r SR 3.3.1.4.1 5 I ] Liters per pep SR 3.3.1.4.3 min d8)5(8)
, SR 3.3.1.4.4 ,
SR 3.3.1.4.6 i 2.c HPCF Pmp suction Pressure-Low. 1,2,3, r SR 3.3.1.4.1 2 I ] Kg/cm2 1pga) 4(g) 3(g) pwp SR 3.3.1.4.3 SR 3.3.1.4.4 SR 3.3.1.4.6 a 2.d HPCF system Initiation. 1,2,3 2 pe SR 3.3.1.4.3 NA l system (b) gg 3,3,3,4,4 l d8)5(8)
, SR 3.3.1.4.5 2.e HPCF Device Actuation. 1,2,3 1 per SR 3.3.1.4.2 NA actuate SR 3.3.1.4.3 4(8) 5(8) device (Cg SR 3.3.1.4.4 st 3.3.1.4.5 ;
2.f HPCF Manual Initiation. 1,2,3, 1 per SR 3.3.1.4.3 NA system (d) gg 3,3,g,4,4 , d8)5(8)
, SR 3.3.1.4.7 '
- 3. Reactor Core Isolation Cooling system Actuation, j 3.a RCIC Pmp Discharge Pressure - 1, 2('), 3(') 1(a) SR 3.3.1.4.1 1 I J Kg/cm2 ,
High. SR 3.3.1.4.3 SR 3.3.1.4.4 SR 3.3.1.4.6 l ABWR TS 3.3-34 P&R 08/30/93 1 l
t > ESF Actuation Instrumentation 3.3.1.4 table 3.3.1.4-1 (Page 2 of 5) ESF Actuation Instrtsnentation APPLICABLE , MODES OR OTHER SPECIFIED REQUIRED SURVEILLANCE FUNCTION CONDIT!0ks CHANNELS REDUIREMENtS ALLOWABLE VALUE 3.b RCIC Pi.sm Discharge Flow - Low. 1, 2('), 3(') 1(a) SR 3.3.1.4.1 5 t 1 Liters per SR 3.3.1.4.3 min SR 3.3.1.4.4 SR 3.3.1.4.6 3.c RCIC System initiation. 1, 2('), 3(') 2(b) SR 3.3.1.4.3 NA SR 3.3.1.4.4 SR 3.3.1.4.5 3.d RCIC Device Actuation. 1, 2('), 3(') 1 per SR 3.3.1.4.2 NA I actuat SR 3.3.1.4.3 ! device]C SR 3.3.1.4.4 SR 3.3.1.4.5 3.e RCIC Manual Initiation. 1, 2('), 3(') 1(d) SR 3.3.1.4.3 NA SR 3.3.1.4.4 SR 3.3.1.4.7 ;
- 4. Automatic Depressurization System.
4.a ADS System Initiation. 1,2,3 2 pe SR 3.3.1.4.3 NA system {b) SR 3.3.1.4.4 4.b ADS Device Actuation. 1,2,3 1 per hR h.'I.1.4.2 NA actuate SR 3.3.1.4.3 i ' 4(I) 5, CI) device (Cg SR 3.3.1.4.4 SR 3.3.1.4.5 4.c ADS Manual Initiation. 1,2,3, 2 per ) SR 3.3.1.4.3 NA system td SR 3.3.1.4.4 4(I) 5(I)
, SR 3.3.1.4.7 I
- 5. Diesel-Generator Actuation.
5.a Division 1, II, & !!! Loss of 1,2,3, 1 pe SR 3.3.1.4.1 t []v and 5 I3V Voltage-6.9 kV. g(h) *$(h) phase [a) SR 3.3.1.4.2 SR 3.3.1.4.3 for SR 3.3.1.4.4
- SR 3.3.1.4.5 e t 3 sees and SR 3.3.1.4.6 5 1 3 secs 5.b Division I, II, & III Degraded 1,2,3, 1 pe SR 3.3.1.4.1 a [ JV and s I JV :
Voltage-6.9 kV. phase [a) SR 3.3.1.4.2 4(h)* 5th) SR 3.3.1.4.3 for SR 3.3.1.4.4 L i SR 3.3.1.4.5 t I ) sees and l SR 3.3.1.4.6 s I 3 secs 5.c DG System Initiation. 1,2,3 2 per ) SR 3.3.1.4.3 NA system tb SR 3.3.1.4.4 l 4(h) $th) gg 3,3,g,4,$ 5.d DG Device Actuation. 1,2,3 1 per SR 3.3.1.4.2 NA actuatgC SR 3.3.1.4.3 4(h) $(h)
, device SR 3.3.1.4.4 5.e DG Manual Initiation. 1,2,3, 1 per DG(d) SR 3.3.1.4.3 NA SR 3.3.1.4.4 4(h) $(h) SR 3.3.1.4.7 l
l l ABWR TS 3.3-35 PAR 08/30/93 l l i
i ESF Actuation Instrumentation 3.3.1.4 Table 3.3.1.4-1 (Page 3 of 5) ESF Actuation Instrumentation I APPLICABLE MODES OR CThER SPECIFIED REQUIRED SURVEILLANCE FUkCTION CONDITIONS CHANNELS REQUIREMENTS ALLOWABLE VALUE
- 6. Standby Gas Treatment System Actuation.
6.a SGTS System Initiation. 1,2,3 1 pe SR 3.3.1.4.3 EA system {b) gg 3,3,g,4,4 l g , 6.b SS15 Device Actuation. 1,2,3 1 per SR 3.3.1.4.2 NA l actuatg SR 3.3.1.4.3 l (i)(j) device SR 3.3.1.4.4
- 7. Reactor Building Cooling Water /
l Service Water Actuation. 7.a RCW/RSW System Initiation. 1, 2, 3, 2 per SR 3.3.1.4.3 NA system (D) SR 3.3.1.4.4 4(g) 5(8) l 7.b RCW/RSW Device Actuation. 1, 2, 3, 1 per SR 3.3.1.4.2 kA j actuate SR 3.3.1.4.3 4(8) 5(8) device (cg SR 3.3.1.4.4 7.c RCW/RSW Manual Initiation. 1, 2, 3, 1 per SR 3.3.1.4.3 hA System (d) SR 3.3.1.4.4 4(8) 5(8)
, SR 3.3.1.4.7 l
7.d Division I, II, & III Loss of 1,2,3, 1 per SR 3.3.1.4.1 2 I JV and 5 I 3V l Voltage-6.9 kV. 4(h) 5(h) phase a) SR 3.3.1.4.2 r SR 3.3.1.4.3 for SR 3.3.1.4.4 SR 3.3.1.4.5 t [ 3 secs and SR 3.3.1.4.6 5 [ ] secs 7.e Division I, II, & !!I Degraded 1,2,3, 1 pe SR 3.3.1.4.1 1 [ ]V and 5 ( ]V Voltage-6.9 kV. phase [a) SR 3.3.1.4.2 4th) * $(h) SR 3.3.1.4.3 for SR 3.3.1.4.4 SR 3.3.1.4.5 t I 1 secs and SR 3.3.1.4.6 s ( ) secs
- 8. Containment Atmospheric Monitoring 8.a CAM System Initiation. 1, 2 ,3 2 per ) SR 3.3.1.4.3 hA system tb gg 3,3,3,4,4 8.b CAM Device Actuation. 1,2,3 1 per SR 3.3.1.4.2 hA actuate SR 3.3.1.4.3 device (f SR 3.3.1.4.4
- 9. Suppression Pool Cooling Actuation.
9.a SPC System Initiation. 1, 2, 3, 2 per SR 3.3.1.4.3 kA system (b) gg 3,3,3,4,4 4(8) 5(8) 9.b SPC Device Actuation. 1, 2, 3, 1 per SR 3.3.1.4.2 kA actuat SR 3.3.1.4.3 4(8) 5(8) device (qC SR 3.3.1.4.4 9.c SPC Manual Initiation. 1, 2, 3, 1 per SR 3.3.1.4.3 hA System (d) gg 3,3,3,4,4 4(8) 5(8)
, SR 3.3.1.4.7 ABWR TS 3.3-36 P&R 08/30/93 i
i
ESF Actuation Instrumentation 3.3.1.4 Table 3.3.1.4-1 (Page 4 of 5) ESF Actuation Instrumentation APPLICABLE MODES OR OTHER SPECIFIED REQUIRE) SURVEILLANCE FUNCTION CONDIT!cNS CHANNE8' REQUIREMEN15 ALLOWABLE VALUE i
- 10. Primary Containment Isolation valves i Actuation.
10.a PCIV System Initiation. 1, 2, 3, 2CD) SR 3.3.1.4.3 kA SR 3.3.1.4.4 (i)(j) 10.b PCIV Device Actuation. 1, 2, 3, 1 per SR 3.3.1.4.2 NA actuatg SR 3.3.1.4.3 (i)(j) device SR 3.3.1.4.4 10.c PCIV Manual Initiation. 1, 2, 3, 2(d) SR 3.3.1.4.3 NA SR 3.3.1.4.4 (t)(j) SR 3.3.1.4.7
- 11. Secondary Containment isolation valves Actuation.
11.s CIV system Initiation. 1, 2, 3, 2(b) gg 3,3,3,4,3 gg SR 3.3.1.4.4 (j) 11.b CIV Cevice Actuation. 1, 2, 3, 1 per SR 3.3.1.4.2 NA actuat SR 3.3.1.4.3 (j) device (g SR 3.3.1.4.4 11.c CIV Manuat Initiation. 1, 2, 3, 2(d) SR 3.3.1.4.3 hA SR 3.3.1.4.4 (j) SR 3.3.1.4.7
- 12. Reactor Core Isolation Cooling isolation Actuation.
12.a RCIC System Isolation 1,2,3 2(b) SR 3.3.1.4.3 NA Initiation. SR 3.3.1.4.4 12.b RCIC ! solation Device Actuation. 1,2,3 1 per SR 3.3.1.4.2 hA actuatg SR 3.3.1.4.3 device SR 3.3.1.4.4 12.c RCIC Manual Isolation 1,2,3 2(d} SR 3.3.1.4.3 NA Initiation. SR 3.3.1.4.4 SR 3.3.1.4.7
- 13. Reactor Water Cleanup Isolation Actuation.
i 13.a PWCU System Isolation 1, 2, 3, 2(b) SR 3.3.1.4.3 NA l Initiation. (i) SR 3.3.1.4.4 13.b RWCU ! solation Device Actuation. 1, 2, 3, 1 per SR 3.3.1.4.2 NA (i) actuatg SR 3.3.1.4.3 ; device SR 3.3.1.4.4 13.c RWCU Manual Isolation 1, 2, 3, 2(d) SR 3.3.1.4.3 NA Initiation. (i) SR 3.3.1.4.4 ! SR 3.3.1.4.7 ABWR TS 3.3-37 P&R 08/30/93 i P
ESF Actuation Instrumentation 3.3.1.4 i Table 3.3.1.4-1 (Page 5 of 5) ESF Actuation Instrumentation i l APPLICABLE MODES OR OTHER SPECIFIED REQUIRED SURVEILLANCE FUNCTION CONDITIONS CHAhWELS REQUIREMENTS ALLOWABLE VALUE
- 14. Shutdown Cooling System Isolation Actuation.
14.a SD Coolirig System Isolation 2, 3,(1) 2(D) SR 3.3.1.4.3 EA initiation. SR 3.3.1.4.4 1 14.b SD Cooling Isolation Device 2, 3, (i) 1 per SR 3.3.1.4.2 EA I 1 Actuation. SR 3.3.1.4.3 actuatfCI device SR 3.3.1.4.4 I l 14.c SD Cooling Manual Isolation 2, 3, (1) 2(d) Sg 3,3,3,4,3 gg Initiation. SR 3.3.1.4.4 SR 3.3.1.4.7 (a) These are SEkSOR CHANNEL Functions. (b) These are LOGIC CHANNEL Functions. , (c) These are OUTPUT CHANNEL Functions. l (d) These are manual initiation channel Functions. t (e) With reactor pressure greater than 150 Psig (f) With reactor pressure greater than SD Psig (g) When associated subsystems are required to be operable. (h) When associated Diesel-Generator is required to be OPERABLE per LCO 3.8.2 "AC Sources - Shutdown" (i) Dueing CORE ALTERATIONS and operations with the potential for draining the reactor vessel. (j) During movement of irradiated fuel assert > lies in the secondary containment. b l l I 6 ABWR TS 3.3-38 P&R 08/30/93
SRNM Instrumentation 3.3.2.1 3.3 INSTRUMENTATION l 3.3.2.1 Source Range Monitor (SRNM) Instrumentation l LCO 3.3.2.1 The SRNM instrumentation for each Function in < Table 3.3.2.1-1 shall be OPERABLE. t APPLICABILITY: According to Table 3.3.2.1-1. ; NOTE Separate Condition entry is allowed for each channel. t ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME r A. One required channel NOTE inoperable in one or LC0 3.04 is not applicable more bypass groups. Place inoperable channel in I hour bypass B. Required Action and B.1 Be in MODE 3. 12 hours associated Completion , Time of Condition A ! not met. OR < Four or more required i channels inoperable. C. One or more required C.1 Fully insert all I hour SRNMs inoperable in insertable control rods. MODE 3 or 4. ! AND l C.2 Place reactor mode 1 hour switch in the shutdown : position. I (continued) ABWR TS 3.3-39 P&R 08/30/93
i SRNM Instrumentation 3.3.2.1 ACTIONS (Continued) , CONDITION REQUIRED ACTION COMPLETION TIME i D. One required SRNM D.1 Suspend CORE ALTERATIONS Immediately inoperable in MODE 5. except for control red ; insertion. ; AND D.2 Initiate action to Immediately insert all insertable control rods in core cells containing one or more fuel assemblies. AND D.3 Initiate action to 7 days restore required SRNM to OPERABLE status. E. Two required SRNMs E.1 Initiate action to Immediately inoperable in MODE 5. restore one required 3 SRNM to OPERABLE status. l ! ABWR TS 3.3-40 P&R 08/30/93 1 l _ _ _ ., _ _ .- _ - . . _ _
I SRNM Instrumentation j 3.3.2.1 l l SURVEILLANCE REQUIREMENTS NOTE Refer to Table 3.3.2.1-1 to determine which SRs apply for each applicable MOD or other specified conditions. SURVEILLANCE FREQUENCY SR 3.3.1.3.1 Perform CHANNEL CHECK. 12 hours SR 3.3.2.1.2 NOTE ,
- 1. Only required to be met during CORE ALTERATIONS. ,
- 2. Only part a. is required under the
- conditions specified in footnote (a) t of Table 3.3.2.1-1.
- 3. One SRNM may be used to satisfy more than one of the following.
Verify an OPERABLE SRNM detector is 12 hours located in: AND
- a. The fueled region; Following a change
- b. The core quadrant where CORE in the core ALTERATIONS are being performed when quadrant where the associated SRNM is included in CORE ALTERATIONS j the fueled region; and are being performed. '
- c. A core quadrant adjacent to where CORE ALTERATIONS are being performed, when the associated SRNM is included in the fueled region. ?
l (continued) ABWR TS 3.3-41 P&R 08/30/93 i
SRNM Instrumentation 3.3.2.1 SURVEILLANCE REQUIREMENTS (Continued) SURVEILLANCE FREQUENCY SR 3.3.2.1.3 NOTE Not required to be met with four or less fuel assemblies adjacent to the SRNM and no other fuel assemblies in the associated core quadrant. Verify count rate is 2 3.0 cps 12 hours during CORE ALTERATIONS AND 24 hours 6 SR 3.3.2.1.4 Perform CHANNEL FUNCTIONAL TEST. 7 days SR 3.3.2.1.5 Perform CHANNEL FUNCTIONAL TEST. 31 days SR 3.3.2.1.6 NOTE - Neutron detectors are excluded. Perform CHANNEL CALIBRATION. 18 months l l I j ABWR TS 3.3-42 P&R 08/30/93
SRNM Instrumentation 3.3.2.1 Table 3.3.2.1-1 (page 1 of 1) Startup Range heutron Monitor Instrumentation APPLICABLE MODES OR OTHER REQUIRED SURVEILLANCE Fl%CTION SPECIFIED CONDIfloNS CHANNELS REQUIREMENTS
- 1. Startup Range heutron Monitor 2 Croup # 1 - 3 SR 3.3.2.1.1 Croup # 2 - 2 SR 3.3.2.1.3 Croup # 3 - 2 SR 3.3.2.1.5 SR 3.3.2.1.6 ,
3,4 2 SR 3.3.2.1.1 ' SR 3.3.2.1.3 SR 3.3.2.1.5 SR 3.3.2.1.6 5 2(a),(b) SR 3.3.2.1.1 SR 3.3.2.1.2 SR 3.3.2.1.3 SR 3.3.2.1.4 SR 3.3.2.1.6 (a) Only one SRNM channet is required to be OPERABLE during spiral offtood or reload when the fueled region includes only that SRNM detector. (b) Special movable detectors may be used in place of SRNMs if connected to normal SENM circuits. i I 1 ll i ABWR TS 3.3-43 P&R 08/30/93
Essential Multiplexing System (EMS) 1 3.3.3.1 3.3 INSTRUMENTATION 3.3.3.1 Essential Multiplexing System (EMS) LC0 3.3.3.1 Four divisions of EMS data transmission shall be OPERABLE. l APPLICABILITY: MODES 1, 2, 3, 4, and 5. NOTE t Separate Condition entry is allowed for each division. ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One or more data NOTE transmission segments LC0 3.0.4 is not applicable. inoperable in one EMS division with data A.1 Restore all data Prior to transmission transmission segments entering MODE 2 L maintained. to OPERABLE status. following next Mode 4 entry. l B. One or more data B.1 Restore inoperable data [30] days ! transmission segments transmission segments inoperable in two or in at least three EMS more EMS divisions divisions to operable with data transmission status, maintained in all divisions. C. Required Actions and C.1 Verify data 1 hour associated Completion transmission Times of Condition B capability. AND not met. AND once per 24 hours thereafter. , 0.2 Initiate action in Immediately accordance with specification 5.9.2.e. (continued) ABWR TS 3.3-44 P&R 08/30/93 ! l
l Essential Multiplexing System (EMS) l ( 3.3.3.1 l i i ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME j D. One or more EMS D.I NOTE divisions inoperable. LC0 3.0.4 is not applicable. Declare affected 4 hours Functions and supported Features inoperable. I I l l l ABWR TS 3.3-45 P&R 08/30/93
l 1 Essential Multiplexing System (EMS) , 3.3.3.1 l l SURVEILLANCE REQUIREMENTS l SURVEILLANCE FREQUENCY SR 3.3.3.1.1 Verify the required data transmission path [92] days segments are OPERABLE. SR 3.3.3.1.2 Perform a comprehensive network [18] months performance test. i I i ABWR TS 3.3-46 P&R 08/30/93
ATUS & E0C-RPT Instrumentation 3.3.4.1 l 3.3 INSTRUMENTATION l 3.3.4.1 Anticipated Transient Without Scram (ATWS) and End-of-Cycle Recirculation Pump Trip (EOC-RPT) Instrumentation LCO 3.3.4.1 The channels for each Function listed in Table 3.3.4.1-1 shall be OPERABLE. APPLICABILITY: According to Table 3.3.4.1-1. I NOTE Separate Condition entry is allowed for each channel. ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One or more Functions NOTE with one inoperable Applies only to Functions 1, channel. 3, 5, 11, and 13 in Table 3.3.4.1-1. A.1 Place inoperable 6 hours channel (s) in trip. 0_3 A.2.1 Place inoperable 6 hours channel (s) in bypass. ! AND A.2.2.1 Restore inoperable 14 days channel (s) to l OPERABLE status. OR
~~
i A.2.2.2 Place inoperable 14 days j channel (s) in trip. (continued) i ABWR TS 3.3-47 P&R 08/30/93 ! i
, .I
ATWS & E0C-RPT Instrumentation 3.3.4.1 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME B. One or more Functions NOTE with two or more Applies only to Functions 1, channels inoperable. 3, 5, II, and 13 in Table 3.3.4.1-1. B.1 Restore two channels 72 hours to OPERABLE status. C. One or more Functions NOTE with one channel Applies only to Functions 2, inoperable. 4, and 9 in Table 3.3.4.1-1. C.1 Place inoperable 6 hours channel (s) in trip. 08 C.2.1 Place inoperable 6 hours channel (s) in bypass. AND C.2.2.1 Restore inoperable 30 days channel (s) to OPERABLE status. 08 C.2.2.2 Place inoperable 30 days channel (s) in trip. D. One or more Functions NOTE with two channels Applies only to Functions 2, inoperable. 4, and 9 in Table 3.3.4.1-1. D.1 Restore one inoperable 72 hours channel to OPERABLE status. (continued) ABWR TS 3.3-48 P&R 08/30/93
i l I ATUS & E0C-RPT Instrumeatotion 3.3.4.1 ACTIONS (continued) , CONDITION REQUIRED ACTION COMPLETION TIME : E. One or more functions NOTE with three or more Applies only to Functions 2, l channels inoperable. 4, and 9 in Table 3.3.4.1-1. , i E.1 Restore at least one [24] hours l inoperable channel to j OPERABLE status. l f F. Required Action and NOTE l associated Completion Applies only to Function 4 Time of Condition C, in Table 3.3 4.1-1. D, or E not met. ! i l F.1 Apply the MCPR limit [2] hours ; for inoperable E0C-RPT i as specified in the ; COLR. l G. One or more Functions NOTE : with one or more Applies only to functions 6, l' channels inoperable. 7, 8,10,12,14, and 15 in Table 3.3.4.1-1. ; G.1 Restore channels to [24] hours OPERABLE status. . l r l l (continued) ABWR TS 3.3-49 P&R 08/30/93 h h I
ATBS & EOC-RPT Instrumentation 3.3.4.1 ACTIONS (continued) j CONDITION REQUIRED ACTION COMPLETION TIME l i H. Required Action and H.1 NOTE ; associated Completion Applies only to Time not met. Functions 6, 7, 8, 10, 12, 14, and 15 in Table 3.3.4.1-1. Declare affected Immediately Functions and supported features , inoperable. Q3 l l H.2 NOTE i Applias only to l' l Function 1, 2, 3, 4, 5, 9, 11, and 13 in ; l Table 3.3.4.1-1. l l l Be in MODE 2. 6 hours E3 H.3 NOTE , Applies only to l Function 4 in Table ! 3.3.4.1-1. i.
. i-Reduce power to s 40% 6 hours RTP.
i l h ABWR TS 3.3-50 P&R 08/30/93 l Y I
l ATBS & E0C-RPT Instrumentation 3.3.4.1 - l SURVEILLANCE REQUIREMENTS f NOTE , Refer to Table 3.3.4.1-1 to determine the applicability of the SRs to each RPT function. : SURVEILLANCE FREQUENCY i SR 3.3.4.1.1 Perform SENSOR CHANNEL CHECK. 12 hours f SR 3.3.4.1.2 Perform CHANNEL FUNCTIONAL TEST. [92] days 1 SR 3.3.4.1.3 Perform SENSOR CHANNEL CALIBRATION. [18] months i SR 3.3.4.1.4 Perform LOGIC SYSTEM FUNCTIONAL TEST. [18] months ! i I l I SR 3.3.4.1.5 Verify the RPT SYSTEM RESPONSE TIME is [18] months within limits. SR 3.3.4.1.6 Perform COMPREHENSIVE FUNCTIONAL TEST. [18] months ! SR 3.3.4.1.7 Perform CHANNEL FUNCTIONAL TEST 7 days i I l ! i 1 ABWR TS 3.3-51 P&R 08/30/93
r ATUS & EOC-RPT lastrumentation 3.3.4.1 Table 3.3.4.1-1 (page 1 of 1) ATWS and E0C RPT Instrumentation APPLICABLE MDOES AND OTHER REQUIRED SPECIFIED SURVEILLANCE ALLOWABLE FuhCTION ChANAELS CONDITIONS REQUIREgrNTS
- VALUES
- 1. Feedwater Reactor Water Level-Low, Level 3 1 SR 3.3.4.1.1 5 t3 cm
- 3. SR 3.3.4.1.2 SR 3.3.4.1.3 SR 3.3.4.1.4 SR 3.3.4.1.5
- 2. Reactor Water Level-Low, Level 2. 4 1 SR 3.3. 1.1 5 t I cm SR 3.3.4.1.2 SR 3.3.4.1.3 SR 3.3.4.1.4 SR 3.3.4.1.5 SR 3.3.4.1.6
- 3. SS&PC Reactor Dome Pressure-High. 3 1 SR 3.3.4.1.1 5 [ ] psig SR 3.3.4.1.2 SR 3.3.4.1.3 SR 3.3.4.1.4 SR 3.3.4.1.5 4 EOC-RPT Initiation 4 t40% RTP. SR 3.3.4.2.2 NA SR 3.3.4.1.5 SR 3.3.4.1.6
- 5. RPT Trip Initiation Funetton cf the RFC. 3 1 SR 3.3.4.1.2 EA SR 3.3.4.1.4
- 6. ASD Pw p Trip Actuation. 1 per ASD 1 SR 3.3.4.1.4 hA 7 ASD Pmp Trip Timers. 1 per ASD 1 SR 3.3.4.1.3 footnote (*)
SR 3.3.4.1.4
- 8. ASD Pmp Trip Load Interrupters 1 per ASD 1 SR 3.3.4.1.3 kA SR 3.3.4.1.4
- 9. RPS Scram follow Signal. 4 1 SR 3.3.4.1.2 5( ) em SR 3.3.4.1.4 SR 3.3.4.1.6 i 10. Manual ATWS-ARI Initiation. 2 1 SR 3.3.4.1.4 NA l SR 3.3.4.1.7
- 11. ATW$-ARI Trip Initiation function of the 3 1 SR 3.3.4.1.4 hA RFC.
- 12. ATWS-FMCRD Initiation Function of the 2 1 SR 3.3.4.1.4 EA RCIS.
- 13. ATVS-ARI valve Actuation. 3 1 SR 3.3.4.1.4 EA 14 FMCRD Emergency Insertion Inverter Controt 1 per rod 1 SR 3.3.4.1.4 EA
} Logic ? I 15. Recirculation Runback 1 per punp 1 SR 3.3.4.1.4 WA (a) 5 [ ] secords f or RIPS [A, D, F, J, B, E, & H] and 5 [ ] seconom for RIPS (C, G, & K). ABWR TS 3.3-52 P&R 08/30/93
Feedwater and Maia Turbine Trip Instrumentation 3.3.4.2 3.3 INSTRUMENTATION 3.3.4.2 Feedwater and Main Turbine Trip Instrumentation , I l l LCO 3.3.4.2 Three channels of feedwater and main turbine trip i instrumentation shall be OPERABLE. j APPLICABILITY: THERMAL POWER 2 25% RTP. l : NOTE i Separate Condition entry is allowed for each channel. l j ACTIONS ! j CONDITION REQUIRED ACTION COMPLETION TIME l i 1 A. One feedwater and main A.1 Place channel in 6 hours i turbine trip channel trip. ! inoperable. ! E l A.2.1 Place channel in 6 hours l bypass. i E ! A.2.2.1 Restore channel to 14 days OPERABLE status. l M l l A.2.2.2 Place channel in 14 days j trip. j B. Two or more feedwater B.1 Restore two channels 72 hours I and main turbine trip to OPERABLE status. channels inoperable. C. Re' quired Action and C.1 Reduce THERMAL POWER 4 hours associated Completion to < 25% RTP. Time not met. ABWR TS 3.3-53 P&R 08/30/93 i I
Feedwater and Main Turbine Trip Instrumentation 3.3.4.2 l SURVEILLANCE REQUIREMENTS , I l SURVEILLANCE FREQUENCY SR 3.3.4.2.1 Perform SENSOR CHANNEL CHECK. 24 hours I SR 3.3.4.2.2 Perform CHANNEL FUNCTIONAL TEST. [92] days SR 3.3.4.2.3 Perform SENSOR CHANNEL CALIBRATION. The [18] months Allowable Value shall be s [ ] inches. l l i SR 3.3.4.2.4 Perform I.0GIC SYSTEM FUNCTIONAL TEST [18] months ; l includirg [ valve] actuation. ' l 1 l 1 ABWR TS 3.3-54 P&R 08/30/93
l Control Rod Block Instrumentation 3.3.5.1 3.3 INSTRUMENTATION j 3.3.5.1 Control Rod Block Instrumentation LCO 3.3.5.1 The control rod block instrumentation for each Function in Table 3.3.5.1-1 shall be OPERABLE. APPLICABILITY: According to Table 3.3.5.1-1. l ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One Automated Thermal A.1 Restore channel to [72] hours , limit Monitor (ATLM) OPERABLE status channel inoperable. 02 A.2 Verify the thermal 4 hours limits are met. AND once per 4 hours thereafter B. Two ATLM channels NOTE inoperable Removal of ATLM block under administrative control is permitted provided manual control of rod movement and thermal limits are verified by a second licensed operator. B.1 Insert an ATLM block. Immediately AND B.2 Verify RCIS blocks 4 hours control rod movement by AND attempting to withdraw once per 4 hours or insert one rod. thereafter C. One Rod Worth C.1 Restore channel to [72] Hours Minimizer (RWM) OPERABLE status. i channel inoperable. ! l (continued) ABWR TS 3.3-55 P&R 08/30/93 l
Control Rod Block Instrumentation 3.3.5.1 ACTIONS (continued) , i CONDITION REQUIRED ACTION COMPLETION TIME D. Two RWM channels D.1 Suspend control rod Immediately inoperable. movement, except by scram. QB Required Actions and associated Completion Time of Condition C not Met. E. One or more Reactor E.1 Suspend control rod Immediately Mode Switch-Shutdown withdrawal. Position channels inoperable. AND E.2 Initiate action to fully Immediately insert all insertable control rods in core cells containing ore or more fuel assemblies.
.=
h ] a ABWR TS 3.3-56 P&R 08/30/93
Control Rod Block Instrumentation ! 3.3.5.1 l l l i l SURVEILLANCE REQUIREMENTS NOTE Refer to Table 3.3.5.1-1 to determine which SRs apply for each Control Rod Block Function. SURVEILLANCE FREQUENCY l SR 3.3.5.1.1 NOTE Not required to be performed until I hour after THERMAL POWER is > [10]% RTP. Perform CHANNEL FUNCTIONAL TEST. [92] days r SR 3.3.5.1.2 NOTE Not required to be performed until I hour after any control rod is withdrawn in l MODE 2. i Perform CHANNEL FUNCTIONAL TEST. [92] days l SR 3.3.5.1.3 Verify the RWM is not bypassed when [24] months THERMAL POWER is s [10]% RTP. ; 4-SR 3.3.5.1.4 Verify the ATLM is not bypassed when THERMAL POWER is s [10]% RTP. SR 3.3.5.1.5 NOTE Not required to be performed until I hour after reactor mode switch is in the shutdown position. Perform CHANNEL FUNCTIONAL TEST. [24] months I ( Continued ) I l ABWR TS 3.3-57 P&R 08/30/93 I i
I Control Rod Block Instrumentation i 3.3.5.1 ! i SURVEILLANCE REQUIREMENTS (continued) SURVEILLANCE FREQUENCY SR 3.3.5.1.6 Perform CHANNEL CHECK of process [24] hours parameter and setpoint inputs to the ATLM. i l i o ABWR TS 3.3-58 P&R 08/30/93
Control Rod Block Instrumentation ! 3.3.5.1 t i l Tabte 3.3.5.1-1 (page 1 of 1) Control Rod Block Instrunentation l ! APPLICABLE MODES OR OTHER SPECIFIED REQUIRED St.3VEILLAkCE FUhCTION CONDITIONS CHANNELS REQUIREMENTS
- 1. Rod Control & Information System
- a. Automated Thermal Limit Monitor I(a)3 2 SR 3.3.5.1.1 SR 3.3.5.1.4.
SR 3.3.5.1.6 ,
- b. Rod Worth Minimizer 1(b) 2(b)
, 2 SR 3.3.5.1.2 SR 3.3.5.1.3 i
- 2. Reactor Mode 5 witch - Shutdown Position (c) 4 SR 3.3.5.1.5 1
i t (a) THERMAL POWER > [10]% RTP. I l (b) With THERMAL POWER 5 (10]% RTP. (c) Reactor mode switch in the shutdown position. l I i l l l l ABWR TS 3.3-59 P&R 08/30/93
i PAM Instrumentation 3.3.6.1 3.3 INSTRUMENTATION i 3.3.6.1 Post Accident Monitoring (PAM) Instrumentation LC0 3.3.6.1 The PAM instrumentation for each Function in Table 3.3.6.1-1 shall be OPERABLE. APPLICABILITY: MODES I and 2. . NOTE I
- 1. LCO 3.0.4 is not applicable.
- 2. Separate Condition entry is allowed for each Function.
ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One or more Functions A.1 Restore required channel 30 days - with one required to OPERABLE status. channel inoperable. l t B. Required Action and B.1 Initiate action in Immediately associated Completion accordance with Time of Condition A Specification 5.9.2.c. not met. l l C. One or more Functions NOTE with two required This Action is not channels inoperable. applicable to Functions 11 and 12. 7 C.1 Restore at least one 7 days inoperable channel to OPERABLE status. D. Two required D.1 Restore one required 72 hours hydrogen / oxygen hydrogen / oxygen monitor , monitor channels channel to OPERABLE ; inoperable. status. l l l l (Continued) ! ABWR TS 3.3-60 P&R 08/30/93 i
l PAM Instrumentation ' 3.3.6.1 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME E. Required Action and E.1 Enter the Condition Immediately associated Complet ion referenced in Time of Conditisi C or Table 3.3.6.1-1 for the , D not met. channel. F. As required b- F.1 Be in MODE 3. 12 hours Required Acti)n E.1 and referenced in Table 3.3.6.1-1. G. As required by G.1 Initiate action in Immediately Required Action E.1 accordance with and referenced in Specification 5.9.2.c. Table 3.3.6.1-1. l l l I l l (Continued) ABWR TS 3.3-61 P&R 08/30/93
i PAM Instrumentation l 3.3.6.1 } SURVEILLANCE REQUIREMENTS NOTE - These SRs apply to each Function in Table 3.3.6.1-1. SURVEILLANCE FREQUENCY SR 3.3.6.1.1 t'erform CHANNEL CHECK. 31 days i NOTE Neutron detectors are excluded. i SR 3.3.6.1.2 Perform CHANNEL CALIBRATION. 18 months i i l (Continued) ABWR TS 3.3-62 P&R 08/30/93 1
i t i PAM Instrumentation l 3.3.6.1 i l Table 3.3.6.1-1 (page 1 of 1) . Post Accident Monitoring Instrtsnentation { i t CONDITIONS l REFERENCED j FROM , REQUIRED REQUIRED FUNCTION CHANNELS ACTION I.1
- 1. Reactor Steam Dome Pressure. 2 F
- 2. Reactor Vessel Water Levet-wide Range. 2 F
- 3. Reactor Vessel Water Level-Fuel Zone. 2 F
- 4. Suppression Pool Water Levet. 2 F l
- 5. Containment Pressure.
Sa. Drywelt Pressure. 2 F Sb. Wide Range containment Pressure. 2 F ?
- 6. Drywell Area Radiation. 2 G f'
- 7. Wetwell Area Radiation. 2 G
- 8. PCIV Position. 2 per penetration (*I+(D) F f
- 9. Startup Range Neutron Monitor-Weutron Flux. 2(CI F 5
- 10. Average Power Range Monitor-Weutron Flux. 2(d) F i
- 11. Containment Atmospheric Monitors *Drywell H &O 2 I i 2 2 Analyzer. .
r
- 12. Containment Atmospheric Monitors Wetwell H E0 2 F [
2 2 Analy2er. , s
- 13. Containment Water Level. 2 F !
14 Suppression Pool Water Tenperature. 2(') F
- 15. Drywell Atmosphere Tenperature. 2 F- j
- 16. Main Steam Line Radiation. 2 F f l
1 (a) Only one channel is required for penetration flow paths that have only one PCIV with position indication in the control room. E (b) Not required for isolation valves whose associated penetration flow path is isolated by at least one closed and de-activated automatic valve, closed manual valve, blind flange, or check valve with flow I through the valve secured. (c) When power is s (10]% RTP (d) When power is > (10]% RTP (e) Bulk average tenperature. ABWR TS 3.3-63 P&R 08/30/93 1 I i
,. . . . . _ . . , _ _ . . . _ _ . . . _ _ . ~ _ .,. , , , , , , _ . . _ , . _ , _.__-._.,._.,.I
l I Remote Shutdown System 3.3.6.2 l 3.3 INSTRUMENTATION f 3.3.6.2 Remote Shutdown System LCO 3.3.6.2 The Remote Shutdown System instrumentation for each Function listed in Table 3.3.6.2-1 shall be OPERABLE. APPLICABILITY: MODES 1 and 2. NOTE
- 1. LCO 3.0.4 is not applicable.
- 2. Separate Condition entry is allowed for each Function.
ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME j , 1 A. One division with one A.1 Restore required 90 days or more required division to OPERABLE ! Functions inoperable. status. B. Two divisions with one B.1 Restore required 30 days l or more required Functions to OPERABLE Functions inoperable. status. C. Required Action and C.1 Be in MODE 3. 12 hours associated Completion Time not met. l l l ABWR TS 3.3-64 P&R 08/30/93
l Remote Shutdown System ' 3.3.6.2 SURVEILLANCE REQUIREMENTS l SURVEILLANCE FREQUENCY SR 3.3.6.2.1 Perform CHANNEL CHECK for each required 31 days l instrumentation channel. i l SR 3.3.6.2.2 Verify each required control circuit and 18 months transfer switch is capable of performing : the intended functions. l SR 3.3.6.2.3 Perform CHANNEL CALIBRATION for each 18 months required instrumentation channel. b 6 s i ABWR TS 3.3-65 P&R 08/30/93 i i l 1 l i i
Remote Shutdown System 3.3.6.2 Table 3.3.6.2-1 (page 1 of 2) Remote Shutdown System Instrumentation REQUIRED NUMBER l FUNCTION (INSTRUMENT OR CONTROL PARAMETER) 0F DIVISIONS l
\
- 1. Reactor Pressure. 2
- 2. HPCF B Flow. 1 l
- 3. HPCF B Controls. 1 !
- 4. HPCF B Pump Discharge Pressure. I f
- 5. RHR Flow. 2(a)
- 6. RHR Hx Inlet Temperature. 2(a)
- 7. RHR Hx Outlet Temperature. 2(a)
- 8. RHR Hx Bypass Valve Position. 2(a)
- 9. RHR Hx Outlet Valve Position. 2(a)
- 10. RHR Pump Discharge Pressure. 2(a)
- 11. RHR Controls. 2(a)
- 12. RPV Wide Range Water Level. 2
- 13. RPV Narrow Range Water Level. 2
- 14. Reactor Building Cooling Water Flow. 2
- 15. Reactor Building Cooling Water Controls. 2 .
l l 16. Reactor Service Water System Controls. 2 ;
- 17. Flammability Control System Controls 1 l
- 18. Suppression Pool Level. 2
- 19. Condensate Storage Pool Level. 1
( Continued ) ABWR TS 3.3-66 P&R 08/30/93 l !
i l ! Remote Shutdown System l 3.3.6.2 l l Table 3.3.6.2-1 (page 2 of 2) l Remote Shutdown System Instrumentation.
=
REQUIRED NUMBER FUNCTION (IN57RUMENT OR CONTROL PARAMETER) 0F DIVISIONS
- 20. Suppression Pool Temperature. 2
- 21. Electric Power Distribution Controls. 2
- 22. Diesel Generator System Monitors. 2
- 23. SRV Controls. (b)
(a) RHR A for division I RSS panel, RHR B for division 11 RSS panel. (b) Three on the Division I RSS, 1 on division II RSS. i s 4 l ABWR TS 3.3-67 P&R 08/30/93
. .. ~ _ .
I CRHA HVAC EF System Instrumentation 3.3.7,1 3.3 INSTRUMENTATION { i 3.3.7.1 Control Room Habitability Area (CRHA) HVAC Emergency Filtration (EF) system Instrumentation ., LC0 3.3.7.1 The CRHA EF System instrumentation for each Function in ! Table 3.3.7.1-1 shall be OPERABLE. ' APPLICABILITY: a. MODES 1, 2, and 3. ; I
- b. During movement of irradiated final assemblies in the '
secondary containment.
- c. During CORE ALTERATIONS. j i
- d. During operations with a potential for draining the [
reactor vessel. l NOTE , j Separate Condition entry is allowed for each channel. !
)
ACTIONS { ! CONDITION REQUIRED ACTION COMPLETION TIME
- A. One or more EF units A.1 Place channel in trip. 6 h'ours l with one control room ventilation QB !
radiation monitor ! channel system A.2 Place channel in bypass 6 hours ! inoperable. l l r B. One or more EF units B.1 Place one channel in 6 hours with two control trip and the other in i room ventilation bypass. i radiation channels ; inoperable. mfd l 4 B.2 Restore one channel to Prior to i
~
OPERABLE status. completion of next i CHANNEL FUNCTIONAL TEST ; ( Continued ) f ABWR TS 3.3-68 P&R 08/30/93 f l l _ __ _ _ .__ . . _ _ _ __ _J
CRHA HVAC EF System Instrumentation 3.3.7.1 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME C. Required Action and C.1 Place the one I hour associated associated EF unit in Completion Time of the emergency Condition A or B not filtration mode of ' met. operation. 03 0_3 One or more EF units C.2 Declare associated EF with one or more unit inoperable. I hour Manual Switch l channel, Standby ' Switch channel, or low flow actuation channel inoperable. 03 . One or more EF units with 3 or more ' control room radiation mon'.turing channel inoperable. - 1 1 I ABWR TS 3.3-69 par 08/30/93
CRHA HVAC EF System Instrumentation 3.3.7.1 SURVEILLANCE REQUIREMENTS NOTE Refer to Table 3.3.7.1-1 to determine which SRs apply for each Function. SURVEILLANCE FREQUENCY SR 3.3.7.1.1 Perform SENSOR CHANNEL CHECK. [24] hours SR 3.3.7.1.2 Perform CHANNEL FUNCTIONAL TEST. [92] days SR 3.3.7.1.3 Perform SENSOR CHANNEL CALIBRATION. [18] months SR 3.3.7.1.4 Perform LOGIC SYSTEM FUNCTIONAL TEST. [18] months l e { ABWR TS 3.3-70 P&R 08/30/93
CRHA HVAC EF System Instrumentation 3.3.7.1 Table 3.3.7.1-1 (page 1 of 1) Control Room Habitability Area NVAC - Emergency Filtration System Instrtsnentation l SURVEILLANCE ALLOWABLE FUNCTION REQUIRED CHAhhELS REculREMENTS VALUE l
- 1. Control Room 4 SR 3.3.7.1.1 1 I ) mR/hr Ventilation Fer EF Unit SR 3.3.7.1.2 Radiation Monitors SR 3.3.7.1.3 SR 3.3.7.1.4
- 2. Emergency Filtration 2 per EF unit SR 3.3.7.1.2 s I 1 kg/hr System Low Flow SR 3.3.7.1.3 SR 3.3.7.1.4
- 3. Emergency Filtration 1 per IF Unit SR 3.3.7.1.2 N/A System Manual Switch SR 3.3. 7.1. 4
- 4. Emergency Filtration 1 per EF Uni: SR 3.3.7.1.2 k/A System Standby SR 3.3.7.1.4 Snitch (a) During operations with a potential for draining the reactor vessel.
(b) During novement of irradiated fuel assent > lies in the primary or secondary containment. l 1 l ABWR TS 3.3-71 P&R 08/30/93 l l l
Electric Power Monitoring 3.3.8.1 l 3.3 INSTRUMENTATION f 3.3.8.1 Electric Power Monitoring ; LC0 3.3.8.1 Two electric power monitoring assemblies shall be OPERABLE for each inservice constant voltage constant frequency (CVCF) power supply. APPLICABILITY: MODES 1, 2, and 3. I MODES 4 and 5 with any control rod withdrawn from a core i cell containing one or more fuel assemblies. NOTE Separate condition entry is allowed for each CVFC power supply. ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME i A. One or more inservice A.1 Place the associated I hour , l CVCF power supplies electric power with one electric monitoring assembly ' power monitoring circuit breaker in assembly inoperable. tripped condition. . i l : B. One or more inservice B.1 Remove associated 72 hours CVCF power supplies inservice power ' i with both electric supply (s) from service. I power monitoring i assemblies i inoperable. l C. Required Action and C.1 Be in MODE 3. 12 hours associated Completion l Time of Condition A AND i or B not met in MODE l 1, 2, or 3. C.2 Be in MODE 4. 36 hours 1 i l ABWR TS 3.3-72 P&R 08/30/93
l Electric Power Monitoring j 3.3.8.1 i ! l SURVEILLANCE REQUIREMENTS f SURVEILLANCE FREQUENCY SR 3.3.8.1.1 Perfon:, CHANNEL CHECK. 7 days l SR 3.3.8.1.2 Perform CHANNEL FUNCTIONAL TEST. 92 days
}
SR 3.3.8.1.3 Perform CHANNEL CALIBRATION [18] months i i 1 l > l : r l : i I ABWR TS 3.3-73 P&R 08/30/93
RPV Coolant Temperature Monitoring 3.3.8.2 3.3 INSTRUMENTATION 3.3.8.2 Reactor Coolant Temperature Monitoring-Shutdown i i LC0 3.3.8.2 One Reactor Coolant Temperature Monitoring channel ; associated with each RHR subsystem operating in the Shutdown
- Cooling Mode shall be OPERABLE.
r APPLICABILITY: When RHR.is operating in the Shutdown Cooling Mode. ACTIONS ! t l CONDITION REQUIRED ACTION COMPLETION TIME l i A. One or more reactor A.1 Verify at least one Immediately. l coolant temperature RHR subsystem is j monitoring channels operating in the ! ! inoperable. Shutdown Cooling i Mode. i l l AND l
- A.2 Verify an alternate 1 hour l
- method of reactor l coolant temperature !LNQ l monitoring is l available. Once per 24 l hours I thereafter. 'l l
B. Required Action and B.1 Initiate action to Immediately. ' l associated Completion restore reactor l Time of Condition A coolant temperature not met, monitoring capability. j ABWR TS 3.3-74 8/23/93
RPV Coolant Temperature Monitoring 3.3.8.2 SURVEILLANCE REQUIREMENTS l SURVEILLANCE FREQUENCY SR 3.3.8.2.1 Perform CHANNEL CHECK. [7] days i I l SR 3.3.8.2.2 Perform CHANNEL FUNCTIONAL TEST. [92] days l SR 3.3.8.2.3 Perform CHANNEL CALIBRATION. [18] months j r f P t l i l i ABWR TS 3.3-75 P&R 08/30/93 l I
1 SSLC Sensor Instrumentation B 3.3.1.1 B 3.3 INSTRUMENTATION B 3.3.1.1 Safety System Logic and Control (SSLC) Sensor Instrumentation BASES BACKGROUND The SSLC initiates protective actions when one or more monitored parameters exceed their specified limit to preserve the integrity of the fuel cladding and the Reactor Coolant System (RCS) and minimize the energy that must be removed from the RCS following accidents or transients. The protection and monitoring functions of the SSLC have been designed to ensure safe operation of the reactor. This is achieved by specifying Limiting Safety System Settings (LSSS) in terms of parameters monitored by the SSLC, as well as Limiting Conditions of Operation (LCOs) on reactor system parameters and equipment performance. For the purpose of this specification the LSSS are defined as the Allowable Values, which, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits, including Safety Limits (SLs), during Design Basis Accidents (DBAs). The SSLC is comprised of four independent logic divisions (Div. I, II, III, IV). Each logic division provides protective action initiation signals for safety system prime movers associated with their division. Each division is a collection of SENSOR CHANNELS which provide data to the LOGIC CHANNEL in the division. The LOGIC CHANNELS provide initiation signals to the OUTPUT CHANNEL in each division. The OUTPUT CHANNELS cause actuation of the equipment that implements a protective actions. The Functions listed in Table 3.3.1.1-1 have a SENSOR CHANNEL in one or more divisions. Each SSLC division has five main domponents:
- Digital Trip Module (DTM). The digital trip module is a microprocessor based device that acquires data for most process parameters to be monitored in its division and generates a protective action actuation signal within its division if the monitored parameter is outside of specified limits. Most of the parameters are transmitted to the DTM via the Essential Multiplexer System (EMS) in its division while some are received from sub-systems or devices associated with the same division as the DTM.
(continued) ABWR TS B 3.3-1 P&R 08/30/93
i SSLC Sensor Instrumentation B 3.3.1.1 . BASES i BACKGROUND There are two DTMs in each division. One DTM serves the l ( Continued ) Reactor Protection System and MSIV closure functions while the other serves the ESF and non-MSIV isolation functions. For the discussions in this LC0 the DTMs that implement the RPS and MSIV closure functions are referred to as the "RPS DTMs" and the ones that implement the ESF : and non-MSIV closure functions are referred to as the r
"ESF DTMs".
- Trip togic Unit (TLU). The TLU is a microprocessor based device that uses the parameter trip information from the ,
RPS DTMs in all four divisions to determine if a i protective action is required. There is a TLU in each t division. The combinatorial logic used to create protective system actuation commands is performed in the < TLU. Some data used for initiating pro'ective actions are connected directly to the TLUs.
- Safety Logic Unit (SLU). The SLU is a microprocessor based device that uses the parameter trip information ,
from the ESF DTMs in all four divisions to determine if a protective action is required. The potential for spurious i actuation due to failure of an SLU is greatly reduced by , I employing two SLUs in parallel with a two-out-of-two output confirmation required before component or systein I actuation is permitted. The combinatorial logic used to create protective system actuation commands is performed : in the SLU. Some data used for initiating protective actions are ct,nnected directly to the Slus. There are dual redundant SLUs in three divisions. (DIV I, II, & l III). ;
- Out)ut Logic Unit (0LU). The OLUs receive protective action actuation commands from the TLUs in the same division. The OLU contains hardware logic to provide -
trip, seal-in, reset, and manual test functions for the RPS and MSIV closure functions.
- Bypass Unit (BPU). The BPU provides the bypass and bypass interlock functions. There is a BPU in each division that provides bypass signals to the TLU, SLU and OLU in its division. The bypass unit contains logic to enforce restrictions on bypassing multiple divisions of related functions.
(continued) ABWR TS B 3.3-2 P&R08/30/93 l . . ._ _ . -.
SSLC Sensor Instrumentation B 3.3.1.1 BASES BACKGROUND Most of the parameters are analog signals that are digitized ( Continued ) by the EMS. Each division has one EMS that transmits data to ! the DTMs in the same division. The DTM processing logic , compares this data against numeric trip setpoints to l determine if a protective action is required. Typically, a process sensor in each of the four divisions provides a signal to the EMS and DTMs in its division. Exceptions are:
- Some parameters are received by the DTM as discrete (i.e.
2 state) actuation data signals directly from other systems or devices (e.g. MSIV closure signals, PRRM ! system). l l - Some parameters are received by the DTM as analog signals . I directly from process sensors (e.g. Turbine 1st stage 1 pressure).
- Some parameters are received directly by the SLU or TLU ;
as discrete (i.e. 2 state) actuation data signals ! directly from other systems (e.g. HMS signals, ECCS manual initiation signals). . l
- Some parameters are received by the SLU as analog signals !
directly from process sensors (e.g. RHR pump discharge 1 pressure). i
- Parameters that are used for control of equipment associated with a specific division may use one or two sensors (e.g. ECCS pump pressure interlocks, manual initiation of an ECCS pump).
- Some parameters may use multiple sensors within a division to provide additional redundancy or where a l
distributed parameter is monitored (e.g. Level 1, l Suppression pool temperature). l The SSLC hardware and logic is arranged so the system uses I two-out-of four coincident initiation logic (i.e. 2 signals for the same parameter must exceed the setpoint before a protective action initiation command is issued). The interdivisional initiation data used in the SLU/TLU logic is transmitted between divisions by isolated fiber optic links. (continued) ABWR TS B 3.3-3 P&R 08/30/93
SSLC Sensor Instrumentation ; B 3.3.1.1 i BASES f i BACKGROUND There are two basic segments that are used to initiate ( Continued ) protective actions. The SENSOR CHANNEL segment consists of the instrumentation portion which encompasses the sensors, i sensor data conversion, sensor data transmission path (i.e. EMS), the functions responsible for acquiring data from the ; EMS, and the setpoint comparison functions. Capability is provided to manually trip individual SENSOR CHANNELS. l Interlocks are provided to prevent placing more than one : l SENSOR CHANNEL for a given Function in trip at the same time. t The LOGIC CHANNEL segment consists of the functions ; responsible for implementing the initiation logic, generating initiation signals when needed, and various ! support functions. The LOGIC CHANNELS in each division send data to the OUTPUT CHANNELS. ! l The SENSOR CHANNELS and LOGIC CHANNELS are replicated in , four independent and separated divisions of equipment. The sensors and EMS are not considered to be part of the SSLC. ; However, the sensors and the analog to digital conversion ; portion of the EMS are addressed by this LCO since these devices can effect the results of surveillances required by this LCO. 1 Various bypasses are provided to permit on-line maintenance and calibration. The " division of sensors bypass" disables ; the DTM inputs to the associated SLU and TLU in one i division. The direct trip inputs to the SLU and TLU are not bypassed. Interlocks are provided so only one division of sensors at a time can be placed in bypass. When a division of sensors is bypassed the sensor trip logic in all SLUs and
- TLUs become 2 out of 3 and all of them are capable of i providing signals to equipment used to provide protective l action. Other bypasses are used to manually or automatically disable selected functions when they are not required.
l The RPS/MSIV OUTPUT CHANNEL may be bypassed with the division out of service bypass which disables the trip input to the OLU in one logic division. Interlocks are provided so only one division at a time can be placed in division out of service bypass. When a logic division is bypassed the final actuation logic becomes 2/3 for the scram and MSIV closure actions. The sensor trip logic within the unbypassed logic divisions remains as 2/4. (continued) { ABWR TS B 3.3-4 P&R 08/30/93
i SSLC Sensor Instrumentation B 3.3.1.1 BASES BACKGROUND The Main Steamline Isolation special bypass is similar to
; Continued ) the division of sensors bypass except it affects only the MSIV closure scram. This bypass is provided to permit operation with one steam line isolated.
If one of the redundant SLUs in a division is inoperable it can be bypassed which changes the actuation logic to one-of-one in the associated division. The NMS contains a bypass which causes one of the NMS APRM divisions to be bypassed in the NMS logic. The trip logic in all four NMS APRM divisions then becomes 2/3 and all divisions will send a trip signal to all four SSLC divisions when appropriate. This bypass is therefore transparent to the SSLC. Interlocks are provided so only one NMS division can be placed in bypass. Since the logic is 2/3 even with any one division of sensors in bypass and any one division out of service bypass, the SSLC still meets the single failure criteria for failure to trip and spurious trip prevention under this condition. Similarly, the NMS contains a bypass for SRNM channels. Refer to the bases of LCO 3.3.2.1 for details of the bypass implementation. Each processing division has test and trip switches located in the divisional control room panels. These test switches are used for testing the SSLC and can also provide manual protective action initiation. The SSLC includes a variety of self-test and monitoring features. The self test in each microprocessor based device checks the health of the micro-processor, RAM, ROM, communications, and software. Any detected failure that I could degrade protective action initiation activates an annunciator and provides fault indication to the board level. Transient failures (e.g data transmission bit error) are logged to provide maintenance information. Monitoring of the power supplies, card out of file interlocks, and memory batteries (if used) causes an IN0P/ TRIP in addition to activating an annunciator. If the self test detects a failure in one of the redundant SLUs within a division, the f ailed SLU is automatically bypassed (initiation logic becomes one-of-one) and an alarm is generated. (continued) ABWR TS B 3.3-5 P&R 08/30/93
! l SSLC Sensor Instrumentation B 3.3.1.1 l l I BASES i BACKGROUND Signal validity tests are performed on the data received ( Continued ) from the EMS. If a permanent error is detected on a ; particular parameter the logic state for that parameter will j default to a tripped state for the signal and an annunciator ! or alarm will be activated. Soft (i.e., transient) errors ! will be logged to provide maintenance information. l t Once a protective action is initiated, it seals in and must i be manually reset. The manual resets are inoperative if the j SSLC initiation signals are still present. ! Reactor Protection System (RPS) The RPS portion of the SSLC initiates a reactor scram when , one or more monitored parameters exceed their specified i limit to preserve the integrity of the fuel cladding and the : l Reactor Coolant System (RCS) and minimize the energy that ! must be absorbed following a loss of coolant accident ! l i (LOCA). This can be accomplished either automatically or manually. t l The RPS, as shown in reference 10, uses four independent I divisions each containing sensors, the EMS, the SSLC, load ; drivers, and switches that are necessary to cause initiation : of a reactor scram. Functional diversity is provided by l monitoring a wide range of dependent and independent i' parameters. The input parameters to the SSLC scram logic are from devices that monitor: j reactor vessel water level
- reactor steam dome pressure ;
- SRNM Neutron Flux & neutron flux period j
- APRM simulated thermal power
- oscillation power range monitor
- rapid core flow decrease
- main steam line isolation valve-closure
- turbine control valve fast closure (trip oil pressure low)
- turbine stop valve-closure suppression pool temperature 1
~
main steam tunnel radiation
- drywell pressure
- CRD water header charging pressure (continued)
ABWR TS B 3.3-6 P&R 08/30/93
SSLC Sensor Instrumentation B 3.3.1.1 BASES i BACKGROUND Reactor protection System (RPS) (continued) - ( Continued ) Two normally energized, solenoid operated, scram pilot valves are located in the Hydraulic Control Unit (HCU) for each Control Rod Drive (CRD) pair. The scram pilot valves control the air supply to the scram inlet valve for the associated CRD pair. When either scram pilot valve solenoid is energized, air pressure holds the scram valves closed. Therefore, both scram pilot valve solenoids must be de-energized to cause a control rod pair to scram. The scram valve controls the supply path for the CRD water during a scram. Each of the pilot valve solenoids is controlled by a series / parallel arrangement of four load drivers (one set of ' load drivers is in division II, a second set is in division III) with the outputs of the four logic divisions connected ! to the load drivers such that a trip signal from any two of the logic divisions results in de-energizing both solenoids, air bleeding off, scram valves opening, and control rod ( scram. Two hardwired manual scram switches which completely ' bypass the EMS, SSLC, and load driver logic inputs are provided. The switches on the main control console remove power from the scram pilot valve solenoids and also energize the air header dump valve solenoids (backup scram). When the reactor mode switch is in the SHUTDOWN position, manual scram is , also ' itiated. The manual scram functions are covered in l LC0 3.3.1.2. i ! l The backup scram valves, which energize on a scram signal to ! depressurize the scram air header, are also controlled by l the RPS portion of the SSLC. Emeroency Core Coolina Systems (ECCS) The Emergency Core Cooling Systems (ECCS) encompasses the High Pressure Core Flooder (HPCF) system, Automatic Depressurization System (ADS), Reactor Core Isolation Cooling (RCIC) system, and the Low Pressure Flooder (LPFL) mode of the Residual Heat Removal (RHR) system. The purpose of the ECCS portion of the SSLC instrumentation is to initiate appropriate responses from the systems and the standby Diesel Generators (DGs) to ensure that fuel is (continued) l ABWR TS B 3.3-7 P&R 08/30/93 i
SSLC Sensor Instrumentation B 3.3.1.1 BASES BACKGROUND Emercency Core Coolina Systems (ECCS) (continued) ( Continued ) adequately cooled in the event of a design basis accident or transient. The equipment involved with each of these systems i is described in the Bases for LCO 3.5.1, "ECCS-Operating. To provide redundant and diverse protection against l anticipated operational occurrences (A00s) and Design Basis Accidents (DBAs), a wide range of dependent and independent , parameters are monitored. In addition, hard wired manual i start of HPCF C is provided from the main control room. Motive power for the motor driven ECCS pumps is supplied from AC buses that can receive normal AC power or standby AC power from the DGs. Instrumentation power for all of the ECCS system originates in the 12S VDC essential busses. The three LPFL systems, except valves with isolation functions, are supplied by the division I, II, and III AC and DC busses while the two HPCF system are supplied by the division II and III AC and DC busses. Control power for RCIC instruments and controls, except for valves with isolation functions, : originates in the division I DC bus. ADS 1 is powered by the division I DC bus and ADS 2 by the division II DC bus. The LPFL and RCIC valves that provide isolation functions receive power from busses suitable for providing the redundant isolation functions. f low pressure Flooder (LPFL) System (Mode of the Residual Heat Removal System) The LPFL consists of three independent subsystems. Each subsystem has separate and independent pumps, valves, and vessel injection paths.
- The LPFL pumps and the associated Dr are initiated l
automatically when high drywell pressure or low reactor I water level (Level 1) is detected. Automatic and manual ! opening of the injection valve to the vessel is prohibited l until reactor pressure drops below the injection permissive j setpoint. The LPFL pumps motor starters are interlocked with l bus undervoltage monitors to prevent starting the motors unless the bus voltage is adequate. The LPFL pump motor and valves are provided with manual controls to permit the operator control of the systems. ; I (continued) ABWR TS B 3.3-8 P&R 08/30/93 ; 1 l 4 i l
SSLC Sensor Instrumentation B 3.3.1.1 BASES i BACKGROUND Emeraency Core Coolina Systems (ECCS) ( LPFL continued) ( Continued ) The LPFL pumps start immediately if normal power is ! available. The delay times for the pumps to start when normal AC power is not available include approximately 3 seconds for the start signal to develop after the actual reactor vessel low water level or drywell high pressure occurs, 10 seconds for the standby power to become available, and a sequencing delay to reduce peak demand on standby power. Thc coFL is designed to provide flow into the reactor vessel within 36 seconds of the receipt of an initiation signal and the low reactor pressure permissive. I A pump discharge pressure and pump flow transmitter monitor the discharge of each pump to control the minimum flow bypass valve. The LPFL suction valves from the seppression pool are normally open. On receipt of an LPFL initiation signal, the reactor shutdown cooling system valves and the RHR test line i i valves are signaled to close to ensure that the LPFL pump discharge is aligned for injection to the reactor.
- Reactor Core Isolation Coolina System (RCIC) ,
The instrumentation and controls for the RCIC system l provides control of the RCIC pump, turbine and associated valves and other equipment during a loss-of-coolant accident, when the reactor vessel isolated while in hot . standby, when normal coolant flow is unavailable with the l reactor vessel isolated, during a plant shutdown with loss l of feedwater, and for a complete loss of AC power. [ t When actuated, the RCIC system pumps demineralimr water , from the Condensate Storage Tank (CST) to the reactor vessel i but may use thE suppression pool as an alternate source of [ water. Suction flow will transfer automatically to the suppression pool on low CST level or high suppression pool level. l The RCIC system is initiated automatically when either high , drywell pressure or low reactor vessel water level 2 is l l (continued) i ABWR TS B 3.3-9 P&R 08/30/93 T
i SSLC Sensor Instrumentation B 3.3.1.1 BASES BACKGROUND Emeraency Core Coolina Systems (ECCS) ( RCIC continued) ( Continued ) detected and produces the design flow rate within 30 ' seconds. The system then functions to provide makeup water to the reactor vessel until the reactor vessel water level is restored. RCIC flow will shut down automatically when high reactor water level - Level 8 is detected. In addition, turbine overspeed and high exhaust pressure equipment protection signals will trip the turbine. The RCIC system is also shut down by the isolation feature described in the isolation section of this LCO. r ! A pump discharge pressure and pump flow transmitter monitor I the discharge of each pump to control the minimum flow bypass valve. The RCIC turbine and valves are provided with manual controls which permit the operator control of the systems. Hioh Pressure Core Flooder System (HPCF) The HPCF consists of two independent subsystems. Each ! subsystem has separate and independent pumps, valves, and vessel injection paths. The HPCF system is initiated when reactor vessel low water level (level 1.5) or high drywell pressure is detected. The HPCF pumps motor starters are interlocked with bus undervoltage monitors to prevent starting the motors unless the bus voltage is adequate. The HPCF will continue discharging to the reactor vessel until reactor high water level (Level 8) is detected. The HPCF then automatically stops flow by closing the injection valve but the motor will continue to run. The injection valve will reopen if reactor water level subsequently , decreases to the low level initiation point. The HPCF is provided with manual controls which permit , operator control of the systems. ; When actuated, the HPCF system pumps demineralizer water ' from the Condensate Storage Tank (CST) to the reactor vessel but may use the suppression pool as an alternate source of i water. Suction flow will transfer automatically to the i (continued) l l ABWR TS B 3.3-10 P&R 08/30/93 1
SSLC Sensor Instrumentation B 3.3.1.1 BASES BACKGROUND Emeraency Core Coolina Systems (ECCS) ( HPCF continued) ( Continuee ) i suppression pool on low CST level or high suppression pool l evel . l The HPCF valve must be opened sufficiently to provide design flow rate within 36 seconds from receipt of the initiation signal. The sequence of motor start when normal AC power is + not available is as described for the LPFL system. ! A pump discharge pressure and pump flow transmitter monitor t the discharge of each pump to control the minimum flow ; bypass valve. i Automatic Depressurization System (ADS) { Reactor deprasurization by the ADS is provided to reduce ; the pressure during a loss-of-coolant accident where the HPCF and/or RCIC are unable to maintain vessel water level ! above the LPFL initiation point and reactor pressure remains e above the low pressure injection permissive setpoint. ! Opening the ADS valves reduces pressure sufficiently to I allow the LPFL systems to inject water at the design flow rate. The motive power for the opening the ADS valves is from f l local accumulators supplied by the high pressure nitrogen l supply systems (Division I and II). The ADS accumulators have sufficient capacity to operate the safety relief valve , twice with the drywell at 70% of design pressure with no ! external source of nitrogen. Two ADS subsystems, ADS I and ADS 2 are provided. ADS 1 is controlled by the division I SLU and ADS 2 is controlled by . the division II SLU. Each ADS division controls one of the t two separate solenoid-operated pilot solenoids on each . Safety / Relief Valve (SRV) assigned to the ADS. Energizing ' either pilot valve causes the SRV to open. ADS initiation is armed when low reactor water level (level
- 1) persists for more then a specified amount of time 1 (outside containment LOCA) or when low reactor water level !
l occurs concurrently with high drywell pressure (inside ' containment LOCA). When ADS is armed, the ADS initiation i timer will start if any one of the 5 LPFL or HPCF pumps are (continued) ABWR TS B 3.3-11 P&R 08/30/93
l l SSLC Sensor Instrumentation - ! B 3.3.1.1 I i i l i BASES BACKGROUND Emeroency Core Coolina Systems (ECCS) ( ADS continued) ( Continued ) operating. While the ADS timer is running, ADS initiation may be interrupted by operator action or by loss of the arming signal. If the timer is not interrupted, ADS will initiate when the timer times out. The reactor low water level initiation setting for the ADS is selected to depressurize the reactor vessel in time to allow adequate cooling by the LPFL system following : loss-of-coolant accident with an assumed failure of the HPCF and/or RCIC. Positive indication of operation of an HPCF or LPFL pump is detected by two pump discharge pressure transmitters connected to each pump. One transmitter serves the ADS 1 logic and the second serves the ADS 2 logic. These transmitters are different from the transmitter used for l controlling the minimum flow valve (i.e. there are three ' pressure transmitters on each pump). ; The reactor vessel low water level for ADS is sourced from 8 level transmitters. One set of four is used by the ADS 1 logic and the other set is used by the ADS 2 logic. , The ADS initiation timer setting is long enough to permit l HPCF and/or RCIC to restore water level but short enough to l provide adequate time for LPFL to adequately cool the fuel l if the HPCF is assumed to be inoperable. i Manual actuation pushbuttons are provided to allow the j operator to initiate ADS. Manual actuation requires a sequence of actions combined with annunciators to assure manual initiation of ADS is a deliberate act. Manual actuation is prohibited unless a pump discharge pressure permissive is active. Isol ation The isolation portion of the SSLC automatically initiates closure of appropriate isolation valves. The function of the isolation valves, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs). Valve closure within the time limits specified for (continued) l l ABWR TS B 3.3-12 P&R 08/30/93 L _ _ . _
l l l s l SSLC Sensor Instrumentation B 3.3.I.1 l l . BASES l l BACKGROUND Isolation (continued) , j ( Continued ) those isolation valves designed to close automatically , ensures that the release of radioactive material to the ! environment will be consistent with the assumptions used in l the analyses for a DBA. Reference 18 maps the isolation functions to the equipment that is isolated. The isolation instrumentation includes the sensors, the EMS, the SSLC, load drivers, and switches that are necessary to cause closure of the valves provided to close off flow paths that could result in unacceptable fission product release. . Functional diversitv is provided by monitoring a wide range of independent parameters. The input data to the isolation , logic originates in devices that monitor local parameters (e.g. high temperatures, high radiation, high flows) as well as primary system and containment system parameters that are indicative of a leak. Manual isolation capability is provided by operator switches that initiate a division trip or individual valve closures. l The isolation functions are provided in the same signal processing devices as the ECCS, except for the MSIV closure, which is provided in the same devices as the RPS. I. Main Steam line Isolation Two normally energized, solenoid operated, pilot valves are located on each MSIV. Both solenoids must be de-energized to cause the valve to close. The pilot valve solenoids are controlled by a series / parallel arrangement of four load drivers with the outputs of the four logic divisions connected to the load drivers such that a trip signal from any two of the logic divisions results in de-energizing both solenoids. The Load drivers for the outboard MSIVs are in division I and the load drivers for the inboard MSIVs are in division II. The Functions used to initiate MSIV closure are:
- reactor vessel water level-low, level 1.5 l
- Steam line low pressure (continued)
ABWR TS B 3.3-13 P&R 08/30/93
SSLC Sensor Instrumentation B 3.3.1.1 BASES . BACKGROUND 1. Main Steam Line Isolation (continued) ( Continued )
- main steam line flow-high (in any one of the steamlines)
- main steam tunnel radiation-high
- main steam tunnel temperature-high
- main turbine area temperature-high
- condenser vacuum-low.
- 2. Containment Isolation Containment isolation closes valves (except MSIVs) and dampers in effluent pipes and ducts that penetrate the primary and/or secondary containment to prevent fission product release and initiates the standby gas treatment system (SGTS) to remove fission products from the secondary I containment atmosphere. Isolation initiation is performed in l the division I and II ESF SLUs. The Functions used for i containment isolation initiation are:
i
- reactor vessel water level-low, level 1
- reactor vessel water level-low, level 2
- - reactor vessel water level-low, level 3 l - drywell pressure-High l - drywell sump drain Low Conductivity Water (LCW) ,
l Radiation-High (Note: Single signal from PRRM system to ' division I SLU only)
- drywell sump drain High Conductivity water (HCW) l Radiation-High (Note: Single signal from PRRM system to division I SLU only) ,
- Reactor building area / fuel handling area exhaust air 1 Radiation-High. (Note: Signal received directly from PRRM discrete outputs to the DTMs).
Each of these parameters is used to isolate one or more lines that penetrate the containment. l l 3. Reactor Core Isolation Coolino (RCICl System Isolation The RCIC isolation protects against breaks in the steam ; supply line to the RCIC turbine. RCIC trip calculations are ' performed in the DTMs in all four ESF divisions. Isolation initiation for the inboard isolation valve is performed in the division I ESF SLU and for the outboard isolation valves (continued) ABWR TS B 3.3-14 P&R 08/30/93 l
l SSLC Sensor Instrumentation l B 3.3.1.1 : BASES BACKGROUND 3. Reactor Core Isolation Coolina (RCIC) System Isolation ( Continued ) (continued) in the division II ESF SLU. The Functions used for RCIC isolation initiation are:
- RCIC area temperature
- RCIC steam supply line pressure-low
- RCIC steam supply line flow-high
- RCIC turbine exhaust diaphragm pressure-high 4 Reactor Water Cleanuo System Isolation This isolation protects against breaks in lines carrying i Cleanup Water (CUW) and also serves to align CUW valves so t they do not interfere with ECCS injection. Isolation !
initiation for the inboard isolation valve is performed in the division II ESF SLU and for the outboard isolation l valves in the division I ESF SLU. The Functions used for CUW line isolation /ECCS lineup initiation are:
- CUW area temperatures-high
- CUW differential flow-high
- main steam tunnel temperature-high
- reactor vessel water level-low, level 2
- CUW isolation on Standby Liquid Control initiation
- Reactor vessel steam dome pressure-High (This function is used only in division I to close the head spray valve)
- 5. Shutdown Coolina System Isolation l
l This isolation protects against breaks in lines used in the l shutdown cooling mode of the RHR and also serves to align RHR valves so they do not interfere with ECCS injection. Isolation initiation for the RHR loops are performed in the ESF SLUs as follows: RHR LOOP A B C Inboard Div. I Div. II Div. III Outboard Div. II Div. III Div. I (continued) ABWR TS B 3.3-15 P&R 08/30/93 l .-. -. - .
i t SSLC Sensor Instrumentation B 3.3.1.1 BASES BACKGROUND 5. Shutdown Coolino System Isolation (continued) ( Continued ) The Functions used for RHR isolation /ECCS lineup initiation are:
- RHR area temperatures-high
- reactor vessel water level -low, level 3
- reactor vessel steam dome pressure-High OTHER ESF FUNCTIONS ,
l The SSLC provides actuation Functions for various other ESF l Functions
- 1. Diesel Generator (DG) Initiation. The DG are initiated on high drywell pressure, . low reactor water level, or !
Essential 6.9KV bus undervoltage (covered in LCO l 3.3.1.3). l
- 2. Standby Gas Treatment Actuation. The Standby Gas i Treatment (SGTS) system is automatically initiated on !
high drywell pressure, low level 3, Reactor building t area high radiation, or fuel handling area high -l radiation.
- 3. Reactor Building Cooling Water / Service Water l Actuation. This Feature is actuated on high drywell l pressure, low level 1, or 6.9 KV emergency bus undervoltage signals (covered in LCO 3.3.1.3). ,
, 4. Containment Atmospheric Monitoring System Start. The i Containment Atmospheric Monitoring (CAM) system is !
- automatically started on a high drywell pressure or r low level 1 signal. ;
l l
- 5. Suppression Pool Cooling Actuation. Suppression pool !
cooling is automatically initiated on high suppression pool temperature. ATWS Mitiaation l The ABWR provides various features to mitigate a postulated Anticipated Transient Without Scram (ATWS) event. The l Standby Liquid Control System (SLCS) and Feedwater Runback i 1 (continued) { l ABWR TS B 3.3-16 P&R 08/30/93 l i
l SSLC Sensor Instrumentation ! B 3.3.1.1 BASES BACKGROUND 5. Shutdown Coolina System Isolation (continued) l i ( Continued ) l l (FWRB). are initiated by Reactor Vessel Steam Dome Pressurc - l [ High or Reactor Water Level - Low, level 2 Functions. The- 1 l initiation signals are provided by Analog Trip Modules (ATM) that are located in the SSLC cabinets. There is an ATM in each division for each of the functions. l l The ATMs are connected directly to the sensors in the division associated with the ATM. The outputs of all four ATMs are connected to four logic units (one in each l division) using suitable isolation. Each logic unit uses 2 i out of 4 logic to create initiation signals. The SRNM ATWS e permissive function will permit initiation only when power j level is above a specified value. The initiation signals ; from the four logic units are connected to a. series / parallel ! arrangement of load drivers such that an initiation signal ! from only two of the logic units will cause actuation of the ! ATWS mitigation features. i SSLC
SUMMARY
i I The SSLC is a complex of equipment and software that i supports a variety of Functions and Features in a variety of j configurations. Table B3.3.1.1-1 is a summary of the SSLC : functions and the protective equipment supported by the l Functions along with the LCO actions applicable to the i Functions. l l l I l APPLICABLE The actions of the SSLC are a q ueed in the safety analyses l SAFETY ANALYSIS, of References 1, 2, 3, 8, 10, ad 11. The SSLC initiates ! LCO, and appropriate protective actions when a monitored parameter is l APPLICABILITY outside of a specified Allowable Value to preserve the ; integrity of the fuel cladding, the Reactor Coolant Pressure l Boundary (RCPB), and the containment. The Allowable Values j given in Table 3.3.1.1-1 are calculated using a prescribed ! setpoint methodology. The SSLC provides initiation signals ; for RPS, ECCS and plant isolation. j SSLC instrumentation satisfies Criterion 3 of the NRC Policy l Statement. Functions not specifically credited in the ABWR SSAR analysis are retained for the overall redundancy and j (continued) [ ABWR TS B 3.3-17 P&R 08/30/93 l l
i SSLC Sensor Instrumentation , B 3.3.1.1 ) i BASES i I l I APPLICABLE diversity of the RPS as required by the NRC approved SAFETY ANALYSIS, licensing basis. ! LCO, and
- APPLICABILITY The OPERABILITY of the SSLC is dependent on the OPERABILITY
( Continued ) of the Functions specified in Table 3.3.1.1-1. Each Function must have a required number of OPERABLE divisions, .I with their setpoints within the specified Allowable Value, , where appropriate. The signal processing channels within ; each division are calibrated consistent with applicable setpoint methodology assumptions. Each channel must also respond within its assumed response time. 1 Allowable Values are specified for each SSLC Function
- specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal ,
setpoints are selected to ensure that the effective trip
- points do not exceed the Allowable Value between successive l i
CHANNEL CALIBRATIONS. Operation with an effective trip l point less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if the effective trip point is outside the Allowable Value. t Setpoints are those predetermined values of output at which i an action should take place. The numeric setpoints provided , in the processor data base are compared to the measured process parameter (e.g., reactor vessel water level), and ] when the measured value of the process parameter exceeds the ,
- setpoint, the logic in the signal processors declares a trip
} condition for the parameter. ! The analytic limits are derived from the limiting values of
- the process parameters obtained from the safety analysis. i j The Allowable Values are derived from the analytic limits, l corrected for calibration, process, and some of the !
4 i instrument errcrs. The nominal trip setpoints are then ! j determined, accounting for the remaining instrument errors , (e.g., drift). The trip setpoints derived in this manner 1 i provide adequate protection because instrumentation
- uncertainties, process effects, calibration tolerances, 1 instrument drift, and severe environment errors (for char.nels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.
j The individual SSLC functions that are required to be
- OPERABLE in the MODES and other conditions specified in i .
i l
- (continued)
ABWR TS B 3.3-18 P&R 08/30/93 1 i
i i l SSLC Sensor Instrumentation l B 3.3.1.1 BASES , APPLICABLE Table 3.3.1.1-1 may be needed to mitigate the consequences SAFETY Af4ALYSIS, of a design basis accident or transient. To ensure reliable ; LCO, and initiation of protective actions several functions are APPLICABILITY required for each safety system actuation to provide primary ( Continued ) and diverse initiation signals. ; Reactor Protection System , RPS is required to be OPERABLE in MODE 1, MODE 2, and MODE 5 ' with any control rod withdrawn from a core cell containing one or more fuel assemblies. Control rods withdrawn from a core cell containing no fuel assemblies do not affect the reactivity of the core and therefore do not need scram capability. The required Shut Down Margin SDM (LCO 3.1.1) and refuel position one-rod-out interlock (LCO 3.9.2) ensure that no event requiring RPS will occur when the reactor mode switch is in the refueling position. During normal operation in MODES 3 and 4, all control rods are fully inserted and the Reactor Mode Switch Shutdown Position control rod withdrawal block (LC0 3.3.2.1) does not allow any control rod to be withdrawn. Under these conditions, the RPS ; function is not. required to be OPERABLE. The OPERABILITY of scram pilot valves and associated solenoids and backup scram valves, described in the Background section, are not addressed by this LCO. Emeraency Core Lcolina System (ECCS) I l The ECCS is initiated to preserve the integrity of the fuel l cladding by limiting the post LOCA peak cladding temperature to less than the 10CFR50.46 limits. In general, the ECCS initiation Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or DG) initiation to mitigate the consequences of a design j basis accident or transient. The applicability basis for i the ECCS systems are given in LCO 3.5.1 and 3.5.2. To ensure i reliable ECCS and DG function, a combination of Functions is required to provide primary and secondary initiation i signals. l (continued) ABWR TS B 3.3-19 P&R 08/30/93 i (
SSLC Sensor Instrumentation B 3.3.1.1 BASES j APPLICABLE Isol ation SAFETY ANALYSIS, LCO, and Isolation valve closures are used to limit the offsite dose ! APPLICABILITY as described in LCO 3.6.1.3. In general, the individual , ( Continued ) Functions that initiate isolation valve closure are required to be OPERABLE in MODES 1, 2, and 3 consistent with the Applicability for LC0 3.6.1.1, " Primary Containment." Functions that have different Applicabilities are discussed i below in the individual Functions discussion. Functions The specific Applicable Safety Analyses, LCO, and l Applicability discussions are listed below on a Function by ! l Function basis. I 1.a & b. Startuo Ranae Neutron Monitor (SRNM) Neutron l Flux - Hiah/Short Period The SRNMs monitor neutron flux levels from very low power ! l levels to a power level where the Average Power Range l Monitors (APRMs) are on scale. There is a specified minimum overlap between the SRNMs and APRMs to assure continuous monitoring of neutron flux levels. The SRNMs generate trip signals to prevent fuel damage resulting from abnormal positive re ctivity insertions under conditions that are not covered by the APRMs. The SRNMs generate both high neutron ; flux and high rate of change of neutron flux (i.e. short ' period) trips. In this power range, the most significant source of reactivity change is due to control rod j wit hdrawal . I l The SRNM provides diverse protection for the Rod Warth Minimizer (RWM) in the Rod Control & Information System (RCIS) which monitors and controls the movement of control rods at low power. The RWM prevents the withdrawal of an out of sequence control rod during startup that could result , in an unacceptable neutron flux excursion (Ref.13). The ! SRNM provides mitigation of any neutron flux excursion. Generic analyses have been performed (Ref.14) to evaluate the consequences of control rod withdrawal events during ; startup that are mitigated only by the SRNM. This analysis, which assumes the most limiting SRNM bypass or out of i service condition, demonstrates that the SRNMs provide (continued) ABWR TS B 3.3-20 P&R 08/30/93
SSLC Sensor Instrumentation B 3.3.1.1 j l BASES l APPLICABLE 1.a & b. Startuo Ranae Neutron Monitor (SRNM) Neutron ! SAFETY ANALYSIS, Flux-Hich/Short Period (continued) LCO, and APPLICABILITY protection against control rod withdrawal errors and results : ( Continued ) in peak fuel energy depositions below the fuel failure i threshold criterion. s The SRNMs are also capable of limiting other reactivity excursions during startup, such as cold water injection events, although no credit is specifically assumed. The ten SRNM fixed in-core regenerative fission chambers are , each connected to electronics suitable for monitoring neutron flux for power levels up to 15% RTP. The SRNM detectors are evenly distributed throughout the core and are : lccated slightly above the fuel mid-plane. The SRNM's are , assigned to the four Neutron Monitoring System (NMS) divisions as follows: Division I: SRNM Detectors A, E & J i Division II: SRNM Detectors B & F Division III: SRNM Detectors C, G & L i Division IV: SRNM Detectors D & H For each division, a high flux, short period, or INOP trip from any one SRNM channel will result in a trip signal from - that division. The SRNM trip data is transmitted to the TLUs ! in the SSLC. The SRNM channels are divided into three bypass Groups. One channel from each Group may be bypassed using three bypass switches on the operators console (i.e. bypass of up to three channels). The Groups are arranged so there is at least one unbypassed channel in each division and one i unbypassed channel in each core quadrant. The SRNMS are I assigned to the bypass Groups as follows: Group 1: SRNM A, B, F, G Group 2: SRNM C, E. H Group 3: SRNM D, J, L (continued) ; i ABWR TS B 3.3-21 P&R 08/30/93 _ _ _ . _ _ _ . . _ . , _d
SSLC Sensor Instrumentation B 3.3.1.1 , BASES APPLICABLE 1.a & b. Startup Ranae Neutron Monitor (SRNM) Neutron SAFETY ANALYSIS, Flux-Hiah/Short Period (continued) LCO, and APPLICABILITY Each of the three multiposition operator switches ( Continued ) corresponds to one of the Groups. An SRNM division is OPERABLE if one or more channels in the division is OPERABLE. The division of sensor bypass in the RPS portion of the SSLC does not bypass the SRNM trip signal input. i Operability of the SRNM function of the SSLC also requires at least one OPERABLE SRNM channel in each core quadrant. The arrangement of SRNM channels into bypass Groups and the actions of LC0 3.3.2.1 ensure this requirement is satisfied. The Startup Range Monitor Neutron Flux-High/Short Period Function must be OPERABLE during MODE 2 when control rods may be withdrawn and the potential for criticality exists. In MODE 5, when a cell with fuel has its control rod withdrawn, the SRNMs provide monitoring for and protection against unexpected reactivity excursions. In MODE I, the APRM System, the thermal power monitor (TPM), and the Automatic Thermal Limit Monitor (ATLM) function of the RC&IS l provide protection against control rod withdrawal error events and the SRNMs are not required. l 1.c. SRNM ATWS Permissive l L During some low power plant conditions the ATWS trips could interfere with normal plant maneuvering and cause unnecessary stress on plant equipment. In order to prevent the risks associated with the stresses, and to confirm that a ATWS may have occurred, the ATWS Functions are disabled at , low neutron flux levels. ; 1 The SRNM ATWS Permissive function is used in some of the systems that implemert ATWS Functions to permit initiation ! of ATWS functions wl . the power level as detected by the l SRNM is greater that the Allowable Value. When all of the SRNM channels indicate that power level is less than the Allowable Value then the permissive is removed and all ATWS trips are automatically bypassed. (continued) ABWR TS B 3.3-22 P&R 08/30/93 l
. ~ ..
l SSLC Sensor Instrumentation B 3.3.1.1 . I l l BASES i l APPLICABLE 1.c SRNM ATWS Permissive (continued) l i SAFETY ANALYSIS, l LCO, and This Function is required to be OPERABLE in Mode 1 since APPLICABILITY this is the MODE where the ATWS functions must be OPERABLE. l ( Continued ) See the RPT LCO (LC0 3.3.4.1) for the operability basis. i l The Allowable Value is selected be high enough to permit the necessary plant maneuvers, and low enough to assure that ATWS is available when the plant power level will not permit long term cooling by the ECCS and their support systems. 3 1.d. SRNM-Inoo This trip signal provides assurance that a minimum number of SRNMs are OPERABLE. Whenever the SRNM self test and monitoring features detect a condition that could prevent it l from generating a trip when needed an IN0P/ TRIP signal will be sent to all four RPS TLUs. This Function was not specifically credited in any ABWR SSAR analysis, but it is < retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. This Function is provided Ly self test and other monitoring features and is a discrete signal so there is no Allowable Value for this Function. This function is required to be OPERABLE when the Startup Range Monitor Neutron Flux-High/Short Period Functions are required. 1 ; 2.a. Averaae Power Ranae Monitor Neutron Flux-Hich. i Setdown The APRM divisions receive input signals from the local power range monitors (LPRM) within the reactor core to provide an indication of the power distribution and local power changes. The APRM divisions average these LPRM signals to provide a continuous indication of average reactor power from a few percent to greater than Rated Thermal Power (RTP). For operation at low power (i.e., MODE 2), the Average Power Range Monitor Neutron i Flux-High/Setdown Function is capable of generating a trip i signal that prevents fuel damage resulting from abnormal operating transients in this power range. For most (continued) ABWR TS B 3.3-23 P&R 08/30/93
SSLC Sensor Instrumentation : B 3.3.1.1 f i BASES l APPLICABLE 2.a. Averaae Power Ranae Monitor Neutron Flux-Hiah. SAFETY ANALYSIS, Setdown (continued) LCO, and APPLICABILITY operations at low power levels, the Average Power Range i ( Continued ) Monitor Neutron Flux-High/Setdown Function will provide a i secondary scram to the Startup Range Monitor Neutron l Flux-High/Short Period Function because of the relative setpoints. With the SRNMs near the high end of their range, it is possible that the Average Power Range Monitor Neutron Flux-High/Setdown Function will provide the primary trip signal for a corewide increase in power. 1 No specific safety analyses take direct credit for the Average Power Range Monitor Neutron Flux-High/Setdown Function. However, this function indirectly ensures that, before the reactor mode switch is placed in the run position, reactor power does not exceed 25% RTP (SL 2.1.1.1) when operating at low reactor pressure and low core flow. Therefore, it indirectly prevents fuel damage during significant reactivity increases with THERMAL POWER
< 25% RTP.
l l The APRM System is made up of four independent divisions. Each APRM division transmits a trip signal to all four RPS TLUs using suitable isolators. The system is designed to i allow one division to be bypassed. Three divisions of APRM Neutron Flux-High/Setdown are required to be OPERABLE to , ensure that no single failure will preclude a scram from i this function on a valid signal. In addition, to provide adequate coverage of the entire core, at least [20] LPRM inputs are required for each APRM division, with at least j two LPRM inputs from each of the four axial levels at which l the LPRMs are located. The Allowable Value is based on preventing significant increases in power when THERMAL POWER is < 25% RTP. The Average Power Range Monitor Neutron Flux-High/Setdown Function must be OPERABLE during MODE 2 when control rods may be withdrawn, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel l assemblies, since the potential for criticality exits. In l MODE 1, the Average Power Range Monitor Neutron Flux-High ' Function provides protection against reactivity transients and the ATLM function of the RC&IS protects against control rod withdrawal error events. (continued) ABWR TS B 3.3-24 P&R 08/30/93
l I i SSLC Sensor Instrumentation l 1 s B 3.3.1.1 . l l 1
, BASES I i t i i i APPLICABLE 2.b. Averaae Power Ranoe Monitor Simulated Thermal Power-t j SAFETY ANALYSIS, Hich, Flow Biased l
i LCO, and APPLICABILITY The Average Power Range Monitor Simulated Thermal i { 1 ( Continued ) Power-High/ flow biased Function monitors a calculated value l j for the THERMAL POWER being transferred to the reactor- ! ) coolant. The neutron flux to thermal power relationship is i l I modeled using a single time constant to represent the fuel heat transfer dynamics and calculate a parameter that is ! i proportional to the THERMAL POWER in the reactor. The trip l } i 1 level is varied as a function of recirculation flow. The ! j setpoint is proportional to the reactor power that corresponds to the recirculation flow for a rod pattern that ; l provides 100% power at 100% recirculation flow. There is an ! j upper limit on the setpoint that is lower than the APRM i l Fixed Neutron Flux-High Allowable Value. , t ' i j The Average Power Range Monitor Simulated Thermal i Power-High/ Flow biased Function provides protection against j j g transients where THERMAL POWER increases slowly (such as the ! j loss of feedwater heating event) and protects the fuel ! cladding integrity by ensuring that the MCPR SL is not j exceeded. During these events, the thermal power increase l j does not significantly lag the neutron flux response and, ! j because of a lower trip setpoint, will initiate a scram , before the high neutron flux scram. For rapid neutron flux i increase events, the thermal power lags the neutron flux and the Average Power Range Monitor Fixed Neutron Flux-High Function will provide a scram signal before the Average l Power Range Monitor Simulated Thermal Power-High/ Flow 4 Biased Function setpoint is exceeded. 1 I This Function's trip signal is sent to RPS over the same j data transmission paths as those described in-Function 2.a i above and is subject to the same operability conditions. 3 Each APRM division receives a total recirculation flow data j value from the EMS. The flow is measured using 4 independent i flow transmitters that monitor the core plate pressure drop. i The Allowable Value for the upper limit is based on analyses that take credit for the Average Power Range Monitor i ) Simulated Thermal Power-High/ Flow Biased Function for the i mitigation of the loss of feedwater heater event. The j thermal power time constant of < [7]_ seconds is based on the i fuel heat transfer dynamics. 1 i (continued) i s-ABWR TS B 3.3-25 P&R 08/30/93 li t _ . _ . _ _ . _ , _ _ ... _ .-
l l SSLC Sensor Instrumentation B 3.3.1.1 BASES APPLICABLE 2.b. Averace Power Ranae Monitor Simulated Thermal Power-SAFETY ANALYSIS, Hiah. Flow Biased (continued) LCO, and APPLICABILITY The Average Power Range Monitor Simulated Theral ( Continued ) Power-High/ Flow Biased Function is required to be OPERABLE ! in MODE 1 when there is the possibility of generating excessive thermal power and potentially exceeding the SL applicable to high pressure and core flow conditions (MCPR SL). During MODES 2 and 5, other SRNM and APRM Functions provide protection for fuel cladding integrity. i 2.c. Averaae Power Ranoe Monitor Fixed Neutron Flux-Hiah The APRM divisions provide the primary indication of neutron flux within the core and respond almost instantaneously to neutron flux increases. The Average Power Range Monitor Fixed Neutron Flux-High Function is capable of generating a trip signal to prevent fuel damage or excessive RCS pressure. For the overpressurization protection analysis of Reference 11, the Average Power Range Monitor Fixed Neutron - Flux-High Function is assumed to terminate the main steam isolation valve (MSIV) closure event and, along with the ! safety / relief valves (S/Rvs), limits the peak reactor pressure vessel (RPV) pressure to less than the ASME Code ! limits. ; l l This Function's trip signal is sent to RPS over the same ; data transmission paths as those described for Function 2.a ! above and is subject to the same operability conditions. l The Allowable Value is based on the Analytical Limit assumed in the vessel overpressure protection analyses. l l The Average Power Range Monitor fixed Neutron Flux-High ! Function is required to be OPERABLE in MODE 1 where the ! potential consequences of the analyzed transients could j j result in the SLs (e.g., MCPR and RCS pressure) being j l exceeded. Although the Average Power Range Monitor Fixed 1 Neutron Flux-High Function is assumed in the CRDA analysis that is applicable in MODE 2, the Average Pcwer Range i Monitor Neutron Flux-High, Setdown Function conservatively i bounds the assumed trip and, together with the assumed SRNM trips, provides adequate protection. Therefore, the Average Power Monitor Fixed Neutron Flux-High Function is not required in MODE 2. (continued) ABWR TS B 3.3-26 P&R 08/30/93 l
1 l SSLC Sensor Instrumentation l B 3.3.1.1 BASES APPLICABLE 2.d. Averace Power Rance Monitor-Inon f SAFETY ANALYSIS, LCO, and This signal provides assurance that a minimum number of APPLICABILITY APRMs are OPERABLE. Whenever the APRM self test and i ( Continued ) monitoring algorithms detect a condition that could prevent it from generating a trip when needed or the APRM has insufficient OPERABLE LPRMs and the division is not bypassed, an IN0P/ TRIP signal will be sent to all four RPS divisions over the same data transmission paths as those described for function 2.a above. Interlocks prevent placing i i more then on division in bypass so only one division may be inoperable without causing a reactor trip. This function was , not specifically credited in any ABWR SSAR analysis, but it , is retained for the overall redundancy and diversity of the i RPS as required by the NRC approved licensing basis. i Three unbypassed divisions of Average Power Range ' Monitor-Inop are required to be OPERABLE to ensure that no single failure will preclude a scram from this Function on a valid signal. There is no Allowable Value for this function. ; This Function is required to be OPERABLE in the MODES where the APRM Functions are required. f 2.e. Rapid Core Flow Decrease l A rapid flow decrease from high power can jeopardize the . MCPR SL. The NMS Rate of Core Flow Decrease-High Function l l causes a scram for rapid flow decreases when thermal power is greater than 80% RTP to provide confidence that the SL will not be violated. The Neutron Monitoring System Rate of Core Flow Decrease-High Function provides protection against transients where 1 core flow decreases rapidly. This function is assumed in the all pump trip analysis. l l The scram signal from this function is sent to the RPS TLUs I over the same data transmission path as the APRM trips. The APRM System is divided into four divisions. Each APRM division sends a trip signal to all four RPS TLUs via suitable isolators. The rate of flow decrease is calculated from total recirculation flow data acquired from the EMS. (continued) ABWR TS B 3.3-27 P&R 08/30/93 J
l I l SSLC Sensor Instrumentation i B 3.3.1.1 ] BASES APPLICABLE 2.e. Rapid Core Flow Decrease (continued) SAFETY ANALYSIS, LCO, and The flow is measured using 4 independent flow transmitters APPLICABILITY that monitor the core plate pressure drop. ( Continued ) The Neutron Monitoring System Rate of Core Flow Decrease-High function is automatically bypassed when thermal power l is less than 80% RTP. The thermal power value calculated for i the Average Power Range Monitor Simulated Thermal Power-High/ Flow Biased Function is used to implement the bypass. ! Three unbypassed divisions of this function are required to l be OPERABLE to ensure that no single failure will preclude a I scram from this Function on a valid signal. l The Allowable Value for this function is derived from the analytic limit used in the all pump trip analysis. ; The Neutron Monitoring System Rate of Core Flow Decrease- l High Function is required to be OPERABLE in MODE 1 when ! thermal power is greater than 80% RTP where there is a possibility of a rapid flow decrease jeopardizing the MCPR SL. At power levels less than 80% RTP a trip of all recirculation pumps will not violate the MCPR SL. 2.f. Oscillation Power Ranae Monitor The Oscillation Power Range Monitor (0PRM) Function detects the existence of neutron flux oscillations that could cause violation of the fuel thermal limits. This function is not i assumed in any analysis in the ABWR SSAR. However, it is included for redundancy and diversity and to provide confidence that the assumptions used in fuel limits calculations are preserved.
)
i The OPRM uses two algorithms to detect flux oscillations. l Each algorithm operates on several groups of LPRMs (called OPRM cells). The OPRM cells are selected to provided a ; representation of the radial neutron flux distribution so l that local flux oscillations will be detected. ; ! The amplitude / growth rate algorithm measures the amplitude l of flux oscillations as a fraction of the average value (i.e
% of point). The algorithm is invoked if the peak to average '
value exceeds a specified amount. The algorithm measures the (continued) ABWR TS B 3.3-28 P&R 08/30/93 1
f SSLC Sensor Instrumentation l B 3.3.1.1 BASES . APPLICABLE 2.f. Oscillation Power Range Monitor (continued) ; SAFETY ANALYSIS, LCO, and period of the oscillation to determine if it is within the APPLICABILITY range expected for therm-hydraulic core oscillations. If it ~ ( Continued ) is, then the cell flux is scanned for three of the measured periods. If the sensed flux increases (growth rate) by a specified amount or becomes larger than a specified amcunt (amplitude) within this period, then a trip is declared. The period based algorithm measures the period of successive . peaks and minimize in sensed flux. If the period is within : the range expected for core therm-hydraulic for a specified number of times and the amplitude is greater than a specified value, then a trip is declared. There are four divisions of OPRMs, one in each NMS division. [ Each OPRM acquires data froc LPRMs distributed throughout the core. Therefore, each OPRM is capable of detecting an ! oscillation in any core region. Each OPRM sends trip data to all four RPS TLUs via suitable isolators. The potential for power oscillations in a BWR is restricted i to operation conditions with low core flow and relatively high power. In order to reduce the potential for spurious > trips due to LPRM noise, the OPRM function is automatically bypassed when the power flow relationship is below the characteristic shown in figure 3.3.1.1-1. The OPRM satisfies GDC 12. The Allowable Values for the trip ; and bypass setpoints are based on extensive analysis of BWR ; core oscillation characteristics (see reference 16). The Average Power Range Monitor Fixed Neutron Flux-High l Function is required to be OPERABLE in MODE 1 when the l power / flow characteristic is as shown in figure 3.3.1.1-1 l since this is the mode and other conditions where core l oscillations can occur. Three divisions of this function are I required to be OPERABLE to ensure that no single failure will preclude a scram from this Function on a valid signal. 3.a. b. & c. Reactor Vessel Steam Dome Pressure-Hioh An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This causes the neutron flux and (continued) ABWR TS B 3.3-29 P&R 08/30/93
l I I SSLC Sensor Instrumentation B 3.3.1.1 BASES APPLICABLE 3.a. b. & c. Reactor Vessel Steam Dome Pres sure -- Hioh SAFETY ANALYSIS, (continued) LCO, and APPLICABILITY THERMAL POWER transferred to the reactor coolant to ( Continued ) increase, which could challenge the integrity of the fuel , cladding and the RCPB. None of the ABWR SSAR safety ! i analysis takes direct credit for this Function. However, ! the Reactor Vessel Steam Dome Pressure-High Function i l initiates a scram (3.a) for transients that results.in a i pressure increrae, counteracting the pressure increase by l l rapidly reducing core power. For the overpressure prctection analysis of Reference 11, the reactor scram which l i terminates the MSIV closure event is conservatively assumed ! to occur on the Average Power Range Monitor Fixed Neutron Flux-High signal, and, along with the S/RVs, limits the , ! peak RPV pressure to less the the ASME Section III Code limits. l The Reactor Steam Dome Pressure-High Function also isolates ! (3.b) the shutdown cooling portion of the RHR System and the ! l head spray line from the CUW system. This interlock is l l provided only for equipment protection to prevent an ! I intersystem LOCA scenario and credit for the interlock is ! l not assumed in any accident or transient analysis in the i ABWR SSAR. l Automatic Standby Liquid Control System (SLCS) and Feedwater Runback (FWRB) are also initiated by this Function (3c). These features are provided to mitigate a postulated ATWS i event. I Each DTM receives a value representing measured reactor i pressure from the EMS in its division and compares the value l against a numeric setpoint to determine if a trip is ' required. Reactor pressure is measured using four : independent (separate vessel taps, instrument piping, etc) pressure transmitters connected to the RPV steam space. The j Reactor Vessel Steam Dome Pressure-High Allowable Value is ; chosen to provide a sufficient margin to the ASME ; Section III Code limits during pressurization events. Three unbypassed divisions of Reactor Vessel Steam Dome Pressure-High Function are required to be OPERABLE to ensure that no single instrument failure will preclude a protective action from this Function on a valid signal. (continued) ABWR TS B 3.3-30 P&R 08/30/93
._ - . ~_ _ _ _ _ __ . __ _- _ _ _ . . _ _ . _ _ _ _ . _ . _ . _
l l I l SSLC Sensor Instrumentation i B 3.3.1.1 { BASES i i l APPLICABLE 3.a. b. & c. Reactor Vessel Steam Dome Pressure-Hich i ! SAFETY ANALYSIS, (continued) l l LCO, and ! APPLICABILITY Function 3a. is required to be OPERABLE in MODES 1 and 2 ! ( Continued ) since these are the MODES where RPS is required to be ; l OPERABLE. ! l i ! Function 3b. is required to be OPERAGLE in MODES 1, 2, and 3 l l when the RCS may be pressurized and the potential for ; pressure increase exists. -l l l Function 3c. is required to be OPERABLE in MODE 1 since this ! is the MODE where ATWS features must be OPERABLE. !
- 4. Reactor Steam Dome Pressure-tow (In.iection Permissive) l Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS subsystems. This ensures that, prior to opening the injection valves of the ;
low pressure ECCS subsystems, the reactor pressure has ; fallen to a value below these subsystems' maximum design pressure. The Reactor Steam Dome Pressure-Low is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients j analyzed in References 2 and 8. .In addition, the Reactor i Steam Dome Pressure-Low Function is directly assumed in the j analysis of the Design Basis Accident (maximum steamline > break, or maximum feedwater line break,' or maximum RHR { ! shutdown suction line break). The core cooling function of j l the ECCS, along with the scram action of the RPS, ensures i that the fuel peak cladding temperature remains below the j limits of 10CFR50.46. ! i Each ESF DTM receives a value representing measured reactor i pressure value from the EMS in its division and compares the l value against a numeric setpoint to determine if a trip is ! required. Reactor pressure is measured using four i independent (separate vessel taps, instrument piping, etc) ! pressure transmitters connected to the RPV steam space. j The Allowable Value is low enough to prevent overpressurizing the equipment in the low pressure ECCS, but high enough to ensure that the ECCS injection prevents.the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46. (continued) ABWR TS B 3.3-31 P&R 08/30/93 i i t
. _ _ , _ _ _ _ . _ . . _ . . . . _ - _ . . . , _.-,,_.__,._,__,._,__._.-,_,r,,__,_,_
SSLC Sensor Instrumentation B 3.3.1.1 BASES APPLICABLE 4 Reactor Steam Dome Pressure-low fin.iection Permissive) SAFETY ANALYSIS, (continued) LCO, and ' APPLICABILITY Three divisions of Reactor Steam Dome Pressure-Low function ( Continued ) are required to be OPERABLE when the associated ECCS is , required to be OPERABLE to ensure that no single instrc nt failure can preclude ECCS initiation. Refer to LC0 3.5.1 and LC0 3.5.2 for Applicability Bases for the low pressure ECCS l subsystems. [ r
- 5. Reactor Vessel Water Level-Hich. Level 8 High RPV water level indicates that sufficient cooling water l inventory exists ir. the reactor vessel such that there is no l danger to the fuel. Therefore, the Level 8 signal is used <
to automatically terminate RCIC and HPCF injection to prevent overflow into the Main Steam Lines (MSLs). RCIC injection is terminated by closing the RCIC steam supply, ; steam supply bypass, and cooling water supply valves. HPCF injection is terminated by closing the injection valve. The ; Reactor Vessel Water Level-High, Level 8 Function is not i assumed in the accident and transient analyses. It was ; retained since it is a potentially significant contributor ; to risk. Each ESF DTM receives a data value representing measured l reactor vessel level value from the EMS in its division and l compares it against a numeric setpoint to determine if a level 8 trip is required. The reactor water level signals j originate in four independent (separate vessel taps, ; instrument piping, etc.) level transmitters that sense the pressure difference between a constant column of water t (reference leg) and the effective water column (variable ; leg) in the vessel. A concurrent high level signal from any l two of the sensors will cause termination of the injection l fl ows . l Three divisions of the Reactor Vessel Water Level-High, ! Level 8 Functio: are required to be OPERABLE when the ' associated ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation due , to false high level. Refer to LCO 3.5.1 and LC0 3.5.2 for : Applicability Bases for the low pressure ECCS subsystems. (continued) , ABWR TS B 3.3-32 P&R 08/30/93 t
SSLC Sensor Instrumentation B 3.3.1.1 - BASES APPLICABLE 6.a. & b. Reactor Vessel Water Level--Low. Level 3 SAFETY ANALYSIS, LCO, and Low RPV water level indicates the capability to cool the ' APPLICABILITY fuel may be threatened. Therefore, a reactor scram is , ( Continued ) initiated at Level 3 to substantially reduce the heat i generated in the fuel from fission. The Reactor Vessel Water Level--Low, Level 3 scram Function (6.a) is assumed in the LOCA analysis (Ref.11). This Function (6.b) also initiates a containment isolation and isolates the RHR shutdown cooling mode. The isolation functions are not specifically assumed in any of the ABWR SSAR analysis, however, they are implicitly assumed in fission release calculations since the paths they isolate are assumed to be isolated. The reactor scram reduces the amount of energy required to be absorbed and, along with the isolation and Emergency Core ; Cooling Systems (ECCS) actions, ensures that the fuel peak l cladding temperature remains below the limits of 3 10 CFR 50.46. l Each DTM receives a data value representing measured reactor vessel level value from the EMS in its division and compares it against a numeric setpoint to determine if a level 3 trip ! is required. The reactor water level signals originate in four independent (separate vessel taps, instrument piping, etc.) level transmitters that sense the pressure difference between a constant column of water (reference leg) and the effective water column (variable leg) in the vessel. , Three unSypassed divisions of Reactor Vessel Water l Level--Low, Level 3 Function are required to be OPERABLE to ' enscre that no single instrument failure will preclude s ; protective action from this function on a valid signal. ! The Reactor Vessel Water Level--Low, Level 3 Allowable Value l is selected to ensure that, for transients involving loss of ! all normal feedwater flow with successful operation of a high pressure system, initiation of the low pressure ECCS at RPV Water Level I will not be required. Reactor scram on this Function is required in MODES I and 2 where considerable energy exists in the RCS resulting in the limiting transients and accidents. Isolation initiation on this function is required in modes 1, 2, and 3 which is (continued) ABWR TS B 3.3-33 P&R 08/30/93 l i i
i l SSLC Sensor Instrumentation ! B 3.3.1.1 i l BASES l APPLICABLE 6.a. & b. Reactor Vessel Water Level-Low. Level 3 SAFETY ANALYSIS, (continued) LCO, and ! APPLICABILITY consistent with the applicability of LC0 3.6.1.1. Shutdown ! ( Continued ) cooling isolation is also required to be OPERABLE during
- core alterations and operations with the potential for
! draining the reactor vessel. 7.a.. b. & c. Reactor Vessel Water level-tow. Level 2 Low RPV water level indicates that the capability to cool l the fuel may be threatened. Should RPV water level decrease i too far, fuel damage could result. Low reactor water level indicates that normal feedwater flow is insufficient to maintain reactor vessel water level and that the capability to cool the fuel may be threatened. Therefore, the RCIC system is initiated at Level 2 to assist in maintaining water level above the active fuel. The Reacter Vessel Water Level-Low, Level 2 is one of the Functions (7a) assumed to be OPERABLE and capable of initiating RCIC during the transients analyzed in Reference 2 and 8. The Reactor Vessel Water Level-Low, Level 2 Function associated with RCIC is directly assumed in the analysis of the Design Basis Accident (maximum steamline break, or maximum fEedwater line break, or maximum RHR shutdown suction line break). I This Function also initiates a containment isolation and isolates the Reactor Water Clean-up system. Tta isolation Functions (7.b) are not specifically assumed in any of the ABWR SSAR analysis, however, they are implicitly assumed in fission release calculations since the paths they isolate are assumed to be isolated. The core cooling function of the ECCS, along with the isolation and RPS scram actions, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Automatic Standby Liquid Control System (SLCS) and Feedwater Runback (FWRB) are also initiated by this Function (7c). These features are provided to mitigate a postulated ATWS event. Each ESF DTM receives a data value representing measured reactor vessel level value from the EMS in its division and (continued) ( ABWR TS B 3.3-34 P&R 08/30/93 l
SSLC Sensor Instrumentation l B 3.3.1.1 BASES APPLICABLE 7.a.. b. & c. Reactor Vessel Water Level-Low. Level 2 I SAFETY ANALYSIS, (continued) LCO, and APPLICABILITY compares it against a numeric setpoint to determine if a ( Continued ) level 2 trip is required. The reactor water level signals originate in four independent (separate vessel taps, instrument piping, etc.) level transmitters that sense the pressure difference between a constant column of water (reference leg) and the effective water column (variable j leg) in the vessel. The Reactor Vessel Water Level - Level 2 Allowable Value is chosen such that for complete loss of feedwater flow, the RCIC System flow, coupled with an assumed failure of the high pressure core flooders, will be sufficient to avoid initiation of low pressure ECCS at Reactor Vessel Water Level >
- Low, Level 1.
Three unbypassed divisions of Reactor Vessel Water l Level-Low, level 2 function are required to be OPERABLE to l ensure that no single instrument failure will preclude a protective action from this Function on a valid signal. The Reactor Vessel Water Level-Level 2 Functions 3a. and 3b. i are required to be OPERABLE in modes 1, 2, & 3. The CLfW t isolation is also required to be OPERABLE during CORE l ALTERATIONS or operations with the potential for draining the reactor vessel. Refer to LCO 3.5.1 and LC0 3.5.2 for Applicability Baser for the RCIC system and LCO 3.6.1 for the Applicability ~.!s for isolation. Function 7c. is required to be OPERABLE in MODE 1 since this is the MODE where ATWS features must be OPERABLE. I 8.a. & b. Reactor Vessel Water Level-Low. Level 1.5 Low RPV water level indicates that the capability to cool < the fuel may be threatened. Should RPV water level decrease , too far, fuel damage could result. Therefore, the HPCF ' Systems and associated DGs are initiated at Level 1.5 to maintain level above the top of the active fuel. The Reactor Vessel Water-Low, Level 1.5 is one of the Functions l (8.a) assumed to be OPERABLE and capable of initiating HPCF ; I during the transients analyzed in References 2 and 8. The ; Reactor Vessel Water Level -Low, Level 1.5 Function i associated with HPCF is directly assumed in the analysis of ! (continued) ABWR TS B 3.3-35 P&R 08/30/93 3
i SSLC Sensor Instrumentation B 3.3.1.1 BASES APPLICABLE 8.a. & b. Reactor Vessel Water level-Low. level L5 SAFETY ANALYSIS, (continued) LCO, and APPLICABILITY the Design Basis Accident (maximum steamline break, or ( Continued ) maximum feedwater line break, or maximum RHR shutdown , suction line break). ; I This Function (8 b) also initiates an MSIV closure. The MSIV ! closure is not specifically assumed in any of the ABWR SSAR analysis, however, they are implicitly assumed in fission , release calculations since the calculations assume the main ! steam lines are isolated. The core cooling function of the ECCS, along with scram and MSIV closure, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. j l Each DTM receives a data value represerting measured reactor ' l vessel level value from the EMS in its division and compares l it against a numeric setpoint to determine if a level 1.5 l trip is required. The reactor water level signals originate ! in four independent (separate vessel tcps, instrument piping, etc.) level transmitters that sense the pressure difference between a constant column of water (reference , l leg) and the effective water column (variable leg) in the l vessel. j The Reactor Vessel Water Level- Level 1.5 Allowable Value is chosen such that for complete loss of feedwater flow, the HPCF flow, coupled with an assumed failure of the RCIC, will be sufficient to avoid initiation of LPFL at Reactor Vessel Water Level - Level 1. Three unbypassed divisions of Reactor Vessel Water Level-Low, Level 1.5 Function are required to be OPERABLE to ensure that no single instrument failure will preclude a protective action from this function on a valid signal. The Reactor Vessel Water Level-Level 1.5 Function is required to be OPERABLE in modes 1, 2, & 3. Refer to LC0 3.5.1 and LC0 3.5.2 for Applicability Bases for the HPCF l
. system and LC0 3.6.1 for the Applicability basis for -
isolation. (continued) ABWR TS B 3.3-36 P&R 00/30/93
l l l SSLC Sensor Instrumentation : B 3.3.1.1 l i l BASES i APPLICABLE 5.a. b. & c. Reactor Vessel Water Level--Low. Level 1 SAFETY ANALYSIS, LCO, and Low reactor pressure vessel (PPV) wa'ar level indicates that APPLICABILITY the capability to cool the fuel may be threatened. Should , ( Continued ) RPV water le';el decrease too far, fuel damage could result. RCW, ADS, LPFL, and the associated DGs are initiated at Level 1 to ensure that low pressure flooding is available to , , prevent or minimize fuel damage. The Reactor Vessel Water Level-{ow, Level 1 Function (9.a&b) is assumed to be OPERABLE and capable of initiating LPFL during the transients analyzed in References 2 and 8. In addition, the Reactor Vessel Water Level-- Low, Level 1 ADS and LPFL initiation is assumed in the analysis of Design Basis Accidents (maximum stearline break, or maximum feedwater line break, or maximum RHR shutdown suction line break) (Ref. 1). Additional details on the conditions for initiating ADS are given in the background section of this LCO. This Function (9.c) is also used in the containment isolation logic. The containment isolation is not specifically assumed in any of the ABWR SSAR analysis, however, they are implicitly assumed in fission release calcto::tions since the calculations assume these paths are isolu td. The core cooling function of the ECCS, along with the scram and isolation actions, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR C3.46. Each ESF DTM receives two data values representing measured reactor vessel level value from the EMS in its division and compares them against a numeric setpoint to determine if a level 1 trip is required. The reactor water level signals originate in eight level transmitters that sense the pressure difference between a constant column of water (reference leg) and the effective water column (variable leg) in the vessel. Data values from four independent ; transmitters (sepanate vessel taps, instrument piping, etc.) l are used in the trip calculations for ADS A, LPFL A & C l (9.a), and for the isolation logic (9.c). Four additional j transmitters are used to provide data values for initiating - the Diesel Generators, the Reactor Building Cooling Water, 1 ADS B and LPFL B (9.b). (continued)
, ABWR TS B 3.3-37 P&R 08/30/93 1
l 1
SSLC Sensor Instrumentation B 3.3.1.1 ! BASES APPLICABLE 9.a. b. 1_ c . Reactor Vessel Water L e vel -- L ow. Level 1 SAFETY ANALYSIS, (continued) LCO, and APPLICABILITY The Reactor Vessel Water Level-Low, Level 1 Allowable Value ( Continued ) is high enough to allow sufficient time for the high pressure systems to be effective before the low pressure flooders initiate and provide adequate cooling. Three unbypassed divisions of Reactor Vessel Water Level--Low, Level 1 Function are required to be OPERABLE to ensure that no single instrument failure will preclude a protective action from this function on a valid signal. The Reactor Vessel Water Level-Level 1 Function is required to be OPERABLE in modes 1, 2, & 3. Refer to LC0 3.5.1 and LC0 3.5.2 for the Apolicability Bases of the ADS & LPFL systems, LCO 3.8.1 and 3.8.2 for the Applicability Bases of the DGs and LCO 3.6.1 for the Applicability basis for isolation. !
- 10. Main Steam Isolation Valve--Closure MSIV closure results in loss of the main turbine and the condenser as a heat sink for the Nuclear Steam Supply System and indicates a need to shut down the reactor to reduce heat generation. Therefore, a reactor scram is initiated on a Main Steam Isolation Valve-Closure signal before the MSIVs are completely closed in anticipation of the complete loss of the normal heat sink and subsequent overpressurization transient. However, for the overpressurization protection analysis of Reference 11, the Average Power Range Monitor Fixed Neutron Flux--High Function, along with the S/RVs, '
limits the peak RPV pressure to less than the ASME Code limits. That is, the direct scram on position switches for MSIV closure events is not assumed in the overpressurization analysis. Additionally, MSIV closure scram is assumed in the transients analyzed in Reference 2 (e.g., low steam line pressure, manual closure of MSIVs, high steam line flow). The reactor scram reduces the amount of energy to be absorbed and, along with the actions of the ECCS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Each RPS DTM directly receives (i.e. not via the EMS) valve l closure data from both the outboard and inboard MSIVs on a i (continued) ABWR TS B 3.3-38 P&R 08/30/93 l _ . . . -.
SSLC Sensor Instrumentation B 3.3.1.1 BASES APPLICABLE 10. Main Steam Isolation Valve-Closure (continued) SAFETY ANALYSIS, LCO, and single steamline. The closure signals originate from APPLICABILITY position switches mounted on each MSIV. The Main Steam ( Continued ) Isolation Valve-Closure logic will cause a scram when the steam flow is shut off in two or more steam lines. One division (i.e. one steamline) of this function may be bypassed to permit operation with one steamline isolated. The Main Steam Isolation Valve-Closure Allowable Value is specified to ensure that a scram occurs prior to a significant reduction in steam flow, thereby reducing the severity of the subsequent pressure transient. Note that the allowable value is not implemented in the initiation logic, but is part of the MSIV requirements and the MSIVs are part of the Nuclear Boiler System (NBS). Three unbypassed divisions of the Main Steam Isolation Valve-Clorure Function are required to be OPERABLE to ensure that no single instrument failure will preclude the scram from this Function on a valid signal. This Function is only required in MODE 1 since, with the MSIVs open and the heat generation rate high, a pressurization transient can occur if the MSIVs clos 3. In MODE 2, the heat generation rate is low enough so that the other diverse RPS functions provide sufficient protection. II .a. . b. & c. Drywell Pressure-Hiah High pressure in the drywell could indicate a Reactor Coolant Pressure Boundary (RCPB) break inside the drywell. Various protective actions are initiated to minimize the possibility of fuel damage, to reduce the amount of energy added to the coolant and the drywell, and to keep offsite dose within limits. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The protective actions are:
- Reactor Scram (ll.a). This function provides a scram signal that is diverse to the Reactor Vessel Water Level-Low, Level 3 Function for LOCA events inside the drywell . This scram initiation is not specifically credited in any ABWR SSAR analysis, but it is retained (continued)
ABWR TS B 3.3-39 P&R 08/30/93
SSLC Sensor Instrumentation B 3.3.1.1 BASES APPLICABLE ll.a.. b.. & c. Drywell Pressure-Hiah (continued) SAFETY ANALYSIS, LCO, and for the overall redundancy and diversity of the RPS as APPLICABILITY required by the NRC approved licensing basis. ( Continued ) '
- ECCS pumps (LPFL, HPCF, & RCIC) and the associated Diesel-Generators (DGs) (ll.b). This function provides an ECCS initiation signal that is diverse to the low reactor water level initiations. ECCS initiation on this function is not specifically credited in any ABWR SSAR analysis, but it is retained for overall redundancy and ,
diversity as requ. red by the NRC approved licensing basis.
- Automatic Depressurization System (ADS) (ll.b). The Drywell Pressure-High is assumed to be OPERABLE and capable of initiating the ADS during the accidents analyzed in Reference 1.
- Containment Isolation (ll.c). The isolation of some of the CIVs on high drywell pressure supports actions to ensure that offsite dose limits of 10 CFR 100 are not i exceeded. The Drywell Pressure-High Function associated ,
with isolation of the containment is implicitly assumed in the ABWR SSAR accident analysis as these leakage paths - are assumed to be isolated post LOCA. Each DTM ( both the RPS and ESF DTM's) receives a data value representing measured drywell pressure from the EMS in its division and compares it against a numeric setpoint to determine if a trip is required. Drywell pressure is ! measured using four pressure transmitters connected to the drywell atmosphere. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside l primary containment. Negative barometric fluctuations are accounted for in the Allowable Value. Three unbypassed divisions of Drywell Pressure-High Function are required to be OPERABLE to ensure that no single instrument failure will preclude protective action from this . Function on a valid signal. The Function is required in l MODES 1, 2, and 3 where considerable energy exists in the RCS, resulting in the limiting transients and accidents. In MODES 4 and 5, the Drywell Pressure-High function is not required since there is insufficient energy in the reactor (continued) ABWR TS B 3.3-40 P&R 08/30/93 , _ -. - _ . _ ._,t _ ~. _. -
l SSLC Sensor Instrumentation 1 B 3.3.1.1 BASES l APPLICABLE ll.a., b., & c. Drywell Pressure-Hiah (continued) SAFFTY ANALYSIS, LCO, and to pressurize the drywell to the Drywell Pressure 41igh APPLICABILITY setpoint. ( Continued )
- 12. CRD Accumulator Charaina Header Pressure-Low ,
l The Control Rod Drives (CRD) use high pressure water that is l stored in accumulators as the motive power for driving in the control rods. The accumulators are connected through suitable valve arrangements to a header which provides the ! high pressure water. If the header pressure is lower then , some threshold value then the control rod insertion time may ; ! be greater then specified. Therefore, a low CRD accumulator charging header pressure scram is provided. The CRD header , i pressure is indirectly used in any safety analysis where the ! scram time is a significant parameter. Each RPS DTM receives a measured CRD charging header i pressure value from its associated EMS and compares it against a numeric setpoint to determine if a trip is required. CRD charging header pressure is measured using four pressure transmitters connected to the header. The , Allowable Value was selected to assure that the scram time l will be equal to or less than the values used in various safety analysis with the reactor pressure at the highest value that occurs during the analyzed events. - The CRD charging header pressure trip may be manually l l bypassed from keylock switches in each division when the reactor is in the shutdown or refueling modes. Each division sends a rod withdrawal block to the Rod Control and l Information System (RC&IS) when the bypass is invoked in ! that division. i Three unbypassed divisions of CRD Accumulator Charging l Header Pressure-Low are required to be OPERABLE to ensure l that no single instrument failure will preclude a scram from this function on a valid signal. The Function is required to be OPERABLE in MODES I and 2 when the scram function is , required and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies. At all ; other times, this Function is not required. (continued) l l ABWR TS B 3.3-41 P&R 08/30/93 l l l l 1 l ;
y i SSLC Sensor Instrumentation B 3.3.1.1 - BASES APPLICABLE 13. Turbine Stop Valve-Closure , SAFETY ANALYSIS, LCO, and Closure of the Turbine Stop Valves (TSV) results in the loss i l APPLICABILITY of the normal heat sink and causes reactor pressure, neutron ( Continued ) flux, and heat flux transients that must be limited. Therefore, a reactor scram is initiated at the start of TSV ' l closure in anticipation of these transients. The Turbine : Stop Valve-Closure Function is the primary scram signal for : the turbine trip event analyzed in Reference 2. For this event, the reactor scram reduces the amount of energy to be absorbed and, along with the actions of the End of Cycle Recirculation Pump Trip (E0C-RPT), ensures that the MCPR SL is not exceeded. ! Turbine Stop Valve-Closure signals are initiated by a i position switch on each of the four stop valves. Each i position switch sends a discrete signal directly to one of ; the four RPS DTMs. The logic for the Turbine Stop Valve- ; Closure Function is such that a trip will occur when closure ; of two or more TSV is detected. This Function must be enabled at THERMAL POWER 2: 40% RTP. , This is normally accomplished automatically using the data , from four independent pressure transmitters sensing turbine first stage pressure. Turbine first stage pressure data is received in each RPS DTM via the EMS. The Turbine Stop Valve-Closure Allowable Value is selected ; to be high enough to detect imminent TSV closure thereby , reducing the severity of the subsequent pressure transient. Three unbypassed divisions of Turbine Stop Valve-Closure are ! required to be OPERABLE to ensure that no single instrument t failure will preclude a scram from this Function. This Function is required, consistent with analysis assumptions, whenever THERMAL POWER is 2: 40% RTP. The Reactor Vessel Steam Dome Pressure--High and the Average Power Range Monitor Fixed Neutron Flux--High Functions are adequate to maintain the necessary safety margins when power is less than 40% RTP. (continued) ABWR TS B 3.3-42 P&R 08/30/93
I SSLC Sensor lastrumentation B 3.3.1.1 BASES APPLICABLE 14. Turbine Control Valve Fast Closure. Trio Oil Pressure-SAFETY ANALYSIS, Low LCO, and APPLICABILITY Fast closure of the TCVs results in loss of the normal heat ! ( Continued ) sink and causes reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, a reactor ; scram is initiated on TCV fast closure in anticipation of , these transients. The Turbine Control Valve Fast Closure, Trip Oil Pressure-Low function is the primary scram signal for the generator load rejection event analyzed in Reference 2. For this event, the reactor scram reduces the amount of energy to be absorbed and, along with the actions of the EOC-RPT System, ensures that the MCPR SL is not exceeded. Turbine Control Valve f ast Closure, Trip Oil Pressure-Low signals are initiated from a pressure sensor on each of the four turbine control valve hydraulic mechanisms. The pressure sensor data associated with each control valve is transmitted directly to one of the four RPS DTMs. This function must be enabled at THERMAL POWER 2 40% RTP as described for the Turbine Stop Valve-Closure Function. l The Turbine Control Valve Fast Closure, Trip Oil - i Pressure-Low Allowable Value is selected high enough to - detect imminent TCV fast closure. Three unbypassed divisions of Turbine Control Valve Fast Closure, Trip Oil Pressure-Low Function are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this function on a valid signal. This Function is required, consistent with the analysis assumptions, whenever THERMAL POWER is a 40% RTP. The Reactor Vessel Steam Dome Pressure-High and the Average Power Range Monitor Fixed Neutron Flux-High Fu; :tions are , adequate to maintain the necessary safety margins when power ! is less than 40% RTP. l l 15.a. & b. Main Steam Tunnel Radiation-Hioh High radiation in the steam line tunnel indicates a potential gross fuel failure. The MSIVs are therefore closed when high steam tunnel radiation (15.b) is detected to prevent possible violation of the offsite release limits. The MSIV closure causes a loss of the normal heat sink which (continued) ABWR TS B 3.3-43 P&R 08/30/93 l l
-- - ~.__ ._.. _ _
I SSLC Sensor Instrumentation B 3.3.1.1 i BASES APPLICABLE 15.a. & b. Main Steam Tunnel Radiation-Hiah (continued) SAFETY ANALYSIS, ! LCO, and results in reactor pressure, neutron flux, and heat flux ! APPLICABILITY transients that must be limited. Therefore, a reactor scram ? ( Continued ) (15.a) is also initiated on high radiation in the main steam ! tunnel to rapidly reduce power and therefore the severity of the transients. This Function is not specifically credited in any ABWR SSAR analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. High steam tunnel radiation is detected using four radiation detectors located such that each detector can sense all four main steam lines. One radiation detector is connected to each division of the Process Radiation Monitoring (PRRM) System where trip signals are generated when the radiation level exceeds its setpoint. A discrete signal is sent , directly from the PRRM divisions to the RPS DTM in the same division (i.e. does not come through the EMS). The Allowable Value for this Function is set low enough to provide reasonable assurance that a scram will occur due to excessive radiation but high enough to prevent spurious scrams due to normal steam tunnel radiation levels. Three unbypassed divisions of Steam Line Tunnel Radiation-High are required to be OPERABLE in MODES 1, 2 & 3. See LCO 3.6.1.1 for the applicability basis. 16.a. & b. Suppression Pool Temperature-Hiah High temperature in the suppression pool could indicate a break in the reactor coolant system or a leak through the Safety / Relief Valves (S/RV), or a stuck open S/RV. A reactor scram (16.a) is initiated to reduce the amount of energy being added to the containment. The Suppression Pool Temperature-High Function is assumed in the stuck open S/RV analysis. l High suppression pool temperature signals originate in four i divisions of temperature sensors distributed throughout the j suppression pool. The suppression pool temperature ! monitoring system in each of the four divisions calculates a bulk average temperature from the sensors and compares in against a setpoint. The high temperature trip data from the (continued) ABWR TS B 3.3-44 P&R 08/30/93 1
i 1 l t ! SSLC Sensor Instrumentation
- B 3.3.1.1 i :
l 1 l BASES APPLICABLE 16.a. & b. Suporession Pool Temperature-Hiah (continued) SAFETY ANALYSIS, LCO, and suppression pool temperature monitoring system is connected APPLICABILITY to the RPS DTM in the same division. The allowable value was : ( Continued ) selected considering the maximum normal suppression pool , temperature and to indicate a stuck open S/RV. This Function (16.b) also cause automatic initiation of the : suppression pool cooling mode of the RHR systeas. l l Three divisions of the Suppression Pool Temperature-High l Function are required to be OPERABLE to provide confidence i that no single failure will preclude a scram from this function on a valid signal. The Function is required in MODES 1 and 2 where considerable energy exists in the primary coolant. , i
- 17. Condensate Storaae Tank level-Low I ihe normal source of water for the RCIC and HPCF pumps is the Condensate Storage Tank (CST). Low level in the ,
Condensate Storage Tank (CST) indicates the potential for an inadequate supply of makeup water. If the water level in the CST falls below a specified level, the suppression pool suction valve automatically opens, followed by automatic ' closure of the CST suction valve. This ensures that an adequate supply of makeup water is available to the pumps. To prevent losing suction to the pump, the valves are interlocked so that the suppression pool suction valve must be open before the CST suction valve automatially closes. The Function is implicitly assumed in the accident and transient analyses which take credit for RCIC or HPCF since the analyses assume that the suction source is the suppression pool. Each ESF DTM receives a data value representing measured condensate storage tank level fror the EMS in its division and compares it against a numeric st:tpoint to determine if a transfer is required. Condensate Storage Tank Level-Low , signals originate from four level transmitters. The ! Condensate Storage Tank Level-Low Function Allowable Value ; is high enough to ensure adequate pump suction head while water is being taken from the CST. (continued) ABWR TS B 3.3-45 P&R 08/30/93 1 1
SSLC Sensor Instrumentation B 3.3.1.1 BASES APPLICABLE 17. Condensate Storaae Tank Level-Low (continued) l SAFETY ANALYSIS, i LCO, and Three divisions of the Suppression Pool Temperature-High ! APPLICABILITY Function are required to be OPERABLE to provide confidence l ( Continued ) that no single failure will preclude a transfer of the ! suction source on a valid signal. The Function is required ! to be ORERABLE in MODE I and in MODES 2 and 3. This Function ! must also be OPERABLE in MODES 4 and 5 when HPCF is used to ! satisfy the requirement that at least 2 ECCS system be ! OPERABLE with RPV Level less than [23] feet above the vessel ! flange. The applic-hility basis is the same as given for -! RCIC and HPCF in Ltc 3.5.1 and LC0 3.5.2. j
- 18. Suppression Pool Water Level-Hioh Excessively high suppression pool water could result in the !
loads on the suppression pool exceeding desigt values should i there be a blowdown of the reactor vessel pressure through , the S/RVs. Therefore, high suppression pool water level is ; used to transfer the suction source of RCIC and HPCF from 1 the Condensate Storage Tank (CST) to the suppression pool to eliminate the possibility of continuing to provide additional water from a source outside containment. To i prevent losing suction to the pump,- the suction valves are !
- interlocked so that the suppression pool suction valve must l be open before the CST suction valve automatically closes. ;
This Function is implicitly assumed in the accident and l transient analyses which take credit for RCIC or SPCF since ! the analyses assume that the suction source is the i suppression pool. i l 1 Each ESF DTM receives a data value representing measured ! l suppression pool water level from the EMS in its division l and compares it against a numeric setpoint to determine if a l transfer is required. Suppression Pool Water Level-High data originates in four level transmitters. The Allowable ! Value for the Suppression Pool Water Level-High Function is ! chosen to ensure that RCIC and HPCF will be aligned for i suction from the suppression pool before the water level ! reaches the point at which suppression pool design loads l would be exceeded. j Three divisions of the Suppression Pool Temperature-High ) Function are required to be OPERABLE to provide confidence that no single failure will preclude a transfer of the (continued) ABWR TS B 3.3-46 P&R 08/30/93
L SSLC Sensor Instrumentation B 3.3.1.1 i BASES l APPLICABLE 18. Suppression Pool Water level-Hiah (continued) . SAFETY ANALYSIS, l LCO, and suction source on a valid signal. The Function is required APPLICABILITY to be OPERABLE in MODE I and in MODES 2 and 3. This function ( Continued ) must also be OPERABLE in MODES 4 and 5 when HPCF is used to satisfy the requirement that at least 2 ECCS system be , OPERABLE with RPV Level less than [23] feet above the vessel i flanges. The applicability basis is the same as given for RCIC and HPCF in LC0 3.5.1 and LC0 3.5.2.
- 19. Main Steam Line Pressure-Low Low MSL pressure indicates that there may be a problem with the turbine pressure regulation, which could result in a low
- reactor vessel water level condition and the RPV cooling down more than 100*F/ hour if the pressure loss is allowed to l continue. The Main Steam Line Pressure-Low Function is ,
directly assumed in the analysis of the pressure regulator failure (Ref. 2). For this event, the closure of the MSIVs ensures that the RPV temperature change limit (100*F/ hour) is not reached. In addition, this function supports actions to ensure that Safety Limit 2.1.1.1 is not exceeded. (This Function closes the MSIVs prior to pressure decreasing below l 785 psig, which results in a scram due to MSIV closure, thus l reducing reactor power to < 25% RTP.) l The MSL low pressure data originates in four transmitters that are connected to the MSL header. The transmitters are arranged such that, even though physically separated from each other, each transmitter is able to detect low MSL pressure. The pressure transmitter signals are digitized and transmitted to the RPS DTMs via the EMS. Three divisions of i Main Steam Line Pressure-Low Function are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function or cause a spurious isolation. The Allowable Value was selected to be high enough to prevent excessive RPV depressurization. The Main Steam Line Pressure-Low Function is required to be OPERABLE in MODE 1 since this is when the assumed transient can occur. The Function is automatically bypassed when the reactor mode switch is not in the RUN position. ] (continued) ABWR TS B 3.3-47 P&R 08/30/93
. LL
l ! SSLC Sensor Instrumentation B 3.3.1.1 i BASES APPLICABLE 20. Main Steam Line Flow-Hioh SAFETY ANALYSIS, LCO, and Main Steam Line flow-High is provided to detect a break of APPLICABILITY the MSL and to initiate closure of the MSIVs. If the steam ' ( Continued ) were allowed to continue flowing out of the break, the reactor would depressurize and the core could uncover. If the RPV water level decreases too far, fuel damage could occur. Therefore, the isolation is initiated on high flow ; The Main Steam Line Flow-High to prevent core damage. Function is directly assumed in the analysis of the main stream line break (MSLB) accident (Ref. 1). The isolation action, along with the scram function of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46 and offsite doses do not exceed the ' 10 CFR 100 limits. The MSL flow data originates in 16 transmitters that are - connected to the four MSLs. The transmitters are arranged such that, even though physically separated from each other, all four connected to one steam line can detect high flow. The flow transmitter signals are digitized and transmitted to the RPS DTMs via the EMS. Three divisions of Main Steam l Line Flow-High Function for each unisolated MSL are - required to be OPERABLE so that no single instrument failure will preclude detecting a break in any individual MSL or cause a spurious isolation. The Allowable Value is chosen to ensure that offsite dose ! limits are not exceeded due to the break. This Function is required to be OPERABLE in MODES 1, 2, and 3 consistent with ! the Applicability for LC0 3.6.1.1, " Primary Containment."
- 21. Condenser Vacuum-Low ,
The Condenser Vacuum-Low Function is provided to prevent overpressurization of the main condenser in the event of a loss of the main condenser vacuum. Since the integrity of l the condenser is an assumption in offsite dose calculations, l ths Condenser Vacuum-Low Function is implicitly assumed ta be OPERABLE and capable of initiating closure of the h!Vs. The closure of the MSIVs is initiated to prevent the addition of steam that would lead to additional condens'.c pressurization and possible rupture of the diaphragm installed to protect the turbine exhaust hood, thereby (continued) 1 ABWR TS B 3.3-48 P&R 08/30/93
. _ - . .. l
i SSLC Sensor Instrumentation B 3.3.1.1 BASES I APPLICABLE 21. Condenser Vacuum-low (continued) SAFETY ANALYSIS, LCO, and ,,reventing a potential radiation leakage path following an APPLICABILITY accident. ( Continued ) Condenser vacuum pressure data originates in four pressure transmitters that sense the pressure in the condenser. The pressure transmitter signals are digitized and transmitted ! to the RPS DTMs via the EMS. Three divisions of Condenser Vacuum-Low function are required to be OPERABLE to ensure no single instrument failure can preclude the isolation function or cause a spurious isolation. The Allowable Value is chosen to prevent damage to the ' condenser due to pressurization, thereby ensuring its ! integrity for offsite dose analysis. This Function is required to be OPERABLE in mode 1, consistent with LC0 3.6.1.1. However, as noted in footnote (h) to Table 3.3.1.1-1, the Function is required to be OPERABLE in MODES 2 and 3 only when one or more TSVs are not fully l closed, since the potential for condenser overpressurization is minimized. Operator controls are provided to manually bypass the Function. Bypass is automatically prohibited unless all TSVs are closed, the reactor mode switch is not in run, and reactor pressure is low. j r i
- 22. Main Steam Tunnel Temperature--Hiah !
Main Steam Tunnel Temperature-High is provided to detect a leak in the RCPB, and provides diversity to the high steam line flow Function. This function is capable of detecting a very small leak. If the small leak is allowed to continue ! without isolation, offsite dose limits may be reached. However, credit for these instruments is not taken in any l transient or accident analysis in the ABWR SSAR, since ! l bounding analyses are performed for large breaks such as ' MSLBs. Main steam temperature data originates in four temperature l transmitters located in the area being monitored. The ; l temperature signals are digitized and transmitted to the RPS a and ESF DTMs via the EMS. Three divisions of Main Steam ) Tunnel Temperature-High function are required to be OPERABLE to ensure that no single instrument failure can (continued) ABWR TS B 3.3-49 P&R 08/30/93
P l SSLC Sensor instrumentation ; B 3.3.1.1 ] BASES ) APPLICABLE 22. Main Steam Tunnel Temperature-Hiah (continued) ! SAFETY ANALYSIS, l LCO, and preclude the isolation function or cause a spurious ! APPLICABILITY isolation. ( Continued ) : The Main Steam Tunnel Temperature-High Allowable Value is ! chosen to detect a leak equivalent to [25] gpm. This : Function is required to be OPERABLE in MODES 1, 2, and 3 l consistent with the Applicability for LC0 3.6.1.1, " Primary l Containment." _ l
- 23. Main Tyrbine Area Temperature-Hiah l Min turbine area temperatures are provided to detect a leak from the associated system steam piping. This Function is i capable of detecting a very small leak and is diverse to the !
high steam line flow function. If the small leak is allowed , to continue without isolation, offsite dose limits may be ! reached. These functions are not assumed in any ABWR SSAR , transient or accident analysis, since bounding analyses are ; performed for large breaks. ; Main turbine area temperature data originates in four ! temperature transmitters that are appropriately located to i detect potential leaks in the main steam lines. The. l temperature transmitter data is digitized and transmitted to i the RPS DTMs in each division via the associated EMS. Three . divisions of the Main Turbine Area Temperature-High Function are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function or > cause a spurious isolation. The Allowable Values are set low enough to detect a leak equivalent to 25 gpm. This function is required to be OPERABLE in MODES 1, 2, and 3 consistent with the Applicability for LC0 3.6.1.1, " Primary Containment." 24a. & 24b. Reactor Buildina Area / Fuel Handlino Area Exhaust Radiation-Hiah High ventilation exhaust radiation is an indication of possible gross failure of the fuel cladding. The release may have originated from the containment due to a break in the RCPB or from the refueling floor due to a refueling (continued)- ABWR TS B 3.3-50 P&R 08/30/93-
)
i l l SSLC Sensor Instrumentation I B 3.3.1.1 i l l BASES APPLICABLE 24a. & 24b. Reactor Buildina Area / Fuel Handlina Area Exhaust l SAFETY ANALYSIS, Air Radiation-Hiah (continued) l LCO, and APPLICABILITY accident. When Exhaust Air Radiation-High is detected, ( Continued ) valves whose penetrations communicate with the containment i atmosphere are isolated to limit the release of fission products. Additionally, this Function is assumed to : initiate isolation of the containment during a fuel handling : accident (Ref. 2). j The Exhaust Radiation-High signals are initiated from radiation detectors that are located on the ventilation exhaust piping coming from the monitored areas. There are four radiation detectors in each area which are connected to i the four independent PRRM divisions. Trip signals from the ! PRRM divisions are sent to the ESF DTMs in the same division. Three divisions of Exhaust Air Radiation-High are ' required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function or cause a l spurious isolation. , The Allowable Values are chosen to promptly detect gross failure of the fuel cladding and to ensure offsite doses remain below 10 CFR 20 and 10 CFR 100 limits. This function is required to be OPERABLE in MODES 1, 2, & 3. In addition the Function is required to be OPERABLE during CORE ALTERATIONS, operations with a potential for draining the reactor vessel (0PDRVs), and movement of irradiated fuel assemblies in the primary or secondary containment because ! the capability of detecting radiation releases due to fuel failures (due to fuel uncovery or dropped fuel assemblies) must be provided to ensure offsite dose limits are not exceeded.
- 25. RCIC Steam Line Flow-Hiah The RCIC Steam Line flow-High Function is provided to l detect a break of the RCIC steam lines and initiates closure I of the RCIC steam line isolation valves. If the steam is l allowed to continue flowing out of the break, the reactor ;
will depressurize and core uncovery can occur. Therefore, the isolation is initiated on high flow to prevent core i damage. Specific credit for this Function is not assumed in any ABWR SSAR accident analyses since the bounding analysis (continued) ABWR TS B 3.3-51 P&R 08/30/93
.I SSLC Sensor Instrumentation B 3.3.1.1 BASES i
APPLICABLE 25. RCIC Steam Line Flow--High (continued) SAFETY ANALYSIS, ; LCO, and is performed for large breaks such as MSL breaks. However, ; APPLICABILITY these instruments prevent the RCIC steam line break from ( Continued ) becoming bounding. The RCIC Steam Line Flow--High data originates in four transmitters that are connected to the RCIC steam lines. The transmitter signals are digitized and transmitted to the ESF ! DTMs via the EMS. Three divisions of RCIC Steam Line Flow-High Functions are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function or cause a spurious isolation. , The Allowable Value is chosen to be low enough to ensure that the trip occurs to prevent fuel damage and maintains the MSLB event as the bounding event. This function is
- required to be OPERABLE in MODES 1, 2, and 3 consistent with the Applicability for LCO 3.6.1.1, " Primary Containment."
- 26. RCIC Steam Suooly Line Pressure--Low Low RCIC steam supply line pressure indicates that the pressure of the steam in the RCIC turbine may be too low to continue operation of the turbine. This isolation is for equipment protection and is not assumed in any transient or ,
accident analysis in the ABWR SSAR. However, it also ' provides a diverse signal to indicate a possible system break. These instruments are included in the Technical Specifications (TS) because of the potential for risk due to 1 possible failure of the instruments preventing RCIC l initiations. The RCIC Steam Supply Line Pressure-Low data originates in four pressure transmitters that are connected to the system steam line. The transmitter signals are digitized and transmitted to the ESF DTMs via the EMS. Three divisions of RCIC Steam Supply Line Pressure--Low Functions are required l to be OPERABLE to ensure that no single instrument failure i can preclude the isolation function or cause a spurious ; i sol ation. l l The Allowable Value is selected to be high enough to prevent damage to the system's turbines. This Function is required i I (continued) ABWR TS B 3.3-52 P&R 08/30/93
SSLC Sensor Instrumentation B 3.3.1.1 BASES APPLICABLE 26. RCIC Steam Supply Line Pressure-Low (continued) SAFETY ANALYSIS, LCO, and to be OPERABLE in MODES 1, 2, and 3 consistent with the APPLICABILITY Applicability for LC0 3.6.I.1, " Primary Containment." , ( Continued ) l l
- 27. RCIC Turbine Exhaust Diaphraam Pressure-Hiah High turbine exhaust diaphragm pressure indicates that the pressure may be too high to continue operation of the RCIC turbine. That is, one of two exhaust diaphragms has ruptured and pressure is reaching turbine casing pressure l limits. This isolation is for equipment protection and is not assumed in any transient or accident analysis in the ABWR SSAR. These instruments are included in the TS because of the potential for risk due to possible failure of the i instruments preventing RCIC initiations (Ref. 3).
The RCIC Turbine Exhaust Diaphragm Pressure-High data originates in four transmitters that are connected to the area between the rupture diaphragms on the turbine exhaust line. The division I and division II ESF SLUs each receive , trip data from two of the turbine exhaust pressetre transmitters. Two-of-two isolation logic is used in the Slus i for this function. Four instrumentation channels of RCIC Turbine Exhaust Diaphragm Pressure-High functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function or cause a spurious isolation. l The Allowable Value , are high enough to prevent damage to the system's turbines. .
- 28. RCIC Eouipment Area Temperature-Hiah l
RCIC equipment area temperatures are provided to detect a leak from the associated system steam piping. This Function is capable of detecting a very small leak and is diverse to l the high flow Function. If the small leak is allowed to j continue without isolation, offsite dose limits may be reached. These Functions are not assumed in any ABWR SSAR transient or accident analysis, since bounding analyses are performed for large breaks such as MSL breaks. l 1 (continued) ABWR IS B 3.3-53 P&R 08/30/93 i l
, - ,-~
SSLC Sensor Instrumentation i B 3.3.1.1 BASES APPLICABLE 28. RCIC Eauipment Area Temperature--Hiah (continued) SAFETY ANALYSIS, LCO, and RCIC equipment area temperature data originates in APPLICABILITY temperature transmitters that are appropriately located to ( Continued ) detect potential leaks in RCIC steam lines. The temperature transmitter data is digitized and transmitted to the ESF DTMs via the EMS. Three divisions of the RCIC Equipment Area Temperature-High Function are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function or cause a spurious isolation. The Allowable Values are set low enough to detect a leak equivalent to 25 gpm. This Function is required to be OPERABLE in MODES 1, 2, and 3 consistent with the Applicability for LCO 3.6.1.1, " Primary Containment."
- 29. CUW Differential Flow--Hiah The high differential flow signal is provided to detect a break in the CUW System. This will detect leaks in the CUW System when area temperature would not provide detection (i.e., a cold leg break). Should the reactor coolant continue to flow out of the break, offsite dose limits may be exceeded. Therefore, isolation of the CUW System is initiated when high differential flow is sensed to prevent exceeding offsite doses. This function is not assumed in any ABWR SSAR transient or accident analysis, since bounding analyses are performed for large breaks such as MSLBs. '
Differential mass flow is calculated in the DTM in each ESF divisior, as the sum of the return and blowdown flows subtracted from the suction flow. In order to avoid spurious trips due to transient flow conditions, the flow mismatch l must persist for a specified time period before a trip is decl ared. The mass flow value for each of the three flows is calculated from differential pressure and temperature data I . associated with each of the flows. The data for the ! differential mass flow calculation originates in three differential pressure transmitters and three temperature transmitters in each division (total of 12 each type). The sensors are arranged to maintain adequate divisional separation while providing a representative measurement of flow and temperature in the three flow paths. The (continued) l j ABWR TS B 3.3-54 P&R 08/30/93 l i
l i l SSLC Sensor Instrumentation B 3.3.1.1 BASES APPLICABLE 29. CVW Differential Flow-Hiah (continued) SAFETY ANALYSIS, LCO, and differential pressure transmitter and temperature APPLICABILITY transmitter data is digitized and transmitted to the ESF ( Continued ) DTMs via the EMS. If the calculated flow difference is too large, each DTM generates an isolation signal. Three divisions of the CVW Differential Flow-High Function are required to be OPERABLE to ensure that no single instrument f ailure can preclude the isolation function or cause a spurious isolation. Three differential pressure SENSOR CHANNELS and three temperature SENSOR CHANNELS must be OPERABLE in a division in order for the Function to be OPERABLE in the division. Therefore, a failure in any one of the six sensors in a division will result in the Function i being declared inoperable in the division. The CUW Differential Flow-High Allowable Value ensures that ' the break of the CUW piping is detected. The Allowable Value of the persistence time is selected to ensure that the MSLB outside containment remains the limiting break in the ABWR SSAR analysis for offsite dose calculations. This Function is required to be OPERABLE in MODES 1, 2, and 3 consistent with the Applicability for LCO 3.6.1.1, " Primary Containment."
- 30. 31. & 32. CVW Area Temperatures-Hiah Ambient and Differential CUW Area Temperature-High j l Functions are provided to detect leaks in the CUW System. ,
l These Functions are capable of detecting very small leaks l and - for the hot portions of the CUW system - are diverse < to the high differential flow instrumentation. If the small i leak continues without isolation, offsite dose limits may be reached. Credit for these instruments is not taken in any transient or accident analysis in the ABWR SSAR, since bounding analyses are performed for large breaks such as MSLBs. CUW area temperature data originates in temperature elements that are located in the room that is being monitored. There are twelve temperature transmitters that provide input to the CUW Area Temperature-High Functions (four per area). The temperature data is digitized and transmitted to the l DTMs via the EMS. Three divisions are required to be (continued) ABWR TS B 3.3-55 P&R 08/30/93
SSLC Sensor Instrumentation . B 3.3.1.1 { BASES APPLICABLE 30. 31. & 32. CUW Area Temperatures-Hiah (continued) , SAFETY ANALYSIS, ! LCO, and OPERABLE to ensure that no single instrument failure can APPLICABILITY preclude the isolation function or cause a spurious , ( Continued ) isolation. ! l The CUW Area Temperature-High Allowable Values are set low j enough to detect a leak equivalent to 25 gpm. l l
- 33. RHR Area Temperature-Hiah !
i RHR Area Temperature-High is provided to detect a leak from l the associated system steam piping when the RHR is in the ; shutdown cooling mode. This Function is capable of detecting j a very small leak. If the small leak is allowed to continue i without isolation, offsite dose limits may be reached. i These Functions are not assumed in any ABWR SSAR transient l or accident analysis, since bounding analyses are performed ; for large breaks such as MSLBs. l RHR Area Temperature-High data originates in temperature l transmitters that are. appropriately located-to detect leaks ! in RHR equipment. Four instruments monitor each of the ! three RHR areas. The temperature transmitter outputs are ! digitized and transmitted to the ESF DTMs via the EMS. Three divisions of RHR Area Temperature-High Function are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function or cause a spurious isolation. This Function is only required to be OPERABLE in MODES 2 and , i 3 since these are the modes where the shutdown cooling mode ! of the RHR is used. The Allowable Values are set low enough to detect a leak equivalent to 25 gpm. i
- 34. CUW Isolation on SLC Initiation The isolation of the CUW System is required when the SLC-System has been initiated to pr .ent dilution and removal of the baron solution by the CUW Sjstem (Ref. 4). SLC System initiation signals originate from the two SLC pump start signals. The SLC pump A start signal is connected to the division I SLU and the pump B signal to the division II SLU (continued) l
. ABWR TS B 3.3-56 P&R 08/30/93-
SSLC Sensor Instrumentation ! ! B 3.3.1.1 i l { ! ! BASES j i APPLICABLE 34. CUW Isolation on SLC Initiation (continued) SAFETY ANALYSIS, LCO, and The data is shared between division via suitable isolators. 7 APPLICABILITY CUW isolation occurs when either pump is running. : ( Continued ) There is no Allowable Value associated with this Function ! since-it is mechanically actuated based solely on the position of the SLC System initiation switch. Two channels (one from each pump) of the SLC Initiation Function are required to be OPERABLE only in MODES 1 and 2, ! since these are the only MODES where the reactor can be t critical, and these MODES are consistent with the , Applicability for the SLC System (LCO 3.1.7). ! l 34, 35, 36, 37 & 38. ADS Division I/ Division II ECCS Pumo Discharge Pressure-Hiah (termissive) The Pump Discharge Pressure-High signals from the LPFL and i HPCF pumps are used as permissives for ADS initiation to i provide confidence that there is a source available to restore vessel water inventory prior to initiating reactor i blowdown. This Function is assumed to be OPERABLE and l capable of permitting ADS initiation during the events ; i analyzed in References 1 and 8. For these events, the ADS i' depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling functions. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature ; remains below the limits of 10 CFR 50.46. i i Pump discharge pressure data originates in two pressure l transmitters on the discharge side of each of the three low ' pressure and two high pressure ECCS pumps. The data from one transmitter on each pump is sent to the ESF DTM associated with ADS 1 and the data from the second transmitter on each pump is sent to the ESF DTM associated with ADS 2. The logic will declare an ADS permissive if any one of the 5 pressure values are above their respective setpoints. The Pump Discharge Pressure-High Allowable Value is less ; than the pump discharge pressure when the pump is operating i in a full flow mode, and above the maximum expected pressure that can occur when the pumps are running and the valves are (continued) ABWR TS B 3.3-57 P&R 08/30/93
I l : i SSLC Sensor Instrumentation ! B 3.3.1.1 ! l i BASES l ! APPLICABLE 34. 35, 36. 37 & 38. ADS Division I/ Division II ECCS Pump ! SAFETY ANALYSIS, Discharae pressure-Hiah (permissive) (continued) i LCO, and ! APPLICABILITY aligned for injection. The actual operating point of this j ( Continued ) Function is not assume <J in any ABWR SSAR analysis. , l Three ECCS Pump Discharge Pressure-High SENSOR CHANNELS in { l an ADS division are required to be OPERABLE to provide ! confidence that no single instrument failure can preclude > l ADS initiation on a valid condition. The SENSOR CHANNE!S are : required to be OPERABLE when the ADS is required to be {i OPERABLE. Refer to LC0 3.S.1 for ADS Applicability Bases. [ ! 39 & 40. Drvwell Sumo Drain Line LCW/HCW Radiation-Hiah I The drywell drain lines to the radwaste system are monitored i for high radiation using one detector in each of the drain lines. High activity in the drain lines could result in ; excessive radioactivity in the radwaste collection tanks. If ; the high activity flow continues without isolation, offsite l : dose limits may be reached. This function also provides a ! diverse indication of primtry coolant activity. Credit for : these instruments is not taken in any transient or accident (' analysis in the ABWR SSAR. 4 The detectors are connected to the PRRM system which sends a l trip signal to the division I SLU. The Allowable value is ' l selected to be consistent with primary coolant activity limits. One channel of each of the Functions is required to be OPERABLE in MODES 1, 2, and 3 consistent with the , Applicability for LCO 3.6.1.1, " Primary Containment." ! l ACTIONS A Note has been provided to modify the ACTIONS related to ! SSLC instrumentation channels. Section 1.3, Completion i Times, specifies that once a Condition has been entered, j subsequent trains, subsystems, components, or variables i expressed in the Condition, discovered to be inoperable or ! not within limits, will not result in separate entry into the Condition. Section 1.3 also speciiies that Required !
. Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial ,
entry into the Condition. However, the Required Actions for i inoperable SSLC instrumentation provide appropriate compensatory measures for multiple inoperable channels. As (continued) [ t 6 ABWR TS B 3.3-58 P&R 08/30/93 . l l
i SSLC Sensor Instrumentation B 3.3.1.1 ! BASES ACTIONS such, a Note has been provided that allows separate ! ( Continued ) Condition entry for each inoperable SSLC instrumentation i channel. - Note that some of the conditions have placing a channel in ! trip as an allowable action. This causes the initiation logic to become 1 out of 3 which provides adequate plant ' protection but increases the vulnerability to spurious initiations. This action should be used with caution on l Functions that initiate SSLC (3 & 7) because a spurious SLC actuation could cause a delay in plant restart. , A.I. A.2.1. A.2.2. A.2.3 and A.2.4 " l l A SENSOR CHANNEL is considered to be OPERABLE when all l associated instruments and devices required to provide the < ! results of a trip calculation in the divisions that use the data from the channel are OPERABLE. If any LOGIC CHANNEL that uses the trip data from a SENSOR CHANNEL does not l receive valid data then the channel is considered to be ; inoperable. Notes are included in the LCOs for these Actions so they are ! applied only to those Functions that have four SENSOR CHANNELS. For these functions, a failure ia one SENSOR t CHANNEL will cause the trip logic to become 1/3 or 2/3 depending on the nature of the failure ( i.e failure which ! causes a channel trip vs. a failure which does not cause a channel trip). Therefore, an additional single failure will not result in loss of protection but could cause a spurious initiation of a protective action for additional failures ; that result in a tripped condition. Action A.1 forces a trip condition from the SENSOR CHANNEL ' which causes the initiation logic to become 1/3 for the l l specific Functions that are placed in trip. In this i l condition a single failure will not result in loss of I protection. This Action is applicable when more than one l Function has a single inoperable SENSOR CHANNEL without l l regard to the divisions containing the failed channels. In this condition, the availability of the Function to provide a plant protective action is at least equivalent to the 2/4 trip logic. Since plant protection capability is within the design basis no further action is required when the inoperable SENSOR CHANNEL is placed in trip. l (continued) l l ABWR TS B 3.3-59 P&R 08/30/93 l i
SSLC Sensor Instrumentation i B 3.3.1.1 BASES I I l ACTIONS A.1, A.2.1. A.2.2. A.2.3 and A.2.4 (continued) ( Continued ) l Action A.2.1 bypasses all SENSOR CHANNELS, except the NMS, i in the division containing the inoperable SENSOR CHANNEL. l This causes the logic for all functions to become 2/3 so a l single failure will not result in loss of protection or ! cause a spurious initiation. However, the degree of : redundancy is reduced. As indicated by a note in the LCO, ! l this action is not applicable to the NMS. This action may be . l l implemented for single SENSOR CHANNEL failures in multiple Functions only when all failures are in the same division. Action A.2.2 is similar to Action A.2.1 but applies only to i the NMS functions as indicated by a note in the LCO. The NMS trip logic in all NMS divisions then becomes 2/3 and remains as 2/4 in the SSLC. In this condition a single failure will 1 not result in loss of protection or cause a spurious initiation. , The APRM portion of the HMS is bypassed or tripped on a 1 division basis. The SRNM, however, is bypassed or tripped by tripping or bypassing the individual sensor channels. : l Bypass must be accomplished using the three SRNM bypass l l switches as described in Function la. and b. This ; arrangement also prevents bypassing all Division II sensors; ! therefore, failure of all Division II sensors requires ; taking the trip action. For the SRNM, any inoperable sensor j channel must be bypassed even if the associated SSLC SRNM l division remains OPERABLE. The requirement for the ! individual channel bypass is controlled by LCO 3.3.3.1. ! 1 The Completion Time of six hours for implementing Actions l A.1, A.2.1, A.2.2 is based on providing sufficient time for ! l the operator to determine which of the actions is ! appropriate. The Completion Time is acceptable because the ! probability of an event requiring the Function coupled with ; a failure in two other SENSOR CHANNELS associated with it i occurring within that time period is quite low. l l Action A.2.3 restores all required SENSOR CHANNELS for the ! Function to the OPERABLE status following completion of l Action A.2.1 or A.2.2. Action A.2.4 provides an alternate l to A.2.3. Both of these Actions place the SSLC within the - SSLC availability design basis. Implementing Actions A.2.1 I or A.2.2 provides confidence that Plant protection is maintained given an additional single failure and the SSLC (continued) ABWR TS B 3.3-60 P&R 08/30/93
i SSLC Sensor Instrumentation B 3.3.1.1 l l BASES l ACTIONS A.l. A.2.1. A.2.2. A.2.3 and A.2.4 (continued) l l , ( Continued ) ' self-tests will detect most failures, so operation in this i condition for 30 days is acceptable. Also, the PRA analysis has shown that the change in core damage frequency is negligible with three instead of four OPERABLE divisions of sensors. l ' i Note I for Action A.2.4 requires that the bypass implemented , per Action A.2.1 or A.2.2 be removed after implementing Action A.2.4. This is necessary to restore the SSLC to ) within its availability design basis. Note 2 is included to f permit restoration of the bypass for a limited period to permit repairs. Note 3 is included to permit placing a division in division of sensors bypass even if the division ' contains SENSOR CHANNELS that were manual tripped due to : , previous entries into the condition. Placing a division in , l division of sensor bypass masks any SENSOR CHANNEL manual - trips in the division. This configuration is acceptable for ! the period of time that a division of sensor bypass is j permitted under other actions of condition A. S_.l. B.2.1 B.2.2 and B.3 , i Condition B occurs when two SENSOR CHANNELS for the same Function become inoperable for the functions that have a SENSOR CHANNEL in all four divisions. In this condition the initiation logic could be 2/2 so a single failure would cause loss of initiation from the function. ; Placing one of the failed SENSOR CHANNELS in trip (Action ! B.1) causes the trip logic to become 1/2 so a failure in an I additional SENSOR CHANNEL for the function will not prevent j initiation of a protective action from the Function. The i three hour Completion time for this Action provides sufficient time for the operator to implement the Action. Operation for this amount of time does not contribute significantly to plant risk because the probability of an event requiring the function, coupled with a single Failure in one of the remaining channels for the Function, within the time period is quite low. Action B.2.1 requires placing the division containing the-second failed SENSOR CHANNEL ia division of sensors bypass for those Functions given in the LCO note. Action B.2.2 (continued) ABWR TS B 3.3-61 P&R 08/30/93 ) I i 1
SSLC Sensor Instrumentation B 3.3.1.1 l i BASES ACTIONS B.I. B.2.1. B.2.2 and B.3 (continued) ( Continued ) requires a similar action for inoperable NMS channels. l Performing this action will prevent a change in status of ! the inoperable channel from causing a spurious initiation of a protective cction. A Completion Time of 6 hours is l permitted for these actions. The probability of the failed , channel causing a spurious initiation during this time t period is quite low. ! l Action B.3 restores at least one of the failed channels to i OPERABLE status. A Completion Time of 30 days is permitted l for this Action. The Completion Time is based on the low i probability of an undetected failure in both of the OPERABLE channels for the Function occurring in that time period. The self-test features of the SSLC, NMS, and EMS provide a high ! degree of confidence that no undetected failures will occur l in the allowable Completion Time. i l Multiple entry into the condition table causes Condition A to be invoked on completion of Action B.3 so appropriate , additional action is taken. i l C.1 & C.2 This Condition applies when three SENSOR CHANNELS for the same Function become inoperable for those Functions that have four SENSOR CHANNELS. This Condition represents a case where automatic protective action from a function is 1/1 (one of the channels fails in a tripped state) or is completely unavailable. Action C.1 causes the initiation logic to become 1/1 so a protective Action from the Function is still available but ! the single failure criteria for automatic actuation is not met. However, other diverse trip parameters are available, including manual initiation. l Action C.2 causes restoration of a second channel for the Function so the initiation logic becomes 1/2 and plant i protection is maintained for a single additional failure. l The six hour Completion Time for C.2 provides a reasonable amount of time to effect repairs on at least on of the inoperable channels and avoid the risks associated with plant shutdown. (continued) ABWR TS B 3.3-62 P&R 08/30/93 ! 1 i
SSLC Sensor Instrumentation B 3.3.1.1 l BASES ACTIONS C.1 & C.2 (continued) l ( Continued ) l Multiple entry into the condition table causes Condition B to be invoked on completion of Action C.2 so appropriate additional action is taken. D.1 & D.2 1 This Condition applies when all of the SENSOR CHANNELS for the same function become inoperable for those Functions that I have four SENSOR CHANNELS. This Condition represents a case where automatic protective action from a function is completely unavailable. However, other diverse trip parameters are available, including manual initiation. Although Action D.1 does not restore the initiation 7 capability from the Function it is required so that the logic will become 1/1 when Action D.2 is completed. i Action D.2 causes restoration of at least one channel for the Function which causes the initiation logic to become 1/1 so protective action for the Function is restored. The one hour Completion Time for D.2 provides some amount of time to effect repairs on at least on of the inoperable channels and avoid the risks associated with plant shutdown. Plant operation in this condition for the specified time does not contribute significantly to plant risk because the probability of an event requiring the Function within the ; Completion Time is quite low. l Multiple entry into the condition table causes Condition C , to be invoked on completion of Action D.2 so appropriate additional action is taken. 1 Ll Required Action E.1 directs entry into the appropriate t Condition referenced in Table 3.3.1.1-1 if the Required i Action and associated Completion Times of Conditions A, B, C, or D are not met. The applicable Condition specified in the Table is function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time the entry condition is met, Condition E will be entered for that (continued) ABWR TS B 3.3-63 P&R 08/30/93 {
'l
SSLC Sensor Instrumentation B 3.3.1.1 - BASES ACTIONS Eml (continued) ( Continued ) channel / division and provides for transfer to the appropriate subsequent Condition. . F.1 As noted in the LC0 this action applies only to the ADS permissive Functions from the ECCS pump discharge pressure. This condition occurs when one or two of the ECCS pump pressure permissive SENSOR CHANNELS associated with an ADS ' division become inoperable. The logic for the ADS permissive will change from 1/5 to 1/4 or 1/3. Therefore, a high degree of redundancy is maintained. Action F.1 restores all required SENSOR CHANNELS for the l Function to the OPERABLE status. All divisions of ADS , I initiation logic remain OPERABLE for this condition and a single failure will not result in loss of protection. In
- addition, the self test features provide confidence that any l additional failures will be automatically detected. This is an acceptabla long term condition so the Completion Time specified for repair corresponds to a maximum time equal to the refueling interval. However, the LC0 requires the repairs to be completed if a cold shutdown occurs prior to the next refueling outage. l G
- .1
- As noted in the LCO this action applies only to the ADS permissive Functions from the ECCS pump discharge pressure.
l This condition occurs when three of the ECCS pump pressure t l permissive SENSOR CHANNELS associated with an ADS division i become inoperable. For this condition the logic for the ADS < permissive becomes 1/2 so the degree of redundancy is reduced to some extent. However, All divisions of ADS initiation logic remain OPERABLE for this condition and a single failure will not result in loss of automatic ADS initiation. Action G.1 restores at least three of the required SENSOR CHANNELS for the Function to the OPERABLE status. The completion time of 7 days is based on the low probability of undetected failures in both of the OPERABLE channels for the (continued) { ABWR TS B 3.3-64 P&R 08/30/93 l l
i l l 1 SSLC Sensor Instrumentation B 3.3.1.1 1 l BASES ACTIONS G.1 (continued) , ( Continued ) Function occurring in that time period. The self-test
- I features of the SSLC, NMS, and EMS pre, vide a high degree of !
confidence that no undetected failures will occur. l Since multiple entry to the condition table is required, l completion of Action G.1 will cause Condition F to be , ! invoked and appropriate action taken. 4 i ! H.1 As noted in the LC0 this action applies only to the ADS i permissive Functions from the ECCS pump discharge pressure. ! This condition occurs when four of the ECCS pump pressure permissive SENSOR CHANNELS associated with an ADS division become inoperable. For this condition the logic for the ADS permissive becomes 1/1 so a single failure in the remaining i OPERABLE SENSOR CHANNEL for the Function will cause loss of l automatic ADS initiation. Action b.1 retores at least two of the required SENSOR CHANNELS for trie Func'. ion to the OPERABLE status. The completion time ni 24 hours is based on the low probability of undetected failures in the remaining OPFRABLE channel for the function occurring in that time period. The self-test i features of the SSLC, NMS, and EMS provide a high degree of 1 confidence that no undetected failures will occur. ! 1 M As noted in 11e LCO this action applies only to the ADS permissive Fuactions from the ECCS pump discharge pressure. ; This condition occurs when all of the ECCS pump pressure l permissive SENSOR CHANNELS associatea with an ADS division l become inoperable. For this Condition automatic ADS - initiation for the associated division becomes unavailable , , Action 1.1 causes the associated ADS division to be declared l ' inoperable, which will cause the LC0 for incperable ADS l divisions to be invoked. I
- This Action is also invoked if the completion times of Actions F, G, or H are not met.
a I (continued) l ABWR TS B 3.3-65 P&R 08/30/93 : i . [ i
i I SSLC Sensor Instrumentation j B 3.3.1.1 L l l BASES i i ACTIONS J.1. K.1. L.1 and N,1 ( Continued ) If the specified action for Conditions A, B, C, or D are not ! implemented within the specified completion times, the plant j must be placed in a MODE or other specified condition in ; which the LC0 does not ann' The Completion Times are i reasonable, based on ope,a .J experience, to reach the specified condition from rull power conditions in an orderly manner and without challenging plant systems. In addition, the Completion Time of Required Action J.1 is consistent with the Completion Time provided in LCO 3.2.2, " MINIMUM CRITICAL POWER RATIO (MCPR)."
!id If the specified action for Conditions A, B, C, or 9 are not implemented within the specified completion times, the plant must be placed in a condition in which the LC0 does not ,
apply. This is done by immediately initiating action to t insert all insertable control rods in core cells containing one or more fuel assemblies. Control rods in core cells containing no fuel assemblies do nct affect the reactivity [ of the core and are, therefore, not required to be inserted. ! Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted. 0.1 ; This Action applies to instrumentation that is used to isolate specific flow paths. ! If the Function is not restored to OPERABLE status or placed , ! in trip within the allowed Completion Time, plant operation 1 may continue if the affected penetration flow path (s) is isolated. Isolating the affected penetration flow path (s) accomplishes the safety action of the inoperable function. For some of the Functions, the affected penetration flow path (s) may be considered isolated by isolating only that portion of the system in the associated room monitored by the inoperable function. l i l (continued) ABWR TS B 3.3-66 P&R 08/30/93 l i (
i I l l SSLC Sensor Instrumentation [ B 3.3.1.1 i l BASES ACTIONS The Completion Time is acceptable because it minimizes rist ' ( Continued ) while allowing sufficient time for plant operations personnel to isolate the affected penetration flow path (s). P.l. P.2.1 P.2.2 and P.2.3 If the Function is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated penetration flow path (s) should be isolated (Required Action P.1). Isolating the affected penetration flow path (s) accomplishes the safety action of the inoperable Function. Alternately, the plant must be placed in a condition in which the LCD does not apply. If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies must be immediately suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe condition. Also, if applicable, action must be immediately initiated to suspend OPDRVs to minimize the probability of a vessel drain down and subsequent , potential for fission production release. ACTIONS must continue until OPDRVs are suspended. As noted, Action P.2.2 applies only to Function 24 since this is the only function required while moving fuel assemblies in the containment. L1 This Required Action is intended to ensure that appropriate ; actions are taken if multiple, inoperable, untripped SENSOR ! CHANNELS for the same Function results in a complete loss of automatic transfer of the suction from the condensate storage tank to suppression pool for the HPCF and RCIC. l Automatic transfer capability is considered to be lost if , the Required Actions applicable to Functions 17 and 18 are I not met within the allowable Completion Time. In this ' situation (loss of automatic suction swap) the intended f Function must be manually implemented if the Funct'n cannot be restored. As noted, the Required Action is onl applicable if the HPCF or RCIC pump suction is not aligned to the suppression pool, since, if aligned, the Requireo Action is already performed. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time in Actions A, B, C or D, the suction source must be aligned to the (continued) ABWR TS B 3.3-67 P&R 08/30/93 i
SSLC Sensor Instrumentation B 3.3.1.1 l i BASES ACTIONS 0.1 (continued) ( Continued ) i suppression pool which performs the intended function of the ! I channel (shifting the suction source to the suppression pool). The completion time provides sufficient time to , perform the operation which will allow operation to continue. Measures should be taken to ensure that the HPCF and RCIC System piping remains filled with water while the suction is aligned to the suppression pool. ; R.1 Required Action R.1 is intended to ensure that appropriate ! actions are taken for multiple failures in devices that l affect one or more of the available ECCS systems. The affected Functions are those Functions with four SENSOR ; l CHANNELS that effect either the low pressures systems only , or the high pressure systems only. The inoperable SENSOR > CHANNELS for the functions covered by this action may result in loss of automatic initiation capability for.the associated feature (s). In this situation, the feature (s) ' l associated with the inoperable channels must be declared inoperable within 1 hour. The Completion time is based on ; providing a reasonable amount of time to establish which t features are associated with the inoperable Function. l l Declaring the supported features inoperable will cause entry into the LCO that is appropriate for the inoperable Feature. - With Required Action Q is not completed within its specified Completion Time, the associated feature (s) may be incapable of performing the intended function so the supported , feature (s) associated with the inoperable untripped channels i must be declared inoperable immediately. i.1 This Condition addresses SENSOR CHANNEL failures for functions that have only one or two channels. For these Functions a failure in a single SENSOR CHANNEL causes the protective action logic to become 1/1 or is completely (continued) ABWR TS B 3.3-68 P&R 08/30/93
i l r i SSLC Sensor Instrumentation ) B 3.3.1.1 ) l l BASES ACTIONS T.1 (continued) ( Continued ) unavailable. In this condition the single failure criteria for automatic protective action actuation is not met. The situation is similar to condition H, so the completion time to restore the Inoperable channels is the same as for action H.l. j As noted, this Action applies only to Functions 32, 35, & 36 i since these are the Functions with one or two SENSORS > CHANNELS. t U.1 Required Action U.1 directs entry into the appropriate Condition referenced in Table 3 3.1.1-1. The applicable Condition specified in Table 3.3.1.1-1 is Function and MODE : l or other specified condition dependent and may change as the ; Required Action of a previous Condition is completed. Each time any Required Action of Condition T has not been met t within the associated Completion Time, Condition U will be i entered for the inoperable Function and provides for t transfer to the appropriate subsequent Condition. j i i V.1, V.2, X.1, and X.2 l If the specified number of OPERABLE channels / divisions are ; not restored to OPERABLE status within the allowed : i Completion Time, the plant must be placed in a MODE or other specified condition in which the RPS LC0 does not apply. : This is done by placing the plant in at least MODE 3 within i 12 hours and in MODE 4 within 36 hours. The Completion ! Times are reasonable, based en operating experience, to l reach the required plant conditions from full power : conditions in an orderly manner and without challenging
~
plant systems. . These Conditions apply to isolation functions that are required in modes 1, 2, and 3. l I I t (continued) ABWR TS B 3.3-69 P&R 08/30/93 b
i 4 i SSLC Sensor Instrumentation B 3.3.1.1 BASES ACTIONS W.1, W.2.1 and W.2.2 ( Continued ) If the Function is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCD does not apply. This is done by isolating the associated penetrations or by placing the plant in MODE 4. Note that MSIV closures functions are covered by this ACTION to permit closure of the MSIVs should the Condition occur while in MODE 3. The allowed Completion Time of 1 hour for Action W.1 is reasonable to permit the operator to identify the affected flow paths and isolate them. The Completion Times for ' Actions W.2.1 and W.2.2 are reasonable, based on operating experience, to achieve the specified conditions in an ! orderly manner and without challenging plant systems. l Y.1 and Y.2 j t if the Function is not restored to OPERABLE status within l the allowed Completion Time, the associated Feature (s) is ! declared inoperable (Action Y.1). Declaring the Feature ; inoperable cause entry into the appropriate LC0 for inoperable Features. ; I ! The CUW isolation on SLC initiation Function is included to l l provide confidence that the SLC System performs its intended l function. Isolating the CUW system performs the intended ; Function so Action Y.2 is a sufficient remedial measure for Function 32. ; i The Completion Time of 1 hour is acceptable because it minimizes risk while allowing sufficient time for personnel l to implement the required actions. 3 SURVEILLANCE As noted at the beginning of the SRs, the SRs for each SSLC REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.1.1-1. j r ! (continued) ; ABWR TS B 3.3-70 P&R 08/30/93 i I i l
l [ SSLC Sensor Instrumentation ' B 3.3.1.1 : BASES SURVEILLANCE SR 3.3.1.1.1 l REQUIREMENTS Performance of the SENSOR CHANNEL CHECK provides confidence ( Continued ) that a gross failure of a device in a SENSOR CHANNEL has not [ occurred. A SENSOR CHANNEL CHECK is a comparison of the parameter indicated in one SENSOR CHANNEL to a similar parameter in a different SENSOR CHANNEL. It is based on the ! assumption that SENSOR CHANNELS monitoring the same parameter should read approximately the same value. Significant deviations between the channels could be an indication of excessive instrument drift on one of the r channels or other channel faults. A SENSOR CHANNEL CHECK will detect gross channel failure; thus, it is key to e verifying the instrumentation continues to operate properly between each OlvlSION FUNCTIONAL TEST. Agreement criteria are determined by the plant staff based on a combination of the channel instrument and parameter , indication uncertainties. The high reliability of each channel provides confidence that a channel failure will be rare. In addition, the continuous self tests provide confidence that failures will be automatically detected. However, a low surveillance l interval of 12 hours is used to provide confidence that gross failures which do not activate an annunciator or alarm will be detected within 12 hours. The SENSOR CHANNEL CHECK l supplements less formal, but more frequent, checks of I channels during normal operational use of the displays associated with the channels required by the LCO. SR 3.3.1.1.2 To ensure that the APRMs are accurately indicating the true l core average power, the APRMs are calibrated to the reactor power calculated from a heat balance. The Frequency of once per 7 days is based on minor changes in LPRM sensitivity, which could affect the APRM reading between LPRM calibrations (SR 3.3.1.1.6). A Note is provided that imposes the SR only when power is ! 2: 25% RTP because it is difficult to accurately determine core THERMAL POWER from a heat balance when < 25% RTP. At low power levels, a high degree of accuracy is unnecessary because of the large inherent margin to thermal limits (MCPR (continued) ABWR TS B 3.3-71 P&R 08/30/93
l l SSLC Sensor Instrumentation i t B 3.3.1.1 ' BASES SURVEILLANCE SR 3.3.1.1.2 (continued) ; REQUIREMENTS ( Continued ) and APLHGR). At a 25% RTP, the Surveillance is required to have been satisfactorily performed within the last 7 days in ! accordance with SR 3.0.2. l SR 3.3.1.1.3 ; A DIVISION FUNCTIONAL TEST is performed on the SRNM and APRM-High/Setdown channels in each division to provide confidence that the function will perform as intended. If the as found trip point is not within its required Allowable Value, the plant specific setpoint methodology may be revised, as appropriate, if the history and all other , pertinent information indicate a need for the revision. The i as-left setpoint shall be consistent with the assumptions of the current plant specific setpoint methodology. i i As noted, this SR is not required to be perfonned prior'to : entering MODE 2 from MODE 1 since testing of the MODE 2 required SRNM and APRM Functions cannot be performed in 1 MODE 1. This allows entry into MODE 2 if the 7 day frequency - is not met per SR 3.0.2. In this event, the SR must be i performed within 12 hours after entering MODE 2 from MODE 1. Twelve hours is based on the high reliability of these sub- ; l functions and providing a reasonable time in which to l l complete the SR. , A Frequency of 7 days provides an acceptable level of system ; average unavailability over the Frequency interval and is : based on reliability analysis (Ref. 17). ! l i SR 3.3.1.1.4 i A DIVISION FUNCTIONAL TEST is performed on the required SRNM and APRM-High channels in each division to provide . I confidence that the functions will perform as intended. A ! Frequency of [32] days provides an acceptable level of ! system average availability over the Frequency and is based on the reliability analysis of Reference 17. (The Manual Scram functional test frequency described in LC0 3.3.1.2 was credited in the analysis to extend many automatic scram ! f Functions' Frequencies.) l (continued) ) i B 3.3-72 P&R 08/30/93 l ABWR TS
}
i
= - . _
SSLC Sensor lastrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.5 and SR 3.3.1.1.5a REQUIREMENTS ( Continued ) A DIVISIONAL FUNCTIONAL TEST or CHANNEL FUNCTIONAL TEST is performed on the required Functions or Channels in each ! division to provide confidence that the Functions will perform as intended. The test is performed by replacing the process signal with a test signal as far upstream in the l instrument loop as possible within the constraints of the
- instrumentation design and the need to perform the surveillance without disrupting plant operations. The testing may be performed so that multiple uses of a parameter may be tested at one time.
If the as found trip point is not within its required Allowable Value, the plant specific setpoint methodology may be revised, as appropriate, if the history and all other ; pertinent information indicate a need for the revision. The setpoint shall be left set consistent with the assumptions i of the current plant specific setpoint methodology. The l [92] day Frequency is based on the reliability analysis of t Reference 17. l The operability of the SENSOR CHANNELS is determined by injecting a test signal in a single sensor division as near ' to the source as possible to assure that the DTMs in all divisions create a trip signal when needed and that the l signal is received by the TLU or SLU. The operability of a LOGIC CHANNEL is determined by simulating the trip signal inputs to the SLU or TLU in a single division and confirming ; that the division trip signal is generated. SR 3.3.1.1.6 LPRM gain settings are determined from the local flux 1 ! profiles measured by the Automatic Traversing Incore Probe ! ! (ATIP) System. This establishes the relative local flux l profile for appropriate representative input to the APRM System. The 1000 MWD /T Frequency is based on operating experience with LPRM sensitivity changes. l SR 3.3.1.1.7 This surveillance assures that no gaps in neutron . flux indication exist between the SRNM and APRM measurements. (continued) ABWR TS B 3.3-73 P&R 08/30/93 l
i l SSLC Tansor Instrumentation B 3.3 1.1 ; BASES l SURVEILLANCE SR 3.3.1.1.7 (continued) ; REQUIREMENTS ( Continued ) The overlap between SRNMs and APRMs is of concern when reducing power into the SRNM range. On power increases, :' the system design will prevent further increases (initiate a rod block) if adequate overlap is not maintained. ? P This SR is imposed only for the conditions given in the i notes in the Lf0. After the overlap requirement has been met i and indication has transitioned to the SRNMs, establishing the overlap may not be possible (APRMs may be reading ' downscale once in MODE 2). If overlap is not demonstrated within a division, the Functions in that division that are required per the current mode and other conditions shall be declared inoperable. The basic Surveillance Frequency is whenever a transition to : low power occurs. A maximum frequency of 7 days is also provided so the SR may be skipped if less than 7 days has elapsed since the last transition to power less than 5% RTP. ! The maximum Frequency of 7 days is reasonable based on reliability of the SRNMs and APRMs. I SR 3.3.1.1.8 A COMPREHENSIVE FUNCTIONAL TEST tests a division using a selected range of sensor inputs into the division while simulating the other three divisions as appropriate. This test verifies the OPERABILITY of all SENSOR CHANNELS, LOGIC CHANNELS, and OUTPUT CHANNELS. See LCO 1.1 for additional , information on the scope of this test. l This surveillance overlaps or is performed in conjunction with the OUTPUT CHANNEL COMPREHENSIVE FUNCTIONAL TESTS in , the LCOs that address the OUTPUT CHANNELS and LCOs that test the final actuation devices. The combined or overlapping tests provide complete end-to-end testing of all protective actions associated with the SSLC. i l The [18] month frequency is based on the ABWR expected j REFUELING INTERVAL and the need to perform this Surveillance l under the conditions that apply during a plant outage to ! reduce the potential for an unplanned transient if the ! Surveillance were performed with the reactor at power. The high reliability of the devices used in the SSLC processing (continued) l ABWR TS B 3.3-74 P&R 08/30/93 1 I r _ _ _
i SSLC Sensor Instrumentation B 3.3.1.1 . BASES t 1 i SURVEILLANCE SR 3.3.1.1.8 (continued) REQUIREMENTS s Continued ) coupled with the DIVISION FUNCTIONAL TESTS provide confidence that the specified frequency is adequate. SR 3.3.1.1.9 and SR 3.3.1.1.9a A SENSOR CHANNEL CALIBRATION or CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies that a channel responds to the measured l parameter within the necessary range and accuracy. Calibration leaves the channel adjusted to account for instrument drifts between successive calibrations. ; Measurement error historical determinations must be performed consistent with the plant specific setpoint methodology. The channel shall be left calibrated consistent with the assumptions of the setpoint methodology. As noted, the calibration includes calibratian of all parameters used to establish derived setpoints (e.g. TPM setpoint) and all parameters used to automatically bypass a trip function (e.g. < 40% RTP bypass of TSV closure). , CHANNEL CALIBRATION includes calibration of the Analog Trip l Modules used to implement the ATWS mitigation fecture l t initiation. If the as found trip point (fixed or variable) is not within its Allowable Value, the plant specific setpoint methodology may be revised, as appropriate, if the history and all other pertinent information indicate a need for the revision. Suitable calibration shall be provided that is consistent with the assumptions of the current plant specific setpoint methodology. 3 As noted, neutron detectors are excluded from SENSOR CHANNEL , CAllBRATION because of the difficulty of simulating a r meaningful signal. Changes in neutron detector sensitivity are compensated for by performing the 7 day calorimetric calibration (SR 3.3.1.1.2) and the 1000 MWD /T LPRM calibration (SR 3.3.1.1.6) . The [18] month frequency is based on the ABWR expected ; refueling interval and the need to perform this Surveillance under the conditions that apply during a plant outage. The {l8] month frequency must be supported with a setpoint t n (continued) ! ABWR TS B 3.3-75 P&R 08/30/93 t
I SSLC Sensor Instrumentation B 3.3.1.1 BASES i SuR7EILLANCE SR 3.3.1.1.9 and SR 3.3.1.1.9a (continued) Rf'gUIREMENTS ( Continued ) analysis that includes a drift allowance commensurate with , this frequency. l SR 3.3.1.1.10 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis. The RPS RESPONSE TIME acceptance criteria are included in Reference [ ]. As noted, neutron detectors are excluded from RPS RESPONSE TIME testing because the principles of detector operation virtually ensure an instantaneous response time. The [18] month frequency is based on the ABWR expected REFUELING INTERVAL and the need to perform this Surveillance under the conditions that apply during a plant outage. The high reliability of the devices used in the RPS processing coupled with operating experience which shows that random failures of instrumentation and embedded processor components causing serious time degradation, but not channel failure, are infrequent provide confidence that the specified Frequency is adequate. i ( SP 3.3.1.1.11 l Thf a SR ensures that the individual channel response times for ECCS actuation are less than or equal to the maximum values assumed in the accident analysis. Response time i testing acceptance criteria are included in Reference [ ]. I The [18] month frequency is based on the ABWR expected REFUELING INTERVAL and the need to perform this Surveillance j under the conditions that apply during a plant outage. The high reliability of the devices used in the ESF and ECCS ' l processing coupled with operating experience which shows that random failures of instrumentation and embedded processor components causing serious time degradation, but not channel failure, are infrequent provide confidence that the specified Frequency frequency is adequate. ; i (continued) ! l ABWR TS B 3.3-76 P&R 08/30/93
l l SSLC Sensor Instrumentation i B 3.3.1.1 l BASES i SURVEILLANCE SR 3.3.1.1.12 { REQUIREMENTS ( Continued ) This SR ensures that the individual channel response times ; are less than or equal to the maximum values assumed in the accident analysis. The instrument response times must be added to the CIV closure times to obtain the ISOLATION SYSTEM RESPONSE TIME. ISOLATION SYSTEM RESPONSE TIME acceptance criteria are included in Reference [ ). A Note to the Surveillance states that the radiation ! detectors may be excluded from ISOLATION SYSTEM RESPONSE TIME testing. This Note is necessary because of the difficulty of generating an appropriate detector input ' signal and because the principles of detector operation ^ virtually ensure an instantaneous response time. Response i time for radiation detection channels shall be measured from detector output on the input of the first electronic component in the channel. ! The [18] month frequency is based on the ABWR expected : REFUELING INTERVAL and the need to perform this Surveillance under the conditions that apply during a plant outage. The high reliability of the devices used in the RPS processing coupled with operating experience which shows that random , failures of instrumentation and embedded processor components causing serious time degradation, but not channel failure, are infrequent provide confidence that the specified Frequency is adequate. REFERENCES 1. ABWR SSAR, Section [6.3].
- 2. ABWR SSAR, Chapter [15].
- 3. NED0-31466, " Technical Specification Screening l Criteria Application and Risk Assessment,"
November 1987. l
- 4. ABWR SSAR, Section (9.3.5]. !
- 5. NEDC-31577-P-A, " Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," ,
June 1989.
- 6. NEDC-30851-P-A, Supplement 2, " Technical I Specificati(ns Improvement Analysis for BWR Isolation l
(continued) ABWR TS B 3.3-77 P&R 08/30/93 l
l SSLC Sensor Instrumentation l B 3.3.1.1 i BASES ( i REFERENCES Instrumentation Common to RPS and ECCS l l ( Continued ) Instrumentation," March 1989. ,
- 7. ABWR SSAR, Section [7.3].
I
- 8. ABWR SSAR, Section [5.2]. l
- 9. .ABWR SSAR, Section [6.3], Table [6.3-2]. .
l
- 10. ABWR SSAR, Figure [ ].
- 11. ABWR SSAR, Section [5.2.2].
i
- 12. ABWR SSAR, Section [6.3.3]. !
- 13. ABWR SSAR, Section [15.4.1]. !
- 14. NE00-23842, " Continuous Control Rod Withdrawal in the !
Startup Range," April 18, 1978. ,
- 15. ABWR SSAR, Section [15.4.9].
l
- 16. NED0-31960, "BWR Owners' Group Long-Term Stability '
Solutions Licensing Methodology.", June 1991
- 17. NEDO-30851-P-A, " Technical Specification Improvement '
Analyses for BWR Reactor Protection System," l March 1988.
- 18. ABWR SSAR, Table 5.2-6 l
- 19. ABWR SSAR, Section []
i ABWR TS B 3.3-78 P&R 08/30/93
- - , - , , .- . .--...____-.l
SSLC Sensor Instrumentation B 3.3.1.1 ; l Table 3.3.1.1-1 (Page 1 of 3) i SSLC Instrumentation Summary i BASES l I EMS FUNCTION Y/N USAGE
- 1. Startup Range Monitors la. SRNM Neutron Flux-High N RPS lb. SRNM Neutron Flux-Short Period N RPS Ic. SRNM ATWS Permissive N ATWS Id. SRNM Inop N RPS l
- 2. Average Power Range Monitors l
2a. APRM Neutron Flux-High, Setdown N RPS 2b. APRM Flow Biased Simulated Thermal N RPS Power-High 2c. APRM Fixed Neutron Flux-High N RPS 2d. APRM Inop N RPS 2e. Rapid Core Flow Decrease N RPS i l 2f. Oscillation Power Range Monitor. N RPS l l 3. Reactor Vessel Steat, Dome Pressure-High Y RPS ATWS ISO
- 4. Reactor Steam Dome Pressure-Low (Injection Y LPFL ATWS Permissive)
- 5. Reactor Water Level - High, level 8 Y RCIC HPCF
- 6. Reactor Vessel Water Level-Low, Level 3 Y RPS ISO
- 7. Reactor Vessel Water Level - Level 2 Y RCIC ISO l
l 8. Reactor Vessel Water Level - Level 1.5 Y HPCF DG MSIV
- 9. Reactor Vessel Water Level Level 1 Y LPFL ADS DG ISO l 10. Main Steam Isolation Valve-Closure N RPS l 11. Drywell Pressure-High Y RPS LPFL RCIC l HPCF ADS ISO
- 12. CRD Water Header Charging Pressure-Low Y RPS
- 13. Turbine Stop Valve-Closure N RPS E0C-RPT
- 14. Turbine Control Valve Fast Closure, Trip N RPS E0C-RPT l Oil Pressure-Low '
ABWR TS B 3.3-79 P&R 08/30/93 l l
SSLC Sensor Instrumentation B 3.3.1.1 Table 3.3.1.1-1 (Page 2 of 3) : SSLC Instrumentation Summary BASES EMS FUNCTION Y/N USAGE
- 15. Main Steam Tunnel Radiation-High N RPS MSIV
- 16. Suppression Pool Temperature-High Y RPS ESF
- 17. Condensate Storage Tank Level - Low Y RCIC HPCF
- 18. Suppression Pool Water level - High Y RCIC HPCF
- 19. Main Steam Line Pressure-Low Y MSIV
- 20. Main Steam Line Flow-High Y MSIV
- 21. Condenser Vacuum-Low Y MSIV .
I
- 22. Main Steam Tunnel Temperature-High Y ISO MSIV
- 23. Main Turbine Area Temperature-High Y MSIV '
- 24. Reactor Building or Fuel Handling Area N ISO ,
Radiation-High
- 25. RCIC Steam Line Flow-High Y ISO ,
- 26. RCIC Steam Supply Line Pressure-Low Y ISO
- 27. RCIC Turbine Exhaust Diaphragm Y ISO Pressure-High
- 28. RCIC Equipment Area Temperature-High Y 150 !
- 29. CUW Differential Flow-High Y ISO
- 30. CUW Regenerative Heat Exchanger Y 150 [
Temperature-High
- 31. CUW non-regenerative Heat Exchanger Y 150 Temperature-High
- 32. CUW Equipment Area Temperature-High Y ISO
- 33. RHR Area Temperature s -High Y 150
- 34. CUW Isolation on SLC Initiation Y 150 l 35. ADS Division I LPFL Pump Discharge pressure Y ADS
- high (Permissive)
- 36. ADS Division I HPCF Pump Discharge Y ADS (9)
Pressure-High (Permissive)
- 37. ADS Division II LPFL Pump Discharge Y LPFL pressure - high (Permissive) l ABWR TS B 3.3-80 P&R 08/30/93
t l SSLC Sensor Instrumentation B 3.3.1.1 Table 3.3.1.1-1 (Page 3 of 3) SSLC Instrumentation Summary BASES P EMS ! FUNCTION Y/N USAGE l
- 38. ADS Division II HPCF Pump Discharge Y HPCF I Pressure--High (Permissive) . l l
- 39. Drywell Sump Drain LCW Radiation-High N ISO
- 40. Drywell Sump Drain HCW Radiation-High N ISO :
I r
?
f i i I l l i ABWR TS B 3.3-81 P&R 08/30/93
RPS and MSIV Actuation B 3.3.1.2 B 3.3 INSTRUMENTATION , J B 3.3.1.2 Reactor Protection System (RPS) and Main Steam Isolation l Valve (MSIV) Actuation BASES i BACKGROUND The RPS initiates a reactor scr:m when one or more mon tored i parameters exceed their specified limit to preserve the l integrity of the fuel cladding and the Reactor Coolant System (RCS) and minimize the energy that must be absorbed following a loss of coolant accident (LOCA). This can be accomplished either automatically or manually. The RPS uses sensors, data transmission, signal processing, load drivers, relays, bypass circuits, and switches that are necessary to cause initiation of a reactor scram. Functional diversity is provided by monitoring a wide range of dependent and independent parameters (see B 3.3.1.1). The RPS control logic hardware and software is contained within the four independent, divisional panels of Safety System logic and Control (SSLC) as described in LCO B 3.3.1.1. Two hardwired manual scrams which completely bypass the SSLC processing are provided. The hardwired manual scrams remove power from the scram pilot valve solenoids and also energize the air header dump valve solenoids (backup scram) via two manual scram switches on the main control console or when the reactor mode switch is in the SHUTDOWN position. The RPS logic includes a Main Steamline Isolation special bypass in addition to the division of sensors bypass and division of logic bypass provided for most SSLC instrumentation (see LC0 B 3.3.1.1 for a description of the bypasses). The Main Steamline Isolation bypass is similar to ; the division of sensors bypass except it affects only the j MSIV closure scram. This bypass is provided to permit , operation with one steam line isolated. The MSIV actuation automatically initiates closure of the i MSIVs when measured parameters exceed specified limits. The s function of the MSIVs valves, in combination with other t accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs). Valve closure within the specified time limits ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a DBA. . (continued) i ABWR TS B 3.3-82 P&R 08/30/93 i
.+ ~ ...
4 RPS and MSIV Trip Initiation B 3.3.1.2 BASES BACKGROUND MSIV isolation initiation includes sensors, data ( Continued ) transmission, signal processing, load drivers, relays, and > switches that are necessary to cause closure of the valves. Functional diversity is provided by monitoring a wide range of independent parameters. The input data to the isolation . logic originates in devices that monitor local parameters (e.g. high temperatures, high flows) as well as primary
- system and containment system parameters that are indicative of a leak. The MSIV control logic hardware and software for developing isolation initiation signals is contained within the four independent, divisional panels of Safety System logic and Control (SSLC) as described in LCO B 3.3.1.1. The Functions used to create the initiation signals are addressed in LC0 B 3.3.1.1. This LCO addresses the isolation actuation devices.
The final initiation signals for isolating the main steamlines are transmitted to the Output logic Units (0LUs) and MSIV lead drivers by the TLUs in the SSLC. There are OLUs in all four divisions and load drivers in the two MSIV i actuation divisions. The RPS and MSIV use 2/4 logic in both i the LOGIC CHANNELS and OUTPUT CHANNELS. , One RPS and one MSIV actuation output from the TLU may be bypassed. Implementing this bypass causes the LOGIC CHANNEL j and OUTPUT CHANNEL to change to 2/3. Interlocks are provided i to prevent placing more then one RPS or MSIV actuation output in bypass. APPLICABLE The actions of the RPS are assumed in the safety analyses of SAFETY ANALYSIS References 2, 3, and 4. The RPS initiates a reactor scram LCO, and when monitored parameter values exceeds its setpoint. See APPLICABILITY LC0 B 3.3.1.1 for additional information. RPS instrumentation satisfies Criterion 3 of the NRC Policy Statement. Functions not specifically credited in the accident analysis are retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. The isolation of the main steam lines is implicitly assumed
. in the safety analyses of References 1 and 2 to limit offsite doses. Refer to LCO 3.6.1.3, " Primary Containment Isolation Valves (PCIVs)," and LC0 3.3.1.1 "SSLC Instrumentation" Applicable Safety Analyses Bases, for more detail.
(continued) ABWR TS B 3.3-83 P&R 08/30/93
i i RPS and MSIV Actuation B 3.3.1.2 BASES APPLICABLE The containment isolation actuation satisfies Criterion 3 of SAFETY ANALYSIS, the NRC Policy Statement. LCO, and , APPLICABILITY The OPERABILITY of the RPS and MSIV closure is dependent on ! ( Continued ) the OPERABILITY of the indicidual SENSOR CHANNEL Functions ! within each division and are covered by LCO 3.3.1.1. The l OPERABILITY of the LOGIC CHANNELS and OUTPUT CHANNELS (0LUs
& load drivers) and manual initiation is covered by this LCO.
- 1. RPS Actuation The RPS Actuation must be OPERABLE in MODE 1, MODE 2, and in MODE 5 with any control rod withdrawn from a core cell ,
containing at least one fuel assembly. The Shutdown Margin (LC0 3.1.1) and rod-out interlock (LC0 3.9.2) provide confidence that no event requiring RPS will occur while in MODE 5. RPS is not required in MODES 3 and 4 since all control rods are fully inserted and the Reactor Mode Switch in Shutdown position rod withdrawal block (LCO 3.3.2.1) ! prevent rod withdrawal in these modes. Three unbypassed LOGIC CHANNELS and OUTPUT CHANNELS must be l OPERABLE to assure that no single failure will preclude ; scram when needed.
- 2. MSIV and MSL Drain Valves Actuation .
The MSIV and MSL Drain Valves Actuation Function uses a TLU in all four divisions. The TLU acquires trip information from the DTMs and sends actuation signals to the OLUs. Two normally energized, solenoid operated, pilot valves are located on each MSIV. Both solenoids must be de-energized to , cause the valve to close. Each pilot solenoid is controlled ' I by independent series / parallel arrangements of four load drivers (eight total for each MSIV) with the outputs of the four OLus arranged so that a trip signal from any two of 1 them de-energizes both solenoids. For each MSIV, the Load drivers for one pilot valve are in division I and the load drivers for the other pilot valve are in division II. The MSIV actuation must be operable in MODES 1,2, and 3 since these are the modes where one or more of the MSIV closure functions must be OPERABLE. (continued) ABWR TS B 3.3-84 P&R 08/30/93
RPS and MSIV Actuation B 3.3.1.2 BASES APPLICABLE 2. MSIV and MSL Drain Valves Actuation (continued) } SAFETY ANALYSIS, j LCO, and Three unbypassed LOGIC CHANNELS and OUTPUT CHANNELS must be . APPLICABILITY OPERABLE to assure that no single instrument failure can ; ( Continued ) preclude MSIV closure when needed. ! r
- 3. Manual RPS Scram The Manual Scram push buttons are completely independent of and isolated from the RPS automatic trip divisions. This function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and i f
diversity of the RPS as required by the NRC approved licensing basis. ! There are two independent manual scram switches, one in i division II and one in division III. Each switch removes ! power from one set of scram solenoids and energizes one of the air header dump valves so the function completely bypasses the automatic scram logic divisions. Both switches . must be activated to cause a scram. l There is no Allowable Value for this Function since the divisions are mechanically actuated based solely on the position of the push buttons. Two divisions of Manual Scram are required to be OPERABLE in MODES I and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions ! when control rods are withdrawn. , i ! 4. Reactor Mode Switch-Shutdown Position l l The Reactor Mode Switch-Shutdown Position Function provides manual reactor trip signals, via the manual scram logic divisions (II and III), that are redundant to the automatic protective instrumentation divisions. This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. The reactor mode switch is a single switch with independent contacts for initiating scram when the switch is in the (continued) ABWR TS B 3.3-85 P&R 08/30/93 i
l [ i RPS and MSIV Actuation l l B 3.3.1.2 ' i BASES ' I APPLICABLE 4 Reactor Mode Switch-Shutdown Position (continued) SAFETY ANALYSIS, LCO, and SHUTDOWN position. This function removes power from the APPLICABILITY scram solenoids and energizes the air header dump valves so ( Continued ) it completely bypasses the automatic scram logic divisions. l, There is no Allowable Value for this Function since the ' divisions are mechanically actuated based solely on reactor mode switch position. ! Two divisions of Reactor Mode Switch-Shutdown Position i Function are available and required to be OPERABLE. The Reactor Mode-Switch Shutdown Position Function is required : to be OPERABLE in MODES 1 and 2, and in MODE 5 with any l control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other ; specified conditions when control rods are withdrawn. l t
- 5. Manual MSIV Actuation J, The Manual Initiation push button Function provides signals l j
to the OLU in each division that are redundant to the automatic protective instrumentation and provide manual 6 isolation capability. There is no specific ABWR SSAR safety i analysis that takes credit for this function. It is i retained for overall redundancy and diversity of the j isolation function as required by the NRC in the plant i licensing basis. l ! There are four MSIV manual actuation pushbuttons. The data is routed directly to the OLUs for the MSIVs so this i Function bypasses the EMS, DTMs and TLus. l t
- Pressing any two of the four manual pushbuttons will cause l
isolation of all four steam lines. There is no Allowable i Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons. l Three divisions of the MSL Manual Initiation Function are required to be OPERABLE in MODES 1, 2, and 3, since these are the MODES in which the MSIVs are required to be OPERABLE. l (continued) l ABWR TS B 3.3-86 P&R08/30/93 i
.m_ ,
RPS and MSIV Actuation B 3.3.1.2 , BASES i ACTIONS A Note has been provided to modify the ACTIONS related to RPS and MSIV Actuation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent trains, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial l entry into the Condition. However, the Required Actions for ' ! inoperable RPS and MSIV Actuation channels provide appropriate compensatory measures for multiple inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RPS or MSIV Actuation channel. A.I. A.2.1. A.2.2.1. and A.2.2.2 , These Actions assure that appropriate compensatory measures are taken when one LOGIC CHANNEL or MSIV manual channel becomes inoperable. For these Functions, a failure in one ; channel will cause the actuation logic to become 1/3 or 2/3 depending on the nature of the failure ( i.e failure which causes a channel trip vs. a failure which does not cause a , channel trip). Therefore, an additional single failure will not result in loss of protection. Action A.1 forces a trip condition in the inoperable division which causes the initiation logic to become 1/3 for the Function. In this condition a single additional fdlure ;
- j. will not result in loss of protection and the availability
! of the function to provide a plant protective action is at least as high as 2/4 trip logic. Since plant protection capability is within the design basis no further action is required when the inoperable channel is placed in trip. Action A.2.1 bypasses the inoperable division which causes the logic to become 2/3 so a single failure will not result in loss of protection or cause a spurious initiation. Since overall redundancy is reduced, operation in this condition is permitted only for a limited time. Action A.2.2.1 restores the inoperable channel. Action A.2.2.2 repeats Action A.1 if repairs are not made within the allowable (continued) ) ABWR TS B 3.3-87 P&R 08/30/93
RPS and MSIV Actuation B 3.3.1.2 BASES ACTIONS A.1, A.2.1. A.2.2.1, and A.2.2.2 (continued) ( Continued ) ; Completion Time of Action A.2.2.1. Either of the Actions ! A.2.2.1 or A.2.2.2 places plant protection capability within i the design basis so no further action is required. l The Completion Time of six hours for implementing Actions ( A.1 and A.2.1 is based on providing sufficient time for the i operator to determine which of the actions is appropriate. The Completion Time is acceptable because the probability of , an event requiring the Function, coupled with failures that
- would defeat two other channels associated with the Function, occurring within that time period is quite low.
The self-test features of the SSLC provide a high degree of ' confidence that no undetected failures will occur within the allowable Completion Time. Implementing Action A.2.1 provides confidence that Plant I protection is maintained (2/3 logic) for an additional ; single instrument failure. However, with division I or III in bypass, a loss of the division 11 power supply could disable two of the remaining channels. Therefore, operation with one division in bypass is restricted to 30 days (Actions A.2.2.1 and A.2.2.2 Completion Time). The l probability of an event requiring the Function coupled with l undetected failures which cause the loss of two of the remaining OPERABLE divisions in the Completion Time is quite low. The self-test features of the SSLC provide a high degree of confidence that no undetected failures will c:. cur i within the allowable Completion Time. B.l. B.2, and B.3 i Condition B occurs if two LOGIC CHANNELS or MSIV manual
- channels become inoperable in a f ashion that does not result i
in an Actuation. In this Condition, the actuation logic l could become 2/2. Therefore, it is appropriate to place one l division in trip (Action B.1) and the other in TLU output bypass (Action B.2). The trip logic then becomes 1/2 so a single failure in the remaining operable divisions would not cause loss of protection. However, a single failure in one of the operable divisions could result in a spurious trip. The Completion Times for implementing Actions B.1 and B.2 is based on providing adequate time for the operator to (continued) ABWR TS B 3.3-88 P&R 08/30/93 6
, - v , &
RPS and M51V Actuation B 3.3.1.2 BASES i l ACTIONS 8.i. B.2 and B.3 (continued) ( Continued ) implement the Required Actions. The Co:rnletion Times are acceptable because the probability of an event requiring the Function, coupled with a f ailure in one or two of the other channels associated with the Function, occurring within that time period is quite low. Action B.3 restores at least one of the failed channels to OPERABLE status. A Completion Time of 30 days is permitted for this Action. The basis for the Completion Time is as given for Action A.2.2.1 and A.2.2.2 since the plant protective action capability is similar. ion based on the low probability of an undetected failure in both of the OPERABLE channels for the Function occurring in that time period. The self-test features of the SSLC provide a high degree of confidence that no undetected failures will occur , within the allowable Completion Time. Multiple entry into the condition table causes Condition A to be invoked on completion of Action B.3 so appropriate additional action is taken. C.1 & C.R l i This Condition applies when three LOGIC CHANNELS for the same Function or three MSIV manual initiation channels become inoperable. This Condition represents a case where i intended protective action from a Function is 1/1 (one channels fail:; tripped) or is completely unavailable. Action C.1 forces the initiation logic to become 1/1 so a l protective Action from the Function is still available but l the single failure criteria for plant protective action is not met. l l Action C.2 causes restoration of a second channel for the l Function so the initiation logic becomes 1/2 and plant protection is maintained for a single additional failure. The six hour Completion Time for C.2 provides a reasonable amount of time to effect repairs on at least on of the inoperable channels and avoid the risks associated with plant shutdown. (continued) ABWR TS B 3.3-89 i P&R 08/30/93
RPS and MSIV Actuation B 3.3.1.2 f BASES ACTIONS C.1 & C.2 (continued) ( Continued ) Multiple entry into the condition table causes Condition B to be invoked on completion of Action C.2 so appropriate additional action is taken. D.1 & D.2 l l This Condition occurs when all of the LOGIC CHANNELS for the same Function or all of the manual MSIV channels become # inoperable. In this Condition the intended protective action from a function is completely unavailable. l Although Action D.1 does not restore the initiation f capability from the Function it is required so that the i logic will become 1/1 when Action D.2 is completed. i Action D.2 causes restoration of at least one channel for the Function which causes the actuation logic to become 1/1 i so the intended protective action is restored. The one hour l Completion Tine for D.2 provides some amount of time to ! effect repairs on at least on of the inoperable channels and avoid the rists associated with plant shutdown. Continued ! plant operation in this condition for the specified time does not contribute significantly to plant risk because the l probability of an event requiring the Function within the l completion Time is quite low. l Multiple entry into the condition table causes Condition C ! to be invoked on completion of Action D.2 so appropriate , additional action is taken. l l ! i l L._l l l These Actions assure that appropriate compensatory measures are taken when one OUTPUT CHANNEL becomes inoperable. For , i j these functions, a f ailure in one channel will cause the actuation logic to become 1/3 or 2/3 depending on the type j of failure ( i.e failure which causes a trip vs. a failure ! which does not cause a trip). Therefore, an additional ' single failure will not result in loss of protection. Action E.1 forces a trip condition in the inoperable channel which causes the actuation logic to become 1/3. In this (continued) ABWR TS B 3.3-90 P&R 08/30/93
RPS and MSIV Actuation B 3.3.1.2 BASES ACTIONS E.1 (continued) ( Continued ) condition a single additional failure will not result in loss of protection and the availability of the Function to ; provide a plant protective action is at least as high as for ; the 2/4 trip logic. Since plant protection capability is within the design basis no further action is required. The Completion Time of six hours for implementing Action A.1 ' is acceptable because the probability of an event requiring the Function, coupled with failures that would defeat two ! other channels associated with the Function, necurring within that time period is quite low. F.1 and F.2 Condition F occurs if two OUTPUT CHANNELS become inoperable in a fashion that does not result in an Actuation. In this Condition, the actuation logic could become 2/2. Placing one of the inoperable channels in trip (Action F.1) causes the ; logic to become 1/2 so a single failure in the remaining j operable channels would not cause loss of protection. l' However, a single failure in one of the operable channels could result in a spurious trip. The Completion Times for implementing Action F.1 is based on i providing adequate time for the operator to implement the Required Action. The Completion Time is acceptable because the probability of an event reouiring the Function, coupled with undetected failures in one of the OPERABLE channels associated with the Function, occurring within that time period is quite low. Action F.2 restores at least one of the failed channels to OPERABLE status. A Completion Time of 7 days is permitted for this Action. The Completion Time is based on the low ; probability of an undetected failure in both of the OPERABLE l channels for the Function occurring in that time period. The i self-test features of the SSLC provide a high degree of confidence that no undetected failures will occur within the allowable Completion Time. Multiple entry into the condition table causes Condition E to be invoked on completion of Action F.2 so appropriate additinnal action is taken. (continued) ABWR TS B 3.3-91 P&R 08/30/93
RPS and MSIV Actuation l B 3.3.1.2 ! BASES ACTIONS M ( Continued ) This Condition applies when three or four OUTPUT CHANNELS , for the same Function become inoperable. This Condition represents a case where protective action from a Function is ! 1/1 or is completely unavailable. , Action G.1 requires restoring a total of at least two channels to OPERABLE status which restores the actuation logic to 1/2 so plant protection is maintained for a single additional failure. The one hour Completion Time for D.2 provides some amount of time to effect repairs and avoid the risks associated with . plant shutdown. Plant operation in this condition for the ! specified time does not contribute significantly to plant risk because the probability of an event requiring the Function within the completion Time is quite low. - Multiple entry into the condition table causes Condition F to be invoked on completion of Action G.1 so appropriate i additional action is taken. M ; I This Condition address failures in the Reactor Mode Switch- l Shutdown Position Function. Since the Function Logic is 2/2 ! any failure causes protective action from the Function to become unavailable. Action H.1 restores the required channels to OPERABLE i status. The one hour Completion Time for H.1 provides some ! amount of time to effect repairs prior to implementing additicnal Actions to place the plant in a state where the LCO does not apply. Continued operations in this condition , for the specified time does not contribute significanti, to ' plant risk because the probability of an event requiring the Function within the Completion Time is quite low. I 1.1 and I.2 If one of the manual scram divisions becomes inoperable then manual scram is unavailable. Placing the affected division in trip (Action 1.1) causes the manual scam logic to become (continued) ABWR TS B 3.3-92 P&R 08/30/93
RPS and MSIV Actuation , B 3.3.1.2 ; 2 BASES i ACTIONS I.1 and I.2 (continued) 1/1. Note that the automatic actuation logic becomes 1/3 in this condition so there is an increased vulnerability to spurious trips. Since the manual trip uses a minimum of - l equipment and completely bypasses the automatic RPS trip logic, there is high confidence that manual scram will be i available if needed. The one hour Completion Time for I.1 provides sufficient time for the operator to implement the Action. Plant operation in this condition for the specified time does not ; contribute significantly to plant risk because the . probability of an event requiring the Function within the ! completion Time is quite low. I I Action 1.2 restores all required manual scram channels. The ! completion time for Action I.2 is set the same as for condition B.3 since the conditions are similar in terms of overall plant protection. , t J.1 . i This Condition assures that appropriate actions are taken for multiple inoperable RPS Actuation Functions while in MODE 1 or 2. If the specified Actions for Conditions A, B, : C, D, E, F, G, H, or I are not implemented within the specified Completion Times the plant must be placed in a condition where the LC0 does not apply. This is accomplished by placing the plant in MODE 3. The Completion Time is reasonable, based on operating experience, to reach MODE 3 from MODES 1 or 2 in an orderly manner and without challenging plant systems. \ l K.1 This Condition assures that appropriate actions are taken for mJ1tiple inoperable RPS Actuation functions while in MODE 5 with any control rod withdrawn from a core cell ' containing at least one fuel assembly, if the specified Actions for Conditions A, B, C, D, E, F, G, H, or I are not l implemented within the specified Completion Times the plant ! must be placed in a condition where the LC0 does not apply. This is done by immediately initiating action to insert all (continued) ABWR TS B 3.3-93 P&R 08/30/93 :
RPS and MSIV Actuation ' 1 B 3.3.1.2 l BASES ACTIONS K.) (continued) ' ( Continued ) insertable control rods in core cells containing one or more fuel assemblies. Control rods in core cells containing no , fuel assemblies do not affect the reactivity of the core and > are, therefore, not required to be inserted. Action must continue until all insertable control rods in core cells - containing one or more fuel assemblies are fully inserted. L.1 and L.2 This Condition assures that appropriate actions are taken for multiple inoperable MSIV Actuation Functions. If the specified Actions for Conditions A, B, C, D, E, F, or G are i not implemented within the specified Completion Times the plant must be placed in a condition where the LCO does not apply. This is accomplished by placing the plant in MODE 3 , where the LC0 does not apply. The Completion Times are , reasonable, based on operating experience, to reach MODE 4 in an orderly manner and without challenging plant systems. SURVEI L'_ANCE The CHANNEL FUNCTIONAL TESTS required in LCO 3.3.1.1 ensures REQUIREMENTS that the required functions will perform as intended and generate a trip condition when required. This LC0 addresses the operability of the LOGIC CHANNELS and OUTPUT CHANNELS for RPS and MSIV, which covers the TLUs, output logic units (0LUs), the load drivers cnd the manual actuation functions. SR 3.3.1.2.1 A CHANNEL FUNCTIONAL TEST is performed on each manual RPS scram division *.o ensure that the entire manual trip channel will operate as intended. This function uses a minimum of components, and the components have been proven highly reliable through operating experience. However, a relatively short surveillance interval of [7] days is used since availability of manual scram is important for providing a diverse means of reactor scram and the logic is 2/2. The probability of an event requiring manual scram coupled with a failure of one of the scram channels within this time period is very low. (continued) ABWR TS B 3.3-94 P&R 08/30/93
i : i I RPS and MSIV Actuation i l B 3.3.1.2 t l BASES SURVEILLANCE SR 3.3.1.2.2 , REQUIREMENTS A DIVISIONAL FUNCTIONAL TEST is performed on the LOGIC ; ( Continued ) CHANNELS in each division to provide confidence that the t functions will perform as intended. The test is performed by replacing the normal signal with a test signal as far i upstream in the channel as possible within the constraints of the instrumentation design and the need to perform the : surveillance without disrupting plant operations. See Section 1.1, " definitions" for additional information on the scope of the test. The devices used to implement the RPS and MSIV actuation l l l functions are of high reliability and have a high degree of ( redundancy. Therefore, the [92] day frequency provide I confidence that device Actuation will occur when needed. I This test overlaps or is performed in conjunction with the DIVISIONAL FUNCTIONAL TESTS performed under LCO 3.3.1.1 to i provide testing up to the final actuating device. SR 3.3.1.2.3 : A CHANNEL FUNCTIONAL TEST is performed on each manual MSIV Actuation channel to ensure that the channel will operate as ! intended. The devices used to implement the aanual MSIV actuation are of high reliability and have a high degree of redundancy. Therefore, the [92] day frequency provide confidence that device Actuation will occur when needed. The probability of an event requiring manual MSIV actuation coupled with undetected failures in three channels within this time period is very low. I SR 3.3.1.2.4 A COMPREHENSIVE FUNCTIONAL TEST tests a division using a , selected range of sensor inputs into the division while l simulating the other three divisions as appropriate. This l test verifies the OPERABILITY of all SENSOR CHANNELS, LOGIC i CHANNELS, and OUTPUT CHANNELS. See LCO 1.1 for additional ; information on the scope of this test. (continuea) ABWR TS B 3.3-95 P&R 08/30/93
RPS and MSIV Actuation B 3.3.1.2 BASES SURVEILLANCE }9 3.3.1.2.4 (continued) r REQUIREMENTS ( Continued ) This surveillance overlaps or is performed in conjunction i vith the COMPREHENSIVE FUNCTIONAL TESTS in LC0 3.3.1.1. The
;ombined or overlapping tests provide complete end-to-end testing of all RPS and MSIV protective actions.
The [18] month frequency is based on the ABWR expected l REFUELING INTERVAL and the need to perform this Surveillance t under the conditions that apply during a plant outage to f reduce the potential for an unplanned transient 'r J ' Surveillance were performed with the reactor et power. The high reliability of the devices used in the SSLC processing coupled with the CHANNEL FUNCTIONAL TESTS provide confidence ' that the specified frequency is adequate. SR 3.3.1.2.5 , The OUTPUT CHANNEL FUNCTIONAL TEST demonstrates the capability to actuate all of the devices (e.g pumps, valves, etc) required to implement a protective action. The [18] month frequency is based on the ABWR ?xpected REFUELING INTERVAL and the need in perform this Surveillance , under the conditions that apply during a plant outage to reduce the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The high reliability of the devices used in the SSLC processing coupled with the DIVISIONAL FUNCTIONAL TESTS provide confidence that the specified frequency is adequate. SR 3.3.1.2.6 i This SR ensures that the response times are less than or equal to the maximum values assumed in the accident i analysis. This surveillance overlaps or is performed in conjunction with the RPS RESPONSE TIME Surveillance in LCO 3.3.1.1. Tiis combined or overlapping tests provide complete end-to-end testing of the RPS protective actions. The [18] month frequency is based on the ABWR expected REFUELING INTERVAL and the need to perform this Surveillance (continued) 1 ABWR TS B 3.3-96 P&R 08/30/93 i
1 . l RPS and MSIV Actuation B 3.3.1.2 ; BASES SURVEILLANCE SR 3.3.1.2.6 (continued) REQUIREMENTS ( Continued ) under the conditions that apply during a plar.t outage. The high reliability of the devices used in the RPS processing r coupled with operating experience which shows that random failures of instrumentation and embedded processor ; components causing serious time degradation, but not channel ; failure, are infrequent provide confidence that the I specified frequency is adequate. I SR 3.3.1.?.7 This SR ensures that the individual channel response times , are less than or equal to the maximum values assumed in the ! accident analysis. The instrument response times must be i added to the MSIV closure times to obtain the ISOLATION l SYSTEM RESPONSE TIME. : This surveillance overlaps or is performed in conjunction l with the ISOLATION RESPONSE TIME Surveillance in LC0 7 3.3.1.1. The combined or overlapping tests provide complete l end-to-end testing of the MSIV response time. ! t The [18] month frequency is based on the ABWR expected REFUELING INTERVAL and the need to perform this Surveillance under the conditions that apply during a plant outage. The l high reliability of the devices used in the MSIV processing l coupled with operating experience which shows that random l failures of instrumentation and embeaded processor ' components causing serious time degradation, but not channel failure, are infrequent provide confidence that the , specified frequency is adequate. REFERENCES NONE 1 l l i ABWR TS B 3.3-97 P&R 08/30/93 l l l
SLC and FWRB Actuation ! B 3.3.1.3 ! l ! B 3.3 INSTRUMENTATION ! B 3.3.1.3 Standby Liquid Control (SLC) and Feedwater Runback (FWRB) !
- Actuation l l
BASES j BACKGROUND The SLC and FWRB Functions provide alternate means for i reactivity reduction to protect against the remote ! l probability of a failure to insert all ~ control rods when l l needed. j i ; These Functions are in addition to those described'in LC0 ! B3.3.4.1, ATWS and EOC-RPT. Instrumentation. SLC and FWRB l are initiated on Reactor Vessel Water Level-Low, Level 2 or ! Reactor Steam Dome Pressure-High. These features will not ! be initiated unless the neutron flux' level is above the ! value specified for the SRNM ATWS permissive Function. The SLC injects a solution of Boron (a neutron absorber) and , water into the reactor vessel. The available quantity of { borated water is sufficient to reduce core reactivity to an j acceptable level for a postulated failure of all control ! rods to be inserted. There are two SLC pumps and. injection .; valves.
~
The FWRB causes the feedwater pumps to go to minimum speed, which reduces core inlet subcooling and therefore core , reactivity and power level. A runback signal'is sent to - l each of the feedwater pumps, j i l An SLC and FWRB LOGIC CHANNEL and OUTPUT CHANNEL is ! l contained in each of the four SSLC divisions. Both channel l l types use 2/4 logic with suitable isolation between ! l divisions. See the background section of LC0 3.3.1.1, "SSLC l Sensor Instrumentation" for additional information. ! i APPLICABLE SLC and FWRB are not assumed in any ABWR SSAR analysis, i SAFETY ANALYSIS These features are initiated to aid in preserving the ' LCO, and integrity of the fuel cladding following events in which a APPLICABILITY required scram may not occur. The features are included as required by the NRC Policy Statement.
~
The OPERABILITY of the SLC and FWRB is dependent on the OPERABILITY of the individual Functions. Each Function must have a required number of OPERABLE channels. (continued) ABWR TS B 3.3-98 P&R 08/30/93 i
l SLC and FWRB Activation ; l B 3.3.1.3 l BASES APPLICABLE The individual Fur.ctions are required to be OPERABLE in MODE SAFETY ANALYSIS, I to protect against postulated common mode failures of the LCO, and Reactor Protection System by providing a diverse method of J APPLICABILITY reducing core reactivity. In MODE 1 the reactor is J ( Continued ) producing significant power. In MODE 2, the reactor is at low power so SLC and FWRB are not necessary. In MODES 3 and 4, the reactor is shut down with all control rods inserted; l thus, an ATWS event is not credible. In MODE 5, the one- ' rod-out interlock ensures the reactor remains subcritical; thus, an ATWS event is not significant. I The discussions are listed below on a Function by function . l basis. l 1.a. 2.a. RFC and FWRB Initiation i l These LOGIC CHANNELS must generate and transmit initiation data to the OUTPUT CHANNELS. Each of the four channels l sends initiation data to all four OUTPUT CHANNELS. Four channels of this function are required to be OPERABLE and three are necessary to provide confidence that no single instrument failure can preclude RFC or FWRB initiation from this Function on a valid signal. There is no allowable value associated with this Function. l.b. 2.b. SLC and FWRB Actuation These OUTPUT CHANNELS cause actuation of the SLC and FWRB. Protective action will occur when Actuation signals occur in 2 of the 4 channels. Four channels are required to be OPERABLE and three channels must be OPERABLE to provide confidence that no single instrument failure can preclude an , RFC or FWRB Actuation from this Function on a valid signal. l
- 3. Manual ARI Initiation The Manual Initiation push button channels introduce signals into the SLC and FWRB logic to provide manual initiation f capability that is redundant to the automatic initiation.
There are two push buttons and both must be activated to initiate SLC and FWRB. Signals from both manual switches are sent to the logic in all four divisions. (continued) l l ABWR TS B 3.3-99 P&R 08/30/93 t l l
l SLC and FBRB Activation B 3.3.1.3 i BASES l h APPLICABLE 3. Manual ARI Initiation (continued) SAFETY ANALYSIS, ' LCO, and There is no Allowable Value for this Function since it is APPLICABILITY mechanically actuated based solely on the position of the ( Continued ) push buttons. Two channels per division of the Manual l Initiation Function are required to be OPERABLE when the SLC i l and FWRB are required to be OPERABLE. j ACTIONS A Note has been provided to modify the ACTIONS related to ARI instrumentation channels. Section 1.3, Completion , Times, specifies that once a Condition has been entered, L subsequent trains, subsystems, components, or variables ! l expressed in the Condition, discovered to be inoperable or l not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ARI instrumentation channels provide appropriate i compensatory measures for separate inoperable channels. As l such, a Note has been provided that allows separate ! Condition entry for each inoperable channel. Some of the Actions permit placing a division in trip. The protective action actuation becomes 1 out of 3 or 1 out of 2 when this is done. For this condition, plant protection capability is maintained but a spurious actuation becomes more likely. Caution should be used when placing a channel in trip because a spurious SLC injection could cause a significant delay in plant restart. A.1 and A.2 l l These Actions assure that appropriate compensatory measures l are taken when a function becomes inoperable in one ! l division. A failure in one channel will cause the logic to ; become 1/3 or 2/3 depending on the nature of the failure 1 (i.e. failure which causes a trip vs. a failure which does not cause a trip). Therefore, an additional single failure will not result in loss of protection. Action A.1 forces a trip condition in the inoperable i division which causes the initiation logic to become 1/3 for the Function. In this condition a single additional failure (continued) ABWR TS B 3.3-100 P&R 08/30/93 i I I
~
I l SLC and FWRB Activation [ l B 3.3.1.3 l 1 BASES j REQUIRED A.1 and A 2 (continued) ; SURVEILLANCE ( Continued ) will not result in loss of protection and the availability ; of the Function to provide a plant protective action is at least as high as for 2/4 trip logic. Since plant protection capability is within the design basis no further action is ' required when the inoperable channel is placed in trip. Action A.2. bypasses the inoperable channel which causes the ; logic to become 2/3 so a single failure will not result in loss of protection or cause a spurious initiation. l The Completion Time of six hours for implementing the ; Actions is based on providing sufficient time for the ! operator to determine which of the actions is appropriate. 1 implementing these Actions provides confidence that Plant protection is maintained for an additional single instrument failure. Also, the SLC features do not provide rapid response so there is adequate time for the operator to assess the need for these features and initiate them , manually. Therefore, no further action is required. l B.I. B.2. and B.3 I These Actions assure that appropriate compensatory measures are taken when a Function is inoperable in two divisions. For this condition, the actuation logic becomes 2/2. Action B.1 forces a trip condition in one inoperable . division which causes the initiation logic to become 1/2 for l l the Function. In this condition a single additional failure will not result in loss of protection and the availability of the Function to provide a plant protective action is l maintained but the degree of redundancy is reduced. Action B.2 bypasses the other inoperable division in order to force it to a known state. Action B.3 restores at least one inoperable channel. The Completion Time of 3 hours for implementing Actions B.1 l is based on providing sufficient time for the operator to perform the Action. An additional 3 hours is permitted for B.2 since it is less urgent. The Completion Times are acceptable because the probability of an event requiring the Function, coupled with a failure that would defeat the other (continued) ABWR TS B 3.3-101 P&R 08/30/93
l l l SLC and FWRB Activation l B 3.3.1.3 BASES REQUIRED B.l. B.2. and B.3 (continued) SURVEILLANCE ( Continued ) channels associated with the function, occurring within that , time period is quite low. Since protective action is maintained as long as the other ' channels remain OPERABLE, operation in this condition is permitted for 30 days. (Action B.3 Completion Time). The probability of an event requiring plant scram, combined with failure to scram and an undetected failure in another ' channel of the Function in the Completion Time is quite low. L.1 These Actions assure that appropriate compensatory measures are taken when one OUTPUT CHANNEL of a function becomes l inoperable. For these Functions, a failure in one channel will cause the actuation logic to become 1/3 or 2/3 depending on the nature of the failure (i.e. failure which [ causes a channel trip vs. a failure which does not cause a channel trip). Therefore, an additional single failure will not result in loss of protection. Action C.1 forces a trip condition in the inoperable channel which causes the initiation logic to become 1/3 for the Function. In this condition a single additional failure will not result in loss of protection and the availability j of the Function to provide a plant protective action is at least as high as 2/4 trip logic. Since plant protection capability is within the design basis no further action is required when the inoperable channel is placed in trip. The Completion Time of six hours for implementing Action C.1 is based on providing sufficient time to implement the Actions. The Completion Time is acceptable because the ! probability of an event requiring the Function, coupled with i failures that would defeat two other channels associated with the Function, occurring within that time period is quite low. D.1 & D.2 l l Required Action D.1 is intended to ensure that appropriate i actions are taken when two OUTPUT CHANNELS become inoperable. For this Condition the actuating logic becomes 2/2. (continued) ABWR TS B 3.3-102 P&R 08/30/93 l
SLC and FWRB Activation B 3.3.1.3 BASES REQUIRED D.1 & D.2 (continued) SURVEILLANCE ( Continued ) Placing one channel in trip causes the logic to become 1/2. Since plant protection is maintained a 7 day Completion Time is allowed to restore one channel. The Completion Time to restore one of the inoperable channels is sufficient for the operator to take corrective action and takes into account the low likelihood of an event requiring actuation of the SLC and FWRB during this period. Completion of Required Action D.2 places the system in the same state as in Condition C and multiple condition entry will then result in suitable compensatory measures. E.1 , With any Required Action and associated Completion Time not met, or multiple failures that cause loss of a Function or the logic to become 1/1 the SLC must be declared inoperable. This will cause the LC0 for an inoperable SLC to be invoked and appropriate compensatory measures taken. The allowed Completion Time provides sufficient time to perform the Actions. SURVEILLANCE REQUIREMENTS SR 3.3.1 2.1 A DIVISION FUNCTIONAL TEST is performed on each required Function to ensure that the division will perform the intended functions. l I The frequency of [92] days is based on the high reliability and redundancy of the devices used to implement the features and the low inherent drift of the devices. This l surveillance for the Reactor Water Level-Low, Level 2 Function must be performed in conjunction with the equivalent surveillance in the SSLC Sensor Instrumentation LC0 (LCO 3.3.1.1). SR 3.3.1.3.2 A COMPREHENSIVE FUNCTIONAL TEST tests a division using a selected range of sensor inputs into the division while (continued) ABWR TS B 3.3-103 P&R 08/30/93 l l
i i SLC and FBRB Activation B 3.3.1.3 BASES ! REQUIRED SR 3.3.1.2.2 (continued) SURVEILLANCE ( Continued ) simulating the other three divisions as appropriate. This test verifies the OPERABILITY of all SENSOR CHANNELS, LOGIC CHANNELS, and OUTPUT CHANNELS. See Section 1.1, <
" Definitions" for additional information on the scope of l this test.
This surveillance overlaps or is performed in conjunction with the COMPREHENSIVE FUNCTIONAL TESTS in LC0 3.1.3.1.1. The combined or overlapping tests provide complete end-to- ' end testing of all protective actions associated with the SSLC. The [18] month frequency is based on the ABWR expected refueling interval and the need to perform this Surveillance under the conditions that apply during a plant outage to reduce the potential for an unplanned transient if the Surveillance were pcrformed with the reactor at power. The high reliability of the devices used in the SLC and FWRB ! processing coupled with the DIVISION FUNCTIONAL TESTS ! provide confidence that the specified frequency is adequate. l SR 3 . 3.1. 3J An OUTPUi ;HANNEL FUNCTIONAL TEST is performed on each i Function to ensure that the channels will operate as . intended. ! The frequency of [18] months is based on the ABWR expected refueling interval and the need to perform this surveillance ,
- under conditions that apply during a plant outage to reduce >
the potential for an unplanned transient if the surveillance was performed at power. The high reliability of the signal processing devices coupled with SR 3.3.1.3.1 provides ; confidence that the specified frequency is adequate. REFERENCES NONE l i l l l
)
ABWR TS B 3.3-104 P&R 08/30/93
ESF Actuation Instrumentation B 3.3.1.4 l l B 3.3 INSTRUMENTATION B 3.3.1.4 Engineered Safety Features (ESF) Actuation Instrumentation. 1 l BASES BACKGROUND This LCO addresses the devices needed to cause Actuation of l the devices that implement protective actions for the ECCS, l non-MSIV isolation, and ESF support Features. The ESF l actuation system automatically starts appropriate systems to i protect against plant transients and accidents analyzed in the ABWR SSAR. The ECCS systems ensure adequate core cooling following Loss i of Coolant Accidents. The Emergency Core Cooling Systems (ECCS) encompasses the High Pressure Core Flooder (HPCF) system, Automatic Depressurization System (ADS), Reactor , Core Isolation Cooling (RCIC) system, and the Low Pressure l Flooder (LPFL) mode of the Residual Heat Removal (RHR) i system. The purpose of the ECCS is to initiate appropriate responses from the systems to ensure that fuel is adequately cooled in the event of a design basis accident or transient. The equipment involved with each of these systems is described in the Bases for LC0 3.5.1, "ECCS-Operating." The ESF support systems needed to assure adequate performance of the ESF systems and adequate heat removal are also covered by this LCO. A description of the systems is i given in LC0 B3.3.1.1. The isolation actuation Functions automatically initiate closure of appropriate isolation valves when measured parameters exceed specified limits. The function of the l isolation valves, in combination with other accident i mitigation systems, is to limit fission product release l during and following postulated Design Basis Accidents , (DBAs). Valve closure within the time limits specified for those isolation valves designed to close automatically ! l ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a DBA. The non-MSIV isolation instrumentation provides valve closure signals for isolating the containment, Reactor Core Isolation Cooling (RCIC), Reactor Water Cleanup (CUW) system, and the Shutdown cooling mode of the Residual Heat Removal (RHR) system. The SENSOR CHANNELS Functions used to (continued) ABWR TS B 3.3-105 P&R 08/30/93
t ESF Actuation Instrumentation l B 3.3.1.4 l l BASES 1 BACKGROUND create the initiation signals are addressed in LCO 3.3.1.1. ( Continued ) This LCO addresses the isolation LOGIC CHANNELS and OUTPUT CHANNELS. The final initiation signals for the non-MSIV valves are transmitted from the SSLC Slus to remote actuation devices. l The non-MSIV isolation valve logic is contained in three of I the four SLUs as described in LCO 3.3.1.1. The ESF portion of the SSLC uses sensors, data transmission, i l signal processing, relays, and switches that are necessary to cause initiation of the various features needed to mitigate the consequences of a Loss of Coolant Accident (LOCA). Functional diversity is provided by monitoring a wide range of independent parameters. The input data to the ESF features originates in devices that monitor local process parameters (e.g. high temperatures, high flows) as - l well as primary :ystem (e.g RPV level) and containment system (e.g. Drywell pressure) parameters that are , indicative of a breach in any of the various barriers provided to prevent release of fission products and maintain core integrity. The ESF control logic hardware and software for developing initiation signals are contained within the four independent, divisional panels of Safety System logic l and Control (SSLC) as described in LCO B3.3.1.1. l A description of the operation of the ESF SENSOR CHANNELS and LOGIC CHANNELS is given in LC0 3.3.1.1. Each of a l redundant pair of ESF SLUs sends initiation data to a pair of OUTPUT CHANNELS via the EMS. Both OUTPUT CHANNELS must receive initiation data before system actuation will occur. . The 2/2 output initiation logic is provided to reduce the l l potential for inadvertent ESF actuation and the resulting i stress on plant equipment and attendant plant risk. There is i a pair of OUTPUT CHANNELS for each required device (pump, valve, etc.). l One of a redundant pair of OUTPUT CHANNELS may be bypassed either manually or automatically be the SSLC self test. When an OUTPUT CHANNEL is bypassed the actuation logic becomes one-of-one. Most of the SENSOR CHANNELS required to initiate ESF systems are covered in LC0 3.3.1.1. This LC0 covers the LOGIC CHANNELS, OUTPUT CHANNELS, and those SENSOR CHANNELS not addressed in LC0 3.3.1.1. The SENSOR CHANNELS that are (continued) ABWR TS B 3.3-106 P&R 08/30/93 1 ?
1 1 l 1 ESF Actuation Instrumentation f B 3.3.1.4 BASES BACKGROUND routed directly to the SLUs are covered by this LCO since ( Continued ) the SLUs are part of the LOGIC CHANNEL. ; Table B3.3.1.3-1 provides a summary of the systems and i features addressed by this LCO. APPLICABLE Operation of the ECCS and its support features is explicitly SAFETY ANALYSIS or implicitly assumed in the analysis of references of 1, 2, , LCO, and and 3. The ESF is initiated to preserve the integrity of the ' , APPLICABILITY fuel cladding by limiting the post LOCA peak cladding i temperature to less than the 10CFR50.46 limits. The ESF channels are required to be OPERABLE in the MODES or other
- specified conditions that may require ESF initiation to
- l. mitigate the consequences of a design basis accident or l transient. The applicability basis for the ECCS systems are given in LC0 3.5.1 and 3.5.2. To ensure reliable ECCS l initiation, a combination of features are required.
The ESF LOGIC CHANNELS and OUTPUT CHANNELS satisfy Criterion 3 of the NRC Policy Statement. The isolation of flow paths from the containment and the Reactor Coolant Pressure Boundary (RCPB) are implicitly assumed in the safety analyses of References [] and [] to initiate closure of valves to limit offsite doses. Refer to LCO 3.6.1.3, " Primary Containment Isolation Valves (PCIVs)," ; and LCO 3.3.1.1 "SSLC Sensor Instrumentation" Applicable Safety Analyses Bases, for more detail. , i The ESF isolation actuation Functions satisfies Criterion 3 of the NRC Policy Statement. The OPERABILITY of the ESF actuation is dependent on the OPERABILITY of the individual Functions specified in LCO ; 3.3.1.1. and in this LCO. The OPERABILITY of the LOGIC ' CHANNEL and OUTPUT CHANNEL Functions shown in table 3.3.1.3-1 are covered by this LCO. A LOGIC CHANNEL is OPERABLE when it is capable of accessing the divisional trip data from the ASSOCIATED SENSOR CHANNELS, using the trip data to generate device actuation data, and transmitting the actuation data to the ASSOCIATED OUTPUT CHANNELS. l 1 l (continued) ABWR TS B 3.3-107 P&R 08/30/93 1 1
ESF Actuation Instrumentation B 3.3.1.4 BASES APPLICABLE An OUTPUT CHANNEL is OPERABLE when it is capable of SAFETY ANALYSIS, receiving the actuation data from the LOGIC channel and LCO, and converting the data to signal levels suitable for causing APPLICABILITY the associated device (pump, valve, etc) to assume its ( Continued ) protective action state and restore the device to its normal state. l
- 1. a . 1. b. 2. a. 2. b. 3. a . 3. b. ECCS Pumo Discharoe Flowdow and Pressure - hiah The minimum flow SENSOR CHANNELS are provided to protect the HPCF, LPFL, and RCIC pumps from overheating when the pump is operating and the flow through the normal injection path is ,
insufficient to provide adequate pump cooling. The minimum ! flow valve is opened when pump discharge pressure is high enough to indicate pump operation and the flow is low enough : ! to indicate the potential for inadequate cooling. The ' minimum flow valve is automatically closed when the flow l rate is adequate to protect the pump. For the HPCF pumps, the minimum flow valve is also closed when discharge l pressure is low. These Functions are assumed to be OPERABLE and capable of closing the minimum flow valves in the transients and i accidents analyzed in References 1, 2, and 8. The core cooling function of tt.c ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature ! remains below the limits of 10 CFR 50.46. ; One flow and one pressure transmitter per pump ais used to l detect the associated subsystem discharge pressure to verify the operation of the pump. Note that these pressure transmitters are not the same as the ones used in the ADS l permissive (Function 34). Data values representing pressure l and flow are received by the ESF DTM associated with the l pump initiation division via the EMS in the same division. The data values are compared to the respective setpoints to determine if the associated minimum flow valve is to be closed or opened. The LPFL minimum flow valves are time i delayed so the valves will not open unless high pressure i concurrent with low flow persists for [8] seconds. The time delay is provided to limit reactor vessel inventory loss ; during the startup of the RHR shutdown cooling mode. l l (continued) ABWR TS B 3.3-108 P&R 08/30/93
I' l ESF Actuation Instrumentation : B 3.3.1.4 , l l BASES l APPLICABLE 1.a. 1.b. 2.a. 2.b. 3.a. 3.b. ECCS Pumo Discharae Flow-tow SAFETY ANALYSIS, and Pressure - hiah (continued) LCO, and
- APPLICABILITY The ECCS System Flow Rate-Low Allowable Values are high
( Continued ) enough to ensure that pump flo.. rate is sufficient to protect the pump, yet low enough to ensure that the closure l of the minimum flow valve is initiated to allow full flow t ' l into the core. The ECCS Pump Discharge Pressure-High Allowable Values are set high enough to ensure that the valve will not be open when the pump is not operating. ; l One channel of these functions for each pump are required to l be OPERABLE when the associated ECCS is required to be , l OPERABLE, to ensure that no single instrument failure can ' preclude the ECCS function. Refer to LC0 3.S.1 and l LCO 3.5.2 for Applicability Bases for the ECCS subsystems. 2.c. HPCF Pump Suction Pressure-Low The HPCF low suction pressure SENSOR CHANNEL is provided to l protect the pump from damage due to cavitation. If the suction pressure is less than the pump NPSH requirement, the pump start will be inhibited. l The suction pressure data originates in a pressure transmitter and is sent via the EMS to the ESF DTM in the division that controls the HPCF pump being monitored. The SLU logic is arranged so that Low suction pressure must exist for a specified amount of time before pump start will , be inhibited to prevent spurious inhibits due to suction ' l pressure transients. The HPCF low suction pressure signal is automatically reset (i.e. no manual reset needed to remove the pump start inhibit when suction pressure recovers). The l HPCF Suction Pressurc-Low Function is assumed to be l OPERABLE and will not cause a spurious pump start inhibit during the transients and accidents analyzed in References 1, 2, and 8. The HPCF Suction Pressure-Low Allowable Value are selected to assure that there is sufficient NPSH for the pump and prevent spurious start inhibits due to normal fluctuations in suction pressure. (continued) ABWR TS B 3.3-109 P&R 08/30/93 o _ __
ESF Actuation Instrumentation B 3.3.1.4 BASES APPLICABLE 2.c. HPCF Pump Suction Pressure-Low (continued) SAFETY ANALYSIS, LCO, and One channel for each HPCF system is required to be OPERABLE APPLICABILITY when the NPCF is required to be OPERABLE. Refer to ( Continued ) LCO 3.5.1 and LC0 3.5.2 for HPCF Applicability Bases. 5.a. 5.b. 7.d. 7.e. Divisions I. II. & III Loss of Voltaae-6.9 kV and Dearaded Voltaae-6.9 kV. l The 6.9 kV busses are monitored to detect a loss of the l offsite power or degraded bus conditions. If the bus voltage l is less then required to support ESF Features, the l associated emergency Diesel-Generator (DG), provided as a i back up to the offsite power source, is started. These SENSOR CHANNELS are provided to assure that there is sufficient power available to supply safety systems should they be needed. This Function is assumed in the loss of offsite power analysis of reference 19. The RCW systein is ! also started on these Functions since it provides cooling for the diesels. The signals for this function originate in undervoltage relays connected to each phase of the 6.9 kV bus. The phases are connected so that the loss of a single phase will cause two of the undervoltage relays to trip. The three undervoltage relays are combined in 2/3 logic so that a loss of any phase will cause starting of the associated DG while a failure in one of the relays will not cause a spurious start. A time delay is provided to prevent starting the DG due to transient conditions on the bus. The undervoltage relay trip signals are transmitted to the ESF DTMs in the associated division via the EMS. Three channels of this Function are required to be OPERABLE in each of divisions I, II, & II in order to cause start of the associated DG on a valid signal. The Functions must be operable in MODES 1, 2, and 3 and in MODE 4 when any safety system is required to be OPERABLE as described in LCO 3.8.2. The Allowable values are selected high enough to detect degradation in offsite power loss to the point where it cannot supply the loads but low enough to assure that normal transients do not cause a spurious DG start. The degraded voltage Function uses a higher voltage set point but a longer time delay than the loss of voltage Function. (continued) ABWR TS B 3.3-110 P&R 08/30/93
l I ESF Actuation Instrumentation j B 3.3.1.4 BASES j APPLICABLE 1.c. 2.d. 3.c. 4.a. ECCS Systems Initiation. '! SAFETY ANALYSIS, l LCO, and These Functions are the LOGIC CHANNELS that send initiation l APPLICABILITY data to the OUTPUT CHANNELS for the ECCS systems. Two LOGIC l ( Continued ) CHANNELS (dual redundant SLUs) must be OPERABLE when the l associated ECCS Feature is required to be OPERABLE. The i applicability basis for the ECCS systems are given in LCO ' 3.5.1 and 3.5.2. A LOGIC CHANNEL is OPERABLE when it is capable of calculating device actuation data and transmitting it to the OUTPUT CHANNELS. ; 10.a. 11.a. 12.a. 13.a. and 14.a Isolation Initiation. These Functions are the LOGIC CHANNELS that send initiation data to the OUTPUT CHANNELS for the various isolation valves. The sensor Functions for each of the isolation ! valves are as described in LC0 3.3.1.1, "SSLC Sensor Instrumentation". ; i Two LOGIC CHANNELS (dual redundant SLUs) must be OPERABLE ' ! when the associated isolation. function is required to be l OPERABLE. See LC0 3.3.1.1, "SSLC Sensor Instrumentation" for the basis. A LOGIC CHANNEL is OPERABLE when it is capable of generating initiation data and transmitting it to-the associated OUTPUT CHANNEL. 1.d. 2. e. 3.d. 4. b. 5.d. 6. b. 7. b. 8. b. 9. b. 10. b. 11. b. j 12.b. 13.b. and 14.b. ESF Device Actuation. These functions are the OUTPUT CHANNELS that cause the ESF devices (e.g. pumps, valves) to begin performing their intended plant protective action. There is an OUTPUT CHANNEL connected to each actuated device that causes the device ! state to change to the state suitable for its protective l Function. Each output receives an appropriate signal from I the associated LOGIC CHANNEL when a protective action is j required. The OUTPUT CHANNEL Functions must be OPERABLE when the associated ESF Feature is required to be OPERABLE. The channels are OPERABLE when they are capable of going to the state needed to perform the protective action. (continued) ABWR TS B 3.3-111 P&R 08/30/93 l
i i l ESF Actuation Instrumentation ! B 3.3.1.4 i l \ BASES i i APPLICABLE 1.e. 2.f. 3.e. ECCS Iniection Manual Initiation. : SAFETY ANALYSIS, ! LCO, and The Manual Initiation push button channels introduce signals l APPLICABILITY into the appropriate ECCS logic to provide manual initiation : l ( Continued ) capability that is redundant to the automatic initiation l SENSOR CHANNELS. There is one push button for each of the . l ECCS pumps. The manual actuation data is acquired by the SLU l that controls the ECCS pumping subsystem, except for HPCF B. HPCF B Manual Initiation is hardwired to provide a diverse : means of ECCS initiatien. ' The Manual Initiation function is not assumed in any accident or transient analyses in the ABWR SSAR. However, i the Function is retained for overall redundancy and i diversity of the ECCS Features as required by the NRC in the plant licensing basis. l There is no Allowable Value for this Function since it is mechanically actuated based solely on the position of the LPFL initiation switches. Each division of the Manual Initiation Function is required to be OPEPABLE when the i associated ECCS is required to be OPERABLE. Refer to l LC0 3.5.1 and LC0 3.5.2 for Applicability Bases for the ECCS l subsystems. l l 4.c. ADS Manual Initiation The Manual Initiation push button channels introduce signals into the ADS logic to provide manual initiation capability that is redundant to the automatic SENSOR CHANNELS. There are two push buttons for each ADS division trip system (total of four). The manual actuation data is acquired by ' the SLUs that controls the ADS subsystems. Both switches associated with one of the ADS divisions must be activated l to initiate ADS. t The Manual Initiation Function is not assumed in any accident or transient analyses in the ABWR SSAR. However, the Function is retained for overall redundancy and diversity of the ADS function as required by the NRC in the plant licensing basis. There is no Allowable Value for this Function since the i division is mechanically actuated based solely on the position of the push buttons. Four channels of the Manual I (continued) ABWR TS B 3.3-112 P&R 08/30/93 1
4 ESF Actuation Instrumentation B 3.3.1.4 I BASES APPLICABLE 4.c. ADS Manual Initiation (continued) SAFETY ANALYSIS, LCO, and Initiation Function (two channels and two pushbuttons per : APPLICABILITY ADS trip system) are only required to be OPERABLE when the ; ( Continued ) ADS is required to be OPERABLE. Refer to LC0 3.5.1 for ADS l Applicability Bases. 6 5.c. 7.c. 9.c. ESF Manual Initiation. The Manual Initiation push button channels introduce signals into the appropriate ESF Feature logic to provide manual initiation capability that is redundant to the automatic initiation SENSOR CHANNELS. There is one push button for i each of the ESF systems with manual initiation capability. i The manual actuation data is acquired by the SLU that , controls the ESF Feature. , l The ESF Manual Initiation Function is not assumed in any i accident or transient analyses in the ABWR SSAR. However, the Function is retained for overall redundancy and diversity of the ECCS Features as required by the NRC in
- the plant licensing basis.
There is no Allowable Value for this Function since it is : mechanically actuated based solely on the position of the LPFL initiation switches. Each channel of the Manual Initiation Function is required to be OPERABLE when the : associated ESF Feature is required to be OPERABLE. t 10.c. 11.c. 12.c. 13.c. and 14.c. Isolation Valve Manual : Initiation The Manual Initiation push button channels introduce signals into the isolation logic to provide manual initiation capability that is redundant to the automatic SENSOR , CHANNELS. There are two push buttons for each isolation Function. One pushbutton controls the inboard valve (s) for i isolating the flow path (s) and the second controls the outboard valve (s). The manual actuation data is acquired by
. the SLU in the same division as the valve. Either of the i pushbuttons causes the flow path to be isolated. !
4 The Manual Initiation Function is not assumed in any accident or transient analyses in the ABWR SSAR. However, (continued) ABWR TS B 3.3-113 P&R 08/30/93 1 > _. _ 1 1
l I ESF Actuation Instrumentation B 3.3.1.4 : I BASES APPLICABLE 10.c. 11.c. 12.c. 13.c. and 14.c. Isolation Valve Manual SAFETY ANALYSIS, Initiation (continued) LCO, and ' l APPLICABILITY the Function is retained for overall redundancy and ( Continued ) diversity of the ADS function as required by the NRC in the l plant licensing basis. , l There is no Allowable Value for this function since the division is mechanically actuated based solely on the ; position of the push buttons. Two channels of the Manual ' Isolation Initiation Functions are required to be OPERABLE when the associated isolation Function is required to be r OPERABLE. t 5.e Diesel Generator Initiation. The Diesel Generators (DG) are used to supply emergency back , up power to the ESF systems. The division 11 and III DGs < receive a start signal when HPCF is initiated and all three t divisions receive a start signal when the LPFL's are . initiated. Each DG also receives a start signal from the ; divisional 6.9 KV bus monitors. ; The DGs LOGIC CHANNELS are required to be OPERABLE in MODES ! 1,2, 3, and in MODE 4 and 5 when the associated features are required to be OPERABLE. 6.a Standby Gas Treatment Initiation. , The Standby Gas Treatment (SGTS) systems removes radioactive : gasses from the containment atmosphere following a LOCA and ! when the normal offgas treatment system is unable to maintain containment activity levels within specified bounds. The OPERABILITY of the SGTS is implicitly assumed in l plant offsite dose calculations. The SGTS system is initiated on high drywell pressure, low i level 3, Reactor building area high radiation, or fuel handling area high radiation. This LOGIC CHANNEL Function is required to be OPERABLE in the MODES and other conditions I that the SGTS is required to be OPERABLE. ( l l (continued) ABWR TS B 3.3-114 P&R 08/30/93
i I ! ESF Actuation Instrumentation : ! B 3.3.1.4 i BASES APPLICABLE 7.a. Reactor Buildinc Coolina Water / Service Water SAFETY ANALYSIS, Initiation, t LCO, and j APPLICABILITY This Function is included to provide confidence that the ' ( Continued ) HVAC needed to support ESF systems is within the design basis. The initiation occurs on high drywell pressure, low level 1, or 6.9 KV emergency bus monitors. This Function is j not explicitly assumed in any accident or transient analysis ! in the ABWR SSAR. These signals, or suppression pool high temperature, also initiate shedding of non-essential loads. This LOGIC CHANNEL Function is required to be OPERABLE in ; MODES 1, 2, & 3 and in MODE 4 and 5 when the DGs are i required to be OPERABLE. l 8.a. Containment Atmospheric Monitorina System Initiation. l The Containment Atmospheric Monitoring (CAM) system provides indications of the activity level in the containment following a LOCA. The CAM system is automatically started on a high drywell pressure or low level 1 signal. Two CAM : systems are provided, one in division I and one in division , II. The OPERABILITY of the CAM is not assumed in any ABWR ; SSAR transient or accident analysis. l l The CAM automatic start LOGIC CHANNEL Function must be OPERABLE in MODES 1, 2 & 3 since these are the MODES where the CAM system is required to be operable. 9.a. Suppression Pool Coolina Initiation. Suppression pool cooling is included to provide confidence that containment overpressure will not occur. Therefore, j this Function is automatically initiated on high suppression I pool temperature. The suppression pool cooling initiation is j needed to keep the energy in the containment within the I assumptions of the containment pressure analysis. The suppression pool cooling LOGIC CHANNEL Function must be OPERABLE in MODES 1, 2, & 3 since these are the MODES where suppression pool cooling is required to be OPERABLE. ! i i l l l (continued) ABWR TS B 3.3-115 P&R 08/30/93 l 1
. . - =- .
i ESF Actuation Instrumentation ! B 3.3.1.4 : i BASES t l ACTIONS A Note has been provided to modify the ACTIONS. l Section 1.3, Completion Times, specifies that once a ! ' Condition has been entered, subsequent trains, subsystems, i components, or variables expressed in the Condition, !
- discovered to be inoperable or not within limits, will not j l result in separate entry into the Condition. Section 1.3 '
also specifies that Required Actions of the Condition l continue to apply for each additional failure, with ; Completion Times based on initial entry into the Condition. l However, the Required Actions for inoperable ESF channels provide appropriate compensatory measures for multiple ; inoperable divisions. As such, a Hote has been provided " that allows separate Condition entry for each inoperable ESF l channels. ! f
- A.I. A.2.1. and A.2 2 This condition assures that appropriate actions are taken -
when one of a redundant pair of ESF LOGIC CHANNELS is inoperable. Placing the associated OUTPUT CHANNEL in bypass causes the logic to change from 2 out of 2 to 1 out of I so i initiation capability is maintained. However, the ESF ! Feature is more vulnerable to spurious actuation. l The 1 hour Completion Time for A.1 provides sufficient time ! for the operator to determine which OUTPUT CHANNELS are associated with the inoperable channel. Plant operation in
- this condition for the specified time does not contribute i significantly to plant risk. ;
Since plant protection is maintained and the potential for a , spurious trip is low because of the high reliability of the : logic, operation in this condition for an extended period is l acceptable. Therefore, a Completion Time of 30 days is allowed for restoring the inoperable channel (Action A.2.1). ; The probability of an event requiring the Function coupled ' with an undetected failure in the associated redundant LOGIC CHANNEL in the Completion Time is quite low. Also, redundant i ESF Features may provide adequate plant protection given the unavailability of the associated Features. The self-test capabilities of the SSLC provide a high degree of confidence ! (continued) ABWR TS B 3.3-116 P&R 08/30/93 i r
ESF Actuation Instrumentation B 3.3.1.4 , BASES ACTIONS A.1, A.2.1. and A.2.2 (continued) ( Continued ) that no undetected failures will occur within the allowable l Completion Time. Action A.2.2 provides an alternate to Action A.2.1. Verification of the OPERABILITY of any redundant Feature (s) ' provides confidence that adequate plant protection capability is maintained. Action A.2.2 does not apply to Features with no redundant alternate. The Completion Time for Action A.2.2 is as given for Action A.2.1. Implementing either of the Actions A.2.1 or A.2.2 provides confidence that plant protection is within the design basis so no further Action is required. E.:.1 : This Condition is provided to assure that appropriate action is taken for single or multiple inoperable channels that cause automatic or manual actuation of an ESF Feature to i become unavailable. However, automatic and manual initiatior, , for redundant features are not affected. l The I hour Completion Time for Action B.1 provides some amount of time to restore automatic or manual actuation ! before additional Required Actions are imposed. { Action B.1 either restores the intended plant protection , capability or will cause condition A to be invoked due to multiple entry into the condition table. C.1 , l l This Condition is provided to assure that appropriate action ; is taken for inoperable OUTPUT CHANNELS. The nature of the OUTPUT CHANNELS is such that the failure that makes the channel inoperable could also prevent bypassing the channel. ! Therefore, no distinction is made between one or two inoperable OUTPUT CHANNELS and an inoperable channel is assumed to make the associated device (pump, valve, etc.) unable to perform its protective action. (continued) ABWR TS B 3.3-117 P&R 08/30/93 , l _ _
l 1
\
ESF Actuation Instrumentation .I B 3.3.1.4 i BASES ) i ACTIONS C.1 (continued) j ( Continued ) { i Required Action C.1 restores the actuation capability for i the device controlled by the channel. Action C.2 provides an i' alternate to C.1 for some devices. Actuating the associated device is equivalent to the channel performing its intended Function and will place the associated device in the configuration needed to perform its protective action. Actuating the associated device cannot be performed if it would cause violation of other safety criteria, prevent I normal plant operation, create potential thermal shock, etc. l F The I hour Completion Time for Action C.1 provides some amount of time to restore automatic or manual actuation , j before additional Required Actions are imposed. The I hour l Completion Time for Action C.2 provides some amount of time ! l for the operator to determine if the associated device can i be actuated. l Dd l If the specified action for Conditions B or C are not . implemented within the specified Completion Times the ! j Feature (s) associated with the inoperable channel must be ! declared inoperable. Declaring the associated feature ! inoperable will cause entry into the appropriate Condition ! of LCOs that address the Feature so appropriate compensatory ; measures will be taken. ; I i l l This condition assures that appropriate compensatory measures are taken for the ADS LOGIC CHANNELS and OUTPUT , CHANNELS. For ADS, these channels cannot be tripped or i bypassed so the associated valves must be declared i inoperable if any one of the two channels is inoperable. ) The Completion Time provides adequate time for the operator ; to complete the action. The Completion Time is acceptable j because of the probability of an event requiring the feature - coupled with failures in redundant features within the time j frame is very low. j (continued) i t ABWR TS B 3.3-118 p&R 08/30/93 } . I
ESF Actuation Instrumentation B 3.3.1.4 BASES l
\
SURVEILLANCE REQUIREMENTS ( Continued ) SURVEILLANCE This LCO addresses the operability of the LOGIC CHANNELS and ) REQUIREHENTS OUTPUT CHANNELS for ESF which covers the SLUs, output 2/2 voter, and the manual actuation Functions. SR 3.3.1.3.1 Performance of the SENSOR CHANNEL CHECK provides confidence i that a gross failure of a device in a SENSOR CHANNEL has not l occurred. A SENSOR CHANNEL CHECK is a comparison of the ' parameter indicated in one SENSOR CHANNEL to a similar l l parameter in a different SENSOR CHANNEL. It is based on the assumption that SENSOR CHANNELS monitoring the same l parameter should read ap roximately the same value. ; Significant deviations between the channels could be an indication of excessive instrument drift on one of the I channels or other channel faults. A SENSOR CHANNEL CHECK will detect gross channel failure; thus, it is key to ; verifying the instrumentation continues to operate properly between each DIVISION FUNCTIONAL TEST. Agreement criteria are determined by the plant staff based on a combination of the channel instrument and parameter indication uncertainties. The high reliability of each channel provides confidence that a channel failure will be rare. In addition, the continuous self tests provide confidence that failures will be automatically detected. However, a low surveillance , interval of 12 hours is used to provide confidence that gross failures which do not activate an annunciator or alarm will be detected within 12 hours. The SENSOR CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO. , l l SR 3.3.1.3.2 An OUTPUT CHANNEL FUNCTIONAL TEST is performed on each OUTPUT CHANNEL to provide confidence that an ESF device will l actuate as intended. This test overlaps or is performed in (continued) ABWR TS B 3.3-119 P&R 08/30/93
ESF Actuation Instrumentation { B 3.3.1.4 ! BASES ! SURVEILLANCE SR 3.3.1.3.2 (continued) ! REQUIREMENTS ( Continued ) c conjunction with the COMPREHENSIVE FUNCTIONAL TEST in SR ; 3.3.1.3.4 to provide end to end testing. : The [18] month frequency is based on the ABWR expected REFUELING INTERVAL and the need to perform this Surveillance under the conditions that apply during a plant outage to reduce the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The high reliability of the devices used in the OUTPUT CHANNELS provide confidence that the specified frequency is adequate. SR 3.3.1.3.3 A DIVISIONAL FUNCTIONAL TEST is performed on the LOGIC CHANNELS and SENSOR CHANNELS in each ESF division to provide confidence that the functions will perform as intended. The , test is performed by replacing the normal signal with a test i signal as far upstream in the channel as possible within the i constraints of the instrumentation design and the need to i' perform the surveillance without disrupting plant operations. See LC01.1 for additional information on the scope of the test. The devices used to implement the Functions are of high reliability and have a high degree of redundancy. Therefore, the [92] day frequency provide confidence that device Actuation will occur when needed. This test overlaps or is performed in conjunction with the DIVISIONAL FUNCTIONAL TESTS performed under LC0 3.3.1.1 to provide testing up to the final actuating device. SR 3.3.1.3.4 A COMPREHENSIVE FUNCTIONAL TEST tests a division using a selected range of sensor inputs into the division while simulating the other three divisions as appropriate. This test verifies the OPERABILITY of all SENSOR CHANNELS, LOGIC CHANNELS, and OUTPUT CHANNELS. See LCO 1.1 for additional information on the scope of this test. (continued) ABWR TS B 3.3-120 P&R 08/30/93 1
ESF Actuation Instrumentat'.on B 3.3.1.4 BASES SURVEILLANCE SR 3.3.1.3.4 (continued) REQUIREMENTS ( Continued ) This surveillance overlaps or is performed in conjunction ; with the COMPREHENSIVE FUNCTIONAL TESTS in LC0 3.3.1.1. The combined or overlapping tests provide complete end-to-end ! testing of all ESF protective actions. l The [18] month frequency is based on the ABWR expected REFUELING INTERVAL and the need to perform this Surveillance under the conditions that apply during a plant outage to reduce the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The high reliability of the devices used in the SSLC processing coupled with the CHANNEL FUNCTIONAL TESTS provide confidence l that the specified frequency is adequate. 1 SR 3.3.5.1.5 This SR ensures that the individual channel response times for ECCS actuation are less than or equal to the maximum . values assumed in the accident analysis. Response time ! testing acceptance criteria are included in Reference [ ]. ' l The [18] month frequency is based on the ABWR expected l REFUELING INTERVAL and the need to perform this Surveillance under the conditions that apply during a plant outage. The high reliability of the devices used in the ESF and ECCS processing coupled with operating experience which shows that random failures of instrumentation and embedded processor components causing serious time degradation, but not channel failure, are infrequent provide confidence that the specified Frequency is adequate. l SR 3 . 3.1. l_ . 6 A SENSOR CHANNEL CAllBRATION is a complete check of the instrument loop and the sensor. This test verifies a SENSOR ; CHANNEL responds to the measured parameter within the . necessary range and accuracy. SENSOR CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations. Measurement error historical determinations must be performed consistent with the plant specific setpoint methodology. The channel shall (continued) l ABWR TS B 3.3-121 P&R 08/30/93 . i
ESF Actuation Instrumentation B 3.3.1.4 BASES SURVEILLANCE SR 3.3.1.1.6 (continued) REQUIREMENTS ( Continued ) be left calibrated consistent with the assumptions of the setpoint methodology. As noted, the calibration includes calibration of all parameters used to establish deri- ed setpoints and all parameters used to automatically L.< ass a trip function. If the as found trip point (fixed or variable) is not within its Allowable Value, the plant specific setpoint methodology may be revised, as appropriate, if the history and all other pertinent information indicate a need for the revision. Suitable calibration shall be provided that is consistent with the assumptions of the current plant specific setpoint methodology. SR 3.3.1.3.7 An manual initiation CHANNEL FUNCTIONAL TEST is performed on each required manual initiation channel to provide confidence that an ESF device will actuate as intended. The [18] month frequency is based on the ABWR expected REFUELING INTERVAL and the need to perform this Surveillance under the conditions that apply during a plant outage to reduce the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The high reliability of the devices used for manual initiation provide confidence that the specified frequency is adequate. REFERENCES 1. ABWR SSAR, Section [5.2].
- 2. ABWR SSAR, Section [6.3].
- 3. ABWR SSAR, Chapter [15].
- 4. ABWR SSAR, Chapter [ ]
ABWR TS B 3.3-122 P&R 08/30/93
1 ESF Actuation Instrumentation B 3.3.1.4 ! l BASES i Table B3.3.1.3-1 (Page 1 of 1) ESF Systems Instrumentation i
- 1. Low Pressure Core Flooder Actuation. l
- 2. High Pressure Core Flooder Actuation.
- 3. Reactor Core Isolation Cooling System Actuation. .
r
- 4. Automatic Depressurization System.
- 5. Diesel-Generator Actuation.
- 6. Standby Gas Treatment System Actuation. ,
- 7. Reactor Building Cooling Water / Service Water Actuation.
- 8. Containment Atmospheric Monitoring ;
- 9. Suppression Pool Cooling Actuation.
- 10. Primary Containment Isolation Valves Actuation. ,
- 11. Secondary Containment Isolation Valves Actuation.
- 12. Reactor Core Isolation Cooling Isolation Actuation.
- 13. Reactor Water Cleanup Isolation Actuation.
- 14. Shutdown Cooling System Isolation Actuation. ,
6 i t ABWR TS B 3.3-123 P&R 08/30/93
l r SRNM Instrumentation 1 B 3.3.2.1 ! l i B 3.3 INSTRUMENTATION , B 3.3.2.1 Startup Range Neutron Monitor (SRNM) Instrumentation ; i l BASES t BACKGROUND The SRNMs provide the operator with information relative to , the neutron level from very low flux levels to 15% power. i There is sufficient overlap between the SRNMs and the APRMs to assure continuous indication of core power level. The SRNM subsystem protects against abnormal reactivity ; insertions when the plant is in the startup power range by sending a trip signal to the RPS on a high neutron flux level or short reactor period (i.e. high rate of flux increase). The setpoints are selected to provide confidence in maintaining fuel integrity for the worst reactivity insertion event coincident with the most limiting SRNM ; bypass or out of service condition. f The SRNM subsystem of the Neutron Monitoring System (NMS) consists of ten channels connected to detectors which are evenly distributed throughout the core and located slightly above the fuel mid-plane. Each channel consists of a fission ' chamber with associated cabling, signal conditioning equipment, and electronics to implement the various SRNM functions. The SRNM's are assigned to the four Neutron Monitoring System (NMS) divisions as follows: ; Division 1: SRNM Detectors A, E & J i Division II: SRNM Detectors B & F ! l Division III: SRNM Detectors C, G & L i Division IV: SRNM Detectors D & H The SRNM channels are divided into three bypass Groups. One 1 channel from each Group may be bypassed (i.e. bypass of up to three channels). The Groups are arranged so there is at least one unbypassed channel in each division ancl one unbypassed channel in each core quadrant. The SRNMS are assigned to the following bypass Groups: Group 1: SRNM A, B, F, G l Group 2: SRNM C, E, H Group 3: SRNM D, J, L (continued) l ABWR TS B 3.3-124 P&R 08/30/93 1
! SRNM Instrumentation B 3.3.2.1 BASES BACKGROUND There are three multiposition operator control switches that ( Continued ) correspond to the Groups, so that only one channel from each l Group can be bypassed. In addition to scram and rod block functions, each SRNM ; i channel includes indication and alarm functions. Scram and rod block functions are addressed by other LCOs while this LCO addresses OPERABILITY requirements only for the ' monitoring and indication functions. 5 During refueling, shutdown, and low power operations, the primary indication of neutron flux levels is provided by the SRNMs. During refueling special movable detectors may be connected to the normal SRNM circuits. The SRNMs provide monitoring of reactivity changes during fuel or control rod movement and give the control room operator early indication j of unexpected subtritical multiplication that could indicate ; an approach to criticality. APPLICABLE Prevention and mitigation of prompt reactivity excursions $ SAFETY ANALYSIS during refueling and low power operation are provided by: i t
- LC0 3.9.1, " Refueling Equipment Interlocks"
- LCO 3.1.1, " SHUTDOWN MARGIN (SDM)" t
^
l LC0 3.3.1.1, "SSLC SENSOR Instrumentation," Startup l Range Neutron Monitoring Flux High/ Flux short period i i and Average Power Range Monitor Neutron Flux-High/Setdown Functions !
- LC0 3.3.5.1, " Control Rod Block Instrumentation."
The applicable safety analysis for the SRNMs are covered by ? the listed LCOs. This LC0 is included in the technical r i specifications since the SRNMs are the only indication of l neutron flux levels during refueling and during those ! portions of startup where the APRMs are off scale. The SRNM instrumentation satisfies Criterion 2 of the NRC Policy Stateme ~ LCO While in MODE 2 with the APRMs downscale, at least seven SRNM channels are required to be OPERABLE to monitor the I reactor flux level prior to and during control rod withdrawal, to monitor subcritical multiplication and reactor criticality, and to monitor neutron flux level and . reactor period until the flux level is within the range of (continued) ABWR TS B 3.3-125 P&R 08/30/93 l l l
1 l l SRNM Instrumentation l [ B 3.3.2.1 l BASES LCO the APRMs. The assignment of SRNM detectors to the four ( Continued ) divisions and three bypass Groups are such that with one division INOPERABLE or one group in bypass the indications provide an adequate representation of the overall core response during those periods when reactivity changes are occurring throughout the core The preferred configurationis to have the SLNMs in different core quadrants. In MODES 3 and 4, with the reactor shut down, two SRNM channels are sufficient to provide redundant monitoring of flux levels in the core. The preferred configuration is to ; have the SRNMs in different core quadrants. In MODE 5, during a spiral offload or reload, an SRNM outside the fueled region is not required to be OPERABLE, since it is not capable of monitoring neutron flux in the(a) fueled region of the core. Thus, the LC0 (per footnote in Table 3.3.2.1-1) permits CORE ALTERATIONS in a quadrant with no OPERABLE SRNM in an adjacent quadrant when the bundles being spiral reloaded or spiral offloaded are all in a single fueled region containing at least one OPERABLE SRNM. Spiral reloading and offloading are core alterations in a cell on the edges of a continuous fueled region (the cell can be reloaded or offloaded in any sequence). In nonspiral routine operations, two SRNMs are required to be OPERABLE to provide redundant monitoring of reactivity changes occurring in the reactor core. Because of the local nature of reactivity changes during refueling, adequate ; coverage is provided by requiring one SRNM to be OPERABLE in the quadrant of the reactor core where CORE ALTERATIONS are being performed and one SRNM to be OPERABLE in an adjacent quadrant. These requirements ensure that the reactivity of the core will be continuously monitored during CORE ALTERATIONS. Footnote (b) to Table 3.3.2.1-1 permits the substitution of ; movable detectors for the fixed detectors during CORE > ALTERATIONS. These special detectors must be connected to the normal SRNM circuits in the NMS such that the applicable i neutron flux indication can be generated. These special l detectors provide more flexibility in monitoring reactivity changes during fuel loading, since they can be positioned anywhere within the core during refueling. The movable detectors must meet the location requirements of SR 3.3.2.1.2, and all other required SRs for SRNMs. (continued) ABWR TS B 3.3-126 P&R 08/30/93
l l l SRNM Instrumentation B 3.3.2.1 l l BASES LCO For an SRNM channel to be considered OPERABLE, it must be ( Continued ) providing neutron flux monitoring indication. i APPLICABILITY The SRNMs are required to be OPERABLE in MODES 3, 4, 5, and in MODE 2 until neutron flux is within the range of the APRMs. In MODE 1 and in MODE 2 with the APRMs on scale, the APRMs provide adequate monitoring of reactivity changes in the core. ACTIONS A.1 In MODE 2, while the APRMs are downscale SRNMs provide monitoring of core reactivity and criticality. The assignment of the SRNM channels to the bypass Groups and SRNM divisions are such that there is adequate redundancy and core coverage when there is one required inoperable SRNM in each Group. Action A requires placing the inoperable channel in bypass within one hour. Since adequate redundancy and core coverage j is maintained, no further action is required. The Completion l Time is sufficient to permit the operator to perform the l action. l l B.1 If the Required Action for Condition A is not implemented within the allowed Completion Time, or if four or more channels are inoperable, the reactor must be placed in MODE 3. With all control rods fully inserted, the core is in its least reactive state with the most margin to criticality. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 i in an orderly manner and without challenging plant systems. l l C.1 and C.2 , With one or more required SRNM channels inoperable in MODE 3 or 4, the neutron flux monitoring capability is degraded or nonexistent. The requirement to fully insert all insertable control rods ensures that the reactor will be at its minimum reactivity level. Placing the reactor mode switch in the J (continued) I ABWR TS B 3.3-127 P&R 08/30/93
i i SRNM Instrumentation B 3.3.2.1 BASES l l ACTIONS C.1 and C.2 (continued) i' ( Continued ) shutdown position causes a scram and prevents subsequent l control rod withdrawal by maintaining a control rod block. The allowed Completion Time of I hour is sufficient to accomplish the Required Action, and takes into account the ' low probability of an event requiring the SRNM occurring during this time. D.1, D.2, and D.3 With one or more required SRNMs inoperable in MODE 5, the capability to detect local reactivity changes in the core during refueling is degraded or nonexistent. CORE ' ALTERATIONS must be immediately suspended, and action must be immediately initiated to insert all insertable control rods in core cells containing one or more fuel assemblies. j Suspending CORE ALTERATIONS prevents the two most probable l causes of reactivity changes, fuel loading and control rod l withdrawal, from occurring. Inserting all insertable ' control rods ensures that the reactor will be at its minimum reactivity, given that fuel is present in the core. Rcquired Action E.3, which must be initiated within 24 hours, is provided to ensure that having less than the required number of SRNMs inoperable with the vessel head , removed is not construed as a condition that allows continuous operations. Thus, entry into MODE 5 without the required SRNM channels OPERABLE is not allowed per LC0 3.0.4. Suspension of CORE ALTERATIONS shall not i preclude completion of the movement of a component to a ; safe, conservative position. ' Actions (once required to be initiated) to insert control rods and restore SRNMs must continue until all insertable i rods in core cells containing one or more fuel assemblies are inserted, and the required SRNMs are restored to OPERABLE status. L.1 With two required SRNMs inoperable in MODE 5, the ability to detect local reactivity changes in the core during refueling i is unavailable. Required Actions E.1, E.2, and E.3 are i already applicable and continue to be applicable. Required j J (continued) l ABWR TS B 3.3-128 P&R 08/30/93 j
^
I I SRNM Instrumentation B 3.3.2.1 BASES ACTIONS F.1 (continued) ( Continued ) Action F.1 modifies Required Action E.3 to require immediate initiation of action to restore one of the inoperable required SRNMs to OPERABLE status instead of requiring , initiation of action within the former Completion Time of ; [7] days. SURVEILLANCE The SRs for each SRNM Applicable MODE or other specified REQUIREMENTS condition are found in the SRs column of Table 3.3.2.1-1. - SR 3.3.2.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred between Channel Functional Tests. A CHANNEL CHECK is a comparison of the : parameter indicated on one channel to the same parameter indicated on other similar channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift or other channel faults in one of the channels. l f l Agreement criteria are determined by the plant staff, based l on a combination of the channel instrument uncertainties, l including indication and readability. If a channel is l outside the match criteria, it may be an indication that the ! instrument has drifted outside its limit. l The high reliability of each SRNM channel provides ! confidence that a channel failure will be rare. However, a l surveillance interval of [24] hours is used to provide l confidence that gross failures that do not activate an ! annunciator or alarm will be detected within [24] hours. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO. SR 3.3.2.1.2 To provide adequate coverage of potential reactivity changes in the core, one SRNM is required to be OPERABLE in the I (continued) ABWR TS B 3.3-129 P&R 08/30/93 I
I SRNM Instrumentation B 3.3.2.1 j BASES i l 1 SURVEILLANCE SR 3.3.2.1.2 (continued) REQUIREMENTS quadrant where CORE ALTERATIONS are being performed, and ! ( Continued ) another OPERABLE SRNM must be in an adjacent quadrant. Note 1 states that this SR is imposed only during CORE : ALTERATIONS. It is not required to be met at other times in MODE 5 since core reactivity changes are not occurring. This Surveillance consists of an evaluation to establish that the number and location of OPERABLE SRNM channels are appropriate for the core region undergoing alteration. Note 2 covers situations where only one SRNM is required to be OPERABLE, per footnote (b) in Table 3.3.2.1-1, so cnly the
- a. portion of this SR is required. Note 3 clarifies that l
the three requirements can be met by the same or different l OPERABLE SRNMs. The high reliability of each SRNM channel provides confidence that a channel failure will be rare. However, a , surveillance interval of [24] hours is used to provide confidence that the required number of SRNMs are operable during core alterations. The SR is also imposed when the quadrant undergoing alterations changes to provide confidence that the configuration of OPERABLE SRNM channels is appropriate. This SR supplements the alarms and/or annunciators that result from most failures and operational controls over refueling activities, which include steps to ensure that the SRNMs required by the LCO are in the proper quadrant. l t SR 3.3.2.1.3 This Surveillance consists of a verification of the SRNM instrument readout to ensure that the SRNM reading is greater than a specified minimum count rate. This ensures l that the detectors are indicating count rates typical of I neutron flux levels within the core. l l If thei are insufficient fuel assemblies in the core the i count rate will be to low to meet this SR. Therefore, the SR is modified by a Note that exempts an SRNM channel from the SR when there are four or less fuel assemblies adjacent to the SRNM and no other fuel assemblies are in the associated , core quadrant. With four or less fuel assemblies loaded around each SRNM and no other fuel assemblies in the (continued) l ABWR TS B 3.3-130 P&R 08/30/93 i
i SRNM Instrumentation B 3.3.2.1 i BASES SURVEILLANCE SR 3.3.2.1.3 (continued) REQUIREMENTS , ( Continued ) associated quadrant, even with a control rod withdrawn the configuration will not be critical. The Frequency is based upon channel redundancy and other information available in the control room, and ensures that ) the required channels are frequently monitored while core reactivity changes are occurring. When no reactivity changes are in progress, the Frequency is relaxed from 12 hours to 24 hours. SR 3.3.2.1.4 and SR 3.3.2.1.5 Performance of a CHANNEL FUNCTIONAL TEST demonstrates the associated channel will function properly. SR 3.3.2.1.4 is required in MODE 5, and the 7 day Frequency ensures that the channels are OPERABLE while core reactivity changes could be in progress. This 7 day Frequency is reasonable, based on the reliability of the devices used in the SRNM and on other Surveillances (such as a CHANNEL CHECK) that ensure proper functioning between CHANNEL FUNCTIONAL TESTS. SR 3.3.2.1.5 is required in MODE 2 with the APRMs downscale and in MODES 3 and 4. Since core reactivity changes do not i normally take place in these modes, the Frequency has been extended from 7 days to 31 days. The 31 day Frequency is based on the reliability of the processing devices used and on other Surveillances (such as CHANNEL CHECK) that ensure proper functioning between CHANNEL FUNCTIONAL TESTS. This Surveillance may be delayed on entry into the specified condition of Applicability. The SR must be performed within 12 hours of reaching a neutron flux level where the SRNMs are sufficiently below their upscale value to permit i satisfactory testing. The permissible delay is short compared to the surveillance interval and permits sufficient time to perform the surveillance. Note that surveillances parformed under LCO 3.3.1.1 overlap this SR to some degree. j (continued) ABWR TS B 3.3-131 P&R 08/30/93
SRNM lastrumentation B 3.3.2.1 BASES SURVEILLANCE SR 3.3.2.1.6 REQUIREMENTS ( Continued ) Performance of a CHANNEL CALIBRATION verifies the performance of the SRNM detectors and associated circuitry. The Frequency considers the plant conditions required to perform the test and the likelihood of a change in the system or component status. The neutron detectors are excluded from the CHANNEL CALIBRATION because they cannot readily be adjusted. The detectors are fission chambers , that are designed to have a relatively constant sensitivity l over the range, and with an accuracy specified for a fixed l useful life. l REFERENCES None. l l 1 ABWR TS B 3.3-132 P&R 08/30/93
~
i I Essential Multiplexir; Sy>'em (EMS) B ?.? ' 1 B 3.3 INSTRUMENTATION B 3.3.3.1 Essential Multiplexing System (EMS) BASES BACKGROUND The EMS is a data collection and data distribution system 4 that provides plant parameter data for use by the safety l systems in providing protective action. The EMS consists of ! remote multiplexing units (RMU), Control Room Multiplexing ; units (CMU), and a segmented dual redundant data , transmission path. The transmissions paths are ! reconfigurable so that most data transmission failures effect only one segment in one of the redundant paths. l The EMS is comprised of four independent divisions (Div. 1, 1 II, III, IV ). Strategically located RMUs gather data from l plant sensors, convert it to serial digital data, and transmit the data to the Safety System Logic and Control (SSLC) Digital Trip Modules (DTMs) over dual redundant optical data transmission paths. The RMUs also receive data representing the desired actions for controlled devices and i delivers it to the appropriate OUTPUT CHANNEL. The OUTPUT l l CHANNEL converts the data to a signal level suitable for the l controlled device. , l l The EMS includes a variety of self-test and monitoring features. The self test checks the health of the micro-processor, RAM, ROM, communications, data transmission : segments, and software. A hard failure will activate an : alarm and provide fault indication to the board level. Soft failures are logged to provide maintenance information. Reconfiguration status after a segment failure also activates an alarm. : i The dual redundant data transmission paths provide i communication between the RMUs and CMUs. The paths are > reconfigurable so that communication is maintained as long - as there is one OPERABLE path between all pairs of multiplexers. One path between any pair of units is called a
" segment" in this LCO. ;
A data transmission segment is OPERABLE when communication between a pair of multiplexers can occur over the segment. ' This requires the line drivers and line receivers on both ends to be OPERABLE and the path between the units to be OPERABLE. The EMS must also be capable of providing the (continued) ABWR TS B 3.3-133 P&R 08/30/93
i Essential Multiplexing System (EMS) l B 3.3.3.1 i i i l BASES BACKGROUND specified maximum throughput and the data error rates must ( Continued ) be within specified limits for it to be considered OPERABLE. APPLICABLE Some portion of the EMS is required to be operable in all SAFETY ANALYSIS, modes since there are one or more safety systems that LCO, and acquire data from the EMS in all modes. The applicable APPLICABILITY safety analysis for the various portions of the EMS are the analysis that apply to the Functions that acquire data from the EMS. The signal acquisition and conversion portions of l the EMS are adequately covered by the LCOs for the systems I that acquire and/or transmit data over the EMS. Therefore, this LCO addresses only the data transmission portion of the EMS. The Es sential Multiplexing System (EMS) does not directly l generate any trip functions so there are no specific Allowable Value for the EMS since the effect of any EMS l ' processing is included in the allowable values for the , Functions in systems that utilize the EMS.. ACTIONS A Note has been provided to modify the ACTIONS related to EMS. Section 1.3, Completion Times, specifies that once a i Condition has been entered, subsequent trains, subsystems, components, or variables expressed in the Condition, i discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. ; However, the Required Actions for inoperable EMS divisions provide appropriate compensatory measures for multiple ! inoperable divisions. As such, a Note has been provided that allows separate Condition entry for each inoperable EMS division. b:1 This Condition address the situation where there is some loss of data transmission redundancy in one EMS division but a complete data transmission path is maintained so the i systems serviced by the EMS can acquire the needed data. (continued) ABWR TS B 3.3-134 P&R 08/30/93
Essential Multiplexing System (EMS) B 3.3.3.1 BASES ACTIONS A.1 (continued) ( Continued ) All Functions required for protective actions remain OPERABLE and a single failure will not result in loss of protection. In addition, the self test features provide confidence that any additional failures will be automatically detected. This is an acceptable long term condition so the Completion Time specified for repair : corresponds to a maximum time equal to the refueling interval. However, the LC0 requires the repairs to be completed if a cold shutdown occurs prior to the next , refueling outage. i B.1 This Condition address the situation where there is some loss of data transmission redundancy in more than one EMS , division but complete data transmission paths are maintained ! in all divisions. This LC0 is included to assure that any degradation in data transmission redundancy in more than one i EMS division will be repaired on a reasonable schedule. The I Completion Time is based on the high reliability of the individual data transmission segments and the limited number of devices involved in each segment. C.1 If the required action of condition B is not accomplished l l within the required Completion Time, then additional EMS l l monitoring ( Action C.1) is required to provide confidence I l that adequate data transmission capability is maintained. l The Completion Times for C.1 are adequate to detect an inoperable EMS division soon enough so that the impact of any additional failures on plant risk is negligible. 1 Action C.2 requires preparation of a special evaluation to determine the root cause of the inoperable data transmission segment failure and to assure that it is not a potential ; common mode failure. I l (continued) ABWR TS B 3.3-135 P&R 08/30/93 l . - -
Essential Multiplexing System (EMS) B 3.3.3.1 BASES ACTIONS D.1 ( Continued ) When one or more EMS divisions become inoperable then the L Functions and/or Features associated with the EMS become unavailable. The loss of one or more EMS data transmission divisions is similar to the loss of multiple SENSOR CHANNELS in LC0 3.3.1.1 or LOGIC channels in LC0 3.3.1.2 and 3.3.1.3. : Therefore, declaring the associated Functions and Features to be inoperable will cause entry into the appropriate conditions in other LCOs and suitable compensatory measures will be implemented. The Completion Time is provides adequate time for the operator to determine which Functions and/or Features need to be declared inoperable. i SURVEILLANCE SR 3.3.3.1.1 i REQUIREMENTS The operability of the EMS data transmission segments should ' be periodically confirmed to assure that an adequate degree l of redundancy is maintained. This SR is included to provide l confidence that the data transmission segments are OPERABLE. l The test consists of assuring that the two data transmission , l paths between all connected pairs of multiplexers are
- i OPERABLE. The test assures that the line drivers and line '
receivers on both ends of each of the redundant paths between the multiplexers are OPERABLE. The test must also assure the ability to reconfigure the data transmission paths. Reconfiguration is accomplished by cross connecting the line drivers and line receivers to the data transmission l paths. The inability to reconfigure shall be treated as a loss of a single segment (i.e., Condition A). The EMS data transmission segments are constructed from a few highly reliable devices and the loss of segments while l maintaining data transmission integrity does not degrade J plant safety. Therefore, a frequency of [92] days is adequate. ; SR 3.3.3.1.2 l A comprehensive network analysis confirms that the data transmission capability is as intended. The test may be performed using commercially available equipment (continued) ABWR TS B 3.3-136 P&R 08/30/93
l Essential Multiplexing System (EMS) i B 3. .3.1 l l BASES , SURVEILLANCE SR 3.3.3.1.2 (continued) , REQUIREMENTS ( Continued ) specifically designed to perform tests on digital communication networ5. The network analysis provides l confidence that data error rates are within specified limits, signal quality is within specifications and the network is capable of handling the specified maximum required throughput. The [lB] month frequency is based on the ABWR expected , REFUELING INTERVAL and the need to perform this Surveillance under the conditions that apply during a plant outage to reduce the potential for an unplanned transient if the : Surveillance were performed with the reactor at power. The high reliability of the devices used in the EMS combined i with self tests intended to detect EMS degradation provide confidence that this frequency is suitable for detecting EMS inoperability. REFERENCES 1. ABWR SSAR, Section [ ].
- 3. ABWR SSAR, Section [ ].
l 4. ABWR SSAR, Chapter [15]. 1 I ABWR TS B 3.3-137 P&R 08/30/93 l l
ATWS & EOC-RPT Instrumentation B 3.3.4.1 B 3.3 INSTRUMENTATION j , B 3.3.4.1 Anticipated Transient Without Scram (ATWS) and End Of Cycle l Recirculation Pump Trip (EOC-RPT) Instrumentation BASES BACKGROUND The E0C-RPT is provided to improve margins to the MCPR limit during selected pressurization transient. ATWS features are provided to protect against the remote probability of a failure to insert all control rods when needed. The ATWS Functions initiate several devices to add negative l reactivity as a backup to control rod insertion by the hydraulic drives for events where the control rods may not ; be fully inserted. Tripping the recirculation pumps mitigates the effects of an ATWS event since it adds negative reactivity from the increase in steam voiding in the core region as core flow decreases. When the Reactor Vessel Water Level-Low, Level 3 or Reactor Steam Dome Pressure-High setpoint is reached, a specified number of the Reactor Internal Pumps ! (RIP) are tripped. If reactor level decreases to the Reactor l Vessel Water Level-Low, Level 2 setpoint the remaining RIPS ; I are tripped, with a specified number of the pumps tripped : l immediately and the others tripped after a specified delay. l The RIP trip at level 3 is included to mitigate level l transients and prevent level 2 ECCS initiations for I pressurization and inventory reduction events that are less severe than the design basis events while the level 2 trip is provided to trip all of the RIPS as required by the design basis. The Anticipated Transient Without Scram Alternate Rode Insert (ATWS-ARI) System initiates the electric motor-driven Fine Motion Control Rod Drives (FMCRD), a runback of the recirculation pumps and alternate scram air header uump l valves. The alternate air header dump valves are intended to cause the control rod hydraulic drives to insert the control rods and the electric drives provide an alternate to the hydraulic rod drives. The recirculation runback is provided to reduce void reactivity and reduce the extent of the level transient. l l (continued) ABWR TS B 3.3-138 P&R 08/30/93 L
--J J.-- % . . - - - - ----a - 4e a _A.. a ~ t . + >d -.a-w ! 4A. a-h4 44- -m34 ,n:-- t.
ATWS & E0C-RPT Instrumentation B 3.3.4.1 BASES BACKGROUND The ATWS-ARI Functions are included in the Recirculation ( Continued ) Flow Control (RFC) system and the' Rod Control and Information System (RCIS). The RFC system is a triple redundant microprocessor based system with the data needed by the ATWS Functions acquired from other systems over the multiplexing system. The RCIS is a dual redundant microprocessor based system with the data needed by the ATWS-ARI Functions acquired from other systems over the. multiplexing system. These systems are completely : independent of and diverse to the RPS. The data used is: ( i
- Four independent low level 2 discrete trip data from the ECCS portion of.the SSLC in the RFC. l
- Three independent discrete data representations of ;
reactor pressure from the Steam Bypass and Pressure ! l Control (SB&PC) system in the RFC. l l
- Four independent scram follow discrete trip data from the ECCS portion of the SSLC in the RCIS. ,
3 Independent ATWS-ARI signals are generated in all three RFC subsystems using 2/4 or 2/3 logic, as appropriate. ATWS-ARI initiation data from all three RFC subsystems are ! transmitted to both of the RCIS subsystems and to hardwired l logic in each of the controllers for the FMCRDs. Each RCIS l sends an initiation signal to the FMCRD controllers-when l l trip signals are received from .two of the three-RFCs or when ' a scram follow signal is received from any two' of the RPS i
- divisions. The hardwired logic in the drives provides an ,
! ATWS confirmation signal using logic similar to the RCIS. ! The FMCRDs are actuated when a signal- is received from both - ; of the RCIS channels and from the hardwired logic. ' The ' recirculation runback is initiated when a signal is received ! from both RCIS channels. l The E0C-RPT instrumentation initiates a trip of a specified , number of the Reactor Internal Pumps (RIP) to reduce the t peak reactor pressure and power resulting from turbine trip or generator load rejection transients to provide additional ' margin to core thermal MCPR-Safety Limits (SLs). The need for the additional negative reactivity in excess of that ; normally inserted on' a scram reflects end of cycle reactivity considerations. Flux shapes at the end of. cycle ! are such that the control rods may not be able to ensure ! that thermal limits are maintained during the first few feet of rod travel upon a scram caused by Turbine Control Valve (continued) ABWR TS- B 3.3-139 P&R 08/30/93 , I i 1 1
ATWS & EOC-RPT Instrumentation B 3.3.4.1 1 BASES
]
BACKGROUND (TCV) Fast Closure, Trip Oil Pressure-Low, or Turbine Stop ( Continued ) Valve (TSV)-Closure. The physical phenomenon involved is that the void reactivity feedback due to a pressurization transient can add positive reactivity at a faster rate than the control rods can add negative reactivity. The RPT Functions are included in the Recirculation Flow Control (RFC) system. The RFC system is a triple redundant microprocessor based system with the data needed by the RPT ; Functions acquired from other systems over the multiplexing system. The data used by the function is: Three independent low level 3 digital trip data from the feedwater Control (FWC) System for the ATWS-RPT. Four independent low level 2 discrete trip data from the ECCS portion of the SSLC for the ATWS-RPT. l - Three independent discrete data representations of l reactor pressure from the Steam Bypass and Pressure - Control (SB&PC) system for the ATWS-RPT. l Four independent composite discrete data values which are a trip state data value when either a Turbine Stop I Valve-Closure or Turbine Control Valve Fast Closure, l Trip Oil Pressure-Low scram initiation occurs. The data is received from the RPS portion of the SSLC and is used for the EOC-RPT. The logic for these signals i is described in the SSLC Sensor Instrumentation LC0 ; (LCO 3.3.1.1). Four discrete data values which represent an ATWS Permissive Condition orginating in the NMS. The data , is received from the RPS portion of the SSLC and is used for the ATWS-RPT. The basis for these signals is described in the SSLC Sensor Instrumentation LCO (LCO 3.3.1.1). Independent RPT signals are generated in all three RFC ' i subsystems using 2/4 or 2/3 logic, as appropriate. RPT data from all three RFC subsystems are transmitted to the RIP i l (continued) i i ABWR TS B 3.3-140 P&R 08/30/93 ; 1 ; l
l ATWS & E0C-RPT Instrumentation B 3.3.4.1 BASES BACKGROUND Adjustable Speed Drives (ASD) sia the multiplexing system. ( Continued ) The ASDs use 2/3 logic to implement the trip and include an adjustable delay on the trip actuation signals to the load interrupters.
- APPLICABLE The ATWS actions are not assumed in any ABWR SSAR safety l SAFETY ANALYSIS, analysis. The ATWS aids in preserving the integrity of the LCO, and fuel cladding following events in which a required scram may
! APPLICABILITY not occur. Based on its contribution to the reduction of overall plant risk, however, the instrumentation is included as required by the NRC Policy Statement. l The EOC-RPT of a specified number of RIPS is provided to l mitigate the neutron flux, heat flux and pressure transients, and to increase the margin to the MCPR SL for l events that cause a rapid shutoff of the steam flow to the ! main turbine. The analytical methods and assumptions used in evaluating the turbine trip and generator load rejection, as well as other safety analyses that assume EOC-RPT, are summarized in References 3, 4, and 5. 1 To mitigate pressurization on transient effects, the E0C-RPT l must trip the RIPS after initial movement of either the TSVs or the TCVs. The combined effects of this RIP trip and a l scram reduce fuel bundle power more rapidly than does a l scram alone, resulting in an increased margin to the MCPR I SL. Alternatively, MCPR limits for an inoperable E0C-RPT as specified in the COLR are sufficient to mitigate pressurization transient effects. The OPERABILITY of the ATWS and E0C-RPT is dependent on the OPERABILITY of the individual trip Functions. Each Function must have a required number of OPERABLE channels with their i trip points within the specified Allowable Values. The data value for the trip point is set consistent with applicable setpoint methodology assumptions. Channel 0PERABILITY also includes the associated RIP ASDs. A channel is inoperable if its actual trip point is not within its required Allowable Value. Allowable Values are specified for the SB&PC Reactor Steam
~
Dome Pressure-High, Feedwater Reactor Water Level-Low, level 3, and RIP Trip Delay Functions. The Allowable Values for the remaining Functions are covered by the SSLC Sensor Instrumentation LC0 (LCO 3.3.1.1). Nominal trip setpoints are established in the setpoint calculations. The data (continued) ABWR TS B 3.3-141 P&R 08/30/93
~. - - . __- I ATWS & EOC-RPT Instrumentation B 3.3.4.1 i BASES APPLICABLE values for the setpoints are selected to ensure the trip SAFETY ANALYSIS points do not exceed the Allowable Value between CHANNEL LCO, and CALIBRATIONS. Operation with a trip point less conservative APPLICABILITY than the nominal trip point, but within its Allowable Value, ( Continued ) is acceptable. Trip points are those predetermined values < of output at which an action should take place. The i setpoint data values are compared to the data values ; representing the measured process parameter (e.g., reactor vessel water level), and when the data value for the process , parameter exceeds the setpoint, the logic declares a tripped , condition and changes the state of the associated output ! data value. The analytic limits are derived from the [ limiting values of the process parameters obtained from the l safety analysis. The Allowable Values are derived from the ; analytic limits corrected for calibration, process, and some i of the instrument errors. The trip setpoint data values are l then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this ' manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, ; instrument drift, and severe environment errors (for I channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. The individual ATWS Functions are required to be OPERABLE in MODE 1 to protect against postulated common mode failures of the Reactor Protection System by providing a diverse trip to mitigate the consequences of a postulated ATWS event. In ! MODE 1 the reactor is producing significant power and the i recirculation system could be at high flow. During this - MODE, the potential exists for pressure increases or low i water level, assuming an ATWS event. In MODE 2, the reactor : is at low power and the recirculation system is at low flow; l thus, the potential is low for a pressure increase or low l water level, assuming an ATWS event. Therefore, ATWS is not i necessary. In MODES 3 and 4, the reactor is shut down with j all control rods inserted; thus, an ATWS event is not ! significant and the possibility of a significant pressure increase or low water level is negligible. In MODE 5, the I one-rod-out interlock ensures the reactor remains subcritical; thus, an ATWS event is not significant. In addition, the reactor pressure vessel (RPV) head is not fully tensioned and no pressure transient threat to the reactor coolant pressure boundary (RCPB) exists. l I (continued) .
\
I ABWR TS B 3.3-142 P&R 08/30/93
ATWS & E0C-RPT lastrumentation B 3.3.4.1 BASES APPLICABLE EOC-RPT instrumentation satisfies Criterion 3 of the NRC SAFETY ANALYSIS Policy Statement. The modes and other conditions where the LCO, and EOC-RPT must be OPERABLE are as specified for the turbine l APPLICABILITY stop valve closure and turbine control valve fast closure l ( Continued ) Functions in the SSLC Sensor Instrumentation LCO (LC0 3.3.1.1). The specific Applicable Safety Analyses and LC0 discussions are listed below on a Function by Function basis.
- 1. Feedwater Reactor Vessel Water level-Low. Level 3 Low RPV water level indicates the capability to cool the l fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the ATWS-RPT System trips a specified number of RIPS at Level 3 to aid in i maintaining level above the top of the active fuel. The l reduction of core flow reduces the neutron flux and THERMAL POWER and, therefore, the rate of coolant boiloff. '
The Feedwater Reactor Vessel Water Level-Low, Level 3 data y originates from three level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Data from the l three level transmitters are received by the three FWC : controllers via the three plant multiplexing systems. Level 3 trip data is generated in the FWC and the results from all three FWC controllers by each of the three RFC controllers which use 2/3 logic to create RPT data. : Three channels of the Reactor Vessel Level-Low, Level 3 Function with are available and required to be OPERABLE to l ensure that no single instrument failure can preclude an l ATWS-RPT from this Function on a valid signal. The l Allowable Value is the same as the SSLC Allowable Value (see l LC0 3.3.1.1).
- 2. Reactor Vessel Water Level-Low, level 2 Low RPV water level indicates the capability to cool the '
fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ATWS mitigation is initiated if water level continues to decrease to Level 2 (continued) ABWR TS B 3.3-143 P&R 08/30/93 i
i ATWS & E0C-RPT Instrumentation . B 3.3.4.1 BASES i APPLICABLE 2. Reactor vessel Water Level-Low Level 2 (continued) ; SAFETY ANALYSIS LCO, and to aid in maintaining level above the top of the active fuel APPLICABILITY and to provide alternate methods for reducing core , ( Continued ) reactivity. The actions reduce the neutron flux and THERMAL l POWER and, therefore, the rate of coolant boiloff. Reactor Vessel Water Level-Low, Level 2 trip data is received from all four SSLC divisions. The ATWS trip logic ; will generate a trip data value when 2 of the four are in a tripped state. A trip will occur when needed and spurious trips cannot occur if three of the four level 2 data values are valid. The basis for this function is as described in the SSLC LC0 (LCO 3.3.1.1). Four channels of Reactor Vessel Level-Low, Level 2 are j available and three are required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. l
- 3. SB&PC Reactor Steam Dome Pressure-Hiah Excessively high RPV pressure may rupture the RCPB. An l increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This increases neutron flux and THERMAL POWER, which could potentially result in fuel failure and RPV overpressurization. The SB&PC Reactor Steam Dome Pressure-High Function initiates ATWS for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power generation.
For the overpressurization event, the actions aid in the termination of the ATWS event and, along with the safety / relief valves (S/Rvs), limits the peak RPV pressure ; to less than the ASME Section III Code Service Level C i ! limits (1500 psig). I l The SB&PC Reactor Steam Dome Pressure-High data originates from three pressure transmitters that monitor reactor steam dome pressure. Data from the three transmitters are received by the three SB&PR controllers via the three plant multiplexing systems. Data values for all three sensor are received by each of the three RFC controllers which use 2/3 logic to create RPT data. Three channels of Reactor Steam Dome Pressure-High are available and required to be (continued) ABWR TS B 3.3-144 P&R 08/30/93 4 1
i ATWS & E0C-RPT Instrumeatetion B 3.3.4.1 , I BASES I APPLICABLE 3. SB&PC Reactor Steam Dome Pressure-Hiah (continued) ! SAFETY ANALYSIS , LCO, and OPERABLE to ensure that no single instrument failure can , l APPLICABILITY preclude an initiation from this Function on a valid signal. l ( Continued ) The SB&PC Reactor Steam Dome Pressure-High Allowable Value . l is chosen to provide an adequate margin to the ASME l Section III Code Service Level C allowable Reactor Coolant System pressure.
- 4. EOC-RPT Initiation.
l The E0C-RPT initiation signal is a composite signal received ; l from the SSLC. The allowable values, applicable safety . l analysis, and applicability of this function is as described ! l in the SSLC LC0 (LC0 3.3.1.1) for the Turbine Stop Valve-l Closure and Turbine Control Valve Fast Closure, Trip Oil i Pressure-Low Functions. l Four channels of Turbine Steam Flow Rapid Shutoff E0C-RPT are available and three are required to be OPERABLE to l I provide confidence that no single instrument failure can
- preclude an ATWS-RPT from this function on a valid signal.
! Four channels of SRNM ATWS Permissive are available and l three are required to be OPERABLE to provide confidence that l no single instrument failure can preclude an ATWS-RPT from this function on a valid signal.
- 5. RPT Initiation Function of the RFC.
l The RFC must provide RPT initiation data to the ASD i l controllers. Each RFC sends RPT data to the ASD controllers. Three channels of RPT initiation must be operable to provide l confidence that no single instrument failure can preclude an l RPT from this Function on a valid signal. There is no allowable value associated with this function.
- 6. Ad.iustable Speed Drive Pump Trio Actuation The trip actuation devices in the ASD are required to be operable in order to complete the RIP trip Function. Each (continued) ,
i l i ABWR TS B 3.3-145 P&R 08/30/93 I I
P l l ATWS & EOC-RPT Instrumentation I B 3.3.4.1 l l BASES I APPLICABLE 6. Adiustable Speed Drive Pump Trio Actuation (continued) : SAFETY ANALYSIS I LCO, and ASD uses signals from the RPT Function in all three of the APPLICABILITY RFC controllers. A trip condition from any two of the ( Continued ) controllers will cause a trip of the associated RIP. Three , channels of pump trip actuation must be operable to provide : confidence that no single instrument failure can preclude an l RPT from this function on a valid signal. ; There is no allowable value associated with this function. ! 7 & 8. Adiustable Speed Drive Pump Trio Timers & Load ! Interrupters i t The ASDs provide timers to cause a small delay before i interrupting the devices that provide power to the RIPS. One l timer channel and load driver in each ASD is available and required to be operable. The Allowable Values are chosen to cause a trip of the pumps in a timely fashion while
- minimizing the effects of the transients caused by the pump ;
I trips. ! l l 9. RPS Scram Follow Sianal i An RPS scram indicates that control rod insertion is ! required. Therefore, an ATWS-ARI is initiated from these signals. The basis for this signal is as described in LCO ! 3.3.1.1. l Scram trip data is received from all four RPS SSLC : divisions. The ATWS-ARI trip logic will generate a trip data l value when 2 of the four are in a tripped state. A trip will ' occur when needed and spurious trips cannot occur if three of the four data values are valid. l Four channels of RPS Scram Follow Signal are required to be , OPERABLE to ensure that no single instrument failure can ' preclude an ATWS-ARI from this Function on a valid signal. ' l ,
- 10. Manual ATWS-ARI initiation.
l The Manual Initiation push button channels introduce signals into the ATWS-ARI logic to provide manual initiation capability that is redundant to the automatic initiation. (continued) { ABWR TS B 3.3-146 P&R 08/30/93 ,
ATWS & EOC-RPT Instrumentation B 3.3.4.1 l i i ! BASES ) l APPLICABLE 10. Manual ATWS-ARI Initiation. (continued) . SAFETY ANALYSIS l LCO, and There are two push buttons and both must be activated to ' APPLICABILITY initiate ATWS-ARI. ( Continued ) There is no Allowable Value for this Function since the division is mechanically actuated based solely on the position of the push buttons. Two channels of the Manual i Initiation Function are required to be OPERABLE when the ! ATWS-ARI is required to be OPERABLE.
- 11. ATWS- ARI Initiation Function of the RFC.
The RFC must transmit ATWS-ARI initiation data to the RCIS and electric drive controllers. Each of the three RFC channels sends initiation data to the RCIS and FMCRD controllers. Three channels of this~ Fur.. tion must be operable to provide confidence that no single instrument failure can preclude an ATWS-ARI initiation from this Function on a valid signal. l There is no allowable value associated with this function. l
- 12. ATWS-FMCRD Initiation Function of the RCIS. :
1 The RCIS must transmit ATWS-ARI initiation data to the FMCRD controllers. Both of the RCIS channels sends initiation : signals to the FMCRD controllers. Two channels of this t Function must be operable to provide confidence that ATWS- ! ARI initiation will occur on a valid signal. 1 There is no allowable value associated with this function. ;
- 13. ATWS-ARI Valve Actuation j The RFC sends Actuation signals to Alternate Rod Insertion !
(ARI) valves that are intended to cause control rod insertion from the hydraulic drives. All three RFC channels i send data to both of the ARI valves. The valves will open l , when Actuation signals are received from 2 of the 3 of the ; l RFC channels. Three channels of pump trip actuation must be ! l operable to provide confidence that no single instrument { l (continued) ABWR TS B 3.3-147 P&R 08/30/93
ATWS & EOC-RPT Instrumentation B 3.3.4.1 BASES i APPLICABLE 13. ATWS-ARI Valve Actuation (continued) . l SAFETY ANALYSIS ' LCO, and failure can preclude an ATWS-ARI from this Function on a APPLICABILITY valid signal. ( Continued ) There is no allowable value associated with this function.
- 14. FMCR0 Emeraency Insertion Inverter Control Loaic Each FMCRD controller receives emergency insertion signals from all three RFCs and scram follow signals from all four +
SSLC divisions. An emergency insertion signal is generated using 2/3 logic for the RFC signals or 2/4 logic on the scram follow signals. The FMCRD motors will start when a ; i signal is received from both RCIS channels and from the ' internal logic. One channel of this function must be OPERABLE when ATWS is required to be OPERABLE. 1
- 15. Recirculation Runback l
Each RIP receives a runback signal from the RCIS channels. l The RIP will go to its minimum speed when a trip signal is received on both RCIS channels. One channel of runback for each RIP is required to be OPERABLE when ATWS is required to be OPERABLE. 1 ACTIONS A Note has been provided to modify the ACTIONS related to RPT instrumentation channels. Section 1.3, Completion . Times, specifies that once a Condition has been entered, subsequent trains, subsystems, components, or variables , expressed in the Condition, discovered to be inoperable or ! l not within limits, will not result in separate entry into , the Condition. Section 1.3 also specifies that Required ! Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial ! entry into the Condition. However, the Required Actions for ! inoperable RPT instrumentation channels provide appropriate l compensatory measures for separate inoperable channels. As l such, a Note has been provided that allows separate Condition entry for each inoperable RPT instrumentation channel. (continued) ABWR TS B 3.3-148 P&R 08/30/93 i _ ._. - .1
i ATWS & E0C-RPT Instrumentation B 3.3.4.1 l BASES ACTIONS A.I. A.2.1. A.2.2.1. and A.2.2.2 l ( Continued ) These Actions assure that appropriate compensatory measures are taken when channel of a Function is inoperable. For the l Functions lised in the note, a failure in one channel will ! cause the actuation logic to become 2/2. ! l Action A.1 forces a trip condition in the inoperable division which causes the initiation logic to become 1/2 for i the Function. In this condition a single additional failure ; I will not result in loss of protection and the availability i of the Function to provide a plant protective action is i adequate so no further action is required when the l inoperable channel is placed in trip. Action A.2.1 bypasses the inoperable division which causes ! the logic to become 2/2 so the single failure criteria is , not met. Since overall redundancy is reduced, operation in i this condition is permitted only for a limited time. Action 1 A.2.2.1 restores the inoperable channel. Action A.2.2.2 ; repeats Action A.1 if repairs are not made within the allowable Completion Time of Action A.2.2.1. Either of the ! Actions A.2.2.1 or A.2.2.2 provides adequate plant protection capability so no further action is required. I i The Completion Time of six hours for implementing Actions ! A.1 and A.2.1 is based on providing sufficient time for the ! operator to determine which of the actions is appropriate. The Completion Time is acceptable because the probability of an event requiring the Function, coupled with a failure that would defeat the other channels associated with the Function, occurring within that time period is quite low. The self-test features of the RPT logic provide a high degree of confidence that no undetected failures will occur within the allowable Completion Time. Implementing Action A.2.1 causes the logic to be 2/2 so protective action capability is maintained as long as the other channels remain OPERABLE. Operation in this condition is restricted to 14 days (Actions A.2.2.1 and A.2.2.2 Completion Time). The probability of an event requiring plant scram, combined with failure to scram and an undetected failure in a second cxhannel of the function the in the Completion Time is quite low. The self-test features of the RPT logic provide a high degree of confidence that no (continued) ABWR TS B 3.3-149 P&R 08/30/93
ATWS & E0C-RPT Instrumentation B 3.3.4.1 BASES ACTIONS A.I. A.2.1. A.2.2.1. and A.2.2.2 (continued) ( Continued ) undetected failures will occur within the allowable Completion Time. B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same three channel function result in the function not maintaining RPT trip capability. A Function is considered to be maintaining RPT trip capability when sufficient channels are OPERABLE or in trip such that the RPT System will generate a trip signal from the given function on a valid signal. This requires two channels of the Function to be OPERABLE or in trip. The [72] hour Completion Time to restore two channels (Required Action B.1) is sufficient for the operator to take corrective action and takes into account the likelihood of an event requiring actuation of the RPT instrumentation during this period. Completion of Required Action B.1 places the system in the same state as in Condition A and multiple condition entry will then result is suitable compensatory measures. C.I. C.2.1, C.2.2.1, and C.2.2.2 These Actions assure that appropriate compensatory measures are taken when one channel of a Function with four channels becomes inoperable. For these Functions, a failure in one channel will cause the actuation logic to become 1/3 or 2/3 depending on the nature of the failure ( i.e failure which causes a channel trip vs. a failure which does not cause a channel trip). Therefore, an additional single failure will not result in loss of protection. Action C.1 forces a tt ip condition in the inoperable channel which causes the initiation logic to become 1/3 for the function. In this condition a single additional failure will not result in loss of protection and the availability of the Function to provide a plant protective action is at least as high as 2/4 trip logic. Since plant protection capability is (continued) ABWR TS B 3.3-150 P&R 08/30/93
l ATWS & EOC-RPT Instrumentation B 3.3.4.1 BASES l 1 APPLICABLE 13. ATWS-ARI Valve Actuation (continued) SAFETY ANALYSIS LCO, and failure tan preclude an ATWS-ARI from this Function on a APPLICABILITY valid signal. 1 ( Continued ) l There is no allowable value associated with this function.
- 14. FMCRD Emeroency Insertion Inverter Control Loaic ,
l Each FMCRD controller receives emergency insertion signals from all three RFCs and scram follow signals from all four ; SSLC divisions. An emergency insertion signal is generated using 2/3 logic for the RFC signals or 2/4 logic on the scram follow signals. The FMCRD motors will start when a , signal is received from both RCIS channels and from the ! internal Iogic. One channel of this function must be OPERABLE when ATWS is required to be OPERABLE.
- 15. Recirculation Runback Each RIP receives a runback signal from the RCIS channels.
The RIP will go to its minimum speed when a trip signal is ' received on both RCIS channels. One channel of runback for each RIP is required to be OPERABLE when ATWS is required to be OPERABLE. ACTIONS A Note has been provided to modify the ACTIONS related to RPT instrumentation channels. Section 1.3, Completion ' i Times, specifies that once a Condition has been entered, subsequent trains, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate , Condition entry for each inoperable RPT instrumentation l channel. (continued) ABWR TS B 3.3-14B P&R 08/30/93
i ! l ATWS & E0C-RPT Instrumentation l l B 3.3.4.1 l l l i BASES ACTIONS A.I. A.2.1. A.2.2.1, and A.2.2.2 ( Continued ) These Actions assure that appropriate compensatory measures are taken when channel of a Function is inoperable. For the functions lised in the note, a failure in one channel will cause the actuation logic to become 2/2. Action A.1 forces a trip condition in the inoperable , division which causes the initiation logic to become 1/2 for , the Function. In this condition a single additional failure j will not result in loss of protection and the availability of the Function to provide a plant protective action is ' i adequate so no further action is required when the inoperable channel is placed in trip. ! Action A.2.1 bypasses the inoperable division which causes I the logic to become 2/2 so the single failure criteria is ; not met. Since overall redundancy is reduced, operation in this condition is permitted only for a limited time. Action A.2.2.1 restores the inoperable channel. Action A.2.2.2 1 repeats Action A.1 if repairs are not made within the allowable Completion Time of Action A.2.2.1. Either of the Actions A.2.2.1 or A.2.2.2 provides adequate plant ; protection capability so no further action is required. t
- The Completion Time of six hours for implementing Actions A.1 and A.2.1 is based on providing sufficient time for the .
operator to determine which of the actions is appropriate. ' The Completion Time is acceptable because the probability of an event requiring the Function, coupled with a failure that i would defeat the other channels associated with the Function, occurring within that time period is quite low. The self-test features of the RPT logic provide a high degree of confidence that no undetected failures will occur within the allcwable Completion Time. i l Implementing Action A.2.1 causes the logic to be 2/2 so I protective action capability is maintained as long as the l other channels remain OPERABLE. Operation in this condition is restricted to 14 days (Actions A.2.2.1 and A.2.2.2 Completion Time). The probability of an event requiring plant scram, combined with failure to scram and an undetected failure in a second cxhannel of the function the in the Completion Time is quite low. The self-test features of the RPT logic provide a high degree of confidence that no j (continued) ! ABWR TS B 3.3-149 P&R 08/30/93 _ l
l ATWS & E0C-RPT Instrumentation B 3.3.4.1 i BASES ACTIONS A.l. A.2.1. A.2.2.1, and A.2.2.2 (continued) ( Continued ) undetected failures will occur within the allowable Completion Time. , B.:.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same three channel Function result in . l the Function not maintaining RPT trip capability. A l l Function is considered to be maintaining RPT trip capability when sufficient channels are OPERABLE or in trip such that . the RPT System will generate a trip signal from the given l Function on a valid signal. This requires two channels of the Function to be OPERABLE or in trip. The [72] hour Completion Time to restore two channels i (Required Action B.1) is sufficient for the operator to take corrective action and takes into account the likelihood of an event requiring actuation of the RPT instrumentation during this period. Completion of Required Action B.1 places the system in the same state as in Condition A and multiple condition entry will then result is suitable compensatory measures. C.1. C.2.1. C.2.2.1, and C.2.2.2 These Actions assure that appropriate compensatory measures are taken when one channel of a function with four channels becomes inoperable. For these Functions, a failure in one channel will cause the actuation logic to become 1/3 or 2/3 depending on the nature of the failure ( i.e failure which causes a channel trip vs. a failure which does not cause a i channel trip). Therefore, an additional single failure will not result in loss of protection. Action C.1 forces a trip condition in the inoperable channel which causes the initiation logic to become 1/3 for the Function. In this condition a single additional failure will not result in loss of protection and the availability of the Function to provide a plant protective action is at least as high as 2/4 trip logic. Since plant protection capability is (continued) ABWR TS B 3.3-150 P&R 08/30/93 l l
i l ATWS & EOC-RPT Instrumentation
- B 3.3.4.1 BASES ACTIONS C.], C.2.1, C.2.2.1, and C.2.2.2 (continued) :
( Continued ) l l within the design basis no further action is required when the inoperable channel is placed in trip. Action C.2.1 bypasses the inoperable channel which causes the logic to become 2/3 so a single failure will not result in loss of protection or cause a spurious initiation. Since overall redundancy is reduced, operation in this condition is permitted only for a limited time. Action C.2.2.1 , restores the inoperable channel. Action C.2.2.2 repeats ' Action C.1 if repairs are not made within the allowable Completion Time of Action C.2.2.1. Either of the Actions C.2.2.1 or C.2.2.2 places plant protection capability within , the design basis so no further action is required. The Completion Time of six hours for implementing Actions , C.1 and C.2.1 is based on providing sufficient time for the ! operator to determine which of the actions is appropriate. The Completion Time is acceptable because the probability of ' an event requiring the Function, coupled with failures that would defeat two other channels associated with the Function, occurring within that time period is quite low. The self-test features of the SSLC provide a high degree of confidence that no undetected failures will occur within the i allowable Completion Time. l Implementing Action C.2.1 provides confidence that Plant ; protecticn is maintained (2/3 logic) for an additional i single instrument failure. However, with division I or III in bypass, a loss of the division Il power supply could disable two of the remaining channels. Therefore, operation with one division in bypass is restricted to 30 days (Actions C.2.2.1 and C.2.2.2 Completion Time). The probability of an event requiring the Function coupled with undetected failures which cause the loss of two of the remaining OPERABLE divisions in the Completion Time is quite ) low. The self-test features of the SSLC provide a high ! degree of confidence that no undetected failures will occur within the allowable Completion Time. 1 D_d Required Action D.1 is intended to ensure that appropriate actions are taken when two channels become inoperable for a (continued) ABWR TS B 3.3-151 P&R 08/30/93
1 1 ATWS & EOC-RPT Instrumentation B 3.3.4.1 : BASES ACTIONS D.1 (continued) , ( Continued ) a function that utilizes 2/4 logic. For this Condition the initiating logic becomes 2/2. l The [72] hour Completion Time to restore one of the l inoperable channels is sufficient for the operator to take corrective action and takes into account the low likelihood of an event requiring actuation of the RPT instrumentation I during this period. Completion of Required Action D.1 places the system in the same state as in Condition C and multiple condition entry will then result is suitable compensatory ; measures. Ll Required Action E.1 is intended to ensure that appropriate actions are taken when three channels become inoperable for a Function that utilizes 2/4 logic. For this Condition the initiation from the Function is unavalable. The [24] hour Completion Time to restore one of the inoperable channels is sufficient for the operator to take corrective action and takes into account the low likelihood of an event requiring actuation of the RPT instrumentation . during this period. Completion of Required Action E.1 places ! the system in the same state as in Condition D and multiple ; condition entry will then result is suitable compensatory ; measures. l F.1 Required Action F.1 is inten-ied to ensure that appropriate actions are taken for i; the required Actions and associated Completion Times for the E0C-RPT Functions is not met. Required Action F.1 requires the MCPR limit for inoperable EOC-RPT, as specified in the COLR, to be applied which l restores the margin to MCPR assumed in the safety analysis. The [2] hour Completion Time to implement the inoperable E0C-RPT COLR is sufficient for the operator to take corrective action, and takes into account the high reliability of the devices used to implement the E0C-RPT and (continued) ABWR TS B 3.3-152 P&R 08/30/93
-f m - - w g - ---w4
-- n-*-i. w-
ATWS & E0C-RPT Instrumentation B 3.3.4.1 I BASES i l ACTIONS Eml (continued) i ( Continued ) l the low likelihood of an event requiring actuation of the ! EOC-RP1 instrumentation during this period. l
\
l Gil 1 This required Action assures that appropriate compensatory ; measures are taken for inoperable channels in Functions with one or two channels. ; Because of the low probability of an event requiring these Functions, [24] hours is provided to restore the inoperable ! functions. 4.1 H.2, and H.3 With any Required Action and associated Completion Time not met, the plant must be brought to a MODE or other specified condition in which the LC0 does not apply. To achieve this status: the trip capability of the associated RIP must be , declared inoperable (Action H.2) for the ASD Function the plant must be brought to at least MODE 7 for Functions associated with ATWS (required Action H.2) the power level must be reduced to below the applicability of the EOC-RPT for the Function i associated with the E0C-RPT (Required Action H.3). The allowed Completion Time of [6] hours for Actions H.2 and ! H.3 is reasonable, based on operating experience to reach the specified conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE The note on the surveillances indicates Table 3.3.4.1-1 REQUIREMENTS indicates the applicability of the surveillances. (continued) l I ABWR TS B 3.3-153 P&R 08/30/93 l i i I
ATWS & EOC-RPT Instrumentation B 3.3.4.1 i BASES SURVEILLANCE SR 3.3.4.1.1 REQUIREMENTS ' ( Continued ) Performance of the SENSOR CHANNEL CHECK once every 12 hours provides confidence that gross failure of instrumentation i has not occurred. A SENSOR CHANNEL CHECK is a comparison of the parameter indicated on one instrumentation channel to a similar parameter on other instrumentation channels. It is - based on the assumption that independent displays of the same parameter should read approximately the same value. Significant deviations between the instrument channels could i be an indication of excessive instrument drift or other faults in one of the channels. A SENSOR CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each SENSOR CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, ' including indication and readability. If a channel is outside the match criteria, it may be an indication that the instrument has drifted outside its limit. The high reliability and redundancy of the devices used to implement the RPT functions provides confidence that failure of more then one instrumentation channel in any 8 hour period is rare. Thus, performance of the SENSOR CHANNEL CHECK provides confidence that undetected outright i instrumentation channel failure is limited to 8 hours. The SENSOR CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the requin ad channels of i this LCO. 1 As indicated in Table 3.3.4.1-1 this surveillance applies only to the SB&PC Reactor Dome Pressure-High and Feedwater Reactor Water Level-Low, Level 3 Functions. The equivalent surveillance for the SRNM ATWS permissive and Turbine Steam I l Flow Rapid Shut off Functions are provided under the SSLC LC0 (LC0 3.3.1.1) while the surveillance does not apply to the remaining Functions. l (continued) i i ABWR TS B 3.3-154 P&R 08/30/93
ATWS & EOC-RPT Instrumentation B 3.3.4.1 BASES 1 l SURVEILLANCE SR 3.3.4.1.2 REQUIREMENTS ( Continued ) A CHANNEL FUNCTIONAL TEST is performed on each required i channel to ensure that the entire channel will perform the i 1 intended function. If the as found trippoint is not within its required Allowable Value, the plant specific setpoint methodology may , be revised, as appropriate, if the history and all other ; pertinent information indicate a need for the revision. The , as left trip point shall be consistent with the assumptions i of the current plant specific setpoint methodology. l The frequency of [92] days is based on the high reliability and redundancy of the devices used to impiement the RPT functions, the low inherent drift of the devices and the signal validation tests that are automatically and continuously performed on the channels. This surveillance for the Reactor Water Level-Low, Level 2, SRNM ATWS Permissive, and Turbine Steam Flow Rapid Shutoff Functions must be performed in conjunction with the equivalent surveillances in the SSLC LCO (LCO 3.3.1.1). SR 3.3.4.1.3 A CHANNEL CAllBRATION is a complete check of the instrument processing channel and the sensor. This test verifies that the channel responds to the measured parameter within the specified range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations. Measurement and setpoint error historical determinations must be performed consistent with the plant specific setpoint methodology. The channel ! shall be left calibrated consistent with the assumptions of the setpoint methodology. ! If the as found setpoint is not within its required
- Allowable Value, the plant specific setpoint methodology may be revised, as appropriate, if the history and all other pertinent information indicate a need for the revision. The setpoint shall be left set consistent with the assumptions I of the current plant specific setpoint methodology.
The [18] month frequency is based on the ABWR expected REFUELING INTERVAL and the need to perform this Surveilluce (continued) ] ABWR TS B 3.3-155 P&R 08/30/93 i l l u
l J ATWS & E0C-RPT lastrumentation l B 3.3.4.1 i BASES SURVEILLANCE SR 3.3.4.1.3 (continued) REQUIREMENTS : ( Continued ) under the conditions that apply during a plant outage to reduce the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The low inherent drift of the devices used to implement the function provides confidence that the trip points will remain within the allowable values for the specified period. As indicated by Table 3.3.4.1-1 this surveillance applies only to the SB&PC Reactor Steam Dome Pressure-High, _ Feedwater Reactor Water Level-Low, level 3, and ASD l timer Functions. The calibration of the Reactor Water Level-Low, Level 2, SRNM ATWS Permissive, and Turbine Steam Flow rapid Shutoff Functions are covered by the SSLC LC0 (LC0 3.3.1.1). l SR 3.3.4.1.4
- The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the ,
OPERABILITY of the required trip logic for a specific l l Function. The system functional test encompasses the RIP ! power interrupting devices provide complete testing of the assumed safety function. The [18] month frequency is based on the ABWR expected 4 REFUELING INTERVAL and the need to perform this Surveillance under the conditions that apply during a plant outage to reduce the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The high reliability of the devices used in the SSLC processing coupled with the DIVISIONAL FUNCTIONAL TESTS provide confidence that the specified frequency is adequate. This surveillance for the Reactor Water Level-Low, Level 2, SRNM ATWS Permissive, and Turbine Steam Flow Rapid Shutoff , ! Functions must be performed in conjunction with the l l equivalent surveillances in the SSLC LCO (LCO 3.3.1.1), j SR 3.3.4.1.5 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the (continued) ABWR TS B 3.3-156 P&R 08/30/93
ATWS & EOC-RPT Instrumentation B 3.3.4.1 BASES SUP.VEILLANCE SR 3.3.4.1.5 (continued) REQUIREMENTS ( Continued ) accident analysis. The EOC-RPT SYSTEM RESPONSE TIME i acceptance criteria are included in Reference 7. EOC-RPT SYSTEM RESPONSE TIME tests are conducted on an REFUELING INTERVAL frequency. The refueling interval ! Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The frequency is ; consistent with the fact that the nature of the devices used ) to implement the E0C-RPT function are such that random failures of instrumentation components that cause serious , response time degradation, but not channel failure, are ; infrequent occurrencer. , SR 3.3.4.1.6 , A COMPREHENSIVE FUNCTIONAL TEST tests a division using a selected range of sensor inputs into the division while simulating the other three divisions as appropriate. This test verifies the OPERABILITY of all SENSOR CHANNELS, LOGIC . CHANNELS, and NITPUT CHANNELS. See Section 1.1, :
" Definitions" additional information on the scope of this test.
This surveillance overlaps or is performed in conjunction with the COMPREHENSIVE FUNCTIONAL TESTS in LC0 3.3.1.1. The combined or overlapping tests provide complete end-to-end testing of the protective actions. The [18] month frequency is based on the ABWR expected , REFUELING INTERVAL and the need to perform this Surveillance under the conditions that apply during a plant outage to reduce the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The high reliability of the devices used in the logic processing coupled with the CHANNEL FUNCTIONAL TESTS provide confidence that the specified frequency is adequate. (continued) ABWR TS B 3.3-157 P&R 08/30/93 ; l
- - - - - -. - .-, .f
I ATWS & EOC-RPT Instrumentation B 3.3.4.1 l l BASES ! SURVEILLANCE SR 3.3.4.1.7 ! REQUIREMENTS i ( Continued ) A CHANNEL FUNCTIONAL TEST is performed on each manual ATWS-ARI channel to ensure that the entire manual trip channel ! will operate as intended. l ' This function uses a minimum of components, and the 1 components have been proven highly reliable through operating experience. However, a relatively short , surveillance interval of [7] days is used since availability i of manual scram is important for providing a diverse means of reactor scram and the logic is 2/2. The probability of ' an event requiring manual scram coupled with a failure of ' one of the scram channels within this time period is very low. REFERENCES 1. ABWR SSAR, Figure [ ].
- 2. ABWR SSAR, Figure [ ] (E0C-RPT instrumentation logic).
- 3. ABWR SSAR, Section [5.2.2].
l
- 4. ABWR SSAR, Sections [15.1.1], [15.1.2], and [15.1.3]. :
S. ABWR SSAR, Sections [5.5.16.1) and [7.6.10]. ,
- 6. GENE-770-06-1, " Bases for Changes To Surveillance Test Intervals And Allowed Out-0f-Service Times For Selected Instrumentation Technical Specifications,"
February 1991. ;
- 7. ABWP SSAR, Section [5.5.16.2].
l l 1 ABWR TS B 3.3-158 P&R 08/30/93 l l
l ATWS & E0C-RPT Instrumentation l B 3.3.4.1 j BASES i REFERENCES l ( Continued) l l l i f i figure 3.3.4.1-1 TBD l 1 ABWR TS B 3.3-159 P&R 08/30/93 . 6
~~'-
Feedwater and Main Turbine Trip Instrumentation B 3.3.4.2 B 3.3 INSTRUMENTATION B 3.3.4.2 Feedwater ano Main Turbine Trip Instrumentation BASES I ! BACKGROUND The feedwater and main turbine trip instrumentation is ( l designed to detect a potential failure of the Feedwater i ! Level Control System that causes excessive feedwater flow. ' With excessive feedwater flow, the water level in the ' reactor vessel rises toward the high water level, Level 8 !' reference point, causing the trip of the two feedwater pump l adjustable speed drives (ASDs) and the main turbine. Reactor Vessel Water Level-High, level 8 signals are provided by level sensors that sense the difference between {: the pressure due to a constant column of water (reierence ' leg) and the pressure due to the actual water level in the reactor vessel (variable leg). Three channels of Reactor l Vessel Water Level-High, Level 8 instrumentation are provided as input to a two-out-of-three initiation logic that trips the two feedwater pump ASDs and the main turbine. The channels include electronic equipment (e.g., digital i trip logic) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output a trip signal, which then outputs a main i feedwater and ASD trip signal to the trip logic. ' A trip of the feedwater pump turbines limits further ' increase in reactor vessel water level by limiting further addition of feedwater to the reactor vessel. A trip of the main turbine and closure of the stop valves protects the : turbine from damage due to water entering the turbine. i APPLICABLE The feedwater and main turbine trip instrumentation is SAFETY ANALYSES ! assumed to be capable of providing a turbine trip in the design basis transient analysis for a feedwater controller , failure, maximum demand event (Ref. 1). The Level 8 trip indirectly initiates a reactor scram from the main turbine trip (above 40% RTP) and trips the feedwater pumps, thereby i terminating the event. The reactor scram mitigates the ! reduction in MCPR. Feedwater and main turbine trip instrumentation satisfies Criterion 3 of the NRC Policy Statement. 1 (continued) l ABWR TS B 3.3-160 P&R 08/30/93 l l i
i i Feedwater and Main Turbine Trip Instrumentation B 3.3.4.2 i BASES l APPLICABILITY The feedwater and main turbine trip instrumentation is l required to be OPERABLE at 2 25% RTP to ensure that the fuel cladding integrity Safety Limit and the cladding 1% plastic l strain limit are not violated during the feedwater j controller failure, maximum demand event. As discussed in ; the Bases for LCO 3.2.1, " Average Planar Linear Heat i Generation Rate (APLHGR)," and LC0 3.2.2, " MINIMUM CRITICAL ! POWER RATIO (MCPR)," sufficient margin to these limits . exists below 25% RTP; therefore, these requirements are only ! necessary when operating at or above this power level. 1 ! ACTIONS A Note has been provided to modify the ACTIONS related to feedwater and main turbine trip instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent trains, subsystems, components, or variables expressed in the Condition, : discovered to be inoperable or not within limits, will not ! result in separate entry into the Condition. Section 1.3 l also specifies that Required Actions of the Condition l continue to apply for each-additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable feedwater and main turbine trip instrumentation channels provide i appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows f separate Condition entry for each inoperable feedwater and ! main turbine trip instrumentation channel. j A.I. A.2.2. A.2.2.1. and A.2.2.2 These actions assure that appropriate compensatory measures f are taken when a channel is inoperable. A failure in one ! channel will cause the actuation logic to become 2/2. l Action A.1 forces a trip condition in the inoperable channel ; which causes the initiation logic to become 1/2. In this ! condition a single additional failure will not result in i loss of protection and the availability to provide a plant 4 protective action is adequate so no further action is ' required when the inoperable channel is placed in trip. l i I (continued) { r ABWR TS B 3.3-162 P&R 08/30/93. !
i 2 Feedeater and Main Turbine Trip Instrumentation B 3.3.4.2 BASES ACTIONS A.I. A.2.2. A.2.2.1. and A.2.2.2 (continued) , ( Continued ) t Action A.2.1 bypasses the inoperable channel which causes the logic to become 2/2. Since overall redundancy is reduced, operation in this condition is permitted only for a limited time. Action A.2.2.1 restores the inoperable channel. Action A.2.2.2 repeats Action A.1 if repairs are not made within the allowable Completion Time of Action A.2.2.1. Either of the Actions A.2.2.1 or A.2.2.2 provides adequate plant protection capability so no further action is required. l The Completion Time of six hours for implementing Actions A.1 and A.2.1 is based on providing sufficient time for the operator to determine which actions is appropriate. The ' Completion Time is acceptable because the probability of an event coupled with a failure that would defeat the other channels occurring within the time period is low. The self-test features of the main turbine ~ and feedpump trip logic provide a high degree of confidence that no undectected failures will occur within the allowable Completion Time. Imple. anting Action A.2.1 causes the logic to be 2/2 so protect);o action capability is maintained as long as the other channels remain OPERABLE. Operation in this condition is restricted b 14 days (Actions A.2.2.1 and A.2.2.2 , Completion Time). The Completion Time is acceptable because the probability of an event coupled with a failure that would defeat the other channels occurring within the time period is low. The self-test features of the main turbine and feedpump trip logic provide a high degree of confidence that no undectected failures will occur within the allowable Completion Time. B.1 With two or more channels inoperable, the feedwater and main turbine trip instrumentation cannot perform its design function (feedwater and main turbine trip capability is not maintained). Therefore, continued operation is only
. permitted for a 72 hour period, during which feedwater and main turbine trip capability must be restored. The trip capability is considered maintained when sufficient channels '
are OPERABLE or in trip such that the feedwater and main turbine trip logic will generate a trip on a valid (continued) ABWR TS B 3.3-163 P&R 08/30/93
Feedwater and Main Turbine Trip Instrumentation B 3.3.4.2 BASES i ACTIONS B.I (continued) , ( Continued ) signal. This requires two channels to be OPERABLE or in trip. If the required channels cannot be restored to OPERABLE status or placed in trip, Condition C must be entered and its Required Action taken. ; The 72 hour Completion Time is sufficient for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of feedwater and main turbine trip instrumentation occurring during this period and the reliability of the triplicated fault-tolerant digital control system for the feedwater control. C.1 With the required channels not restored to OPERABLE status or placed in trip, THERMAL POWER must be reduced to
< 25% RTP within 4 hours. As discussed in the Applicability section of the Bases, operation below 25% RTP results in sufficient margin to the required limits, and the feedwater and main turbine trip instrumentation is not required to protect fuel integrity during the feedwater controller failure, maximum demand event. The allowed Completion Time of 4 hours is based on operating experience to reduce THERMAL POWER to < 25% RTP from full power conditions in an orderly manner and without challenging plant systems.
SURVEILLANCE Reviewer's Note: Certain Frequencies are based on approved REQUIREMENTS topical reports. In order for a licensee to use these Frequencies the licensee must justify the Frequencies as ' required by the staff Safety Evaluation Report (SER) for the I _ topical report. _ 1
- SR 3.3.4.2.1 Performance of the SENSOR CHANNEL CHECK once every 24 hours ensures that a gross failure of instrumentation has not occurred. A SENSOR CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should i (continued) ,
ABWR TS B 3.3-164 P&R 08/30/93 l 1 1
r Feedwater and Main Turbine Trip Instrumentation ! B 3.3.4.2 ! BASES j l SURVEILLANCE SR 3.3.4.2.1 (continued) l REQUIREMENTS ' ( Continued ) read approximately the same value. Significant' deviations between instrument channels could be an indication of excessive instrument drift in one of the channels, or something even more serious. A SENSOR CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying ( the instrumentation continues.to operate properly between each SENSOR CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff-based on a combination of the channel instrument uncertainties, i including indication and readability. If a channel is i outside the match criteria, it may be an indication that the ! instrument has drifted outside its limits. The Frequency is based on operating experience that ' demonstrates channel failure is rare. Performance ~of the i SENSOR CHANNEL CHECK guarantees that undetected outright ; l channel failure is limited to 24 hours. The CHANNEL CHECK ! supplements less formal, but more frequent, checks of: i channel status during normal operational use of the displays l l associated with the channels required by the LCO. l I l t f SR 3.3.4.2.2 A CHANNEL FUNCTIONAL TEST is performed on each' required. I channel to ensure that the entire channel will perform the l intended function. If the as found setpoint is not within ! its required Allowable Value, the plant specific setpoint ! methodology may be revised, as appropriate, if the history l and all other pertinent information indicate a need for the ! revision. The setpoint shall be left set consistent with. ! the assumptions of the current plant specific setpoint methodology. ; The Frequency of 92 days is based on the system capability l l to autcmatically perform self-tests and diagnostics. , 1 SR 3.3.4.2.3 , 5 SENSOR CHANNEL CALIBRATION is a complete check of the < instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the l (continued) ABWR TS B 3.3-165 P&R 08/30/93 . l
. _ _ _ .. _ . . - - , , _ , . . . ._ . . ~ - - . - - -
Control Rod Block Instrumentation B 3.3.5.1 B 3.3 INSTRUMENTATION B 3.3.5.1 Control Rod Block Instrumentation BASES BACKGROUND Control rods provide the primary means for implementing reactivity changes. Control rod block instrumentation includes sensors, logic and associated electronic equipment, operator controls, data transmission paths, and load drivers needed to enforce control rod patterns that will provide confidence that specified fuel design limits are not exceeded for postulated transients and accidents. During operation above a specified Low Power Setpoint (LPSP), the { Automated Thermal Limit Monitor (ATLM) provides protection for control rod withdrawal error events. During operations ! below the LPSP, control rod blocks from the Rod Worth Minimizer (RWM) enfurce specific control rod sequences designed to mitigate the consequences of a rod withdrawal error (RWE). During shutdown conditions, control rod blocks from the Reactor Mode Switch-Shutdown Position ensure that all control rods remain inserted to prevent inadvertent criticalities. The ATLM and RWM are subsystems of the Rod Control and , Information System (RC&lS). The RC&lS is a non-safety system (category 3) but is made up of dual redundant systems to assure high availability. Both systems independently acquire all of the required data and perform identical functions. The RC&lS functions are implemented on micro-processors with a high degree of segmentation within the system. The data ,
- needed by the RC&ls is acquired from the Essential i Multiplexing System with suitable isolators or from the l RC&lS multiplexing system. The rod block logic is arranged l so that a rod block from either channel will prevent rod l withdrawal. APRM data received from all four NMS divisions l is used to determine reactor power level for comparison with l
the LPSP to automatically disable and simultaneously enable I the appropriate rod block function. The purpose of the ATLM is to prohibit control rod withdrawal that would cause violation of the fuel thermal limits. The ATLM provides a rod block function to other RC&IS subsystems to appropriately inhibit control rod withdrawal when reactor power is at or above the low power setpoint (LPSP). (continued) ABWR TS B 3.3-168 P&R 08/30/93
Control Rod Block Instrumentation ! B 3.3.5.1 'l BASES i BACKGROUND The purpose of the RWM is to ensure control rod patterns ( Continued ) during startup are such that only specified control rod i sequences and relative positions are allowed over the , operating range from all control rods inserted until reactor power is at the tPSP. The sequences effectively limit the ; potential amount and rate of reactivity increase during a : RWE. The RWM, in conjunction with other RC&IS subsystems, ; will initiate control rod blocks when the actual sequence deviates beyond allowances from the specified sequence. With the reactor mode switch in the shutdown position, a control rod withdrawal block is applied to all control rods to ensure that the shutdown condition is maintained. This function prevents criticality resulting from inadvertent control rod withdrawal during MODE 3 or 4, or during MODE 5 when the reactor mode switch is required to be in the , shutdown position. There are four divisions of the reactor I mode switch-shutdown position rod block. Each RC&IS logic , receives data from all four divisions and will issue a rod ' block when any two of the mode switch-shutdown position divisions are active. The scram times of the control rods are required to comply with LC0 3.1.4. The scram time testing is performed by simultaneously scramming the two rods associated with a Hydraulic Control Unit (HCU) - exc2pt for one of the 103 HCUs which has only one associated control rod. Scram time ; testing during MODE 5 requires a withdrawal block for all other rods. There are four divisions of the Reactor Mode Switch-Shutdown Position rod block. Each RC&IS logic rece.;ves data from all four divisions and will issue a , required rod block when any two of the mode switch-refueling position divisions are active. ; The thermal limits information calculated in the process computer is based on various process parameters measured acquired by the process computer. The ATLM and RWM Functions provide automatic control of rod sequencing to permit relatively rapid plant maneuvering. If the automatic capabilities are inoperable, plant maneuvering may proceed using alternate means to establish assure operation within prescribed limits. The alternate methods must be implemented using suitable procedures and plant state information that does not depend on the ATLM OPERABILITY. (continued) ABWR TS B 3.3-169 P&R 08/30/93 1
Control Rod Block Instrumentation B 3.3.5.1 BASES APPLICABLE 1.a. Fr.omated Thermal Limit Monitor SAFETY ANALYSES, LCO, and The AYLM is designed to prevent violation of the fuel APPLICABILITY thernal operating limits and the cladding 1% plastic strain fuel design limit that may result from a single control rod withdrawal error (RWE) event. The analytical methods and assumptions used in evaluating the RWE event are summarized in Reference 2. A statistical analysis of RWE events was i l performed to determine the fuel thermal performance response l l as a function of withdrawal distance and initial operating conditions. These analysis were used to establish the coefficients used in the ATLM algorithms for calculating rod block setpoints. The ATLM satisfies Criterion 3 of the NRC Policy Statement. Two channels of the ATLM are available and are required to be OPERABLE to ensure that no single , instrument failure can preclude a rod block from this : Function. The ATLM compares the calculated rod block setpoints in each of the ATLM core regions with the LPRM readings in the region to determine if a rod block is needed. The calculated setpoints include factors to accommodate the uncertainties in the measured parameters used to perform the rod block , setpoint calculations. The ATLM is assumed to mitigate the consequences of an RWE event when operating with reactor power above the LPSP. Below this power level, the consequences of an RWE event i will not exceed the fuel thermal limits, and therefore the ATLM is not required to be OPERABLE (Ref. 3). 1.b. Rod Worth Minimizer (RWM) The RWM enforces the Ganged rod Withdrawal Sequence Restrictions (GWSR) to ensure that the initial conditions of the RWE analysis are not violated. The analytical methods and assumptions used in evaluating the RWE are summarized in References 4, 5, and 6. The GWSR requires that control rods be moved in groups, with all control rods assigned to a specific group required to be within specified positions. Requirements that the control rod sequence is in compliance with GWSR are specified in LCO 3.1.6. The RWM satisfies Criterion 3 of the NRC Policy Statement. The RWM is a backup to operator selection of rod sequences (continued) ABWR TS B 3.3-170 P&R 08/30/93
.~.. -. .
I Control Rod Block Instrumentation 3.3.5.1 BASES APPLICABLE 1.b. Rod Worth Minimizer (RWM) (continued) SAFETY ANALYSIS, LCO, and during manual operation and is a backup to the Reference Rod APPLICABILITY Pull Sequence during automatic operation. The system design - ( Continued ) prohibits automatic control rod sequencing operations when only one channel is operable (automatically switches to manual when one channel is inoperable). Required Actions of LCO 3.1.3 and LCO 3.1.6 may necessitate bypassing individual ' control rods to allow continued operation with inoperable control rods or to allow correction of a control rod pattern not in compliance with the GWSR. The individual control : rods may be bypassed as required by the conditions, and the RWM is not considered inoperable provided SR 3.3.5.1.6 is met. Compliance with the GWSR, and therefore OPERABILITY of the RWM, is required in MODES 1 and 2 with THLhMAL POWER below f the LPSP. When THERMAL POWER is above the LPSP there is no possible control rod configuration that results in a control rod worth that could exceed the fuel damage limit for the ! worst case RWE. In MODES 3 and 4, all control rods are i required to be inserted in the core. In MODE 5, restrictions uon control rod withdrawals in core cells containing fuel assemblies provides sufficient Shutdown Margin (SDM) to assure that the reactor is subcritical and , the consequences of a RWE are within limits. r
- 2. Reactor Mode Switch--Shutdown Position ,
During MODES 3 and 4, and during MODE 5 when the reactor mode switch is required to be in the shutdown position, the ! core is assumed to be subcritical; therefore, no positive , reactivity insertion events are analyzed. The Reactor Mode ' Switch--Shutdown Position control rod withdrawal block ensures that the reactor remains subtritical by blocking control rod withdrawal, thereby preserving the assumptions of the safety analysis. The Reactor Mode Switch--Shutdown Position Function satisfies Criterion 3 of the NRC Policy Statement. Three channels are required to be OPERABLE to ensure that no single channel failure will preclude a rod block when required. No Allowable Value is applicable for this (continued) ABWR TS B 3.3-171 PSR 08/30/93
t Control Rod Block Instrumentation ! B 3.3.5.1 BASES ACTIONS C.1 (continued) ; ( Continued ) be in the manual mode. Automatic operation can be restored only by restoring RWM operation. Manual control rod withdrawal may proceed if the inoperable RWM is placed in bypass. The [72] hour Completion Time is based on the high ! reliability of the RWM Function and provides sufficient time ; to effect repairs. The RWM is considered to remain OPERABLE when individual control rods are bypassed as required by LC0 3.1.3 or LCO 3.1.6. D.1 , If both RWMs become inoperable then there may be no protection from erroneous rod withdrawals. Therefore, all . control rod withdrawals are prohibited until both RWMs are ; restored to OPERABLE status. Rod withdrawals are also , prohibited if Required Action C is not implemented within i the specified Completion Time to limit the amount of time operations are permitted to continue with one RWM inoperable. 4 E.1 and E.2 ! i If there are failures in of the Reactor Mode Switch-Shutdown Position Function the plant must be placed in a condition ' where the LC0 does not apply. This is accomplished by suspending all control rod withdrawal immediately (Action : E.1), and initiating to fully inserting all insertable control rods in core cells containing one or more fuel i assemblies (Action E.2). This will ensure that the core is subcritical, with adequate SDM ensured by LCO 3.1.1,
" SHUTDOWN MARGIN (SDM)." Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are therefore not required to be inserted.
Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully l inserted. ! SURVEILLANCE As noted at the beginning of the SR, the SRs for each REQUIREMENTS Control Rod Block instrumentation Function are found in the SR column of Table 3.3.5.1-1. (continued) ABWR TS B 3.3-173 P&R 08/30/93
P Control Rod Block Instrumentation ! B 3.3.5.1 BASES : 1 SURVEILLANCE SR 3.3.5.1.1 and SR 3.3.5.1.2 i REQUIREMENTS i ( Continued ) The CHANNEL FUNCTIONAL TESTS for the ATLM and RWM are ! performed using simulated data that emulates an action ; outside of permissible rod withdrawals and verifying that a ' rod block output occurs. If the rod blocks do not occur within the specified allowable values , the plant specific setpoint methodology may be revised, as appropriate, if the history and all other pertinent information indicate a need ; for the revision. The setpoint shall be left set consistent t with the assumptions of the current planc specific setpoint i methodology. As noted, the SRs are not required to be performed until I hour after specified conditions are met ; (e.g., after any control rod is withdrawn in MODE 2). This ! allows entry into the appropriate conditions needed to i perform the required SRs. The Frequencies are based on I reliability analysis (Ref. 7). SR 3.3.5.1.3 and SR 3.3.5.1.4 The [10]% LPSP is the point where the transition is made between the ATLM and RWM functions. The effective setpoint ' of the LPSP must be periodically confirmed. The [18] month frequency is based on the ABWR expected REFUELING INTERVAL and the need to perform these Surveillance under the conditions that apply during a plant outage. Since the LPSP function is very reliable and the setpoint is not subjected to drift, a surveillance interval equal to the specified interval is adequate. SR 3.3.5.1.5 The CHANNEL FUNCTIONAL TEST for the Reactor Mode Switch-Shutdown Position Function is performed by attempting to withdraw any control rod with tha rest. tor mode switch in the shutdown position and verifying a control rod block occurs. l The Reactor Mode Switch-Refueling Position Function may be tested by attempting to withdraw control rods other than the rods under test while the scram test is active. As noted in the SR, the Surveillance is not required to be performed until I hour after one hour after the condition of (continued) ABWR TS B 3.3-174 P&R 08/30/93
l ( l , Control Rod Block Instrumentation ! B 3.3.5.1 j BASES I SURVEILLANCE SR 3.3.5.1.5 (continued) REQUIREMENTS I ( Continued ) applicability occurs, since testing of the functions in any other condition would require lifting leads and installing jumpers. This allows entry into the modes and other conditions of applicability if the specified Frequency is ' not met per SR 3.0.2. The [18] month frequency is based on the ABWR expected REFUELING INTERVAL and the need to perform this Surveillance i under the conditions that apply during a plant outage. The high reliability of the devices used in the RC&IS provide confidence that the specified frequency is adequate. l SR 3.3.5.1.6 l The process computer calculations that provide setpoints to l the ATLM uses various measured process parameters. A CHANNEL CHECK on the parameters is performed every [24] hours. These parameters are:
- a. FMCRD cooling water flow,
- b. Feedwater flow,
- c. Feedwater temperature, d.
Recirculation flow,
- e. RPV pressure, ;
CUW flow, f.
- g. APRM, and
- h. Selected LPRMs.
Performance of the CHANNEL CHECK provides confidence that a gross failure of a device in a channel has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated in : one channel to a similar parameter in a different channel. It is based on the assumption that channels monitoring the ; same parameter should read approximately the same value. 5 Significant deviations between the channels could be an indication of excessive instrument drift on one of the channels or other channel faults. Agreement criteria are determined by the plant staff based on a combination of the channel instrument and parameter I indication uncertainties. (continued) l ABWR TS B 3.3-175 P&R 08/30/93
l I Control Rod Block Instrumentation l B 3.3.5.1 BASES l SURVEILLANCE SR 3.3.5.1.6 (continued) REQUIREMENTS ( Continued ) The high reliability of each channel provides confidence i that a channel failure will be rare. The CHANNEL CHECK , supplements less formal, but more frequent, checks of channels during normal operational use of the displays : associated with the channels required by the LCO. I REFERENCES 1. ABWR SSAR, Section [7.6.1.7.3].
- 2. ABWR SSAR, Section [15.4.2].
- 3. NEDE-240ll-P-A-9-US, " General Electrical Standard Application for Reload Fuel," Supplement for United States, Section S 2.2.3.1, September 1988.
4 " Modifications to the Requirements for Control Rod i Drop Accident Mitigating Systems," BWR Owners Group, July 1986. !
- 5. NED0-21231, " Banked Position Withdrawal Sequence,"
January 1977.
- 6. NRC SER, Acceptance of Referencing of Licensing Topical Report NEDE-240ll-P-A, " General Electric Standard Application for Reactor Fuel, Revision 8, Amendment 17," December 27, 1987.
- 7. NEDC-30851-P-A, " Technical Specification Improvement i Analysis for BWR Control Rod Block Instrumentation,"
October 1988. l [ l (continued) ABWR TS B 3.3-176 P&R 08/30/93
PAM Instrumentation B 3.3.6.1 B 3.3 INSTRUMENTATION B 3.3.6.1 Post Accident Monitoring (PAM) Instrumentation BASES BACKGROUND The primary purpose of the PAM instrumentation is to display plant variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for Design Basis Events. The instruments that monitor these variables are designated as Type A, Category I, and r.on-Type A, Category I in accordance with Regulatory Guide 1.97 (Ref.1). , The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information available on ! selected plant parameters to monitor and assess plant status and behavior following an accident. This capability is ' consistent with the recommendations of Reference 1. APPLICABLE The PAM instrumentation LCO ensures the OPERABILITY of SAFETY ANALYSIS Regulatory Guide 1.97, Type A, variables so that the control room operating staff can:
- Perform the diagnosis specified in the Emergency Operating Procedures (EOP). These variables are restricted to preplanned actions for the primary success path of Design Basis Accidents (DBAs)
(e.g., loss of coolant accident (LOCA)); and :
- Take the specified, preplanned, manually controlled )
actions for which no automatic control is provided, which are required for safety systems to accomplish their safety function. The PAM instrumentation LC0 also ensures OPERABILITY of Category 1, non-Type A, variables. This ensures the control room operating staff can:
- Determine whether systems important to safety are l performing their intended functions; l
l l (continued) ABWR TS B 3.3-177 P&R 08/30/93 1
1 PAM Instrumentation B 3.3.6.1 BASES APPLICABLE
- Determine the potential for causing a gross breach of SAFETY ANALYSIS the barriers to radioactivity release;
( Continued )
- Determine whether a gross breach of a barrier has occurred; and
- Initiate action necessary to protect the public and to obtain an estimate of the magnitude of any impending ,
threat. The plant specific Regulatory Guide 1.97 analysis (Ref. 2) documents the process that identified Type A and Category I, non-Type A, variables. PAM instrumentation that meets the definition of Type A in Regulatory Guide 1.97 satisfies Criterion 3 of the NRC Policy Statement. Category I, non-Type A, instrumentation is retained in the Technical Specifications (TS) because it is intended to assist operators in minimizing the , consequences of accidents. Therefore, these Category I, non-Type A, variables are important for reducing public risk.
'CO LC0 3.3.6.1 requires the OPERABLE Functions and channels as .
indicated in Table 3.3.6.1-1. All Functions, except for PCIV ' position, have at least two channels to ensure no single failure prevents the operators from being presented with the information necessary to determine the status of the unit
- and to bring the unit to, and maintain it in, a safe condition following an accident. Furthermore, multiple channels permit performing CHANNEL CHECKS during the post accident phase to confirm the validity of displayed information.
For the PCIV's, the important information is the status of l the primary containment penetrations. The LCO for PCIV l position describes the requirements and provides the basis l for PCIV position indication. If a normally i.:.tive PCIV is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE. Listed below is a discussion of each of the specified instrument functions listed in Table 3.3.6.1-1. These (continued) ABWR TS B 3.3-178 P&R 08/30/93 l l
, ~_. _ ,
PAM Instrumentation B 3.3.6.1 , BASES l LCO discussions are intended as examples of what should be ( Continued ) provided for each function when the plant specific Bases are prepared. Data for most of the display Functions are transmitted to the operator displays via the four divisions , of the Essential Multiplexer System (EMS). Exceptions are noted in the following discussions for each Function. .
- 1. Reactor Steam Dome Pressure l Reactor steam dome pressure is a Category I variable !
i provided to support monitoring of Reactor Coolant System (RCS) integrity and to verify operation of the Emergency , Core Cooling Systems (ECCS). Four independent pressure transmitters with a range of 0 psig to 1500 psig monitor pressure. Wide range displays are the primary indication used by the operator during an accident. Therefore, the PAM t Specification deals specifically with this portion of the ! instrument channel. , 2.3. Reactor Vessel Water level-Wide Ranae. Fuel Zone Reactor vessel water level is a Category I variable provided to support monitoring of core cooling and to verify operation of the ECCS. The wide range and fuel zone water level channels provide the PAM Reactor Vessel Water Level Function. The four wide range water level channels cover , the range from the near top of the fuel to the steam lines i and two fuel zone channels cover the range from below the core support plate to the top of the steam separator shroud. The display controller uses these channels to create a : continuous display of reactor water level. These displays ' are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals ; specifically with this portion of the instrument channel. j Either the hardwired or multiplexed displays of this function may be used to satisfy the LCO. l
- 4. Sucoression Pool Water Level ,
Suppression pool water level is a Category I variable provided to detect a breach in the reactor coolant pressure boundary (RCPB). This variable is also used to verify and r (continued) ABWR TS B 3.3-179 P&R 08/30/93
i PAM Instrumentation B 3.3.6.1 BASES i LCO 4 Suppression Pool Water Level (continued) ( Continued ) provide long term surveillance of ECCS function. The wide range suppression pool water level measurement provides the operator with sufficient information to assess the status of the RCPB and to assess the status of the water supply to the ! ECCS. The wide range water level indicators monitor the suppression pool level from the bottom of the ECCS suction lines to five feet above the normal suppression pool level. Four wide range suppression pool water level signals are i transmitted from separate differential pressure transmitters : and are continuously displayed in the control room. These . displays are the primary indication used by the operator j during an accident. Therefore, the PAM Specification deals i specifically with this portion of the instrument channel. , 5.a. Drywell Pressure. 5.b. Wide Rance Containment Pressure Drywell pressure is a Category I variable provided to detect breach of the RCPB and to verify ECCS functions that operate to maintain RCS integrity. Requirements for monitoring of , I drywell pressure are specified for both narrow range and 1 wide range. The narrow range monitoring requirement is satisfied in the existing essential safety system designs by the four divisions of drywell pressure instruments which provide inputs to the initiation of the reactor protection ' (trip) system (RPS) and the emergency core cooling systems (ECCS). The requirement for unambiguous wide range drywell pressure monitoring are satisfied with two channels of instrumentation and integration with the wetwell pressure
- instrumentation. Given the existence of (1)- the normal i pressure suppression vent path between the drywell and l
wetwell and (2) the wetwell to drywell vacuum breakers, the l long-term pressure within the drywell and wetwell will be ; l approximately the same. Drywell pressure signals are transmitted from separate pressure transmitters and are , continuously displayed in the main control room. These displays are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel. Either the hardwired or multiplexed displays may be used to satisfy the LCO. (continued) ( ABWR TS B 3.3-180 P&R 08/30/93 l l I
l l PAM Instrumentation i B 3.3.6.1 ! BASES j LC0 6.7. Drywell/Wetwell Area Radiation (Hiah Rance) } ( Continued ) Drywell and wetwall radiation measurements and displays are ! provided to monitor for the potential of significant j radiation releases and to provide release assessment for use l by operators in determining the need to invoke site emergency plans. Two separate divisions of instrumentation are provided with both drywell and wetwell monitor channels in each division and are continuously displayed in the main control room. These displays are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the l instrument channel. i
- 8. Primary Containment Isolation Valve (PCIV) Position
! PCIV position is provided for verification of containment : ! integrity. In the case of PCIV position, the important i information is the isolation status of the containment ! penetration. The LCO requires two channels of PCIV position status per i penetration to be OPERABLE for penetration flow paths with , two active valves. For containment penetrations with only ! one active PCIV with control room indication, note (a) requires a single channel of valve position indication to be OPERABLE. This is sufficient to provide indications of the isolation status of each isolatable penetration via indicated status of the active valves and, where applicable, ' prior knowledge of passive valve or system boundary status. If a penetration flow path is isolated by at least one , closed and de-activated automatic valve, closed manual valve, blind flange, or check valve with flow through the valve secured, position indication for the PCIV(s) in the associated penetration flow path is not needed to determine ; status. Therefore, per footnote (b) in Table 3.3.6.1-1, the position indication for valves in an isolated penetration is ; not required to be OPERABLE. Indication of the completion of the containment isolation function is provided by valve closed /not closed indications f for individual valves on safety related displays. ; Annunciators are provided to alert the operator to any lines ; that may not be isolated. l l (continued) ABWR TS B 3.3-181 P&R 08/30/93
i I ! PAM Instrumentation l B 3.3.6.1 ! I
- BASES I
LCO 8. Primary Containment isol ation Vaj ve (PCIV) Position ( Continued ) (continued) For this plant, the PCIV position PAM instrcr nthlion : _ consists of the following: _ l l l 9.10. Wide Ranoe Neutron Flux Wide range neutron flux is a Category I variable provided to verify reactor shutdown. The display controller uses data from four required APRM channels and four required SRNM channels to provide a display of neutr:,a flux on the main control room panel with a range of 10 % to full power. These displays are the primary indication used by the operator during an accident. Therefore, the PAM , Specification deals specifically with this portion of the instrument channel.
- 11. 12. Containment Atmoscheric Monitors-Drywell and Wetwell Hydrocen and Oxvoen Analyzer Drywell and wetwell hydrogen and oxygen analyzers are ;
Category I instruments provided to detect high hydrogen or oxygen concentration conditions that represent a potential for containment breach. These parameters are also important l in verifying the adequacy of mitigating actions. There are
- two divisions in the Containment Atmospheric Monitoring '
System analyzers ~with one channel of H2 monitoring and one channel of 02 monitoring per division. Samples of either the drywell or wetwell are drawn into the analyzers based on the position of a selector switch in the main control room. Displays and alarms are provided in the main control room. These displays are the primary indication used by the ; operator during an accident. Therefore, the PAM : Specification deals specifically with this portion of the f instrument channel. 1 i
- 13. Containment Water Level.
Containment Water Level displays analyzers are Category I ! instruments provided for early detection of small leaks in the containment and as an alternate to drywell pressure and (continued) ABWR TS B 3.3-182 P&R 08/30/93 l
i i PAM Instrumentation
- B 3.3.6.1 i i
i BASES LCO 13. Containment Water level. (continued) , ( Continued ) drywell radiation Functions. There are two channels of , Containment Water Level with displays and alarms provided in the main control room. These displays are the primary ; indication used by the operator during an accident. i Therefore, the PAM Specification deals specifically with this portion of the instrument channel. V
- 14. Suporession Pool Water Temperature ;
Suppression Pool Water Temperature is a Category I variable provided to detect a condition that could potentially lead ; to containment breach, and to verify the effectiveness of - ECCS actions taken to prevent containment breach. The i suppression pool water temperature instrumcntation allows ' operators to detect trends in suppression pool water ' temperature in sufficient time to take action to prevent l steam quenching vibrations in the suppression pool. There , l are two divisions of suppression pool temperature monitoring ! l with a display channel in each division. There are multiple temperature sensors in each division. The temperature sensors in each division are spatially i distributed at specified circumfrential positions and , several elevations at each position to provide an indication of the average pool temperature. The temperature sensors are also located to monitor each relief valve discharge location. The individual sensors and bulk average . temperature may be selected for display in the control room. These displays are the primary indication used by the operator during an accident. Therefore, the PAM - Specification deals specifically with this portion of the instrument channels. l l
- 15. Drvwell Air Temperature Drywell air temperature is a Category I variable provided to verify RCS and containment integrity and to verify the effectiveness of actions taken to remove energy from the containment. There are two divisions of drywell temperature -
monitoring with a display channel in each division. ; Temperature sensors are distributed throughout the drywell i to provide confidence that there is an adequate t a (continued) ; ABWR TS B 3.3-183 P&R 08/30/93 ]
I PAM Instrumentation B 3.3.6.1 j 1 I
~
BASES I LCO 15. Drywell Air Temperature (continued) ; ( Continued ) representation of the state of the drywell. Control room displays of the temperatures are the primary indication used i by the operator during an accident. Therefore, the PAM : Specification deals specifically with this portion of the , instrument channel. l 1
- 16. Main Steam Line Radiation Main steam line radiation is a Category I variable provided to monitor fuel integrity. Radiation in the main steam line i tunnel - which is measured by the process radiation i monitoring system - is an indicator of coolant radiation. ,
There are four divisions of main steam tunnel radiation ! I monitoring with a control room display channel- from each ' division. These displays are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the , instrument channel. . APPLICABILITY The PAM instrumentation LCO is applicable in MODES 1 and 2. These variables are related to the diagnosis and preplanned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES 1 and 2. In MODES 3, 4, and 5, ; plant conditions are such that the likelihood of an event i that would require PAM instrumentation is extremely low- ! therefore, PAM instrumentation is not required to be ! OPERABLE in these MODES. j l ACTIONS Note I has been added to the ACTIONS to exclude the MODE ! change restriction of LCO 3.0.4. This exception allows entry into the applicable MODE while relying on the Actions j even though the Actions may eventually require plant ! shutdown. '.his exception is acceptable due to the passive function of the instruments, the operator's ability to diagnose an accident using alternate instruments and methods, and the low probability of an event requiring these instruments. A Note has also been provided to modify the ACTIONS related to PAM instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, (continued) ABWR TS B 3.3-184 P&R 08/30/93 _ . . _ _ -, i
i i PAH Instrunsntation l B 3.3.6.1 l BASES ACTIONS subsequent trains, subsystems, components, or variables ( Continued ) expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable PAM instrumentation channels provide appropriate compensatory measures for separate inoperable functions. As such, a Note has been provided that allows separate Condition entry for each inoperable PAM Function. . A.1 When a function has one required channel that is inoperable, the required inoperable channel must be restored to OPERABLE status within 30 days. The Completion Time is based on the high reliability of the remaining devices for monitoring the l parameter and takes into account the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval. , B.1 If the required actions and associated completion time of condition A is not met, this Required Action specifies initiation of actions in accordance with Specification 5.9.2.c, "Special Reports," which requires a written report, approved by the [onsite review committee], to be submitted to the NRC. This report discusses the ! results of the root cause c..luation of the inoperability ! and identifies proposed restorative actions. This Action is 1 appropriate in lieu of a shutdown requirement since '
- alternative Actions are identified before loss of functional l capability, and given the likelihood of plant conditions that would require information provided by this instrumentation.
Cml ! l i As noted in the LC0 this action does not apply to functions l 11 & 12, (hydrogen / oxygen monitors), which are addressed in Condition D. When one of these Functions has two required (continued) ABWR TS B 3.3-185 P&R 08/30/93
PAM Instrumentation B 3.3.6.1 1 BASES ACTIONS C.1 (continued) ( Continued ) channels that are INOPERABLE then one channel must be , restored to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the , availability of alternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an l accident occur. , l Multiple entry into the condition table causes Condition A to be invoked on completion of Action C.1 so appropriate l additional action is taken. ; D1 When two hydrogen / oxygen monitor display channels are h inoperable, at least one channel must be restored to , OPERABLE status within 72 hours. The 72 hour Completion Time is reasonable, based on the backup capability of the Post Accident Sampling System to monitor the hydrogen concentration for evaluation of core damage and to provide ; information for operator decisions. Also, it is unlikely ! that a LOCA that would cause core damage would occur during i this time. ; i L1 l ! This Required Action directs entry into the appropriate Condition referenced in Table 3.3.6.1-1. The applicable Condition referenced in the Table is function dependent. If the required Actions and associated Completion Times for ! Conditions f, or D is not met for a Function then Condition E is entered for that function and Table 3.3.6.1-1 used to transfer to the appropriate subsequent Condition. ! l (continued) ABWR TS B 3.3-186 P&R 08/30/93
)
l
PAM Instrumentation B 3.3.6.1 i BASES ACTIONS F.1 ( Continued ) For the PAM Functions in Table 3.3.6.1-1, if any Required Action and associated Completion Time of Condition F or D is not met, the plant must he placed in a MODE in which the LC0 does not apply. This is done by placing the plant in at least MODE 3 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant condition from full power conditions in an orderly manner and without challenging plant systems. L1 Since alternate means of monitoring the parameters to which this Condition applies have been developed and tested, the Required Action is to follow the directions of
- Specification 5.9.2.c instead of requiring a plant shut i down. These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.
SURVEILLANCE The following SRs apply to each PAM instrumentation Function REQUIREMENTS in Table 3.3.6.1-1. l SR 3.3.6.1.1 , Performance of the CHANNEL CHECK once every 31 days ensures ' l that a gross instrumentation failure has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one instrumentation channel to a similar parameter on other
- instrumentation channels. It is based on the assumption I that independent displays of the same parameter should read ,
approximately the same value. Significant deviations between displays could be an indication of excessive instrument drift or other faults in one of the channels. A CHANNEL CHECK will detect gross channel failure; thus, it is (continued) ABWR TS B 3.3-187 P&R 08/30/93 1
PAM Instrumentation B 3.3.6.1 j MSES SURVEILLANCE SR 3.3.6.1.1 (continued) - REQUIREMENTS : (Continued ) key to verifying the instrumentation continues to operate l properly between each CHANNEL CALIBRATION. l l Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a , be an - channel indicationisthat outside the sensorthe matchor thecriteria, signal'itprocmayessing i equipment has drifted outside its limit. Performance of the l CHANNEL CHECK provides confidence that undetected outright ; channel failure is limited to 31 days. ! The high reliability of the devices used to implement the l PAM functions provides confidence that failure of more than ! one channel of a given function in any 31 day interval is ! rare. The CHANNEL CHECK supplements less formal, but more ! frequent, checks of chnnels during normal operational use ! of those displays assos.iated with the required channels of j this LCO. l SR 3.3.6.1.2 CHANNEL CALIBRATION is a complete check of the instrument ! loop including the sensor. The test verifies that the ! display reflects the measured parameter with the necessary ! range and accuracy. As noted, neutron detectors are excluded from SENSOR CHANNEL i CALIBRATION because of the difficulty of simulating a ; meaningful signal. Changes in neutron detector sensitivity ! are compensated for by performing the 7 day calorimetric -l calibration and the 1000 MWD /T LPRM calibration specified in j LC0 3.3.1.1. l t The [18] month frequency is based on the ABWR expected ! refueling interval and the need to perform this Surveillance ! under the conditions that apply during a plant outage. The- i frequency is_ adequate based on the low drift of the devices -j used to implement the Functions covered by this LC0. Note i that calibration of these channels overlaps or is encompassed by calibrations required by other LCOs that address some of the same components required by the PAM displays. , (continued) li ABWR TS B 3.3-188 P&R 08/30/93 .! l l l 1
.- - - . - - .- . - . - - . . . - . - . a
PAM Instrumentation B 3.3.6.1 BASES REFERENCES 1. Regulatory Guide 1.97, " Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident," [Date].
- 2. ABWR SSAR, Section 7.5 l
1 l ABWR TS B 3.3-189 P&R 08/30/93
Remote Shutdown System B 3.3.6.2 l B 3.3 INSTRUMENTATION ! B 3.3.6.2 Remote Shutdown System ; BASES BACKGROUND The Remote Shutdown System provides the control room operator with sufficient instrumentation and co trols to ; place and maintain the plant in a safe shutdown conditiot from a location other than the control room..This capability ! is necessary to protect against the possibility of the ! control room becoming inaccessible. A safe shutdown , condition is defined as MODE 3. With the plant in MODE 3, i the High Pressure Core Flooder System, the safety / relief I valves, and the Residual Heat Removal Shutdown Cooling System can be used to remove core decay heat and meet all ! safety requirements. Additional systems assisting in the ; remote shutdown capability are portions of_ the Nuclear . Boiler System, the Reactor Building Cooling Water System, ! the Reactor Service Water System, the Electrical Power ! Distribution System, and the Flammability Control System. ; The long term supply of water for the HPCF and the ability : to operate shutdown cooling from outside the control room - allow extended operation in MODE 3. ' In the event that the control room becomes inaccessible, the operators can establish control at either of two remote ; shutdown paneh (Division I and Division II) and place and maintain the plant in MODE 3. The two panels have a .i different complement of controls snd indications, but either l panel may be used to achieve and' maintain MODE 3. The main l difference between the two panels is that one of them uses l HPCF and one SRV to regulate pressure and provide the decay j heat removal and inventory make up. The other panel uses 3 i SRVs and the LPCF and shutdown cooling mu'a of a RHR system l l to provide this capability. l l i The postulated conditions assumed to exist when the Main , Control Room becomes inaccessible are 1) the plant is l operating initially at or less than design power and 2) the , plant is not experiencing any transient or accident- ' situations. Therefore, complete control of engineered safeguard feature systems from outside the main control room is not required. L Even though the loss of offsite power is considered' unlikely, the remote shutdown panels are powered from Class IE power system buses I and 11 so that backup AC power would (continued) l ABWR TS B 3.3-190 P&R 08/30/93 j
Remote Shutdown System B 3.3.6.2 BASES l BACKGROUND be automatically supplied by the plant diesel generator. J ( Continued ) Manual controls of the diesel generator are also available ! locally, i All plant personnel are assumed to have evacuated the main control room and the main control room continues to be inaccessible for several hours. The initial event that i causes the main control room to become inaccessible assumes j the reactor operator can manually scram the reactor before i leaving the main control room. If this is not possible, the ; capability of a backup means-to achieve reactor reactivity l shutdown is available. i Some of the existing systems used for normal reactor , shutdown operations are also utilized in the remote shutdown panels. The functions needed for remote shutdown control are ! transferred to the remote shutdown panels using manual i switches that disable control of the functions from the main ; control room and enable control from the remote shutdown panels. Control signals are interrupted by the transfer i devices at the hardwired, analog loop. Sensor signals which I interface with the remote shutdown system for local display ! of process variables are continuously powered and available for monitoring at all times. Control signals from the main control room are routed from the RMUs to remote shutdown : transfer devices, and then to the interfacing system l ! equipment. Actuation of the transfer switches bypasses the ! l RMUs and connects the control . signals directly to the remote l i ! shutdown canels. l All necessary power supply circuits are also transferred to other sources. Remote shutdown control is not possible i without actuation of the transfer devices. Operation of the ! transfer devices causes an alarm in the main control room. ; The remote shutdown control panels are located outside the l l main control room. Access to the panels is administratively i l and procedurally controlled. ! The OPERABILITY of the Remote Shutdown System control and i instrumentation Functions ensures that there is sufficient i information available on selected plant parameters to place. i and maintain the plant in MODE 3 should the control room j become inaccessible. i . i (continued) l l l r ABWR TS B 3.3-191 P&R 08/30/93. l t
Remote Shutdoan System B 3.3.3.2 { BASES APPLICABLE The Remote Shutdown System is required to provide equipment SAFETY ANALYSIS at appropriate locations outside the control room with a design capability to promptly shut down the reactor to MODE 3, including the necessary instrumentation and controls, to maintain the plant in a safe condition in D DE 3. The criteria governing the design and the specific system requirements of the Remote Shutdown System are located in 10 CFR 50, Appendix A, GDC 19 (Ref. 1). The Remote Shutdown System is considered an important contributor to reducing the risk of accidents; as such, it i has been retained in the Technical Specifications (TS) as indicated in the NRC Policy Statement. ; LC0 The Remote Shutdown System LC0 provides the requirements for L the OPERABILITY of the instrumentation and controls necessary to place and maintain the plant in MODE 3 from a location other than the control room. The instrumentation ; and controls typically required are listed in Table 3.3.6.2-1 in the accompanying LCO. The Functions with two required channels have one on each RSS panel while those 4 with one required channel are on only one of the RSS panels. The controls, instrumentation, and transfer switches are those required for:
- Reactor pressure vessel (RPV) pressure control;
- Decay heat removal;
- RPV inventory control; l
- Flammability Control; ,
- Atmospheric Control Monitoring; and
- Safety support systems for the above functions, '
including service water, component cooling water, and onsite power, including the diesel generators. l A Remote Shutdown System panel is OPERABLE if all instrument and controls on the panel are OPERABLE. In some cases, (continued) ABWR TS B 3.3-192 PER 08/30/93 l a
i Remote Shutdown System B 3.3.6.2 BASES LC0 the required information or control capability is available ( Continued ) from several alternate sources. In these cases, the Remote Shutdown panel is OPERABLE as long as one of the alternate information or control sources for each Function is OPERABLE. The Remote Shutdown System instruments and control circuits ' covered by this LC0 do not need to be energized to be considered OPERABLE. This LCO is intended to ensure that the instruments and control circuits will be OPERABLE if plant conditions require that the Remote Shutdown System be placed in operation.
- 1. Reactor Steam Dome Pressure.
Reactor steam dome pressure is an indication of Reactor Coolant System (RCS) integrity and is a necessary parameter for achieving and maintaining the reactor in MODE 3. A reactor pressure indication is provided on both of the RSS panels. Both channels are required to be OPERABLE in order to achieve MODE 3 from either RSS panel.
- 2. 3. and 4. HPCF B Flow / Controls /Discharae Pressure.
The HPCF system can be used to provide vessel inventory make up and decay heat removal while bringing the plant to MODE
- 3. The HPCF in conjunction with other instruments and controls on the division II RSS panel is sufficient to l achieve and maintain MODE 3 from the division II panel. The HPCF flow and pressure indications provide monitoring of HPCF operation. The controls provided are as given in reference 2. One channel of each Function is required to be OPERABLE in order to achieve MODE 3 from either RSS panel.
5 throuah 11. RHR A. B Control & Indication. The RHR system can be used to provide vessel inventory make up and decay heat removal while bringing the plant to MODE :
- 3. The RHR in conjunction with other instruments and
- controls on the RSS panels is sufficient to achieve and I maintain MODE 3 from either panel. The RHR flow indications i provide monitoring of RHR operation and the heat exchanger monitors provide indication of decay heat removal. The RHR l
(continued) ABWR TS B 3.3-193 P&R 08/30/93 1
Remote Shutdown System B 3.3.6.2 BASES l l LCO 5 throuch 11. RHR A. B Control & Indication. (continued) ( Continued ) t controls and monitors are adequate to place it in the - shutdown mode. The controls provided are as given in reference 3. Two channels of each Function (RHR A on the , division I panel and RHR B on the division 11 panel) are ' required to be OPERABLE in order to achieve MODE 3 from either RSS panel.
- 12. and 13. RPV Wide Rance/ Narrow Rance Water level.
t Reactor vessel water level is provided to support monitoring of core cooling, to verify operation of the make up pumps, and is needed for satisfactory operator control of make up pumps. The wide range water level channels cover the range from the near top of the fuel to near the top of the steam ' separators. The narrow range provides indication from near the bottom of the separators to above the steam lines. RPV ' level is a necessary parameter for achieving and maintaining the reactor in MODE 3. One channel of each range is provided
- I on both of the RSS panels. Both channels are required to be OPERABLE in order to achieve MODE 3 from either RSS panel, l
l 14 15, and 16. Reactor Buildino Coolina Water l Flow / Controls & Reactor Service Water Controls. . These parameters and controls are required to monitor and control the water supply for cooling the equipment needed to . achieve MODE 3 and to provide containment heat removal. The > Reactor Building Cooling Water controls provided are as given in reference 4 and the Reactor Service Water controls > provided are as given in reference 5. One channel of each l Function is provided on both of the RSS panels. Both ! channels of each Function are required to be OPERABLE in order to achieve MODE 3 from either RSS panel. i
- 17. Flammabilit y Control System Control .
A control for the FCS B inlet valve is provided on the
~
division II panel only. This control is'needed in order for the operator to manage cooling water flow. One channel is required to be OPERABLE to assure that MODE 3 can be achieved from either RSS panel. (continued) ABWR TS B 3.3-194 P&R 08/30/93 1 - __ - .
I Remote Shutdown System B 3.3.6.2 BASES LCD ,
- 18. Sucoression Pool Level, i
( Continued ) Suppression pool water level provides information needed to assess the status of the RCPB and to assess the status of the water supply to the ECCS. The level indicators monitor the suppression pool level from the bottom of the ECCS ; suction lines to five feet above the normal suppression pool ; level. One channel of this Function is provided on both of . the RSS panels. Both channels are required to be OPERABLE in : order to achieve MODE 3 from either RSS panel. i F
- 19. Condensate Storaae Pool Level . {
Condensate Storage Level provides information needed to assess the status of the water supply to the HPCF. The indication is needed in order to achieve and maintain MODE 3 - when using HPCF. A channel of this Function is provided on ! the division 11 RSS panel. The channel is required to be ! OPERABLE in order to achieve MODE 3 from either RSS panel. l l l 20. Suppression Pool Temperature. Suppression Pool Water Temperature allows the operator to detect trends in suppression pool water temperature in sufficient time to take action to prevent steam quenching ; vibrations in the suppression pool. This Function is i required in order to maintain MODE 3. One channel of this Function is provided on both of the RSS panels. Both channels are required to be OPERABLE in order to maintain MODE 3 from either RSS panel.
- 21. Electric Power Distribution Controls.
These Functions are provided so the operator can select various AC power sources for the equipment needed to achieve l
^
and maintain MODE 3. The Electric Power Distribution Controls provided are as given in referentes 6 and 7. One channel of each Function is provided on both of the RSS ! panels. Both channels of each function are required to be OPERABLE in order to achieve MODE 3 from either RSS panel. (continued) ABWR TS B 3.3-195 P&R 08/30/93
Remote Shutdown System B 3.3.6.2 BASES LCO 22. Diesel Generator System Interlock and Monitors. ( Continued ) This function is provided to permit monitoring the status of t the emergency DG. These monitors are required to permit the operator to manage the electric power distribution. The , interlock disables DG start /stop form the control room to assure that the event that made the control room unavailable will not disrupt DG operation. One channel of this Function is provided on both of the RSS panels. Both channels of the Function are required to be OPERABLE in order to achieve MODE 3 from either RSS panel.
- 23. SRV Controls.
This Function is provide to permit the operator to perform a controlled depressurization and to maintain reactor pressure within limits. Three channels are provided on the division I RSS panel and one channel is provided on the division 11 panel. These channels, in conjunction with other controls and indications on the panels, are sufficient to achieve and maintain MODE 3 from either panel. One channel of this function is provided on both of the RSS panels. Three channels on the division I panel'and one channel on the division 11 panel are required to be OPERABLE in order to ' achieve MODE 3 from either RSS panel. APPLICABILITY The Remote Shutdown System LC0 is applicable in MODES I, and 2. This is required so that the plant can be placed and maintained in MODE 3 for an extended period of time from a location other than the main control room. This LC0 is not applicable in MODES 3, 4, and 5. In these i MODES, the plant is already subcritical and in a condition of reduced Reactor Coolant System energy. Under these conditions, considerable time is available to restore necessary instrument control Functions if main control room instruments or control becomes unavailable. Consequently, the TS do not require OPERABILITY in MODES 3, 4, and 5. ACTIONS A Note is included that excludes the MODE change restriction of LCO 3.0.4. This exception allows entry into an applicable MODE while relying on the ACTIONS even though the ACTIONS may eventually require a plant shutdown. This (continued) > ABWR IS B 3.3-196 P&R 08/30/93
. .- . ._~ - .
Remote Shutdown System B 3.3.6.2 BASES ACTIONS exception is acceptable due to the low probability of an ( Continued ) event requiring this system. Note 2 has been provided to modify the ACTIONS related to Remote Shutdown System Functions. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent trains, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable Remote Shutdown System Functions provide appropriate compensatory measures for separate Functions. As such, a Note has been provided that allows separate Condition entry for each inoperable Remote Shutdown System . Function. l A.1 Condition A addresses the situation where one or more required Functions ore inoperable in one of the RSS divisions. This includes any Function listed in Table 3.3.6.2-1, as well as the control and transfer switches. The Required Action is to restore the inoperable division of the function to OPERABLE status within (90] days. The Completion Time is based on the high reliability of the devices used to implement the Functions and the low probability of an event that would require evacuation of the control room. B.1 Condition A addresses the situation where one or more required Functions are inoperable in both of the RSS divisions. This includes any Function listed in Table 3.3.6.2-1, as well as the control and transfer switches. The Required Action is to restore the Function (both divisions, if applicable) to OPERABLE status within (continued) ABWR 15 B 3.3-197 P&R 08/30/93
Remote Shutdown System B 3.3.6.2 BASES ACTIONS B.1 (continued) ; ( Continued ) ! [30] days. The Completion Time is based on the low i probability of an event that would require evacuation of the . control room. C.1 If the Required Action and associated Completion Time of i Condition A or 8 are not met, the plant must be brought to a l l MODE in which the LCO does not apply. To achieve this ; status, the plant must be brought to at least MODE 3 within ! [12] hours. The allowed Completion Time is reasonable, ; based on operating experience, to reach the required MODE l from full power conditions in an orderly manner and without ; challenging plant systems. ! SURVEILLANCE SR 3.3.6.2.1 REQUIREMENTS l Performance of the CHANNEL CHECK once every 31 days ensures l that a gross failure of instrumeritation has not occurred. A ; CHANNEL CHECK is a comparison of the parameter indicated on one c!annel to a similar parameter on other channels. It is based on the assumption that instruments monitoring the same - paraneter should read approximately the same value, t Signi ficant deviations between the instruments could be an indicatier. of excessive instrument drift in one of them divisions or something even more serious. A CHANNEL CHECK will detect gross channel or division failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the instrument uncertainties, including indications. If a channel is outside the acceptance criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. As specified in the Surveillance, a CHANNEL CHECK is only required for those channels that are normally energized. Performance of a CHANNEL CHECK provides confidence that undetected outright channel failure is limited to 31 days. The Frequency is based upon the high reliability of the devices used to implement the Functions. (continued) ABWR TS B 3.3-198 P&R 08/30/93
Remote Shutdown System B 3.3.6.2 BASES i 1 SURVEILLANCE SR 3.3.6.2.2 REQUIREMENTS ( Continued ) SR 3.3.6.2.2 verifies each required Remote Shutdown System transfer switch and control circuit performs the intended function. This verification is performed from the remote , shutdown panel and locally, as appropriate. This will i ensure that if the control room becomes inaccessible, the ! plant can be placed and maintained in MODE 3 from the remote ! shutdown panel and the local control stations. However, this . Surveillance is not required to be performed only during a ! plant outage. Operating experience demonstrates that Remote Shutdown System control divisions usually pass the Surveillance when performed at every refueling Frequency. SR 3.3.6.2.3 f A CHANNEL CAllBRATION is a complete check of the instrument loop and the sensor. The test verifies the channel responds to measured parameter with the necessary range and accuracy. l The [18] month frequency is based on the ABWR expected i l REFUELING INTERVAL and the need to perform this Surveillance under the conditions that apply during a plant outage. The Frequency is adequate based on the inherent low drift of the ' devices used to implement the Functions covered by this LCO. Note that calibration of these channels overlaps or is encompassed by calibrations required by other LCOs that address some of the same components required by the RSS indications. - REFERENCES 1. 10 CFR 50, Appendix A, GDC 19. j
- 2. ABWR SSAR Section 7.4.1.4.4(2)(a)
I
- 3. ABWR SSAR Section 7.4.1.4.4(3)(a)
- 4. ABWR SSAR Section 7.4.1.4.4(5)(a) ,
- 5. ABWR SSAR Section 7.4.1.4.4(6)(a) ;
I
~
- 6. ABWR SSAR Section 7.4.1.4.4(7)(a)
- 7. ABWR SSAR Section 7.4.1.4.4(7)(b) i 4
ABWR TS B 3.3-199 P&R 08/30/93 ! __ _ _ ~,
CRHA HVAC EF Instrumentation B 3.3.7.1 B 3.3 INSTRUMENTATION B 3.3.7.1 Control Room Habitability Area (CRHA) HVAC Emergency Filtration (EF) System Instrumentation BASES BACKGROUND The CRHA Emergency Filtration system is designed to provide ( a radiologically controlled environment to ensure the l habitability of the main control area envelope for the l safety of control rocm operators under all plant conditions. Two independent CRHA Emergency Filtration systems are each capable of fulfilling the intended safety function. The instrumentation and controls for the CRHA Emergency Filtration System automatically initiate action to isolate or pressurize the main control area envelope (MCAE) to minimize the consequences of radioactive material in the main control area evelope environment. Each system consists of an electric heater, prefilter, a high efficiency particulate air (HEPA) filter, an activated charcoal adsorber section, a second HEPA filter and two fans. Two redundant systems of the CRHA system are required to ensure at least one is available assuming a single failure disables the other system. Should any component in one system fail, filtration can be performed by the other system. The OPERABILITY of each independent system is based on having adequate system flow and OPERABLE HEPA filters, charcoal adsorbers and heaters. The CRHA system instrumentation has eight radiation monitoring sensors; four sensors monitoring each of two air intake ducts. The output logic is a two-out-of-four logic which produces two trip systems: one trip system initiates one system, while the second trip system initiates the other CRHA system. Upon receipt of an actuation signal the CRHA system automatically switches to the emergency mode of operation to prevent infiltration of radioactive contaminated air into the main control area envelope. A system of dampers isolates the normal air intake and minimum outdoor air is mixed with recirculated air. The Emergency Filtration system is an automatic or manual operation. The operator can place either of the two units in standby mode. The system selected as the standby unit will initiate when the emergency occurs. If the operational system detects a low flow condition possibly due to a plugged filter element, j an automatic switchover to the other system will occur. l (continued) ABWR TS B 3.3-200 P&R 08/30/93
CRHA HVAC EF Instrumentation B 3.3.7.1 BASES BACKGROUND Each Emergency Filtration system has two flow switches, one ( Continued ) in each discharge duct of the recirculation supply fan. A two-out-of-two logic low flow indication will initiate the automatic switchover to the other system. The main control area envelope Ventilation Radiation Monitors are arranged in a two-out-of-four logic. The channels include electronic equipment that compares measured 4 input signals with pre-established setpoints. When the setpoint is exceeded, the division output logic actuates, which then outputs a CRHA initiation signal. Each division receives an output initiation signal to initiate only the system on standby. APPLICABLE TheabilityoftheCRHASystemtomaintainthehabitabilit[ SAFETY ANALYSIS, of the MCAE is explicitly assumed for certain accidents a LCO, and discussed in the ABWR SSAR safety analyses (Refs. 2 and 3). APPLICABILITY CRHA HVAC System operat'.on ensures that the radiation exposure of control room personnel, through the duration of any one of the postulated accidents, does not exceed the limits set by GDC 19 of 10 CFR 50, Appendix A. CRHA HVAC instrumentation satisfies Criterion 3 of the NRC Policy Statement. The OPERABILITY of the CRHA HVAC Emergency Filtration system instrumentation is dependent upon the OPERABILITY of the individual instrumantation Functions specified in Table 3.3.7.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Allowable Values are specified for each CRHA HVAC and Emergency Filtration Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. These nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint that is less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. (continued) ABWR TS B 3.3-201 P&R 08/30/93
- +
i CRHA HVAC EF Instrumentation : B 3.3.7.1 ! BASES : e APPLICABLE Trip setpoints are those predetermined values of output at l SAFETY ANALYSIS, which an action should take place. The setpoints are - LCO, and compared to the actual process parameter and, when the i APPLICABILITY measured output value of the process parameter exceeds the ( Continued ) setpoint, the associated device changes state. The analytic , limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for : calibration, process, and some of the instrument errors. The trip setpoints are then determined, accounting for the remaining instrument errors (e.g., drift). The trip , setpoints derived in this manner provide adequate protection l ! because instrumentation and parameter indication j uncertainties, process effects, calibration tolerances, ! instrument drift . and severe environment errors (for , t channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. The CRHA HVAC EF System is required to be OPERABLE in MODES 1, 2, and 3 and in MODES 4 and 5 during CORE ALTERATIONS, OPDRVs, and movement of irradiated fuel in the ; secondary containment to ensure that main control area ; envelope personnel are protected during a LOCA, fuel l handling event, or a vessel draindown event. , r
- 1. Main Control Area Envelope Ventilation Radiation ,
Monitors i The main control area envelope Ventilation Radiation ! Monitors measure radiation levels exterior to the inlet ducting of the MCAE. A high radiation level may pose a threat to MCAE personnel; thus, a detector indicating this condition automatically signals initiation of the Emergency Filtration unit on standby. The Main Control Area Envelope Ventilation Radiation Monitors Function consists of eight independent monitors; four monitors on the outdoor intake to each unit. Four channels of Main Control Area Envelope Ventilation Radiation Monitors on each duct are available and are required to be OPERABLE to ensure that no single instrument failure can , preclude Emergency Filter unit initiation. The Allowable ! Value was selected to ensure protection of the control room ! personnel. (continued) ABWR TS B 3.3-202 P&R 08/30/93
.CRHA HVAC EF Instrumentation :
B 3.3.7.1 BASES l APPLICABLE 2. Emeraency Filtration System low Flow Switches SAFETY ANALYSIS, i LCO, and The Emergency Filtration unit flow switch measures the i APPLICABILITY recirculation fan air discharge flow in the. duct. Low flow ! ( Continued ) measurement is indicative of the recirculation fan i inoperable. Each of the recirculation supply fan flow rate j is monitored. Each supply fan is capable of delivery of ! 100% flow. Low flow in both supply fan (i.e., two-out-of- ! two logic) in one subsystem will initiate an automatic : switchover to the other emergency filtration unit. l
- 3. EmeraenCv Filtration System Hanual Switch l
The Emergency Filtration system has standby system selection capability and can be manually selected. There are two , manual selection switches; one for each unit. One of the j two units must be selected prior to the CRHA system i i initiation for the Emergency Filtration HVAC to- ' automatically initiate. Otherwise,'the Emergency Filtration i unit can be initiated manually by the operator. However, a ! low flow condition as described above, an automatic ! switchover will occur without the unit selection in the. j standby mode. ! ACTIONS A Note has been provided to modify the ACTIONS related to ! CRHA instrumentation channels. Section 1.3, Completion l Times, specifies that once a Condition has been entered, subsequent trains, subsystems, components, or variables expressed in the Condition discovered to be inoperable or. not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions 'for inoperable CRHA HVAC instrumentation channels provide appropriate ! compensatory measures for separate inoperable channels. As l such, a Note has been providec' that allows separate , Condition entry for each inoperable CRHA HVAC. j instrumentation channel. ; [ (continued)- ABWR TS B 3.3-203 P&R 08/30/93 ;
, . _ , . ~ , .,. . , . . _ . . . . ,_ -, _ . . _ . ~ , , _ _ . . . , _ . . _ . . . _ . -
CRHA HVAC EF Instrumentation ! B 3.3.7.1 i i l BASES
?
ACTIONS A.1. A.2.1. A.2.2.1, and A.2.2.2 ( Continued ) - A instrumentation channel is considered to be OPERABLE when i all associated instruments and devices are OPERABLE. If any LOGIC CHANNEL that uses the trip data from a instrumentation ; channel does not receive valid data then the channel is considered to be inoperable. A failure in one ventilation i radiation monitor instrumentation channel will cause the trip logic to become 1/3 or 2/3 depending on the nature of i the failure ( i.e failure which causes a channel trip vs. a j failure which does not cause a channel trip). Therefore, an additional single failure will not result in loss of protection but could cause a spurious initiation of a protective action for additional failures that result in a l tripped condition. Action A.1 forces a trip condition on the inoperable f instrumentation channel which causes the initiation logic to l become 1/3. In this condition a single failure will not ' result in loss of protection. Action A.2 bypasses the l inoperable instrumentation channel. This causes the logic for the function to become 2/3 so a single failure will not result in loss of protection or cause a spurious initiation. , Since plant protection capability is maintained no further ' ! action is required when the inoperable instrumentation channel is placed in trip. ! The Completion Time of six hours for implementing Actions i A.1 and A.2 is based on providing sufficient time for the i operator to determine which of the actions is appropriate. I The Completion Time is acceptable because the probability of , an event requiring the Function coupled with a failure in i two other instrumentation channels associated with the ; Function occurring within that time period is quite low. l l B.1 and B.2 l Condition B occurs when two instrumentation channels for the t MCAE ventilation radiation monitors become inoperable. For these conditions it is appropriate to place one channel in l trip and the other in bypass. The trip logic then becomes 1/2 so a single failure in the remaining operable channels
~
l i would not cause loss of protection. However, a single failure could result in a spurious trip. (continued) ABWR TS B 3.3-204 P&R 08/30/93
/ qu.~g .- - _ * , -- ,
1 CRHA HVAC EF Instrumentation B 3.3.7.1 l BASES l ACTIONS B.1 and B.2 (continued) ( Continued ) Since plant protection is maintained and the potential for a spurious trip is low because of the high reliability of the trip logic, operation in this condition for several days is acceptable. A maximum completion time corresponding to the next channel functional test is acceptable since the channel functional test interval criteria is a suitable criteria for ; operation in this condition. , i Since there is multiple entry in this LCO, restoration of one channel to OPERABLE status will cause Condition A to be invoked an appropriate compensatory measures taken I t C.1 This Condition represents a case where an automatic or manual Function is 1/1 or completely unavailable. In this condition the single failure criteria for automatic action is not met. For this condition it is appropriate to declare l the system inoperable. This Condition also occurs if the i Required Action and associated Completion Times for Condition A or B are not met. The Completion Time provides a reasonable amount of time to perform the required actions. The Completion Time is acceptable because the probability of an event requiring the Function within that time period is quite low. SURVEILLANCE As noted at the beginning of the SRs, the SRs for each CRHA , REQUIREMENTS and Emergency Filtration Instrumentation Function are :' located in the SRs column of Table 3.3.7.1-1. SR 3.3.7.1.1 Performance of the SENSOR CHANNEL CHECK once every i [24] hours ensures that a gross failure of instrumentation l has not occurred. A SENSOR CHANNEL CHECK is a comparison of the indicated parameter for one instrument channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could (continued) ABWR TS B 3.3-205 P&R 08/30/93 1 l 1
CRHA HVAC EF Instrumentation B 3.3.7.1 BASES l SURVEILLANCE SR 3.3.7.1.1 (continued) ! REQUIREMENTS ' be an indication of excessive instrument drift in one of the ( Continued ) channels or other channel faults. A SENSOR CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL FUNCTIONAL TEST. , Agreement criteria are determined by the plant staff based ! on a combination of the channel instrument and parameter t
- indication uncertainties. ,
The Frequency is based upon operating experience that
]
demonstrates channel failure is rare. Thus, performance of j the SENSOR CHANNEL CHECK ensures that undetected outright i channel failure is limited to [24] hours. The SENSOR Cr;ANNEL CHECK supplements less formal, but more frequent, ; checks of channel status during normal operational use of the displays associated with channels required by the LCO. SR 3.3.7.1.2 i A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function and that the programmed setpoints in the ' initiation logic devices (micro-processor based) are correct. The Frequency of 92 days is based on requiring the Emergency Filtration train to oo'; rate for a specified duration every 92 days. SR 3.3.7.1.3 I A SENSOR CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. SENSOR CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations. Measurement and setpoint i error historical determinations must be performed consistent with the plant specific setpoint methodology. The channel , shall be left calibrated consistent with the assumptions of ' the setpoint methodology, i (continued) ABWR TS B 3.3-206 P&R 08/30/93
CRHA HVAC EF Instrumentation B 3.3.7.1 BASES SURVEILLANCE SR 3.3.7.1.3 (continued) l REQUIREMENTS If the as found trip points (fixed or variable) is not ( Continued ) within its Allowable Value, the plant specific setpoint , methodology may be revised, as appropriate, if the history and all other pertinent information indicate a need for the revision. The setpoint shall be left set consistent with the assumptions of the current plant specific setpoint methodology. ; The [18] month frequency is based on the ABWR expected - refueling interval and the need to perform this Surveillance under the corditions that apply during a plant outage. The , [18] month frequency must be supporter
- with a setpoint '
analysis that ir.cludes a drift allowa ., ~nmensurate with ! this frequency. SR 3.3.7.1.4 ! The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the initiation logic for a specific division. The system functional testing performed in LCO 3.7.3, " Main Control Area Envelope Habitability Area (CRHA) HVAC System," overlaps this Surveillance to provide complete testing of the assumed safety function. The [18] month frequency is based on the ABWR expected ; refueling interval and the need to perform this Surveillance under the conditions that apply during a plant outage. The high reliability of the devices used in the signal processing coupled with the CHANNEL FUNCTIONAL TEST provides confidence that the specified frequency is adequate. REFERENCES 1. ABWR SSAR, Figure [ ].
- 2. ABWR SSAR, Section [6.4].
- 3. ABWR SSAR, Chapter [15].
1 ABWR TS B 3.3-207 P&R 08/30/93
l Power Monitoring l l B 3.3.8.1 B 3.3 INSTRUMENTATION l B 3.3.8,1 Power Monitoring ) BASES ! BACKGROUND The Power Monitor is provided to isolate the Vital AC bus l from the constant frequency constant voltage (CVCF) power ! l supply in the event of overvoltage, undervoltage, or ; underfrequency. This system protects the loads connected to , the Vital AC bus against unacceptable voltage and frequency l conditions (Ref. 1) and forms an important part of the
~
primary success path for the essential safety circuits. , l Some of the essential equipment powered from the Vital AC ! i buses includes the RPS logic, scram solenoids, MSIV :
- solenoids, and various valve isolation logic. ,
l l The Power Monitor will detect any abnormal high or low l voltage or low frequency condition in the outputs of the + CVCF power supply within the division and will de-energize i its respective Vital AC bus, thereby causing all safety functions normally powered by this bus to de-energize. l In the event of a low voltage condition for an extended i period of time, the scram solenoids can chatter and potentially lose their pneumatic control capability, resulting in a loss of primary scram action. In the event of an overvoltage condition for an extended period of time, the RPS logic relays and scram solenoids, as well as the main steam isolation valve solenoids, may experience a voltage higher than their design voltage. If the overvoltage condition persists for an extended time period, it may cause equipment degradation and the loss of plant safety function. , Two redundant Class lE circuit breakers are connected in
- parallel between each Vital AC bus and its CVCF power
- supply. Each of these circuit breakers has an associated set of Class lE overvoltage, undervoltage, and underfrequency sensing logic. Together, a circuit breaker and its sensing logic constitute an electric power l monitoring assembly. If the output of the CVCF power supply t exceeds the predetermined limits of overvoltage, ,
undervoltage, or underfrequency, a trip coil driven by this ! logic circuitry opens each of the two circuit breakers, wnich removes the associated CVCF power supply from service. (continued) l i ABWR TS B 3.3-208 P&R 08/30/93 l
i Power Monitor ' B 3.3.8.1 BASES APPLICABLE Power monitoring is necessary to meet the ' SAFETY ANALYSES assumptions of the safety analyses by ensuring that the equipment powered from the Vital AC buses can perform its intended function. Power monitoring provides protection to - the RPS and other systems that receive power from the Vital , AC buses, by disconnecting the RPS and other systems from ' the power supply under specified conditions that could damage the Vitus AC bus powered equipment. Power monitoring satisfies Criterion 3 of the NRC Policy I Statement. , LC0 The OPERABILITY of each power monitor is dependent upon the OPERABILITY of the overvoltage, undervoltage, and underfrequency logic, as well as the OPERABILITY of the ' associated circuit breaker. One power monitor with one of two electric power monitoring assemblies are required to be OPERABLE for each inservice and OPERABLE CVCF power supply. The OPERABLE power monitor and CVCF power supply provides redundant protection against any abnormal voltage or frequency conditions to ensure that no single power monitor failure or no single CVCF power supply failure can preclude l the function of Vital AC bus powered components. Each ! inservice electric power monitoring assembly's trip logic setpoints are required to be within the specific Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. , Allowable Values are specified for each RPS electric power l monitoring assembly trip logic (refer to SR 3.3.8.1.2). ! Nominal trip setpoints are specified in the setpoint ! calculations. The nominal setpoints are seler,ted to ensure . l that the setpoints do not exceed the Allowable Value between ! CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if i its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined i values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., overvoltage), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process j l (continued) i ABWR TS B 3.3-209 P&R 08/30/93 i
l Power Monitor B 3.3.8.1 i BASES parameters obtained from the safety analysis. The Allowable - Values are derived from the analytic limits, corrected for ; calibration, process, and some of the instrument errors. , The trip setpoints are then determined, accounting for the t remaining instrument errors (e.g., drift). The trip ; setpoints derived in this manner provide adequate protection ' because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh : environments as defined by 10 CFR 50.49) are accounted for. The Allowable Values for the instrument settings are based , on the power supply providing ;t 57 Hz,120 V 10% (to all i equipment), and 115 V i 10 V (to scram and MSIV solenoids). The most limiting voltage requirement determines the settings of the electric power monitoring instrument channels. The settings are calculated based on the loads on the buses and CVCF power supply being 120 VAC and 60 Hz. The operation of the power monitor is essential to APPLICABILITY disconnect the Vital AC bus powered components from the CVCF ! power supply during abnormal voltage or frequency l conditions. Since the degradation of a Class IE or non-Class IE source supplying power to the Vital AC bus can occur as a result of any random single failure, the OPERABILITY of the power monitor is required when the Vital AC bus powered components are required to be OPERABLE. This results in the Power Monitor OPERABILITY being required in MODES 1, 2, and 3, and MODES 4 and 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies or with both residual heat removal (RHR) shutdown cooling isolation valves open. e I (continued) ABWR TS B 3.3-210 P&R 08/30/93 l
l ! Power Monitoring ! B 3.3.8.1 l [ ! l : i BASES (continued) l l ACTIONS A.1 l l ; ) i If one electric power monitoring assembly for an inservice ! l power supply (CVCF) is inoperable, or one electric power j monitoring assembly on each inservice power supply is j inoperable, the OPERABLE assembly will still provide ! protection to the Vital AC bus powered components under j degraded voltage or frequency conditions provided the i circuit breaker associate with the inoperable assembly is ; placed in the tripped (open) position. In this condition, i i 1 hour is allowed to place the associated circuit breaker in ! l the tripped position. The 1 hour Completion Time is i i sufficient for the plant operations personnel to.take , corrective actions. If the associated circuit breaker can ! not be placed in the tripped position, the power monitor is j inoperable and the required action of condition B shall be i followed. t i I M ! t If both electric power monitoring assemblies- (the power i monitor) for an inservice' power supply (CVCF) are ! inoperable, or both electric power monitoring assemblies in j each inservice power supply are inoperable, the OPERABLE t CVCF power supply will'still provide voltage and frequency [ to the Vital AC bus powered components within allowable i limits. However, the reliability and redundancy of the ! protection provided Vital AC bus power components is reduced and only a limited time (72 hours) is. allowed to restore one ; of two inoperable assembly (s) to OPERABLE status. If one of ! the two inoperable assembly (s) cannot be restored to i OPERABLE status, the associated power supply must be removed i from service (Required Action B.1). This places the Vital ; AC bus in a safe condition. l The 72 hour Completion Time takes into account the' remaining l OPERABLE CVCF power supply and the low probability of an ; event (requiring Power Monitor protection) occurring during ! this period. It allows time for plant operations personnel , to take corrective actions or to place the plant in the ! required condition in an orderly manner and without r challenging plant systems. l l 1 (continued) l; l ABWR TS B 3.3-211 P&R 08/30/93 i
- i
Power Monitoring B 3.3.8.1 BASES (continued) I l l Alternatively, if it is not desired to remove the power supply (s) from service (e.g., as in the case where removing the power supply (s) from service would result in a scram or isolation), Condition C or D, as applicable, must be entered and its Required Actions taken. { Alternately, if it is not desired to remove the power !
- supply (s) from service (e.g., as in the case where removing l the power supply (s) from service would result in a scram or l l isolation), Condition C or D, as applicable, must be entered ;
and its Required Actions taken. I i C.1 and C.2 If any Required Action and associated Completion Time of < Condition B is not met in MODE 1, 2, or 3, a plant shutdown must be performed. This places the plant in a condition where minimal equipment, powered through the inoperable electric power monitoring assembly (s) (power monitor), is required and ensures that the safety function of the RPS '; (e.g., scram of control rods) is nnt required. The plant shutdown is accomplished by placing the plant in MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full ! power conditions in an orderly manner and without challenging plant systems. l D.I. D.2.1, and D.2.2 l If any Required Action and associated Completion Time of Condition B are not met in MODE 4 or 5, with any control rod 1 withdrawn from a core cell containing one or more fuel assemblies or with both isolation valves of a RHR shutdown : cooling subsystem open, the operator must immediately initiate action to fully insert all insertable control rods in core cells containing one or more fuel assemblies (Required Action D.1). This Required Action results in the least reactive condition for the reactor core and ensures that the safety function of the RPS (e.g., scram of control rods) is not required. ' In addition, action must be immediately initiated to either restore one of two electric power monitoring assembly to (continued) ABWR TS B 3.3-212 P&R 08/30/93 ;
Power Monitoring i B 3.3.8.1 ; l BASES (continued) OPERABLE status for the inservice power source supplying the l' required instrumentation powered from the Vital AC bus (Required Action D.2.1) or to isolate the RHR Shutdown Cooling System (Required Action D.2.2). Required Action D.2.1 is provided because the RHR Shutdown Cooling , System (s) may be needed to provide core cooling. All actions must continue until the applicable Required Actions are completed. l l SURVEILLANCE SR 3.3.8.1.1 REQUIREMENTS , A CHANNEL FUNCTIONAL TEST is performed on each overvoltage, undervoltage, and underfrequency channel to ensure that the entire channel will perform the intended function. l As noted in the Surveillance, the CHANNEL FUNCTIONAL TEST is
- only required to be performed while the plant is in a
l condition in which the loss of the Vital AC bus will not ! jeopardize steady state power operation (the design of the system is such that the oower source must be removed from service to conduct - illance). The 24 hours is l intended to indicate -.. ._; age of sufficient duration to ! allow for scheduling and proper performance of the Surveillance. The 184 day Frequency and the Note in the Surveillance are based on guidance provided in Generic Letter 91-09 (Ref. 2). SR 3.3.8.1.2 CHANNEL CALIBRATION is a complete check of the instrument
- loop and the sensor.
1 The Frequency is based upon the assumption of ar, 18 month calibration interval in the determination of the magnitude ! of equipment drift in the setpoint analysis. I l SURVEILLANCE SR 3.3.8.1.3 REQUIREMENTS Performance of a system functional test demonstrates a required system actuation (simulated or actual) signal. The logic of the system will automatically trip open the : associated power monitoring assembly circuit breaker. Only one signal per power monitoring assembly is required to be . 1 (continued) 1 l l ABWR TS B 3.3-213 P&R 08/30/93 f l I t
l Power Monitoring , B 3.3.8.1 l BASES (continued) tested. This Surveillance overlaps with the CHANNEL CALIBRATION to provide complete testing of the safety function. The system functional test of the Class IE circuit breakers is included as part of this test to provide complete testing of the safety function. If the breakers are incapable of operating, the associated electric power monitoring assembly would be inoperable. The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency. REFERENCES 1. ABWR SSAR, Section 8.3.1.1.4.2.2.
- 2. NRC Generic Letter 91-09, " Modification of Surveillance Interval for the Electric Protective Assemblies in Power Supplies for the Reactor Protection System."
l ABWR TS B 3.3-214 P&R 08/30/93 l l
Reactor Coolant Temperature Monitoring I B 3.3.8.2 , l B 3.3 INSTRUMENTATION B 3.3.8.2 Reactor Coolant Temperature Monitoring i BASES BACKGROUND Reactor coolant temperature monitoring is provided to i monitor the progress and the effectiveness of residual decay ! heat removal operations. The RHR System consist of three i subsystems each of which can be operated in the Shutdown ! Cooling Mode for decay heat removal. RHR shutdown cooling i operation can be initiated during a reactor shutdown when l reactor pressure decreases to the shutdown cooling interlock , pressure (approximately 135 psig). RHR shutdown cooling i operation is normally required to maintain the reactor in l cold shutdown conditions (MODE 4) and to maintain the l' reactor coolant temperature as low-as possible for refueling operations in MODE 5. } The temperature monitoring instrumentation will provide temperature indication and trends to the operator in the ! main control room when during RHR decay heat removal t operation. One temperature monitoring channel is available ! to monitor reactor coolant temperature at the inlet to the ! RHR heat exchanger. This monitoring' channel will also detect i the loss of decay heat removal capability during low power ; operation and shutdown conditions. Sufficient time is i available to the operator to take corrective actions when i required to minimize the potential for a complete loss of , decay heat removal capability APPLICABLE No specific safety analyses were performed for' loss of decay SAFETY ANALYSIS heat removal capability. Chapter 19 of the SSAR, Probability Risk Assessment (PRA), evaluates the ] consequences of shutdown risk due to loss of decay heat I removal. The reactor coolant tempeature monitoring l instrumentation provides the necessary information and I trending information for monitoring the effectiveness of shutdown cooling operation and for detecting loss of decay heat removal capability to allow the operator to take necessary corrective actions. LCO AND The OPERABILITY of the reactor coolant temperature APPLICABILITY monitoring channel is specified only for RHR subsystems that are' operating in the shutdown cooling mode. RHR is normally in operation in MODE 3 with reactor pressure below the (continued)- ! ABWR TS B 3.3-215 P&R 08/30/93 4 i l .. _
- . . . - _- - - . - . , - .~ - . - .
h Reactor Coolant Temperature Monitoring B 3.3.8.2 l ! BASES
- l 1
LCO AND shutdown cooling interlock pressure during a reactor APPLICABILITY shutdown. When the reactor coolant temperature is less than 200 *F, it is considered to be in MODE 4. For operation in MODE 5, reactor coolant temperature is maintained as low as , possible for refueling operations. The reactor coolant temperature monitoring instrumentation , is not required to be OPEPABLE when its associated RHR system is not operating in shutdown cooling. In MODES I and 3 above the shutdown cooling interlock pressure,- RHR shutdown cooling mode is isolated. In MODE 2 during power ascension, decay heat removal is secured to allow the reactor to heatup and pressurize. l ACTIONS A.l. A.2 If one or more reactor coolant temperature monitoring instrument channel is inoperable, the decay heat removal capability of the affected RHR subsystem must be verified to assure continuous shutdown cooling operation. This l verification typically involves checking valve alignments, other part. meters such as flow and pressure, heat exchanger outlet temperature, and heat exchanger cooling water l temperatures in the Closed Cooling Water system. If RHR ! shutdown cooling can be verified, continued decay heat removal capability exists although the reactor coolant temperature monitoring instrumentation is inoperable. However, with the reactor coolant temperature inoperable, it is prudent to establish alternate methods of reactor coolant temperature monitoring capability. One alternate method is by monitoring of the reactor bottom drain line temperature if the Reactor Water Cleanup system is in operation. The one hour Completion Time is reasonable since the rate of change of reactor coolant temperature change is typically small over this time interval even for the loss of decay heat removal capability. The Completion Time is also based on the corsideration that the Reactor Cleanup System may not be in operation and adequate time is required to place this system into operation for a reliable temperature indication. 1 (continued) ABWR TS B 3.3-216 P&R 08/30/93
Reactor Coolant Temperature Monitoring B 3.3.1.2 BASES ACTIONS B.1 ( Continued ) if it can not be verified that at least one RHR is operating : in the shutdow cooling mode, and alternate reactor coolant ' temperature monitoring capability can not be established, it is necessary to take actions to restore the capability immediately.. Local indication of reactor coolant temperature is an acceptable alternate when control room indications can not be established. SURVEILLANCE SR 3.3.8.2.1 REQUIREMENTS Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred between Channel Functional Tests. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to the same parameter indicated on other similar channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of exce;sive instrument drift or other channel faults in one of the channels. Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the instrument has drifted outside its limit. The high reliability of each SRNM channel provides confidence that a channel failure will be rare. However, a surveillance interval of [24] hours is used to provide ; confidence that gross failures that do not activate an annunciator or alarm will be detected within [24] hours. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the l displays associated with the channels required by the LCO. SR 3.3.8.2.2 A CHANNEL FUNCTIONAL TEST is performed on each reactor coolant temperature monitoring channel to ensure that the 4 entire channel will perform the intended function. As noted ) in the Surveillance, the CHANNEL FUNCTIONAL TEST is only (continued) ABWR TS B 3.3-217 P&R 08/30/93 1
l Reactor Coolant Temperature Monitoring l B 3.3.1.2 BASES i ACTIONS SR 3.3.8.2.2 (continued) l I ( Continued ) required to be performed prior to RHR shutdown operation. , The 92 day frequency is based on the simple design and , reliability of the temperature monitoring instrumentation. l l SR3.3.8.2.3 CHANNEL CALIBRATION is a complete check of the instrument loop and sensor. The frequency is based upon the as.sumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. , REFERENCES 1. ABWR SSAR, Section 19. [later] l 9 k i e i l l ABWR TS B 3.3-218 P&R 08/30/93 l}}