ML102660554
| ML102660554 | |
| Person / Time | |
|---|---|
| Site: | Calvert Cliffs  |
| Issue date: | 09/17/2010 |
| From: | Constellation Energy Nuclear Group, Calvert Cliffs, EDF Development |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| Download: ML102660554 (150) | |
Text
RPS Instrumentation-Operating B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protective System (RPS) Instrumentation-Operating
BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-1 Revision 2 BACKGROUND The RPS initiates a reactor trip to protect against violating the core specified acceptable fuel design limits and breaching the reactor coolant pressure boundary during
anticipated operational occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Features (ESF) systems in mitigating accidents.
The protecti ve systems have been designed to ensure safe operation of the reactor. This is achieved by specifying
limiting safety system settings (LSSS) in terms of
parameters directly monitored by the RPS, as well as
Limiting Conditions for Operation (LCOs) on other reactor system parameters and equipment performance.
The LSSS, defined in this Specification as the Allowable
Value, in conjunction with the LCOs, establish es the threshold for protective system action to prevent exceeding
acceptable limits during Design Basis Accidents (DBAs).
During AOOs, which are those events expected to occur one or
more times during the plant life, the acceptable limits are:
- The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value to
prevent departure from nucleate boiling;
- Fuel centerline melting shall not occur; and
- The Reactor Coolant System (RCS) pressure SL of 2750 psia shall not be exceeded.
Maintaining the parameters within the above values ensures that the offsite dose will be within Reference 2 , 10 CFR Parts 50 and 100, criteria during AOOs.
Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be
maintained within the acceptance criteria given in the Reference 1, Chapter 14.
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-2 Revision 2 The RPS is segmented into four interconnected modules.
These modules are:
- Measurement channels;
- Bistable trip units;
- RPS l ogic; and
- Reactor trip circuit breakers (RTCBs).
This LCO addresses measurement channels and bistable trip units. It also addresses the automatic bypass removal
channel for those trips with operating bypasses. The RPS
l ogic and RTCBs are addressed in LCO 3.3.3
.
An instrument channel consists of the m easurement c hannel and bistable trip unit for one channel of one Function.
The role of each of these modules in the RPS, including
those associated with the logic and RTCBs, is discussed
below.
Measurement Channels Measurement channels, consisting of field transmitters or
process sensors and associated instrumentation, provide a
measurable electronic signal based upon the physical
characteristics of the parameter being measured.
The Power Range excore nuclear instrumentation drawers, Thermal Margin/Low Pressure (TM/LP) trip calculators, and Axial Power Distribution (APD) trip calculators, are considered components in the measurement channels. The
power range nuclear instruments (NIs) provide average power
and subchannel deviation signals. The wide range NIs
provide a Rate of Change of Power-High t rip. Two decades of overlap are provided between the power range NIs and the
wide range NIs. Three RPS trip functions use a power level designated as Q power as an input. Q power is the higher of NI power and primary calorimetric power (T power) based on RCS hot leg and cold leg temperatures. Trip functions using Q power as an input include the Power Level-High, TM/LP, and
the APD trips.
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-3 Revision 2 The TM/LP and APD trip calculators provide the complex signal processing necessary to calculate the TM/LP trip setpoint, Asymmetric Steam Generator Transient (ASGT) trip
setpoint, APD trip setpoint, Power Level-High trip setpoint, and Q power calculation.
The excore NI drawers (wide range and power range) and the TM/LP and APD trip calculators are mounted in the RPS cabinet, with one channel of each in each of the four RPS
bays.
Four measurement channels with electrical and physical
separation are provided for each parameter used in the
direct generation of trip signals. These are designated
C hannels A through D. Measurement channels provide input to one or more RPS bistables within the same RPS channel. In
addition, some measurement channels may also be used as
inputs to Engineered Safety Features Actuation System (ESFAS) sensor modules, and most provide indication in the
C ontrol R oom. Measurement channels used as an input to the RPS are never used for control functions.
When a measurement channel monitoring a parameter exceeds a
predetermined setpoint, indicating an unsafe condition, the
bistable in the bistable trip unit monitoring the parameter
in that measurement channel will trip. Tripping two or more
bistable trip units monitoring the same parameter
de-energizes m atrix l ogic, which in turn de-energizes the t rip p ath l ogic. This causes all eight RTCBs to open, interrupting power to the control element assemblies (CEAs),
allowing them to fall into the core.
Three of the four instrument channels are necessary to meet
the redundancy and testability as described in Reference 1 , Appendix 1C. The fourth channel provides additional flexibility by allowing one channel to be removed from
service (trip bypass) for maintenance or testing
, while still maintaining a minimum two-out-of-three logic. Thus, even with a channel inoperable, no single additional failure
in the RPS can either cause an inadvertent trip or prevent a
required trip from occurring.
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-4 Revision 2 Since no single failure will either cause or prevent a protective system actuation, and no protective channel feeds
a control channel, this arrangement meets the requirements
of Reference 1, Section 7.2.2 and Reference 3
. Many of the RPS Function trips are generated by comparing a single measurement to a fixed bistable setpoint. Certain Functions, however, make use of more than one measurement to
provide a trip. The following trips use multiple
measurement channel inputs:
- Steam Generator Level-Low Trip This trip uses the lower of the two steam generator levels as an input to a common bistable.
- Steam Generator Pressure-Low Trip This trip uses the lower of the two steam generator pressures as an input to a common bistable.
- Power Level-High Trip The Power Level-High trip uses Q power as its only input. Q power is the higher of NI power and T power. Q power has a trip setpoint that tracks power levels downward so that the trip setpoint is always
within a fixed increment above current power, subject
to a minimum value.
On power increases, the trip setpoint remains fixed unless manually reset, at which point the trip setpoint
increases to the new setpoint, which is a fixed
increment above Q power at the time of reset, and the
trip setpoint is subject to a maximum value. Thus, during power escalation, the trip setpoint must be
repeatedly reset to avoid a reactor trip.
- TM/LP and ASGT Trip Q power is only one of several inputs to the TM/LP trip. Other inputs include internal AXIAL SHAPE INDEX (ASI) and cold leg temperature based on the higher of two cold leg resistance temperature detectors. The
TM/LP trip setpoint is a complex function of these RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-5 Revision 2 inputs and represents a minimum acceptable RCS pressure to be compared to actual RCS pressure in the TM/LP trip
unit.
Steam generator pressure is also an indirect input to the TM/LP trip via the ASGT. This Function provides a reactor trip when the secondary pressure in either steam generator exceeds that of the other generator by
greater than a fixed amount. The trip is implemented
by biasing the TM/LP trip setpoint upward so as to
ensure TM/LP trip if an ASGT is detected.
- APD-High Trip Q power and subchannel deviation are inputs to the APD trip. The APD trip setpoint is a function of Q power, being more restrictive at higher power levels. It
provides a reactor trip if actual ASI exceeds the APD
trip setpoint.
Bistable Trip Units Bistable trip units, mounted in the RPS cabinet, receive an
analog input from the measurement channels, compare the
analog input to trip setpoints, and provide contact output
to the matrix logic. They also provide local trip indication and remote annunciation.
There are four channels of bistable trip units, designated
A through D, for each RPS Function, one for each measurement
channel. Bistable output relays de-energize when a trip
occurs.
The contacts from these bistable relays are arranged into six coincidence matrices, comprising the matrix logic. If bistables monitoring the same parameter in at least two bistable trip unit channels trip, the matrix logic will generate a reactor trip (two-out-of-four logic).
Some of the RPS measurement channels provide contact outputs
to the RPS, so the comparison of an analog input to a trip
setpoint is not necessary. In these cases, the bistable
trip unit is replaced with an auxiliary trip unit. The
auxiliary trip units provide contact multiplication so the RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-6 Revision 12 single input contact opening can provide multiple contact outputs to the matrix logic, as well as trip indication and
annunciation.
Trip Functions employing auxiliary trip units include the
Loss of Load trip and the APD trip.
The APD trip, described above, is a complex function in
which the actual trip comparison is performed within the APD
calculator. Therefore the APD trip unit employs a contact
input from the APD calculator.
All RPS trips, with the exception of the Loss of Load trip, generate a pretrip alarm as the trip setpoint is approached.
The trip setpoints used in the bistable trip units are based on the analytical limits stated in Reference 1, Chapter 14, except for the APD and Loss of Load Functions, which are not
credited in safety analyses. The selection of these trip
setpoints is such that adequate protection is provided when
all sensor and processing time delays are taken into account
in the respective analytical limits. To allow for
calibration tolerances, instrumentation uncertainties, instrument channel drift, and severe environment errors (for
those RPS channels that must function in harsh environments, as defined by Reference 2, 10 CFR 50.49) RPS trip setpoints
are conservatively adjusted with respect to the analytical
limits. In the case of the TM/LP trip, there is also an additional adjustment for cold leg temperature differences.
A detailed description of the methodology used to calculate
the trip setpoints, including their explicit uncertainties, is provided in Reference 4. The nominal trip setpoint
entered into the bistable is more conservative than that
specified by the Allowable Value. A channel is inoperable if its actual setpoint is not within its required Allowable Value.
Setpoints in accordance with the Allowable Value will ensure
that SLs of Chapter 2.0 are not violated during AOOs and the
consequences of DBAs will be acceptable, providing the plant
is operated from within the LCOs at the onset of the AOO or
DBA and the equipment functions as designed.
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-7 Revision 12 Note that in the accompanying LCO 3.3.1, the Allowable Values of Table 3.3.1-1 are the LSSS.
RPS Logic The RPS logic, addressed in LCO 3.3.3, consists of both
matrix and trip path logic and employs a scheme that provides a reactor trip when bistables in any two of the four channels sense the same input parameter trip signal.
This is called a two-out-of-four trip logic. This logic and
the RTCB configuration are shown in Figure B 3.3.1-1.
Bistable relay contact outputs from the four bistable trip unit channels are configured into six logic matrices. Each
logic matrix checks for a coincident trip in the same
parameter in two bistable trip unit channels. The matrices
are designated the AB, AC, AD, BC, BD, and CD matrices to
reflect the bistable trip unit channels being monitored.
Each logic matrix contains four normally energized matrix
relays. When a coincidence is detected, consisting of a
trip in the same Function in the two channels being
monitored by the logic matrix, all four matrix relays
de-energize.
The logic matrix relay contacts are arranged into trip paths, with one of the four matrix relays in each matrix
opening contacts in one of the four trip paths. Each trip
path provides power to one of the four normally energized
RTCB control relays (K1, K2, K3, and K4). Thus, the trip
paths each have six contacts in series, one from each
matrix, performing a logical OR function by opening the RTCBs if any one or more of the six logic matrices indicate
a coincidence condition.
Each trip path is responsible for opening one set of two of the eight RTCBs. When de-energized, the RTCB control relays (K-relays) interrupt power to the breaker undervoltage trip
coils and simultaneously apply power to the shunt trip coils
on each of the two breakers. Actuation of either the
undervoltage or shunt trip coil is sufficient to open the
RTCB and interrupt power from the motor generator (MG) sets
to the control element drive mechanisms (CEDMs).
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-8 Revision 12 When a coincidence occurs in two RPS instrument channels from one Function, all four matrix relays in the affected
matrix de-energize. This, in turn, de-energizes all four
RTCB control relays, which simultaneously de-energize the
undervoltage and energize the shunt trip coils in all eight
RTCBs, tripping them open.
Matrix logic refers to the matrix power supplies, trip
channel bypass contacts, and interconnecting matrix wiring
between bistable and auxiliary trip units, up to but not
including the matrix relays. Contacts in the bistable and
auxiliary trip units are excluded from the matrix logic
definition, since they are addressed separately.
The trip path logic consists of the trip path power source, matrix relays and their associated contacts, and all
interconnecting wiring through the K-relay contacts in the
RTCB control circuitry.
It is possible to change the two-out-of-four RPS logic to a two-out-of-three logic for a given input parameter, in one
channel at a time, by trip bypassing select portions of the
matrix logic. Trip bypassing a bistable trip unit
effectively shorts the bistable relay contacts in the three
matrices associated with that instrument channel. Thus, the
bistables will function normally, producing normal trip
indication and annunciation, but a reactor trip will not
occur unless two additional instrument channels indicate a
trip condition. Trip bypassing can be simultaneously
performed on any number of parameters in any number of
Functions, providing each parameter is bypassed in only one
instrument channel per function at a time. Administrative
controls prevent simultaneous trip bypassing of the same
parameter in more than one instrument channel. Trip bypassing is normally employed during maintenance or testing.
In addition to the trip bypasses, there are also operating bypasses on select RPS trips. Some of these operating
bypasses are enabled manually, others automatically, in all
four RPS instrument channels for a Function when plant
conditions do not warrant the specific trip function
protection. All operating bypasses are automatically RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-9 Revision 12 removed when enabling bypass conditions are no longer satisfied. Trip Functions with operating bypasses include
Rate of Change of Power-High, Reactor Coolant Flow-Low, Steam Generator Pressure-Low, APD-High, TM/LP, and Steam
Generator Pressure Difference trips. The Loss-of-Load, Rate
of Change of Power-High, and APD-High trips' operating bypasses are automatically enabled and disabled.
RTCBs The reactor trip switchgear, addressed in LCO 3.3.3 and
shown in Figure B 3.3.1-1, consists of eight RTCBs, which
are operated in four sets of two breakers (four RTCB
channels, including shunt trip coils and undervoltage
coils). Power input to the reactor trip switchgear comes
from two full capacity MG sets operated in parallel such
that the loss of either MG set does not de-energize the
CEDMs. There are two separate CEDM power supply buses, each
bus powering half of the CEDMs. Power is supplied from the
MG sets to each bus via two redundant trip paths. This
ensures that a fault or the opening of a breaker in one trip
path (i.e., for testing purposes) will not interrupt power
to the CEDM buses.
Each of the four trip paths consists of two RTCBs in series.
The two RTCBs within a trip path are actuated by separate
trip paths.
The eight RTCBs are operated as four sets of two breakers (four RTCB channels, including shunt trip coils and
undervoltage coils). Each set of two RTCBs is opened by the
same K-relay. This arrangement ensures that power is
interrupted to both CEDM buses, thus preventing trip of only
half of the CEAs (a half trip). Any one inoperable RTCB in
a RTCB channel (set of two breakers) will make the entire RTCB channel inoperable.
Each set of RTCBs is operated by either a manual trip push button or an RPS actuated K-relay. There are four manual
trip push buttons, arranged in two sets of two, as shown in
Figure B 3.3.1-1. Depressing both push buttons in either
set will result in a reactor trip.
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-10 Revision 12 When a manual trip is initiated using the control room push buttons, the RPS trip paths and K-relays are bypassed, and
the RTCB undervoltage and shunt trip coils are actuated
independent of the RPS.
A manual trip channel includes the push button and interconnecting wiring to both RTCBs necessary to actuate both the undervoltage and shunt trip coils but excludes the
K-relay contacts and their interconnecting wiring to the
RTCBs, which are considered part of the trip path logic.
Functional testing of the RPS instrument and logic channels, from bistable input through the opening of individual sets
of RTCBs, can be performed either at power or shutdown and
is normally performed on a quarterly basis. Reference 1, Section 7.2 explains RPS testing in more detail.
APPLICABLE Most of the analyzed accidents and transients can be SAFETY ANALYSES detected by one or more RPS Functions. The accident analysis contained in Reference 1, Chapter 14 takes credit
for most RPS trip Functions. Some Functions not
specifically credited in the accident analysis are part of
the Nuclear Regulatory Commission (NRC)-approved licensing
basis for the plant. These Functions may provide protection
for conditions that do not require dynamic transient
analysis to demonstrate Function performance. Other
Functions, such as the Loss of Load trip, are purely
equipment protective, and their use minimizes the potential
for equipment damage.
The specific safety analyses applicable to each protective Function are identified below: 1. Power Level-High Trip The Power Level-High trip provides reactor core protection against positive reactivity excursions that
are too rapid for a Pressurizer Pressure-High or TM/LP
trip to protect against. The following events require
Power Level-High trip protection:
- Uncontrolled CEA withdrawal event;
- Excess load; and
- CEA ejection event.
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-11 Revision 31 The first two events are AOOs, and fuel integrity is maintained. The third is an accident, and limited fuel damage may occur.
- 2. Rate of Change of Power-High Trip The Rate of Change of Power-High trip is used to trip the reactor when excore logarithmic power, measured by
the wide range logarithmic neutron flux monitors, indicates an excessive rate of change. The Rate of
Change of Power-High trip Function minimizes transients
for events such as a born dilution event, continuous
CEA withdrawal, or CEA ejection from subcritical
conditions. Because of this Function, such events are
assured of having much less severe consequences than
events initiated from critical conditions. The trip is
automatically bypassed when NUCLEAR INSTRUMENT POWER is
< 1E-4% RTP, when poor counting statistics may lead to
erroneous indication. It is also bypassed at
> 12% RTP, where other RPS trips provide protection
from these events.
The automatic bypass removal feature ensures that the Rate of Change of Power-High trip is enabled when reactor power is between 1E-4% and 12% RTP.
With the RTCBs open, the Rate of Change of Power-High trip is not required to be OPERABLE;
however, at least two wide range logarithmic neutron
flux monitor channels are required by LCO 3.3.12 to be
OPERABLE. Limiting Condition for Operation 3.3.12
ensures the wide range logarithmic neutron flux monitor
channels are available to detect and alert the operator
to a boron dilution event.
- 3. Reactor Coolant Flow-Low Trip The Reactor Coolant Flow-Low trip provides protection during the following events:
- Loss of RCS flow;
- Loss of non-emergency AC power; and
- Reactor coolant pump (RCP) seized rotor.
The loss of RCS flow and of non-emergency AC power events are AOOs where fuel integrity is maintained.
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-12 Revision 31 The RCP seized rotor is an accident where fuel damage may result.
- 4. Pressurizer Pressure-High Trip The Pressurizer Pressure-High trip, in conjunction with pressurizer safety valves and main steam safety valves, provides protection against overpressure conditions in the RCS during the following events:
- Loss of Load; and
- Feedwater Line Break (FWLB).
- 5. Containment Pressure-High Trip The Containment Pressure-High trip prevents exceeding the containment design pressure during certain loss of
coolant accidents (LOCAs) or FWLB accidents. It
ensures a reactor trip prior to, or concurrent with, a
LOCA, thus assisting the ESFAS in the event of a LOCA
or Main Steam Line Break (MSLB). Since these are
accidents, SLs may be violated. However, the
consequences of the accident will be acceptable.
- 6. Steam Generator Pressure-Low Trip The Steam Generator Pressure-Low trip provides protection against an excessive rate of heat extraction
from the steam generators, which would result in a
rapid uncontrolled cooldown of the RCS. This trip is
needed to shut down the reactor and assist the ESFAS in
the event of an MSLB. Since these are accidents, SLs
may be violated. However, the consequences of the
accident will be acceptable.
- 7. Steam Generator 1 and 2 Level-Low Trip The Steam Generator 1 Level-Low and Steam Generator 2 Level-Low trips are required for the loss of normal feedwater and ASGT events.
The Steam Generator Level-Low trip ensures that low DNBR, high local power density, and the RCS pressure
SLs are maintained during normal operation and AOOs, and, in conjunction with the ESFAS, the consequences of RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-13 Revision 31 the Feedwater System pipe break accident will be acceptable.
- 8. APD-High Trip The APD-High trip ensures that excessive axial peaking, such as that due to axial xenon oscillations, will not cause fuel damage. It ensures that neither a DNBR less than the SL, nor a peak linear heat rate that
corresponds to the temperature for fuel centerline
melting, will occur. This trip is the primary
protection against fuel centerline melting. While no
event specifically credits the Axial Flux Offset trip, the ASI limits established by this trip provide ASI
limits for safety and setpoint analyses.
- 9. Thermal Margin
- a. TM/LP Trip The TM/LP trip prevents exceeding the DNBR SL during AOOs and aids the ESFAS during certain
accidents. The following events require TM/LP
trip protection:
- RCS depressurization (inadvertent safety or power-operated relief valves opening);
- Steam generator tube rupture; and
- LOCA accident.
The first event is an AOOs, and fuel integrity is maintained. The second and third events are
accidents, and limited fuel damage may occur, although only the LOCA is expected to result in
fuel damage. The trip is initiated whenever the
RCS pressure signal drops below a minimum value (Pmin) or a computed value (Pvar) as described below, whichever is higher. The setpoint is a Function of Q power, ASI, and reactor inlet (cold leg) temperature.
The minimum value of reactor coolant flow rate, the maximum AZIMUTHAL POWER TILT (T q), and the maximum CEA deviation permitted for continuous
operation are assumed in the generation of this RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-14 Revision 31 trip signal. In addition, CEA group sequencing in accordance with LCO 3.1.7 is assumed. Finally, the maximum insertion of CEA banks that can occur
during any AOO prior to a Power Level-High trip is
assumed. b. ASGT The ASGT provides protection for those AOOs associated with secondary system malfunctions that result in asymmetric primary coolant temperatures.
The most limiting event is closure of a single
main steam isolation valve (MSIV). Asymmetric
Steam Generator Transient is provided by comparing
the secondary pressure in both steam generators in
the TM/LP trip calculator. If the pressure in
either exceeds that in the other by the trip
setpoint, a TM/LP trip will result.
- 10. Loss of Load The Loss of Load trip causes a trip when operating above 15% of RTP. This trip provides turbine
protection, reduces the severity of the ensuing
transient, and helps avoid the lifting of the main
steam safety valves during the ensuing transient, thus
extending the service life of these valves. No credit
was taken in the accident analyses for operation of
this trip. Its functional capability is required to
enhance overall plant equipment service life and
reliability.
Operating Bypasses The operating bypasses are addressed in footnotes to
Table 3.3.1-1. They are not otherwise addressed as specific
table entries.
The automatic bypass removal features must function as a
backup to manual actions for all trips credited in safety
analyses to ensure the trip Functions are not operationally
bypassed when the safety analysis assumes the Functions are
not bypassed. The RPS operating bypasses are:
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-15 Revision 31 Zero power mode bypass (ZPMB) removal of the TM/LP, ASGT, and reactor coolant low flow trips when NUCLEAR INSTRUMENT
POWER is < 1E-4% RTP. This bypass is manually enabled below
the specified setpoint to permit low power testing. The
wide range NI Level 1 bistable in the wide range drawer
provides a signal to auxiliary logic, which then permits manual bypassing below the setpoint and removes the bypass above the setpoint.
Power rate of change bypass removal The Rate of Change of Power-High trip is automatically bypassed at < 1E-4% RTP, as sensed by the wide range NI Level 1 bistable, and at
> 12% RTP by the linear range NI Level 1 bistable, mounted
in their respective NI drawers (Reference 5). Automatic
bypass removal is also effected by these bistables when
conditions are no longer satisfied.
The automatic bypass removal feature ensures that the Rate of Change of Power-High trip is enabled when reactor power is between 1E-4% and 12% RTP. Loss of Load and APD-High trip bypass removal The Loss of Load and APD-High trips are automatically bypassed when at
< 15% RTP as sensed by the linear range NI Level 1 bistable.
The bypass is automatically removed by this bistable above
the setpoint. This same bistable is used to bypass the Rate
of Change of Power-High trip.
Steam Generator Pressure-Low trip bypass removal. The Steam Generator Pressure-Low trip is manually enabled below the
pretrip setpoint. The permissive signal is removed, and the
bypass automatically removed, when the Steam Generator
Pressure-Low trip is above the pretrip setpoint.
The RPS instrumentation satisfies 10 CFR 50.36(c)(2)(ii), Criterion 3.
LCO The LCO requires all instrumentation performing an RPS
Function to be OPERABLE. Failure of any required portion of
the instrument channel renders the affected channel(s)
inoperable and reduces the reliability of the affected
Functions. The specific criteria for determining channel
OPERABILITY differ slightly between Functions. These RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-16 Revision 31 criteria are discussed on a Function-by-Function basis below.
Actions allow trip channel bypass of individual instrument
channels, but administrative controls prevent operation with
a second channel in the same Function bypassed. Plants are restricted to 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> in a trip bypass condition before either restoring the Function to four channel operation (two-out-of-four logic) or placing the channel in trip (one-out-of-three logic).
Only the Allowable Values are specified for each RPS trip
Function in the LCO. Nominal trip setpoints are established
for the Functions via the plant-specific procedures. The
nominal setpoints are selected to ensure the plant
parameters do not exceed the Allowable Value if the bistable
trip unit is performing as required. Operation with a trip
setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that
operation and testing are consistent with the assumptions of
the plant-specific setpoint calculations. Each nominal trip
setpoint is more conservative than the analytical limit
assumed in the safety analysis in order to account for
instrument channel uncertainties appropriate to the trip
Function. These uncertainties are defined in Reference 4.
The nominal trip setpoint entered into a bistable is more
conservative than that specified by the Allowable Value. A
channel is inoperable if its actual setpoint is not within
its required Allowable Value.
The following Bases for each trip Function identify the above RPS trip Function criteria items that are applicable
to establish the trip Function OPERABILITY.
- 1. Power Level-High Trip This LCO requires all four instrument channels of the Power Level-High trip to be OPERABLE in MODEs 1 and 2.
The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Power
Level-High trips during normal plant operations. The
Allowable Value is low enough for the system to RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-17 Revision 34 maintain a margin to unacceptable fuel cladding damage should a CEA ejection accident occur.
The Power Level-High trip setpoint is operator adjustable and can be set at a fixed increment above
the indicated THERMAL POWER level. Operator action is required to increase the trip setpoint as THERMAL POWER is increased. The trip setpoint is
automatically decreased as THERMAL POWER decreases.
The trip setpoint has a maximum and a minimum
setpoint.
Adding to this maximum value the possible variation in trip setpoint due to calibration and instrument
errors, the maximum actual steady state THERMAL POWER
level at which a trip would be actuated is 109% RTP, which is the value used in the safety analyses.
To account for these errors, the safety analysis minimum value is 40% RTP. The 10% step increase in
trip setpoint is a maximum value assumed in the safety
analysis. There is no uncertainty applied to the step
in the safety analyses.
- 2. Rate of Change of Power-High Trip This LCO requires four instrument channels of Rate of Change of Power-High trip to be OPERABLE in MODEs 1
and 2.
The high power rate of change trip serves as a backup to the administratively-enforced startup rate limit.
The accident analyses implicitly credit the trip as justification for not explicitly analyzing certain events initiated from subcritical conditions. For events initiated from critical conditions, the trip is not credited in the accident analyses
.
- 3. Reactor Coolant Flow-Low Trip This LCO requires four instrument channels of Reactor Coolant Flow-Low trip to be OPERABLE in MODEs 1 and 2.
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-18 Revision 34 The trip may be manually bypassed when NUCLEAR INSTRUMENT POWER falls below 1E-4% RTP. This operating bypass is part of the ZPMB circuitry, which also bypasses the TM/LP trip and provides a T power block signal to the Q power select logic. The ZPMB allows low power physics testing at reduced RCS temperatures and pressures. It also allows heatup and cooldown with shutdown CEAs withdrawn.
This trip is set high enough to maintain fuel integrity during a loss of flow condition. The
setting is low enough to allow for normal operating
fluctuations from offsite power. Reactor Coolant
System flow is maintained above design flow by
- 4. Pressurizer Pressure-High Trip This LCO requires four instrument channels of Pressurizer Pressure-High trip to be OPERABLE in
MODEs 1 and 2.
The Allowable Value is set high enough to allow for pressure increases in the RCS during normal operation (i.e., plant transients) not indicative of an abnormal
condition. The setting is below the lift setpoint of
the pressurizer safety valves and low enough to
initiate a reactor trip when an abnormal condition is
indicated. The analysis setpoint includes allowance
for harsh environment, where appropriate.
The Pressurizer Pressure-High trip concurrent with power-operated relief valve operation avoids
unnecessary operation of the pressurizer safety valves (Reference 5).
- 5. Containment Pressure-High Trip This LCO requires four instrument channels of Containment Pressure-High trip to be OPERABLE in MODEs 1 and 2.
The Allowable Value is high enough to allow for small pressure increases in Containment, expected during RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-19 Revision 34 normal operation (i.e., plant heatup) that are not indicative of an abnormal condition. The setting is
low enough to initiate a reactor trip to prevent
containment pressure from exceeding design pressure
following a DBA.
- 6. Steam Generator Pressure-Low Trip This LCO requires four instrument channels of Steam Generator Pressure-Low trip per steam generator to be OPERABLE in MODEs 1 and 2.
The Allowable Value is sufficiently below the full load operating value for steam pressure so as not to
interfere with normal plant operation, but still high
enough to provide the required protection in the event
of excessive steam demand. Since excessive steam
demand causes the RCS to cool down, resulting in
positive reactivity addition to the core in the
presence of a negative moderator temperature
coefficient, a reactor trip is required to offset that
effect.
The analysis setpoint value includes harsh environment uncertainties, where appropriate.
The Function may be manually bypassed as steam generator pressure is reduced during controlled plant
shutdowns. This operating bypass is permitted at a
preset steam generator pressure. The bypass, in
conjunction with the ZPMB, allows testing at low
temperatures and pressures, and heatup and cooldown
with the shutdown CEAs withdrawn. From a bypass
condition, the trip will be automatically reinstated
as steam generator pressure increases above the preset pressure.
- 7. Steam Generator Level-Low Trip This LCO requires four instrument channels of Steam Generator Level-Low per steam generator to be
OPERABLE in MODEs 1 and 2.
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-20 Revision 34 The Allowable Value is sufficiently below the normal operating level for the steam generators so as not to cause a reactor trip during normal plant operations.
The trip setpoint is high enough to ensure a reactor
trip signal is generated to prevent operation with the
steam generator water level below the minimum volume required for adequate heat removal capacity, and ensures that the pressure of the RCS will not exceed
its SL. The specified setpoint, in combination with
the Auxiliary Feedwater Actuation System (AFAS),
ensures that sufficient water inventory exists in both
steam generators to remove decay heat following a Loss
of Main Feedwater Flow event.
- 8. APD-High Trip This LCO requires four instrument channels of APD-High trip to be OPERABLE in MODE 1, NUCLEAR INSTRUMENT POWER 15% RTP.
The Allowable Value curve was derived from an analysis of many axial power shapes with allowances for
instrumentation inaccuracies and the uncertainty
associated with the excore to incore ASI relationship.
The APD-High trip is automatically bypassed at
< 15% RTP, as measured by the NIs, where it is not
required for reactor protection (Reference 5).
- 9. Thermal Margin
- a. TM/LP Trip This LCO requires four instrument channels of
TM/LP trip to be OPERABLE in MODEs 1 and 2.
The Allowable Value includes allowances for
equipment response time, measurement uncertainties, processing error, and a further allowance to compensate for the time delay
associated with providing effective termination
of the occurrence that exhibits the most rapid
decrease in margin to the SLs.
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-21 Revision 34 This trip may be manually bypassed when NUCLEAR INSTRUMENT POWER falls below 1E-4% RTP. This
operating bypass is part of the ZPMB circuitry, which also bypasses the Reactor Coolant Flow-Low trip and provides a T power block signal to the Q power select logic (Reference 5). The ZPMB allows low power physics testing at reduced RCS temperatures and pressures. It also allows
heatup and cooldown with shutdown CEAs
withdrawn.
- b. ASGT This LCO requires four instrument channels of
ASGT to be OPERABLE in MODEs 1 and 2.
The Allowable Value is high enough to avoid
trips caused by normal operation and minor
transients, but ensures DNBR protection in the
event of DBAs. The difference between the
Allowable Value and the analysis setpoint allows
for instrument uncertainty.
The trip may be manually bypassed when NUCLEAR INSTRUMENT POWER falls below 1E-4% RTP as part
of the ZPMB circuitry operating bypass. The
Steam Generator Pressure Difference is subject
to the ZPMB, since it is an input to the TM/LP
trip and is not required for protection at low
power levels (Reference 5).
- 10. Loss of Load The LCO requires four Loss of Load instrument channels to be OPERABLE in MODE 1, NUCLEAR INSTRUMENT POWER 15% RTP. The Loss of Load trip is automatically bypassed when NUCLEAR INSTRUMENT POWER falls below 15%, as measured by NIs, to allow loading the turbine.
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-22 Revision 34 Bypasses The LCO on automatic bypass removal features requires that the automatic bypass removal feature of all four operating
bypass channels be OPERABLE for each RPS Function with an
operating bypass in the MODEs addressed in the specific LCO
for each Function. All four automatic bypass removal features must be OPERABLE to ensure that none of the four RPS instrument channels are inadvertently bypassed.
The LCO applies to the automatic bypass removal feature
only. If the bypass channel is failed so as to prevent entering a bypass condition, operation may continue.
APPLICABILITY This LCO is applicable in accordance with Table 3.3.3-1.
Most RPS trip functions are required to be OPERABLE in
MODEs 1 and 2 because the reactor is critical in these
MODEs. The trips are designed to take the reactor
subcritical, maintaining the SLs during AOOs and assisting
the ESFAS in providing acceptable consequences during
accidents. Exceptions are addressed in footnotes to the
table. Exceptions to this APPLICABILITY are:
- The APD-High and Loss-of-Load trips are only applicable in MODE 1, NUCLEAR INSTRUMENT POWER 15% RTP because they are automatically bypassed at < 15% RTP, as
measured by NIs, where they are no longer needed.
- The Rate of Change of Power-High trip, RPS logic, RTCBs, and manual trip are also required in MODEs 3, 4, and 5, with the RTCBs closed, to provide protection for
boron dilution and CEA withdrawal events. The Rate of
Change of Power-High trip in these lower MODEs is addressed in LCO 3.3.2. The RPS logic in MODEs 1, 2, 3, 4, and 5 is addressed in LCO 3.3.3.
Most trip functions are not required to be OPERABLE in
MODEs 3, 4, and 5. In MODEs 3, 4, and 5, the emphasis is
placed on return to power events. The reactor is protected in these MODEs by ensuring adequate SHUTDOWN MARGIN (SDM).
ACTIONS The most common causes of instrument channel inoperability are outright failure or drift of the bistable trip unit or
measurement channel sufficient to exceed the tolerance
allowed by Reference 4. Typically, the drift is found to be RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-23 Revision 34 small which, at worst, results in a delay of actuation rather than a total loss of Function. This determination is
generally made during the performance of a CHANNEL
CALIBRATION when the process instrument is set up for
adjustment to bring it to within specification. Sensor
Drift could also be identified during the CHANNEL CHECKS.
CHANNEL FUNCTIONAL TESTs identify bistable trip unit drift.
If the trip setpoint is less conservative than the Allowable
Value in Table 3.3.1-1, the instrument channel is declared
inoperable immediately, and the appropriate Condition(s)
must be entered immediately.
In the event that either an instrument channel's trip
setpoint is found nonconservative with respect to the
Allowable Value or the transmitter, instrument loop, signal
processing electronics, RPS bistable trip unit, or
applicable automatic bypass removal feature when bypass is
in effect, is found inoperable, then all affected Functions
provided by that channel must be declared inoperable, and
the plant must enter the Condition for the particular
protection Function affected.
When the number of inoperable instrument channels in a trip Function exceeds that specified in any related Condition
associated with the same trip Function, the plant is outside
the safety analysis. Therefore, LCO 3.0.3 is immediately
entered, if applicable, in the current MODE of operation.
A Note has been added to the ACTIONS to clarify the application of the Completion Time rules. The Conditions of
this Specification may be entered independently for each
Function. The Completion Times of each inoperable Function
will be tracked separately for each Function, starting from
the time the Condition was entered.
A.1, A.2.1, and A.2.2 Condition A applies to the failure of a single instrument
channel in any RPS automatic trip Function. Reactor
Protective System coincidence logic is normally
two-out-of-four.
If one RPS bistable trip unit or associated measurement
channel is inoperable, startup or power operation is allowed RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-24 Revision 34 to continue, providing the inoperable bistable trip unit is placed in bypass or trip within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required
Action A.1).
The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allotted to restore, bypass, or trip the instrument channel is sufficient to allow the operator to take all appropriate actions for the failed channel, while ensuring that the risk involved in operating
with the failed channel is acceptable.
The failed instrument channel is restored to OPERABLE status
or is placed in trip within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> (Required Action A.2.1
or Required Action A.2.2). Required Action A.2.1 restores
the full capability of the Function.
Required Action A.2.2 places the Function in a one-out-of-three configuration. In this configuration, common cause failure of dependent channels cannot prevent a
trip.
The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is based on operating experience, which has demonstrated that a random failure of
a second instrument channel occurring during the 48-hour
period is a low probability event.
B.1 and B.2 Condition B applies to the failure of two instrument
channels in any RPS automatic trip Function.
Required Action B.1 provides for placing one inoperable
channel in bypass and the other channel in trip within the
Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This Completion Time is
sufficient to allow the operator to take all appropriate
actions for the failed channels, while ensuring that the risk involved in operating with the failed channels is acceptable. With one channel of protective instrumentation
bypassed, the RPS Function is in a two-out-of-three logic;
but with another channel failed, the RPS Function may be
operating in a two-out-of-two logic. This is outside the
assumptions made in the analyses and should be corrected.
To correct the problem, the second channel is placed in
trip. This places the RPS Function in a one-out-of-two RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-25 Revision 34 logic. If any of the other OPERABLE channels receives a trip signal, the reactor will trip.
One instrument channel should be restored to OPERABLE status
within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> for reasons similar to those stated under
Condition A. After one channel is restored to OPERABLE status, the provisions of Condition A still apply to the remaining inoperable channel. Therefore, the channel that
is still inoperable after completion of Required Action B.2
must be placed in trip if more than 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> have elapsed
since the initial channel failure.
C.1 and C.2 The excore detectors are used to generate the internal ASI
used as an input to the TM/LP and APD-High trips. Incore
detectors provide a more accurate measurement of ASI. If
one or more excore channels cannot be calibrated to match
incore detectors, power is restricted or reduced during
subsequent operations because of increased uncertainty
associated with using uncalibrated excore channels.
The Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is adequate to perform the Surveillance Requirement (SR) while minimizing the risk of
operating in an unsafe condition.
D.1, D.2.1, D.2.2.1, and D.2.2.2 Condition D applies to one automatic bypass removal feature
inoperable. If the automatic bypass removal feature for any
operating bypass channel cannot be restored to OPERABLE
status, the associated RPS channel may be considered
OPERABLE only if the bypass is not in effect. Otherwise, the affected RPS channel must be declared inoperable, as in
Condition A, and the bypass either removed or the automatic
bypass removal feature repaired. The Bases for Required Actions and Completion Times are the same as discussed for Condition A.
E.1, E.2.1, and E.2.2 Condition E applies to two inoperable automatic bypass
removal features. If the automatic bypass removal features
cannot be restored to OPERABLE status, the associated RPS
channel may be considered OPERABLE only if the bypasses are RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-26 Revision 34 not in effect. Otherwise, the affected RPS channels must be declared inoperable, as in Condition B, and the bypasses
either removed or the automatic bypass removal features
repaired. Also, Required Action E.2.2 provides for the
restoration of the one affected RPS channel to OPERABLE
status within the rules of Completion Time specified under Condition B. Completion Times are consistent with Condition B.
F.1 Condition F is entered when the Required Action and
associated Completion Time of Condition A, B, C, D, or E are
not met for the APD-High trip and Loss-of-Load trip
Functions.
If the Required Actions associated with these Conditions
cannot be completed within the required Completion Times, the reactor must be brought to a MODE in which the Required
Actions do not apply. The allowed Completion Time of
6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to reduce THERMAL POWER to < 15% RTP is reasonable, based on operating experience, to decrease power to < 15%
RTP from full power conditions in an orderly manner and
without challenging plant systems.
G.1 Condition G is entered when the Required Action and
associated Completion Time of Condition A, B, C, D, or E are
not met except for the APD-High trip and Loss-of-Load trip
Functions.
If the Required Actions associated with these Conditions
cannot be completed within the required Completion Times, the reactor must be brought to a MODE in which the Required
Actions do not apply. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to be in MODE 3 is reasonable, based on operating experience, for reaching the required MODE from full power
conditions in an orderly manner and without challenging plant systems.
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-27 Revision 34 SURVEILLANCE The SRs for any particular RPS Function are found in the SR REQUIREMENTS column of Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and
CHANNEL CALIBRATION.
SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that gross failure of instrumentation has not occurred. A
CHANNEL CHECK is normally a comparison of the parameter
indicated on one instrument channel to a similar parameter
on other channels. It is based on the assumption that
instrument channels monitoring the same parameter should
read approximately the same value. Significant deviations
between the two instrument channels could be an indication
of excessive instrument channel drift in one of the channels
or of something even more serious. CHANNEL CHECK will
detect gross channel failure; thus, it is key to verifying
that the instrumentation continues to operate properly
between each CHANNEL CALIBRATION.
Agreement criteria are determined by the plant staff based on a qualitative assessment of the instrument channel
combined with the instrument channel uncertainties, including indication and readability. If a channel is
outside the criteria, it may be an indication that the
transmitter or the signal processing equipment has drifted
outside its limits. CHANNEL CHECKS are performed on the
wide range logarithmic neutron flux monitor for the Rate of
Change of Power-High trip Function.
The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of instrument
channel failure. Since the probability of two random
failures in redundant channels in any 12-hour period is extremely low, the CHANNEL CHECK minimizes the chance of loss of RPS Function due to failure of redundant channels.
The CHANNEL CHECK supplements less formal, but more
frequent, checks of the channel during normal operational
use of the displays.
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-28 Revision 34 SR 3.3.1.2 A daily calibration (heat balance) is performed when THERMAL POWER is 15%. The daily calibration shall consist of adjusting the "nuclear power calibrate" potentiometers to agree with the calorimetric calculation if the absolute difference is > 1.5%. The "T power calibrate" potentiometers are then used to null the "nuclear power-T power" indicators on the RPS Calibration and Indication Panel. Performance of the daily calibration ensures that
the two inputs to the Q power measurement are indicating
accurately with respect to the much more accurate secondary
calorimetric calculation. The heat balance addresses
overall gain of the instruments and does not include ASI.
The Frequency of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is based on plant operating
experience and takes into account indications and alarms
located in the Control Room to detect deviations in channel
outputs. The Frequency is modified by a Note indicating
that once the unit reaches 15% RTP, 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is the maximum
time allowed for completing this Surveillance. The
secondary calorimetric is inaccurate at lower power levels.
The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allows time for plant stabilization, data-
taking, and instrument calibration.
A second Note indicates the daily calibration may be
suspended during PHYSICS TESTS. This ensures that
calibration is proper both preceding and following physics
testing at each plateau, recognizing that during testing, changes in power distribution and RCS temperature may render
the calibration inaccurate.
SR 3.3.1.3 It is necessary to calibrate the excore power range channel
upper and lower subchannel amplifiers such that the internal
ASI used in the TM/LP trip and APD-High trip Functions reflects the true core power distribution as determined by the incore detectors. A Note indicates that once the unit
reaches 20% RTP, 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is the maximum time allowed for
completion of this Surveillance. The Surveillance is
required to be performed prior to operation above 90% RTP.
Uncertainties in the excore and incore measurement process
make it impractical to calibrate when THERMAL POWER is RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-29 Revision 36
< 20% RTP. The Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allows time for plant stabilization, data-taking, and instrument
calibration. The Frequency requires the SR be performed
every 31 days after the initial performance prior to
operation above 90% RTP. Requiring the SR prior to
operations above 90% RTP is because of the increased uncertainties associated with using uncalibrated excore detectors. If the excore channels are not properly
calibrated to agree with the incore detectors, power is
restricted during subsequent operations because of increased
uncertainty associated with using uncalibrated excore
channels. The 31-day Frequency is adequate, based on
operating experience of the excore linear amplifiers and the
slow burnup of the detectors. The excore readings are a
strong function of the power produced in the peripheral fuel
bundles and do not represent an integrated reading across
the core. Slow changes in neutron flux during the fuel
cycle can also be detected at this Frequency.
SR 3.3.1.4 A CHANNEL FUNCTIONAL TEST is performed on each RPS
instrument channel, except Loss of Load and Rate of Change
of Power, every 92 days to ensure the entire channel will
perform its intended function when needed.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
In addition to reference voltage power supply tests, the RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in Reference 1, Section 7.2. These tests
verify that the RPS is capable of performing its intended
function, from bistable input through the RTCBs. They
include: Bistable Tests The bistable setpoint must be found to trip within the
Allowable Values specified in the LCO and left set RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-30 Revision 36 consistent with the assumptions of Reference 4. As-found values must also be recorded and reviewed for consistency
with the assumptions of the frequency extension analysis.
The requirements for this review are outlined in
Reference 8.
A test signal is substituted as the input in one instrument channel at a time to verify that the bistable trip unit
trips within the specified tolerance around the setpoint.
This is done with the affected RPS channel bistable trip
unit bypassed. Any setpoint adjustment shall be consistent
with the assumptions of Reference 4.
Matrix Logic Tests Matrix logic tests are addressed in LCO 3.3.3. This test is
performed one matrix at a time. It verifies that a
coincidence in the two instrument channels for each Function
removes power from the matrix relays. During testing, power
is applied to the matrix relay test coils and prevents the
matrix relay contacts from assuming their de-energized
state. This test will detect any short circuits around the
bistable contacts in the coincidence logic, such as may be
caused by faulty bistable relay or trip bypass contacts.
Trip Path Tests Trip path logic tests are addressed in LCO 3.3.3. These
tests are similar to the matrix logic tests, except that
test power is withheld from one matrix relay at a time, allowing the trip path circuit to de-energize, opening the
affected set of RTCBs. The RTCBs must then be closed prior
to testing the other three trip path circuits, or a reactor
trip may result.
The Frequency of 92 days is based on the reliability analysis presented in Reference 6.
SR 3.3.1.5 A CHANNEL CALIBRATION of the excore power range channels
every 92 days ensures that the channels are reading
accurately and within tolerance. The SR verifies that the
channel responds to a measured parameter within the
necessary range and accuracy. CHANNEL CALIBRATION leaves RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-31 Revision 36 the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains
operational between successive tests. CHANNEL CALIBRATIONS
must be performed consistent with the plant-specific SRs.
The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the Frequency extension analysis. The requirements for this
review are outlined in Reference 8.
A Note is added stating that the neutron detectors are
excluded from CHANNEL CALIBRATION because they are passive
devices with minimal drift and because of the difficulty of
simulating a meaningful signal (Reference 7). Slow changes
in detector sensitivity are compensated for by performing
the daily calorimetric calibration (SR 3.3.1.2) and the
monthly linear subchannel gain check (SR 3.3.1.3). In
addition, associated control room indications are
continuously monitored by the operators.
The Frequency of 92 days is acceptable, based on plant operating experience, and takes into account indications and
alarms available to the operator in the Control Room.
SR 3.3.1.6 A CHANNEL FUNCTIONAL TEST on the Loss of Load, and Rate of
Change of Power channels is performed prior to a reactor
startup to ensure the entire channel will perform its
intended function if required.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
The Loss of Load sensor cannot be tested during reactor operation
without causing reactor trip. The Power Rate of Change-High
trip Function is required during startup operation and is
bypassed when shut down or > 12% RTP.
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-32 Revision 36 SR 3.3.1.7 Surveillance Requirement 3.3.1.7 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.1.4, except SR 3.3.1.7 is applicable
only to Functions with automatic bypass removal features.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
Proper operation of operating bypasses are critical during plant startup because the bypasses must be
in place to allow startup operation and must be removed at
the appropriate points during power ascent to enable certain
reactor trips. A 24-month SR Frequency is adequate to
ensure proper automatic bypass removal feature operation as
described in Reference 5. Once the operating bypasses are
removed, the bypasses must not fail in such a way that the
associated trip Function gets inadvertently bypassed. This
feature is verified by the trip Function CHANNEL FUNCTIONAL
TEST, SR 3.3.1.4. Therefore, further testing of the
automatic bypass removal feature after startup is
unnecessary.
SR 3.3.1.8 Surveillance Requirement 3.3.1.8 is the performance of a
CHANNEL CALIBRATION every 24 months.
CHANNEL CALIBRATION is a check of the instrument channel, including the sensor. The SR verifies that the channel
responds to a measured parameter within the necessary range
and accuracy. CHANNEL CALIBRATION leaves the channel
adjusted to account for instrument channel drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS
must be performed consistent with Reference 4.
The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the
frequency extension analysis. The requirements for this
review are outlined in Reference 6.
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-33 Revision 36 The Frequency is based upon the assumption of a 24-month
calibration interval for the determination of the magnitude
of equipment drift.
The SR is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift, and because of the
difficulty of simulating a meaningful signal. Slow changes
in detector sensitivity are compensated for by performing
the daily calorimetric calibration (SR 3.3.1.2) and the
monthly linear subchannel gain check (SR 3.3.1.3).
SR 3.3.1.9 This SR ensures that the RPS RESPONSE TIMES are verified to
be less than or equal to the maximum values assumed in the
safety analysis. Individual component response times are
not modeled in the analyses. The analyses model the overall
or total elapsed time from the point at which the parameter
exceeds the trip setpoint value at the sensor to the point
at which the RTCBs open. Response times are conducted on a
24-month STAGGERED TEST BASIS. Response time testing
acceptance criteria are included in Reference 1, Section 7.2. This results in the interval between
successive SRs of a given channel of n x 24 months, where n
is the number of channels in the function. The Frequency of
24 months is based upon operating experience, which has
shown that random failures of instrumentation components
causing serious response time degradation, but not channel
failure, are infrequent occurrences. Also, response times
cannot be determined at power since equipment operation is
required. Testing may be performed in one measurement or in
overlapping segments, with verification that all components
are tested.
Response time may be verified by any series of sequential, overlapping or total channel measurements, including
allocated sensor response time, such that the response time
is verified. Allocations for sensor response times may be
obtained from records of test results, vendor test data, or
vendor engineering specifications. Reference 9 provides the
basis and methodology for using allocated sensor response
times in the overall verification of the channel response RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-34 Revision 36 time for specific sensors identified in the reference.
Response time verification for other sensor types must be
demonstrated by test. The allocation of sensor response
times must be verified prior to placing a new component in
operation and reverified after maintenance that may
adversely affect the sensor response time.
Instrument loop or test cables and wiring add an
insignificant response time and can be ignored.
A Note is added to indicate that the neutron detectors are
excluded from RPS RESPONSE TIME testing because they are
passive devices with minimum drift, and because of the
difficulty of simulating a meaningful signal. Slow changes
in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.3).
REFERENCES 1. Updated Final Safety Analysis Report
- 2. Title 10 Code of Federal Regulations
- 3. Institute of Electrical and Electronic Engineers (IEEE)
No. 279, "Proposed IEEE Criteria for Nuclear Power Plant Protection Systems," August 1968 4. CCNPP Setpoint File 5. Letter from Mr. R. E. Denton (BGE) to NRC Document Control Desk, dated June 5, 1995, "Response to NRC Request for Review & Comment on Review of Preliminary
Accident Precursor Analysis of Trip; Loss of 13.8 kV
Bus; Short-Term Saltwater Cooling System
Unavailability, CCNPP Unit 2" 6. Combustion Engineering Topical Report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" dated
June 2, 1986, including Supplement 1, March 3, 1989 7. Letter from Mr. D. G. McDonald (NRC) to Mr. R. E. Denton (BGE), dated October 19, 1995, "Issuance of Amendments for Calvert Cliffs Nuclear
Power Plant, Unit No. 1 (TAC No. M92479) and Unit No. 2 (TAC No. M92480) 8. Calvert Cliffs Procedure EN-4-104, "Surveillance Testing" RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-35 Revision 36
- 9. Combustion Engineering Owners Group Topical Report CE NPSD 1167-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements", July 3, 2000
RPS Instrumentation-Operating B 3.3.1 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-36 Revision 36
Figure B 3.3.1-1 Functional Diagram of the Two-Out-of-Four Logic and RTCB Configuration
RPS Instrumentation-Shutdown B 3.3.2 B 3.3 INSTRUMENTATION B 3.3.2 Reactor Protective System (RPS) Instrumentation-Shutdown
BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-1 Revision 2 BACKGROUND The RPS initiates a reactor trip to protect against violating the core specified acceptable fuel design limits and reactor coolant pressure boundary integrity during AOOs. By tripping the reactor, the RPS also assists the ESF systems in mitigating accidents.
The protecti ve systems have been designed to ensure safe operation of the reactor. This is achieved by specifying LSSS in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and
equipment performance.
The LSSS, defined in this Specification as the Allowable
Value, in conjunction with the LCOs, establish the threshold
for protective system action to prevent exceeding acceptable
limits during DBAs.
During AOOs, which are those events expected to occur one or
more times during the plant life, the acceptable limits are:
- Fuel centerline melting shall not occur; and
Maintaining the parameters within the above values ensures
that the offsite dose will be within the Reference 1 criteria during AOOs.
Accidents are events that are analyzed even though they are
not expected to occur during the plant life. The acceptable
limit during accidents is that the offsite dose shall be
maintained within the acceptance criteria given in Reference 2
.
Meeting the acceptable dose limit for an accident category
is considered having acceptable consequences for that event.
RPS Instrumentation-Shutdown B 3.3.2 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-2 Revision 2 The RPS is segmented into four interconnected modules.
These modules are:
- Measurement channels;
- Bistable trip units;
- RPS l ogic; and
- R TCBs.
This LCO applies only to the Rate of Change of Power-High
trip Functions and associated instrument channels in
MODEs 3, 4, and 5 with any of the RTCBs closed and any CEA capable of being withdrawn. In MODEs 1 and 2, this trip Function is addressed in LCO 3.3.1. Limiting Condition for Operation 3.3.12 applies when the RTCBs are open or CEDM System is not capable of CEA withdrawal. In the case of
LCO 3.3.12, the wide range logarithmic neutron flux channels
are required for monitoring neutron flux, although the trip
Function is not required.
Measurement Channels and Bistable Trip Units The measurement channels providing input to the Rate of
Change of Power-High trip Function consist of wide range NI channels using neutron flux leakage from the reactor vessel.
Other aspects of the Rate of Change of Power-High trip are
similar to the other RPS measurement channels and bistable
trip units. These are addressed in the Background section of LCO 3.3.1.
APPLICABLE Most of the analyzed accidents and transients can be SAFETY ANALYSES detected by one or more RPS Functions. The accident analysis contained in Reference 2 takes credit for most RPS
trip Functions. Some Functions not specifically credited in
the accident analysis were qualitatively credited in the
safety analysis and the NRC staff-approved licensing basis for the plant. These Functions may provide protection for
conditions that do not require dynamic transient analysis to
demonstrate Function performance. Other Functions, such as
the Loss of Load trip, are purely equipment protective, and
their use minimizes the potential for equipment damage.
RPS Instrumentation-Shutdown B 3.3.2 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-3 Revision 31 The Rate of Change of Power-High trip is used to trip the reactor when excore wide range power indicates an excessive
rate of change.
The Rate of Change of Power-High trip serves as a backup to
the administratively-enforced startup rate limit.
The Rate of Change of Power-High trip Function minimizes
transients for events such as a continuous CEA withdrawal or
a boron dilution event from low power levels. The Rate of
Change of Power-High trip is automatically bypassed at
< 1E-4% RTP, as sensed by the wide range NI flux trip bistable, when poor counting statistics may lead to
erroneous indication. It is also bypassed at
> 12% RTP, where moderator temperature coefficient and fuel temperature coefficient make high rate of change of power unlikely.
This bypass is effected by the power range NI Level 1
bistable. Automatic bypass removal is also effected by
these bistables.
The automatic bypass removal feature ensures that the Rate of Change of Power-High trip is enabled when reactor power is between 1E-4% and 12% RTP.
With the RTCBs open, the Rate of Change of Power-High trip
is not required to be OPERABLE; however, the indication and
alarm Functions of at least two wide range channels are
required to be OPERABLE. Limiting Condition for
Operation 3.3.12 ensures the wide range channels are
available to detect and alert the operator to a boron
dilution event, when LCOs 3.3.1 and 3.3.2 are not
applicable.
The RPS instrumentation satisfies 10 CFR 50.36(c)(2)(ii), Criterion 3.
LCO The LCO requires all instrumentation performing an RPS
Function to be OPERABLE. Failure of any required portion of
the instrument channel renders the affected channel(s)
inoperable and reduces the reliability of the affected
Functions.
Actions allow trip bypass of individual instrument channels, but administrative controls prevent operation with a second
channel in the same Function bypassed. Plants are in a trip
bypass condition before either restoring the Function to RPS Instrumentation-Shutdown B 3.3.2 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-4 Revision 31 four channel operation (two-out-of-four logic) or placing the channel in trip (one-out-of-three logic).
This LCO requires four instrument channels and automatic
bypass removal features of Rate of Change of Power-High trip
to be OPERABLE in MODEs 3, 4, and 5, when the RTCBs are closed and the CEDM System is capable of CEA withdrawal.
MODE 1 and 2 requirements are addressed in LCO 3.3.1. This
trip is not credited in the safety analysis. Therefore, the Allowable Value is not derived from an analytical limit.
APPLICABILITY This LCO is applicable to the Rate of Change of Power-High trip in MODEs 3, 4, and 5. MODEs 1 and 2 are addressed in
The power rate of change trip is required in MODEs 3, 4, and 5, with the RTCBs closed and a CEA capable of being
withdrawn to provide backup protection for boron dilution
and CEA withdrawal events. The power rate of change trip is
not credited in the safety analysis, but is part of the NRC-
approved licensing basis for the plant.
The power rate of change trip has operating bypasses discussed in the LCO section. In MODEs 3, 4, and 5, the
emphasis is placed on return to power events. The reactor is protected in these MODEs by ensuring adequate SDM.
ACTIONS The most common causes of instrument channel inoperability are outright failure or drift of the bistable trip unit or
measurement channel sufficient to exceed the tolerance
allowed by Reference 3. Typically, the drift is found to be
small, which at worst results in a delay of actuation rather
than a total loss of Function. This determination is
generally made during the performance of a CHANNEL
CALIBRATION when the process instrument is set up for
adjustment to bring it to within specification. Sensor
drift could also be identified during the CHANNEL CHECKS.
CHANNEL FUNCTIONAL TESTS identify bistable trip unit drift.
If the trip setpoint is less conservative than the Allowable
Value in Table 3.3.1-1, the instrument channel is declared
inoperable immediately, and the appropriate Condition(s)
must be entered immediately.
RPS Instrumentation-Shutdown B 3.3.2 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-5 Revision 31 In the event that either an instrument channel's trip setpoint is found nonconservative with respect to the
Allowable Value, or the transmitter, instrument loop, signal
processing electronics, RPS bistable trip unit, or automatic
bypass removal feature when bypass is in effect, is found
inoperable, then the Rate of Change of Power-High trip Function provided by that instrument channel must be declared inoperable and the plant must enter the Condition
for the particular RPS Function affected.
A.1, A.2.1, and A.2.2 Condition A applies to the failure of a single instrument
channel of the Rate of Change of Power-High trip RPS
automatic trip Function.
Reactor Protective System coincidence logic is normally
two-out-of-four. If one RPS bistable trip unit or
associated measurement channel is inoperable, startup or
power operation is allowed to continue, providing the
inoperable bistable trip unit is placed in bypass or trip
within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action A.1).
The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allotted to restore, bypass, or trip the instrument channel is sufficient to allow the
operator to take all appropriate actions for the failed
channel, while ensuring that the risk involved in operating
with the failed channel is acceptable.
The failed instrument channel is restored to OPERABLE status or is placed in trip within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> (Required Action A.2.1
or Required Action A.2.2). Required Action A.2.1 restores
the full capability of the Function. Required Action A.2.2
places the Function in a one-out-of-three coincidence logic.
In this coincidence logic, common cause failure of dependent channels cannot prevent trip.
The 48-hour Completion Time is based on operating experience, which has demonstrated that a random failure of
a second instrument channel occurring during the 48-hour
period is a low probability event.
RPS Instrumentation-Shutdown B 3.3.2 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-6 Revision 31 B.1 and B.2 Condition B applies to the failure of two instrument channels in the Rate of Change of Power-High trip RPS
automatic trip Function.
Required Action B.1 provides for placing one inoperable instrument channel in bypass and the other channel in trip within the Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This Completion Time
is sufficient to allow the operator to take all appropriate
actions for the failed channels, while ensuring the risk
involved in operating with the failed channels is
acceptable. With one instrument channel bypassed, the RPS
Function is in a two-out-of-three logic; but with another
channel failed, the RPS Function may be operating in a
two-out-of-two logic. This is outside the assumptions made
in the analyses and should be corrected. To correct the
problem, the second channel is placed in trip. This places
the RPS Function in a one-out-of-two logic. If any of the
other OPERABLE channels receives a trip signal, the reactor
will trip.
The bypassed instrument channel should be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> for reasons similar to those
stated under Condition A. After one channel is restored to
OPERABLE status, the provisions of Condition A still apply
to the remaining inoperable channel. Therefore, the channel
that is still inoperable after completion of Required
Action B.2 shall be placed in trip if more than 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />
have elapsed since the initial channel failure.
C.1, C.2.1, C.2.2.1, and C.2.2.2 Condition C applies to one automatic bypass removal feature
inoperable. If the automatic bypass removal feature cannot
be restored to OPERABLE status, the associated Rate of Change of Power-High trip RPS channel may be considered OPERABLE only if the bypass is not in effect. Otherwise, the affected RPS channel must be declared inoperable, as in
Condition A, and the bypass either removed or the automatic
bypass removal feature repaired. The Bases for the Required
Actions and Completion Times are the same as discussed for
Condition A.
RPS Instrumentation-Shutdown B 3.3.2 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-7 Revision 31 D.1, D.2.1, and D.2.2 Condition D applies to two inoperable automatic bypass removal features. If the automatic bypass removal features
cannot be restored to OPERABLE status, the associated Rate
of Change of Power-High trip RPS channel may be considered
OPERABLE only if the bypasses are not in effect. Otherwise, the affected RPS channels must be declared inoperable, as in Condition B, and the bypasses either removed or the
automatic bypass removal features repaired. Also, Required
Action D.2.2 provides for the restoration of the one
affected automatic trip channel to OPERABLE status within
the rules of Completion Time specified under Condition B.
Completion Times are consistent with Condition B.
E.1 Condition E is entered when the Required Actions and
associated Completion Times of Condition A, B, C, or D are
not met.
If Required Actions associated with these Conditions cannot
be completed within the required Completion Time, opening
the RTCBs brings the reactor to a MODE where the LCO does
not apply and ensures no CEA withdrawal will occur. The
basis for the Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is that it is
adequate to complete the Required Actions without challenging plant systems.
SURVEILLANCE SR 3.3.2.1 REQUIREMENTS
Performance of the CHANNEL CHECK on each wide range channel once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is
normally a comparison of the parameter indicated on one
instrument channel to a similar parameter on another
channel. It is based on the assumption that instrument
channels monitoring the same parameter should read
approximately the same value. Significant deviations
between the two instrument channels could be an indication
of excessive instrument channel drift in one of the channels
or of something even more serious. CHANNEL CHECK will
detect gross channel failure; thus, it is key to verifying RPS Instrumentation-Shutdown B 3.3.2 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-8 Revision 36 that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
Agreement criteria are determined by the plant staff based
on a qualitative assessment of the instrument channel that
considers instrument channel uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the
transmitter or the signal processing equipment has drifted
outside its limits.
The Frequency, once every shift, is based on operating
experience that demonstrates the rarity of instrument
channel failure. Since the probability of two random
failures in redundant channels in any 12-hour period is
extremely low, the CHANNEL CHECK minimizes the chance of
loss of RPS Function due to failure of redundant channels.
The CHANNEL CHECK supplements less formal, but more
frequent, checks of the channel during normal operational
use of the displays.
SR 3.3.2.2 A CHANNEL FUNCTIONAL TEST on the power rate of change
channels is performed once within 7 days prior to each
reactor startup to ensure the entire instrument channel will
perform its intended function if required.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
The Rate of Change of Power-High trip Function is required during startup operation and is bypassed when shut down or
> 12% RTP. Additionally, operating experience has shown that these components usually pass the SR when performed at a Frequency of once within 7 days prior to each
reactor startup.
Only the Allowable Values are specified for each RPS trip
Function in the SR. Nominal trip setpoints are established
for the Functions via the plant-specific procedures. The RPS Instrumentation-Shutdown B 3.3.2 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-9 Revision 36 nominal setpoints are selected to ensure the plant parameters do not exceed the Allowable Value if the bistable
trip unit is performing as required. Operation with a trip
setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that
operation and testing are consistent with the assumptions of the plant-specific setpoint calculations. Each nominal trip setpoint is more conservative than the analytical limit
assumed in the safety analysis in order to account for
instrument channel uncertainties appropriate to the trip
Function. These uncertainties are defined in Reference 3.
SR 3.3.2.3 Surveillance Requirement 3.3.2.3 is a CHANNEL FUNCTIONAL
TEST similar to SR 3.3.2.2, except SR 3.3.2.3 is applicable
only to bypass Functions and is performed once every
24 months.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
Proper operation of operating bypasses is critical during
plant startup because the bypasses must be in place to allow
startup operation and must be removed at the appropriate
points during power ascent to enable certain reactor trips.
A 24-month SR Frequency is adequate to ensure proper
automatic bypass removal feature operation as described in
Reference 5. Once the operating bypasses are removed, the
bypasses must not fail in such a way that the associated
trip Function gets inadvertently bypassed. This feature is verified by SR 3.3.2.2. Therefore, further testing of the automatic bypass removal feature after startup is
unnecessary.
SR 3.3.2.4 Surveillance Requirement 3.3.2.4 is the performance of a
CHANNEL CALIBRATION every 24 months.
RPS Instrumentation-Shutdown B 3.3.2 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-10 Revision 36 CHANNEL CALIBRATION is a check of the instrument channel including the sensor. The SR verifies that the channel
responds to a measured parameter within the necessary range
and accuracy. CHANNEL CALIBRATION leaves the channel
adjusted to account for instrument drift between successive
calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with Reference 3.
The as-found and as-left values must also be recorded and
reviewed for consistency with the assumptions of the SR
interval extension analysis. The requirements for this
review are outlined in Reference 4.
The Frequency is based upon the assumption of a 24-month calibration interval in the determination of the magnitude
of equipment drift.
The SR is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift (Reference 5).
REFERENCES 1. 10 CFR Parts 50, "Domestic Licensing of Production and Utilization Facilities," and 100, "Reactor Site
Criteria" 2. Updated Final Safety Analysis Report (UFSAR), Chapter 14, "Safety Analysis" 3. CCNPP Setpoint File 4. Combustion Engineering Topical Report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" dated June 2, 1986, including Supplement 1, March 3, 1989 5. Letter from Mr. R. E. Denton (BGE) to NRC Document Control Desk, dated June 6, 1995, "License Amendment Request; Extension of Instrument Surveillance Intervals"
RPS Logic and Trip Initiation B 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Reactor Protective System (RPS) Logic and Trip Initiation
BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-1 Revision 2 BACKGROUND The RPS initiates a reactor trip to protect against violating the core specified acceptable fuel design limits and reactor coolant pressure boundary integrity during AOOs. By tripping the reactor, the RPS also assists the ESF systems in mitigating accidents.
The protecti ve systems have been designed to ensure safe operation of the reactor. This is achieved by specifying LSSS in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and
equipment performance.
The LSSS, defined in this Specification as the Allowable
Value, in conjunction with the LCOs, establish the threshold
for protective system action to prevent exceeding acceptable
limits during DBA s.
During AOOs, which are those events expected to occur one or
more times during the plant life, the acceptable limits are:
- Fuel centerline melting shall not occur; and
Maintaining the parameters within the above values ensures
that the offsite dose will be within the Reference 2 criteria during AOOs.
Accidents are events that are analyzed even though they are
not expected to occur during the plant life. The acceptable
limit during accidents is that the offsite dose shall be
maintained within the acceptance criteria given in Reference 1 , Chapter 14.
The RPS is segmented into four interconnected modules.
These modules are:
- Measurement channels;
- Bistable trip units; RPS Logic and Trip Initiation B 3.3.3 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-2 Revision 2
- RPS l ogic; and
- R TCBs. This LCO addresses the RPS l ogic and RTCBs, including manual trip capability.
Limiting Condition for Operation
3.3.1 provides
a description of the role of this equipment in the RPS. This is summarized below:
RPS Logic The RPS l ogic, consisting of m atrix and trip path logic , employs a scheme that provides a reactor trip when bistable
trip units in any two of the four instrument channels sense
the same input parameter trip. This is called a
two-out-of-four trip logic. This logic and the RTCB
configuration are shown in Figure B 3.3.1-1.
Bistable relay contact outputs from the four bistable trip
unit channels are configured into six logic matrices. Each
logic matrix checks for a coincident trip in the same
parameter in two bistable trip unit channels. The matrices
are designated the AB, AC, AD, BC, BD, and CD matrices to
reflect the bistable trip unit channels being monitored.
Each logic matrix contains four normally energized matrix
relays. When a coincidence is detected, consisting of a
trip in the same Function in the two channels being
monitored by the logic matrix, all four matrix relays
de-energize.
The logic matrix relay contacts are arranged into trip paths, with one of the four matrix relays in each matrix
opening contacts in one of the four trip paths. Each trip
path provides power to one of the four normally energized
RTCB control relays (K1, K2, K3, and K4).
Thus, t he trip paths each have six contacts in series, one from each matrix, and perform a logical OR function, opening the RTCBs if any one or more of the six logic matrices indicate a
coincidence condition.
Each trip path is responsible for opening one set of two of
the eight RTCBs. The RTCB control relays (K-relays), when
de-energized, interrupt power to the breaker undervoltage
trip coils and simultaneously apply power to the shunt trip RPS Logic and Trip Initiation B 3.3.3 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-3 Revision 2 coils on each of the two breakers. Actuation of either the undervoltage or shunt trip coil is sufficient to open the
RTCB and interrupt power from the MG sets to the CEDMs.
When a coincidence occurs in two RPS channels from one
Function, all four matrix relays in the affected matrix de-energize. This in turn de-energizes all four breaker control relays, which simultaneously de-energize the
undervoltage and energize the shunt trip coils in all eight
RTCBs, tripping them open.
The trip path logic consists of the trip path power source, matrix relays and their associated contacts, and all
interconnecting wiring, through the K-relay contacts in the
RTCB control circuitry.
It is possible to change the two-out-of-four RPS l ogic to a two-out-of-three logic for a given input parameter in one
instrument channel at a time by trip bypassing select
portions of the matrix logic. Trip bypassing a bistable
effectively shorts the bistable relay contacts in the three
matrices associated with that channel. Thus, the bistables
will function normally, producing normal trip indication and
annunciation, but a reactor trip will not occur unless two
additional instrument channels indicate a trip condition.
Trip bypassing can be simultaneously performed on any number
of parameters in any number of Functions, providing each
parameter is bypassed in only one instrument channel per
Function at a time. Administrative c ontrols prevent simultaneous trip bypassing of the same parameter in more
than one instrument channel. Trip bypassing is normally
employed during maintenance or testing.
RTCBs The reactor trip switchgear, shown in Figure B 3.3.1-1, consists of eight RTCBs, which are operated in four sets of
two breakers (four RTCB channels including the shunt trip
coils and undervoltage coils). Power input to the reactor
trip switchgear comes from two full capacity MG sets
operated in parallel such that the loss of either MG set
does not de-energize the CEDMs. There are two separate CEDM
power supply buses, each bus powering half of the CEDMs.
RPS Logic and Trip Initiation B 3.3.3 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-4 Revision 2 Power is supplied from the MG sets to each bus via two redundant trip legs. This ensures that a fault or the
opening of a breaker in one trip leg (i.e., for testing
purposes) will not interrupt power to the CEDM buses.
Each of the four trip paths consists of two RTCBs in series.
The two RTCBs within a trip path are actuated by separate trip paths.
The eight RTCBs are operated as four sets of two breakers (four RTCB channels including the shunt trip coils and
undervoltage coils). Each set of two RTCBs is opened by the
same K-relay. This arrangement ensures that power is
interrupted to both CEDM buses, thus preventing trip of only
half of the CEAs (a half trip). Any one inoperable RTCB in a RTCB channel (set of two breakers) will make the entire
RTCB channel inoperable.
Each set of RTCBs is operated by either a manual trip push button or an RPS actuated K-relay. There are four manual trip push buttons, arranged in two sets of two, as shown in Figure B 3.3.1-1. Depressing both push buttons in either
set will result in a reactor trip.
When a manual trip is initiated using the control room push buttons, the RPS trip paths and K-relays are bypassed, and
the RTCB undervoltage and shunt trip coils are actuated
independent of the RPS.
A manual trip channel includes the push button and interconnecting wiring to both RTCBs necessary to actuate
both the undervoltage and shunt trip coils, but excludes the
K-relay contacts and their interconnecting wiring to the
RTCBs, which are considered part of the trip path logic.
Functional testing of the entire RPS instrument and logic
channels, from bistable input through the opening of
individual sets of RTCBs, can be performed either at power
or shut down , and is normally performed on a quarterly basis. Reference 1, Section 7.2 explains RPS testing in more detail.
RPS Logic and Trip Initiation B 3.3.3 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-5 Revision 2 APPLICABLE R PS Logic SAFETY ANALYSES The RPS l ogic provides for automatic trip initiation to maintain the SLs during AOOs and assist the ESF systems in
ensuring acceptable consequences during accidents. All
transients and accidents that call for a reactor trip assume the RPS l ogic is functioning as designed.
RTCBs All of the transient and accident analyses that call for a
reactor trip assume that the RTCBs operate and interrupt
power to the CEDMs.
Manual Trip There are no accident analyses that take credit for the
- however, the manual trip is part of the RPS circuitry. It is used by the operator to shut down the
reactor whenever any parameter is rapidly trending toward
its trip setpoint. A manual trip accomplishes the same results as any one of the automatic trip Functions.
The RPS l ogic and initiation satisfy 10 CFR 50.36(c)(2)(ii), Criterion 3.
LCO R PS Logic Failures of individual bistable relays and their contacts
are addressed in LCO 3.3.1. This Specification addresses
failures of the matrix logic not addressed in the above, such as the failure of matrix relay power supplies or the
failure of the trip bypass contact in the bypass condition.
Loss of a single vital bus will de-energize one of the two
power supplies in each of three matrices. This will result
in two sets of two RTCBs opening; however, the remaining two
sets of two closed RTCBs will prevent a reactor trip. For
the purposes of this LCO, de-energizing up to three matrix
power supplies due to a single failure is to be treated as a
single channel failure, providing the affected matrix relays
de-energize as designed, opening the affected RTCBs.
RPS Logic and Trip Initiation B 3.3.3 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-6 Revision 2 Each of the four trip path logic channels opens one set of RTCBs if any of the six logic matrices de-energize their associated matrix relays.
Thus, t hey perform a logical OR function. Each trip path logic channel has its own power supply and is independent of the others. A trip path logic channel includes the matrix relay through to the K-relay contacts, which open the RTCB.
It is possible for two trip path logic channels affecting the same trip leg to de-energize if a matrix power supply or
vital instrument bus fails. This will result in opening the
two affected sets of two RTCBs.
If one set of RTCBs has been opened in response to a single
RTCB channel, trip path logic channel, or manual trip channel failure, the affected set of RTCBs may be closed for
up to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> for s urveillance on the OPERABLE trip path logic , RTCB, and manual trip channels. In this case, the redundant set of RTCBs will provide protection if a trip
should be required. It is unlikely that a trip will be
required during the SR , coincident with a failure of the remaining series RTCB channel. If a single matrix power
supply or vital bus failure has opened two sets of RTCBs, manual trip and RTCB testing on the closed breakers cannot be performed without causing a trip.
- 1. Matrix Logic This LCO requires six channels of matrix logic to be OPERABLE in MODEs 1 and 2, and in MODEs 3, 4, and 5 when any RTCB is closed and any CEA is capable of being
withdrawn.
- 2. Trip Path Logic This LCO requires four channels of trip path logic to be OPERABLE in MODEs 1 and 2, and in MODEs 3, 4, and 5 when any RTCB is closed and any CEA is capable of being
withdrawn.
- 3. R TCBs The LCO requires four RTCB channels to be OPERABLE in MODEs 1 and 2, as well as in MODEs 3, 4, and 5 when any RPS Logic and Trip Initiation B 3.3.3 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-7 Revision 2 RTCB is closed and any CEA is capable of being withdrawn.
Each RTCB channel consists of two breakers operated in a single set by the trip path logic or manual trip circuitry. This ensures that power is interrupted at identical locations in the trip paths for both CEDM buses, thus preventing power removal to only one CEDM
bus (a half trip).
Failure of a single breaker affects the entire RTCB channel, and both breakers in the set must be opened.
Without reliable RTCBs and associated support
circuitry, a reactor trip cannot occur whether
initiated automatically or manually.
Each channel of RTCBs starts at the contacts actuated by the K-relay, and the contacts actuated by the manual trip , for each set of breakers. The K-relay actuated contacts and the upstream circuitry are considered to
be RPS l ogic. Manual t rip contacts and upstream circuitry are considered to be part of the manual trip channels.
A Note associated with the ACTIONS states that if one set of RTCBs has been opened in response to a single
RTCB channel, trip path logic channel, or manual trip channel failure, the affected set of RTCBs may be
closed for up to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> for a s urveillance test on the OPERABLE trip path logic , RTCB, and manual trip channels. In this case, the redundant set of RTCBs
will provide protection. If a single matrix power
supply or vital bus failure has opened two sets of
RTCBs, manual trip and RTCB testing on the closed breakers cannot be performed without causing a trip.
This Note is not applicable to Condition A, with one
matrix logic channel inoperable.
- 4. Manual Trip The LCO requires all four manual trip channels to be OPERABLE in MODEs 1 and 2, and MODEs 3, 4, and 5 when RPS Logic and Trip Initiation B 3.3.3 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-8 Revision 2 any RTCB is closed and any CEA is capable of being withdrawn.
Two independent sets of two adjacent push buttons are provided at separate locations. Each push button is
considered a channel and operates two of the eight RTCBs. Depressing both push buttons in either set will cause an interruption of power to the CEDMs, allowing
the CEAs to fall into the core. This design ensures
that no single failure in any push button channel can either cause or prevent a reactor trip.
APPLICABILITY The RPS matrix logic , RTCBs, and manual trip are required to be OPERABLE in any MODE when any CEA is capable of being
withdrawn from the core (i.e., RTCBs closed and power
available to the CEDMs). This ensures the reactor can be
tripped when necessary, but allows for maintenance and
testing when the reactor trip is not needed.
In MODEs 3, 4, and 5
, with all the RTCBs open, the CEAs are not capable of withdrawal and these Functions do not have to
be OPERABLE. However, two wide range logarithmic neutron
flux monitor channels must be OPERABLE to ensure proper
indication of neutron population and to indicate a boron dilution event. This is addressed in LCO 3.3.12
. ACTIONS When the number of inoperable RPS logic or t rip i nitiation channels exceeds that specified in any related Condition, the plant is outside the safety analysis. Therefore, LCO 3.0.3 is immediately entered if applicable in the
current MODE of operation.
A.1 Condition A applies if one matrix logic channel is inoperable or three l ogic m atrices channels are inoperable due to a common power source failure de-energizing three
matrix power supplies in any applicable MODE.
The matrix logic channel must be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> provides
the operator time to take appropriate actions and still
ensures that any risk involved in operating with a failed RPS Logic and Trip Initiation B 3.3.3 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-9 Revision 2 channel is acceptable. Operating experience has demonstrated that the probability of a random failure of a
second matrix logic channel is low during any given 48
-hour interval. If the channel cannot be restored to OPERABLE
status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, Condition E is entered.
B.1 Condition B applies to one trip path logic channel, RTCB channel, or manual trip channel in MODEs 1 and 2, since they have the same actions.
MODEs 3, 4, and 5, with the RTCBs shut, are addressed in Condition C. These Required Actions require opening the affected RTCBs. This removes the need
for the affected channel by performing its associated safety
function. With the RTCB open, the affected Functions are in
one-out-of-two logic, which meets redundancy requirements, but testing on the OPERABLE channels cannot be performed
without causing a reactor trip unless the RTCBs in the
inoperable channels are closed to permit testing. Limiting
Condition for Operation 3.0.5 allows the RTCBs associated
with the inoperable channel to be closed to perform testing.
Required Action B.1 provides for opening the RTCBs associated with the inoperable channel within a Completion
Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This Required Action is conservative, since
depressing the manual trip push button associated with either set of breakers in the other trip leg will cause a
reactor trip. With this configuration, a single channel
failure will not prevent a reactor trip. The allotted
Completion Time is adequate to open the affected RTCBs
, while maintaining the risk of having them closed at an
acceptable level.
C.1 Condition C applies to the failure of one trip path logic channel, RTCB channel, or manual trip channel in MODE 3, 4, or 5 with the RTCBs closed. The channel must be restored to
OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. If the inoperable channel
cannot be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, all
RTCBs must be opened, placing the plant in a MODE in which
the LCO does not apply and ensuring no CEA withdrawal
occurs.
RPS Logic and Trip Initiation B 3.3.3 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-10 Revision 2 The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is consistent with that of other RPS instrumentation and should be adequate to repair
most failures.
Testing on the OPERABLE channels cannot be performed without
causing a reactor trip unless the RTCBs in the inoperable channels are closed to permit testing. Limiting Condition for Operation 3.0.5 allows the RTCBs associated with the
inoperable channel to be closed to perform testing.
D.1 Condition D applies to the failure of both trip path logic channels affecting the same trip leg. Since this will open
two channels of RTCBs, this Condition is also applicable to
the two affected channels of RTCBs. This Condition allows
for loss of a single vital instrument bus or matrix power
supply, which will de-energize both trip path logic channels in the same trip leg. This will open both sets of RTCBs in
the affected trip leg, satisfying the Required Action of
opening the affected channels of RTCBs.
Of greater concern is the failure of the trip path circuit
in a nontrip condition (e.g., due to two trip path K-relay
failures). With only one trip path logic channel failed in a nontrip condition, there is still the redundant set of
RTCBs in the trip leg. With both failed in a nontrip
condition, the reactor will not trip automatically when
required. In either case, the affected RTCBs must be opened
immediately by using the appropriate manual trip push buttons, since each of the four push buttons opens one set
of RTCBs, independent of the trip path circuitry. Caution
must be exercised, since depressing the wrong push buttons
may result in a reactor trip.
If the affected RTCB(s) cannot be opened, Condition E is entered. This would only occur if there is a failure in the
manual trip channel or the RTCB(s).
E.1 and E.2 Condition E is entered if Required Actions associated with
Condition A, B, or D are not met within the required
Completion Time or if one or more Functions with more than RPS Logic and Trip Initiation B 3.3.3 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-11 Revision 36 one manual trip, matrix logic, trip path logic, or RTCB channel is inoperable for reasons other than Condition A
or D.
If the RTCBs associated with the inoperable channel cannot
be opened, the reactor must be shut down within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and all the RTCBs opened. A Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach the
required MODE from full power conditions in an orderly
manner, without challenging plant systems, and to open
RTCBs. All RTCBs should then be opened, placing the plant
in a MODE where the LCO does not apply and ensuring no CEA withdrawal occurs.
SURVEILLANCE SR 3.3.3.1 REQUIREMENTS
A CHANNEL FUNCTIONAL TEST is performed on each RTCB channel
every 92 days. This verifies proper operation of each RTCB.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
The RTCB must then be closed prior to testing the other RTCBs, or a reactor trip may result. The
frequency of 92 days is based on the reliability analysis
presented in Reference 3. Scheduling SR 3.3.3.1 and SR
3.3.3.2 such that the RTCBs testing is performed at least every 6 weeks meets vendor recommended intervals for cycling of each RTCB in accordance with Reference 3.
SR 3.3.3.2 A CHANNEL FUNCTIONAL TEST on each RPS logic channel is
performed every 92 days to ensure the entire channel will
perform its intended function when needed.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at RPS Logic and Trip Initiation B 3.3.3 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-12 Revision 36 least once per refueling interval with applicable extensions.
In addition to reference voltage tests, the RPS CHANNEL
FUNCTIONAL TEST consists of three overlapping tests as
described in Reference 1, Section 7.2. These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. The first test, the
instrument channel test, is addressed by SR 3.3.1.4 in
This SR addresses the two tests associated with the RPS
logic: matrix logic and trip path logic.
Scheduling SR 3.3.3.1 and SR 3.3.3.2 such that the RTCBs
testing is performed at least every 6 weeks meets vendor
recommended intervals for cycling of each RTCB in accordance
with Reference 3.
Matrix Logic Tests These tests are performed one matrix at a time. They verify
that a coincidence in the two instrument channels for each
Function removes power from the matrix relays. During
testing, power is applied to the matrix relay test coils and
prevents the matrix relay contacts from assuming their
de-energized state. The matrix logic tests will detect any
short circuits around the bistable contacts in the
coincidence logic such as may be caused by faulty bistable
relay or trip bypass contacts.
Trip Path Tests These tests are similar to the matrix logic tests, except
that test power is withheld from one matrix relay at a time, allowing the trip path circuit to de-energize, opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three trip path circuits, or a reactor
trip may result.
The Frequency of 92 days is based on the reliability
analysis presented in Reference 4.
RPS Logic and Trip Initiation B 3.3.3 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-13 Revision 36 SR 3.3.3.3 A CHANNEL FUNCTIONAL TEST on the manual trip channels is performed prior to a reactor startup to ensure the entire
channel will perform its intended function if required.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
The manual trip Function can be tested either at power or shut down. However, the simplicity of this
circuitry and the absence of drift concern makes this
Frequency adequate. Additionally, operating experience has
shown that these components usually pass the SR when performed once within 7 days prior to each reactor startup.
REFERENCES 1. UFSAR
- 2. 10 CFR Part 100, "Reactor Site Criteria" 3. Combustion Engineering Topical Report CE NPSD-951-A, Revision 01, "Reactor Trip Circuit Breakers Surveillance Frequency Extension," dated September 1999 4. Combustion Engineering Topical Report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" dated June 2, 1986, including Supplement 1, March 3, 1989
ESFAS Instrumentation B 3.3.4 B 3.3 INSTRUMENTATION B 3.3.4 Engineered Safety Features Actuation System (ESFAS) Instrumentation
BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-1 Revision 2 BACKGROUND The ESFAS actuates necessary safety systems, based upon the values of selected unit parameters to mitigate accidents in order to protect the public and plant personnel from the
accidental release of radioactive fission products.
The ESFAS contains devices and circuitry that generate the
following signals when the monitored variables reach levels
that are indicative of conditions requiring protective
action: 1. Safety Injection Actuation Signal (SIAS);
- 2. Containment Spray Actuation Signal (CSAS);
- 3. Containment Isolation Signal (CIS); 4. Steam Generator Isolation Signal (SGIS); 5. Recirculation Actuation Signal (RAS) for the Containment Sump; and
- 6. A FAS Signal. Equipment actuated by each of the above signals is
identified in the Reference 1 , Section 7.3.
Each of the above ESFAS actuation systems is segmented into
four sensor channel and two actuation logic channels. Each
sensor channel includes measurement channels and bistables
(s ensor m odules). The actuation logic channels include two sets of logic circuitry (actuation logic modules) and actuation relay equipment. The actuation logic channels
actuate ESFAS equipment trains that are sequentially loaded
on the diesel generators (DGs).
Each of the four sensor modules monitors redundant and
independent process measurement channels. Each sensor is
monitored by at least one sensor module. The sensor module associated with each ESFAS sensor channel will trip when the monitored variable exceeds the trip setpoint. When tripped, the sensor channels provide outputs to the two actuation
logic channels.
ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-2 Revision 2 The two independent actuation logic channels compare the four sensor channel outputs. If a trip occurs in the same
parameter in two or more sensor channels, the
two-out-of-four logic in each actuation logic channel will
initiate the associated train of ESFAS. Each train can
provide protection to the public in the case of a DBA. Actuation l ogic is addressed in LCO 3.3.5
.
Each of the four sensor channels is mounted in a separate
cabinet, excluding the sensors and field wiring.
The role of the sensor channel (measurement channels and
sensor modules) is discussed below; actuation logic channels
are discussed in LCO 3.3.5.
Measurement Channels Measurement channels, consisting of field transmitters or
process sensors and associated instrumentation, provide a
measurable electronic signal based upon the physical
characteristics of the parameter being measured.
Four measurement channels with electrical and physical
separation are provided for each parameter used in the
generation of actuation signals. These are designated
Channels ZD through ZG. Measurement channels provide input
to ESFAS sensor modules within the same ESFAS channel. In
addition, some measurement channels may also be used as
inputs to Reactor Protective System (RPS) bistable trip
units, and most provide indication in the Control Room. Measurement channels used as an input to the RPS or ESFAS
are not used for control f unctions.
When a measurement channel monitoring a parameter indicates
an unsafe condition, the sensor module monitoring the parameter in that channel will trip. Tripping two or more channels of sensor modules monitoring the same parameter
will de-energize both channels of actuation logic of the associated ESF equipment.
Three of the four sensor channels are necessary to meet the
redundancy and testability requirements of Reference 1, Appendix 1C. The fourth channel provides additional ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-3 Revision 2 flexibility by allowing one channel to be removed from service (maintenance bypass) for maintenance or testing
while still maintaining a minimum two-out-of-three logic.
Since no single failure will either cause or prevent a
protective system actuation and no protective channel feeds a control channel, this arrangement meets the requirements of proposed Reference
- 2.
Sensor Modules Sensor modules receive an analog input (digital for RAS)
from the measurement channels, compare the input to trip
setpoints, and provide contact output to the actuation logic c hannels (Reference 3). They also provide local trip indication and remote annunciation.
There are four channels of sensor modules, designated ZD
through ZG, for each ESF Function, one for each measurement
channel.
The trip setpoints and Allowable Values used in the sensor
modules are based on the analytical limits used in
Reference 1, Chapter 14. The selection of these trip setpoints is such that adequate protection is provided when
all sensor and processing time delays are taken into account
in the respective analytical limits. To allow for
calibration tolerances, instrumentation uncertainties, sensor channel drift, and severe environment errors, (for
those ESFAS channels that must function in harsh
environments
, where appropriate
, as defined by Reference
- 4. Engineered Safety Features Actuation System sensor modules trip setpoints are conservatively adjusted with respect to
the analytical limits. A detailed description of the method
used to calculate the trip setpoints, including their explicit uncertainties, is provided in Reference
- 5. The actual nominal trip setpoint entered into the sensor module is more conservative than that specified by the Allowable
Value. If the measured setpoint does not exceed the
Allowable Value, the sensor module is considered OPERABLE.
Setpoints in accordance with the Allowable Value will ensure
that the consequences of AOOs and DBAs will be acceptable, ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-4 Revision 2 providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as
designed.
ESFAS Logic It is possible to change the two-out-of-four ESFAS logic to a two-out-of-three logic for a given input parameter in one sensor channel at a time by disabling one sensor channel
input to the logic. Thus, the sensor modules will function
normally, producing normal trip indication and annunciation, but ESFAS actuation will not occur since the bypassed
channel is effectively removed (blocked) from the
coincidence logic. Sensor channel bypassing can be
simultaneously performed on any number of parameters in any
number of Functions, providing each parameter is bypassed in
only one sensor channel per Function at a time. Sensor
channel bypassing is normally employed during maintenance or
testing.
Engineered Safety Features Actuation System l ogic is addressed in LCO 3.3.5.
APPLICABLE Most of the analyzed accidents can be detected by one or SAFETY ANALYSES more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS
Function may be the primary actuation signal for more than
one type of accident. An ESFAS Function may also be a
secondary or backup actuation signal for one or more other accidents. Functions such as m anual a ctuation, not specifically credited in the accident analysis, serve as backups to Functions and are part of the NRC approved licensing basis for the plant.
ESFAS protective Functions are as follows:
- 1. SIAS The SIAS ensures acceptable consequences during LOCA events, including steam generator tube rupture, and
other DBA s. To provide the required protection, either a high containment pressure or a low pressurizer
pressure signal will actuate SIAS.
The SIAS actuates the Emergency Core Cooling System (ECCS), control room ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-5 Revision 2 isolation, and performs other functions, such as starting the DG s.
- 2. CSAS The CSAS actuates containment spray, preventing containment overpressurization during a LOCA or MSLB. Both a high containment pressure signal and a SIAS have to actuate to provide the required protection. This
configuration reduces the likelihood of inadvertent
- 3. CIS The CIS actuates the Containment Isolation System, ensuring acceptable consequences during LOCAs and other
DBA s (inside C ontainment). A high containment pressure signal will actuate CIS.
- 4. SGIS The SGIS ensures acceptable consequences during an excessive loss of steam from the Main Steam System by
isolating both steam generators if either generator
indicates a low steam generator pressure. The SGIS, concurrent with or following a reactor trip, minimizes
the rate of heat extraction and subsequent cooldown of
the RCS during these events.
- 5. RAS At the end of the injection phase of a LOCA, the refueling water tank (RWT) will be nearly empty.
Continued cooling must be provided by the ECCS to
remove decay heat. The source of water for the ECCS
pumps is automatically switched to the containment
recirculation sump. Switchover from RWT to the
containment sump must occur before the RWT empties to prevent damage to the ECCS pumps and a loss of core cooling capability. For similar reasons, switchover
must not occur before there is sufficient water in the
containment sump to support pump suction. Furthermore, early switchover must not occur so sufficient borated water is injected from the RWT to ensure the reactor
remains shut down in the recirculation mode. An RWT ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-6 Revision 2 Level-Low trip signal, generated by a level switch, actuates the RAS.
- 6. AFAS Signal An AFAS Signal actuates feedwater flow to both steam generators if a low level is indicated in either steam generator, unless the generator is ruptured.
The AFAS Signal maintains a steam generator heat sink during the following events:
- MSLB;
- F WLB; and
- Loss of feedwater.
A low steam generator water level signal will actuate auxiliary feed to both steam generators.
Secondary steam generator differential pressure (SG-1 > SG-2) or (SG-2 > SG-1) blocks auxiliary
feed water (AFW) to a generator identified as being ruptured. This input to the AFAS logic prevents loss
of the intact generator while preventing feeding a
ruptured generator during MSLBs and FWLBs. This
prevents containment overpressurization and/or
excessive RCS cooldown during these events.
The ESFAS satisfies 10 CFR 50.36(c)(2)(ii), Criterion 3.
LCO The LCO requires all sensor channel components necessary to provide an ESFAS actuation to be OPERABLE.
The Bases for the LCO on ESFAS Functions are:
- 1. SIAS a. Containment Pressure-High Trip This LCO requires four sensor channels of SIAS Containment Pressure-High trip to be OPERABLE in MODEs 1, 2, and 3.
ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-7 Revision 2 The Allowable Value for this trip is set high enough to allow for small pressure increases in C ontainment expected during normal operation (i.e., plant heatup) and is not indicative of an
offnormal condition. The setting is low enough to
initiate the ESF Functions when a LOCA or other DBA condition is indicated. This allows the ESF systems to perform as expected in the accident
analyses to mitigate the consequences of the
analyzed accidents.
- b. Pressurizer Pressure-Low Trip This LCO requires four sensor channels of SIAS Pressurizer Pressure-Low trip to be OPERABLE in MODEs 1, 2, and 3.
The Allowable Value for this trip is set low enough to prevent actuating the SIAS during normal
plant operation and pressurizer pressure
transients. The setting is high enough that with
a LOCA or some other DBA it will actuate to perform as expected, mitigating the consequences
of the accidents.
The Pressurizer Pressure-Low trip may be blocked when pressurizer pressure is reduced during
controlled plant shutdowns. This block is
permitted below 1800 psia, and block permissive
responses are annunciated in the Control Room.
This allows for a controlled depressurization of
the RCS, while maintaining administrative control
of ESF protection. From a blocked condition, the
block will be automatically removed as pressurizer
pressure increases above 1800 psia, as sensed by two of the four sensor channels, in accordance with the block philosophy of removing blocks when
the enabling conditions are no longer satisfied.
This LCO requires four channels of the automatic block removal features for SIAS Pressurizer
Pressure-Low trip to be OPERABLE in MODEs 1, 2, and 3.
ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-8 Revision 2 The block permissive channels consist of four sensor channels and two actuation sensor block modules. This LCO applies to failures in the four
sensor channels, including measurement channels
and sensor block modules. Failures in the
actuation logic channels, including the manual bypass key switches, are considered actuation logic failures and are addressed in LCO 3.3.5.
This LCO applies to the automatic block removal feature, not the sensor block modules. If the
block enable Function is failed so as to prevent
entering a block condition, operation may
continue.
The block permissive is set low enough so as not to be enabled during normal plant operation, but
high enough to allow blocking prior to reaching
the trip setpoint.
It is also necessary to have an automatic or manual
SIAS for complete actuation. The CSAS opens the
containment spray valves, where as SIAS actuates other
related components. The SIAS requirement should always
be satisfied on a legitimate CSAS, since the
Containment Pressure-High trip signal field setpoint used in the SIAS is the same or below the setpoint used
in the CSAS.
- a. Containment Pressure-High Trip This LCO requires four sensor channels of CSAS Containment Pressure-High trip to be OPERABLE in MODEs 1, 2, and 3.
The Allowable Value is set high enough to allow for small pressure increases in C ontainment expected during normal operation (i.e., plant
heatup) and is not indicative of an offnormal
condition. The setting is low enough to initiate ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-9 Revision 2 the ESF Functions when an offnormal condition is indicated. This allows the ESF systems to perform
as expected in the accident analyses to mitigate
the consequences of the analyzed accidents.
The Containment Pressure-High trip setpoint is the same in the SIAS (Function 1), CIS (Function 3),
and is a different setpoint for CSAS (Function 2).
However, different logic is used in each of these
Functions.
- 3. CIS a. Containment Pressure-High Trip This LCO requires four sensor channels of CIS Containment Pressure-High trip to be OPERABLE in MODEs 1, 2, and 3.
The Allowable Value is set high enough to allow for small pressure increases in C ontainment expected during normal operation (i.e., plant
heatup) and is not indicative of an offnormal
condition. The setting is low enough to initiate
the ESF Functions when an offnormal condition is
indicated. This allows the ESF systems to perform
as expected in the accident analyses to mitigate
the consequences of the analyzed accidents.
The Containment Pressure-High trip setpoint is the same in the SIAS (Function 1) and CIS (Function 3), and is a different setpoint for CSAS (Function 2). However, different logic is used in
each of these Functions.
- 4. SGIS The SGIS is required to be OPERABLE in MODEs 1, 2, and 3 except when all associated valves are closed and
de-activated. De-activated means valve operating power
is removed.
ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-10 Revision 2
- a. Steam Generator Pressure-Low Trip This LCO requires four sensor channels of SGIS Steam Generator Pressure-Low trip for each steam generator to be OPERABLE in MODEs 1, 2, and 3.
The Allowable Value is set below the full load operating value for steam pressure so as not to
interfere with normal plant operation. However, the setting is high enough to provide the required
protection for excessive steam demand. An
excessive steam demand causes the RCS to cool
down, resulting in a positive reactivity addition
to the core. An SGIS is required to prevent the
excessive cooldown.
This Function may be manually blocked when steam generator pressure is reduced during controlled
plant cooldowns. The block is permitted below
785 psia, and block permissive responses are
annunciated in the C ontrol R oom. This allows a controlled depressurization of the secondary
system, while maintaining administrative control
of ESF protection. From a blocked condition, the
block will be removed automatically as steam
generator pressure increases above 785 psia, as
sensed by two of the four sensor channels, in
accordance with the block philosophy of removing
blocks when the enabling conditions are no longer
satisfied.
This LCO requires four channels per steam generator of the automatic block removal for SGIS
Steam Generator Pressure-Low trip to be OPERABLE in MODEs 1, 2, and 3.
The automatic block removal features consist of four sensor channels and two actuation logic
channels. This LCO applies to failures in the
four sensor channels, including measurement
channels and sensor block modules. Failures in
the actuation logic channels, including the manual ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-11 Revision 2 bypass key switches, are considered actuation logic failures and are addressed in LCO 3.3.5.
This LCO applies to the automatic block removal feature only. If the block enable Function is
failed so as to prevent entering a block condition, operation may continue.
The block permissive is set low enough so as not to be enabled during normal plant operation, but
high enough to allow blocking prior to reaching
the trip setpoint.
- a. RWT Level-Low Trip This LCO requires four sensor channels of RWT Level-Low trip to be OPERABLE in MODEs 1, 2, and 3. The signal provided is a level indication
from a level switch, not an analog signal.
The upper limit on the Allowable Value for this trip is set low enough to ensure RAS does not
actuate before sufficient water is transferred to
the containment sump. Premature recirculation
could impair the reactivity control Function of
safety injection by limiting the amount of boron
injection. Premature recirculation could also
damage or disable the recirculation system if
recirculation begins before the sump has enough
water to prevent air entrainment in the suction.
The lower limit on the RWT Level-Low trip
Allowable Value is high enough to transfer suction
to the containment sump prior to emptying the RWT.
- 6. AFAS Signal The AFAS logic actuates AFW to a steam generator on low level in that generator unless it has been identified as being ruptured.
A low level in either generator, as sensed by a two-out-of-four coincidence of four wide range sensors
for any generator, will generate an AFAS start signal, ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-12 Revision 2 which starts both trains of AFW pumps, operates other equipment, and feeds both steam generators. The AFAS
also monitors the secondary differential pressure in
both steam generators and actuates an AFAS block signal
to a ruptured generator, if the pressure in that
generator is lower than that in the other generator by the differential pressure setpoint.
- a. Steam Generator 1/2 Level-Low Trip This LCO requires four sensor channels for each steam generator of Steam Generator Level-Low trip to be OPERABLE in MODEs 1, 2, and 3.
The Allowable Value ensures adequate time exists to initiate AFW
, while the steam generators can function as a heat sink.
- b. Steam Generator Pressure Difference-High Trip (SG-1 > SG-2) or (SG-1 > SG-2)
This LCO requires four sensor channels per steam generator of Steam Generator Pressure Difference-
High trip to be OPERABLE in MODEs 1, 2, and 3.
The Allowable Value for this trip is high enough to allow for small pressure differences and normal
instrumentation errors between the steam generator
channels during normal operation without an
actuation. The setting is low enough to detect
and block feeding of a ruptured steam generator in
the event of an MSLB or FWLB, while permitting the feeding of the intact steam generator.
APPLICABILITY All ESFAS Functions are required to be OPERABLE in MODEs 1, 2, and 3. In MODEs 1, 2, and 3
, there is sufficient energy in the primary and secondary systems to warrant automatic
ESF s ystem responses to:
- Close the MSIV s to preclude a positive reactivity addition;
- Actuate AFW to preclude the loss of the steam generators as a heat sink (in the event the normal
feedwater system is not available);
ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-13 Revision 2
- Actuate ESF systems to prevent or limit the release of fission product radioactivity to the environment by isolating C ontainment and limiting the containment pressure from exceeding the containment design pressure
during a design basis LOCA or other DBA s; and
- Actuate ESF systems to ensure sufficient borated inventory to permit adequate core cooling and
reactivity control during a design basis LOCA or other
DBA s.
In MODEs 4, 5, and 6, automatic actuation of ESFAS Functions is not required because adequate time is available for plant
operators to evaluate plant conditions and respond by
manually operating the ESF components, if required, as
addressed by LCO 3.3.5. In LCO 3.3.5, manual capability is
required for Functions other than AFAS in MODE 4, even
though automatic actuation is not required. Because of the
large number of components actuated on each ESFAS, actuation
is simplified by the use of the m anual actuation push buttons. Manual s tart of AFAS is not required in MODE 4 because AFW or shutdown cooling will already be in operation
or available in this MODE.
The ESFAS actuation logic must be OPERABLE in the same MODEs as the automatic and m anual actuation. In MODE 4, only the portion of the ESFAS logic responsible for the required
m anual actuation must be OPERABLE.
In MODEs 5 and 6, ESFAS actuated systems are either reconfigured or disabled for shutdown cooling operation.
Accidents in these MODEs are slow to develop and would be mitigated by manual operation of individual components.
The most common cause of sensor channel inoperability is outright failure or drift of the sensor module or measurement channel sufficient to exceed the tolerance
allowed by Reference 5.
Typically, the drift is small which , at worst , results in a delay of actuation rather than a total loss of Function.
Determination of setpoint drift is generally made during the
performance of a CHANNEL CALIBRATION when the process ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-14 Revision 2 instrument is set up for adjustment to bring it to within specification. Sensor drift could also be identified during
the CHANNEL CHECKS. CHANNEL FUNCTIONAL TESTS identify
sensor module drift. If the actual trip setpoint is not
within the Allowable Value in Table 3.3.4-1, the sensor
channel is inoperable and the appropriate Condition(s) are entered. In the event that either a sensor channel's trip setpoint is found nonconservative with respect to the Allowable Value in
Table 3.3.4-1, or the sensor, instrument loop, signal
processing electronics, ESFAS sensor module or applicable
automatic block removal feature when block is in effect is
found inoperable, all affected Functions provided by that sensor channel must be declared inoperable and the plant
must enter the Condition statement for the particular
protection Function affected.
When the number of inoperable sensor channels in an ESFAS
Function exceeds those specified in any related Condition
associated with the same ESFAS Function, the plant is outside the safety analysis. Therefore, LCO 3.0.3 should be
immediately entered if applicable in the current MODE of
operation.
A Note has been added to clarify the application of the
Completion Time rules. The Conditions of this Specification
may be entered independently for each Function in
Table 3.3.4-1. Completion Times for the inoperable channel
of a Function will be tracked separately.
A.1, A.2.1, and A.2.2 Condition A applies to the failure of a single channel (measurement channel or sensor module) of one or more input parameters in the following ESFAS Functions:
- 1. SIAS Containment Pressure-High Trip Pressurizer Pressure-Low Trip
- 2. CSAS Containment Pressure-High Trip ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-15 Revision 2
- 3. CIS Containment Pressure-High Trip
- 4. SGIS Steam Generator Pressure-Low Trip
- 6. AFAS Signal Steam Generator Level-Low Trip Steam Generator Pressure Difference-High Trip Engineered Safety Features Actuation System coincidence logic is normally two-out-of-four. If one ESFAS sensor
channel is inoperable, startup or power operation is allowed
to continue as long as action is taken to restore the design
level of redundancy.
If one ESFAS sensor channel is inoperable, startup or power
operation is allowed to continue, providing the inoperable
channel is placed in bypass or trip within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required
Action A.1).
The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allotted to bypass or trip the sensor channel is sufficient to allow the operator to take
all appropriate actions for the failed channel
, and still ensures that the risk involved in operating with the failed
channel is acceptable.
One failed sensor channel is restored to OPERABLE status or
is placed in trip within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> (Required Action A.2.1
or A.2.2). Required Action A.2.1 restores the full capability of the function. Required Action A.2.2 places the function in a one-out-of-three configuration. In this
configuration, common cause failure of the dependent channel
cannot prevent ESFAS actuation. The 48
-hour Completion Time is based upon operating experience, which has demonstrated
that a random failure of a second channel occurring during
the 48-hour period is a low probability event.
ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-16 Revision 2 B.1 and B.2 Condition B applies to the failure of two sensor channels in any of the following ESFAS functions:
- 1. SIAS Containment Pressure-High Trip Pressurizer Pressure-Low Trip
- 2. CSAS Containment Pressure-High Trip
- 3. CIS Containment Pressure-High Trip
- 4. SGIS Steam Generator Pressure-Low Trip
- 6. AFAS Signal Steam Generator Level-Low Trip Steam Generator Pressure Difference-High Trip With two inoperable sensor channels, one channel should be
placed in bypass, and the other channel should be placed in
trip within the 1
-hour Completion Time. With one channel of protective instrumentation bypassed, the ESFAS Function is
in two-out-of-three logic
- but with another channel failed
, the ESFAS may be operating with a two-out-of-two logic.
This is outside the assumptions made in the analyses and
should be corrected. To correct the problem, the second
channel is placed in trip. This places the ESFAS in a
one-out-of-two logic. If any of the other OPERABLE channels
receive a trip signal, ESFAS actuation will occur.
One of the failed sensor channels should be restored to
OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. After one channel is
restored to OPERABLE status, the provisions of Condition A
still apply to the remaining inoperable channel. Therefore, ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-17 Revision 26 the channel that is still inoperable after completion of Required Action B.2 must be placed in trip if more than
48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> has elapsed since the initial channel failure.
C.1 and C.2 Condition C applies to the failure of one automatic block removal feature when the block is in effect.
The automatic block removal features are incorporated into the four sensor block modules (per steam generator for SGIS)
and two block logic modules. Condition C applies to
failures in the automatic block removal feature of one of
the four sensor block modules. Failures in the block logic
modules, including the block logic manual bypass key
switches, are considered actuation logic failures and are
addressed in LCO 3.3.5.
In Condition C, it is permissible to continue operation with the automatic block removal feature in one sensor block
module failed, providing the sensor block module is disabled (Required Action C.1). This can be accomplished by
adjusting the sensor block module setpoint, which disables
the sensor block modules to both block logic modules.
Therefore, a block permissive signal is not produced by the
sensor block module.
Placing a sensor module in bypass defeats the block permissive input in one of the four channels to the
two-out-of-four block removal logic, placing the automatic
block removal feature in one-out-of-three logic. Thus, any
of the remaining three channels is capable of removing the
block feature when the block enable conditions are no longer
valid. In this configuration, common cause failure of the dependent channel cannot prevent block removal.
D.1, D.2.1, and D.2.2 Condition D applies to two inoperable automatic block
removal features. The automatic block removal features
consist of four sensor block modules (per steam generator
for SGIS) and two actuation logic channels. This Condition ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-18 Revision 26 applies to failures in two of the four sensor block modules.
With two of the four sensor block modules failed in a
nonconservative direction (enabling the block feature), the
automatic block removal feature is in two-out-of-two logic.
Failures in the actuation logic channels, including the
manual bypass key switches, are considered actuation logic failures and are addressed in LCO 3.3.5.
In Condition D, it is permissible to continue operation with
two automatic block removal features failed, providing the
sensor block modules are disabled in a similar manner as
discussed for Condition C.
If the failed sensor block modules cannot be disabled, actions to address the inoperability of the affected sensor
block modules must be taken. Required Action D.2.1 and
Required Action D.2.2 are equivalent to the Required Actions
for a two sensor channel failure (Condition B). Also
similar to Condition B, after one inoperable sensor block
module is restored, the provisions of Condition C still
apply to the remaining inoperable automatic block removal
feature, with the Completion Time measured from the point of
the initial bypass channel failure. The 1-hour Completion
Time minimizes the time that the plant is in two-out-of-two
logic. The 48-hour Completion Time limits the time the
plant is in one-out-of-two logic. Limits on the time in
these logic conditions are similar to those found in
Action B.
E.1 and E.2 If the Required Actions and associated Completion Times of
Condition A, B, C, or D are not met, the plant must be
brought to a MODE in which the LCO does not apply. To
achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating
experience, to reach the required plant conditions from full
power conditions in an orderly manner and without challenging plant systems.
ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-19 Revision 26 SURVEILLANCE The SRs for any particular ESFAS Function are found in the REQUIREMENTS SRs column of Table 3.3.4-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL
TEST, CHANNEL CALIBRATION, and response time testing.
SR 3.3.4.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A
CHANNEL CHECK is normally a comparison of the parameter
indicated on one sensor channel to a similar parameter on
other sensor channels. It is based on the assumption that
sensor channels monitoring the same parameter should read
approximately the same value. Significant deviations
between sensor channels could be an indication of excessive
sensor channel drift in one of the channels or of something
even more serious. CHANNEL CHECK will detect gross channel
failure; thus, it is key to verifying the instrumentation
continues to operate properly between each CHANNEL
CALIBRATION.
Agreement criteria are determined by the plant staff based on a qualitative assessment of the sensor channel, which
considers sensor channel uncertainties, including indication
and readability. If a channel is outside the criteria, it
may be an indication that the sensor or the signal
processing equipment has drifted outside its limit. If the
channels are within the criteria, it is an indication that
the channels are OPERABLE. If the channels are normally
off-scale during times when surveillance testing is
required, the CHANNEL CHECK will only verify that they are
off-scale in the same direction. Off-scale low current loop
channels are verified to be reading at the bottom of the
range and not failed down-scale.
The Frequency of about once every shift is based on operating experience that demonstrates sensor channel failure is rare. Since the probability of two random
failures in redundant channels in any 12-hour period is
extremely low, the CHANNEL CHECK minimizes the chance of
loss of ESFAS Function due to failure of redundant channels.
The CHANNEL CHECK supplements less formal, but more
frequent, checks of the channel during normal operational
use of displays.
ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-20 Revision 36 SR 3.3.4.2 A CHANNEL FUNCTIONAL TEST is performed every 92 days to ensure the entire sensor channel will perform its intended
function when needed.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
The CHANNEL FUNCTIONAL TEST tests the individual sensor
channels using an analog or level switch test input to each
bistable.
A test signal is substituted for the input in one sensor
channel at a time to verify that the bistable trips within
the specified tolerance around the setpoint. Any setpoint
adjustment shall be consistent with the assumptions of the
Reference 5.
SR 3.3.4.3 Surveillance Requirement 3.3.4.3 is a CHANNEL FUNCTIONAL
TEST similar to SR 3.3.4.2, except 3.3.4.3 is performed
every 24 months and is only applicable to automatic block
removal features of the sensor block modules. These include
the Pressurizer Pressure-Low trip block and the SGIS Steam
Generator Pressure-Low trip block.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
The CHANNEL FUNCTIONAL TEST for proper operation of the
automatic block removal features is critical during plant
heatups because the blocks may be in place prior to entering
MODE 3, but must be removed at the appropriate points during
plant startup to enable the ESFAS Function. A 24-month SR ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-21 Revision 36 Frequency is adequate to ensure proper automatic block removal module operation as described in Reference 3. Once
the blocks are removed, the blocks must not fail in such a
way that the associated ESFAS Function is inappropriately
blocked. This feature is verified by the appropriate ESFAS
Function CHANNEL FUNCTIONAL TEST.
The 24-month SR Frequency is adequate to ensure proper
automatic block removal feature operation as described in
Reference 3.
SR 3.3.4.4 CHANNEL CALIBRATION is a check of the sensor channel, including the automatic block removal feature of the sensor
block module and the sensor. The SR verifies that the
channel responds to a measured parameter within the
necessary range and accuracy. CHANNEL CALIBRATION leaves
the channel adjusted to account for sensor channel drift
between successive calibrations to ensure that the channel
remains operational between successive surveillance tests.
CHANNEL CALIBRATIONS must be performed consistent with
Reference 5.
The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the
extension analysis. The requirements for this review are
outlined in Reference 6.
The Frequency is based upon the assumption of a 24-month calibration interval for the determination of the magnitude
of equipment drift in the setpoint analysis.
SR 3.3.4.5 This SR ensures that the train actuation response times are the maximum values assumed in the safety analyses.
Individual component response times are not modeled in the
analyses. The analysis models the overall or total elapsed
time, from the point at which the parameter exceeds the trip
setpoint value at the sensor to the point at which the
equipment in both trains reaches the required functional
state (e.g., pumps are rated discharge pressure, valves in
full open or closed position). Response time testing ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-22 Revision 36 acceptance criteria are included in Reference 1, Section 7.3. The test may be performed in one measurement
or in overlapping segments, which verification that all
components are measured.
Response time may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the response time
is verified. Allocations for sensor response times may be
obtained from records of test results, vendor test data, or
vendor engineering specifications. Reference 7 provides the
basis and methodology for using allocated sensor response
times in the overall verification of the channel response
time for specific sensors identified in the reference.
Response time verification for other sensor types must be
demonstrated by test. The allocation of sensor response
times must be verified prior to placing a new component in
operation and reverified after maintenance that may
adversely affect the sensor response time.
Instrument loop or test cables and wiring add an insignificant response time and can be ignored.
Engineered Safety Feature Response Time tests are conducted on a STAGGERED TEST BASIS of once every 24 months. This
results in the interval between successive tests of a given
channel of n x 24 months, where n is the number of channels
in the Function. Surveillance of the final actuation
devices, which make up the bulk of the response time, is
included in the testing of each channel. Therefore, staggered testing results in Response Time verification of
these devices every 24 months. The 24-month STAGGERED TEST
BASIS Frequency is based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but
not channel failure, are infrequent occurrences.
REFERENCES 1. UFSAR
- 2. IEEE No. 279, "Proposed IEEE Criteria for Nuclear Power Plant Protection Systems," August 1968 ESFAS Instrumentation B 3.3.4 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-23 Revision 36
- 3. Letter from Mr. R. E. Denton (BGE) to NRC Document Control Desk, dated June 5, 1995, "Response to NRC Request for Review & Comment on Review of Preliminary
Accident Precursor Analysis of Trip; Loss of 13.8 kV
Bus; Short-Term Saltwater Cooling System
Unavailability, CCNPP Unit 2"
- 4. 10 CFR 50.49, "Environmental Qualification of Electric Equipment Important to Safety for Nuclear Power Plants"
- 5. CCNPP Setpoint File
- 6. Calvert Cliffs Procedure EN-4-104, "Surveillance Testing" 7. Combustion Engineering Owners Group Topical Report CE NPSD 1167-A, Revision 2, "Elimination of Pressure
Sensor Response Time Testing Requirements", July 3, 2000
ESFAS Logic and Manual Actuation B 3.3.5 B 3.3 INSTRUMENTATION B 3.3.5 Engineered Safety Features Actuation System (ESFAS) Logic and Manual Actuation BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-1 Revision 2 BACKGROUND The ESFAS initiates necessary safety systems, based upon the values of selected unit parameters to mitigate accidents in order to protect the public and plant personnel from the accidental release of radioactive fission products.
The ESFAS contains devices and circuitry that generate the
following signals when the monitored variables reach levels
that are indicative of conditions requiring protective
action: 1. S IAS; 2. C SAS; 3. C IS; 4. S GIS; 5. R AS for the Containment Sump; and
- 6. A FAS.
Equipment actuated by each of the above signals is
identified in Reference 1
.
Each of the above ESFAS actuation systems is segmented into
four sensor channels addressed by LCO 3.3.4 and two actuation subsystems addressed by this LCO. Each sensor
subsystem includes measurement channels and bistables (sensor modules). The SIAS actuation logic channels include
two sets of logic circuitry (actuation logic module s) and actuation relay equipment. The actuation logic channels
actuate ESFAS equipment trains that are sequentially loaded
on the DG s.
Each of the four sensor modules monitors redundant and
independent process measurement channels. Each sensor is monitored by at least one bistable. The bistable associated with each ESFAS sensor channel will trip when the monitored
variable exceeds the trip setpoint. When tripped, the
sensor channels provide outputs to the two actuation logic
channels.
ESFAS Logic and Manual Actuation B 3.3.5 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-2 Revision 2 The two independent actuation logic channels each compare the four associated sensor channel outputs. If a trip
occurs in two or more sensor channels, the two-out-of-four
logic in each actuation logic channel will actuate the
associated train of ESFAS. Each has sufficient equipment to
provide protection to the public in the case of a DBA. The sensor logic channel is addressed in LCO 3.3.4. This LCO
addresses the actuation logic channel.
Each of the four sensor channels is mounted in a separate
cabinet, excluding the sensors and field wiring.
The role of the sensor channel (measurement channels and
sensor module) and sensor block module is discussed in
LCO 3.3.4. That of the actuation logic channel is discussed
below.
ESFAS Logic The two independent actuation logic channels compare the
four sensor channel outputs. If a trip occurs in the same
parameter in two or more sensor channels, the
two-out-of-four logic in each actuation logic channel
initiates one train of ESFAS. Either train actuates
sufficient redundant and independent equipment.
Each actuation logic channel is housed in two cabinets. One cabinet contains the logic circuitry (actuation logic module s) for the actuation logic channel, while the other cabinet contains the actuation relay equipment. This
actuation relay equipment includes the actuation relays that
actuate the ESFAS equipment in response to a signal from the
actuation logic c hannels.
It is possible to change the two-out-of-four ESFAS logic to a two-out-of-three logic for a given input parameter in one
sensor channel at a time by blocking one channel input to
the logic. Thus, the actuation logic module s will function normally, producing normal trip indication and annunciation, but ESFAS actuation will not occur since the blocked channel
is effectively removed from the coincidence logic.
Maintenance bypassing can be simultaneously performed on any ESFAS Logic and Manual Actuation B 3.3.5 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-3 Revision 2 number of parameters in any number of Functions, providing each parameter is bypassed in only one sensor channel per
Function at a time.
Maintenance bypassing is normally employed during
maintenance or testing.
In addition to the maintenance bypasses, there are operating
bypasses (blocks) on the Pressurizer Pressure-Low trip input to the SIAS and on the Steam Generator Pressure-Low trip input to the SGIS when these inputs are no longer required
for protection. These blocks are enabled manually when the
enabling conditions are satisfied in three of the four
sensor block modules. The block circuitry employs four
sensor block modules, sensing pressurizer pressure (for the
SIAS) and steam generator pressure (for the SGIS). These
sensor block modules provide contact output to the
three-out-of-four logic in the two block logic modules.
When the logic is satisfied, manual blocking is permitted.
There are two manual block controls for each Function, one
per actuation logic channel.
The block logic modules provide one of the signals to a logic circuit that senses the actuation logic output and the output from the block logic module. When block logic is
met, and the block is manually enabled, the logic circuit
receiving signals from both logic sources prevents an
actuation signal from being sent to the ESFAS equipment.
All blocks are automatically removed when enabling block
conditions are no longer satisfied.
Manual ESFAS actuation capability is provided to permit the operator to manually actuate an ESF s ystem when necessary.
Two push buttons are provided in the C ontrol R oom for each ESFAS Function, except SGIS and AFAS. Manual AFAS s tart capability is provided in the Control Room. Steam generator
isolation signal manual actuation requires operation of MSIV handswitches and f eed water h ead er i solation handswitches. Each push button actuates one equipment train via the ESFAS logic.
ESFAS Logic and Manual Actuation B 3.3.5 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-4 Revision 2 The actuation logic is tested by inserting a local test signal. A coincidence logic trip will occur if there is the simultaneous presence of a sensor channel trip, either
legitimate or due to testing
, and block logic allows. The automatic block removal feature of block logic modules is
tested with the actuation logic modules. Most ESFAS Functions employ several separate parallel two-out-of-four
actuation logic module subchannels, with each subchannel actuating a subset of the ESFAS equipment associated with
that Function. Each of these subchannels can be tested
individually so that simultaneous actuation of an entire
train can be avoided during testing.
Except in the case of actuation subchannels SIAS Nos. 5
and 10, CIS No. 5, CSAS No. 3, and SGIS No. 1, all actuation logic channels can be tested at power. The above designated subchannels must be tested when shut down because they
actuate the following equipment, which cannot be actuated at
power:
- Reactor coolant pump (RCP) seal bleedoff isolation valves;
- Service water isolation valves;
- Volume control tank discharge valves;
- Letdown stop valves;
- Component cooling to RCPs;
- Component Cooling from RCPs;
- M SIVs;
- Feedwater isolation valves;
- Instrument air containment isolation valves (CIVs);
- Heater drain pumps;
- Main Feedwater Pump; and
- Condensate Booster Pumps.
APPLICABLE Most of the analyzed accidents can be detected by one or SAFETY ANALYSES more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS
Function may be the primary actuation signal for more than
one type of accident. An ESFAS Function may also be a ESFAS Logic and Manual Actuation B 3.3.5 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-5 Revision 2 secondary or backup actuation signal for one or more other accidents. Functions such as manual actuation , not specifically credited in the accident analysis, serve as backups to Functions and are part of the NRC staff
-approved licensing basis for the plant.
E ngineered S afety F eatures A ctuation S ystem protective Functions are as follows:
- 1. SIAS The SIAS ensures acceptable consequences during LOCA events, including steam generator tube rupture, and other DBA s. To provide the required protection, either a high containment pressure or a low pressurizer
pressure signal will actuate SIAS. Safety injection
actuation signal actuates the Emergency Core Cooling
System (ECCS) and performs several other Functions, such as starting the DG s.
- 2. CSAS The CSAS actuates containment spray, preventing containment overpressurization during a LOCA or MSLB.
Both a high containment pressure signal and a SIAS have to actuate to provide the required protection. This
configuration reduces the likelihood of inadvertent
- 3. CIS The CIS actuates the Containment Isolation System, ensuring acceptable consequences during LOCAs and other
DBA s (inside C ontainment). A high containment pressure signal will actuate CIS.
- 4. SGIS The SGIS ensures acceptable consequences during an excessive loss of steam from the Main Steam System by
isolating both steam generators if either generator
indicates a low steam generator pressure. The SGIS, concurrent with or following a reactor trip, minimizes
the rate of heat extraction and subsequent cooldown of
the RCS during these events.
ESFAS Logic and Manual Actuation B 3.3.5 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-6 Revision 2
- 5. RAS At the end of the injection phase of a LOCA, the refueling water tank (RWT) will be nearly empty.
Continued cooling must be provided by the ECCS to
remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. Switchover from RWT to containment sump must occur before the RWT empties to prevent
damage to the ECCS pumps and a loss of core cooling
capability. For similar reasons, switchover must not
occur before there is sufficient water in the
containment sump to support pump suction. Furthermore, early switchover must not occur so sufficient borated water is injected from the RWT to ensure the reactor
remains shut down in the recirculation mode. An RWT
Level-Low trip signal generated by a level switch actuates the RAS.
- 6. AFAS Signal An AFAS signal actuates feedwater flow to both steam generators if a low level is indicated in either steam
generator, unless the generator is ruptured.
The AFAS maintains a steam generator heat sink during the following events:
- MSLB;
- FWLB; and
- Loss of feedwater.
A low steam generator water level signal will actuate auxiliary feed to both steam generators.
Secondary steam generator (SG) differential pressure , (SG-1 > SG-2) or (SG-2 > SG-1)
, blocks auxiliary feed to a ruptured steam generator. This input to the AFAS logic prevents loss of the intact generator while
preventing feeding a ruptured generator during MSLBs
and FWLBs. This prevents containment
overpressurization and/or excessive RCS cooldown during
these events.
ESFAS Logic and Manual Actuation B 3.3.5 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-7 Revision 2 The ESFAS satisfies 10 CFR 50.36(c)(2)(ii), Criterion 3.
LCO The LCO requires that all components necessary to provide an
Actions allow maintenance bypass of individual sensor
channels. Plants are in a maintenance bypass condition
before either restoring the Function to four channel
operation (two-out-of-four logic) or placing the channel in
trip (one-out-of-three logic).
The Bases for the LCO on ESFAS automatic actuation Functions are addressed in the Bases for LCO 3.3.4. Those associated
with the manual actuation or actuation logic are addressed below.
- 1. SIAS a. Manual Actuation This LCO requires two channels of SIAS manual actuation to be OPERABLE in MODEs 1, 2, 3, and 4.
- b. Actuation Logic This LCO requires two channels of SIAS actuation logic to be OPERABLE in MODEs 1, 2, and 3.
Failures in the actuation logic channels, including the manual bypass key switches, are
actuation logic failures and are addressed in this LCO.
Actuation l ogic consists of all circuitry housed within the actuation logic channels, including the
actuating relay contacts responsible for actuating
the ESF equipment.
It is also necessary to have an automatic or manual
SIAS for a complete actuation. The CSAS opens the
containment spray valves, whereas the SIAS actuates ESFAS Logic and Manual Actuation B 3.3.5 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-8 Revision 2 other required components. The SIAS requirement should always be satisfied on a legitimate CSAS, since the
Containment Pressure-High trip analytical setpoint used in the SIAS is the same analytical setpoint used in the
CSAS. The transmitters used to actuate CSAS are
independent of those used in the SIAS to prevent inadvertent containment spray due to failures in two sensor channels.
- a. Manual Actuation This LCO requires two channels of CSAS manual actuation to be OPERABLE in MODEs 1, 2, 3, and 4.
- b. Actuation Logic This LCO requires two channels of CSAS actuation logic to be OPERABLE in MODEs 1, 2, and 3.
Actuation l ogic consists of all circuitry housed within the actuation logic channels, including the
actuating relay contacts responsible for actuating
the ESF equipment.
- 3. CIS a. Manual Actuation This LCO requires two channels of CIS manual actuation to be OPERABLE in MODEs 1, 2, 3, and 4.
- b. Actuation Logic This LCO requires two channels of actuation logic for CIS to be OPERABLE in MODEs 1, 2, and 3.
Actuation l ogic consists of all circuitry housed within the actuation logic channels, including the
actuating relay contacts responsible for actuating the ESF equipment.
ESFAS Logic and Manual Actuation B 3.3.5 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-9 Revision 2
- 4. SGIS a. Manual Actuation This LCO requires one channel per MSIV of the SGIS manual actuation to be OPERABLE in MODEs 1, 2, 3, and 4. b. Actuation Logic This LCO requires two channels of SGIS actuation logic to be OPERABLE in MODEs 1, 2, and 3.
Failures in the actuation logic channels, including the manual bypass key switches, are
considered actuation logic failures and are addressed in the logic LCO.
- 5. RAS a. Manual Actuation This LCO requires two channels of RAS manual actuation to be OPERABLE in MODEs 1, 2, 3, and 4.
- b. Actuation Logic This LCO requires two channels of RAS actuation logic to be OPERABLE in MODEs 1, 2, and 3.
- 6. AFAS Signal A low level in either generator, as sensed by a two-out-of-four coincidence of four wide range sensors
for each generator, will generate an AFAS signal, which
starts both trains of AFW pumps and feeds both steam generators. The AFAS also monitors the secondary
differential pressure in both steam generators and
actuates an AFAS block signal to a ruptured generator
if the pressure in that generator is lower than the
other generator by the differential pressure setpoint (Reference 2).
- a. Manual Actuation This LCO requires two channels of AFAS manual actuation s tart to be OPERABLE in MODEs 1, 2, and 3.
ESFAS Logic and Manual Actuation B 3.3.5 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-10 Revision 2
- b. Actuation Logic This LCO requires two channels of AFAS actuation logic to be OPERABLE in MODEs 1, 2, and 3.
Actuation l ogic consists of all circuitry housed within the actuation logic channels, including the
actuating relay contacts responsible for actuating the ESF equipment.
APPLICABILITY All ESFAS Functions are required to be OPERABLE in MODEs 1, 2, and 3. In MODEs 1, 2, and 3, there is sufficient energy in the primary and secondary systems to warrant automatic
ESF s ystem responses to:
- Close the MSIVs to limit a positive reactivity addition;
- Actuate AFW to preclude the loss of the steam generators as a heat sink (in the event the normal
feedwater system is not available);
- Actuate ESF systems to prevent or limit the release of fission product radioactivity to the environment by
isolating C ontainment and limiting the containment pressure from exceeding the containment design pressure
during a design basis LOCA or other DBA s; and
- Actuate ESF systems to ensure sufficient borated inventory to permit adequate core cooling and
reactivity control during a design basis LOCA or MSLB
accident.
In MODEs 4, 5, and 6, automatic actuation of ESFAS Functions is not required, because adequate time is available for
plant operators to evaluate plant conditions and respond by
manually operating the ESF components if required.
Engineered Safety Features Actuation System manual actuation capability is required for Functions other than AFAS in
MODE 4 , even though automatic actuation is not required.
Because of the large number of components actuated on each
ESFAS, actuation is simplified by the use of the manual actuation push buttons. Manual a ctuation of AFAS is not required in MODE 4 because AFW or shutdown cooling will
already be in operation or available.
ESFAS Logic and Manual Actuation B 3.3.5 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-11 Revision 2 The ESFAS actuation logic must be OPERABLE in the same MODEs as the a utomatic and manual actuation
- s. In MODE 4, only the portion of the ESFAS logic responsible for the required
manual actuation must be OPERABLE.
In MODEs 5 and 6, ESFAS actuated systems are either reconfigured or disabled for shutdown cooling operation.
Accidents in these MODEs are slow to develop and would be mitigated by manual operation of individual components.
ACTIONS When the number of inoperable actuation logic or manual actuation channels in an ESFAS Function exceeds those specified in any related Condition associated with the same
ESFAS Function, the plant is outside the safety analysis.
Therefore, LCO 3.0.3 should be immediately entered
.
A Note has been added to the ACTIONS to clarify the
application of the Completion Time rules. The Conditions of
this Specification may be entered independently for each
Function in Table 3.3.5-1 in the LCO. Completion Times for
the inoperable actuation logic channel of a Function will be
tracked separately.
A.1 Condition A applies to one AFAS manual actuation or AFAS actuation logic channel inoperable. It is identical to Condition C for the other ESFAS Functions, except for the
shutdown track imposed by Condition D.
The channel must be restored to OPERABLE status to restore redundancy of the AFAS Function. The 48
-hour Completion Time is commensurate with the importance of avoiding the
vulnerability of a single failure in the only remaining
OPERABLE channel.
B.1 and B.2 If the Required Action and associated Completion Time of
Condition A cannot be met, the reactor should be brought to
a mode in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within
6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed ESFAS Logic and Manual Actuation B 3.3.5 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-12 Revision 2 Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full
power conditions in an orderly manner and without
challenging plant systems.
C.1 Condition C applies to one manual actuation or actuation logic channel inoperable for those ESFAS Functions that must be OPERABLE in MODEs 1, 2, 3, and 4 (manual actuation) or MODEs 1, 2, and 3 (actuation logic channel). Actuation l ogic includes the block logic modules when the affected block is in effect. The shutdown track imposed by
Condition D or E requires entry into MODE 4 or 5, respectively, where the LCO does not apply to the affected
Functions.
The channel must be restored to OPERABLE status to restore
redundancy of the affected Functions. The 48
-hour Completion Time is commensurate with the importance of
avoiding the vulnerability of a single failure in the only
remaining OPERABLE channel.
D.1 and D.2 Condition D is entered when the Required Action and
associated Completion Time of Condition C are not met for
one manual actuation channel. If Required Action C.1 for one manual actuation channel cannot be met within the required Completion Time, the plant must be brought to a
mode in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within
6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion
Times are reasonable, based on operating experience, to
reach the required plant conditions from full power
conditions in an orderly manner and without challenging plant systems.
E.1 and E.2 Condition E is entered when the Required Action and
associated Completion Time of Condition C are not met for
one actuation logic channel. If Required Action C.1 for one actuation logic channel cannot be met within the required Completion Time, the plant must be brought to a MODE in ESFAS Logic and Manual Actuation B 3.3.5 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-13 Revision 36 which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to
MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are
reasonable, based on operating experience, to reach the
required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
SURVEILLANCE SR 3.3.5.1 REQUIREMENTS
A CHANNEL FUNCTIONAL TEST is performed every 92 days to
ensure the entire actuation logic channel will perform its
intended function when needed. Sensor channel tests are
addressed in LCO 3.3.4. This SR addresses actuation logic
tests. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
Actuation Logic Tests Actuation logic channel testing includes injecting one
actuation signal into each two-out-of-four logic actuation
modules in each ESFAS Function, and using a bistable trip
input to satisfy the actuation logic. Testing includes
block logic modules.
Note 1 requires that actuation logic tests include operation of actuation relays. Note 2 allows deferred at power
testing of certain subchannel relays to allow for the fact
that operating certain relays during power operation could
cause plant transients or equipment damage. Those
subchannel relays that cannot be tested at power must be
tested in accordance with Note 2. These include SIAS No. 5, SIAS No. 10, CIS No. 5, SGIS No. 1, and CSAS No. 3.
These subchannel relays actuate the following components, which cannot be tested at power:
- RCP seal bleedoff isolation valves;
- Service water isolation valves; ESFAS Logic and Manual Actuation B 3.3.5 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-14 Revision 36
- Volume control tank discharge valves;
`* Letdown stop valves;
- Component Cooling to and from the RCPs;
- Instrument air CIVs;
- Heater drain pumps;
- Main feedwater pumps; and
- Condensate booster pumps.
The reasons each of the above cannot be fully tested at power are stated in Reference 1.
Actuation logic tests verify that the ESFAS is capable of performing its intended function, from bistable input
through the actuated components.
The Frequency of 92 days is based on operating experience that has shown these components usually pass the
surveillance test when performed at this Frequency.
SR 3.3.5.2 A CHANNEL FUNCTIONAL TEST is performed on the manual ESFAS
actuation circuitry, de-energizing relays and providing
manual actuation of the Function.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
This surveillance test verifies that the actuation push
buttons are capable of opening contacts in the actuation logic as designed, de-energizing the actuation relays and providing manual trip of the Function. The 24-month
Frequency is based on the need to perform this surveillance
test under the conditions that apply during a plant outage, and the potential for an unplanned transient if the test
were to be performed with the reactor at power. Operating ESFAS Logic and Manual Actuation B 3.3.5 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-15 Revision 36 experience has shown these components usually pass the surveillance test when performed at a Frequency of once every 24 months.
REFERENCES 1. UFSAR, Section 7.3, "Engineered Safety Features Actuation Systems" 2. Letter from Mr. R. E. Denton (BGE) to NRC Document Control Desk, dated June 5, 1995, "Response to NRC
Request for Review & Comment on Review of Preliminary
Accident Precursor Analysis of Trip; Loss of 13.8 kV
Bus; Short-Term Saltwater Cooling System Unavailability, CCNPP Unit 2" DG-LOVS B 3.3.6 B 3.3 INSTRUMENTATION B 3.3.6 Diesel Generator (DG)-Loss of Voltage Start (LOVS)
BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-1 Revision 36 BACKGROUND The DGs provide a source of emergency power, when offsite power is unavailable, to allow safe plant operation.
Undervoltage protection will generate a Loss of Voltage
Start (LOVS) signal in the event a loss of voltage or degraded voltage condition occurs. There are three LOVS Functions; loss of voltage, transient degraded voltage, and
steady state degraded voltage, for each 4.16 kV emergency
bus.
Each of the redundant 4 kV emergency buses is equipped with
two sets of two undervoltage relays. Each of the four
redundant and independent undervoltage relays is comprised
of three sensing elements. The first element of the four
relays is set to provide a two-out-of-four undervoltage
signal upon a loss of bus voltage. The second element of
the four relays is set to provide a two-out-of-four
transient undervoltage signal on 4 kV emergency bus
undervoltage. The third element of the four relays provides
a two-out-of-four steady state undervoltage signal on a
sustained 4 kV emergency bus undervoltage condition.
Settings and Tolerances The settings and tolerances are based on the analytical
limits presented in Reference 1. The selection of these
settings is such that adequate protection is provided when
all test equipment time delays are taken into account. The
transient and steady state undervoltage setpoints ensure
that the safety-related motors relied upon for accident
mitigation are provided with a minimum of 75% and 90% of
their rated voltage, respectively. The setting specified in
SR 3.3.6.2 allows for calibration tolerances, potential transformer correction factors, test equipment uncertainties, and relay drift. A detailed description of the methodology used to calculate the settings is provided
in Reference 2. The nominal setting accounts for factors
described above, plus additional margin to the analytical
limit. If the measured setting does not exceed the
documented surveillance trip acceptance criteria, the
undervoltage relay is considered OPERABLE.
DG-LOVS B 3.3.6 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-2 Revision 2 Settings will ensure that the consequences of accidents will be acceptable, providing the plant is operated from within
the LCOs at the onset of the accident and the equipment
functions as designed. A setting is the desired
characteristic, obtained as a result of having set a device, stated in terms of calibration markings or of actual performance benchmarks
, such as pickup current and operating time at a given value of input. The term setpoint applies to instruments, and since protective relays discussed here
are not instruments as discussed in other LCOs, the term
setpoint does not apply here.
The undervoltage detection scheme has been designed to sense
a degraded (transient or steady state) or total loss of
voltage at the 4 kV safety buses. The LOVS is sensed by 2
- second delay bistables in the ESFAS undervoltage sensor logic module. A complete loss of offsite power will result
in approximately a 2
-second delay in LOVS actuation. The DG starts and is available to accept loads within a 10 second
time interval after the ESFAS receives a LOVS. Emergency
power is established within the maximum time delay assumed
for each event analyzed in the accident analysis (Reference 1).
Sensor channels, measurement channels, sensor modules and
actuation logic are described in the Background for B 3.3.4.
Since there are four protective channels in a
two-out-of-four logic for each division of the 4.16 kV power
system, no single failure will prevent protective system actuation. This arrangement meets Reference 3 criteria. APPLICABLE The DG-LOVS is required for ESF systems to function in any SAFETY ANALYSES a ccident with a loss of offsite power. Its design basis is that of the ESFAS.
Accident analyses credit the loading of the DG based on a
loss of offsite power during a LOCA. The actual DG start has historically been associated with the ESFAS actuation.
The diesel loading has been included in the delay time
associated with each safety system component requiring DG
- supplied power following a loss of offsite power. The
analysis assumes a nonmechanistic DG loading, which does not DG-LOVS B 3.3.6 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-3 Revision 2 explicitly account for each individual component of the loss of power detection and subsequent actions. This delay time
includes contributions from the DG start, DG loading, and
Safety Injection System component actuation. The response
of the DG to a loss of power must be demonstrated to fall
within this analysis response time when including the contributions of all portions of the delay.
The required channels of LOVS, in conjunction with the ESF
systems powered from the DGs, provide plant protection in
the event of any of the analyzed accidents discussed in
Reference 1, Chapter 8 in which a loss of offsite power is assumed. Loss of v oltage s tart channels are required to meet the redundancy and testability requirements of Reference 1, Appendix 1C.
The delay times assumed in the safety analysis for the ESF
equipment include the 10
-second DG start delay and the appropriate sequencing delay, if applicable. The response
times for ESFAS
-actuated equipment include the appropriate DG loading and sequencing delay.
The DG-LOVS channels satisfy 10 CFR 50.36(c)(2)(ii), Criterion 3.
LCO The LCO for the LOVS requires that four channels per bus of
each LOVS instrumentation Function be OPERABLE in MODEs 1, 2, 3, and 4. The LOVS supports safety systems associated
with the ESFAS.
Actions allow maintenance bypass of individual sensor channels. The plant is restricted to 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> in a
maintenance bypass condition before either restoring the
Function to four channel operation (two-out-of-four logic)
or placing the channel in trip (one-out-of-three logic).
Loss of LOVS Function could result in the delay of safety
system actuation when required. This could lead to
unacceptable consequences during accidents. During the loss
of offsite power, which is a AOO , the DG powers the motor
-driven AFW pump. Failure of this pump to start would leave two turbine
-driven pumps as well as an increased potential DG-LOVS B 3.3.6 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-4 Revision 13 for a loss of decay heat removal through the secondary system.
Only Allowable Values are specified for each Function in the
LCO. Nominal trip settings are specified in the plant-
specific procedures. The nominal settings are selected to ensure that the setting measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is
performing as required. Operation with a trip setting less
conservative than the nominal trip setting, but within the
Allowable Value, is acceptable, provided that operation and
testing are consistent with the assumptions of the plant-
specific setting calculation. A channel is inoperable if
its actual trip setting is not within its required Allowable
Value.
The Allowable Values and trip settings are established in order to start the DGs at the appropriate time, in response
to plant conditions, in order to provide emergency power to
start and supply the essential electrical loads necessary to
safely shut down the plant and maintain it in a safe shutdown condition.
APPLICABILITY The DG-LOVS actuation Function is required in MODEs 1, 2, 3, and 4 because ESF Functions are designed to provide protection in these MODEs.
ACTIONS A LOVS sensor channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's Function. The
most common cause of sensor channel inoperability is
outright failure of the bistable (sensor module) or outright failure or drift of the measurement channel sufficient to exceed the tolerance allowed by the plant-specific setting
analysis. Determination of setting drift is generally made during the performance of a CHANNEL CALIBRATION when the
process instrument is set up for adjustment to bring it to
within specification. CHANNEL FUNCTIONAL TESTS check that the sensor modules are functioning properly. If the actual trip setting is not within the Allowable Value or not functioning , the channel is inoperable and the appropriate Conditions must be entered.
DG-LOVS B 3.3.6 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-5 Revision 2 In the event a sensor channel's setting is found to be nonconservative with respect to the Allowable Value, or the channel is found to be inoperable, then all affected Functions provided by that channel must be declared
inoperable and the LCO Condition entered. The required
channels are specified on a per DG basis.
When the number of inoperable channels in a Function exceeds
those specified in any related Condition associated with the
same Function, the plant is outside the safety analysis.
Therefore, LCO 3.0.3 should be entered immediately if
applicable in the current MODE of operation.
A Note has been added to the ACTIONS to clarify the
application of Completion Time rules. The Conditions of
this LCO may be entered independently for each Function.
The Completion Time(s) of the inoperable channel(s) of a
Function will be tracked separately for each Function, starting from the time the Condition was entered for that
Function.
A.1, A.2.1, and A.2.2 Condition A applies if one sensor channel is inoperable for
one or more Functions per DG bus.
If the channel cannot be restored to OPERABLE status, the
affected channel should either be bypassed or tripped within
1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action A.1).
Placing this channel in either Condition ensures that logic is in a known configuration. In trip, the LOVS l ogic is one-out-of-three. In bypass, the LOVS l ogic is two-out-of-three. The 1
-hour Completion Time is sufficient to perform these Required Actions.
Once Required Action A.1 has been complied with, Required Action A.2.1 allows 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to repair the inoperable sensor
channel. If the channel cannot be restored to OPERABLE
status, it must be tripped in accordance with Required
Action A.2.2. The time allowed to repair or trip the
channel is reasonable to repair the affected channel while
ensuring that the risk involved in operating with the DG-LOVS B 3.3.6 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-6 Revision 26 inoperable channel is acceptable. The 48-hour Completion Time is based upon operating experience, which has
demonstrated that a random failure of a second channel is a
rare event during any given 48-hour period.
B.1, B.2.1, and B.2.2 Condition B applies if two sensor channels are inoperable for one or more Functions per DG.
Restoring at least one channel to OPERABLE status is the
preferred action. If the channel cannot be restored to
OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, the Conditions and Required
Actions for the associated DG made inoperable by DG-LOVS
instrumentation are required to be entered. Alternatively, one affected channel is required to be bypassed and the
other is tripped, in accordance with Required Action B.2.1.
This places the Function in one-out-of-two logic. The
1-hour Completion Time is sufficient to perform the Required
Actions.
Once Required Action B.2.1 has been complied with, Required Action B.2.2 allows 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to repair the bypassed or
inoperable channel.
After one channel is restored to OPERABLE status, the provisions of Condition A still apply to the remaining
inoperable channel. Therefore, the channel that is still
inoperable after completion of Required Action B.2.2 shall
be placed in trip if more than 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> have elapsed since
the initial channel failure.
C.1 Condition C applies when more than two undervoltage or
degraded (transient or steady state) voltage sensor channels on a single bus are inoperable.
Required Action C.1 requires all but two channels to be restored to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. With more than
two channels inoperable, the logic is not capable of
providing a DG-LOVS signal for valid loss of voltage or
degraded voltage conditions. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is
reasonable to evaluate and take action to correct the DG-LOVS B 3.3.6 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-7 Revision 36 degraded condition in an orderly manner and takes into account the low probability of an event requiring LOVS
occurring during this interval.
D.1 Condition D applies if the Required Actions and associated Completion Times are not met.
Required Action D.1 ensures that Required Actions for the affected DG inoperabilities are initiated. The actions specified in LCO 3.8.1 are required immediately.
SURVEILLANCE The following SRs apply to each DG-LOVS Function.
REQUIREMENTS
SR 3.3.6.1 A CHANNEL FUNCTIONAL TEST is performed every 92 days to
ensure that the entire sensor channel will perform its
intended function when needed.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
The Frequency of 92 days is based on plant operating
experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one sensor
channel of a given function in any 92 day Frequency is a rare event. Any setting adjustment shall be consistent with the assumptions of the current plant specific setting
analysis.
SR 3.3.6.2 Surveillance Requirement 3.3.6.2 is the performance of a
CHANNEL CALIBRATION every 24 months. The CHANNEL
CALIBRATION verifies the accuracy of each component within
the sensor channel, except stepdown transformers, which are
not calibrated. This includes calibration of the
undervoltage relays and demonstrates that the equipment DG-LOVS B 3.3.6 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-8 Revision 36 falls within the specified operating characteristics defined by the manufacturer.
The SR verifies that the sensor channel responds to a
measured parameter within the necessary range and accuracy.
CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between
successive tests. CHANNEL CALIBRATIONS must be performed
consistent with the plant-specific setting analysis.
The as-found and as-left values must also be recorded and
reviewed for consistency with the assumptions of the SR
interval extension analysis. The requirements for this
review are outlined in Reference 4.
The settings, as well as the response to Loss of Voltage and Degraded Voltage tests, shall include a single point
verification that the trip occurs within the required delay
time as shown in Reference 1, Section 7.3. The Frequency is
based upon the assumption of a 24-month calibration interval
for the determination of the magnitude of equipment drift in the plant setting analyses.
REFERENCES 1. UFSAR
- 2. CCNPP Setpoint File
- 3. IEEE No. 279, "Proposed IEEE Criteria for Nuclear Power Plant Protection Systems," August 1968
- 4. Calvert Cliffs Procedure EN-4-104, "Surveillance Testing" CRS B 3.3.7 B 3.3 INSTRUMENTATION B 3.3.7 Containment Radiation Signal (CRS)
BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.7-1 Revision 19 BACKGROUND This LCO encompasses CRS actuation, which is a plant-specific instrumentation system that performs an actuation Function required to mitigate offsite dose, but is not
otherwise included in LCO 3.3.5 or LCO 3.3.6. This is a non-Nuclear Steam Supply System ESFAS Function that, because of differences in purpose, design, and operating
requirements, is not included in LCOs 3.3.5 and 3.3.6.
The CRS provides protection from radioactive contamination
in the Containment in the event an irradiated fuel assembly
should be severely damaged during handling.
The CRS will detect abnormal amounts of radioactive material
in the Containment and will initiate purge valve closure to
limit the release of radioactivity to the environment. The
containment purge supply and exhaust valves are closed on a
CRS when a high radiation level in Containment is detected.
The CRS includes two independent, redundant actuation logic channels. One actuation logic channel ("A" CRS Actuation
Logic Channel) secures the containment purge exhaust fan and
containment purge supply fan. This actuation logic channel
also initiates isolation valve closure. A list of actuated
valves and an additional description of the CRS are included
in Reference 1, Section 7.3. Both trains of CRS are
actuated on a two-out-of-four coincidence from the same four
containment radiation sensor channels.
Trip Setpoints and Allowable Values Trip setpoints used in the sensor modules are based on the
analytical limits stated in Reference 1, Chapter 14. The
selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account in the respective analytical
limits. To allow for calibration tolerances, instrumentation uncertainties, and sensor channel drift, sensor module trip setpoints are conservatively adjusted
with respect to the analytical limits. A detailed
description of the methodology used to calculate the trip
setpoints, including their explicit uncertainties, is CRS B 3.3.7 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.7-2 Revision 19 provided in Reference 2. The actual nominal trip setpoint entered into the sensor module is more conservative than
that specified by the Allowable Value. One example of such
a change in measurement error is drift during the SR
interval. If the measured setpoint does not exceed the
Allowable Value, the bistable is considered OPERABLE.
Sensor channels, measurement channels, sensor modules, and
actuation logic are described in the Background for B 3.3.4.
Setpoints in accordance with the Allowable Value will help
ensure that 10 CFR Part 100 exposure limits are not violated
during a Fuel Handling Accident, providing the plant is
operated from within the LCOs at the onset of the Fuel Handling Accident and the equipment functions as designed.
APPLICABLE The CRS satisfies the requirements of 10 CFR SAFETY ANALYSES 50.36(c)(2)(ii), Criterion 3.
LCO Only the Allowable Values are specified in the LCO.
Operation with a trip setpoint less conservative than the
nominal trip setpoint, but within its Allowable Value, is
acceptable, provided that operation and testing are
consistent with the assumptions of the plant-specific
setpoint calculations.
Each nominal trip setpoint specified is more conservative
than the analytical limit assumed in the Fuel Handling
Accident analysis in order to account for instrument
uncertainties appropriate to the actuation Function. These
uncertainties are defined in Reference 2. A sensor channel
is inoperable if its actual trip setpoint is not within its
required Allowable Value.
The Bases for the LCO on the CRS are discussed below for each Function: a. Manual Actuation The LCO on manual actuation backs up the automatic actuations and ensures operators have the capability to
rapidly initiate the CRS Function if any parameter is
trending toward its setpoint. At least one channel CRS B 3.3.7 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.7-3 Revision 29 must be OPERABLE to be consistent with the requirements of LCO 3.9.3.
- b. Containment Radiation-High Trip The LCO on the radiation sensor channels requires that all four be OPERABLE. The radiation sensor channels have a measurement range of 10 10 4 mr/hr. The Containment Radiation-High trip setpoint is based on sensing radiation resulting from a fuel handling
accident in order to prevent a release of radioactivity
through the containment purge system.
- c. Actuation Logic One channel of actuation logic must be OPERABLE to be consistent with the requirements of LCO 3.9.3. If one fails, it must be restored to OPERABLE status.
APPLICABILITY In MODE 5 or 6, the CRS isolation of containment purge valves is not required to be OPERABLE. However, during movement of irradiated fuel, there is the possibility of a
Fuel Handling Accident requiring the CRS on high radiation
in Containment. Accordingly, the CRS must be OPERABLE when moving any irradiated fuel in Containment when the
containment purge valves are open.
In MODEs 1, 2, 3, and 4, the containment purge valves are sealed closed.
ACTIONS A CRS sensor channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's Function. The
most common cause of channel inoperability is outright
failure or drift of the sensor module or measurement channel
sufficient to exceed the tolerance allowed by Reference 2.
Typically, the drift is not large, which at worst would
result in a delay of actuation rather than a total loss of
Function. This determination is generally made during the
performance of a CHANNEL CALIBRATION when the process
instrument is set up for adjustment to bring it within
specification. Sensor drift could also be identified during
CHANNEL CHECKS. CHANNEL FUNCTIONAL TESTS identify sensor
module drift. If the actual trip setpoint is not within the CRS B 3.3.7 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.7-4 Revision 29 Allowable Value in SR 3.3.7.2, the channel is inoperable and the appropriate Conditions must be entered.
In the event that either a sensor channel's trip setpoint is
found nonconservative with respect to the Allowable Value, or the sensor, instrument loop, signal processing electronics, or sensor module is found inoperable, that channel should be declared inoperable and the LCO Condition
entered.
A.1 and A.2 Condition A applies to the failure of one Containment
Radiation-High trip CRS channel. The Required Action is to
place the affected channel in the trip condition within
4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, or suspend movement of irradiated fuel assemblies within Containment immediately. The Completion Time
accounts for the fact that three redundant channels
monitoring containment radiation are still available to
provide a single trip input to the CRS logic to provide the
automatic mitigation of a radiation release.
B.1 and B.2 Condition B applies to the failure of the required manual
actuation or actuation logic, to the failure of more than
one radiation sensor channel, or if the Required Action and
associated Completion Time of Condition A are not met.
Required Action B.1 is to place the containment purge and
exhaust isolation valves in the closed position. The
Required Action immediately performs the isolation Function
of the CRS. Required Action B.2 is to immediately enter the
applicable Conditions and Required Actions for the affected
isolation valves of LCO 3.9.3 that were made inoperable by
the inoperable instrumentation of the CRS LCO. The Required
Action directs the operator to take actions appropriate for the containment isolation Function of the CRS. The Completion Time accounts for the fact that the automatic
capability to isolate Containment on valid containment high
radiation signals is degraded during conditions in which a
Fuel Handling Accident is possible and CRS provides the only automatic mitigation of radiation release.
CRS B 3.3.7 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.7-5 Revision 36 SURVEILLANCE SR 3.3.7.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures
that a gross failure of instrumentation has not occurred. A
CHANNEL CHECK is normally a comparison of the parameter
indicated on one sensor channel to a similar parameter on other channels. It is based on the assumption that sensor channels monitoring the same parameter should read
approximately the same value.
Significant deviations between the two sensor channels could
be an indication of excessive sensor channel drift in one of
the channels or of something more serious. CHANNEL CHECK
will detect gross channel failure; thus, it is key to
verifying the instrumentation continues to operate properly
between each CHANNEL CALIBRATION.
Agreement criteria are determined by the plant staff, based on a qualitative assessment of the sensor channel that
considers sensor channel uncertainties, including indication
and readability. If a channel is outside the criteria, it
may be an indication that the transmitter or the signal
processing equipment has drifted outside its limits.
The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of sensor channel
failure. Since the probability of two random failures in
redundant channels in any 12-hour period is low, the CHANNEL
CHECK minimizes the chance of loss of protective function
due to failure of redundant channels. The CHANNEL CHECK
supplements less formal, but more frequent, checks of the
channel during normal operational use of the displays.
SR 3.3.7.2 Proper operation of the actuation relays is verified by verification of the relay driver output signal.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification CRS B 3.3.7 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.7-6 Revision 36 tests at least once per refueling interval with applicable extensions.
The Frequency of 92 days is based on plant operating
experience with regard to actuation channel OPERABILITY, which demonstrates that failure of more than one channel of a given Function in any 92-day interval is a rare event.
SR 3.3.7.3 A CHANNEL FUNCTIONAL TEST is performed on each containment
radiation sensor channel to ensure the entire channel, except for sensor and initiating relays, will perform its
intended function.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
The Frequency of 92 days is based on plant operating
experience with regard to sensor channel OPERABILITY and
drift, which demonstrates that failure of more than one
channel of a given Function in any 92-day interval is a rare
event.
SR 3.3.7.4 CHANNEL CALIBRATION is a check of the sensor channel
including the sensor. The Surveillance verifies that the
channel responds to a measured parameter within the
necessary range and accuracy. CHANNEL CALIBRATION leaves
the channel adjusted to account for sensor channel drift
between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with Reference 2.
The Frequency is based upon the assumption of a 24-month
calibration interval based on the refueling interval and the
instruments not being inservice during power operations, but
part of preparation for being placed in service is a CHANNEL
CALIBRATION.
CRS B 3.3.7 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.7-7 Revision 36 SR 3.3.7.5 Every 24 months, a CHANNEL FUNCTIONAL TEST is performed on
the manual CRS actuation circuitry.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
This surveillance test verifies that the actuation push
buttons are capable of opening contacts in the actuation
logic as designed, de-energizing the actuation relays and
providing manual actuation of the Function. The 24-month
Frequency is based on the need to perform this SR under the
conditions that apply during a plant outage and the
potential for an unplanned transient if the SR were
performed with the reactor at power. Operating experience
has shown these components usually pass the surveillance
test when performed at a Frequency of once every 24 months.
SR 3.3.7.6 This surveillance test ensures that the train actuation
response times are less than or equal to the maximum times
assumed in the analyses. Response times are defined in the
same manner as ESF RESPONSE TIME. Response time testing
acceptance criteria are included in Reference 1, Section 7.3. The 24-month Frequency is based upon plant
operating experience, which shows random failures of
instrumentation components causing serious response time
degradation, but not channel failure, are infrequent
occurrences. Testing of the final actuating devices, which make up the bulk of the response time, is included. Testing of the final actuating device is one channel is included in the testing of each actuation logic channel.
REFERENCES 1. UFSAR 2. CCNPP Setpoint File
CRRS B 3.3.8 B 3.3 INSTRUMENTATION B 3.3.8 Control Room Recirculation Signal (CRRS)
BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.8-1 Revision 8 BACKGROUND This LCO encompasses CRRS actuation, which is a plant-specific instrumentation channel that performs an actuation Function required for plant protection, but is not otherwise
included in LCO 3.3.5 or LCO 3.3.6. This is a non-Nuclear Steam Supply System ESFAS Function that, because of differences in purpose, design, and operating requirements, is not included in LCO 3.3.5 and LCO 3.3.6.
The CRRS ensures the supply of outside air to the Control Room is terminated , shuts off the kitchen and toilet exhaust fan, and initiates actuation of the Control Room Emergency
Ventilation System (CREVS) fans and places filters in
service to minimize operator radiation exposure. This
places CREVS in filtered recirculation mode. When the
radiation level signal from the measurement channel exceeds
the trip setpoint, the trip circuit sends a CRRS to actuate
equipment placing CREVS in filtered recirculation mode.
Control Room isolation also occurs on a SIAS.
Trip Setpoints and Allowable Values The Trip setpoint used in the trip circuit is conservatively
adjusted with respect to the Allowable Value. One example
of such a change in measurement error is drift during the SR
interval. If the measured setpoint does not exceed the Allowable Value, the trip circuit is considered OPERABLE.
APPLICABLE The CRRS, in conjunction with the CREVS, maintains the SAFETY ANALYSES control room atmosphere within conditions suitable for prolonged occupancy throughout the duration of any one of
the accidents discussed in Reference 1, Chapter 14. The
radiation exposure of control room personnel, through the
duration of any one of the postulated accidents discussed in
Reference 1, Chapter 14, meets the intent of Reference 1, Appendix 1C.
The CRRS satisfies the requirements of 10 CFR 50.36(c)(2)(ii), Criterion 3.
CRRS B 3.3.8 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.8-2 Revision 2 LCO LCO 3.3.8 requires one channel of CRRS to be OPERABLE. The required channel consists of a trip circuit and the gaseous
radiation monitor (measurement channel). The specific
Allowable Value for the setpoint of the CRRS is listed in
the SRs. Only the Allowable Value is specified for the trip Function in the LCO. Operation with a trip setpoint less
conservative than the nominal trip setpoint, but within its
Allowable Value, is acceptable.
Operation and testing are consistent with the assumptions of
Reference 2. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.
The Bases for the LCO on the CRRS is that one channel of
a irborne radiation detection and trip circuitry is required to be OPERABLE to ensure the Control Room isolates on high gaseous concentration. The Allowable Value was established
as part of original plant design. It provides reasonable assurance of safety for c ontrol r oom personnel.
APPLICABILITY The CRRS Functions must be OPERABLE in MODEs 1, 2, 3, and 4, and during movement of irradiated fuel assemblies to ensure a habitable environment for the control room operators.
ACTIONS A CRRS channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's function. The most
common cause of channel inoperability is outright failure or
drift of the trip circuit or measurement channel sufficient
to exceed the nominal trip setpoint. Typically, the drift
is not large
, which at worst would result in a delay of actuation rather than a total loss of function. This
determination is generally made during the performance of a
CHANNEL CALIBRATION when the process instrument is set up
for adjustment to bring it to within specification. CHANNEL
FUNCTIONAL TESTS identify trip circuit drift. If the trip
setpoint is not within the Allowable Value, the channel is
inoperable and the appropriate Conditions must be entered.
CRRS B 3.3.8 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.8-3 Revision 2 A.1, B.1, B.2, C.1, C.2.1, and C.2.2 Conditions A, B, and C are applicable to the CRRS trip circuit and measurement channel. Condition A applies to the
failure of the CRRS trip circuit or measurement channel in
MODE 1, 2, 3, or 4. Entry into this Condition requires
action to either restore the failed channel or manually perform the CREVS function (Required Action A.1). The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is sufficient to complete the
Required Actions. If the channel cannot be restored to
OPERABLE status, the plant must be brought to a MODE in
which the LCO does not apply. To achieve this status, the
plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and
to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The Completion Times of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />
and 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> for reaching MODEs 3 and 5 from MODE 1 are reasonable, based on operating experience and normal
cooldown rates, for reaching the required MODE from full
power conditions in an orderly manner and without
challenging plant safety systems or operators.
Condition C applies to the failure of the CRRS trip circuit
or measurement channel when moving irradiated assemblies.
The Required Actions are immediately taken to place one
OPERABLE CREVS train in the recirculation mode with post-
LOCA fans in service or to suspend movement of irradiated
fuel assemblies. The Completion Time recognizes the fact
that the radiation signal is the only Function available to
initiate control room isolation in the event of a F uel H andling A ccident.
SURVEILLANCE SR 3.3.8.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred.
CHANNEL CHECK will detect gross channel failure; thus, it is
key to verifying the instrumentation continues to operate
properly between each CHANNEL CALIBRATION.
Acceptance criteria are determined by the plant staff based
on a combination of the channel instrument uncertainties, including indication and readability. If a channel is
outside the criteria, it may be an indication that the CRRS B 3.3.8 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.8-4 Revision 36 transmitter or the signal processing equipment has drifted outside its limit.
The Frequency, about once every shift, is based on operating
experience that demonstrates the rarity of channel failure.
The CHANNEL CHECK supplements less formal, but more frequent, checks of channel OPERABILITY during normal operational use of the displays associated with the LCO
required channels. In addition, a down-scale alarm and up-
scale alarm immediately alert operations to loss of the
channel.
SR 3.3.8.2 A CHANNEL FUNCTIONAL TEST is performed on the control room
radiation monitoring channel to ensure the entire channel
will perform its intended function.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
The Frequency of 92 days is based on plant operating
experience with regard to channel OPERABILITY and drift.
SR 3.3.8.3 CHANNEL CALIBRATION is a check of the CRRS channel, including the sensor. The surveillance test verifies that
the channel responds to a measured parameter within the
necessary range and accuracy. CHANNEL CALIBRATION leaves
the channel adjusted to account for channel drift between
successive calibrations to ensure that the channel remains operational between successive surveillance tests. CHANNEL CALIBRATIONS must be performed consistent with Reference 2.
The Frequency of 24 months has been shown by operating experience to be adequate to detect any failures.
REFERENCES 1. UFSAR 2. CCNPP Setpoint File CVCS Isolation Signal B 3.3.9 B 3.3 INSTRUMENTATION B 3.3.9 Chemical and Volume Control System (CVCS) Isolation Signal
BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-1 Revision 2 BACKGROUND This LCO encompasses CVCS Isolation Signal actuation. This is a plant
-specific instrumentation channel that performs an actuation Function required for plant protection and is not otherwise included in LCO 3.3.5 or LCO 3.3.6
. This is a non-Nuclear Steam Supply System ESFAS Function that, because
of differences in purpose, design, and operating
requirements, is not included in LCOs 3.3.5 and 3.3.6.
The CVCS Isolation Signal isolates the RCS and provides protection from radioactive contamination, as well as
personnel and equipment protection in the event of a letdown
line rupture outside C ontainment (Reference 1).
Each of the two actuation logic channels will isolate a
separate letdown isolation valve in response to a high
pressure condition in either the West Penetration Room or
Letdown Heat Exchanger Room. Two pressure detectors in each
of these rooms feed the four sensor channels. On a
two-out-of-four coincidence, both actuation logic channels
will actuate.
Trip Setpoints and Allowable Values Trip setpoints used in the sensor modules are based on
Reference 2 to protect personnel and equipment and minimize radioactive contamination. The selection of these trip
setpoints is such that adequate protection is provided when
all sensor and processing time delays are taken into
account. To allow for calibration tolerances, instrumentation uncertainties, and sensor channel drift, sensor module trip setpoints are conservatively adjusted
with respect to the Allowable Value. A detailed description
of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in Reference 2
. The actual nominal trip setpoint entered into the sensor module is more conservative than that specified by the Allowable Value. One example of such a change in
measurement error is drift during the SR interval. If the measured setpoint does not exceed the Allowable Value, the
sensor module is considered OPERABLE.
CVCS Isolation Signal B 3.3.9 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-2 Revision 2 Sensor modules, measurement channels, sensor channels, and actuation logic are described in the B ackground for B 3.3.4.
APPLICABLE The CVCS Isolation Signal is redundant to the SIAS for SAFETY ANALYSES letdown line breaks outside C ontainment (Reference 2). In addition, an excess flow check valve is located in
C ontainment just downstream of the regenerative heat exchanger, which is designed to isolate letdown when flow
exceeds 255 gpm.
The CVCS satisfies the requirements of 10 CFR 50.36(c)(2)(ii), Criterion 3.
LCO Only the Allowable Values are specified in the LCO.
Operation with a trip setpoint less conservative than the
nominal trip setpoint, but within its Allowable Value, is
acceptable, provided that operation and testing are
consistent with the assumptions of the plant
-specific setpoint calculations.
Each nominal trip setpoint specified is more conservative
than the Allowable Value, in order to account for instrument
uncertainties appropriate to the trip Function. These
uncertainties are defined in Reference 2
. Chemical and Volume Control System isolation consists of closing the appropriate valve. This is undesirable at power, since letdown isolation will result (Reference 3).
The absence of letdown flow will significantly decrease the
charging flow temperature due to the absence of the
regenerative heat exchanger preheating, causing unnecessary
thermal stress to the charging nozzle. Therefore, the
preferred action is to restore the valve function to
OPERABLE status.
Four channels of w est p enetration r oom and l etdown h eat e xchanger r oom pressure sensors, and two actuation logic channels are required to be OPERABLE.
The Allowable Values and trip setpoints are established in
order to isolate the CVCS from C ontainment
, in the event of a letdown line rupture outside C ontainment
, to minimize CVCS Isolation Signal B 3.3.9 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-3 Revision 2 radioactive contamination and protect personnel and equipment.
APPLICABILITY The CVCS Isolation Signal must be OPERABLE in MODEs 1, 2, 3, and 4, since the possibility of a loss of coolant accident
is greatest in these MODEs. In MODE 5 or 6, the probability is greatly diminished, and there is time to manually isolate CVCS. ACTIONS A CVCS isolation channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's Function.
The most common cause of channel inoperability is outright
failure or drift of the sensor module or measurement channel
sufficient to exceed the tolerance allowed by Reference 2. Typically, the drift is not large and would result in a
delay of actuation rather than a total loss of function.
This determination is generally made during the performance
of a CHANNEL CALIBRATION when the process instrument is set
up for adjustment to bring it to within specification.
Sensor drift could also be identified during CHANNEL CHECKS.
CHANNEL FUNCTIONAL TESTS identify sensor module drift. If
the trip setpoint is not consistent with the Allowable Value
in SR 3.3.9.2, the channel must be declared inoperable
immediately and the appropriate Conditions must be entered.
In the event a sensor channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the sensor, instrument loop, signal processing electronics, or
bistable is found inoperable, that channel should be declared inoperable and the LCO Condition entered.
When the number of inoperable sensor channels in a trip
Function exceeds those specified in any related Condition
associated with the same trip Function, the plant is outside the safety analysis. Therefore, LCO 3.0.3 should be
immediately entered if applicable in the current MODE of
operation.
A.1 Condition A applies to the failure of one CVCS actuation logic channel associated with the CVCS Isolation Signal.
Required Action A.1 requires restoration of the inoperable CVCS Isolation Signal B 3.3.9 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-4 Revision 2 channel to restore redundancy of the affected Function. The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is consistent with the
Completion Time of other ESFAS Functions and should be
adequate for most repairs, while minimizing the risk of
operating with an inoperable channel.
B.1, B.2.1, and B.2.2 Condition B applies if one of the four CVCS sensor channels is inoperable. The Required Actions are identical to those
of ESFAS Functions employing four redundant sensors
specified in LCO 3.3.4
. The channel must be placed in bypass or trip if it cannot be repaired within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action B.1). The provision of four sensor
channels allows one channel to be bypassed (removed from
service) during operations, placing the ESFAS in
two-out-of-three coincidence logic. Placing the channel in
bypass is preferred, since the CVCS isolation Function will
be in two-out-of-three logic. This will avoid possible
inadvertent CVCS isolation if an additional channel fails.
The 1-hour Completion Time to bypass or trip the channel is sufficient time to perform the Required Actions.
Once the Required Action to trip or bypass the sensor
channel has been complied with, Required Action B.2.1 and
Required Action B.2.2 provide for restoring the channel to
OPERABLE status or placing it in trip within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />.
Required Action B.2.1 restores the full capability of the
Function. Required Action B.2.2 places the Function in a
one-out-of-three configuration. In this configuration, common cause failure of dependent channels cannot prevent
CVCS isolation actuation. The Completion Time provides the
operator with time to take appropriate actions and still
ensures that any risk involved in operating with a failed
channel is acceptable. It is improbable that a failure of a second channel will occur during any given 48
-hour period.
C.1 and C.2 Condition C applies if two of the four CVCS w est p enetration r oom/l etdown h eat e xchanger r oom Pressure-High trip sensor channels are inoperable. The Required Actions are identical
to those for other ESFAS Functions employing four redundant
sensors in LCO 3.3.4.
CVCS Isolation Signal B 3.3.9 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-5 Revision 26 Restoring at least one sensor channel to OPERABLE status is the preferred Required Action. If this cannot be
accomplished, one channel should be placed in bypass and the
other channel in trip. The allowed Completion Time of
1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is sufficient time to perform the Required Actions.
Once the Required Action to trip or bypass the channel has been complied with, Required Action C.2 provides for
restoring one channel to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />.
The justification of the 48-hour Completion Time is the same
as for Condition B.
After one channel is restored to OPERABLE status, the
provisions of Condition C still apply to the remaining
inoperable channel.
D.1 and D.2 Condition D specifies the shutdown track to be followed if
the Required Actions and associated Completion Times of
Condition A, B, or C are not met. If the Required Actions
cannot be met within the required Completion Time, the plant
must be brought to a MODE in which the LCO does not apply.
To achieve this status, the plant must be brought to at
least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.
The Completion Times are reasonable, based on operating
experience, to reach the required MODE from full power
conditions in an orderly manner and without challenging plant systems.
SURVEILLANCE SR 3.3.9.1 REQUIREMENTS Performance of the CHANNEL CHECK on each CVCS isolation pressure indicating sensor channel once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />
ensures that a gross failure of instrumentation has not
occurred. A CHANNEL CHECK is normally a comparison of the
parameter indicated on one channel to a similar parameter on
other channels. It is based on the assumption that sensor
channels monitoring the same parameter should read
approximately the same value.
Significant deviations between the two sensor channels could
be an indication of excessive sensor channel drift in one of
the channels or of something more serious. CHANNEL CHECK CVCS Isolation Signal B 3.3.9 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-6 Revision 36 will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly
between each CHANNEL CALIBRATION.
Agreement criteria are determined by the plant staff, based
on a qualitative assessment of the sensor channel that considers sensor channel uncertainties, including indication and readability. If a channel is outside the criteria, it
may be an indication that the transmitter or the signal
processing equipment has drifted outside its limit.
The Frequency, about once every shift, is based on operating
experience that demonstrates the rarity of channel failure.
Since the probability of two random failures in redundant
channels in any 12-hour period is low, the CHANNEL CHECK
minimizes the chance of loss of protective function due to
failure of redundant channels. The CHANNEL CHECK
supplements less formal, but more frequent, checks of
channels during normal operational use of the displays.
SR 3.3.9.2 A CHANNEL FUNCTIONAL TEST is performed on each sensor
channel to ensure the entire channel, except for sensor and
initiation logic, will perform its intended function.
A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
The Frequency of 92 days is based on plant operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of
a given Function in any 92-day interval is a rare event.
Note 1 indicates proper operation of the individual
actuation relays is verified by verification of proper relay
driver output signal. Note 2 indicates that relays that
cannot be tested at power are excepted from the SR while at CVCS Isolation Signal B 3.3.9 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-7 Revision 36 power. These relays must, however, be tested once per 24 months.
SR 3.3.9.3 CHANNEL CALIBRATION is a check of the sensor channel
including the sensor. The surveillance test verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves
the channel adjusted to account for sensor channel drift
between successive calibrations to ensure that the channel
remains operational between successive tests. CHANNEL
CALIBRATIONS must be performed consistent with Reference 2.
The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the SR
interval extension analysis. The requirements for this
review are outlined in Reference 4.
Radiation detectors may be removed and calibrated in a laboratory, calibrated in place using a transfer source, or
replaced with an equivalent laboratory calibrated unit.
The Frequency is based upon the assumptions of a 24-month calibration interval for the determination of the magnitude
of equipment drift in the setpoint analysis, and includes
operating experience, as well as consistency with a 24-month
fuel cycle.
SR 3.3.9.4 This surveillance test ensures that the train actuation
response times are less than or equal to the maximum times
assumed in the analyses. Response times are defined in the
same manner as ESF RESPONSE TIME. The 24-month Frequency is
based upon plant operating experience, which shows random failures of instrumentation components causing serious response time degradation, but not channel failure, are
infrequent occurrences. Testing of the final actuating
devices, which make up the bulk of the response time, is
included. Testing of the final actuating device in one
channel is included in the testing of each actuation logic channel.
CVCS Isolation Signal B 3.3.9 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-8 Revision 36 REFERENCES 1. Updated Final Safety Analysis Report, Section 7.3, "Engineered Safety Features Actuation Systems" and Section 10A.7.17, "Leak Detection Equipment"
- 2. CCNPP Setpoint File
- 3. Letter from Mr. R. E. Denton (BGE) to NRC Document Control Desk, dated June 6, 1995, "License Amendment Request; Extension of Instrument Surveillance Intervals"
- 4. Calvert Cliffs Procedure EN-4-104, "Surveillance Testing" PAM Instrumentation B 3.3.10 B 3.3 INSTRUMENTATION B 3.3.10 Post-Accident Monitoring (PAM) Instrumentation
BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-1 Revision 2 BACKGROUND The primary purpose of the PAM instrumentation is to display plant variables that provide information required by the control room operators during accident situations. This
information provides the necessary support for the operator to take the manual actions, for which no automatic control is provided, that are required for safety systems to
accomplish their safety Functions for DBA s (Reference 1).
The OPERABILITY of the PAM instrumentation ensures that
there is sufficient information available on selected plant
parameters to monitor and assess plant status and behavior
following an accident.
The availability of PAM instrumentation is important so that
responses to corrective actions can be observed and the need
for, and magnitude of, further actions can be determined.
These essential indicator channels are identified by plant
-specific documents (Reference 2) addressing the
recommendations of Reference 3
, as required by Reference 4
.
Type A variables are included in this LCO because they
provide the primary information required to permit the
control room operator to take specific manually
-controlled actions, for which no automatic control is provided, that
are required for safety systems to accomplish their safety
functions for some DBAs.
Category I variables are the key variables deemed risk
significant because they are needed to:
- Determine whether other systems important to safety are performing their intended functions;
- Provide information to the operators that will enable them to determine the potential for causing a gross
breach of the barriers to radioactivity release; and
- Provide information regarding the release of radioactive materials to allow for early indication of
the need to initiate action necessary to protect the
public and for an estimate of the magnitude of any
impending threat.
PAM Instrumentation B 3.3.10 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-2 Revision 2 These key variables are identified by plant
-specific analyses in Reference 2
. These analyses identified the plant-specific Type A and Category I variables and provided justification for deviating from the NRC proposed list of Category I variables.
APPLICABLE The PAM instrumentation ensures the OPERABILITY of
SAFETY ANALYSES Reference 3 Type A variables, so that the control room operating staff can:
- Perform the diagnosis specified in the emergency operating procedures. These variables are restricted
to preplanned actions for the primary success path of
DBAs; and
- Take the specified, preplanned, manually
-controlled actions, for which no automatic control is provided, that are required for safety systems to accomplish
their safety functions.
The PAM instrumentation also ensures OPERABILITY of
Category I, non-Type A variables. This ensures the control
room operating staff can:
- Determine whether systems important to safety are performing their intended functions;
- Determine the potential for causing a gross breach of the barriers to radioactivity release;
- Determine if a gross breach of a barrier has occurred; and
- Initiate action necessary to protect the public
, as well as to obtain an estimate of the magnitude of any impending threat.
Post-a ccident m onitoring instrumentation that satisfies the definition of Type A in Reference 3 meets 10 CFR 50.36(c)(2)(ii), Criterion 3.
Category I, non-Type A PAM instruments are retained in the
Specification because they are intended to assist operators
in minimizing the consequences of accidents. Therefore, PAM Instrumentation B 3.3.10 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-3 Revision 14 these Category I variables are important in reducing public risk. LCO Limiting Condition for Operation 3.3.10 requires two
OPERABLE indication channels for all but one Function to
ensure no single failure prevents the operators from being
presented with the information necessary to determine the
status of the plant and to bring the plant to, and maintain
it in, a safe condition following that accident.
Furthermore, provision of two indication channels allows a CHANNEL CHECK during the post-accident phase to confirm the
validity of displayed information.
An indication channel consists of field transmitters or process sensors and associated instrumentation, providing a
measurable electronic signal based upon the physical
characteristics of the parameter being measured, plus a
display of the measured parameter.
The exceptions to the two-channel requirement are CIV position and the subcooled margin monitoring (SMM) instrumentation. In the case of valve position, the important information is the status of the containment
penetrations. The LCO requires one position indicator for
each active CIV. This is sufficient to redundantly verify
the isolation status of each isolable penetration, either
via indicated status of the active valve and prior knowledge
of the passive valve, or via system boundary status. If a
normally active CIV is known to be closed and deactivated, position indication is not needed to determine status.
Therefore, the position indication for valves in this state
is not required to be OPERABLE. Alternate means are
available for obtaining information provided by the SMM instrumentation.
Listed below are discussions of the specified instrument
Functions listed in Table 3.3.10-1.
- 1. Wide Range Logarithmic Neutron Flux Monitors Wide range logarithmic neutron flux is a Category I variable indication is provided to verify reactor
shutdown.
PAM Instrumentation B 3.3.10 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-4 Revision 19 The wide range logarithmic neutron flux PAM channels consist of two wide range neutron monitoring channels.
2, 3. RCS Outlet and Inlet Temperature Reactor Coolant System outlet and inlet temperatures are Category I variables provided for verification of
core cooling and long-term surveillance.
Reactor outlet temperature inputs to the PAM are provided by four resistance elements and associated
transmitters in each loop. The channels provide indication over a range of 50 F to 700 F. 4. SMM The RCS SMM is part of the PAM System and is provided to monitor inadequate core cooling by calculating the
margin to saturation based on the RCS pressure/
temperature relationships and displaying the calculated
margin in degrees F on a control room display. Also, a
control room low subcooled margin alarm is provided.
The RCS SMM portion of the PAM System is
microprocessor-based and is provided with inputs from
the RCS hot legs, cold legs, and wide range RCS
pressure channels. The core exit thermocouple (CET) SMM and upper head SMM functions are not required for
channel operability.
The RCS SMM is one of three components of inadequate core cooling instrumentation. With the SMM portion of
the PAM System inoperable, the CETs and the reactor
vessel water level heated junction thermocouple (HJTC)
sensors provide diverse indication of core cooling.
Alternate indications and methods for calculating subcooled margin exist in the e vent of a PAM System failure. 5. Reactor Vessel Water Level Reactor vessel water level indication is provided for verification and long-term surveillance testing of core
cooling.
PAM Instrumentation B 3.3.10 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-5 Revision 19 This indication uses HJTC technology. This technology measures reactor coolant inventory with discrete heated
junction thermocouple sensors located in different
levels within a separator tube. The sensors enable a
direct measurement of the collapsed liquid level above the fuel alignment plate. The collapsed level represents the amount of liquid mass that is in the
reactor vessel above the core. Measurement of the
collapsed water level is selected because it is a
direct indication of the water inventory. The
collapsed level is obtained over the same temperature
and pressure range as the saturation measurements, thereby encompassing all operating and accident
conditions where it must function. Also, it functions
during the recovery interval. Therefore, it is
designed to survive the high steam temperature that may
occur during the preceding core recovery interval.
The level range extends from the top of the vessel down to 10" above the top of the fuel alignment plate. The
response time is short enough to track the level during
small break LOCA events. The resolution is sufficient
to show the initial level drop, the key locations near
the hot leg elevation, and the lowest levels just above
the alignment plate. This provides the operator with
adequate indication to track the progression of the
accident and to detect the consequences of its
mitigating actions or the functionality of automatic
equipment.
A channel has eight sensors in a probe. A channel is OPERABLE if four sensors, one in the upper three and
three in the lower five, are OPERABLE.
- 6. Containment Sump Water Level (wide range) Monitor Containment sump water level monitors are provided for verification and long-term surveillance of RCS
integrity.
Containment sump water level instrumentation consists of two level transmitters that provide input to control
room indicators. The transmitters are located above PAM Instrumentation B 3.3.10 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-6 Revision 19 the containment flood level and utilize sealed reference legs to sense water level.
- 7. Containment Pressure (wide range) Monitor The containment pressure monitor is provided for verification of RCS and containment OPERABILITY.
Containment pressure instrumentation consists of three containment pressure transmitters with overlapping
ranges that provide input to control room indicators.
The transmitters are located outside the Containment
and are not subject to a harsh environment.
- 8. CIV Position Indicator Containment isolation valve position indicators are provided for verification of containment OPERABILITY
and integrity.
In the case of CIV position, the important information is the isolation status of the containment penetration.
The LCO requires one channel of valve position
indication in the Control Room to be OPERABLE for each
active CIV in a containment penetration flow path, i.e., two total channels of CIV position indication for
a penetration flow path with two active valves. For
containment penetrations with only one active CIV
having control room indication, Note (b) requires a
single channel of valve position indication to be
OPERABLE. This is sufficient to redundantly verify the
isolation status of each isolable penetration via
indicated status of the active valve, as applicable, and prior knowledge of passive valve or system boundary
status. If a penetration flow path is isolated, position indication for the CIV(s) in the associated penetration flow path is not needed to determine status. Therefore, the position indication for valves
in an isolated penetration flow path is not required to
be OPERABLE.
The CIV position PAM instrumentation consists of ZL-505, 506, 515, 516, 2080, 2180, 2181, 3832, 3833, 4260, 5291, 5292, 6900, and 6901 (Reference 5).
PAM Instrumentation B 3.3.10 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-7 Revision 19
- 9. Containment Area Radiation (high range) Detector Containment area radiation detectors are provided to monitor for the potential of significant radiation
releases and to provide release assessment for use by
operations in determining the need to invoke site emergency plans.
Containment area radiation instrumentation consists of two radiation detectors with displays and alarm in the
Control Room. The radiation detectors have a
measurement range of 1 to 10 8 R/hr.
- 10. Pressurizer Pressure (wide range)
Pressurizer wide range pressure is a Category I variable provided for verification of core cooling and
RCS integrity long-term surveillance.
Wide range pressurizer pressure is measured by two pressure transmitters with a span of 0 psia to
4000 psia. The pressure transmitters are located
inside the Containment. Redundant monitoring
capability is provided by two indication channels.
Control Room indications are provided.
Pressurizer pressure is a Type I variable because the operator uses this indication to monitor the cooldown
of the RCS following a LOCA and other DBAs. Operator
actions to maintain a controlled cooldown, such as
adjusting steam generator pressure or level, would use
this indication. Furthermore, pressurizer pressure is
one factor that may be used in decisions to terminate
RCP operation.
- 11. Steam Generator Pressure Transmitter Steam generator pressure transmitters are Category 1 instruments and are provided to monitor operation of decay heat removal via the steam generators.
There are four redundant pressure transmitters per steam generator, but only two per steam generator are
required to satisfy the Technical Specification PAM Instrumentation B 3.3.10 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-8 Revision 19 Requirements. The transmitter provides wide range indication over the range from 0 to 1200 psia. Each
transmitter provides input to control room indication.
Since the primary indication used by the operator
during an accident is the control room indicator, the
PAM instrumentation Specification deals specifically with this portion of the instrument channel.
- 12. Pressurizer Level Transmitters Pressurizer level transmitters are used to determine whether to terminate safety injection, if still in
progress, or to reinitiate safety injection if it has
been stopped. Knowledge of pressurizer water level is
also used to verify the plant conditions necessary to
establish natural circulation in the RCS and to verify
that the plant is maintained in a safe shutdown
condition.
Pressurizer Level instrumentation consists of two pressurizer level transmitters that provide input to
control room indicators.
- 13. Steam Generator Water Level Transmitters Steam Generator Water Level transmitters are provided to monitor operation of decay heat removal via the
steam generators. The Category I indication of steam
generator level is the extended startup range level
instrumentation. The extended startup range level
covers a span of -40 inches to -63 inches (relative to
normal operating level), above the lower tubesheet.
The measured differential pressure is displayed in
inches of water at process conditions of the fluid.
Redundant monitoring capability is provided by four
transmitters. The uncompensated level signal is input to the plant computer and a control room indicator.
Steam generator water level instrumentation consists of
two level transmitters.
Operator action is based on the control room indication of steam generator water level. The RCS response
during a design basis small break LOCA is dependent on
the break size. For a certain range of break sizes, PAM Instrumentation B 3.3.10 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-9 Revision 19 the boiler condenser mode of heat transfer is necessary to remove decay heat. Extended startup range level is
a Type A variable because the operator must manually
raise and control the steam generator level to
establish boiler condenser heat transfer. Feedwater
flow is increased until indication is in range.
- 14. Condensate Storage Tank Level Monitor Condensate storage tank (CST) level monitoring is provided to ensure water supply for AFW. Condensate
Storage Tank 12 provides the ensured safety grade water
supply for the AFW System. Inventory in CST 12 is
monitored by level indication covering the full range
of required usable water level. Condensate storage
tank level is displayed on control room indicators and
the plant computer. In addition, a control room
annunciator alarms on low level.
Condensate storage tank level is considered a Type A variable because the control room meter and annunciator
are considered the primary indication used by the
Operator. The DBAs that require AFW are the steam line
break and loss of main feedwater. Condensate Storage
Tank 12 is the initial source of water for the AFW
System. However, as the CST is depleted, manual
operator action is necessary to replenish the CST or
align suction to the AFW pumps from an alternate
source.
15, 16, 17, 18. Core Exit Temperature Core Exit Temperature indication is provided for verification and long-term surveillance of core
cooling. An evaluation was made of the minimum number of valid CETs necessary for inadequate core cooling detection.
The evaluation determined the reduced complement of
CETs necessary to detect initial core uncovery and
trend the ensuing core heatup. The evaluations account
for core nonuniformities, including incore effects of
the radial decay power distribution and excore effects
of condensate runback in the hot legs and nonuniform PAM Instrumentation B 3.3.10 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-10 Revision 32 inlet temperatures. Based on these evaluations, adequate or inadequate core cooling detection is ensured with two valid CETs per quadrant for each channel. The two CETs per quadrant must consist of 1 interior CET and either 1 peripheral CET or 1 shroud peripheral CET.
The design of the Incore Instrumentation System includes a Type K (chromel alumel) thermocouple within
each of the 35 incore instrument detector assemblies.
The junction of each thermocouple is located more than a foot above the fuel assembly, inside a structure that
supports and shields the incore instrument detector
assembly string from flow forces in the outlet plenum
region. These CETs monitor the temperature of the
reactor coolant as it exits the fuel assemblies.
The CETs have a usable temperature range from 40°F to 2300°F, although accuracy is reduced at temperatures
above 1800°F.
- 19. Pressurizer Pressure (low range)
Pressurizer low range pressure is a Category I variable provided for verification of core cooling and RCS
integrity long-term surveillance.
Low-range pressurizer pressure is measured by two pressure transmitters with a span of 0 psia to
1600 psia. The pressure transmitters are located
inside the Containment. Redundant monitoring
capability is provided by two indication channels.
Control Room indications are provided.
Pressurizer pressure is a Type I variable because the operator uses this indication to monitor the cooldown of the RCS following a LOCA and other DBAs. Operator
actions to maintain a controlled cooldown, such as
adjusting steam generator pressure or level, would use
this indication. Furthermore, pressurizer pressure is
one factor that may be used in decisions to terminate
RCP operations.
PAM Instrumentation B 3.3.10 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-11 Revision 32 Two indication channels are required to be OPERABLE for all but two Functions. Two OPERABLE channels ensure that no
single failure, within either the PAM instrumentation or its
auxiliary supporting features or power sources (concurrent
with the failures that are a condition of or result from a
specific accident), prevents the operators from being presented the information necessary for them to determine the safety status of the plant, and to bring the plant to
and maintain it in a safe condition following that accident.
In Table 3.3.10-1 the exceptions to the two channel
requirement are CIV position and the SMM.
Two OPERABLE CETs are required for each channel in each
quadrant to provide indication of radial distribution of the
coolant temperature rise across representative regions of
the core. Power distribution symmetry was considered in
determining the specific number and locations provided for
diagnosis of local core problems. Therefore, two randomly
selected thermocouples may not be sufficient to meet the two
thermocouples per channel requirement in any quadrant. The
two thermocouples in each channel must meet the additional
requirement that one be located near the center of the core
and the other near the core perimeter (either peripheral or shroud peripheral), such that the pair of CETs indicate the radial temperature gradient across their core quadrant. The
two channels in each core quadrant must be electronically
independent. A CETs operability is based on a comparison of
the CET temperature indication with the hot leg resistance
temperature detector temperature indication. Different
criteria have been specified for interior CETs
, peripheral CETs , and shroud peripheral CETs to account for the core radial power distribution. Plant specific evaluations in
response to Item II.F.2 of NUREG-0737 should have identified the thermocouple pairings that satisfy these requirements.
Two sets of two thermocouples in each quadrant ensure a
single failure will not disable the ability to determine the
radial temperature gradient.
For loop- and steam generator-related variables, the
required information is individual loop temperature and
individual steam generator level. In these cases, two PAM Instrumentation B 3.3.10 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-12 Revision 32 channels are required to be OPERABLE for each loop of steam generator to redundantly provide the necessary information.
In the case of CIV position, the important information is
the status of the containment penetrations. The LCO
requires one position indicator for each active CIV. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the
active valve and prior knowledge of the passive valve or via
system boundary status. If a normally active CIV is known
to be closed and deactivated, position indication is not
needed to determine status. Therefore, the position
indication for valves in this state is not required to be
The SMM, CETs, and the HJTC-based reactor vessel water level indication comprise the inadequate core cooling
instrumentation. The function of the inadequate core
cooling instrumentation is to enhance the ability of the
plant operator to diagnose the approach to, and recovery from, inadequate core cooling.
APPLICABILITY The PAM instrumentation LCO is applicable in MODEs 1, 2, and 3. These variables are related to the diagnosis and
preplanned actions required to mitigate DBAs. The
applicable DBAs are assumed to occur in MODEs 1, 2, and 3.
In MODEs 4, 5, and 6, plant conditions are such that the
likelihood of an event occurring requiring PAM
instrumentation is low; therefore, PAM instrumentation is not required to be OPERABLE in these MODEs.
ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of
this Specification may be entered independently for each
Function listed in Table 3.3.10-1. The Completion Time(s)
of the inoperable channel(s) of a Function will be tracked
separately for each Function, starting from the time the Condition was entered for that Function.
A.1 When one or more Functions have one required indication
channel that is inoperable, the required inoperable channel
must be restored to OPERABLE status within 30 days. The PAM Instrumentation B 3.3.10 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-13 Revision 32 30-day Completion Time is based on operating experience and takes into account the remaining OPERABLE channel (or in the
case of a Function that has only one required channel, other
non-Reference 3 indication channels to monitor the
Function), the passive nature of the instrument (no critical
automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval.
B.1 This Required Action specifies initiation of actions in
accordance with Specification 5.6.7, which requires a
written report to be submitted to the NRC. This report
discusses the results of the root cause evaluation of the
inoperability and identifies proposed restorative Required
Actions. This Required Action is appropriate in lieu of a
shutdown requirement, given the likelihood of plant
conditions that would require information provided by this
instrumentation. Also, alternative Required Actions such as
grab sampling or diverse indications are identified before a
loss of functional capability condition occurs.
C.1 When one or more Functions have two required indication
channels inoperable (i.e., two channels inoperable in the
same Function), one channel in the Function should be
restored to OPERABLE status within 7 days. The Completion
Time of 7 days is based on the relatively low probability of
an event requiring PAM instrumentation operation and the
availability of alternate means to obtain the required
information. Continuous operation with two required
channels inoperable in a Function is not acceptable because
the alternate indications may not fully meet all performance
qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the
PAM Function will be in a degraded condition should an
accident occur.
D.1 This Required Action directs entry into the appropriate
Condition referenced in Table 3.3.10-1. The applicable PAM Instrumentation B 3.3.10 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-14 Revision 32 Condition referenced in the Table is Function-dependent.
Each time Required Action C.1 is not met and the associated
Completion Time has expired, Condition D is entered for that
channel and provides for transfer to the appropriate
subsequent Condition.
E.1 and E.2 If the Required Action and associated Completion Time of Condition C are not met, and Table 3.3.10-1 directs entry
into Condition E, the plant must be brought to a MODE in
which the requirements of this LCO do not apply. To achieve
this status, the plant must be brought to at least MODE 3
within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.
The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions
from full power conditions in an orderly manner and without
challenging plant systems.
F.1 Alternate means of monitoring containment area radiation
have been developed and tested. These alternate means may
be temporarily installed if the normal PAM channel cannot be
restored to OPERABLE status within the allotted time. The
HJTC-based reactor vessel water level instrumentation is one
of three components of the inadequate core cooling
instrumentation. The SMM instrumentation and CETs could be
used to monitor inadequate core cooling. If these alternate
means are used, the Required Action is not to shut down the
plant, but rather to follow the directions of
Specification 5.6.7. The report provided to the NRC should
discuss the alternate means used, describe the degree to
which the alternate means are equivalent to the installed
PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal
PAM channels.
SURVEILLANCE A Note at the beginning of the SRs specifies that the REQUIREMENTS following SRs apply to each PAM instrumentation Function in Table 3.3.10-1.
PAM Instrumentation B 3.3.10 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-15 Revision 32 SR 3.3.10.1 Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A
CHANNEL CHECK is normally a comparison of the parameter
indicated on one indication channel to a similar parameter
on other channels. It is based on the assumption that indication channels monitoring the same parameter should read approximately the same value. Significant deviations
between the two indication channels could be an indication
of excessive instrument drift in one of the channels or of
something more serious. A CHANNEL CHECK will detect gross
channel failure; thus, it is key to verifying the
instrumentation continues to operate properly between each
CHANNEL CALIBRATION.
Agreement criteria are determined by the plant staff, based on a qualitative assessment of the indication channel that
considers indication channel uncertainties, including
indication and readability. If a channel is outside the
criteria, it may be an indication that the sensor or the
signal processing equipment has drifted outside its limit.
If the channels are within the criteria, it is an indication
that the channels are OPERABLE. If the channels are
normally off-scale during times when surveillance testing is
required, the CHANNEL CHECK will only verify that they are
off-scale in the same direction. Off-scale low current loop
channels are verified to be reading at the bottom of the
range and not failed down-scale.
The Frequency of 31 days is based upon plant operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one indication
channel of a given Function in any 31 day interval is a rare
event. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel during normal operational use of the displays associated with this LCO's required channels.
SR 3.3.10.2 Deleted.
PAM Instrumentation B 3.3.10 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-16 Revision 32 SR 3.3.10.3 A CHANNEL CALIBRATION is performed every 24 months or approximately every refueling. CHANNEL CALIBRATION is a
check of the indication channel including the sensor. The
SR verifies the channel responds to the measured parameter
within the necessary range and accuracy. CHANNEL CALIBRATION of the CIV position indication channels will consist of verification that the position indication changes
from not-closed to closed when the valve is exercised to the
isolation position as required by Technical
Specification 5.5.8, Inservice Testing Program. The
position switch is the sensor for the CIV position
indication channels. A Note allows exclusion of neutron
detectors, CETs, and reactor vessel level (HJTC) from the
CHANNEL CALIBRATION.
The Frequency is based upon operating experience and consistency with the typical industry refueling cycle and is
justified by an 24 month calibration interval for the determination of the magnitude of equipment drift.
REFERENCES 1. Letter from Mr. R. E. Denton (BGE) to NRC Document Control Desk, dated June 6, 1995, "License Amendment
Request; Extension of Instrument Surveillance
Intervals"
- 2. Letter from Mr. J. A. Tiernan (BGE) to NRC Document Control Desk, dated August 9, 1988, "Regulatory
Guide 1.97 Review Update" 3. Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident (Errata Published July 1981), December 1975 4. NUREG-0737, Supplement 1, Requirements for Emergency Response Capabilities (Generic Letter 82-33),
December 17, 1982 5. UFSAR, Chapter 7, "Instrumentation and Control" Remote Shutdown Instrumentation B 3.3.11 B 3.3 INSTRUMENTATION B 3.3.11 Remote Shutdown Instrumentation
BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.11-1 Revision 2 BACKGROUND The Remote Shutdown Instrumentation provides the control room operator with sufficient instrumentation to help place and maintain the unit in a safe shutdown condition from a
location other than the Control Room. This capability is necessary to protect against the possibility that the
Control Room becomes inaccessible. A safe shutdown condition is defined as MODE 3. With the unit in MODE 3, the AFW System and the steam generator safety valves or the steam generator atmospheric dump valves can be used to
remove core decay heat and meet all safety requirements.
The long term supply of water for the AFW System and the
ability to borate the RCS from outside the Control Room allow extended operation in MODE 3.
In the event that the Control Room becomes inaccessible, the operators can establish control outside the control room and
monitor remote shutdown instrumentation at the remote
shutdown panel and place and maintain the unit in MODE 3.
The unit automatically reaches MODE 3 following a unit
shutdown and can be maintained safely in MODE 3 for an
extended period of time.
The OPERABILITY of the Remote Shutdown Instrumentation Functions ensures that there is sufficient information
available on selected plant parameters to place and maintain
the plant in MODE 3, should the Control Room become inaccessible.
APPLICABLE The Remote Shutdown Instrumentation is required to provide SAFETY ANALYSES equipment at appropriate locations outside the Control Room to help operators promptly shut down and maintain the plant
in a safe condition in MODE 3.
Remote Shutdown Instrumentation assists in meeting the
requirements of Reference
- 1.
The Remote Shutdown Instrumentation does not meet any of the
criteria in 10 CFR 50.36(c)(2)(ii) but has been retained at the request of the NRC.
Remote Shutdown Instrumentation B 3.3.11 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.11-2 Revision 2 LCO The Remote Shutdown Instrumentation LCO provides the requirements for the OPERABILITY of the instrumentation
necessary to help place and maintain the unit in MODE 3 from
a location other than the Control Room.
The instrumentation typically required are listed in Table 3.3.11-1 in the accompanying LCO.
The instrumentation are those required for:
- Core Reactivity Monitoring (initial and long term);
- RCS Pressure Monitoring;
- Monitoring Decay Heat Removal via Steam Generators; and
- RCS Inventory Monitoring.
A Function of a Remote Shutdown Instrumentation is OPERABLE
if all indication channels needed to support the remote
shutdown Functions are OPERABLE. In some cases, Table 3.3.11-1 may indicate that the required information
capability is available from several alternate sources. In
these cases, the Function is OPERABLE as long as one channel
of any of the alternate information sources for each
Function is OPERABLE.
An indication channel consists of field transmitters or process sensors and associated instrumentation, providing a
measurable electronic signal based upon the physical
characteristics of the parameter being measured, plus a
display of the measured parameter.
The Remote Shutdown Instrumentation circuits covered by this LCO do not need to be energized to be considered OPERABLE.
This LCO is intended to ensure that the instrument circuits
will be OPERABLE if plant conditions require that the Remote Shutdown Instrumentation be placed in operation.
APPLICABILITY The Remote Shutdown Instrumentation LCO is applicable in MODEs 1, 2, and 3. This is required so that the unit can be placed and maintained in MODE 3 for an extended period of
time from a location other than the Control Room.
Remote Shutdown Instrumentation B 3.3.11 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.11-3 Revision 26 This LCO is not applicable in MODE 4, 5, or 6. In these MODEs, the unit is already subcritical and in the condition
of reduced RCS energy. Under these conditions, considerable
time is available to restore necessary instrument Functions if control room instruments become unavailable.
ACTIONS A Remote Shutdown Instrumentation Function is inoperable when the Function is not accomplished by at least one
designated Remote Shutdown Instrumentation channel that
satisfies the OPERABILITY criteria for each Function
requirement, except Manual Reactor Shutdown Control, which
requires two channels. These criteria are outlined in the
LCO section of the Bases.
A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The conditions of
this Specification may be entered independently for each
Function listed in Table 3.3.11-1. The Completion Time(s)
of the inoperable channel(s) of a Function will be tracked
separately for each Function, starting from the time the
Condition was entered for that Function.
A.1 Condition A addresses the situation where one or more
Functions of the Remote Shutdown System are inoperable.
This includes any Function listed in Table 3.3.11-1.
The Required Action is to restore the Functions to OPERABLE
status within 30 days. The Completion Time is based on
operating experience and the low probability of an event that would require evacuation of the Control Room.
B.1 and B.2 If the Required Action and associated Completion Time of
Condition A are not met, the plant must be brought to a MODE
in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />
and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times
are reasonable, based on operating experience, to reach the
required MODE from full power conditions in an orderly manner and without challenging plant systems.
Remote Shutdown Instrumentation B 3.3.11 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.11-4 Revision 26 SURVEILLANCE SR 3.3.11.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 31 days ensures
that a gross failure of instrumentation has not occurred. A
CHANNEL CHECK is normally a comparison of the parameter
indicated on one indication channel to a similar parameter on other channels. It is based on the assumption that indication channels monitoring the same parameter should
read approximately the same value. Significant deviations
between the indication channels could be an indication of
excessive instrument drift in one of the channels or of
something more serious. A CHANNEL CHECK will detect gross
channel failure; thus, it is key to verifying that the
instrumentation continues to operate properly between each
CHANNEL CALIBRATION. Agreement criteria are determined by
the plant staff, based on a qualitative assessment of the
indication channel that considers indication channel
instrument uncertainties, including indication and
readability. If a channel is outside the criteria, it may
be an indication that the sensor or the signal processing
equipment has drifted outside its limit. As specified in
the SR, a CHANNEL CHECK is only required for those channels
that are normally energized. If the channels are within the
criteria, it is an indication that the channels are
OPERABLE. If the channels are normally off-scale during
times when surveillance testing is required, the CHANNEL
CHECK will only verify that they are off-scale in the same
direction. Off-scale low current loop channels are verified
to be reading at the bottom of the range and not failed
down-scale.
The Frequency is based on plant operating experience that demonstrates indication channel failure is rare.
SR 3.3.11.2 CHANNEL CALIBRATION is a check of the indication channel including the sensor. The surveillance test verifies that
the channel responds to the measured parameter within the
necessary range and accuracy.
The 24-month Frequency is based upon the need to perform
this SR under the conditions that apply during a plant
outage, and the potential for an unplanned transient if the Remote Shutdown Instrumentation B 3.3.11 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.11-5 Revision 26 surveillance test were to be performed with the reactor at power.
The SR is modified by a Note, which excludes neutron
detectors and reactor trip breaker indication from the CHANNEL CALIBRATION.
REFERENCES 1. Updated Final Safety Analysis Report, Appendix 1C, "AEC Proposed General Design Criteria for Nuclear Power Plants" Wide Range Logarithmic Neutron Flux Monitor Channels B 3.3.12 B 3.3 INSTRUMENTATION B 3.3.12 Wide Range Logarithmic Neutron Flux Monitor Channels
BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.12-1 Revision 2 BACKGROUND The wide range logarithmic neutron flux monitor channels provide neutron flux power indication from < 1E-7%
RATED THERMAL POWER to > 100%
RATED THERMAL POWER. They also provide reactor protection when the RTCBs are shut, in the form of a Rate of Change of Power-High trip.
This LCO addresses MODEs 3, 4, and 5 with the RTCBs open.
When the RTCBs are shut, the wide range logarithmic neutron
flux monitor channels are addressed by LCO 3.3.2
.
When the RTCBs are open, two of the four wide range
logarithmic neutron flux monitor channels must be available
to monitor neutron flux power. In this application, the RPS
channels need not be OPERABLE since the reactor trip
Function is not required. By monitoring neutron flux power
when the RTCBs are open, loss of SHUTDOWN MARGIN (SDM) caused by boron dilution can be detected as an increase in
flux. Alarms are also provided when power increases above
the fixed bistable setpoints. Two channels must be OPERABLE
to provide single failure protection and to facilitate
detection of channel failure by providing CHANNEL CHECK capability.
APPLICABLE The wide range logarithmic neutron flux monitor channels SAFETY ANALYSES are necessary to monitor core reactivity changes. They are the primary means for detecting and triggering operator
actions to respond to reactivity transients initiated from
conditions in which the RPS is not required to be OPERABLE.
They also trigger operator actions to anticipate RPS actuation in the event of reactivity transients starting
from shutdown or low power conditions.
The OPERABILITY of wide range logarithmic neutron flux
monitor channels is not necessary to meet the assumptions of
the safety analyses and provide for the mitigation of
accident and transient conditions.
The wide range logarithmic neutron flux monitor channels satisfy 10 CFR 50.36(c)(2)(ii), Criterion 3.
Wide Range Logarithmic Neutron Flux Monitor Channels B 3.3.12 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.12-2 Revision 19 LCO The LCO on the wide range logarithmic neutron flux monitor channels ensures that adequate information is available to
verify core reactivity conditions while shut down. A
minimum of two wide range logarithmic neutron flux monitor channels are required to be OPERABLE.
APPLICABILITY In MODEs 3, 4, and 5, with RTCBs open or the CEDM System not capable of CEA withdrawal, wide range logarithmic neutron
flux monitor channels must be OPERABLE to monitor core power
for reactivity changes. In MODEs 1 and 2, and in MODEs 3, 4, and 5 with the RTCBs shut and the CEAs capable of
withdrawal, the wide range logarithmic neutron flux monitor
channels are addressed as part of the RPS in LCO 3.3.1.
The requirements for source range neutron flux monitoring in MODE 6 are addressed in LCO 3.9.2. The source range nuclear
instrumentation channels provide neutron flux coverage the
logarithmic channels use during refueling, when neutron flux
may be extremely low. They are built into the wide range logarithmic neutron flux channels and PAM channels.
ACTIONS A.1 and A.2 With one required channel inoperable, it may not be possible
to perform a CHANNEL CHECK to verify that the other required
channel is OPERABLE. Therefore, with one or more required channels inoperable, the wide range logarithmic neutron flux monitoring Function cannot be reliably performed.
Consequently, the Required Actions are the same for one
required channel inoperable or more than one required
channel inoperable. The absence of reliable neutron flux
indication makes it difficult to ensure SDM is maintained.
Required Action A.1 restricts the addition of positive reactivity (e.g., temperature or boron fluctuations associated with RCS inventory management or temperature control) to those that are accounted for in the calculated SDM.
SHUTDOWN MARGIN must be verified periodically to ensure that
it is being maintained. Both required channels must be
restored as soon as possible. The initial Completion Time
of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, and once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter, to perform
SDM verification takes into consideration that Required
Action A.1 eliminates many of the means by which SDM can be Wide Range Logarithmic Neutron Flux Monitor Channels B 3.3.12 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.12-3 Revision 2 reduced. These Completion Times are also based on operating experience in performing the Required Actions and the fact that plant conditions will change slowly.
SURVEILLANCE SR 3.3.12.1 REQUIREMENTS
Surveillance Requirement 3.3.12.1 is the performance of a CHANNEL CHECK on each required channel every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. A
CHANNEL CHECK is normally a comparison of the parameter
indicated on one channel to a similar parameter on other
channels. It is based upon the assumption that instrument
channels monitoring the same parameter should read
approximately the same value. Significant deviations
between instrument channels could be an indication of
excessive instrument drift in one of the channels or of
something more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the
instrumentation continues to operate properly between each
CHANNEL CALIBRATION.
Agreement criteria are determined by the plant staff and
should be based on a qualitative assessment of the indication channel that considers indication channel uncertainties
, including control isolation, indication, and readability. If a channel is outside the criteria, it may
be an indication that the transmitter or the signal
processing equipment has drifted outside its limits. If the
channels are within the criteria, it is an indication that
the channels are OPERABLE.
The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of channel failure.
Since the probability of two random failures in redundant
channels in any 12
-hour period is extremely low, CHANNEL CHECK minimizes the chance of loss of indication due to
failure of redundant channels. CHANNEL CHECK supplements
less formal, but more frequent, checks of channel
OPERABILITY during normal operational use of displays
associated with the LCO required channels.
Wide Range Logarithmic Neutron Flux Monitor Channels B 3.3.12 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.12-4 Revision 36 SR 3.3.12.2 A CHANNEL FUNCTIONAL TEST is performed once within 7 days prior to each reactor startup. This SR ensures that the
entire channel is capable of properly indicating neutron
flux. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification tests at least once per refueling interval with applicable extensions.
Internal test circuitry is used to feed pre-adjusted test signals into the preamplifier to
verify channel alignment. It is not necessary to test the
detector, because generating a meaningful test signal is
difficult; the detectors are of simple construction, and any
failures in the detectors will be apparent as change in
channel output. This Frequency is the same as that employed
for the same channels in the other applicable MODEs.
SR 3.3.12.3 Surveillance Requirement 3.3.12.3 is the performance of a
CHANNEL CALIBRATION. A CHANNEL CALIBRATION is performed
every 24 months. The surveillance test is a complete check
and readjustment of the wide range logarithmic neutron flux
monitor channel from the preamplifier input through to the
remote indicators. The surveillance test verifies that the
channel responds to a measured parameter within the
necessary range and accuracy. CHANNEL CALIBRATION leaves
the channel adjusted to account for instrument drift between
successive calibrations to ensure that the channel remains
operational between successive surveillance tests. CHANNEL
CALIBRATIONS must be performed consistent with the plant-
specific setpoint analysis.
This SR is modified by a Note to indicate that it is not necessary to test the detector because generating a
meaningful test signal is difficult; the detectors are of
simple construction, and any failures in the detectors will
be apparent as change in channel output. This Frequency is
the same as that employed for the same channels in the other applicable MODEs.
Wide Range Logarithmic Neutron Flux Monitor Channels B 3.3.12 BASES CALVERT CLIFFS - UNITS 1 & 2 B 3.3.12-5 Revision 36 REFERENCES None