ML102371266
ML102371266 | |
Person / Time | |
---|---|
Site: | Kewaunee |
Issue date: | 08/18/2010 |
From: | Dominion Energy Kewaunee |
To: | Office of Nuclear Reactor Regulation |
References | |
10-457, TAC ME2139 | |
Download: ML102371266 (0) | |
Text
ITS NRC Questions Id1401NRC Question Number KAB-057 Category Technical ITS Section 3.3 ITS Number 3.3.2 DOC Number JFD Number JFD Bases Number Page Number(s) 212 NRC Reviewer Supervisor Gerald Waig Technical Branch POC Add Name Conf Call Requested N NRC Question On page 212 of Attachment 1, volume 8, function 6.e in TS Table 3.3.2-1 references justification fo r deviations (JFD) 16.
However, there is no JFD
- 16. Please provide a JFD reference that explains the change.
Attach File 1 Attach File 2 Issue Date 12/14/2009 Added By Kristy Bucholtz Date Modified Modified By Date Added 12/14/2009 2:54 PM Notification NRC/LICENSEE Supervision Pa ge 1of 1 Kewaunee ITS Conversion Database 06/08/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1401 Licensee Response/NRC Response/NRC Question Closure Id1371NRC Question Number KAB-057 Select Application Licensee Response Response Date/Time 12/18/2009 9:25 AM Closure Statement Response Statement After further review, Kewaunee Power Station (KPS) has determined that JFDs 15 and 16 s hould actually be 14 and 15. JFD 14 justifies deleting ISTS SR 3.3.2.9 (a CHANNEL CALIBRATION) and JFD 15 justifies deleting ISTS SR 3.3.2.10 (ESFAS RESPONSE TIME test). Furthermore, JFD 15 uses the term RTS RESPONSE TI ME, but should be ESFA S RESPONSE TIME. A draft markup regarding this change is attached. This change will be reflected in the supplement to this section of the ITS conversion amendment.
Question Closure Date Attachment 1 KAB-057 Markup.pdf (1MB) Attachment 2 Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Added By David Mielke Date Added 12/18/2009 9:27 AM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/09/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1371 ESFAS Instrumentation 3.3.2 WOG STS 3.3.2-15 Rev. 3.0, 03/31/04 Table 3.3.2-1 (page 7 of 8) Engineered Safety Feature Actuation System Instrumentation
FUNCTION APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS REQUIRED CHANNELS CONDITIONS SURVEILLANCE REQUIREMENTS ALLOWABLE VALUE NOMINAL (j) TRIP SETPOINT 6. Auxiliary Feedwater
- c. SG Water Level - Low Low 1,2,3 [3] per SG D SR 3.3.2.1 SR 3.3.2.5
SR 3.3.2.9 SR 3.3.2.10
- d. Safety Injection Refer to Function 1 (Safety Injection) for all initiation functions and requirements.
- e. Loss of Offsite Power 1,2,3 3] per bus F SR 3.3.2.7 SR 3.3.2.9 SR 3.3.2.10 with delay [2975] V with delay f. Undervoltage Reactor Coolant Pump 1,2 [3] per bus I SR 3.3.2.7
SR 3.3.2.9 SR 3.3.2.10 voltage voltage g. Trip of all Main Feedwater Pumps 1,2 [2] per pump J SR 3.3.2.8
SR 3.3.2.9 SR 3.3.2.10 psig [ ] psig
- h. Auxiliary Feedwater Pump Suction Transfer on Suction Pressure - Low 1,2,3 [2] F SR 3.3.2.1
[ ] [psia]
- 7. Automatic Switchover to Containment Sump
- a. Automatic Actuation Logic and Actuation Relays 1,2,3,4 2 trains C SR 3.3.2.2
SR 3.3.2.4 SR 3.3.2.6 NA NA b. Refueling Water Storage Tank (RWST) Level - Low Low 1,2,3,4 4 K SR 3.3.2.1
SR 3.3.2.9 SR 3.3.2.10 Coincident with Safety Injection Refer to Function 1 (Safety Injection) for all initiation functions and requirements.
REVIEWER'S NOTE--------------------------------------------------------------------- (j) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by the unit. ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CTS b. both c. d. e. Tables TS 3.5-3, #4.a and #5.a; TS 4.1-1, #11.a Table TS 3.5-3, #4.c Tables TS 3.5-2, #13; TS 3.5-3, #5.b; DOC M14 DOC M13; Tables TS 3.5-3, #4.b; TS 4.1-1, #35 2 1 H I INSERT 2 4 2 All changes are unless otherwise noted 3 1 8 9 8 8 8 1 8 1 8 5 5 5 10 10 12 12 4 6 3 6 5 15 15 15 16 4 INSERT 3 A ttachment 1, Volume 8, Rev. 0, Page 212 of 517 A ttachment 1, Volume 8, Rev. 0, Page 212 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 3 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 3 of 111 14 15 JUSTIFICATION FOR DEVIATIONS ITS 3.3.2, ENGINEERED SAFETY FEATURE ACTUATION SYSTEM (ESFAS) INSTRUMENTATION Kewaunee Power Station Page 5 of 5 requirement to perform the surveillance test in accordance with the SCP. Hence, the addition of the phrase "in accordance wi th the Setpoint Control Program" to ITS SR 3.3.2.4, CHANNEL OPERATIONAL TEST (COT) and ITS SR 3.3.2.6, CHANNEL CALIBRATION in the surveillance requirement table.
- 13. The ISTS contains bracketed information and/or values that are generic to all Westinghouse vintage plants. ISTS Required Actions D, E, and I (ITS Required
Actions D, E, and H, respectively) are modified by a Note that provides two options for bypassing a channel for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for the purpose of performing surveillance testing without entry into the applicable Required Actions. One option is for plants that have installed bypass testing capabilities. The other option is for plants that do not have installed bypass testing capabilities. KPS does not have installed bypass testing capabilities. Therefore, the Note for plants that do not have bypass testing capabilities is retained for Required Actions D, E, and H.
- 14. ISTS Table 3.3.2-1 Function 6.g (Trip of all Main Feedwater Pumps) specifies that ISTS SR 3.3.2.9, a CHANNEL CALIBRATION, is required for the Function. This CHANNEL CALIBRATION requirement is not being included in the KPS ITS for the same Function (ITS Table 3.3.2-1 Function 6.e). The ISTS shows that the
Function has an ALLOWABLE VALUE and NOMINAL TRIP SETPOINT based on a pressure. The ISTS Bases describes that the trip is derived from low pressure on the control air/oil line of the turbine driven main feedwater pumps. Thus, it is appropriate to perform a CHANNEL CALIBRATION on the sensors. However, KPS uses motor driven main feedwater pum ps, and the signal to start the AFW pumps comes from the breaker position contacts. Thus, there is no CHANNEL CALIBRATION to perform. This is also consistent with the KPS CTS, which does not require a CHANNEL CALIBRATION.
- 15. The RTS RESPONSE TIME requirement, ISTS SR 3.3.2.10, has not been adopted into the KPS ITS, consistent with Kewaunee current licensing basis and current Technical Specifications. The Kewaunee USAR describes the implementation of the principles as related to the proposed IEEE-279 "Standard, Nuclear Power Plant Protection Systems," August 1968. This industry standard provides guidance and requirements for conducting periodic testing of protection systems. IEEE-279-1968 does not address response time testing. Furthermore, generic studies have shown that instrumentation response time changes (increasing times), that could impact
safety, do not normally vary such that they would not be detected during other required surveillances (e.g., CHANNEL CALIBRATIONS). Since the addition of these tests would be a major burden (plant design does not readily lend itself to such testing) with little gain in safety, ISTS SR 3.3.2.10 has not been added.
A ttachment 1, Volume 8, Rev. 0, Page 219 of 517 A ttachment 1, Volume 8, Rev. 0, Page 219 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 4 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 4 of 111 ESFAS Licensee Response/NRC Response/NRC Question Closure Id1731NRC Question Number KAB-057 Select Application NRC Question Closure Response Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation. Response Statement Question Closure Date 1/12/2010 Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/12/2010 3:21 PM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/09/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1731 ITS NRC Questions Id1411NRC Question Number KAB-058 Category Technical ITS Section 3.3 ITS Number 3.3.2 DOC Number JFD Number 8l9 JFD Bases Number Page Number(s) 212 NRC Reviewer Supervisor Gerald Waig Technical Branch POC Add Name Conf Call Requested N NRC Question On page 212 of Attachment 1, volu me 8, function 7a & b in TS Table 3.3.2-1 references justification for de viations (JFD) 9.
Should JFD 8 be the reference for function 7a & b?
Attach File 1 Attach File 2 Issue Date 12/14/2009 Added By Kristy Bucholtz Date Modified Modified By Date Added 12/14/2009 2:55 PM Notification NRC/LICENSEE Supervision Pa ge 1of 1 Kewaunee ITS Conversion Database 06/08/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1411 Licensee Response/NRC Response/NRC Question Closure Id1381NRC Question Number KAB-058 Select Application Licensee Response Response Date/Time 12/18/2009 9:25 AM Closure Statement Response Statement After further review, Kewaunee Power Station (KPS) has determined that the NRC reviewer is corre ct, in that the annotatio n for ISTS Table 3.3.2-1 Functions 7.a and 7.b sh ould be JFD 8, not JF D 9. A draft markup regarding this change is attached.
This change will be reflected in the supplement to this section of the ITS conversion amendment.
Question Closure Date Attachment 1 KAB-058 Markup.pdf (844KB) Attachment 2 Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Added By David Mielke Date Added 12/18/2009 9:30 AM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/09/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1381 ESFAS Instrumentation 3.3.2 WOG STS 3.3.2-15 Rev. 3.0, 03/31/04 Table 3.3.2-1 (page 7 of 8) Engineered Safety Feature Actuation System Instrumentation
FUNCTION APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS REQUIRED CHANNELS CONDITIONS SURVEILLANCE REQUIREMENTS ALLOWABLE VALUE NOMINAL (j) TRIP SETPOINT 6. Auxiliary Feedwater
- c. SG Water Level - Low Low 1,2,3 [3] per SG D SR 3.3.2.1 SR 3.3.2.5
SR 3.3.2.9 SR 3.3.2.10
- d. Safety Injection Refer to Function 1 (Safety Injection) for all initiation functions and requirements.
- e. Loss of Offsite Power 1,2,3 3] per bus F SR 3.3.2.7 SR 3.3.2.9 SR 3.3.2.10 with delay [2975] V with delay f. Undervoltage Reactor Coolant Pump 1,2 [3] per bus I SR 3.3.2.7
SR 3.3.2.9 SR 3.3.2.10 voltage voltage g. Trip of all Main Feedwater Pumps 1,2 [2] per pump J SR 3.3.2.8
SR 3.3.2.9 SR 3.3.2.10 psig [ ] psig
- h. Auxiliary Feedwater Pump Suction Transfer on Suction Pressure - Low 1,2,3 [2] F SR 3.3.2.1
[ ] [psia]
- 7. Automatic Switchover to Containment Sump
- a. Automatic Actuation Logic and Actuation Relays 1,2,3,4 2 trains C SR 3.3.2.2
SR 3.3.2.4 SR 3.3.2.6 NA NA b. Refueling Water Storage Tank (RWST) Level - Low Low 1,2,3,4 4 K SR 3.3.2.1
SR 3.3.2.9 SR 3.3.2.10 Coincident with Safety Injection Refer to Function 1 (Safety Injection) for all initiation functions and requirements.
REVIEWER'S NOTE--------------------------------------------------------------------- (j) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by the unit. ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CTS b. both c. d. e. Tables TS 3.5-3, #4.a and #5.a; TS 4.1-1, #11.a Table TS 3.5-3, #4.c Tables TS 3.5-2, #13; TS 3.5-3, #5.b; DOC M14 DOC M13; Tables TS 3.5-3, #4.b; TS 4.1-1, #35 2 1 H I INSERT 2 4 2 All changes are unless otherwise noted 3 1 8 9 8 8 8 1 8 1 8 5 5 5 10 10 12 12 4 6 3 6 5 15 15 15 16 4 INSERT 3 A ttachment 1, Volume 8, Rev. 0, Page 212 of 517 A ttachment 1, Volume 8, Rev. 0, Page 212 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 8 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 8 of 111 8
Licensee Response/NRC Response/NRC Question Closure Id1741NRC Question Number KAB-058 Select Application NRC Question Closure Response Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation. Response Statement Question Closure Date 1/12/2010 Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/12/2010 3:22 PM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/09/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1741 ITS NRC Questions Id1421NRC Question Number KAB-059 Category Technical ITS Section 3.3 ITS Number 3.3.1 DOC Number JFD Number 7 JFD Bases Number Page Number(s) 73 NRC Reviewer Supervisor Rob Elliott Technical Branch POC Add Name Conf Call Requested N NRC Question On page 73 of Attachme nt 1, volume 8, justif ication for deviation 7 indicates that response ti me testing is not being adopted into the KPS ITS. Please explain how KPS will ensu re the safety analysis is met without response time testing for TS 3.3.1 Functions 2.a, 2.b, 3.b, 5, 6, 7, 8.a, 8.b, 10, 12, 13, 14, and 15.
Attach File 1 Attach File 2 Issue Date 12/18/2009 Added By Kristy Bucholtz Date Modified Modified By Date Added 12/18/2009 1:38 PM Notification NRC/LICENSEE Supervision Pa ge 1of 1 Kewaunee ITS Conversion Database 06/24/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1421 Licensee Response/NRC Response/NRC Question Closure Id1771NRC Question Number KAB-059 Select Application Licensee Response Response Date/Time 1/13/2010 11:35 AM Closure Statement Response Statement RPS and ESFAS Response Time Testing are not being adopted into KPS ITS. This is consistent with Kewaunee's current licensing basis and current Technical Specifications. The Kewaunee USAR describes the testing principles as stated in the proposed IEEE-279, "Standard Nuclear Power Plant Protection Systems,"
August 1968. This industry standard provides guidance and requirements for conducting periodic testing of protection systems. IEEE-279-1968 does not address response time testing.
In 1975 the NRC started requiring Response Time Testing and KPS was licensed prior to 1975 without requirements for Response Time Testing. In addition, plants of KPS vintage that have implemented ITS also do not perform Response Time Testing (e.g., Ginna, Point Beach).
Additionally, the Westinghouse Owners Group developed a document, "Elimination of Periodic Protection Channel Response Time Tests," MUHP-3041 Rev. 1, dated October 6, 1998 to facilitate the removal of Response Time Testing for plants that were licensed after 1975 and subject to Response Time Testing requirements (which Kewaunee is not).
Studies like these have shown that instrumentation response time changes (increasing times), that could impact safety, do not normally vary such that they would not be detected during other surveillances (e. g. CHANNEL CALIBRATIONS). Therefore, it is the KPS position that Response Time Surveillances are not needed to ensure safety analysis assumptions are met.
Question Closure Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays
Ray Schiele Added By Robert Hanley Date Added 1/13/2010 11:40 AM Modified By Pa ge 1of 2 Kewaunee ITS Conversion Database 06/24/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1771 Date Modified Pa ge 2of 2 Kewaunee ITS Conversion Database 06/24/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1771 Licensee Response/NRC Response/NRC Question Closure Id3241NRC Question Number KAB-059 Select Application NRC Question Closure Response Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation. Response Statement Question Closure Date 5/26/2010 Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 5/26/2010 11:20 AM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/24/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=3241 ITS NRC Questions Id1431NRC Question Number KAB-060 Category Technical ITS Section 3.3 ITS Number 3.3.2 DOC Number JFD Number 15 JFD Bases Number Page Number(s) 219 NRC Reviewer Supervisor Rob Elliott Technical Branch POC Barry Marcus Conf Call Requested N NRC Question On page 219 of Attachment 1, volume 8, justification for deviation 15 indicates that response time testing is not being adopted into the KPS ITS. Please explain how KPS will ensure the safety analysis is met without response time testing for TS 3.3.2 functions 1.c, 1.d, 1.e, 2.c, 4.c, 4.d, 4.e, 5.b, 6.b, 6.d, and 6.e. Attach File 1 Attach File 2 Issue Date 12/18/2009 Added By Kristy Bucholtz Date Modified Modified By Date Added 12/18/2009 1:39 PM Notification NRC/LICENSEE Supervision Pa ge 1of 1 Kewaunee ITS Conversion Database 06/24/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1431 Licensee Response/NRC Response/NRC Question Closure Id1781NRC Question Number KAB-060 Select Application Licensee Response Response Date/Time 1/13/2010 11:40 AM Closure Statement Response Statement RPS and ESFAS Response Time Testing are not being adopted into KPS ITS. This is consistent with Kewaunee's current licensing basis and current Technical Specifications. The Kewaunee USAR describes the testing principles as stated in the proposed IEEE-279, "Standard Nuclear Power Plant Protection Systems,"
August 1968. This industry standard provides guidance and requirements for conducting periodic testing of protection systems. IEEE-279-1968 does not address response time testing.
In 1975 the NRC started requiring Response Time Testing and KPS was licensed prior to 1975 without requirements for Response Time Testing. In addition, plants of KPS vintage that have implemented ITS also do not perform Response Time Testing (e.g., Ginna, Point Beach).
Additionally, the Westinghouse Owners Group developed a document, "Elimination of Periodic Protection Channel Response Time Tests," MUHP-3041 Rev. 1, dated October 6, 1998 to facilitate the removal of Response Time Testing for plants that were licensed after 1975 and subject to Response Time Testing requirements (which Kewaunee is not).
Studies like these have shown that instrumentation response time changes (increasing times), that could impact safety, do not normally vary such that they would not be detected during other surveillances (e. g. CHANNEL CALIBRATIONS). Therefore, it is the KPS position that Response Time Surveillances are not needed to ensure safety analysis assumptions are met.
Question Closure Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays
Ray Schiele Added By Robert Hanley Date Added 1/13/2010 11:42 AM Modified By Pa ge 1of 2 Kewaunee ITS Conversion Database 06/24/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1781 Date Modified Pa ge 2of 2 Kewaunee ITS Conversion Database 06/24/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1781 Licensee Response/NRC Response/NRC Question Closure Id3251NRC Question Number KAB-060 Select Application NRC Question Closure Response Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation. Response Statement Question Closure Date 5/26/2010 Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 5/26/2010 11:21 AM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/24/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=3251 ITS NRC Questions Id1491NRC Question Number KAB-061 Category Technical ITS Section 3.3 ITS Number 3.3.4 DOC Number JFD Number JFD Bases Number Page Number(s) 360 NRC Reviewer Supervisor Carl Schulten Technical Branch POC Add Name Conf Call Requested N NRC Question On page 360 of Attachment 1, volume 8, the sentence, "A function of a remote shutdown system is OPERABLE if all instrume nt and control channels needed to support the re mote shutdown syst em function are OPERABLE." has been changed to , "A function of a dedicated shutdown system is OPERABLE if all instrument s or control channels for the function are OPERABLE." The wording change, specifically the "and" to "or" changes the requirements for operability for each function. STS 3.3.4 requires the operability of all control channels and all instrumentation for each function to be operable. For example, the RCS Inventory Control function is operable when pressurizer level is operable and the charging pump control is operable. Please correct this change or provide an explan ation of the wording change.
Attach File 1 Attach File 2 Issue Date 1/20/2010 Added By Kristy Bucholtz Date Modified Modified By Date Added 1/20/2010 2:41 PM Notification NRC/LICENSEE Supervision Pa ge 1of 1 Kewaunee ITS Conversion Database 06/08/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1491 Licensee Response/NRC Response/NRC Question Closure Id1851NRC Question Number KAB-061 Select Application Licensee Response Response Date/Time 1/21/2010 12:45 PM Closure Statement Response Statement KPS changed the words from "and" to "or" since not all of the four Functions listed in ITS 3.3.4 Bases Ta ble B 3.3.4-1 include both instruments and control channels (i.e., Function 1, Reactivity Contro l). Thus, it was believed that including the word "and" implied that all Functions included controls. After further review, Kewaunee Power Station (KPS) has determined that the change is not necessary, and could wrongly imply that the other three Functions only need either the list ed instruments or the controls to be OPERABLE for the entire Function to be OPERABLE. Therefore, the word "or" will be changed back to "and" in the ITS 3.3.4 Bases for the LCO secti on. A draft markup rega rding this change is attached. This change will be reflected in the suppl ement to this section of the ITS conversion amendment.
Question Closure Date Attachment 1 KAB-061 Markup.pdf (838KB) Attachment 2 Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays
Ray Schiele Added By Robert Hanley Date Added 1/21/2010 12:49 PM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/09/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1851 Remote Shutdown System B 3.3.4 WOG STS B 3.3.4-2 Rev. 3.0, 03/31/04 Dedicated BASES
LCO The Remote Shutdown System LCO provides the OPERABILITY requirements of the instrumentation and controls necessary to place and
maintain the unit in MODE 3 from a location other than the control room. The instrumentation and controls required are listed in Table B 3.3.4-1.
The controls, instrumentation, and transfer switches are required for:
Core reactivity control (initial and long term), RCS pressure control, Decay heat removal via the AFW S ystem and the SG safety valves or SG ADVs, RCS inventory control via charging flow, and Safety support systems for the above Functions, including service water, component cooling water, and onsite power, including the diesel generators.
A Function of a Remote Shutdown System is OPERABLE if all instrument and control channels needed to support the Remote Shutdown System Function are OPERABLE. In some cases, Table B 3.3.4-1 may indicate that the required information or control capability is available from several alternate sources. In these cases, the Function is OPERABLE as long as one channel of any of the alternate inform ation or control sources is OPERABLE.
The remote shutdown instrument and control circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure the instruments and control circuits will be
OPERABLE if unit conditions require that the Remote Shutdown System be placed in operation.
APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1, 2, and 3. This is required so that the unit can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room.
This LCO is not applicable in MODE 4, 5, or 6. In these MODES, the facility is already subcritical and in a condition of reduced RCS energy. Under these conditions, considerabl e time is available to restore necessary instrument control functions if control room instruments or controls become unavailable. Dedicated Dedicated dedicated Dedicated Dedicated All changes are unless otherwise noted 1 Steam Dump System or for the s PORVs ; ; A ttachment 1, Volume 8, Rev. 0, Page 360 of 517 A ttachment 1, Volume 8, Rev. 0, Page 360 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 20 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 20 of 111 stet Licensee Response/NRC Response/NRC Question Closure Id1901NRC Question Number KAB-061 Select Application NRC Question Closure Response Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation. Response Statement Question Closure Date 1/22/2010 Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/22/2010 8:23 AM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/09/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1901 ITS NRC Questions Id1501NRC Question Number KAB-062 Category Technical ITS Section 3.3 ITS Number 3.3.6 DOC Number M-4 JFD Number JFD Bases Number Page Number(s) 413 NRC Reviewer Supervisor Carl Schulten Technical Branch POC Add Name Conf Call Requested N NRC Question On page 413 of Attachment 1, volume 8, discussion of change M04 references ITS 3.3.5. Please explain why ITS 3.3.5 is being referenced or correct the discrepancy?
Attach File 1 Attach File 2 Issue Date 1/20/2010 Added By Kristy Bucholtz Date Modified Modified By Date Added 1/20/2010 2:44 PM Notification NRC/LICENSEE Supervision Pa ge 1of 1 Kewaunee ITS Conversion Database 06/08/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1501 Licensee Response/NRC Response/NRC Question Closure Id1861NRC Question Number KAB-062 Select Application Licensee Response Response Date/Time 1/21/2010 12:50 PM Closure Statement Response Statement After further review, Kewaunee Power Station (KPS) has determined that in the reference is in error. Discussion of Change (DOC) M04 should reference ITS 3.3.6, not IT S 3.3.5. A draf t markup regarding this change is attached. This change wi ll be reflected in the supplement to this section of the ITS conversion amendment.
Question Closure Date Attachment 1 KAB-062 Markup.pdf (851KB) Attachment 2 Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays
Ray Schiele Added By Robert Hanley Date Added 1/21/2010 12:51 PM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/09/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1861 DISCUSSION OF CHANGES ITS 3.3.6, CONTAINMENT PURGE AND VENT ISOLATION INSTRUMENTATION Kewaunee Power Station Page 4 of 6 M03 CTS Table TS 4.1-1 Channel Description 19 requires a Daily instrument check of the radiation monitoring system. ITS SR 3.3.6.1 requires the performance of a CHANNEL CHECK of the required containment purge and vent isolation radiation monitors every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. This changes the CTS by requiring a check of the required containment purge and vent isolation radiation monitors more often
The purpose of the instrument check is to demonstrate that the required containment purge and vent isolation radiation monitors are OPERABLE and
capable of providing an early indication of any abnormal leakage conditions in the containment. ITS SR 3.3.6.1 provides reasonable confidence that the channel is operating properly. This change is designated more restrictive because less time is allowed between performances of the CHANNEL CHECK than was allowed in the CTS.
M04 CTS 3.5.d states, in part, that in the event of subsystem instrumentation channel failure permitted by CTS 3.5.b, then Tables TS 3.5-2 through TS 3.5-5 need not be observed for approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> while the operable channels are tested, as long as the failed channel is blocked to prevent an unnecessary reactor trip. CTS 3.5.b states, in part, that in the event of failure of a subsystem instrumentation channel, plant operation shall be permitted to continue at RATED POWER in accordance with Tables TS 3.5-2 through TS 3.5-5. ITS 3.3.5 does not contain this allowance. This changes the CTS by removing the allowance to block a failed channel.
The purpose of CTS 3.5.d is to allow time to perform testing of the operable subsystem channels without entering into the requirements specified in Tables TS 3.5-2 through TS 3.5-5. In order to perform this task, the inoperable channel must be placed in bypass. Currently, KPS does not have the ability to perform a bypass of an inoperable channel for the purpose of testing without performing a temporary alteration of the circuit. Since the installation of temporary alterations is intrusive, KPS has determined that this practice is unacceptable. Therefore KPS does not have the ability to perform testing with a channel in bypass and the allowance is not incorporated in the ITS. This change is designated as more restrictive because an allowance that wa s allowed in the CTS is not allowed in the ITS.
RELOCATED SPECIFICATIONS
None
REMOVED DETAIL CHANGES LA01 (Type 1 - Removing Details of System Design and System Description, Including Design Limits) CTS Table TS 4.1-1 Channel Description 19, Remarks Section Note (a) states that the CHECK, CALIBRATE, and TEST Frequencies for the Radiation Monitoring System are applic able only to channels R11 thru R15, R19, R21, and R23. For the Containment Purge and Vent Isolation Instrumentation Specification, only instruments R11, R12, and R21 apply. ITS 3.3.6 does not A ttachment 1, Volume 8, Rev. 0, Page 413 of 517 A ttachment 1, Volume 8, Rev. 0, Page 413 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 24 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 24 of 111 3.3.6 Licensee Response/NRC Response/NRC Question Closure Id1911NRC Question Number KAB-062 Select Application NRC Question Closure Response Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation. Response Statement Question Closure Date 1/22/2010 Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/22/2010 8:23 AM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/09/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1911 ITS NRC Questions Id1511NRC Question Number KAB-063 Category Technical ITS Section 3.3 ITS Number 3.3.2 DOC Number JFD Number JFD Bases Number Page Number(s) 221-292 NRC Reviewer Supervisor Select Technical Branch POC Add Name Conf Call Requested N NRC Question Pages 221 through 292 of Attachment 1, volume 8, are the proposed TS 3.3.2 Bases. TS 3.3.2 Bases are not consistent with the Bases in TSTF-493, Revision 4, in cluding applicable errata. Please correct the TS 3.3.2 Bases or provide an explanation of the changes.
Attach File 1 Attach File 2 Issue Date 1/20/2010 Added By Kristy Bucholtz Date Modified Modified By Date Added 1/20/2010 2:45 PM Notification NRC/LICENSEE Supervision Pa ge 1of 1 Kewaunee ITS Conversion Database 06/08/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1511 Licensee Response/NRC Response/NRC Question Closure Id1871NRC Question Number KAB-063 Select Application Licensee Response Response Date/Time 1/21/2010 12:55 PM Closure Statement Response Statement The Kewaunee Power Station (KPS)
ITS Amendment was based upon the most current revision of TSTF-493 at the time of submittal. Since the date of the submittal, a newer revision (Rev. 4) of the TSTF has been sent to the NRC for review. KPS has reviewed this revision and appropriate changes will be made. A draft markup regarding this change is attached. This change will be reflected in the suppl ement to this se ction of the ITS conversion amendment.
Question Closure Date Attachment 1 KAB-063 Markup.pdf (2MB) Attachment 2 Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays
Ray Schiele Added By Robert Hanley Date Added 1/21/2010 12:55 PM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/09/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1871 B 3.3.2 Insert Page B 3.3.2-1a INSERT 1 This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor system parameters and equipment performance. Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables that have significant safety functions. LSSS are defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective action will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a protective action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for autom atic protection channels must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur. The LSSS values are identified and maintained in the
Setpoint Control Program (SCP) controlled by 10.CFR.50.59.
REVIEWER'S NOTE ------------------------------------------- The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the calculated setting (setpoint) value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59. The term [LTSP] indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. For most Westinghouse plants the term Nominal Trip Setpoint (NTSP) is the terminology for the setpoint value calculated by means of the plant-
specific setpoint methodology documented in a document subject to 10 CFR 50.59. The term NTSP indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. The NTSP would replace LTSP in the Bases descriptions. The term field setting is terminology for the actual setpoint implemented in the plant surveillance procedures which is standard terminology for the NTSP with additional margin applied. The as-found and as-left tolerances will apply to the actual setpoint (field setting) implemented in the Surveillance procedures to confirm channel
performance.
The [NTSP] is included in the SCP. -------------------------------------------------------------------------------------------------------------------
4 8 ESFAS 10 A ttachment 1, Volume 8, Rev. 0, Page 222 of 517 A ttachment 1, Volume 8, Rev. 0, Page 222 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 28 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 28 of 111 ESFAS Where a LSSS is specified for a variable on which a safety limits has been placed, the must be chosen so used in place of the term LTSP, and NTSP will replace LTSP in the Bases descriptions. "Field setting" is the suggested terminology for the actual setpoint implemented in the plant surveillance procedures where margin has been added to the calculated.
B 3.3.2 Insert Page B 3.3.2-1b INSERT 1 (continued)
The [NTSP] specified in the SCP is a predetermined setting, plus margin, for a protection channel chosen to ensure automatic actuation prior to the process variable reaching the
Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the [NTSP] accounts for uncertainties in setting the channel (e.g., calibration), uncertainties in how the channel might actually perform (e.g., repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the [NTSP] ensures that SLs are not exceeded. Therefore, the [NTSP]
meets the definition of an LSSS (Ref. 1).
Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety functions(s)." Relying solely on the [NTSP] to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were appli ed as an OPERABILITY limit for the "as-found" value of a protection channel setting during a surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessa ry to ensure safety. For example, an automatic protection channel with a setting that has been found to be different from the [NTSP] due to some drift of the setting may still be OPERABLE since drift is to be
expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [NTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protection channel. Therefore, the channel would still be OPERABLE since it would
have performed its safety function and the onl y corrective action required would be to reset the channel to the [NTSP] to account for fu rther drift during the next surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).
However, there is also some point bey ond which the channel would have not been able to perform its function due to, for example, greater than expected drift. The Allowable Value specified in the SCP is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). As such, the A llowable Value differs from the [NTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the channel will ensure that a SL is not exceeded at any given point of time as long as the channel has not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).
6 6 11 9 10 6 A ttachment 1, Volume 8, Rev. 0, Page 223 of 517 A ttachment 1, Volume 8, Rev. 0, Page 223 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 29 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 29 of 111 within the established as-left tolerance around the
[NTSP] to account for further drift during the next surveillance interval.6 B 3.3.2 Insert Page B 3.3.2-1c INSERT 1 (continued)
If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE.
However, a potential degraded condition has been identified. During the SR performance, the condition of the channel will be evaluated. This evaluation will consist of resetting the channel setpoint to the [LTSP] (within the allowed tolerance), and the
channel's response evaluated. If the channel is functioning as required and expected to pass the next surveillance, then the channel can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel's as-found setting will be entered into the Corrective Action Program for further evaluation. If any of the above-described evaluations determine that the channel is not performing as expected the channel is degraded because it may not pass its next surveillance test. If the channel setpoint can not be reset to the [LTSP], it is inoperable.
If the actual setting of the channel is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable. This requires corrective action including those actions require d by 10 CFR 50.36 when automatic protection channels do not function as required.
During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:
- 1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB),
- 2. Fuel centerline melt shall not occur, and
Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 criteria during AOOs.
Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident categories are allowed a different fraction of these limits, based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However the acceptable dose limit for an accident category and their associated [NTSPs] are not considered to be LSSS as defined in 10 CFR 50.36.
6 10 6 6 50.67 1 1 A ttachment 1, Volume 8, Rev. 0, Page 224 of 517 A ttachment 1, Volume 8, Rev. 0, Page 224 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 30 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 30 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-2 Rev. 3.0, 03/31/04 BASES
BACKGROUND (continued)
Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS). In some cases, the same channels also provide control system inputs. To account for calibration tolerances and instrument drift, which are
assumed to occur between calibration s, statistical allowances are provided in the Trip Setpoint and Allowable Values. The OPERABILITY
of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor, as related to the
channel behavior observed duri ng performance of the CHANNEL CHECK.
Signal Processing Equipment Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. These setpoints are defined in FSAR, Chapter [6] (Ref. 1), Chapter [7] (Ref. 2), and Chapter [15] (Ref. 3). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.
Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic. All changes are unless otherwise noted 1 six Protection P logic relay cabinets 3 U 14 ESF logic relays ESF logic relays 6 [NTSP] [NTSPs] [NTSPs] 10 10 10 A ttachment 1, Volume 8, Rev. 0, Page 225 of 517 A ttachment 1, Volume 8, Rev. 0, Page 225 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 31 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 31 of 111 Anal y tical Limits NTSPs derived from Analytical Limits Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-3 Rev. 3.0, 03/31/04 BASES
BACKGROUND (continued)
Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.
These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in
Reference 2.
Allowable Values and ESFAS Setpoints The trip setpoints used in the bistabl es are based on the analytical limits stated in Reference 2. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instru ment drift, and severe environment errors for those ESFAS channels that must function in harsh
environments as defined by 10 CFR 50.49 (Ref. 5), the Allowable Values specified in Table 3.3.2-1 in the acco mpanying LCO are conservative with respect to the analytical limits. A detailed description of the methodology used to calculate the Allowable Values and ESFAS setpoints including their explicit uncertainties, is provided in the plant
specific setpoint methodology study (Ref.
- 6) which incorporates all of the known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each ESFAS setpoint and corresponding Allowable Value. The nominal ESFAS setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account fo r measurement errors detectable by the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.
The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS setpoint value ensures the safety analysis limits are met for the surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" setpoint value is within the band for CHANNEL a protection function 1 3 1 analytical limits The as-left tolerance and as-found tolerance band methodology is provided in the SCP. [NTSP] [NTSP] is the value
[NTSPs] [NTSP] is the LSSS and
[NTSP] as-left tolerance
[NTSPs] 10 10 10 the SCP as-found trip setpoint A ttachment 1, Volume 8, Rev. 0, Page 226 of 517 A ttachment 1, Volume 8, Rev. 0, Page 226 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 32 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 32 of 111 calculation the Nominal Trip Setpoints
,
Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-4 Rev. 3.0, 03/31/04 BASES
BACKGROUND (continued)
CALIBRATION uncertainty allowance (i.e., calibration tolerance uncertainties). The ESFAS setpoint value is therefore considered a "nominal value" (i.e., expressed as a value without inequalities) for the purposes of the COT and CHANNEL CALIBRATION.
Setpoints adjusted consistent with the requirements of the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed.
Each channel can be tested on line to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements of Reference 2. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field
instrument signal. The process equip ment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.
Solid State Protection System
The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result.
Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.
The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.
The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via
master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.
3 +/- rack and comparator setting
[NTSP] [Nominal Trip Setpoints] in conjunction with the use of as-found and as-left tolerances together Note that the Allowable Values listed in the SCP are the least conservative value of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION, COT, or a TADOT that re quires tri p set point verification.
10 the SCP provided 8 A ttachment 1, Volume 8, Rev. 0, Page 227 of 517 A ttachment 1, Volume 8, Rev. 0, Page 227 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 33 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 33 of 111
,
Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-5 Rev. 3.0, 03/31/04 BASES
BACKGROUND (continued)
Each SSPS train has a built in te sting device that can automatically test the decision logic matrix functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to
minimize testing time.
The actuation of ESF components is accomplished through master and
slave relays. The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and
applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay.
REVIEWERS NOTE------------------------------------------ No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.
APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO, for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. For example, Pressuri zer Pressure - Low is a primary actuation signal for small loss of co olant accidents (LOCAs) and a backup actuation signal for steam line br eaks (SLBs) outside containment. Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).
break 4 1 channel channel channels 1 channels 1 3 channels 10 10 10 A ttachment 1, Volume 8, Rev. 0, Page 228 of 517 A ttachment 1, Volume 8, Rev. 0, Page 228 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 34 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 34 of 111 STET STET STET B 3.3.2 Insert Page B 3.3.2-6a INSERT 2 Permissive and interlock setpoints allow the blocking of trips during plant startups, and restoration of trips when the permissive conditions are not satisfied, but they are not explicitly modeled in the Safety Analyses. These permissives and interlocks ensure that the starting conditions are consistent wi th the safety analysis, before preventive or mitigating actions occur. Because these permissives or interlocks are only one of
multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy, (i.e., the value indicated is sufficiently close to the nece ssary value to ensure proper operation of the safety systems to turn the AOO).
INSERT 3 The Allowable Value specified in the SCP is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL CALIBRATION or CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the [NTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the channel ([NTSP]) will ensure that a SL is not exceeded at any given point of time as long as the channel has not drifted beyond that expected during the surveillance interval.
Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statist ical allowances of the uncertainty terms assigned (as-found criteria).
If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but a degraded condition has been identified. During the SR performance, the condition of the channel will be evaluated. This evaluation will consist of resetting the channel setpoint to the [NTSP] (within the allowed tolerance) and determining that the channel is performing as expected. At the completion of the SR, operations will confirm the SR results and determine the channel condition. If the channel is functioning as required and expected to pass the next surveillance, then the channel can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel's as-found setting will be entered into the Corrective Action Program for further evaluation.
If the channel is not performing as expec ted the channel is degraded because it may not pass its next surveillance test. If the channel setpoint cannot be reset to the [NTSP], it is inoperable.
6 6 6 10 10 A ttachment 1, Volume 8, Rev. 0, Page 230 of 517 A ttachment 1, Volume 8, Rev. 0, Page 230 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 35 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 35 of 111 within the as-found tolerance and is tolerances The degraded condition of the channel will be evaluated during performance of the SR.evaluating the channel response.
B 3.3.2 Insert Page B 3.3.2-6b INSERT 3 (continued)
A trip setpoint may be set more conservative than the [NTSP] as necessary in response to plant conditions. However, in this case, the operability of the instrument must be verified based on the [field setting] and not the NTSP. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.
If the actual setting of the channel is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable. This requires corrective action including those actions require d by 10 CFR 50.36 when automatic protection channels do not function as required.
6 10 6 A ttachment 1, Volume 8, Rev. 0, Page 231 of 517 A ttachment 1, Volume 8, Rev. 0, Page 231 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 36 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 36 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-12 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
(2) Steam Line Pressure - High Differential Pressure Between Steam Lines Steam Line Pressure - High Differential Pressure Between
Steam Lines provides pr otection against the following accidents:
SLB, Feed line break, and Inadvertent opening of an SG relief or an SG safety valve. Steam Line Pressure - High Differential Pressure Between
Steam Lines provides no input to any control functions.
Thus, three OPERABLE channels on each steam line are sufficient to satisfy the requirements, with a two-out-of-three logic on each steam line.
With the transmitters typically located inside the steam tunnels, it is possible for them to experience adverse
environmental conditions during an SLB event. Therefore, the Trip Setpoint reflects both steady state and adverse environmental instrument uncertainties. Steam line high
differential pressure must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is not sufficient energy in the secondary side of the unit to cause an accident.
f, g. Safety Injection - High Steam Flow in Two Steam Lines Coincident With Tavg - Low Low or Coincident With Steam Line Pressure - Low These Functions (1.f and 1.g) provide protection against the
following accidents:
SLB, and the inadvertent opening of an SG relief or an SG safety valve. 5 [NTSP] 10 A ttachment 1, Volume 8, Rev. 0, Page 239 of 517 A ttachment 1, Volume 8, Rev. 0, Page 239 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 37 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 37 of 111 STET STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-14 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
With the transmitters typically located inside the containment (Tavg) or inside the steam tunnels (High Steam Flow), it is possible for them to experience adverse steady state
environmental conditions during an SLB event. Therefore, the Trip Setpoint reflects both steady state and adverse
environmental instrument uncertainties. The Steam Line Pressure - Low signal was discussed previously under Function 1.e.(1).
This Function must be OPERABLE in MODES 1, 2, and 3 (above P-12) when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). This signal may be manually blocked by the operator when below the P-12 setpoint. Above P-12, this Function is automatically unblocked. This Function is not required
OPERABLE below P-12 because the r eactor is not critical, so feed line break is not a concern. SLB may be addressed by Containment Pressure High 1 (inside containment) or by High Steam Flow in Two Steam Lines coincident with Steam Line
Pressure - Low, for Steam Line Isolation, followed by High Differential Pressure Between Two Steam Lines, for SI. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an accident.
- 2. Containment Spray Containment Spray provides three primary functions:
- 1. Lowers containment pressure and temperature after an HELB in containment,
- 2. Reduces the amount of radioactive iodine in the containment atmosphere, and
These functions are necessary to:
Ensure the pressure boundary integrity of the containment structure, a LOCA or main steam line break
- ; ; 5 1 2 2 2 [NTSP] 10 spray water and the 1 A ttachment 1, Volume 8, Rev. 0, Page 241 of 517 A ttachment 1, Volume 8, Rev. 0, Page 241 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 38 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 38 of 111 STET STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-18 Rev. 3.0, 03/31/04 All changes are 1 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
CCW is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers and air or oil coolers. All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE 4.
Manual Phase A Containment Isolation is accomplished by either of two switches in the control room. Either switch actuates both trains.
Note that manual actuation of Phase A Containment Isolation also actuates Containment Purge and Exhaust Isolation.
depressingpushbuttonpushbutton Ventilation The Phase B signal isolates CCW. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an SLB. For these events, forced circulation using the RCPs is no longer desirable. Isolating the CCW at the higher pressure does not pose a challenge to the containment boundary because the CCW
System is a closed loop inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the system is continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation
demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint. Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment.
Therefore, the combination of CCW System design and Phase B isolation ensures the CCW System is not a potential path for
radioactive release from containment.
Phase B containment isolation is actuated by Containment Pressure - High 3 or Containment Pressure - High High, or manually, via the
automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure - High 3 or Containment Pressure - High High, a large break LOCA or SLB must have occurred and containment spray must have been actuated. RCP operation will no longer be required and
CCW to the RCPs is, therefore, no longer necessary. The RCPs can be operated with seal injection flow alone and without CCW flow to the thermal barrier heat exchanger.
Manual Phase B Containment Isolation is accomplished by the same switches that actuate Containment Spray. When the two switches in either set are turned simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in both trains.
10 7 A ttachment 1, Volume 8, Rev. 0, Page 246 of 517 A ttachment 1, Volume 8, Rev. 0, Page 246 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 39 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 39 of 111 STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-23 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Steam Line Pressure - Low Function must be OPERABLE in MODES 1, 2, and 3 (above P-11), with any main steam valve open, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11 setpoint. Below P-11, an inside containment SLB will be terminated by automatic actuation via Containment Pressure - High 2. Stuck valve transients and outside containment SLBs will be terminated by the Steam Line Pressure - Negative Rate - High signal for Steam Line Isolation below P-11 when SI has been manually blocked. The Steam Line Isolation Functi on is required in MODES 2 and 3 unless all MSIVs are closed and [de-activated]. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insuffici ent energy in the secondary side of the unit to have an accident.
(2) Steam Line Pressure - Negative Rate - High Steam Line Pressure - Negative Rate - High provides closure of the MSIVs for an SLB when less than the P-11 setpoint, to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. When the operator manually blocks the Steam Line Pressure - Low main steam isolation signal
when less than the P-11 setpoint, the Steam Line Pressure -
Negative Rate - High signal is automatically enabled.
Steam Line Pressure - Negative Rate - High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy requirements with a two-
out-of-three logic on each steam line.
Steam Line Pressure - Negative Rate - High must be OPERABLE in MODE 3 when less than the P-11 setpoint, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). In MODES 1 and 2, and in MODE 3, when above the P-11 setpoint, this signal is automati cally disabled and the Steam Line Pressure - Low signal is automatically enabled. The 5 10 A ttachment 1, Volume 8, Rev. 0, Page 252 of 517 A ttachment 1, Volume 8, Rev. 0, Page 252 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 40 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 40 of 111 STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-24 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and [de-activated]. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to have an SLB or other accident that would result in a release of significant enough quantities of energy to cause a cooldown of the RCS.
While the transmitters may experience elevated ambient temperatures due to an SLB, the trip function is based on
rate of change, not the absolute accuracy of the indicated steam pressure. Therefore, the Trip Setpoint reflects only steady state instrument uncertainties.
e, f. Steam Line Isolation - High Steam Flow in Two Steam Lines Coincident with Tavg - Low Low or Coincident With Steam Line Pressure - Low (Three and Four Loop Units)
These Functions (4.e and 4.f) provide closure of the MSIVs
during an SLB or inadvertent opening of an SG relief or a safety valve, to maintain at least one unfaulted SG as a heat sink for the reactor and to limit the mass and energy release to containment.
These Functions were discussed previously as Functions 1.f.
and 1.g. These Functions must be OPERABLE in MODES 1 and 2, and in MODE 3, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines unless all MSIVs are closed and [de-activated]. These Functions are not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.
- g. Steam Line Isolation - High Steam Flow Coincident With Safety Injection and Coincident With Tavg - Low Low (Two Loop Units)
This Function provides closure of the MSIVs during an SLB or inadvertent opening of an SG relief or safety valve to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.
d 5 5 [NTSP] 10 10 10 10 A ttachment 1, Volume 8, Rev. 0, Page 253 of 517 A ttachment 1, Volume 8, Rev. 0, Page 253 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 41 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 41 of 111 STET STET STET STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-25 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Two steam line flow channels per steam line are required OPERABLE for this Function. These are combined in a one-out-of-two logic to indicate high steam flow in one steam line. The
steam flow transmitters provide control inputs, but the control
function cannot cause the events that the function must protect against. Therefore, two channels are sufficient to satisfy redundancy requirements. The one-out-of-two configuration allows online testing because trip of one high steam flow channel is not sufficient to cause initiation.
The High Steam Flow Al 25% of full steam flow at no load steam pressure. The Trip Setpoint is similarly calculated.
With the transmitters (d/p cells) typically located inside the steam tunnels, it is possible for them to experience adverse
environmental conditions during an SLB event. Therefore, the Trip Setpoints reflect both steady state and adverse environmental instrument uncertainties.
The main steam line isolates only if the high steam flow signal occurs coincident with an SI and low low RCS average temperature. The Main Steam Line Isolation Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.
Two channels of Tavg per loop are required to be OPERABLE.
The Tavg channels are combined in a logic such that two channels tripped cause a trip for the parameter. The accidents that this Function protects against cause reduction of Tavg in the entire primary system.
Therefore, the provision of two OPERABLE channels per loop in a two-out-of-four configuration ensures no single random failure disables the T avg - Low Low Function. The Tavg channels provide control inputs, but the control function cannot initiate events that the Function acts to mitigate. Therefore, additional channels are not required to
address control protection interaction issues.
With the Tavg resistance temperature detectors (RTDs) located inside the containment, it is possible for them to experience
adverse environmental conditions during an SLB event.
Therefore, the Trip Setpoint reflects both steady state and adverse environmental instrumental uncertainties.
normal All changes are unless otherwise noted 1 INSERT 8 [NTSP] [NTSP] However, the channel statistical allowance calculation does not consider any environmental allowance as part of the instrument uncertainty, since the function is assumed to be performed prior to the time that adverse conditions can affect the Function.
10 10 11 a 8 8 s A ttachment 1, Volume 8, Rev. 0, Page 254 of 517 A ttachment 1, Volume 8, Rev. 0, Page 254 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 42 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 42 of 111 STET STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-32 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) sensed by any one of the switches will cause the emergency supply of water for both pumps to be aligned, or cause the AFW pumps to stop until the emergency source of water is aligned.
ESW (safety grade) is then lined up to supply the AFW pumps to
ensure an adequate supply of water for the AFW System to maintain at least one of the SGs as the heat sink for reactor decay heat and sensible heat removal.
Since the detectors are located in an area not affected by HELBs or high radiation, they will not experience any adverse
environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties.
This Function must be OPERABLE in MODES 1, 2, and 3 to ensure a safety grade supply of water for the AFW System to maintain the SGs as the heat sink for the reactor. This Function does not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW automatic suction transfer does not need to be OPERABLE because RHR
will already be in operation, or sufficient time is available to place RHR in operation, to remove decay heat.
- 7. Automatic Switchover to Containment Sump At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. The low head residual heat removal (RHR) pumps and containment spray
pumps draw the water from the containment recirculation sump, the RHR pumps pump the water through the RHR heat exchanger, inject the water back into the RCS, and supply the cooled water to the other ECCS pumps. Switchover from the RWST to the containment sump must occur before the RWST empties to prevent damage to the RHR pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in
the containment sump to support ESF pump suction. Furthermore, early switchover must not occur to ensure that sufficient borated water is injected from the RWST. This ensures the reactor remains shut down in the recirculation mode. INSERT 12 All changes are unless otherwise noted 1 5 [NTSP] 10 5 A ttachment 1, Volume 8, Rev. 0, Page 265 of 517 A ttachment 1, Volume 8, Rev. 0, Page 265 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 43 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 43 of 111 STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-33 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
b, c. Automatic Switchover to Containment Sump - Refueling Water Storage Tank (RWST) Level - Low Low Coincident With Safety Injection and Coincident With Containment Sump Level - High During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low low level in the RWST coincident with an SI signal prov ides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The RWST is equipped with four level transmitters. These transmitters provide no control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for
increased reliability.
The RWST - Low Low Allowable Value/Trip Setpoint has both upper and lower limits. The lower limit is selected to ensure switchover occurs before the RWST empties, to prevent ECCS pump damage. The upper limit is selected to ensure enough borated water is injected to ensure the reactor remains shut
down. The high limit also ensur es adequate water inventory in the containment sump to provide ECCS pump suction.
The transmitters are located in an area not affected by HELBs or post accident high radiation. Thus, they will not experience any
adverse environmental conditions and the Trip Setpoint reflects
only steady state instrument uncertainties.
Automatic switchover occurs only if the RWST low low level signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempting to take suction from an empty sump. The automatic swit chover Function requirements for the SI Functions are the same as the requirements for their SI
function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.
5 [NTSP] 10 A ttachment 1, Volume 8, Rev. 0, Page 268 of 517 A ttachment 1, Volume 8, Rev. 0, Page 268 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 44 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 44 of 111 STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-34 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
REVIEWERS NOTE------------------------------- In some units, additional protection from spurious switchover is provided by requiring a Containment Sump Level - High signal as well as RWST Level - Low Low and SI. This ensures sufficient water is available in containment to support the recirculation phase of the accident. A Containment Sump Level - High signal must be present, in addition to the SI signal and the RWST Level - Low Low signal, to transfer the suctions of the RHR pumps to the containment sump. The containment sump is equipped with four level transmitters.
These transmitters provide no control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability. The containment sump level Trip Setpoint/Allowable Value is selected to ensure enough borated water is injected to ensure the reactor remains
shut down. The high limit also ensures adequate water inventory in the containment sump to provide ECCS pum p suction. The transmitters are located inside containment and thus possibly experience adverse environmental conditions. Therefore, the trip setpoint reflects the inclusion of both steady state and envi ronmental instrument uncertainties.
Units only have one of the Functions, 7.b or 7.c. --------------------------------------------------------------------------------------------------
These Functions must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 5 and 6
because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps, and other equipment to mitigate the consequences of an
abnormal condition or accident. System pressure and temperature are very low and many ESF components are
administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
- 8. Engineered Safety Feature Actuation System Interlocks To allow some flexibility in unit operations, several interlocks are included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent some actions from occurring, and cause other actions to occur. The
interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety
analyses.
an is s 4 5 1 [NTSP] 10 A ttachment 1, Volume 8, Rev. 0, Page 269 of 517 A ttachment 1, Volume 8, Rev. 0, Page 269 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 45 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 45 of 111 STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-36 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with which to associate a Trip Setpoint and Allowable Value.
This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because the main turbine, the MFW System, and the Steam
Dump System are not in operation.
- b. Engineered Safety Feature Actuation System Interlocks -
Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and
depressurization without actuation of SI or main steam line isolation. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure -
Low steam line isolation signal (previously discussed). When the
Steam Line Pressure - Low steam line isolation signal is manually blocked, a main steam isolation signal on Steam Line Pressure - Negative Rate - High is enabled. This provides
protection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure - Low steam line isolation signal are automatically enabled.
The operator can also enable these trips by use of the respective manual reset buttons. When the Steam Line Pressure - Low steam line isolation signal is
enabled, the main steam isolation on Steam Line Pressure - Negative Rate - High is disabled. The Trip Setpoint reflects only steady state instrument uncertainties.
This Function must be OPERABLE in MODES 1, 2, and 3 to allow an orderly cooldown and depressurization of the unit without the actuation of SI or main steam isolation. This
Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves
to be met.
5 [NTSP] [NTSP] 10 10 A ttachment 1, Volume 8, Rev. 0, Page 271 of 517 A ttachment 1, Volume 8, Rev. 0, Page 271 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 46 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 46 of 111 STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-38 Rev. 3.0, 03/31/04 BASES
ACTIONS (continued)
In the event a channel's Trip Setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument Loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.
When the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.
REVIEWERS NOTE------------------------------------------
Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.
A.1 Condition A applies to all ESFAS protection functions.
Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.
B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:
SI, Containment Spray, Phase A Isolation, and Phase B Isolation.
Containment
- ; and 4 2 2 5 5 [NTSP] 10 A ttachment 1, Volume 8, Rev. 0, Page 273 of 517 A ttachment 1, Volume 8, Rev. 0, Page 273 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 47 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 47 of 111 or the channel is not functioning as required, 10 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-50 Rev. 3.0, 03/31/04 BASES
SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.2.4 SR 3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. This test is performed every 92 days on a STAGGERED TEST BASIS. The time allowed for the testing (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) is justified in Reference 11. The Frequency of 92 days is justified in Reference 9.
SR 3.3.2.5 is the performance of a COT.
A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Setpoints must be found
within the Allowable Values specified in Table 3.3.1-1. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.
The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.
The "as found" and "as left" values must also be recorded and reviewed for consistency with the a ssumptions of Reference 6.
The Frequency of 184 days is justified in Reference 11.
10 4 5 5 5 10 10 in accordance with the SCP conservative with respect to the Allowable Values as controlled by the SCP The SCP establishes the necessary controls for properly maintaining the applicable ESFAS instrumentation channels.
Move SR 3.3.2.3 from page B 3.3.2-51 to here A ttachment 1, Volume 8, Rev. 0, Page 287 of 517 A ttachment 1, Volume 8, Rev. 0, Page 287 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 48 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 48 of 111 The test is performed in accordance with the SCP. If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded. The degraded condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the [NTSP] (within the allowed tolerance), and evaluating the channel response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
10 10 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-51 Rev. 3.0, 03/31/04 BASES
SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.2.6 SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is
verified in one of two ways. Actuation equipment that may be operated in the design mitigation MODE is either allowed to function, or is placed in a condition where the relay contact operation can be verified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation MODE is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay. This test is performed every [92] days. The Frequency is adequate, based on industry operating experience, c onsidering instrument reliability and operating history data.
SR 3.3.2.7 SR 3.3.2.7 is the performance of a TADOT every [92] days. This test is a check of the Loss of Offsite Power, Undervoltage RCP, and AFW Pump Suction Transfer on Suction Pressure - Low Functions. Each Function is tested up to, and including, the master transfer relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This
clarifies what is an acceptable TADO T of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.
The test also includes trip devices that provide actuation signals directly to the SSPS. The SR is modified by a Note that excludes verification of setpoints for relays. Relay setpoints require elaborate bench calibration and are verified during CHANNEL CALIBRATION. The Frequency is adequate. It is based on industry operating experience, considering instrument reliability and operating history data.
3 5 5 5 6 1 channels 10 Move to previous page before SR 3.3.2.4 A ttachment 1, Volume 8, Rev. 0, Page 288 of 517 A ttachment 1, Volume 8, Rev. 0, Page 288 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 49 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 49 of 111 STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-52 Rev. 3.0, 03/31/04 BASES
SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.2.8 SR 3.3.2.8 is the performance of a TADOT. This test is a check of the Manual Actuation Functions and AFW pump start on trip of all MFW
pumps. It is performed every [18] months. Each Manual Actuation Function is tested up to, and including, the master relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Frequency is adequate, based on industry operating experience and is consistent with the typical refueling cycle. The SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation Functions. The manual initiation Functions have no associated setpoints.
SR 3.3.2.9 SR 3.3.2.9 is the performance of a CHANNEL CALIBRATION.
A CHANNEL CALIBRATION is per formed every [18] months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter within the necessary range and accuracy.
CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology. The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology.
The Frequency of [18] months is based on the assumption of an
[18] month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.
This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values
where applicable.
5 6 5 5 6 5 5 6 6 SCP. The SCP establishes the necessary controls for properly maintaining the applicable ESFAS instrumentation channels.
10 in accordance 10 A ttachment 1, Volume 8, Rev. 0, Page 289 of 517 A ttachment 1, Volume 8, Rev. 0, Page 289 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 50 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 50 of 111 INSERT for ISTS SR 3.3.2.8 INSERT for ISTS SR 3.3.2.9 10 10 INSERT for ISTS SR 3.3.2.8 The test is performed in accordance with the SCP. If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded. The degraded condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the [NTSP] (within the allowed tolerance), and evaluating the channel response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
INSERT for ISTS SR 3.3.2.9 The test is performed in accordance with the SCP. If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded. The degraded condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the [NTSP] (within the allowed tolerance), and evaluating the channel response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 51 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 51 of 111 10 10 Licensee Response/NRC Response/NRC Question Closure Id2241NRC Question Number KAB-063 Select Application Licensee Response Response Date/Time 2/18/2010 4:00 PM Closure Statement Response Statement KPS has reviewed the errata to TSTF-493, Rev. 4 and de termined that the draft markup attached to the previous KPS response to KAB-065 did not include a few minor changes. A draf t markup regarding these changes is attached, and supersedes the previous draft markup. Changes from the previous markup are identified in red (see pages 1 and 10 of the attachment). These changes will be reflected in the supplement to this section of the ITS conversion amendment.
Question Closure Date Attachment 1 KAB-063, Rev. 1 Markup.pdf (2MB) Attachment 2 Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays David Mielke
Ray Schiele Added By Robert Hanley Date Added 2/18/2010 4:00 PM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/09/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=2241 B 3.3.2 Insert Page B 3.3.2-1a INSERT 1 This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor system parameters and equipment performance. Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables that have significant safety functions. LSSS are defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective action will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a protective action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for autom atic protection channels must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur. The LSSS values are identified and maintained in the
Setpoint Control Program (SCP) controlled by 10.CFR.50.59.
REVIEWER'S NOTE ------------------------------------------- The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the calculated setting (setpoint) value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59. The term [LTSP] indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. For most Westinghouse plants the term Nominal Trip Setpoint (NTSP) is the terminology for the setpoint value calculated by means of the plant-
specific setpoint methodology documented in a document subject to 10 CFR 50.59. The term NTSP indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. The NTSP would replace LTSP in the Bases descriptions. The term field setting is terminology for the actual setpoint implemented in the plant surveillance procedures which is standard terminology for the NTSP with additional margin applied. The as-found and as-left tolerances will apply to the actual setpoint (field setting) implemented in the Surveillance procedures to confirm channel
performance.
The [NTSP] is included in the SCP. -------------------------------------------------------------------------------------------------------------------
4 8 ESFAS 10 A ttachment 1, Volume 8, Rev. 0, Page 222 of 517 A ttachment 1, Volume 8, Rev. 0, Page 222 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 53 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 53 of 111 ESFAS Where a LSSS is specified for a variable on which a safety limit has been placed, the must be chosen so used in place of the term LTSP, and NTSP will replace LTSP in the Bases descriptions. "Field setting" is the suggested terminology for the actual setpoint implemented in the plant surveillance procedures where margin has been added to the calculated.
field field setting B 3.3.2 Insert Page B 3.3.2-1b INSERT 1 (continued)
The [NTSP] specified in the SCP is a predetermined setting, plus margin, for a protection channel chosen to ensure automatic actuation prior to the process variable reaching the
Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the [NTSP] accounts for uncertainties in setting the channel (e.g., calibration), uncertainties in how the channel might actually perform (e.g., repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the [NTSP] ensures that SLs are not exceeded. Therefore, the [NTSP]
meets the definition of an LSSS (Ref. 1).
Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety functions(s)." Relying solely on the [NTSP] to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were appli ed as an OPERABILITY limit for the "as-found" value of a protection channel setting during a surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessa ry to ensure safety. For example, an automatic protection channel with a setting that has been found to be different from the [NTSP] due to some drift of the setting may still be OPERABLE since drift is to be
expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [NTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protection channel. Therefore, the channel would still be OPERABLE since it would
have performed its safety function and the onl y corrective action required would be to reset the channel to the [NTSP] to account for fu rther drift during the next surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).
However, there is also some point bey ond which the channel would have not been able to perform its function due to, for example, greater than expected drift. The Allowable Value specified in the SCP is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). As such, the A llowable Value differs from the [NTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the channel will ensure that a SL is not exceeded at any given point of time as long as the channel has not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).
6 6 11 9 10 6 A ttachment 1, Volume 8, Rev. 0, Page 223 of 517 A ttachment 1, Volume 8, Rev. 0, Page 223 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 54 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 54 of 111 within the established as-left tolerance around the
[NTSP] to account for further drift during the next surveillance interval.6 B 3.3.2 Insert Page B 3.3.2-1c INSERT 1 (continued)
If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE.
However, a potential degraded condition has been identified. During the SR performance, the condition of the channel will be evaluated. This evaluation will consist of resetting the channel setpoint to the [LTSP] (within the allowed tolerance), and the
channel's response evaluated. If the channel is functioning as required and expected to pass the next surveillance, then the channel can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel's as-found setting will be entered into the Corrective Action Program for further evaluation. If any of the above-described evaluations determine that the channel is not performing as expected the channel is degraded because it may not pass its next surveillance test. If the channel setpoint can not be reset to the [LTSP], it is inoperable.
If the actual setting of the channel is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable. This requires corrective action including those actions require d by 10 CFR 50.36 when automatic protection channels do not function as required.
During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:
- 1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB),
- 2. Fuel centerline melt shall not occur, and
Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 criteria during AOOs.
Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident categories are allowed a different fraction of these limits, based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However the acceptable dose limit for an accident category and their associated [NTSPs] are not considered to be LSSS as defined in 10 CFR 50.36.
6 10 6 6 50.67 1 1 A ttachment 1, Volume 8, Rev. 0, Page 224 of 517 A ttachment 1, Volume 8, Rev. 0, Page 224 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 55 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 55 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-2 Rev. 3.0, 03/31/04 BASES
BACKGROUND (continued)
Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS). In some cases, the same channels also provide control system inputs. To account for calibration tolerances and instrument drift, which are
assumed to occur between calibration s, statistical allowances are provided in the Trip Setpoint and Allowable Values. The OPERABILITY
of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor, as related to the
channel behavior observed duri ng performance of the CHANNEL CHECK.
Signal Processing Equipment Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. These setpoints are defined in FSAR, Chapter [6] (Ref. 1), Chapter [7] (Ref. 2), and Chapter [15] (Ref. 3). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.
Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic. All changes are unless otherwise noted 1 six Protection P logic relay cabinets 3 U 14 ESF logic relays ESF logic relays 6 [NTSP] [NTSPs] [NTSPs] 10 10 10 A ttachment 1, Volume 8, Rev. 0, Page 225 of 517 A ttachment 1, Volume 8, Rev. 0, Page 225 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 56 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 56 of 111 Anal y tical Limits NTSPs derived from Analytical Limits Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-3 Rev. 3.0, 03/31/04 BASES
BACKGROUND (continued)
Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.
These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in
Reference 2.
Allowable Values and ESFAS Setpoints The trip setpoints used in the bistabl es are based on the analytical limits stated in Reference 2. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instru ment drift, and severe environment errors for those ESFAS channels that must function in harsh
environments as defined by 10 CFR 50.49 (Ref. 5), the Allowable Values specified in Table 3.3.2-1 in the acco mpanying LCO are conservative with respect to the analytical limits. A detailed description of the methodology used to calculate the Allowable Values and ESFAS setpoints including their explicit uncertainties, is provided in the plant
specific setpoint methodology study (Ref.
- 6) which incorporates all of the known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each ESFAS setpoint and corresponding Allowable Value. The nominal ESFAS setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account fo r measurement errors detectable by the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.
The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS setpoint value ensures the safety analysis limits are met for the surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" setpoint value is within the band for CHANNEL a protection function 1 3 1 analytical limits The as-left tolerance and as-found tolerance band methodology is provided in the SCP. [NTSP] [NTSP] is the value
[NTSPs] [NTSP] is the LSSS and
[NTSP] as-left tolerance
[NTSPs] 10 10 10 the SCP as-found trip setpoint A ttachment 1, Volume 8, Rev. 0, Page 226 of 517 A ttachment 1, Volume 8, Rev. 0, Page 226 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 57 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 57 of 111 calculation the Nominal Trip Setpoints
,
Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-4 Rev. 3.0, 03/31/04 BASES
BACKGROUND (continued)
CALIBRATION uncertainty allowance (i.e., calibration tolerance uncertainties). The ESFAS setpoint value is therefore considered a "nominal value" (i.e., expressed as a value without inequalities) for the purposes of the COT and CHANNEL CALIBRATION.
Setpoints adjusted consistent with the requirements of the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed.
Each channel can be tested on line to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements of Reference 2. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field
instrument signal. The process equip ment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.
Solid State Protection System
The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result.
Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.
The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.
The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via
master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.
3 +/- rack and comparator setting
[NTSP] [Nominal Trip Setpoints] in conjunction with the use of as-found and as-left tolerances together Note that the Allowable Values listed in the SCP are the least conservative value of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION, COT, or a TADOT that re quires tri p set point verification.
10 the SCP provided 8 A ttachment 1, Volume 8, Rev. 0, Page 227 of 517 A ttachment 1, Volume 8, Rev. 0, Page 227 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 58 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 58 of 111
,
Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-5 Rev. 3.0, 03/31/04 BASES
BACKGROUND (continued)
Each SSPS train has a built in te sting device that can automatically test the decision logic matrix functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to
minimize testing time.
The actuation of ESF components is accomplished through master and
slave relays. The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and
applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay.
REVIEWERS NOTE------------------------------------------ No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.
APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO, for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. For example, Pressuri zer Pressure - Low is a primary actuation signal for small loss of co olant accidents (LOCAs) and a backup actuation signal for steam line br eaks (SLBs) outside containment. Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).
break 4 1 channel channel channels 1 channels 1 3 channels 10 10 10 A ttachment 1, Volume 8, Rev. 0, Page 228 of 517 A ttachment 1, Volume 8, Rev. 0, Page 228 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 59 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 59 of 111 STET STET STET B 3.3.2 Insert Page B 3.3.2-6a INSERT 2 Permissive and interlock setpoints allow the blocking of trips during plant startups, and restoration of trips when the permissive conditions are not satisfied, but they are not explicitly modeled in the Safety Analyses. These permissives and interlocks ensure that the starting conditions are consistent wi th the safety analysis, before preventive or mitigating actions occur. Because these permissives or interlocks are only one of
multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy, (i.e., the value indicated is sufficiently close to the nece ssary value to ensure proper operation of the safety systems to turn the AOO).
INSERT 3 The Allowable Value specified in the SCP is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL CALIBRATION or CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the [NTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the channel ([NTSP]) will ensure that a SL is not exceeded at any given point of time as long as the channel has not drifted beyond that expected during the surveillance interval.
Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statist ical allowances of the uncertainty terms assigned (as-found criteria).
If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but a degraded condition has been identified. During the SR performance, the condition of the channel will be evaluated. This evaluation will consist of resetting the channel setpoint to the [NTSP] (within the allowed tolerance) and determining that the channel is performing as expected. At the completion of the SR, operations will confirm the SR results and determine the channel condition. If the channel is functioning as required and expected to pass the next surveillance, then the channel can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel's as-found setting will be entered into the Corrective Action Program for further evaluation.
If the channel is not performing as expec ted the channel is degraded because it may not pass its next surveillance test. If the channel setpoint cannot be reset to the [NTSP], it is inoperable.
6 6 6 10 10 A ttachment 1, Volume 8, Rev. 0, Page 230 of 517 A ttachment 1, Volume 8, Rev. 0, Page 230 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 60 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 60 of 111 within the as-found tolerance and is tolerances The degraded condition of the channel will be evaluated during performance of the SR.evaluating the channel response.
B 3.3.2 Insert Page B 3.3.2-6b INSERT 3 (continued)
A trip setpoint may be set more conservative than the [NTSP] as necessary in response to plant conditions. However, in this case, the operability of the instrument must be verified based on the [field setting] and not the NTSP. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.
If the actual setting of the channel is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable. This requires corrective action including those actions require d by 10 CFR 50.36 when automatic protection channels do not function as required.
6 10 6 A ttachment 1, Volume 8, Rev. 0, Page 231 of 517 A ttachment 1, Volume 8, Rev. 0, Page 231 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 61 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 61 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-5 Rev. 3.0, 03/31/04 BASES
BACKGROUND (continued)
Each SSPS train has a built in te sting device that can automatically test the decision logic matrix functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to
minimize testing time.
The actuation of ESF components is accomplished through master and
slave relays. The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and
applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay.
REVIEWERS NOTE------------------------------------------ No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.
APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO, for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. For example, Pressuri zer Pressure - Low is a primary actuation signal for small loss of co olant accidents (LOCAs) and a backup actuation signal for steam line br eaks (SLBs) outside containment. Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).
break 4 1 channel channel channels 1 channels 1 3 channels 10 10 10 A ttachment 1, Volume 8, Rev. 0, Page 228 of 517 A ttachment 1, Volume 8, Rev. 0, Page 228 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 62 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 62 of 111 stet stet implicitly 10 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-12 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
(2) Steam Line Pressure - High Differential Pressure Between Steam Lines Steam Line Pressure - High Differential Pressure Between
Steam Lines provides pr otection against the following accidents:
SLB, Feed line break, and Inadvertent opening of an SG relief or an SG safety valve. Steam Line Pressure - High Differential Pressure Between
Steam Lines provides no input to any control functions.
Thus, three OPERABLE channels on each steam line are sufficient to satisfy the requirements, with a two-out-of-three logic on each steam line.
With the transmitters typically located inside the steam tunnels, it is possible for them to experience adverse
environmental conditions during an SLB event. Therefore, the Trip Setpoint reflects both steady state and adverse environmental instrument uncertainties. Steam line high
differential pressure must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is not sufficient energy in the secondary side of the unit to cause an accident.
f, g. Safety Injection - High Steam Flow in Two Steam Lines Coincident With Tavg - Low Low or Coincident With Steam Line Pressure - Low These Functions (1.f and 1.g) provide protection against the
following accidents:
SLB, and the inadvertent opening of an SG relief or an SG safety valve. 5 [NTSP] 10 A ttachment 1, Volume 8, Rev. 0, Page 239 of 517 A ttachment 1, Volume 8, Rev. 0, Page 239 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 63 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 63 of 111 STET STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-14 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
With the transmitters typically located inside the containment (Tavg) or inside the steam tunnels (High Steam Flow), it is possible for them to experience adverse steady state
environmental conditions during an SLB event. Therefore, the Trip Setpoint reflects both steady state and adverse
environmental instrument uncertainties. The Steam Line Pressure - Low signal was discussed previously under Function 1.e.(1).
This Function must be OPERABLE in MODES 1, 2, and 3 (above P-12) when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). This signal may be manually blocked by the operator when below the P-12 setpoint. Above P-12, this Function is automatically unblocked. This Function is not required
OPERABLE below P-12 because the r eactor is not critical, so feed line break is not a concern. SLB may be addressed by Containment Pressure High 1 (inside containment) or by High Steam Flow in Two Steam Lines coincident with Steam Line
Pressure - Low, for Steam Line Isolation, followed by High Differential Pressure Between Two Steam Lines, for SI. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an accident.
- 2. Containment Spray Containment Spray provides three primary functions:
- 1. Lowers containment pressure and temperature after an HELB in containment,
- 2. Reduces the amount of radioactive iodine in the containment atmosphere, and
These functions are necessary to:
Ensure the pressure boundary integrity of the containment structure, a LOCA or main steam line break
- ; ; 5 1 2 2 2 [NTSP] 10 spray water and the 1 A ttachment 1, Volume 8, Rev. 0, Page 241 of 517 A ttachment 1, Volume 8, Rev. 0, Page 241 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 64 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 64 of 111 STET STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-18 Rev. 3.0, 03/31/04 All changes are 1 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
CCW is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers and air or oil coolers. All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE 4.
Manual Phase A Containment Isolation is accomplished by either of two switches in the control room. Either switch actuates both trains.
Note that manual actuation of Phase A Containment Isolation also actuates Containment Purge and Exhaust Isolation.
depressingpushbuttonpushbutton Ventilation The Phase B signal isolates CCW. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an SLB. For these events, forced circulation using the RCPs is no longer desirable. Isolating the CCW at the higher pressure does not pose a challenge to the containment boundary because the CCW
System is a closed loop inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the system is continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation
demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint. Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment.
Therefore, the combination of CCW System design and Phase B isolation ensures the CCW System is not a potential path for
radioactive release from containment.
Phase B containment isolation is actuated by Containment Pressure - High 3 or Containment Pressure - High High, or manually, via the
automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure - High 3 or Containment Pressure - High High, a large break LOCA or SLB must have occurred and containment spray must have been actuated. RCP operation will no longer be required and
CCW to the RCPs is, therefore, no longer necessary. The RCPs can be operated with seal injection flow alone and without CCW flow to the thermal barrier heat exchanger.
Manual Phase B Containment Isolation is accomplished by the same switches that actuate Containment Spray. When the two switches in either set are turned simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in both trains.
10 7 A ttachment 1, Volume 8, Rev. 0, Page 246 of 517 A ttachment 1, Volume 8, Rev. 0, Page 246 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 65 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 65 of 111 STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-23 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Steam Line Pressure - Low Function must be OPERABLE in MODES 1, 2, and 3 (above P-11), with any main steam valve open, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11 setpoint. Below P-11, an inside containment SLB will be terminated by automatic actuation via Containment Pressure - High 2. Stuck valve transients and outside containment SLBs will be terminated by the Steam Line Pressure - Negative Rate - High signal for Steam Line Isolation below P-11 when SI has been manually blocked. The Steam Line Isolation Functi on is required in MODES 2 and 3 unless all MSIVs are closed and [de-activated]. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insuffici ent energy in the secondary side of the unit to have an accident.
(2) Steam Line Pressure - Negative Rate - High Steam Line Pressure - Negative Rate - High provides closure of the MSIVs for an SLB when less than the P-11 setpoint, to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. When the operator manually blocks the Steam Line Pressure - Low main steam isolation signal
when less than the P-11 setpoint, the Steam Line Pressure -
Negative Rate - High signal is automatically enabled.
Steam Line Pressure - Negative Rate - High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy requirements with a two-
out-of-three logic on each steam line.
Steam Line Pressure - Negative Rate - High must be OPERABLE in MODE 3 when less than the P-11 setpoint, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). In MODES 1 and 2, and in MODE 3, when above the P-11 setpoint, this signal is automati cally disabled and the Steam Line Pressure - Low signal is automatically enabled. The 5 10 A ttachment 1, Volume 8, Rev. 0, Page 252 of 517 A ttachment 1, Volume 8, Rev. 0, Page 252 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 66 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 66 of 111 STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-24 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and [de-activated]. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to have an SLB or other accident that would result in a release of significant enough quantities of energy to cause a cooldown of the RCS.
While the transmitters may experience elevated ambient temperatures due to an SLB, the trip function is based on
rate of change, not the absolute accuracy of the indicated steam pressure. Therefore, the Trip Setpoint reflects only steady state instrument uncertainties.
e, f. Steam Line Isolation - High Steam Flow in Two Steam Lines Coincident with Tavg - Low Low or Coincident With Steam Line Pressure - Low (Three and Four Loop Units)
These Functions (4.e and 4.f) provide closure of the MSIVs
during an SLB or inadvertent opening of an SG relief or a safety valve, to maintain at least one unfaulted SG as a heat sink for the reactor and to limit the mass and energy release to containment.
These Functions were discussed previously as Functions 1.f.
and 1.g. These Functions must be OPERABLE in MODES 1 and 2, and in MODE 3, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines unless all MSIVs are closed and [de-activated]. These Functions are not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.
- g. Steam Line Isolation - High Steam Flow Coincident With Safety Injection and Coincident With Tavg - Low Low (Two Loop Units)
This Function provides closure of the MSIVs during an SLB or inadvertent opening of an SG relief or safety valve to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.
d 5 5 [NTSP] 10 10 10 10 A ttachment 1, Volume 8, Rev. 0, Page 253 of 517 A ttachment 1, Volume 8, Rev. 0, Page 253 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 67 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 67 of 111 STET STET STET STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-25 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Two steam line flow channels per steam line are required OPERABLE for this Function. These are combined in a one-out-of-two logic to indicate high steam flow in one steam line. The
steam flow transmitters provide control inputs, but the control
function cannot cause the events that the function must protect against. Therefore, two channels are sufficient to satisfy redundancy requirements. The one-out-of-two configuration allows online testing because trip of one high steam flow channel is not sufficient to cause initiation.
The High Steam Flow Al 25% of full steam flow at no load steam pressure. The Trip Setpoint is similarly calculated.
With the transmitters (d/p cells) typically located inside the steam tunnels, it is possible for them to experience adverse
environmental conditions during an SLB event. Therefore, the Trip Setpoints reflect both steady state and adverse environmental instrument uncertainties.
The main steam line isolates only if the high steam flow signal occurs coincident with an SI and low low RCS average temperature. The Main Steam Line Isolation Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.
Two channels of Tavg per loop are required to be OPERABLE.
The Tavg channels are combined in a logic such that two channels tripped cause a trip for the parameter. The accidents that this Function protects against cause reduction of Tavg in the entire primary system.
Therefore, the provision of two OPERABLE channels per loop in a two-out-of-four configuration ensures no single random failure disables the T avg - Low Low Function. The Tavg channels provide control inputs, but the control function cannot initiate events that the Function acts to mitigate. Therefore, additional channels are not required to
address control protection interaction issues.
With the Tavg resistance temperature detectors (RTDs) located inside the containment, it is possible for them to experience
adverse environmental conditions during an SLB event.
Therefore, the Trip Setpoint reflects both steady state and adverse environmental instrumental uncertainties.
normal All changes are unless otherwise noted 1 INSERT 8 [NTSP] [NTSP] However, the channel statistical allowance calculation does not consider any environmental allowance as part of the instrument uncertainty, since the function is assumed to be performed prior to the time that adverse conditions can affect the Function.
10 10 11 a 8 8 s A ttachment 1, Volume 8, Rev. 0, Page 254 of 517 A ttachment 1, Volume 8, Rev. 0, Page 254 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 68 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 68 of 111 STET STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-32 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) sensed by any one of the switches will cause the emergency supply of water for both pumps to be aligned, or cause the AFW pumps to stop until the emergency source of water is aligned.
ESW (safety grade) is then lined up to supply the AFW pumps to
ensure an adequate supply of water for the AFW System to maintain at least one of the SGs as the heat sink for reactor decay heat and sensible heat removal.
Since the detectors are located in an area not affected by HELBs or high radiation, they will not experience any adverse
environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties.
This Function must be OPERABLE in MODES 1, 2, and 3 to ensure a safety grade supply of water for the AFW System to maintain the SGs as the heat sink for the reactor. This Function does not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW automatic suction transfer does not need to be OPERABLE because RHR
will already be in operation, or sufficient time is available to place RHR in operation, to remove decay heat.
- 7. Automatic Switchover to Containment Sump At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. The low head residual heat removal (RHR) pumps and containment spray
pumps draw the water from the containment recirculation sump, the RHR pumps pump the water through the RHR heat exchanger, inject the water back into the RCS, and supply the cooled water to the other ECCS pumps. Switchover from the RWST to the containment sump must occur before the RWST empties to prevent damage to the RHR pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in
the containment sump to support ESF pump suction. Furthermore, early switchover must not occur to ensure that sufficient borated water is injected from the RWST. This ensures the reactor remains shut down in the recirculation mode. INSERT 12 All changes are unless otherwise noted 1 5 [NTSP] 10 5 A ttachment 1, Volume 8, Rev. 0, Page 265 of 517 A ttachment 1, Volume 8, Rev. 0, Page 265 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 69 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 69 of 111 STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-33 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
b, c. Automatic Switchover to Containment Sump - Refueling Water Storage Tank (RWST) Level - Low Low Coincident With Safety Injection and Coincident With Containment Sump Level - High During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low low level in the RWST coincident with an SI signal prov ides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The RWST is equipped with four level transmitters. These transmitters provide no control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for
increased reliability.
The RWST - Low Low Allowable Value/Trip Setpoint has both upper and lower limits. The lower limit is selected to ensure switchover occurs before the RWST empties, to prevent ECCS pump damage. The upper limit is selected to ensure enough borated water is injected to ensure the reactor remains shut
down. The high limit also ensur es adequate water inventory in the containment sump to provide ECCS pump suction.
The transmitters are located in an area not affected by HELBs or post accident high radiation. Thus, they will not experience any
adverse environmental conditions and the Trip Setpoint reflects
only steady state instrument uncertainties.
Automatic switchover occurs only if the RWST low low level signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempting to take suction from an empty sump. The automatic swit chover Function requirements for the SI Functions are the same as the requirements for their SI
function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.
5 [NTSP] 10 A ttachment 1, Volume 8, Rev. 0, Page 268 of 517 A ttachment 1, Volume 8, Rev. 0, Page 268 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 70 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 70 of 111 STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-34 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
REVIEWERS NOTE------------------------------- In some units, additional protection from spurious switchover is provided by requiring a Containment Sump Level - High signal as well as RWST Level - Low Low and SI. This ensures sufficient water is available in containment to support the recirculation phase of the accident. A Containment Sump Level - High signal must be present, in addition to the SI signal and the RWST Level - Low Low signal, to transfer the suctions of the RHR pumps to the containment sump. The containment sump is equipped with four level transmitters.
These transmitters provide no control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability. The containment sump level Trip Setpoint/Allowable Value is selected to ensure enough borated water is injected to ensure the reactor remains
shut down. The high limit also ensures adequate water inventory in the containment sump to provide ECCS pum p suction. The transmitters are located inside containment and thus possibly experience adverse environmental conditions. Therefore, the trip setpoint reflects the inclusion of both steady state and envi ronmental instrument uncertainties.
Units only have one of the Functions, 7.b or 7.c. --------------------------------------------------------------------------------------------------
These Functions must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 5 and 6
because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps, and other equipment to mitigate the consequences of an
abnormal condition or accident. System pressure and temperature are very low and many ESF components are
administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
- 8. Engineered Safety Feature Actuation System Interlocks To allow some flexibility in unit operations, several interlocks are included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent some actions from occurring, and cause other actions to occur. The
interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety
analyses.
an is s 4 5 1 [NTSP] 10 A ttachment 1, Volume 8, Rev. 0, Page 269 of 517 A ttachment 1, Volume 8, Rev. 0, Page 269 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 71 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 71 of 111 STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-36 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with which to associate a Trip Setpoint and Allowable Value.
This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because the main turbine, the MFW System, and the Steam
Dump System are not in operation.
- b. Engineered Safety Feature Actuation System Interlocks -
Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and
depressurization without actuation of SI or main steam line isolation. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure -
Low steam line isolation signal (previously discussed). When the
Steam Line Pressure - Low steam line isolation signal is manually blocked, a main steam isolation signal on Steam Line Pressure - Negative Rate - High is enabled. This provides
protection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure - Low steam line isolation signal are automatically enabled.
The operator can also enable these trips by use of the respective manual reset buttons. When the Steam Line Pressure - Low steam line isolation signal is
enabled, the main steam isolation on Steam Line Pressure - Negative Rate - High is disabled. The Trip Setpoint reflects only steady state instrument uncertainties.
This Function must be OPERABLE in MODES 1, 2, and 3 to allow an orderly cooldown and depressurization of the unit without the actuation of SI or main steam isolation. This
Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves
to be met.
5 [NTSP] [NTSP] 10 10 A ttachment 1, Volume 8, Rev. 0, Page 271 of 517 A ttachment 1, Volume 8, Rev. 0, Page 271 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 72 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 72 of 111 STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-38 Rev. 3.0, 03/31/04 BASES
ACTIONS (continued)
In the event a channel's Trip Setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument Loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.
When the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.
REVIEWERS NOTE------------------------------------------
Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.
A.1 Condition A applies to all ESFAS protection functions.
Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.
B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:
SI, Containment Spray, Phase A Isolation, and Phase B Isolation.
Containment
- ; and 4 2 2 5 5 [NTSP] 10 A ttachment 1, Volume 8, Rev. 0, Page 273 of 517 A ttachment 1, Volume 8, Rev. 0, Page 273 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 73 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 73 of 111 or the channel is not functioning as required, 10 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-50 Rev. 3.0, 03/31/04 BASES
SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.2.4 SR 3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. This test is performed every 92 days on a STAGGERED TEST BASIS. The time allowed for the testing (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) is justified in Reference 11. The Frequency of 92 days is justified in Reference 9.
SR 3.3.2.5 is the performance of a COT.
A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Setpoints must be found
within the Allowable Values specified in Table 3.3.1-1. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.
The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.
The "as found" and "as left" values must also be recorded and reviewed for consistency with the a ssumptions of Reference 6.
The Frequency of 184 days is justified in Reference 11.
10 4 5 5 5 10 10 in accordance with the SCP conservative with respect to the Allowable Values as controlled by the SCP The SCP establishes the necessary controls for properly maintaining the applicable ESFAS instrumentation channels.
Move SR 3.3.2.3 from page B 3.3.2-51 to here A ttachment 1, Volume 8, Rev. 0, Page 287 of 517 A ttachment 1, Volume 8, Rev. 0, Page 287 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 74 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 74 of 111 The test is performed in accordance with the SCP. If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded. The degraded condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the [NTSP] (within the allowed tolerance), and evaluating the channel response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
10 10 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-51 Rev. 3.0, 03/31/04 BASES
SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.2.6 SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is
verified in one of two ways. Actuation equipment that may be operated in the design mitigation MODE is either allowed to function, or is placed in a condition where the relay contact operation can be verified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation MODE is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay. This test is performed every [92] days. The Frequency is adequate, based on industry operating experience, c onsidering instrument reliability and operating history data.
SR 3.3.2.7 SR 3.3.2.7 is the performance of a TADOT every [92] days. This test is a check of the Loss of Offsite Power, Undervoltage RCP, and AFW Pump Suction Transfer on Suction Pressure - Low Functions. Each Function is tested up to, and including, the master transfer relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This
clarifies what is an acceptable TADO T of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.
The test also includes trip devices that provide actuation signals directly to the SSPS. The SR is modified by a Note that excludes verification of setpoints for relays. Relay setpoints require elaborate bench calibration and are verified during CHANNEL CALIBRATION. The Frequency is adequate. It is based on industry operating experience, considering instrument reliability and operating history data.
3 5 5 5 6 1 channels 10 Move to previous page before SR 3.3.2.4 A ttachment 1, Volume 8, Rev. 0, Page 288 of 517 A ttachment 1, Volume 8, Rev. 0, Page 288 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 75 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 75 of 111 STET Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-52 Rev. 3.0, 03/31/04 BASES
SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.2.8 SR 3.3.2.8 is the performance of a TADOT. This test is a check of the Manual Actuation Functions and AFW pump start on trip of all MFW
pumps. It is performed every [18] months. Each Manual Actuation Function is tested up to, and including, the master relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Frequency is adequate, based on industry operating experience and is consistent with the typical refueling cycle. The SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation Functions. The manual initiation Functions have no associated setpoints.
SR 3.3.2.9 SR 3.3.2.9 is the performance of a CHANNEL CALIBRATION.
A CHANNEL CALIBRATION is per formed every [18] months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter within the necessary range and accuracy.
CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology. The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology.
The Frequency of [18] months is based on the assumption of an
[18] month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.
This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values
where applicable.
5 6 5 5 6 5 5 6 6 SCP. The SCP establishes the necessary controls for properly maintaining the applicable ESFAS instrumentation channels.
10 in accordance 10 A ttachment 1, Volume 8, Rev. 0, Page 289 of 517 A ttachment 1, Volume 8, Rev. 0, Page 289 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 76 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 76 of 111 INSERT for ISTS SR 3.3.2.8 INSERT for ISTS SR 3.3.2.9 10 10 INSERT for ISTS SR 3.3.2.8 The test is performed in accordance with the SCP. If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded. The degraded condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the [NTSP] (within the allowed tolerance), and evaluating the channel response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
INSERT for ISTS SR 3.3.2.9 The test is performed in accordance with the SCP. If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded. The degraded condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the [NTSP] (within the allowed tolerance), and evaluating the channel response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.
Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 77 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 77 of 111 10 10 Licensee Response/NRC Response/NRC Question Closure Id1921NRC Question Number KAB-063 Select Application NRC Question Closure Response Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation. Response Statement Question Closure Date 1/22/2010 Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/22/2010 8:45 AM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/09/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1921 Licensee Response/NRC Response/NRC Question Closure Id2251NRC Question Number KAB-063 Select Application NRC Question Closure Response Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation. Response Statement Question Closure Date 2/19/2010 Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 2/19/2010 2:31 PM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/09/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=2251 ITS NRC Questions Id1521NRC Question Number KAB-064 Category Technical ITS Section 3.3 ITS Number 3.3.2 DOC Number JFD Number JFD Bases Number Page Number(s) 221-292 NRC Reviewer Supervisor Carl Schulten Technical Branch POC Add Name Conf Call Requested N NRC Question Pages 221 through 292 of Attachment 1, volume 8, are the proposed TS 3.3.2 Bases. Throughout the Bases there appear to be errors in the reference to the Bases justifications for deviations. Please correct these errors or provide an explanation of the changes.
Attach File 1 Attach File 2 Issue Date 1/20/2010 Added By Kristy Bucholtz Date Modified Modified By Date Added 1/20/2010 2:46 PM Notification NRC/LICENSEE Supervision Pa ge 1of 1 Kewaunee ITS Conversion Database 06/08/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1521 Licensee Response/NRC Response/NRC Question Closure Id1881NRC Question Number KAB-064 Select Application Licensee Response Response Date/Time 1/21/2010 12:55 PM Closure Statement Response Statement After further review, Kewaunee Power Station (KPS) has determined that the NRC reviewer is correct , in that there are errors in the annotated Bases JFDs. These identified e rrors will be corrected.
A draft markup regarding this change is attached.
This change will be re flected in the supplement to this section of the ITS conversion amendment.
Question Closure Date Attachment 1 KAB-064 Markup.pdf (3MB) Attachment 2 Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays
Ray Schiele Added By Robert Hanley Date Added 1/21/2010 12:58 PM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/09/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1881 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-1 Rev. 3.0, 03/31/04 B 3.3 INSTRUMENTATION
B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation
BASES BACKGROUND The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents.
The ESFAS instrumentation is segmented into three distinct but interconnected modules as identified below:
Field transmitters or process sensors and instrumentation: provide a measurable electronic signal based on the physical characteristics of the parameter being measured, Signal processing equipment including analog protection system, field contacts, and protection c hannel sets: provide signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system
devices, and control board/control room/miscellaneous indications, and Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdown or engineered safety feature (ESF) actuation in accordance with the defined logic and based on the bistable outputs from the signal process control and protection system.
The Allowable Value in conjunction with the trip setpoint and LCO establishes the threshold for ESFAS action to prevent exceeding acceptable limits such that the consequences of Design Basis Accidents (DBAs) will be acceptable. The Allowable Value is considered a limiting value such that a channel is O PERABLE if the setpoint is found not to exceed the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). Note that, although a channel is "OPERABLE" under these circumstances, the ESFAS setpoint must be left adjusted to within the established calibration tolerance band of the ESFAS setpoint in accordance with the uncertainty assumptions stated in the referenced setpoint methodology, (as-left criteria) and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.
1 . and two 3 2 2 INSERT 1 channels 10 10 10 A ttachment 1, Volume 8, Rev. 0, Page 221 of 517 A ttachment 1, Volume 8, Rev. 0, Page 221 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 82 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 82 of 111 3 3 B 3.3.2 Insert Page B 3.3.2-1c INSERT 1 (continued)
If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE.
However, a potential degraded condition has been identified. During the SR performance, the condition of the channel will be evaluated. This evaluation will consist of resetting the channel setpoint to the [LTSP] (within the allowed tolerance), and the
channel's response evaluated. If the channel is functioning as required and expected to pass the next surveillance, then the channel can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel's as-found setting will be entered into the Corrective Action Program for further evaluation. If any of the above-described evaluations determine that the channel is not performing as expected the channel is degraded because it may not pass its next surveillance test. If the channel setpoint can not be reset to the [LTSP], it is inoperable.
If the actual setting of the channel is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable. This requires corrective action including those actions require d by 10 CFR 50.36 when automatic protection channels do not function as required.
During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:
- 1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB),
- 2. Fuel centerline melt shall not occur, and
Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 criteria during AOOs.
Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident categories are allowed a different fraction of these limits, based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However the acceptable dose limit for an accident category and their associated [NTSPs] are not considered to be LSSS as defined in 10 CFR 50.36.
6 10 6 6 50.67 1 1 A ttachment 1, Volume 8, Rev. 0, Page 224 of 517 A ttachment 1, Volume 8, Rev. 0, Page 224 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 83 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 83 of 111
BACKGROUND (continued)
Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS). In some cases, the same channels also provide control system inputs. To account for calibration tolerances and instrument drift, which are
assumed to occur between calibration s, statistical allowances are provided in the Trip Setpoint and Allowable Values. The OPERABILITY
of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor, as related to the
channel behavior observed duri ng performance of the CHANNEL CHECK.
Signal Processing Equipment Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. These setpoints are defined in FSAR, Chapter [6] (Ref. 1), Chapter [7] (Ref. 2), and Chapter [15] (Ref. 3). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.
Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic. All changes are unless otherwise noted 1 six Protection P logic relay cabinets 3 U 14 ESF logic relays ESF logic relays 6 [NTSP] [NTSPs] [NTSPs] 10 10 10 A ttachment 1, Volume 8, Rev. 0, Page 225 of 517 A ttachment 1, Volume 8, Rev. 0, Page 225 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 84 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 84 of 111 6
Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-3 Rev. 3.0, 03/31/04 BASES
BACKGROUND (continued)
Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.
These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in
Reference 2.
Allowable Values and ESFAS Setpoints The trip setpoints used in the bistabl es are based on the analytical limits stated in Reference 2. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instru ment drift, and severe environment errors for those ESFAS channels that must function in harsh
environments as defined by 10 CFR 50.49 (Ref. 5), the Allowable Values specified in Table 3.3.2-1 in the acco mpanying LCO are conservative with respect to the analytical limits. A detailed description of the methodology used to calculate the Allowable Values and ESFAS setpoints including their explicit uncertainties, is provided in the plant
specific setpoint methodology study (Ref.
- 6) which incorporates all of the known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each ESFAS setpoint and corresponding Allowable Value. The nominal ESFAS setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account fo r measurement errors detectable by the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.
The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS setpoint value ensures the safety analysis limits are met for the surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" setpoint value is within the band for CHANNEL a protection function 1 3 1 analytical limits The as-left tolerance and as-found tolerance band methodology is provided in the SCP. [NTSP] [NTSP] is the value
[NTSPs] [NTSP] is the LSSS and
[NTSP] as-left tolerance
[NTSPs] 10 10 10 the SCP as-found trip setpoint A ttachment 1, Volume 8, Rev. 0, Page 226 of 517 A ttachment 1, Volume 8, Rev. 0, Page 226 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 85 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 85 of 111 9 6 6 6 6 6 6 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-4 Rev. 3.0, 03/31/04 BASES
BACKGROUND (continued)
CALIBRATION uncertainty allowance (i.e., calibration tolerance uncertainties). The ESFAS setpoint value is therefore considered a "nominal value" (i.e., expressed as a value without inequalities) for the purposes of the COT and CHANNEL CALIBRATION.
Setpoints adjusted consistent with the requirements of the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed.
Each channel can be tested on line to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements of Reference 2. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field
instrument signal. The process equip ment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.
Solid State Protection System
The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result.
Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.
The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.
The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via
master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.
3 +/- rack and comparator setting
[NTSP] [Nominal Trip Setpoints] in conjunction with the use of as-found and as-left tolerances together Note that the Allowable Values listed in the SCP are the least conservative value of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION, COT, or a TADOT that re quires tri p set point verification.
10 the SCP provided 8 A ttachment 1, Volume 8, Rev. 0, Page 227 of 517 A ttachment 1, Volume 8, Rev. 0, Page 227 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 86 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 86 of 111 6 6 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-5 Rev. 3.0, 03/31/04 BASES
BACKGROUND (continued)
Each SSPS train has a built in te sting device that can automatically test the decision logic matrix functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to
minimize testing time.
The actuation of ESF components is accomplished through master and
slave relays. The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and
applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay.
REVIEWERS NOTE------------------------------------------ No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.
APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO, for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. For example, Pressuri zer Pressure - Low is a primary actuation signal for small loss of co olant accidents (LOCAs) and a backup actuation signal for steam line br eaks (SLBs) outside containment. Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).
break 4 1 channel channel channels 1 channels 1 3 channels 10 10 10 A ttachment 1, Volume 8, Rev. 0, Page 228 of 517 A ttachment 1, Volume 8, Rev. 0, Page 228 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 87 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 87 of 111 5 3 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-9 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent
overpressurization of unit systems.
- c. Safety Injection - Containment Pressure - High 1 This signal provides protection against the following accidents:
SLB inside containment, LOCA, and Feed line break inside containment.
Containment Pressure - High 1 provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic. The transmitters (d/p cells) and electronics are located outside of
containment with the sensing line (high pressure side of the
transmitter) located inside containment.
Thus, the high pressure Function will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties.
Containment Pressure - High 1 must be OPERABLE in
MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary systems to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary or secondary systems to pressurize the
containment.
- d. Safety Injection - Pressurizer Pressure - Low This signal provides protection against the following accidents:
Inadvertent opening of a steam generator (SG) relief or safety valve, SLB, ; and INSERT 4 ; . All changes are unless otherwise noted 1 2 2 2 [NTSP] 10 A ttachment 1, Volume 8, Rev. 0, Page 234 of 517 A ttachment 1, Volume 8, Rev. 0, Page 234 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 88 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 88 of 111 and Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-10 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
A spectrum of rod cluster control assembly ejection accidents (rod ejection), Inadvertent opening of a pressurizer relief or safety valve, LOCAs, and SG Tube Rupture.
At some units pressurizer pressure provides both control and protection functions: input to the Pressurizer Pressure Control System, reactor trip, and SI. Therefore, the actuation logic must be able to withstand both an input failure to control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required
to satisfy the requirements with a two-out-of-four logic. For units that have dedicated protection and control channels, only three protection channels are necessary to satisfy the protective requirements.
The transmitters are located inside containment, with the taps in the vapor space region of the pressurizer, and thus possibly
experiencing adverse environmental conditions (LOCA, SLB inside containment, rod ejection). Therefore, the Trip Setpoint reflects the inclusion of both steady state and adverse environmental instrument uncertainties.
This Function must be OPERABLE in MODES 1, 2, and 3 (above P-11) to mitigate the consequences of an HELB inside containment. This signal may be manually blocked by the operator below the P-11 setpoint. Automatic SI actuation below
this pressure setpoint is then performed by the Containment Pressure - High 1 signal.
This Function is not required to be OPERABLE in MODE 3 below the P-11 setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF systems in this MODE.
In MODES 4, 5, and 6, this Functi on is not needed for accident detection and mitigation. three , with pressurizer pressure greater than or equal to 2000 psig, when pressurizer pressure is less than 2000 psig when pressurizer pressure is less than 2000 psig
- ; ; 2 2 2 All changes are unless otherwise noted 1 [NTSP] 10 a LOCA or SLB accident A ttachment 1, Volume 8, Rev. 0, Page 236 of 517 A ttachment 1, Volume 8, Rev. 0, Page 236 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 89 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 89 of 111 6
Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-11 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
- e. Safety Injection - Steam Line Pressure (1) Steam Line Pressure - Low Steam Line Pressure - Low provides protection against the
following accidents:
SLB, Feed line break, and Inadvertent opening of an SG relief or an SG safety valve. Steam Line Pressure - Low provides no input to any control functions. Thus, three OPERABLE channels on each steam line are sufficient to satisfy the protective requirements with a two-out-of-three logic on each steam line.
With the transmitters typically located inside the steam tunnels, it is possible for them to experience adverse
environmental conditions duri ng a secondary side break. Therefore, the Trip Setpoint reflects both steady state and adverse environmental instrument uncertainties.
This Function is anticipatory in nature and has a typical
lead/lag ratio of 50/5.
Steam Line Pressure - Low must be OPERABLE in MODES 1, 2, and 3 (above P-11) when a secondary side break or stuck open valve c ould result in the rapid depressurization of the steam lines. This signal may be
manually blocked by the operator below the P-11 setpoint. Below P-11, feed line break is not a concern. Inside containment SLB will be terminated by automatic SI actuation via Containment Pressure - High 1, and outside
containment SLB will be terminated by the Steam Line Pressure - Negative Rate - High signal for steam line isolation. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an accident. in close proximity to the main steam lines INSERT 5 , with pressurizer pressure greater than or equal to 2000 psig, when pressurizer pressure is less than 2000 psig When pressurizer pressure is less than 2000 psig The steam line break event will be terminated by the SI signal actuation due to the coincidence of Hi-Hi steam flow and Lo-Lo steam pressure.
normal and 8 All changes are unless otherwise noted 1 [NTSP] 10 12/2 A ttachment 1, Volume 8, Rev. 0, Page 237 of 517 A ttachment 1, Volume 8, Rev. 0, Page 237 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 90 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 90 of 111 6
Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-16 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Manual and automatic initiation of containment spray must be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident to occur, and sufficient energy in the primary or secondary systems to pose a threat to containment integrity due to overpressure conditions. Manual initiation is also required in MODE 4, even though automatic actuation is not required. In this MODE, adequate time is av ailable to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a containment
spray, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary and secondary systems to result in containment overpressure. In MODES 5 and 6, there is also adequate time
for the operators to evaluate unit conditions and respond, to mitigate the consequences of abnormal conditions by manually starting individual components.
- c. Containment Spray - Containment Pressure This signal provides protection agai nst a LOCA or an SLB inside containment. The transmitters (d/p cells) are located outside of containment with the sensing line (high pressure side of the
transmitter) located inside containment. The transmitters and electronics are located outside of containment. Thus, they will not experience any adverse env ironmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties.
This is one of the only Functions that requires the bistable output to energize to perform its required action. It is not desirable to have a loss of power actuate containment spray, since the
consequences of an inadvertent actuation of containment spray could be serious. Note that this Function also has the inoperable channel placed in bypass rather than trip to decrease the probability of an inadvertent actuation.
Two different logic configurations are typically used. Three and
four loop units use four channels in a two-out-of-four logic configuration. This configuration may be called the Containment Pressure - High 3 Setpoint for three and four loop units, and - High High All changes are unless otherwise noted 1 [NTSP] 10 10 12 A ttachment 1, Volume 8, Rev. 0, Page 244 of 517 A ttachment 1, Volume 8, Rev. 0, Page 244 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 91 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 91 of 111 6
Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-17 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Containment Pressure - High High Setpoint for other units. Some two loop units use three sets of two channels, each set combined in a one-out-of-two configuration, with these outputs
combined so that two-out-of-three sets tripped initiates
containment spray. This configuration is called Containment Pressure - High 3 Setpoint. Since containment pressure is not used for control, both of these arrangements exceed the minimum redundancy requirements. Additional redundancy is warranted because this Function is energize to trip.
Containment Pressure - [High 3] [High High] must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary sides to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to pressurize the containment and reach the Containment Pressure
- High 3 (High High) setpoints.
- 3. Containment Isolation Containment Isolation provides isolation of the containment atmosphere, and all process systems that penetrate containment, from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a large break LOCA.
There are two separate Containment Isolation signals, Phase A and
Phase B. Phase A isolation isolates all automatically isolable process lines, except component cooli ng water (CCW), at a relatively low containment pressure indicative of primary or secondary system leaks. For these types of events, forced circulation cooling using the reactor coolant pumps (RCPs) and SGs is the preferred (but not required) method of decay heat removal. Since CCW is required to support RCP operation, not isolating CCW on the low pressure Phase A signal enhances unit safety by allowing operators to use forced RCS circulation to cool the unit. Isolating CCW on the low pressure signal may force the use of feed and bleed cooling, which
could prove more difficult to control.
Phase A containment isolation is actuated automatically by SI, or manually via the automatic actuation logic. All process lines penetrating containment, with the exception of CCW, are isolated.
s three 6 All changes are unless otherwise noted 1 7 systems required for accident mitigation A ttachment 1, Volume 8, Rev. 0, Page 245 of 517 A ttachment 1, Volume 8, Rev. 0, Page 245 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 92 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 92 of 111 5 5 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-18 Rev. 3.0, 03/31/04 All changes are 1 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
CCW is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers and air or oil coolers. All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE 4.
Manual Phase A Containment Isolation is accomplished by either of two switches in the control room. Either switch actuates both trains.
Note that manual actuation of Phase A Containment Isolation also actuates Containment Purge and Exhaust Isolation.
depressingpushbuttonpushbutton Ventilation The Phase B signal isolates CCW. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an SLB. For these events, forced circulation using the RCPs is no longer desirable. Isolating the CCW at the higher pressure does not pose a challenge to the containment boundary because the CCW
System is a closed loop inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the system is continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation
demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint. Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment.
Therefore, the combination of CCW System design and Phase B isolation ensures the CCW System is not a potential path for
radioactive release from containment.
Phase B containment isolation is actuated by Containment Pressure - High 3 or Containment Pressure - High High, or manually, via the
automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure - High 3 or Containment Pressure - High High, a large break LOCA or SLB must have occurred and containment spray must have been actuated. RCP operation will no longer be required and
CCW to the RCPs is, therefore, no longer necessary. The RCPs can be operated with seal injection flow alone and without CCW flow to the thermal barrier heat exchanger.
Manual Phase B Containment Isolation is accomplished by the same switches that actuate Containment Spray. When the two switches in either set are turned simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in both trains.
10 7 A ttachment 1, Volume 8, Rev. 0, Page 246 of 517 A ttachment 1, Volume 8, Rev. 0, Page 246 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 93 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 93 of 111 5 5 5 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-19 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
- a. Containment Isolation - Phase A Isolation (1) Phase A Isolation - Manual Initiation Manual Phase A Containment Isolation is actuated by either of two switches in the control room. Either switch actuates both trains. Note that manual initiation of Phase A Containment Isolation also actuates Containment Purge Isolation.
(2) Phase A Isolation - Automatic Actuation Logic and Actuation Relays Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.
Manual and automatic initiati on of Phase A Containment Isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. Manual initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a Phase A Containment Isolation, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase A Containment Isolation. There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.
(3) Phase A Isolation - Safety Injection Phase A Containment Isolation is also initiated by all Functions that initiate SI. The Phase A Containment Isolation requirements for these Functions are the same as
the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements. Manual Initiation depressing pushbutton Ventilation pushbutton b. Containment c. Containment All changes are unless otherwise noted 1 A ttachment 1, Volume 8, Rev. 0, Page 247 of 517 A ttachment 1, Volume 8, Rev. 0, Page 247 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 94 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 94 of 111 5 5 5 5 5 5 5 5 5 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-22 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
- c. Steam Line Isolation - Containment Pressure - High 2 This Function actuates closure of the MSIVs in the event of a
LOCA or an SLB inside containment to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass
and energy release to containment. The transmitters (d/p cells) are located outside containment with the sensing line (high pressure side of the transmitter) located inside containment. Containment Pressure - High 2 provides no input to any control functions. Thus, three OPERABLE channels are sufficient to
satisfy protective requirements with two-out-of-three logic. However, for enhanced reliability, this Function was designed with four channels and a two-out-of-four logic. The transmitters and electronics are located outs ide of containment. Thus, they will not experience any adverse environmental conditions, and the Trip Setpoint reflects only steady state instrument
uncertainties.
Containment Pressure - High 2 must be OPERABLE in
MODES 1, 2, and 3, when there is sufficient energy in the primary and secondary side to pressurize the containment following a pipe break. This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSIVs. The Steam Line Isolation Function remains OPERABLE in MODES 2 and 3 unless all MSIVs are closed and
[de-activated]. In MODES 4, 5, and 6, there is not enough energy in the primary and secondary sides to pressurize the
containment to the Containment Pressure - High 2 setpoint.
- d. Steam Line Isolation - Steam Line Pressure (1) Steam Line Pressure - Low Steam Line Pressure - Low provides closure of the MSIVs in the event of an SLB to maintain at least one unfaulted SG
as a heat sink for the reactor, and to limit the mass and energy release to containment. This Function provides
closure of the MSIVs in the event of a feed line break to
ensure a supply of steam for the turbine driven AFW pump.
Steam Line Pressure - Low was discussed previously under SI Function 1.e.1.
High-High High-High High-High 5 All changes are unless otherwise noted 1 6 [NTSP] High-High 10 10 10 A ttachment 1, Volume 8, Rev. 0, Page 251 of 517 A ttachment 1, Volume 8, Rev. 0, Page 251 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 95 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 95 of 111 5 STET 5 5 5 6 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-25 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Two steam line flow channels per steam line are required OPERABLE for this Function. These are combined in a one-out-of-two logic to indicate high steam flow in one steam line. The
steam flow transmitters provide control inputs, but the control
function cannot cause the events that the function must protect against. Therefore, two channels are sufficient to satisfy redundancy requirements. The one-out-of-two configuration allows online testing because trip of one high steam flow channel is not sufficient to cause initiation.
The High Steam Flow Al 25% of full steam flow at no load steam pressure. The Trip Setpoint is similarly calculated.
With the transmitters (d/p cells) typically located inside the steam tunnels, it is possible for them to experience adverse
environmental conditions during an SLB event. Therefore, the Trip Setpoints reflect both steady state and adverse environmental instrument uncertainties.
The main steam line isolates only if the high steam flow signal occurs coincident with an SI and low low RCS average temperature. The Main Steam Line Isolation Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.
Two channels of Tavg per loop are required to be OPERABLE.
The Tavg channels are combined in a logic such that two channels tripped cause a trip for the parameter. The accidents that this Function protects against cause reduction of Tavg in the entire primary system.
Therefore, the provision of two OPERABLE channels per loop in a two-out-of-four configuration ensures no single random failure disables the T avg - Low Low Function. The Tavg channels provide control inputs, but the control function cannot initiate events that the Function acts to mitigate. Therefore, additional channels are not required to
address control protection interaction issues.
With the Tavg resistance temperature detectors (RTDs) located inside the containment, it is possible for them to experience
adverse environmental conditions during an SLB event.
Therefore, the Trip Setpoint reflects both steady state and adverse environmental instrumental uncertainties.
normal All changes are unless otherwise noted 1 INSERT 8 [NTSP] [NTSP] However, the channel statistical allowance calculation does not consider any environmental allowance as part of the instrument uncertainty, since the function is assumed to be performed prior to the time that adverse conditions can affect the Function.
10 10 11 a 8 8 s A ttachment 1, Volume 8, Rev. 0, Page 254 of 517 A ttachment 1, Volume 8, Rev. 0, Page 254 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 96 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 96 of 111 STET STET 6 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-26 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
This Function must be OPERABLE in MODES 1 and 2, and in MODE 3, when above the P-12 setpoint, when a secondary side break or stuck open valve could result in rapid depressurization of the steam lines. Below P-12 this Function is not required to be OPERABLE because the High High Steam Flow coincident with SI Function provides the required protection. The Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and [de-activated].
This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insuffici ent energy in the secondary side of the unit to have an accident.
- h. Steam Line Isolation - High High Steam Flow Coincident With Safety Injection (Two Loop Units)
This Function provides closure of the MSIVs during a steam line break (or inadvertent opening of a relief or safety valve) to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.
Two steam line flow channels per steam line are required to be
OPERABLE for this Function. These are combined in a one-out-of-two logic to indicate high steam flow in one steam line. The steam flow transmitters provide control inputs, but the control
function cannot cause the events that the Function must protect against. Therefore, two channels are sufficient to satisfy
redundancy requirements.
The Allowable Value for high steam flow is a to 130% of full steam flow at full steam pressure. The Trip
Setpoint is similarly calculated.
With the transmitters typically located inside the steam tunnels, it is possible for them to experience adverse environmental conditions during an SLB event. Therefore, the Trip Setpoint reflects both steady state and adverse environmental instrument uncertainties.
The main steam lines isolate only if the high steam flow signal occurs coincident with an SI signal. The Main Steam Line Isolation Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements. , high- high- normal e All changes are unless otherwise noted 1 6 5 INSERT 9 [NTSP] 10 11 A ttachment 1, Volume 8, Rev. 0, Page 256 of 517 A ttachment 1, Volume 8, Rev. 0, Page 256 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 97 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 97 of 111 STET 6 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-28 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
- b. Turbine Trip and Feedwater Isolation - Steam Generator Water Level - High High (P-14)
This signal provides protection against excessive feedwater flow. The ESFAS SG water level instruments provide input to the SG Water Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system (which may then require the protection function actuation) and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required
to satisfy the requirements with a two-out-of-four logic. For units that have dedicated protection and control channels, only three protection channels are necessary to satisfy the protective requirements. For other units that have only three channels, a median signal selector is provided or justification is provided in NUREG-1218 (Ref. 7).
The transmitters (d/p cells) are located inside containment. However, the events that this Function protects against cannot cause a severe environment in containment. Therefore, the Trip
Setpoint reflects only steady state instrument uncertainties.
- c. Turbine Trip and Feedwater Isolation - Safety Injection Turbine Trip and Feedwater Isolation is also initiated by all Functions that initiate SI. The Feedwater Isolation Function requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead Function 1, SI, is referenced for all initiating functions and requirements.
Turbine Trip and Feedwater Isolation Functions must be OPERABLE in MODES 1 and 2 [and 3] except when all MFIVs, MFRVs, [and associated bypass valves] are closed and [de-activated] [or isolated by a closed manual valve] when the MFW System is in operation and
the turbine generator may be in operation. In MODES [3,] 4, 5, and 6, the MFW System and the turbi ne generator are not in service and this Function is not required to be OPERABLE. three normal environmental is 5 8 All changes are unless otherwise noted 1 5 6 6 6 6 [NTSP] 10 8 MODES The KPS logic design for this Function is justified in Reference 7. main feedwater isolation valves (MFIVs), main feedwater regulation valves (MFRVs)
A ttachment 1, Volume 8, Rev. 0, Page 259 of 517 A ttachment 1, Volume 8, Rev. 0, Page 259 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 98 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 98 of 111 5 6 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-30 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
With the transmitters (d/p cells) located inside containment and thus possibly experiencing adver se environmental conditions (feed line break), the Trip Setpoint reflects the inclusion of both steady state and adverse environmental instrument
uncertainties.
- d. Auxiliary Feedwater - Safety Injection An SI signal starts the motor driven and turbine driven AFW
pumps. The AFW initiation functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.
- e. Auxiliary Feedwater - Loss of Offsite Power A loss of offsite power to the se rvice buses will be accompanied by a loss of reactor coolant pumping power and the subsequent need for some method of decay heat removal. The loss of offsite power is detected by a voltage drop on each service bus. Loss
of power to either service bus will start the turbine driven AFW pumps to ensure that at least one SG contains enough water to serve as the heat sink for reac tor decay heat and sensible heat removal following the reactor trip.
Functions 6.a through 6.e must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor.
SG Water Level - Low Low in any operating SG will cause the motor driven AFW pumps to start. The sy stem is aligned so that upon a start of the pump, water immediately begins to flow to the SGs. SG
Water Level - Low Low in any two operating SGs will cause the turbine driven pumps to start. These Functions do not have to be
OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW actuation does not need to be OPERABLE because
either AFW or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to
manually place either system in operation.
normal INSERT 10 c. c both either All changes are unless otherwise noted 1 5 5 [NTSP] 10 A ttachment 1, Volume 8, Rev. 0, Page 261 of 517 A ttachment 1, Volume 8, Rev. 0, Page 261 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 99 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 99 of 111 5 6 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-36 Rev. 3.0, 03/31/04 BASES
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with which to associate a Trip Setpoint and Allowable Value.
This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because the main turbine, the MFW System, and the Steam
Dump System are not in operation.
- b. Engineered Safety Feature Actuation System Interlocks -
Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and
depressurization without actuation of SI or main steam line isolation. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure -
Low steam line isolation signal (previously discussed). When the
Steam Line Pressure - Low steam line isolation signal is manually blocked, a main steam isolation signal on Steam Line Pressure - Negative Rate - High is enabled. This provides
protection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure - Low steam line isolation signal are automatically enabled.
The operator can also enable these trips by use of the respective manual reset buttons. When the Steam Line Pressure - Low steam line isolation signal is
enabled, the main steam isolation on Steam Line Pressure - Negative Rate - High is disabled. The Trip Setpoint reflects only steady state instrument uncertainties.
This Function must be OPERABLE in MODES 1, 2, and 3 to allow an orderly cooldown and depressurization of the unit without the actuation of SI or main steam isolation. This
Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves
to be met.
5 [NTSP] [NTSP] 10 10 A ttachment 1, Volume 8, Rev. 0, Page 271 of 517 A ttachment 1, Volume 8, Rev. 0, Page 271 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 100 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 100 of 111 STET 6 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-38 Rev. 3.0, 03/31/04 BASES
ACTIONS (continued)
In the event a channel's Trip Setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument Loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.
When the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.
REVIEWERS NOTE------------------------------------------
Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.
A.1 Condition A applies to all ESFAS protection functions.
Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.
B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:
SI, Containment Spray, Phase A Isolation, and Phase B Isolation.
Containment
- ; and 4 2 2 5 5 [NTSP] 10 A ttachment 1, Volume 8, Rev. 0, Page 273 of 517 A ttachment 1, Volume 8, Rev. 0, Page 273 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 101 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 101 of 111 6
Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-40 Rev. 3.0, 03/31/04 BASES
ACTIONS (continued)
an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> total time) and in MODE 5 within an additional 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> (60 hours6.944444e-4 days <br />0.0167 hours <br />9.920635e-5 weeks <br />2.283e-5 months <br /> total time). The Completion Times are reasonable, based on operating experi ence, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
The Required Actions are modified by a Note that allows one train to be bypassed for up to [4] hours for surveillance testing, provided the other train is OPERABLE. This allowance is based on the reliability analysis assumption of WCAP-10271-P-A (Ref. 9) that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform train surveillance.
D.1, D.2.1, and D.2.2
Condition D applies to:
Containment Pressure - High 1, Pressurizer Pressure - Low (two, three, and four loop units), Steam Line Pressure - Low, Steam Line Differential Pressure - High, High Steam Flow in Two Steam Lines Coincident With Tavg - Low Low or Coincident With Steam Line Pressure - Low, Containment Pressure - High 2, Steam Line Pressure - Negative Rate - High, High Steam Flow Coincident With Safety Injection Coincident With Tavg - Low Low, High High Steam Flow Coincident With Safety Injection, High Steam Flow in Two Steam Lines Coincident With Tavg - Low Low, SG Water level - Low Low (two, three, and four loop units), and
[SG Water level - High High (P-14) (two, three, and four loop units). ]
- ; ; ; ; ; ; High-High Steam Line Isolation 1 6 5 2 5 2 2 5 5 5 2 5 5 5 5 2 2 2 A ttachment 1, Volume 8, Rev. 0, Page 275 of 517 A ttachment 1, Volume 8, Rev. 0, Page 275 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 102 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 102 of 111 6 1 1 1 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-41 Rev. 3.0, 03/31/04 BASES
ACTIONS (continued)
If one channel is inoperable, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are allowed to restore the channel to OPERABLE status or to place it in the tripped condition. Generally this Condition applies to functions that o perate on two-out-of-three logic. Therefore, failure of one channel places the Function in a two-out-of-two configuration. One channel must be tripped to place the Function in a
one-out-of-three configuration that sati sfies redundancy requirements. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to restore the channel to OPERABLE status or to place it in the tripped condition is justified in Reference 8.
Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requires the unit be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power
conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.
[ The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing of other channels. The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for testing, are justified in Reference 8. ]
REVIEWERS NOTE------------------------------------------
The below text should be used for pl ants with installed bypass test capability:
The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 8. --------------------------------------------------------------------------------------------------
E.1, E.2.1, and E.2.2
Condition E applies to:
Containment Spray Containment Pressure - High 3 (High, High) (two, three, and four loop units), and Containment Phase B Isolation Containment Pressure - High 3 (High, High). . - High High two (78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> total time) (84 hours9.722222e-4 days <br />0.0233 hours <br />1.388889e-4 weeks <br />3.1962e-5 months <br /> total time) 7 7 8 2 2 5 5 2 5 1 1 A ttachment 1, Volume 8, Rev. 0, Page 276 of 517 A ttachment 1, Volume 8, Rev. 0, Page 276 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 103 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 103 of 111 STET 6 6 4 5 1 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-42 Rev. 3.0, 03/31/04 BASES
ACTIONS (continued)
None of these signals has input to a control function. Thus, two-out-of-three logic is necessary to meet acceptable protective requirements. However, a two-out-of-three design would require tripping a failed channel. This is undesirable because a single failure would then cause spurious containment spray initiation. Spurious spray actuation is undesirable because of the cleanup problems presented. Therefore, these channels are designed with two-out-of-four logic so that a failed channel may be bypassed rather than tripped. Note that one channel may be bypassed and still satisfy the single failure criterion. Furthermore, with one channel bypassed, a single in strumentation channel failure will not spuriously initiate containment spray.
To avoid the inadvertent actuation of containment spray and Phase B
containment isolation, the inoperable channel should not be placed in the tripped condition. Instead it is bypassed. Restoring the channel to OPERABLE status, or placing the inoperable channel in the bypass condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, is sufficient to assure that the Function remains OPERABLE and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The Completion Time is further justified based on the low probability of an
event occurring during this interval. Failure to restore the inoperable channel to OPERABLE status, or place it in the bypassed condition within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, requires the unit be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the next 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
In MODE 4, these Functions are no longer required OPERABLE.
[ The Required Actions are modified by a Note that allows one additional channel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing.
Placing a second channel in the bypa ss condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for testing purposes is acceptable based on the results of Reference 8. ]
REVIEWERS NOTE------------------------------------------
The below text should be used for pl ants with installed bypass test capability:
The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 8. --------------------------------------------------------------------------------------------------
INSERT 13 INSERT 14 72 (78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> total time) 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (84 hours9.722222e-4 days <br />0.0233 hours <br />1.388889e-4 weeks <br />3.1962e-5 months <br /> total time) 1 1 12 7 8 5 tripped 12 trip 12 12 tripped 1 1 A ttachment 1, Volume 8, Rev. 0, Page 277 of 517 A ttachment 1, Volume 8, Rev. 0, Page 277 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 104 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 104 of 111 6 6 4 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-44 Rev. 3.0, 03/31/04 BASES
ACTIONS (continued)
The action addresses the train orientation of the SSPS and the master and slave relays for these functions. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed for restoring the inoperable train to OPERABLE status is justified in Reference 8. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be returned to OPERABLE status, the unit must be brought to MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE 4 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.
The Required Actions are modified by a Note that allows one train to be bypassed for up to [4] hours for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref. 9) assumption that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform channel surveillance.
[ H.1 and H.2
Condition H applies to the automatic ac tuation logic and actuation relays for the Turbine Trip and Feedwater Isolation Function.
This action addresses the train orientation of the SSPS and the master and slave relays for this Function. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status or the unit must be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed for restoring the inoperable train to OPERABLE status is justified in Reference 8. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating
experience, to reach MODE 3 from fu ll power conditions in an orderly manner and without challenging unit systems. These Functions are no longer required in MODE 3. Placing the unit in MODE 3 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit d oes not have analyzed transients or conditions that require the explicit use of the protection functions noted above. ESF relay logic (36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> total time) (30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> total time) 1 7 5 1 A ttachment 1, Volume 8, Rev. 0, Page 280 of 517 A ttachment 1, Volume 8, Rev. 0, Page 280 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 105 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 105 of 111 6
Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-45 Rev. 3.0, 03/31/04 BASES
ACTIONS (continued)
The Required Actions are modified by a Note that allows one train to be bypassed for up to [4] hours for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref. 9) assumption that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform channel surveillance. ]
I.1 and I.2
Condition I applies to:
[ SG Water Level - High High (P-14) (two, three, and four loop units), and ] Undervoltage Reactor Coolant Pump.
If one channel is inoperable, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are allowed to restore one channel to OPERABLE status or to place it in the tripped condition. If placed in the tripped condition, the Function is then in a partial trip condition where one-out-of-two or one-out-of-three logic will result in actuation. Failure to
restore the inoperable channel to OPERAB LE status or place it in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requires the unit to be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Time of 78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, these Functions are no longer required OPERABLE.
[ The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to [12] hours for surveillance testing of other channels. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition, and the 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for a second channel to be in the bypassed condition for testing, are justified in Reference 8. ]
REVIEWERS NOTE------------------------------------------
The below text should be used for pl ants with installed bypass test capability:
The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance
testing. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the
tripped condition, and the 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for a second channel to be in the bypassed condition for testing, are justified in Reference 8. --------------------------------------------------------------------------------------------------
H H (78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> total time) channels on the other bus 5 5 5 2 5 2 1 7 5 1 1 A ttachment 1, Volume 8, Rev. 0, Page 281 of 517 A ttachment 1, Volume 8, Rev. 0, Page 281 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 106 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 106 of 111 5 6 6 6 4 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-49 Rev. 3.0, 03/31/04 BASES
SURVEILLANCE REQUIREMENTS (continued)
Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and reliability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its
limit.
The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.
SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST. The
SSPS is tested every 92 days on a STAGGERED TEST BASIS, using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. In
addition, the master relay coil is pulse tested for continuity. This verifies that the logic modules are OPERABLE and that there is an intact voltage signal path to the master relay coils. The Frequency of every 92 days on a STAGGERED TEST BASIS is justified in Reference 11.
SR 3.3.2.3 SR 3.3.2.3 is the performance of an ACTUATION LOGIC TEST as described in SR 3.3.2.2, except that the semiautomatic tester is not used and the continuity check does not have to be performed, as explained in the Note. This SR is applied to the balance of plant actuation logic and relays that do not have the SSPS test circuits installed to utilize the semiautomatic tester or perform the continui ty check. This test is also performed every 31 days on a STAGGERED TEST BASIS. The Frequency is adequate based on industry operating experience, considering instrument reliability and operating history data.
ESF relay logic test 1 5 10 A ttachment 1, Volume 8, Rev. 0, Page 286 of 517 A ttachment 1, Volume 8, Rev. 0, Page 286 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 107 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 107 of 111 9
Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-50 Rev. 3.0, 03/31/04 BASES
SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.2.4 SR 3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. This test is performed every 92 days on a STAGGERED TEST BASIS. The time allowed for the testing (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) is justified in Reference 11. The Frequency of 92 days is justified in Reference 9.
SR 3.3.2.5 is the performance of a COT.
A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Setpoints must be found
within the Allowable Values specified in Table 3.3.1-1. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.
The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.
The "as found" and "as left" values must also be recorded and reviewed for consistency with the a ssumptions of Reference 6.
The Frequency of 184 days is justified in Reference 11.
10 4 5 5 5 10 10 in accordance with the SCP conservative with respect to the Allowable Values as controlled by the SCP The SCP establishes the necessary controls for properly maintaining the applicable ESFAS instrumentation channels.
Move SR 3.3.2.3 from page B 3.3.2-51 to here A ttachment 1, Volume 8, Rev. 0, Page 287 of 517 A ttachment 1, Volume 8, Rev. 0, Page 287 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 108 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 108 of 111 9
Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 WOG STS B 3.3.2-55 Rev. 3.0, 03/31/04 BASES REFERENCES 1. FSAR, Chapter [6].
- 2. FSAR, Chapter [7].
- 3. FSAR, Chapter [15]. 4. IEEE-279-1971.
- 5. 10 CFR 50.49.
- 6. Plant-specific setpoint methodology study.
- 7. NUREG-1218, April 1988.
- 8. WCAP-14333-P-A, Rev. 1, October 1998.
- 9. WCAP-10271-P-A, Supplement 2, Rev. 1, June 1990.
- 10. [Plant specific evaluation reference.]
- 11. WCAP-15376, Rev. 0. October 2000.
- 12. Technical Requirements Manual, Section 15, "Response Times." 13. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," January 1996.
- 14. WCAP-14036-P, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," December 1995.
14 U U 6 1 Letter from C. R. Steinhardt (WPSC) to NRC Document Control Desk, "Kewaunee Nuclear Power Plant Response to Generic Letter 89-19," dated March 19, 1990.
10 1 9 9 5 10 11. Regulatory Guide 1.105, "Setpoints for Safety Related Instrumentation," Revision 3. Technical Report EE-0116, Revision 5, "Allowable Values for North Anna Improved Technical Specifications (ITS) Table 3.3.1-1 and 3.3.2-1, Setting Limits for Surry Custom Technical Specifications (CTS), Sections 2.3 and 3.7, and Allowable Values for Kewaunee Power Station Improved Technical Specifications (ITS) Functions listed in Specification 5.5.16." A ttachment 1, Volume 8, Rev. 0, Page 292 of 517 A ttachment 1, Volume 8, Rev. 0, Page 292 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 109 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 109 of 111 1 9 JUSTIFICATION FOR DEVIATIONS ITS 3.3.2 BASES, ENGINEERED SAFETY FEATURE ACTUATION SYSTEM (ESFAS) INSTRUMENTATION Kewaunee Power Station Page 2 of 2 type of the information contained within the Bases. Allowable Values are typically found in a plant specific setpoint calculation or Setpoint Control Program document. At KPS, the Allowable Values for the Steam Line Isolation High Steam Flow and the High-High Steam Flow Functions will be contained and controlled in accordance with the Setpoint Control Program. In addition, the only ISTS ESFAS Functions that discuss the Allowable Values to this detail are those relative to steam flow as found in ISTS Functions 1.f, 1.g, 4.g, and 4.h. This change to not include the Allowable Value information in the ITS Bases is acceptable because
this type of information is not necessa ry to be retained in the Technical Specifications and is better suited to be retained and controlled in the Setpoint Control Program document.
- 12. Throughout the ISTS, in both the Specifications and the Bases, reference is made to placing a channel in bypass or bypassing an inoperable channel. KPS does not have the ability to place a channel in bypass or perform a bypass of an inoperable channel without performing a temporary alteration of the circuit. Since the installation of temporary alterations is intrusive, KPS has determined that this practice is unacceptable. Therefore, KPS does not have the ability place a channel in bypass or perform a bypass of an inoperable channel. As a result, when a channel is required to be placed in bypass or a bypass of an inoperable channel is required, the channel is placed in the trip condition. JFD 13 and JFD 14 of the Specifications address those cases where a Note or a Reviewer's Note makes reference to the allowance to bypass a channel.
- 13. Response Time testing has been deleted. See ITS 3.3.2 JFD 15 for justification for exclusion of Response Time testing.
A ttachment 1, Volume 8, Rev. 0, Page 294 of 517 A ttachment 1, Volume 8, Rev. 0, Page 294 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 110 of 111 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 110 of 111 This change is also consistent with changes made to the Specifications.
Licensee Response/NRC Response/NRC Question Closure Id1931NRC Question Number KAB-064 Select Application NRC Question Closure Response Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation. Response Statement Question Closure Date 1/22/2010 Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/22/2010 8:52 AM Modified By Date Modified Pa ge 1of 1 Kewaunee ITS Conversion Database 06/09/2010 htt p://www.excelservices.com/rai/index.
p h p?re q uestT ype=areaItemPrint&itemId=1931