ML11237A127

From kanterella
Jump to navigation Jump to search
Comanche Peak Units 1 & 2 Final Safety Analysis Report (Fsar), Amendment 104, Technical Specifications Bases
ML11237A127
Person / Time
Site: Comanche Peak  Luminant icon.png
Issue date: 08/01/2011
From:
Luminant Power, Luminant Generation Co
To:
Office of Nuclear Reactor Regulation
References
CP-201101065, TXX-11094
Download: ML11237A127 (656)
v  d  e


Text

TECHNICAL SPECIFICATIONS BASES FORCOMANCHE PEAK STEAM ELECTRIC STATION UNITS 1 AND 2 COMANCHE PEAK - UNITS 1 AND 2B iRevision 57TABLE OF CONTENTSB 2.0SAFETY LIMITS (SLs)........

..................................................................................B 2.0-1B 2.1.1Reactor Core SLs....

..................................................................................B 2.0-1B 2.1.2Reactor Coolant System (RCS) Pressure SL............................................B 2.0-4B 3.0LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY.....................B 3.0-1 B 3.0SURVEILLANCE REQUIREMENT (SR) APPLICABILITY....................................B 3.0-10B 3.1REACTIVITY CONTROL SYSTEMS..............................................................B 3.1-1B 3.1.1SHUTDOWN MARGIN (SDM)..................................................................B 3.1-1B 3.1.2Core Reactivity........

..................................................................................B 3.1-6B 3.1.3Moderator Temperature Coefficient (MTC)...............................................B 3.1-11B 3.1.4Rod Group Alignment Limits.....................................................................B 3.1-17B 3.1.5Shutdown Bank Insertion Limits................................................................B 3.1-26B 3.1.6Control Bank Insertion Limits....................................................................B 3.1-30B 3.1.7Rod Position Indication..............................................................................B 3.1-36B 3.1.8PHYSICS TESTS Exceptions - MODE2..................................................B 3.1-42B 3.2POWER DISTRIBUTION LIMITS....................................................................B 3.2-1B 3.2.1Heat Flux Hot Channel Factor (F Q(Z))......................................................B 3.2-1B 3.2.2Nuclear Enthalpy Rise Hot Channel Factor ..............................................B 3.2-22B 3.2.3AXIAL FLUX DIFFERENCE (AFD)...........................................................B 3.2-30B 3.2.4QUADRANT POWER TILT RATIO (QPTR)..............................................B 3.2-41B 3.3INSTRUMENTATION...............

.......................................................................B 3.3-1B 3.3.1Reactor Trip System (RTS) Instrumentation.............................................B 3.3-1B 3.3.2Engineered Safety Feature Actuation System (ESFAS) Instrumentation.B 3.3-57 B 3.3.3Post Accident Monitoring (PAM) Instrumentation......................................B 3.3-107B 3.3.4Remote Shutdown System

........................................................................B 3.3-122B 3.3.5Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation..........B 3.3-127 B 3.3.6Containment Ventilation Isolation Instrumentation...................................B 3.3-136B 3.3.7Control Room Emergency Filtration System (CREFS) Actuation Instrumentation.....................................................................................B 3.3-143B 3.4REACTOR COOLANT SYSTEM (RCS).........................................................B 3.4-1B 3.4.1RCS Pressure, Temperature, and Flow Departure from NucleateBoiling (DNB)Limits.......

..................................................................................B 3.4-1B 3.4.2RCS Minimum Temperature for Criticality.................................................B 3.4-7B 3.4.3RCS Pressure and Temperature (P/T) Limits...........................................B 3.4-10 B 3.4.4RCS Loops - MODES 1 and 2...................................................................B 3.4-16B 3.4.5RCS Loops - MODE 3

...............................................................................B 3.4-19B 3.4.6RCS Loops - MODE 4

...............................................................................B 3.4-24B 3.4.7RCS Loops - MODE 5, Loops Filled..........................................................B 3.4-28B 3.4.8RCS Loops - MODE 5, Loops Not Filled...................................................B 3.4-33B 3.4.9Pressurizer.........................

.......................................................................B 3.4-36B 3.4.10Pressurizer Safety Valves.........................................................................B 3.4-40B 3.4.11Pressurizer Power Operated Relief Valves (PORVs)................................B 3.4-44B 3.4.12Low Temperature Overpressure Protection (LTOP) System....................B 3.4-51 B 3.4.13RCS Operational LEAKAGE.....................................................................B 3.4-63 COMANCHE PEAK - UNITS 1 AND 2B iiRevision 57 TABLE OF CONTENTSB 3.4.14RCS Pressure Isolation Valve (PIV) Leakage...........................................B 3.4-69B 3.4.15RCS Leakage Detection Instrumentation..................................................B 3.4-75B 3.4.16RCS Specific Activity.................................................................................B 3.4-81B 3.4.17SG Tube Integrity

......................................................................................B 3.4-87B 3.5EMERGENCY CORE COOLING SYSTEMS (ECCS)....................................B 3.5-1B 3.5.1Accumulators......................

.......................................................................B 3.5-1B 3.5.2ECCS - Operating.....................................................................................B 3.5-9B 3.5.3ECCS - Shutdown..............

.......................................................................B 3.5-19B 3.5.4Refueling Water Storage Tank (RWST)....................................................B 3.5-22 B 3.5.5Seal Injection Flow..

..................................................................................B 3.5-28B 3.6CONTAINMENT SYSTEMS............................................................................B 3.6-1B 3.6.1Containment.......................

.......................................................................B 3.6-1B 3.6.2Containment Air Locks

..............................................................................B 3.6-5B 3.6.3Containment Isolation Valves....................................................................B 3.6-12B 3.6.4Containment Pressure

...............................................................................B 3.6-27B 3.6.5Containment Air Temperature...................................................................B 3.6-30B 3.6.6Containment Spray Syst em.......................................................................B 3.6-33B 3.6.7Spray Additive System..............................................................................B 3.6-40B 3.7PLANT SYSTEMS..........................................................................................B 3.7-1B 3.7.1Main Steam Safety Valves (MSSVs).........................................................B 3.7-1 B 3.7.2Main Steam Isolation Valves (MSIVs).......................................................B 3.7-7B 3.7.3Feedwater Isolation Valves (FIVs) and Feedwater Control Valves(FCVs) and Associated Bypass Valves............................................................B 3.7-12B 3.7.4Steam Generator Atmospheric Relief Valves (ARVs)...............................B 3.7-19B 3.7.5Auxiliary Feedwater (AFW) System..........................................................B 3.7-23B 3.7.6Condensate Storage Tank (CST)..............................................................B 3.7-32 B 3.7.7Component Cooling Water (CCW) System...............................................B 3.7-35B 3.7.8Station Service Water System (SSWS).....................................................B 3.7-39B 3.7.9Ultimate Heat Sink (UHS)..........................................................................B 3.7-44B 3.7.10Control Room Emergency Filtration/Pressurization System (CREFS)......B 3.7-47B 3.7.11Control Room Air Conditioning System (CRACS).....................................B 3.7-56B 3.7.12Primary Plant Ventilation System (PPVS) - ESF Filtration Trains.............B 3.7-60 B 3.7.13FUEL BUILDING AIR CLEANUP SYSTEM (FBACS)...............................B 3.7-67B 3.7.14PENETRATION ROOM EXHAUST AIR CLEANUP SYSTEM (PREACS)B 3.7-68B 3.7.15Fuel Storage Area Water Level.................................................................B 3.7-69 B 3.7.16Fuel Storage Pool Boron Concentration....................................................B 3.7-72B 3.7.17Spent Fuel Assembly Storage...................................................................B 3.7-77B 3.7.18Secondary Specific Activity.......................................................................B 3.7-80B 3.7.19Safety Chilled Water System.....................................................................B 3.7-83B 3.7.20UPS HVAC System - Operating................................................................B 3.7-87B 3.8ELECTRICAL POWER SYSTEMS.................................................................B 3.8-1B 3.8.1AC Sources - Operating............................................................................B 3.8-1B 3.8.2AC Sources - Shutdown

............................................................................B 3.8-30B 3.8.3Diesel Fuel Oil, Lube Oil, and Starting Air.................................................B 3.8-37B 3.8.4DC Sources - Operating............................................................................B 3.8-45 TABLE OF CONTENTSCOMANCHE PEAK - UNITS 1 AND 2B iiiRevision 57B 3.8.5DC Sources - Shutdown

............................................................................B 3.8-55B 3.8.6Battery Parameters.

..................................................................................B 3.8-59B 3.8.7Inverters - Operating.................................................................................B 3.8-67B 3.8.8Inverters - Shutdown

.................................................................................B 3.8-72B 3.8.9Distribution Systems - Operating...............................................................B 3.8-76B 3.8.10Distribution Systems - Shutdown..............................................................B 3.8-83B 3.9REFUELING OPERATIONS

...........................................................................B 3.9-1B 3.9.1Boron Concentration.................................................................................B 3.9-1B 3.9.2Unborated Water Source Isolation Valves................................................B 3.9-5 B 3.9.3Nuclear Instrumentation............................................................................B 3.9-8B 3.9.4Containment Penetrations.........................................................................B 3.9-12B 3.9.5Residual Heat Removal (RHR) and Coolant Circulation - High Water Level.....................................................................................................B 3.9-18B 3.9.6Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level.....................................................................................................B 3.9-22B 3.9.7Refueling Cavity Water Level....................................................................B 3.9-25 Reactor Core SLs B 2.1.1COMANCHE PEAK - UNITS 1 AND 2B 2.0-1Revision 51B 2.0 SAFETY LIMITS (SLs)

B 2.1.1 Reactor Core SLs BASESBACKGROUNDGDC10 (Ref.1) requires that specified acceptable fuel design limits are not exceeded during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs). This is accomplished by having a departure from nucleate boiling (DNB) design basis, which corresponds to a 95% probability at a 95% confidence level (the 95/95DNB criterion) that DNB will not occur and by requiring that fuel centerline temperature stays below the melting temperature.The restrictions of this SL prevent overheating of the fuel and cladding, as well as possible cladding perforation, that would result in the release of fission products to the reactor coolant.

Overheating of the fuel is prevented by maintaining the steady state peak linear heat rate (LHR) below the level at which fuel centerline melting occurs. Overheating of the fuel cladding is prevented by restricting fuel operation to within the nucleate boiling regime, where the heat transfer coefficient is large and the cladding surface temperature is slightly above the coolant saturation temperature.Fuel centerline melting occurs when the local LHR, or power peaking, in a region of the fuel is high enough to cause the fuel centerline temperature to

reach the melting point of the fuel.

Expansion of the pellet upon centerline melting may cause the pellet to stress the cladding to the point of failure, allowing an uncontrolled release of activity to the reactor coolant.Operation above the boundary of the nucleate boiling regime could result in excessive cladding temperature because of the onset of DNB and the resultant sharp reduction in heat transfer coefficient. Inside the steam film, high cladding temperatures are reached, and a cladding water (zirconium water) reaction may take place. This chemical reaction results in oxidation of the fuel cladding to a structurally weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of activity to the reactor coolant.The proper functioning of the Reactor Protection System (RPS) and steam generator safety valves prevents violation of the reactor core SLs.

APPLICABLE SAFETY ANALYSESThe fuel cladding must not sustain damage as a result of normal operation and AOOs. The reactor core SLs are established to preclude violation of the following fuel design criteria:(continued)

Reactor Core SLs B 2.1.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 2.0-2Revision 51APPLICABLE SAFETY ANALYSES (continued)a.There must be at least 95% probability at a 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience DNB; andb.The hot fuel pellet in the core must not experience centerline fuel melting.The Reactor Trip System Allowable Values in Table3.3.1-1, in combination with all the LCOs, are designed to prevent any anticipated combination of transient conditions for Reactor Coolant System (RCS) temperature, pressure, RCS flow, I, and THERMAL POWER level that would result in a departure from nucleate boiling ratio (DNBR) of less than the DNBR limit and preclude the existence of flow instabilities.Protection for these reactor core SLs is provided by the appropriate operation of the RPS and the steam generator safety valves.

The SLs represent a design requiremen t for establishing the RPS Allowable Values identified previously. LCO3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits," and the assumed initial conditions of the safety analyses (as indicated in the FSAR, Ref.2) provide more restrictive limits to ensure that the SLs are not exceeded.SAFETY LIMITSThe reactor core SLs are established to preclude violation of the following fuel design criteria:a.There must be at least a 95% probability at 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not

experience DNB; andb.There must be at least a 95% probability at a 95% confidence level that the hot fuel pellet in the core does not experience centerline fuel melting.The reactor core SLs are used to define the various RPS functions such that the above criteria are satisfied during steady state operation, normal operational transients and anticipated operational occurrences (AOOs). To ensure that the RPS precludes the violation of the above criteria, additional criteria are applied to the Overtemperature N-16 reactor trip functions. That is, it must be demonstrated that the average enthalpy in the hot leg is less than or equal to the saturation enthalpy and that the core exit quality is within the limits defined by the DNBR correlation.(continued)

Reactor Core SLs B 2.1.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 2.0-3Revision 51SAFETY LIMITS (continued)Appropriate functioning of the RPS and the steam generator safety valves ensure that for variations in the THERMAL POWER, RCS Pressure, RCS average temperature, RCS flow rate, and I that the reactor core SLs will be satisfied during steady state operation, normal operational transients, and AOOs. Limits on process variables are developed both to protect the reactor core SLs and for compliance with the additional restrictions on hot leg

enthalpy and vessel exit quality. The Reactor Core Safety Limit figures, provided in the COLR , reflect these process variable limits.APPLICABILITYSL2.1.1 only applies in MODES1 and2 because these are the only MODES in which the reactor is critical. Automatic protection functions are required to be OPERABLE during MODES1 and2 to ensure operation within the reactor core SLs. The steam generator safety valves or automatic protection actions serve to prevent RCS heatup to the reactor core SL conditions or to initiate a reactor trip function, which forces the unit into MODE3. Allowable Values for the reactor trip functions are specified in LCO3.3.1, "Reactor Trip System (RTS) Instrumentation." In MODES3, 4, 5, and 6, Applicability is not required since the reactor is not generating significant THERMAL POWER.

SAFETY LIMIT VIOLATIONSThe following SL violation responses are applicable to the reactor core SLs. If SL2.1.1 is violated, the requirement to go to MODE3 places the unit in a MODE in which this SL is not applicable.The allowed Completion Time of 1hour recognizes the importance of bringing the unit to a MODE of operation where this SL is not applicable, and reduces the probability of fuel damage.

Per 10CFR50.36, if a Safety Limit is violated, operations must not be resumed until authorized by the Commission.REFERENCES1.10CFR50, AppendixA, GDC10.

2.FSAR, Chapter7

.3."Power Distribution Control Analysis and Overtemperature N-16 and Overpower N-16 Trip Setpoint Methodology," RXE-90-006-P-A, June

1994.

RCS Pressure SL B 2.1.2COMANCHE PEAK - UNITS 1 AND 2B 2.0-4Revision 51B 2.0 SAFETY LIMITS (SLs)

B 2.1.2 Reactor Coolant System (RCS) Pressure SL BASESBACKGROUNDThe SL on RCS pressure protects the integrity of the RCS against overpressurization. In the event of fuel cladding failure, fission products are released into the reactor coolant. The RCS then serves as the primary barrier in preventing the release of fission products into the atmosphere. By establishing an upper limit on RCS pressure, the continued integrity of the RCS is ensured. According to 10CFR50, AppendixA, GDC14, "Reactor Coolant Pressure Boundary," and GDC15, "Reactor Coolant System Design" (Ref.1), the reactor pressure coolant boundary (RCPB) design conditions are not to be exceeded during normal operation and anticipated

operational occurrences (AOOs). Also, in accordance with GDC28, "Reactivity Limits" (Ref.1), reactivity accidents, including rod ejection, do not result in damage to the RCPB greater than limited local yielding.The design pressure of the RCS is 2485psig. During normal operation and AOOs, RCS pressure is limited from exceeding the design pressure by more than 10%, in accordance with SectionIII of the ASME Code (Ref.2). To ensure system integrity, all RCS components are hydrostatically tested at 125% (3107 psig) of design pressure, according to the ASME Code requirements prior to init ial operation when there is no fuel in the core. Following inception of unit operation, RCS components shall be pressure tested, in accordance with the requirements of ASME Code, SectionXI (Ref.3).Overpressurization of the RCS could result in a breach of the RCPB. If such a breach occurs in conjunction with a fuel cladding failure, fission products could enter the containment atmosphere, raising concerns relative to limits on radioactive releases specified in 10CFR100, "Reactor Site Criteria" (Ref.4).APPLICABLE SAFETY ANALYSESThe RCS pressurizer safety valves, the main steam safety valves (MSSVs), and the reactor high pressure trip have settings established to ensure that the RCS pressure SL will not be exceeded. The RCS pressurizer safety valves are sized to prevent system pressure from exceeding the design pressure by more than 10%, as specified in SectionIII of the ASME Code for Nuclear Power Plant Components (Ref.2). The transient that establishes the required relief capacity, and hence valve size requirements and lift settings, is a turbine trip without a direct reactor trip. Safety valves on the secondary side are assumed to open when the steam pressure reaches the safety valve settings. Main feedwater supply is lost at the time of turbine trip.(continued)

RCS Pressure SL B 2.1.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 2.0-5Revision 51APPLICABLE SAFETY ANALYSES (continued)The Reactor Trip System Allowable Values in Table3.3.1-1 , together with the settings of the MSSVs, provide pressure protection for normal operation and AOOs. The reactor high pressure trip setpoint is specifically set to provide protection against overpressurization. The safety analyses for both the high pressure trip and the RCS pressurizer safety valves are performed using conservative assumptions relative to pressure control devices.More specifically, no credit is taken for operation of the following:a.Pressurizer power operated relief valves (PORVs);b.Steam Generator Atmospheric Relief Valves; c.Steam Dump System;d.Reactor Control System;e.Pressurizer Level Control System; orf.Pressurizer spray valves.SAFETY LIMITSThe maximum transient pressure allowed in the RCS pressure vessel under the ASME Code, SectionIII, is 110% of design pressure.The SL on maximum allowable RCS pressure is 2735psig.APPLICABILITYSL2.1.2 applies in MODES1, 2, 3, 4, and5 because this SL could be approached or exceeded in these MODES due to overpressurization events. The SL is not applicable in MODE6 because the reactor vessel head closure bolts are not fully tightened, making it unlikely that the RCS can be pressurized.

SAFETY LIMIT

VIOLATIONIf the RCS pressure SL is violated when the reactor is in MODE1 or2, the requirement is to restore compliance and be in MODE3 within 1hour.Exceeding the RCS pressure SL may cause immediate RCS failure and create a potential for radioactive releases in excess of 10CFR100, "Reactor Site Criteria," limits (Ref.4).(continued)

RCS Pressure SL B 2.1.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 2.0-6Revision 51 SAFETY LIMIT VIOLATION (continued)The allowable Completion Time of 1hour recognizes the importance of reducing power level to a MODE of operation where the potential for challenges to safety systems is minimized.If the RCS pressure SL is exceeded in MODE3, 4, or5, RCS pressure must be restored to within the SL value within 5minutes. Exceeding the RCS pressure SL in MODE3, 4, or5 is more severe than exceeding this SL in MODE1 or2, since the reactor vessel temperature may be lower and the vessel material, consequently, less duct ile. As such, pressure must be reduced to less than the SL within 5minutes. The action does not require reducing MODES, since this would require reducing temperature, which would compound the problem by adding thermal gradient stresses to the existing pressure stress.

Per 10CFR50.36, if a Safety Limit is violated, operations must not be resumed until authorized by the Commission.REFERENCES1.10CFR50, AppendixA, GDC14, GDC15, and GDC28.2.ASME, Boiler and Pressure Vessel Code, SectionIII, ArticleNB-7000.3.ASME, Boiler and Pressure Vessel Code, SectionXI, ArticleIWX-5000.4.10CFR100.

5.FSAR, Chapter 7

.

LCO Applicability B 3.0COMANCHE PEAK - UNITS 1 AND 2B 3.0-1Revision 62B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY BASESLCOsLCO3.0.1 through LCO3.0.6 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.LCO 3.0.1LCO3.0.1 establishes the App licability statement within each individual Specification as the requirement for when the LCO is required to be met (i.e., when the unit is in the MODES or other specified conditions of the Applicability statement of each Specification).LCO 3.0.2LCO3.0.2 establishes that upon discovery of a failure to meet an LCO, the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is applicable from the point in time that an ACTIONS Condition is entered. The Required Actions establish those

remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met. This Specification establishes that:a.Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification; andb.Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise

specified.

There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met. This time limit is the Completion Time to restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this type of Required Action is not comp leted within the specified Completion Time, a shutdown may be required to place the unit in a MODE or condition in which the Specification is not applicable. (Whether stated as a Required Action or not, correction of the entered Condition is an action that may always be considered upon entering ACTIONS.) The second type of Required Action specifies the remedial measures that permit continued

operation of the unit that is not further restricted by the Completion Time. In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation.Completing the Required Actions is not required when an LCO is met or is no longer applicable, unless otherwise stated in the individual Specifications.The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Required Actions must be completed even(continued)

LCO Applicability B 3.0 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.0-2Revision 62 LCO 3.0.2 (continued) though the associated Conditions no longer exist. The individual LCO's ACTIONS specify the Required Actions where this is the case. An example of this is in LCO3.4.3, "RCS Pressure and Temperature (P/T) Limits." The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally. The reasons for intentionally relying on the ACTIONS include, but are not limited to, performance of Surveillances, preventive maintenance, corrective maintenance, or investigation of operational problems.

Entering ACTIONS for these reasons must be done in a manner that does not compromise safety. Intentional entry into ACTIONS should not be made for operational convenience. Additionally, if intentional entry into ACTIONS would result in redundant equipment being inoperable, alternatives should be used instead. Doing so limits the time both subsystems/trains of a safety function are inoperable and limits the time conditions exist which may result in LCO3.0.3 being entered. Individual Specifications may specify a time limit for performing an SR when equipment is re moved from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable when this time limit expires, if the equipment remains removed from service or bypassed.When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable.

In this case, the Completion Times of the associat ed Required Actions would apply from the point in time that the new Specif ication becomes applicable, and the ACTIONS Condition(s) are entered.LCO 3.0.3LCO3.0.3 establishes the actions that must be implemented when an LCO is not met and:a.An associated Required Action and Completion Time is not met and no other Condition applies; orb.The condition of the unit is not specifically addressed by the associated ACTIONS. This means that no combination of Conditions stated in the ACTIONS can be made that exactly corresponds to the actual condition of the unit. So metimes, possible combinations of Conditions are such that entering LCO3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corresponding to such combinations and also that LCO3.0.3 be entered immediately.(continued)

LCO Applicability B 3.0 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.0-3Revision 62 LCO 3.0.3 (continued)This Specification delineates the time limits for placing the unit in a safe MODE or other specified condition when operation cannot be maintained within the limits for safe operation as defined by the LCO and its ACTIONS.

It is not intended to be used as an operational convenience that permits routine voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or

components being inoperable.Upon entering LCO3.0.3, 1hour is allo wed to prepare for an orderly shutdown before initiating a change in unit operation. This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to reach lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the capabilities of the unit, assuming that only the minimum required equipment is OPERABLE. This reduces thermal stresses on components of the Reactor Coolant System and the potential for a plant upset that could challenge safety systems under conditions to which this Specification applies. The use and interpretation of specified times to complete the actions of LCO3.0.3 are consistent with the discussion of Section1.3, Completion Times.

A unit shutdown required in accordance with LCO3.0.3 may be terminated and LCO3.0.3 exited if any of the following occurs:a.The LCO is now met.b.A Condition exists for which the Required Actions have now been performed.c.ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable from the point in time that the Condition is initially entered and not from the time LCO3.0.3 is exited.The time limits of Specification3.0.3 allow 37hours for the unit to be in MODE5 when a shutdown is required during MODE1 operation. If the unit is in a lower MODE of operation when a shutdown is required, the time limit for reaching the next lower MODE applies. If a lower MODE is reached in less time than allowed, however, the total allowable time to reach MODE5, or other applicable MODE, is not reduced. For example, if MODE3 is reached in 2hours, then the time allowed for reaching MODE4 is the next (continued)

LCO Applicability B 3.0 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.0-4Revision 62 LCO 3.0.3 (continued)11hours, because the total time for reaching MODE4 is not reduced from the allowable limit of 13hours. Therefore, if remedial measures are completed that would permit a return to MODE1, a penalty is not incurred by having to reach a lower MODE of operation in less than the total time allowed.In MODES1, 2, 3, and4, LCO3.0.3 provides actions for Conditions not covered in other Specifications. The requirements of LCO3.0.3 do not apply in MODES5 and6 because the unit is already in the most restrictive Condition required by LCO3.0.3. The requirements of LCO3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE1, 2, 3, or4) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.Exceptions to LCO3.0.3 are provided in instances where requiring a unit shutdown, in accordance with LCO3.0.3, would not provide appropriate remedial measures for the associated condition of the unit. An example of this is in LCO3.7.15, "Fuel Storage Area Water Level." LCO3.7.15 has an Applicability of "During movement of irradiated fuel assemblies in the fuel storage area." Therefore, this LCO can be applicable in any or all MODES.

If the LCO and the Required Actions of LCO3.7.15 are not met while in MODE1, 2, 3 or 4, there is no safety benefit to be gained by placing the unit in a shutdown condition. The Required Action of LCO3.7.15 of "Suspend movement of irradiated fuel assemblies in the fuel storage area." is the appropriate Required Action to complete in lieu of the actions of LCO3.0.3.

These exceptions are addressed in the individual Specifications.LCO 3.0.4LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It allows placing the unit in a MODE or other specified condition stated in that Applicability (e.g.,

the Applicability desired to be entered) when unit conditions are such that the requirements of the LCO would not be met, in accordance with LCO 3.0.4.a, LCO 3.0.4.b or LCO 3.0.4.c. LCO 3.0.4.a allows entry into a MODE or other specified condition in the Applicability with the LCO not met when the associated ACTIONS to be entered permit continued operation in the MODE or other specified condition in the Applicability for an unlimited period of time. Compliance with Required Actions that permit continued operation of the unit for an unlimited period of

time in a MODE or other specified condition provides an acceptable level of safety for continued operation. This is without regard to the status of the unit before or after the MODE change. Therefore, in such cases, entry into a(continued)

LCO Applicability B 3.0 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.0-5Revision 62 LCO 3.0.4 (continued)MODE or other specified condition in the Applicability may be made in accordance with the provisions of the Required Actions.LCO 3.0.4.b allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate.

The risk assessment may use quantitative, qualitative, or blended approaches, and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities to be assessed and managed. The risk assessment, for the purposes of LCO 3.0.4(b), must take into account all inoperable Technical Specification equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope. The risk assessments will be conducted using the procedures and guidance en dorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." Regulatory Guide 1.18 2 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability.LCO 3.0.4.b may be used with single, or multiple systems and components unavailable. NUMARC 93-01 provides guidance relative to consideration of simultaneous unavailability of multiple systems and components.The results of the risk assessment shall be considered in determining the acceptability of entering the MODE or other specified condition in the Applicability, and any corresponding risk management actions. The LCO3.0.4.b risk assessments do not have to be documented.(continued)

LCO Applicability B 3.0 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.0-6Revision 62 LCO 3.0.4 (continued)The Technical Specifications allow continued operation with equipment unavailable in MODE 1 for the duration of the Completion Time. Since this is allowable, and since in general the risk impact in that particular MODE bounds the risk of transitioning into and through the applicable MODES or other specified conditions in the Applicability of the LCO, the use of the LCO 3.0.4.b allowance should be generally acceptable, as long as the risk is assessed and managed as stated above. However, there is a small subset of systems and components that have been determined to be more Important to risk and use of the LCO 3.0.4.b allowance is prohibited. The

LCOs governing these systems and components contain Notes prohibiting the use of LCO 3.0.4.b by stating that LCO 3.0.4.b is not applicable.LCO 3.0.4.c allows entry into a MODE or other specified condition in the Applicability with the LCO not met based on a Note in the Specification which states LCO 3.0.4.c is applicable. These specific allowances permit entry into MODES or other specified conditions in the Applicability when the associated ACTIONS to be entered do not provide for continued operation for an unlimited period of time and a risk assessment has not been performed. This allowance may apply to all the ACTIONS or to a specific Required Action of a Specification. The risk assessments performed to justify the use of LCO 3.0.4.b usually only consider systems and components. For this reason, LCO 3.0.4.c is typically applied to Specifications which describe values and parameters (e.g., [Containment Air Temperature, Containment Pressure, MCPR, Moderator Temperature Coefficient]), and may be applied to other Specifications based on NRC plant specific approval.The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisio ns of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified co ndition in the Applica bility associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE3, MODE 3 to MODE 4, and MODE 4 to MODE 5.Upon entry into a MODE or other specified condition in the Applicability with the LCO not met, LCO 3.0.1 and LCO3.0.2 require entry into the applicable(continued)

LCO Applicability B 3.0 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.0-7Revision 62 LCO 3.0.4 (continued)Conditions and Required Actions until the Condition is resolved, until the LCO is met, or until the unit is not within the Applicability of the Technical Specification.Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits), as permitted by SR 3.0.1. Therefore, utilizing LCO 3.0.4 is not a violation of SR 3.0.1 or SR 3.0.4 for any Surveillances that have not been performed on inoperable

equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO.LCO 3.0.5LCO3.0.5 establishes the allowance for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO3.0.2 (e.g., to not comply with the applicable Required Action(s)) to allow the performance of required testing to demonstrate:a.The OPERABILITY of the equipment being returned to service; orb.The OPERABILITY of other equipment.

The administrative controls ensure th e time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform th e required testing to demonstrate OPERABILITY. This Specification does not provide time to perform any other preventive or corrective maintenance. An example of demonstrating the OPERABILITY of the equipment being returned to service is reopening a containment isolation valve that has been closed to comply with Required Actions and must be reopened to perform the required testing.

An example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to prevent the trip function from occurring during the performance of required testing on another channel in the other trip system. A similar example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to permit the logic to

function and indicate the appropriate response during the performance of required testing on another channel in the same trip system.(continued)

LCO Applicability B 3.0 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.0-8Revision 62LCO 3.0.6LCO3.0.6 establishes an exception to LCO3.0.2 for support systems that have an LCO specified in the Technica l Specifications (TS). This exception is provided because LCO3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the unit is maintained in a safe condition are specified in the support system LCO's Required Actions. These Required Actions may include entering the supported system's Conditions and Required Actions or may specify other

Required Actions.When a support system is inoperable and there is an LCO specified for it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability. However, it is not necessary to enter into the supported systems' Conditions and Required Actions unless directed to do so by the support system's Required Actions. The potential confusion and inconsistency of requirements related to the entry into multiple support and supported systems' LCOs' Conditions and Required Actions are eliminated by providing all the actions that are necessary to ensure the unit is maintained in a safe condition in the support system's Required Actions.However, there are instances where a support system's Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system. This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support system's Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO3.0.2.Specification5.5.15, "Safety Function Determination Program (SFDP)," ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system

inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO3.0.6.(continued)

LCO Applicability B 3.0 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.0-9Revision 62 LCO 3.0.6 (continued)Cross train checks to identify a loss of safety function for those support systems that support multiple and redundant safety systems are required. The cross train check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained. If this evaluation determines that a loss of safety function exists, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered.LCO 3.0.7There are certain special tests a nd operations required to be performed at various times over the life of the unit. These special tests and operations are necessary to demonstrate select unit performance characteristics, to perform special maintenance activities, and to perform special evolutions. Test Exception LCO 3.1.8, allows specified Technical Specification (TS)

requirements to be changed to permit performances of these special tests and operations, which otherwise could not be performed if required to comply with the requirements of these TS.

Unless otherwise specified, all the other TS requirements remain unchanged. This will ensure all appropriate requirements of the MODE or other specified condition not directly associated with or required to be changed to perform the special test or operation will remain in effect.The Applicability of a Test Exception LCO represents a condition not necessarily in compliance with the normal requirements of the TS.

Compliance with Test Exception LCOs is optional. A special operation may be performed either under the provisions of the appropriate Test Exception LCO or under the other applicable TS requirements. If it is desired to perform the special operation under the provisions of the Test Exception LCO, the requirements of the Test Exception LCO shall be followed.

SR Applicability B 3.0COMANCHE PEAK - UNITS 1 AND 2B 3.0-10Revision 62 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY BASESSRsSR3.0.1 through SR3.0.4 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.SR 3.0.1SR3.0.1 establishes the requirement that SRs must be met during the MODES or other specified conditions in the Applicability for which the requirements of the LCO apply, unless otherwise specified in the individual SRs. This Specification is to ensure that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR3.0.2, constitutes a failure to meet an

LCO.Systems and components are assumed to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when:a.The systems or components are known to be inoperable, although still meeting the SRs; orb.The requirements of the Surveillance(s) are known not to be met between required Surveillance performances.Surveillances do not have to be performed when the unit is in a MODE or other specified condition for which the requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with a test exception are only applicable when the test exception is used as an allowable exception to the requirements of a Specification.Unplanned events may satisfy the requirements (including applicable acceptance criteria) for a given SR. In this case, the unplanned event may be credited as fulfilling the performance of the SR. This allowance includes those SRs whose performance is normally precluded in a given MODE or other specified condition.Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inoperable equipment because the ACTIONS define the remedial measures that apply.Surveillances have to be met and performed in accordance with SR3.0.2, prior to returning equipment to OPERABLE status. Upon completion of maintenance, appropriate post maintenance testing is required to declare(continued)

SR Applicability B 3.0 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.0-11Revision 62 SR 3.0.1 (continued)equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with SR3.0.2. Post maintenance testing may not be possible in the current MODE or other specified conditions in the Applicability due to the necessary unit parameters not having been established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipm ent is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance

tests can be completed.SR 3.0.2SR3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Action with a Completion Time that requires the periodic performance of the Required Action on a "once per . . ." interval.SR3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillance scheduling and considers plant operating conditions that may not be suitable for conducting the Surveillance (e.g., transient conditions or other ongoing Surveillance or maintenance activities).

The 25% extension does not significan tly degrade the reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the SRs. The exceptions to SR3.0.2 are those Su rveillances for which the 25% extension of the interval specified in the Frequen cy does not apply. These exceptions are stated in the individual Specifications. The requirements of regulations take precedence over the TS.Therefore, when a test interval is specified in the regulations, the test interval cannot be extended by the TS, and the SR include a Note in the Frequency stating, "SR 3.0.2 is not applicable." An example of an exception when the test interval is not specified in the regulations is theNote in the Containment Leakage Rate Testing Program, "SR 3.0.2 is not applicable." This exception is provided because the program already includes extension of test intervals.As stated in SR3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a "once(continued)

SR Applicability B 3.0 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.0-12Revision 62 SR 3.0.2 (continued)per ..." basis. The 25% extension applies to each performance after the initial performance. The initial performance of the Required Action, whether it is a particular Surveillance or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25% extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable

equipment in an alternative manner.The provisions of SR3.0.2 are not intended to be used repeatedly merely as an operational convenience to extend Surveillance intervals (other than those consistent with refueling intervals) or periodic Completion Time

intervals beyond those specified.SR 3.0.3SR3.0.3 establishes the flex ibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been completed wit hin the specified Frequency. A delay period of up to 24hours or up to the limit of the specified Frequency, whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been performed in accordance with SR3.0.2, and not at the time that the specified Frequency was not met.

This delay period provides adequate time to complete Surveillances that have been missed. This delay period permits the completion of a Surveillance before complying with Required Actions or other remedial measures that might preclude completion of the Surveillance.The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements. When a Surveillance with a Frequency based not on time intervals, but upon specified unit conditions, operational situations, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appen dix J, as modified by approved exemptions, etc.) is discovered not to have been performed when specified, SR3.0.3 allows the full delay period of up to the specified Frequency to perform the Surveillance. However, since there is not a time interval specified, the missed Surveillance should be performed at the first

reasonable opportunity.(continued)

SR Applicability B 3.0 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.0-13Revision 62SR 3.0.3 (continued)SR3.0.3 provides a time limit for, and allowances for the performance of Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.

Failure to comply with specified Frequencies for SRs is expected to be an infrequent occurrence. Use of the delay period established by SR3.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals. While up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the missed Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from

delaying the Surveillance as well as an y plant configuration changes required or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required to perform the Surveillance.

This risk impact should be managed through the program in place to implement 10 CFR 50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.182, "Assessing and Managing Risk Before

Maintenance Activities at Nuclear Power Plants." The Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods.

The degree of depth and rigor of the evaluation should be commensurate with the importance of the component. Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensee's Corrective Action Program.If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is out side the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance. Completion of the

Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR3.0.1.(continued)

SR Applicability B 3.0 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.0-14Revision 62SR 3.0.4SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified condition in the Applicability.This Specification ensures that system and component OPERABILITY requirements and variable limits are met before entry into MODES or other specified conditions in the Applicability for which these systems and

components ensure safe operation of the unit. The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.A provision is included to allow entry into a MODE or other specified condition in the Applicability when an LCO is not met due to a Surveillance not being met in accor dance with LCO 3.0.4.However, in certain circumstances, failing to meet an SR will not result in SR 3.0.4 restricting a MODE change or other specified condition change. When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the associated SR(s) are not required to be performed per SR 3.0.1, which states that surveillances do not have to be performed on inoperable equipment. When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s) since the requirement for the SR(s) to be performed is removed. Therefore, failing to perform the surveillance(s) within the specified Frequency does not result in an SR 3.0.4 restriction to changing MODES or other specified conditions of the Applicability. However, since the LCO is not met in this instance, LCO 3.0.4 will govern any restrictions that may (o r may not) apply to MODE or other specified condition changes. SR 3.0.4 does not restrict changing MODES or other specified conditions of the Applicability when a Surveillance has not been performed within the specified Frequency, provided the requirement to declare the LCO not met has been delayed in accordance with SR 3.0.3.The provisions of SR 3.0.4 shall not prevent entry into MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE3, MODE 3 to

MODE 4, and MODE 4 to MODE 5.

The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and (continued)

SR Applicability B 3.0 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.0-15Revision 62SR 3.0.4 (continued)conditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into the MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that could not be perfor med until after entering the LCO's Applicability, would have its Frequency specified such that it is not "due" until the specific conditions needed are met. Alternately, the Surveillance may be stated in the form of a Note, as not required (to be met or performed) until a particular event, condition, or time has been reached. Further discussion of

the specific formats of SR's annotat ion is found in Section 1.4, Frequency.

SDM B 3.1.1COMANCHE PEAK - UNITS 1 AND 2B 3.1-1Revision 57 B 3.1 REACTIVITY CONTROL SYSTEMSB 3.1.1 SHUTDOWN MARGIN (SDM)

BASESBACKGROUNDAccording to GDC26 (Ref.1), the reactivity control systems must be redundant and capable of holding the r eactor core subcritical when shut down under cold conditions. Maintenance of the SDM ensures that postulated reactivity events will not damage the fuel.

SDM requirements provide sufficient reactivity margin to ensure that acceptable fuel design limits will not be exceeded for normal shutdown and anticipated operational occurrences (AOOs). As such, the SDM defines the degree of subcriticality that would be obtained immediately following the insertion or scram of all shutdown and control rods, assuming that the single rod cluster assembly of highest reactivity worth is fully withdrawn.The system design requires that two independent reactivity control systems be provided, and that one of these systems be capable of maintaining the core subcritical under cold conditions. These requirements are satisfied by the use of movable control assemblies and soluble boric acid in the Reactor Coolant System (RCS). The Rod Control System can compensate for the reactivity effects of the fuel and water temperature changes accompanying power level changes over the range from full load to no load. In addition, the Rod Control System, together with the Chemical and Volume Control System (CVCS), provides the SDM during power operation and is capable of making the core subcritical, assuming that the rod of highest reactivity worth remains fully withdrawn. The CVCS can control the soluble boron concentration to compensate for fuel depletion during operation and all xenon burnout reactivity changes and can maintain the reactor subcritical

under cold conditions.During power operation, SDM control is ensured by operating with the shutdown banks fully withdrawn and the control banks within the limits of LCO3.1.6, "Control Bank Insertion Limits." When the unit is in the shutdown and refueling modes, the SDM req uirements are met by means of adjustments to the RCS boron concentration.

APPLICABLE

SAFETY ANALYSES The minimum required SDM is assumed as an initial condition in safety analyses. The safety analysis establishes an SDM that ensures specified acceptable fuel design limits are not exceeded for normal operation and AOOs, with the assumption of the highest worth rod stuck out on a scram.(continued)

SDM B 3.1.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-2Revision 57APPLICABLE SAFETY ANALYSES (continued)The acceptance criteria for the SDM requirements are that specified acceptable fuel design limits are maintained. This is done by ensuring that:a.The reactor can be made subcritical from all operating conditions, transients, and Design Basis Events;b.The reactivity transients associated with postulated accident conditions are controllable within a cceptable limits (departure from nucleate boiling ratio (DNBR), fuel centerline temperature limits for AOOs, and 280cal/gm average fuel pellet enthalpy at the hot spot for the rod ejection accident); andc.The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.The most limiting accidents for the SDM requirements area main steam line break (MSLB) and boron dilution accidents, as described in the accident analysis (Ref.2).The increased steam flow resulting from a pipe break in the main steam system causes an increased energy removal from the affected steam generator (SG), and consequently the RCS. This results in a reduction of the reactor coolant temperature. The resultant coolant shrinkage causes a reduction in pressure. In the presence of a negative moderator temperature coefficient, this cooldown causes an increase in core reactivity. As the initial RCS temperature decreases, the severity of an MSLB decreases until MODE5 is reached. The most limiting MSLB, with respect to potential fuel damage before a reactor trip occurs, is a guillotine break of a main steam line inside containment initiated at the end of core life. The positive reactivity addition from the moderator temperature decrease will terminate when the affected SG boils dry, thus term inating RCS heat removal and cooldown. Following the MSLB, a post trip return to power may occur; however, no fuel damage occurs as a result of the post trip return to power, and THERMAL POWER does not violate the Safety Limit (SL) requirement of SL2.1.1.In the boron dilution analysis, the required SDM defines the reactivity difference between an initial subcritical boron concentration and the corresponding critical boron concentration. These values, in conjunction with the configuration of the RCS and the assumed dilution flow rate, directly affect the results of the analysis. This event is most limiting at the beginning of core life, when critical boron concentrations are highest. The shutdown margin must be adequate to allow sufficient time for the reactor operators to detect an inadvertent bor on dilution and initiate appropriate action to prevent a complete loss of shutdown margin.(continued)

SDM B 3.1.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-3Revision 57APPLICABLE SAFETY ANALYSES (continued)SDM satisfies Criterion2 of 10CFR50.36(c)(2)(ii). Even though it is not directly observed from the control room, SDM is considered an initial condition process variable because it is periodically monitored to ensure that the unit is operating within the bounds of accident analysis assumptions.LCOSDM is a core design condition that can be ensured during operation through control rod positioning (control and shutdown banks) and through the soluble boron concentration.

The MSLB and the boron dilution accidents (Ref.2) are the most limiting analyses that establish the SDM value of the LCO. For MSLB accidents, if the LCO is violated, there is a potential to exceed the DNBR limit and to exceed 10CFR100, "Reactor Site Criteria," limits (Ref.4). For the boron dilution accident, if the LCO is violated, the minimum required time assumed for operator action to terminate dilution may no longer be available. The required SDM is specified in the COLR.APPLICABILITYIn MODE2 with k eff 1.0 and in MODES3, 4 and 5, the SDM requirements are applicable to provide sufficient negative reactivity to meet the assumptions of the safety analyses discussed above. In MODE6, the shutdown reactivity requirements are given in LCO3.9.1 , "Boron Concentration." In MODES1 and2, SDM is ensured by complying with LCO3.1.5, "Shutdown Bank Insertion Limits," and LCO3.1.6, "Control Bank Insertion Limits."The Applicability is modified by a Note stating that the transition from MODE6 to MODE5 is not permitted while LCO3.1.1 is not met. This Note specifies an exception to LCO3.0.4 and prohibits the transition when SDM limits are not met. This Note assures that the initial assumptions of a postulated boron dilution event in MODE5 are met.ACTIONSA.1 If the SDM requirements are not met, boration must be initiated promptly. A Completion Time of 15minutes is adequate for an operator to correctly align and start the required systems and components. It is assumed that boration will be continued until the SDM requirements are met.In the determination of the required combination of boration flow rate and boron concentration, there is no unique requirement that must be satisfied. Since it is imperative to raise the boron concentration of the RCS as soon as(continued)

SDM B 3.1.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-4Revision 57ACTIONSA.1 (continued)possible, the borated water source should be a highly concentrated solution, such as that normally found in the boric acid storage tank, or the refueling water storage tank. The operator should borate with the best source

available for the plant conditions.SURVEILLANCE

REQUIREMENTS SR 3.1.1.1In MODES 2 (with k eff < 1.0), 3, 4 and 5, the SDM is verified by performing a reactivity balance calculation, considering the listed reactivity effects:a.RCS boron concentration;b.Shutdown and Control bank position;c.RCS average temperature; d.Fuel burnup based on gross thermal energy generation;e.Xenon concentration;f.Samarium concentration; andg.Isothermal temperature coefficient (ITC).Using the ITC accounts for Doppler reactivity in this calculation because the reactor is subcritical, and the fuel temperature will be changing at the same rate as the RCS.In the event that a rod is known to be untrippable, however, SDM verification must account for the worth of the untrippable rod as well as another rod of maximum worth.The Frequency of 24hours is based on the generally slow change in required boron concentration and the low probability of an accident occurring without the required SDM. This allows time for the operator to collect the required data, which includes performing a boron concentration analysis, and complete the calculation.(continued)

SDM B 3.1.1 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.1-5Revision 57REFERENCES1.10CFR50, AppendixA, GDC26.

2.FSAR, Chapter15

.3.Not Used.4.10CFR100.

Core Reactivity B 3.1.2COMANCHE PEAK - UNITS 1 AND 2B 3.1-6Revision 57 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.2 Core Reactivity BASESBACKGROUNDAccording to GDC26, GDC28, and GDC29 (Ref.1), reactivity shall be controllable such that subcriticality is maintained under cold conditions and acceptable fuel design limits are not exceeded during normal operation and anticipated operational occurrences. Therefore, reactivity balance is used as a measure of the predicted versus measured core reactivity during power operation. The periodic confirmation of core reactivity is necessary to ensure that Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity difference could be the result of unanticipated changes in fuel, control rod worth, or operation at conditions not consistent with those assumed in the predictions of core reactivity, and could potentially result in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM demonstrations

(LCO3.1.1, "SHUTDOWN MARGIN") in ensur ing the reactor can be brought safely to cold, subcritical conditions.When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since parameters are being maintained relatively stable under steady state powe r conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron leakage, and materials in the core that absorb neutrons, such as burnable absorbers producing zero net reactivity. Excess reactivity can be inferred from the boron letdown curve (or critical boron curve), which provides an indication of the soluble boron concentration in the Reactor Coolant System (RCS) versus cycle burnup. Periodic measurement of the RCS boron concentration for comparison with the predicted value with other variables fixed (such as rod height, temperature, pressure, and power), provides a convenient method of ensuring that core reactivity is within design expectations and that the calculational models used to generate the safety analysis are adequate.In order to achieve the required fuel cycle energy output, the uranium enrichment in the new fuel loading and in the fuel remaining from the previous cycle provides excess positive reactivity beyond that required to sustain steady state operation throughout the cycle. When the reactor is critical at RTP and moderator temperature, the excess positive reactivity is compensated by burnable absorbers (if any), control rods, whatever neutron poisons (mainly xenon and samarium) are present in the fuel, and the RCS boron concentration.(continued)

Core Reactivity B 3.1.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-7Revision 57 BACKGROUND (continued

)When the core is producing THERMAL POWER, the fuel is being depleted and excess reactivity is decreasing.

As the fuel depletes, the RCS boron concentration is reduced to decrease negative reactivity and maintain constant THERMAL POWER. The boron letdown curve is based on steady state operation at RTP. Therefore, deviations from the predicted boron letdown curve may indicate deficiencies in the design analysis, deficiencies in the calculational models, or abnormal core conditions, and must be evaluated.

APPLICABLE SAFETY ANALYSESThe acceptance criteria for core reactivity are that the reactivity balance limit ensures plant operation is maintained within the assumptions of the safety analyses.Accurate prediction of core reactivity is either an explicit or implicit assumption in the accident analysis evaluations. Every accident evaluation

(Ref.2) is, therefore, dependent upon accurate evaluation of core reactivity. In particular, SDM and reactivity transients, such as control rod withdrawal accidents or rod ejection accidents, are very sensitive to accurate prediction of core reactivity. These accident analysis evaluations rely on computer codes that have been qualified against available test data, operating plant data, and analytical benchmarks. Monitoring reactivity balance additionally ensures that the nuclear methods prov ide an accurate representation of the core reactivity.Design calculations and safety analyses are performed for each fuel cycle for the purpose of predetermining reactivity behavior and the RCS boron concentration requirements for reactivity control during fuel depletion.

The comparison between measured and predicted initial core reactivity provides a normalization for the calculational models used to predict core reactivity. If the measured and predicted RCS boron concentrations for identical core conditions at beginning of cycle (BOC) do not agree, then the assumptions used in the reload cycle design analysis or the calculational models used to predict soluble boron requirements may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized to the measured boron concentration. Thereafter, any significant deviations in the measured boron concentration from the predicted boron letdown curve that develop during fuel depletion may be an indication t hat the calculational model is not adequate for core burnups beyond BOC, or that an unexpected change in core conditions has occurred.(continued)

Core Reactivity B 3.1.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-8Revision 57APPLICABLE SAFETY ANALYSES (continued)The normalization of predicted RCS boron concentration to the measured value shall be performed after reaching RTP following startup from a refueling outage, with the control rods in their normal positions for power operation. The normalization is performed at BOC conditions, so that core reactivity relative to predicted values can be continually monitored and evaluated as core conditions change during the cycle.Core reactivity satisfies Criterion2 of 10CFR50.36(c)(2)(ii).LCOLong term core reactivity behavior is a result of the core physics design and cannot be easily altered once the core design is fixed. During operation, therefore, the LCO can only be ensured through measurement and tracking, and appropriate actions taken as necessary. Large differences between actual and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the uncertainties in the Nuclear Design Methodology are larger than expected. A limit on the reactivity balance of 1%k/k has been established based on engineering judgment. A 1% deviation in reactivity from that predicted is larger than expected for normal operation and should therefore be evaluated.When measured core reactivity is within 1%k/k of the predicted value at steady state thermal conditions, the core is considered to be operating within acceptable design limits. Since deviations from the limit are normally detected by comparing predicted and measured steady state RCS critical boron concentrations, the difference between measured and predicted values would be approximately 100ppm (depending on the boron worth) before the limit is reached. These values are well within the uncertainty limits for analysis of boron concentration samples, so that spurious violations of the limit due to uncertainty in measuring the RCS boron concentration are unlikely.APPLICABILITYThe limits on core reactivity must be maintained during MODES1 and2 because a reactivity balance must exist when the reactor is critical or producing THERMAL POWER. As the fuel depletes, core conditions are

changing, and confirmation of the reactivity balance ensures the core is operating as designed. This Specification does not apply in MODES3, 4, and5 because the reactor is shut down and the reactivity balance is not

changing.In MODE6, fuel loading results in a continually changing core reactivity. Boron concentration requirements (LCO3.9.1, "Boron Concentration")(continued)

Core Reactivity B 3.1.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-9Revision 57 APPLICABILITY (continued)ensure that fuel movements are performed within the bounds of the safety an analysis. An SDM demonstration is required during the first startup following operations that could have altered core reactivity (e.g., fuel movement, control rod replacement, control rod shuffling).ACTIONSA.1 and A.2Should an anomaly develop between measured and predicted core reactivity, an evaluation of the core design and safety analysis must be performed. Core conditions are evaluated to determine their consistency with input to design calculations. Measured core and process parameters are evaluated to determine that they are within the bounds of the safety analysis, and safety analysis calculational models are reviewed to verify that they are adequate for representation of the core conditions. The required Completion Time of 7 days is based on the low probability of a DBA occurring during this period, and allows sufficient time to assess the physical condition of the reactor and complete the evaluation of the core design and

safety analysis.Following evaluations of the core design and safety analysis, the cause of the reactivity anomaly may be resolved. If the cause of the reactivity anomaly is a mismatch in core conditions at the time of RCS boron concentration sampling, then a recalculation of the RCS boron concentration requirements may be performed to demonstrate that core reactivity is behaving as expected. If an unexpected physical change in the condition of the core has occurred, it must be evaluated and corrected, if possible. If the cause of the reactivity anomaly is in the calculation technique, then the calculational models must be revised to pr ovide more accurate predictions. If any of these results are demonstrated, and it is concluded that the reactor core is acceptable for continued operation, then the boron letdown curve may be renormalized and power operation may continue. If operational restriction or additional SRs are necessary to ensure the reactor core is acceptable for continued operation, then they must be defined.The required Completion Time of 7 days is adequate for preparing whatever operating restrictions or Surveillances that may be required to allow continued reactor operation.

B.1If the core reactivity cannot be restored to within the 1%/k limit, the plant must be brought to a MODE in which the LCO does not apply. To achieve(continued)

Core Reactivity B 3.1.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-10Revision 57ACTIONSB.1 (continued)this status, the plant must be brought to at least MODE3 within 6hours. If the SDM for MODE3 is not met, then the boration required by LCO 3.1.1 Required Action A.1 would occur. The allowed Completion Time is

reasonable, based on operating experience, for reaching MODE3 from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE REQUIREMENTS SR 3.1.2.1Core reactivity is verified by peri odic comparisons of measured and predicted RCS boron concentrations. The comparison is made, considering that other core conditions are fixed or stable, including control rod position, moderator temperature, fuel temperature, fuel depletion, xenon concentration, and samarium concentration. The Surveillance is performed prior to entering MODE1 as an initial check on core conditions and design calculations at BOC. The SR is modified by a Note. The Note requires that the normalization of predicted core reactivity to the measured value must take place within the first 60effectiv e full power days (EF PD) after each fuel loading. However, if the deviation between measured and predicted values is within the associated measurement and analytical uncertainties, it is not necessary to normalize the predicted core reactivity. This allows sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle without establishing a benchmark for the

design calculations. The required subsequent Frequency of 31EFPD, following the initial 60EFPD after entering MODE1, is acceptable, based on the slow rate of core changes due to fuel depletion and the presence of other indicators (QPTR, AFD, etc.) for prompt indication of an anomaly.REFERENCES1.10CFR50, AppendixA, GDC26, GDC28, and GDC29.

2.FSAR, Chapter15

.

MTC B 3.1.3COMANCHE PEAK - UNITS 1 AND 2B 3.1-11Revision 57 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.3 Moderator Temperature Coefficient (MTC)

BASESBACKGROUNDAccording to GDC11 (Ref.1), the reactor core and its interaction with the Reactor Coolant System (RCS) must be designed for inherently stable power operation, even in the possible event of an accident. In particular, the net reactivity feedback in the system must compensate for any unintended reactivity increases.The MTC relates a change in core reactivity to a change in reactor coolant temperature (a positive MTC means that reactivity increases with increasing moderator temperature; conversely, a negative MTC means that reactivity decreases with increasing moderator temperature). The reactor is designed to operate with a negative MTC over most of the fuel cycle. Therefore, a coolant temperature increase will cause a reactivity decrease, so that the coolant temperature tends to return toward its initial value. Reactivity increases that cause a coolant temperature increase will thus be self limiting, and stable power operation will result.MTC values are predicted at selected burnups during the safety evaluation analysis and are confirmed to be acceptable by measurements. Reload cores are designed so that the beginning of cycle (BOC) MTC is less than zero when THERMAL POWER is at RTP. The actual value of the MTC is dependent on core characteristics, such as fuel loading and reactor coolant soluble boron concentration. The core design may require additional fixed distributed poisons to yield an MTC at BOC within the ra nge analyzed in the plant accident analysis. The end of cycle (EOC) MTC is also limited by the requirements of the accident analysis. Fuel cycles that are designed to achieve high burnups or that have changes to other characteristics are evaluated to ensure that the MTC does not exceed the EOC limit.The limitations on MTC are provided to ensure that the value of this coefficient remains within the limiting conditions assumed in the FSAR accident and transient analyses.If the LCO limits are not met, the unit response during transients may not be as predicted. The core could violate criteria that prohibit a return to criticality, or the departure from nucleate boiling ratio criteria of the approved correlation may be violated, which could lead to a loss of the fuel cladding integrity.The SRs for measurement of the MTC at the beginning and near the end of the fuel cycle are adequate to confirm that the MTC remains within its limits,(continued)

MTC B 3.1.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-12Revision 57 BACKGROUND (continued)since this coefficient changes slowly, due principally to the reduction in RCS boron concentration asso ciated with fuel burnup.

APPLICABLE SAFETY ANALYSESThe acceptance criteria for the specified MTC are:a.The MTC values must remain within the bounds of those used in the accident analysis (Ref.2); andb.The MTC must be such that inherently stable power operations result during normal operation and accidents, such as overheating and

overcooling events.The FSAR, Chapter15 (Ref.2), contains analyses of accidents that result in both overheating and overcooling of the reactor core. MTC is one of the controlling parameters for core reactivity in these accidents. Both the most positive value and most negative value of the MTC are important to safety, and both values must be bounded. V alues used in the analyses consider worst case conditions to ensure that the accident results are bounding (Ref. 2).The consequences of accidents that cause core overheating must be evaluated when the MTC is positive. Such accidents include the rod withdrawal transient from either zero (Ref.2) or RTP, loss of main feedwater flow, and loss of forced reactor coolant flow. The consequences of accidents that cause core overcooling must be evaluated when the MTC is negative. Such accidents include sudden feedwater flow increase, sudden decrease in feedwater temperature, and steam line break.In order to ensure a bounding accident analysis, the MTC is assumed to be its most limiting value for the analysis conditions appropriate to each accident. The bounding value is de termined by considering rodded and unrodded conditions, whether the reactor is at Rated Thermal Power or zero power, and whether it is the BOC or EOC. The most conservative combination appropriate to the accident is then used for the analysis (Ref.2).MTC values are bounded in reload safety evaluations assuming steady state conditions at BOC and EOC. An EOC measurement is conducted at conditions when the RCS reaches a boron concentration equivalent to 300 ppm at an equilibrium, all rods out, RTP condition. The measured value may be extrapolated to project the EOC value, in order to confirm reload design predictions.(continued)

MTC B 3.1.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-13Revision 57APPLICABLE SAFETY ANALYSES (continued)MTC satisfies Criterion2 of 10CFR50.36(c)(2)(ii). Even though it is not directly observed and controlled from the control room, MTC is considered an initial condition process variable beca use of its dependence on boron concentration.LCOLCO3.1.3 requires the MTC to be within specified limits of the COLR to ensure that the core operates within the assumptions of the accident analysis. During the reload core safety evaluation, the MTC is analyzed to determine that its values remain within the bounds of the original accident analysis during operation.Assumptions made in safety analyses require that the MTC be less positive than a given upper bound and less negativ e than a given lower bound. The MTC is most positive near BOC; this upper bound must not be exceeded. This maximum upper limit occurs near BOC, all rods out (ARO), hot zero power conditions. At EOC the MTC takes on its most negative value, when the lower bound becomes important. This LCO exists to ensure that both the upper and lower bounds are not exceeded.During operation, therefore, the condit ions of the LCO can only be ensured through measurement. The Surveillance checks at BOC and EOC on MTC provide confirmation that the MTC is behaving as anticipated so that the acceptance criteria are met.

The LCO establishes a maximum positive value that cannot be exceeded. This limit is defined to be +5pcm/°F for power levels up to 70% RTP and a linear ramp from that point to 0 pcm/°F at 100% RTP for the all rods withdrawn, beginning of cycle life (BOL) condition. The BOC positive limit and the EOC negative limit are established in the COLR to allow specifying limits for each particular cycle. This permits the unit to take advantage of improved fuel management and changes in unit operating schedule.APPLICABILITYTechnical Specifications place both LCO and SR values on MTC, based on the safety analysis assumptions described above.In MODE1, the limits on MTC must be maintained to ensure that any accident initiated from THERMAL POWER operation will not violate the design assumptions of the accident analysis. In MODE2 with the reactor critical, the upper limit must also be maintained to ensure that startup and subcritical accidents (such as the uncontrolled CONTROL ROD assembly or group withdrawal) will not violate the assumptions of the accident analysis. (continued)

MTC B 3.1.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-14Revision 57 APPLICABILITY (continued)The lower MTC limit must be maintained in MODES2 and3, in addition to MODE1, to ensure that cooldown accidents will not violate the assumptions of the accident analysis. In MODES4, 5, and6, this LCO is not applicable, since no Design Basis Accidents using the MTC as an analysis assumption are initiated from these MODES.ACTIONSA.1If the BOC MTC limit is violated, administrative withdrawal limits for control

banks must be established to mainta in the MTC within its limits. The MTC becomes more negative with control bank insertion and decreased boron concentration. A Completion Time of 24hours provides enough time for evaluating the MTC measurement and computing the required bank withdrawal limits.In general, as cycle burnup is increased, the RCS boron concentration will initially be increased to accommodate a PMTC (between roughly 150-3000 MWd/MTU, depending on cycle energy requirements, burnable absorbers, etc.) and then will be reduced. The reduced boron concentration causes the MTC to become more negative. Using physics calculations, the time in cycle life at which the calculated MTC will meet the LCO requirement can be determined. At this point in core life ConditionA no longer exists. The unit is no longer in the Required Action, so the administrative withdrawal limits are no longer in effect.

B.1 If the required administrative withdrawal limits at BOC are not established within 24hours, the unit must be brought to MODE2 with k eff <1.0 to prevent operation with an MTC that is more positive than that assumed in safety analyses.The allowed Completion Time of 6hours is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

C.1Exceeding the EOC MTC limit means that the safety analysis assumptions for the EOC accidents that use a bounding negative MTC value may be invalid. If the EOC MTC limit is exceeded, the plant must be brought to a(continued)

MTC B 3.1.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-15Revision 57ACTIONSC.1 (continued)MODE or condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE4 within 12hours.The allowed Completion Time is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE

REQUIREMENTS SR 3.1.3.1This SR requires measurement of the MTC at BOC prior to entering MODE1 in order to demonstrate compliance with the most positive MTC LCO. Meeting the limit prior to entering MODE1 ensures that the limit will also be met at higher power levels.The BOC MTC value for ARO will be inferred from isothermal temperature coefficient measurements obtained durin g the physics tests after refueling.

The ARO value can be directly compared to the BOC MTC limit of the LCO. If required, measurement results and predicted design values can be used to establish administrative withdrawal limits for control banks.

SR 3.1.3.2In similar fashion, the LCO requires that the MTC be less negative than the specified value for EOC full power conditions. This measurement may be performed at any THERMAL POWER, but its results must be extrapolated to the conditions of RTP and all banks withdrawn in order to make a proper comparison with the LCO value. Because the RTP MTC value will gradually become more negative with further core deplet ion and boron concentration reduction, 60ppm and 300ppm SR values of MTC should necessarily be less negative than the EOC LCO limit. The 60ppm and 300ppm SR value is sufficiently less negative than the EOC LCO limit value to ensure that the

LCO limit will be met when the Surveillance criterion is met.The 60ppm and 300ppm SR values are determined consistent with a natural (fresh) Boron-10 (B-10) isot opic abundance in the RCS boron. During normal operation, neutron, neutron absorption reduces the fraction of B-10 in the RCS boron concentration. When the plant operates at steady state full power during the cycle, boration is generally not required and the (continued)

MTC B 3.1.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-16Revision 57SURVEILLANCE REQUIREMENTS SR 3.1.3.2 (continued)B-10 is not replenished. A B-10 depletion model that accounts for the reduction in the B-10 isotopic abundance may be used to adjust the measured boron concentration to be mo re consistent with the calculational basis of the SR values.SR 3.1.3.2 is modified by three Notes that include the following requirements:1.The SR is not required to be performed until 7 effective full power days (EFPDs) after reaching the equivalent of an equilibrium RTP all rods out (ARO) boron concentrat ion of 300 ppm. The measured equilibrium boron concentration should be adjusted to RTP, ARO

conditions and may be adjusted for B-10 isotopic abundance. Normally, the measured concentration will be greater than the adjusted concentration near this time in cycle life. The SR should not be performed prior to the adjuste d concentration indicating 300ppm. The SR shall be performed prior to exceeding 7 EFPDs after achieving an adjusted concentration of 300ppm.2.If the 300ppm Surveillance limit is exceeded, it is possible that the EOC limit on MTC could be reached before the planned EOC. Because the MTC changes slowly with core depletion, the Frequency of 14effective full power days (EFPDs) is sufficient to avoid exceeding the EOC limit.3.The Surveillance limit for RTP boron concentration of 60ppm is conservative. If the measured MTC at 60ppm is more positive than the 60ppm Surveillance limit, the EOC limit will not be exceeded

because of the gradual manner in which MTC changes with core burnup.REFERENCES1.10CFR50, AppendixA, GDC11.

2.FSAR, Chapter15

.

Rod Group Alignment Limits B 3.1.4COMANCHE PEAK - UNITS 1 AND 2B 3.1-17Revision 57 B 3.1 REACTIVITY CONTROL SYSTEMSB 3.1.4 Rod Group Alignment Limits BASESBACKGROUNDThe OPERABILITY (i.e., trippability) of the shutdown and control rods is an initial assumption in all safety analyse s that assume rod insertion upon reactor trip. Maximum rod misalignment is an initial assumption in the safety analysis that directly affects core power distributions and assumptions of available SDM.The applicable criteria for these reactivity and power distribution design requirements are 10CFR50, AppendixA, GDC10, "Reactor Design," GDC26, "Reactivity Control System Redundancy and Capability" (Ref.1), and 10CFR50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Plants" (Ref.2).Mechanical or electrical failures may cause a control rod to become inoperable or to become misaligned from its group. Control rod inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available rod worth for reactor shutdown. Therefore, cont rol rod alignment and OPERABILITY are related to core operation in design p ower peaking limits and the core design requirement of a minimum SDM.Limits on control rod alignment have been established, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.Rod cluster control assemblies (RCCAs), or rods, are moved by their control rod drive mechanisms (CRDMs). Each CRDM moves its RCCA one step (approximately 5/8inch) at a time, but at varying rates (steps per minute) depending on the signal output from the Rod Control System.The RCCAs are divided among four control banks and five shutdown banks. Each bank may be further subdivided into two groups to provide for precise reactivity control. A group consists of two or more RCCAs that are electrically paralleled to step simultaneously. A bank of RCCAs typically consists of two groups that are moved in a staggered fashion, but always

within one step of each other.

The shutdown banks are maintained either in the fully inserted or fully withdrawn position. The control banks are moved in an overlap pattern, using the following withdrawal sequence: When control bankA reaches a predetermined height in the core, control bankB begins to move out with (continued)

Rod Group Alignment Limits B 3.1.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-18Revision 57 BACKGROUND (continued)control bankA. Control bankA stops at the position of maximum withdrawal, and control bankB continues to move out. When control bankB reaches a predetermined height, control bankC begins to move out with control bankB. This sequence continues until control banksA, B, andC are at the fully withdrawn position, and control bankD is approximately halfway withdrawn. The insertion sequence is the opposite of the withdrawal sequence. The control rods are arranged in a radially symmetric pattern, so that control bank motion does not introduce radial asymmetries in the core power distributions.

The axial position of shutdown rods and control rods is indicated by two separate and independent systems, which are the Bank Demand Position Indication System (commonly called group step counters) and the Digital Rod Position Indication (DRPI) System.The Bank Demand Position Indication System counts the pulses from the rod control system that moves the rods. There is one step counter for each group of rods. Individual rods in a group all receive the same signal to move and should, therefore, all be at the same position indicated by the group step counter for that group. The Bank Demand Position Indication System is considered highly precise (+/- 1step or +/-5/8 inch). If a rod does not move one step for each demand pulse, th e step counter will still count the pulse and incorrectly reflect the position of the rod.The DRPI System provides a highly accurate indication of actual rod position, but at a lower precision than the step counters. This system is based on inductive analog signals from a series of coils spaced along a hollow tube. To increase the reliability of the system, the inductive coils are connected alternately to data systemA orB. Thus, if one data system fails, the accuracy of the DRPI System will be reduced by half.The DRPI system is capable of monitoring rod position within at least +/-12 steps with either full accuracy or half accuracy.

APPLICABLE SAFETY ANALYSES Control rod misalignment accidents are analyzed in the safety analysis (Ref.3). The acceptance criteria for addressing control rod inoperability or misalignment are that:a.There be no violations of:1.specified acceptable fuel design limits, or(continued)

Rod Group Alignment Limits B 3.1.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-19Revision 57APPLICABLE SAFETY ANALYSES (continued)2.Reactor Coolant System (RCS) pressure boundary integrity; andb.The core remains subcritical after accident transients.Two types of misalignment are distinguished. During movement of a control rod group, one rod may stop moving, while the other rods in the group continue. This condition may cause excessive power peaking. The second type of misalignment occurs if one rod fails to insert upon a reactor trip and remains stuck fully withdrawn. This condition requires an evaluation to determine that sufficient reactivity worth is held in the control rods to meet the SDM requirement, with the maximum worth rod stuck fully withdrawn.Two types of analysis are performed in regard to static rod misalignment (Ref.3). With control banks at their insertion limits, one type of analysis considers the case when any one rod is completely inserted into the core.

The second type of analysis considers the case of a completely withdrawn single rod from a bank inserted to its insertion limit. An additional analysis is performed in which all rods but one ar e assumed to be fully withdrawn; the remaining rod is assumed to be fully inserted. Satisfying limits on departure from nucleate boiling ratio in these cases bounds the situation when a rod is misaligned from its group by 12steps.Another type of misalignment occurs if one RCCA fails to insert upon a reactor trip and remains stuck fully withdrawn. This condition is assumed in the evaluation to determine that the required SDM is met with the maximum worth RCCA also fully withdrawn (Ref.3).The Required Actions in this LCO ensure that either deviations from the alignment limits will be corrected or that THERMAL POWER will be adjusted so that excessive local linear heat rates (LHRs) will not occur, and that the

requirements on SDM and ejected rod worth are preserved.Continued operation of the reactor with a misaligned control rod is allowed if the heat flux hot channel factor (F Q (Z)) and the nuclear enthalpy hot channel factor are verified to be within their limits in the COLR and the safety analysis is verified to remain valid. When a control rod is misaligned, the assumptions that are used to determine the rod insertion limits, AFD limits, and quadrant power tilt limits are not preserved. Therefore, the limits may not preserve the design peaking factors, and F Q(Z) and must be verified(continued)

FH NFH N Rod Group Alignment Limits B 3.1.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-20Revision 57APPLICABLE SAFETY ANALYSES (continued)directly by core power distribution measurement. Bases Section3.2 (Power Distribution Limits) contains more complete discussions of the relation of F Q(Z) and to the operating limits.Shutdown and control rod OPERABILITY and alignment are directly related to power distributions and SDM, which are initial conditions assumed in safety analyses. Therefore they satisfy Criterion 2 of 10CFR50.36(c)(2)(ii).LCOThe limits on shutdown or control rod alignments ensure that the assumptions in the safety analysis will remain valid. The requirements on OPERABILITY ensure that upon reactor trip, the assumed reactivity will be available and will be inserted. The OPERABILITY requirements (i.e., trippability to meet SDM) are separate from the alignment requirements, which ensure that the RCCAs and banks maintain the correct power distribution and rod alignment. A rod is considered OPERABLE based on the last satisfactory performance of SR 3.1.4.2 and has met the rod drop time criteria during the last performance of SR 3.1.4.3. Rod control malfunctions that result in the inability to move a rod (e.g., rod urgent failures), which do not impact trippability within the time requirements of SR3.1.4.3, do not result in rod inoperability.The requirement to maintain the rod a lignment to within plus or minus 12steps of their group step counter demand position is conservative. The minimum misalignment assumed in safety analysis is 24steps (15inches),

and in some cases a total misalignment from fully withdrawn to fully inserted is assumed.Failure to meet the requirements of this LCO may produce unacceptable power peaking factors and LHRs, or unacceptable SDMs, all of which may constitute initial conditions inconsistent with the safety analysis.APPLICABILITYThe requirements on RCCA OPERABILITY and alignment are applicable in MODES1 and2, because these are the only MODES in which neutron (or fission) power is generated, and the OPERABILITY (i.e., trippability) and

alignment of rods have the potential to affect the safety of the plant. In MODES3, 4, 5, and6, the alignment limits do not apply because the rods are typically fully inserted and the re actor is shut down and not producing fission power. In the shutdown MODES, the OPERABILITY of the shutdown and control rods has the potential to affect the required SDM, but this effect(continued)

FH N Rod Group Alignment Limits B 3.1.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-21Revision 57 APPLICABILITY (continued)can be compensated for by an increase in the boron concentration of the RCS. See LCO3.1.1 , "SHUTDOWN MARGIN (SDM)," for SDM in MODES2 with keff < 1.0, 3, 4, and5 and LCO3.9.1, "Boron Concentration," for boron concentration requirements during refueling.ACTIONSA.1.1 and A.1.2When one or more rods are inoperable (i.e.,untrippable), there is a possibility that the required SDM may be adversely affected. Under these conditions, it is important to determine the SDM, and if it is less than the required value, initiate boration until the required SDM is recovered. The Completion Time of 1hour is adequate for determining SDM and, if necessary, for initiating boration to restore SDM. It is assumed that boration will continue until SDM requirements are met.In this situation, SDM verification must include the worth of the untrippable rod (at its present position or greater (e.g., full out), to ensure the position used is conservative with respect to SDM verification), as well as the rod of maximum worth.

A.2 If the inoperable rod(s) cannot be restored to OPERABLE status, the plant must be brought to a MODE or condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE3 within 6hours.The allowed Completion Time is reasonable, based on operating experience, for reaching MODE3 from full power conditions in an orderly manner and without challenging plant systems.

B.1When a rod becomes misaligned, it can usually be moved and is still trippable (i.e., OPERABLE). If the rod can be realigned within the Completion Time of 1hour, local xenon redistribution during this short interval will not be significant, and oper ation may proceed without further restriction.An alternative to realigning a single misaligned RCCA to the group demand position is to align the remainder of the group to the position of the (continued)

Rod Group Alignment Limits B 3.1.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-22Revision 57ACTIONSB.1 (continued)misaligned RCCA. However, this must be done without violating the bank sequence, overlap, and insertion limits specified in LCO3.1.5 , "Shutdown Bank Insertion Limits," and LCO3.1.6 , "Control Bank Insertion Limits." The Completion Time of 1hour gives the operator sufficient time to adjust the rod positions in an orderly manner.B.2.1.1 and B.2.1.2With a misaligned rod, SDM must be verified to be within limit or boration

must be initiated to restore SDM to within limit. Verification of shutdown banks fully withdrawn and the control banks within the limits of LCO 3.1.6 , "CONTROL BANK INSERTION LIMITS" ensure SDM is maintained provided the misaligned rod is above the insertion limits.In many cases, realigning the remainder of the group to the misaligned rod may not be desirable. For example, realigning control bankB to a rod that is misaligned 15steps from the top of the core would require a significant power reduction, since control bankD must be fully inserted and control bankC must be inserted to approximately 100to 115steps.Power operation may continue with one RCCA OPERABLE (i.e., trippable) but misaligned, provided that SDM is verified within 1hour. The Completion Time of 1hour represents the time necessary for determining the actual unit SDM and, if necessary, aligning and starting the necessary systems and components to initiate boration. It is assumed that boration will continue until SDM requirements are met.B.2.2, B.2.3, B.2.4, B.2.5, and B.2.6For continued operation with a misaligned rod, reactor power must be reduced, SDM must periodically be verified within limits, hot channel factors (F Q(Z) and ) must be verified within limits, and the safety analyses must be re-evaluated to confirm c ontinued operation is permissible.Reduction of power to 75%RTP ensures that local LHR increases due to a misaligned RCCA will not cause the core design criteria to be exceeded

(Ref.3) The Completion Time of 2hours gives the operator sufficient time to accomplish an orderly power reduct ion without challeng ing the Reactor Protection System.When a rod is known to be misaligned, there is a potential to impact the SDM. Since the core conditions can change with time, periodic verification of SDM is required. A Frequency of 12hours is sufficient to ensure this requirement continues to be met.(continued)

FH N Rod Group Alignment Limits B 3.1.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-23Revision 57ACTIONSB.2.2, B.2.3, B.2.4, B.2.5, and B.2.6 (continued)Verifying that F Q (Z), as approximated by F Q C (Z) and F Q W(Z), and are within the required limits ensures that current operation at 75%RTP with a rod misaligned is not resulting in power distributions that may invalidate safety analysis assumptions at full power. The Completion Time of 72hours allows sufficient time to obtain a core power distribution measurement and to calculate F Q(Z) and .Once current conditions have been veri fied acceptable, time is available to perform evaluations of the affected accident analysis to determine that core limits will not be exceeded during a Design Basis Event for the duration of operation under these conditions. The accident analyses presented in FSAR Chapter 15 (Ref. 3) that may be adversely affected will be evaluated to ensure that the analyses results remain valid for the duration of continued operation under these conditions. A Completion Time of 5days is sufficient time to obtain the required input data and to perform the analysis.

C.1 When Required Actions of Condition B cannot be completed within their Completion Time, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE3 within 6hours, which obviates concerns about the development of undesirable xenon or power distributions. The allowed Completion Time of 6hours is reasonable, based on operating experience, for reaching MODE3 from full power conditions in an orderly manner and without challenging the plant systems.

D.1.1 and D.1.2More than one control rod becomin g misaligned from its group demand position is not expected, and has the potential to reduce SDM. Therefore, SDM must be evaluated. Verification of shutdown banks fully withdrawn and the control banks within the limits of LCO 3.1.6 , "CONTROL BANK INSERTION LIMITS" ensure SDM is maintained provided the misaligned rod is above the insertion limit. One hour allows the operator adequate time to determine SDM. Restoration of the required SDM, if necessary, requires increasing the RCS boron concentration to provide negative reactivity, as described in the Bases of LCO3.1.1. The required Completion Time of 1hour for initiating boration is reasonable, based on the time required for potential xenon redistribution, the low probability of an accident occurring, and the steps required to complete the action. This allows the operator sufficient time to align the required v alves and start the required pumps. Boration will continue until the required SDM is restored.(continued)

FH N FH N Rod Group Alignment Limits B 3.1.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-24Revision 57ACTIONS (continued)

D.2If more than one rod is found to be misaligned or becomes misaligned because of bank movement, the unit c onditions fall outside of the accident analysis assumptions. Since automatic bank sequencing would continue to cause misalignment, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE3 within 6hours.The allowed Completion Time is reasonable, based on operating experience, for reaching MODE3 from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE REQUIREMENTSSR 3.1.4.1Verification that individual rod positions are within alignment limits at a Frequency of 12hours provides a history that allows the operator to detect a rod that is beginning to deviate from its expected position. If the rod position deviation monitor is inoperable, the Frequency is increased to 4hours per TRM requirement TRS 13.1.37.1 which a ccomplishes the same goal. The specified Frequency takes into account othe r rod position information that is continuously available to the operator in the control room, so that during actual rod motion, deviations can immediately be detected.SR 3.1.4.2Verifying each control rod is OPERABLE would require that each rod be tripped. However, in MODES1 and2, tripping each control rod would result in radial or axial power tilts, or oscillations. Exercising each individual control rod every 92days provides increased confidence that all rods continue to be OPERABLE without exceeding the alignment limit, even if they are not regularly tripped. Moving each control rod by 10steps will not cause radial or axial power tilts, or oscillations, to occur. The 92day Frequency takes into consideration other information available to the operator in the control room and SR 3.1.4.1, which is performed more frequently and adds to the determination of OPERABILITY of the rods. Between or during required performances of SR 3.1.4.2 (determination of control rod OPERABILITY by movement), if a control rod(s) is discovered to be immovable, but remains trippable, the control rod(s) is considered to be OPERABLE until the surveillance interval expires. At any time, if a control rod(s) is immovable, a determination of the trippability (OPERABILITY) of the control rod(s) must be made, and appropriate action taken.(continued)

Rod Group Alignment Limits B 3.1.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-25Revision 57SURVEILLANCE REQUIREMENTS (continued)

SR 3.1.4.3Verification of rod drop times allows the operator to determine that the maximum rod drop time permitted is consistent with the assumed rod drop time used in the safety analysis. Measuring rod drop times prior to reactor criticality, after reactor vessel head removal, ensures that the reactor internals and rod drive mechanism will not interfere with rod motion or rod drop time, and that no degradation in these systems has occurred that would adversely affect control rod motion or drop time. This testing is performed with all RCPs operating and the average moderator temperature 500°F to simulate a reactor trip under actual conditions.This Surveillance is performed during a plant outage, due to the plant conditions needed to perform the SR and the potential for an unplanned plant transient if the Surveillance were performed with the reactor at power.REFERENCES1.10CFR50, AppendixA, GDC10 andGDC26.2.10CFR50.46.

3.FSAR, Chapter15

.

Shutdown Bank Insertion Limits B 3.1.5COMANCHE PEAK - UNITS 1 AND 2B 3.1-26Revision 57 B 3.1 REACTIVITY CONTROL SYSTEMSB 3.1.5 Shutdown Bank Insertion Limits BASESBACKGROUNDThe insertion limits of the shutdown and control rods are initial assumptions in all safety analyses that assume rod insertion upon reactor trip. The insertion limits directly affect core power and fuel burnup distributions and assumptions of available ejected rod worth, SDM and initial reactivity insertion rate.The applicable criteria for these reactivity and power distribution design requirements are 10CFR50, AppendixA, GDC10, "Reactor Design," GDC26, "Reactivity Control System Redundancy and Capability," GDC 28, "Reactivity Limits" (Ref.1), and 10CFR50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref.2). Limits on control rod insertion have been established, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.

The rod cluster control assemblies (RCCAs) are divided among four control banks and five shutdown banks. Each bank may be further subdivided into two groups to provide for precise reactivity control. A group consists of two or more RCCAs that are electrically paralleled to step simultaneously. A bank of RCCAs typically consists of two groups that are moved in a staggered fashion, but always within one step of each other. See LCO3.1.4 , "Rod Group Alignment Limits," for c ontrol and shutdown rod OPERABILITY and alignment requirements, and LCO3.1.7, "Rod Position Indication," for position indication requirements.

The control banks are used for precise reactivity control of the reactor. The positions of the control banks can be automatically controlled by the Rod Control System or manually controlled by the reactor operators. They are capable of adding negative reactivity very quickly (compared to borating). The control banks must be maintained above designed insertion limits and are typically near the fully withdrawn position during normal full power operations. Hence, they are not capable of adding a large amount of positive reactivity. Boration or dilution of the Reactor Coolant System (RCS) compensates for the reactivity changes associated with large changes in RCS temperature.

The design calculations are performed with the assumption that the shutdown banks are withdrawn first. The shutdown banks can be fully withdrawn without the core going critical. This provides available negative (continued)

Shutdown Bank Insertion Limits B 3.1.5 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-27Revision 57 BACKGROUND (continued)reactivity in the event of boration errors. The shutdown banks are controlled manually by the control room operator. During normal unit operation, the shutdown banks are either fully withdrawn or fully inserted. The shutdown banks must be completely withdrawn from the core, prior to withdrawing any control banks during an approach to criticality. The shutdown banks are then left in this position until the reactor is shut down. They affect core power and burnup distribution, and add negative reactivity to shut down the reactor upon receipt of a reactor trip signal.

APPLICABLE SAFETY ANALYSES On a reactor trip, all RCCAs (shutdown banks and control banks), except the most reactive RCCA, are assumed to insert into the core. The shutdown banks shall be at or above their insertion limits and available to insert the maximum amount of negative reactivity on a reactor trip signal. The control banks may be partially inserted in the core, as allowed by LCO3.1.6 , "Control Bank Insertion Limits." The shutdown bank and control bank insertion limits are established to ensure that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM (see LCO3.1.1 , "SHUTDOWN MARGIN (SDM)") following a reactor trip from full power. The combination of control banks and shutdown banks (less the most reactive RCCA, which is assumed to be fully withdrawn) is sufficient to take the reactor from full power conditions at rated temperature to zero power, and to maintain the required SDM at rated no load temperature (Ref.3). The shutdown bank insertion limit also limits the reactivity worth of an ejected shutdown rod.The acceptance criteria for addre ssing shutdown and control rod bank insertion limits and inoperability or misalignment is that:a.There be no violations of:1.specified acceptable fuel design limits, or2.RCS pressure boundary integrity; andb.The core remains subcritical after accident transients.

As such, the shutdown bank insertion limits affect safety analysis involving core reactivity and SDM (Ref.3).The shutdown bank insertion limits preserve an initial condition assumed in the safety analyses and, as such, satisfy Criterion2 of 10CFR50.36(c)(2)(ii).(continued)

Shutdown Bank Insertion Limits B 3.1.5 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.1-28Revision 57LCOThe shutdown banks must be within their insertion limits any time the reactor is critical or approaching criticality. This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip.

The shutdown bank insertion limits are defined in the COLR.APPLICABILITYThe shutdown banks must be within their insertion limits, with the reactor in MODE1 and in Mode 2 with any control bank not fully inserted. The applicability in MODE2 begins prior to initial control bank withdrawal, during an approach to criticality, and continues throughout MODE2, until all control bank rods are again fully inserted by reactor trip or by shutdown. This ensures that a sufficient amount of negat ive reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip. The shutdown banks do not have to be within their insertion limits in MODE3, unless an approach to criticality is being made. In MODE3, 4, 5, or6, the shutdown banks are typically fully inserted in the core and contribute to the SDM. Refer to LCO3.1.1 for SDM requirements in MODES2 with k eff < 1.0, 3, 4, and5. LCO3.9.1 , "Boron Concentration," ensures adequate SDM in MODE6.The Applicability requirements have been modified by a Note indicating the LCO requirement is suspended during SR 3.1.4.2. This SR verifies the freedom of the rods to move, and requires the shutdown bank to move below the LCO limits, which would normally violate the LCO.ACTIONSA.1.1, A.1.2 and A.2 When one or more shutdown banks is not within insertion limits, 2hours is allowed to restore the shutdown banks to within the insertion limits. This is necessary because the available SDM may be significantly reduced, with one or more of the shutdown banks not within their insertion limits. Also, verification of SDM or initiation of boration within 1hour is required, since the SDM in MODES1 and2 is ensured by adhering to the control and shutdown bank insertion limits (see LCO3.1.1). If shutdown banks are not within their insertion limits, then SDM will be verified by performing a reactivity balance calculation, considering the effects listed in the BASES for SR3.1.1.1. When boration is initiated to restore SDM to within limits, it is assumed that boration will continue until SDM requirements are met.The allowed Completion Time of 2hours provides an acceptable time for evaluating and repairing minor problems without allowing the plant to remain in an unacceptable condition for an extended period of time.(continued)

Shutdown Bank Insertion Limits B 3.1.5 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-29Revision 57ACTIONSA.1.1, A.1.2 and A.2 (continued)The allowed Completion Time of 2hours provides an acceptable time for evaluating and repairing minor problems without allowing the plant to remain in an unacceptable condition for an extended period of time.

B.1If the shutdown banks cannot be restored to within their insertion limits within 2hours, the unit must be brought to MODE3 where the LCO is not applicable. The allowed Completion Time of 6hours is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE

REQUIREMENTS SR 3.1.5.1Verification that the shutdown banks ar e within their insertion limits prior to an approach to criticality ensures that when the reactor is critical, or being taken critical, the shutdown banks will be available to shut down the reactor, and the required SDM will be maintained following a reactor trip. This SR and Frequency ensure that the shutdown banks are within limits during a unit startup and subsequent operation.

Since the shutdown banks are positi oned manually by the control room operator, a verification of shutdown bank position at a Frequency of 12hours is adequate to ensure that they are within their insertion limits. Also, the 12hour Frequency takes into account other information available in the control room for the purpose of monitoring the status of shutdown rods.REFERENCES1.10CFR50, AppendixA, GDC10, GDC26, and GDC 28.2.10CFR50.46.

3.FSAR, Chapter15

.

Control Bank Insertion Limits B 3.1.6COMANCHE PEAK - UNITS 1 AND 2B 3.1-30Revision 57 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.6 Control Bank Insertion Limits BASESBACKGROUNDThe insertion limits of the shutdown and control rods are initial assumptions in all safety analyses that assume rod insertion upon reactor trip. The insertion limits directly affect core power and fuel burnup distributions and assumptions of available SDM, a nd initial reactivity insertion rate. The applicable criteria for these reactivity and power distribution design requirements are 10CFR50, AppendixA, GDC10, "Reactor Design," GDC26, "Reactivity Control System Redundancy and Capability," GDC 28, "Reactivity Limits" (Ref.1), and 10CFR50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref.2). Limits on control rod insertion have been established, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power

peaking and SDM limits are preserved.

The rod cluster control assemblies (RCCAs) are divided among four control banks and five shutdown banks. Each bank may be further subdivided into two groups to provide for precise reactivity control. A group consists of two or more RCCAs that are electrically paralleled to step simultaneously. A bank of RCCAs consists of two groups that are moved in a staggered fashion, but always within one step of each other. See LCO3.1.4 , "Rod Group Alignment Limits," for contr ol and shutdown rod OPERABILITY and alignment requirements, and LCO3.1.7, "Rod Position Indication," for position indication requirements.The control bank insertion limits are specified in the COLR. The control banks are required to be at or above the insertion limit lines.The COLR figure also indicates how the control banks are moved in an overlap pattern. Overlap is the distance travelled together by two control banks. The fully withdrawn position is defined in the COLR.The control banks are used for precise reactivity control of the reactor. The positions of the control banks can be controlled automatically by the Rod Control System, or manually by the reactor operators. They are capable of adding reactivity very quickly (compared to borating or diluting).The power density at any point in the core must be limited, so that the fuel design criteria are maintained. Together, LCO3.1.4 , LCO3.1.5 , "Shutdown Bank Insertion Limits," LCO 3.1.6 , LCO3.2.3 , "AXIAL FLUX DIFFERENCE (continued)

Control Bank Insertion Limits B 3.1.6 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-31Revision 57 BACKGROUND (continued)(AFD)," and LCO3.2.4 , "QUADRANT POWER TILT RATIO (QPTR)," provide limits on control component operation and on monitored process variables, which ensure that the core operates within the fuel design criteria.The shutdown and control bank insertion and alignment limits, AFD, and QPTR are process variables that together characterize and control the three dimensional power distribution of the reactor core. Additionally, the control bank insertion limits control the reactivity that could be added in the event of a rod ejection accident, and the shutdown and control bank insertion limits ensure the required SDM is maintained.Operation within the subject LCO limits will prevent fuel cladding failures that would breach the primary fission product barrier and release fission products to the reactor coolant in the event of a loss of coolant accident (LOCA), loss of flow, ejected rod, or other accident requiring termination by a Reactor Trip System (RTS) trip function.

APPLICABLE SAFETY ANALYSESThe shutdown and control bank insertion limits, AFD, and QPTR LCOs are required to prevent power distributions that could result in fuel cladding failures in the event of a LOCA, loss of flow, ejected rod, or other accident requiring termination by an RTS trip function.The acceptance criteria for addressing shutdown and control bank insertion limits and inoperability or misalignment are that:a.There be no violations of:1.specified acceptable fuel design limits, or2.Reactor Coolant System pressure boundary integrity; andb.The core remains subcritical after accident transients.

As such, the shutdown and control bank insertion limits affect safety analysis involving core reactivity and power distributions (Ref.3).The SDM requirement is ensured by limiting the control and shutdown bank insertion limits so that allowable inserted worth of the RCCAs is such that

sufficient reactivity is available in the rods to shut down the reactor to hot zero power with a reactivity margin that assumes the maximum worth RCCA remains fully withdrawn upon trip (Ref.3).(continued)

Control Bank Insertion Limits B 3.1.6 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-32Revision 57APPLICABLE SAFETY ANALYSES (continued)Operation at the insertion limits or AFD limits may approach the maximum allowable linear heat generation rate or peaking factor with the allowed QPTR present. Operation at the insertion limit may also indicate the maximum ejected RCCA worth could be equal to the limiting value in fuel cycles that have sufficiently high ejected RCCA worths.The control and shutdown bank insertion limits ensure that safety analyses assumptions for SDM, ejected rod worth, and power distribution peaking factors are preserved (Ref.3).Implicit in all calculations which involve the bank insertion limits is the assumption that normal control bank sequence and overlap are maintained.The insertion limits satisfy Criterion2 of 10CFR50.36(c)(2)(ii), in that they are initial conditions assumed in the safety analysis.LCOThe limits on control banks sequence, overlap, and physical insertion, as defined in the COLR, must be maintained because they serve the function of preserving power distribution, ensuring that the SDM is maintained, ensuring that ejected rod worth is maintained, and ensuring adequate negative reactivity insertion is available on trip. The overlap between control banks provides more uniform rates of reacti vity insertion and withdrawal and is imposed to maintain acceptable power peaking during control bank motion.APPLICABILITYThe control bank sequence, overlap, and physical insertion limits shall be maintained with the reactor in MODES1 and2 with k eff 1.0. These limits must be maintained, since they preserve the assumed power distribution, ejected rod worth, SDM, and reactivity rate insertion assumptions. Applicability in MODES3, 4, and5 is not required, since neither the power distribution nor ejected rod worth assumptions would be exceeded in these MODES.The applicability requirements have been modified by a Note indicating the LCO requirements are suspended during the performance of SR 3.1.4.2. This SR verifies the freedom of the rods to move, and requires the control bank to move below the LCO limits, which would violate the LCO.(continued)

Control Bank Insertion Limits B 3.1.6 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.1-33Revision 57ACTIONSA.1.1, A.1.2, A.2, B.1.1, B.1.2, and B.2When the control banks are outside the acceptable insertion limits, they must be restored to within those limits. This restoration can occur in two ways:a.Reducing power to be consistent with rod position; or b.Moving rods to be consistent with power.Also, verification of SDM or initiation of boration to regain SDM is required within 1hour, since the SDM in MODES1 and2 normally ensured by adhering to the control and shutdown bank insertion limits (see LCO3.1.1 , "SHUTDOWN MARGIN (SDM)") has been upset. When boration is initiated to restore SDM to within limits, it is assumed that boration will continue until SDM requirements are met. If control banks are not within their insertion limits, then SDM will be verified by performing a reactivity balance calculation, considering the effects listed in the BASES for SR3.1.1.1.Similarly, if the control banks are found to be out of sequence or in the wrong overlap configuration, they must be restored to meet the limits. For Required Action B.1.1, verification of shut down banks fully wit hdrawn and control banks within the insertion limits ensure SDM is maintained.Operation beyond the LCO limits is allowed for a short time period in order to take conservative action because the simultaneous occurrence of either a

LOCA, loss of flow accident, ejected rod accident, or other accident during this short time period, together with an inadequate power distribution or reactivity capability, has an acceptably low probability.The allowed Completion Time of 2hours for restoring the banks to within the insertion, sequence, and overlaps limits provides an acceptable time for evaluating and repairing minor problems without allowing the plant to remain in an unacceptable condition for an extended period of time.

C.1If Required ActionsA.1 andA.2, orB.1 andB.2 cannot be completed within the associated Completion Times, the plant must be brought to MODE3, where the LCO is not applicable. The allowed Completion Time of 6hours is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.(continued)

Control Bank Insertion Limits B 3.1.6 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.1-34Revision 57SURVEILLANCE REQUIREMENTS SR 3.1.6.1This Surveillance is required to ensure that the reactor does not achieve criticality with the control banks below their insertion limits.The estimated critical condition (ECC) depends upon a number of factors, one of which is xenon concentration. If the ECC was calculated long before criticality, xenon concentration could change to make the ECC substantially

in error. Conversely, determining the ECP immediately before criticality could be an unnecessary burden. There are a number of unit parameters requiring operator attention at that point. Performing the ECC calculation within 4hours prior to criticality avoids a large error from changes in xenon concentration, but allows the operator some flexibility to schedule the ECC calculation with other startup activities.SR 3.1.6.2Verification of the control bank insertion limits at a Frequency of 12hours is sufficient to ensure OPERABILITY and to detect control banks that may be approaching the insertion limits since, normally, very little rod motion occurs in 12hours.

SR 3.1.6.3There is a potential that, with only a limit on rod insertion, the RCCAs could be placed in a sequence or overlap position, perhaps during troubleshooting activities or other abnormal plant conditions, that would violate core flux

peaking factors while still satisfying the limits on rod insertion. This scenario is most likely to occur at reduced po wer following an automatic runback or due to an administrative power reduction in response to some rod control abnormality.This surveillance ensures that the rod configuration across the core for any given operating condition will not result in unanalyzed peaking factors. The surveillance is not designed to test or ve rify the function of the Rod Control sequence and overlap circuits. In practice, this surveillance will be satisfied as long as the rod positions are in the positions specified in the COLR , regardless of the operability of the sequence and overlap circuits. The intent is to check the rod position to verify that the rods are in the expected positions as described in the COLR. If all rods are out of the core when the check is made, then rod sequence and overlap limits are satisfied for the purpose of this surveillance. At all power levels, the rod positions should

conform to the requirements of the COLR for rod sequence and overlap. Implicit within the LCO is the assumption that bank sequence and overlap(continued)

Control Bank Insertion Limits B 3.1.6 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-35Revision 57SURVEILLANCE REQUIREMENTS SR 3.1.6.3 (continued)must be maintained during rod movement. When control banks are maintained within their insertion limits as checked by SR 3.1.6.2 above, it is unlikely that their sequence and overlap will not be in accordance with

requirements provided in the COLR. A Frequency of 12hours is consistent with the insertion limit check above in SR 3.1.6.2.REFERENCES1.10CFR50, AppendixA, GDC10, GDC26, GDC 28.2.10CFR50.46.

3.FSAR, Chapter 15

.

Rod Position Indication B 3.1.7COMANCHE PEAK - UNITS 1 AND 2B 3.1-36Revision 57 B 3.1 REACTIVITY CONTROL SYSTEM B 3.1.7 Rod Position Indication BASESBACKGROUNDAccording to GDC13 (Ref.1), instrumentation to monitor variables and systems over their operating ranges during normal operation, anticipated operational occurrences, and accident conditions must be OPERABLE.

LCO 3.1.7 is required to ensure OPERABIL ITY of the control rod position indicators to determine control rod positions and thereby ensure compliance with the control rod alignment and insertion limits.The OPERABILITY, including posit ion indication, of the shutdown and control rods is an initial assumption in all safety analyses that assume rod insertion upon reactor trip. Maximum rod misalignment is an initial assumption in the safety analysis that directly affects core power distributions and assumptions of available SDM. Rod position indication is required to assess OPERABILITY and misalignment.Mechanical or electrical failures may cause a control rod to become inoperable or to become misaligned from its group. Control rod inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available rod worth for reactor shutdown. Therefore, contr ol rod alignment and OPERABILITY are related to core operation in design p ower peaking limits and the core design requirement of a minimum SDM.Limits on control rod alignment and OPERABILITY have been established, and all rod positions are monitored and controlled du ring power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.Rod cluster control assemblies (RCCAs), or rods, are moved out of the core (up or withdrawn) or into the core (down or inserted) by their control rod drive mechanisms. The RCCAs are divided among control banks and shutdown banks. Each bank may be further subdivided into two groups to provide for precise reactivity control.

The axial position of shutdown rods and control rods are determined by two separate and independent systems: the Bank Demand Position Indication System (commonly called group step counters) and the Digital Rod Position Indication (DRPI) System.The Bank Demand Position Indication System counts the pulses from the Rod Control System that move the rods. There is one step counter for each(continued)

Rod Position Indication B 3.1.7 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-37Revision 57 BACKGROUND (continued)group of rods. Individual rods in a group all receive the same signal to move and should, therefore, all be at the same position indicated by the group step counter for that group. The Bank Demand Position Indication System is

considered highly precise (1step or 5/8inch). If a rod does not move one step for each demand pulse, the step counter will still count the pulse and incorrectly reflect the position of the rod.The DRPI System provides a highly accurate indication of actual rod position, but at a lower precision than the step counters. This system is based on inductive analog signals from a series of coils spaced along a hollow tube. To increase the reliability of the system, the inductive coils are connected alternately to data systemA orB. Thus, if one system fails, the DRPI will go on half accuracy. The DRPI System is capable of monitoring rod position within at least 12 steps with either full accuracy or half accuracy.APPLICABLE

SAFETY ANALYSESControl and shutdown rod position accuracy is essential during power operation. Power peaking, ejected rod worth, or SDM limits may be violated in the event of a Design Basis Accident (Ref.2), with control or shutdown rods operating outside their limits undetected. Therefore, the acceptance criteria for rod position indication is that rod positions must be known with sufficient accuracy in order to verify the core is operating within the group sequence, overlap, design peaking limits, ejected rod worth, and with

minimum SDM (LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO3.1.6 , "Control Bank Insertion Limits"). The rod positions must also be known in order to verify the alignment limits are preserved (LCO3.1.4, "Rod Group Alignment Limits"). Control rod positions are continuously monitored to provide operators with information that ensures the plant is operating within the bounds of the accident analysis assumptions.The control rod position indicator channels satisfy Criterion2 of 10CFR50.36(c)(2)(ii). The control rod position indicators monitor control rod

position, which is an initial co ndition of the accident.LCOLCO3.1.7 specifies that the DRPI System and Bank Demand Position Indication System be OPERABLE for each control rod. For the control rod position indicators to be OPERABLE requires meeting the SR of the LCO and the following:a.The DRPI System, on either full accuracy or half accuracy, indicates within 12 steps of the group st ep counter demand position as (continued)

Rod Position Indication B 3.1.7 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-38Revision 57 LCO (continued) required by LCO 3.1.4 , "Rod Group Alignment Limits"; andb.The Bank Demand Indication System has been calibrated either in the fully inserted position or to the DRPI System.The 12 step agreement limit between the Bank Demand Position Indication System and the DRPI System indicates that the Bank Demand Position Indication System is adequately calibrated, and can be used for indication of the measurement of control rod bank position.A deviation of less than the allowable limit, given in LCO 3.1.4, in position indication for a single control rod, ensu res high confidence that the position uncertainty of the corresponding control rod group is within the assumed values used in the analysis (that specified control rod group insertion limits).

These requirements ensure that control rod position indication during power operation and PHYSICS TESTS is accurate, and that design assumptions are not challenged. OPERABILITY of the position indicator channels ensures that inoperable, misaligned, or mispositioned control rods can be detected. Therefore, power peaking, ejected rod worth, and SDM can be controlled within acceptable limits.APPLICABILITYThe requirements on the DRPI and step counters are only applicable in MODES 1 and 2 (consistent with LCO 3.1.4 , LCO 3.1.5 and LCO3.1.6), because these are the only MODES in which power is generated, and the OPERABILITY and alignment of rods have the potential to affect the safety of the plant. In the shutdown MODES, the OPERABILITY of the shutdown and control banks has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the

Reactor Coolant System.ACTIONSThe ACTIONS table is modified by a Note indicating that a separate Condition entry is allowed for each inoperable rod position indicator and

each demand positio n indicator. This is acceptable because the Required Actions for each Condition provide appropriate compensatory actions for each inoperable position indicator. The note applies to an inoperable rod position indication (DRPI) on a "per group" basis and the demand position indication on a "per bank" basis. Applying the note to a "per group" and "per bank" basis is appropriate since t he only Conditions available for DRPI are "per group" (Conditions A and B), and for demand indication is "per bank" (Condition D).(continued)

Rod Position Indication B 3.1.7 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-39Revision 57 ACTIONS (continued)

A.1 When one DRPI per group fails, the po sition of the rod may still be indirectly determined by use of the incore movable detectors or an OPERABLE PDMS. The Required Action may also be satisfied by ensuring at least once per 8hours that F Q satisfies LCO3.2.1, satisfies LCO3.2.2 , and SHUTDOWN MARGIN is within the limits provided in the COLR , provided the nonindicating rods have not been moved. Based on experience, normal power operation does not require excessive movement of banks. If a bank has been significantly moved, the Required Action of C.1 orC.2 below is

required. Therefore, verification of RCCA position within the Completion Time of 8hours is adequate for allowing continued full power operation, since the probability of simultaneously having a rod significantly out of position and an event sensitive to that rod position is small.

A.2 Reduction of THERMAL POWER to 50%RTP puts the core into a condition where rod position is not significantly affecting core peaking factors (Ref. 2).The allowed Completion Time of 8hours is reasonable, based on operating experience, for reducing power to 50%RTP from full power conditions without challenging plant systems and allowing for rod position determination by Required ActionA.1 above.

B.1, B.2, B.3 and B.4When more than one DRPI per group fail, additional actions are necessary to ensure that acceptable power distribution limits are maintained, minimum SDM is maintained, and the potentia l effects of rod misalignment on associated accident analyses are limited. Placing the Rod Control System in

manual assures unplanned rod motion will not occur. Together with the indirect position determination available via movable incore detectors will minimize the potential for rod misalignment.The immediate Completion Time for placing the Rod Control System in manual reflects the urgency with which unplanned rod motion must be prevented while in this Condition. Monitoring and recording reactor coolant

T avg help assure that significant ch anges in power distribution and SDM are avoided. The once per hour Completion Time is acceptable because only minor fluctuations in RCS temperature are expected at steady state plant operating conditions.(continued)

FH Rod Position Indication B 3.1.7 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-40Revision 57ACTIONSB.1, B.2, B.3 and B.4 (continued)The position of the rods may be determined indirectly by use of the movable incore detectors or an OPERABLE PDMS. The Required Action may also be satisfied by ensuring at least once per 8hours that F Q satisfies LCO3.2.1, satisfies LCO3.2.2, and SHUTDOWN MARGIN is within the limits provided in the COLR , provided the nonindicating rods have not been moved. Verification of RCCA position once per 8hours is adequate for allowing continued full power operation for a limited, 24hour period, since the probability of simultaneously having a rod significantly out of position and an event sensitive to that rod position is small. The 24hour Completion Time provides sufficient time to troubleshoot and restore the DRPI system to operation while avoiding the plant challenges associated with a shutdown without full rod position indication (Ref.4).Based on operating experience, normal power operation does not require excessive rod movement. If one or more rods has been significantly moved, the Required Action of C.1 orC.2 below is required.C.1 andC.2These Required Actions clarify that when one or more rods with inoperable position indicators have been moved in excess of 24steps in one direction, since the position was last determined, the Required Actions of A.1 andA.2 or B.3 are still appropriate but must be initiated promptly under Required ActionC.1 to begin indirectly verifying that these rods are still properly positioned, relative to their group po sitions using the movable incore detectors.If, within 4hours, the rod positions have not been determined, THERMAL POWER must be reduced to 50%RTP within 8hours to avoid undesirable power distributions that could result from continued operation at 50%RTP, if one or more rods are misaligned by more than 24steps. The allowed Completion Time of 4hours provides an acceptable period of time to verify the rod positions.

D.1.1 and D.1.2With one demand position indicator per bank inoperable, the rod positions can be determined by the DRPI System. Since normal power operation does not require excessive movement of rods, verification by administrative means (e.g., observation of appropriate DRPI status indications) that the rod position indicators are OPERABLE and the most withdrawn rod and the least withdrawn rod are 12steps apart within the allowed Completion Time of once every 8hours is adequate.(continued)

FH Rod Position Indication B 3.1.7 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-41Revision 57 ACTIONS (continued)

D.2 Reduction of THERMAL POWER to 50%RTP puts the core into a condition where rod position is not significantly affecting core peaking factor limits (Ref.3). The allowed Completion Time of 8hours provides an acceptable period of time to verify the rod positions per Required ActionsC.1.1 andC.1.2 or reduce power to 50%RTP.E.1 If the Required Actions cannot be completed within the associated Completion Time, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must be brought to at least MODE3 within 6hours. The allowed Completion Time is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE REQUIREMENTS SR 3.1.7.1Verification that the DRPI agrees with the demand position within 12steps ensures that the DRPI is operating correctly. Verification at 24, 48, 120, and 228 steps for the control banks and at 18, 210, and 228 steps for the shutdown banks provides assurance that the DRPI is operating correctly over the full range of indication. Since the DRPI does not display the actual shutdown rod positions between 18 and 210steps, only points within the indicated ranges are re quired in comparison.This surveillance is performed prior to reactor criticality after each removal of the reactor vessel head, since there is potential for unnecessary plant transients if the SR were performed with the reactor at power.REFERENCES1.10CFR50, AppendixA, GDC13.

2.FSAR, Chapter15

.

PHYSICS TESTS Exceptions - MODE 2 B 3.1.8COMANCHE PEAK - UNITS 1 AND 2B 3.1-42Revision 57 B 3.1 REACTIVITY CONTROL SYSTEMSB 3.1.8 PHYSICS TESTS Exceptions - MODE2 BASESBACKGROUNDThe primary purpose of the MODE2 PHYSICS TESTS exceptions is to permit relaxations of existing LCOs to allow certain PHYSICS TESTS to be performed.SectionXI of 10CFR50, AppendixB (Ref.1), requires that a test program be established to ensure that structures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that the specified design conditions are not exceeded during normal operation and anticipated operational occurrences must be tested. This testing is an integral part of the design, construction, and operation of the plant. Requirements for notification of the NRC, for the purpose of conducting tests and experiments, are specified in 10CFR50.59 (Ref.2).The key objectives of a test program are to (Ref.3):a.Ensure that the facility has been adequately designed; b.Validate the analytical models used in the design and analysis;c.Verify the assumptions used to predict unit response;d.Ensure that installation of equipment in the facility has been accomplished in accordance with the design; ande.Verify that the operating and emergency procedures are adequate.

To accomplish these objectives, testing is performed prior to initial criticality, during startup, during low power operations, during power ascension, at high power, and after each refueling. The PHYSICS TESTS requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the design predictions and that the core can be operated as designed.PHYSICS TESTS procedures are writte n and approved in accordance with established formats. The procedures include all information necessary to permit a detailed execution of the testing required to ensure that the design intent is met. PHYSICS TESTS are performed in accordance with these procedures and test results are approved prior to continued power escalation and long term power operation.(continued)

PHYSICS TESTS Exceptions - MODE 2 B 3.1.8 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-43Revision 57 BACKGROUND (continued)The PHYSICS TESTS required for reload fuel cycles in MODE2 typically include:a.Critical Boron Concentration;b.Control Rod Worth and c.Isothermal Temperature Coefficient (ITC).

These tests may cause t he operating controls and process variables to deviate from their LCO requirements during their performance.

APPLICABLE SAFETY ANALYSESThe fuel is protected by LCOs that preserve the initial conditions of the core assumed during the safety analyses.

The methods for development of the LCOs that are excepted by this LCO are described in the Core Operating Limits Report. The above mentioned PHYSICS TESTS, and other tests that may be required to calibrate nuclear instrumentation or to diagnose operational problems, may require the operating control or process variables to deviate from their LCO limitations.The FSAR defines requirements for testing of the facility, including PHYSICS TESTS. Reload fuel cycle PHYSICS TESTS are performed in accordance with Technical Specification requirements, fuel vendor guidelines, and established industry standards and practices. Although these PHYSICS TESTS are generally accomplished within the limits for all LCOs, conditions may occur when one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as the fuel design criteria are not violated. When one or more of the requirements specified in LCO3.1.3, "Moderator Temperature Coefficient (MTC)", LCO3.1.4 , LCO3.1.5 , LCO3.1.6 , and LCO3.4.2 are suspended for PHYSICS TESTS, the fuel design criteria are preserved as long as the power level is limited to 5%RTP, the reactor coolant temperature is kept 541°F, and SDM is within the limits specified in the COLR.The PHYSICS TESTS include measurement of core nuclear parameters or the exercise of control components that affect process variables. Among the process variables involved are AFD and QPTR, which represent initial conditions of the unit safety analyses. Also involved are the movable control components (control and shutdown rods), which are required to shut down the reactor. The limits for these variables are specified for each fuel cycle in the COLR. PHYSICS TESTS meet the criteria for inclusion in the Technical Specifications, since the components and process variable LCOs suspended(continued)

PHYSICS TESTS Exceptions - MODE 2 B 3.1.8 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-44Revision 57APPLICABLE SAFETY ANALYSES (continued)during PHYSICS TESTS meet Criteria1, 2, and3 of the 10CFR50.36(c)(2)(ii).Reference6 allows special test exceptions (STEs) to be included as part of the LCO that they affect. It was decided, however, to retain this STE as a separate LCO because it was less cumbersome and provided additional

clarity.LCOThis LCO allows the reactor paramete rs of MTC and minimum temperature for criticality to be outside their specified limits. In addition, it allows selected control and shutdown rods to be pos itioned outside of their specified alignment and insertion limits. Operation beyond specified limits is permitted for the purpose of performing PHYSICS TESTS and poses no threat to fuel

integrity, provided the SRs are met.The requirements of LCO3.1.3 , 3.1.4 , LCO3.1.5 , LCO3.1.6 and LCO3.4.2 may be suspended during the performance of PHYSICS TESTS provided:a.RCS lowest operating loop average temperature is 541°F;b.SDM is within the limits specified in the COLR; andc.THERMAL POWER is 5% RTP.APPLICABILITYThis LCO is applicable in MODE2 when performing low power PHYSICS TESTS. The applicable PHYSICS TESTS are performed in MODE2 at HZP. ACTIONSA.1 and A.2If the SDM requirement is not met, boration must be initiated promptly. A Completion Time of 15minutes is adequate for an operator to correctly align and start the required systems and components. The operator should begin boration with the best source available for the plant conditions. Boration will be continued until SDM is within limit.Suspension of PHYSICS TESTS exceptions requires restoration of each of the applicable LCOs to within specification.(continued)

PHYSICS TESTS Exceptions - MODE 2 B 3.1.8 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-45Revision 57ACTIONS (continued)

B.1When THERMAL POWER is 5%RTP, the only acceptable action is to open the reactor trip breakers (RTBs) to prevent operation of the reactor beyond its design limits. Immediately opening the RTBs will shut down the reactor and prevent operation of the reactor outside of its design limits.

C.1When the RCS lowest operating loop Tavg is 541°F, the appropriate action is to restore Tavg to within its specified limit. The allowed Completion Time of 15minutes provides time for restoring T avg to within limits without allowing the plant to remain in an unacceptable condition for an extended period of time. Operation with the reactor critical and with temperature below 541°F could violate the assumptions for accidents analyzed in the safety analyses.

D.1 If the Required Actions cannot be completed within the associated Completion Time, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must be brought to at least MODE3 within an additional 15minutes. The Completion Time of 15additional minutes is reasonable, based on operating experience, for reaching MODE3 in an orderly manner and without challenging plant systems.SURVEILLANCE

REQUIREMENTS SR 3.1.8.1The power range and intermediate range neutron detectors must be verified to be OPERABLE in MODE2 by LCO3.3.1, "Reactor Trip System (RTS) Instrumentation." A CHANNEL OPERATIONAL TEST is performed on each power range and intermediate range channel prior to initiation of the PHYSICS TESTS. This will ensure that the RTS is properly aligned to provide the required degree of core protection during the performance of the PHYSICS TESTS.SR3.1.8.2Verification that the RCS lowest operating loop T avg is 541°F will ensure that the unit is not operating in a condition that could invalidate the safety analyses. Verification of the RCS temperature at a Frequency of 30minutes (continued)

PHYSICS TESTS Exceptions - MODE 2 B 3.1.8 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.1-46Revision 57SURVEILLANCE REQUIREMENTSSR3.1.8.2 (continued)during the performance of the PHYSICS TESTS will ensure that the initial conditions of the safety analyses are not violated.

SR 3.1.8.3Verification that the THERMAL POWER is 5% RTP will ensure that the plant is not operating in a condition that could invalidate the safety analyses. Verification of the THERMAL POWER at a Frequency of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> during the performance of the PHYSICS TESTS will ensure that the initial conditions of the safety analyses are not violated.SR3.1.8.4Verification that the SDM is within limits specified in the COLR ensures that, for the specific RCCA and RCS temperature manipulations performed during PHYSICS TESTS, the plant is not operating in a condition that could invalidate the safety analysis assumptions. The SDM verification can be

facilitated through the use of tables pr epared by the core designers in which the reactivity effects expected dur ing the Physics Testing have been previously considered.

The SDM is verified by performing a reactivity balance calculation, considering the following reactivity effects:a.RCS boron concentration;b.Shutdown and Control bank position; c.RCS average temperature;d.Fuel burnup based on gross thermal energy generation;e.Xenon concentration; f.Samarium concentration; andg.Isothermal temperature coefficient (ITC).Using the ITC accounts for Doppler reactivity in this calculation because the reactor is subcritical, and the fuel temperature will be changing at the same rate as the RCS.The Frequency of 24hours is based on the generally slow change in required boron concentration and on the low probability of an accident occurring without the required SDM.(continued)

PHYSICS TESTS Exceptions - MODE 2 B 3.1.8 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.1-47Revision 57REFERENCES1.10CFR50, AppendixB, SectionXI.2.10CFR50.59.3.Regulatory Guide1.68, Revision2, August,1978.

()-------------()()----------()

()()()()()()()()()()()()()()()()

()()()()()()()

()()()()()()()()

()()()()

()()()()()()()()()()()()()()()()()

()()()()()()()

()()()()()--------------()

()

RTS Instrumentation B 3.3.1COMANCHE PEAK - UNITS 1 AND 2B 3.3-1Revision 62B 3.3 INSTRUMENTATIONB 3.3.1 Reactor Trip System (RTS) Instrumentation BASESBACKGROUNDThe RTS initiates a unit shutdown, based on the values of selected unit parameters, to protect against violating the core fuel design limits and Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and to assist the Engineered Safety Features (ESF) Systems in mitigating accidents.The protection and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor system parameters and

equipment performance.For the purposes of demonstrating compliance with 10CFR50.36, the Technical Specifications must specify Limiting Safety System Settings (LSSS). The Allowable Value specified in Table 3.3.1-1 serves as the LSSS except for Trip Functions 2a, 2b, 6, 7, and 14 (the Nominal Trip Setpoint defines the limiting safety system setting for these Trip Functions). The Allowable Value in conjunction with the trip setpoint and LCO establishes the threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents (DBAs).The Allowable Value serves as the LSSS except for Trip Functions 2a, 2b, 6, 7, and 14 (the Nominal Trip Setpoint defines the limiting safety system setting for these Trip Functions) such that a channel is OPERABLE if the as found trip setpoint value does not to exceed the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left

adjusted to a value within the established trip setpoint calibration tolerance

band in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the allowances of the uncertainty terms assigned.During AOOs, which are those events ex pected to occur one or more times during the unit life, the acceptable limits are:1.The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the departure from nucleate boiling ratio (DNBR) limit;2.Fuel centerline melt shall not occur; and3.The RCS pressure Safety Limit of 2735 psig shall not be exceeded.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-2Revision 62 BACKGROUND (continued)

Operation within the limits of Specification2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10CFR50 and 10CFR100 criteria during AOOs. Accidents are events that are analyzed even though they are not expected to occur during the unit life.

The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10CFR100 limits. Different accident categories are allowed a different fraction of these limits, based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.The RTS instrumentation is segmented into four distinct but interconnected modules as described in the FSAR, Chapter7 (Ref.1), and as identified below:1.Field transmitters or process sensors: provide a measurable electronic signal based upon the physical characteristics of the parameter being measured;2.Signal Process Control and Protection System, including the 7300 Process Instrumentation and Control System, Nuclear

Instrumentation System (NIS), field contacts, and protection channel sets: provides signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/

miscellaneous indications or alarms;3.Solid State Protection System (SSPS), including input, logic, and output bays: initiates proper unit shutdown and/or ESF actuation in accordance with the defined logic, which is based on the bistable outputs from the signal process control and protection system; and4.Reactor trip switchgear, including reactor trip breakers (RTBs) and bypass breakers: provides the means to interrupt power to the control rod drive mechanisms (CRDMs) and allows the rod cluster control assemblies (RCCAs), or "rods," to fall into the core and shut down the reactor. The bypass breakers allow testing of the RTBs at

power.Field Transmitters or SensorsTo meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. To account for the calibration tolerances and instrument (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-3Revision 62 BACKGROUND (continued)drift, which are assumed to occur between calibrations, statistical allowances are provided in the trip setpoint and Allowable Values. The OPERABILITY of each transmitter or sensor is determined by either "as-found" calibration data evaluated during CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor as related to the channel behavior observed during performance of the CHANNEL CHECK.Signal Process Control and Protection SystemGenerally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. If the measured value of a unit parameter exceeds the

predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails, such that a partial Function

trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic. Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide

the required reliability and redundancy.

The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a

single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation. These requirements are described in IEEE-279-1971

(Ref.3). The actual number of channels required for each unit parameter is specified in Reference1

.Two logic channels are required to ensure no single random failure of a logic channel will disable the RTS. The logic channels are designed such that (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-4Revision 62 BACKGROUND (continued) testing required while the reactor is at power may be acco mplished without initiating protective action, unless a trip condition actually exists. This arises from the use of coincidence logic in generating reactor trip signals and from the capability to bypass a partial protective action while in test.

Allowable Values and Trip SetpointsThe trip setpoints used in the bistables are based on the analytical limits stated in Reference 2. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RTS channels that must function in harsh environments as defined by 10CFR50.49 (Ref. 4), the Allowable Values specified in Table3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits.The methodology to derive the Trip Setpoints is based upon combining all of the uncertainties in the channels. The essential elements of the methodology for all Trip Functions 2a, 2b, 6, 7, and 14 are described in Reference 9. Changes in accordance with this methodology have been reviewed by the staff in the original Unit 2 Technical Specifications and in

several subsequent licen se amendments (e.g., am endments 21/7 and 22/8 to the Unit 1/Unit 2 Technical Specifications). The actual nominal trip setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a COT. One example of such a change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE. The trip setpoint is the value at which the bistable is set and is the expected value to be achieved during calibration. The trip setpoint value ensures the LSSS and the safety analysis limits are met for the time period of the surveillance interval when a channel is adjusted based on stated channel uncertainties.

Any bistable is considered to be properly adjusted when the "as left" setpoint value is within the band for CHANNEL CALIBRATION uncertainty allowance (i.e., +/-rack calibration + comparator setti ng uncertainties). The trip setpoint value of Table B3.3-1.1 is therefore considered a "nominal" value (i.e., expressed as a value without inequalities) for the purposes of COT and CHANNEL CALIBRATION for all Trip Functions 2a, 2b, 6, 7, and 14.The methodology used to calculate the Nominal Trip Setpoints 2a, 2b, 6, 7, and 14 in Table B 3.3.1-1 is the same basic square-root-sum-of-squares (SRSS) methodology with the inclusion of refinements to better reflect plant (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-5Revision 62 BACKGROUND (continued) calibration practices and equipment performance. The actual Nominal Trip Setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a COT. If the measured setpoint does not exceed the

Allowable Value, the bistable is considered OPERABLE.Trip setpoints consistent with the requirements of the Allowable Value ensure that design limits are not violated during AOOs (and that the consequences of DBAs will be acceptable, providing the unit is operated

from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed). Note that in the accompanying LCO3.3.1 , the Allowable Values of Table3.3.1-1 are the LSSS except for Trip Functions 2a, 2b, 6, 7, and 14 (the Nominal Trip Setpoint defines the limiting safety system setting for these Trip Functions).Each channel of the process control equipment can be tested on line to verify that the signal or setpoint accuracy is within the sp ecified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The

process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SRs section.The Allowable Values listed in Table 3.3.1-1, except for Functions 2a, 2b, 6, 7, and 14 incorporates all of the known uncertainties applicable for each channel. The Allowable Values for Functions 2a, 2b, 6, 7, and 14 are based on the Nominal Trip Setpoints and are determined by subtracting or adding the rack calibration accuracy from the Nominal Trip Setpoint. The magnitudes of these uncertainties are factored into the determination of each Nominal Trip Setpoint. All field sensors and signal processing equipment for

these channels are assumed to operat e within the allowances of these uncertainty magnitudes.Solid State Protection SystemThe SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are

provided. If one train is taken out of service for maintenance or test purposes, the second train will provide reactor trip and/or ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.

The system has been designed to trip in the event of a loss of power, directing the unit to a safe shutdown condition.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-6Revision 62 BACKGROUND (continued)The SSPS performs the decision logic for actuating a reactor or ESF actuation, generates the electrical output signal that will initiate the required trip or actuation, and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various unit upset and accident transients. If a required logic matrix combination is completed, the system will initiate a reactor trip or send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

Reactor Trip SwitchgearThe RTBs are in the electrical power supply line from the control rod drive motor generator set power supply to the CRDMs. Opening of the RTBs interrupts power to the CRDMs, which allows the shutdown rods and control rods to fall into the core by gravity. Each RTB is equipped with a bypass breaker to allow testing of the RTB while the unit is at power. During normal operation the output from the SSPS is a voltage signal that energizes the undervoltage coils in the RTBs and bypass breakers, if in use. When the required logic matrix combination is completed, the SSPS output voltage

signal is removed, the undervoltage coils are de-energized, the breaker trip lever is actuated by the de-energized undervoltage coil, and the RTBs and bypass breakers are tripped open.

This allows the shutdown rods and control rods to fall into the core. In addition to the de-energization of the undervoltage coils, each reactor trip breaker is also equipped with a shunt trip device that is energized to trip the breaker open upon receipt of a reactor trip signal from the SSPS. Either the undervoltage coil or the shunt trip mechanism is sufficient by itself, thus providing a diverse trip mechanism.The decision logic matrix Functions are described in the functional diagrams included in Reference1. In addition to the reactor trip or ESF, these diagrams also describe the various "permissive interlocks" that are associated with unit conditions. Each train has a built in testing device that can automatically test the decision logi c matrix Functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.(continued)

RTS Instrumentation B 3.3.1 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.3-7Revision 62 APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITYThe RTS functions to maintain the applicable Safety Limits during all AOOs and mitigates the consequences of DBAs in all MODES in which the Rod Control system is capable of rod withdrawal or one or more rods are not fully inserted.Each of the analyzed accidents and transients can be detected by one or more RTS Functions. The accident analysis described in Reference 2 takes credit for most RTS trip Functions. RTS trip Functions not specifically credited in the accident analysis are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These RTS trip Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. They may also serve as backup or diverse trips to RTS trip Functions that were credited in the accident analysis.

The LCO requires all instrumentation performing an RTS Function, listed in Table3.3.1-1 in the accompanying LCO, to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the

reliability of the affected Functions.A channel is OPERABLE with a trip setpoint value outside its calibration tolerance band provided the trip setpoint "as-found" value does not exceed its associated Allowable Value and provided the trip setpoint "as-left" value is adjusted to a value within the calibration tolerance band of the Nominal Trip Setpoint except for Trip Functions 2a, 2b, 6, 7, and 14. Note (r) requires the instrument channel setpoint for a channel in these Trip Functions to be reset to a value that is within the as-left setpoint tolerance of the Nominal Trip Setpoint. The conservative direction is indicated by the direction of the inequality sign applied to the Nominal Trip Setpoint in Bases Table B 3.3.1-1. Setpoint restoration and post-test verification assure that the assumptions in the plant setpoint methodology are satisfied in order to protect the safety analysis limits. Note (r) preserves the safety analysis limits. If the channel can not be reset to a value within its as-left setpoint tolerance band, or to a value that is more conservative than the Nominal Trip Setpoint if required based on plant conditions, the chann el shall be declared inoperable and the applicable Required Actions are taken. The methodology used to determine the as-left setpoint tolerance band is based on the square-root-sum-of-squares (SRSS) of the tolerances applicable to the instrument loop or sub-loop constituents being tested. The applicability of notes (q) and (r) for Unit 1, items 2a, 2b, 6, and 7 will begin following the completion of Cycle 13. A trip setpoint may be set more conservative than the Nominal Trip Setpoint as necessary in response to plant conditions.The LCO generally requires OPERABILITY of four or three channels in each instrumentation Function, two channels of Manual Reactor Trip in each logic (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-8Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Function, and two trains in each Automatic Trip Logic Function. Four OPERABLE instrumentation channels in a two-out-of-four configuration are required when one RTS channel is also used as a control system input. This configuration accounts for the possibility of the shared channel failing in such a manner that it creates a transient that requires RTS action. In this case, the RTS will still provide protection, ev en with a random failure of one of the other three protection channels. Th ree operable instrumentation channels in a two-of-three configuration are generally required when there is no potential for control system and protection system interaction that could simultaneously create a need for RTS tr ip and disable one RTS channel. The two-out-of-three and two-out-of-four configurations allow one channel to

be tripped or bypassed during maintenance or testing without causing a reactor trip. Specific exceptions to the above general philosophy exist and are discussed below.Reactor Trip System Functions The safety analyses and OPERABILITY requirements applicable to each RTS Function are discussed below:1.Manual Reactor TripThe Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either of two reactor trip

switches in the control room. A Manual Reactor Trip accomplishes the same results as any one of the automatic trip Functions. It is used by the reactor operator to shut down the reactor whenever any parameter is rapidly trending toward its Trip Setpoint.

The LCO requires two Manual React or Trip channels to be OPERABLE. Each channel is controlled by a manual reactor trip switch. Each channel activates the reactor trip breaker in both trains. Two independent channels are required to be OPERABLE so that no single random failure will disable the Manual Reactor Trip Function.In MODE1 or2, manual initiation of a reactor trip must be OPERABLE. These are the MODES in which the shutdown rods and/or control rods are partially or fully withdrawn from the core. In MODE3, 4, or5, the manual init iation Function must also be OPERABLE if one or more shutdown or control rods are withdrawn or the Rod Control System is capable of withdrawing the shutdown rods or the control rods. In this condition, inadvertent control rod (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-9Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)withdrawal is possible. In MODE3, 4, or5, manual initiation of a reactor trip does not have to be OPERABLE if the Rod Control System is not capable of withdrawing the shutdown rods or control rods and if all rods are fully inserted. If the rods cannot be withdrawn from the core and all the rods are fully inserted, there is no need to be able to trip the reactor, because all of the rods are inserted. In MODE6, neither the shutdown rods nor the control rods are permitted to be withdrawn and the CRDMs are disconnected from the control rods and shutdown rods. Therefore, the manual initiation

Function is not required.2.Power Range Neutron FluxThe NIS power range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS power range detectors provide input to the Rod Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.a.Power Range Neutron Flux-HighThe Power Range Neutron Flux-High trip Function ensures that protection is provided, from all power levels, against a positive reactivity excursion leading to DNB during power operations. These can be caused by rod withdrawal or reductions in RCS temperature.The LCO requires all four of the Power Range Neutron Flux-High channels to be OPERABLE.In MODE1 or2, when a positive reactivity excursion could occur, the Power Range Neutron Flux-High trip must be

OPERABLE. This Function will terminate the reactivity excursion and shut down the reactor prior to reaching a power level that could result in an un acceptable level of damage to the fuel. In MODE3, 4, 5, or6, the NIS power range detectors cannot detect neutron levels in this range. In these MODES, the Power Range Neutron Flux-High does not have (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-10Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)to be OPERABLE because the reactor is shut down and reactivity excursions into the power range are extremely unlikely. Other RTS Functions and administrative controls provide protection against reactivity additions when in MODE3, 4, 5, or6.b.Power Range Neutron Flux-LowThe LCO requirement for the Power Range Neutron Flux-Low trip Function ensures that protection is provided against a positive reactivity excursion from low power or subcritical conditions.The LCO requires all four of the Power Range Neutron Flux-Low channels to be OPERABLE.In MODE1, below the Power Range Neutron Flux (P-10 setpoint), and in MODE2, the Power Range Neutron Flux-Low trip must be OPERABLE. This Function may be manually blocked by the operator when two out of four power range channels are greater than approximately 10% RTP (P-10 setpoint). This Function is automatically unblocked when three out of four power range channels are below the P-10 setpoint. Above the P-10 setpoint, positive reactivity additions are mitigated by the Power Range Neutron Flux-High trip Function.In MODE3, 4, 5, or6, the Power Range Neutron Flux-Low trip Function does not have to be OPERABLE because the reactor is shut down and the NIS power range detectors cannot detect neutron levels in this range. Other RTS trip

Functions and administrative controls provide protection against positive reactivity additions or power excursions in MODE3, 4, 5, or6.3.Power Neutron Flux Rate-High Positive RateThe Power Range Neutron Flux Rate trips use the same channels as discussed for Function2 above.

The Power Range Neutron Flux-High Positive Rate trip Function ensures that protection is provided against rapid increases in neutron flux that are characteristic of an RCCA drive rod housing rupture and (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-11Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)the accompanying ejection of the RCCA or an uncontrolled RCCA bank withdrawal during power operation (RWAP). This Function complements the Power Range Neutron Flux-High and Low Setpoint trip Functions to ensure that the criteria are met for a rod ejection from the power range or an uncontrolled RCCA bank withdrawal during power operation (RWAP).The LCO requires all four of the Power Range Neutron Flux-High Positive Rate channels to be OPERABLE.In MODE1 or2, when there is a potential to add a large amount of positive reactivity from a rod ejection accident (REA) or an uncontrolled RCCA bank withdrawal during power operation (RWAP), the Power Range Neutron Flux-High Positive Rate trip must be OPERABLE. In MODE3, 4, 5, or6, the Power Range Neutron

Flux-High Positive Rate trip Function does not have to be

OPERABLE because other RTS trip Functions or administrative controls will provide protection against inadvertent positive reactivity additions. Also, since only the shutdown banks may be withdrawn in MODE3, 4, or5, the remaining complement of control bank worth ensures a sufficient degree of SDM in the event of an REA. In MODE6, no rods are withdrawn and the SDM is increased during refueling operations. The reactor vessel head is also removed or the closure bolts are detensioned preventing any pressure buildup. In addition, the NIS power range detectors cannot detect neutron levels present in this mode.4.Intermediate Range Neutron Flux The Intermediate Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low Setpoint trip Fu nction. The NIS intermediate range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS intermediate range detectors do not provide any input to control systems. Note

that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.The LCO requires two channels of Intermediate Range Neutron Flux to be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-12Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Because this trip Function is important only during startup, there is generally no need to disable channels for testing (generally performed at power levels greater than the P-10 setpoint or less than the P-6 setpoint) while the Function is required to be OPERABLE. Therefore, a third channel is unnecessary.In MODE1 below the P-10 setpoint, and in MODE2 above the P-6 setpoint, when there is a potential for an uncontrolled RCCA bank rod withdrawal accident during reactor startup, the Intermediate Range Neutron Flux trip must be OPERABLE. Above the P-10 setpoint, the Power Range Neutron Flux - High Setpoint trip and the Power Range Neutron Flux - High Positive Rate trip provide core protection for a rod withdrawal accident. In MODE2 below the P-6 setpoint, the Source Range Neutron Flux trip Function provides core protection for reactivity accidents. In MODE 3, 4, or5, the Intermediate Range Neutron Flux trip does not have to be OPERABLE because the control rods must be fully inserted and only the shutdown rods may be withdrawn. The reactor cannot be started up in this condition. The core also has the required SDM to mitigate the consequences of a positive reactivity addition accident. In MODE6, all rods are fully inserted and the core has a required increased SDM. Also, the NIS intermediate range detectors cannot det ect neutron levels present in this MODE.5.Source Range Neutron Flux The LCO requirement for the Source Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low and Intermediate Range Neutron Flux trip Functions. In MODES3, 4, and5, administrative controls also prevent the uncontrolled withdrawal of rods. The NIS source range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS source range detectors do not provide any inputs to control systems. The source range trip is the only RTS automatic protection function required in MODES3, 4, and5 with the Rod Control System capable of rod withdrawal or with one or more rods not fully inserted. Therefore, the functional capability at the specified Trip Setpoint is assumed to be

available.The LCO requires two channels of Source Range Neutron Flux to be (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-13Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function. The outputs of the Function to RTS logic are not required OPERABLE in Mode 6 or when all rods are fully inserted and the Rod Control System is incapable of rod withdrawal.

The Source Range Neutron Flux Function provides protection for control rod withdrawal from subcritical and control rod ejection events. In MODE2 when below the P-6 setpoint during a reactor startup, the Source Range Neutron Flux trip must be OPERABLE. Above the P-6 setpoint, the Intermediate Range Neutron Flux trip and the Power Range Neutron Flux-Low trip will provide core protection for reactivity accidents. Above the P-6 setpoint, the NIS source range detectors may be manually blocked. After the source range trip function is

blocked, the high voltage power supply is removed.In MODES3, 4, and5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted, the Source Range Neutron Flux trip Function must also be OPERABLE. If the Rod Control System is capable of rod withdrawal, the Source Range Neutron Flux trip must be OPERABLE to provide core protection against a rod withdrawal accident. If the Rod Control System is not

capable of rod withdrawal, the source range detectors are not required to trip the reactor. However, it is good practice for their monitoring Function to be OPERABLE to monitor core neutron levels and provide indication of reactivity changes that may occur as a result of events like an inadvertent boron dilution. The requirements for the NIS source range detectors in MODE6 are addressed in LCO3.9.3, "Nuclear Instrumentation."6.Overtemperature N-16 The Overtemperature N-16 trip Function is provided to ensure that the design limit DNBR is met. The inputs to the Overtemperature N-16 trip include pressure, co olant temperature, axial power distribution, and reactor power as indicated by loop N-16 power monitors, assuming full reactor coolant flow. Protection from violating the DNBR limit is assured for those transients that are slow with respect to delays from the core to the measurement system.

The Overtemperature N-16 trip Function uses each loop's N-16 power indication as a measure of reactor power and compares the compensated N-16 measured power with a setpoint that is automatically varied with the following parameters:(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-14Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)*reactor coolant cold leg temperature-the Trip Setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature;*pressurizer pressure-the Trip Se tpoint is varied to correct for changes in system pressure; and*axial power distribution-f(q), the Trip Setpoint is varied to account for imbalances in the axial power distribution as detected by the NIS upper and lower power range detectors. If axial peaks are greater than the design limits, as indicated by the difference between the upper and lower NIS power range detectors, the Trip Setpoint is reduced in accordance with Note1 of Table3.3.1-1

.Dynamic compensation is included for system piping delays from the core to the N-16 power and temperature measurement systems.The Overtemperature N-16 power allowable value is calculated for each loop as described in Note1 of Table3.3.1-1. Trip occurs if the loop-specific Overtemperature N-16 setpoint is exceeded in two of the four RCS loops. The N-16 power, pressurizer pressure and cold leg temperature signals are used for other control functions; thus, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function

actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to generate a turbine runback prior to reaching the Trip Setpoint. A turbine runback will reduce turbine power and reactor power. A reduction in power will normally alleviate the Overtemperature N-16 condition and may prevent a reactor trip.

The LCO requires all four channels of the Overtemperature N-16 trip Function to be OPERABLE. Note that the Overtemperature N-16 Function receives input from channels shared with other RTS Functions. Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.In MODE1 or2, the Overtemperature N-16 trip must be OPERABLE to prevent DNB. In MODE3, 4, 5, or6, this trip Function does not have to be OPERABLE because the reactor is not operating and

there is insufficient heat production to be concerned about DNB.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-15Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)7.Overpower N-16The Overpower N-16 trip Function ensures that protection is provided to ensure the integrity of the fuel (i.e., no fuel pellet melting and less than 1% cladding str ain) under all possible overpower conditions. This trip Function als o limits the required range of the Overtemperature N-16 trip Functi on and provides a backup to the Power Range Neutron Flux-High Setpoint trip. This is because Overpower N-16 is not sensitive to changes in the density of the reactor vessel downcomer fluid and additionally, the overpower function is credited in the analyses of the decrease in feedwater temperature event and for some steamline break accidents.

The Overpower N-16 trip Function ensures that the allowable heat generation rate (kW/ft) of the fuel is not exceeded. It uses the N-16 power monitor indication of each loop as a measure of reactor power

with a constant value setpoint.

The Overpower N-16 power indication is calculated for each RCS loop. Trip occurs if the N-16 power exceeds the setpoint in any two loops. The actuation logic must be ab le to withstand an input failure to the control system, which may then require the protection function actuation and a single failure in the remaining channels providing the protection function actuation. Note that this Function also provides a signal to generate a turbine runback prior to reaching the Trip Setpoint. A turbine runback will reduce turbine power and reactor power. A reduction in power will normally alleviate the Overpower N-16 condition and may prevent a reactor trip.The LCO requires four channels of the Overpower N-16 trip Function to be OPERABLE. Note that the Overpower N-16 trip Function receives input from channels shared with other RTS Functions.

Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.In MODE1 or2, the Overpower N-16 trip Function must be OPERABLE. These are the only times that enough heat is generated in the fuel to be concerned about the heat generation rates and overheating of the fuel. In MODE3, 4, 5, or6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about fuel overheating and fuel damage.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-16Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)8.Pressurizer Pressure The same sensors provide input to the Pressurizer Pressure-High and -Low trips and the Overtemperat ure N-16 trip. The Pressurizer Pressure channels are also used to provide input to the Pressurizer Pressure Control System; thus, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation.a.Pressurizer Pressure-LowThe Pressurizer Pressure-Low trip Function ensures that protection is provided against violating the DNBR limit due to low pressure.The LCO requires four channels of Pressurizer Pressure-Low to be OPERABLE.In MODE1, when DNB is a major concern, the Pressurizer Pressure-Low trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7

interlock (NIS power range P-10 or turbine impulse pressure greater than approximately 10% of full power equivalent (P-13)). On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, there is insufficient heat production to be concerned about DNB.b.Pressurizer Pressure-HighThe Pressurizer Pressure-High trip Function ensures that protection is provided against overpressurizing the RCS. This trip Function operates in conjunction with the pressurizer relief and safety valves to prevent RCS overpressure conditions.The LCO requires four channels of the Pressurizer Pressure-High to be OPERABLE.The Pressurizer Pressure-High Allowable Value is selected to be below the pressurizer safety valve actuation pressure and

above the power operated relief valve (PORV) setting. This (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-17Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) setting minimizes challenges to safety valves while avoiding unnecessary reactor trip for those pressure increases that can be controlled by the PORVs.In MODE1 or2, the Pressurizer Pressure-High trip must be OPERABLE to help prevent RCS overpressurization and minimize challenges to the relief and safety valves. In MODE3, 4, 5, or6, the Pressurizer Pressure-High trip Function does not have to be OPERABLE because transients that could cause an overpressure condition will be slow to occur. Therefore, the operator will have sufficient time to evaluate unit conditions and take corrective actions.

Additionally, low temperature overpressure protection systems provide overpressure protection when in MODE4 or below.9.Pressurizer Water Level-HighThe Pressurizer Water Level-High trip Function provides a backup signal for the Pressurizer Pressure-High trip and also provides

protection against water re lief through the pressurizer safety valves. These valves are designed to pass steam in order to achieve their

design energy removal rate. A reactor trip is actuated prior to the pressurizer becoming water solid. The LCO requires three channels of Pressurizer Water Level-High to be OPERABLE. The pressurizer level channels are used as input to the Pressurizer Level Control System. A fourth channel is not required to address control/

protection interaction concerns. The level channels do not actuate the safety valves, and the high pressure reactor trip is set below the

safety valve setting. Therefore, with the slow rate of charging available, pressure overshoot due to level channel failure cannot cause the safety valve to lift before reactor high pressure trip.In MODE1, when there is a potential for overfilling the pressurizer, the Pressurizer Water Level-High trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 interlock. On decreasing power, th is trip Function is automatically blocked below P-7. Below the P-7 setpoint, transients that could raise the pressurizer water level will be slow and the operator will have sufficient time to evaluate unit conditions and take corrective actions.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-18Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)10.Reactor Coolant Flow-LowThe Reactor Coolant Flow-Low trip Function ensures that protection is provided against violating the DNBR limit due to low flow in one or more RCS loops, while avoiding reactor trips due to normal variations in loop flow. Above the P-7 setpoint, the reactor trip on low flow in two or more RCS loops is automatically enabled. Above the P-8 setpoint, a loss of flow in any RCS loop will actuate a reactor trip because of the higher power level and the reduced margin to the design limit DNBR. Each RCS loop has three flow detectors to monitor flow. The flow signals are not used for any control system input.Following plant heatup from a refueling outage, the RCS flow transmitters are adjusted (normaliz ed) with the reactor coolant pumps in service to indicate 100% flow (nominal). During the subsequent plant startup, the RCS flow is measured in accordance with SR 3.4.1.4 to confirm that the actual flow is greater than the value assumed in the accident analysis. At this time, it is also verified that the RCS flow instruments continue to indicate 100% flow (within established tolerances). If not, the flow transmitters are readjusted (normalized) to indicate 100% flow (nominal). The value for the RCS low flow setpoint, expressed as a percentage of indicated flow, is periodically verified to be within requ ired tolerances in accordance with SR 3.3.1.7 and SR 3.3.1.10. This process ensures that the nominal setpoint is consistent with the assumptions of the accident analysis.The LCO requires three Reactor Coolant Flow-Low channels per loop to be OPERABLE in MODE1 above P-7.In MODE1 above the P-8 setpoint, a loss of flow in one RCS loop could result in DNB conditions in the core because of the higher power level. In MODE1 below the P-8 setpoint and above the P-7 setpoint, a loss of flow in two or more loops is required to actuate a reactor trip (because of the lower power level and the greater margin to the design limit DNBR. Below the P-7 setpoint, all reactor trips on low flow are automatically blocked since there is insufficient heat production to generate DNB conditions.In MODE1 above the P-7 setpoint and below the P-8 setpoint, the Reactor Coolant Flow-Low (Two Loops) trip must be OPERABLE. (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-19Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Below the P-7 setpoint, all reactor trips on low flow are automatically blocked since there is insufficient heat production to be concerned about DNB. 11.Not Used.12.Undervoltage Reactor Coolant PumpsThe Undervoltage RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The voltage to each RCP is monitored.

Above the P-7 setpoint, a loss of voltage detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low Trip Setpoint is reached. Time delays are incorporated into the Undervoltage RCPs channels to prevent reactor trips due to momentary electrical power transients.The LCO requires four Undervoltage RCP channels (one per RCP) to be OPERABLE. The required channels are stated as one per bus because each bus has only one RCP.In MODE1 above the P-7 setpoint, the Undervoltage RCP trip must be OPERABLE. Below the P-7 setpoin t, all reactor trips on loss of flow are automatically blocked since the core is not producing sufficient power to generate DNB conditions. Above the P-7 setpoint, the reactor trip on Undervoltage - RCPs is automatically enabled.13.Underfrequency Reactor Coolant Pumps The Underfrequency RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops from a major network frequency disturbance. An underfrequency condition will slow down the pumps, thereby reducing their coastdown time following a pump trip. An adequate coastdown time is required so that reactor heat can be removed immediately after reactor trip. The frequency of each RCP bus is monitored. Above the P-7 setpoint, a loss of frequency

detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low Trip Setpoint is reached. Time delays are incorporated into the Underfrequency RCPs channels to prevent reactor trips due to momentary electrical power transients.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-20Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)The LCO requires four Underfrequency RCPs channels (1 per RCP) to be OPERABLE. The required channels are stated as one per bus because each bus has only one RCP.In MODE1 above the P-7 setpoint, the Underfrequency RCPs trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss

of flow are automatically blocked since the core is not producing sufficient power to generate DNB conditions. Above the P-7 setpoint, the reactor trip on underfrequ ency is automatically enabled.14.Steam Generator Water Level-Low LowThe SG Water Level-Low Low trip Function ensures that protection is provided against a loss of heat sink and actuates the AFW System prior to uncovering the SG tubes. The SGs are the heat sink for the reactor. In order to act as a heat sink, the SGs must contain a minimum amount of water. A narrow range low low water level signal in any SG is indicative of a loss of heat sink for the reactor. The level transmitters provide input to the SG Level Control System.

Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. This Function also performs the ESFAS function of starting the AFW pumps on low low SG level.The LCO requires four channels of SG Water Level-Low Low per SG to be OPERABLE because these channels are shared between protection and control. The actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. This Function also performs the ESFAS function of starting the AFW pumps on low low SG level. The LCO requires four channels of SG Water Level-Low Low per SG to be OPERABLE.In MODE1 or2, when the reactor requires a heat sink, the SG Water Level-Low Low trip must be OPERABLE. The normal source of water for the SGs is the Main Feedwater (MFW) System (not safety related). The MFW System is only in operation in MODE1 or2 above the point of adding heat. The AFW System is the safety

related backup source of water to ensure that the SGs remain the heat sink for the reactor. During normal startups and shutdowns, the AFW System provides feedwater to maintain SG level. In MODE3, (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-21Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)4, 5, or6, the SG Water Level-Low Low reactor trip function does not have to be OPERABLE because the MFW System is not in operation and the reactor is not operating or even critical. Decay heat removal is accomplished by the AFW System in MODE3 and by the Residual Heat Removal (RHR) System in MODE4, 5, or6. Because this Function also performs an ESFAS Function a note is added to indicate that ESFAS APPLICABILITY is more restrictive.15. Not Used.

16.Turbine Tripa.Turbine Trip-Low Fluid Oil Pressure The Turbine Trip-Low Fluid Oil Pressure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. This trip Function acts to minimize the pressure/temperature transient on the reactor. Any turbine trip fr om a power level below the P-9 setpoint of 50% power will not actuate a reactor trip. Three pressure switches monitor the control oil pressure in the Turbine Electrohydraulic Control System. A low pressure condition sensed by two-out-of-three pressure switches will actuate a reactor trip. These pressure switches do not provide any input to the control system. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure-High trip Function and RCS integrity is ensured by the pressurizer safety valves.

The LCO requires three channels of Turbine Trip-Low Fluid Oil Pressure to be OPERABLE in MODE1 above P-9.Below the P-9 setpoint, a turbine trip does not actuate a reactor trip. In MODE2, 3, 4, 5, or6, there is no potential for a turbine trip, and the Turbine Trip-Low Fluid Oil Pressure trip Function does not need to be OPERABLE.b.Turbine Trip-Turbine Stop Valve Closure The Turbine Trip-Turbine Stop Valve Closure trip Function anticipates the loss of heat removal capabilities of the(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-22Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)secondary system following a turbine trip. The trip Function anticipates the loss of secondary heat removal capability that occurs when the stop valves close. Tripping the reactor in

anticipation of loss of secondary heat removal acts to minimize the pressure and temperature transient on the reactor. A turbine trip from a power level below the P-9 setpoint will not actuate a reactor trip. This trip Function will not and is not required to operate in the presence of a single channel failure. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure-High trip Function, and RCS integrity is ensured by the pressurizer safety valves. This trip Function is diverse to the Turbine Trip-Low Fluid Oil Pressure trip Function. Each turbine stop valve is equipped with one limit switch that inputs to the RTS. If all four limit switches indicate that the stop valves are all closed, a reactor trip is initiated.The Allowable Value for this Function is set to assure channel trip occurs when the associated stop valve is completely closed.The LCO requires four Turbine Trip-Turbine Stop Valve Closure channels, one per valve, to be OPERABLE in MODE1 above P-9. All four channels must trip to cause

reactor trip.Below the P-9 setpoint, a load rejection can be accommodated by the Steam Dump and Rod Control Systems. In MODE2, 3, 4, 5, or6, there is no potential for a load rejection, and the Turbine Trip-Stop Valve Closure trip Function does not need to be OPERABLE.17.Safety Injection Input from Engineered Safety Feature Actuation SystemThe SI Input from ESFAS ensures that if a reactor trip has not already been generated by the RTS, the ESFAS automatic actuation logic will initiate a reactor trip upon any automatic signal that initiates SI. This is a condition of acceptability for the LOCA. However, other

transients and accidents take credit for varying levels of ESF performance and rely upon rod insertion, except for the most reactive (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-23Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) rod that is assumed to be fu lly withdrawn, to ensure reactor shutdown. Therefore, a reactor trip is initiated every time an SI signal

is present.

Trip Setpoint and Allowable Val ues are not applicable to this Function. The SI Input is provided by logic in the SSPS circuitry of the ESFAS. Therefore, there is no measurement signal with which to associate an LSSS.The LCO requires two trains of SI Input from ESFAS to be OPERABLE in MODE1 or2.

A reactor trip is initiated every time an SI signal is present. Therefore, this trip Function must be OPERABLE in MODE1 or2, when the reactor is critical. In MODE3, 4, 5, or6, the reactor is not critical, and this trip Function does not need to be OPERABLE.18.Reactor Trip System InterlocksReactor protection interlocks are provided to ensure reactor trips are in the correct configuration for the current unit status. They back up operator actions to ensure protection system Functions are not bypassed during unit conditions under which the safety analysis assumes the Functions are not bypassed. Therefore, the interlock Functions do not need to be OPERABLE when the associated reactor trip functions are outside the applicable MODES. These are:a.Intermediate Range Neutron Flux, P-6The Intermediate Range Neutron Flux, P-6 interlock is actuated when any NIS intermediate range channel goes approximately one decade above the minimum channel reading. If both channels dr op below the setpoint, the permissive will automatically be defeated. The LCO requirement for the P-6 interlock ensures that the following Functions are performed:*on increasing power, the P-6 interlock allows the manual block of the NIS Source Range, Neutron Flux reactor trip. This prevents a premature block of the source range trip and allows the operator to ensure that the intermediate range is OPERABLE prior to leaving the source range. When the source range trip is blocked, the high voltage to the detectors is also

removed;(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-24Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)*on decreasing power, the P-6 interlock automatically energizes the NIS source range detectors and enables the NIS Source Range Neutron Flux reactor

trip; and*on increasing power, the P-6 interlock provides a backup block signal to the so urce range flux doubling circuit. Note that this function is not required for operability of the source range detectors. Normally, this Function is manually blocked by the control room operator during the reactor startup.The LCO requires two channels of Intermediate Range Neutron Flux, P-6 interlock to be OPERABLE in MODE2 when below the P-6 interlock setpoint.Above the P-6 interlock setpoint, the NIS Source Range Neutron Flux reactor trip will be blocked, and this Function will no longer be necessary. In MODE3, 4, 5, or6, the P-6 interlock does not have to be OPERABLE because the NIS Source Range is providing core protection.b.Low Power Reactor Trips Block, P-7The Low Power Reactor Trips Block, P-7 interlock is actuated by input from either the Power Range Neutron Flux, P-10, or the Turbine First Stage Pressure, P-13 interlock. The LCO requirement for the P-7 interlock ensures that the following Functions are performed:(1)on increasing power, the P-7 interlock automatically enables reactor trips on the following Functions:*Pressurizer Pressure-Low;*Pressurizer Water Level-High;*Reactor Coolant Flow-Low (low flow in two or more RCS loops);*Undervoltage RCPs; and*Underfrequency RCPs.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-25Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)These reactor trips are only required when operating above the P-7 setpoint (approximately 10% power).

The reactor trips provide protection against violating the DNBR limit. Below the P-7 setpoint, the RCS is

capable of providing sufficient natural circulation without any RCP running.(2)on decreasing power, the P-7 interlock automatically blocks reactor trips on the following Functions:*Pressurizer Pressure-Low;

  • Pressurizer Water Level-High;*Reactor Coolant Flow-Low (low flow in two or more RCS loops);*Undervoltage RCPs; and
  • Underfrequency RCPs.

Allowable Values are not applicable to the P-7 interlock because it is a logic Function and thus has no parameter with which to associate an LSSS.

The P-7 interlock is a logic Function with train and not channel identity. Therefore, the LCO requires one channel per train of Low Power Reactor Trips Block, P-7 interlock to be OPERABLE in MODE1.The low power trips are blocked below the P-7 setpoint and unblocked above the P-7 setpoint. In MODE2, 3, 4, 5, or6, this Function does not have to be OPERABLE because the interlock performs its Function when power level drops below 10% power, which is in MODE1.c.Power Range Neutron Flux, P-8The Power Range Neutron Flux, P-8 interlock is actuated at approximately 48% power as determined by two-out-of-four NIS power range detectors. The P-8 interlock automatically enables the Reactor Coolant Flow-Low reactor trip on low (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-26Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) flow in one or more RCS loops on increasing power. The LCO requirement for this trip Function ensures that protection is provided against a loss of flow in any RCS loop that could

result in DNB conditions in the core when greater than 48% power. On decreasing power, the reactor trip on low flow in any loop is automatically blocked.The LCO requires four channels of Power Range Neutron Flux, P-8 interlock to be OPERABLE in MODE1.In MODE1, a loss of flow in one RCS loop could result in DNB conditions, so the Power Range Neutron Flux, P-8 interlock must be OPERABLE. In MODE2, 3, 4, 5, or6, this Function does not have to be OPERABLE because the core is not producing sufficient power to be concerned about DNB

conditions.d.Power Range Neutron Flux, P-9The Power Range Neutron Flux, P-9 interlock is actuated at approximately 50% power as determined by two-out-of-four NIS power range detectors. T he LCO requirement for this Function ensures that the Turbine Trip-Low Fluid Oil Pressure and Turbine Trip-Turbine Stop Va lve Closure reactor trips are enabled above the P-9 setpoint. Above the P-9 setpoint, a turbine trip will cause a load rejection beyond the capacities of the Steam Dump and Rod Control Systems. A reactor trip is automatically initiated on a turbine trip when it is above the P-9 setpoint, to minimize the transient on the reactor.The LCO requires four channels of Power Range Neutron Flux, P-9 interlock to be OPERABLE in MODE1.In MODE1, above P-9, a turbine trip could cause a load rejection beyond the capacities of the Steam Dump and Reactor Control Systems, so the Power Range Neutron Flux interlock must be OPERABLE. In MODE2, 3, 4, 5, or6, this Function does not have to be OPERABLE because the reactor is not at a power level sufficient to have a load rejection beyond the capacities of the Steam Dump and Rod Control Systems.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-27Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)e.Power Range Neutron Flux, P-10 The Power Range Neutron Flux, P-10 interlock is actuated at 10% power, as determined by two-out-of-four NIS power range detectors. If power level falls below 10%RTP on3 of 4channels, the nuclear instrument trips will be automatically unblocked. The LCO requirement for the P-10 interlock ensures that the following Functions are performed:*on increasing power, the P-10 interlock allows the operator to manually blo ck the Intermediate Range Neutron Flux reactor trip. Note that blocking the reactor trip also blocks the signal to prevent automatic and manual rod withdrawal;*on increasing power, the P-10 interlock allows the operator to manually block the Power Range Neutron Flux-Low reactor trip;*on increasing power, the P-10 interlock automatically provides a backup signal to block the Source Range

Neutron Flux reactor trip, and also to de-energize the NIS source range detectors;*the P-10 interlock provides one of the two inputs to the P-7 interlock; and*on decreasing power, the P-10 interlock automatically enables the Power Range Neut ron Flux-Low reactor trip and the Intermediate Range Neutron Flux reactor trip (and rod stop).P-10 has two allowable v alues; one allowable value is associated with increasing power levels and the second allowable value is associated with decreasing power levels,The LCO requires four channels of Power Range Neutron Flux, P-10 interlock to be OPERABLE in MODE1 or2.OPERABILITY in MODE1 ensures the Function is available to perform its decreasing power Functions in the event of a

reactor shutdown. This Function must be OPERABLE in (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-28Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)MODE2 to ensure that core protection is provided during a startup or shutdown by the Power Range Neutron Flux-Low and Intermediate Range Neutron Flux reactor trips. In MODE3, 4, 5, or6, this Function does not have to be OPERABLE because the reactor is not at power and the

Source Range Neutron Flux reactor trip provides core

protection.f.The Turbine First Stage Pressure, P-13The Turbine First Stage Pressure, P-13 interlock is actuated when the pressure in the first stage of the high pressure

turbine is greater than approximately 10% of the full power pressure. The full power pressure corresponds to the first stage pressure at 100% RTP. The interlock is determined by

one-out-of-two pressure detecto rs. The LCO requirement for this Function ensures that one of the inputs to the P-7

interlock is available.The LCO requires two channels of Turbine First Stage Pressure, P-13 interlock to be OPERABLE in MODE1.The Turbine First Stage Pressure, P-13 interlock must be OPERABLE when the turbine generator is operating. The interlock Function is not required OPERABLE in MODE2, 3, 4, 5, or6 because the turbine generator is not operating.19.Reactor Trip Breakers This trip Function applies to the RTBs exclusive of individual trip mechanisms. The LCO requires two OPERABLE trains of trip breakers. A trip breaker train consists of all trip breakers associated with a single RTS logic train that are racked in, closed, and capable of supplying power to the CRD System. Thus, the train may consist of the main breaker or the main breaker and bypass breaker, depending upon the system configuration. Two OPERABLE trains ensure no single random failure can disable the RTS trip capability.These trip Functions must be OPERABLE in MODE1 or2. In MODE3, 4, or5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-29Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)20.Reactor Trip Breaker Undervoltage and Shunt Trip Mechanisms The LCO requires both the Undervoltage and Shunt Trip Mechanisms to be OPERABLE for each RTB that is in service. The trip mechanisms are not required to be OPERABLE for trip breakers that are open, racked out, incapable of supplying power to the Rod Control System, or declared inoperable under Function19 above. OPERABILITY of both trip mechanisms on each breaker ensures that no single trip mechanism failure will prevent opening any breaker on a valid signal.These trip Functions must be OPERABLE in MODE1 or2. In MODE3, 4, or5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.21.Automatic Trip LogicThe LCO requirement for the RTBs (Functions19 and20) and Automatic Trip Logic (Function21) ensures that means are provided to interrupt the power to allow the rods to fall into the reactor core.

Each RTB is equipped with an undervoltage coil and a shunt trip coil to trip the breaker open when needed. Each RTB is equipped with a bypass breaker to allow testing of the trip breaker while the unit is at power. The reactor trip signals generated by the RTS Automatic Trip Logic cause the RTBs and associated bypass breakers to open and shut down the reactor.The LCO requires two trains of RTS Automatic Trip Logic to be OPERABLE. Having two OPERABLE channels ensures that random failure of a single logic channel will not prevent reactor trip.These trip Functions must be OPERABLE in MODE1 or2. In MODE3, 4, or5, these RTS trip Functions must be OPERABLE when the RTBs and associated bypass breakers are closed, and the the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.The RTS instrumentation satisfies Criterion3 of 10CFR50.36(2)(c)(ii).(continued)

RTS Instrumentation B 3.3.1 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.3-30Revision 62ACTIONSA Note has been added to the ACTIONS to clarify the application ofCompletion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table3.3.1-1. In the event a channel's Trip Setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the Required Channels in Table 3.3.1-1 are specified on a per loop, per SG, per bus, per train or per RTB basis, then the Condition may be entered separately for each loop, SG, bus, train or RTB, as appropriate.

When a single LCO addresses multiple Functions and allows separate Condition entry for each function, each Function is identified by a unique number/letter. A single Function may contain different requirements for different Applicabilities. In such cases, initial inoperability of a channel or train is based upon the Function independent of the applicability. For example, if a Function has one set of requirements for Modes 1 and 2 and a second set of requirements for M odes 3, 4 and 5, the same channel inoperability may result in entering separate Conditions at different times. If initially inoperability occurs in Modes 1 or 2, the Conditions for Modes 1 and 2 are entered. Completion times must be met unless the Condition is exited by restoring the inoperable channel to OPERABLE or by entry into Mode 3.

A note must so specify if any Required Action must be completed after a Condition is no longer applicable. Upon entry into Mode 3, the Conditions for Modes 3, 4, and 5 must be entered and completions times start upon entry into the Condition. If a Completion Time starts with initial inoperability of the channel, a note is required to so specify.When the number of inoperable channels in a trip Function exceed those specified in one or other related Conditions associated with a trip Function, then the unit is outside the safety analysis. Therefore, LCO3.0.3 must be immediately entered if applicable in the current MODE of operation.

A.1ConditionA applies to all RTS protection Functions. ConditionA addresses the situation where one or more required channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer

to Table3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are th ose from the referenced Conditions and Required Actions.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-31Revision 62 ACTIONS (continued)

B.1 and B.2ConditionB applies to the Manual Reactor Trip in MODE1 or2. This action addresses the train orientation of the SSPS for this Function. With one channel inoperable, the inoperable channel must be restored to OPERABLE status within 48hours. In this Co ndition, the remaining OPERABLE channel is adequate to perform the safety function.The Completion Time of 48hours is reasonable considering that there are two automatic actuation trains and another manual initiation channel OPERABLE, and the low probability of an event occurring during this interval.If the Manual Reactor Trip Function cannot be restored to OPERABLE status within the allowed 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6additional hours (54hours total time). The 6additional hours to reach MODE3 are reasonable, based on operating experience, to reach MODE3 from full power operation in an orderly manner and without challenging unit systems. With the unit in MODE3, Condition C is entered if the Manual Reactor trip function has not been restored and the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.C.1, C.2.1 and C.2.2ConditionC applies to the following reactor trip Functions in MODE3, 4, or5 with the Rod Control System capable of rod withdrawal or one or more rods

not fully inserted:*Manual Reactor Trip;

  • RTBs;*RTB Undervoltage and Shunt Trip Mechanisms; and*Automatic Trip Logic.This action addresses the train orientation of the SSPS for these Functions. With one channel or train inoperable, the inoperable channel or train must be restored to OPERABLE status within 48hours. If the affected Function(s) cannot be restored to OPERABLE status within the allowed 48hour (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-32Revision 62ACTIONSC.1, C.2.1 and C.2.2 (continued)Completion Time, the unit must be placed in a MODE in which the requirement does not apply. To achieve this status, action must be initiated within the same 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to fully insert all rods and the Rod Control System be rendered incapable of rod withdr awal within the next hour (e.g., by de-energizing all CRDMs, by opening the RTBs, or de-energizing the motor generator (MG) sets). The additional hour provides sufficient time to accomplish the action in an orderly manner. In this condition, these

Functions are no longer required.

The Completion Time is reasonable cons idering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function, and given the low probability of an event occurring during this interval.ConditionC is modified by a Note stating that while the LCO is not met in MODE 5 making the Rod Control System capable of rod withdrawal is not permitted for Functions 19, 20, or 21. This Note specifies an exception to LCO3.0.4 and avoids placing the plant in a condition where control rods can be withdrawn while the reactor trip system is degraded.D.1.1, D.1.2, and D.2ConditionD applies to the Power Range Neutron Flux-High Function.With one of the NIS power range detectors inoperable, 1/4 of the radial power distribution monitoring capability is lost. Therefore, SR 3.2.4.2 must be performed (Required Action D.1.1) within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> of THERMAL POWER exceeding 75% RTP and once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter. If reactor power decreases to <

75% RTP, the measurement of both Completion Times for Required Action D.1.1 stops and SR 3.2.4.2 is no longer required.

Completion Time tracking recommences upon reactor power exceeding 75% RTP. Calculating QPTR every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> compensates for the lost monitoring capability due to the inoperable NIS power range channel and allows continued plant operation at power levels > 75% RTP. At power levels <

75% RTP, operation of the core with radial power distributions beyond the design limits, at a power level where DNB conditions may exist, is prevented.

The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Completion Time is consistent with the SR 3.2.4.2 Frequency in LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)."Required Action D.1.1 has been modified by a Note which only requires SR 3.2.4.2 to be performed if the P ower Range Neutron Flux input QPTR becomes inoperable. Failure of a co mponent in the Power Range Neutron Flux Channel which renders the High Flux Trip Function inoperable may not (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-33Revision 62ACTIONSD.1.1, D.1.2, and D.2 (continued)affect the capability to monitor QPTR. As such, determining QPTR using the movable incore detectors or an OPERABLE PDMS once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> may not be necessary.The NIS power range detectors provide input to the CRD System and, therefore, have a two-out-of-four trip logic. A known inoperable channel must be placed in the tripped condition. This results in a partial trip condition requiring only one-out-of-three logic for actuation. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the trip ped condition is justified in WCAP-14333-P-A (Ref. 11).As an alternative to the above Actions, the plant must be placed in a MODE where this Function is no longer required OPERABLE. Seventy-eight (78) hours are allowed to place the plant in MODE 3. The 78-hour Completion Time includes 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> for channel corrective maintenance, and an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> for the MODE reduction as required by Required Action D.2. This is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. If Required Actions cannot be completed within their allowed Completion Times, LCO 3.0.3 must be entered.The Required Actions are modified by a Note that allows placing one channel in bypass for 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing, and setpoint adjustments when a setpoint reduction is required by other

Technical Specifications. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 11.E.1 and E.2ConditionE applies to the following reactor trip Functions:

  • Power Range Neutron Flux-Low;
  • Overtemperature N-16;
  • Power Range Neutron Flux-High Positive Rate;
  • Pressurizer Pressure-High; and
  • SG Water Level-Low Low.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-34Revision 62ACTIONSE.1 and E.2 (continued)

A known inoperable channel must be placed in the tripped condition within 72hours. Placing the channel in the tripped condition results in a partial trip condition requiring only one-out-of-two logic for actuation of the two-out-of-three trips and one-out-of-three logic for actuation of the two-out-of-four trips. The 72hours allowed to place the inoperable channel in the tripped condition is justified in Reference11

.If the operable channel cannot be placed in the trip condition within the specified Completion Time, the unit must be placed in a MODE where these Functions are not required OPERABLE. An additional 6hours is allowed to place the unit in MODE3. Six hours is a reasonable time, based on operating experience, to place the unit in MODE3 from full power in an orderly manner and without challenging unit systems.The Required Actions have been modified by a Note that allows placing one channel in bypass for up to 12hou rs while performing routine surveillance testing. The 12hour time limit is justified in References8 and 11

.F.1 and F.2ConditionF applies to the Intermediate Range Neutron Flux trip when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint and one channel is inoperable. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. If THERMAL POWER is greater than the P-6 setpoint but less than the P-10 setpoint, 24hours is allowed to reduce THERMAL POWER below the P-6 setpoint or increase to THERMAL POWER above the P-10 setpoint. The NIS Intermediate Range Neutron Flux channels must be OPERABLE when the power level is above the capability of the source range, P-6, and below the capability of the power range, P-10. If THERMAL POWER is greater than the P-10 set point, the NIS power range detectors perform the monitoring and protection functions and the intermediate range is not required. The Completion Ti mes allow for a slow and controlled power adjustment above P-10 or below P-6 and take into account the redundant capability afforded by the redundant OPERABLE channel, the overlap of the Power Range detectors, and the low probability of its failure during this period. This action does not requir e the inoperable channel to be tripped because the Function uses one-out-of-two logic. Tripping one channel would trip the reactor. Thus, the Required Actions specified in this Condition are only applicable when channel failure does not result in reactor trip.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-35Revision 62 ACTIONS (continued)G.1 and G.2ConditionG applies to two inoperable Inte rmediate Range Neutron Flux trip channels in MODE2 when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint. Required Actions specified in this Condition are only applicable when channel failures do not result in reactor trip. Above

the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. With no intermediate range channels OPERABLE, the Required Actions are to suspend operations

involving positive reactivity additions immediately. This action will preclude any power level increase since there are no OPERABLE Intermediate Range Neutron Flux channels. The operator must also reduce THERMAL POWER below the P-6 setpoint within two hours.

This action may require the use of the NIS source range channels or the neutron flux channels discussed in LCO 3.3.3, with action to reduce power below the count rate equivalent to the P-6 setpoint.

Below P-6, the Source Range Neutron F lux channels will be able to monitor the core power level. The Completion Time of 2hours will allow a slow and controlled power reduction to less than the P-6 setpoint and takes into account the low probability of occurrence of an event during this period that may require the protection afforded by the NIS Intermediate Range Neutron

Flux trip. Required Action G.1 is modified by a Note to indicate that normal plant control operations that individually add limited positive reactivity (e.g.,

temperature or boron concentration fluctuations associated with RCS inventory or chemistry management or temperature control) are not precluded by this Action, provided the SDM limits specified in the COLR are met and the requirements of LCOs 3.1.5 , 3.1.6 , and 3.4.2 are met.H.1 Not Used.

I.1ConditionI applies to one inoperable Source Range Neutron Flux trip channel when in MODE2, below the P-6 setpoint. With the unit in this Condition, the NIS source range performs the monitoring and protection functions. With one of the two channels inoperable, operations involving positive reactivity additions shall be suspended immediately.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-36Revision 62ACTIONSI.1 (continued)This action will preclude any power escalation. With only one source range channel OPERABLE, core protection is severely reduced and any actions that add positive reactivity to the core must be suspended immediately.Required Action I.1 is modified by a Note to indicate that normal plant control operations that individually add limited positive reactivity (e.g.,

temperature or boron concentration fluctuations associated with RCS inventory or chemistry management or temperature control) are not precluded by this Action, provided the SDM limits specified in the COLR are met, the requirements of LCOs 3.1.5 , 3.1.6 , and 3.4.2 are met, and the initial and critical boron concen tration assumptions in FSAR Section 15 are satisfied.

J.1ConditionJ applies to two inoperable Source Range Neutron Flux trip channels when in MODE2, below the P-6 setpoint, or in MODE3, 4, or5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted. With the unit in this Condition, below P-6, the NIS source range performs the protection functions. With both source range channels inoperable, the RTBs must be opened immediately. With the RTBs open, the core is in a more stable condition.K.1, K.2.1 and K.2.2ConditionK applies to one inoperable source range channel in MODE3, 4, or5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted. With the unit in this Condition, belowP-6, the NIS source range performs the protection functions. With one of the source range channels inoperable, 48hours is allowed to restore it to an OPERABLE status. If the channel cannot be returned to an OPERABLE status, action must be initiated within the same 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to fully insert all rods. 1additional hour is allowed to fully insert all rods and place the Rod Control System in a condition incapable of rod withdrawal (e.g., by de-energizing all CRDMs, by opening the RTBs, or de-energizing the motor generator (MG) sets). Once these ACTIONS are completed, the core is in a more stable condition. The allowance of 48hours to restore the channel to OPERABLE status, and the additional hour to place the Rod Control System in a condition incapable of rod withdrawal, are reasonable considering the other source range channel remains OPERABLE to perform the safety function and given the low probability of an event occurring during this interval. Normal plant control operations that individually add limited positive(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-37Revision 62ACTIONSK.1, K.2.1 and K.2.2 (continued)reactivity (i.e., temperature or boron concentration fluctuations associated with RCS inventory or chemistry management or temperature control) are permitted provided the ADM limits specified in the COLR are met and the initial and critical boron concentration assumptions in FSAR Section 15 are satisfied.

L.1 Not Used.M.1 and M.2ConditionM applies to the following reactor trip Functions:*Pressurizer Pressure-Low;*Pressurizer Water Level-High;*Reactor Coolant Flow-Low;*Undervoltage RCPs; and*Underfrequency RCPs.

With one channel inoperable, the inoperable channel must be placed in the tripped condition within 72hours. For the Pressurizer Pressure-Low, Pressurizer Water Level-High, Undervotage RCPs, and Underfrequency RCPs trip Functions, placing the ch annel in the tripped condition when above the P-7 setpoint results in a partial trip condition requiring only one additional channel to initiate a reactor trip. For the Reactor Coolant Flow - Low trip Function, placing the channel in the tripped condition when above the P-8 setpoint results in a partial trip condition requiring only one additional channel in the same loop to initiate a reactor trip. Two tripped channels in two RCS loops are required to initiate a reactor trip when below the P-8 setpoint and above the P-7 setpoint.

These Functions do not have to be OPERABLE below the P-7 setpoint because there are no loss of flow trips below the P-7 setpoint. There is insufficient heat production to generate DNB conditions below the P-7 setpoint. The 72hours allowed to place the channel in the tripped condition is justified in Reference11. An additional 6hours is allowed to reduce TH ERMAL POWER to below P-7 if the inoperable channel cannot be restored to OPERABLE status or placed in trip within the specified Completion Time. (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-38Revision 62ACTIONSM.1 and M.2 (continued)Allowance of this time interval takes into consideration the redundant capability provided by the remaining redundant OPERABLE channel, and the low probability of occurrence of an event during this period that may require the protection afforded by the Functions associated with ConditionM.The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12hou rs while performing routine surveillance testing. The 12hour time limit is justified in References 8 and 11

.N.1 Not Used. O.1 and O.2Condition O applies to Turbine Trip on Low Fluid Oil Pressure. With one channel inoperable, the inoperable channel must be placed in the trip condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. If placed in the tripped condition, this results in a partial trip condition requiring only one additional channel to initiate a reactor trip. If the channel cannot be restored to OPERABLE status or placed in the trip condition, then power must be reduced below the P-9 setpoint within the next 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition and the 4 ho urs allowed for reducing power are justified in Reference 11

.The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hou rs while performing routine surveillance testing. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 11

.P.1 and P.2ConditionP applies to Turbine Trip on Turbine Stop Valve Closure. With one or more channels inoperable, the inoperable channel(s) must be placed in the trip condition within 72hours. If placed in the tripped condition, this results in a partial trip condition. For the Turbine Trip on Turbine Stop Valve Closure function, four of four channels are required to initiate a reactor trip; hence, more than one channel may be placed in trip. If the channels cannot be restored to OPERABLE status or placed in the trip condition, then power must be reduced below the P-9 setpoint within the next 4hours. The 72hours allowed to place the inoperable channels in the tripped condition and the 4hours allowed for reducing power are justified in Reference11

.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-39Revision 62 ACTIONS (continued)Q.1 and Q.2ConditionQ applies to the SI Input from ESFAS reactor trip and the RTS Automatic Trip Logic in MODES1 and2. These actions address the train orientation of the RTS for these Func tions. With one train inoperable, 24hours are allowed to restore the train to OPERABLE status (Required ActionQ.1) or the unit must be placed in MODE3 within the next 6hours. The Completion Time of 24hours (Required ActionQ.1) is reasonable considering that in this Conditi on, the remaining OPERABLE train is adequate to perform the safety function and given the low probability of an event during this interval. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed to restore the inoperable train to OPERABLE status is justified in Reference11. The Completion Time of 6hours (Required ActionQ.2) is reasonable, based on operating experience, to reach MODE3 from full power in an orderly manner and without challenging unit systems.The Required Actions have been modified by a Note that allows bypassing one train up to 4hours for surveillance testing, provided the other train is OPERABLE.Consistent with the requirement in Reference 11 to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when a logic train is inoperable for maintenance are included (note that these restrictions do not apply when a logic train is being tested under the 4-hour bypass Note of Condition Q). Entry into Condition Q is not a typical, pre-planned evolution during power operation, other than for surveillance testing. Since Condition Q is typically entered due to equipment failure, it follows that some of the following restrictions may not be met at the time of Condition Q entry. If this situation were to occur during the 24-hour Completion Time of Required Action Q.1, the Configuration Risk Management Program will assess the emergent condition and direct activities to restore the inoperable logic train and exit Condition Q or fully implement these restrictions or perform a plant shutdown, as appropriate from a risk management perspective. The following restrictions will be observed:*To preserve ATWS mitigation capability, activities that degrade the availability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a logic train is inoperable for maintenance.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-40Revision 62ACTIONSQ.1 and Q.2 (continued)*To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained when a logic train is inoperable for maintenance.*To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train to be unavailable and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable for maintenance.*Activities on electrical systems (e.g., AC and DC power) and cooling systems (e.g., station service water and component cooling water) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable for maintenance. That is, one complete train of a function that supports a complete train of a function noted above must be available.

R.1 and R.2ConditionR applies to the RTBs in MODES1 and2. These actions address the train orientation of the RTS for the RTBs. With one train inoperable, 24hours are allowed for train corrective maintenance to restore the train to OPERABLE status or the unit must be placed in MODE3 within the next 6hours. The 24hour Completion Time is justified in Reference 12. The Completion Time of 6hours is reasonable, based on operating experience, to reach MODE3 from full power in an orderly manner and without challenging unit systems. Placing the unit in MODE3 result s in Condition C entry if one RTB train is inoperable. The Required Actions have been modified by a Note. The Note allows one channel to be bypassed for up to 4hours for surveillance testing or maintenance provided the other channel is OPERABLE. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> time

limit is justified in reference 11

.Consistent with the requirement in Reference 12 to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when a RTB train is inoperable for maintenance are included (note that these restrictions do not apply when a RTB train is being tested under the 4-hour bypass Note for TS 3.3.1 Condition R). Entry into Condition R is not a typical, pre-planned evolution during power operation, other than for surveillance testing. Since Condition R is typically entered due to equipment failure, it follows that some of the following Tier 2 restrictions may not be met at the time of Condition R(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-41Revision 62ACTIONSR.1 and R.2 (continued)entry. If this situation were to occur during the 24-hour Completion Time of Required Action R.1, the Configuration Risk Management Program will assess the emergent condition and direct activities to restore the inoperable RTB train and exit Condition R or fully implement these restrictions or

perform a plant shutdown, as appropriate from a risk management perspective. The following restrictions will be put in place:*The probability of failing to trip the reactor on demand will increase when a RTB is removed from service, therefore, systems designed for mitigating an ATWS event should be maintained available. RCS pressure relief (pressurizer PORVs and safeties), auxiliary feedwater flow (for RCS heat removal), AMSAC, and turbine trip are important to alternate ATWS mitigation. Therefore, activities that degrade the availability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should be scheduled when a RTB train is inoperable for

maintenance.*Due to the increased dependence on the available reactor trip train when one logic train or one RTB train is inoperable for maintenance, activities that degrade other components of the RTS, including master relays or slave relays, and activities that cause analog channels to be unavailable, should not be scheduled when a logic train or RTB is inoperable for maintenance.*Activities on electrical systems (e.g., AC and DC power) and cooling systems (e.g., station service water and component cooling water) that support the systems or functions listed in the first two bullets should not be scheduled when a RTB train is inoperable for maintenance. That is, one complete train of a function that supports a complete train of a function noted above must be available.

S.1 and S.2ConditionS applies to the P-6 and P-10 interlocks. With one or more required channel(s) inoperable, the associated interlock must be verified to be in its required state for the existing unit condition within 1hour or the unit must be placed in MODE3 within the next 6hours. Verifying the interlock status manually, e.g., by observation of the permissive annunciator window, accomplishes the interlock's Function. The Completion Time of 1hour is based on operating experience and the minimum amount of time allowed for(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-42Revision 62ACTIONSS.1 and S.2 (continued)manual operator actions. The Completion Time of 6hours is reasonable, based on operating experience, to reach MODE3 from full power in an orderly manner and without challenging unit systems. The 1hour and 6hour Completion Times are equal to the time allowed by LCO3.0.3 for shutdown actions in the event of a complete loss of RTS Function.T.1 and T.2ConditionT applies to the P-7, P-8, P-9, and P-13 interlocks. With one or more channel(s) inoperable, the associated interlock must be verified to be

in its required state for the existing unit condition by observation of the permissive annunciator window within 1hour or the unit must be placed in MODE2 within the next 6hours. These actions are conservative for the case where power level is being raised. Verifying the interlock status manually accomplishes the interlock's Fu nction. The Completion Time of 1hour is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6hours is reasonable, based on operating experience, to reach MODE2 from full power in an orderly manner and without challenging unit systems.

U.1 and U.2ConditionU applies to the RTB Undervoltage and Shunt Trip Mechanisms, or diverse trip features, in MODES1 and2. With one of the diverse trip features inoperable, it must be restored to an OPERABLE status within 48hours or the unit must be placed in a MODE where the requirement does not apply. This is accomplished by placing the unit in MODE3 within the next 6hours (54hours total time). The Completion Time of 6hours is a reasonable time, based on operating experience, to reach MODE3 from full power in an orderly manner and without challenging unit systems. With the unit in MODE3, Condition C is entered if the Reactor Trip Breaker trip mechanism has not been restored and the Rod Control System is

capable of rod withdrawal or one or more rods are not fully inserted. The affected RTB shall not be bypassed while one of the diverse features is inoperable except for the time required to perform maintenance to one of the diverse features as described in ConditionR.The Completion Time of 48hours for Required ActionU.1 is reasonable considering that in this Condition there is one remaining diverse feature for the affected RTB, and one OPERABLE RTB capable of performing the safety function and given the low probability of an event occurring during this interval.(continued)

RTS Instrumentation B 3.3.1 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.3-43Revision 62SURVEILLANCE REQUIREMENTS The SRs for each RTS Function are identified by the SRs column of Table3.3.1-1 for that Function.

A Note has been added to the SR Table stating that Table3.3.1-1 determines which SRs apply to which RTS Functions. Note that each channel of process protection supplies both trains of the RTS. When testing ChannelI, TrainA and TrainB must be examined. Similarly, TrainA and TrainB must be examined when testing ChannelII, ChannelIII, and ChannelIV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

SR 3.3.1.1Performance of the CHANNEL CHECK once every 12hours ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is

normally a comparison of the parame ter indicated on one channel to a similar parameter on other channels. It is based on the assumption that

instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus , it is key to verifying that the instrumentation continues to operate properly between each CHANNEL

CALIBRATION.Agreement criteria are determined by the unit staff based on a combination of the channel instrument uncertaint ies, including indicat ion and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays

associated with the LCO required channels.

SR 3.3.1.2SR3.3.1.2 compares the calorimetric heat balance calculation to the NIS and N-16 power indications every 24hours. If the calorimetric exceeds the NIS or N-16 power indications by more than +2% RTP, the affected NIS and N-16 functions are not declared inoperable, but the channel gains must be adjusted consistent with the calorimetric power. If the NIS or N-16 channel

outputs cannot be properly adjusted, the channel is declared inoperable.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-44Revision 62SURVEILLANCE REQUIREMENTS SR 3.3.1.2 (continued)

If the NIS and N-16 power indications are normalized to within 2% RTP of the calorimetric power, and reactor power is then reduced, the NIS power indication will be lower than actual due to downcomer temperature shielding and neutron flux redistribution effects. The N-16 power indication will not be influenced by these effects. If a calorimetric measurement is then performed, using the Leading Edge Flow Meter (LEFM) to determine the feedwater flow, the NIS power indication may be normalized to the

calorimetric power. Upon a subsequent return to near full power, the NIS power indication may become higher than actual due to the same downcomer temperature shielding and neu tron flux redistribution effects. Again, the N-16 power indication will not be influenced by these effects. The uncertainty associated with the calorimetric power measurement using the LEFM is independent of the reactor power level down to less than 20% RTP. However, if the LEFM is una vailable, and the ca lorimetric power measurement is performed using the feedwater venturis as the source of the feedwater flow information, additional considerations are required.If the venturi-based calorimetric is performed at reduced power (<55% RTP), adjusting the Power Range indication in the increasing power direction will assure a reactor trip below the safety analysis limit. Making no adjustment to the Power Range channel in the decreasing power direction due to a reduced power venturi-based calorimetri c assures a reactor trip consistent with the safety analyses. Based on plant calculations, 55% RTP is the lowest power at which the calorimetric uncertainty, performed with the feedwater venturis and the precisio n set of transmitters, results in an uncertainty of less than 2%.

This allowance does not preclude making indicated power adjustments, if desired, when the venturi-based calorimetric heat balance calculation is less than the NIS or N-16 channel outputs. To provide close agreement between indicated power and to preserve operating margin, the NIS and N-16 power indications are normally adjusted when operating at or near full power during steady-state conditions. However, discretion must be exercised if the NIS or N-16 power indications are adjusted in the decreasing power direction based

on a reduced power venturi-based calorimetric (<55% RTP). This action may introduce a non-conservative bias at higher power levels which may result in a reactor trip above the safety analysis limit. The most significant cause of the potential non-conservative bias is the decreased accuracy of the venturi-based calorimetric measurement at reduced power conditions. The primary error contributor to the instrument uncertainty for a secondary

side venturi-based power calorimetric measurement is the feedwater flow measurement, which is a differential pressure (P) measurement across a(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-45Revision 62SURVEILLANCE REQUIREMENTS SR 3.3.1.2 (continued)feedwater venturi. While the measurement uncertainty remains constant in P as power decreases, when translated into flow, the uncertainty increases as a square term. Thus, a 1% flow error at 100% power can approach a 10% flow error at 30% RTP event though the P error has not changed.An evaluation of extended operations at reduced power conditions would likely conclude that it is prudent to ad ministratively adjust the setpoint of the Power Range Neutron Flux - High bistables to <

90% RTP when: 1) the Power Range channel output is adjusted in the decreasing power direction due to a reduced power venturi-based calorimetric below 55% RTP; or 2) for a post refueling startup (consistent with the Bases for SR 3.4.1.4). The evaluation of extended operation at reduced power conditions would also likely conclude that the potential need to adjust the indication of the Power Range Neutron Flux in the decreasing power direction is quite small, primarily to address operation in the intermediate range about P-10 (nominally 10% RTP) to allow enabling of the Power Range Neutron Flux - Low setpoint and the Intermediate Range Neutron Flux reactor trips. Before the Power Range Neutron Flux - High bistables are reset to their nominal value high setpoint, the NIS or N-16 p ower indication adjustment must be confirmed based on LEFM-based calorimetric or on a venturi-based

calorimetric performed at > 55% RTP. The Note clarifies that this Surveillance is required only if reactor power is 15%RTP and that 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed for performing the first Surveillance after reaching 15%RTP. A power level of 15% RTP is chosen based on plant stability; i.e., the turbine generator is synchronized to the grid and rod control is in the automatic mode. The 24-hour allowance after increasing THERMAL POWER above 15% RTP provides a reasonable time to attain a scheduled power plateau, es tablish the requisite conditions, perform the required calorimetric measurement and make any required adjustments in a controlled, orderly manner and without introducing the potential for extended op eration at high power levels with instrumentation that has not been verified to be acceptable for subsequent use. The Frequency of every 24hours is ade quate. It is based on unit operating experience, considering instrument reliability and operating history data for instrument drift. Together these factors demonstrate that a difference of more than +2% RTP between the calorimetric heat balance calculation and

NIS Power Range channel output or N-16 Power Monitor output is not expected in any 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period.In addition, control room operators periodically monitor redundant indications and alarms to detect deviations in channel outputs.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-46Revision 62SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.3SR3.3.1.3 compares the incore system to the NIS channel output every 31EFPD. If the absolute difference is 3%, the NIS channel is still OPERABLE, but must be readjusted.

The excore NIS channel shall be adjusted if the absolute difference between the incore and excore AFD is >

3%.If the NIS channel cannot be properly readjusted, the channel is declared inoperable. This Surveillance is performed to verify the f(q) input to the overtemperature N-16 Function.

A Note clarifies that the Surveillance is required only if reactor power is 50% RTP and that 24hours is allowed for performing the first Surveillance after reaching 50% RTP. The Note allows power ascensions and associated testing to be conducted in a controlled and orderly manner, at conditions that provide acceptable results and without introducing the potent ial for extended operation at high power levels with instrumentation that has not been verified to be OPERABLE. Due to such effects as shadowing from the relatively deep control rod insertion and, to a lesser extent, the dependency of the axially-dependent radial leakage on the power level, the relationship between the incore and excore indications of axial flux difference (AFD) at lower power levels is variable. Thus, it is acceptable to defer the calibration of the excore AFD against the incor e AFD until more stable conditions are attained (i.e, withdrawn control rods and a higher power level). The AFD is used as an input to the Overtemperature N-16 reactor trip function and for assessing compliance with LCO 3.2.3, "Axial Flux Difference." Due to the DNB benefits gained by administratively restricting the power level to 50%

RTP, no limits on AFD are imposed below 50% RTP by LCO 3.2.3; thus, the proposed change is consistent with the LCO 3.2.3 requirements below 50% RTP. Similarly, sufficient DNB margins are realized through operation below 50% RTP that the intended function of the Overtemperature N-16 reactor trip function is maintained, even though the excore AFD indication may not exactly match the incore AFD indication. Based on plant operating experience, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is a reasonable time frame to limit operation above 50% RTP while completing the procedural steps associated with the surveillance in an orderly manner.The Frequency of every 31EFPD is adequate. It is based on unit operating experience, considering instrument reliability and operating history data for instrument drift. Also, the slow changes in neutron flux during the fuel cycle can be detected during this interval.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-47Revision 62SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.4SR3.3.1.4 is the performance of a TADOT every 62days on a STAGGERED TEST BASIS. This test shall verify OPERABILITY by actuation of the end devices. The RTB test shall include separate verification of the undervoltage and shunt trip mechanisms. Independent verification of RTB undervoltage and shunt trip Function is not required for the bypass breakers. No capability is provided for performing such a test at power. The independent test for bypass breakers is included in SR3.3.1.14. The bypass breaker test shall include a local manual shunt trip. A Note has been added to indicate that this test must be performed on the bypass breaker prior to placing it in service.The Frequency of every 62 days on a STAGGERED TEST BASIS is justified in Reference 12.

SR 3.3.1.5SR3.3.1.5 is the performance of an ACTUATION LOGIC TEST. The SSPS is tested every 92days on a STAGGERED TEST BASIS, using the semiautomatic tester. The train b eing tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic

tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. The Frequency of every 92days on a STAGGERED TEST BASIS is justified in Reference 12.

SR 3.3.1.6SR3.3.1.6 is a calibration of the excore channels to the core power distribution measurement. If the meas urements do not agree, the excore channels are not declared inoperable but must be calibrated to agree with the core power distribution measurements. If the excore channels cannot be adjusted, the channels are declared inoperable. This Surveillance is performed to verify the f(q) input to the overtemperature N-16 Function.A Note modifies SR3.3.1.6. The Note states that this Surveillance is required only if reactor power is 75% RTP and that 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is allowed for performing the first surveillance after reaching equilibrium conditions at a THERMAL POWER 75% RTP. The SR is deferred until a scheduled testing plateau above 75% is attained during the post-outage power ascension. During a typical post-refueling power ascension, it is usually necessary to control the axial flux difference at lower power levels through control rod insertion. Due to rod s hadowing effects and, to a lesser degree, (continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-48Revision 62SURVEILLANCE REQUIREMENTS SR 3.3.1.6 (continued)the dependency of the axially-dependent radial leakage on the power level, the incore-excore AFD relationship well below 75% RTP may differ excessively from the incore-excore axial flux difference relationship at full power. Excore calibration adjustments should be based on the incore-

excore multipoint relationship established above 75% RTP by use of the developed calibration standard equations or by initiating an AFW swing and performing a direct multipoint measurement. After equilibrium conditions are achieved at the specified power plateau, a full core flux map must be taken, and the required data collected. The data is typically analyzed and the appropriate excore calibrations are completed within 48hours after achieving equilibrium conditions. An additional time allowance of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is provided during which the effects of equipment failures may be remedied and any required re-testing may be performed.The allowance of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after equilibrium conditions are attained at the testing plateau provides sufficient time to allow p ower ascensions and associated testing to be conducted in a controlled and orderly manner, at conditions that provide acceptable results and without introducing the potential for extended oper ation at high power leve ls with instrumentation that has not been verified to be acc eptable for subsequent use. The benefit gained by operating at reduced power level s is sufficient to offset potential differences between the incore and excore indications of q prior to completion of this surveillance.The Frequency of 92EFPD is adequate. It is based on industry operating experience, considering instrument reliability and operating history data for instrument drift.

SR 3.3.1.7SR3.3.1.7 is the performance of a COT every 184days. A COT is performed on each required channel to ensure the channel will perform the

intended Function. Setpoints must be within the Allowable Values specified in Table3.3.1-1

.SR 3.3.1.7 is modified by two Notes. Note 1 provides a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> delay in the requirement to perform this Surveillance for source range instrumentation when entering MODE 3 from MODE 2. This Note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.1.7 is no longer required to be performed. If the unit is to be in MODE 3 with the RTBs closed for > 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> this Surveillance must be performed prior to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after entry into MODE 3. Note2 requires that the quarterly COT for the source range instrumentation include verification by observation of the associated permissive annunciator(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-49Revision 62SURVEILLANCE REQUIREMENTS SR 3.3.1.7 (continued)window that the P-6 and P-10 interlocks are in their required state for the existing unit conditions.

SR 3.3.1.7 for selected Functions is also modified by two Notes (q and r) as identified in Table 3.3.1-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note (q) requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the

Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the Nominal Trip Setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. This second Note (r) requirement identifies the Limited Safety System Setting and allows an independent verification that the Allowable Value is the appropriate least conservative as-found value during SR testing.The Frequency of 184days is justified in Reference12

.SR 3.3.1.8SR3.3.1.8 is the performance of a COT as described in SR3.3.1.7, and it is modified by the same Note that this test shall include verification that the P-6 and P-10 interlocks are in their required state for the existing unit conditions. The Frequency is modified by a Note that allows this surveillance to be satisfied if it has been performed e.g., by observation of the associated permissive annunciator window, within 184 days of the Frequencies prior to reactor startup, up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reducing power below P-10, and four hours after reducing power below P-6, as discussed below. The Frequency of "prior to startup" ensures this surveillance is performed prior to critical

operations and applies to the source, intermediate and power range low instrument channels. The Frequency of "12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reducing power(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-50Revision 62SURVEILLANCE REQUIREMENTS SR 3.3.1.8 (continued)below P-10" (applicable to intermediate and power range low channels) and "4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after reducing power below P-6" (applicable to source range channels) allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency of every 184 days thereafter applies if the plant remains in the MODE of Applicability

after the initial performances of prior to reactor startup, 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reducing power below P-10, and four ho urs after reducing power below P-6. The MODE of Applicability for this surveillance is < P-10 for the power range low and intermediate range channels and < P-6 for the source range channels. Once the unit is in MODE 3, this surveillance is no longer required. If power is to be maintained

< P-10 for more than 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> or < P-6 for more than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, then the testing required by this surveillance must be performed prior to the expiration of the 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> or 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> limit, as

applicable. These time limits are reasonable, based on operating

experience, to complete the required test ing or place the unit in a MODE where this surveillance is no longer required.

This test ensures that the NIS source, intermediate, and power range low channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE

(< P-10 or < P-6) for the periods discussed above. The Frequency of 184

days is justified in Reference 12.SR 3.3.1.9SR3.3.1.9 is the performance of a TADOT and is performed every 92days, as justified in Reference5

.This SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to RCP undervoltage and underfrequency relays, setpoint verification requires elaborate bench calibration and is accomplished during the CHANNEL CALIBRATION.SR3.3.1.10A CHANNEL CALIBRATION is performed every 18months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured para meter within the nec essary range and accuracy.

This SR is modified by Note 1 stating that N-16 detectors are excluded from the CHANNEL CALIBRATION because the unit must be in at least MODE1 to obtain N-16 indications. However, after achieving equilibrium conditions(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-51Revision 62SURVEILLANCE REQUIREMENTSSR3.3.1.10 (continued)in MODE 1, detector plateau curves should be obtained, evaluated and compared to manufacturer's data.CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the setpoint methodology.The Frequency of 18months is based on the assumption of an 18month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.SR3.3.1.10 is modified by Note 2 stating that this test shall include verification that the time constants are adjusted to the prescribed values where applicable. This surveillance does not include verification of time delay relays. These relays are verified via response time testing per SR3.3.1.16. Whenever an RTD is replaced in Functions 6 or 7, the next required CHANNEL CALIBRATION of the RTDs is accomplished by an inplace cross calibration that compares other sensing elements with the recently installed element.The SR is modified by Note 3 stating that, prior to entry into MODES 2 or 1, power and intermediate ra nge detector plateau verification is not required to be performed until 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after ac hieving equilibrium conditions with THERMAL POWER 90% RTP.SR 3.3.1.10 for selected Functions is also modified by two Notes (q and r) as identified in Table 3.3.1-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note (q) requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the

Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note (r) requires that the as-left setting for the instrument be returned to within the as-left tolerance of the Nominal Trip Setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-52Revision 62SURVEILLANCE REQUIREMENTSSR3.3.1.10 (continued)cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. This second Note (r) requirement identifies the Limited Safety System Setting and allows an independent verification that the Allowable Value is the appropriate least conservative as-found value during SR testing.

SR 3.3.1.11SR3.3.1.11 is the performance of a CHANNEL CALIBRATION, as described in SR3.3.1.10, every 18months. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. For the intermediate and power range channels, detector plateau curves are obtained, evaluated and compared to manufacturer's data. For the source range neutron detectors, performance data is obtained and evaluated. Note 3 states that, prior to entry into MODES 2 or 1, the power and intermediate range detector plateau voltage verification is not required to be current until 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after achieving equilibrium conditions with THERMAL POWER 90% RTP. Equilibrium conditions are achieved when the core is sufficiently stable at intended operating conditions to perform a meaningful detector plateau voltage verification. The allowance of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after equilibrium conditions are attained at the testing plateau provides sufficient time to allow power ascension testing to be conducted in a controlled and orderly manner at conditions that provide acceptable results and without introducing the potential fo r extended operation at high power levels with instrumentation that has not been verified to be OPERABLE for subsequent use. Operating experience has shown these components usually pass the Surveillance when performed on the 18month Frequency. SR3.3.1.11 is modified by Note 2 stating that this test shall include verification that the time constants are adjusted to the prescribed values where applicable. This surveillance does not include verification of time delay relays. These relays are verified via response time testing per SR3.3.1.16

.SR3.3.1.12 Not Used.SR 3.3.1.13SR3.3.1.13 is the performance of a COT of RTS interlocks every 18months.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-53Revision 62SURVEILLANCE REQUIREMENTS SR 3.3.1.13 (continued)The Frequency is based on the known reliability of the interlocks and the multichannel redundancy available, and has been shown to be acceptable through operating experience.SR3.3.1.14SR3.3.1.14 is the performance of a TADOT of the Manual Reactor Trip, and the SI Input from ESFAS, and the Reactor Trip Bypass Breaker undervoltage trip mechanisms. This TADOT is performed every 18months.

The Manual Reactor Trip TADOT shall independently verify the OPERABILITY of the handswitch undervoltage and shunt trip contacts for both the Reactor Trip Breakers and Reactor Trip Bypass Breakers. The Reactor Trip Bypass Breaker test shall include testing of the automatic

undervoltage trip mechanism.

The Frequency is based on the known reliability of the Functions and the multichannel redundancy available, and has been shown to be acceptable through operating experience.The SR is modified by a Note that excludes verification of setpoints from the TADOT. The Functions affected have no setpoints associated with them.SR3.3.1.15SR3.3.1.15 is the performance of a TADOT of Turbine Trip Functions. This TADOT is as described in SR3.3.1.4, except that this test is performed prior to exceeding the P-9 interlock whenever the unit has been in MODE 3. This Surveillance is not required if it has been performed within the previous 31days. Verification of the Trip Setpoint does not have to be performed for this Surveillance. Performance of this test will ensure that the turbine trip Function is OPERABLE prior to exceeding the P-9 interlock.

SR 3.3.1.16SR3.3.1.16 verifies that the individual channel/train actuation response times are less than or equal to the ma ximum values assumed in the accident analysis. The required trip initiation signals and acceptance criteria for response time testing are included in Technical Requirements Manual, (Ref.6). No credit was taken in the safety analyses for those channels with response time listed as N.A. No re sponse time testing requirements apply where N.A. is listed in the TRM. Individual component response times are not modeled in the analyses. The an alyses model the overall or total(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-54Revision 62SURVEILLANCE REQUIREMENTS SR 3.3.1.16 (continued)elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor until loss of stationary gripper coil voltage.For channels that include dynamic transfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer Function time constants set at their nominal values. Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be used for selected components provided

that the components and methodology fo r verification have been previously NRC approved. As appropriate, each channel's response time must be verified every 18months on a STAGGERED TEST BASIS. Each verification shall include at least one logic train such that both logic trains are verified at least once per 36 months. Testing of the final ac tuation devices is included in the testing. Some portions of the response time testing cannot be performed during unit operation because equipment operation is required to measure response times. Experience has shown that these components usually pass this surveillance when performed at the 18month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

Response time verification in lieu of actual testing may be performed on RTS

components in accordance with reference 10

.SR3.3.1.16 is modified by a Note stating that neutron and N-16 gamma detectors are excluded from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response. Response time of the neutron flux or N-16 signal portion of the channel shall be measured from detector output or input to the first electronic component in

the channel. SR 3.3.1.16 is applied to Power Neutron Flux Rate - High Positive Rate based on NSAL 09-01 [Ref. 14] in accordance with Administrative Letter 98-10.REFERENCES1.FSAR, Chapter7

.2.FSAR, Chapter15

.(continued)

RTS Instrumentation B 3.3.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-55Revision 62 REFERENCES (continued)3.IEEE-279-1971.4.10CFR50.49.

5.WCAP-10271-P-A, Supplement2, Rev.1, June1990.6.Technical Requirements Manual.7.Not Used.

8.WCAP-10271-P-A, Supplement 3, September 1990.9."Westinghouse Setpoint Methodology for Protection Systems Comanche Peak Unit 1, Revision 1," WCAP-12123, Revision 2, April, 1989.10."Elimination of Periodic Protection Channel Response Time Tests", WCAP-14036-P-A, Revision 1, October 6, 1998.11."Probabilistic Risk Analysis of the RTS and ESFAS Test Times and Completion Times," WCAP-14333-P-A, Revision 1, October 1998.12."Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," WCAP-15376-P-A, Revision 1, March 2003.13.Westinghouse letter WOG-06-17, "WCAP-10271-P-A Justification for Bypass Time and Completion Time Technical Specification Changes for Reactor Trip on Turbine Trip (ITSWG Action Item #314)," dated January 20, 2006.14.Westinghouse Nuclear Safety Advisory Letter (NSAL) 09-1, "Rod Withdrawal at Power Analysis for Reactor Coolant System Overpres-sure," February 4, 2009.

RTS Instrumentation B 3.3.1COMANCHE PEAK - UNITS 1 AND 2B 3.3-56Revision 62Table B 3.3.1-1 (Page 1 of 2)Reactor Trip System SetpointsFUNCTIONNOMINAL TRIP SETPOINT1.Manual Rector TripN/A 2.a.Power Range Neutron Flux, High109% RTP 2.b.Power Range Neutron Flux, Low 25% RTP 3.Power Range Neutron Flux Rate, High Positive Rate 5% RTP with a time constant 2seconds4.Intermediate Range Neutron Flux, High 25% RTP5.Source Range Neutron Flux, High 10 5 cps6.Overtemperature N-16See Note 1, Table3.3.1-17.Overpower N-16 112% RTP 8.a.Pressurizer Pressure, Low 1880 psig 8.b.Pressurizer Pressure, High2385 psig 9.Pressurizer Water Level - High 92% span 10.Reactor Coolant Flow - Low 90% of nominal flow 11.Not Used.

12.Undervoltage RCPs4830 volts 13.Underfrequency RCPs 57.2 Hz 14.Steam Generator Water Level - Low-Low38% NR (Unit 1) 35.4% NR (Unit 2)15.Not Used.

16.Turbine Tripa.Low Fluid Oil Pressure59 psig b.Turbine Stop Valve Closure1% open RTS Instrumentation B 3.3.1COMANCHE PEAK - UNITS 1 AND 2B 3.3-57Revision 62Table B 3.3.1-1 (Page 2 of 2)Reactor Trip System SetpointsFUNCTIONNOMINAL TRIP SETPOINT17.SI Input form ESFASNA18.Reactor Trip System Interlocksa.Intermediate Range Neutron Flux, P-6 1 x 10-10 ampsb.Low Power Reactor Trips Block, P-7NAc.Power Range Neutron Flux, P-848% of RTPd.Power Range Neutron Flux, P-950% of RTP e.Power Range Neutron Flux, P-1010% of RTPf.Turbine First Stage Pressure, P-1310% turbine power19.Reactor Trip BreakersNA 20.Reactor Trip Breaker Un dervoltage and Shunt Trip Mechanisms NA21.Automatic Trip LogicNA ESFAS Instrumentation B 3.3.2COMANCHE PEAK - UNITS 1 AND 2B 3.3-58Revision 62B 3.3 INSTRUMENTATIONB 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation BASESBACKGROUNDThe ESFAS initiates necessary safe ty systems, based on the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate

accidents.The ESFAS instrumentation is segmented into three distinct but interconnected modules as identified below:*Field transmitters or process sensors and instrumentation: provide a measurable electronic signal based on the physical characteristics of the parameter being measured;*Signal processing equipment including 7300 process Instrumentation and Control system, field contacts, and protection channel sets: provide signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous

indications; and*Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdown or engineered safety feature (ESF) actuation in accordance with the defined logic and based on the bistable outputs from the signal process control and protection system.The Allowable Value in conjunction with the trip setpoint and LCO establishes the threshold for ESFAS action to prevent exceeding acceptable limits such that the consequences of Design Basis Accidents (DBAs) will be

acceptable.The Allowable Value is considered a limiting value such that a channel is OPERABLE if the setpoint is found not to exceed the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). Note that, although the channel is OPERABLE under these circumstances, the ESFAS setpoint must be left adjusted to a value within the established calibration tolerance band of the ESFAS setpoint in accordance with the uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the allowances of the uncertainty terms

assigned.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-59Revision 62 BACKGROUND (continued)

Field Transmitters or SensorsTo meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure

unit parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS). In some cases, the same channels also provide control system inputs. To account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowanc es are provided in the Trip Setpoint and Allowable Values is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor as related to the channel behavior observed during performance of the CHANNEL CHECK.

Signal Processing EquipmentGenerally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. If the measured value of a unit parameter exceeds the

predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of- two logic.Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-60Revision 62 BACKGROUND (continued)These requirements are described in IEEE-279-1971 (Ref.4). The actual number of channels required for each unit parameter is specified in Reference2. Allowable Values and Trip SetpointsThe trip setpoints used in the bistables are based on the analytical limits stated in Reference3. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10CFR50.49 (Ref.5), the Allowable Values specified in Table3.3.2-1 in the accompanying LCO are conservative with respect to the analytical limits.

Detailed descriptions of the methodologies used to calculate the trip setpoints, including their explicit uncertainties, are provided in the setpoint calculations. The methodology to derive the trip setpoints is based upon combining all of the uncertainties in the channels. The essential elements of the methodology for all functions except 5b and 6c are described in Reference 9. Changes in accordance with this methodology have been reviewed by the staff in the original Unit 2 Technical Specifications and in several subsequent license amendments (e.g., amendments 21/7 and 22/8 to the Unit 1/Unit 2 Technical Specifications). The actual nominal ESFAS setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a COT.

The Allowable Value serves as the Technical Specification operability limit for the purpose of the COT. One example of such a change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.Setpoints adjusted consistent with the requirements of the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed.The ESFAS setpoint is the value at which the bistable is set and is the expected value to be achieved during calibration. The ESFAS setpoint value ensures the safety analysis limits are met for the time period of the surveillance interval when a channel is adjusted based on stated channel uncertainties. Any bistable is considere d to be properly adjusted when the "as left" setpoint value is within the band for CHANNEL CALIBRATION uncertainty allowance (i.e., +/-rack calibration + comparator setting

uncertainties). The ESF AS setpoint value of Table B3.3.2-1 is therefore (continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-61Revision 62 BACKGROUND (continued)considered a "nominal" value (i.e., expressed as a value without inequalities) for the purposes of COT and CHANNEL CALIBRATION for all functions except 5b and 6c. The methodology used to calculate the Nominal Trip Setpoints for Functions 5b and 6c in Table B 3.3.2-1 is the same basic square-root-sum-of-squares (SRSS) methodology with the inclusion of refinements to better reflect plant calibration practices and equipment performance. The actual Nominal Trip Setpoint entered into the bistable is more conservative than that specifie d by the Allowable Value to account for changes in random measurement errors detectable by a COT. If the measured setpoint does not exceed the Allowable Value, the bistable is

considered OPERABLE.

Each channel can be tested on line to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.The Allowable Values for Functions 5b and 6c in the accompanying LCO are based on the Nominal Trip Setpoints and are determined by subtracting (for low setpoint trips) or adding (for high setpoint trips) the rack calibration accuracy from/to the Nominal Trip Setpoint. The magnitudes of these uncertainties are factored into the determination of each Nominal Trip Setpoint. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty

magnitudes.Solid State Protection SystemThe SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements. The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the

main control room of the unit.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-62Revision 62 BACKGROUND (continued)

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those component s whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition.

Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.Each SSPS train has a built in testing device that can automatically test the decision logic matrix functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.The actuation of ESF components is accomplished through master and slave relays. The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely test ed to ensure operation.

The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the

slave relay.

APPLICABLE

SAFETY ANALYSES, LCO, and APPLICABILITYEach of the analyzed accidents can be detected by one or more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. For example, Pressurizer Pressure-Low is a primary actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment. Functions such as manual

initiation, not specifically credited in the accident safety analysis, are qualitatively credited. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that (continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-63Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)were credited in the accident analysis (Ref.3).The LCO requires all instrumentation performing an ESFAS Function to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.A channel is OPERABLE with a setpoint value outside its calibration tolerance band provided the trip setpoint "as-found" value does not exceed its associated Allowable Value and provided the trip setpoint "as-left" value is adjusted to a value within the calibration tolerance band of the Nominal Trip Setpoint except for functions 5b and 6c. Note (q) requires the instrument channel setpoint for a channel in these Functions to be reset to a value within the as-left setpoint tolerance band for that channel on either side of the Nominal Trip Setpoint, or to a value that is more conservative than the Nominal Trip Setpoint. The conservative direction is indicated by the direction of the inequality sign applied to the Nominal Trip Setpoint in Bases Table B 3.3.2-1. Setpoint restoration and post-test verification assure that the assumptions in the plant setpoint methodology are satisfied in order to protect the safety analysis limits. Note (q) preserves the safety analysis limits. If the channel can not be reset to a value within its as-left setpoint tolerance band, or to a value that is more conservative than the Nominal Trip Setpoint if required based on plant conditions, the channel shall be declared inoperable and the applicable Required Actions are taken. The methodology used to determine the as-left setpoint tolerance band is based on the square-root-sum-of-squares (SRSS) of the tolerances applicable to the instrument loop or sub-loop constituents being tested. A trip setpoint may be set more conservative than the Nominal Trip Setpoint as necessary in response to plant conditions.The LCO generally requires OPERABILITY of four or three channels in each instrumentation function and two channels in each logic and manual initiation function. The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped during mainte nance or testing without causing an ESFAS initiation. Two logic or manual initiation channels are required to ensure no single random failure disables the ESFAS. The required channels of ESFAS instrumentation provide unit protection in the event of any of the analyzed accidents. ESFAS protection functions are as follows:(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-64Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)1.Safety InjectionSafety Injection (SI) provides two primary functions:1.Primary side water addition to ensure maintenance or recovery of reactor vessel water level (e.g., coverage of the

active fuel for heat removal, clad integrity, and for limiting peak clad temperature to <2200°F); and2.Boration to ensure recovery and maintenance of SDM (k eff<1.0).These functions are necessary to mitigate the effects of certain high energy line breaks (HELBs) both inside and outside of containment as described in the FSAR [

Ref. 3]. The SI signal is also used to initiate other Functions such as:*PhaseA Isolation;*Containment Ventilation Isolation;

  • Start of component cooling water pumps;*Start of Containment Spray Pumps; and*Start of essential ventilation systems.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-65Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)These other functions ensure:*Isolation of nonessential systems through containment penetrations;*Trip of the turbine and reactor to limit power generation;

  • Isolation of main feedwater (MF W) to limit secondary side mass losses;*Start of AFW to ensure secondary side cooling capability;*Isolation of the control room to ensure habitability; and*Enabling ECCS suction from the refueling water storage tank (RWST) switchover on low low RWST level to ensure continued cooling via use of the containment sump.*Emergency loads for LOCA are properly sequenced and powered;*Essential cooling for ESF/ESF support equipment; and
  • Start of SSW and CCW systems to service safety-related systems.a.Safety Injection - Manual Initiation The LCO requires one channel per train to be OPERABLE. The operator can initiate SI at any time by using either of two switches in the control room. This action will cause actuation of all components in the same manner as any of the automatic actuation signals.The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained in the manual ESFAS actuation circuitry to ensure the operator has manual ESFAS initiation capability.Each channel consists of one handswitch and the interconnecting wiring to the ac tuation logic cabinet. Each handswitch actuates both trains. This configuration does not allow testing at power.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-66Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)b.Safety Injection - Automati c Actuation Logic and Actuation Relays This LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.Manual and automatic initiation of SI must be OPERABLE in MODES1, 2, and3. In these MODES, there is sufficient energy in the primary and secondary systems to warrant automatic initiation of ESF systems. Manual Initiation is also required in MODE4 even though automatic actuation is not required. In this MODE, ade quate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a SI, actuation is simplified by the use of the manual actuation switches. Automatic actuation logic and actuation relays must be OPERABLE in MODE4 to support system level

manual initiation.

These Functions are not required to be OPERABLE in MODES5 and6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to

mitigate the consequences of an abnormal condition or accident. Unit pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.c.Safety Injection - Containment Pressure-High 1This signal provides protection against the following accidents:*SLB inside containment;*LOCA; and*Feed line break inside containment.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-67Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Containment Pressure-High1 provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic.

The transmitters (d/p cells) and electronics are located outside of containment with the sensing line (high pressure side of the transmitter) located inside containment.Thus, the high pressure Function will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties.Containment Pressure-High1 must be OPERABLE in MODES1, 2, and3 when there is sufficient energy in the primary and secondary systems to pressurize the containment following a pipe break. In MODES4, 5, and6, there is insufficient energy in the primary or secondary systems to significantly pressurize the containment.d.Safety Injection - Pressurizer Pressure-LowThis signal provides protection against the following accidents:*Inadvertent opening of a steam generator (SG) relief or safety valve;*SLB;*A spectrum of rod cluster control assembly ejection accidents (rod ejection); *Inadvertent opening of a pressurizer relief or safety valve;*LOCAs; and

  • SG Tube Rupture.The pressurizer pressure provides both control and protection functions: input to the Pressurizer Pressure Control System, reactor trip, and SI. Therefore, the actuation logic must be able to withstand both an input failure to control system, which may then require the protection function actuation, and (continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-68Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) a single failure in the other chan nels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with a two-out-of-four

logic.The transmitters are located inside containment, with the taps in the vapor space region of the pressurizer, and thus possibly experiencing adverse environmental conditions (LOCA, SLB inside containment, rod ejection). Therefore, the Trip Setpoint reflects the inclusion of both steady state and adverse environmental instrument uncertainties.This Function must be OPERABLE in MODES1, 2, and3 (above P-11 and below P-11, unless the Safety Injection - Pressurizer Pressure-Low Function is blocked) to mitigate the

consequences of an HELB inside containment. This signal may be manually blocked by the operator below the P-11 setpoint. Automatic SI actuation below this pressure setpoint is then performed by the Containment Pressure-High1

signal.This Function is not required to be OPERABLE in MODE3 below the P-11 setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF systems in this MODE. In MODES4, 5, and6, this Function is not

needed for accident detection and mitigation.e.Safety Injection - Steam Line Pressure-LowSteam Line Pressure-Low provides protection against the following accidents:*SLB;*Feed line break; and*Inadvertent opening of an SG relief or an SG safety valve.Steam Line Pressure-Low provides no input to any control functions. Thus, three OPERABLE channels on each steam line are sufficient to satisfy the protective requirements with a two-out-of-three logic on each steam line.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-69Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)With the transmitters typically located inside the steam tunnels, it is possible for them to experience adverse environmental conditions during a secondary side break.

Therefore, the Trip Setpoint reflects both steady state and adverse environmental instrument uncertainties.This Function is anticipatory in nature and has a lead/lag ratio of 50/5.Steam Line Pressure-Low must be OPERABLE in MODES1, 2, and3 (above P-11 and below P-11, unless the Safety Injection - Steam Line Pressure-Low Function is blocked) when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11 setpoint. Below P-11, feed line break is not a concern. Inside containment SLB will be terminated by automatic SI actuation via Containment Pressure-High1, and outside containment SLB will be terminated by the Steam Line Pressure-Negative Rate-High signal for steam line isolation. This Function is not required to be OPERABLE in MODE4, 5, or6 because there is insufficient energy in the secondary side of the unit to be of concern.2.Containment Spray Containment Spray provides three primary functions:1.Lowers containment pressure and temperature after an HELB in containment;2.Reduces the amount of radioactive iodine in the containment atmosphere; and3.Adjusts the pH of the water in the containment recirculation sump after a large break LOCA.

These functions are necessary to:*Ensure the pressure boundary integrity of the containment structure;(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-70Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)*Limit the release of radioactive iodine to the environment in the event of a failure of the containment structure; and*Minimize corrosion of the components and systems inside containment following a LOCA.The containment spray actuation signal starts the containment spray pumps and aligns the discharge of the pumps to the containment spray nozzle headers in the upper levels of containment. Water is initially drawn from the RWST by the containment spray pumps and mixed with a sodium hydroxide solution from the spray additive tank. When the RWST reaches the empty level setpoint, the spray pump suctions are manually realigned to the containment sumps if continued containment spray is re quired. Containment spray is actuated by Containment Pressure-High3.a.Containment Spray - Manual Initiation The operator can initiate containment spray at any time from the control room by simultaneously turning two containment spray actuation switches in the same train. Because an inadvertent actuation of containment spray could have such

serious consequences, two switches must be turned simultaneously to initiate containment spray. There are two sets of two switches each in the control room.Simultaneously turning the two switches in either set will actuate containment spray in both trains in the same manner as the automatic actuation signal. Two Manual Initiation switches in each train are required to be OPERABLE to ensure no single failure disables the Manual Initiation Function. Note that Manual Initiation of containment spray also actuates PhaseB containment isolation.b.Containment Spray - Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function1.b.Manual and automatic initiation of containment spray must be OPERABLE in MODES1, 2, and3 when there is a potential (continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-71Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)for an accident to occur, and sufficient energy in the primary or secondary systems to pose a threat to containment integrity due to overpressure conditions. Manual initiation is also required in MODE4, even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA.

However, because of the large number of components actuated on a containment spray, actuation is simplified by the use of the manual actuation hand switches. Automatic

actuation logic and actuation relays must be OPERABLE in MODE4 to support system level manual initiation. In MODES5 and6, there is insufficient energy in the primary and secondary systems to result in containment overpressure. In MODES5 and6, there is also adequate time for the operators to evaluate unit conditions and respond, to mitigate the consequences of abnormal conditions by manually starting individual components.c.Containment Spray - Containment PressureThis signal provides protection against a LOCA or an SLB inside containment. The transmitters (d/p cells) are located outside of containment with the sensing line (high pressure side of the transmitter) located inside containment. The transmitters and electronics are located outside of containment. Thus, they will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties.

This is one of the only Functions that requires the bistable output to energize to perform its required action. It is not desirable to have a loss of power actuate containment spray, since the consequences of an inadvertent actuation of containment spray could be serious. Note that this Function also has the inoperable channel placed in bypass rather than trip to decrease the probability of an inadvertent actuation.Four channels are used in a two-out-of-four logic configuration. This configuration is called the Containment Pressure-High3 Setpoint. (continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-72Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Additional redundancy is warranted because this Function is energize to trip. Containment Pressure-High3 must be OPERABLE in MODES1, 2, and 3 when there is sufficient energy in the primary and secondary sides to pressurize the containment following a pipe break. In MODES4, 5, and 6, there is insufficient energy in the primary and secondary sides to pressurize the containment and reach the Containment Pressure-High3 setpoint.3.Containment IsolationContainment Isolation provides isolation of the containment atmosphere, and all process systems that penetrate containment, from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a large

break LOCA.There are two separate Containment Isolation signals, PhaseA and PhaseB. PhaseA isolation isolates all automatically isolable process lines, except component cooling water (CCW) to the reactor coolant pumps, at a relatively low containment pressure indicative of primary or secondary system leaks. For these types of events, forced circulation cooling using the reactor coolant pumps (RCPs) and SGs is the preferred (but not required) method of decay heat removal. Since CCW is required to support RCP operation, not isolating CCW on the low pressure PhaseA signal enhances unit safety by allowing operators to use forced RCS circulation to cool the unit. Isolating CCW on the low pressure signal may force the use of feed and bleed cooling, which could prove more difficult to control.PhaseA containment isolation is actuated automatically by SI, or manually via the automatic actuation logic. All process lines penetrating containment, with the exception of CCW, are isolated. CCW is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers, motor air coolers, and upper and lower bearing coolers. All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE4.Manual PhaseA Containment Isolation is accomplished by either of two switches in the control room. Either switch actuates both trains. (continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-73Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Note that manual actuation of PhaseA Containment Isolation also actuates Containment Ventilation Isolation.The PhaseB signal isolates CCW. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an SLB. For these events, forced circulation using the RCPs is no longer desirable. Isolating the CCW at the higher pressure does not pose a challenge to the containment boundary because the CCW System is continuously pressurized to a pressure greater than the PhaseB setpoint. Thus, routine operation demonstrates the integrity of the system pressure boundary for pressures exceeding the PhaseB setpoint. Furthermore, because system pressure exceeds the PhaseB setpoint, any system leakage prior to initiation of PhaseB isolation would be into containment. Therefore, the combination of CCW System design and PhaseB isolation ensures the CCW System is not a potential path for radioactive release from containment.PhaseB containment isolation is ac tuated by Containment Pressure-High3 or manually, via the automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure-High3, a large break LOCA or SLB

must have occurred. RCP operation will no longer be required and CCW to the RCPs is, therefore, no longer necessary. The RCPs can be operated with seal injection flow alone and without CCW flow to the thermal barrier heat exchanger.Manual PhaseB Containment Isolation is accomplished by the same switches that actuate Containment Spray. When the two switches in either set are turned simultaneously, PhaseB Containment Isolation and Containment Spray will be actuated in both trains.a.Containment Isolation - Phase A Isolation(1)Phase A Isolation - Manual InitiationManual PhaseA Containment Isolation is actuated by either of two switches in the control room. Either switch actuates both trains. Note that manual initiation of PhaseA Containment Isolation also

actuates Containment Vent Isolation.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-74Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)(2)Phase A Isolation - Automatic Actuation Logic and Actuation RelaysAutomatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function1.b.Manual and automatic initiation of PhaseA Containment Isolation must be OPERABLE in MODES1, 2, and3, when there is a potential for an accident to occur. Manual initiation is also required in MODE4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a PhaseA Containment Isolation, actuation is simplified by the use of the manual actuation handswitches. Automatic actuation

logic and actuation relays must be OPERABLE in MODE4 to support system level manual initiation. In MODES5 and6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require PhaseA Containment Isolation. There also is adequate time for the operator

to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or

accident conditions.(3)Phase A Isolation - Safety InjectionPhaseA Containment Isolation is also initiated by all Functions that initiate SI. The PhaseA Containment

Isolation requirements for these Functions are the same as the requirements for their SI function.

Therefore, the requirements are not repeated in Table3.3.2-1. Instead, Function1, SI, is referenced for all initiating Functions and requirements.b.Containment Isolation - PhaseB IsolationPhaseB Containment Isolation is accomplished by Manual Initiation, Automatic Actuation Logic and Actuation Relays, and by Containment Pressure ch annels (the same channels (continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-75Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)that actuate Containment Spray, Function2). The Containment Pressure trip of PhaseB Containment Isolation is energized to trip in order to minimize the potential of

spurious trips that may damage the RCPs.(1)Phase B Isolation - Manual Initiation(2)Phase B Isolation - Automatic Actuation Logic and Actuation RelaysManual and automatic initiation of PhaseB containment isolation must be OPERABLE in MODES1, 2, and3, when there is a potential for an accident to occur. Manual initiation is also required in MODE4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a PhaseB containment isolation, actuation is simplified by the use of the manual actuation handswitches. Automatic actuation logic and actuation relays must be OPERABLE in MODE4 to support system level manual initiation. In MODES5 and6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require PhaseB containment isolation. There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or

accident conditions.(3)Phase B Isolation - Containment Pressure The basis for containment pressure MODE applicability is as discussed for ESFAS Function2.c above.4.Steam Line IsolationIsolation of the main steam lines provides protection in the event of an SLB inside or outside containment. Rapid isolation of the steam (continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-76Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)lines will limit the steam break accident to the blowdown from one SG, at most. For an SLB upstream of the main steam isolation valves (MSIVs), inside or outside of containment, closure of the MSIVs limits the accident to the blowdown from only the affected SG. For an SLB downstream of the MSIVs, closure of the MSIVs terminates the accident as soon as the steam lines depressurize. Steam Line Isolation also mitigates the effects of a feed line break and ensures a source of steam for the turbine driven AFW pump during a feed line break.a.Steam Line Isolation - Manual InitiationManual initiation of Steam Line Isolation can be accomplished from the control room. There are two switches in the control room and either switch can initiate action to immediately close

all MSIVs. The LCO requires two channels to be OPERABLE.b.Steam Line Isolation - Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function1.b.Manual and automatic initiation of steam line isolation must be OPERABLE in MODES1, 2, and3 when there is sufficient energy in the RCS and SGs to have an SLB or other accident.

This could result in the release of significant quantities of energy and cause a cooldown of the primary system. The Steam Line Isolation Function is required in MODES2 and3

unless all MSIVs and their associated upstream drip pot isolation valves are closed and deactivated. In this condition, the isolation function is complete; therefore, the isolation

actuation instrumentation is not required to be OPERABLE. In MODES4, 5, and6, there is insufficient energy in the RCS and SGs to experience an SLB or other accident releasing

significant quantities of energy.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-77Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)c.Steam Line Isolation - Containment Pressure-High 2 This Function actuates closur e of the MSIVs in the event of a LOCA or an SLB inside containment to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. The transmitters (d/p cells) are located outside containment with the sensing line (high pressure side of the transmitter) located inside containment. Containment Pressure-High2 provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with two-out-of-three logic. The transmitters and electronics are located outside of containment. Thus, they will not experience any adverse enviro nmental conditions, and the Trip Setpoint reflects only steady state instrument

uncertainties.Containment Pressure-High2 must be OPERABLE in MODES1, 2, and3, when there is sufficient energy in the primary and secondary side to pressurize the containment following a pipe break. This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSIVs. The Steam Line Isolation Function remains OPERABLE in MODES2 and3 unless all MSIVs are closed and deactivated. In MODE 4 the increase in containment pressure following a pipe break would occur over a relatively long time period such that manual action could reasonably be expected to provide protection and ESFAS Function 4.c need not be OPERABLE. In MODES 5 and6, there is not enough energy in the primary and secondary sides to pressurize the c ontainment to the Containment Pressure-High2 setpoint.d.Steam Line Isolation - Steam Line Pressure(1)Steam Line Pressure-Low Steam Line Pressure-Low provides closure of the MSIVs in the event of an SLB to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. This Function provides closure of the MSIVs in the event of (continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-78Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)a feed line break to ensure a supply of steam for the turbine driven AFW pump. Steam Line Pressure-Low was discussed previously under SI Function 1.e.1.

Steam Line Pressure-Low Function must be OPERABLE in MODES1, 2, and3 (above P-11), with any main steam valve open, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11

setpoint. If not blocked below P-11, the Steam Line Pressure-Low Function must be OPERABLE. When blocked, an inside containment SLB will be terminated

by automatic actuation via Containment Pressure-High2. Stuck valve transients and outside containment SLBs will be terminated by the Steam Line Pressure - Negative Rate-High signal for Steam Line Isolation below P-11 when SI has been manually blocked. The Steam Line Isolation Function is required in MODES2 and3 unless all MSIVs are

closed and deactivated. Th is Function is not required to be OPERABLE in MODES4, 5, and6 because there is insufficient energy in the secondary side of the

unit to have a significant effect on required plant equipment. (2)Steam Line Pressure - Negative Rate-HighSteam Line Pressure - Negative Rate-High provides closure of the MSIVs for an SLB when less than the P-11 setpoint to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. When the operator manually blocks the Steam Line Pressure-Low main steam isolation signal when less than the P-11 setpoint, the Steam Line Pressure - Negative Rate-High signal is automatically enabled. Steam Line Pressure - Negative Rate-High provides no input to any control functions. Thus, three OPERABLE channels on each steam line are sufficient to satisfy requirements with a two-out-of-three logic.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-79Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Steam Line Pressure - Negative Rate-High must be OPERABLE in MODE3 when the Steamline Pressure-Low signal is blocked, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). In MODES1 and2, and in MODE3, when above the P-11 setpoint, this signal is automatically disabled and the Steam Line Pressure-Low signal is automatically enabled.

The Steam Line Isolation Function is required to be OPERABLE in MODES2 and3 unless all MSIVs are closed and deactivated. In MODES4, 5, and6, there is insufficient energy in the primary and secondary sides to have an SLB or other accident that would

result in a release of significant enough quantities of energy to cause a significant cooldown of the RCS.

While the transmitters may experience elevated ambient temperatures due to an SLB, the trip function is based on rate of change, not the absolute accuracy

of the indicated steam pressure. Therefore, the Trip

Setpoint reflects only steady state instrument

uncertainties.5.Turbine Trip and Feedwater IsolationThe primary functions of the Turbine Trip and Feedwater Isolation signals are to prevent damage to the turbine due to water in the steam lines and to stop the excessive flow of feedwater into the SGs. These Functions are necessary to mitigate the effects of a high water level in the SGs, which could result in carryover of water into the steam lines and excessive cooldown of the primary system. The SG

high water level is due to excessive feedwater flows.Those functions that use the Turbine Trip and Feedwater Isolation signals are listed below; however, the LCO only requires the main turbine trip and feedwater isolation functions to be operable. The remaining functions use the Turbin e Trip and Feedwater Isolation signal, but are not credited in the accident analyses. The Function is actuated when the water level in any SG exceeds the high high setpoint and performs the following functions: *Trips the main turbine;(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-80Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)*Initiates feedwater isolation;*Trips the MFW pumps and initiates closure of the main feedwater pump discharge valves; and*Closes the MFW control valves and the bypass feedwater control valves.This Function is actuated by SG Water Level-High High or by an SI signal. The RTS also initiates a turbine trip signal whenever a reactor trip (P-4) is generated. In the event of SI, the unit is taken off line and the turbine generator must be tripped. The MFW System is also taken out of operation and the AFW System is automatically started. The SI signal was previously discussed.a.Turbine Trip and Feedwater Is olation - Automatic Actuation Logic and Actuation RelaysAutomatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function1.b.b.Turbine Trip and Feedwater Isolation - Steam Generator Water Level-High High (P-14)This signal provides protection against excessive feedwater flow. The SG water level instruments provide input to the SG Water Level Control System; however, the three SG water level instrument channels used for the P-14 function are not normally used for this function. The actuation logic must be able to withstand a single failure in the channels providing the protection function actuation. The number of operable channels is modified by a note which allows an alternate arrangement. The CPSES design has four SG water level channels. One channel is normally used as input to the SG water level controller and three channels are designated for use with the P-14 function. However, if the channel normally

used as input to the SG water level controller is inoperable, one of the channels providing input to the P-14 interlock may be used to provide input to the steam generator water level control signal on the condition that the P-14 bistable on that channel is declared inoperable. In this condition, the actuation logic is able to withstand both an input failure to the (continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-81Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)control system, which may then require a protection function actuation, and a single failure in the other channels providing the protection function actuation. In this condition, three OPERABLE channels are required to satisfy the requirements with one-out-of-three logic. The transmitters (d/p cells) are located inside containment. However, the events that this Function protects against cannot cause a severe environment in containment. Therefore, the Trip Setpoint reflects only steady state instrument uncertainties.c.Turbine Trip and Feedwater Isolation - Safety Injection Turbine Trip and Feedwater Isolation are also initiated by all Functions that initiate SI. The Feedwater Isolation Function requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table3.3.2-1. Instead Function1, SI, is referenced for all initiating functions and requirements.

Turbine Trip and Feedwater Isolation Functions must be OPERABLE in MODES1 and2 except when all MFIVs, main feedwater control valves, and associated bypass valves (see B 3.7.3) are closed and deactivated or isolated by a closed manual valve when the MFW System is in operation. In MODES3, 4, 5, and6, this Function is not required to be OPERABLE.6.Auxiliary FeedwaterThe AFW System is designed to provide a secondary side heat sink for the reactor in the event that the MFW System is not available.

The system has two motor driven pumps and a turbine driven pump, making it available during normal unit operation, during a loss of AC power, a loss of MFW, and during a Feedwater System pipe break. The normal source of water for the AFW System is the condensate storage tank (CST). Upon low level in the CST, the pump suctions can be manually realigned to the safety-related Station Service Water (SSW) System. The AFW System is aligned so that upon a pump start, flow is initiated to the respective SGs immediately.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-82Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)a.Auxiliary Feedwater - Automatic Actuation Logic and Actuation Relays (Solid State Protection System)

Automatic actuation logic and actuation relays consist of the similar features and operate in the similar manner as described for ESFAS Function1.b.b.Not used.c.Auxiliary Feedwater - Steam Generator Water Level-Low LowSG Water Level-Low Low provides protection against a loss of heat sink. A feed line break, inside or outside of containment, or a loss of MFW, would result in a loss of SG water level. SG Water Level-Low Low provides input to the SG Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system which may then require a protection function actuation and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE

channels are required to satisfy the requirements with two-out-of-four logic. Two-out-of-four low-low level signals in any SG starts the motor-driven AFW pumps; in two or more

SGs starts the turbine-driven AFW pump.With the transmitters (d/p cells) located inside containment and thus possibly experiencing adverse environmental conditions (feed line break), the Trip Setpoint reflects the inclusion of both steady state and adverse environmental instrument uncertainties.d.Auxiliary Feedwater - Safety InjectionAn SI signal starts the motor driven AFW pumps. The AFW initiation functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table3.3.2-1. Instead, Function1, SI, is referenced for all initiating functions and requirements.e.Auxiliary Feedwater - Loss of Offsite PowerA loss of power to the reactor coolant pumps will result in a reactor trip and the subsequent need for some method of (continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-83Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)decay heat removal. During a loss of offsite power, to both safety related busses feeding the motor driven AFW pumps, the loss of power to the bus feeding the turbine driven AFW pump valve control motor will start the turbine driven AFW pump to ensure that at least one SG contains enough water to serve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip. In addition, once the diesel generators are started and up to speed, the motor driven AFW pumps will be sequentially loaded onto the diesel generator busses.Functions6.a through6.e must be OPERABLE in MODES1, 2, and3 to ensure that the SGs remain the heat sink for the reactor. SG Water Level-Lo w Low in any operating SG will cause the motor driven AFW pumps to start. The system is aligned so that upon a start of the pump, water immediately begins to flow to the SGs. SG Water Level-Low Low in any two operating SGs will cause th e turbine driven pumps to start. These Functions do not have to be OPERABLE in MODES5 and6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE4, AFW actuation does not need to be OPERABLE because either AFW or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation.f.Not Used g.Auxiliary Feedwater - Trip of All Main Feedwater PumpsA Trip of all MFW pumps is an indication of a loss of MFW and the subsequent need for some method of decay heat and sensible heat removal to bring the reactor back to no load temperature and pressure. Each turbine driven MFW pump is equipped with two pressure switches on the oil line for the speed control system. A Train "A" and a Train "B" sensor is on each MFW pump. The Train "A(B)" trip signals from both MFW pumps are required to actuate the Train "A(B)" motor-driven auxiliary feedwater pump. A trip of all MFW pumps starts the motor driven AFW pumps to ensure that at least

one SG is available with water to act as the heat sink for the reactor.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-84Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Function6.g must be OPERABLE in MODES1 and2. This ensures that at least one SG is provided with water to serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident. In MODES3, 4, and5, the MFW pumps may be normally shut down, and thus pump trip is not indicative of a condition requiring automatic AFW initiation.h.Not Used.7.Automatic Switchover to Containment SumpAt the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the RHR pumps is semi-automatically switched to the containment recirculation sumps. After switching the low head residual heat removal (RHR) pumps draw the

water from the containment re circulation sump, the RHR pumps pump the water through the RHR h eat exchanger, inject the water back into the RCS, and supply the cooled water to the suction of the other ECCS pumps. Switchover from the RWST to the containment sump must occur before the RWST Empty setpoint. Switchover of

the containment spray pumps from the RWST to the containment

sump is performed manually after completion of ECCS switchover, but before the Empty setpoint is reached. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support ESF pump suction. Furthermore, early switchover must not occur to ensure that sufficient borated water is

injected from the RWST. Raising the nominal RWST level at which Operations starts switchover (33%) would require prior NRC

approval. This ensures the reactor remains shut down in the recirculation mode.a.Automatic Switchover to Containment Sump - Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function1.b.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-85Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)b.Automatic Switchover to Containment Sump - Refueling Water Storage Tank (RWST) Level-Low Low Coincident With Safety InjectionDuring the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low low level in the RWST coincident with an SI signal provides protection against a loss of water for the ECCS pumps and indicates the end of the ECCS injection phase of the LOCA. The RWST is equipped with four level transmitters. These transmitters provide no control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added fo r increased reliability.The RWST - Low Low Allowable Value/Trip Setpoint is selected to ensure switchover manual actions are not required until 10 minutes after the event initiation. The transmitters are located in an area not affected by HELBs or post accident high radiation. Thus, they will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties.

Semi-Automatic switchover begins only if the RWST low low level signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could result in backflow to an empty sump. The semi-automatic switchover Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table3.3.2-1. Instead, Function1, SI, is referenced for all initiating Functions and requirements.This Function must be OPERABLE in MODES1, 2, 3, and4 when there is a potential for a LOCA to occur, to ensure a

continued supply of water for the ECCS pumps. This Function is not required to be OPERABLE in MODES5 and6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-86Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.8.Engineered Safety Feature Actuation System InterlocksTo allow some flexibility in unit operations, several interlocks are included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure by passable functions are in operation under the conditions assumed in the safety analyses.a.Engineered Safety Feature Actuation System Interlocks -

Reactor Trip, P-4 The P-4 interlock is enabled wh en a reactor trip breaker (RTB) and its associated bypass breaker is open. The P-4 permissive also prevents re-actuation of safety injection after a manual reset of safety injection following at least a 60second delay time. This Function allows operators to take manual control of SI systems after the initial phase of injection is complete. Once SI is blocked, automatic actuation of SI

cannot occur until the RTBs have been manually closed.Those functions that use the P-4 interlock are listed below; however, the LCO only requires the main turbine trip function to be operable. The remaining functions use a signal associated with the P-4 interlock, but are not credited in the

accident analyses. *Trips the main turbine;

  • Isolates MFW with coincident low Tavg;*Prevent automatic reactuat ion of SI after a manual reset of SI;*Allows arming of the steam dump valves and transfers the steam dump from the load rejection Tavg controller to the plant trip controller; and(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-87Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)*Prevents opening of the MFW isolation valves if they were closed on SI or SG Water Level-High High.Each of the above Functions is interlocked with P-4 to avert or reduce the continued cooldown of the RCS following a reactor trip. An excessive cooldown of the RCS following a reactor trip could cause an insertion of positive reactivity with a subsequent increase in core power. To avoid such a situation, the noted Functions have been interlocked with P-4 as part of the design of the unit control and protection system.None of the noted Functions serves a mitigation function in the unit licensing basis safety analyses. Only the turbine trip Function is explicitly assumed since it is an immediate consequence of the reactor trip Function. Neither turbine trip, nor any of the other four Functions associated with the reactor

trip signal, is required to show that the unit licensing basis safety analysis acceptance criteria are met.The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with which to associate a Trip Setpoint and Allowable Value.This Function must be OPERABLE in MODES1, 2, and3 when the reactor may be critical or approaching criticality.b.Engineered Safety Feature Actuation System Interlocks - Pressurizer Pressure, P-11The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI or main steam line isolation. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure-Low and Steam Line Pressure-Low SI signals and the Steam Line Pressure-Low steam line isolation signal (previously discussed). When the Steam Line Pressure-Low steam line isolation signal is manually blocked, a main steam isolation

signal on Steam Line Pressure - Negative Rate-High is automatically enabled. This provides protection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-88Revision 62APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) pressure channels above the P-11 setpoint, the Pressurizer Pressure-Low and Steam Line Pressure-Low SI signals and the Steam Line Pressure-Low steam line isolation signal are automatically enabled. The operator can also enable these trips by use of the respective manual reset. When the Steam Line Pressure-Low steam line isolation signal is enabled, the

main steam isolation on Steam Line Pressure - Negative Rate-High is disabled. The Trip Setpoint reflects only steady state instrument uncertainties.This Function must be OPERABLE in MODES1, 2, and3 to allow an orderly cooldown and depressurization of the unit

without the actuation of SI or main steam isolation. This Function does not have to be OPERABLE in MODE4,5, or6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves to be met.The ESFAS instrumentation satisfies Criterion3 of 10CFR50.36(c)(2)(ii).ACTIONSA Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table3.3.2-1. In the event a channel's Trip Setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument Loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the

Required Channels in Table3.3.2-1 are specified (e.g., on a per steam line, per pump, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.When the number of inoperable channels in a trip function exceed those specified in one or other related Con ditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO3.0.3 should be immediately entered if applicable in the current MODE of operation.

A.1ConditionA applies to all ESFAS protection functions.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-89Revision 62ACTIONSA.1 (continued)ConditionA addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the

referenced Conditions and Required Actions.

B.1, B.2.1 and B.2.2ConditionB applies to manual initiation of:*SI;*Containment Spray;

  • PhaseA Isolation; and*PhaseB Isolation.This action addresses the train orientation of the SSPS for the functions listed above. If a channel or train is inoperable, 48hours is allowed to return it to an OPERABLE status. Note that for containment spray and PhaseB isolation, failure of one or both channels in one train renders the train inoperable. ConditionB, therefore, encompasses both situations. The specified Completion Time is reasonable considering that there are two automatic actuation trains and another manual initiation train OPERABLE for each Function, and the low probability of an event occurring during this interval. If the train cannot be restor ed to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE3 within an additional 6hours (54hours total time) and in MODE5 within an additional 30hours (84hours total time).

The allowable Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full po wer conditions in an orderly manner and without challenging unit systems.C.1, C.2.1 and C.2.2ConditionC applies to the automatic actuation logic and actuation relays for the following functions:*SI;*Containment Spray;(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-90Revision 62ACTIONSC.1, C.2.1 and C.2.2 (continued)*PhaseA Isolation;*PhaseB Isolation; and*Semi-Automatic Switchover to Containment Sump.This action addresses the train orientation of the SSPS and the master and slave relays. If one train is inoperable, 24hours are allowed to restore the train to OPERABLE status. The 24hours allowed for restoring the inoperable train to OPERABLE status is justified in Reference 12. The

specified Completion Time is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be restor ed to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE3 within an additional 6hours (30hours total time) and in MODE5 within an additional 30hours (60hours total time).

The Completion Times are reasonable, ba sed on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.The Required Actions are modified by a Note that allows one train to be bypassed for up to 4hours for surveillance testing, provided the other train is OPERABLE. This allowance is based on the reliability analysis assumption of WCAP-10271-P-A (Ref.6) that 4hours is the average time required to perform train surveillance.Consistent with the requirement in Reference 12 to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment wh en a logic train is inoperable for maintenance are included (note that these restrictions do not apply when a logic train is being tested under the 4hour bypass Note of Condition C). Entry into Condition C is not a typical, pre-planned evolution during power operation, other than for surveillance testing. Since Condition C is typically entered due to equipment failure, it follows that some of the following restrictions may not be met at the time of Condition C entry. If this situation were to occur during the 24-hour Completion Time of Required Action C.2, the Configuration Risk Management Program will assess the emergent condition and direct activities to restore the inoperable logic train and exit Condition C or fully implement these restriction or perform a plant shutdown, as appropriate from a risk management perspective. The following restrictions will be observed:(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-91Revision 62ACTIONSC.1, C.2.1 and C.2.2 (continued)*To preserve ATWS mitigation capability, activities that degrade the availability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a logic train is inoperable for maintenance.*To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained when a logic train is inoperable for maintenance.*To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train to be unavailable and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable for maintenance.*Activities on electrical systems (e.g., AC and DC power) and cooling systems (e.g., station service water and component cooling water) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable for maintenance. That is, one complete train of a function that supports a complete train of a function noted above must be available.D.1, D.2.1, and D.2.2ConditionD applies to:

  • Containment Pressure-High1;
  • Pressurizer Pressure-Low; *Steam Line Pressure-Low;*Containment Pressure-High2;
  • Steam Line Pressure - Negative Rate-High; and*SG Water Level-Low Low. If one channel is inoperable, 72hours are allowed to restore the channel to OPERABLE status or to place it in the tripped condition. Generally this Condition applies to functions that operate on two-out-of-three logic. Therefore, failure of one channel place s the Function in a two-out-of-two(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-92Revision 62ACTIONSD.1, D.2.1, and D.2.2 (continued)configuration. The inoperable channel must be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements.

The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to restore the channel to OPERABLE status or to place it in the tripped condition is justified in Reference 12. Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72hours requires the unit be placed in MODE3 within the following 6hours and MODE4 within the next 6hours.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full po wer conditions in an orderly manner and without challenging unit systems. In MODE4, these

Functions are no longer required OPERABLE.The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12hours while performing routine surveillance testing. The 12hour time limit is justified in Reference12

.E.1, E.2.1, and E.2.2ConditionE applies to:*Containment Spray Containment Pressure-High3; and*Containment PhaseB Isolation Containment Pressure-High3.

None of these signals has input to a control function. Thus, two-out-of-three logic is necessary to meet acceptable protective requirements. However, a two-out-of-three design would require tripping a failed channel. This is undesirable because a single failure would then cause spurious containment spray initiation. Spurious spray actuation is undesirable because of the

cleanup problems presented. Therefore, these channels are designed with two-out-of-four logic so that a failed channel may be bypassed rather than tripped. Note that one channel may be bypassed and still satisfy the single failure criterion. Furthermore, with one channel bypassed, a single instrumentation channel failure will not spuriously initiate containment spray.To avoid the inadvertent actuation of containment spray and PhaseB containment isolation, the inoperable channel should not be placed in the tripped condition. Instead it is bypassed. Restoring the channel to OPERABLE status, or placing the inoperable channel in the bypass condition within 72hours, is sufficient to assure that the Function remains OPERABLE and minimizes the time that the Function may be in a partial trip(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-93Revision 62ACTIONSE.1, E.2.1, and E.2.2 (continued)condition (assuming the inoperable channel has failed high). The completion Time is further justified based on th e low probability of an event occurring during this interval. Failure to restore the inoperable channel to OPERABLE status, or place it in the bypassed condition within 72hours, requires the unit be placed in MODE3 within the following 6hours and MODE4 within the next 6hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE4, these Functions are no longer required OPERABLE.The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12hours wh ile performing routine surveillance testing. The channel to be tested can be tested in bypass with the inoperable channel also in bypass. The 12hour time limit is justified in Reference12

.F.1, F.2.1, and F.2.2ConditionF applies to:

  • Manual Initiation of Steam Line Isolation;*Loss of Offsite Power; and
  • P-4 Interlock.For the Manual Initiation and the P-4 Interlock Functions, this action addresses the train orientation of the SSPS. For the Loss of Offsite Power Function, this action recognizes the lack of manual trip provision for a failed channel. If a train or channel is inoperable, 48hours is allowed to return it to OPERABLE status. The specified Completion Time is reasonable considering the nature of these Functions, the available redundancy, and the low probability of an event occurring during this interval. If the Function cannot be returned to OPERABLE status, the unit must be placed in MODE3 within the next 6hours and MODE4 within the following 6hours.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems. In MODE4, the unit does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-94Revision 62 ACTIONS (continued)G.1, G.2.1 and G.2.2ConditionG applies to the automatic actuat ion logic and actuation relays for the Steam Line Isolation and AFW actuation Functions.The action addresses the train orientation of the SSPS and the master and slave relays for these functions. If one train is inoperable, 24hours are allowed to restore the train to OPERABLE status. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed for restoring the inoperable train to OPERABLE status is justified in Reference

12. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be

returned to OPERABLE status, the unit must be brought to MODE3 within the next 6hours and MODE4 within the following 6hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE4 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit us e of the protection functions noted above.The Required Actions are modified by a Note that allows one train to be bypassed for up to 4hours for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref.6) assumption that 4hours is the average time required to perform train surveillance.Consistent with the requirement in Reference 12 to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when a logic train is inoperable for maintenance are included (note that these restriction do not apply when a logic train is being tested under the 4-hour bypass Note of Condition G). Entry into Condition G is not a typical, pre-planned evolution during power operation, other than for surveillance testing. Since Condition G is typically entered due to equipment failure, it follows that some of the following restrictions may not be met at the time of Condition G entry. If this situation were to occur during the 24-hour Completion Time of Required Action G.1, the Configuration Risk Management Program will assess the emergent condition and direct activities to restore the inoperable logic train and exit Condition G or fully implement these restrictions or perform a plant shutdown, as appropriate from a ri sk management perspective. The following restrictions will be observed:(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-95Revision 62ACTIONSG.1, G.2.1 and G.2.2 (continued)*To preserve ATWS mitigation capability, activities that degrade the availability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a log train is inoperable for maintenance.*To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained when a logic train is inoperable for maintenance.*To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train to be unavailable and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable for maintenance.*Activities on electrical systems (e.g., AC and DC power) and cooling systems (e.g., station service water and component cooling water) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable for maintenance. That is, one complete train of a function that supports a complete train of a function noted above must be available.

H.1 and H.2ConditionH applies to the automatic actuation logic and actuation relays for the Turbine Trip and Feedwater Isolation Function.

This action addresses the train orientation of the actuation logic for this Function. If one train is inoperable, 24hours are allowed to restore the train to OPERABLE status or the unit must be placed in MODE3 within the following 6hours. The 24hours allowed for restoring the inoperable train to OPERABLE status is justified in Reference 12. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. The allowed Completion Time of 6hours is reasonable, based on operating experience, to reach MODE3 from full power conditions in an orderly manner and without challenging unit systems. These Functions are no longer required in MODE3. Placing the unit in MODE3 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit us e of the protection functions noted above.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-96Revision 62ACTIONSH.1 and H.2 (continued)The Required Actions are modified by a Note that allows one train to be bypassed for up to 4hours for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref.6) assumption that 4hours is the average time required to perform channel surveillance.I.1 and I.2ConditionI applies to:*SG Water Level-High High (P-14)If one channel is inoperable, 72hours are allowed to restore one channel to OPERABLE status or to place it in the tripped condition. If placed in the tripped condition, the Function is then in a partial trip condition where one-out-of-two or one-out-of-three logic will result in actuation. The 72hour Completion Time is justified in Reference12. Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72hours requires the unit to be placed in MODE3 within the following 6hours. The allowed Completion Time of 6hours is reasonable, based on operating experience, to reach MODE3 from full power conditions in an orderly manner and without challenging unit systems. In MODE3, these

Functions are no longer required OPERABLE.The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12hours while performing surveillance testing. The 72hours allowed to place the inoperable channel in the tripped condition, and the 12hours allowed for a second channel to be in the bypassed condition for testing, are justified in Reference12

.J.1 and J.2ConditionJ applies to the AFW pump start on trip of all MFW pumps.This action addresses the train orientation of the SSPS for the auto start function of the AFW System on loss of all MFW pumps. The OPERABILITY of the AFW System must be assured by allowing automatic start of the AFW System pumps. If a channel is inoperable, 6hours are allowed to place it in the tripped condition. If the channel cannot be tripped in 6hours, 6 additional hours are allowed to place the unit in MODE3. The allowed Completion Time of 6hours is reasonable, based on operating experience, to reach MODE3 from full power conditions in an orderly manner and(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-97Revision 62ACTIONSJ.1 and J.2 (continued)without challenging unit systems. In MODE3, the unit does not have any analyzed transients or conditions that require the explicit use of the protection function noted above.

K.1, K.2.1 and K.2.2ConditionK applies to:

  • RWST Level-Low Low Coincident with Safety Injection.RWST Level-Low Low Coincident With SI provides semi-automatic actuation of switchover to the containment recirculation sumps. Note that this Function requires the bistables to energize to perform their required action. The failure of up to two channels will not prevent the operation of this Function. However, placing a failed channel in the tripped condition could result in a premature switchover to the sump, prior to the injection of the minimum volume from the RWST. Placing the inoperable channel in bypass results in a two-out-of-three logic configuration, which satisfies the requirement to allow another failure wit hout disabling act uation of the switchover when required. Restoring the channel to OPERABLE status or placing the inoperable channel in the bypass condition within 72hours is sufficient to ensure that the Function remains OPERABLE, and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The 72hour and 78 hour9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> Completion Times are justified in References8 and 12. If the channel cannot be returned to OPERABLE status or placed in the bypass condition within 72hours, the unit must be brought to MODE3 within the following 6hours and MODE5 within the next 30hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE5, the unit does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12hou rs while performing routine surveillance testing. The channel to be tested can be tested in bypass with the inoperable channel also in bypass. The total of 78hours to reach MODE3 and 12hours for a second channel to be bypassed is acceptable based on the results of References8 and 12

.L.1, L.2.1 and L.2.2ConditionL applies to the P-11 interlock.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-98Revision 62ACTIONSL.1, L.2.1 and L.2.2 (continued)With one or more required channel(s) inoperable, the operator must verify that the interlock is in the required state for the existing unit condition by observation of the permissive annunciator windows. This action manually accomplishes the function of the interlock. Determination must be made within 1hour. The 1hour Completion Time is equal to the time allowed by LCO3.0.3 to initiate shutdown actions in the event of a complete loss of ESFAS function. If the interlock is not in the required state (or placed in the required state) for the existing unit condition, the unit must be placed in MODE3 within the next 6hours and MODE4 within the following 6hours.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE4 removes all requirements for OPERABILITY of these interlocks.SURVEILLANCE REQUIREMENTS The SRs for each ESFAS Function are identified by the SRs column of Table3.3.2-1. A Note has been added to the SR Table to clarify that Table3.3.2-1 determines which SRs apply to which ESFAS Functions. Note that each channel of process protection supplies both trains of the ESFAS. When testing channelI, trainA and trainB must be examined. Similarly, trainA and trainB must be examined when testing channelII, channelIII, and channelIV. The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.SR3.3.2.1Performance of the CHANNEL CHECK once every 12hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parame ter indicated on one channel to a similar parameter on other channels. It is based on the assumption that

instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-99Revision 62SURVEILLANCE REQUIREMENTSSR3.3.2.1 (continued)Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and reliability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.SR3.3.2.2SR3.3.2.2 is the performance of an ACTUATION LOGIC TEST. The SSPS is tested every 92days on a STAGGERED TEST BASIS, using the semiautomatic tester. The train b eing tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. In addition, the master relay coil is pulse tested for continuity.

This verifies that the logic modules are OPERABLE and that there is an intact voltage signal path to the master relay coils. The Frequency of every 92 days on a STAGGERED TEST BASIS is justified in Reference 13.SR3.3.2.3 Not used.SR3.3.2.4SR3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. This test is performed every 92days on a STAGGERED TEST BASIS. The time allowed for the testing (4hours) is justified in Reference6. The Frequency of 92 days on a STAGGERED TEST BASIS is justified in Reference 13.SR3.3.2.5SR3.3.2.5 is the performance of a COT.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-100Revision 62SURVEILLANCE REQUIREMENTSSR3.3.2.5 (continued)A COT is performed on each required chan nel to ensure the entire channel will perform the intended Function. Setpoints must be found within the Allowable Values specified in Table 3.3.2-1

.The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint calculation. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint calculation.

SR 3.3.2.5 for selected Functions is also modified by two Notes (q and r) as identified in Table 3.3.2-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note (q) requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the

Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the Nominal Trip Setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. This second Note (r) requirement identifies the Limited Safety System Setting and allows an independent verification that the Allowable Value is the appropriate least conservative as-found value during SR testing.The Frequency of 184days is justified in Reference13

.SR3.3.2.6 SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of th e slave relays. Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation mode is either allowed to function, or is placed in a(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-101Revision 62SURVEILLANCE REQUIREMENTSSR3.3.2.6 (continued)condition where the relay contact operation can be verified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation mode is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing contacts operated by the slave relay. This test is performed every 92days. The Frequency is adequate, based on industry operating experience, considering instrument reliability and operating history

data.For ESFAS slave relays and auxiliary relays which are Westinghouse type AR relays, the SLAVE RELAY TEST is performed every 18 months. The Frequency is based on the slave relay reliability assessment presented in Reference 10. This reliability assessment is relay specific and applies only to Westinghouse type AR relays with AC coils. Note that, for normally energized applications, the relays may require periodic replacement in accordance with the guidance given in Reference 10

.SR3.3.2.7SR3.3.2.7 is the performance of a TADOT every 31 days. This test is a check of the Loss of Offsite Power Function.The SR is modified by a Note that excludes verification of setpoints for relays. Relay setpoints require elabor ate bench calibration and are verified during CHANNEL CALIBRATION. The SR is modified by a second note that excludes the actuation of final devices from the surveillance testing. The

start of the auxiliary feedwater pumps during this SR is unnecessary as these pumps are adequately tested by the SRs for LCO 3.7.5. The Frequency is adequate. It is based on industry operating experience, considering instrument reliability and operating history data.SR3.3.2.8SR3.3.2.8 is the performance of a TADOT. This test is a check of the Manual Actuation Functions and AFW pump start on trip of all MFW pumps. The Safety Injection TADOT shall independently verify the OPERABILITY of the handswitch undervoltage and shunt trip contacts for both the Reactor Trip Breakers and Reactor Trip Bypass Breakers as well as the contacts for safety injection actuation. It is performed every 18months. As a minimum, each Manual Actuation Function is tested up to, but not including, the master relay coils. This test overlaps with the master relay coil testing performed in accordance with SR 3.3.2.4. The Frequency is adequate, based on industry operating experience and is consistent with the typical refueling cycle. The(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-102Revision 62SURVEILLANCE REQUIREMENTSSR3.3.2.8 (continued)SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation Functions. The manual initiation Functions have no associated setpoints.SR3.3.2.9SR3.3.2.9 is the performance of a CHANNEL CALIBRATION.A CHANNEL CALIBRATION is performed every 18months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter within the necessary range and accuracy.CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology.The Frequency of 18months is based on the assumption of an 18month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values where

applicable.

SR 3.3.2.9 for selected Functions is also modified by two Notes (q and r) as identified in Table 3.3.2-1. The selected Functions are those Functions that are LSSS and whose instruments are not mechanical devices (i.e. limit switches, float switches, and proximity detectors). Mechanical devices are excluded since it is not possible to trend these devices and develop as-left or as-found limits in the same manner as other instrumentation. The first Note (q) requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the

Corrective Action Program. In accordance with procedures, entry into the Corrective Action Program will require review and documentation of the condition for OPERABILITY. The second Note (r) requires that the as-left setting for the instrument be returned to within the as-left tolerance of the Nominal Trip Setpoint. This will ensure that sufficient margin to the Safety(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-103Revision 62SURVEILLANCE REQUIREMENTS SR 3.3.2.9 (continued)

Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance, then the instrument channel shall be declared inoperable. This second Note (r) requirement identifies the Limited Safety System Setting and allows an independent verification that the Allowable Value is the appropriate least conservative as-found value during SR testing.

SR 3.3.2.10This SR ensures the individual channel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis.

Response Time testing, required channels, and acceptance criteria are included in the Technical Requirements Manual (Ref.7). For each Functional Unit to which this SR applies, at least one ESF function has a required response time but not necessarily all associated ESF functions. No credit was taken in the safety analyses for those channels with response time listed as N.A. When the response time for a function in the TRM is NA, no specific testing need be performe d to comply with this SR. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the Trip Setpoint value at the sensor, to the point at which the

equipment in both trains reaches the required functional state (e.g., pumps at rated discharge pressure, valves in full open or closed position).For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time testing may be performed with the transfer functions set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is

measured.Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be used for selected components provided

that the components and methodology for verification have been previously

NRC approved.ESF RESPONSE TIME tests are performed on an 18month STAGGERED TEST BASIS. The testing shall include at least one train such that both trains are tested at least once per 36months. Testing of the final actuation devices, which make up the bulk of the response time, is included in the

testing of each channel.

The final actuation device in one train is tested with(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-104Revision 62SURVEILLANCE REQUIREMENTS SR 3.3.2.10 (continued)each channel. Therefore, staggered testing results in response time verification of these devices every 18months. The 18month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation

components causing serious response ti me degradation, but not channel failure, are infrequent occurrences. Response time verification in lieu of actual testing may be performed on ESF AS components in accordance with reference 11

.This SR is modified by a Note that clarifies that the turbine driven AFW pump is tested within 24hours after reaching 532psig in the SGs.SR3.3.2.11SR3.3.2.11 is the performance of a TADOT as described in SR3.3.2.8 , except that it is performed for the P-4 Reactor Trip Interlock. This Frequency is based on operating experience. The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Function tested has no associated setpoint.REFERENCES1.FSAR, Chapter6

.2.FSAR, Chapter7

.3.FSAR, Chapter15

.4.IEEE-279-1971.

5.10CFR50.49.

6.WCAP-10271-P-A, Supplement2, Rev.1, June1990.

7.Technical Requirements Manual.

8.WCAP-10271-P-A, Supplement3, September1990.

9."Westinghouse Setpoint Methodology for Protection Systems Comanche Peak Unit 1, Revision 1," WCAP-12123, Revision 2,

April, 1989.10.WCAP-13877-P-A, Revision 2, August 2000.(continued)

ESFAS Instrumentation B 3.3.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-105Revision 62 REFERENCES (continued)11."Elimination of Periodic Protection Channel Response Time Tests", WCAP-14036-P-A, Revision 1, October 6, 1998.12."Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," WCAP-14333-P-A, Revision 1, October 1998.13."Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," WCAP-15376-P-A, Revision 1, March 2003.

ESFAS Instrumentation B 3.3.2COMANCHE PEAK - UNITS 1 AND 2B 3.3-106Revision 62Table B 3.3.2-1 (Page 1 of 3)ESFAS Trip SetpointsFUNCTIONNOMINAL TRIP SETPOINT1.Safety Injectiona.Manual InitiationNA b.Automatic Actuation Logic and Actuation RelaysNA c.Containment Pressure - High 13.2 psig d.Pressurizer Pressure - Low1820 psig e.Steam Line Pressure - Low605 psig 1 10 seconds 2 5 seconds2.Containment Spraya.Manual InitiationNA b.Automatic Actuation Logic and Actuation RelaysNA c.Containment Pressure - High 318.2 psig3. Containment Isolationa.Phase A Isolation(1)Manual InitiationNA (2)Automatic Actuation Logic and Actuation RelaysNA (3)Safety InjectionSee Function 1b.Phase B Isolation(1)Manual InitiationNA(2)Automatic Actuation Logic and Actuation RelaysNA (3)Containment Pressure - High 318.2 psig ESFAS Instrumentation B 3.3.2COMANCHE PEAK - UNITS 1 AND 2B 3.3-107Revision 62Table B 3.3.2-1 (Page 2 of 3)ESFAS Trip SetpointsFUNCTIONNOMINAL TRIP SETPOINT4.Steam Line Isolationa.Manual InitiationNA b.Automatic Actuation Logic and Actuation RelaysNA c.Containment Pressure - High 26.2 psig d.Steam Line Pressure(1)Low605 psig 1 10 seconds 2 5 seconds(2)Negative Rate - High100 psi 50 seconds5.Turbine Trip and Feedwater Isolationa.Automatic Actuation Logic and Actuation RelaysNA b.SG Water Level - High-High (P-14)84% NR (Unit 1) 81.5% NR (Unit 2)c.Safety InjectionSee Function 1.6.Auxiliary Feedwatera.Automatic Actuating Logic and Actuation Relays (SSPS)NA

b.Not Usedc.SG Water Level - Low-Low38% NR (Unit 1) 35.4% NR (Unit 2)d.Safety InjectionSee Function 1.

e.Loss of PowerNA f.Not Used ESFAS Instrumentation B 3.3.2COMANCHE PEAK - UNITS 1 AND 2B 3.3-108Revision 62Table B 3.3.2-1 (Page 3 of 3)ESFAS Trip SetpointsFUNCTIONNOMINAL TRIP SETPOINT6.Auxiliary Feedwater (continued)g.Trip of All Main Feedwater PumpsNAh.Not Used.7.Automatic Switchover to Containment Sumpa.Automatic Actuation Logic and Actuation RelaysNAb.Refueling Water Storage Tank (RWST) Level -Low-Low Coincident with Safety Injection 33.0%8.ESFAS Interlocksa.Reactor Trip, P-4NAb.Pressurizer Pressure, P-111960 psig PAM Instrumentation B 3.3.3COMANCHE PEAK - UNITS 1 AND 2B 3.3-109Revision 62B 3.3 INSTRUMENTATIONB 3.3.3 Post Accident Monitoring (PAM) Instrumentation BASESBACKGROUNDThe primary purpose of the PAM instrumentation is to display unit variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the

operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for Design Basis Accidents (DBAs).The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information available on selected unit parameters to monitor and to assess unit status and behavior following an accident.The availability of accident monitoring instrumentation is important so that responses to corrective actions can be observed and the need for, and magnitude of, further actions can be determined. These essential instruments are identified by unit specific documents (Ref.1) addressing the recommendations of Regulatory Guide1.97 (Ref.2) as required by Supplement1 to NUREG-0737 (Ref.3).The instrument channels required to be OPERABLE by this LCO include two classes of parameters identified during unit specific implementation of Regulatory Guide1.97 as TypeA Category 1 variables and selected non-Type A Category 1 variables. All TypeA Category 1 variables are included in this LCO because they provide the primary information required for the control room operator to take

specific manually controlled actions for which no automatic control is provided, and that are required for safety systems to accomplish their safety functions for DBAs. Selected Non-Type A, Category1 variables are deemed risk significant because they are needed to:*Determine whether other systems important to safety are performing their intended functions;*Provide information to the operators that will enable them to determine the likelihood of a gross breach of the barriers to

radioactivity release; and*Provide information regarding the potential release of radioactive materials to allow for early indication of the need to initiate action necessary to protect the public, and to estimate the magnitude of any impending threat.(continued)

PAM Instrumentation B 3.3.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-110Revision 62 BACKGROUND (continued)These variables are identified by the unit specific Regulatory Guide1.97 analyses (Ref.1). These analyses identify the unit specific TypeA and non-Type A Category 1 variables and provide justification for deviating from the NRC proposed list of Category1 variables.The selected non-Type A Category 1 variables are Reactor Vessel Water Level and Containment Area Radiation (High Range). These selected variables are considered essential to the operator for LOCA management. Non-Type A Category 1 variables that are not included are Neutron Flux, Containment Pressure (Wide Range), Steam Generator Water Level (Wide Range), and Containment Isolation Valve Status. Although they are important variables, effectiveness of the operator response to a DBA would

not be reduced because other variables provide sufficient in formation for operator response. Neutron Flux is not required since reactor coolant temperatures provide sufficient confirmation of subcriticality. Containment Pressure (WR) is not required since the Containment Pressure intermediate range exceeds the containment design pressure and would provide sufficient confirmation of peak containment pressure. Steam Generator Water Level (WR) is not required since the Steam Generator water level narrow range would provide sufficient confirmation of level. The Wide range level is included as an alternative to auxiliary feedwater flow. Containment Isolation Valve Status is not a CPSES Category 1 variable.The specific instrument Functions listed in Table3.3.3-1 are discussed in the LCO section.

APPLICABLE SAFETY ANALYSESThe PAM instrumentation ensures the operability of Regulatory Guide1.97 TypeA and selected non-Type A Category1 variables so that the control room operating staff can:*Perform the diagnosis specified in the emergency operating procedures (these variables are restricted to preplanned actions for the primary success path of DBAs), e.g., loss of coolant accident (LOCA);*Take the specified, pre-planned, manually controlled actions, for which no automatic control is provided, and that are required for safety systems to accomplish their safety function;*Determine whether systems important to safety are performing their intended functions;(continued)

PAM Instrumentation B 3.3.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-111Revision 62APPLICABLE SAFETY ANALYSES (continued)*Determine the likelihood of a gross breach of the barriers to radioactivity release;*Determine if a gross breach of a barrier has occurred; and*Initiate action necessary to protect the public and to estimate the magnitude of any impending threat.PAM instrumentation that meets the definition of TypeA in Regulatory Guide1.97 satisfies Criterion3 of 10CFR50.36(c)(2)(ii). Selected Category1, non-TypeA, instrumentation must be retained in TS because it is intended to assist operators in minimizing the consequences of accidents. Therefore, selected Category1, non-TypeA, variables are important for reducing public risk and satisfies Criterion 4 of 10CFR50.36(c)(2)(ii).LCOThe PAM instrumentation LCO provides OPERABILITY requirements for Regulatory Guide1.97 TypeA instrumentation, which provide information required by the control room operators to perform certain manual actions

specified in the unit Emergency Oper ating Procedures. These manual actions ensure that a system can accomplish its safety function, and are credited in the safety analyses. Addi tionally, this LCO addresses selected Regulatory Guide1.97 instruments that have been designated Category1, non-TypeA.The OPERABILITY of the PAM instrumentation ensures there is sufficient information available on selected unit parameters to monitor and assess unit status following an accident. This capability is consistent with the recommendations of Reference1

.LCO 3.3.3 requires two OPERABLE channels to ensure no single failure prevents operators from getting the information necessary for them to determine the safety status of the unit, and to bring the unit to and maintain it in a safe condition following an acc ident. Even though only one RCS T cold and Thot indication per RCS loop is available, other PAM indications provide the necessary redundancy.

Furthermore, OPERABILITY of two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information.Additional channels and/or variables are normally available to resolve information ambiguity should the redundant displays disagree.(continued)

PAM Instrumentation B 3.3.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-112Revision 62 LCO (continued)Table3.3.3-1 provides a list of variables identified by the unit specific Regulatory Guide1.97 (Ref.1) analyses.Type A and Category1 variables are required to meet Regulatory Guide1.97 Category1 (Ref.2) design and qualification requirements for seismic and environmental qualification, single failure criterion, utilization of emergency standby power, immediat ely accessible dis play, continuous readout, and recording of display.Listed below are discussions of the specified instrument Functions listed in Table3.3.3-1. 1.Refueling Water Storage Tank (RWST) LevelRefueling Water Storage Tank Level is a Type A Category 1 variable for determining switchover of Containment Spray to the Containment Emergency Sump. This level indication is provided for the operators to assist in monitoring and ensuring an adequate supply of water for safety injection and containment spray. 2.Subcooling Monitors RCS Subcooling Monitors are Type A Category 1 variables for RCS subcooling (SI termination/reinitiation), natural circulation and RCP trip. RCS Subcooling Monitors are also Type B Category 1 variables for monitoring the core cooling status tree. RCS subcooling margin will allow termination of safety injection (SI), if still in progress, or reinitiation of SI if it has been stopped. RCS subcooling margin is also used for unit stabilization and cooldown control.3, 4.Reactor Coolant System (RCS) Hot and Cold Leg Temperatures (Wide Range)

RCS Hot and Cold Leg Temperatures are Type A, Category 1 variables for maintaining proper natural circulation conditions and to control heat removal rates. RCS Hot and Cold Leg Temperatures are also Type B Category1 variables provided for monitoring RCS integrity status tree.

RCS hot and cold leg temperatures (T hot and Tcold , respectively) are used to provide input to the Subcooling Monitor.(continued)

PAM Instrumentation B 3.3.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-113Revision 62LCO3,4.Reactor Coolant System (RCS) Hot and Cold Leg Temperatures (Wide Range) (continued)In addition, RCS cold leg temperature is used in conjunction with RCS hot leg temperature to verify the unit conditions necessary to

establish natural circulation in the RCS.Each of the four hot legs and each of the four RCS cold legs has one wide-range, fast response RTD. The channels are required to provide indication over a range of 50°F to 700°F (Ref. 2).5.Reactor Coolant System Pressure (Wide Range)RCS wide range pressure is a Type A Category 1 variable for RCS subcooling (SI termination/reinitiation), RCP trip and event diagnosis. RCS wide range pressure is also a Type B and C CategoryI variable provided for monitoring RCS integrity. RCS pressure is used to verify delivery of SI flow to RCS from at least one train when the RCS pressure is below the pump shutoff head. RCS pressure is also used to verify closure of manually closed spray line valves and pressurizer power operated relief valves (PORVs).In addition to these verification s, RCS pressure is used for determining RCS subcooling margin. RCS subcooling margin will allow termination of SI, if still in progress, or reinitiation of SI if it has been stopped. RCS pressure can also be used:*to determine whether to terminate actuated SI or to reinitiate stopped SI;*to determine when to reset SI and shut off low head SI;*to manually restart low head SI;*as reactor coolant pump (RCP) trip criteria; and*to make a determination on the nature of the accident in progress and where to go next in the procedure.RCS subcooling margin is also used for unit stabilization and cooldown control.(continued)

PAM Instrumentation B 3.3.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-114Revision 62LCO5.Reactor Coolant System Pressure (Wide Range) (continued)RCS pressure is also related to three decisions about depressurization. They are:*to determine whether to proceed with primary system depressurization;*to verify termination of depressurization; and

  • to determine whether to close accumulator isolation valves during a controlled cooldown/depressurization.

A final use of RCS pressure is to determine whether to operate the pressurizer heaters.RCS pressure is a TypeA variable because the operator uses this indication to monitor the coold own of the RCS following a steam generator tube rupture (SGTR) or small break LOCA. Operator actions to maintain a controlled cooldown, such as adjusting steam generator (SG) pressure or level, would use this indication. Furthermore, RCS pressure is one factor that may be used in

decisions to terminate RCP operation.6.Reactor Vessel Water LevelReactor Vessel Water Level is a Type B Category 1 variable for monitoring the core cooling and inventory status trees referenced in the Emergency Operating Procedures (EOPs). Reactor Vessel Water Level is provided for verifica tion and long term surveillance of core cooling. It is also used for accident diagnosis and to determine reactor coolant inventory adequacy.The Reactor Vessel Level Indicating System (RVLIS) provides a direct measurement of the collapsed liquid level above the fuel alignment plate. The collapsed level represents the amount of liquid mass that is in the reactor vessel above the core. Measurement of

the collapsed water level is selected because it is a direct indication of the water inventory.7.Containment Sump Water Level (Wide Range)Containment Sump Water Level (Wide Range) is a Type A Category 1 variable for event diagnosis and determining switchover of ECCS (continued)

PAM Instrumentation B 3.3.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-115Revision 62LCO7.Containment Sump Water Level (Wide Range) (continued)suction. It is also a Type B Category 1 variable for monitoring containment status tree. Containment Sump Water Level is provided for verification and long term surveillance of RCS integrity.Containment Sump Water Level is used to determine: *containment sump level accident diagnosis;*when to begin the recirculation procedure; and

  • whether to terminate SI, if still in progress.8.Containment Pressure (Intermediate Range)Containment Pressure (Intermediate Range) is a Type A Category 1 variable. It is a Type B Category 1 variable for monitoring containment status tree. Containment Pressure (Intermediate Range) is provided for verification of RCS and containment

OPERABILITY.Containment pressure is used to verify closure of main steam isolation valves (MSIVs), and containment spray PhaseB isolation when High-3 containment pressure is reached.9.Main Steam Line Pressure (Steam Generator Pressure)Main Steam Line Pressure (Steam Generator Pressure) is a Type A Category 1 variable for event diagnosis, natural circulation, and RCP trip criteria. It is also a Type B Category 1 variable for monitoring heat sink status tree. It is a variable for determining if a secondary pipe rupture has occurred. This indication is provided to aid the

operator in the identification of the faulted steam generator and to verify natural circulation.10.Containment Area Radiation (High Range)Containment Area Radiation Level (High Range) is a Type E Category 1 variable used to determine if an adverse containment

environment exists due to a high containment radiation level.

Containment Area Radiation is provided to monitor for the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency

plans.(continued)

PAM Instrumentation B 3.3.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-116Revision 62 LCO (continued)11.Deleted12.Pressurizer Water LevelPressurizer Water Level is Type A Category 1 variable for SI termination/reinitiation. It is also Type B Category 1 for monitoring RCS inventory status tree. Pressurizer Level is used to determine

whether to terminate SI, if still in progress, or to reinitiate SI if it has

been stopped. Knowledge of pressurizer water level is also used to verify the unit conditions necessary to establish natural circulation in the RCS and to verify that the un it is maintained in a safe shutdown condition.13.Steam Generator Water Level (Narrow Range)Steam Generator Water Level (Narrow Range) is a Type A Category1 variable for Steam Generator Tube Rupture event diagnosis and SI termination. It is also a Type B Category 1 variable for verification of heat sink.SG Water Level (Narrow Range) is used to:*identify the faulted SG following a tube rupture;*verify that the intact SGs are an adequate heat sink for the reactor;*determine the nature of the accident in progress (e.g., verify an SGTR); and*verify unit conditions for termination of SI during secondary unit HELBs outside containment.Operator action is based on the control room indication of SG level. The RCS response during a design basis small break LOCA depends on the break size. For a certain range of break sizes, the boiler condenser mode of heat transfer (reflux cooling) supplements other forms of decay heat removal. Steam generator water level (narrow range) is a Type A variable because the operator must manually

control SG level to establish an adequate heat sink. If the steam generator water level (narrow range) indication is on-scale (including uncertainties), adequate heat sink to support reflux cooling exists. (continued)

PAM Instrumentation B 3.3.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-117Revision 62 LCO (continued)14.Condensate Storage Tank (CST) LevelCondensate Storage tank Level is a Type A Category 1 variable for determining adequate water for auxiliary feedwater pumps and for switchover to station service water. CST Level is provided to ensure water supply for auxiliary feedwater (AFW). The CST provides a safety grade water supply for the AFW System. Inventory is monitored by redundant 0 to 100% level indication for each tank.

CST Level is displayed on a control room indicator and unit computer. In addition, a control room annunciator alarms on low level.The DBAs that require AFW are the loss of electric power, steam line break (SLB), feedline break (FLB), and small break LOCA. The CST is the initial source of water for the AFW System. However, as the CST is depleted, manual operator action is necessary to replenish the CST or align suction to the AFW pumps from station service water.15, 16, 17, 18.Core Exit TemperatureCore exit temperature is a Type A Category 1 variable for natural circulation, SI reduction/termination/reinitiation, and RCP trip. It is also a Type B Category 1 variable for monitoring core cooling status tree. It is a Type C Category 1 variable for monitoring the potential for fuel clad breach. Core Exit Temperature is provided for verification and long term surveillance of core cooling (Refs 1 , 2 and 3).An evaluation was made of the minimum number of valid core exit thermocouples (CET) necessary for measuring core cooling. The evaluation determined the reduced complement of CETs necessary to provide the emergency response guideline inputs for determination of inadequate core cooling and for determination of subcooling.

Based on these evaluations, adequate core cooling is ensured with a minimum of five CETs per train. These five CETs per train cannot be in the outer two rows of assemblies since they can receive significant cooling from steam generator drainage due to refluxing. Twenty CETs (8 Train A and 12 Train B) are in the outer two rows of assemblies. 30 CETS (17 Train A and 13 Train B) are not in the outer two rows of assemblies. The minimum set of five CETS should(continued)

PAM Instrumentation B 3.3.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-118Revision 62LCO15, 16, 17, 18Core Exit Temperature (continued) include one CET per quadrant per train and one additional CET per train centrally located in the core. Of the 30 available CETs, six CETs per Train are centrally located. Two trains of CETs ensure a single failure will not disable the ability to determine the adequacy of

core cooling.To satisfy the LCO:1.Two OPERABLE channels (consisting of at least two CETs each) of Core Exit Temperat ure are required in each quadrant,2.Of the CETs in 1 above, at least one per train per quadrant must be located in other than the two outer rows of

assemblies, and 3.Of the CETs in 1 above (but not one of the CETS in 2 above), at least one CET per train must be centrally located in core.

CETs also provide input to the Subcooling Monitor.19.Auxiliary Feedwater Flow Rate and Steam Generator Water Level (Wide Range)

Auxiliary Feedwater Flow is a Type A Category 1 variable for SI termination and determination of adequate/inadequate heat sink. It is also a Type B Category 1 variable for monitoring the heat sink status tree. Steam Generator water Level (Wide Range) is a Type B Category 1 variable for monitoring the heat sink status tree. It is also a backup for auxiliary feedwater flow. AFW Flow is provided to

monitor operation of decay heat removal via the SGs. The LCO requires that either 2 channels of AFW per SG are OPERABLE, or that one channel of AFW and one channel of SG water level (wide

range) be operable.The AFW Flow to each SG is determined from a differential pressure measurement calibrated for a range of 0gpm to 550gpm.

Redundant monitoring capability is provided by two independent trains of flow instrumentation for each SG. Each differential pressure transmitter provides an input to a control room indicator and the unit

computer. Since the primary indication used by the operator during an accident is the control room indicator, the PAM specification deals specifically with this portion of the instrument channel.(continued)

PAM Instrumentation B 3.3.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-119Revision 62LCO19.Auxiliary Feedwater Flow Rate and Steam Generator Water Level (Wide Range) (continued)

AFW flow is used three ways:*to verify delivery of AFW flow to the SGs;*to determine whether to terminate SI if still in progress, in conjunction with SG water level (narrow range); and*to regulate AFW flow so that the SG tubes remain covered.

AFW flow is also used by the operator to verify that the AFW System is delivering the correct flow to each SG. However, the primary indication used by the operator to ensure an adequate inventory is SG level. Therefore, steam generator water level (wide range) may be used in lieu of the same train of AFW flow for a given steam generator. Steam generators 1 and 3 have Train A wide range level, while steam generators 2 and 4 have Train B wide range level.APPLICABILITYThe PAM instrumentation LCO is applicable in MODES1, 2, and3. These variables are related to the diagnosi s and pre-planned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES1, 2, and3. In MODES4, 5, and6, unit conditions are such that the likelihood of an event that would require PAM instrumentation is low; therefore, the PAM

instrumentation is not required to be OPERABLE in these MODES.ACTIONSA Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table3.3.3-1. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function. When the Required Channels in Table3.3.3-1 are specified on a per SG, per loop or per steamline basis, then the Condition may be entered separately for each SG, loop or steamline, as appropriate.

A.1ConditionA applies when one or more Functions have one required channel that is inoperable. Required ActionA.1 requires restoring the inoperable channel to OPERABLE status within 30days. The 30day Completion Time is based on operating experience and takes into accoun t the remaining OPERABLE channel (or in the case of a Function that has only one required(continued)

PAM Instrumentation B 3.3.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-120Revision 62ACTIONSA.1 (continued) channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval.

B.1ConditionB applies when the Required Act ion and associated Completion Time for ConditionA are not met. This Required Action specifies initiation of actions in Specification 5.6.8, which requires a written report to be submitted to the NRC within the following 14 days. This action is appropriate in lieu of a shutdown requirement since alternative actions are identified before loss of functional capability, and given the lik elihood of unit conditions that would require information provided by this instrumentation.

C.1ConditionC applies when one or more Functions have two inoperable required channels (i.e., two channels inoperable in the same Function; one required Thot channel and one required Core Exit Temperature channel inoperable or one required Tcold channel and one required Steam Line Pressure channel for the associated loop inoperable). Required ActionC.1 requires restoring one channel in the Function(s) to OPERABLE status within 7days. The Completion Time of 7days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.

D.1ConditionD applies when the Required Action and associated Completion Time of Condition C is not met. Required ActionD.1 requires entering the appropriate Condition referenced in Table 3.3.3-1 for the channel immediately. The applicable Condition referenced in the Table is Function

dependent. Each time an inoperable channel has not met any Required Action of Condition C, and the associated Completion Time has expired, Condition D is entered for that channel and provides for transfer to the appropriate su bsequent Condition.(continued)

PAM Instrumentation B 3.3.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-121Revision 62 ACTIONS (continued)

E.1 and E.2If the Required Action and associated Completion Time of ConditionC is not met and Table 3.3.3-1 directs entry into Condition E, the unit must be brought to a MODE where the requirements of this LCO do not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6

hours and MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

The allowed Completion Times are reas onable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

F.1Alternate means of monitoring Reactor Vessel Water Level and Containment Area Radiation have been developed. These alternate means may be temporarily used if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. If these alternate means are used, the Required Action is not to shut down the unit but rather to follow the

directions of Specification5.6.8, in the Administrative Controls section of the TS. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels. SURVEILLANCE REQUIREMENTS A Note has been added to the SR Table to clarify that SR3.3.3.1 and SR3.3.3.3 apply to each PAM instrumentation Function in Table3.3.3-1

.SR 3.3.3.1Performance of the CHANNEL CHECK once every 31days ensures that a gross instrumentation failure has not occurred. A CHANNEL CHECK is

normally a comparison of the parame ter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.(continued)

PAM Instrumentation B 3.3.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-122Revision 62SURVEILLANCE REQUIREMENTS SR 3.3.3.1 (continued)Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE.As specified in the SR, a CHANNEL CHECK is only required for those channels that are normally energized. All of the instruments listed in Table3.3.3-1 are normally energized.The Frequency of 31days is based on operating experience that demonstrates that channel failu re is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.SR 3.3.3.2 DeletedSR3.3.3.3A CHANNEL CALIBRATION is performed every 18months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter with the necessary range and accuracy. The calibration method for neutron detectors is specified in the Bases of LCO3.3.1, "Reactor Trip System (RTS) Instrumentation." Whenever an RTD is replaced in Function 3 or 4, the next required CHANNEL CALIBRATION of the RTDs is accomplished by an inplace cross calibration that compares other sensing elements with the recently installed element. Whenever a core exit thermocouple replaced in Functions 15 thru 18, the next required CHANNEL CALIBRATION of the core exit thermocouples is accomplished by an in-place cross calibration that

compares the other sensing elements with the recently installed sensing element. The Frequency is based on operating experience and consistency with the typical industry refueling cycle. Containment Radiation Level (High Range) CHANNEL CALIBRATION may consist of an electronic calibration of the channel, not including the detector, for range decades above 10R/hr and a one point calibration check of the detector below 10R/hr with an installed or portable gamma source.(continued)

PAM Instrumentation B 3.3.3 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.3-123Revision 62 REFERENCES1.FSAR Section 7.5

.2.Regulatory Guide1.97, Revision 2, December 1980.3.NUREG-0737, Supplement1, "TMI Action Items."4.Not used5.Generic Letter 83-37, NUREG-0373 Technical Specifications,November 1, 1983.

Remote Shutdown System B 3.3.4COMANCHE PEAK - UNITS 1 AND 2B 3.3-124Revision 62B 3.3 INSTRUMENTATIONB 3.3.4 Remote Shutdown System BASESBACKGROUNDA safe shutdown condition is defined as MODE3. With the unit in MODE3, the Auxiliary Feedwater (AFW) System and the steam generator (SG) safety valves or the SG atmospheric relief valves (ARVs) can be used to remove

core decay heat and meet all safety req uirements. The long term supply of water for the AFW System and the ability to borate the Reactor Coolant System (RCS) from outside the control room allows extended operation in MODE3.If the control room becomes inaccessible, the operators can establish control at the Hot Shutdown Panel, and place and maintain the unit in MODE3. Not all controls and necessary transfer switches are located at the Hot Shutdown Panel. Some controls and transfer switches will have to be operated locally at the switchgear, motor control panels, the shutdown transfer panel or other local stations. The unit automatically reaches MODE3 following a unit shutdown and can be maintained safely in MODE3 for an extended period of time.The OPERABILITY of the required remote shutdown controls and the following instrumentation functions ensures there is sufficient information

available on selected unit parameters to place and maintain the unit in MODE3 should the control room become inaccessible. The readout location for these instruments is at the Hot Shutdown Panel (HSP).The controls, instrumentation, and transfer switches are required for:*Core reactivity control (initial and long term);*RCS pressure control;

  • Decay heat removal via the AFW System and the SG safety valves or SG ARVs; and*RCS inventory control.(continued)

Remote Shutdown System B 3.3.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-125Revision 62 BACKGROUND (continued)*Safety support systems for the above Functions, including service water, component cooling water, and onsite power, including the diesel generators. The LCO applies to the following Remote

Shutdown Instrumentation. Also provided is the total number of available channels; the number of channels required by the LCO is provided in Table 3.3.4-1

.APPLICABLE SAFETY ANALYSESThe Remote Shutdown System is required to provide equipment at appropriate locations outside the control room with a capability to promptly shut down and maintain the unit in a safe condition in MODE3. The criteria governing the design and specific system requirements of the Remote Shutdown System are located in 10CFR50, AppendixA, GDC19 (Ref.1).The Remote Shutdown System satisfies Criterion4 of 10CFR50.36(c)(2)(ii).(continued)REMOTE SHUTDOWN MONITORING INSTRUMENTATION INSTRUMENTTOTAL NO. OF CHANNELS1.Neutron Flux Monitors22.Wide Range RCS Temp.-T c1/Loop3.Wide Range RCS Temp.-T h1/Loop4.Pressurizer Pressure15.Pressurizer Level26.Steam Generator Pressure1/SG7.Steam Generator Level1/SG 8.Auxiliary Feedwater Flow Rate to Steam Generator 2/SG9.Condensate Storage Tank Level 210.Charging Pump to CVCS Charging and RCP Seals - Flow Indication 1

Remote Shutdown System B 3.3.4 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.3-126Revision 62LCOThe Remote Shutdown System LCO provides the OPERABILITY requirements of the instrumentation and controls necessary to place and maintain the unit in MODE3 from a location other than the control room. The readout location for these instruments is at the Hot Shutdown Panel (HSP). The instrumentation required is listed in Table3.3.4-1 in the accompanying LCO. A Function of a Remote Shutdown System in Table 3.3.4-1 is OPERABLE if all instrument and control channels needed to support the Remote Shutdown System Function are OPERABLE.The required controls are specified in Reference 2

.The remote shutdown instrument and control circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure the ins truments and control circuits will be OPERABLE if unit conditions require that the Remote Shutdown System be placed in

operation.APPLICABILITYThe Remote Shutdown System LCO is applicable in MODES1, 2, and3. This is required so that the unit can be placed and maintained in MODE3 for an extended period of time from a location other than the control room. This LCO is not applicable in MODE4, 5, or6. In these MODES, the facility is already subcritical and in a condition of reduced RCS energy. Under these conditions, considerable time is available to restore necessary instrument control functions if control room instruments or controls become unavailable.ACTIONSA Notehas been added to the ACTIONS to clarify the application of Completion Time rules. Separate Condition entry is allowed for each Function listed on Table3.3.4-1 and for each required Hot Shutdown Panel (HSP) control. The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function. When the Required Channels in Table 3.3.4-1 are specified (e.g., on a per SG, per loop, etc. basis), then the Condition may be entered separately for each SG, loop, etc.

as appropriate.

A.1ConditionA addresses the situation where one or more required Functions of the Remote Shutdown System in Table3.3.4-1 or one or more required HSP controls are inoperable.(continued)

Remote Shutdown System B 3.3.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-127Revision 62 ACTIONS A.1 (continued)The Required Action is to restore the required Function and required HSP controls to OPERABLE status within 30days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.B.1 andB.2If the Required Action and associated Completion Time of ConditionA is not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE3 within 6hours and to MODE4 within 12hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE REQUIREMENTSSR3.3.4.1Performance of the CHANNEL CHECK once every 31days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parame ter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertaint ies, including indicat ion and readability. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.As specified in the Surveillance, a CHANNEL CHECK is only required for those channels which are normally energized. With the exception of the charging pump to CVCS and RCP seals flow indication, all instruments listed in Table 3.3.4-1 are normally energized. The channels (recorders) for the RCS Hot Leg Temperature and RCS Co ld Leg Temperature functions may be de-energized during non-use with capability to be energized to obtain the necessary reading. The Frequency of 31days is based upon operating experience which demonstrates that channel failure is rare. (continued)

Remote Shutdown System B 3.3.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-128Revision 62SURVEILLANCE REQUIREMENTSSR3.3.4.1 (continued)The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.4.2SR3.3.4.2 verifies each required Remote Shutdown System HSP power and control circuit and transfer switch performs the intended function. This verification is performed from the Hot Shutdown Panel and locally, as appropriate. Operation of the equipment from the remote shutdown panel is not necessary. The Surveillance can be satisfied by performance of a continuity check. This will ensure that if the control room becomes inaccessible, the unit can be placed and maintained in MODE3 from the remote shutdown panel and the local control stations. The 18month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance we re performed with the reactor at power. (However, this Surveillance is not required to be performed only during a unit outage.) Operating experience demonstrates that remote shutdown control channels usually pass the Surveillance test when performed at the 18month Frequency.SR3.3.4.3CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. Whenever a sensing element is replaced, the next req uired CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an in-place cross calibration that compares the other sensing elements with the recently installed sensing element. The Frequency of 18months is based upon operating experience and consistency with the typical industry refueling cycle.REFERENCES1.10CFR50, AppendixA, GDC 3 and19.

2.FSAR Section 7.4

LOP DG Start Instrumentation B 3.3.5COMANCHE PEAK - UNITS 1 AND 2B 3.3-129Revision 62B 3.3 INSTRUMENTATIONB 3.3.5 Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation BASESBACKGROUNDThe DGs provide a source of emergency power when offsite power is either unavailable or is insufficiently stable to allow safe unit operation.

Undervoltage protection will generate an LOP start if a loss of voltage or degraded voltage condition occurs in the 6.9kv bus. Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source. The Preferred offsite power source normally energizes the 6.9kV Class 1E buses. If the Preferred offsite power source is lost, the 6.9kV Class 1E buses are automatically energized from the Alternate offsite power source. If the transfer fails, or if the Alternate offsite power source is not available, the diesel generators are started to energize the 6.9kV Class 1E

buses.For each unit, the undervoltage protection system, leading to the start of the diesel generators on loss of power, consists of the following functional groups:*Preferred offsite source undervoltage,*Alternate offsite source undervoltage,*6.9kV Class 1E buses loss of voltage,

  • 480V Class 1E buses low grid undervoltage,
  • 6.9 kV Class 1E buses degraded voltage, and
  • 480V Class 1E buses degraded voltage.

Each of the above groups consists of two sensing relays per bus that provide input to two-out-of two logic. The LOP start actuation logic is described in FSAR, Section8.3 (Ref.1). In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The network of logic and actuation relays actuate the offsite power source breakers and generator start signals as described in the FSAR.

Trip Setpoints and Allowable Values The Trip Setpoints and associated time delays used in the relays are consistent with the analytical limits presented in FSAR, Chapter15 (Ref.2). The selection of these Trip Setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account.(continued)

LOP DG Start Instrumentation B 3.3.5 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-130Revision 62 BACKGROUND (continued)

The actual nominal Trip Setpoint entered into the relays is within the allowable value or more conservative t han that required by the Allowable Value. If the measured setpoint does not exceed the Allowable Value, the relay is considered OPERABLE.Setpoints adjusted in accordance with the Allowable Value ensure that the consequences of accidents will be acceptable, provided the unit is operated from within the LCOs at the onset of the accident and that the equipment functions as designed.

Allowable Values are specified in Table 3.3.5-1 for each Function in SR3.3.5.3. The Trip Setpoints are listed in Table B 3.3.5-1. The nominal setpoints are selected to ensure that the setpoint measured by the surveillance procedure does not exceed the Allowable Value if the relay is performing as required. If the measured setpoint does not exceed the Allowable Value, the relay is considered OPERABLE. Operation with a Trip Setpoint less conservative than the nominal Trip Setpoint, but within the Allowable Value, is acceptable provide d that operation and testing is consistent with the assumptions of the unit specific setpoint calculation.

Each Allowable Value specified ta kes into account the instrument uncertainties appropriate to the trip function. These uncertainties are defined in the relay setting calculations.

APPLICABLE SAFETY ANALYSES The LOP DG start instrumentation is required for the Engineered Safety Features (ESF) Systems to function in any accident with a loss of offsite power or degraded power system. Its design basis is that of the ESF

Actuation System (ESFAS).Accident analyses credit the loading of the DG based on the loss of offsite power with or without a loss of coolant accident (LOCA). The actual DG start has historically been associated with the ESFAS actuation. The DG loading has been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power. The analyses assume a non-mechanistic DG loading, which does not explicitly account for each individual co mponent of loss of power detection and subsequent actions.The required channels of LOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents discussed in Reference2, in which a loss of offsite power is assumed.(continued)

LOP DG Start Instrumentation B 3.3.5 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-131Revision 62APPLICABLE SAFETY ANALYSES (continued)

The delay times assumed in the safety analysis for the ESF equipment include the 10second DG start delay, and the appropriate sequencing delay, if applicable. The response times for ESFAS actuated equipment include the appropriate DG loading and sequencing delay. The LOP DG start instrumentation channels satisfy Criterion3 of 10CFR50.36(c)(2)(ii).LCOThe LCO for LOP DG start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be OPERABLE in MODES1, 2, 3, and4 when the LOP DG start instrumentation supports safety systems associated with the ESFAS. Two trains of Automatic Actuation L ogic and Actuation Relays shall also be OPERABLE in MODES 1, 2, 3 and 4. In MODES5 and6, there is sufficient time available such that manual loading of the DGs started by LOP DG start automatic logic, i.e. bus undervoltage signal, is acceptable. Loss of the LOP DG Start Instrumentation Function could result in the delay of safety systems initiation when required. This could lead to unacceptable consequences during accidents. During the loss of offsite power the DG powers the motor driven auxiliary feedwater pumps. Failure of these pumps to start would leave only one turbine driven pump, as well as an increased potential for a loss of decay heat removal through the secondary system.APPLICABILITYThe LOP DG Start Instrumentation Functions are required in MODES1, 2, 3, and4 because ESF Functions are designed to provide protection in these MODES.A Note has been added that limits the applicability of the 6.9 kV Preferred Offsite Voltage Source Undervoltage function to those times when the associated source breaker is closed. When this breaker is open, the Preferred Offsite Voltage Source is not supplying power to the unit; thus, it will not cause an undervoltage DG start signal and the preferred source

undervoltage functions are not required to be operable.ACTIONSIn the event a channel's Trip Setpoint is found nonconservative with respect to the Allowable Value, or the channel is found inoperable, then the function that channel provides must be declared inoperable and the LCO Condition entered for the particular protection function affected.Because the required channels are specified on a per bus basis, the Condition may be entered separately for each bus as appropriate.(continued)

LOP DG Start Instrumentation B 3.3.5 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-132Revision 62 ACTIONS (continued)A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in the LCO. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1ConditionA applies to one or more LOP DG start Functions with one channel per bus inoperable.If one channel is inoperable, Required ActionA.1 requires that channel to be placed in trip within 6hours. With a channel in trip, the LOP DG start instrumentation channels are configured to provide a one-out-of-one logic to trip the incoming offsite power and initiate the LOP DG start logic.The specified Completion Time is reasonable considering the Function remains fully OPERABLE on every bus and the low probability of an event occurring during these intervals.A note has been added to clarify that this Condition is not applicable to the Automatic Actuation Logic and Actuation Re lay function. This function is addressed by Condition F.B.1, B.2.1, and B.2.2ConditionB applies when both loss of voltage channels on the Preferred Offsite Voltage Source bus are inoperable.Required ActionB.1 requires restoring one channel to OPERABLE status. The 1hour Completion Time should allow am ple time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring during this interval.Alternatively, Required Actions B.2.1 and B.2.2 can be completed. Action B.2.1 requires the Preferred Offsite Voltage Source bus be declared inoperable and the appropriate condition(s) specified in LCO 3.8.1 , "AC Sources - Operating," be entered within one hour. This requires that the additional Required Actio ns associated with an inoperable monitored function (the preferred offsite power source) be taken. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />

completion time allows time to repair at least one channel and takes into account the low probability of an event requiring an LOP start occurring(continued)

LOP DG Start Instrumentation B 3.3.5 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-133Revision 62ACTIONSB.1, B.2.1, and B.2.2 (continued)during this interval. Action B.2.2 requires that the Preferred Offsite Voltage Source Breaker be opened within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. Opening this breaker separates the preferred offsite power source from the Class 1E system and thereby eliminates the need for any undervoltage monitoring and eliminates any potential impact resulting from having an unmonitored power source connected to the Class 1E distribution system. The 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> completion time allows additional time to repair at least one inoperable channel and takes into account the low probability of an event requiring an LOP start occurring during this interval.C.1, C.2.1, and C.2.2ConditionC applies when both loss of v oltage channels on the Alternate Offsite Voltage Source bus are inoperable.Required ActionC.1 requires restoring one channel to OPERABLE status. The 1hour Completion Time should allow am ple time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring during this interval.Alternatively, Required Actions C.2.1 and C.2.2 can be completed. Action C.2.1 requires the Alternate Offsite Voltage Source bus be declared inoperable and the appropriate condition(s) specified in LCO 3.8.1 , "AC Sources - Operating," be entered within one hour. This requires that the additional Required Act ions associated with an inoperable monitored function (the alternate offsite power source) be taken. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> completion time allows time to repair at least one channel and takes into account the low probability of an event requiring an LOP start occurring during this interval. Action C.2.2 requires that the Alternate Offsite Voltage

Source Breaker be opened within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. Opening this breaker separates the alternate offsite power source from the Class 1E system and thereby eliminates the need for any undervoltage monitoring and eliminates any potential impact resulting from having an unmonitored power source connected to the Class 1E distribution system. The 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> completion time allows additional time to repair at least one inoperable channel and takes into account the low probability of an event requiring an LOP start occurring during this interval.

D.1 and D.2ConditionD applies when both loss of voltage channels on the 6.9kV safeguards bus are inoperable.(continued)

LOP DG Start Instrumentation B 3.3.5 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-134Revision 62ACTIONSD.1 and D.2 (continued)Required ActionD.1 requires restoring one channel to OPERABLE status. The 1hour Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring during this interval.Alternatively, Required Actions D.2 can be completed. Action D.2 requires the affected 6.9 kV bus be dec lared inoperable and the appropriate condition(s) specified in LCO 3.8.9 , "Electrical Power Systems, Distribution Systems - Operating," be entered within one hour. This requires that the additional Required Actio ns associated with an inoperable monitored function (the affected 6.9kV bus) be taken. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> completion time allows time to repair at least one channel and takes into account the low

probability of an event requiring an LOP start occurring during this interval.

The affected bus remains available to support required components although automatically powering the bus from the associated diesel generator may not occur on bus undervoltage.

E.1, E.2.1, and E.2.2Condition E applies when two channels per bus with one or more degraded voltage or low grid undervoltage functions inoperable.Required Action E.1 requires restoring one channel per bus to OPERABLE status within one hour. The 1hour Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring during this interval.Alternatively, Required Actions E.2.1 and E.2.2 can be completed. Action E.2.1 requires that the offsite power sources be declared inoperable and the appropriate condition(s) specified in LCO 3.8.1, "AC Sources - Operating," be entered within one hour. This requires that the additional Required Actions associated with the inoperable monitored functions (the offsite power sources) be taken. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> completion time allows time to repair at least one channel and takes into account the low probability of an event requiring an LOP start occurring during this interval. Action E.2.2 requires that the offsite power source breakers be opened within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. Opening these breakers separates the offsite power sources from the Class 1E system and thereby eliminates the need for any monitoring of degraded voltage or low grid undervoltage for the offsite power sources and eliminates any potential impact resulting from having unmonitored offsite power sources connected to the Class 1E distribution system. The 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> completion time allows additional time to repair at least one inoperable channel and takes into account the low probability of an event requiring an LOP start occurring during this interval.(continued)

LOP DG Start Instrumentation B 3.3.5 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-135Revision 62 ACTIONS (continued)

F.1 Condition F applies when one or more tr ains of Automatic Actuation Logic and Actuation Relay function are inoperable.Required Action F.1 requires restoring the inoperable train(s) to OPERABLE status. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> completion Time allows time to repair failures and takes into account the low probability of an event requiring LOP DG start occurring during this interval.

G.1ConditionG applies to each of the LOP DG start Functions when the Required Action and associated Completion Time for Conditions A through F are not met.In these circumstances the Conditions specified in LCO3.8.1, "AC Sources - Operating," for the DG made inoperable by failure of the LOP DG start instrumentation are required to be entered immediately. The actions of

those LCOs provide for adequate com pensatory actions to assure unit safety.SURVEILLANCE REQUIREMENTSSR3.3.5.1SR3.3.5.1 is the performance of an ACTUATION LOGIC TEST. The LOP DG Start Automatic Actuation Logic and Actuation Relays are tested prior to entering MODE 4 when in MODE 5 for greater than or equal to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and if not performed in the previous 92 days. The Function is tested prior to entering MODE 4 to assure that the associated diesel generator is not unnecessarily started by the testing. Such unnecessary starts could be adverse to the reliability of the diesel generator. The testing verifies that the logic is OPERABLE. The Frequency of the testing is adequate. The 72hours assures that there is sufficient time during the shutdown to perform the testing. The 92 days is based on industry operating experience, considering instrument reliability and operating history data.SR3.3.5.2SR3.3.5.2 is the performance of a TADOT. This test is performed prior to entry into MODE 4 when in MODE 5 for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and if not performed in previous 92 days. The test checks trip devices that provide actuation signals directly, bypassing the analog process control equipment. The Frequency is(continued)

LOP DG Start Instrumentation B 3.3.5 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-136Revision 62SURVEILLANCE REQUIREMENTSSR3.3.5.2 (continued)based on the known reliability of the relays and controls and the multichannel redundancy available, and has been shown to be acceptable through operating experience.SR3.3.5.3SR3.3.5.3 is the performance of a CHANNEL CALIBRATION.A CHANNEL CALIBRATION is performed every 18months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured para meter within the nec essary range and accuracy.The Frequency of 18months is bas ed on operating experience and consistency with the typical industry refueling cycle and is justified by the assumption of an 18month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.SR3.3.5.4SR3.3.5.4 is the performance of the required response time verification (see also SR3.3.2.10) every 18months on a STAGGERED TEST BASIS on those functions with time limits provided in the Technical Requirements Manual. Each verification shall include at least one train such that both trains are verified at least once per 36months.REFERENCES1.FSAR, Section8.3

.2.FSAR, Chapter15

.

LOP DG Start Instrumentation B 3.3.5COMANCHE PEAK - UNITS 1 AND 2B 3.3-137Revision 62Table B 3.3.5-1 (Page 1 of 1)LOP DG Start Instrumentation Trip SetpointFUNCTIONTRIP SETPOINTOffsite Sources Undervoltage6.9 kV Preferred5185 Volts6.9 kV Alternate5185 Volts6.9 kV Class 1E Bus Loss of Voltage2022 Volts6.9 kV Class 1E Degraded Voltage6192 Volts480 V Class 1E Bus Low Grid Undervoltage449.6 Volts 480 V Degraded Voltage442.4 Volts Containment Ventilation Isolation Instrumentation B 3.3.6COMANCHE PEAK - UNITS 1 AND 2B 3.3-138Revision 62B 3.3 INSTRUMENTATIONB 3.3.6 Containment Ventilation Isolation Instrumentation BASESBACKGROUNDContainment ventilation isolation instrumentation closes the containment isolation valves in the Containment Purge, Hydrogen Purge, and Containment Pressure Relief Systems. This action isolates the containment atmosphere from the environment to minimize releases of radioactivity in the event of an accident. The Containment Pressure Relief System may be in use during reactor operation and the Containment Purge System will be in use with the reactor shutdown. The Hydrogen Purge System may only be used with the reactor shutdown and containment pressure less than 5 psig. For Modes 1 through 4, all Containment Ventilation isolation (CVI) valves are locked closed with the exception of the Containment Pressure Relief valves.

Containment ventilation isolation initiates on an automatic or manual safety injection (SI) signal through the Containment Isolation - PhaseA Function, or by manual actuation of PhaseA Isolation, or by manual actuation of Containment Spray. The Bases for LCO3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation," discuss these modes of initiation.One containment radiation monitor is also provided as input to the containment ventilation isolation. The monitor measures containment radiation at one location. The monitor samples the containment atmosphere and upon detection of high radiation level initiates containment ventilation isolation. Since the radiation monito r constitutes a sampling system, various components such as sample line valves , and sample pumps are required to support monitor OPERABILITY.The Containment Purge, Hydrogen Purge, and Containment Pressure Relief systems each have inner and outer containment isolation valves on their

containment penetration flow paths. A high radiation signal initiates containment ventilation isolation, wh ich closes both inner and outer containment isolation valves in the Containment Purge, Hydrogen Purge, and Containment Pressure Relief Systems. These systems are described in the Bases for LCO3.6.3 , "Containment Isolation Valves." (continued)

Containment Ventilation Isolation Instrumentation B 3.3.6 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.3-139Revision 62 APPLICABLE SAFETY ANALYSESThe safety analyses for LOCA assume that the containment remains intactwith penetrations unnecessary for core cooling isolated early in the event.

Containment pressure relief is assumed to be isolated within 5 seconds of Pressurizer Pressure Low for LOCA. Containment isolation in turn ensures meeting the containment leakage rate assumptions of the safety analyses, and ensures that the calculated accidental offsite radiological doses are below 10CFR100 (Ref.1) limits.There is no credit taken for containment isolation by the radiation monitor in the accident analyses. There is no credit taken for containment isolation for a fuel handling accident. The containment ventilation isolation instrumentation satisfies Criterion3 of 10CFR50.36(c)(2)(ii).LCOThe LCO requirements ensure that the instrumentation necessary to initiate Containment Ventilation Isolation, listed in Table3.3.6-1 , is OPERABLE.1.Manual InitiationContainment Ventilation Isolation is manually initiated when the Phase "A" isolation function or the containment spray function is manually initiated. Refer to the Bases for LCO 3.3.2 , "ESFAS Instrumentation," Function 3.a.1 and 2.a, respectively, for applicability, required channels and surveillance requirements.2.Automatic Actuation Logic and Actuation RelaysThe LCO requires two trains of Automatic Actuation Logic and Actuation Relays OPERABLE to ensure that no single random failure can prevent automatic actuation.

Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function1.b, SI, and ESFAS Function3.a.(2), Containment PhaseA

Isolation. The applicable MODES a nd specified conditions for the containment ventilation isolation portion of these Functions are different and less restrictive than those for their PhaseA isolation and SI roles. If one or more of the SI or PhaseA isolation Functions becomes inoperable in such a manner that only the Containment Ventilation Isolation Function is affected, the Conditions applicable to their SI and PhaseA isolation Functions need not be entered. The less restrictive Actions specified for inoperability of the Containment Ventilation Isolation Functions specify sufficient compensatory measures for this case.(continued)

Containment Ventilation Isolation Instrumentation B 3.3.6 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-140Revision 62 LCO (continued)3.Containment RadiationThe LCO specifies one required radiation monitoring channel to ensure that the radiation monitoring instrumentation necessary to

initiate Containment Ventilation Isolation remains OPERABLE.For sampling systems, channel OPERABILITY involves more than OPERABILITY of the channel electronics. OPERABILITY may also require correct valve lineups, and sample pump operation, as well as detector OPERABILITY. These supporting features are necessary for a containment radiation trip to occur under the conditions assumed by the safety analyses. The Trip Setpoint for this Function is selected to satisfy the Gaseous Effluent Dose Rate requirements in Part I of the Offsite Dose Calculation Manual (ODCM).4.Containment Isolation-PhaseA Refer to LCO3.3.2, Function3.a., for all initiating Functions and requirements. The operator can initiate Containment Ventilation Isolation at any time by using either of two Containment Isolation Phase A manual switches in the control room. Either switch actuates both trains. This action will cause ac tuation of all components in the same manner as any of the automatic actuation signals.This function's requirements encompass the requirement to test the manual initiation which ensures the proper amount of redundancy is maintained in the manual actuation ci rcuitry to ensure the operator has manual initiation capability.APPLICABILITYThe Manual Initiation, Automatic Actuation Logic and Actuation Relays, Containment Isolation - PhaseA, a nd Containment Radiation Functions are required OPERABLE in MODES1, 2, 3, and4, and, for the radiation function, during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment. Under these conditions, the potential exists for an accident that could release fission product radioactivity into containment. Therefore, the containment ventilation isolation

instrumentation must be OPERABLE in these MODES.While in MODES5 and6 without fuel handling in progress, the containment ventilation isolation instrumentation need not be OPERABLE since the (continued)

Containment Ventilation Isolation Instrumentation B 3.3.6 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-141Revision 62 APPLICABILITY (continued)potential for radioactive releases is minimized and operator action is sufficient to ensure post accident offsite doses are maintained within the limits of Reference1

.The Applicability for the containment ventilation isolation on the ESFAS Containment Isolation - PhaseA Function is specified in LCO3.3.2. Refer to the Bases for LCO3.3.2 for a discussion of the Containment Isolation - PhaseA Function Applicability.ACTIONSThe most common cause of channel inoperability is outright failure or drift of the bistable or process module sufficient to exceed the t olerance allowed by unit specific calibration procedures. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a COT, when the process instrumentation is set up for adjustment to bring it within specification. A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table3.3.6-1. The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1ConditionA applies to failure of the radiation monitor channel. Since the containment radiation monitor measures the containment atmosphere and provides an actuation si gnal, failure of the channel results in the loss of the radiation monitoring Function. Consequently, the channel must be restored to OPERABLE status. The 4hours allowed to restore the affected channel is justified by the low likelihood of events occurring during this interval.

B.1ConditionB applies to all Containment Ventilation Isolation Automatic Actuation Logic and Actuation relays and addresses the train orientation of the Solid State Protection System (SSPS) and the master and slave relays for this Function. Condition B also applies to the radiation monitoring channel if the required action and completion times of Condition A are not met.(continued)

Containment Ventilation Isolation Instrumentation B 3.3.6 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-142Revision 62 ACTIONS (continued)

B.1 (continued)If a train is inoperable, or the Required Action and associated Completion Time of ConditionA are not met, operation may continue as long as the Required Action for the applicable Conditions of LCO3.6.3 is met for each valve made inoperable by failure of isolation instrumentation.A Note is added to allow the containment pressure relief valves to be opened in compliance with the gaseous effluent monitoring instrumentation

requirements in Part I of the ODCM, for Required Action and associated Completion Time of Condition A not met.A Note is added stating that ConditionB is only applicable in MODE1, 2, 3, or4.C.1 and C.2ConditionC applies to the inability to restore the radiation monitoring channel to OPERABLE status in the time allowed for Required ActionA.1. If the Required Action and associated Completion Time of ConditionA are not met, operation may cont inue as long as the Required Action to place and maintain containment ventilation isolation valves in their closed position is met or the applicable Conditions of LCO3.9.4, "Containment Penetrations," are met for each valve made inoperable by failure of isolation instrumentation. A note allows the containment pressure relief valves to be opened in compliance with gaseous effluent monitoring instrumentation requirements in Part I of the ODCM. The Completion Time for these Required Actions is Immediately.A Note states that ConditionC is applicable during CORE ALTERATIONS and during movement of irradiated fuel assemblies within containment.SURVEILLANCE REQUIREMENTS A Note has been added to the SR Table to clarify that Table3.3.6-1 determines which SRs apply to which Containment Ventilation Isolation Functions. SR 3.3.6.1Performance of the CHANNEL CHECK once every 12hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.(continued)

Containment Ventilation Isolation Instrumentation B 3.3.6 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-143Revision 62SURVEILLANCE REQUIREMENTS (continued)SR 3.3.6.1 (continued)The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.SR3.3.6.2SR3.3.6.2 is the performance of an ACTUATION LOGIC TEST. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. In addition, the master relay coil is pulse tested for continuity. This verifies that the logic modules are OPERABLE and there is an intact voltage signal path to the master relay coils. This test is performed every 92days on a STAGGERED TEST BASIS. The Surveillance interval is justified in Reference 4.

SR 3.3.6.3SR3.3.6.3 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. This test is performed every 92days on a STAGGERED TEST BASIS. The Surveillance interval is justified in Reference 4.SR3.3.6.4A COT is performed every 92days on each required channel to ensure the entire channel will perform the intended Function. The Frequency is based on the staff recommendation for increasing the availability of radiation monitors according to NUREG-1366 (Ref.2). This test verifies the capability of the instrumentation to provide the containment purge and exhaust system

isolation. The setpoint shall be left co nsistent with the current calibration procedure tolerance.SR3.3.6.5SR3.3.6.5 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is(continued)

Containment Ventilation Isolation Instrumentation B 3.3.6 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-144Revision 62SURVEILLANCE REQUIREMENTS (continued)SR3.3.6.5 (continued)verified in one of two ways. Actuation equipment that may be operated in the design mitigation mode is either allowe d to function or is placed in a condition where the relay contact operation can be verified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation mode is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing contacts operated by the slave relay. This test is performed every 92days. The Frequency is acceptable based on instrument reliability and industry operating experience.For ESFAS slave relays and auxiliary relays which are Westinghouse type AR relays, the SLAVE RELAY TEST is performed every 18 months. The Frequency is based on the slave relay reliability assessment presented in Reference 3. This reliability assessment is relay specific and applies only to Westinghouse type AR relays with AC coils. Note that, for normally energized applications, the relays may require periodic replacement in accordance with the guidance given in Reference 3

.SR 3.3.6.6 Not Used.SR3.3.6.7A CHANNEL CALIBRATION is performed every 18months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured para meter within the nec essary range and accuracy.The Frequency is based on operating experience and is consistent with the typical industry refueling cycle.REFERENCES1.10CFR100.11.2.NUREG-1366, July 22, 1993.

3.WCAP-13877-P-A, Revision 2, August 2000.4.WCAP-15376-P-A, Revision 2, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," March 2003.

CREFS Actuation Instrumentation B 3.3.7COMANCHE PEAK - UNITS 1 AND 2B 3.3-145Revision 62B 3.3 INSTRUMENTATIONB 3.3.7 Control Room Emergency Filtration System (CREFS) Actuation Instrumentation BASESBACKGROUNDThe CREFS provides an enclosed c ontrol room environment from which the unit can be operated following an uncontrolled release of radioactivity.

During normal operation, the control room is pressurized by the Control Room A/C System. Upon receipt of an actuation signal, the CREFS initiates filtered ventilation and continues pressurization of the control room. This system is described in the Bases for LCO3.7.10, "Control Room Emergency Filtration System."The actuation instrumentation consists of redundant radiation monitors in each of the two air intakes (one for each train in each intake). A high radiation signal from any of these detectors will initiate both trains of the CREFS. The control room operator can also initiate CREFS trains by a two

train common manual switch in the control room. The CREFS is also actuated by a safety injection (SI) signal. The SI Function is discussed in LCO3.3.2, "Engineered Safety Feature Actuation System (ESFAS)

Instrumentation." APPLICABLE SAFETY ANALYSESThe control room must be kept habitable for the operators stationed there during accident recovery and post accident operations.The CREFS acts to terminate the supply of unfiltered outside air to the control room, initiate filtration, and maintain the control room pressurization. These actions are necessary to ensure the control room is kept habitable for the operators stationed there during accident recovery and post accident operations by minimizing the radiation exposure of control room personnel

[Ref. 1].In MODES1, 2, 3, and4, the radiation monitor actuation of the CREFS is a backup for the SI signal actuation. This ensures initiation of the CREFS during a loss of coolant accident including rod ejection accidents, or steam generator tube rupture accidents.The radiation monitor actuation of the CREFS in MODES5 and6, during movement of irradiated fuel assemblies, is the primary means to ensure control room habitability in the event of a fuel handling or waste gas decay tank rupture accident. Since the Control room is common to both Unit 1 and Unit 2, the CREFS actuation instrumentation is required for the conditions and modes of both units.(continued)

CREFS Actuation Instrumentation B 3.3.7 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-146Revision 62APPLICABLE SAFETY ANALYSES (continued)The CREFS actuation instrumentation satisfies Criterion3 of 10CFR50.36(c)(2)(ii).LCOThe LCO requirements ensure that instrumentation necessary to initiate the CREFS is OPERABLE.1.Manual InitiationThe LCO requires two channels OPERABLE. The operator can initiate the CREFS at any time by using a common two-train switch module in the control room. This action will cause actuation of all components in the same manner as any of the automatic actuation signals. Separate reset switches are provided for Train A and for Train B CREFS.The LCO for Manual Initiation ensures the proper amount of redundancy is maintained in the manual actuation circuitry to ensure

the operator has manual initiation capability.

Each channel consists of one contact in the common switch and the interconnecting wiring to the actuation logic cabinet.

The surveillance testing of the manual initiation functions also tests the circuitry and relays that are actuated by the SI slave relays.2.Automatic Actuation Logic and Actuation RelaysThe LCO requires two trains of Actuation Logic and Relays OPERABLE to ensure that no single random failure can prevent automatic actuation.

Automatic Actuation Logic and Actuation Relays consist of a single radiation monitor output logic relay for each train 3.Control Room RadiationThe LCO specifies two required Control Room Air Intake Radiation Monitors per intake to ensure that the radiation monitoring

instrumentation necessary to initiate the CREFS remains

OPERABLE.Each Control room intake is a separate function because they are physically separated and each has redundant monitors for CREFS initiation.(continued)

CREFS Actuation Instrumentation B 3.3.7 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-147Revision 62 LCO3.Control Room Radiation (continued)For sampling systems, channel OPERABILITY involves more than OPERABILITY of channel electronics. OPERABILITY may also require correct valve lineups, sample pump operation as well as detector OPERABILITY, if these supporting features are necessary for trip to occur under the conditions assumed by the safety analyses.4.Safety Injection Refer to LCO3.3.2, Function1, for all initiating Functions and requirements.APPLICABILITYThe CREFS Functions must be OPERABLE in MODES1, 2, 3,4, 5, 6 and movement of irradiated fuel assemblies. The Functions must also be OPERABLE in MODES5 and6 when required for a waste gas decay tank rupture accident, to ensure a habitable environment for the control room

operators.ACTIONSThe most common cause of channel inoperability is outright failure or drift of the bistable or process module sufficient to exceed the t olerance allowed by the unit specific calibration procedures. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a COT, when the process instrumentation is set up for adjustment to bring it within specification. If the Trip Setpoint is less conservative than the tolerance specified by the calibration procedure, the channel must be declared inoperable immediately and the appropriate Condition entered.A Note has been added to the ACTIONS indicating that separate Condition entry is allowed for each Function. The Conditions of this Specification may be entered independently fo r each Function listed in Table3.3.7-1 in the accompanying LCO. The Completion Time(s) of the inoperable channel(s)/

train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 and A.2ConditionA applies to the actuation logic train Function of the CREFS, the radiation monitor channel Functions, and the manual channel Functions.(continued)

CREFS Actuation Instrumentation B 3.3.7 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-148Revision 62ACTIONSA.1 and A.2 (continued)

If one train is inoperable, or one radiation monitor channel is inoperable in one or more Functions, 7days are permitted to restore it to OPERABLE status. The 7day Completion Time is the same as is allowed if one train of the mechanical portion of the system is inoperable. The basis for this Completion Time is the same as provided in LCO3.7.10. If the channel/train cannot be restored to OPERABLE status, the affected CREFS train must be placed in the emergency recirculation mode of operation. This accomplishes the actuation instrumentation Function and places the unit in a conservative mode of operation.Alternatively, the makeup air supply fan from the affected air intake may be secured. This action is modified by a note that states it is applicable only to

the control room radiation monitors. This action ensures that in the event of a radiological accident, the control room will not be supplied air through an unmonitored air intake.

B.1.1, B.1.2, and B.2ConditionB applies to the failure of two CREFS actuation trains, two radiation monitor channels, or two manual channels. The first Required Action is to place one CREFS train in the emergency recirculation mode of operation immediately. This accomplishes the actuation instrumentation Function that may have been lost and places the unit in a conservative mode of operation. The applicable Conditions and Required Actions of LCO3.7.10 must also be entered for one CREFS train made inoperable by inoperable actuation instrumentation. This ensures appropriate limits are placed upon train inoperability as discussed in the Bases for LCO3.7.10.Alternatively, as described in the Note, if the affected channels are both of the north air intake radiation monitors or both of the south air intake radiation monitors, the control room makeup supply fan from the affected air intake is required to be immediately secured.

C.1 and C.2ConditionC applies when the Required Action and associated Completion Time for ConditionA orB have not been met and the unit is in MODE1, 2, 3, or4. The unit must be brought to a MODE in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to MODE3 within 6hours and MODE5 within 36hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.(continued)

CREFS Actuation Instrumentation B 3.3.7 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-149Revision 62ACTIONS (continued)

D.1 and D.2ConditionD applies when the Required Action and associated Completion Time for ConditionA orB have not been met during MODE 5 or 6 or when irradiated fuel assemblies are being moved. Movement of irradiated fuel assemblies and CORE ALTERATIONS must be suspended immediately to reduce the risk of accidents that would require CREFS actuationSURVEILLANCE REQUIREMENTS A Note has been added to the SR Table to clarify that Table3.3.7-1 determines which SRs apply to wh ich CREFS Actuation Functions.

SR 3.3.7.1Performance of the CHANNEL CHECK once every 12hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is

normally a comparison of the parame ter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertaint ies, including indicat ion and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.7.2A COT is performed once every 92days on each required channel to ensure the entire channel will perform the intended function. This test verifies the capability of the instrumentation to provide the CREFS actuation. The setpoints shall be left consistent with the unit specific calibration procedure tolerance. The Frequency is based on the known reliability of the monitoring equipment and has been shown to be acceptable through operating(continued)

CREFS Actuation Instrumentation B 3.3.7 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.3-150Revision 62SURVEILLANCE REQUIREMENTS SR 3.3.7.2 (continued)experience. The COT surveillance of the control room air intake monitors verifies the contacts and circuitry between the monitors and the CREFS actuation circuits, and thereby satisfies the COT for Automatic Actuation Logic and Actuation Relays.

SR 3.3.7.3 Not Used.

SR 3.3.7.4 Not Used.SR 3.3.7.5 Not Used.

SR 3.3.7.6SR3.3.7.6 is the performance of a TADOT. This test is a check of the Manual Actuation Functions and is performed every 18months. Each Manual Actuation Function is tested up to , and including, the master relay coils. In some instances, the test includes actuation of the end device.

The test also includes trip devices that provide actuation signals directly to the Solid State Protection System, bypassing the analog process control equipment. The Frequency is based on the known reliability of the Function and the redundancy availab le, and has been shown to be acceptable through operating experience. The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Functions tested have no setpoints associated with them.

SR 3.3.7.7A CHANNEL CALIBRATION is performed every 18months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured para meter within the nec essary range and accuracy.The Frequency is based on operating experience and is consistent with the typical industry refueling cycle.(continued)

CREFS Actuation Instrumentation B 3.3.7 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.3-151Revision 62REFERENCES1.FSAR Section 6.4

.

°°

°

°

°°

°°

°

°

°°

°

°

+/-

°°

°

°°

°

°

°

°°°°

°

µµ

°

µµ

µµµµ

µµµ

µµ

Accumulators B 3.5.1COMANCHE PEAK - UNITS 1 AND 2B 3.5-1Revision 57 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.1 Accumulators BASESBACKGROUNDThe functions of the ECCS accumulators are to supply water to the reactor vessel during the blowdown phase of a loss of coolant accident (LOCA), to provide inventory to help accomplish the refill phase that follows thereafter, and to provide Reactor Coolant System (RCS) makeup for a small break LOCA.The blowdown phase of a large break LOCA is the initial period of the transient during which the RCS departs from equilibrium conditions, and heat from fission product decay, hot internals, and the vessel continues to be

transferred to the reactor coolant. The blowdown phase of the transient ends when the RCS pressure falls to a value approaching that of the containment atmosphere.In the refill phase of a LOCA, which immediately follows the blowdown phase, reactor coolant inventory has vacated the core through steam flashing and ejection out through the break. The core is essentially in adiabatic heatup. The balance of accu mulator inventory is then available to help fill voids in the lower plenum and reactor vessel downcomer so as to establish a recovery level at the bottom of the core and ongoing reflood of the core with the addition of safety injection (SI) water.The accumulators are pressure vessels partially filled with borated water and pressurized with nitrogen gas. The accumulators are passive components, since no operator or control actions are required in order for them to perform their function. Internal accumulator tank pressure is sufficient to discharge the accumulator contents to the RCS, if RCS pressure decreases below the accumulator pressure.Each accumulator is piped into an RCS cold leg via an accumulator line and is isolated from the RCS by a motor operated isolation valve and two check valves in series.The motor operated isolation valves are required to be open with power removed in MODE 3 above 1000 psig to satisfy BTP ICSB-18 [Ref. 1] for small break LOCAs. They are requir ed to be open with power removed in MODES 1 and 2 for large break LOCA. The accumulator size, water volume, and nitrogen cover pressure are selected so that three of the four accumulators are sufficient to partially cover the core before significant clad melting or zirconium water reaction can occur (continued)

Accumulators B 3.5.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-2Revision 57 BACKGROUND (continued) following a LOCA. The need to ensure that three accumulators are adequate for this function is consistent with the LOCA assumption that the entire contents of one accumulator will be lost via the RCS pipe break during the blowdown phase of the LOCA.

APPLICABLE SAFETY ANALYSESThe accumulators are assumed OPERABLE in both the large and small break LOCA analyses at full power (Ref. 2). These are the Design Basis Accidents (DBAs) that establish the acceptance limits for the accumulators. Reference to the analyses for these DBAs is used to assess changes in the accumulators as they relate to the acceptance limits.In performing the LOCA calculations, conservative assumptions are made concerning the availability of ECCS flow. In the early stages of a LOCA, with or without a loss of offsite power, the accumulators provide the sole source of makeup water to the RCS. The assumption of loss of offsite power is required by regulations and conservatively imposes a delay wherein the ECCS pumps cannot deliver flow until the emergency diesel generators start, come to rated speed, and go through their timed loading sequence. In cold leg break scenarios, the entire contents of one accumulator are assumed to be lost through the break.

The limiting large break LOCA is a double ended guillotine break at the discharge of the reactor coolant pump. During this event, the accumulators discharge to the RCS as soon as RCS pressure decreases to below accumulator pressure.As a conservative estimate, no credit is taken for ECCS pump flow until an effective delay has elapsed. This delay accounts for the diesels starting and the pumps being loaded and delivering full flow. The delay time is conservatively set with an additional 2 seconds to account for SI signal generation. During this time, the accumulators are analyzed as providing the sole source of emergency core cooling. No operator action is assumed during the blowdown stage of a large break LOCA.The worst case small break LOCA analyses also assume a time delay before pumped flow reaches the core. For the larger range of small breaks, the rate of blowdown is such that the increase in fuel clad temperature is terminated primarily by the accumulators, wit h pumped flow then providing continued cooling. As break size decreases, the accumulators and centrifugal charging pumps both play a part in terminating the rise in clad temperature. As break size continues to decrease, the role of the accumulators continues to decrease until they are not required and the centrifugal charging pumps become solely responsible for terminating the temperature increase.(continued)

Accumulators B 3.5.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-3Revision 57APPLICABLE SAFETY ANALYSES (continued)This LCO helps to ensure that the following acceptance criteria established for the ECCS by 10 CFR 50.46 (Ref. 3) will be met following a LOCA:a.Maximum fuel element cladding temperature is 2200 F;b.Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation;c.Maximum hydrogen generation from a zirconium water reaction is 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react; andd.Core is maintained in a coolable geometry.

Since the accumulators discharge during the blowdown phase of a LOCA, they do not contribute to the long term cooling requirements of 10CFR50.46.For both the large and small break LO CA analyses, a nominal contained accumulator water volume is used. The contained water volume is the same as the deliverable volume for the accumulators, since the accumulators are

emptied, once discharged. For sma ll breaks, an increase in water volume may be either a peak clad temperature penalty or benefit depending on the transient characteristics. Depending on the NRC-approved methodology used to analyze large breaks, an increase in water volume may be either a peak clad temperature penalty or benefit, depending on downcomer filling and subsequent spill through the break during the core reflooding portion of the transient. The analysis makes a conservative as sumption with respect to ignoring or taking credit for line water volume from the accumulator to the check valve. The safety analysis assumes values of 6119 gallons and 6597 gallons. The minimum boron concentration setpoint is used in the post LOCA boron concentration calculation. The calculation is performed to assure reactor subcriticality in a post LOCA environment. Of particular interest is the large break LOCA, since no credit is taken fo r control rod assembly insertion. A reduction in the accumulator minimum boron concentration would produce a subsequent reduction in the available containment sump concentration for post LOCA shutdown and an increase in the maximum sump pH. The maximum boron concentration is used in determining the cold leg to hot leg recirculation injection switchover time and minimum sump pH.(continued)

Accumulators B 3.5.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-4Revision 57APPLICABLE SAFETY ANALYSES (continued)The large and small break LOCA analyses are performed at the minimum nitrogen cover pressure (603 psia), since sensitivity analyses have demonstrated that higher nitrogen cover pressure results in a computed peak clad temperature benefit. The maximum nitrogen cover pressure limit (693 psia) prevents accumulator relief valve actuation, and ultimately preserves accumulator integrity. To allow for instrument inaccuracy, control room indicated values of 623psig and 644 psig are specified and used in surveillance.The effects on containment mass and energy releases from the accumulators are accounted for in the appropriate analyses (Refs. 2 and 4).The accumulators satisfy Criteria 2 and 3 of 10CFR50.36(c)(2)(ii). LCOThe LCO establishes the minimum conditions required to ensure that the accumulators are available to accomplish their core cooling safety function

following a LOCA. Four accumulators are required to ensure that 100% of the contents of three of the accumulators will reach the core during a LOCA. This is consistent with the assumption that the contents of one accumulator spill through the break. If less than three accumulators are injected during the blowdown phase of a LOCA, the ECCS acceptance criteria of 10CFR50.46 (Ref. 3) could be violated.For an accumulator to be consider ed OPERABLE, the isolation valve must be fully open, power removed above a nominal RCS pressure of 1000 psig, and the limits established in the SRs for contained volume, boron concentration, and nitrogen cover pressure must be met.APPLICABILITYIn MODES 1 and 2, and in MODE 3 with RCS pressure > 1000 psig, the accumulator OPERABILITY requirements are based on full power operation. Although cooling requirements decrease as power decreases, the accumulators are still required to provide core cooling as long as elevated RCS pressures and temperatures exist.This LCO is only applicable at pressures > 1000 psig. At pressures 1000psig, the rate of RCS blowdown is such that the ECCS pumps can provide adequate injection to ensure that peak clad temperature remains below the 10 CFR 50.46 (Ref. 3) limit of 2200 F.(continued)

Accumulators B 3.5.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-5Revision 57 APPLICABILITY (continued)In MODE 3, with RCS pressure 1000 psig, and in MODES 4, 5, and 6, the accumulator motor operated isolation valves are closed to isolate the accumulators from the RCS. Accumulator isolation is only required when the accumulator pressure is greater than or equal to the maximum RCS pressure for the existing RCS cold leg temperature, as allowed by the P/T curves provided in the PTLR. This allows RCS cooldown and

depressurization without discharging the accumulators into the RCS or requiring depressurization of the accumulators. ACTIONSA.1If the boron concentration of one accumulator is not within limits, it must be returned to within the limits within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. In this Condition, the ability to maintain subcriticality or minimum boron precipitation time may be reduced. The boron in the accumulators contributes to the assumption that the combined ECCS water in the partially recovered core during the early reflooding phase of a large break LOCA is sufficient to keep that portion of

the core subcritical. One accumulator below the minimum boron concentration limit, however, will have no effect on available ECCS water and an insignificant effect on core subcriticality during reflood. Boiling of ECCS water in the core during reflood concentrates boron in the saturated liquid that remains in the core. In addition, current analyses demonstrate that the accumulators do not disch arge following a large main steam line break. Even if they do discharge, their impact is minor and not a design limiting event. Thus, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is allowed to return the boron concentration to within limits.

B.1If one accumulator is inoperable for a reason other than boron concentration, the accumulator must be returned to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. In this Condition, the required conten ts of three accumulators cannot be assumed to reach the core during a LOCA. Due to the severity of the consequences should a LOCA occur in these conditions, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time to open the valve, remove power to the valve, or restore the proper water volume or nitrogen cover pressure ensures that prompt action will be taken to return the inoperable accumulator to OPERABLE status. The Completion Time minimizes the potential for exposure of the plant to a LOCA under these conditions. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed to restore an inoperable accumulator to OPERABLE status is justified - WCAP-15049, Rev. 1 (Ref. 5).(continued)

Accumulators B 3.5.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-6Revision 57 ACTIONS (continued)

C.1 and C.2 If the accumulator cannot be returned to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and RCS pressure reduced to 000 psig within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Time s are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1If more than one accumulator is inoperable, the plant is in a condition outside the accident analyses; therefore, LCO 3.0.3 must be entered immediately.SURVEILLANCE REQUIREMENTS SR 3.5.1.1Each accumulator valve should be verified to be fully open every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. This verification ensures that the accumulators are available for injection and ensures timely discovery if a valve should be less than fully open. If an isolation valve is not fully open, the rate of injection to the RCS would be reduced. Although a motor operated valve position should not change with power removed, a closed valve could result in not meeting accident analyses assumptions. This Frequency is considered reasonable in view of other administrative controls that ensure a mispositioned isolation valve is unlikely.SR 3.5.1.2 and SR 3.5.1.3 Every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, borated water volume and nitrogen cover pressure are verified for each accumulator. This Frequency is sufficient to ensure adequate injection during a LOCA. Because of the static design of the accumulator, a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency usually allows the operator to identify

changes before limits are reached. Operating experience has shown this Frequency to be appropriate for early detection and correction of off normal trends.Each accumulator is equipped with two level and two pressure channels.

One channel of each is designated the primary channel and used for this surveillance except when declared inoperable. The second channel is used to perform channel checks and as backup to the primary channel. Surveillances are routinely performed on both channels.(continued)

Accumulators B 3.5.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-7Revision 57SURVEILLANCE REQUIREMENTSSR 3.5.1.2 and SR 3.5.1.3 (continued)Control Board indication may be used in the surveillances of the required indicated water volume. To allow for a 5% instrument inaccuracy and a 1% tank tolerance, control room indicated values of 39% and 61% are conservative and may be used in surveillance. Other means of surveillance which consider measurement uncertainty may also be used.

SR 3.5.1.4The boron concentration should be verified to be within required limits for each accumulator every 31 days since t he static design of the accumulators limits the ways in which the concentr ation can be changed. The 31 day Frequency is adequate to identify changes that could occur from mechanisms such as stratification or inleakage. Sampling the affected accumulator within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> after a 1% volume increase (101 gallons) will identify whether inleakage has caused a reduction in boron concentration to below the required limit. It is not necessary to verify boron concentration if the added water inventory is from the refueling water storage tank (RWST),

and the RWST has not been diluted since verifying that its boron concentration satisfies SR 3.5.4.3, because the water contained in the RWST is nominally within the accumulator boron concentration requirements. This is consistent with the recommendation of NUREG-1366 (Ref. 6).SR 3.5.1.5Verification every 31 days that power is removed from each accumulator isolation valve operator when the RCS pr essure is > 1000 psig ensures that an active failure could not result in the undetected closure of an accumulator motor operated isolation valve. If this were to occur, only two accumulators would be available for injection given a single failure coincident with a LOCA.

Since power is removed under administrative control, the 31 day Frequency will provide adequate assurance that power is removed.This SR allows power to be supplied to the motor operated isolation valves when RCS pressure is 1000 psig.(continued)

Accumulators B 3.5.1 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.5-8Revision 57REFERENCES1.BTP ICSB-18 (Rev. 2, July 1981) "Application of the single failurecriterion to manually controlled electrically operated valves.

2.FSAR, Chapter 6

.3.10 CFR 50.46.

4.FSAR, Chapter 15

.5.WCAP-15049-A, Rev. 1, April 1999

.6.NUREG-1366, December 1992

.

ECCS - Operating B 3.5.2COMANCHE PEAK - UNITS 1 AND 2B 3.5-9Revision 57 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.2 ECCS - Operating BASESBACKGROUNDThe function of the ECCS is to provide core cooling and negative reactivity to ensure that the reactor core is protected after any of the following accidents:a.Loss of coolant accident (LOCA), coolant leakage greater than the capability of the normal charging system;b.Rod ejection accident;c.Loss of secondary coolant accident, including uncontrolled steam release or loss of feedwater; andd.Steam generator tube rupture (SGTR).The addition of negative reactivity is designed primarily for the loss of secondary coolant accident where primary cooldown could add enough positive reactivity to achieve criticality and return to significant power.There are three phases of ECCS operation: injection, cold leg recirculation, and hot leg recirculation. In the injection phase, water is taken from the refueling water storage tank (RWST) and injected into the Reactor Coolant System (RCS) through the cold legs. When sufficient water is removed from the RWST to ensure that enough boron has been added to maintain the reactor subcritical and the containment sumps have enough water to supply the required net positive suction hea d to the ECCS pu mps, suction is switched to the containment sump for cold leg recirculation. After several hours, the ECCS flow is shifted to the hot leg recirculation phase to provide a backflush, which would reduce the boiling in the top of the core and any resulting boron precipitation.The ECCS consists of three separate subsystems: centrifugal charging (high head), safety injection (SI) (intermediat e head), and residual heat removal (RHR) (low head). Each subsystem consists of two redundant, 100% capacity trains. The ECCS accumulators and the RWST are also part of the ECCS, but are not considered part of an ECCS flow path as described by

this LCO.The ECCS flow paths consist of piping, valves, heat exchangers, and pumps such that water from the RWST can be injected into the RCS following the accidents described in this LCO. The major components of each subsystem are the centrifugal charging pumps, the RHR pumps, heat exchangers, and (continued)

ECCS - Operating B 3.5.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-10Revision 57 BACKGROUND (background)the SI pumps. Each of the three subsystems consists of two 100% capacity trains that are interconnected and redundant such that either train is capable of supplying 100% of the flow re quired to mitigate the accident consequences. This interconnecting and redundant subsystem design provides the operators with the ability to utilize components from opposite trains to achieve the required 100% flow to the core.During the injection phase of LOCA recovery, a suction header supplies water from the RWST to the ECCS pu mps. Separate piping supplies each subsystem and each train within the subsystem. The discharge from the centrifugal charging pumps combines in a common header and then divides again into four supply lines, each of which feeds the injection line to one RCS cold leg. The discharge from the SI and RHR pumps divides and feeds an injection line to each of the RCS cold legs. Throttle valves are set to balance the flow to the RCS. This balance ensures sufficient flow to the core to meet the analysis assumptions following a LOCA in one of the RCS cold legs. The

throttle valves also protect the SI pumps and centrifugal charging pumps from exceeding runout flow rates.For LOCAs that are too small to depressurize the RCS below the shutoff head of the SI pumps, the centrifugal charging pumps supply water until the RCS pressure decreases below the SI pump shutoff head. During this period, the steam generators are used to provide part of the core cooling function.During the recirculation phase of LOCA recovery, RHR pump suction is transferred to the containment sump. The RHR pumps then supply the other ECCS pumps. Initially, recirculation is through the same paths as the injection phase. Subsequently, recirculation alternates injection between the hot and cold legs.The centrifugal charging subsystem of the ECCS also functions to supply borated water to the reactor core following increased heat removal events, such as a main steam line break (MSLB). The limiting design conditions occur when the negative moderator temperature coefficient is highly negative, such as at the end of each cycle.During low temperature conditions in the RCS, limitations are placed on the maximum number of ECCS pumps that may be OPERABLE. Refer to the Bases for LCO 3.4.12, "Low Temperature Overpressure Protection (LTOP) System," for the basis of these requirements.(continued)

ECCS - Operating B 3.5.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-11Revision 57 BACKGROUND (background)The ECCS subsystems are actuated upon receipt of an SI signal. The actuation of safeguard loads is accomplished in a programmed time sequence. If offsite power is available, the safeguard loads start after a one second sequencer delay in the programmed time sequence. If offsite power is not available, the Engineered Safety Feature (ESF) buses shed normal operating loads and are connected to the emergency diesel generators (EDGs). Safeguard loads are then actuated in the programmed time sequence. The time delay associated with diesel starting, sequenced loading, and pump starting determines the time required before pumped flow is available to the core following a LOCA.

Each ECCS pump is provided with normally open miniflow lines for pump protection. The RHR miniflow isolation valves close on flow to the RCS and have a time delay to prevent them from closing until the RHR pumps are up to speed and capable of delivering fluid to the RCS. The SI pump minflow isolation valves are closed manually from the control room prior to transfer from injection to recirculation. The Charging Pump miniflow isolation valves close on receipt of a safety injection signal and alternate minflow isolation valves open.The active ECCS components, along with the passive accumulators and the RWST covered in LCO 3.5.1, "Accumulators," and LCO 3.5.4 , "Refueling Water Storage Tank (RWST)," provide the cooling water necessary to meet GDC 35 (Ref. 1).APPLICABLE SAFETY ANALYSESThe LCO helps to ensure that the following acceptance criteria for the ECCS, established by 10 CFR 50.46 (Ref. 2), will be met following a LOCA:a.Maximum fuel element cladding temperature is 2200 F;b.Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation;c.Maximum hydrogen generation from a zirconium water reaction is 0.01 times the hypothetical amount generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react;d.Core is maintained in a coolable geometry; ande.Adequate long term core cooling capability is maintained.(continued)

ECCS - Operating B 3.5.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-12Revision 57APPLICABLE SAFETY ANALYSES (continued)

The LCO also limits the potential for a post trip return to power following an MSLB event and ensures that containment temperature limits are met.Each ECCS subsystem is taken credit for in a large break LOCA event at full power (Refs. 3 and 4). This event establishes the requirement for runout flow for the ECCS pumps, as well as the maximum response time for their actuation. The centrifugal charging pumps and SI pumps are credited in a small break LOCA event. This event establishes the flow and discharge head at the design point for the centrifugal charging pumps. The SGTR and MSLB events also credit the centrifugal charging pumps. The OPERABILITY requirements for the ECCS are based on the following LOCA analysis assumptions:a.A large break LOCA event, with loss of offsite power and a single failure disabling one RHR pump (both EDG trains are assumed to operate due to requirements for modeling full active containment heat removal system operation); andb.A small break LOCA event, with a loss of offsite power and a single failure disabling one ECCS train. During the blowdown stage of a LOCA, the RCS depressurizes as primary coolant is ejected through the break into the containment. The nuclear reaction is terminated either by moderator voiding during large breaks or control rod insertion for small breaks. Following depressurization, emergency cooling water is injected into the cold legs, flows into the downcomer, fills the lower ple num, and refloods the core.The effects on containment mass and energy releases are accounted for in appropriate analyses (Refs. 3 and 4). The LCO ensures that an ECCS train will deliver sufficient water to match boiloff rates soon enough to minimize the consequences of the core being uncovered following a large LOCA. It also ensures that the centrifugal charging and SI pumps will deliver sufficient water and boron during a small LOCA to maintain core subcriticality. For

smaller LOCAs, the centrifugal charging pump delivers sufficient fluid to maintain RCS inventory. For a small break LOCA, the steam generators continue to serve as the heat sink, providing part of the required core cooling.The ECCS trains satisfy Criterion 3 of 10CFR50.36(c)(2)(ii). (continued)

ECCS - Operating B 3.5.2 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.5-13Revision 57LCOIn MODES 1, 2, and 3, two independent (and redundant) ECCS trains arerequired to ensure that sufficient ECCS flow is available, assuming a single failure affecting either train. Additionally, individual components within the ECCS trains may be called upon to mitigate the consequences of other transients and accidents.In MODES 1, 2, and 3, an ECCS train consists of a centrifugal charging subsystem, an SI subsystem, and an RHR subsystem. Each train includes the piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the RWST upon an SI signal and initiating semi-automatic switchover of suction to the containment sump.

During an event requiring ECCS actuation, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply hea ders to each of the four cold leg injection nozzles. In the long term, this flow path may be switched to take its supply from the containment sump and to supply its flow to the RCS hot and cold legs.The flow path for each train must maintain its designed independence to ensure that no single failure can disable both ECCS trains.As indicated in Note 1, the SI flow paths may be isolated for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> in MODE 3, under controlled conditions, to perform pressure isolation valve testing per SR 3.4.14.1. The flow path is readily restorable from the control room and a single active failure (Ref. 7) is not assumed coincident with this testing. Therefore the ECCS trains are considered Operable during this isolation.As indicated in Note 2, operation in MODE 3 with ECCS pumps made incapable of injecting, pursuant to LCO 3.4.12 , "Low Temperature Overpressure Protection (LTOP) System," is necessary for plants with an LTOP arming temperature at or near the MODE 3 boundary temperature of 350F. The note allows this condition up to 375 F to ensure conditions are above the LTOP arming temperature.

LCO 3.4.12 requires that certain pumps be rendered incapable of injecting at and below the LTOP arming temperature. When this temperatur e is at or near the MODE 3 boundary temperature, time is needed to restore the inoperable pumps to OPERABLE status.APPLICABILITYIn MODES 1, 2, and 3, the ECCS OPERABILITY requirements for the limiting Design Basis Accident, a large break LOCA, are based on full power

operation. Although reduced power would not require the same level of performance, the accident analysis does not provide for reduced cooling (continued)

ECCS - Operating B 3.5.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-14Revision 57 APPLICABILITY (continued)requirements in the lower MODES.

The centrifugal charging pump performance is based on a small break LOCA, which establishes the pump performance curve and has less dependence on power. The SI pump performance requirements are based on a small break LOCA. MODE 2 and MODE 3 requirements are bounded by the MODE 1 analysis.This LCO is only applicable in MODE 3 and above. Below MODE 3, the SI signal setpoint is manually bypassed by operator control, and system functional requirements are relaxed as described in LCO 3.5.3 , "ECCS-Shutdown."In MODES 5 and 6, plant conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation - High Water Level," and LCO3.9.6 , "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level."ACTIONSA.1With one centrifugal charging pump (CCP) inoperable, the inoperable CCP must be returned to OPERABLE status within 7 days. The 7 day allowed outage time is based on a risk-informed assessment to manage the risk associated with the equipment in accordance with the Configuration Risk Management Program and is a reasonable time for the repair of a CCP.

B.1With one or more trains inoperable, for reasons other than one inoperable centrifugal charging pump, and at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train available, the inoperable components must

be returned to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is based on an NRC reliability evaluation (Ref. 5) and is a reasonable time for repair of many ECCS components.100% of the ECCS flow equivalent to a single OPERABLE ECCS train is considered available if the following conditions are met:

1) There must be one fully OPERABLE centrifugal charging pump, one fully OPERABLE safety injection pump and one fully OPERABLE RHR pump with associated heat exchanger at a minimum. 2) The flow paths associated with each pump and heat exchanger for which credit is being taken must be OPERABLE in (continued)

ECCS - Operating B 3.5.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-15Revision 57ACTIONSB.1 (continued)the injection and recirculation flow paths. 3) ECCS system alignment, with the exception of isolation valves for inoperable pumps and heat exchangers must be normal. 4) All automatic functions and interlocks must be

OPERABLE for the components for which credit is being taken. 5)All support systems for the pumps and heat exchangers for which credit is being taken are OPERABLE. 6) The combination of components must be such that a transition from cold leg to hot leg recirculation can be accomplished.An ECCS train is inoperable if it is not capable of delivering design flow to the RCS. Individual components ar e inoperable if they are not capable of performing their design function or supporting systems are not available.The LCO requires the OPERABILITY of a number of independent subsystems. Due to the redundancy of trains and the diversity of subsystems, the inoperability of one component in a train does not render the ECCS incapable of performing its function. Neither does the inoperability of two different components, each in a different train, necessarily result in a loss of function for the ECCS. The intent of this Condition is to maintain a combination of equipment such that 100% of the ECCS flow equivalent to a single OPERABLE ECCS train remains available. This allows increased

flexibility in plant operations under circumstances when components in opposite trains are inoperable.An event accompanied by a loss of offsite power and the failure of an EDG can disable one ECCS train until power is restored. A reliability analysis

(Ref. 5) has shown that the impact of having one full ECCS train inoperable is sufficiently small to justify continued operation for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.Reference 6 describes situations in which one component, such as an RHR crossover valve, can disable both ECCS trains. With one or more component(s) inoperable such that 100% of the flow equivalent to a single OPERABLE ECCS train is not available, the facility is in a condition outside the accident analysis. Therefore , LCO 3.0.3 must be immediately entered.

C.1 and C.2If the inoperable trains cannot be returned to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.(continued)

ECCS - Operating B 3.5.2 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.5-16Revision 57SURVEILLANCE REQUIREMENTS SR 3.5.2.1Verification of proper valve position ensures that the flow path from the ECCS pumps to the RCS is maintained. Misalignment of these valves could render both ECCS trains inoperable. Securing these valves in position by removal of power by a control board switch in the correct position ensures that they cannot change position as a result of an active failure or be inadvertently misaligned. These valves are of the type, described in

References 6 and 7 , that can disable the funct ion of both ECCS trains and invalidate the accident analyses. A 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency is considered

reasonable in view of other administra tive controls that will ensure a mispositioned valve is unlikely. As noted in LCO Note 1, both Safety Injection pump flow paths may each be isolated for two hours in MODE 3 by closure of one or more of these valves to perform pressure isolation valve

testing.SR 3.5.2.2 Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a non-accident position provided the valve will automatically reposition within the proper stroke time. This Surveillance does not require any testing or valve manipulation.

Rather, it involves verification that those valves capable of being mispositioned are in the correct position. The 31 day Frequency is appropriate because the valves are operated under administrative control, and an improper valve position would only affect a single train. This Frequency has been shown to be acceptable through operating experience.

SR 3.5.2.3Venting of the ECCS pump casing and accessible discharge piping high points prior to entering MODE 3 and following any maintenance or operations activity which drains portions of the system, ensures the system is full of water and will perform properly (i.e., allows injecting the full ECCS capacity into the RCS on demand).The CCP design and attached piping configuration allow the CCP to vent the accumulated gases via the attached suction and discharge piping.

Continuous venting of the suction piping to the Volume Control tank (VCT) and manual venting of the discharge piping high points satisfies the pump

casing venting requirements for the CCPs.(continued)

ECCS - Operating B 3.5.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-17Revision 57SURVEILLANCE REQUIREMENTS (continued)

SR 3.5.2.4 Periodic surveillance testing of ECCS pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems is required by the ASME Code. This type of testing may be accomplished by measuring the pump developed head at only one point of the pump characteristic curve. The following ECCS pumps are required to develop the indicated differential pressure on recirculation flow:This verifies both that the measured performance is within an acceptable tolerance of the original pump baseline performance and that the

performance at the test flow is gr eater than or equal to the performance assumed in the plant safety analysis. SRs are specified in the InserviceTesting Program of the ASME Code. The ASME Code and the Technical Requirements Manual provides the activities and Frequencies necessary to satisfy the requirements.SR 3.5.2.5 and SR 3.5.2.6These Surveillances demonstrate that each automatic ECCS valve actuates to the required position on an actual or simulated SI signal and that each ECCS pump starts on receipt of an actual or simulated SI signal. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The 18 month Frequency is based on the need to pe rform these Surveillances under the conditions that apply during a plant outage and the pote ntial for unplanned plant transients if the Surveillances were performed with the reactor at power. The 18 month Frequency is also acceptable based on consideration of the design reliability (and confirming operating experience) of the equipment. The actuation logic is tested as part of ESF Actuation System testing, and equipment performance is monitored as part of the Inservice Testing Program

.SR 3.5.2.7The correct alignment of throttle valves in the ECCS flow path on an SI signal is necessary for proper ECCS performance. Valves 8810A, B, C, D(continued)1)Centrifugal charging pump 2370 psid,2)Safety injection pump 1440 psid, and3)RHR pump> 170 psid.

ECCS - Operating B 3.5.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-18Revision 57SURVEILLANCE REQUIREMENTS SR 3.5.2.7 (continued)are provided in the charging pump to cold leg injection lines. Valves 8822A, B, C, D are provided in the SI pump to cold leg injection lines. These manual throttle valves are positioned following flow balancing and have mechanical locks to ensure that the proper positioning for restricted flow to a ruptured cold leg is maintained and that the other cold legs receive at least the required minimum flow. Valves 8816A, B, C, D are provided in the SI pump to hot leg recirculation lines. These manual throttle valves are positioned following flow balancing and have mechanical locks to ensure flow balancing and to limit SI pump runout. The 18 month Frequency is based on the same reasons as those stated in SR 3.5.2.5 and SR 3.5.2.6

.SR 3.5.2.8 Periodic inspections of the containment sump suction inlet ensure that it is unrestricted and stays in proper operating condition. The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage, on the need to have access to the location, and because of the potential for an unplanned transient if the Surveillance were performed with the reactor at power. This Frequency has been found to be sufficient to detect abnormal degradation and is confirmed by operating experience.REFERENCES1.10 CFR 50, Appendix A, GDC 35.2.10 CFR 50.46.

3.FSAR, Sections 6.3 and 7.6.4.FSAR, Chapter 15, "Accident Analysis."5.NRC Memorandum to V. Stello, Jr., from R.L. Baer, "Recommended Interim Revisions to LCOs for ECCS Components," December 1, 1975.6.IE Information Notice No. 87-01.7.BTP EICSB-18, Application of the Single Failure Criteria to Manually-Controlled Electrically-Operated Valves.

ECCS - Shutdown B 3.5.3COMANCHE PEAK - UNITS 1 AND 2B 3.5-19Revision 57 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.3 ECCS - Shutdown BASESBACKGROUNDThe Background section for Bases 3.5.2, "ECCS-Operating," is applicable to these Bases, with the following modifications.In MODE 4, the required ECCS train consists of two separate subsystems: centrifugal charging (high head) and residual heat removal (RHR) (low head).The ECCS flow paths consist of piping, valves, heat exchangers, and pumps such that water from the refueling water storage tank (RWST) can be injected into the Reactor Coolant System (RCS) following the accidents described in Bases 3.5.2

.APPLICABLE SAFETY ANALYSES The Applicable Safety Analyses section of Bases 3.5.2 also applies to this Bases section.

Due to the stable conditions associated with operation in MODE 4 and the reduced probability of occurrence of a Design Basis Accident (DBA), the ECCS operational requirements are reduced. It is understood in these reductions that certain automatic safety injection (SI) actuation is not available. In this MODE, sufficient time exists for manual actuation of the required ECCS to mitigate the consequences of a DBA.Only one train of ECCS is required for MODE 4. This requirement dictates that single failures are not considered during this MODE of operation. The ECCS trains satisfy Criterion 3 of 10CFR50.36(c)(2)(ii). LCOIn MODE 4, one of the two independent (and redundant) ECCS trains is required to be OPERABLE to ensure that sufficient ECCS flow is available to the core following a DBA.In MODE 4, an ECCS train consists of a centrifugal charging subsystem and an RHR subsystem. Each train includes the piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the RWST and transferring suction to the containment sump.

During an event requiring ECCS actuation, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply head ers to each of the four cold leg (continued)

ECCS - Shutdown B 3.5.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-20Revision 57 LCO (continued)injection nozzles. In the long term, this flow path may be switched to take its supply from the containment sump and to deliver its flow to the RCS hot and cold legs.

This LCO is modified by a Note that allows an RHR train to be considered OPERABLE during alignment and operation for decay heat removal, if capable of being manually realigned (remote or local) to the ECCS mode of operation and not otherwise inoperable. This allows operation in the RHR mode during MODE 4.APPLICABILITYIn MODES 1, 2, and 3, the OPERABILITY requirements for ECCS are covered by LCO 3.5.2.In MODE 4 with RCS temperature below 350F, one OPERABLE ECCS train is acceptable without single failure consideration, on the basis of the stable reactivity of the reactor and th e limited core cooling requirements.In MODES 5 and 6, plant conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation - High Water Level," and LCO3.9.6 , "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level."ACTIONSA Note prohibits the application of LCO 3.0.4.b to an inoperable ECCS centrifugal charging pump subsystem when entering MODE 4. There is an increased risk associated with entering MODE 4 from MODE 5 with an inoperable ECCS centrifugal charging pump subsystem and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

A.1With no ECCS RHR subsystem OPERABLE, the plant is not prepared to respond to a loss of coolant accident or to continue a cooldown using the RHR pumps and heat exchangers. The Completion Time of immediately to initiate actions that would restore at least one ECCS RHR subsystem to OPERABLE status ensures that prompt action is taken to restore the(continued)

ECCS - Shutdown B 3.5.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-21Revision 57ACTIONSA.1 (continued)required cooling capacity. Normally, in MODE 4, reactor decay heat is removed from the RCS by an RHR loop. If no RHR loop is OPERABLE for this function, reactor decay heat must be removed by some alternate method, such as use of the steam generators. The alternate means of heat removal must continue until the inoperable RHR loop components can be restored to operation so that decay heat removal is continuous.

With both RHR pumps and heat exchangers inoperable, it would be unwise to require the plant to go to MODE 5, where the only available heat removal system is the RHR. Therefore, the appropriate action is to initiate measures to restore one ECCS RHR subsystem and to continue the actions until the subsystem is restored to OPERABLE status.

B.1With no ECCS high head subsystem OPERABLE, due to the inoperability of the centrifugal charging pump or flow path from the RWST, the plant is not prepared to provide high pressure response to Design Basis Events requiring SI. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time to restore at least one ECCS high head subsystem to OPERABLE status ensures that prompt action is taken to provide the required cooling capacity or to initiate actions to place the plant in MODE 5, where an ECCS train is not required.

C.1When the Required Actions of Condition B cannot be completed within the required Completion Time, a controlled shutdown should be initiated. Twenty-four hours is a reasonable time, based on operating experience, to reach MODE 5 in an orderly manner and without challenging plant systems or operators.SURVEILLANCE REQUIREMENTS SR 3.5.3.1The applicable Surveillance descriptions from Bases 3.5.2 apply. REFERENCESThe applicable references from Bases 3.5.2 apply.

RWST B 3.5.4COMANCHE PEAK - UNITS 1 AND 2B 3.5-22Revision 57 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.4 Refueling Water Storage Tank (RWST)

BASESBACKGROUNDThe RWST supplies borated water to the Chemical and Volume Control System (CVCS) during abnormal operating conditions, to the refueling pool during refueling, and to the ECCS and the Containment Spray System during accident conditions.

The RWST supplies both trains of the ECCS and the Containment Spray System through a common suction line to each system's supply header during the injection phase of a loss of c oolant accident (LOCA) recovery. A motor operated isolation valve is provided in each header to isolate the RWST from the ECCS once the system has been transferred to the recirculation mode. The recirculation mode is entered when pump suction is transferred to the containment sump following receipt of the RWST - Low Low signal. Use of a single RWST to supply both trains of the ECCS and Containment Spray System is acceptable since the RWST is a passive component, and passive failures are not required to be assumed to occur coincidentally with Design Basis Events.

The switchover from normal operation to the injection phase of ECCS operation requires changing centrif ugal charging pump su ction from the CVCS volume control tank (VCT) to the RWST through the use of isolation valves. Each set of isolation valves is interlocked so that the VCT isolation valves will not begin to close until the RW ST isolation valves are fully open. Since the VCT is under pressure, the preferred pump suction will be from the VCT until the tank is isolated. This will result in a delay in obtaining the RWST borated water. The effects of this delay are discussed in the Applicable Safety Analyses section of these Bases.

During normal operation in MODES 1, 2, and 3, the safety injection (SI) and residual heat removal (RHR) pumps are aligned to take suction from the RWST.The ECCS and Containment Spray System pumps are provided with recirculation lines that ensure each pump can maintain minimum flow requirements when operating at or near shutoff head conditions.When the suction for the ECCS and Containment Spray System pumps is transferred to the containment sump, the RWST flow paths must be isolated to prevent a release of the containment sump contents to the RWST, which could result in a release of contaminants to the atmosphere and the eventual loss of suction head fo r the ECCS pumps.(continued)

RWST B 3.5.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-23Revision 57 BACKGROUND (continued)

This LCO ensures that:a.The RWST contains sufficient borated water to support the ECCS during the injection phase;b.Sufficient water volume exists in the containment sump to support continued operation of the ECCS and Containment Spray System pumps at the time of transfer to the recirculation mode of cooling; andc.The reactor remains subcritical following a LOCA.Insufficient water in the RWST could result in insufficient cooling capacity when the transfer to the recirculation mode occurs. Improper boron concentrations could result in a reduction of SDM or excessive boric acid precipitation in the core following the LOCA, as well as excessive caustic stress corrosion of mechanical components and systems inside the

containment.

APPLICABLE

SAFETY ANALYSESDuring accident conditions, the RWST provides a source of borated water to the ECCS and Containment Spray System pumps. As such, it provides

containment cooling and depressurization, core cooling, and replacement inventory and is a source of negative reactivity for reactor shutdown (Ref.1). The design basis transients and applicable safety analyses concerning each of these systems are discussed in the Applicable Safety Analyses section of B 3.5.2, "ECCS - Operating";

B 3.5.3, "ECCS-Shutdown"; and B 3.6.6 , "Containment Spray Systems." These analyses are used to assess changes to the RWST in order to evaluate their effects in relation to the acceptance limits in the analyses.

The RWST must also meet volume, boron concentration, and temperature requirements for non-LOCA events. The volume is not an explicit assumption in non-LOCA events since the required volume is a small

fraction of the available volume. The deliverable volume limit is set by the LOCA and containment analyses. For the RWST, the deliverable volume is different from the total volume contained since, due to the design of the tank, more water can be contained than can be delivered. The minimum boron concentration is an explicit assumption in the main steam line break (MSLB) analysis to ensure the required shutdown capability. The minimum boron concentration limit is an important assumption in ensuring the required shutdown capability. The maximum boron concentration is an explicit assumption in the inadvertent ECCS actuation analysis, although it is typically a non-limiting event and the re sults are very insensitive to boron(continued)

RWST B 3.5.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-24Revision 57APPLICABLE SAFETY ANALYSES (continued)concentrations. Although it only has a minor effect, the maximum temperature is used in the feedline break and small break LOCA analyses; the minimum temperature is an assumption in both the MSLB and

inadvertent ECCS actuation analyse s, although the inadvertent ECCS actuation event is typically non-limiting.The MSLB analysis has considered a delay associated with the interlock between the VCT and RWST isolation valves, and the results show that the departure from nucleate boiling design basis is met. The delay has been established as 27 seconds, with offsite power available, or 37 seconds without offsite power. This response time includes 2 seconds for electronics delay, a 15 second stroke time for the RWST valves, and a 10second stroke time for the VCT valves. For a large break LOCA analysis, the minimum contained water volume limit of 483,731 gallons and the lower boron concentration limit of 2400ppm are used to compute the post LOCA sump boron concentration necessary to assure subcriticality. The large break LOCA is the limiting case since the safety analysis assumes that all control rods are out of the core. The limits on minimum contained water volume and maximum boron concentration of the RWST also ensure a maximum equilibrium sump pH for the solution recirculated within containment after a LOCA which limits corrosion and hydrogen production. The limit on maximum boron concentration is also used to determine a minimum equilibrium sump pH. This minimum pH level minimizes the evolution of iodine and minimizes the effect of chloride stress corrosion on mechanical systems and components.The upper limit on boron concentration of 2600 ppm is used to determine the maximum allowable time to switch to hot leg recirculation following a LOCA. The purpose of switching from cold leg to hot leg injection is to avoid boron precipitation in the core following the accident.In the ECCS analysis, the containment spray temperature is assumed to be equal to the RWST lower temperature limit of 40°F. If the lower temperature limit is violated, the containment spray further reduces containment pressure, which decreases the rate at which steam can be vented out the break and increases peak clad temperature. The upper temperature limit of 120°F is used in the small break LOCA analysis and containment analysis.

Exceeding this temperature will result in a higher peak clad temperature, because there is less heat transfer from the core to the injected water for the small break LOCA and higher contai nment pressures due to reduced(continued)

RWST B 3.5.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-25Revision 57APPLICABLE SAFETY ANALYSES (continued)containment spray cooling capacity. For the containment response following an MSLB, the lower limit on boron concentration and the upper limit on RWST water temperature are used to maximize the total energy release to

containment.The RWST satisfies Criteria 2 and 3 of 10CFR50.36(c)(2)(ii).LCOThe RWST ensures that an adequate supply of borated water is available to cool and depressurize the containment in the event of a Design Basis Accident (DBA), to cool and cover the core in the event of a LOCA, to

maintain the reactor subcritical f ollowing a DBA, and to ensure adequate level in the contain ment sump to support ECCS and Containment Spray System pump operation in the recirculation mode.To be considered OPERABLE, the RWST must meet the water volume, boron concentration, and temperature limits established in the SRs.APPLICABILITYIn MODES 1, 2, 3, and 4, RWST OPERABILITY requirements are dictated by ECCS and Containment Spray System OPERABILITY requirements. Since both the ECCS and the Containment Spray System must be OPERABLE in MODES 1, 2, 3, and 4, the RWST must also be OPERABLE to support their operation. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled," and LCO3.4.8, "RCS Loops - MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation - High Water Level," and LCO 3.9.6 , "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level."ACTIONSA.1 With RWST boron concentration or borated water temperature not within limits, they must be returned to within limits within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. Under these conditions neither the ECCS nor the Containment Spray System can perform its design function. Therefore, prompt action must be taken to restore the tank to OPERABLE condition. The 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> limit to restore the RWST temperature or boron concentration to within limits was developed considering the time required to change either the boron concentration or temperature and the fact that the contents of the tank are still available for injection.(continued)

RWST B 3.5.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-26Revision 57 ACTIONS (continued)

B.1With the RWST inoperable for reasons other than Condition A (e.g., water volume), it must be restored to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.In this Condition, neither the ECCS nor the Containment Spray System can perform its design function. Therefore, prompt action must be taken to restore the tank to OPERABLE status or to place the plant in a MODE in which the RWST is not required. The short time limit of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore the RWST to OPERABLE status is based on this condition simultaneously affecting redundant trains.

C.1 and C.2If the RWST cannot be returned to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE REQUIREMENTS SR 3.5.4.1 The RWST borated water temperature should be verified every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to be within the limits assumed in the accident analyses band. This Frequency is sufficient to identify a temperature change that would approach either limit and has been shown to be acceptable through operating experience.The SR is modified by a Note that eliminates the requirement to perform this Surveillance when ambient air temperatures are within the operating limits of the RWST. With ambient air temperatures within the band, the RWST temperature should not exceed the limits.

SR 3.5.4.2 The RWST water volume should be verified every 7 days to be above the required minimum level in order to ensure that a sufficient initial supply is available for injection and to suppor t continued ECCS and Containment Spray System pump operation on recirculation. Since the RWST volume is normally stable and the contained volume required is protected by an alarm, a 7 day Frequency is appropriate and has been shown to be acceptable through operating experience.(continued)

RWST B 3.5.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-27Revision 57SURVEILLANCE REQUIREMENTS SR 3.5.4.2 (continued)Control Board indication may be used in the surveillances of the required indicated RWST water volume. The indicated level of 95%, which includes 5% measurement uncertainty, is a conservative verification of contained volume. Other means of surveillan ce which consider measurement uncertainty may also be used.

SR 3.5.4.3The boron concentration of the RWST should be verified every 7 days to be within the required limits. This SR ensures that the reactor will remain subcritical following a LOCA. Further, it assures that the resulting sump pH will be maintained in an acceptable range so that boron precipitation in the core will not occur and the effect of chloride and caustic stress corrosion on mechanical systems and components will be minimized. Since the RWST volume is normally stable, a 7 day sampling Frequency to verify boron concentration is appropriate and has been shown to be acceptable through operating experience.REFERENCES1.

FSAR, Chapter 6 and Chapter 15

.

Seal Injection Flow B 3.5.5COMANCHE PEAK - UNITS 1 AND 2B 3.5-28Revision 57 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.5 Seal Injection Flow BASESBACKGROUNDThe function of the seal injection throttle valves during an accident is similar to the function of the ECCS throttle valves in that each restricts flow from the centrifugal charging pump header to the Reactor Coolant System (RCS).

The restriction on reactor coolant pump (RCP) seal injection flow limits the amount of ECCS flow that would be diverted from the injection path following

an accident. This limit is based on safety analysis assumptions that are required because RCP seal injection flow is not isolated during SI.

APPLICABLE SAFETY ANALYSESAll ECCS subsystems are taken credit for in the large break loss of coolant accident (LOCA) at full power (Ref. 1). The LOCA analysis establishes the minimum flow for the ECCS pumps.

The centrifugal charging pumps are also credited in the small break LOCA analysis. This analysis establishes the flow and discharge head at the design point for the centrifugal charging pumps. The steam generator tube rupture and main steam line break event analyses also credit the ce ntrifugal charging pumps. Reference to these analyses is made in assessing changes to the Seal Injection System for evaluation of their effects in relat ion to the acceptance limits in these analyses.The ECCS flow balance assumes RCP seal injection is limited to 40 gpm with FCV-121 full open and centrifugal charging pump header at 130 psig or greater than the Reactor Coolant System pressure (i.e., the pressurizer).This LCO ensures that seal injection flow of 40 gpm, with RCS pressure 2215 psig and 2255 psig and charging flow control valve full open, will be sufficient for RCP seal integrity but limited so that the ECCS trains will be capable of delivering sufficient water to match boiloff rates soon enough to minimize uncovering of the core following a large LOCA. It also ensures that the centrifugal charging pumps will deliver sufficient water for a small LOCA and sufficient boron to maintain the core subcritical. For smaller LOCAs, the charging pumps alone deliver sufficient fluid to overcome the loss and

maintain RCS inventory.

Seal injection flow satisfies Criterion 2 of 10CFR50.36(c)(2)(ii). LCOThe intent of the LCO limit on seal injection flow is to make sure that flow through the RCP seal water injection line is low enough to ensure that sufficient centrifugal charging pump injection flow is directed to the RCS via

the injection points (Ref. 1).(continued)

Seal Injection Flow B 3.5.5 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-29Revision 57 LCO (continuedThe LCO is not strictly a flow limit, but rather a flow limit based on a flow line resistance. In order to establish the proper flow line resistance, a differential pressure and flow must be known. The flow line resistance is determined by assuming that the differential pressure between the RCS pressure and the centrifugal charging pump discharge pressure is greater than or equal to 145 psid above the RCS pressure. The valve settings established at the

prescribed differential pressure result in a conservative valve position. The additional modifier of this LCO, the charging flow control valve being full open, is required since the valve is designed to fail open for the accident condition. With the differential pressure greater than or equal to 145 psid above the RCS pressure and control valve position as specified by the LCO, a flow restriction is established. It is this flow restriction that is used in the

accident analyses.

The limit on seal injection flow, combined with the differential pressure limit and an open wide condition of the charging flow control valve, must be met to render the ECCS OPERABLE. If these conditions are not met, the ECCS flow will not be as assumed in the accident analyses.APPLICABILITYIn MODES 1, 2, and 3, the seal injection flow limit is dictated by ECCS flow requirements, which are specified for MODES 1, 2, 3, and 4. The seal injection flow limit is not applicable for MODE 4 and lower, however, because high seal injection flow is less critical as a result of the lower initial RCS pressure and decay heat removal requirements in these MODES. Therefore, RCP seal injection flow must be limited in MODES 1, 2, and 3 to ensure adequate ECCS performance.ACTIONSA.1With the seal injection flow exceeding its limit, the amount of charging flow available to the RCS may be reduced. Under this Condition, action must be taken to restore the flow to below its limit. The operator has 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from the time the flow is known to be above the limit to correctly position the manual valves and thus be in compliance with the accident analysis. The Completion Time minimizes the potential exposure of the plant to a LOCA with insufficient injection flow and prov ides a reasonable time to restore seal injection flow within limits. This time is conservative with respect to the Completion Times of other ECCS LCOs; it is based on operating experience and is sufficient for taking corrective actions by operations personnel.(continued)

Seal Injection Flow B 3.5.5 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.5-30Revision 57 ACTIONS (continued)

B.1 and B.2When the Required Actions cannot be completed within the required Completion Time, a controlled shutdown must be initiated. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> for reaching MODE 3 from MODE 1 is a reasonable time for a controlled shutdown, based on operating experience and normal cooldown rates, and does not challenge plant safety systems or operators. Continuing the plant shutdown begun in Required Act ion B.1, an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is a reasonable time, based on operating experience and normal cooldown rates, to reach MODE 4, where this LCO is no longer applicable.SURVEILLANCE

REQUIREMENTS SR 3.5.5.1 The surveillance ensures the seal injection flow is less than 40 gpm with charging header pressure greater than or equal to 145 psig (130 psig + 15psig for instrument uncertainty) above RCS pressure.Verification every 31 days that the ma nual seal injection throttle valves are adjusted to give a flow within the limit ensures that proper manual seal injection throttle valve position, and hence, proper seal injection flow, is maintained. The Frequency of 31 days is based on engineering judgment and is consistent with other ECCS valve Surveillance Frequencies. The Frequency has proven to be accepta ble through operating experience.As noted, the Surveillance is not required to be performed until 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after the RCS pressure has stabilized within a +/- 20 psig range of normal operating pressure. The RCS pressure requ irement is specified since this configuration will produce the required pressure conditions necessary to assure that the manual valves are set correctly. The exception is limited to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to ensure that the Surveillance is timely.REFERENCES1.

FSAR, Chapter 6 and Chapter 15

.2.10 CFR 50.46.

+/-+/-

µ

µ

µ

+/-

Boron Concentration B 3.9.1COMANCHE PEAK - UNITS 1 AND 2B 3.9-1Revision 60 B 3.9 REFUELING OPERATIONSB 3.9.1 Boron Concentration BASESBACKGROUNDThe limit on the boron concentrations of filled portions of the Reactor Coolant System (RCS), the refueling canal, and the refueling cavity that have direct access to the reactor vessel during refueling ensures that the reactor remains subcritical during MODE 6. Refueling boron concentration is the soluble boron concentration in the coolant in each of these volumes having direct access to the reactor core during refueling.The soluble boron concentration offsets the core reactivity and is measured by chemical analysis of a representative sample of the coolant in each of the volumes. The refueling boron concentration limit is specified in the COLR. Plant procedures ensure the specified boron concentration in order to maintain an overall core reactivity of k eff 0.95 during fuel handling, with control rods and fuel assemblies assumed to be in the most adverse configuration (least negative reactivity) allowed by plant procedures.GDC 26 of 10 CFR 50, Appendix A, requires that two independent reactivity control systems of different design principles be provided (Ref. 1). One of these systems must be capable of holding the reactor core subcritical under cold conditions. The Chemical and Volume Control System (CVCS) is the main system capable of maintaining the reactor subcritical in cold conditions

by maintaining the boron concentration.The reactor is brought to shutdown conditions before beginning operations to open the reactor vessel for refueling.

After the RCS is cooled and depressurized and the vessel head is unbolted, the head is slowly removed to form the refueling cavity. The refueling canal and the refueling cavity are then flooded with borated water from the refueling water storage tank

through the open reactor vessel by gravity feeding or by the use of the Residual Heat Removal (RHR) System pumps.The pumping action of the RHR System in the RCS and the natural circulation due to thermal driving h eads in the reactor vessel and refueling cavity mix the added concentrated bo ric acid with the water in the refueling canal. The RHR System is in operation during refueling (see LCO 3.9.5 , "Residual Heat Removal (RHR) and Coolant Circulation - High Water Level," and LCO 3.9.6 , "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level") to provide forced circulation in the RCS and assist in maintaining the boron concentrations in the RCS, the refueling canal, and the refueling cavity above the COLR limit.(continued)

Boron Concentration B 3.9.1 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.9-2Revision 60 APPLICABLE SAFETY ANALYSESDuring refueling operations, the reactivity condition of the core is consistentwith the initial conditions assumed for the boron dilution accident in the accident analysis and is conservative for MODE 6. The boron concentration limit specified in the COLR is based on the core reactivity at the beginning of each fuel cycle (the end of refueling) and includes an uncertainty allowance.

The required boron concentration and the plant refueling procedures that verify the correct fuel loading plan (including full core mapping) ensure that the keff of the core will remain 0.95 during the refueling operation. Hence, at least a 5% k/k margin of safety is established during refueling.During refueling, the water volume in the spent fuel pool, the transfer canal, the refueling canal, the refueling cavity, and the reactor vessel form a single mass. As a result, the soluble boron concentration is relatively the same in each of these volumes.

The limiting boron dilution accident analyzed occurs in MODE 5 (Ref. 2). Boron dilution accidents are precluded in MODE 6 by isolating potential dilution flow paths. See LCO 3.9.2 , "Unborated Water Source Isolation Valves."The RCS boron concentration satisfies Criterion 2 of 10CFR50.36(c)(2)(ii).LCOThe LCO requires that a minimum uniform boron conc entration be maintained in the filled portions of the RCS, the refueling canal, and the refueling cavity that have direct access to the reactor vessel while in MODE6. The boron concentration limit specified in the COLR ensures that a core keff of 0.95 is maintained during fuel handling operations. Violation of the LCO could lead to an inadvertent criticality during MODE 6.APPLICABILITYThis LCO is applicable in MODE 6 to ensure that the fuel in the reactor vessel will remain subcritical. The re quired boron concentration ensures a k eff 0.95. Above MODE 6, LCO 3.1.1, "SHUTDOWN MARGIN (SDM)" LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO, "Control Bank Insertion Limits," ensure that an adequate amount of negative reactivity is available to shut down the reactor and maintain it subcritical.The applicability is modified by a Note stating that transition from MODE 5 to MODE 6 is not permitted. This Note specifies an exception to LCO 3.0.4 and prohibits the transition when boron concentration limits are not met. This note assures that core reactivity is maintained within limits during fuel handling operations.(continued)

Boron Concentration B 3.9.1 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.9-3Revision 60ACTIONSA.1 and A.2Continuation of CORE ALTERATIONS or positive reactivity additions (including actions to reduce boro n concentration) is contingent upon maintaining the unit in compliance with t he LCO. If the boron concentration of any coolant volume in the filled portions of the RCS, the refueling canal or the refueling cavity, that have direct access to the reactor vessel is less than its limit, all operations involving CORE ALTERATIONS or positive reactivity additions must be suspended immediately.Suspension of CORE ALTERATIONS and positive reactivity additions shall not preclude moving a component to a safe position. Operations that individually add limited positive reactivity (e.g., temperature fluctuations, inventory addition, or temperature control fluctuations), but when combined with all other operations affecting core reactivity (e.g., intentional boration) result in overall net negative reactivity addition, are not precluded by this action.When determining compliance with actions, addition of borated water with a concentration greater than or equal to the minimum required RWST concentration shall not be considered a positive reactivity change (Ref.3).A.3In addition to immediately suspending CORE ALTERATIONS and positive reactivity additions, boration to restore the concentration must be initiated immediately.In determining the required combination of boration flow rate and concentration, no unique Design Basis Event must be satisfied. The only requirement is to restore the boron concentration to its required value as soon as possible. In order to raise the boron concentration as soon as possible, the operator s hould begin boration with the best source available for unit conditions.Once actions have been initiated, they must be continued until the boron concentration is restored. The restoration time depends on the amount of boron that must be injected to reach the required concentration.SURVEILLANCE REQUIREMENTS SR 3.9.1.1This SR ensures that the coolant boron concentration in the filled portions of the RCS, and all the filled portions of the refueling can al and the refueling cavity, that have direct access to the reactor vessel is within the COLR limits. (continued)

Boron Concentration B 3.9.1 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.9-4Revision 60SURVEILLANCE REQUIREMENTS SR 3.9.1.1 (continued)

The boron concentration of the coolant in each volume is determined periodically by chemical analysis.A minimum Frequency of once every 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is a reasonable amount of time to verify the boron concentration of representative samples. The Frequency is based on operating experience, which has shown 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to be adequate.REFERENCES1.10 CFR 50, Appendix A, GDC 26.

2.FSAR, Chapter 15

.3.NRC letter (W. Reckley to N. Carns) dated November 22, 1993: "Wolf Creek Generating Station - Positive Reactivity Addition; Technical Specification Bases Changes" Unborated Water Source Isolation Valves B 3.9.2COMANCHE PEAK - UNITS 1 AND 2B 3.9-5Revision 60 B 3.9 REFUELING OPERATIONS B 3.9.2 Unborated Water Source Isolation Valves BASESBACKGROUNDDuring MODE 6 operations, all isolation valves for reactor makeup water sources containing unborated water that are connected to the Reactor Coolant System (RCS) must be closed to prevent unplanned boron dilution of the reactor coolant. The isolation valves (either CS-8455 or CS-8560, CS-8439, FCV-111B, CS-8441 and CS-8453) must be secured in the closed position.The Chemical and Volume Control System is capable of supplying borated and unborated water to the RCS through various flow paths. Since a positive reactivity addition made by reducing the boron concentration is inappropriate during MODE 6, isolation of all unborated water sources prevents an unplanned boron dilution.

APPLICABLE SAFETY ANALYSESThe possibility of an inadvertent boron dilution event (Ref. 1) occurring during MODE 6 refueling operations is pr ecluded by adherence to this LCO, which requires that potential dilution sources be isolated. Closing the required valves during refueling operations prevents the flow of unborated water to the filled portion of the RCS. The valves are used to isolate unborated water sources. These valves have the potential to indirectly allow dilution of the RCS boron concentration in MODE 6. By isolating unborated water sources, a safety analysis for an uncontrolled boron dilution accident in accordance with the Standard Review Plan (Ref. 2) is not required for MODE 6.The RCS boron concentration satisfies Criterion 2 of 10CFR50.36(c)(2)(ii).LCOThis LCO requires that flow paths to the RCS from unborated water sources be isolated to prevent unplanned boron dilution during MODE 6 and thus avoid a reduction in SDM.APPLICABILITYIn MODE 6, this LCO is applicable to prevent an inadvertent boron dilution event by ensuring isolation of all sources of unborated water to the RCS.For all other MODES, the boron dilution accident was analyzed and was found to be capable of being mitigated.(continued)

Unborated WAer Source Isolation Valves B 3.9.2 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.9-6Revision 60ACTIONSThe ACTIONS table has been modified by a Note that allows separate Condition entry for each unborated water source isolation valve.

A.1 and A.2Continuation of CORE ALTERATIONS or positive reactivity additions is contingent upon maintaining the unit in compliance with this LCO. With any valve used to isolate unborated water sources not secured in the closed position, all operations involving CORE ALTERATIONS or positive reactivity additions must be suspended immedia tely. The Completion Time of "immediately" for performance of Required Action A.1 shall not preclude completion of movement of a component to a safe position.Condition A has been modified by a Note to require that Required Action A.4 be completed whenever Cond ition A is entered.

A.3Preventing inadvertent dilution of the reactor coolant boron concentration is dependent on maintaining the unborated water isolation valves secured closed. Securing the valves in the closed position, under administrative controls, ensures that the valves are not inadvertently opened. The Completion Time of "immediately" requires an operator to initiate actions to close an open valve and secure the isolation valve in the closed position immediately. Once actions are initiated, they must be continued until the valves are secured in the closed position.

A.4Due to the potential of having diluted the boron concentration of the reactor coolant, SR 3.9.1.1 (verification of boron concentration) must be performed whenever Condition A is entered to demonstrate that the required boron concentration exists. The Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is sufficient to obtain and analyze a reactor coolant sample for boron concentration.SURVEILLANCE REQUIREMENTS SR 3.9.2.1These valves are to be secured closed to isolate possible dilution paths. Secured closed includes a mechanical stop for the manual isolation valve CS-8455 or mechanical stops for the manual isolation valves CS-8439, CS-8441, CS-8560, and CS-8453 and removal of air or electrical power from the fail-closed, air operated valve FCV-111B. The likelihood of a significant reduction in the boron concentration during MODE 6 operations is remote due to the large mass of borated water in the refueling cavity and the fact(continued)

Unborated WAer Source Isolation Valves B 3.9.2 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.9-7Revision 60SURVEILLANCE REQUIREMENTS SR 3.9.2.1 (continued) that all unborated water sources are isolated, precluding a dilution. The boron concentration is checked every 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> during MODE 6 under SR3.9.1.1. This Surveillance demonstrates that the valves are closed through a system walkdown (which may include the use of local or remote indicators). The 31 day Frequency is based on engineering judgment and is considered reasonable in view of other administrative controls that will ensure that the valve open ing is an unlikely possibility.REFERENCES1.

FSAR, Section 15

.2.NUREG-0800, Section 15.4.6.

Nuclear Instrumentation B 3.9.3COMANCHE PEAK - UNITS 1 AND 2B 3.9-8Revision 60 B 3.9 REFUELING OPERATIONS B 3.9.3 Nuclear Instrumentation BASESBACKGROUNDThe source range neutron flux monitors are used during refueling operations to monitor the core reactivity condition. These detectors are located external to the reactor vessel and detect neutrons leaking from the core. Either of two functionally-equivalent sets of neutron flux monitors may be used.The installed Westinghouse BF 3 source range neutron flux monitors are part of the Nuclear Instrumentation System (NIS). The installed source range neutron flux monitors are BF 3 detectors operating in the proportional region of the gas filled detector characteristic curve. The detectors monitor the neutron flux in counts per second. The instrument range covers six decades of neutron flux (1E+6 cps). The detectors also provide continuous visual indication in the control room. The NI S is designed in accordance with the criteria presented in Reference 1. Each portion of the Westinghouse source range neutron flux monitors has two trains and each is assigned to an independent Class 1E electrical train. These trains are physically and electrically separated in accordance with applicable IEEE Standards.A separate Gamma-Metrics Neutron Flux Monitoring System (NFMS) is installed to satisfy the requirements of Regulatory Guide 1.97, "Instrumentation For Light-Watered-Cooled Nuclear Power Plants To Assess Plant And Environs Conditions During And Following An Accident." The Gamma-Metrics NFMS monitors neutron flux from the source range through 200% Rated Thermal Power (RTP) during all Modes of plant operation. This system utilizes two separate Safety Category I (Class 1E) fission chamber neutron detectors for all ranges of neutron flux indication. Each portion of the Gamma-Metrics instrumentation has two trains and each is assigned to a

separate Class 1E electrical train. These trains are physically and electrically separated in accordance with applicable IEEE Standards.The source range neutron flux monitors do not provide a Reactor Protection System function in Mode 6.Because it is considered important to use detectors on opposing sides of the core to effectively monitor the core reactivity, the use of one BF 3 detector and one Gamma-Metrics detector is not permitted.

APPLICABLE SAFETY ANALYSESTwo OPERABLE source range neutron flux monitors from either set of source range neutron flux monitor systems are required to provide a visual (continued)

Nuclear Instrumentation B 3.9.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.9-9Revision 60APPLICABLE SAFETY ANALYSES (continued) signal to alert the operator to unexpected changes in core reactivity such as with a boron dilution accident (Ref. 2) or an improperly loaded fuel assembly.The source range neutron flux monitors satisfy Criterion 3 of 10CFR50.36(c)(2)(ii).LCOThis LCO requires that two sour ce range neutron flux monitors be OPERABLE to ensure that redundant monitoring capability is available to detect changes in core reactivity.

To be OPERABLE, each monitor must provide visual indication in the control room. Both monitors used to satisfy this LCO must be from the same set of available neutron flux monitoring systems.APPLICABILITYIn MODE 6, the source range neutron flux monitors must be OPERABLE to determine changes in core reactivity. There are no other direct means available to check core reactivity levels. In other MODES, the source range monitors are governed by LCO 3.3.1 , LCO 3.3.3, and LCO 3.3.4.ACTIONSA.1 and A.2 With only one required source range neutron flux monitor OPERABLE, redundancy has been lost. Since these instruments are the only direct means of monitoring core reactivity conditions, CORE ALTERATIONS and introduction of coolant into the RCS with boron concentration less than required to meet the minimum boron concentration of LCO 3.9.1 must be suspended immediately. Suspending positiv e reactivity additions that could result in failure to meet the minimum boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than that required in the RCS for minimum refueling boron concen tration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Performance of Required Action A.1 shall not preclude completion of movement of a component to a safe position. Addition to the RCS of bo rated water with a concentration greater than or equal to the minimum required RWST concentration shall not be considered to be a positive reactivity change (Ref 3).(continued)

Nuclear Instrumentation B 3.9.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.9-10Revision 60 ACTIONS (continued)

B.1With no required source range neutron flux monitor OPERABLE, action to restore a monitor to OPERABLE status shall be initiated immediately. Once initiated, action shall be continued until a source range neutron flux monitor is restored to OPERABLE status.

B.2With no required source range neutron flux monitor OPERABLE, there are no direct means of detecting changes in core reactivity. However, since CORE ALTERATIONS and boron concentration changes inconsistent with Required Action A.2 are not to be made, the core reactivity condition is stabilized until the source range neutron flux monitors are OPERABLE. This stabilized condition is determined by performing SR 3.9.1.1 to ensure that the required boron concentration exists. The Completion Time of once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is sufficient to obtain and analyze a reactor coolant sample for boron concentration and ensures that unplanned changes in boron concentration would be identified. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency is reasonable, considering the low probability of a change in core reactivity during this time period.SURVEILLANCE REQUIREMENTS SR 3.9.3.1 SR 3.9.3.1 is the performance of a CHANNEL CHECK, which is a comparison of the parameter indi cated on one channel to a similar parameter on other channels. It is based on the assumption that the two indication channels should be consistent with core conditions. Changes in fuel loading and core geometry can result in significant differences between source range channels, but each channel should be consistent with its local conditions.

The Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is consistent with the CHANNEL CHECK Frequency specified similarly for the same instruments in LCO 3.3.1.SR 3.9.3.2SR 3.9.3.2 is the performance of a CHANNEL CALIBRATION every 18 months. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. For the source range neutron detectors, performance data is obtained and evaluated. The 18 month (continued)

Nuclear Instrumentation B 3.9.3 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.9-11Revision 60SURVEILLANCE REQUIREMENTS SR 3.9.3.2 (continued)Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage. Operating experience has shown these components usually pass the Surveillance when performed at the 18 month Frequency.REFERENCES1.10 CFR 50, Appendix A, GDC 13, GDC 26, GDC 28, and GDC 29.

2.FSAR, Section [15.2.4]

.3.NRC letter (W. Reckley to N. Carns) dated November 22, 1993 "WolfCreek Generating Station - Positive Reactivity Addition; Technical Specification Bases Changes".

Containment Penetrations B 3.9.4COMANCHE PEAK - UNITS 1 AND 2B 3.9-12Revision 60 B 3.9 REFUELING OPERATIONS B 3.9.4 Containment Penetrations BASESBACKGROUNDDuring CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, a release of fission product radioactivity within containment will be restricted from escaping to the environment when the

LCO requirements are met. In MODES 1, 2, 3, and 4, this is accomplished by maintaining containment OPERABLE as described in LCO 3.6.1 , "Containment." In MODE 6, the potential for containment pressurization as a result of an accident is not likely; therefore, requirements to isolate the containment from the outside atmospher e can be less stringent. The LCO requirements are referred to as "containment closure" rather than "containment OPERABILITY." Containment closure means that all potential escape paths are closed or capable of being closed. Since there is no potential for containment pressurization, the 10CFR50, Appendix J leakage criteria and tests are not required.The containment serves to contain fission product radioactivity that may be released from the reactor core following an accident, such that offsite radiation exposures are maintained well within the requirements of 10CFR100. Additionally, the containment provides radiation shielding from the fission products that may be present in the containment atmosphere

following accident conditions.The containment equipment hatch, which is part of the containment pressure boundary, provides a means for moving large equipment and components into and out of containment. If closed, the equipment hatch must be held in place by at least four bolts. Good engineering practice dictates that the bolts required by this LCO be approximately equally spaced. Alternatively, the equipment hatch can be open provided it can be installed with a minimum of four bolts holding it in place.The containment air locks, which are also part of the containment pressure boundary, provide a means for personnel access during MODES 1, 2, 3, and 4 unit operation in accordance with LCO 3.6.2, "Containment Air Locks." Each air lock has a door at both ends. The doors are normally interlocked to prevent simultaneous opening when containment OPERABILITY is required.

During periods of unit shutdown when co ntainment closure is not required, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary. During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, containment closure is required; however both personnel air lock doors may be open provided that one personnel air(continued)

Containment Penetrations B 3.9.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.9-13Revision 60 BACKGROUND (continued)lock door is capable of being closed, and one emergency air lock door is closed.The requirements for containment penetration closure ensure that a release of fission product radioactivity within containment will be restricted from escaping to the environment. The closure restrictions are sufficient to

restrict fission product radioactivity release from containment due to a fuel handling accident during refueling.The containment ventilation isolation system includes three subsystems. The Containment Purge System includes a 48 inch supply penetration and a 48 inch exhaust penetration. The Containment Pressure Relief System includes an 18 inch exhaust penetration. The Hydrogen Purge System includes a 12 inch supply penetration and a 12 inch exhaust penetration. During MODES 1, 2, 3, and 4, the two valves in each of the Containment Purge System and Hydrogen Purge System supply and exhaust penetrations are secured in the closed position. The two valves in the Containment Pressure Relief System penetration can be opened continuously, but are closed automatically by the Engineered Safety Features Actuation System (ESFAS). None of the subsystems are subject to a Specification in MODE 5.In MODE 6, large air exchangers are necessary to conduct refueling operations. The normal 48 inch Containment Purge System is used for this purpose, and all four valves are closed by the Containment Radiation Monitor in accordance with LCO 3.3.6 , "Containment Ventilation Isolation Instrumentation."The Containment Pressure Relief System remain operational in MODE 6, and both valves are also closed by the Containment Ventilation Isolation Instrumentation.The Hydrogen Purge System is not normally used in MODE 6. However, all six of the twelve inch valves are also closed by the Containment Ventilation Isolation Instrumentation.The other containment penetrations that provide direct access from containment atmosphere to outside atmosphere must be isolated on at least one side. Isolation may be achieved by a closed automatic isolation valve or manual isolation valve, or by a blind flange or equivalent. Equivalent isolation methods must be approved and may include use of a material that can provide a temporary, atmospheric pressure, ventilation barrier for the other containment penetrations during fuel movements.(continued)

Containment Penetrations B 3.9.4 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.9-14Revision 60 APPLICABLE SAFETY ANALYSESDuring CORE ALTERATIONS or movement of irradiated fuel assemblieswithin containment, the most severe radiological consequences result from a fuel handling accident. The fuel handling accident is a postulated event that involves damage to irradiated fuel (Ref. 1). Fuel handling accidents, analyzed in Reference 2, include dropp ing a single irradiated fuel assembly in either the containment or fuel building with no credit for isolation or filtration. The requirements of LCO 3.9.7, "Refueling Cavity Water Level," and the minimum decay time of the Technical Requirements Manual (Ref. 4) prior to CORE ALTERATIONS ensure that the release of fission product radioactivity, subsequent to a fuel handling accident, results in doses that are well within the guideline values spec ified in 10 CFR 100. Standard Review Plan, Section 15.7.4, Rev. 1 (Ref. 2), defines "well within" 10 CFR 100 to be 25% or less of the 10 CFR 100 values. Containment penetration closure is not required to meet the acceptance limits for offsite radiation exposure of 25% of 10 CFR 100 values (Ref 3). Containment penetrations satisfy Criterion 4 of 10CFR50.36(c)(2)(ii).LCOThis LCO limits the consequences of a fuel handling accident in containment by limiting the potential escape paths for fission product radioactivity released within containment. The LCO requires any penetration providing direct access from the containment atmosphere to the outside atmosphere to be closed except for the OPERABLE containment ventilation penetrations, the personnel air locks, and the equipment hatch, which must be capable of being closed. For the OPERABLE containment ventilation penetrations, this LCO ensures that these penetrations are isolable by the Containment Ventilation Isolation System. The OPERABILITY requirements for this LCO ensure that the automatic ventilation isolation valve closure function specified in the FSAR can be achieved and, therefore, meet the assumptions used in the safety analysis to ensure that releases through the valves are terminated, such that radiological doses are within the acceptance limit.Both containment personnel air lock doors may be open during movement of irradiated fuel or CORE ALTERATION, provided an air lock door is capable of being closed and the water level in t he refueling pool is maintained as required. Administrative controls ensure that: 1) appropriate personnel are aware of the open status of the containment during movement of irradiated fuel or CORE ALTERATIONS, 2) specified individuals are designated and readily available to close the air lock following an evacuation that would occur in the event of a fuel handling accident, and 3) any obstructions (e.g., cables and hoses) that would prevent rapid closure of an open air lock can be quickly removed. (continued)

Containment Penetrations B 3.9.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.9-15Revision 60 LCO (continued)

The LCO is modified by a NOTE allowing penetration flow paths with direct access from the containment atmosphere to the outside atmosphere to be unisolated under administrative controls. Administrative controls ensure that

1) appropriate personnel are aware of the open status of the penetration flow path during CORE ALTERNATIONS or movement of irradiated fuel assemblies within containment, and 2) specified individuals are designated and readily available to isolate the flow path in the event of a fuel handling accident.The equipment hatch may be open during movement of irradiated fuel or CORE ALTERNATIONS provided the hatch is capable of being closed and the water level in the refueling pool is maintained as required. Administrative controls ensure that 1) appropriate personnel are aware of the open status of the containment during movement of irradiated fuel or CORE ALTERNATIONS, 2) specified individuals are designated and readily

available to close the equipment hatch following an evacuation that would occur in the event of a fuel handling accident, and 3) any obstructions (e.g., cables and hoses) that would prevent rapid closure of the equipment hatch can be quickly removed.APPLICABILITYThe containment penetration requirements are applicable during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment because this is when there is a potential for a fuel handling accident. In MODES 1, 2, 3, and 4, containment penetration requirements are addressed by LCO 3.6.1. In MODES 5 and 6, when CORE ALTERATIONS or movement of irradiated fuel assemblies within containment are not being conducted, the potential for a fuel handling accident does not exist. Therefore, under these conditions no requirements are placed on containment penetration status.ACTIONSA.1 and A.2If the containment equipment hatch, air locks, or any containment penetration that provides direct access fr om the containment atmosphere to the outside atmosphere is not in the required status, including the containment ventilation isolation system not capable of automatic actuation when the isolation valves are open, the unit must be placed in a condition where the isolation function is not needed. This is accomplished by immediately suspending CORE ALTERATIONS and movement of irradiated

fuel assemblies within containment. Performance of these actions shall not preclude completion of movement of a component to a safe position.(continued)

Containment Penetrations B 3.9.4 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.9-16Revision 60SURVEILLANCE REQUIREMENTS SR 3.9.4.1This Surveillance demonstrates that each of the containment penetrations required to be in its closed position is in that position. The Surveillance on the open isolation valves will demonstrate that the required valves are not blocked from closing. Also the Surveillance will demonstrate that each valve operator has motive power, which will ensure that each required valve is capable of being closed by an OPERABLE automatic containment ventilation isolation signal.The Surveillance is performed every 7 days during CORE ALTERATIONS or movement of irradiated fuel a ssemblies within containment. The Surveillance interval is selected to be commensurate with the normal duration of time to complete fuel h andling operations. A surveillance before the start of refueling operations will provide two or three surveillance verifications during the applicable period for this LCO. As such, this Surveillance ensures that a postulated fuel handling accident that releases fission product radioactivity within the containment will not result in a release of fission product radioactivity to the environment.

SR 3.4.9.2 This Surveillance demonstrates that the necessary hardware, tools, and equipment are available to install t he equipment hatch. The equipment hatch is provided with a set of hardware, tools, and equipment for moving the hatch from its storage location and installing it in the opening. The required set of hardware, tools, and equipment shall be inspected to ensure that they can perform the required functions.The Surveillance is performed every 7 days during CORE ALTERATIONS or movement of irradiated fuel assemblies within the containment. The Surveillance interval is selected to be commensurate with the normal duration of time to complete the fuel handling operations. The Surveillance is modified by a Note which only requires that the Surveillance be met for an open equipment hatch. If the equipment hatch is installed in its opening, the availability of the means to install the hatch is not required. The 7 day Frequency is adequate considering that the hardware, tools, and equipment are dedicated to the equipment hatch and not used for any other function.

SR 3.9.4.3This Surveillance demonstrates that each required containment ventilation valve actuates to its isolation position on manual initiation or on an actual or simulated high radiation signal from a containment atmosphere gaseous(continued)

Containment Penetrations B 3.9.4 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.9-17Revision 60SURVEILLANCE REQUIREMENTS SR 3.9.4.3 (continued)monitoring instrumentation channel. The 18 month Frequency maintains consistency with other similar instrumentation and valve testing requirements. In LCO 3.3.6 , the Containment Ventilation Isolation instrumentation requires a CHANNEL CHECK every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and a COT every 92 days to ensure the channel OPERABILITY during refueling operations. Every 18 months a CHANNEL CALIBRATION is performed. These Surveillances performed during MODE 6 will ensure that the valves are capable of closing after a postulated fuel handling accident to limit a release of fission product radioactivity from the containment.REFERENCES1.FSAR, Section 15.7.4

.2.NUREG-0800, Section 15.7.4, Rev. 1, July 1981.3.NUREG-0797, Section 15.4.8, Supplement 22, January 1990.4.Technical Requirements Manual RHR and Coolant Circulation - High Water Level B 3.9.5COMANCHE PEAK - UNITS 1 AND 2B 3.9-18Revision 60 B 3.9 REFUELING OPERATIONSB 3.9.5 Residual Heat Removal (RHR) and Coolant Circulation - High Water Level BASESBACKGROUNDThe purpose of the RHR System in MODE 6 is to remove decay heat and sensible heat from the Reactor Coolant System (RCS), as required by GDC 34, to provide mixing of borated coolant and to prevent boron stratification (Ref. 1). Heat is removed from the RCS by circulating reactor coolant through the RHR heat exchanger(s), where the heat is transferred to the Component Cooling Water System. The coolant is then returned to the RCS via the RCS cold leg(s). Operation of the RHR System for normal cooldown or decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlling the flow of reactor coolant through the RHR heat exchanger(s) and the bypass. Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant through the RHR System.

APPLICABLE

SAFETY ANALYSES If the reactor coolant temperature is not maintained below 200°F, boiling of the reactor coolant could result. T his could lead to a loss of coolant in the reactor vessel. Additionally, boiling of the reactor coolant could lead to boron plating out on components near the areas of the boiling activity. The loss of reactor coolant and the subsequent plate out of boron would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. One train of the RHR System is required to be operational in MODE 6, with

the water level 23 ft above the top of the reactor vessel flange, to prevent this challenge. The LCO does permit de-energizing the RHR pump for short durations, under the condition that the boron concen tration is not diluted. This conditional de-energizing of the RHR pump does not result in a challenge to the fission product barrier.The RHR System in MODE 6 satisfies criterion 4 of 10CFR50.36(c)(2)(ii).LCOOnly one RHR loop is required for decay heat removal in MODE 6, with the water level 23 ft above the top of the reactor vessel flange. Only one RHR loop is required to be OPERABLE, because the volume of water above the reactor vessel flange provides backup decay heat removal capability. At least one RHR loop must be OPERABLE and in operation to provide:a.Removal of decay heat;b.Mixing of borated coolant to minimize the possibility of criticality; and(continued)

RHR and Coolant Circulation - High Water Level B 3.9.5 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.9-19Revision 60 LCO (continued)c.Indication of reactor coolant temperature.An OPERABLE RHR loop includes an RHR pump, a heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path and to determine the low end temperature. The flow path starts in one of the RCS hot legs and is returned to the RCS cold legs.The LCO is modified by a Note that allows the required operating RHR loop to be removed from service for up to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> per 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> period, provided no operations are permitted that would dilute the RCS boron concentration with coolant at boron concentrations less than required to meet the minimum boron concentration of LCO 3.9.1. Boron concentration reduction with coolant at boron concentrations less than required to assure the minimum required RCS boron concentration is maintained is prohibited because uniform concentration distribution c annot be ensured without forced circulation. This permits operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles and RCS to RHR isolation valve testing. During this 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> period, decay heat is removed by natural convection to the large mass of water in the refueling cavity.

NoteThe acceptability of the LCO and the LCO Note is based on preventing boiling in the core in the event of the loss of RHR cooling. It has been determined, however, that when the up per internals package is in place in the reactor vessel there is insuffic ient communication with the water above the core for adequate decay heat removal by natural convection (see SMF-2002-2676). As a result boiling could occur in a relatively short time if RHR cooling is lost. As an interim measure, temporary administrative processes are implemented to reduce the risk of core boiling. The availability of additional cooling equipment, including equipment not required to be OPERABLE by the specifications, contributes to this risk reduction. This strategy is consistent with NUMARC 91-06, "Guidelines for Industry Actions to Assess Shutdown Management," for management of shutdown tasks to maintain risk at an acceptable low level. This may require the availability of additional equipment beyond that required by the shutdown Technical Specifications which can be used to provide the needed cooling. The plant staff assesses these cooling sources to assure that the desired level of minimal risk is maintained (frequently referred to as maintaining a desired defense in depth). The level of detail involved in the assessment will be commensurate with the equipment affected. Because of its generic nature, any required TS and/or TS Bases changes will be determined by the industry Tec hnical Specification Task Force (TSTF).(continued)

RHR and Coolant Circulation - High Water Level B 3.9.5 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.9-20Revision 60APPLICABILITYOne RHR loop must be OPERABLE and in operation in MODE 6, with thewater level 23 ft above the top of the r eactor vessel flange, to provide decay heat removal. The 23 ft water level was selected because it corresponds to the 23 ft requirement established for fuel movement in LCO3.9.7 , "Refueling Cavity Water Level." Requirements for the RHR System in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS), and Section 3.5, Emergency Core Cooling Systems (ECCS). RHR loop requirements in MODE 6 with the water level < 23 ft are located in LCO 3.9.6 , "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level."ACTIONSRHR loop requirements are met by having one RHR loop OPERABLE and in operation, except as permitted in the Note to the LCO.

A.1If RHR loop requirements are not met, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Suspending positive reactivity additions that could result in failure to meet the minimum boron concentration limit is required to assure co ntinued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than that required in the RCS for minimum refueling

boron concentration. T his may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation.

A.2If RHR loop requirements are not met, actions shall be taken immediately to suspend loading of irradiated fuel assemblies in the core. With no forced circulation cooling, decay heat removal from the core occurs by natural convection to the heat sink provided by the water above the core. A minimum refueling water level of 23 ft above the reactor vessel flange provides an adequate available heat sink. Suspending any operation that would increase decay heat load, such as loading a fuel assembly, is a prudent action under this condition. Performance of Required Action A2 shall not preclude completion of movement of a component to a safe condition.

A.3If RHR loop requirements are not met, actions shall be initiated and continued in order to satisfy RHR loop requirements. With the unit in MODE(continued)

RHR and Coolant Circulation - High Water Level B 3.9.5 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.9-21Revision 60ACTIONSA.3 (continued) 6 and the refueling water level 23 ft above the top of the reactor vessel flange, corrective actions shall be initiated immediately.

A.4If RHR loop requirements are not met, all containment penetrations providing direct access from the containment atmosphere to the outside atmosphere must be closed within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. With the RHR loop requirements not met, the potential exists for the coolant to bo il and release radioactive gas to the containment atmosphere. Closing containment penetrations that are open to the outside atmosphere ensures dose limits are not exceeded.

The Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is reasonable, based on the low probability of the coolant boiling in that time.SURVEILLANCE REQUIREMENTS SR 3.9.5.1This Surveillance demonstrates that the RHR loop is in operation and circulating reactor coolant. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability and to prevent thermal and boron stratification in the core. The Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is sufficient, considering the flow, temperature, pump control, and alarm indications available to the operator in the control room for monitoring the RHR System.REFERENCES1.FSAR, Section 5.4.7

.

RHR and Coolant Circulation - Low Water Level B 3.9.6COMANCHE PEAK - UNITS 1 AND 2B 3.9-22Revision 60 B 3.9 REFUELING OPERATIONSB 3.9.6 Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level BASESBACKGROUNDThe purpose of the RHR System in MODE 6 is to remove decay heat and sensible heat from the Reactor Coolant System (RCS), as required by GDC34, to provide mixing of borated coolant, and to prevent boron

stratification (Ref. 1). Heat is removed from the RCS by circulating reactor coolant through the RHR heat exchangers where the heat is transferred to the Component Cooling Water System. The coolant is then returned to the RCS via the RCS cold leg(s). Operation of the RHR System for normal

cooldown decay heat remo val is manually accomplished from the control room. The heat removal rate is adjusted by controlling the flow of reactor coolant through the RHR heat exchanger(s) and the bypass lines. Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant through the RHR System.

APPLICABLE SAFETY ANALYSES If the reactor coolant temperature is not maintained below 200°F, boiling of the reactor coolant could result. T his could lead to a loss of coolant in the reactor vessel. Additionally, boiling of the reactor coolant could lead to boron plating out on components near the areas of the boiling activity. The loss of reactor coolant and the subsequent plate out of boron will eventually challenge the integrity of the fuel cladding, which is a fission product barrier.

Two trains of the RHR System are required to be OPERABLE, and one train in operation, in order to prevent this challenge.The RHR System in MODE 6 satisfies criterion 4 of 10CFR50.36(c)(2)(ii).LCOIn MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, both RHR loops must be OPERABLE. Additionally, one loop of RHR must be in operation in order to provide:a.Removal of decay heat;b.Mixing of borated coolant to minimi ze the possibility of criticality; andc.Indication of reactor coolant temperature.

An OPERABLE RHR loop consists of an RHR pump, a heat exchanger, valves, piping, instruments and controls to ensure an OPERABLE flow path and to determine the low end temperature. The flow path starts in one of the RCS hot legs and is returned to the RCS cold legs. An OPERABLE RHR loop must be capable of being realigned to provide an OPERABLE flow path. (continued)

RHR and Coolant Circulation - Low Water Level B 3.9.6 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.9-23Revision 60APPLICABILITYTwo RHR loops are required to be OPERABLE, and one RHR loop must bein operation in MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, to provide decay heat removal. Requirements for the RHR System in other MODES are covered by LCOs in Section 3.4 , Reactor Coolant System (RCS), and Section 3.5 , Emergency Core Cooling Systems (ECCS). RHR loop requirements in MODE 6 with the water level 23 ft are located in LCO 3.9.5 , "Residual Heat Removal (RHR) and Coolant Circulation - High Water Level." ACTIONSA.1 and A.2 If less than the required number of RHR loops are OPERABLE, action shall be immediately initiated and continue d until the RHR loop is restored to OPERABLE status and to operation or until 23 ft of water level is established above the reactor vessel flange. When the water level is 23 ft above the reactor vessel flange, t he Applicability changes to that of LCO3.9.5, and only one RHR loop is required to be OPERABLE and in operation. An immediate Completion Time is necessary for an operator to initiate corrective actions.

B.1If no RHR loop is in operation, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Suspending positive reactivity additions that could result in failure to meet the minimum boron concentration limit is required to a ssure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than that required in the RCS for minimum refueling boron concentration. T his may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation.

B.2If no RHR loop is in operation, actions shall be initiated immediately, and continued, to restore one RHR loop to operation. Since the unit is in Conditions A and B concurrently, the restoration of two OPERABLE RHR loops and one operating RHR loop should be accomplished expeditiously.

B.3If no RHR loop is in operation, all containment penetrations providing direct access from the containment atmosphere to the outside atmosphere must be (continued)

RHR and Coolant Circulation - Low Water Level B 3.9.6 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.9-24Revision 60ACTIONSB.3 (continued)closed within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. With the RHR loop requirements not met, the potential exists for the coolant to bo il and release radioactive gas to the containment atmosphere. Closing containment penetrations that are open to the outside atmosphere ensures that dose limits are not exceeded.

The Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is reasonable, based on the low probability of the coolant boiling in that time.SURVEILLANCE REQUIREMENTS SR 3.9.6.1 This Surveillance demonstrates that one RHR loop is in operation and circulating reactor coolant. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability and to prevent thermal and boron stratification in the core. In addition, during operation of the RHR loop with the water level in the vicinity of the reactor vessel nozzles, the RHR pump suction requirements must be met. The Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is sufficient, considering the flow, temperature, pump control, and alarm indications available to the operator for monitoring the RHR System in the control room.

SR 3.9.6.2Verification that the required pump is OPERABLE ensures that an additional RHR pump can be placed in operation, if needed, to maintain decay heat

removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to the required pump. The Frequency of 7 days is considered reasonable in view of other administrative controls available and has been shown to be acceptable by operating experience.REFERENCES1.FSAR, Section 5.4.7

.

Refueling Cavity Water Level B 3.9.7COMANCHE PEAK - UNITS 1 AND 2B 3.9-25Revision 60 B 3.9 REFUELING OPERATIONS B 3.9.7 Refueling Cavity Water Level BASESBACKGROUNDThe movement of irradiated fuel assemblies, within containment requires a minimum water level of 23 ft above the top of the reactor vessel flange.

During refueling, this maintains sufficient water level in the containment. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a fuel handling accident (Refs. 1 and 2). Sufficient iodine activity would be retained to limit offsite doses from the accident to

<25% of 10 CFR 100 limits, as provided by the guidance of Reference 3 and acceptance in Reference 6

. APPLICABLE SAFETY ANALYSES During movement of irradiated fuel assemblies, the water level in the refueling cavity is an initial condition design parameter in the analysis of a fuel handling accident in containment, as postulated by Regulatory Guide 1.195 (Ref. 1). A minimum water level of 23 ft allows a decontamination factor of 200 to be used in the accident analysis for iodine.

This relates to the assumption that 99.5% of the to tal iodine released from the pellet to cladding gap of all the dropped fuel assembly rods is retained by the refueling cavity water. The fuel pellet to cladding gap is assumed to contain the following fractions of the total fuel rod inventory (Ref. 1):0.08 for I-131, 0.10 for Kr-85, 0.05 for all other iodines and noble gases.

The fuel handling accident analysis is described in Reference 2. With a minimum water level of 23 ft and a minimum decay time as described in the

Technical Requirements Manual (Ref. 7) prior to fuel handling, the analysis and test programs demonstrate that the iodine release due to a postulated fuel handling accident is adequately captured by the water and offsite doses are maintained within allowable limits (Refs.4, 5 and 6

).Refueling cavity water level satisfies Criterion 2 of 10CFR50.36(c)(2)(ii).

LCOA minimum refueling cavity water level of 23 ft above the reactor vessel flange is required to ensure that the radiological consequences of a postulated fuel handling accident inside containment are within acceptable

limits, as provided by the guidance of Reference 3

.(continued)

Refueling Cavity Water Level B 3.9.7 BASES (continued)COMANCHE PEAK - UNITS 1 AND 2B 3.9-26Revision 60 APPLICABILITY LCO 3.9.7 is applicable when moving irradiated fuel assemblies withincontainment. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel assemblies are not present in containment, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel pool are covered by LCO 3.7.15, "Fuel Storage Pool Water Level."ACTIONSA.1With a water level of < 23 ft above the top of the reactor vessel flange, all operations involving movement of irradiated fuel assemblies within the containment shall be suspended immediately to ensure that a fuel handling accident cannot occur.The suspension of fuel movement shall not preclude completion of movement of a component to a safe position.SURVEILLANCE REQUIREMENTS SR 3.9.7.1Verification of a minimum water level of 23 ft above the top of the reactor vessel flange ensures that the design basis for the analysis of the postulated fuel handling accident during refueling operations is met. Water at the required level above the top of the reactor vessel flange limits the consequences of damaged fuel rods that are postulated to result from a fuel handling accident inside containment (Ref. 2).The Frequency of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is based on engineering judgment and is considered adequate in view of the large volume of water and the normal procedural controls of valve position s, which make significant unplanned level changes unlikely.REFERENCES1.Regulatory Guide 1.195, May 2003.

2.FSAR, Section 15.7.4 3.NUREG-0800, Section 15.7.4.

4.10 CFR 100.10.(continued)

Refueling Cavity Water Level B 3.9.7 BASESCOMANCHE PEAK - UNITS 1 AND 2B 3.9-27Revision 60 REFERENCES (continued)5.Malinowski, D. D., Bell, M. J., Duhn, E., and Locante, J., WCAP-828, Radiological Consequences of a Fuel Handling Accident, December 1971.6.NUREG-0797, Section 15.4.8, Supplement 22, January 1990.7.Technical Requirements Manual.

REVISION 51REVISION 52

REVISION 53

REVISION 54

REVISION 55

REVISION 56

REVISION 57 REVISION 58 REVISION 59 REVISION 60 REVISION 61REVISION 62 REVISION 63

REVISION 64

Retrieved from "https://kanterella.com/w/index.php?title=ML11237A127&oldid=1366099"