ML100550501

From kanterella
Revision as of 03:12, 12 March 2020 by StriderTol (talk | contribs) (StriderTol Bot change)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Developmental Revision B - Technical Specifications Bases B 3.3 - Instrumentation
ML100550501
Person / Time
Site: Watts Bar Tennessee Valley Authority icon.png
Issue date: 02/02/2010
From:
Tennessee Valley Authority
To:
Office of Nuclear Reactor Regulation
References
Download: ML100550501 (176)


Text

RTS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Trip System (RTS) Instrumentation BASES BACKGROUND The RTS initiates a unit shutdown, based on the values of selected unit parameters, to protect against violating the core fuel design limits and Reactor Coolant System (RCS) pressure boundary during Anticipated Operational Occurrences (AOOs) and to assist the Engineered Safety Features (ESF) Systems in mitigating accidents.

The protection and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor system parameters and equipment performance.

Technical specifications are required by 10 CFR 50.36 to include LSSS for variables that have significant safety functions. LSSS are defined by the regulation as Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded. The Analytical Limit is the limit of the process variable at which a protective action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

(continued)

Watts Bar - Unit 2 B 3.3-1 (developmental) B

RTS Instrumentation B 3.3.1 BASES BACKGROUND The Nominal Trip Setpoint (NTSP) specified in Table 3.3.1-1 is a (continued) predetermined setting for a protection channel chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the NTSP accounts for uncertainties in setting the channel (e.g., calibration),

uncertainties in how the channel might actually perform (e.g.,

repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the NTSP ensures that SLs are not exceeded. Therefore, the NTSP meets the definition of an LSSS (Ref. 1).

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined is the Technical Specifications as being capable of performing its safety function(s). Relying solely on the NTSP to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the as-found value of a protection channel setting during a surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protection channel with a setting that has been found to be different from the NTSP due to some drift of the setting may still be OPERABLE since drift is to be expected.

This expected drift would have been specifically accounted for in the setpoint methodology for calculating the NTSP and thus the automatic protective action would still have ensured that the SL would not be exceeded with the as-found setting of the protection channel.

Therefore, the channel would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the channel within the established as-left tolerance around the NTSP to account for further drift during the next surveillance interval.

(continued)

Watts Bar - Unit 2 B 3.3-2 (developmental) B

RTS Instrumentation B 3.3.1 BASES BACKGROUND During AOOs, which are those events expected to occur one or more (continued) times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB);
2. Fuel centerline melt shall not occur; and
3. The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 20 and 10 CFR 100 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident categories are allowed a different fraction of these limits, based on probability of occurrence.

Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

The RTS instrumentation is segmented into four distinct but interconnected modules as illustrated in Figure 7.1-1, FSAR, Section 7 (Ref. 2), and as identified below:

1. Field transmitters or process sensors: provide a measurable electronic signal or contact actuation based upon the physical characteristics of the parameter being measured;
2. Signal Process Control and Protection System, including Process Protection System, Nuclear Instrumentation System (NIS), and field contacts: provides analog to digital conversion (Digital Protection System) signal conditioning, setpoint comparison, process algorithm actuation (Digital Protection System), compatible electrical signal output to protection system channels, and control board/control room/miscellaneous indications;
3. Solid State Protection System (SSPS), including input, logic, and output bays: initiates proper unit shutdown and/or ESF actuation in accordance with the defined logic, which is based on the bistable, setpoint comparators, or contact outputs from the signal process control and protection system; and (continued)

Watts Bar - Unit 2 B 3.3-3 (developmental) B

RTS Instrumentation B 3.3.1 BASES BACKGROUND 4. Reactor trip switchgear, including reactor trip breakers (RTBs) and (continued) bypass breakers: provides the means to interrupt power to the control rod drive mechanisms (CRDMs) and allows the rod cluster control assemblies (RCCAs), or "rods," to fall into the core and shut down the reactor. The bypass breakers allow testing of the RTBs at power.

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as five, field transmitters or sensors are used to measure unit parameters. To account for the calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the NTSP and Allowable Values.

The OPERABILITY of each transmitter or sensor is determined by either "as found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor as related to the channel behaviour observed furing performance of the CHANNEL CHECK.

Signal Process Control and Protection System Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning comparable output signals for instruments located on the main control board, and comparison of measured input signals with NTSPs derived from Analytical Limits established by the safety analyses. Analytical Limits are defined in Reference 6. If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable, setpoint comparator, or contact is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

(continued)

Watts Bar - Unit 2 B 3.3-4 (developmental) B

RTS Instrumentation B 3.3.1 BASES BACKGROUND Signal Process Control and Protection System (continued)

(continued)

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails, such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in Reference 2.

Two logic trains are required to ensure no single random failure of a logic train will disable the RTS. The logic trains are designed such that testing required while the reactor is at power may be accomplished without causing trip.

Allowable Values and Nominal Trip Setpoints The Trip Setpoints are the nominal values at which the bistables, setpoint comparators, or contact trip outputs are set. Any bistable or trip output is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy.

The Trip Setpoints used in the bistables, setpoint comparators, or contact trip outputs are based on the analytical limits stated in Reference 6. The calculation of the Nominal Trip Setpoints specified in Table 3.3.1-1 is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RTS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the Trip Setpoints specified in Table 3.3.1-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits.

(continued)

Watts Bar - Unit 2 B 3.3-5 (developmental) B

RTS Instrumentation B 3.3.1 BASES (continued)

BACKGROUND Allowable Values and Nominal Trip Setpoints (continued)

(continued)

A detailed description of the methodology used to calculate the Allowable Values and NTSP, including their explicit uncertainties, is provided in the "Setpoint Methodology for Watts Bar Unit 2" (Ref. 6). The as-left tolerance and as-found tolerance band methodology is provided in Reference 6. The magnitudes of these uncertainties are factored into the determination of each NTSP and corresponding Allowable Value. The trip setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for measurement errors detectable by the COT. The Allowable Value serves as the as-found Technical Specification OPERABILITY limit for the purpose of the COT. The Source Range and Intermediate Range Neutron detector setpoints are based on the requirements and recommendations of ISA 67.04 (Reference 10).

The NTSP is the value at which the bistable is set and is the expected value to be achieved during calibration. The NTSP value is the LSSS and ensures the safety analysis limits are met for the surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the as-left NTSP value is within the as-left tolerance band for CHANNEL CALIBRATION uncertainty allowance (i.e., + rack calibration and comparator setting uncertainties). The NTSP value is therefore considered a nominal value (i.e., expressed as a value without inequalities) for the purposes of COT and CHANNEL CALIBRATION.

Allowable Values and Nominal Trip Setpoints (continued)

Nominal Trip Setpoints, in conjunction with the use of as-found and as-left tolerances, together with the requirements of the Allowable Value ensure that SLs are not violated during AOOs (and that the consequences of DBAs will be acceptable, providing the unit is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions are designed). Each channel of the process control equipment can be tested on line to verify that the signal or setpoint accuracy is within the specified allowance requirements of Reference 2. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SRs section.

(continued)

Watts Bar - Unit 2 B 3.3-6 (developmental) B

RTS Instrumentation B 3.3.1 BASES (continued)

BACKGROUND Note that the Allowable Values listed in Table 3.3.1-1 are the least (continued) conservative value of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION, CHANNEL OPERATIONAL TESTS, or a TRIP ACTUATING DEVICE OPERATIONAL TEST that requires trip setpoint verification. The Process Protection System is designed to permit any one channel to be tested and maintained at power in a bypassed mode. If a channel has been bypassed for any purpose, the bypass is continuously indicated in the control room.

The NTSP and Allowable Values listed in Table 3.3.1-1 are based on the methodology described in References 6 and 10, which incorporates all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each Trip Setpoint. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes.

Solid State Protection System The SSPS equipment is used for the decision logic processing of setpoint comparator trip outputs, contact outputs, and bistable outputs from the signal processing equipment. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide reactor trip and/or ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result.

Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements. The system has been designed to trip in the event of a loss of power, directing the unit to a safe shutdown condition.

The SSPS performs the decision logic for actuating a reactor trip or ESF actuation, generates the electrical output signal that will initiate the required trip or actuation, and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The setpoint comparator trip outputs, contact outputs and bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various unit upset and accident transients. If a required logic matrix combination is completed, the system will initiate a reactor trip and/or send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

(continued)

Watts Bar - Unit 2 B 3.3-7 (developmental) B

RTS Instrumentation B 3.3.1 BASES (continued)

BACKGROUND Reactor Trip Switchgear (continued)

The RTBs are in the electrical power supply line from the control rod drive motor generator set power supply to the CRDMs. Opening of the RTBs interrupts power to the CRDMs, which allows the shutdown rods and control rods to fall into the core by gravity. Each RTB is equipped with a bypass breaker to allow testing of the RTB while the unit is at power.

During normal operation the output from the SSPS is a voltage signal that energizes the undervoltage coils in the RTBs and bypass breakers, if in use. When the required logic matrix combination is completed, the SSPS output voltage signal is removed, the undervoltage coils are de-energized, the breaker trip lever is actuated by the de-energized undervoltage coil, and the RTBs and bypass breakers are tripped open.

This allows the shutdown rods and control rods to fall into the core. In addition to the de-energization of the undervoltage coils, each breaker is also equipped with a shunt trip device that is energized to trip the breaker open upon receipt of a reactor trip signal from the SSPS. Either the undervoltage coil or the shunt trip mechanism is sufficient by itself, thus providing a diverse trip mechanism.

The decision logic matrix Functions are described in the functional diagrams included in Reference 2. In addition to the reactor trip or ESF, these diagrams also describe the various "permissive interlocks" that are associated with unit conditions. Each train has a built in testing device that can automatically test the decision logic matrix Functions and the actuation channels while the unit is at power.

When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

(continued)

Watts Bar - Unit 2 B 3.3-8 (developmental) B

RTS Instrumentation B 3.3.1 BASES (continued)

APPLICABLE The RTS functions to preserve the SLs during all AOOs and mitigates the SAFETY consequences of DBAs in all MODES in which the Rod Control System is ANALYSES, capable of rod withdrawal or one or more rods are not fully inserted.

LCO, and APPLICABILITY Each of the analyzed accidents and transients can be detected by one or more RTS Functions. The accident analysis described in Reference 3 takes credit for most RTS trip functions. RTS trip functions that are retained yet not specifically credited in the accident analysis are implicitly credited in the safety analysis and the NRC staff approved licensing basis for the unit. These RTS trip Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. They may also serve as backups to RTS trip Functions that were credited in the accident analysis.

Permissive and interlock setpoints allow the blocking of trips during plant startups, and restoration of trips when the permissive conditions are not satisfied, but they are not explicitly modeled in the Safety Analyses.

These permissives and interlocks ensure that the starting conditions are consistent with the safety analysis, before preventive or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy.

The LCO requires all instrumentation performing an RTS Function, listed in Table 3.3.1-1 to be OPERABLE. The Allowable Value specified in Table 3.3.1-1 is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is within the as-found tolerance and is conservative with the respect to the Allowable Value during a CHANNEL CALIBRATION or CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the NTSP by an amount greater than or equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the channel (NTSP) will ensure that a SL is not exceeded at any given point of the time as long as the channel has not drifted beyond expected tolerances during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

(continued)

Watts Bar - Unit 2 B 3.3-9 (developmental) B

RTS Instrumentation B 3.3.1 BASES (continued)

APPLICABLE If the actual setting of the channel is found to be conservative with SAFETY respect to the Allowable Value but is beyond the as-found tolerance band, ANALYSES, the channel is OPERABLE but degraded. The degraded condition of the LCO, and channel will be further evaluated during performance of the SR. This APPLICABILITY evaluation will consist of resetting the channel setpoint to the NTSP (continued) (within the allowed tolerance), and evaluating the channel response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A trip setpoint may be set more conservative than the NTSP as necessary in response to plant conditions. However, in this case, the operability of this instrument must be verified based on the field setting and not the NTSP. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

The LCO generally requires OPERABILITY of four or three channels in each instrumentation Function, two channels of Manual Reactor Trip in each logic Function, and two trains in each Automatic Trip Logic Function.

Four OPERABLE instrumentation channels in a two-out-of-four configuration are required when one RTS channel is also used as a control system input. This configuration accounts for the possibility of the shared channel failing in such a manner that it creates a transient that requires RTS action. In this case, the RTS will still provide protection, even with random failure of one of the other three protection channels.

Three operable instrumentation channels in a two-out-of-three configuration are generally required when there is no potential for control system and protection system interaction that could simultaneously create a need for RTS trip and disable one RTS channel. The two-out-of-three and two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing a reactor trip. Specific exceptions to the above general philosophy exist and are discussed below.

(continued)

Watts Bar - Unit 2 B 3.3-10 (developmental) B

RTS Instrumentation B 3.3.1 BASES APPLICABLE Reactor Trip System Functions SAFETY ANALYSES, The safety analyses and OPERABILITY requirements applicable to each LCO, and RTS Function are discussed below:

APPLICABILITY (continued) 1. Manual Reactor Trip The Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either of two reactor trip switches in the control room. A Manual Reactor Trip accomplishes the same results as any one of the automatic trip Functions. It is used by the reactor operator to shut down the reactor whenever any parameter is rapidly trending toward its Trip Setpoint.

The LCO requires two Manual Reactor Trip channels to be OPERABLE. Each channel is controlled by a manual reactor trip switch. Each channel actuates the reactor trip breakers in both trains. Two independent channels are required to be OPERABLE so that no single random failure will disable the Manual Reactor Trip Function.

In MODE 1 or 2, manual initiation of a reactor trip must be OPERABLE. These are the MODES in which the shutdown rods and/or control rods are partially or fully withdrawn from the core. In MODE 3, 4, or 5, the manual initiation Function must also be OPERABLE if the shutdown rods or control rods are withdrawn or the Control Rod Drive (CRD) System is capable of withdrawing the shutdown rods or the control rods. In this condition, inadvertent control rod withdrawal is possible. In MODE 3, 4, or 5, manual initiation of a reactor trip does not have to be OPERABLE if the CRD System is not capable of withdrawing the shutdown rods or control rods. If the rods cannot be withdrawn from the core, there is no need to be able to trip the reactor because all of the rods are inserted. In MODE 6, neither the shutdown rods nor the control rods are permitted to be withdrawn and the CRDMs are disconnected from the control rods and shutdown rods. Therefore, the manual initiation Function is not required.

(continued)

Watts Bar - Unit 2 B 3.3-11 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE 2. Power Range Neutron SAFETY ANALYSES, The NIS power range detectors are located external to the reactor LCO, and vessel and measure neutrons leaking from the core. The NIS APPLICABILITY power range detectors provide input to the Rod Control System (continued) and the Steam Generator (SG) Water Level Control System.

Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.

a. Power Range Neutron Flux - High The Power Range Neutron Flux - High trip Function ensures that protection is provided, from all power levels, against a positive reactivity excursion leading to DNB during power operations.

These can be caused by rod withdrawal or reductions in RCS temperature.

The LCO requires all four of the Power Range Neutron Flux -

High channels to be OPERABLE.

In MODE 1 or 2, when a positive reactivity excursion could occur, the Power Range Neutron Flux - High trip must be OPERABLE. This Function will terminate the reactivity excursion and shut down the reactor prior to reaching a power level that could damage the fuel. In MODE 3, 4, 5, or 6, the NIS power range detectors cannot detect neutron levels in this range. In these MODES, the Power Range Neutron Flux - High does not have to be OPERABLE because the reactor is shut down and reactivity excursions into the power range are extremely unlikely. Other RTS Functions and administrative controls provide protection against reactivity additions when in MODE 3, 4, 5, or 6.

(continued)

Watts Bar - Unit 2 B 3.3-12 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE b. Power Range Neutron Flux - Low SAFETY ANALYSES, The LCO requirement for the Power Range Neutron Flux -

LCO, and Low trip Function ensures that protection is provided against APPLICABILITY a positive reactivity excursion from low power or subcritical (continued) conditions.

The LCO requires all four of the Power Range Neutron Flux -

Low channels to be OPERABLE.

In MODE 1, below the Power Range Neutron Flux (P-10 setpoint), and in MODE 2, the Power Range Neutron Flux -

Low trip must be OPERABLE. This Function may be manually blocked by the operator when two out of four power range channels are greater than approximately 10% RTP (P-10 setpoint). This Function is automatically unblocked when three out of four power range channels are below the P-10 setpoint. Above the P-10 setpoint, positive reactivity additions are mitigated by the Power Range Neutron Flux -

High trip Function.

In MODE 3, 4, 5, or 6, the Power Range Neutron Flux - Low trip Function does not have to be OPERABLE because the reactor is shut down and the NIS power range detectors cannot detect neutron levels in this range. Other RTS trip Functions and administrative controls provide protection against positive reactivity additions or power excursions in MODE 3, 4, 5, or 6.

3. Power Range Neutron Flux Rate The Power Range Neutron Flux Rate trip uses the same channels as discussed for Function 2 above.
a. Power Range Neutron Flux - High Positive Rate The Power Range Neutron Flux - High Positive Rate trip Function ensures that protection is provided against rapid increases in neutron flux that are characteristic of an RCCA drive rod housing rupture and the accompanying ejection of the RCCA. This Function complements the Power Range Neutron Flux - High and - Low Setpoint trip Functions to ensure that the criteria are met for a rod ejection from the power range.

(continued)

Watts Bar - Unit 2 B 3.3-13 (developmental) B

RTS Instrumentation B 3.3.1 BASES APPLICABLE a. Power Range Neutron Flux - High Positive Rate (continued)

SAFETY ANALYSES, The LCO requires all four of the Power Range Neutron Flux -

LCO, and High Positive Rate channels to be OPERABLE.

APPLICABILITY (continued) In MODE 1 or 2, when there is a potential to add a large amount of positive reactivity from a rod ejection accident (REA), the Power Range Neutron Flux - High Positive Rate trip must be OPERABLE. In MODE 3, 4, 5, or 6, the Power Range Neutron Flux - High Positive Rate trip Function does not have to be OPERABLE because other RTS trip Functions and administrative controls will provide protection against positive reactivity additions. Also, since only the shutdown banks may be withdrawn in MODE 3, 4, or 5, the remaining complement of control bank worth ensures a sufficient degree of SDM in the event of an REA. In MODE 6, no rods are withdrawn and the SDM is increased during refueling operations. The reactor vessel head is also removed or the closure bolts are detensioned preventing any pressure buildup. In addition, the NIS power range detectors cannot detect neutron levels present in this MODE.

b. Power Range Neutron Flux - High Negative Rate Deleted
4. Intermediate Range Neutron Flux The Intermediate Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup.

This trip Function provides backup protection to the Power Range Neutron Flux - Low Setpoint trip Function. The NIS intermediate range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS intermediate range detectors do not provide any input to control systems. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip.

The LCO requires two channels of Intermediate Range Neutron Flux to be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function.

(continued)

Watts Bar - Unit 2 B 3.3-14 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE 4. Intermediate Range Neutron Flux (continued)

SAFETY ANALYSES, Because this trip Function is important only during startup, there is LCO, and generally no need to disable channels for testing while the Function APPLICABILITY is required to be OPERABLE. Therefore, a third channel is (continued) unnecessary.

In MODE 1 below the P-10 setpoint, and in MODE 2, when there is a potential for an uncontrolled RCCA bank rod withdrawal accident during reactor startup, the Intermediate Range Neutron Flux trip must be OPERABLE. Above the P-10 setpoint, the Power Range Neutron Flux - High Setpoint trip provides core protection for a rod withdrawal accident. In MODE 3, 4, or 5, the Intermediate Range Neutron Flux trip does not have to be OPERABLE because the control rods must be fully inserted and only the shutdown rods may be withdrawn. The reactor cannot be started up in this condition.

The core also has the required SDM to mitigate the consequences of a positive reactivity addition accident. In MODE 6, all rods are fully inserted and the core has a required increased SDM.

5. Source Range Neutron Flux The LCO requirement for the Source Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA rod bank withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux - Low Setpoint and Intermediate Range Neutron Flux trip Functions. In MODES 3, 4, and 5, administrative controls also prevent the uncontrolled withdrawal of rods. The NIS source range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS source range detectors do not provide any inputs to control systems. The source range trip is the only RTS automatic protection function required in MODES 3, 4, and 5.

Therefore, the functional capability at the specified Trip Setpoint is assumed to be available.

The LCO requires two channels of Source Range Neutron Flux to be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function. The LCO also requires one channel of the Source Range Neutron Flux to be OPERABLE in MODE 3, 4, or 5 with RTBs open.

(continued)

Watts Bar - Unit 2 B 3.3-15 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE 5. Source Range Neutron Flux (continued)

SAFETY ANALYSES, The Source Range Neutron Flux Function provides protection for LCO, and control rod withdrawal from subcritical, boron dilution and control APPLICABILITY rod ejection events. The Function also provides visual neutron flux (continued) indication in the control room.

In MODE 2 when below the P-6 setpoint during a reactor startup, the Source Range Neutron Flux trip must be OPERABLE. Above the P-6 setpoint, the Intermediate Range Neutron Flux trip and the Power Range Neutron Flux - Low Setpoint trip will provide core protection for reactivity accidents. Above the P-6 setpoint, the NIS Source Range Neutron Flux trip Function is disabled and inoperable.

In MODE 3, 4, or 5 with the reactor shut down, the Source Range Neutron Flux trip Function must also be OPERABLE. If the CRD System is capable of rod withdrawal, the Source Range Neutron Flux trip must be OPERABLE to provide core protection against a rod withdrawal accident. If the CRD System is not capable of rod withdrawal, the source range detectors are not required to trip the reactor. However, their monitoring Function must be OPERABLE to monitor core neutron levels and provide visual indication and audible alarm of reactivity changes that may occur as a result of events like a boron dilution. The requirements for the NIS source range detectors in MODE 6 are addressed in LCO 3.9.3, "Nuclear Instrumentation."

6. Overtemperature T The Overtemperature T trip Function is provided to ensure that the design limit DNBR is met. This trip Function also limits the range over which the Overpower T trip Function must provide protection. The inputs to the Overtemperature T trip include pressurizer pressure, coolant temperature, axial power distribution, and reactor power as indicated by loop T assuming full reactor coolant flow. Protection from violating the DNBR limit is assured for those transients that are slow with respect to delays from the core to the measurement system. The Function monitors both variation in power and flow since a decrease in flow has the same effect on T as a power increase. The Overtemperature T trip (continued)

Watts Bar - Unit 2 B 3.3-16 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE 6. Overtemperature T (continued)

SAFETY ANALYSES, Function uses each loop's T as a measure of reactor power and is LCO, and compared with a setpoint that is automatically varied with the APPLICABILITY following parameters:

(continued)

  • reactor coolant average temperature - the Trip Setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature;
  • pressurizer pressure - the Trip Setpoint is varied to correct for changes in system pressure; and
  • axial power distribution - the f(I) Overtemperature T Trip Setpoint is varied to account for imbalances in the axial power distribution as detected by the NIS upper and lower power range detectors. If axial peaks are greater than the design limit, as indicated by the difference between the upper and lower NIS power range detectors, the Trip Setpoint is reduced in accordance with Note 1 of Table 3.3.1-1.

Dynamic compensation is included for delays associated with fluid transport from the core to the loop temperature detectors (RTDs),

and thermowell and RTD response time delays.

T0, as used in the Overtemperature and Overpower T trips, represents the 100% RTP value as measured for each loop.

T represents the 100% RTP Tavg value as measured by the plant for each loop. T0 and T normalize each loops T setpoint to the actual operating conditions existing at the time of measurement, thus forcing the setpoint to reflect the equivalent full power conditions as assumed in the accident analyses. Differences in RCS loop T and Tavg can be due to several factors, e.g.,

measured RCS loop flow greater than minimum measured flow, and slightly asymmetric power distributions between quadrants.

While RCS loop flows are not expected to change with cycle life, radial power redistribution between quadrants may occur, resulting in small changes in loop specific T and Tavg values. Loop specific values of T0 and T must be determined at the beginning of each fuel cycle at full power, steady-state conditions (i.e., power distribution not affected by xenon transient conditions) and will be checked quarterly and updated, if required. Tolerances for T0 and T have been included in the determination of the Overtemperature T setpoint.

(continued)

Watts Bar - Unit 2 B 3.3-17 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE 6. Overtemperature T (continued)

SAFETY ANALYSES, The Overtemperature T trip Function is calculated for each loop LCO, and as described in Note 1 of Table 3.3.1-1. Trip occurs if APPLICABILITY Overtemperature T is indicated in two loops. The pressure and (continued) temperature signals are used for other control functions. The actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to generate turbine runback prior to reaching the Trip Setpoint. A turbine runback will reduce turbine power and reactor power. A reduction in power will normally alleviate the Overtemperature T condition and may prevent a reactor trip.

The LCO requires all four channels of the Overtemperature T trip Function to be OPERABLE. Note that the Overtemperature T Function receives input from channels shared with other RTS Functions. Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.

In MODE 1 or 2, the Overtemperature T trip must be OPERABLE to prevent DNB. In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about DNB.

7. Overpower T The Overpower T trip Function ensures that protection is provided to ensure the integrity of the fuel (i.e., no fuel pellet melting and less than 1% cladding strain) under all possible overpower conditions. This trip Function also limits the required range of the Overtemperature T trip Function and provides a backup to the Power Range Neutron Flux - High Setpoint trip.

(continued)

Watts Bar - Unit 2 B 3.3-18 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE 7. Overpower T (continued)

SAFETY ANALYSES, The Overpower T trip Function ensures that the allowable heat LCO, and generation rate (kW/ft) of the fuel is not exceeded. It uses the T APPLICABILITY of each loop as a measure of reactor power with a setpoint that is (continued) automatically varied with the following parameters:

  • reactor coolant average temperature - the Trip Setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature; and

including dynamic compensation for delays associated with fluid transport from the core to the loop temperature detectors (RTDs),and thermowell and RTD response time delays.

T0, as used in the Overtemperature and Overpower T trips, represents the 100% RTP value as measured for each loop.

T represents the 100% RTP Tavg value as measured by the plant for each loop. T0 and T normalize each loops T setpoint to the actual operating conditions existing at the time of measurement, thus forcing the setpoint to reflect the equivalent full power conditions as assumed in the accident analyses. Differences in RCS loop T and Tavg can be due to several factors, e.g.,

measured RCS loop flow greater than minimum measured flow, and slightly asymmetric power distributions between quadrants.

While RCS loop flows are not expected to change with cycle life, radial power redistribution between quadrants may occur, resulting in small changes in loop specific T and Tavg values. Loop specific values of T0 and T must be determined at the beginning of each fuel cycle at full power, steady-state conditions (i.e., power distribution not affected by xenon transient conditions) and will be checked quarterly and updated, if required. Tolerances for T0 and T have been included in the determination of the Overtemperature T setpoint.

The Overpower T trip Function is calculated for each loop as per Note 2 of Table 3.3.1-1. Trip occurs if Overpower T is indicated in two loops. The temperature signals are used for other control functions. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation and a single failure in the remaining channels providing the protection function actuation. Note that this Function also provides a signal to generate a turbine runback prior (continued)

Watts Bar - Unit 2 B 3.3-19 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE 7. Overpower T (continued)

SAFETY ANALYSES, to reaching the Trip Setpoint. A turbine runback will reduce turbine LCO, and power and reactor power. A reduction in power will normally APPLICABILITY alleviate the Overpower T condition and may prevent a reactor (continued) trip.

The LCO requires four channels of the Overpower T trip Function to be OPERABLE. Note that the Overpower T trip Function receives input from channels shared with other RTS Functions.

Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.

In MODE 1 or 2, the Overpower T trip Function must be OPERABLE. These are the only times that enough heat is generated in the fuel to be concerned about the heat generation rates and overheating of the fuel.

In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about fuel overheating and fuel damage.

8. Pressurizer Pressure The same sensors provide input to the Pressurizer Pressure - High and - Low trips and the Overtemperature T trip. The Pressurizer Pressure channels are also used to provide input to the Pressurizer Pressure Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation.
a. Pressurizer Pressure - Low The Pressurizer Pressure - Low trip Function ensures that protection is provided against violating the DNBR limit due to low pressure.

The LCO requires all four channels of Pressurizer Pressure -

Low to be OPERABLE in MODE 1 above P-7.

(continued)

Watts Bar - Unit 2 B 3.3-20 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE a. Pressurizer Pressure - Low (continued)

SAFETY ANALYSES, In MODE 1, when DNB is a major concern, the Pressurizer LCO, and Pressure - Low trip must be OPERABLE. This trip Function APPLICABILITY is automatically enabled on increasing power by the P-7 (continued) interlock (NIS power range P-10 or turbine impulse pressure greater than approximately 10% of full power equivalent (P-13)). On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, no conceivable power distributions can occur that would cause DNB concerns.

b. Pressurizer Pressure - High The Pressurizer Pressure - High trip Function ensures that protection is provided against overpressurizing the RCS.

This trip Function operates in conjunction with the pressurizer relief and safety valves to prevent RCS overpressure conditions.

The LCO requires all four channels of the Pressurizer Pressure - High to be OPERABLE.

The Pressurizer Pressure - High LSSS is selected to be below the pressurizer safety valve actuation pressure and above the power operated relief valve (PORV) setting. This setting minimizes challenges to safety valves while avoiding unnecessary reactor trip for those pressure increases that can be controlled by the PORVs.

In MODE 1 or 2, the Pressurizer Pressure - High trip must be OPERABLE to help prevent RCS overpressurization and minimize challenges to the relief and safety valves. In MODE 3, 4, 5, or 6, the Pressurizer Pressure - High trip Function does not have to be OPERABLE because transients that could cause an overpressure condition will be slow to occur. Therefore, the operator will have sufficient time to evaluate unit conditions and take corrective actions.

Additionally, low temperature overpressure protection systems provide overpressure protection when below MODE 4.

(continued)

Watts Bar - Unit 2 B 3.3-21 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE 9. Pressurizer Water Level - High SAFETY ANALYSES, The Pressurizer Water Level - High trip Function provides a backup LCO, and signal for the Pressurizer Pressure - High trip and also provides APPLICABILITY protection against water relief through the pressurizer safety (continued) valves. These valves are designed to pass steam in order to achieve their design energy removal rate. A reactor trip is actuated prior to the pressurizer becoming water solid. The LCO requires three channels of Pressurizer Water Level - High to be OPERABLE. The pressurizer level channels are used as input to the Pressurizer Level Control System. A fourth channel is not required to address control/protection interaction concerns. The level channels do not actuate the safety valves, and the high pressure reactor trip is set below the safety valve setting.

Therefore, with the slow rate of charging available, pressure overshoot due to level channel failure cannot cause the safety valve to lift before reactor high pressure trip.

In MODE 1, when there is a potential for overfilling the pressurizer, the Pressurizer Water Level - High trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 interlock. On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, transients that could raise the pressurizer water level will be slow and the operator will have sufficient time to evaluate unit conditions and take corrective actions.

10. Reactor Coolant Flow - Low The Reactor Coolant Flow - Low trip Function ensures that protection is provided against violating the DNBR limit due to low flow in one or more RCS loops, while avoiding reactor trips due to normal variations in loop flow. Above the P-7 setpoint, the reactor trip on low flow in two or more RCS loops is automatically enabled.

Above the P-8 setpoint, which is approximately 48% RTP, a loss of flow in any RCS loop will actuate a reactor trip. Each RCS loop has three flow detectors to monitor flow. The flow signals are not used for any control system input.

The LCO requires three Reactor Coolant Flow - Low channels per loop to be OPERABLE in MODE 1 above P-7.

(continued)

Watts Bar - Unit 2 B 3.3-22 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE 10. Reactor Coolant Flow - Low (continued)

SAFETY ANALYSES, In MODE 1 above the P-8 setpoint, a loss of flow in one RCS loop LCO, and could result in DNB conditions in the core because of the higher APPLICABILITY power level. In MODE 1 below the P-8 setpoint and above the P-7 (continued) setpoint, a loss of flow in two or more loops is required to actuate a reactor trip because of the lower power level and the greater margin to the design limit DNBR. Below the P-7 setpoint, all reactor trips on low flow are automatically blocked since there is insufficient heat production to generate DNB conditions.

The Reactor Coolant Flow-Low Trip Setpoint and Allowable Value are specified in % thermal design flow adjusted for uncertainties (95,000 gpm); however, the Eagle-21TM values entered through the MMI are specified in an equivalent % differential pressure.

11. Undervoltage Reactor Coolant Pumps The Undervoltage RCPs trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The voltage to each RCP is monitored.

Above the P-7 setpoint, a loss of voltage detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low Trip Setpoint is reached in two or more RCS loops. The loss of voltage in two loops must be sustained for a length of time equal to or greater than that set in the time delay. Time delays are incorporated into the Undervoltage RCPs channels to prevent reactor trips due to momentary electrical power transients.

The LCO requires one Undervoltage RCP channel per bus to be OPERABLE.

In MODE 1 above the P-7 setpoint, the Undervoltage RCP trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on loss of flow in two or more RCS loops is automatically enabled.

(continued)

Watts Bar - Unit 2 B 3.3-23 (developmental) B

RTS Instrumentation B 3.3.1 BASES APPLICABLE 12. Underfrequency Reactor Coolant Pumps SAFETY ANALYSES, The Underfrequency RCPs trip Function ensures that protection is LCO, and provided against violating the DNBR limit due to a loss of flow in APPLICABILITY two or more RCS loops from a major network frequency (continued) disturbance. An underfrequency condition will slow down the pumps, thereby reducing their coastdown time following a pump trip. The proper coastdown time is required so that reactor heat can be removed immediately after reactor trip. The frequency of each RCP bus is monitored. Above the P-7 setpoint, a loss of frequency detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low Trip Setpoint is reached in two or more RCS loops. Time delays are incorporated into the Underfrequency RCPs channels to prevent reactor trips due to momentary electrical power transients.

The LCO requires one Underfrequency RCP channel per bus to be OPERABLE.

In MODE 1 above the P-7 setpoint, the Underfrequency RCPs trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on loss of flow in two or more RCS loops is automatically enabled.

13. Steam Generator Water Level - Low-Low Loss of the steam generator as a heat sink can be caused by the loss of normal feedwater, a station blackout or a feedline rupture.

Feedline ruptures inside containment are protected by the containment high pressure trip Function (Ref. 3). Feedline ruptures outside containment and the other causes of the heat sink loss are protected by the SG Water Level - Low-Low trip Function.

The SG Water Level - Low-Low trip Function ensures that protection is provided against a loss of heat sink and actuates the AFW System prior to uncovering the SG tubes. The SGs are the heat sink for the reactor. In order to act as a heat sink, the SGs must contain a minimum amount of water. A narrow range low-low level in any SG is indicative of a loss of heat sink for the reactor.

The level transmitters provide input to the SG Level Control System. Control/protection interaction is addressed by the use of a (continued)

Watts Bar - Unit 2 B 3.3-24 (developmental) B

RTS Instrumentation B 3.3.1 BASES APPLICABLE 13. Steam Generator Water Level - Low-Low (continued)

SAFETY ANALYSES, Median Signal Selector which prevents a single failure of a channel LCO, and providing input to the control system from initiating a condition APPLICABILITY requiring protection function action. The Median Signal Selector (continued) performs this by not selecting the channels indicating the highest or lowest steam generator levels as input to the control system.

Because one failed protection instrument channel would not result in an adverse control system action, a second random protection system failure (as otherwise required by IEEE 279-1971) need not be considered.

The Steam Generator Water Level Trip Time Delay (TTD) creates additional operational margin when the plant needs it most, during escalation to power, by allowing the operator time to recover level when the primary side load is sufficiently small to allow such action.

The TTD is based on continuous monitoring of primary side power through the use of vessel T. Two time delays are calculated based on the number of steam generators indicating less than the Low-Low Trip Setpoint per Note 3 of Table 3.3.1-1. The magnitude of the delays decreases with increasing primary side power level, up to 50% RTP. Above 50% RTP there are no time delays for the Low-Low Level channel trips.

The algorithm for the TTD, Ts and Tm, determines the trip delay as a function of power level (P) and four constants (A through D for Ts, E through H for Tm). An allowance for the accuracy of the Eagle-21TM time base is included in the determination of the magnitude of the constants. The magnitude of the accuracy allowance is 1%, i.e., the constant values were multiplied by 0.99 to account for this potential error.

In the event of failure of a Steam Generator Water Level Channel, the channel is placed in the trip condition as input to the Solid State Protection System (SSPS) and does not affect the TTD setpoint calculations for the remaining OPERABLE channels. It is then necessary for the operator to force the use of the shorter TTD time delay by adjustment of the single steam generator time delay calculation (TS) to match the multiple steam generator time delay calculation (TM) for the affected protection set, through the Man-Machine Interface. Failure of the vessel T channel input (failure of more than one TH RTD or failure of both TC RTDs) affects (continued)

Watts Bar - Unit 2 B 3.3-25 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE 13. Steam Generator Water Level - Low-Low (continued)

SAFETY ANALYSES, the TTD calculation for a protection set. This results in the LCO, and requirement that the operator adjust the threshold power level for APPLICABILITY zero seconds time delay from 50% RTP to 0% RTP, through the (continued) Man Machine Interface.

The LCO requires three channels of SG Water Level - Low-Low per SG to be OPERABLE. This function initiates a reactor trip and the ESFAS function auxiliary feedwater pump start. The reactor trip feature is required to be OPERABLE in MODES 1 and 2 and the auxiliary feedwater pump start feature is required to be OPERABLE in MODES 1, 2, and 3.

In MODE 3, OPERABILITY of loop T input to TTD is not required because MODE 3 T = 0 (by definition). The Eagle-21TM code does not allow anything less than 0. The value of T is low-limited to 0.0 prior to use in the calculation of the single and multiple trip time delays.

For MODES 1 and 2, T0, as used in the Vessel T Equivalent to Power represents the 100% RTP value as measured for each loop.

T0 normalizes each loops vessel T to the actual operating conditions existing at the time of measurement, thus forcing the TTD to reflect the equivalent full power conditions as assumed in the accident analyses. Differences in RCS loop T can be due to several factors, e.g., measured RCS loop flow greater than minimum measured flow, and slightly asymmetric power distributions between quadrants. While RCS loop flows are not expected to change with cycle life, radial power redistribution between quadrants may occur, resulting in small changes in loop specific T values. Loop specific values of T0 must be determined at the beginning of each fuel cycle at full power, steady-state conditions (i.e., power distribution not affected by xenon transient conditions) and will be checked quarterly and updated, if required. Tolerances for T0 have been included in the determination of the Vessel T Equivalent to Power.

(continued)

Watts Bar - Unit 2 B 3.3-26 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE 13. Steam Generator Water Level - Low-Low (continued)

SAFETY ANALYSES, For MODES 1, 2, and 3, channel check surveillance testing on LCO, and RCS loop T input to TTD is not required. There are no provisions APPLICABILITY for performing a channel check on the RCS loop T for the SG (continued) Level TTD Function. The power level can only be verified by connecting the Eagle-21TM Man-Machine Interface terminal and viewing the Dynamic Information for this channel. The Eagle-21TM system uses a redundant sensor algorithm for the hot leg and cold leg inputs, and will alert the operator if a failure occurs with the sensor or input signal conditioning.

The coefficients (A, B, C, D, E, F, G, and H) shown in the equation of Note 3 represent conservative values for the calculation of the time delay (i.e., the values given are 99% of the values used for the safety analyses). For the Eagle-21TM System, these coefficients are displayed (via the Man-Machine Interface) as A, B, C and D for the single request time delay, and E, F, G and H for the multiple request time delay.

In MODE 1 or 2, when the reactor is critical, the SG Water Level -

Low-Low trip must be OPERABLE. In MODES 1, 2, and 3 the normal source of water for the SGs is the Main Feedwater (MFW)

System (not safety related). The AFW System is the safety related backup source of water to ensure that the SGs remain the heat sink for the reactor in these MODES. The ESFAS Function of the SG Water Level - Low-Low trip must be OPERABLE in MODES 1, 2, and 3. In MODES 3, 4, 5, and 6, the SG Water Level - Low-Low trip Function does not have to be OPERABLE because the reactor is not operating or even critical.

(continued)

Watts Bar - Unit 2 B 3.3-27 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE 14. Turbine Trip SAFETY ANALYSES, a. Turbine Trip - Low Fluid Oil Pressure LCO, and APPLICABILITY The Turbine Trip - Low Fluid Oil Pressure trip Function (continued) anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. This trip Function acts to minimize the pressure/temperature transient on the reactor. Any turbine trip from a power level below the P-9 setpoint, approximately 50% power, will not actuate a reactor trip. Three pressure switches monitor the control oil pressure in the Turbine Electrohydraulic Control System. A low pressure condition sensed by two-out-of-three pressure switches will actuate a reactor trip. These pressure switches do not provide any input to the control system. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure - High trip Function and RCS integrity is ensured by the pressurizer safety valves.

The LCO requires three channels of Turbine Trip - Low Fluid Oil Pressure to be OPERABLE in MODE 1 above P-9.

Below the P-9 setpoint, a turbine trip does not actuate a reactor trip. In MODE 2, 3, 4, 5, or 6, there is no potential for a turbine trip, and the Turbine Trip - Low Fluid Oil Pressure trip Function does not need to be OPERABLE.

b. Turbine Trip - Turbine Stop Valve Closure The Turbine Trip - Turbine Stop Valve Closure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip from a power level below the P-9 setpoint, approximately 50% power. This action will not actuate a reactor trip. The trip Function anticipates the loss of secondary heat removal capability that occurs when the stop valves close. Tripping the reactor in anticipation of loss of secondary heat removal acts to minimize the pressure and temperature transient on the reactor. This trip Function will not and is not required to operate in the presence of a single channel failure. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer (continued)

Watts Bar - Unit 2 B 3.3-28 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE b. Turbine Trip - Turbine Stop Valve Closure (continued)

SAFETY ANALYSES, Pressure - High trip Function, and RCS integrity is ensured LCO, and by the pressurizer safety valves. This trip Function is APPLICABILITY diverse to the Turbine Trip - Low Fluid Oil Pressure trip (continued) Function. Each turbine stop valve is equipped with one limit switch that inputs to the RTS. If all four limit switches indicate that the stop valves are all closed, a reactor trip is initiated.

The LSSS for this Function is set to assure channel trip occurs when the associated stop valve is completely closed.

The LCO requires four Turbine Trip - Turbine Stop Valve Closure channels, one per valve, to be OPERABLE in MODE 1 above P-9. All four channels must trip to cause reactor trip.

Below the P-9 setpoint, a load rejection can be accommodated by the Steam Dump System. In MODE 2, 3, 4, 5, or 6, there is no potential for a load rejection, and the Turbine Trip - Stop Valve Closure trip Function does not need to be OPERABLE.

15. Safety Injection (SI) Input from Engineered Safety Feature Actuation System (ESFAS)

The SI Input from ESFAS ensures that if a reactor trip has not already been generated by the RTS, the ESFAS automatic actuation logic will initiate a reactor trip upon any signal that initiates SI. Reactor trip is not credited in the large break LOCA.

However, other transients and accidents take credit for varying levels of ESF performance and rely upon rod insertion, except for the most reactive rod that is assumed to be fully withdrawn, to ensure reactor shutdown. Therefore, a reactor trip is initiated every time an SI signal is present.

Trip Setpoint and Allowable Values are not applicable to this Function. The SI Input is provided by solid state logic in the ESFAS. Therefore, there is no measurement signal with which to associate an LSSS.

The LCO requires two trains of SI Input from ESFAS to be OPERABLE in MODE 1 or 2.

(continued)

Watts Bar - Unit 2 B 3.3-29 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE 15. Safety Injection (SI) Input from Engineered Safety Feature SAFETY Actuation System (ESFAS) (continued)

ANALYSES, LCO, and A reactor trip is initiated every time an SI signal is present.

APPLICABILITY Therefore, this trip Function must be OPERABLE in MODE 1 or 2, (continued) when the reactor is critical, and must be shut down in the event of an accident. In MODE 3, 4, 5, or 6, the reactor is not critical, and this trip Function does not need to be OPERABLE.

16. Reactor Trip System Interlocks Reactor protection interlocks are provided to ensure reactor trips are in the correct configuration for the current unit status. They back up operator actions to ensure protection system Functions are not bypassed during unit conditions under which the safety analysis assumes the Functions are not bypassed. Therefore, the interlock Functions do not need to be OPERABLE when the associated reactor trip Functions are outside the applicable MODES. These are:
a. Intermediate Range Neutron Flux, P-6 The Intermediate Range Neutron Flux, P-6 interlock is actuated when any NIS intermediate range channel indicates approximately one decade above the minimum channel reading. If both channels decrease below the setpoint, the permissive will automatically be defeated. The LCO requirement for the P-6 interlock ensures that the following Functions are performed:
  • on increasing power, the P-6 interlock allows the manual block of the NIS Source Range Neutron Flux reactor trip. This prevents a premature block of the source range trip and allows the operator to ensure that the intermediate range is OPERABLE prior to increasing power above the source range; and
  • on decreasing power, the P-6 interlock automatically enables the NIS Source Range Neutron Flux reactor trip.

The LCO requires two channels of Intermediate Range Neutron Flux, P-6 interlock to be OPERABLE in MODE 2 when below the P-6 interlock setpoint.

(continued)

Watts Bar - Unit 2 B 3.3-30 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE a. Intermediate Range Neutron Flux, P-6 (continued)

SAFETY ANALYSES, Above the P-6 interlock setpoint, the NIS Source Range LCO, and Neutron Flux reactor trip may be blocked, and this Function APPLICABILITY would no longer be necessary. In MODE 3, 4, 5, or 6, the (continued) P-6 interlock is not required to be OPERABLE because the NIS Source Range is providing core protection.

b. Low Power Reactor Trips Block, P-7 The Low Power Reactor Trips Block, P-7 interlock is actuated by input from either the Power Range Neutron Flux, P-10, or the Turbine Impulse Pressure, P-13 interlock. The LCO requirement for the P-7 interlock ensures that the following Functions are performed:

(1) on increasing power, the P-7 interlock automatically enables reactor trips on the following Functions:

  • Pressurizer Pressure - Low;
  • Pressurizer Water Level - High;
  • Undervoltage RCPs; and
  • Underfrequency RCPs.

These reactor trips are only required when operating above the P-7 setpoint (approximately 10% power). The reactor trips provide protection against violating the DNBR limit. Below the P-7 setpoint, the RCS is capable of providing sufficient natural circulation without any RCP running.

(continued)

Watts Bar - Unit 2 B 3.3-31 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE b. Low Power Reactor Trips Block, P-7 (continued)

SAFETY

ANALYSES, LCO, and (2) on decreasing power, the P-7 interlock automatically APPLICABILITY blocks reactor trips on the following Functions:

(continued)

  • Pressurizer Pressure - Low;
  • Pressurizer Water Level - High;
  • Undervoltage RCPs; and
  • Underfrequency RCPs.

Trip Setpoint and Allowable Value are not applicable to the P-7 interlock because it is a logic Function, and thus has no parameter with which to associate an LSSS.

The P-7 interlock is a logic Function with train and not channel identity. Therefore, the LCO requires one channel per train of Low Power Reactor Trips Block, P-7 interlock to be OPERABLE in MODE 1.

The low power trips are blocked below the P-7 setpoint and unblocked above the P-7 setpoint.

In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the interlock performs its Function when power level drops below 10% power, which is in MODE 1.

(continued)

Watts Bar - Unit 2 B 3.3-32 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE c. Power Range Neutron Flux, P-8 SAFETY ANALYSES, The Power Range Neutron Flux, P-8 interlock is actuated at LCO, and approximately 48% power as determined by two-out-of-four APPLICABILITY NIS power range detectors. Above approximately 48%

(continued) power the P-8 interlock automatically enables the Reactor Coolant Flow - Low reactor trip on low flow in one or more RCS loops on increasing power. The LCO requirement for this trip Function ensures that protection is provided against a loss of flow in any RCS loop that could result in DNB conditions in the core when greater than approximately 48%

power. On decreasing power, the reactor trip on low flow in any loop is automatically blocked.

The LCO requires four channels of Power Range Neutron Flux, P-8 interlock to be OPERABLE in MODE 1.

In MODE 1, a loss of flow in one RCS loop could result in DNB conditions, so the Power Range Neutron Flux, P-8 interlock must be OPERABLE. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the core is not producing sufficient power to be concerned about DNB conditions.

d. Power Range Neutron Flux, P-9 The Power Range Neutron Flux, P-9 interlock is actuated at approximately 50% power as determined by two-out-of-four NIS power range detectors. The LCO requirement for this Function ensures that the Turbine Trip - Low Fluid Oil Pressure and Turbine Trip - Turbine Stop Valve Closure reactor trips are enabled above the P-9 setpoint. Above the P-9 setpoint, a turbine trip will cause a load rejection beyond the combined capacity of the Steam Dump System and Rod Control System. A reactor trip is automatically initiated on a turbine trip when it is above the P-9 setpoint, to minimize the transient on the reactor.

The LCO requires four channels of Power Range Neutron Flux, P-9 interlock to be OPERABLE in MODE 1.

In MODE 1, a turbine trip could cause a load rejection beyond the capacity of the Steam Dump System, so the Power Range Neutron Flux interlock must be OPERABLE.

(continued)

Watts Bar - Unit 2 B 3.3-33 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE d. Power Range Neutron Flux, P-9 (continued)

SAFETY ANALYSES, In MODE 2, 3, 4, 5, or 6, this Function does not have to be LCO, and OPERABLE because the reactor is not at a power level APPLICABILITY sufficient to have a load rejection beyond the capacity of the (continued) Steam Dump System.

e. Power Range Neutron Flux, P-10 The Power Range Neutron Flux, P-10 interlock is actuated at approximately 10% power, as determined by two-out-of-four NIS power range detectors. If power level falls below 10% power on 3 of 4 channels, the nuclear instrument trips will be automatically unblocked. The LCO requirement for the P-10 interlock ensures that the following Functions are performed:
  • on increasing power, the P-10 interlock allows the operator to manually block the Intermediate Range Neutron Flux reactor trip. Note that blocking the reactor trip also blocks the signal to prevent automatic and manual rod withdrawal;
  • on increasing power, the P-10 interlock allows the operator to manually block the Power Range Neutron Flux - Low reactor trip;
  • on increasing power, the P-10 interlock automatically provides a backup signal to block the Source Range Neutron Flux reactor trip;
  • the P-10 interlock provides one of the two inputs to the P-7 interlock; and
  • on decreasing power, the P-10 interlock automatically enables the Power Range Neutron Flux - Low reactor trip and the Intermediate Range Neutron Flux reactor trip (and rod stop).

The LCO requires four channels of Power Range Neutron Flux, P-10 interlock to be OPERABLE in MODE 1 or 2.

(continued)

Watts Bar - Unit 2 B 3.3-34 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE e. Power Range Neutron Flux, P-10 (continued)

SAFETY ANALYSES, OPERABILITY in MODE 1 ensures the Function is available LCO, and to perform its decreasing power Functions in the event of a APPLICABILITY reactor shutdown. This Function must be OPERABLE in (continued) MODE 2 to ensure that core protection is provided during a startup or shutdown by the Power Range Neutron Flux - Low and Intermediate Range Neutron Flux reactor trips. In MODE 3, 4, 5, or 6, this Function does not have to be OPERABLE because the reactor is not at power and the Source Range Neutron Flux reactor trip provides core protection.

f. Turbine Impulse Pressure, P-13 The Turbine Impulse Pressure, P-13 interlock is actuated when the pressure at the inlet of the high pressure turbine is greater than approximately 10% of the rated full load pressure. This is determined by one-out-of-two pressure detectors. The LCO requirement for this Function ensures that one of the inputs to the P-7 interlock is available.

The LCO requires two channels of Turbine Impulse Pressure, P-13 interlock to be OPERABLE in MODE 1.

The Turbine Impulse Pressure, P-13 interlock must be OPERABLE when the turbine generator is operating. The interlock Function is not required OPERABLE in MODE 2, 3, 4, 5, or 6 because the turbine generator is not operating.

17. Reactor Trip Breakers This trip Function applies to the RTBs exclusive of individual trip mechanisms. The LCO requires two OPERABLE trains of trip breakers. A trip breaker train consists of all trip breakers associated with a single RTS logic train that are racked in, closed, and capable of supplying power to the CRD System. Thus, the train may consist of the main breaker, bypass breaker, or main breaker and bypass breaker, depending upon the system configuration. Two OPERABLE trains ensure no single random failure can disable the RTS trip capability.

(continued)

Watts Bar - Unit 2 B 3.3-35 (developmental) B

RTS Instrumentation B 3.3.1 BASES APPLICABLE 17. Reactor Trip Breakers (continued)

SAFETY ANALYSES, These trip Functions must be OPERABLE in MODE 1 or 2 when LCO, and the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions APPLICABILITY must be OPERABLE when the RTBs or associated bypass (continued) breakers are closed, and the CRD System is capable of rod withdrawal.

18. Reactor Trip Breaker Undervoltage and Shunt Trip Mechanisms The LCO requires both the Undervoltage and Shunt Trip Mechanisms to be OPERABLE for each RTB that is in service. The trip mechanisms are not required to be OPERABLE for trip breakers that are open, racked out, incapable of supplying power to the CRD System, or declared inoperable under Function 17 above.

OPERABILITY of both trip mechanisms on each breaker ensures that no single trip mechanism failure will prevent opening any breaker on a valid signal.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the RTBs or associated bypass breakers are closed, and the CRD System is capable of rod withdrawal.

19. Automatic Trip Logic The LCO requirement for the RTBs (Functions 17 and 18) and Automatic Trip Logic (Function 19) ensures that means are provided to interrupt the power to allow the rods to fall into the reactor core. Each RTB is equipped with an undervoltage coil and a shunt trip coil to trip the breaker open when needed. Each RTB is equipped with a bypass breaker to allow testing of the trip breaker while the unit is at power. The reactor trip signals generated by the RTS Automatic Trip Logic cause the RTBs and associated bypass breakers to open and shut down the reactor.

The LCO requires two trains of RTS Automatic Trip Logic to be OPERABLE. Having two OPERABLE channels ensures that random failure of a single logic channel will not prevent reactor trip.

(continued)

Watts Bar - Unit 2 B 3.3-36 (developmental) A

RTS Instrumentation B 3.3.1 BASES APPLICABLE 19. Automatic Trip Logic (continued)

SAFETY ANALYSES, These trip Functions must be OPERABLE in MODE 1 or 2 when LCO, and the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions APPLICABILITY must be OPERABLE when the RTBs or associated bypass (continued) breakers are closed, and the CRD System is capable of rod withdrawal.

The RTS instrumentation satisfies Criterion 3 of the NRC Policy Statement.

ACTIONS A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.1-1.

In the event a channel's NTSP is found non-conservative with respect to the Allowable Value, or the channel is not functioning as required, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected.

When the number of inoperable channels in a trip Function exceed those specified in one or other related Conditions associated with a trip Function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 must be immediately entered if applicable in the current MODE of operation.

A.1 Condition A applies to all RTS protection functions. Condition A addresses the situation where one or more required channels for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

(continued)

Watts Bar - Unit 2 B 3.3-37 (developmental) B

RTS Instrumentation B 3.3.1 BASES ACTIONS B.1, B.2.1, and B.2.

(continued)

Condition B applies to the Manual Reactor Trip in MODE 1 or 2. This action addresses the train orientation of the SSPS for this Function. With one channel inoperable, the inoperable channel must be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. In this Condition, the remaining OPERABLE channel is adequate to perform the safety function.

The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is reasonable considering that there are two automatic actuation trains and another manual initiation channel OPERABLE, and the low probability of an event occurring during this interval.

If the Manual Reactor Trip Function cannot be restored to OPERABLE status within the allowed 48-hour Completion Time, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 additional hours (54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> total time) followed by opening the RTBs within 1 additional hour (55 hours6.365741e-4 days <br />0.0153 hours <br />9.093915e-5 weeks <br />2.09275e-5 months <br /> total time). The 6 additional hours to reach MODE 3 and the 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to open the RTBs are reasonable, based on operating experience, to reach MODE 3 and open the RTBs from full power operation in an orderly manner and without challenging plant systems. With the RTBs open and the plant in MODE 3, this trip Function is no longer required to be OPERABLE.

C.1 and C.2 Condition C applies to the following reactor trip Functions in MODE 3, 4, or 5 with the RTBs closed and the CRD System capable of rod withdrawal:

  • RTBs;
  • RTB Undervoltage and Shunt Trip Mechanisms; and

This action addresses the train orientation of the SSPS for these Functions. With one channel or train inoperable, the inoperable channel or train must be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. If the affected Function(s) cannot be restored to OPERABLE status within the allowed 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Completion Time, the plant must be placed in a MODE in which the requirement does not apply. To achieve this status, the RTBs (continued)

Watts Bar - Unit 2 B 3.3-38 (developmental) A

RTS Instrumentation B 3.3.1 BASES ACTIONS C.1 and C.2 (continued)

(continued) must be opened within the next hour. The additional hour provides sufficient time to accomplish the action in an orderly manner. With the RTBs open, these Functions are no longer required. The Completion Time is reasonable considering that in this Condition, the remaining OPERABLE channel or train is adequate to perform the safety function, and given the low probability of an event occurring during this interval.

D.1.1, D.1.2, D.2.1, D.2.2, and D.3 Condition D applies to the Power Range Neutron Flux - High Function.

The NIS power range detectors provide input to the CRD System and the SG Water Level Control System and, therefore, have a two-out-of-four trip logic. A known inoperable channel must be placed in the tripped condition. This results in a partial trip condition requiring only one-out-of-three logic for actuation. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition is justified in Reference 14.

In addition to placing the inoperable channel in the tripped condition, THERMAL POWER must be reduced to 75% RTP within 78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br />.

Reducing the power level prevents operation of the core with radial power distributions beyond the design limits. With one of the NIS power range detectors inoperable, 1/4 of the radial power distribution monitoring capability is lost.

As an alternative to the above actions, the inoperable channel can be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and the QPTR monitored once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> as per SR 3.2.4.2, QPTR verification. Calculating QPTR every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> compensates for the lost monitoring capability due to the inoperable NIS power range channel and allows continued unit operation at power levels 75% RTP. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency is consistent with LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)."

As an alternative to the above actions, the plant must be placed in a MODE where this Function is no longer required OPERABLE.

Seventy-eight hours are allowed to place the plant in MODE 3. The 78 hour9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> Completion Time includes 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> for channel corrective maintenance and an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> for the MODE reduction as required by Required Action D.3. This is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. If Required Actions cannot be completed within their allowed Completion Times, LCO 3.0.3 must be entered.

(continued)

Watts Bar - Unit 2 B 3.3-39 (developmental) A

RTS Instrumentation B 3.3.1 BASES ACTIONS D.1.1, D.1.2, D.2.1, D.2.2, and D.3 (continued)

(continued)

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypass condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of other channels. The Note also allows placing the inoperable channel in the bypass condition to allow setpoint adjustments of other channels when required to reduce the setpoint in accordance with other Technical Specifications. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 14.

Required Action D.2.2 has been modified by a Note which only requires SR 3.2.4.2 to be performed if the Power Range Neutron Flux input to QPTR becomes inoperable. Failure of a component in the Power Range Neutron Flux channel which renders the High Flux trip Function inoperable may not affect the capability to monitor QPTR. As such, determining QPTR using the PDMS once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> may not be necessary.

E.1 and E.2 Condition E applies to the following reactor trip Functions:

  • Power Range Neutron Flux - Low; and
  • Power Range Neutron Flux - High Positive Rate.

A known inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing the channel in the tripped condition results in a partial trip condition requiring only one-out-of-two logic for actuation of the two-out-of-three trips and one-out-of-three logic for actuation of the two-out-of-four trips. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition is justified in Reference 14.

If the inoperable channel cannot be placed in the trip condition within the specified Completion Time, the plant must be placed in a MODE where these Functions are not required OPERABLE. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed to place the plant in MODE 3. Six hours is a reasonable time, based on operating experience, to place the plant in MODE 3 from full power in an orderly manner and without challenging plant systems.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 14.

(continued)

Watts Bar - Unit 2 B 3.3-40 (developmental) B

RTS Instrumentation B 3.3.1 BASES ACTIONS F.1 and F.2 (continued)

Condition F applies to the Intermediate Range Neutron Flux trip when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint and one channel is inoperable. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. If THERMAL POWER is greater than the P-6 setpoint but less than the P-10 setpoint, 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> is allowed to reduce THERMAL POWER below the P-6 setpoint or increase THERMAL POWER above the P-10 setpoint. The NIS Intermediate Range Neutron Flux channels must be OPERABLE when the power level is above the capability of the source range, P-6, and below the capability of the power range, P-10. If THERMAL POWER is greater than the P-10 setpoint, the NIS power range detectors perform the monitoring and protection functions and the intermediate range is not required. The Completion Times allow for a slow and controlled power adjustment above P-10 or below P-6 and take into account the redundant capability afforded by the redundant OPERABLE channel, and the low probability of its failure during this period. This action does not require the inoperable channel to be tripped because the Function uses one-out-of-two logic. Tripping one channel would trip the reactor. Thus, the Required Actions specified in this Condition are only applicable when channel failure does not result in reactor trip.

G.1 and G.2 Condition G applies to two inoperable Intermediate Range Neutron Flux trip channels in MODE 2 when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint. Required Actions specified in this Condition are only applicable when channel failures do not result in reactor trip. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. With no intermediate range channels OPERABLE, the Required Actions are to suspend operations involving positive reactivity additions immediately.

This will preclude any power level increase since there are no OPERABLE Intermediate Range Neutron Flux channels. The operator must also reduce THERMAL POWER below the P-6 setpoint within two hours. Below P-6, the Source Range Neutron Flux channels will be able to monitor the core power level. The Completion Time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> will allow a slow and controlled power reduction to less than the P-6 setpoint and takes into account the low probability of occurrence of an event during this period that may require the protection afforded by the NIS Intermediate Range Neutron Flux trip.

(continued)

Watts Bar - Unit 2 B 3.3-41 (developmental) A

RTS Instrumentation B 3.3.1 BASES ACTIONS H.1 (continued)

Condition H applies to the Intermediate Range Neutron Flux trip when THERMAL POWER is below the P-6 setpoint and one or two channels are inoperable. Below the P-6 setpoint, the NIS source range performs the monitoring and protection functions. The inoperable NIS intermediate range channel(s) must be returned to OPERABLE status prior to increasing power above the P-6 setpoint. The NIS intermediate range channels must be OPERABLE when the power level is above the capability of the source range, P-6, and below the capability of the power range, P-10.

I.1 Condition I applies to one inoperable Source Range Neutron Flux trip channel when in MODE 2, below the P-6 setpoint, and performing a reactor startup. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the two channels inoperable, operations involving positive reactivity additions shall be suspended immediately.

This will preclude any power escalation. With only one source range channel OPERABLE, core protection is severely reduced and any actions that add positive reactivity to the core must be suspended immediately.

J.1 Condition J applies to two inoperable Source Range Neutron Flux trip channels when in MODE 2, below the P-6 setpoint, and performing a reactor startup, or in MODE 3, 4, or 5 with the RTBs closed and the CRD System capable of rod withdrawal. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With both source range channels inoperable, the RTBs must be opened immediately. With the RTBs open, the core is in a more stable condition and the plant enters Condition L.

(continued)

Watts Bar - Unit 2 B 3.3-42 (developmental) A

RTS Instrumentation B 3.3.1 BASES ACTIONS K.1 and K.2 (continued)

Condition K applies to one inoperable Source Range Neutron Flux trip channel in MODE 3, 4, or 5 with the RTBs closed and the CRD System capable of rod withdrawal. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the source range channels inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed to restore it to an OPERABLE status. If the channel cannot be returned to an OPERABLE status, 1 additional hour is allowed to open the RTBs.

Once the RTBs are open, the core is in a more stable condition and the plant enters Condition L. The allowance of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to restore the channel to OPERABLE status, and the additional hour to open the RTBs, are justified in Reference 7.

L.1, L.2, and L.3 Condition L applies when the required Source Range Neutron Flux channel is inoperable in MODE 3, 4, or 5 with the RTBs open. With the unit in this Condition, the NIS source range performs the monitoring and protection functions. With the required source range channel inoperable, operations involving positive reactivity additions shall be suspended immediately. This will preclude any power escalation. In addition to suspension of positive reactivity additions, all valves that could add unborated water to the RCS must be closed within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> as specified in LCO 3.9.2. The isolation of unborated water sources will preclude a boron dilution accident.

Also, the SDM must be verified within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter as per SR 3.1.1.1, SDM verification. With no source range channels OPERABLE, core protection is severely reduced. Verifying the SDM within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allows sufficient time to perform the calculations and determine that the SDM requirements are met. The SDM must also be verified once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter to ensure that the core reactivity has not changed. Required Action L.1 precludes any positive reactivity additions; therefore, core reactivity should not be increasing, and a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency is adequate. The Completion Times of within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> are based on operating experience in performing the Required Actions and the knowledge that unit conditions will change slowly.

(continued)

Watts Bar - Unit 2 B 3.3-43 (developmental) A

RTS Instrumentation B 3.3.1 BASES ACTIONS M.1 and M.2 (continued)

Condition M applies to the following reactor trip Functions:

  • Undervoltage RCPs; and
  • Underfrequency RCPs.

With one channel inoperable, the inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing the channel in the tripped condition results in a partial trip condition requiring only one additional channel to initiate a reactor trip above the P-7 setpoint and below the P-8 setpoint. These Functions do not have to be OPERABLE below the P-7 setpoint because there are no loss of flow trips below the P-7 setpoint.

The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the channel in the tripped condition is justified in Reference 14. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed to reduce THERMAL POWER to below P-7 if the inoperable channel cannot be restored to OPERABLE status or placed in trip within the specified Completion Time.

Allowance of this time interval takes into consideration the redundant capability provided by the remaining redundant OPERABLE channel, and the low probability of occurrence of an event during this period that may require the protection afforded by the Functions associated with Condition M.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 14.

N.1 and N.2 Condition N applies to the Reactor Coolant Flow - Low reactor trip Function. With one channel inoperable, the inoperable channel must be placed in trip within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing the channel in the tripped condition when above the P-8 setpoint results in a partial trip condition requiring only one additional channel in the same loop to initiate a reactor trip. Two tripped channels in each of two RCS loops are required to initiate a reactor trip when below the P-8 setpoint and above the P-7 setpoint. This trip Function does not have to be OPERABLE below the P-7 setpoint because there is no loss of flow trip below the P-7 setpoint. There is insufficient heat production to generate DNB conditions below the P-7 setpoint. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the channel in the tripped (continued)

Watts Bar - Unit 2 B 3.3-44 (developmental) A

RTS Instrumentation B 3.3.1 BASES ACTIONS N.1 and N.2 (continued)

(continued) condition is justified in Reference 14. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed to reduce THERMAL POWER to below P-7 if the inoperable channel cannot be restored to OPERABLE status or placed in trip within the specified Completion Time.

Allowance of this time interval takes into consideration the redundant capability provided by the remaining redundant OPERABLE channel, and the low probability of occurrence of an event during this period that may require the protection afforded by the Function associated with Condition N.

The Required Actions have been modified by a Note that allows placing an inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The Note also allows a channel to be placed in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 14.

O.1 and O.2 Condition O applies to Turbine Trip on Low Fluid Oil Pressure. With one channel inoperable, the inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing a channel in the tripped condition results in a partial trip condition requiring only one additional channel to initiate a reactor trip. If the channel cannot be restored to OPERABLE status or placed in the tripped condition, then power must be reduced below the P-9 setpoint within the next 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition and the 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> allowed for reducing power are justified in Reference 14.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 14.

(continued)

Watts Bar - Unit 2 B 3.3-45 (developmental) A

RTS Instrumentation B 3.3.1 BASES ACTIONS P.1 and P.2 (continued)

Condition P applies to the SI Input from ESFAS reactor trip and the RTS Automatic Trip Logic in MODES 1 and 2. These actions address the train orientation of the RTS for these Functions. With one train inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status (Required Action P.1) or the plant must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (Required Action P.1) is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function and given the low probability of an event during this interval. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed to restore the inoperable RTS Automatic Trip Logic train to OPERABLE status is justified in Reference 14. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (Required Action P.2) is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems.

The Required Actions have been modified by a Note that allows bypassing one train up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing, provided the other train is OPERABLE.

Q.1 and Q.2 Condition Q applies to the RTBs in MODES 1 and 2. These actions address the train orientation of the RTS for the RTBs. With one train inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed for train corrective maintenance to restore the train to OPERABLE status or the plant must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> completion time is justified in Reference 15. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. Placing the Unit in Mode 3 results in Condition C entry while RTB(s) are inoperable.

The Required Actions have been modified by a Note. The Note allows one train to be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing, provided the other train is OPERABLE. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> time limit is justified in Reference 15.

(continued)

Watts Bar - Unit 2 B 3.3-46 (developmental) A

RTS Instrumentation B 3.3.1 BASES ACTIONS R.1 and R.2 (continued)

Condition R applies to the P-6 and P-10 interlocks. With one channel inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing plant condition within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or the plant must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. Verifying the interlock status manually accomplishes the interlock's Function. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Times are equal to the time allowed by LCO 3.0.3 for shutdown actions in the event of a complete loss of RTS Function.

S.1 and S.2 Condition S applies to the P-7, P-8, P-9, and P-13 interlocks. With one channel inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing plant condition within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or the plant must be placed in MODE 2 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. These actions are conservative for the case where power level is being raised. Verifying the interlock status manually accomplishes the interlock's Function. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 2 from full power in an orderly manner and without challenging plant systems.

T.1, T.2.1, and T.2.2 Condition T applies to the RTB Undervoltage and Shunt Trip Mechanisms, or diverse trip features, in MODES 1 and 2. With one of the diverse trip features inoperable, it must be restored to an OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> or the plant must be placed in a MODE where the requirement does not apply. This is accomplished by placing the plant in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> total time) followed by opening the RTBs in 1 additional hour (55 hours6.365741e-4 days <br />0.0153 hours <br />9.093915e-5 weeks <br />2.09275e-5 months <br /> total time).

The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. With the RTBs open and the plant in MODE 3, this trip Function is no longer required to be (continued)

Watts Bar - Unit 2 B 3.3-47 (developmental) A

RTS Instrumentation B 3.3.1 BASES ACTIONS T.1, T.2.1, and T.2.2 (continued)

(continued)

OPERABLE. The affected RTB shall not be bypassed while one of the diverse features is inoperable except for the time required to perform maintenance to one of the diverse features. The allowable time for performing maintenance of the diverse features is 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for the reasons stated under Condition Q.

The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> for Required Action T.1 is reasonable considering that in this Condition there is one remaining diverse feature for the affected RTB, and one OPERABLE RTB capable of performing the safety function and given the low probability of an event occurring during this interval.

U.1.1, U.1.2, and U.2 Condition U applies to the Steam Generator Water Level - Low-Low reactor trip Function.

A known inoperable channel must be restored to OPERABLE status or placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing the channel in the tripped condition requires only one-out-of-two logic for actuation of the two-out-of-three trips. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition is justified in Reference 14.

If a channel fails, it is placed in the tripped condition and does not affect the TTD setpoint calculations for the remaining OPERABLE channels. It is then necessary for the operator to force the use of the shorter TTD time delay by adjustment of the single steam generator time delay calculation (TS) to match the multiple steam generator time delay calculation (TM) for the affected protection set, through the Man Machine Interface.

If the inoperable channel cannot be restored or placed in the tripped condition within the specified Completion Time, the plant must be placed in a MODE where these Functions are not required OPERABLE. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed to place the plant in MODE 3. Six hours is a reasonable time, based on operating experience, to place the plant in MODE 3 from MODE 1 from full power in an orderly manner and without challenging plant systems.

(continued)

Watts Bar - Unit 2 B 3.3-48 (developmental) A

RTS Instrumentation B 3.3.1 BASES ACTIONS U.1.1, U.1.2, and U.2 (continued)

(continued)

The Required Actions have been modified by a Note that allows placing an inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The Note also allows a channel to be placed in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 14.

V.1 and V.2 Condition V applies to the Vessel T Equivalent to Power reactor trip Function.

Failure of the vessel T channel input (failure of more than one TH RTD or failure of both TC RTDs) affects the TTD calculation for a protection set.

This results in the requirement that the operator adjust the threshold power level for zero seconds time delay from 50% RTP to 0% RTP, through the Man Machine Interface.

If the inoperable channel cannot be restored or the threshold power level for zero seconds time delay adjusted within the specified Completion Time, the plant must be placed in a MODE where these Functions are not required to be OPERABLE. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed to place the plant in MODE 3. Six hours is a reasonable time, based on operating experience, to place the plant in MODE 3 from MODE 1 from full power in an orderly manner and without challenging plant systems.

The Required Actions have been modified by a Note that allows placing an inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The Note also allows a channel to be placed in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 14.

(continued)

Watts Bar - Unit 2 B 3.3-49 (developmental) A

RTS Instrumentation B 3.3.1 BASES ACTIONS W.1 and W.2 (continued)

Condition W applies to the following reactor trip functions:

  • Overtemperature T;
  • Overpower T; and
  • Pressurizer Pressure - High.

A known inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing the channel in the tripped condition results in a partial trip condition requiring only one-out-of-two logic for actuation of the two-out-of-three trips and one-out-of-three logic for actuation of the two-out-of-four trips. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition is justified in Reference 14.

If the operable channel cannot be restored or placed in the trip condition within the specified Completion Time, the plant must be placed in a MODE where these Functions are not required OPERABLE. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed to place the plant in MODE 3. Six hours is a reasonable time, based on operating experience, to place the plant in MODE 3 from full power in an orderly manner and without challenging plant systems.

The Required Actions have been modified by a Note that allows placing an inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The Note also allows a channel to be placed in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 14.

X.1 and X.2 Condition X applies to the following reactor trip functions:

  • Pressurizer Pressure - Low; and
  • Pressurizer Water Level - High.

(continued)

Watts Bar - Unit 2 B 3.3-50 (developmental) B

RTS Instrumentation B 3.3.1 BASES ACTIONS X.1 and X.2 (continued)

(continued)

With one channel inoperable, the inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing the channel in the tripped condition when above the P-7 setpoint results in a partial trip condition requiring only one additional channel to initiate a reactor trip. These Functions do not have to be OPERABLE below the P-7 setpoint since there is insufficient heat production to generate DNB conditions below the P-7 setpoint. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the channel in the tripped condition is justified in Reference 14. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed to reduce THERMAL POWER to below P-7 if the inoperable channel cannot be restored to OPERABLE status or placed in trip within the specified Completion Time.

Allowance of this time interval takes into consideration the redundant capability provided by the remaining redundant OPERABLE channel, and the low probability of occurrence of an event during this period that may require the protection afforded by the Functions associated with Condition X.

The Required Actions have been modified by a Note that allows placing an inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The Note also allows a channel to be placed in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 14.

Y.1 and Y.2 Condition Y applies to the Turbine Trip on Stop Valve Closure. With one, two or three channels inoperable, the inoperable channels must be placed in the trip condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Since all the valves must be tripped (not fully open) in order for the reactor trip signal to be generated, it is acceptable to place more than one Turbine Stop Valve Closure channel in the trip condition. With one or more channels in the trip condition, a partial reactor trip condition exists. All of the remaining Turbine Stop Valve channels are required to actuate in order to initiate a reactor trip. If a channel cannot be restored to OPERABLE status or placed in the trip condition, then power must be reduced to below the P-9 setpoint within the next 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place an inoperable channel in the trip condition and the 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> allowed for reducing power are justified in Reference 14.

(continued)

Watts Bar - Unit 2 B 3.3-51 (developmental) A

RTS Instrumentation B 3.3.1 BASES ACTIONS Z.1 (continued)

With two RTS trains inoperable, no automatic capability is available to shutdown the reactor, and immediate plant shutdown in accordance with the LCO 3.0.3 is required.

SURVEILLANCE The SRs for each RTS Function are identified by the Surveillance REQUIREMENTS Requirements column of Table 3.3.1-1 for that Function.

A Note has been added to the SR Table stating that Table 3.3.1-1 determines which SRs apply to which RTS Functions.

Note that each channel of process protection supplies both trains of the RTS. When testing Channel I, Train A and Train B must be examined.

Similarly, Train A and Train B must be examined when testing Channel II, Channel III, and Channel IV. The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

The protection Functions associated with the EAGLE-21TM Process Protection System have an installed bypass capability, and may be tested in either the trip or bypass mode, as approved in Reference 7. When testing is performed in the bypass mode, the SSPS input relays are not operated, as justified in Reference 9. The input relays are checked during the CHANNEL CALIBRATION every 18 months.

(continued)

Watts Bar - Unit 2 B 3.3-52 (developmental) A

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.1 REQUIREMENTS (continued) Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.1.2 SR 3.3.1.2 compares the calorimetric heat balance calculation to the NIS channel output every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If the calorimetric exceeds the NIS channel output by > 2% RTP, the NIS is not declared inoperable, but must be adjusted. If the NIS channel output cannot be properly adjusted, the channel is declared inoperable.

Two Notes modify SR 3.3.1.2. The first Note indicates that the NIS channel output shall be adjusted consistent with the calorimetric results if the absolute difference between the NIS channel output and the calorimetric is > 2% RTP. The second Note clarifies that this Surveillance is required only if reactor power is > 15% RTP and that 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are inaccurate.

(continued)

Watts Bar - Unit 2 B 3.3-53 (developmental) A

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.2 (continued)

REQUIREMENTS (continued) The Frequency of every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is adequate. It is based on unit operating experience, considering instrument reliability and operating history data for instrument drift. Together these factors demonstrate the change in the absolute difference between NIS and heat balance calculated powers rarely exceeds 2% in any 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period.

In addition, control room operators periodically monitor redundant indications and alarms to detect deviations in channel outputs.

SR 3.3.1.3 SR 3.3.1.3 compares the power distribution measurement to the NIS channel AFD output every 31 EFPD. If the absolute difference is 3%,

the NIS channel is still OPERABLE, but must be readjusted. If the NIS channel cannot be properly readjusted, the channel is declared inoperable. This Surveillance is performed to verify the f(I) input to the Overtemperature T Function. The incore power distribution measurement is obtained using the OPERABLE Power Distribution Monitoring System (PDMS) (Ref. 16).

Two Notes modify SR 3.3.1.3. Note 1 indicates that the excore NIS channel shall be adjusted if the absolute difference between the incore and excore AFD is 3%. Note 2 clarifies that the Surveillance is required only if reactor power is 15% RTP and that 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> is allowed for performing the first Surveillance after reaching 15% RTP. This surveillance is typically performed at greater than or equal to 50% RTP to ensure the results of the evaluation are more accurate and the adjustments more reliable. Ninety-six (96) hours are allowed to ensure Xenon stability and allow for instrumentation alignments.

The Frequency of every 31 EFPD is adequate. It is based on unit operating experience, considering instrument reliability and operating history data for instrument drift. Also, the slow changes in neutron flux during the fuel cycle can be detected during this interval.

(continued)

Watts Bar - Unit 2 B 3.3-54 (developmental) B

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.4 REQUIREMENTS (continued) SR 3.3.1.4 is the performance of a TADOT every 62 days on a STAGGERED TEST BASIS. This test shall verify OPERABILITY by actuation of the end devices.

The RTB test shall include separate verification of the undervoltage and shunt trip mechanisms. Independent verification of RTB undervoltage and shunt trip Function is not required for the bypass breakers. No capability is provided for performing such a test at power. The bypass breaker test shall include a local shunt trip. A Note has been added to indicate that this test must be performed on the bypass breaker prior to placing it in service.

The Frequency of every 62 days on a STAGGERED TEST BASIS is justified in Reference 15.

SR 3.3.1.5 SR 3.3.1.5 is the performance of an ACTUATION LOGIC TEST. The SSPS is tested every 92 days on a STAGGERED TEST BASIS, using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection Function. The Frequency of every 92 days on a STAGGERED TEST BASIS is justified in Reference 15.

SR 3.3.1.6 SR 3.3.1.6 is a calibration of the excore channels to the incore channels.

If the measurements do not agree, the excore channels are not declared inoperable but must be calibrated to agree with the incore power distribution measurement(s). If the excore channels cannot be adjusted, the channels are declared inoperable. This Surveillance is performed to verify the f(I) input to the Overtemperature T Function. The incore power distribution measurement(s) are obtained using the OPERABLE Power Distribution Monitoring System (PDMS) (Ref. 16).

A Note modifies SR 3.3.1.6. The Note states that this Surveillance is required only if reactor power is > 50% RTP, and that 6 days is allowed for performing the first surveillance after reaching 50% RTP.

(continued)

Watts Bar - Unit 2 B 3.3-55 (developmental) B

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.6 (continued)

REQUIREMENTS (continued) The Frequency of 92 EFPD is adequate. It is based on industry operating experience, considering instrument reliability and operating history data for instrument drift.

SR 3.3.1.7 SR 3.3.1.7 is the performance of a COT every 184 days.

A COT is performed on each required channel to ensure the entire channel will perform the intended Function.

Setpoints must be conservative with respect to the Allowable Values specified in Table 3.3.1-1.

The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.

The "as-found" and "as-left" values must also be recorded and reviewed for consistency with the assumptions of References 6 and 7.

SR 3.3.1.7 is modified by a Note that this test shall include verification that the P-10 interlock is in the required state for the existing unit condition.

The Frequency of 184 days is justified in Reference 15, except for Function 13. The justification for Function 13 is provided in References 9 and 15.

SR 3.3.1.7 is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service.

(continued)

Watts Bar - Unit 2 B 3.3-56 (developmental) B

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.7 (continued)

REQUIREMENTS (continued) For channels determined to be OPERABLE but degraded, after returning the channel to service the channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition. The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the NTSP. Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures (field setting),

the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable.

SR 3.3.1.8 SR 3.3.1.8 is the performance of a COT as described in SR 3.3.1.7, except it is modified by two Notes. Note 1 provides a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> delay in the requirement to perform this Surveillance for source range instrumentation when entering MODE 3 from MODE 2. This Note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.1.8 is no longer required to be performed. If the unit is to be in MODE 3 with the RTBs closed for greater than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, this Surveillance must be performed within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after entry into MODE 3. Note 2 states that this test shall include verification that the P-6 interlock is in the required state for the existing unit condition. The Frequency is modified by a Note that allows this surveillance to be satisfied if it has been performed within 31 days prior to reactor startup and 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after reducing power below P-10 and P-6. The Frequency of "prior to startup" ensures this surveillance is performed prior to critical operations and applies to the source and intermediate range instrument channels. The Frequency of "Four hours after reducing power below P-10" (applicable to intermediate channels) and "Four hours after reducing power below P-6" (applicable to source range channels) allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency of every 31 days thereafter applies if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup and 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after reducing power below P-10 or P-6.

(continued)

Watts Bar - Unit 2 B 3.3-57 (developmental) B

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.8 (continued)

REQUIREMENTS (continued) The MODE of Applicability for this surveillance is < P-10 for the intermediate range channels and < P-6 for the source range channels.

Once the unit is in MODE 3, this surveillance is no longer required. If power is to be maintained < P-10 or < P-6 for more than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, then the testing required by this surveillance must be performed prior to the expiration of the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> limit. Four hours is a reasonable time to complete the required testing or place the unit in a MODE where this surveillance is no longer required. This test ensures that the NIS source and intermediate range channels are OPERABLE channels prior to taking the reactor critical and after reducing power into the applicable MODE (<

P-10 or < P-6) for periods > 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

SR 3.3.1.8 is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after returning the channel to service the performance of these channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition.

The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the NTSP. Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures (field setting), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable.

(continued)

Watts Bar - Unit 2 B 3.3-58 (developmental) B

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.9 REQUIREMENTS (continued) SR 3.3.1.9 is the performance of a TADOT and is performed every 92 days, as justified in Reference 7.

The SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to RCP undervoltage and underfrequency relays, setpoint verification requires elaborate bench calibration and is accomplished during the CHANNEL CALIBRATION.

SR 3.3.1.10 A CHANNEL CALIBRATION is performed every 18 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the Watts Bar setpoint methodology. The difference between the current "as found" values and the NTSP or previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology.

The Frequency of 18 months is based on the assumption of an 18 month calibration interval in the determination of the magnitude of sensor/transmitter drift in the setpoint methodology.

SR 3.3.1.10 is modified by a Note stating that this test shall include verification that the time constants are adjusted to the prescribed values where applicable. For channels with a trip time delay (TTD), this test shall include verification that the TTD coefficients are adjusted correctly.

(continued)

Watts Bar - Unit 2 B 3.3-59 (developmental) B

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.10 (continued)

REQUIREMENTS (continued) SR 3.3.1.10 is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after returning the channel to service the performance of these channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition.

The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the NTSP. Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures (field setting), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable.

SR 3.3.1.11 SR 3.3.1.11 is the performance of a CHANNEL CALIBRATION, as described in SR 3.3.1.10, every 18 months. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the power range neutron detectors consists of a normalization of the detectors based on a power calorimetric performed above 15% RTP. The CHANNEL CALIBRATION for the source range and intermediate range neutron detectors consists of obtaining the detector plateau or preamp discriminator curves, evaluating those curves, and comparing the curves to the manufacturer's data. This Surveillance is not required for the NIS power range detectors for entry into MODE 2 or 1, and is not required for the NIS intermediate range detectors for entry into MODE 2, because the unit must be in at least MODE 2 to perform the test for the intermediate range detectors and MODE 1 for the power range detectors.

(continued)

Watts Bar - Unit 2 B 3.3-60 (developmental) B

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.11 (continued)

REQUIREMENTS (continued) The 18-month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed on the 18-month Frequency.

SR 3.3.1.11 is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after returning the channel to service the performance of these channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition.

The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the NTSP. Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures (field setting), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable.

SR 3.3.1.12 SR 3.3.1.12 is the performance of a COT of RTS interlocks every 18 months.

The Frequency is based on the known reliability of the interlocks and the multichannel redundancy available, and has been shown to be acceptable through operating experience.

(continued)

Watts Bar - Unit 2 B 3.3-61 (developmental) B

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.13 REQUIREMENTS (continued) SR 3.3.1.13 is the performance of a TADOT of the Manual Reactor Trip, Reactor Trip from Manual SI, and the Reactor Trip from Automatic SI Input from ESFAS. This TADOT is performed every 18 months. The test shall independently verify the OPERABILITY of the undervoltage and shunt trip mechanisms for these Reactor Trip Functions for the Reactor Trip Breakers. The test shall also verify OPERABILITY of the Reactor Trip Bypass Breakers for these Functions. Independent verification of the Reactor Trip Bypass Breakers undervoltage and shunt trip mechanisms is not required.

The Frequency is based on the known reliability of the Functions and the multichannel redundancy available, and has been shown to be acceptable through operating experience.

The SR is modified by a Note that excludes verification of setpoints from the TADOT. The Functions affected have no setpoints associated with them.

SR 3.3.1.14 SR 3.3.1.14 is the performance of a TADOT of Turbine Trip Functions.

This TADOT is as described in SR 3.3.1.4, except that this test is performed prior to exceeding the P-9 interlock whenever the unit has been in Mode 3. This Surveillance is not required if it has been performed within the previous 31 days. Verification of the Trip Setpoint does not have to be performed for this Surveillance. Performance of this test will ensure that the turbine trip Function is OPERABLE prior to exceeding the P-9 interlock.

SR 3.3.1.15 SR 3.3.1.15 verifies that the individual channel/train actuation response times are less than or equal to the maximum values assumed in the accident analysis. Response time testing acceptance criteria are included in Technical Requirements Manual, Section 3.3.1 (Ref. 8).

Individual component response times are not modeled in the analyses.

The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the equipment reaches the required functional state (i.e.,

control and shutdown rods fully inserted in the reactor core).

(continued)

Watts Bar - Unit 2 B 3.3-62 (developmental) A

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE For channels that include dynamic transfer Functions (e.g., lag, lead/lag, REQUIREMENTS rate/lag, etc.), the response time test may be performed with the transfer (continued) Function set to one, with the resulting measured response time compared to the appropriate FSAR response time. Alternately, the response time test can be performed with the time constants set to their nominal value, provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of sequential tests such that the entire response time is measured.

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g. vendor) test measurements, or (3) utilizing vendor engineering specifications.

WCAP-13632-P-A Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements (Reference 11), provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.

WCAP-14036-P-A, Revision 1, Elimination of Periodic Protection Channel Response Time Tests (Reference 12), provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time. The allocations for sensor, signal conditioning and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter.

(continued)

Watts Bar - Unit 2 B 3.3-63 (developmental) A

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.15 (continued)

REQUIREMENTS (continued) As appropriate, each channel's response must be verified every 18 months on a STAGGERED TEST BASIS. Testing of the final actuation devices is included in the testing. Response times cannot be determined during unit operation because equipment operation is required to measure response times. Experience has shown that these components usually pass this surveillance when performed at the 18-month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

SR 3.3.1.15 is modified by a Note stating that neutron detectors are excluded from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.

REFERENCES 1. Watts Bar FSAR, Section 6.0, "Engineered Safety Features."

2. Watts Bar FSAR, Section 7.0, "Instrumentation and Controls."
3. Watts Bar FSAR, Section 15.0, "Accident Analysis."
4. Institute of Electrical and Electronic Engineers, IEEE-279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," April 5, 1972.
5. 10 CFR Part 50.49, "Environmental Qualifications of Electric Equipment Important to Safety for Nuclear Power Plants."
6. WCAP-17044, Rev. 0, "Setpoint Methodology for Watts Bar 2
7. WCAP-10271-P-A, Supplement 1, and Supplement 2, Rev. 1, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System," May 1986 and June 1990.
8. Watts Bar Technical Requirements Manual, Section 3.3.1, "Reactor Trip System Response Times."
9. Evaluation of the applicability of WCAP-10271-P-A, Supplement 1, and Supplement 2, Revision 1, to Watts Bar, Westinghouse Letter WAT-D-10128.

(continued)

Watts Bar - Unit 2 B 3.3-64 (developmental) B

RTS Instrumentation B 3.3.1 BASES REFERENCES 10. ISA-DS-67.04, 1982, "Setpoint for Nuclear Safety Related (continued) Instrumentation Used in Nuclear Power Plants."

11. WCAP-13632-P-A Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements, January 1996
12. WCAP-14036-P-A, Revision 1, Elimination of Periodic Protection Channel Response Time Tests, October 1998.
13. Deleted
14. WCAP-14333 P-A, Revision 1, Probablistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times, October 1998.
15. WCAP-15376-P-A, Revision 1, Risk Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times, March 2003
16. WCAP-12472-P-A, BEACON Core Monitoring and Operations Support System, August 1994 (Addendum 2, April 2002).

Watts Bar - Unit 2 B 3.3-65 (developmental) B

ESFAS Instrumentation B 3.3.2 B 3.3 INSTRUMENTATION B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation BASES BACKGROUND The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the ESFAS, as well as specifying LCOs on other reactor system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables that have significant safety functions. LSSS are defined by the regulation as Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a protective action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

The NTSP specified in Table 3.3.2-1 is a predetermined setting for a protection channel chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the NTSP accounts for uncertainties in setting the channel (e.g., calibration), uncertainties in how the channel might actually perform (e.g., repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the NTSP ensures that SLs are not exceeded. Therefore, the NTSP meets the definition of an LSSS (Ref. 2).

(continued)

Watts Bar - Unit 2 B 3.3-66 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND Technical Specifications contain values related to the OPERABILITY of (continued) equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety functions(s)." Relying solely on the NTSP to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protection channel setting during a surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protection channel with a setting that has been found to be different from the NTSP due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the NTSP and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protection channel. Therefore, the channel would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the channel within the established as-left tolerance around the NTSP to account for further drift during the next surveillance interval.

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB),
2. Fuel centerline melt shall not occur, and
3. The RCS pressure SL of 2750 psia shall not be exceeded. Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident categories are allowed a different fraction of these limits, based on probability of occurrence.

Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

(continued)

Watts Bar - Unit 2 B 3.3-67 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND The ESFAS instrumentation is segmented into three distinct but (continued) interconnected modules as identified below:

  • Field transmitters or process sensors: provide a measurable electronic signal or contact actuation based on the physical characteristics of the parameter being measured;
  • Signal processing equipment including process protection system, and field contacts: provide analog to digital conversion (Digital Protection System), signal conditioning, setpoint comparison, process algorithm actuation (Digital Protection System), compatible electrical signal output to protection system channels, and control board/control room/ miscellaneous indications; and
  • Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdown or engineered safety feature (ESF) actuation in accordance with the defined logic and based on the bistable, setpoint comparators, or contact outputs from the signal process control and protection system.

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as five, field transmitters or sensors are used to measure unit parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS).

In some cases, the same channels also provide control system inputs. To account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the NTSP and Allowable Value. The OPERABILITY of each transmitter or sensor can be evaluated when its "as found" calibration data are compared against its documented acceptance criteria.

(continued)

Watts Bar - Unit 2 B 3.3-68 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND Signal Processing Equipment (continued)

Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides analog to digital conversion (Digital Protection System), signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with NTSPs derived from Analytical Limits established by the safety analyses. These NTSPs are defined in Reference 6. If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a setpoint comparator or contact is forwarded to the SSPS for decision evaluation.

Channel separation is maintained up to and through the input bays.

However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in Reference 2.

(continued)

Watts Bar - Unit 2 B 3.3-69 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND NTSPs and Allowable Values (continued)

The Trip Setpoints are the nominal values at which the setpoint comparators or contact outputs are set. Any output is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy.

The Trip Setpoints used in the bistables, setpoint comparators, or contact outputs are based on the analytical limits stated in Reference 6. The calculation of the Nominal Trip Setpoints specified in Table 3.3.2-1 is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the NTSPs specified in Table 3.3.2-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the NTSPs including their explicit uncertainties, is provided in the Setpoint Methodology for Watts Bar Unit 2" (Ref. 6). The as-left tolerance and as-found tolerance band methodology is provided in Reference 6. The nominal Trip Setpoint entered into the comparator or contact output is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a COT.

The NTSP is the value at which the bistables are set and is the expected value to be achieved during calibration. The NTSP value is the LSSS and ensures the safety analysis limits are met for the surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" setpoint NTSP value is within the band as-left tolerance for CHANNEL CALIBRATION uncertainty allowance (i.e., +/- rack calibration and comparator setting uncertainties). The NTSP value is therefore considered a "nominal value" (i.e., expressed as a value without inequalities) for the purposes of the COT and CHANNEL CALIBRATION.

Nominal Trip Setpoints, in conjunction with the use of as-left and as-found tolerances together with the requirements of the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed.

(continued)

Watts Bar - Unit 2 B 3.3-70 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND Note that the Allowable Values listed in Table 3.3.2-1 are the least (continued) conservative value of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION, COT, or a TADOT.

Each channel can be tested on line to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements of Reference 2. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.

The NTSPs and Allowable Values listed in Table 3.3.2-1 are based on the methodology described in Reference 6, which incorporates all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each NTSP. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes.

Solid State Protection System The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result.

Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.

The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

(continued)

Watts Bar - Unit 2 B 3.3-71 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND Each SSPS train has a built in testing device that can automatically test (continued) the decision logic matrix functions and the actuation channels while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

The actuation of most ESF components is accomplished through master and slave relays. Some ESF components are actuated by relay logic.

The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay.

APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, for that accident. An ESFAS Function may be the primary actuation LCO, and signal for more than one type of accident. An ESFAS Function may also APPLICABILITY be a secondary, or backup, actuation signal for one or more other accidents. For example, Pressurizer Pressure - Low is a primary actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.

Functions such as manual initiation, not specifically credited in the accident safety analysis, are implicitly credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).

(continued)

Watts Bar - Unit 2 B 3.3-72 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE Permissive and interlock setpoints allow the blocking of trips during plant SAFETY startups, and restoration of trips when the permissive conditions are not ANALYSES, satisfied, but they are not explicitly modeled in the Safety Analyses.

LCO, and These permissives and interlocks ensure that the starting conditions are APPLICABILITY consistent with the safety analysis, before preventive or mitigating actions (continued) occur. Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy.

The LCO requires all instrumentation performing an ESFAS Function listed in Table 3.3.2-1 in the accompanying LCO, to be OPERABLE. The Allowable Value specified in Table 3.3.2-1 is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is within the as-found tolerance and is conservative with respect to the Allowable Value during the CHANNEL CALIBRATION or CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the NTSP by an amount

[greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the channel (NTSP) will ensure that a SL is not exceeded at any given point of time as long as the channel has not drifted beyond expected tolerances during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded. The degraded condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTSP (within the allowed tolerance) and evaluating the channel response. If the channel is functioning as required and expected to pass the next surveillance, then the channel can be restored to service at the completion of the surveillance.

(continued)

Watts Bar - Unit 2 B 3.3-73 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE A trip setpoint may be set more conservative than the NTSP as SAFETY necessary in response to plant conditions. However, in this case, the ANALYSES, operability of this instrument must be verified based on the field setting LCO, and and not the NTSP. Failure of any instrument renders the affected APPLICABILITY channel(s) inoperable and reduces the reliability of the affected (continued) Functions.

The LCO generally requires OPERABILITY of four or three channels in each instrumentation function and two channels in each logic and manual initiation function. The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing an ESFAS initiation. Two logic or manual initiation channels are required to ensure no single random failure disables the ESFAS.

The required channels of ESFAS instrumentation provide unit protection in the event of any of the analyzed accidents.

ESFAS protection functions are as follows:

1. Safety Injection Safety Injection (SI) provides two primary functions:
1. Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal, clad integrity, and for limiting peak clad temperature to < 2200°F); and
2. Boration to ensure recovery and maintenance of SDM (keff < 1.0).

These functions are necessary to mitigate the effects of high energy line breaks (HELBs) both inside and outside of containment. The SI signal is also used to initiate other Functions such as:

  • Phase A Isolation;
  • Containment Vent Isolation;

Watts Bar - Unit 2 B 3.3-74 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 1. Safety Injection (continued)

SAFETY ANALYSES,

  • Control room ventilation isolation; and LCO, and APPLICABILITY
  • Enabling automatic switchover of Emergency Core Cooling (continued) Systems (ECCS) suction to containment sump.

These other functions ensure:

  • Isolation of non-essential systems through containment penetrations;
  • Trip of the turbine and reactor to limit power generation;
  • Isolation of main feedwater (MFW) to limit secondary side mass losses;
  • Start of AFW to ensure secondary side cooling capability;
  • Isolation of the control room to ensure habitability; and
  • Enabling ECCS suction from the refueling water storage tank (RWST) switchover on low RWST level to ensure continued cooling via use of the containment sump.
a. Safety Injection - Manual Initiation The LCO requires one channel per train to be OPERABLE.

The operator can initiate SI at any time by using either of two switches in the control room. This action will cause actuation of all components in the same manner as any of the automatic actuation signals.

The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained in the manual ESFAS actuation circuitry to ensure the operator has manual ESFAS initiation capability.

Each channel consists of one hand switch and the interconnecting wiring to the actuation logic cabinet. Each hand switch actuates both trains. This configuration does not allow testing at power.

(continued)

Watts Bar - Unit 2 B 3.3-75 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE b. Safety Injection - Automatic Actuation Logic and Actuation SAFETY Relays

ANALYSES, LCO, and This LCO requires two trains to be OPERABLE. Actuation APPLICABILITY logic consists of all circuitry housed within the actuation (continued) subsystems, including the initiating relay contacts responsible for actuating the ESF equipment, Control Room Emergency Ventilation System (CREVS), and Auxiliary Building Gas Treatment System (ABGTS).

Manual and automatic initiation of SI must be OPERABLE in MODES 1, 2, and 3. In these MODES, there is sufficient energy in the primary and secondary systems to warrant automatic initiation of ESF systems. Manual Initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a SI, actuation is simplified by the use of the manual actuation hand switches. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation.

These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. Unit pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

c. Safety Injection - Containment Pressure - High This signal provides protection against the following accidents:
  • SLB inside containment;
  • Feed line break inside containment.

(continued)

Watts Bar - Unit 2 B 3.3-76 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE c. Safety Injection - Containment Pressure - High (continued)

SAFETY ANALYSES, Containment Pressure - High provides no input to any LCO, and control functions. Thus, three OPERABLE channels are APPLICABILITY sufficient to satisfy protective requirements with a (continued) two-out-of-three logic. The transmitters (d/p cells) and electronics are located outside of containment, inside the containment annulus, with the sensing line (high pressure side of the transmitter) located inside containment.

Thus, the high pressure Function will not experience any adverse environmental conditions and the NTSP reflects only steady state instrument uncertainties.

Containment Pressure - High must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary systems to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment.

d. Safety Injection - Pressurizer Pressure - Low This signal provides protection against the following accidents:
  • SLB;
  • Inadvertent opening of a pressurizer relief or safety valve;
  • SG Tube Rupture.

Three protection channels are necessary to satisfy the protective Function requirements.

(continued)

Watts Bar - Unit 2 B 3.3-77 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE The transmitters are located inside containment, with the SAFETY taps in the vapor space region of the pressurizer, and thus ANALYSES, possibly experiencing adverse environmental conditions LCO, and (LOCA, SLB inside containment, rod ejection). Therefore, APPLICABILITY the NTSP reflects the inclusion of both steady state and (continued) adverse environmental instrument uncertainties.

This Function must be OPERABLE in MODES 1, 2, and 3 (above P-11) to mitigate the consequences of an HELB inside containment. This signal may be manually blocked by the operator below the P-11 setpoint. Automatic SI actuation below this pressure setpoint is then performed by the Containment Pressure - High signal.

This Function is not required to be OPERABLE in MODE 3 below the P-11 setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF systems in this MODE. In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation.

(continued)

Watts Bar - Unit 2 B 3.3-78 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE e. Safety Injection - Steam Line Pressure - Low SAFETY ANALYSES, Steam Line Pressure - Low provides protection against the LCO, and following accidents:

APPLICABILITY (continued)

  • SLB;
  • Feed line break; and
  • Inadvertent opening of an SG relief or an SG safety valve.

Steam Line Pressure - Low provides no input to any control functions. Thus, three OPERABLE channels on each steam line are sufficient to satisfy the protective requirements with a two-out-of-three logic on each steam line.

Since some of the transmitters are located inside the steam valve vaults, it is possible for them to experience adverse environmental conditions during a secondary side break.

Therefore, the NTSP reflects both steady state and adverse environmental instrument uncertainties. This Function has lead/lag compensation with a lead/lag ratio of 50/5.

Steam Line Pressure - Low must be OPERABLE in MODES 1, 2, and 3 (above P-11) when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11 setpoint.

Below P-11, feed line break is not a concern. Inside Containment SLB will be terminated by automatic SI actuation via Containment Pressure - High, and outside containment SLB will be terminated by the Steam Line Pressure - Negative Rate - High signal for steam line isolation. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an accident.

(continued)

Watts Bar - Unit 2 B 3.3-79 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 2. Containment Spray SAFETY ANALYSES, Containment Spray provides one primary Function; it lowers LCO, and containment pressure and temperature after an HELB in APPLICABILITY containment.

(continued)

This function is necessary to:

  • Ensure the pressure boundary integrity of the containment structure; and
  • Limit the release of radioactive iodine to the environment in the event of a failure of the containment structure.

The containment spray actuation signal starts the containment spray pumps and aligns the discharge of the pumps to the containment spray nozzle headers in the upper levels of containment. Water is initially drawn from the RWST by the containment spray pumps. When the RWST reaches the low level setpoint, the spray pump suctions are shifted to the containment sump if continued containment spray is required. Containment spray is actuated manually or by Containment Pressure - High High.

a. Containment Spray - Manual Initiation The operator can initiate containment spray at any time from the control room by simultaneously turning two containment spray actuation switches in the same train. Because an inadvertent actuation of containment spray could have such serious consequences, two switches must be turned simultaneously to initiate containment spray. There are two sets of two switches each in the control room.

Simultaneously turning the two switches in either set will actuate containment spray in both trains in the same manner as the automatic actuation signal. Two trains of Manual Initiation switches are required to be OPERABLE to ensure no single failure disables the Manual Initiation Function.

Note that Manual Initiation of containment spray also actuates Phase B containment isolation.

(continued)

Watts Bar - Unit 2 B 3.3-80 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE b. Containment Spray - Automatic Actuation Logic and SAFETY Actuation Relays

ANALYSES, LCO, and Automatic actuation logic and actuation relays consist of the APPLICABILITY same features and operate in the same manner as (continued) described for ESFAS Function 1.b.

Manual and automatic initiation of containment spray must be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident to occur, and sufficient energy in the primary or secondary systems to pose a threat to containment integrity due to overpressure conditions.

Manual initiation is also required in MODE 4, even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a containment spray, actuation is simplified by the use of the manual actuation hand switches.

Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary and secondary systems to result in containment overpressure. In MODES 5 and 6, there is also adequate time for the operators to evaluate unit conditions and respond, to mitigate the consequences of abnormal conditions by manually starting individual components.

c. Containment Spray - Containment Pressure - High High This signal provides protection against a LOCA or a SLB inside containment. The transmitters (d/p cells) are located outside of containment, inside the containment annulus, with the sensing line (high pressure side of the transmitter) located inside containment. The transmitters and electronics are located inside the containment annulus, but outside containment, and experience more adverse environmental conditions than if they were located outside containment altogether. However, the environmental effects are less severe than if the transmitters were located inside containment. The NTSP reflects the inclusion of both steady state instrument uncertainties and slightly more adverse environmental instrument uncertainties.

(continued)

Watts Bar - Unit 2 B 3.3-81 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE c. Containment Spray - Containment Pressure - High High SAFETY (continued)

ANALYSES, LCO, and This is one of the few Functions that requires the output to APPLICABILITY energize to perform its required action. It is not desirable to (continued) have a loss of power actuate containment spray, since the consequences of an inadvertent actuation of containment spray could be serious. Note that this Function also has the inoperable channel placed in bypass rather than trip to decrease the probability of an inadvertent actuation.

This Function uses four channels in a two-out-of-four logic configuration. This arrangement exceeds the minimum redundancy requirements. Additional redundancy is warranted because this Function is energized to trip.

Containment Pressure - High High must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary sides to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to pressurize the containment and reach the Containment Pressure - High High setpoint.

3. Containment Isolation Containment Isolation provides isolation of the containment atmosphere, and all process systems that penetrate containment, from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a large break LOCA.

There are two separate Containment Isolation signals, Phase A and Phase B. Phase A isolation isolates all automatically isolable process lines, except Component Cooling System (CCS) and Essential Raw Cooling Water (ERCW) System, at a relatively low containment pressure indicative of primary or secondary system leaks. For these types of events, forced circulation cooling using the reactor coolant pumps (RCPs) and SGs is the preferred (but not required) method of decay heat removal. Since the CCS is required to support RCP operation, not isolating the CCS on the low pressure Phase A signal enhances unit safety by allowing operators to use forced RCS circulation to cool the unit. Isolating the CCS on the low pressure signal may force the use of feed and bleed cooling, which could prove more difficult to control.

(continued)

Watts Bar - Unit 2 B 3.3-82 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 3. Containment Isolation (continued)

SAFETY ANALYSES, Phase A containment isolation is actuated automatically by SI, or LCO, and manually via the automatic actuation logic. All process lines APPLICABILITY penetrating containment, with the exception of the CCS and (continued) ERCW, are isolated. CCS is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers and ERCW to air or oil coolers.

All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE 4.

Manual Phase A Containment Isolation is accomplished by either of two switches in the control room or from local panel(s). Either switch actuates both trains. Note that manual actuation of Phase A Containment Isolation also actuates Containment Vent Isolation.

The Phase B signal isolates the CCS. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or a SLB. For these events, forced circulation using the RCPs is no longer desirable. Isolating the CCS at the higher pressure does not pose a challenge to the containment boundary because the CCS is a closed loop inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the system is continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint.

Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment. Therefore, the combination of the CCS design and Phase B isolation ensures the CCS is not a potential path for radioactive release from containment.

Phase B containment isolation is actuated by Containment Pressure - High High, or manually, via the automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure - High High, a large break LOCA or SLB must have occurred and containment spray must have been actuated. RCP operation will no longer be required and CCS to the RCPs is, therefore, no longer necessary.

The RCPs can be operated with seal injection flow alone and without CCS flow to the thermal barrier heat exchanger.

(continued)

Watts Bar - Unit 2 B 3.3-83 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 3. Containment Isolation (continued)

SAFETY ANALYSES, Manual Phase B Containment Isolation is accomplished by the LCO, and same switches that actuate Containment Spray. When the two APPLICABILITY switches in either set are turned simultaneously, Phase B (continued) Containment Isolation and Containment Spray will be actuated in both trains.

a. Containment Isolation - Phase A Isolation (1) Phase A Isolation - Manual Initiation Manual Phase A Containment Isolation is actuated by either of two switches in the control room or from local panel(s). Either switch actuates both trains. Note that manual initiation of Phase A Containment Isolation also actuates Containment Vent Isolation.

(2) Phase A Isolation - Automatic Actuation Logic and Actuation Relays Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

Manual and automatic initiation of Phase A Containment Isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. Manual initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a Phase A Containment Isolation, actuation is simplified by the use of the manual actuation hand switches.

Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase A Containment Isolation.

There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.

(continued)

Watts Bar - Unit 2 B 3.3-84 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE a. Containment Isolation - Phase A Isolation (continued)

SAFETY ANALYSES, (3) Phase A Isolation - Safety Injection LCO, and APPLICABILITY Phase A Containment Isolation is also initiated by all (continued) Functions that initiate SI. The Phase A Containment Isolation requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1.

Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

b. Containment Isolation - Phase B Isolation Phase B Containment Isolation is accomplished by Manual Initiation, Automatic Actuation Logic and Actuation Relays, and by Containment Pressure channels. The Containment Pressure initiation of Phase B Containment Isolation is energized to actuate in order to minimize the potential of spurious initiations that may damage the RCPs.

(1) Phase B Isolation - Manual Initiation (2) Phase B Isolation - Automatic Actuation Logic and Actuation Relays Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

Manual and automatic initiation of Phase B Containment Isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. Manual initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a Phase B Containment Isolation, actuation is simplified by the use of the manual actuation hand switches.

Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system (continued)

Watts Bar - Unit 2 B 3.3-85 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE level manual initiation. In MODES 5 and 6, there is SAFETY insufficient energy in the primary or secondary systems to ANALYSES, pressurize the containment to require Phase B Containment LCO, and Isolation. There also is adequate time for the operator to APPLICABILITY evaluate unit (continued)

b. Containment Isolation - Phase B Isolation (continued) conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.

(3) Phase B Isolation-Containment Pressure - High High The basis for containment pressure MODE applicability is as discussed for ESFAS Function 2.c above.

4. Steam Line Isolation Isolation of the main steam lines provides protection in the event of a SLB inside or outside containment.

Rapid isolation of the steam lines will limit the steam break accident to the blowdown from one SG, at most. For a SLB upstream of the main steam isolation valves (MSIVs), inside or outside of containment, closure of the MSIVs limits the accident to the blowdown from only the affected SG. For a SLB downstream of the MSIVs, closure of the MSIVs terminates the accident as soon as the steam lines depressurize. Steam Line Isolation also mitigates the effects of a feed line break and ensures a source of steam for the turbine driven AFW pump during a feed line break.

a. Steam Line Isolation - Manual Initiation Manual initiation of Steam Line Isolation can be accomplished from the control room. There are four switches in the control room (one for each valve) which can immediately close each individual MSIV. The LCO requires one switch for each valve to be OPERABLE.

(continued)

Watts Bar - Unit 2 B 3.3-86 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE b. Steam Line Isolation - Automatic Actuation Logic and SAFETY Actuation Relays

ANALYSES, LCO, and Automatic actuation logic and actuation relays consist of the APPLICABILITY same features and operate in the same manner as (continued) described for ESFAS Function 1.b.

Manual and automatic initiation of steam line isolation must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the RCS and SGs to have a SLB or other accident. This could result in the release of significant quantities of energy and cause a cooldown of the primary system. The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is insufficient energy in the RCS and SGs to experience a SLB or other accident releasing significant quantities of energy.

c. Steam Line Isolation - Containment Pressure - High High This Function actuates closure of the MSIVs in the event of a LOCA or a SLB inside containment to maintain at least one unfaulted SG as a heatsink for the reactor, and to limit the mass and energy release to containment. The transmitters (d/p cells) are located outside containment, inside the containment annulus, with the sensing line (high pressure side of the transmitter) located inside containment.

Containment Pressure - High High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with two-out-of-three logic. However, for enhanced reliability, this Function was designed with four channels and a two-out-of-four logic. The transmitters and electronics are located inside the containment annulus, but outside containment, and experience more adverse environmental conditions than if they were located outside containment altogether. However, the environmental effects are less severe than if the transmitters were located inside containment. The NTSP reflects the inclusion of both steady state instrument uncertainties and slightly more adverse environmental instrument uncertainties.

(continued)

Watts Bar - Unit 2 B 3.3-87 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE c. Steam Line Isolation - Containment Pressure - High High SAFETY (continued)

ANALYSES, LCO, and Containment Pressure - High High must be OPERABLE in APPLICABILITY MODES 1, 2, and 3, when there is sufficient energy in the (continued) primary and secondary side to pressurize the containment following a pipe break. This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSIVs. The Steam Line Isolation Function remains OPERABLE in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is not enough energy in the primary and secondary sides to pressurize the containment to the Containment Pressure-High High setpoint.
d. Steam Line Isolation - Steam Line Pressure (1) Steam Line Pressure - Low Steam Line Pressure - Low provides closure of the MSIVs in the event of a SLB to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. This Function provides closure of the MSIVs in the event of a feed line break to ensure a supply of steam for the turbine driven AFW pump. Steam Line Pressure - Low was discussed previously under SI Function 1.e.

Steam Line Pressure - Low Function must be OPERABLE in MODES 1, 2, and 3 (above P-11), with any main steam valve open, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11 setpoint. Below P-11, an inside containment SLB will be terminated by automatic actuation via Containment Pressure - High High. Stuck valve transients and outside containment SLBs will be terminated by the Steam Line Pressure - Negative Rate - High signal for Steam Line Isolation below P-11 when SI has been manually blocked. The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closed and de-activated. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

(continued)

Watts Bar - Unit 2 B 3.3-88 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE (2) Steam Line Pressure - Negative Rate - High SAFETY ANALYSES, Steam Line Pressure - Negative Rate - High provides LCO, and closure of the MSIVs for a SLB when less than the P-11 APPLICABILITY setpoint, to maintain at least one unfaulted SG as a heat (continued) sink for the reactor, and to limit the mass and energy release to containment. When the operator manually blocks the Steam Line Pressure - Low main steam isolation signal when less than the P-11 setpoint, the Steam Line Pressure - Negative Rate - High signal is automatically enabled. Steam Line Pressure - Negative Rate - High provides no input to any control functions.

Thus, three OPERABLE channels are sufficient to satisfy requirements with a two-out-of-three logic on each steam line.

Steam Line Pressure - Negative Rate - High must be OPERABLE in MODE 3 when less than the P-11 setpoint, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). In MODES 1 and 2, and in MODE 3, when above the P-11 setpoint, this signal is automatically blocked and the Steam Line Pressure -

Low signal is automatically enabled. The Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to have a SLB or other accident that would result in a release of significant enough quantities of energy to cause a cooldown of the RCS.

While the transmitters may experience elevated ambient temperatures due to a SLB, the trip function is based on rate of change, not the absolute accuracy of the indicated steam pressure. Therefore, the NTSP reflects only steady state instrument uncertainties.

(continued)

Watts Bar - Unit 2 B 3.3-89 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 5. Turbine Trip and Feedwater Isolation SAFETY ANALYSES, The primary functions of the Turbine Trip and Feedwater Isolation LCO, and signals are to prevent damage to the turbine due to water in the APPLICABILITY steam lines, and to stop the excessive flow of feedwater into the (continued) SGs. These Functions are necessary to mitigate the effects of a high water level in the SGs, which could result in carryover of water into the steam lines and excessive cooldown of the primary system.

The SG high water level is due to excessive feedwater flows.

An additional function of the Turbine Trip and Feedwater Isolation signal is to prevent submergence of safety related equipment in the Main Steam Valve Vault (MSVV) Rooms in the event of a Main Feedwater Line Break.

This Function is actuated by SG Water Level - High High, MSVV Water Level - High, or by an SI signal. The RTS also initiates a turbine trip signal whenever a reactor trip (P-4) is generated. In the event of SI, the unit is taken off line and the turbine generator must be tripped. The MFW System is also taken out of operation, and the AFW System is automatically started.

The SI signal was discussed previously.

a. Turbine Trip and Feedwater Isolation - Actuation Logic and Actuation Relays Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.
b. Turbine Trip and Feedwater Isolation - Steam Generator Water Level-High High (P-14)

This signal provides protection against excessive feedwater flow. The ESFAS SG water level instruments provide input to the SG Water Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system (which may then require the protection function actuation) and a single failure in the other channels providing the protection function actuation. Since Watts Bar has only 3 level channels per SG, control/protection interaction is addressed by the use of a Median Signal Selector which prevents a single failure of a (continued)

Watts Bar - Unit 2 B 3.3-90 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE b. Turbine Trip and Feedwater Isolation - Steam Generator SAFETY Water Level-High High (P-14) (continued)

ANALYSES, LCO, and channel providing input to the control system requiring APPLICABILITY protection function action. That is, a single failure of a (continued) channel providing input to the control system does not result in the control system initiating a condition requiring protection function action. The Median Signal Selector performs this by not selecting the channels indicating the highest or lowest steam generator levels as input to the control system.

The Function is actuated when the level in any SG exceeds the high high setpoint, and performs the following functions:

  • Trips the MFW pumps;
  • Shuts the MFW regulating valves and the bypass feedwater regulating valves.

Since no adverse control system action may now result from a single, failed protection instrument channel, a second random protection system failure (as would otherwise be required by Reference 4) need not be considered.

The transmitters (d/p cells) are located inside containment.

However, the events that this Function protects against cannot cause a severe environment in containment.

Therefore, the NTSP reflects only steady state instrument uncertainties.

c. Turbine Trip and Feedwater Isolation - Safety Injection Turbine Trip and Feedwater Isolation is also initiated by all Functions that initiate SI. The Feedwater Isolation Function requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead Function 1, SI, is referenced for all initiating functions and requirements.

(continued)

Watts Bar - Unit 2 B 3.3-91 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE d. Turbine Trip and Feedwater Isolation - Main Steam Valve SAFETY Vault Room Water Level - High

ANALYSES, LCO, and This signal precludes submergence of equipment that is APPLICABILITY required for safe shutdown in the event of a MSVV Room (continued) flood due to a Main Feedwater line break. MSVV Room Water Level - High does not provide any control function.

Thus, three OPERABLE channels in each Valve Vault Room are sufficient to satisfy the protection requirements with a two-out-of-three logic.

The level switches which are located inside the MSVV Rooms are subjected to adverse environmental conditions during a Main Feedwater line break. The NTSP reflects both steady state and adverse environmental instrument uncertainties.

Turbine Trip and Feedwater Isolation Functions - Automatic Actuation Logic and Actuation Relays, Steam Generator Water Level - High High (P-14), and Safety Injection must be OPERABLE in MODES 1, 2, and 3 except when all MFIVs, MFRVs, and associated bypass valves are closed and de-activated or isolated by a closed manual valve when the MFW System is in operation and the turbine generator may be in operation. In MODES 4, 5, and 6, the MFW System and the turbine generator are not in service and this Function is not required to be OPERABLE.

Turbine Trip and Feedwater Isolation Function - MSVV Room Water Level - High must be OPERABLE in MODE 1 and in MODE 2 when the Turbine Driven Main Feedwater Pumps are operating. In MODE 2, due to the limited capacity of the Standby Main Feed Pump, and in MODES 3, 4, 5, and 6 a Main Feedwater Line break will not result in flooding which will submerge required safety equipment in the MSVV Rooms, therefore this Function is not required to be OPERABLE.

(continued)

Watts Bar - Unit 2 B 3.3-92 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 6. Auxiliary Feedwater SAFETY ANALYSES, The AFW System is designed to provide a secondary side heat LCO, and sink for the reactor in the event that the MFW System is not APPLICABILITY available. The system has two motor driven pumps and a turbine (continued) driven pump, making it available during normal unit operation, during a loss of AC power, a loss of MFW, and during a Feedwater System pipe break. The normal source of water for the AFW System is the condensate storage tank (CST) (non safety related).

A low suction pressure to the AFW pumps will automatically realign the pump suctions to the Essential Raw Cooling Water (ERCW)

System (safety related). The AFW System is aligned so that upon a pump start, flow is initiated to the respective SGs immediately.

a. Auxiliary Feedwater - Automatic Actuation Logic and Actuation Relays (Solid State Protection System)

Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

b. Auxiliary Feedwater - Steam Generator Water Level -

Low Low SG Water Level - Low Low provides protection against a loss of heat sink due to a feed line break outside of containment, or a loss of MFW, which results in a loss of SG water level. SG Water Level - Low Low provides input to the SG Level Control System as well as Automatic Actuation of AFW. Since Watts Bar has only 3 channels per SG, control protection interaction is addressed by the use of a Median Signal Selector as discussed in the bases for Function 5.b, "Steam Generator Water Level - High High."

With the transmitters (d/p cells) located inside containment and thus possibly experiencing adverse environmental conditions (feed line break), the SG Water Level - Low Low NTSP may not have sufficient margin to account for adverse environmental instrument uncertainties. In this case, AFW pump start will be provided by a Containment Pressure -

High SI signal.

(continued)

Watts Bar - Unit 2 B 3.3-93 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE b. Auxiliary Feedwater - Steam Generator Water Level -

SAFETY Low Low (continued)

ANALYSES, LCO, and The Steam Generator Water Level Channel Trip Time Delay APPLICABILITY (TTD) creates additional operational margin when the unit (continued) needs it most, during power escalation from low power, by allowing the operator time to recover level when the primary side load is sufficiently small to allow such action. The TTD is based on continuous monitoring of primary side power through the use of vessel T. Two time delays are calculated, based on the number of steam generators indicating less than the Low Low Level channel NTSP per Note 1 of Table 3.3.2-1. The magnitude of the delays decreases with increasing primary side power level, up to 50% RTP. Above 50% RTP there are no time delays for the Low Low Level channel trips.

The algorithm for the TTD, Ts and Tm, determines the trip delay as a function of power level (P) and four constants (A through D for Ts, E through H for Tm). An allowance for the accuracy of the Eagle-21TM time base is included in the determination of the magnitude of the constants. The magnitude of the accuracy allowance is 1%, i.e., the constant values were multiplied by 0.99 to account for this potential error.

In the event of a failure of a Steam Generator Water Level channel, the channel is placed in the trip condition as input to the Solid State Protection System and does not affect the TTD setpoint calculations for the remaining OPERABLE channels. It is then necessary for the operator to force the use of the shorter TTD time delay by adjustment of the single steam generator time delay calculation (TS) to match the multiple steam generator time delay calculation (TM) for the affected protection set, through the Man Machine Interface. Failure of the vessel T channel input (failure of more than one TH RTD or failure of both TC RTDs) affects the TTD calculation for a protection set. This results in the requirement that the operator adjust the threshold power level for zero seconds time delay from 50% RTP to 0% RTP, through the Man Machine Interface.

(continued)

Watts Bar - Unit 2 B 3.3-94 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE b. Auxiliary Feedwater - Steam Generator Water Level -

SAFETY Low Low (continued)

ANALYSES, LCO, and Refer to the Bases for the Steam Generator Water Level APPLICABILITY Low-Low Reactor Trip, B 3.3.1, for a discussion of the (continued) required MODES and normalization of the vessel T input to the TTD.
c. Auxiliary Feedwater - Safety Injection An SI signal starts the motor driven and turbine driven AFW pumps. The AFW initiation functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.
d. Auxiliary Feedwater - Loss of Offsite Power A loss of offsite power to the RCP buses will be accompanied by a loss of reactor coolant pumping power and the subsequent need for some method of decay heat removal. The loss of offsite power is detected by a voltage drop on each 6.9 kV shutdown board. Loss of power to either 6.9 kV shutdown board will start the turbine driven AFW pump to ensure that enough water is available to serve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip.

Functions 6.a through 6.d (except the loop T input to the trip time delay) must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor. SG Water Level -

Low Low in any operating SG will cause the motor driven AFW pumps to start. The system is aligned so that upon a start of the pump, water immediately begins to flow to the SGs. SG Water Level - Low Low in any two operating SGs will cause the turbine driven pump to start. These Functions do not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW actuation does not need to be OPERABLE because either AFW or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation.

(continued)

Watts Bar - Unit 2 B 3.3-95 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE e. Auxiliary Feedwater - Trip Of All Main Turbine Driven SAFETY Feedwater Pumps

ANALYSES, LCO, and A Trip of both turbine driven MFW pumps is an indication of APPLICABILITY a loss of MFW and the subsequent need for some method of (continued) decay heat and sensible heat removal to bring the reactor back to no load temperature and pressure. A turbine driven MFW pump is equipped with one pressure switch on the control oil line for the speed control system. A low pressure signal from this pressure switch indicates a trip of that pump.

A trip of both turbine driven MFW pumps starts the motor driven and turbine driven AFW pumps to ensure that enough water is available to act as the heat sink for the reactor.

This Function must be OPERABLE in MODES 1 and 2. This ensures that at least one SG is provided with water to serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident. Mode 2 applicability is when one or more turbine driven MFW pump(s) are supplying feedwater to the steam generators. In Mode 2 the AFW system pump(s) will be used for startup/shutdown conditions. During startup, a turbine driven MFW pump is placed in service along with the operating AFW System pump(s). During the process of placing the first turbine driven MFW pump in service, the anticipatory AFW auto-start channel for the non-operating turbine driven MFW pump is placed in bypass (electrical control circuit is de-energized) to prevent inadvertent AFW auto-start during rollup trip testing and overspeed trip testing. Once the operating turbine driven MFW pump has established sufficient feed flow to maintain SG level, the anticipatory AFW auto-start channel for the non-operating turbine driven MFW pump is placed in the trip condition, and the AFW pumps secured.

Under these conditions, the AFW auto start circuit will be in a half trip condition (one-out-of-two) in Mode 2 and during transitions from Mode 2 to Mode 1. If the operating turbine driven MFW pump were to trip during this time period, an AFW auto start signal would be generated causing all three AFW pumps to start. Having the requirement for auto start of the AFW pumps to be required only when one or more turbine driven MFW pumps are in service limits the potential for an overcooling transient due to inadvertent AFW actuation. Mode 1 applicability allows (continued)

Watts Bar - Unit 2 B 3.3-96 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE e. Auxiliary Feedwater - Trip Of All Main Turbine Driven SAFETY Feedwater Pumps (continued)

ANALYSES, LCO, and entry into LCO 3.3.2, Condition J to be suspended for up to APPLICABILITY 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> when placing the second turbine driven MFW pump (continued) in service or removing one of two turbine driven MFW pumps from service. This provision will reduce administrative burden on the plant. Plant safety is not compromised during this short period because the safety grade AFW auto start channels associated with steam generator low-low levels are operable. In MODES 3, 4, and 5, the RCPs and MFW pumps may be normally shut down, and thus neither pump trip is indicative of a condition requiring automatic AFW initiation.
f. Auxiliary Feedwater - Pump Suction Transfer on Suction Pressure - Low A low pressure signal in the AFW pump suction line protects the AFW pumps against a loss of the normal supply of water for the pumps, the CST. Three pressure switches are located on each motor driven AFW pump suction line from the CST. A low pressure signal sensed by two switches of a set will cause the emergency supply of water for the respective pumps to be aligned. ERCW (safety grade) is then lined up to supply the AFW pumps to ensure an adequate supply of water for the AFW System to maintain at least one of the SGs as the heat sink for reactor decay heat and sensible heat removal.

Since the detectors are located in an area not affected by HELBs or high radiation, they will not experience any adverse environmental conditions and the NTSP reflects only steady state instrument uncertainties.

These Functions must be OPERABLE in MODES 1, 2, and 3 to ensure a safety grade supply of water for the AFW System to maintain the SGs as the heat sink for the reactor. These Functions do not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink.

(continued)

Watts Bar - Unit 2 B 3.3-97 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE f. Auxiliary Feedwater - Pump Suction Transfer on Suction SAFETY Pressure - Low (continued)

ANALYSES, LCO, and In MODE 4, AFW automatic suction transfer does not need APPLICABILITY to be OPERABLE because RHR will already be in operation, (continued) or sufficient time is available to place RHR in operation, to remove decay heat.
7. Automatic Switchover to Containment Sump At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. The low head residual heat removal (RHR) pumps draw the water from the containment recirculation sump, the RHR pumps pump the water through the RHR heat exchanger, inject the water back into the RCS, and supply the cooled water to the other ECCS pumps.

Switchover from the RWST to the containment sump must occur before the RWST empties to prevent damage to the RHR pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support ESF pump suction. Furthermore, early switchover must not occur to ensure that sufficient borated water is injected from the RWST. This ensures the reactor remains shut down in the recirculation mode.

a. Automatic Switchover to Containment Sump - Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

(continued)

Watts Bar - Unit 2 B 3.3-98 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE b. Automatic Switchover to Containment Sump - Refueling SAFETY Water Storage Tank (RWST) Level - Low Coincident With ANALYSES, Safety Injection and Coincident With Containment Sump LCO, and Level - High APPLICABILITY (continued) During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low level in the RWST coincident with an SI signal provides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The RWST is equipped with four level transmitters. These transmitters provide no control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation.

Although only three channels would be sufficient, a fourth channel has been added for increased reliability.

The RWST - Low NTSP is selected to ensure switchover occurs before the RWST empties, to prevent ECCS pump damage.

This setpoint will also ensure that enough borated water is injected to maintain the reactor shut down. The limit also ensures adequate water inventory in the containment sump to provide ECCS pump suction.

The transmitters are located in an area not affected by HELBs or post accident high radiation. Thus, they will not experience any adverse environmental conditions and the NTSP reflects only steady state instrument uncertainties.

Automatic switchover occurs only if the RWST low level signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempting to take suction from an empty sump. The automatic switchover Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

(continued)

Watts Bar - Unit 2 B 3.3-99 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE b. Automatic Switchover to Containment Sump - Refueling SAFETY Water Storage Tank (RWST) Level - Low Coincident With ANALYSES, Safety Injection and Coincident With Containment Sump LCO, and Level - High (continued)

APPLICABILITY (continued) Additional protection from spurious switchover is provided by requiring a Containment Sump Level - High signal as well as RWST Level - Low and SI. This ensures sufficient water is available in containment to support the recirculation phase of the accident. A Containment Sump Level - High signal must be present, in addition to the SI signal and the RWST Level -

Low signal, to transfer the suctions of the RHR pumps to the containment sump. The containment sump is equipped with four level transmitters. These transmitters provide no control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability. The containment sump level NTSP is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit also ensures adequate water inventory in the containment sump to provide ECCS pump suction. The transmitters are located inside containment and thus possibly experience adverse environmental conditions. Therefore, the NTSP reflects the inclusion of both steady state and environmental instrument uncertainties.

These Functions must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps.

These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

(continued)

Watts Bar - Unit 2 B 3.3-100 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 8. Engineered Safety Feature Actuation System Interlocks SAFETY ANALYSES, To allow some flexibility in unit operations, several interlocks are LCO, and included as part of the ESFAS. These interlocks permit the APPLICABILITY operator to block some signals, automatically enable other signals, (continued) prevent some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.

a. Engineered Safety Feature Actuation System Interlocks -

Reactor Trip, P-4 The P-4 interlock is enabled when a reactor trip breaker (RTB) and its associated bypass breaker is open. Once the P-4 interlock is enabled, automatic SI initiation may be blocked after a 90 second time delay. This Function allows operators to take manual control of SI systems after the initial phase of injection is complete. Once SI is blocked, automatic actuation of SI cannot occur until the RTBs have been manually closed. The functions of the P-4 interlock are:

  • Isolate MFW with coincident low Tavg;
  • Prevent reactuation of SI after a manual reset of SI;
  • Transfer the steam dump from the load rejection controller to the unit trip controller; and
  • Prevent opening of the MFW isolation valves if they were closed on SI or SG Water Level - High High, or MSVV Water Level - High.

Each of the above Functions is interlocked with P-4 to avert or reduce the continued cooldown of the RCS following a reactor trip. An excessive cooldown of the RCS following a reactor trip could cause an insertion of positive reactivity with a subsequent increase in generated power.

To avoid such a situation, the noted Functions have been interlocked with P-4 as part of the design of the unit control and protection system.

(continued)

Watts Bar - Unit 2 B 3.3-101 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE a. Engineered Safety Feature Actuation System Interlocks -

SAFETY Reactor Trip, P-4 (continued)

ANALYSES, LCO, and None of the noted Functions serves a mitigation function in APPLICABILITY the unit licensing basis safety analyses. Only the turbine trip (continued) Function is explicitly assumed since it is an immediate consequence of the reactor trip Function. Neither turbine trip, nor any of the other four Functions associated with the reactor trip signal, is required to show that the unit licensing basis safety analysis acceptance criteria are not exceeded.

The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with which to associate a NTSP and Allowable Value.

This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality.

This Function does not have to be OPERABLE in MODE 4, 5, or 6 because the main turbine, the MFW System, and the Steam Dump System are not in operation.

b. Engineered Safety Feature Actuation System Interlocks -

Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI or main steam line isolation. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure -

Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure - Low steam line isolation signal (previously discussed). When the Steam Line Pressure -

Low SI and Steam Line Isolation signals are manually blocked, the Steam Line Pressure Negative Rate - High is automatically enabled. With two out of three pressurizer pressure channels > P-11 setpoint, the Pressurizer Pressure

- Low and Steam Line Pressure - Low SI Steam Line Isolation signals are automatically enabled, and Steam Line Pressure Negative Rate - High is automatically blocked. The NTSP reflects only steady state instrument uncertainties.

(continued)

Watts Bar - Unit 2 B 3.3-102 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES (continued)

APPLICABLE b. Engineered Safety Feature Actuation System Interlocks -

SAFETY Pressurizer Pressure, P-11 (continued)

ANALYSES, LCO, and This Function must be OPERABLE in MODES 1, 2, and 3 to APPLICABILITY allow an orderly cooldown and depressurization of the unit (continued) without the actuation of SI or main steam isolation. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves to be met.

The ESFAS instrumentation satisfies Criterion 3 of the NRC Policy Statement.

ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.2-1.

In the event a channel's NTSP is found nonconservative with respect to the Allowable Value, or the channel is not functioning as required, or the transmitter, instrument loop, signal processing electronics, setpoint comparator output, contact output, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected.

When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

When the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.

(continued)

Watts Bar - Unit 2 B 3.3-103 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES ACTIONS A.1 (continued)

Condition A applies to all ESFAS protection functions.

Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions B.1, B.2.1 and B.2.2 Condition B applies to manual initiation of:

  • Phase A Isolation; and
  • Phase B Isolation.

This action addresses the train orientation of the SSPS for the functions listed above. If a channel or train is inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed to return it to an OPERABLE status. Note that for containment spray and Phase B isolation, failure of one or both channels in one train renders the train inoperable. Condition B, therefore, encompasses both situations.

The specified Completion Time is reasonable considering that there are two automatic actuation trains and another manual initiation train OPERABLE for each Function, and the low probability of an event occurring during this interval. If the train cannot be restored to OPERABLE status, the plant must be placed in a MODE in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> total time) and in MODE 5 within an additional 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> (84 hours9.722222e-4 days <br />0.0233 hours <br />1.388889e-4 weeks <br />3.1962e-5 months <br /> total time). The allowable Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. The allowance of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is justified in Reference 7.

(continued)

Watts Bar - Unit 2 B 3.3-104 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES ACTIONS C.1, C.2.1 and C.2.2 (continued)

Condition C applies to the automatic actuation logic and actuation relays for the following functions:

  • Phase A Isolation;
  • Phase B Isolation; and
  • Automatic Switchover to Containment Sump.

This action addresses the train orientation of the SSPS and the master and slave relays. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed for restoring the inoperable train to OPERABLE status are justified in Reference 17. The specified Completion Time is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be restored to OPERABLE status, the plant must be placed in a MODE in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> total time) and in MODE 5 within an additional 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> (60 hours6.944444e-4 days <br />0.0167 hours <br />9.920635e-5 weeks <br />2.283e-5 months <br /> total time). The Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing, provided the other train is OPERABLE. This allowance is based on the reliability analysis assumption of WCAP-10271-P-A (Ref. 7) that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform train surveillance.

(continued)

Watts Bar - Unit 2 B 3.3-105 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES ACTIONS D.1, D.2.1, and D.2.2 (continued)

Condition D applies to:

  • Containment Pressure - High;
  • Pressurizer Pressure - Low;
  • Steam Line Pressure - Low; and
  • Steam Line Pressure - Negative Rate - High.

If one channel is inoperable, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are allowed to restore the channel to OPERABLE status or to place it in the tripped condition. Generally this Condition applies to functions that operate on two-out-of-three logic.

Therefore, failure of one channel places the Function in a two-out-of-two configuration. One channel must be tripped to place the Function in a one-out-of-three configuration that satisfies redundancy requirements.

The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to restore the channel to OPERABLE status or to place it in the tripped condition are justified in Reference 17.

Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requires the plant be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

In MODE 4, these functions are no longer required OPERABLE.

The Required Actions have been modified by a Note that allows placing an inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of other channels. The Note also allows a channel to be placed in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for testing are justified in Reference 17.

(continued)

Watts Bar - Unit 2 B 3.3-106 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES ACTIONS E.1, E.2.1, and E.2.2 (continued)

Condition E applies to:

  • Steam Line Isolation - Containment Pressure - High High; and
  • Containment Phase B Isolation - Containment Pressure - High High.

None of these signals has input to a control function. Thus, two-out-of-three logic is necessary to meet acceptable protective requirements. However, a two-out-of-three design would require tripping a failed channel. This is undesirable because a single failure would then cause spurious containment spray initiation. Spurious spray actuation is undesirable because of the cleanup problems presented. Therefore, these channels are designed with two-out-of-four logic so that a failed channel may be bypassed rather than tripped. Note that one channel may be bypassed and still satisfy the single failure criterion. Furthermore, with one channel bypassed, a single instrumentation channel failure will not spuriously initiate containment spray.

To avoid the inadvertent actuation of containment spray and Phase B containment isolation, the inoperable channel should not be placed in the tripped condition. Instead it is bypassed. Restoring the channel to OPERABLE status, or placing the inoperable channel in the bypass condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, is sufficient to assure that the Function remains OPERABLE and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The Completion Time is further justified based on the low probability of an event occurring during this interval. Failure to restore the inoperable channel to OPERABLE status, or place it in the bypassed condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, requires the plant be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. In MODE 4, these Functions are no longer required OPERABLE.

The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. The channel to be tested can be tested in bypass with the inoperable channel also in bypass. The time limit is justified in Reference 17.

(continued)

Watts Bar - Unit 2 B 3.3-107 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES ACTIONS F.1, F.2.1, and F.2.2 (continued)

Condition F applies to:

  • Manual Initiation of Steam Line Isolation;
  • Loss of Offsite Power;

Low; and

  • P-4 Interlock.

For the Manual Initiation and the P-4 Interlock Functions, this action addresses the train orientation of the SSPS. For the Loss of Offsite Power Function, this action recognizes the lack of manual trip provision for a failed channel. For the AFW System pump suction transfer channels, this action recognizes that placing a failed channel in trip during operation is not necessarily a conservative action. Spurious trip of this function could align the AFW System to a source that is not immediately capable of supporting pump suction. If a train or channel is inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed to return it to OPERABLE status. The specified Completion Time is reasonable considering the nature of these Functions, the available redundancy, and the low probability of an event occurring during this interval. If the Function cannot be returned to OPERABLE status, the plant must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power in an orderly manner and without challenging plant systems. In MODE 4, the plant does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.

(continued)

Watts Bar - Unit 2 B 3.3-108 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES ACTIONS G.1, G.2.1 and G.2.2 (continued)

Condition G applies to the automatic actuation logic and actuation relays for the Steam Line Isolation and AFW actuation Functions.

The action addresses the train orientation of the SSPS and the master and slave relays for these functions. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed for restoring the channel to OPERABLE status or to place it in the tripped condition are justified in Reference 17. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be returned to OPERABLE status, the plant must be brought to MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. Placing the plant in MODE 4 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the plant does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.

The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref. 7) assumption that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform channel surveillance.

(continued)

Watts Bar - Unit 2 B 3.3-109 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES ACTIONS H.1, H.2.1 and H.2.2 (Continued)

Condition H applies to the automatic actuation logic and actuation relays for the Turbine Trip and Feedwater Isolation Function.

This action addresses the train orientation of the SSPS and the master and slave relays for this Function. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status or the plant must be placed in MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in MODE 4 in the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed for restoring the channel to OPERABLE status or to place it in the tripped condition are justified in Reference 17. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. The allowed Completion Times are reasonable, based on operating experience, to reach MODE 4 from full power conditions in an orderly manner and without challenging plant systems. These Functions are no longer required in MODE 4. Placing the plant in MODE 4 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the plant does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.

The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref. 7) assumption that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform channel surveillance.

I.1, I.2.1 and I.2.2 Condition I applies to SG Water Level - High High (P-14).

If one channel is inoperable, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are allowed to restore one channel to OPERABLE status or to place it in the tripped condition. If placed in the tripped condition, the Function is then in a partial trip condition where one-out-of-two logic will result in actuation. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to restore the channel to OPERABLE status or to place it in the tripped condition are justified in Reference 17. Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requires the plant to be placed in MODE 3 in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in MODE 4 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach MODE 4 from full power conditions in an orderly manner and without challenging plant (continued)

Watts Bar - Unit 2 B 3.3-110 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES ACTIONS I.1, I.2.1 and I.2.2 (Continued)

(Continued) systems. In MODE 4, these Functions are no longer required OPERABLE.

The Required Actions have been modified by a Note that allows placing an inoperable channel in bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of other channels. The Note also allows a channel to be placed in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for testing are justified by Reference 17.

J.1 and J.2 Condition J applies to the AFW pump start on trip of all turbine driven MFW pumps.

The OPERABILITY of the AFW System must be assured by allowing automatic start of the AFW System pumps. If a channel is inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> are allowed to return it to an OPERABLE status. If the function cannot be returned to an OPERABLE status, 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> are allowed to place the plant in MODE 3. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. In MODE 3, the plant does not have any analyzed transients or conditions that require the explicit use of the protection function noted above. The allowance of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to return the train to an OPERABLE status is justified in Reference 7.

MODE 1 applicability allows entry into LCO 3.3.2, Condition J to be suspended for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> when placing the second turbine driven MFW pump in service or removing one of the two turbine driven MFW pumps from service.

K.1, K.2.1 and K.2.2 Condition K applies to RWST Level - Low Coincident with Safety Injection and Coincident with Containment Sump Level - High.

RWST Level - Low Coincident With SI and Coincident With Containment Sump Level - High provides actuation of switchover to the containment sump. Note that this Function requires the comparators to energize to perform their required action. The failure of up to two channels will not prevent the operation of this Function.

(continued)

Watts Bar - Unit 2 B 3.3-111 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES ACTIONS K.1, K.2.1 and K.2.2 (continued)

(Continued)

However, placing a failed channel in the tripped condition could result in a premature switchover to the sump, prior to the injection of the minimum volume from the RWST. Placing the inoperable channel in bypass results in a two-out-of-three logic configuration, which satisfies the requirement to allow another failure without disabling actuation of the switchover when required.

Restoring the channel to OPERABLE status or placing the inoperable channel in the bypass condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is sufficient to ensure that the Function remains OPERABLE, and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is justified in References 10, 17, and 19. If the channel cannot be returned to OPERABLE status or placed in the bypass condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the plant must be brought to MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. In MODE 5, the plant does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.

The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. The channel to be tested can be tested in bypass with the inoperable channel also in bypass. The time limit is justified in Reference 17.

L.1, L.2.1 and L.2.2 Condition L applies to the P-11 Interlock.

With one channel inoperable, the operator must verify that the interlock is in the required state for the existing unit condition. This action manually accomplishes the function of the interlock. Determination must be made within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is equal to the time allowed by LCO 3.0.3 to initiate shutdown actions in the event of a complete loss of ESFAS function. If the interlock is not in the required state (or placed in the required state) for the existing plant condition, the plant must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

(continued)

Watts Bar - Unit 2 B 3.3-112 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES ACTIONS L.1, L.2.1 and L.2.2 (continued)

(Continued)

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

Placing the plant in MODE 4 removes all requirements for OPERABILITY of these interlocks.

M.1.1, M.1.2 and M.2 Condition M is applicable to the SG Water Level Low-Low Function.

A known channel inoperable, must be restored to OPERABLE status, or placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing the channel in the tripped condition results in a partial trip condition requiring only one-out-of-two logic for actuation of the two-out-of-three trip. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to restore the channel to OPERABLE status or to place it in the tripped condition are justified in Reference 17.

If a channel fails, it is placed in the tripped condition and does not affect the TTD setpoint calculations for the remaining OPERABLE channels. It is then necessary for the operator to force the use of the shorter TTD Time Delay by adjustment of the single SG time delay calculation (TS) to match the multiple SG time delay calculation (TM) for the affected protection set, through the Man-Machine Interface.

If the inoperable channel cannot be restored or placed in the tripped condition within the specified Completion Time, the plant must be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to place the plant in MODE 3 from MODE 1 full power conditions in an orderly manner and without challenging plant systems.

The Required Actions have been modified by a Note that allows placing an inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of other channels. The Note also allows a channel to be placed in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 17.

(continued)

Watts Bar - Unit 2 B 3.3-113 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES ACTIONS N.1 and N.2 (Continued)

Condition N applies to Vessel T equivalent to Power Function.

Failure of the vessel T channel input (failure of more than one TH RTD or failure of both TC RTDs) will affect the TTD calculation for a protection set.

This results in the requirement that the operator adjust the threshold power level for zero seconds time delay from 50% RTP to 0% RTP, through the Man-Machine Interface. If the inoperable channel cannot be restored or the threshold power level for zero seconds time delay adjusted within the specified Completion Time, the plant must be placed in a MODE where this Function is not required to be OPERABLE. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed to place the plant in MODE 3. Six hours is a reasonable time based on operating experience, to place the plant in MODE 3 from MODE 1 full power conditions in an orderly manner and without challenging plant systems.

The Required Actions have been modified by a Note that allows placing an inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The Note also allows a channel to be placed in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 17.

O.1 and O.2 Condition O applies to the North or South MSVV Room Water Level -

High function.

If one channel is inoperable, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are allowed to restore that channel to OPERABLE status or place it in the tripped condition. If placed in the tripped condition, the Function is then in a partial trip condition where one-out-of-two logic will result in actuation. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition are justified in References 10 and 17.

Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requires the plant to be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. In MODE 3, these functions are no longer required OPERABLE.

(continued)

Watts Bar - Unit 2 B 3.3-114 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES (continued)

ACTIONS O.1 and O.2 (continued)

(continued)

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in References 10 and 17.

The SRs for each ESFAS Function are identified by the Surveillance Requirements column of Table 3.3.2-1.

A Note has been added to the SR Table to clarify that Table 3.3.2-1 determines which SRs apply to which ESFAS Functions.

Note that each channel of process protection supplies both trains of the ESFAS. When testing channel I, train A and train B must be examined.

Similarly, train A and train B must be examined when testing channel II, channel III, and channel IV. The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

The protection Functions associated with the EAGLE-21TM Process Protection System have an installed bypass capability, and may be tested in either the trip or bypass mode, as approved in Reference 7. When testing is performed in the bypass mode, the SSPS input relays are not operated, as justified in Reference 10. The input relays are checked during the CHANNEL CALIBRATION every 18 months.

SURVEILLANCE SR 3.3.2.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

(continued)

Watts Bar - Unit 2 B 3.3-115 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.1 (continued)

REQUIREMENTS (continued) Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and reliability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.2.2 SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST. The SSPS is tested every 92 days on a STAGGERED TEST BASIS, using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. In addition, the master relay coil is pulse tested for continuity. This verifies that the logic modules are OPERABLE and that there is an intact voltage signal path to the master relay coils. The Frequency of every 92 days on a STAGGERED TEST BASIS is justified in Reference 18.

SR 3.3.2.3 SR 3.3.2.3 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. This test is performed every 92 days on a STAGGERED TEST BASIS. The Frequency of 92 days is justified in Reference 18.

SR 3.3.2.4 SR 3.3.2.4 is the performance of a COT.

A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Setpoints must be found within the Allowable Values specified in Table 3.3.2-1.

(continued)

Watts Bar - Unit 2 B 3.3-116 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.4 (continued)

REQUIREMENTS (continued) The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.

The "as found" and "as left" values must also be recorded and reviewed for consistency with the assumptions of Reference 6.

The Frequency of 184 days is justified in Reference 18, except for Function 7. The Frequency for Function 7 is justified in References 10 and 18.

SR 3.3.2.4 is modified by two Notes as identified in Table 3.3.2-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after returning the channel to service the performance of these channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition. The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the NTSP. Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures (field setting), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable.

(continued)

Watts Bar - Unit 2 B 3.3-117 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.5 REQUIREMENTS (continued) SR 3.3.2.5 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation MODE is either allowed to function, or is placed in a condition where the relay contact operation can be verified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation MODE is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay.

This test is performed every 92 days. The Frequency is adequate, based on industry operating experience, considering instrument reliability and operating history data.

For ESFAS slave relays which are Westinghouse type AR or Potter &

Brumfield MDR series relays, the SLAVE RELAY TEST is performed every 18 months. The frequency is based on the relay reliability assessments presented in References 13 and 22. These reliability assessments are relay specific and apply only to Westinghouse type AR and Potter & Brumfield MDR series relays with AC coils. Note that, for normally energized applications, the relays may require periodic replacement in accordance with the guidance given in References 13 and 22.

This SR is modified by a Note, which states that performance of this test is not required for those relays tested by SR 3.3.2.7.

SR 3.3.2.6 SR 3.3.2.6 is the performance of a TADOT every 92 days. This test is a check of the Turbine Trip and Feedwater Isolation - Main Steam Valve Vault Rooms Water Level - High (Functions 5.d and 5.e), and AFW Pump Suction Transfer on Suction Pressure - Low (Function 6.f).

The SR is modified by a Note that excludes verification of setpoints for relays. Relay setpoints require elaborate bench calibration and are verified during CHANNEL CALIBRATION. The Frequency is adequate. It is based on industry operating experience, considering instrument reliability and operating history data.

(continued)

Watts Bar - Unit 2 B 3.3-118 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.7 REQUIREMENTS (continued) SR 3.3.2.7 is the performance of a SLAVE RELAY TEST for slave relays K603A, K603B, K604A, K604B, K607A, K607B, K609A, K609B, K612A, K625A, and K625B. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is verified in one of two ways. Actuation equipment which may be operated in the design mitigation MODE is either allowed to function or is placed in a condition where the relay contact operation can be verified without operation of the equipment.

Actuation equipment which may not be operated in the design mitigation MODE is prevented from operation by the slave relay test circuit.

For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay. This test is performed every 18 months. The Frequency is justified by TVA correspondence to the NRC dated November 9, 1984 (Ref. 9) and Design Change Notice W-38238-A associated documentation (Reference 12), and for relays K607A, K607B, and K612A, Westinghouse letter to TVA (Ref. 11).

SR 3.3.2.8 SR 3.3.2.8 is the performance of a TADOT. This test is a check of the Manual Actuation Functions and AFW pump start on trip of all MFW pumps. It is performed every 18 months. The Frequency is based on industry operating experience and is consistent with the typical refueling cycle. The SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation functions. The manual initiation functions have no associated setpoints.

SR 3.3.2.9 SR 3.3.2.9 is the performance of a CHANNEL CALIBRATION.

A CHANNEL CALIBRATION is performed every 18 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the Watts Bar setpoint methodology. The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology.

(continued)

Watts Bar - Unit 2 B 3.3-119 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.9 (continued)

REQUIREMENTS The Frequency of 18 months is based on the assumption of an 18 month calibration interval in the determination of the magnitude of sensor/transmitter drift in the setpoint methodology.

This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values where applicable. For channels with a trip time delay (TTD), this test shall include verification that the TTD coefficients are adjusted correctly.

SR 3.3.2.9 is modified by two Notes as identified in Table 3.3.2-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.

Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after returning the channel to service the performance of these channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition. The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the NTSP. Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures (field setting), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable.

SR 3.3.2.10 This SR ensures the individual channel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis.

Response Time testing acceptance criteria are included in Technical Requirements Manual, Section 3.3.2 (Ref. 8). Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the NTSP value at the sensor, to the point at which the (continued)

Watts Bar - Unit 2 B 3.3-120 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.10 (continued)

REQUIREMENTS equipment in both trains reaches the required functional state (e.g.,

pumps at rated discharge pressure, valves in full open or closed position).

For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one with the resulting measured response time compared to the appropriate FSAR response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of sequential tests such that the entire response time is measured.

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from:

(1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements (Reference 15), provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.

WCAP-14036-P-A, Revision 1, Elimination of Periodic Protection Channel Response Time Tests (Reference 16), provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time. The allocations for sensor, signal conditioning and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter.

(continued)

Watts Bar - Unit 2 B 3.3-121 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE ESF RESPONSE TIME tests are conducted on an 18 month REQUIREMENTS STAGGERED TEST BASIS. Testing of the final actuation devices, which (continued) make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel.

Therefore, staggered testing results in response time verification of these devices every 18 months. The 18 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions are established. This deferral is required because there may be insufficient steam pressure to perform the test.

SR 3.3.2.11 SR 3.3.2.11 is the performance of a TADOT as described in SR 3.3.2.8, except that it is performed for the P-4 Reactor Trip Interlock, and the Frequency is once per RTB cycle. This Frequency is based on operating experience demonstrating that undetected failure of the P-4 interlock sometimes occurs when the RTB is cycled.

The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Function tested has no associated setpoint.

REFERENCES 1. Watts Bar FSAR, Section 6.0, "Engineered Safety Features."

2. Watts Bar FSAR, Section 7.0, "Instrumentation and Controls."
3. Watts Bar FSAR, Section 15.0, "Accident Analyses."
4. Institute of Electrical and Electronic Engineers, IEEE-279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," April 5, 1972.
5. Code of Federal Regulations, Title 10, Part 50.49, "Environmental Qualification of Electrical Equipment Important to Safety for Nuclear Power Plants."

(continued)

Watts Bar - Unit 2 B 3.3-122 (developmental) A

ESFAS Instrumentation B 3.3.2 BASES REFERENCES 6. WCAP-17044, Rev. 0, "Setpoint Methodology for Watts Bar Unit 2, (continued)

7. WCAP-10271-P-A, Supplement 1 and Supplement 2, Rev. 1, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System," and "Evaluation of Surveillance Frequencies and Out of Service Times for the Engineered Safety Features Actuation System." May 1986 and June 1990.
8. Watts Bar Technical Requirements Manual, Section 3.3.2, "Engineered Safety Feature Response Times."
9. TVA Letter to NRC, November 9, 1984, "Request for Exemption of Quarterly Slave Relay Testing, (L44 841109 808)."
10. Evaluation of the applicability of WCAP-10271-P-A, Supplement 1, and Supplement 2, Revision 1, to Watts Bar, Westinghouse letter to TVA WAT-D-10128.
11. Westinghouse letter to TVA (WAT-D-8347), September 25, 1990, "Charging/Letdown Isolation Transients" (T33 911231 810).
12. Unit 1 Design Change Notice W-38238 and Unit 2 Engineering Document Construction Release 53352 and associated documentation.
13. WCAP-13877-P-A, Revision 2, Reliability Assessment of Westinghouse Type AR Relays Used As SSPS Slave Relays.
14. Not Applicable for Unit 2
15. WCAP-13632-P-A Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements, January 1996.
16. WCAP-14036-P-A, Revision 1, Elimination of Periodic Protection Channel Response Time Tests, October 1998.
17. WCAP-14333-P-A, Revision 1, Probablistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times, October 1998 (continued)

Watts Bar - Unit 2 B 3.3-123 (developmental) B

ESFAS Instrumentation B 3.3.2 BASES REFERENCES 18. WCAP-15376-P-A, Revision 1, Risk-Informed Assessment of the (continued) RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times, March 2003

19. Westinghouse letter to TVA, WAT-D-11248, Revised Justification for Applicability of Instrumentation Technical Specification Improvements to the Automatic Switchover to Containment Sump Signal, June 2004.
20. Letter from John G. Lamb (NRC) to Mr. Preston D. Swafford (TVA) dated March 4, 2009, Includes Enclosures (a) Amendment No. 75 to Facility Operating License No. NPF-90 for Watts Bar Nuclear Plant, Unit 1 and (b) NRC Safety Evaluation (SE) for Amendment No. 75.
21. Regulatory Guide 1.105, "Setpoints for Safety Related Instrumentation," Revision 3.
22. WCAP-13878-P-A, Revision 2, Reliability Assessment of Potter &

Brumfield MDR Series Relays.

Watts Bar - Unit 2 B 3.3-124 (developmental) B

PAM Instrumentation B 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Post Accident Monitoring (PAM) Instrumentation BASES BACKGROUND The primary purpose of the PAM instrumentation is to display unit variables that provide information required by the control room operators during accident situations.

The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information available on selected unit parameters to monitor and to assess unit status and behavior following an accident.

The availability of accident monitoring instrumentation is important so that responses to corrective actions can be observed and the need for, and magnitude of, further actions can be determined. These essential instruments are identified by unit specific documents (Ref. 1) addressing the recommendations of Regulatory Guide 1.97 (Ref. 2) as required by Supplement 1 to NUREG-0737 (Ref. 3).

The instrument channels required to be OPERABLE by this LCO include two classifications of parameters (variable Type and Category) identified during unit specific implementation of Regulatory Guide 1.97. These instrument channels are Types A, B, C, D, and E Category 1 variables.

Type A variables are included in this LCO because they provide the primary information required for the control room operator to identify events and take specific manually-controlled actions required by the emergency instructions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for Design Basis Accidents (DBAs). Those Type A variables listed in Table 3.3.3-1 are Category 1 variables.

Types B, C, D, and E (non-Type A) Category 1 variables are the key variables deemed risk significant because they are needed to:

  • Type B - Determine whether other systems important to safety are performing their intended functions;
  • Type C - Provide information to the operators that will enable them to determine the likelihood of a gross breach of the barriers to radioactivity release; (continued)

Watts Bar - Unit 2 B 3.3-125 (developmental) A

PAM Instrumentation B 3.3.3 BASES BACKGROUND

  • Type D - Provide information to indicate the operation of individual (continued) safety systems and other plant systems. These variables are to help the operator make appropriate decisions in using the individual systems in mitigating the consequences of an accident; and
  • Type E - Provide information regarding the release of radioactive materials to allow for early indication of the need to initiate action necessary to protect the public, and to estimate the magnitude of any impending threat.

These key variables are identified by the unit specific Regulatory Guide 1.97 analyses (Ref. 1). These analyses identify the unit specific Type A and Category 1 variables and provide justification for deviating from the NRC proposed list of Category 1 variables.

The specific instrument Functions listed in Table 3.3.3-1 are discussed in the LCO section.

APPLICABLE The PAM instrumentation ensures the operability of Regulatory SAFETY Guide 1.97 Types A, B, C, D, and E Category 1 variables so that the ANALYSES control room operating staff can:

  • Perform the diagnoses specified in the emergency operating procedures for identifying events and taking pre-planned manual actions for the primary success path of DBAs (e.g., loss of coolant accident (LOCA));
  • Take the specified, pre-planned, manually controlled actions for which no automatic control is provided and that are required for safety systems to accomplish their safety function;
  • Monitor performance of individual safety systems;
  • Determine whether systems important to safety are performing their intended functions;
  • Determine the likelihood of a gross breach of the barriers to radioactivity release;
  • Determine if a gross breach of a barrier has occurred; and
  • Initiate action necessary to protect the public, to estimate the magnitude of any impending threat, and monitor the magnitude of any releases.

(continued)

Watts Bar - Unit 2 B 3.3-126 (developmental) A

PAM Instrumentation B 3.3.3 BASES APPLICABLE PAM instrumentation that meets the definition of Type A in Regulatory SAFETY Guide 1.97 satisfies Criterion 3 of the NRC Policy Statement.

ANALYSES Non-Type A Category 1 instrumentation must be retained in TS because (continued) it is intended to assist operators in minimizing the consequences of accidents. Therefore, Non-Type A Category 1 variables are important for reducing public risk.

LCO The PAM Instrumentation LCO provides OPERABILITY requirements for Regulatory Guide 1.97 Type A monitors, which provide information required by the control room operators to identify events and perform certain manual actions specified in the unit Emergency Operating Procedures. These manual actions ensure that a system can accomplish its safety function, and are credited in the safety analyses. Additionally, this LCO addresses Regulatory Guide 1.97 instruments that have been designated Non-Type A Category 1.

The OPERABILITY of the PAM instrumentation ensures there is sufficient information available on selected unit parameters to monitor and assess unit status following an accident. This capability is consistent with the recommendations of Reference 1.

LCO 3.3.3 requires two OPERABLE channels for most Functions. Two OPERABLE channels ensure no single failure prevents operators from getting the information necessary for them to determine the safety status of the unit, and to bring the unit to and maintain it in a safe condition following an accident.

Furthermore, OPERABILITY of two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information. More than two channels are required for some Functions because failure of one accident monitoring channel results in information ambiguity (that is, the redundant displays disagree) that could lead operators to defeat or fail to accomplish a required safety function.

One exception to the two channel requirement is Containment Isolation Valve (CIV) Position. In this case, the important information is the status of the containment penetrations. The LCO requires one position indicator for each active CIV. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of a passive valve, or via system boundary status. For example, if a normally active CIV is known to be closed and deactivated, position indication is not needed to determine status.

Therefore, the position indication for valves in this state is not required to be OPERABLE.

(continued)

Watts Bar - Unit 2 B 3.3-127 (developmental) A

PAM Instrumentation B 3.3.3 BASES LCO Another exception to the two channel requirement is RCS hot and cold (continued) leg temperature. One channel is sufficient because the loop temperatures are normally similar in value, and there is other adequate instrumentation to verify abnormal readings in one channel.

A third exception is the steam generator water level (wide range). One channel is sufficient because the wide range levels are back up measurements for the auxiliary feedwater flow (two channels).

A fourth exception is AFW valve position. This is acceptable since verification of adequate AFW flow and SG level ensures that the AFW valves are in the correct position.

Table 3.3.3-1 provides a list of all Category 1 variables. All Category 1 variables are normally required to meet Regulatory Guide 1.97 Category 1 (Ref. 2) design and qualification requirements for seismic and environmental qualification, single failure criterion, utilization of emergency standby power, immediately accessible display, continuous readout, and recording of display.

Listed below are discussions of the specified instrument Functions listed in Table 3.3.3-1.

1, 2. Intermediate Range Neutron Flux and Source Range Neutron Flux Intermediate Range Neutron Flux and Source Range Neutron Flux indication is provided to verify reactor shutdown. The two ranges are necessary to cover the full range of flux that may occur post accident.

The Intermediate Range Neutron Flux indication is a non-Type A, Category 1 variable.

Neutron flux is used for accident diagnosis, verification of subcriticality, and diagnosis of positive reactivity insertion.

Two Notes modify the APPLICABILITY of the Intermediate Range Neutron Flux indication to recognize that the Intermediate Range Neutron Flux channels is not required OPERABLE above the P-10 (Power Range Neutron Flux) interlock when in MODE 1 and below the P-6 (Intermediate Range Neutron Flux) interlock.

A Note modifies the APPLICABILITY of the Source Range Neutron Flux indication to recognize that the Source Range Neutron Flux channel is not required OPERABLE above the P-6 (Intermediate Range Neutron Flux) interlock.

(continued)

Watts Bar - Unit 2 B 3.3-128 (developmental) A

PAM Instrumentation B 3.3.3 BASES LCO 3, 4. Reactor Coolant System (RCS) Hot and Cold Leg Temperatures (continued)

RCS Hot (T-Hot) and Cold (T-Cold) Leg Temperatures are Category 1 variables provided for verification of natural circulation and core cooling and long term surveillance.

RCS hot leg temperature is also used as an input to determine RCS subcooling margin. RCS subcooling margin and/or reactor vessel water level is used to make decisions to terminate Safety Injection (SI), if still in progress, or to re-initiate SI if it has been stopped. RCS subcooling margin is also used for unit stabilization and cooldown control.

In addition, RCS cold leg temperature is used in conjunction with RCS hot leg temperature to verify the unit conditions necessary to establish natural circulation in the RCS and verify adequate core cooling. The T-Hot and T-Cold channels provide indication over a range of 50°F to 700°F.

5. Reactor Coolant System Pressure (Wide Range)

RCS wide range pressure is a Category 1 variable provided for event identification, verification of core cooling and RCS integrity long term surveillance.

Wide-range RCS loop pressure is measured by 3 channels of pressure transmitters with a span of 0 - 3000 psig. Control room indications are provided by panel meters.

RCS pressure is used to verify delivery of SI flow to RCS from at least one train when the RCS pressure is below the pump shutoff head. RCS pressure is also used to verify closure of manually closed spray line valves and pressurizer power operated relief valves (PORVs).

In addition to these verifications, RCS pressure is used for determining RCS subcooling margin. RCS subcooling margin will allow termination of SI, if still in progress, or re-initiation of SI if it has been stopped. RCS subcooling margin is also used for unit stabilization and cooldown control.

RCS pressure can also be used:

  • to determine whether to terminate actuated SI or to re-initiate stopped SI;

Watts Bar - Unit 2 B 3.3-129 (developmental) A

PAM Instrumentation B 3.3.3 BASES LCO 5. Reactor Coolant System Pressure (Wide Range) (continued)

  • to make a determination on the nature of the accident in progress and where to go next in the procedure.

RCS pressure is also related to three decisions about depressurization.

They are:

  • to determine whether to proceed with primary system depressurization;
  • to verify termination of depressurization; and
  • to determine whether to close accumulator isolation valves during a controlled cooldown/depressurization.

A final use of RCS pressure is to determine whether to operate the pressurizer heaters.

RCS pressure is a Type A variable because the operator uses this indication to identify events and to monitor the cooldown of the RCS following a steam generator tube rupture (SGTR) or small break LOCA.

Operator actions to maintain a controlled cooldown, such as adjusting steam generator (SG) pressure or level, would use this indication.

6. Reactor Vessel Water Level Reactor Vessel Water Level, a non-Type A, Category 1 variable, is provided for verification and long term surveillance of core cooling. It is also used for accident diagnosis and to determine reactor coolant inventory adequacy.

The Reactor Vessel Level Instrumentation System (RVLIS) provides a direct measurement of the liquid level above the bottom of the reactor vessel up to the top of the reactor vessel. Indication is in percent of this distance (i.e., the reactor vessel bottom is 0% and the vessel top is 100%). It also has a dynamic range vessel liquid content (% LIQ) normalized from 20% to 100%. Normalization corrects the transmitted level information for the RCP operational configuration so that the accurate dynamic % LIQ is indicated regardless of the pattern of pumps running or the fluid density. Control room indications are provided through the Common Q PAMS flat panel display. The Common Q PAMS flat panel display is the primary indication used by the operator during an accident.

(continued)

Watts Bar - Unit 2 B 3.3-130 (developmental) B

PAM Instrumentation B 3.3.3 BASES LCO 7. Containment Sump Water Level (Wide Range)

(continued)

Containment Sump Water Level is provided for event identification, and verification and long term surveillance of RCS integrity.

Containment Sump Water Level is used to:

  • Verify water source for recirculation mode of ECCS operation after a LOCA.
  • Determine whether high energy line rupture has occurred inside or outside containment.
8. Containment Lower Compartment Atmospheric Temperature The lower compartment temperature monitors will verify the temperatures in the lower compartment after an accident with display in the main control room. The monitoring system consists of two channels with range 0°F to 350°F.
9. Containment Pressure (Wide Range)

Containment Pressure (Wide Range), a non-Type A Category 1 variable, is provided for verification of RCS and containment OPERABILITY.

Containment Pressure (Wide Range) instrumentation consists of two recorded trains on separate power supplies with a range of -5 psig to

+60 psig.

Containment pressure wide range is used to monitor the post accident containment pressure up to the rupture pressure of containment to indicate potential containment breach.

10. Containment Pressure (Narrow Range)

Containment Pressure (Narrow Range) is provided to determine margin to containment design pressure. The narrow range monitors are also used in event identification to monitor containment conditions following a break inside containment and to verify if the accident is being properly controlled. The narrow range instrumentation has a range of -2 psig to

+15 psig.

(continued)

Watts Bar - Unit 2 B 3.3-131 (developmental) A

PAM Instrumentation B 3.3.3 BASES LCO 11. Containment Isolation Valve Position (continued)

CIV Position, a non-Type A Category 1 variable, is provided for verification of Containment OPERABILITY, and verification of isolation after receipt of Phase A and/or Phase B isolation signals.

When used to verify valve closure for Phase A and/or Phase B isolation, the important information is the isolation status of the containment penetrations. The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active CIV in a containment penetration flow path, i.e., two total channels of CIV position indication for a penetration flow path with two active valves. For containment penetrations with only one active CIV having control room indication, Note (i) from Table 3.3.3-1 requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve, as applicable and prior knowledge of a passive valve, or via system boundary status. If a normally active CIV is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE.

A Note to the Required Channels states that the Function is not required for isolation valves whose associated penetration is isolated by at least one closed and deactivated automatic valve, closed manual valve, blind flange, pressure relief valve, or check valve with flow through the valve secured.

12. Containment Radiation (High Range)

Containment Radiation is provided to monitor for the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans.

Containment radiation level is also used to determine if a loss of reactor coolant or secondary coolant has occurred.

(continued)

Watts Bar - Unit 2 B 3.3-132 (developmental) A

PAM Instrumentation B 3.3.3 BASES LCO 13. RCS Pressurizer Level (continued)

Pressurizer Level is one factor used to determine whether to terminate SI, if still in progress, or to re-initiate SI if it has been stopped. Knowledge of pressurizer water level is also used to verify the unit conditions necessary to establish natural circulation in the RCS and to verify that the unit is maintained in a safe shutdown condition.

Pressurizer Level instrumentation consists of the three differential pressure transmitters and associated instrumentation used to measure pressurizer level. The channels provide indication over the entire distance between taps.

14, 15. Steam Generator Water Level (Wide Range and Narrow Range)

SG Water Level is provided to monitor operation of decay heat removal via the SGs. The non-Type A Category 1 indication of SG level is the wide range level instrumentation.

Temperature compensation of wide range SG level indication is performed manually by the operator. The indication is cold calibrated.

The uncompensated level signal is input to the plant computer for control room indications, and is used for diverse indication of AFW flow.

Narrow range steam generator level is used to make a determination on the nature of the accident in progress, e.g., verify a steam generator tube rupture. SG level (Narrow Range) is also used to help identify the ruptured steam generator following a tube rupture and verify that the intact steam generators are an adequate heat sink for the reactor.

Narrow range steam generator water level is used when verifying plant conditions for termination of SI during secondary plant high energy line breaks outside containment.

(continued)

Watts Bar - Unit 2 B 3.3-133 (developmental) B

PAM Instrumentation B 3.3.3 BASES LCO 16. AFW Valve Status (continued)

The status of each AFW swap over to Essential Raw Cooling Water (ERCW) valve is monitored with non-Type A Category 1 indication in the control room. Indication on each valve for fully open or fully closed position is provided. AFW valve status is monitored to give verification to the operator that automatic transfer to ERCW has taken place.

17, 18, 19, 20. Core Exit Temperature Core Exit Temperature is provided for verification and long term surveillance of core cooling.

Core exit thermocouples, in conjunction with RCS wide range temperatures, are sufficient to provide indication of radial distribution of the coolant enthalpy rise across representative sections of the core. Core Exit Temperature is used to support determination of whether to terminate SI, if still in progress, or to re-initiate SI if it has been stopped. Core Exit Temperature is also used for unit stabilization and cooldown control.

The Common Q Post Accident Monitoring (PAM) System is used to monitor the core exit thermocouples. There are two isolated systems, with each system monitoring at least four thermocouples per quadrant.

The flat panel display gives the representative value, the high quadrant value, and the individual values.

Two OPERABLE channels are required in each quadrant to provide adequate indication of coolant temperature rise in representative regions of the core. Two isolated channels of two thermocouples each ensure a single failure will not disable the ability to identify significant temperature gradients.

(continued)

Watts Bar - Unit 2 B 3.3-134 (developmental) B

PAM Instrumentation B 3.3.3 BASES LCO 21. Auxiliary Feedwater Flow (continued)

AFW Flow is provided to monitor operation of decay heat removal via the SGs.

Redundant monitoring capability is provided by two independent trains of instrumentation for each SG. Each differential pressure transmitter provides an input to a control room indicator. Since the primary indication used by the operator during an accident is the control room indicator, the PAM specification deals specifically with this portion of the instrument channel.

AFW flow is used three ways:

  • to verify AFW flow to the SGs;
  • to determine whether to terminate SI if still in progress, in conjunction with SG water level (narrow range); and
  • to regulate AFW flow so that the SG tubes remain covered.
22. Reactor Coolant System Subcooling Margin Monitor The RCS subcooling margin monitor is used to determine the temperature margin to saturation of the primary coolant. Control room indications are provided through the Common Q PAMS flat panel display and digital panel meters. The Common Q PAMS flat panel display is the primary indication used by the operator during an accident.
23. Refueling Water Storage Tank Level RWST water level is used to verify the water source availability to the ECCS and Containment Spray (CS) Systems. It alerts the operator to manually switch the CS suction from the RWST to the containment sump.

It may also provide an indication of time for initiating cold leg recirculation from the sump following a LOCA.

(continued)

Watts Bar - Unit 2 B 3.3-135 (developmental) B

PAM Instrumentation B 3.3.3 BASES LCO 24. Steam Generator Pressure (continued)

Steam pressure is used to determine if a high energy secondary line rupture has occurred and the availability of the steam generators as a heat sink. It is also used to verify that a faulted steam generator is isolated. Steam pressure may be used to ensure proper cooldown rates or to provide a diverse indication for natural circulation cooldown.

25. Auxiliary Building Passive Sump Level Auxiliary Building Passive Sump Level, a non-Type A Category 1 variable, monitors the sump level in the auxiliary building. The two functions of this indication are to monitor for a major breach of the spent fuel pit and to monitor for an RCS breach in the auxiliary building (i.e., an RHR or CVCS line break). The purpose is to verify that radioactive water does not leak to the auxiliary building. The Auxiliary Building Passive Sump Level monitor consists of two channels on separate power supply. One channel is recorded. The calibrated range of the two monitors is 12.5" to 72.5".

APPLICABILITY The PAM instrumentation LCO is applicable as shown in Table 3.3.3-1.

These variables are related to the diagnosis and pre-planned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES 1, 2, and 3. In MODES 4, 5, and 6, unit conditions are such that the likelihood of an event that would require PAM instrumentation is low; therefore, the PAM instrumentation is not required to be OPERABLE in these MODES.

ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.3-1. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

(continued)

Watts Bar - Unit 2 B 3.3-136 (developmental) B

PAM Instrumentation B 3.3.3 BASES ACTIONS A.1 (continued)

Condition A applies when one or more Functions have one required channel that is inoperable. Required Action A.1 requires restoring the inoperable channel to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channel (or in the case of a Function that has only one required channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval.

Condition A is modified by a Note that excludes single channel Functions 3, 4, 14, and 16.

B.1 Condition B applies when the Required Action and associated Completion Time for Condition A are not met. This Required Action specifies initiation of actions in Specification 5.9.8, "PAMS Report," which requires a written report to be submitted to the NRC immediately. This report discusses the results of the root cause evaluation of the inoperability and identifies proposed restorative actions. This action is appropriate in lieu of a shutdown requirement since alternative actions are identified before loss of functional capability, and given the likelihood of unit conditions that would require information provided by this instrumentation.

C.1 Condition C applies when one or more Functions have two inoperable required channels (i.e., two channels inoperable in the same Function).

Condition C also applies to single channel Functions 3, 4, 14, and 16 when the one required channel is inoperable. Required Action C.1 requires restoring one channel in the Function(s) to OPERABLE status within 7 days.

The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function or the single required channel inoperable in the single channel Functions is not acceptable because the alternate indications may not fully meet all performance (continued)

Watts Bar - Unit 2 B 3.3-137 (developmental) B

PAM Instrumentation B 3.3.3 BASES ACTIONS C.1 (continued) qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.

D.1 Condition D applies when the Required Action and associated Completion Time of Condition C are not met. Required Action D.1 requires entering the appropriate Condition referenced in Table 3.3.3-1 for the channel immediately. The applicable Condition referenced in the Table is Function dependent. Each time an inoperable channel has not met any Required Action of Condition C, and the associated Completion Time has expired, Condition D is entered for that channel and provides for transfer to the appropriate subsequent Condition.

E.1 and E.2 If the Required Action and associated Completion Time of Condition D are not met and Table 3.3.3-1 directs entry into Condition E, the plant must be brought to a MODE where the requirements of this LCO do not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

F.1 Alternate means may be temporarily installed for monitoring reactor vessel water level and Containment Area Radiation if the normal PAM channel cannot be restored to OPERABLE status within the allotted time.

Alternate means would be developed and tested prior to use. If these alternate means are used, the Required Action is not to shut down the unit but rather to follow the directions of Specification 5.9.8, in the Administrative Controls section of the TS. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.

(continued)

Watts Bar - Unit 2 B 3.3-138 (developmental) B

PAM Instrumentation B 3.3.3 BASES SURVEILLANCE A Note has been added to the SR Table to clarify that SR 3.3.3.1 and REQUIREMENTS SR 3.3.3.3 apply to each PAM instrumentation Function in Table 3.3.3-1.

SR 3.3.3.1 Performance of the CHANNEL CHECK once every 31 days ensures that a gross instrumentation failure has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The high radiation instrumentation should be compared to similar unit instruments located throughout the unit.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE.

As specified in the SR, a CHANNEL CHECK is only required for those channels that are normally energized.

The Frequency of 31 days is based on operating experience that demonstrates that channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

(continued)

Watts Bar - Unit 2 B 3.3-139 (developmental) A

PAM Instrumentation B 3.3.3 BASES SURVEILLANCE SR 3.3.3.2 REQUIREMENTS A CHANNEL CALIBRATION is performed every 18 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter with the necessary range and accuracy. This SR is modified by two Notes.

Note 1 excludes neutron detectors. The calibration method for neutron detectors is specified in the Bases of LCO 3.3.1, "Reactor Trip System (RTS) Instrumentation." Note 2 indicates that Functions 11 and 16 (valve position indicators) are excluded from the CHANNEL CALIBRATION. The Frequency is based on operating experience and consistency with the typical industry refueling cycle.

SR 3.3.3.3 SR 3.3.3.3 is the performance of a TADOT. This test is performed every 18 months. The test checks operation of the containment isolation valve position indicators and AFW valve position indicators. The Frequency is based on the known reliability of the indicators and has been shown to be acceptable through operating experience.

This SR has been modified by two Notes. Note 1 excludes verification of setpoints for the valve position indicators. Note 2 indicates that this SR is only applicable to Functions 11 and 16, which are the only Functions with valve position indicators.

REFERENCES 1. NUREG-0847, Safety Evaluation Report, Supplement Number 9, June 16, 1992, Section 7.5.2, "Post Accident Monitoring System."

2. Regulatory Guide 1.97, Revision 2, December 1980, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident."
3. NUREG-0737, "Clarification of TMI Action Plan Requirements,"

Supplement 1, January 1983.

Watts Bar - Unit 2 B 3.3-140 (developmental) B

Remote Shutdown System B 3.3.4 B 3.3 INSTRUMENTATION B 3.3.4 Remote Shutdown System BASES BACKGROUND The Remote Shutdown System provides the control room operator with sufficient instrumentation and controls to place and maintain the unit in a safe shutdown condition from a location other than the control room. This capability is necessary to protect against the possibility that the control room becomes inaccessible. A safe shutdown condition is defined as MODE 3. With the unit in MODE 3, the Auxiliary Feedwater (AFW)

System and the steam generator (SG) safety valves or the SG atmospheric dump valves (ADVs) can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the AFW System and the ability to borate the Reactor Coolant System (RCS) from outside the control room allows extended operation in MODE 3.

If the control room becomes inaccessible, the operators can establish control in the auxiliary control room, and place and maintain the unit in MODE 3. Not all controls and necessary transfer switches are located in the auxiliary control room. Some controls and transfer switches will have to be operated locally at the switchgear, motor control panels, or other local stations. Some instrumentation serves a dual purpose in providing information to the operator. This instrumentation includes the pressurizer pressure indicator, which can be used to indicate pressurizer pressure and RCS wide range pressure, and the SG pressure indicators, which can be used to indicate SG pressure and SG Tsat. Additionally, controls for the RCS PORVs can be used for both RCS pressure and inventory control. The unit automatically reaches MODE 3 following a unit shutdown and can be maintained safely in MODE 3 for an extended period of time.

The OPERABILITY of the remote shutdown control and instrumentation functions ensures there is sufficient information available on selected unit parameters to place and maintain the unit in MODE 3 should the control room become inaccessible. Should it be necessary to go to MODE 4 or MODE 5, decay heat removal via the Residual Heat Removal (RHR)

System is available to support the transition.

(continued)

Watts Bar - Unit 2 B 3.3-141 (developmental) A

Remote Shutdown System B 3.3.4 BASES (continued)

APPLICABLE The Remote Shutdown System is required to provide equipment at SAFETY appropriate locations outside the control room with a capability to ANALYSES promptly shut down and maintain the unit in a safe condition in MODE 3.

The criteria governing the design and specific system requirements of the Remote Shutdown System are located in 10 CFR 50, Appendix A, GDC 19 (Ref. 1).

The Remote Shutdown System is considered an important contributor to the reduction of unit risk to accidents and as such it has been retained in the Technical Specifications as indicated in the NRC Policy Statement.

LCO The Remote Shutdown System LCO provides the OPERABILITY requirements of the instrumentation and controls necessary to place and maintain the unit in MODE 3 from a location other than the control room.

The instrumentation and controls typically required are listed in Table 3.3.4-1 in the accompanying LCO.

The controls, instrumentation, and transfer switches are required for:

  • Core reactivity control (initial and long term);
  • RCS pressure control;
  • RCS inventory control via charging and letdown flow;
  • Safety support systems though not specifically listed in Table 3.3.4-1, for the above Functions, including service water, component cooling water, reactor containment fan cooler units, auxiliary control air compressors, and onsite power, including the diesel generators are required as discussed in FSAR Section 7.4 (Reference 2).

(continued)

Watts Bar - Unit 2 B 3.3-142 (developmental) A

Remote Shutdown System B 3.3.4 BASES LCO A Function of a Remote Shutdown System is OPERABLE if all instrument (continued) and control channels needed to support the Remote Shutdown System Function are OPERABLE. References 3 and 4 provide additional information on required equipment. In some cases, Table 3.3.4-1 may indicate that the required information or control capability is available from several alternate sources. In these cases, the Function is OPERABLE as long as one channel of any of the alternate information or control sources is OPERABLE.

The remote shutdown instrument and control circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure the instruments and control circuits will be OPERABLE if unit conditions require that the Remote Shutdown System be placed in operation.

APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1, 2, and 3.

This is required so that the unit can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room.

This LCO is not applicable in MODE 4, 5, or 6. In these MODES, the facility is already subcritical and in a condition of reduced RCS energy.

Under these conditions, considerable time is available to restore necessary instrument control functions if control room instruments or controls become unavailable.

ACTIONS A Note has been added to the ACTIONS to clarify the application of Completion Time rules. Separate Condition entry is allowed for each Function listed on Table 3.3.4-1.

The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 Condition A addresses the situation where one or more required Functions of the Remote Shutdown System are inoperable. This includes any Function listed in Table 3.3.4-1, as well as the control and transfer switches.

(continued)

Watts Bar - Unit 2 B 3.3-143 (developmental) A

Remote Shutdown System B 3.3.4 BASES ACTIONS A.1 (continued)

The Required Action is to restore the required Function to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.

B.1 and B.2 If the Required Action and associated Completion Time of Condition A is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.3.4.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

As specified in the Surveillance, a CHANNEL CHECK is only required for those channels which are normally energized.

(continued)

Watts Bar - Unit 2 B 3.3-144 (developmental) A

Remote Shutdown System B 3.3.4 BASES SURVEILLANCE SR 3.3.4.1 (continued)

REQUIREMENTS The Frequency of 31 days is based upon operating experience which demonstrates that channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.4.2 SR 3.3.4.2 verifies each required Remote Shutdown System control circuit and transfer switch performs the intended function. This verification is performed from the auxiliary control room and locally, as appropriate. Operation of the equipment from the remote shutdown panel is not necessary. The Surveillance can be satisfied by performance of a continuity check. This will ensure that if the control room becomes inaccessible, the plant can be placed and maintained in MODE 3 from the auxiliary control room and the local control stations. The 18-month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. However, this Surveillance is not required to be performed only during a unit outage. Operating experience demonstrates that remote shutdown control channels usually pass the Surveillance test when performed at the 18-month Frequency.

SR 3.3.4.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

The Frequency of 18 months is based upon operating experience and consistency with the typical industry refueling cycle.

SR 3.3.4.4 SR 3.3.4.4 is the performance of a TADOT every 18 months. This test should verify the OPERABILITY of the reactor trip breakers (RTBs) open and closed indication on the remote shutdown panel, by actuating the RTBs. The Frequency is based upon operating experience and consistency with the typical industry refueling outage.

(continued)

Watts Bar - Unit 2 B 3.3-145 (developmental) A

Remote Shutdown System B 3.3.4 BASES (continued)

REFERENCES 1. Title 10, Code of Federal Regulations, Part 50, Appendix A, "General Design Criteria 19, "Control Room."

2. Watts Bar FSAR Section 7.4, "Systems Required for Safe Shutdown."
3. TVA Calculation WBN-OSG4-193, "Auxiliary Control System Required Equipment per GDC 19."
4. Design Criteria WB-DC-40-58, "Auxiliary Control System."

Watts Bar - Unit 2 B 3.3-146 (developmental) A

LOP DG Start Instrumentation B 3.3.5 B 3.3 INSTRUMENTATION B 3.3.5 Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation BASES BACKGROUND The DGs provide a source of emergency power when offsite power is either unavailable or is insufficiently stable to allow safe unit operation.

Undervoltage protection will generate an LOP start if a loss of voltage or degraded voltage condition occurs in the switchyard. There are four LOP start signals, one for each 6.9 kV shutdown board.

Three degraded voltage relays (one per phase) are provided on each 6.9 kV Shutdown Board for detecting a sustained undervoltage condition.

The relays are combined in a two-out-of-three logic configuration to generate a supply breaker trip signal if the voltage is below 96% for 10 seconds (nominal). Additionally, three undervoltage relays (one per phase) are provided on each 6.9 kV Shutdown Board for the purpose of detecting a loss of voltage condition. These relays are combined in a two-out-of-three logic to generate a supply breaker trip signal if the voltage is below 87% for 0.75 seconds (nominal).

Once the supply breakers have been opened, either one of two induction disk type relays, which have a voltage setpoint of 70% of 6.9 kV (nominal, decreasing) and an internal time delay of 0.5 seconds (nominal) at zero volts, will start the diesel generators. Four additional induction disk type relays, in a logic configuration of one-of-two taken twice which have a voltage setpoint of 70% of 6.9 kV (nominal, decreasing) and an internal time delay of 3 seconds (nominal), at zero volts, will initiate load shedding of the 6.9 kV shutdown board loads and selected loads on the 480 V shutdown boards and close the 480 V shutdown boards' current limiting reactor bypass breaker. The LOP start actuation is described in FSAR Section 8.3, "Onsite (Standby) Power System" (Ref. 1).

Trip Setpoints and Allowable Values The Trip Setpoints used in the relays and timers are based on the analytical limits presented in TVA calculations (References 3, 5, and 6). The selection of these Trip Setpoints is such that adequate protection is provided when all sensor and time delays are taken into account.

(continued)

Watts Bar - Unit 2 B 3.3-147 (developmental) A

LOP DG Start Instrumentation B 3.3.5 BASES BACKGROUND Trip Setpoints and Allowable Values (continued)

The actual nominal Trip Setpoint entered into the relays is more conservative than that required by the Allowable Value. If the measured setpoint does not exceed the Allowable Value, the relay is considered OPERABLE.

Setpoints adjusted in accordance with the Allowable Value ensure that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the accident and that the equipment functions as designed.

Allowable Values are specified for each Function in Table 3.3.5-1. Nominal Trip Setpoints are also specified in the unit specific setpoint calculations.

The nominal setpoints are selected to ensure that the setpoint measured by the surveillance procedure does not exceed the Allowable Value if the relay is performing as required. If the measured setpoint does not exceed the Allowable Value, the relay is considered OPERABLE. Operation with a Trip Setpoint less conservative than the nominal Trip Setpoint, but within the Allowable Value, is acceptable provided that operation and testing is consistent with the assumptions of the unit specific setpoint calculation.

Each Allowable Value specified is more conservative than the analytical limit assumed in the transient and accident analyses in order to account for instrument uncertainties appropriate to the trip function. These uncertainties are defined in Reference 3.

APPLICABLE The LOP DG start instrumentation is required for the Engineered Safety SAFETY Features (ESF) Systems to function in any accident with a loss of offsite ANALYSES power. Its design basis is that of the ESF Actuation System (ESFAS).

Accident analyses credit the loading of the DG based on the loss of offsite power during a loss of coolant accident (LOCA). The actual DG start has historically been associated with the ESFAS actuation. The DG loading has been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power.

The analyses assume a non-mechanistic DG loading, which does not explicitly account for each individual component of loss of power detection and subsequent actions.

The channels of LOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents discussed in Reference 2, in which a loss of offsite power is assumed.

(continued)

Watts Bar - Unit 2 B 3.3-148 (developmental) A

LOP DG Start Instrumentation B 3.3.5 BASES APPLICABLE The delay times assumed in the safety analysis for the ESF equipment SAFETY include the 10 second DG start delay, and the appropriate sequencing ANALYSES delay, if applicable. The response times for ESFAS actuated equipment in (continued) LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS)

Instrumentation," include the appropriate DG loading and sequencing delay.

The LOP DG start instrumentation channels satisfy Criterion 3 of the NRC Policy Statement.

LCO The LCO for LOP DG Start Instrumentation requires that the loss of voltage, degraded voltage, load shed, and DG Start Functions shall be OPERABLE in MODES 1, 2, 3, and 4 when the LOP DG Start Instrumentation supports safety systems associated with the ESFAS. In MODES 5 and 6, the Functions must be OPERABLE whenever the associated DG is required to be OPERABLE to ensure that the automatic start of the DG is available when needed. Loss of the LOP DG Start Instrumentation Function could result in the delay of safety systems initiation when required. This could lead to unacceptable consequences during accidents. During the loss of offsite power the DG powers the motor driven auxiliary feedwater pumps. Failure of these pumps to start would leave only one turbine driven pump, as well as an increased potential for a loss of decay heat removal through the secondary system.

APPLICABILITY The LOP DG Start Instrumentation Functions are required in MODES 1, 2, 3, and 4 because ESF Functions are designed to provide protection in these MODES. Actuation in MODE 5 or 6 is required whenever the required DG must be OPERABLE so that it can perform its function on an LOP or a degraded voltage condition on the 6.9 kV Shutdown Board.

ACTIONS In the event a channel's Trip Setpoint is found nonconservative with respect to the Allowable Value, or the channel is found inoperable, then the Function that channel provides must be declared inoperable and the LCO Condition entered for the particular protection Function affected.

Because the required channels are specified on a per bus basis, the Condition may be entered separately for each bus as appropriate.

(continued)

Watts Bar - Unit 2 B 3.3-149 (developmental) A

LOP DG Start Instrumentation B 3.3.5 BASES ACTIONS A Note has been added in the ACTIONS to clarify the application of (continued) Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in the LCO. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 Condition A applies to the LOP DG start Function with one channel per bus inoperable.

If one channel is inoperable, Required Action A.1 requires the channel to be restored to OPERABLE status within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The specified Completion Time is reasonable considering the Function remains fully OPERABLE on every bus and the low probability of an event occurring during these intervals.

A Note has been added to Required Action A.1 to direct entry into the applicable Conditions and Required Actions of LCO 3.3.2, "ESFAS Instrumentation," for inoperable Auxiliary Feedwater start instrumentation.

The load shed relays required by this LCO also generate the start signal for the LOP start of the turbine driven auxiliary feedwater pump required in LCO 3.3.2. The Required Actions of LCO 3.3.2 are entered in addition to the requirements of this LCO.

B.1 Condition B applies when more than one channel on a single bus is inoperable.

Required Action B.1 requires restoring all but one channel to OPERABLE status. The 1-hour Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring during this interval.

(continued)

Watts Bar - Unit 2 B 3.3-150 (developmental) A

LOP DG Start Instrumentation B 3.3.5 BASES ACTIONS C.1 (continued)

Condition C applies to each of the LOP DG start Functions when the Required Action and associated Completion Time for Condition A or B are not met.

In these circumstances the Conditions specified in LCO 3.8.1, "AC Sources

- Operating," or LCO 3.8.2, "AC Sources - Shutdown," for the DG made inoperable by failure of the LOP DG start instrumentation are required to be entered immediately. The actions of those LCOs provide for adequate compensatory actions to assure unit safety.

SURVEILLANCE A Note has been added to refer to Table 3.3.5-1 to determine which REQUIREMENTS Surveillance Requirements apply for each LOP Function.

SR 3.3.5.1 SR 3.3.5.1 is the performance of a TADOT. This test is performed every 92 days. The test checks operation of the undervoltage and degraded voltage relays that provide actuation signals. There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology. The Frequency is based on the known reliability of the relays and timers and the redundancy available, and has been shown to be acceptable through operating experience.

This SR has been modified by a Note that excludes verification of setpoints for relays/timers. Relay/timer setpoints require elaborate bench calibration and are verified during a CHANNEL CALIBRATION.

SR 3.3.5.2 SR 3.3.5.2 is the performance of a CHANNEL CALIBRATION.

The setpoints, as well as the response to a loss of voltage and a degraded voltage test, shall include a single point verification that the trip occurs within the required time delay, as shown in Reference 1.

(continued)

Watts Bar - Unit 2 B 3.3-151 (developmental) B

LOP DG Start Instrumentation B 3.3.5 BASES SURVEILLANCE SR 3.3.5.2 (continued)

REQUIREMENTS A CHANNEL CALIBRATION is performed every 6 months. CHANNEL CALIBRATION is a check of the four functions. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology.

The Frequency of 6 months is based on operating experience and is justified by the assumption of a 6-month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.5.3 SR 3.3.5.3 is the performance of a CHANNEL CALIBRATION.

The setpoints, as well as the response to a loss of voltage and a degraded voltage test, shall include a single point verification that the trip occurs within the required time delay, as shown in Reference 1.

A CHANNEL CALIBRATION is performed every 18 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the four functions. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology.

The Frequency of 18 months is based on operating experience and consistency with the typical industry refueling cycle and is justified by the assumption of an 18-month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

(continued)

Watts Bar - Unit 2 B 3.3-152 (developmental) B

LOP DG Start Instrumentation B 3.3.5 BASES REFERENCES 1. Watts Bar FSAR, Section 8.3, "Onsite (Standby) Power System."

2. Watts Bar FSAR, Section 15.0, "Accident Analysis."
3. TVA Calculation WPE2119202001, "6.9 kV Shutdown and Logic Boards Undervoltage Relays Requirements/Demonstrated Accuracy Calculation."
4. Technical Requirements Manual, Section 3.3.2, "Engineered Safety Features Actuation System (ESFAS) Instrumentation."
5. TVA Calculation TDR SYS.211-LV1, "Demonstrated Accuracy Calculation TDR SYS.211-LV1."
6. TVA Calculation TDR SYS.211-DS1, "Demonstrated Accuracy Calculation TDR SYS.211-DS1."

Watts Bar - Unit 2 B 3.3-153 (developmental) B

Containment Vent Isolation Instrumentation B 3.3.6 B 3.3 INSTRUMENTATION B 3.3.6 Containment Vent Isolation Instrumentation BASES BACKGROUND Containment Vent Isolation Instrumentation closes the containment isolation valves in the Containment Purge System. This action isolates the containment atmosphere from the environment to minimize releases of radioactivity in the event of an accident. The Reactor Building Purge System may be in use during reactor operation and with the reactor shutdown.

Containment vent isolation is initiated by a safety injection (SI) signal or by manual actuation. The Bases for LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation," discuss initiation of SI signals.

Redundant and independent gaseous radioactivity monitors measure the radioactivity levels of the containment purge exhaust, each of which will initiate its associated train of automatic Containment Vent Isolation upon detection of high gaseous radioactivity.

The Reactor Building Purge System has inner and outer containment isolation valves in its supply and exhaust ducts. This system is described in the Bases for LCO 3.6.3, "Containment Isolation Valves."

The plant design basis requires that when moving irradiated fuel in the Auxiliary Building and/or Containment with the Containment open to the Auxiliary Building ABSCE spaces, a signal from the spent fuel pool radiation monitors 0-RE-90-102 and -103 will initiate a Containment Ventilation Isolation (CVI) in addition to their normal function. In addition, a signal from the containment purge radiation monitors 2 -RE-90-130, and

-131 or other CVI signal will initiate that portion of the Auxiliary Building Isolation (ABI) normally initiated by the spent fuel pool radiation monitors.

Therefore, the containment ventilation instrumentation must remain operable when moving irradiated fuel in the Auxiliary Building if the containment air locks, penetrations, equipment hatch, etc. are open to the Auxiliary Building ABSCE spaces.

(continued)

Watts Bar - Unit 2 B 3.3-154 (developmental) B

Containment Vent Isolation Instrumentation B 3.3.6 BASES (continued)

APPLICABLE The containment isolation valves for the Reactor Building Purge System SAFETY close within six seconds following the DBA. The containment vent ANALYSES isolation radiation monitors act as backup to the SI signal to ensure closing of the purge air system supply and exhaust valves. They are also the primary means for automatically isolating containment in the event of a fuel handling accident during shutdown. Containment isolation in turn ensures meeting the containment leakage rate assumptions of the safety analyses, and ensures that the calculated accidental offsite radiological doses are below 10 CFR 100 (Ref. 1) limits.

The Containment Vent Isolation instrumentation satisfies Criterion 3 of the NRC Policy Statement.

When moving irradiated fuel inside containment or in the Auxiliary Building with containment air locks or penetrations open to the Auxiliary Building ABSCE spaces, or when moving fuel in the Auxiliary Building with the containment equipment hatch open, the provisions to initiate a CVI from the spent fuel pool radiation monitors and to initiate an ABI (i.e.,

the portion of an ABI normally initiated by the spent fuel pool radiation monitors) from a CVI, including a CVI generated by the containment purge monitors, in the event of a fuel handling accident (FHA) must be in place and functioning. The containment equipment hatch cannot be open when moving irradiated fuel inside containment in accordance with Technical Specification 3.9.4.

The ABGTS is required to be operable during movement of irradiated fuel in the Auxiliary Building during any mode and during movement of irradiated fuel in the Reactor Building when the Reactor Building is established as part of the ABSCE boundary (see TS 3.3.8, 3.7.12, &

3.9.4). When moving irradiated fuel inside containment, at least one train of the containment purge system must be operating or the containment must be isolated. When moving irradiated fuel in the Auxiliary Building during times when the containment is open to the Auxiliary Building ABSCE spaces, containment purge can be operated, but operation of the system is not required. However, whether the containment purge system is operated or not in this configuration, all containment ventilation isolation valves and associated instrumentation must remain operable. This requirement is necessary to ensure a CVI can be accomplished from the spent fuel pool radiation monitors in the event of an FHA in the Auxiliary Building.

(continued)

Watts Bar - Unit 2 B 3.3-155 (developmental) A

Containment Vent Isolation Instrumentation B 3.3.6 BASES (continued)

LCO The LCO requirements ensure that the instrumentation necessary to initiate Containment Vent Isolation, listed in Table 3.3.6-1, is OPERABLE.

1. Manual Initiation The LCO requires two channels OPERABLE. The operator can initiate Containment Vent Isolation at any time by using either of two switches in the control room or from local panel(s). Either switch actuates both trains. This action will cause actuation of all components in the same manner as any of the automatic actuation signals. These manual switches also initiate a Phase A isolation signal.

The LCO for Manual Initiation ensures the proper amount of redundancy is maintained in the manual actuation circuitry to ensure the operator has manual initiation capability.

Each channel consists of one selector switch and the interconnecting wiring to the actuation logic cabinet.

2. Automatic Actuation Logic and Actuation Relays The LCO requires two trains of Automatic Actuation Logic and Actuation Relays OPERABLE to ensure that no single random failure can prevent automatic actuation.

Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b, SI. The applicable MODES and specified conditions for the containment vent isolation portion of the SI Function is different and less restrictive than those for the SI role. If one or more of the SI Functions becomes inoperable in such a manner that only the Containment Vent Isolation Function is affected, the Conditions applicable to the SI Functions need not be entered. The less restrictive Actions specified for inoperability of the Containment Vent Isolation Functions specify sufficient compensatory measures for this case.

(continued)

Watts Bar - Unit 2 B 3.3-156 (developmental) A

Containment Vent Isolation Instrumentation B 3.3.6 BASES LCO 3. Containment Radiation (continued)

The LCO specifies two required channels of radiation monitors to ensure that the radiation monitoring instrumentation necessary to initiate Containment Vent Isolation remains OPERABLE.

For sampling systems, channel OPERABILITY involves more than OPERABILITY of the channel electronics. OPERABILITY may also require correct valve lineups and sample pump operation, as well as detector OPERABILITY, if these supporting features are necessary for trip to occur under the conditions assumed by the safety analyses.

Only the Allowable Value is specified for the Containment Purge Exhaust Radiation Monitors in the LCO. The Allowable Value is based on expected concentrations for a small break LOCA, which is more restrictive than 10 CFR 100 limits. The Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip function. The actual nominal Trip Setpoint is normally still more conservative than that required by the Allowable Value. If the setpoint does not exceed the Allowable Value, the radiation monitor is considered OPERABLE.

4. Safety Injection (SI)

Refer to LCO 3.3.2, Function 1, for all initiating Functions and requirements.

APPLICABILITY The Manual Initiation, Automatic Actuation Logic and Actuation Relays, Safety Injection, and Containment Radiation Functions are required OPERABLE in MODES 1, 2, 3, and 4, and during movement of irradiated fuel assemblies within containment. Under these conditions, the potential exists for an accident that could release significant fission product radioactivity into containment. Therefore, the Containment Vent Isolation Instrumentation must be OPERABLE in these MODES. See additional discussion in the Background and Applicable Safety Analysis sections.

While in MODES 5 and 6 without fuel handling in progress, the Containment Vent Isolation Instrumentation need not be OPERABLE since the potential for radioactive releases is minimized and operator action is sufficient to ensure post accident offsite doses are maintained within the limits of Reference 1.

(continued)

Watts Bar - Unit 2 B 3.3-157 (developmental) A

Containment Vent Isolation Instrumentation B 3.3.6 BASES (continued)

ACTIONS The most common cause of channel inoperability is outright failure or drift sufficient to exceed the tolerance allowed by unit specific calibration procedures. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. If the Trip Setpoint is less conservative than the tolerance specified by the calibration procedure, the channel must be declared inoperable immediately, and the appropriate Condition entered.

A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.6-1. The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 Condition A applies to the failure of one containment purge isolation radiation monitor channel. Since the two containment radiation monitors are both gaseous detectors, failure of a single channel may result in loss of the redundancy. Consequently, the failed channel must be restored to OPERABLE status. The 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> allowed to restore the affected channel is justified by the low likelihood of events occurring during this interval, and recognition that one or more of the remaining channels will respond to most events.

B.1 Condition B applies to all Containment Vent Isolation Functions and addresses the train orientation of the Solid State Protection System (SSPS) and the master and slave relays for these Functions. It also addresses the failure of multiple radiation monitoring channels, or the inability to restore a single failed channel to OPERABLE status in the time allowed for Required Action A.1.

If a train is inoperable, multiple channels are inoperable, or the Required Action and associated Completion Time of Condition A are not met, operation may continue as long as the Required Action for the applicable Conditions of LCO 3.6.3 is met for each valve made inoperable by failure of isolation instrumentation. A Note has been added above the Required Actions to allow one train of actuation logic to be placed in bypass and to delay entering the Required Actions for up to four hours to perform surveillance testing provided the other train is OPERABLE. The 4-hour allowance is consistent with the Required Actions for actuation logic trains in LCO 3.3.2, "Engineered Safety Features Actuation System (continued)

Watts Bar - Unit 2 B 3.3-158 (developmental) A

Containment Vent Isolation Instrumentation B 3.3.6 BASES ACTIONS B.1 (continued)

Instrumentation" and allows periodic testing to be conducted while at power without causing an actual actuation. The delay for entering the Required Actions relieves the administrative burden of entering the Required Actions for isolation valves inoperable solely due to the performance of surveillance testing on the actuation logic and is acceptable based on the OPERABILITY of the opposite train.

A Note is added stating that Condition B is only applicable in MODE 1, 2, 3, or 4.

C.1 and C.2 Condition C applies to all Containment Vent Isolation Functions and addresses the train orientation of the SSPS and the master and slave relays for these Functions. It also addresses the failure of multiple radiation monitoring channels, or the inability to restore a single failed channel to OPERABLE status in the time allowed for Required Action A.1.

If a train is inoperable, multiple channels are inoperable, or the Required Action and associated Completion Time of Condition A are not met, operation may continue as long as the Required Action to place and maintain containment purge and exhaust isolation valves in their closed position is met or the applicable Conditions of LCO 3.9.4, "Containment Penetrations," are met for each valve made inoperable by failure of isolation instrumentation. The Completion Time for these Required Actions is Immediately.

A Note states that Condition C is only applicable during movement of irradiated fuel assemblies within containment.

SURVEILLANCE A Note has been added to the SR Table to clarify that Table 3.3.6-1 REQUIREMENTS determines which SRs apply to which Containment Vent Isolation Functions.

SR 3.3.6.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.

(continued)

Watts Bar - Unit 2 B 3.3-159 (developmental) A

Containment Vent Isolation Instrumentation B 3.3.6 BASES SURVEILLANCE SR 3.3.6.1 (continued)

REQUIREMENTS Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.6.2 SR 3.3.6.2 is the performance of an ACTUATION LOGIC TEST. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. In addition, the master relay coil is pulse tested for continuity. This verifies that the logic modules are OPERABLE and there is an intact voltage signal path to the master relay coils. This test is performed every 92 days on a STAGGERED TEST BASIS. The Surveillance interval is justified in Reference 4.

The SR is modified by a Note stating that the surveillance is only applicable to the actuation logic of the ESFAS instrumentation.

SR 3.3.6.3 SR 3.3.6.3 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. This test is performed every 92 days on a STAGGERED TEST BASIS. The Surveillance interval is justified in Reference 4.

(continued)

Watts Bar - Unit 2 B 3.3-160 (developmental) A

Containment Vent Isolation Instrumentation B 3.3.6 BASES SURVEILLANCE SR 3.3.6.3 (continued)

REQUIREMENTS (continued) The SR is modified by a Note stating that the surveillance is only applicable to the master relays of the ESFAS instrumentation.

SR 3.3.6.4 A COT is performed every 92 days on each required channel to ensure the entire channel will perform the intended Function. The Frequency is based on the staff recommendation for increasing the availability of radiation monitors according to NUREG-1366 (Ref. 2). This test verifies the capability of the instrumentation to provide the containment vent system isolation. The setpoint shall be left consistent with the current unit specific calibration procedure tolerance. There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology.

SR 3.3.6.5 SR 3.3.6.5 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation mode is either allowed to function or is placed in a condition where the relay contact operation can be verified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation mode is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay.

This test is performed every 92 days. The Frequency is acceptable based on instrument reliability and industry operating experience.

For ESFAS slave relays which are Westinghouse type AR or Potter &

Brumfield MDR series relays, the SLAVE RELAY TEST is performed every 18 months. The frequency is based on the relay reliability assessments presented in References 3 and 5. These reliability assessments are relay specific and apply only to Westinghouse type AR and Potter & Brumfield MDR series relays with AC coils. Note that for normally energized applications, the relays may require periodic replacement in accordance with the guidance given in References 3 and 5.

(continued)

Watts Bar - Unit 2 B 3.3-161 (developmental) B

Containment Vent Isolation Instrumentation B 3.3.6 BASES SURVEILLANCE SR 3.3.6.6 REQUIREMENTS (continued) SR 3.3.6.6 is the performance of a TADOT. This test is a check of the Manual Actuation Functions and is performed every 18 months. Each Manual Actuation Function is tested up to, and including, the master relay coils. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.).

For these tests, the relay trip setpoints are verified and adjusted as necessary. The Frequency is based on the known reliability of the Function and the redundancy available, and has been shown to be acceptable through operating experience.

The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Functions tested have no setpoints associated with them.

SR 3.3.6.7 A CHANNEL CALIBRATION is performed every 18 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

The Frequency is based on operating experience and is consistent with the typical industry refueling cycle.

REFERENCES 1. Title 10, Code of Federal Regulations, Part 100.11, "Determination of Exclusion Area, Low Population Zone, and Population Center Distance."

2. NUREG-1366, "Improvement to Technical Specification Surveillance Requirements," December 1992.
3. WCAP-13877-P-A, Revision 2, Reliability Assessment of Westinghouse Type AR Relays Used as SSPS Slave Relays.

(continued)

Watts Bar - Unit 2 B 3.3-162 (developmental) B

Containment Vent Isolation Instrumentation B 3.3.6 BASES REFERENCES 4. WCAP-15376-P-A, Revision 1, Risk-Informed Assessment of the (continued) RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times, March 2003

5. WCAP-13878-P-A, Revision 2, Reliability Assessment of Potter &

Brumfield MDR Series Relays.

Watts Bar - Unit 2 B 3.3-163 (developmental) B

CREVS Actuation Instrumentation B 3.3.7 B 3.3 INSTRUMENTATION B 3.3.7 Control Room Emergency Ventilation System (CREVS) Actuation Instrumentation BASES BACKGROUND The CREVS provides an enclosed control room environment from which the unit can be operated following an uncontrolled release of radioactivity.

During normal operation, the Control Building Ventilation System provides control room ventilation. Upon receipt of an actuation signal, the CREVS initiates filtered ventilation and pressurization of the control room. This system is described in the Bases for LCO 3.7.10, "Control Room Emergency Ventilation System (CREVS)."

The actuation instrumentation consists of redundant radiation monitors. A high radiation signal from any detector will initiate its associated trains of the CREVS. The control room operator can also initiate CREVS trains by manual switches in the control room. The CREVS is also actuated by a safety injection (SI) signal. The SI Function is discussed in LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation."

APPLICABLE The control room must be kept habitable for the operators stationed there SAFETY during accident recovery and post accident operations.

ANALYSES The CREVS acts to terminate the supply of unfiltered outside air to the control room, initiate filtration, and emergency pressurization of the control room. These actions are necessary to ensure the control room is kept habitable for the operators stationed there during accident recovery and post accident operations by minimizing the radiation exposure of control room personnel.

In MODES 1, 2, 3, and 4, the radiation monitor actuation of the CREVS is a backup for the SI signal actuation. This ensures initiation of the CREVS during a loss of coolant accident or steam generator tube rupture.

The radiation monitor actuation of the CREVS in MODES 5 and 6 and during movement of irradiated fuel assemblies, is the primary means to ensure control room habitability in the event of a fuel handling or waste gas decay tank rupture accident.

The CREVS actuation instrumentation satisfies Criterion 3 of the NRC Policy Statement.

(continued)

Watts Bar - Unit 2 B 3.3-164 (developmental) A

CREVS Actuation Instrumentation B 3.3.7 BASES (continued)

LCO The LCO requirements ensure that instrumentation necessary to initiate the CREVS is OPERABLE.

1. Manual Initiation The LCO requires two channels OPERABLE. The operator can initiate the CREVS at any time by using either of two switches in the control room. This action will cause actuation of all components in the same manner as any of the automatic actuation signals.

The LCO for Manual Initiation ensures the proper amount of redundancy is maintained in the manual actuation circuitry to ensure the operator has manual initiation capability.

Each channel consists of one hand switch and the interconnecting wiring to the actuation logic relays.

2. Control Room Radiation The LCO specifies two required Control Room Air Intake Radiation Monitors to ensure that the radiation monitoring instrumentation necessary to initiate the CREVS remains OPERABLE. One radiation monitor is dedicated to each train of CREVS.

For sampling systems, channel OPERABILITY involves more than OPERABILITY of channel electronics. OPERABILITY may also require correct valve lineups, sample pump operation, and filter motor operation, as well as detector OPERABILITY, if these supporting features are necessary for trip to occur under the conditions assumed by the safety analyses.

Only the Allowable Value is specified for the Control Room Air Intake Radiation Monitors in the LCO. The Allowable Value is based on 10 CFR 50, Appendix A, Criterion 19 exposure limits considering the most limiting accident, which has been determined to be a steam generator tube rupture event. This event is more limiting than a fuel handling accident event or a LOCA. The Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip function. The actual nominal Trip Setpoint is normally still more conservative than that required by the Allowable Value. If the setpoint does not exceed the Allowable Value, the radiation monitor is considered OPERABLE.

(continued)

Watts Bar - Unit 2 B 3.3-165 (developmental) A

CREVS Actuation Instrumentation B 3.3.7 BASES LCO 3. Safety Injection (continued)

Refer to LCO 3.3.2, Function 1, for all initiating Functions and requirements.

APPLICABILITY The CREVS Functions must be OPERABLE in MODES 1, 2, 3, 4, and during movement of irradiated fuel assemblies. The Functions must also be OPERABLE in MODES 5 and 6 when required for a waste gas decay tank rupture accident, to ensure a habitable environment for the control room operators.

ACTIONS The most common cause of channel inoperability is outright failure or drift sufficient to exceed the tolerance allowed by the plant specific calibration procedures. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. If the Trip Setpoint is less conservative than the tolerance specified by the calibration procedure, the channel must be declared inoperable immediately and the appropriate Condition entered.

A Note has been added to the ACTIONS indicating that separate Condition entry is allowed for each Function. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.7-1 in the accompanying LCO. The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 Condition A applies to the actuation logic train Function of the CREVS, the radiation monitor channel Functions, and the manual channel Functions.

If one train is inoperable, or one radiation monitor channel is inoperable in one or more Functions, 7 days are permitted to restore it to OPERABLE status. The 7 day Completion Time is the same as is allowed if one train of the mechanical portion of the system is inoperable. The basis for this Completion Time is the same as provided in LCO 3.7.10. If the channel/train cannot be restored to OPERABLE status, one CREVS train must be placed in the emergency radiation protection mode of operation.

This accomplishes the actuation instrumentation Function and places the unit in a conservative mode of operation.

(continued)

Watts Bar - Unit 2 B 3.3-166 (developmental) A

CREVS Actuation Instrumentation B 3.3.7 BASES ACTIONS B.1.1, B.1.2, and B.2 (continued)

Condition B applies to the failure of two CREVS actuation trains, two radiation monitor channels, or two manual channels. The first Required Action is to place one CREVS train in the emergency radiation protection mode of operation immediately. This accomplishes the actuation instrumentation Function that may have been lost and places the unit in a conservative mode of operation. The applicable Conditions and Required Actions of LCO 3.7.10 must also be entered for the CREVS train made inoperable by the inoperable actuation instrumentation. This ensures appropriate limits are placed upon train inoperability as discussed in the Bases for LCO 3.7.10.

Alternatively, both trains may be placed in the emergency radiation protection mode. This ensures the CREVS function is performed even in the presence of a single failure.

C.1 and C.2 Condition C applies when the Required Action and associated Completion Time for Condition A or B have not been met and the plant is in MODE 1, 2, 3, or 4. The plant must be brought to a MODE in which the LCO requirements are not applicable. To achieve this status, the plant must be brought to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1 Condition D applies when the Required Action and associated Completion Time for Condition A or B have not been met when irradiated fuel assemblies are being moved. Movement of irradiated fuel assemblies must be suspended immediately to reduce the risk of accidents that would require CREVS actuation.

E.1 Condition E applies when the Required Action and associated Completion Time for Condition A or B have not been met in MODE 5 or 6. Actions must be initiated to restore the inoperable train(s) to OPERABLE status immediately to ensure adequate isolation capability in the event of a waste gas decay tank rupture.

(continued)

Watts Bar - Unit 2 B 3.3-167 (developmental) A

CREVS Actuation Instrumentation B 3.3.7 BASES (continued)

SURVEILLANCE A Note has been added to the SR Table to clarify that Table 3.3.7-1 REQUIREMENTS determines which SRs apply to which CREVS Actuation Functions.

SR 3.3.7.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.7.2 A COT is performed once every 92 days on each required channel to ensure the entire channel will perform the intended function. This test verifies the capability of the instrumentation to provide the CREVS actuation. The Frequency is based on the known reliability of the monitoring equipment and has been shown to be acceptable through operating experience. There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology.

(continued)

Watts Bar - Unit 2 B 3.3-168 (developmental) B

CREVS Actuation Instrumentation B 3.3.7 BASES SURVEILLANCE SR 3.3.7.3 REQUIREMENTS (continued) SR 3.3.7.3 is the performance of a TADOT. This test is a check of the Manual Actuation Functions and is performed every 18 months. Each Manual Actuation Function is tested up to, and including, the relay coils.

In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.).

The Frequency is based on the known reliability of the Function and the redundancy available, and has been shown to be acceptable through operating experience.

The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Functions tested have no setpoints associated with them.

SR 3.3.7.4 A CHANNEL CALIBRATION is performed every 18 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology.

The Frequency is based on operating experience and is consistent with the typical industry refueling cycle.

REFERENCES None Watts Bar - Unit 2 B 3.3-169 (developmental) B

ABGTS Actuation Instrumentation B 3.3.8 B 3.3 INSTRUMENTATION B 3.3.8 Auxiliary Building Gas Treatment (ABGTS) Actuation Instrumentation BASES BACKGROUND The ABGTS ensures that radioactive materials in the fuel building atmosphere following a fuel handling accident or a loss of coolant accident (LOCA) are filtered and adsorbed prior to exhausting to the environment. The system is described in the Bases for LCO 3.7.12, "Auxiliary Building Gas Treatment System (ABGTS)." The system initiates filtered exhaust of air from the fuel handling area, ECCS pump rooms, and penetration rooms automatically following receipt of a fuel pool area high radiation signal or a Containment Phase A Isolation signal.

Initiation may also be performed manually as needed from the main control room.

High area radiation, monitored by either of two monitors, provides ABGTS initiation. Each ABGTS train is initiated by high radiation detected by a channel dedicated to that train. There are a total of two channels, one for each train. High radiation detected by any monitor or a Phase A isolation signal from the Engineered Safety Features Actuation System (ESFAS) initiates auxiliary building isolation and starts the ABGTS. These actions function to prevent exfiltration of contaminated air by initiating filtered ventilation, which imposes a negative pressure on the Auxiliary Building Secondary Containment Enclosure (ABSCE).

The plant design basis requires that when moving irradiated fuel in the Auxiliary Building and/or Containment with the Containment and/or annulus open to the Auxiliary Building ABSCE spaces, a signal from the spent fuel pool radiation monitors 0-RE-90-102 and -103 will initiate a Containment Ventilation Isolation (CVI) in addition to their normal function. In addition, a signal from the containment purge radiation monitors 2-RE-90-130, and -131 or other CVI signal will initiate that portion of the Auxiliary Building Isolation (ABI) normally initiated by the spent fuel pool radiation monitors. Therefore, the containment ventilation instrumentation must remain operable when moving irradiated fuel in the Auxiliary Building if the containment and/or annulus air locks, penetrations, equipment hatch, etc. are open to the Auxiliary Building ABSCE spaces.

(continued)

Watts Bar - Unit 2 B 3.3-170 (developmental) B

ABGTS Actuation Instrumentation B 3.3.8 BASES (continued)

APPLICABLE The ABGTS ensures that radioactive materials in the ABSCE atmosphere SAFETY following a fuel handling accident or a LOCA are filtered and adsorbed ANALYSES prior to being exhausted to the environment. This action reduces the radioactive content in the auxiliary building exhaust following a LOCA or fuel handling accident so that offsite doses remain within the limits specified in 10 CFR 100 (Ref. 1).

The ABGTS Actuation Instrumentation satisfies Criterion 3 of the NRC Policy Statement.

When moving irradiated fuel inside containment or in the Auxiliary Building with containment air locks or penetrations open to the Auxiliary Building ABSCE spaces, or when moving fuel in the Auxiliary Building with the containment equipment hatch open, the provisions to initiate a CVI from the spent fuel pool radiation monitors and to initiate an ABI (i.e.,

the portion of an ABI normally initiated by the spent fuel pool radiation monitors) from a CVI, including a CVI generated by the containment purge monitors, in the event of a fuel handling accident (FHA) must be in place and functioning. The containment equipment hatch cannot be open when moving irradiated fuel inside containment in accordance with Technical Specification 3.9.4.

The ABGTS is required to be operable during movement of irradiated fuel in the Auxiliary Building during any mode and during movement of irradiated fuel in the Reactor Building when the Reactor Building is established as part of the ABSCE boundary (see TS 3.3.8, 3.7.12, &

3.9.4). When moving irradiated fuel inside containment, at least one train of the containment purge system must be operating or the containment must be isolated. When moving irradiated fuel in the Auxiliary Building during times when the containment is open to the Auxiliary Building ABSCE spaces, containment purge can be operated, but operation of the system is not required. However, whether the containment purge system is operated or not in this configuration, all containment ventilation isolation valves and associated instrumentation must remain operable. This requirement is necessary to ensure a CVI can be accomplished from the spent fuel pool radiation monitors in the event of a FHA in the Auxiliary Building.

(continued)

Watts Bar - Unit 2 B 3.3-171 (developmental) A

ABGTS Actuation Instrumentation B 3.3.8 BASES (continued)

LCO The LCO requirements ensure that instrumentation necessary to initiate the ABGTS is OPERABLE.

1. Manual Initiation The LCO requires two channels OPERABLE. The operator can initiate the ABGTS at any time by using either of two switches in the control room. This action will cause actuation of all components in the same manner as any of the automatic actuation signals.

The LCO for Manual Initiation ensures the proper amount of redundancy is maintained in the manual actuation circuitry to ensure the operator has manual initiation capability.

Each channel consists of one hand switch and the interconnecting wiring to the actuation logic relays.

2. Fuel Pool Area Radiation The LCO specifies two required Fuel Pool Area Radiation Monitors to ensure that the radiation monitoring instrumentation necessary to initiate the ABGTS remains OPERABLE. One radiation monitor is dedicated to each train of ABGTS.

For sampling systems, channel OPERABILITY involves more than OPERABILITY of channel electronics. OPERABILITY may also require correct valve lineups, sample pump operation, and filter motor operation, as well as detector OPERABILITY, if these supporting features are necessary for trip to occur under the conditions assumed by the safety analyses.

Only the Allowable Value is specified for the Fuel Pool Area Radiation Monitors in the LCO. The Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip function. The actual nominal Trip Setpoint is normally still more conservative than that required by the Allowable Value. If the measured setpoint does not exceed the Allowable Value, the radiation monitor is considered OPERABLE.

(continued)

Watts Bar - Unit 2 B 3.3-172 (developmental) A

ABGTS Actuation Instrumentation B 3.3.8 BASES LCO 3. Containment Phase A Isolation (continued)

Refer to LCO 3.3.2, Function 3.a, for all initiating Functions and requirements.

APPLICABILITY The manual ABGTS initiation must be OPERABLE in MODES 1, 2, 3, and 4 and when moving irradiated fuel assemblies in the fuel handling area to ensure the ABGTS operates to remove fission products associated with leakage after a LOCA or a fuel handling accident. The Phase A ABGTS Actuation is also required in MODES 1, 2, 3, and 4 to remove fission products caused by post LOCA Emergency Core Cooling Systems leakage.

High radiation initiation of the ABGTS must be OPERABLE in any MODE during movement of irradiated fuel assemblies in the fuel handling area to ensure automatic initiation of the ABGTS when the potential for a fuel handling accident exists.

While in MODES 5 and 6 without fuel handling in progress, the ABGTS instrumentation need not be OPERABLE since a fuel handling accident cannot occur. See additional discussion in the Background and Applicable Safety Analysis sections.

ACTIONS The most common cause of channel inoperability is outright failure or drift sufficient to exceed the tolerance allowed by unit specific calibration procedures. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. If the Trip Setpoint is less conservative than the tolerance specified by the calibration procedure, the channel must be declared inoperable immediately and the appropriate Condition entered.

A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.8-1 in the accompanying LCO. The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

(continued)

Watts Bar - Unit 2 B 3.3-173 (developmental) A

ABGTS Actuation Instrumentation B 3.3.8 BASES ACTIONS A.1 (continued)

Condition A applies to the actuation logic train function from the Phase A Isolation, the radiation monitor functions, and the manual initiation function. Condition A applies to the failure of a single actuation logic train, radiation monitor channel, or manual channel. If one channel or train is inoperable, a period of 7 days is allowed to restore it to OPERABLE status. If the train cannot be restored to OPERABLE status, one ABGTS train must be placed in operation. This accomplishes the actuation instrumentation function and places the unit in a conservative mode of operation. The 7-day Completion Time is the same as is allowed if one train of the mechanical portion of the system is inoperable. The basis for this time is the same as that provided in LCO 3.7.12.

B.1.1, B.1.2, B.2 Condition B applies to the failure of two ABGTS actuation logic signals from the Phase A Isolation, two radiation monitors, or two manual channels. The Required Action is to place one ABGTS train in operation immediately. This accomplishes the actuation instrumentation function that may have been lost and places the unit in a conservative mode of operation. The applicable Conditions and Required Actions of LCO 3.7.12 must also be entered for the ABGTS train made inoperable by the inoperable actuation instrumentation. This ensures appropriate limits are placed on train inoperability as discussed in the Bases for LCO 3.7.12.

Alternatively, both trains may be placed in the emergency radiation protection mode. This ensures the ABGTS Function is performed even in the presence of a single failure.

C.1 Condition C applies when the Required Action and associated Completion Time for Condition A or B have not been met and irradiated fuel assemblies are being moved in the fuel building. Movement of irradiated fuel assemblies in the fuel building must be suspended immediately to eliminate the potential for events that could require ABGTS actuation. Performance of these actions shall not preclude moving a component to a safe position.

(continued)

Watts Bar - Unit 2 B 3.3-174 (developmental) A

ABGTS Actuation Instrumentation B 3.3.8 BASES ACTIONS D.1 and D.2 (continued)

Condition D applies when the Required Action and associated Completion Time for Condition A or B have not been met and the plant is in MODE 1, 2, 3, or 4. The plant must be brought to a MODE in which the LCO requirements are not applicable. To achieve this status, the plant must be brought to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE A Note has been added to the SR Table to clarify that Table 3.3.8-1 REQUIREMENTS determines which SRs apply to which ABGTS Actuation Functions.

SR 3.3.8.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

(continued)

Watts Bar - Unit 2 B 3.3-175 (developmental) A

ABGTS Actuation Instrumentation B 3.3.8 BASES SURVEILLANCE SR 3.3.8.2 REQUIREMENTS (continued) A COT is performed once every 92 days on each required channel to ensure the entire channel will perform the intended function. This test verifies the capability of the instrumentation to provide the ABGTS actuation. The Frequency of 92 days is based on the known reliability of the monitoring equipment and has been shown to be acceptable through operating experience. There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology.

SR 3.3.8.3 SR 3.3.8.3 is the performance of a TADOT. This test is a check of the manual actuation functions and is performed every 18 months. Each manual actuation function is tested up to, and including, the relay coils. In some instances, the test includes actuation of the end device (e.g., pump starts, valve cycles, etc.). The Frequency is based on operating experience and is consistent with the typical industry refueling cycle.

The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Functions tested have no setpoints associated with them.

SR 3.3.8.4 A CHANNEL CALIBRATION is performed every 18 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. The Frequency is based on operating experience and is consistent with the typical industry refueling cycle.

There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology.

REFERENCES 1. Title 10, Code of Federal Regulations, Part 100.11, "Determination of Exclusion Area, Low Population Zone, and Population Center Distance."

Watts Bar - Unit 2 B 3.3-176 (developmental) B