
Part F - Submittal of All Peach Bottom Atomic Power Station Unit 2 & Unit 3 Technical Specifications Bases Changes Through Unit 2 Bases Revision 39 & Unit 3 Bases Revision 40
ML021190131
Person / Time
Site: Peach Bottom
Issue date: 04/19/2002
From: Gallagher M
Exelon Nuclear
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
Download: ML021190131 (179)


Text

WRNM Instrumentation B 3.3.1.2

B 3.3 INSTRUMENTATION

B 3.3.1.2 Wide Range Neutron Monitor (WRNM) Instrumentation

BASES

BACKGROUND The WRNMs are capable of providing the operator with information relative to the neutron flux level at very low flux levels in the core. As such, the WRNM indication is used by the operator to monitor the approach to criticality and determine when criticality is achieved.

The WRNM subsystem of the Neutron Monitoring System (NMS) consists of eight channels. Each of the WRNM channels can be bypassed, but only one at any given time per RPS trip system, by the operation of a bypass switch. Each channel includes one detector that is permanently positioned in the core. Each detector assembly consists of a miniature fission chamber with associated cabling, signal conditioning equipment, and electronics associated with the various WRNM functions. The signal conditioning equipment converts the current pulses from the fission chamber to analog DC currents that correspond to the count rate. Each channel also includes indication, alarm, and control rod blocks.

However, this LCO specifies OPERABILITY requirements only for the monitoring and indication functions of the WRNMs.

During refueling, shutdown, and low power operations, the primary indication of neutron flux levels is provided by the WRNMs or special movable detectors connected to the normal WRNM circuits. The WRNMs provide monitoring of reactivity changes during fuel or control rod movement and give the control room operator early indication of unexpected subcritical multiplication that could be indicative of an approach to criticality.

APPLICABLE SAFETY ANALYSES Prevention and mitigation of prompt reactivity excursions during refueling and low power operation is provided by LCO 3.9.1, "Refueling Equipment Interlocks"; LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"; LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"; WRNM Period-Short and (continued)

PBAPS UNIT 3 B 3.3-37 Revision No. 17

WRNM Instrumentation B 3.3.1.2 BASES APPLICABLE SAFETY ANALYSES (continued) Average Power Range Monitor (APRM) Startup High Flux Scram Functions; and LCO 3.3.2.1, "Control Rod Block Instrumentation."

The WRNMs have no safety function associated with monitoring neutron flux at very low levels and are not assumed to function during any UFSAR design basis accident or transient analysis which would occur at very low neutron flux levels.

However, the WRNMs provide the only on-scale monitoring of neutron flux levels during startup and refueling.

Therefore, they are being retained in Technical Specifications.

LCO During startup in MODE 2, three of the eight WRNM channels are required to be OPERABLE to monitor the reactor flux level and reactor period prior to and during control rod withdrawal, subcritical multiplication and reactor criticality. These three required channels must be located in different core quadrants in order to provide a representation of the overall core response during those periods when reactivity changes are occurring throughout the core.

In MODES 3 and 4, with the reactor shut down, two WRNM channels in two different quadrants provide redundant monitoring of flux levels in the core.

In MODE 5, during a spiral offload or reload, a WRNM outside the fueled region will no longer be required to be OPERABLE, since it is not capable of monitoring neutron flux in the fueled region of the core. Thus, CORE ALTERATIONS are allowed in a quadrant with no OPERABLE WRNM in an adjacent quadrant provided the Table 3.3.1.2-1, footnote (b), requirement that the bundles being spiral reloaded or spiral offloaded are all in a single fueled region containing at least one OPERABLE WRNM is met. Spiral reloading and offloading encompass reloading or offloading a cell on the edge of a continuous fueled region (the cell can be reloaded or offloaded in any sequence).

In nonspiral routine operations, two WRNMs are required to be OPERABLE to provide redundant monitoring of reactivity changes in the reactor core. Because of the local nature of reactivity changes during refueling, adequate coverage is provided by requiring one WRNM to be OPERABLE for the connected fuel in the quadrant of the reactor core where (continued)

PBAPS UNIT 3 B 3.3-38 Revision No. 17

WRNM Instrumentation B 3.3.1.2 BASES LCO (continued) CORE ALTERATIONS are being performed. There are two WRNMs in each quadrant. Any CORE ALTERATIONS must be performed in a region of fuel that is connected to an OPERABLE WRNM to ensure that the reactivity changes are monitored within the fueled region(s) of the quadrant. The other WRNM that is required to be OPERABLE must be in an adjacent quadrant containing fuel. These requirements ensure that the reactivity of the core will be continuously monitored during CORE ALTERATIONS.

Special movable detectors, according to footnote (c) of Table 3.3.1.2-1, may be used in place of the normal WRNM nuclear detectors. These special detectors must be connected to the normal WRNM circuits in the NMS, such that the applicable neutron flux indication can be generated.

These special detectors provide more flexibility in monitoring reactivity changes during fuel loading, since they can be positioned anywhere within the core during refueling. They must still meet the location requirements of SR 3.3.1.2.2 and all other required SRs for WRNMs.

The Table 3.3.1.2-1, footnote (d), requirement provides for conservative spatial core coverage.

For a WRNM channel to be considered OPERABLE, it must be providing neutron flux monitoring indication.

APPLICABILITY The WRNMs are required to be OPERABLE in MODES 2, 3, 4, and 5 prior to the WRNMs reading 125E-5 % power to provide for neutron monitoring. In MODE 1, the APRMs provide adequate monitoring of reactivity changes in the core; therefore, the WRNMs are not required. In MODE 2, with WRNMs reading greater than 125E-5 % power, the WRNM Period Short function provides adequate monitoring and the WRNMs monitoring indication is not required.

ACTIONS A.1 and B.1 In MODE 2, the WRNM channels provide the means of monitoring core reactivity and criticality. With any number of the required WRNMs inoperable, the ability to monitor neutron flux is degraded. Therefore, a limited time is allowed to restore the inoperable channels to OPERABLE status.

(continued)

PBAPS UNIT 3 B 3.3-39 Revision No. 17

WRNM Instrumentation B 3.3.1.2 BASES ACTIONS A.1 and B.1 (continued)

Provided at least one WRNM remains OPERABLE, Required Action A.1 allows 4 hours to restore the required WRNMs to OPERABLE status. This time is reasonable because there is adequate capability remaining to monitor the core, there is limited risk of an event during this time, and there is sufficient time to take corrective actions to restore the required WRNMs to OPERABLE status. During this time, control rod withdrawal and power increase is not precluded by this Required Action. Having the ability to monitor the core with at least one WRNM, proceeding to WRNM indication greater than 125E-5 % power, and thereby exiting the Applicability of this LCO, is acceptable for ensuring adequate core monitoring and allowing continued operation.

With three required WRNMs inoperable, Required Action B.1 allows no positive changes in reactivity (control rod withdrawal must be immediately suspended) due to inability to monitor the changes. Required Action A.1 still applies and allows 4 hours to restore monitoring capability prior to requiring control rod insertion. This allowance is based on the limited risk of an event during this time, provided that no control rod withdrawals are allowed, and the desire to concentrate efforts on repair, rather than to immediately shut down, with no WRNMs OPERABLE.

C.1

In MODE 2, if the required number of WRNMs is not restored to OPERABLE status within the allowed Completion Time, the reactor shall be placed in MODE 3. With all control rods fully inserted, the core is in its least reactive state with the most margin to criticality. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

D.1 and D.2 With one or more required WRNMs inoperable in MODE 3 or 4, the neutron flux monitoring capability is degraded or nonexistent. The requirement to fully insert all insertable control rods ensures that the reactor will be at its minimum reactivity level while no neutron monitoring capability is (continued)

PBAPS UNIT 3 B 3.3-40 Revision No. 17

WRNM Instrumentation B 3.3.1.2 BASES ACTIONS D.1 and D.2 (continued) available. Placing the reactor mode switch in the shutdown position prevents subsequent control rod withdrawal by maintaining a control rod block. The allowed Completion Time of 1 hour is sufficient to accomplish the Required Action, and takes into account the low probability of an event requiring the WRNM occurring during this interval.

E.1 and E.2 With one or more required WRNMs inoperable in MODE 5, the ability to detect local reactivity changes in the core during refueling is degraded. CORE ALTERATIONS must be immediately suspended and action must be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies.

Suspending CORE ALTERATIONS prevents the two most probable causes of reactivity changes, fuel loading and control rod withdrawal, from occurring. Inserting all insertable control rods ensures that the reactor will be at its minimum reactivity given that fuel is present in the core.

Suspension of CORE ALTERATIONS shall not preclude completion of the movement of a component to a safe, conservative position.

Action (once required to be initiated) to insert control rods must continue until all insertable rods in core cells containing one or more fuel assemblies are inserted.

SURVEILLANCE REQUIREMENTS As noted at the beginning of the SRs, the SRs for each WRNM Applicable MODE or other specified conditions are found in the SRs column of Table 3.3.1.2-1.

SR 3.3.1.2.1 and SR 3.3.1.2.3 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious.

(continued)

PBAPS UNIT 3 B 3.3-41 Revision No. 17

WRNM Instrumentation B 3.3.1.2 BASES SURVEILLANCE REQUIREMENTS SR 3.3.1.2.1 and SR 3.3.1.2.3 (continued)

A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency of once every 12 hours for SR 3.3.1.2.1 is based on operating experience that demonstrates channel failure is rare. While in MODES 3 and 4, reactivity changes are not expected; therefore, the 12 hour Frequency is relaxed to 24 hours for SR 3.3.1.2.3. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.1.2.2 To provide adequate coverage of potential reactivity changes in the core, one WRNM is required to be OPERABLE for the connected fuel in the quadrant where the CORE ALTERATIONS are being performed, and the other OPERABLE WRNM must be in an adjacent quadrant containing fuel. Note 1 states that the SR is required to be met only during CORE ALTERATIONS.

It is not required to be met at other times in MODE 5 since core reactivity changes are not occurring. This Surveillance consists of a review of plant logs to ensure that WRNMs required to be OPERABLE for given CORE ALTERATIONS are, in fact, OPERABLE. In the event that only one WRNM is required to be OPERABLE, per Table 3.3.1.2-1, footnote (b), only the a. portion of this SR is required.

Note 2 clarifies that more than one of the three requirements can be met by the same OPERABLE WRNM. The 12 hour Frequency is based upon operating experience and supplements operational controls over refueling activities that include steps to ensure that the WRNMs required by the LCO are in the proper quadrant.

(continued)

PBAPS UNIT 3 B 3.3-42 Revision No. 17

WRNM Instrumentation B 3.3.1.2 BASES SURVEILLANCE REQUIREMENTS (continued) SR 3.3.1.2.4 This Surveillance consists of a verification of the WRNM instrument readout to ensure that the WRNM reading is greater than a specified minimum count rate, which ensures that the detectors are indicating count rates indicative of neutron flux levels within the core. The signal-to-noise ratio shown in Figure 3.3.1.2-1 is the WRNM count rate at which there is a 95% probability that the WRNM signal indicates the presence of neutrons and only a 5% probability that the WRNM signal is the result of noise (Ref. 1). With few fuel assemblies loaded, the WRNMs will not have a high enough count rate to satisfy the SR. Therefore, allowances are made for loading sufficient "source" material, in the form of irradiated fuel assemblies, to establish the minimum count rate.

To accomplish this, the SR is modified by Note 1 that states that the count rate is not required to be met on a WRNM that has less than or equal to four fuel assemblies adjacent to the WRNM and no other fuel assemblies are in the associated core quadrant. With four or less fuel assemblies loaded around each WRNM and no other fuel assemblies in the associated core quadrant, even with a control rod withdrawn, the configuration will not be critical. In addition, Note 2 states that this requirement does not have to be met during spiral unloading. If the core is being unloaded in this manner, the various core configurations encountered will not be critical.

The Frequency is based upon channel redundancy and other information available in the control room, and ensures that the required channels are frequently monitored while core reactivity changes are occurring. When no reactivity changes are in progress, the Frequency is relaxed from 12 hours to 24 hours.

SR 3.3.1.2.5 Performance of a CHANNEL FUNCTIONAL TEST demonstrates the associated channel will function properly. SR 3.3.1.2.5 is required in MODES 2, 3, 4 and 5 and the 31 day Frequency ensures that the channels are OPERABLE while core reactivity (continued)

PBAPS UNIT 3 B 3.3-43 Revision No. 17

WRNM Instrumentation B 3.3.1.2 BASES SURVEILLANCE REQUIREMENTS SR 3.3.1.2.5 (continued)

changes could be in progress. This Frequency is reasonable, based on operating experience, fixed incore detectors, overall reliability, self-monitoring features, and on other Surveillances (such as a CHANNEL CHECK), that ensure proper functioning between CHANNEL FUNCTIONAL TESTS.

Verification of the signal to noise ratio also ensures that the detectors are correctly monitoring the neutron flux.

The Note to the Surveillance allows the Surveillance to be delayed until entry into the specified condition of the Applicability (THERMAL POWER decreased to WRNM reading of 125E-5 % power or below). The SR must be performed within 12 hours after WRNMs are reading 125E-5 % power or below.

The allowance to enter the Applicability with the 31 day Frequency not met is reasonable, based on the limited time of 12 hours allowed after entering the Applicability.

Although the Surveillance could be performed while at higher power, the plant would not be expected to maintain steady state operation at this power level. In this event, the 12 hour Frequency is reasonable, based on the WRNMs being otherwise verified to be OPERABLE (i.e., satisfactorily performing the CHANNEL CHECK) and the time required to perform the Surveillances.

SR 3.3.1.2.6 Performance of a CHANNEL CALIBRATION at a Frequency of 24 months verifies the performance of the WRNM detectors and associated circuitry. The Frequency considers the plant conditions required to perform the test, the ease of performing the test, and the likelihood of a change in the system or component status. Note 1 excludes the neutron detectors from the CHANNEL CALIBRATION because they cannot readily be adjusted. The detectors are fission chambers that are designed to have a relatively constant sensitivity over the range and with an accuracy specified for a fixed useful life.

(continued)

PBAPS UNIT 3 B 3.3-44 Revision No. 17

WRNM Instrumentation B 3.3.1.2 BASES SURVEILLANCE REQUIREMENTS SR 3.3.1.2.6 (continued)

Note 2 to the Surveillance allows the Surveillance to be delayed until entry into the specified condition of the Applicability. The SR must be performed in MODE 2 within 12 hours of entering MODE 2 with WRNMs reading 125E-5 % power or below. The allowance to enter the Applicability with the 24 month Frequency not met is reasonable, based on the limited time of 12 hours allowed after entering the Applicability. Although the Surveillance could be performed while at higher power, the plant would not be expected to maintain steady state operation at this power level. In this event, the 12 hour Frequency is reasonable, based on the WRNMs being otherwise verified to be OPERABLE (i.e., satisfactorily performing the CHANNEL CHECK) and the time required to perform the Surveillance.

REFERENCES 1. NRC Safety Evaluation Report for Amendment Numbers 147 and 149 to Facility Operating License Numbers DPR-44 and DPR-56, Peach Bottom Atomic Power Station, Unit Nos. 2 and 3, August 28, 1989.

PBAPS UNIT 3 B 3.3-45 Revision No. 17

Control Rod Block Instrumentation B 3.3.2.1 B 3.3 INSTRUMENTATION B 3.3.2.1 Control Rod Block Instrumentation BASES BACKGROUND Control rods provide the primary means for control of reactivity changes. Control rod block instrumentation includes channel sensors, logic circuitry, switches, and relays that are designed to ensure that specified fuel design limits are not exceeded for postulated transients and accidents. During high power operation, the rod block monitor (RBM) provides protection for control rod withdrawal error events. During low power operations, control rod blocks from the rod worth minimizer (RWM) enforce specific control rod sequences designed to mitigate the consequences of the control rod drop accident (CRDA). During shutdown conditions, control rod blocks from the Reactor Mode Switch-Shutdown Position Function ensure that all control rods remain inserted to prevent inadvertent criticalities.

The purpose of the RBM is to limit control rod withdrawal if localized neutron flux exceeds a predetermined setpoint during control rod manipulations. It is assumed to function to block further control rod withdrawal to preclude a MCPR Safety Limit (SL) violation. The RBM supplies a trip signal to the Reactor Manual Control System (RMCS) to appropriately inhibit control rod withdrawal during power operation above the low power range setpoint. The RBM has two channels, either of which can initiate a control rod block when the channel output exceeds the control rod block setpoint. One RBM channel inputs into one RMCS rod block circuit and the other RBM channel inputs into the second RMCS rod block circuit. The RBM channel signal is generated by averaging a set of local power range monitor (LPRM) signals at various core heights surrounding the control rod being withdrawn. A signal from one of the four redundant average power range monitor (APRM) channels supplies a reference signal for one of the RBM channels and a signal from another of the APRM channels supplies the reference signal to the second RBM channel. This reference signal is used to determine which RBM range setpoint (low, intermediate, or high) is enabled.

If the APRM is indicating less than the low power range setpoint, the RBM is automatically bypassed. The RBM is also automatically bypassed if a peripheral control rod is selected (Ref. 1). A rod block signal is also generated if an RBM inoperable trip occurs, since this could indicate a problem with the RBM channel.

(continued)

PBAPS UNIT 3 B 3.3-46 Revision No. 30

Control Rod Block Instrumentation B 3.3.2.1 BASES BACKGROUND (continued) The inoperable trip will occur if, during the nulling (normalization) sequence, the RBM channel fails to null or too few LPRM inputs are available, if a critical self-test fault has been detected, or the RBM instrument mode switch is moved to any position other than "Operate".

The purpose of the RWM is to control rod patterns during startup and shutdown, such that only specified control rod sequences and relative positions are allowed over the operating range from all control rods inserted to 10% RTP.

The sequences effectively limit the potential amount and rate of reactivity increase during a CRDA. Prescribed control rod sequences are stored in the RWM, which will initiate control rod withdrawal and insert blocks when the actual sequence deviates beyond allowances from the stored sequence. The RWM determines the actual sequence based on position indication for each control rod. The RWM also uses feedwater flow and steam flow signals to determine when the reactor power is above the preset power level at which the RWM is automatically bypassed (Ref. 2). The RWM is a single channel system that provides input into both RMCS rod block circuits.

With the reactor mode switch in the shutdown position, a control rod withdrawal block is applied to all control rods to ensure that the shutdown condition is maintained. This Function prevents inadvertent criticality as the result of a control rod withdrawal during MODE 3 or 4, or during MODE 5 when the reactor mode switch is required to be in the shutdown position. The reactor mode switch has two channels, each inputting into a separate RMCS rod block circuit. A rod block in either RMCS circuit will provide a control rod block to all control rods.

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY 1. Rod Block Monitor The RBM is designed to prevent violation of the MCPR SL and the cladding 1% plastic strain fuel design limit that may result from a single control rod withdrawal error (RWE) event. The analytical methods and assumptions used in evaluating the RWE event are summarized in Reference 1. A (continued)

PBAPS UNIT 3 B 3.3-47 Revision No. 31

Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY 1. Rod Block Monitor (continued)

statistical analysis of RWE events was performed to determine the RBM response for both channels for each event.

From these responses, the fuel thermal performance as a function of RBM Allowable Value was determined. The Allowable Values are chosen as a function of power level.

The Allowable Values are specified in the CORE OPERATING LIMITS REPORT (COLR). Based on the specified Allowable Values, operating limits are established.

The RBM Function satisfies Criterion 3 of the NRC Policy Statement.

Two channels of the RBM are required to be OPERABLE, with their setpoints within the appropriate Allowable Values to ensure that no single instrument failure can preclude a rod block from this Function. The actual setpoints are calibrated consistent with applicable setpoint methodology.

Trip setpoints are specified in the setpoint calculations.

The trip setpoints are selected to ensure that the setpoints do not exceed the Allowable Values between successive CHANNEL CALIBRATIONS. Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor power), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic or design limits are derived from the limiting values of the process parameters obtained from the safety analysis or other appropriate documents. The Allowable Values are derived from the analytic or design limits, corrected for calibration, process, and instrument errors. The trip setpoints are determined from analytical or design limits, corrected for calibration, process, and instrument errors, as well as, instrument drift. In selected cases, the Allowable Values and trip setpoints are determined by engineering judgement or historically accepted practice relative to the intended function of the channel.

The trip setpoints determined in this manner provide adequate protection by assuring instrument and process uncertainties expected for the environments during the operating time of the channels are accounted for.

(continued)

PBAPS UNIT 3 B 3.3-48 Revision No. 3

Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY 1. Rod Block Monitor (continued)

The RBM is assumed to mitigate the consequences of an RWE event when operating ≥ 30% RTP. Below this power level, the consequences of an RWE event will not exceed the MCPR SL and, therefore, the RBM is not required to be OPERABLE (Ref. 1). When operating < 90% RTP, analyses (Ref. 1) have shown that with an initial MCPR ≥ 1.70, no RWE event will result in exceeding the MCPR SL. Also, the analyses demonstrate that when operating at ≥ 90% RTP with MCPR ≥ 1.40, no RWE event will result in exceeding the MCPR SL (Ref. 1). Therefore, under these conditions, the RBM is also not required to be OPERABLE.

2. Rod Worth Minimizer The RWM enforces the banked position withdrawal sequence (BPWS) to ensure that the initial conditions of the CRDA analysis are not violated. The analytical methods and assumptions used in evaluating the CRDA are summarized in References 3, 4, 5, and 6. The BPWS requires that control rods be moved in groups, with all control rods assigned to a specific group required to be within specified banked positions. Requirements that the control rod sequence is in compliance with the BPWS are specified in LCO 3.1.6, "Rod Pattern Control."

The RWM Function satisfies Criterion 3 of the NRC Policy Statement.

Since the RWM is a hardwired system designed to act as a backup to operator control of the rod sequences, only one channel of the RWM is available and required to be OPERABLE (Ref. 6). Special circumstances provided for in the Required Action of LCO 3.1.3, "Control Rod OPERABILITY," and LCO 3.1.6 may necessitate bypassing the RWM to allow continued operation with inoperable control rods, or to allow correction of a control rod pattern not in compliance with the BPWS. The RWM may be bypassed as required by these conditions, but then it must be considered inoperable and the Required Actions of this LCO followed.

(continued)

PBAPS UNIT 3 B 3.3-49 Revision No. 3

Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY 2. Rod Worth Minimizer (continued)

Compliance with the BPWS, and therefore OPERABILITY of the RWM, is required in MODES 1 and 2 when THERMAL POWER is < 10% RTP. When THERMAL POWER is > 10% RTP, there is no possible control rod configuration that results in a control rod worth that could exceed the 280 cal/gm fuel damage limit during a CRDA (Refs. 4 and 6). In MODES 3 and 4, all control rods are required to be inserted into the core; therefore, a CRDA cannot occur. In MODE 5, since only a single control rod can be withdrawn from a core cell containing fuel assemblies, adequate SDM ensures that the consequences of a CRDA are acceptable, since the reactor will be subcritical.

3. Reactor Mode Switch-Shutdown Position During MODES 3 and 4, and during MODE 5 when the reactor mode switch is required to be in the shutdown position, the core is assumed to be subcritical; therefore, no positive reactivity insertion events are analyzed. The Reactor Mode Switch-Shutdown Position control rod withdrawal block ensures that the reactor remains subcritical by blocking control rod withdrawal, thereby preserving the assumptions of the safety analysis.

The Reactor Mode Switch-Shutdown Position Function satisfies Criterion 3 of the NRC Policy Statement.

Two channels are required to be OPERABLE to ensure that no single channel failure will preclude a rod block when required. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on reactor mode switch position.

During shutdown conditions (MODE 3, 4, or 5), no positive reactivity insertion events are analyzed because assumptions are that control rod withdrawal blocks are provided to prevent criticality. Therefore, when the reactor mode switch is in the shutdown position, the control rod withdrawal block is required to be OPERABLE. During MODE 5 with the reactor mode switch in the refueling position, the refuel position one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock") provides the required control rod withdrawal blocks.

(continued)

PBAPS UNIT 3 B 3.3-50 Revision No. 3

Control Rod Block Instrumentation B 3.3.2.1 BASES (continued)

ACTIONS A.1 With one RBM channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod block function; however, overall reliability is reduced because a single failure in the remaining OPERABLE channel can result in no control rod block capability for the RBM. For this reason, Required Action A.1 requires restoration of the inoperable channel to OPERABLE status. The Completion Time of 24 hours is based on the low probability of an event occurring coincident with a failure in the remaining OPERABLE channel.

B.1

If Required Action A.1 is not met and the associated Completion Time has expired, the inoperable channel must be placed in trip within 1 hour. If both RBM channels are inoperable, the RBM is not capable of performing its intended function; thus, one channel must also be placed in trip. This initiates a control rod withdrawal block, thereby ensuring that the RBM function is met.

The 1 hour Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities and is acceptable because it minimizes risk while allowing time for restoration or tripping of inoperable channels.

C.1, C.2.1.1, C.2.1.2, and C.2.2

With the RWM inoperable during a reactor startup, the operator is still capable of enforcing the prescribed control rod sequence. However, the overall reliability is reduced because a single operator error can result in violating the control rod sequence. Therefore, control rod movement must be immediately suspended except by scram.

Alternatively, startup may continue if at least 12 control rods have already been withdrawn, or a reactor startup with an inoperable RWM was not performed in the last 12 months.

These requirements minimize the number of reactor startups initiated with the RWM inoperable. Required Actions C.2.1.1 and C.2.1.2 require verification of these conditions by review of plant logs and control room indications. Once Required Action C.2.1.1 or C.2.1.2 is satisfactorily completed, control rod withdrawal may proceed in accordance with the restrictions imposed by Required Action C.2.2.

Required Action C.2.2 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff. The RWM may be bypassed under these conditions to allow continued operations. In addition, Required Actions of LCO 3.1.3 and LCO 3.1.6 may require bypassing the RWM, during which time the RWM must be considered inoperable with Condition C entered and its Required Actions taken.

D.1

With the RWM inoperable during a reactor shutdown, the operator is still capable of enforcing the prescribed control rod sequence. Required Action D.1 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff.

The RWM may be bypassed under these conditions to allow the reactor shutdown to continue.

E.1 and E.2

With one Reactor Mode Switch-Shutdown Position control rod withdrawal block channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod withdrawal block function. However, since the Required Actions are consistent with the normal action of an OPERABLE Reactor Mode Switch-Shutdown Position Function (i.e., maintaining all control rods inserted), there is no distinction between having one or two channels inoperable.

In both cases (one or both channels inoperable), suspending all control rod withdrawal and initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies will ensure that the core is subcritical with adequate SDM ensured by LCO 3.1.1. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are therefore not required to be inserted. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted.

SURVEILLANCE REQUIREMENTS

As noted at the beginning of the SRs, the SRs for each Control Rod Block instrumentation Function are found in the SRs column of Table 3.3.2.1-1.

The Surveillances are modified by a Note to indicate that when an RBM channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains control rod block capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

This Note is based on the reliability analysis (Refs. 8, 9, & 10) assumptions of the average time required to perform channel surveillances. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that a control rod block will be initiated when necessary.

SR 3.3.2.1.1

A CHANNEL FUNCTIONAL TEST is performed for each RBM channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Frequency of 184 days is based on reliability analyses (Refs. 7, 9 & 10).

PBAPS UNIT 3 B 3.3-53 Revision No. 30

SR 3.3.2.1.2 and SR 3.3.2.1.3

A CHANNEL FUNCTIONAL TEST is performed for the RWM to ensure that the entire system will perform the intended function.

The CHANNEL FUNCTIONAL TEST for the RWM is performed by attempting to withdraw a control rod not in compliance with the prescribed sequence and verifying a control rod block occurs. SR 3.3.2.1.2 is performed during a startup and SR 3.3.2.1.3 is performed during a shutdown (or power reduction to ≤ 10% RTP). As noted in the SRs, SR 3.3.2.1.2 is not required to be performed until 1 hour after any control rod is withdrawn at ≤ 10% RTP in MODE 2. As noted, SR 3.3.2.1.3 is not required to be performed until 1 hour after THERMAL POWER is ≤ 10% RTP in MODE 1. This allows entry at ≤ 10% RTP in MODE 2 for SR 3.3.2.1.2 and entry into MODE 1 when THERMAL POWER is ≤ 10% RTP for SR 3.3.2.1.3 to perform the required Surveillance if the 92 day Frequency is not met per SR 3.0.2. The 1 hour allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SRs. The Frequencies are based on reliability analysis (Ref. 7).

SR 3.3.2.1.4

The RBM setpoints are automatically varied as a function of power. Three Allowable Values are specified in the COLR, each within a specific power range. The power at which the control rod block Allowable Values automatically change is based on the APRM signal's input to each RBM channel. Below the minimum power setpoint, the RBM is automatically bypassed. These power Allowable Values must be verified using a simulated or actual signal periodically to be less than or equal to the specified values. If any power range setpoint is nonconservative, then the affected RBM channel is considered inoperable. Alternatively, the power range channel can be placed in the conservative condition (i.e., enabling the proper RBM setpoint). If placed in this condition, the SR is met and the RBM channel is not considered inoperable. As noted, neutron detectors are excluded from the Surveillance because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal.

Neutron detectors are adequately tested in SR 3.3.1.1.2 and SR 3.3.1.1.8. The 24 month Frequency is based on the actual trip setpoint methodology utilized for these channels.

SR 3.3.2.1.5

A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

As noted, neutron detectors are excluded from the CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately tested in SR 3.3.1.1.2 and SR 3.3.1.1.8. The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.


SR 3.3.2.1.6

The RWM is automatically bypassed when power is above a specified value. The power level is determined from feedwater flow and steam flow signals. The automatic bypass setpoint must be verified periodically to be > 10% RTP. If the RWM low power setpoint is nonconservative, then the RWM is considered inoperable. Alternately, the low power setpoint channel can be placed in the conservative condition (nonbypass). If placed in the nonbypassed condition, the SR is met and the RWM is not considered inoperable. The Frequency is based on the trip setpoint methodology utilized for the low power setpoint channel.

SR 3.3.2.1.7

A CHANNEL FUNCTIONAL TEST is performed for the Reactor Mode Switch-Shutdown Position Function to ensure that the entire channel will perform the intended function. The CHANNEL FUNCTIONAL TEST for the Reactor Mode Switch-Shutdown Position Function is performed by attempting to withdraw any control rod with the reactor mode switch in the shutdown position and verifying a control rod block occurs.

As noted in the SR, the Surveillance is not required to be performed until 1 hour after the reactor mode switch is in the shutdown position, since testing of this interlock with the reactor mode switch in any other position cannot be performed without using jumpers, lifted leads, or movable links. This allows entry into MODES 3 and 4 if the 24 month Frequency is not met per SR 3.0.2. The 1 hour allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown these components will pass the Surveillance when performed at the 24 month Frequency.

SR 3.3.2.1.8

The RWM will only enforce the proper control rod sequence if the rod sequence is properly input into the RWM computer.

This SR ensures that the proper sequence is loaded into the RWM so that it can perform its intended function. The Surveillance is performed once prior to declaring RWM OPERABLE following loading of sequence into RWM, since this is when rod sequence input errors are possible.

REFERENCES

1. NEDC-32162-P, "Maximum Extended Load Line Limit and ARTS Improvement Program Analysis for Peach Bottom Atomic Power Station, Units 2 and 3," Revision 1, February 1993.
2. UFSAR, Sections 7.10.3.4.8 and 7.16.3.
3. NEDE-24011-P-A-10-US, "General Electric Standard Application for Reload Fuel," Supplement for United States, Section S 2.2.3.1, February 1991.
4. "Modifications to the Requirements for Control Rod Drop Accident Mitigating Systems," BWR Owners' Group, July 1986.
5. NEDO-21231, "Banked Position Withdrawal Sequence," January 1977.
6. NRC SER, "Acceptance of Referencing of Licensing Topical Report NEDE-24011-P-A," "General Electric Standard Application for Reactor Fuel, Revision 8, Amendment 17," December 27, 1987.
7. NEDC-30851-P-A, "Technical Specification Improvement Analysis for BWR Control Rod Block Instrumentation," October 1988.
8. GENE-770-06-1, "Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.
9. NEDC-32410P-A, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function", March 1995.
10. NEDC-32410P Supplement 1, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, Supplement 1", November 1997.


B 3.3 INSTRUMENTATION

B 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation

BASES

BACKGROUND

The feedwater and main turbine high water level trip instrumentation is designed to detect a potential failure of the Feedwater Level Control System that causes excessive feedwater flow.

With excessive feedwater flow, the water level in the reactor vessel rises toward the high water level setpoint, causing the trip of the three feedwater pump turbines and the main turbine.

Digital Feedwater Control System (DFCS) high water level signals are provided by six level sensors. However, only three narrow range level sensors are required to perform the function with sufficient redundancy. The three level sensors sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level in the reactor vessel (variable leg). The three level signals are input into two redundant digital control computers. Any one of the three signals is automatically selected (by the digital control computer) as the signal to be used for the high level trip.

Each digital control computer has two redundant digital outputs (channels) to provide redundant signals to an associated trip system. Each digital control computer processes input signals and compares them to pre-established setpoints. When the setpoint is exceeded, the two digital outputs actuate two contacts arranged in parallel so that either digital output can trip the associated trip system.

The tripping of both digital computer trip systems will initiate a trip of the feedwater pump turbines and the main turbine.

A trip of the feedwater pump turbines limits further increase in reactor vessel water level by limiting further addition of feedwater to the reactor vessel. A trip of the main turbine and closure of the stop valves protects the turbine from damage due to water entering the turbine.


APPLICABLE SAFETY ANALYSES

The feedwater and main turbine high water level trip instrumentation is assumed to be capable of providing a turbine trip in the design basis transient analysis for a feedwater controller failure, maximum demand event (Ref. 1).

The high water level trip indirectly initiates a reactor scram from the main turbine trip (above 30% RTP) and trips the feedwater pumps, thereby terminating the event. The reactor scram mitigates the reduction in MCPR.

Feedwater and main turbine high water level trip instrumentation satisfies Criterion 3 of the NRC Policy Statement.

LCO

The LCO requires two DFCS channels per trip system of high water level trip instrumentation to be OPERABLE to ensure the feedwater pump turbines and main turbine will trip on a valid reactor vessel high water level signal. Two DFCS channels (one per trip system) are needed to provide trip signals in order for the feedwater and main turbine trips to occur.

Two level signals are also required to ensure a single sensor failure will not prevent the trips of the feedwater pump turbines and main turbine when reactor vessel water level is at the high water level reference point.

Each channel must have its setpoint set within the specified Allowable Value of SR 3.3.2.2.3. The Allowable Value is set to ensure that the thermal limits are not exceeded during the event. The actual setpoint is calibrated to be consistent with the applicable setpoint methodology assumptions. Trip setpoints are specified in the setpoint calculations. The trip setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic or design limits are derived from the limiting values of the process parameters obtained from the safety analysis or other appropriate documents. The Allowable Values are derived from the analytic or design limits, corrected for calibration, process, and instrument errors. A channel is inoperable if its actual trip setting is not within its required Allowable Value. The trip setpoints are determined from analytical or design limits, corrected for calibration, process and instrument errors, as well as instrument drift.

The trip setpoints determined in this manner provide adequate protection by assuring instrument and process uncertainties expected for the environment during the operating time for the associated channels are accounted for.

APPLICABILITY

The feedwater and main turbine high water level trip instrumentation is required to be OPERABLE at ≥ 25% RTP to ensure that the fuel cladding integrity Safety Limit and the cladding 1% plastic strain limit are not violated during the feedwater controller failure, maximum demand event. As discussed in the Bases for LCO 3.2.1, "Average Planar Linear Heat Generation Rate (APLHGR)," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)," sufficient margin to these limits exists below 25% RTP; therefore, these requirements are only necessary when operating at or above this power level.

ACTIONS

A Note has been provided to modify the ACTIONS related to feedwater and main turbine high water level trip instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable feedwater and main turbine high water level trip instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable feedwater and main turbine high water level trip instrumentation channel.

A.1

With one or more feedwater and main turbine high water level trip channels inoperable, but with feedwater and main turbine high water level trip capability maintained (refer to Required Action B.1 Bases), the remaining OPERABLE channels can provide the required trip signal. However, overall instrumentation reliability is reduced because a single active instrument failure in one of the remaining channels may result in the instrumentation not being able to perform its intended function. Therefore, continued operation is only allowed for a limited time with one or more channels inoperable. If the inoperable channels cannot be restored to OPERABLE status within the Completion Time, the channels must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single active instrument failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in the feedwater and main turbine trip), Condition C must be entered and its Required Action taken.

The Completion Time of 72 hours is based on the low probability of the event occurring coincident with a single failure in a remaining OPERABLE channel.

B.1

Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels result in the High Water Level Function of DFCS not maintaining feedwater and main turbine trip capability. In this condition, the feedwater and main turbine high water level trip instrumentation cannot perform its design function. Therefore, continued operation is only permitted for a 2 hour period, during which feedwater and main turbine high water level trip capability must be restored. The trip capability is considered maintained when sufficient channels are OPERABLE or in trip such that the feedwater and main turbine high water level trip logic will generate a trip signal on a valid signal. This requires one channel per trip system to be OPERABLE or in trip. If the required channels cannot be restored to OPERABLE status or placed in trip, Condition C must be entered and its Required Action taken.

The 2 hour Completion Time is sufficient for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of feedwater and main turbine high water level trip instrumentation occurring during this period. It is also consistent with the 2 hour Completion Time provided in LCO 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a MCPR violation.
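The trip logic from the BACKGROUND section (two parallel channels per trip system, both trip systems needed for a trip) and the Condition A and B distinctions above can be checked by enumerating channel states. The following Python sketch is an added illustration, not part of the Peach Bottom Bases or any plant software; the state names, function names, and the assumptions that an inoperable untripped channel never actuates and that a channel placed in trip stays tripped are choices made for this example.

```python
from enum import Enum
from itertools import product


class Ch(Enum):
    """State of one DFCS high water level output channel (illustrative names)."""
    OPERABLE = "operable"      # actuates on a valid high level signal
    INOPERABLE = "inoperable"  # untripped; assumed never to actuate
    TRIPPED = "tripped"        # placed in trip; assumed to stay tripped


# A configuration is two trip systems (one per digital control computer),
# each with two channels whose contacts are arranged in parallel.
ALL_OPERABLE = ((Ch.OPERABLE, Ch.OPERABLE), (Ch.OPERABLE, Ch.OPERABLE))


def system_can_trip(system):
    """Parallel contacts: either channel output can trip its trip system."""
    return any(ch is not Ch.INOPERABLE for ch in system)


def system_is_tripped(system):
    """A trip system is already tripped if any of its channels is in trip."""
    return any(ch is Ch.TRIPPED for ch in system)


def trip_capability(config):
    """Both trip systems must trip, so each needs a channel OPERABLE or in trip."""
    return all(system_can_trip(s) for s in config)


def with_channel(config, si, ci, state):
    """Return a copy of config with channel ci of trip system si set to state."""
    systems = [list(s) for s in config]
    systems[si][ci] = state
    return tuple(tuple(s) for s in systems)


def single_failure_tolerant(config):
    """True if trip capability survives the failure of any one OPERABLE channel."""
    if not trip_capability(config):
        return False
    for si, system in enumerate(config):
        for ci, ch in enumerate(system):
            if ch is Ch.OPERABLE and not trip_capability(
                    with_channel(config, si, ci, Ch.INOPERABLE)):
                return False
    return True


def tripping_trips_plant(config, si, ci):
    """Would placing this channel in trip complete the two-system trip logic?"""
    return all(system_is_tripped(s)
               for s in with_channel(config, si, ci, Ch.TRIPPED))


def required_actions(config):
    """(Required Action, description, Completion Time in hours) per the Bases."""
    actions = []
    if any(ch is Ch.INOPERABLE for s in config for ch in s):
        actions.append(("A.1", "place channel in trip", 72))
    if not trip_capability(config):
        actions.append(("B.1", "restore trip capability", 2))
    return actions


def census():
    """Count all configurations, those with trip capability, and those tolerant."""
    configs = [((a1, a2), (b1, b2))
               for a1, a2, b1, b2 in product(list(Ch), repeat=4)]
    return (len(configs),
            sum(trip_capability(c) for c in configs),
            sum(single_failure_tolerant(c) for c in configs))


if __name__ == "__main__":
    one_bad = with_channel(ALL_OPERABLE, 0, 0, Ch.INOPERABLE)
    cases = [("all operable", ALL_OPERABLE),
             ("one inoperable, untripped", one_bad),
             ("same channel placed in trip", with_channel(one_bad, 0, 0, Ch.TRIPPED)),
             ("both channels of one system inoperable",
              with_channel(one_bad, 0, 1, Ch.INOPERABLE))]
    for name, cfg in cases:
        print(f"{name}: capability={trip_capability(cfg)}, "
              f"single-failure tolerant={single_failure_tolerant(cfg)}, "
              f"actions={required_actions(cfg)}")
    print("total / capable / tolerant:", census())
```

The enumeration shows why Required Action A.1 places the channel in trip rather than leaving it untripped: the untripped case keeps trip capability but loses single-failure tolerance, and placing the channel in trip restores it.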

C.1

With any Required Action and associated Completion Time not met, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER must be reduced to < 25% RTP within 4 hours. As discussed in the Applicability section of the Bases, operation below 25% RTP results in sufficient margin to the required limits, and the feedwater and main turbine high water level trip instrumentation is not required to protect fuel integrity during the feedwater controller failure, maximum demand event. The allowed Completion Time of 4 hours is based on operating experience to reduce THERMAL POWER to < 25% RTP from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains feedwater and main turbine high water level trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 2) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the feedwater pump turbines and main turbine will trip when necessary.

SR 3.3.2.2.1

Performance of the CHANNEL CHECK once every 24 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. The CHANNEL CHECK may be performed by comparing indication or by verifying the absence of the DFCS "TROUBLE" alarm in the control room. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels, or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limits.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.2.2.2

A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Frequency of 92 days is based on reliability analysis (Ref. 2).

SR 3.3.2.2.3

CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.2.2.4

The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the feedwater and main turbine stop valves is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function.

Therefore, if a stop valve is incapable of operating, the associated instrumentation channels would be inoperable.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components will pass the Surveillance when performed at the 24 month Frequency.

REFERENCES

1. UFSAR, Section 14.5.2.2.
2. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-Of-Service Times for Selected Instrumentation Technical Specifications," February 1991.


B 3.3 INSTRUMENTATION

B 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation

BASES

BACKGROUND

The primary purpose of the PAM instrumentation is to display plant variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for Design Basis Events.

The instruments that monitor these variables are designated as Type A, Category I, and non-Type A, Category I, in accordance with Regulatory Guide 1.97 (Ref. 1).

The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information available on selected plant parameters to monitor and assess plant status and behavior following an accident. This capability is consistent with the recommendations of Reference 1.

APPLICABLE SAFETY ANALYSES

The PAM instrumentation LCO ensures the OPERABILITY of Regulatory Guide 1.97, Type A variables so that the control room operating staff can:

  • Perform the diagnosis specified in the Emergency Operating Procedures (EOPs). These variables are restricted to preplanned actions for the primary success path of Design Basis Accidents (DBAs), (e.g., loss of coolant accident (LOCA)), and

  • Take the specified, preplanned, manually controlled actions for which no automatic control is provided, which are required for safety systems to accomplish their safety function.

The PAM instrumentation LCO also ensures OPERABILITY of Category I, non-Type A, variables so that the control room operating staff can:

  • Determine whether systems important to safety are performing their intended functions;

  • Determine the potential for causing a gross breach of the barriers to radioactivity release;

  • Determine whether a gross breach of a barrier has occurred; and

  • Initiate action necessary to protect the public and for an estimate of the magnitude of any impending threat.

The plant specific Regulatory Guide 1.97 Analysis (Refs. 2, 3, and 4) documents the process that identified Type A and Category I, non-Type A, variables.

Accident monitoring instrumentation that satisfies the definition of Type A in Regulatory Guide 1.97 meets Criterion 3 of the NRC Policy Statement. Category I, non-Type A, instrumentation is retained in Technical Specifications (TS) because it is intended to assist operators in minimizing the consequences of accidents. Therefore, these Category I variables are important for reducing public risk.

LCO LCO 3.3.3.1 requires two OPERABLE channels for all but one Function to ensure that no single failure prevents the operators from being presented with the information necessary to determine the status of the plant and to bring the plant to, and maintain it in, a safe condition following that accident. Furthermore, provision of two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information.

The exception to the two channel requirement is primary containment isolation valve (PCIV) position. In this case, the important information is the status of the primary containment penetrations. The LCO requires one position indicator for each active PCIV. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of passive valve or via system boundary status. If a normally active PCIV is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE.

The following list is a discussion of the specified instrument Functions listed in Table 3.3.3.1-1 in the accompanying LCO.

1. Reactor Pressure

Instruments: PR-3-2-3-404 A, B

Reactor pressure is a Category I variable provided to support monitoring of Reactor Coolant System (RCS) integrity and to verify operation of the Emergency Core Cooling Systems (ECCS). Two independent pressure transmitters with a range of 0 psig to 1500 psig monitor pressure, and the associated independent wide range recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.

2, 3. Reactor Vessel Water Level (Wide Range and Fuel Zone)

Instruments: Wide Range: LR-3-2-3-110 A, B (Green Pen)

Fuel Zone: LR-3-2-3-110 A, B (Blue Pen)

Reactor vessel water level is a Category I variable provided to support monitoring of core cooling and to verify operation of the ECCS. The wide range and fuel zone water level channels provide the PAM Reactor Vessel Water Level Functions. The ranges of the wide range water level channels and the fuel zone water level channels overlap to cover a range of -325 inches (just below the bottom of the active fuel) to +50 inches (above the normal water level).

Reactor vessel water level is measured by separate differential pressure transmitters. The output from these channels is recorded on two independent pen recorders, which is the primary indication used by the operator during an accident. Each recorder has two channels, one for wide range reactor vessel water level and one for fuel zone reactor vessel water level. Therefore, the PAM Specification deals specifically with these portions of the instrument channels.

4. Suppression Chamber Water Level (Wide Range)

Instruments: LR-9123 A, B

Suppression chamber water level is a Category I variable provided to detect a breach in the reactor coolant pressure boundary (RCPB). This variable is also used to verify and provide long term surveillance of ECCS function. The wide range suppression chamber water level measurement provides the operator with sufficient information to assess the status of both the RCPB and the water supply to the ECCS.

The wide range water level recorders monitor the suppression chamber water level from the bottom of the ECCS suction lines to five feet above normal water level. Two wide range suppression chamber water level signals are transmitted from separate differential pressure transmitters and are continuously recorded on two recorders in the control room. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.

5, 6. Drywell Pressure (Wide Range and Subatmospheric Range)

Instruments: Wide Range: PR-9102 A, B (Red Pen)

Subatmospheric Range: PR-9102 A, B (Green Pen)

Drywell pressure is a Category I variable provided to detect breach of the RCPB and to verify ECCS functions that operate to maintain RCS integrity. The wide range and subatmospheric range drywell pressure channels provide the PAM Drywell Pressure Functions. The wide range and subatmospheric range drywell pressure channels overlap to cover a range of 5 psia to 225 psig (in excess of four times the design pressure of the drywell). Drywell pressure signals are transmitted from separate pressure transmitters and are continuously recorded and displayed on two independent control room recorders. Each recorder has two channels, one for wide range drywell pressure and one for subatmospheric range drywell pressure. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channels.

7. Drywell High Range Radiation

Instruments: RR-9103 A, B (Green Pen)

Drywell high range radiation is a Category I variable provided to monitor the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans. Post accident drywell radiation levels are monitored by four instrument channels each with a range of 1 to Wx1O' R/hr. These radiation monitors drive two dual channel recorders located in the control room. Each recorder and the two associated channels are in a separate division. As such, two recorders and two channels of radiation monitoring instrumentation (one per recorder) are required to be OPERABLE for compliance with this LCO. Therefore, the PAM Specification deals specifically with these portions of the instrument channels.

8. Primary Containment Isolation Valve (PCIV) Position

PCIV position is a Category I variable provided for verification of containment integrity. In the case of PCIV position, the important information is the isolation status of the containment penetration. The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active PCIV in a containment penetration flow path, i.e., two total channels of PCIV position indication for a penetration flow path with two active valves. For containment penetrations with only one active PCIV having control room indication, Note (b) requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolable penetration via indicated status of the active valve, as applicable, and prior knowledge of passive valve or system boundary status. If a penetration flow path is isolated, position indication for the PCIV(s) in the associated penetration flow path is not needed to determine status. Therefore, the position indication for valves in an isolated penetration flow path is not required to be OPERABLE. The PCIV position PAM instrumentation consists of position switches, associated wiring and control room indicating lamps for active PCIVs (check valves and manual valves are not required to have position indication). Therefore, the PAM Specification deals specifically with these instrument channels.

9, 10. Drywell and Suppression Chamber Hydrogen and Oxygen Analyzers

Instruments: XR-90411A, XR-90411B

Drywell and suppression chamber hydrogen and oxygen analyzers are Category I instruments provided to detect high hydrogen or oxygen concentration conditions that represent a potential for containment breach. This variable is also important in verifying the adequacy of mitigating actions.

The drywell and suppression chamber hydrogen and oxygen analyzer PAM instrumentation consists of two independent gas analyzers. Each gas analyzer can determine either hydrogen or oxygen concentration. The analyzers are capable of determining hydrogen concentration in the range of 0 to 30% by volume and oxygen concentration in the range of 0 to 10% by volume. Each gas analyzer must be capable of sampling either the drywell or the suppression chamber. The hydrogen and oxygen concentration from each analyzer are displayed on its associated control room recorder. Therefore, the PAM Specification deals specifically with these portions of the analyzer channels.

11. Suppression Chamber Water Temperature

Instruments: TR-9123 A, B; TIS-3-2-71 A, B

Suppression chamber water temperature is a Category I variable provided to detect a condition that could potentially lead to containment breach and to verify the effectiveness of ECCS actions taken to prevent containment breach. The suppression chamber water temperature instrumentation allows operators to detect trends in suppression chamber water temperature in sufficient time to take action to prevent steam quenching vibrations in the suppression pool. Suppression chamber water temperature is monitored by two redundant channels. Each channel is assigned to a separate safeguard power division. Each channel consists of 13 resistance temperature detectors (RTDs) mounted in thermowells installed in the suppression chamber shell below the minimum water level, a processor, and control room recorder. The RTDs are mounted in each of 13 of the 16 segments of the suppression chamber. The RTD inputs are averaged by the processor to provide a bulk average temperature output to the associated control room recorder. The allowance that only 10 RTDs are required to be OPERABLE for a channel to be considered OPERABLE provided no 2 adjacent RTDs are inoperable is acceptable based on engineering judgement considering the temperature response profile of the suppression chamber water volume for previously analyzed events and the most challenging RTDs inoperable. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channels.

APPLICABILITY The PAM instrumentation LCO is applicable in MODES 1 and 2. These variables are related to the diagnosis and preplanned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES 1 and 2. In MODES 3, 4, and 5, plant conditions are such that the likelihood of an event that would require PAM instrumentation is extremely low; therefore, PAM instrumentation is not required to be OPERABLE in these MODES.

ACTIONS Note 1 has been added to the ACTIONS to exclude the MODE change restriction of LCO 3.0.4. This exception allows entry into the applicable MODE while relying on the ACTIONS even though the ACTIONS may eventually require plant shutdown. This exception is acceptable due to the passive function of the instruments, the operator's ability to diagnose an accident using alternative instruments and methods, and the low probability of an event requiring these instruments.

Note 2 has been provided to modify the ACTIONS related to PAM instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable PAM instrumentation channels provide appropriate compensatory measures for separate Functions. As such, a Note has been provided that allows separate Condition entry for each inoperable PAM Function.

A.1 When one or more Functions have one required channel that is inoperable, the required inoperable channel must be restored to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channels (or, in the case of a Function that has only one required channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval.

B.1 If a channel has not been restored to OPERABLE status in 30 days, this Required Action specifies initiation of action in accordance with Specification 5.6.6, which requires a written report to be submitted to the NRC. This report discusses the results of the root cause evaluation of the inoperability and identifies proposed restorative actions.

This action is appropriate in lieu of a shutdown requirement, since alternative actions are identified before loss of functional capability, and given the likelihood of plant conditions that would require information provided by this instrumentation.

C.1 When one or more Functions have two required channels that are inoperable (i.e., two channels inoperable in the same Function), one channel in the Function should be restored to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.

D.1 This Required Action directs entry into the appropriate Condition referenced in Table 3.3.3.1-1. The applicable Condition referenced in the Table is Function dependent.

Each time an inoperable channel has not met the Required Action of Condition C and the associated Completion Time has expired, Condition D is entered for that channel and provides for transfer to the appropriate subsequent Condition.

E.1 For the majority of Functions in Table 3.3.3.1-1, if the Required Action and associated Completion Time of Condition C is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

F.1 Since alternate means of monitoring drywell high range radiation have been developed and tested, the Required Action is not to shut down the plant, but rather to follow the directions of Specification 5.6.6. These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.

SURVEILLANCE REQUIREMENTS SR 3.3.3.1.1 Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel against a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The high radiation instrumentation should be compared to similar plant instruments located throughout the plant.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency of 31 days is based upon plant operating experience, with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given Function in any 31 day interval is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of those displays associated with the channels required by the LCO.

SR 3.3.3.1.2 and SR 3.3.3.1.3 These SRs require CHANNEL CALIBRATIONs to be performed. A CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies the channel responds to measured parameter with the necessary range and accuracy. For the PCIV Position Function, the CHANNEL CALIBRATION consists of verifying the remote indication conforms to actual valve position.

The 92 day Frequency for CHANNEL CALIBRATION of the drywell and suppression chamber hydrogen and oxygen analyzers is based on vendor recommendations. The 24 month Frequency for CHANNEL CALIBRATION of all other PAM instrumentation of Table 3.3.3.1-1 is based on operating experience and consistency with the Peach Bottom Atomic Power Station refueling cycles.

REFERENCES 1. Regulatory Guide 1.97, "Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident," Revision 3, May 1983.

2. NRC Safety Evaluation Report, "Peach Bottom Atomic Power Station, Unit Nos. 2 and 3, Conformance to Regulatory Guide 1.97," January 15, 1988.
3. Letter from G. Y. Suh (NRC) to G. J. Beck (PECo) dated February 13, 1991 concerning "Conformance to Regulatory Guide 1.97 for Peach Bottom Atomic Power Station, Units 2 and 3".
4. Letter from S. Dembek (NRC) to G. A. Hunger (PECO Energy) dated March 7, 1994 concerning "Regulatory Guide 1.97 - Boiling Water Reactor Neutron Flux Monitoring, Peach Bottom Atomic Power Station (PBAPS), Units 2 and 3".

Remote Shutdown System B 3.3.3.2 B 3.3 INSTRUMENTATION B 3.3.3.2 Remote Shutdown System BASES BACKGROUND The Remote Shutdown System provides the control room operator with sufficient instrumentation and controls to place and maintain the plant in a safe shutdown condition from a location other than the control room. This capability is necessary to protect against the possibility of the control room becoming inaccessible. A safe shutdown condition is defined as MODE 3. With the plant in MODE 3, the Reactor Core Isolation Cooling (RCIC) System, the safety/relief valves, and the Residual Heat Removal (RHR) Shutdown Cooling System can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the RCIC and the ability to operate shutdown cooling from outside the control room allow extended operation in MODE 3.

In the event that the control room becomes inaccessible, the operators can establish control at the remote shutdown panel and place and maintain the plant in MODE 3. The plant automatically reaches MODE 3 following a plant shutdown and can be maintained safely in MODE 3 for at least 1 hour. If control room operations cannot be resumed within 1 hour, the control capability available at the remote shutdown panel and locally does not prevent cooling down the reactor.

The OPERABILITY of the Remote Shutdown System control and instrumentation Functions ensures that there is sufficient information available on selected plant parameters to place and maintain the plant in MODE 3 should the control room become inaccessible.

APPLICABLE SAFETY ANALYSES The Remote Shutdown System is required to provide instrumentation and controls at appropriate locations outside the control room with a design capability to promptly shut down the reactor to MODE 3, including the necessary instrumentation and controls, to maintain the plant in a safe condition in MODE 3.

The criteria governing the design and the specific system requirements of the Remote Shutdown System are located in the UFSAR (Refs. 1 and 2).

The Remote Shutdown System is considered an important contributor to reducing the risk of accidents; as such, it meets Criterion 4 of the NRC Policy Statement.

LCO The Remote Shutdown System LCO provides the requirements for the OPERABILITY of the instrumentation and controls necessary to place and maintain the plant in MODE 3 from a location other than the control room. The instrumentation and controls required are listed in Table B 3.3.3.2-1.

The controls, instrumentation, and transfer switches are those required for:

  • Reactor pressure vessel (RPV) pressure control;
  • Decay heat removal;
  • RPV inventory control; and
  • Safety support systems for the above functions, including emergency service water (ESW) and emergency switch gear.

The Remote Shutdown System is OPERABLE if all instrument and control channels needed to support the remote shutdown function are OPERABLE.

The Remote Shutdown System instruments and control circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure that the instruments and control circuits will be OPERABLE if plant conditions require that the Remote Shutdown System be placed in operation.

APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1 and 2. This is required so that the plant can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room.

This LCO is not applicable in MODES 3, 4, and 5. In these MODES, the plant is already subcritical and in a condition of reduced Reactor Coolant System energy. Under these conditions, considerable time is available to restore necessary instrument control Functions if control room instruments or control becomes unavailable. Consequently, the TS do not require OPERABILITY in MODES 3, 4, and 5.

ACTIONS A Note is included that excludes the MODE change restriction of LCO 3.0.4. This exception allows entry into an applicable MODE while relying on the ACTIONS even though the ACTIONS may eventually require a plant shutdown. This exception is acceptable due to the low probability of an event requiring this system.

Note 2 has been provided to modify the ACTIONS related to Remote Shutdown System Functions. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable Remote Shutdown System Functions provide appropriate compensatory measures for separate Functions. As such, a Note has been provided that allows separate Condition entry for each inoperable Remote Shutdown System Function.

A.1 Condition A addresses the situation where one or more required Functions of the Remote Shutdown System is inoperable. This includes the control and transfer switches for any required function.

The Required Action is to restore the Function (all required channels) to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.

B.1 If the Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time is reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS SR 3.3.3.2.1

SR 3.3.3.2.1 verifies each required Remote Shutdown System transfer switch and control circuit performs the intended function. This verification is performed from the remote shutdown panel and locally, as appropriate. Operation of equipment from the remote shutdown panel is not necessary. The Surveillance can be satisfied by performance of a continuity check of the circuitry. This will ensure that if the control room becomes inaccessible, the plant can be placed and maintained in MODE 3 from the remote shutdown panel and the local control stations. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience indicates that Remote Shutdown System control channels will pass the Surveillance when performed at the 24 month Frequency.

SR 3.3.3.2.2 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. The test verifies the channel responds to measured parameter values with the necessary range and accuracy. The 24 month Frequency is based upon operating experience and consistency with the plant refueling cycle.

REFERENCES 1. UFSAR, Section 1.5.1.

2. UFSAR, Section 7.18.

Table B 3.3.3.2-1 Remote Shutdown System Instrumentation

FUNCTION REQUIRED NUMBER OF CHANNELS

Instrument Parameter

1. Reactor Pressure 2 2
2. Reactor Level (Wide Range) 2
3. Torus Temperature
4. Torus Level 1
5. Condensate Storage Tank Level 1
6. RCIC Flow 1
7. RCIC Turbine Speed 1
8. RCIC Pump Suction Pressure 1
9. RCIC Pump Discharge Pressure 1
10. RCIC Turbine Supply Pressure 1 2
11. RCIC Turbine Exhaust Pressure 1
12. Drywell Pressure 1

Transfer/Control Parameter

13. RCIC Pump Flow 1
14. RCIC Drain Isolation to Radwaste 1
15. RCIC Steam Pot Drain Steam Trap Bypass 1
16. RCIC Drain Isolation to Main Condenser 2
17. RCIC Exhaust Line Drain Isolation (1/valve) 2
18. RCIC Steam Isolation (1/valve)
19. RCIC Suction from Condensate Storage Tank 1
20. RCIC Pump Discharge 2 (1/valve) 1
21. RCIC Minimum Flow
22. RCIC Pump Discharge to Full Flow Test Line 1
23. RCIC Suction from Torus 2 (1/valve)
24. RCIC Steam Supply 1
25. RCIC Lube Oil Cooler Valve 1 1
26. RCIC Trip Throttle Valve Operator Position 1
27. RCIC Trip Throttle Valve Position 1
28. RCIC Vacuum Breaker 1
29. RCIC Condensate Pump 1
30. RCIC Vacuum Pump
31. Safety/Relief Valves (S/RVs) 3 (1/valve)
32. "A" CRD Pump 1
33. "B" CRD Pump
34. RHR Shutdown Cooling Isolation 2 (1/valve)
35. Auto Isolation Reset 2 (1/division)
36. Instrument Transfer 5 (1/transfer switch)
37. E223 Breaker 1
38. E323 Breaker 1
39. E243 Breaker 1
40. E343 Breaker 1
41. E234 Breaker 1
42. E213 Breaker 1
43. E313 Breaker 1
44. E233 Breaker 1
45. E333 Breaker 1

ATWS-RPT Instrumentation B 3.3.4.1 B 3.3 INSTRUMENTATION B 3.3.4.1 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation BASES BACKGROUND The ATWS-RPT System initiates an RPT, adding negative reactivity, following events in which a scram does not (but should) occur, to lessen the effects of an ATWS event. Tripping the recirculation pumps adds negative reactivity from the increase in steam voiding in the core area as core flow decreases. When Reactor Vessel Water Level-Low Low (Level 2) or Reactor Pressure-High setpoint is reached, the recirculation pump drive motor breakers trip.

The ATWS-RPT System includes sensors, relays, and switches that are necessary to cause initiation of an RPT. The channels include electronic equipment that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs an ATWS-RPT signal to the trip logic.

The ATWS-RPT consists of two trip systems. There are two ATWS-RPT Functions: Reactor Pressure-High and Reactor Vessel Water Level-Low Low (Level 2). Each trip system has two channels of Reactor Pressure-High and two channels of Reactor Vessel Water Level-Low Low (Level 2). Each ATWS-RPT trip system is a one-out-of-two logic for each Function. Thus, one Reactor Water Level-Low Low (Level 2) or one Reactor Pressure-High signal is needed to trip a trip system. Both trip systems must be in a tripped condition to initiate the trip of both recirculation pumps (by tripping the respective recirculation pump drive motor breakers). There is one recirculation pump drive motor breaker provided for each of the two recirculation pumps for a total of two breakers.
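The voting arrangement described above, modeled as an added Python example (not part of the Bases and not plant or vendor code): it checks that no single channel failing to actuate blocks the RPT and that no single spurious channel signal causes one. The channel identifiers and the fault-injection parameters are assumptions made for the example.

```python
"""ATWS-RPT trip logic model (added illustration, not plant or vendor code)."""
from itertools import combinations

# Labels chosen for this example (assumptions), not plant identifiers.
PRESSURE_HIGH = "reactor_pressure_high"
LEVEL_LOW_LOW = "reactor_vessel_water_level_low_low_level_2"
FUNCTIONS = (PRESSURE_HIGH, LEVEL_LOW_LOW)
TRIP_SYSTEMS = ("A", "B")
CHANNELS_PER_FUNCTION = 2  # per trip system, as stated in the Bases text

# Every channel is identified as (trip system, Function, index): 8 in total.
ALL_CHANNELS = [(ts, fn, idx)
                for ts in TRIP_SYSTEMS
                for fn in FUNCTIONS
                for idx in range(CHANNELS_PER_FUNCTION)]


def channel_outputs(demanded, fail_untripped=(), fail_tripped=()):
    """Return {channel: bool} output relay states.

    demanded       -- Functions whose setpoint has actually been reached
    fail_untripped -- channels that never actuate (fault injection)
    fail_tripped   -- channels that actuate with no demand (fault injection)
    """
    outputs = {}
    for ch in ALL_CHANNELS:
        tripped = ch[1] in demanded
        if ch in fail_untripped:
            tripped = False
        if ch in fail_tripped:
            tripped = True
        outputs[ch] = tripped
    return outputs


def trip_system_tripped(outputs, trip_system):
    """One-out-of-two per Function: any single channel signal trips the system."""
    return any(state for (ts, _fn, _idx), state in outputs.items()
               if ts == trip_system)


def rpt_initiated(outputs):
    """Both trip systems must be tripped to trip both pump motor breakers."""
    return all(trip_system_tripped(outputs, ts) for ts in TRIP_SYSTEMS)


def tolerates_any_single_fail_untripped(demanded):
    """True if the RPT still initiates with any one channel failed untripped."""
    return all(rpt_initiated(channel_outputs(demanded, fail_untripped=(ch,)))
               for ch in ALL_CHANNELS)


def no_single_spurious_actuation():
    """True if no single spuriously tripped channel initiates an RPT."""
    return not any(rpt_initiated(channel_outputs((), fail_tripped=(ch,)))
                   for ch in ALL_CHANNELS)


def min_fail_untripped_to_lose_rpt(demanded):
    """Smallest number of failed-untripped channels that blocks the RPT."""
    for k in range(len(ALL_CHANNELS) + 1):
        for combo in combinations(ALL_CHANNELS, k):
            outputs = channel_outputs(demanded, fail_untripped=combo)
            if not rpt_initiated(outputs):
                return k
    return None


if __name__ == "__main__":
    print("single fail-untripped tolerated (pressure demand):",
          tolerates_any_single_fail_untripped((PRESSURE_HIGH,)))
    print("no single spurious actuation:", no_single_spurious_actuation())
    print("channel failures needed to block RPT, pressure demand only:",
          min_fail_untripped_to_lose_rpt((PRESSURE_HIGH,)))
    print("channel failures needed to block RPT, both Functions demanded:",
          min_fail_untripped_to_lose_rpt(FUNCTIONS))
```

The model covers only the channel voting; the recirculation pump drive motor breakers, which the Bases also include in channel OPERABILITY, are not represented.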

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY The ATWS-RPT is not assumed in the safety analysis. The ATWS-RPT initiates an RPT to aid in preserving the integrity of the fuel cladding following events in which a scram does not, but should, occur. Based on its contribution to the reduction of overall plant risk, however, the instrumentation meets Criterion 4 of the NRC Policy Statement.

The OPERABILITY of the ATWS-RPT is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have a required number of OPERABLE channels in each trip system, with their setpoints within the specified Allowable Value of SR 3.3.4.1.3. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Channel OPERABILITY also includes the associated recirculation pump drive motor breakers. A channel is inoperable if its actual trip setting is not within its required Allowable Value.

Allowable Values are specified for each ATWS-RPT Function specified in the LCO. Trip setpoints are specified in the setpoint calculations. The trip setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device changes state.

The analytic or design limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic or design limits, corrected for calibration, process, and instrument errors as well as instrument drift.

In selected cases, the Allowable Values and trip setpoints are determined by engineering judgement or historically accepted practice relative to the intended function of the channel. The trip setpoints determined in this manner provide adequate protection by assuring instrument and process uncertainties expected for the environments during the operating time of the associated channels are accounted for.

The individual Functions are required to be OPERABLE in MODE 1 to protect against common mode failures of the Reactor Protection System by providing a diverse trip to mitigate the consequences of a postulated ATWS event. The Reactor Pressure-High and Reactor Vessel Water Level-Low Low (Level 2) Functions are required to be OPERABLE in MODE 1 since the reactor is producing significant power and the recirculation system could be at high flow. During this MODE, the potential exists for pressure increases or low water level, assuming an ATWS event. In MODE 2, the reactor is at low power and the recirculation system is at low flow; thus, the potential is low for a pressure increase or low water level, assuming an ATWS event. Therefore, the ATWS-RPT is not necessary. In MODES 3 and 4, the reactor is shut down with all control rods inserted; thus, an ATWS event is not significant and the possibility of a significant pressure increase or low water level is negligible. In MODE 5, the one rod out interlock ensures that the reactor remains subcritical; thus, an ATWS event is not significant. In addition, the reactor pressure vessel (RPV) head is not fully tensioned and no pressure transient threat to the reactor coolant pressure boundary (RCPB) exists.

The specific Applicable Safety Analyses and LCO discussions are listed below on a Function by Function basis.

a. Reactor Vessel Water Level-Low Low (Level 2)

Low RPV water level indicates that a reactor scram should have occurred and the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The ATWS-RPT System is initiated at Level 2 to assist in the mitigation of the ATWS event. The resultant reduction of core flow reduces the neutron flux and THERMAL POWER and, therefore, the rate of coolant boiloff.

Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

Four channels of Reactor Vessel Water Level-Low Low (Level 2), with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Vessel Water Level-Low Low (Level 2) Allowable Value is chosen so that the system will not be initiated after a Level 3 scram with feedwater still available, and for convenience with the reactor core isolation cooling initiation.

b. Reactor Pressure-High

Excessively high RPV pressure may rupture the RCPB. An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This increases neutron flux and THERMAL POWER, which could potentially result in fuel failure and overpressurization. The Reactor Pressure-High Function initiates an RPT for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power generation. For the overpressurization event, the RPT aids in the termination of the ATWS event and, along with the safety/relief valves, limits the peak RPV pressure to less than the ASME Section III Code limits.

The Reactor Pressure-High signals are initiated from four pressure transmitters that monitor reactor steam dome pressure. Four channels of Reactor Pressure-High, with two channels in each trip system, are available and are required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Pressure-High Allowable Value is chosen to provide an adequate margin to the ASME Section III Code limits.

ACTIONS A Note has been provided to modify the ACTIONS related to ATWS-RPT instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ATWS-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable ATWS-RPT instrumentation channel.

A.1 and A.2

With one or more channels inoperable, but with ATWS-RPT trip capability for each Function maintained (refer to Required Actions B.1 and C.1 Bases), the ATWS-RPT System is capable of performing the intended function. However, the reliability and redundancy of the ATWS-RPT instrumentation is reduced, such that a single failure in the remaining trip system could result in the inability of the ATWS-RPT System to perform the intended function. Therefore, only a limited time is allowed to restore the inoperable channels to OPERABLE status. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of ATWS-RPT, 14 days is provided to restore the inoperable channel (Required Action A.1). Alternately, the inoperable channel may be placed in trip (Required Action A.2), since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel would result in an RPT), or if the inoperable channel is the result of an inoperable breaker, Condition D must be entered and its Required Actions taken.

B.1

Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining ATWS-RPT trip capability. A Function is considered to be maintaining ATWS-RPT trip capability when sufficient channels are OPERABLE or in trip such that the ATWS-RPT System will generate a trip signal from the given Function on a valid signal, and both recirculation pumps can be tripped. This requires one channel of the Function in each trip system to be OPERABLE or in trip, and the recirculation pump drive motor breakers to be OPERABLE or in trip.

The 72 hour Completion Time is sufficient for the operator to take corrective action (e.g., restoration or tripping of channels) and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period and that one Function is still maintaining ATWS-RPT trip capability.

C.1

Required Action C.1 is intended to ensure that appropriate Actions are taken if multiple, inoperable, untripped channels within both Functions result in both Functions not maintaining ATWS-RPT trip capability. The description of a Function maintaining ATWS-RPT trip capability is discussed in the Bases for Required Action B.1 above.

The 1 hour Completion Time is sufficient for the operator to take corrective action and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period.

D.1 and D.2

With any Required Action and associated Completion Time not met, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours (Required Action D.2). Alternately, the associated recirculation pump may be removed from service since this performs the intended function of the instrumentation (Required Action D.1). The allowed Completion Time of 6 hours is reasonable, based on operating experience, both to reach MODE 2 from full power conditions and to remove a recirculation pump from service in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into the associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains ATWS-RPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

This Note is based on the reliability analysis (Ref. 1) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the recirculation pumps will trip when necessary.

SR 3.3.4.1.1

Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the required channels of this LCO.

SR 3.3.4.1.2

A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analysis of Reference 1.

SR 3.3.4.1.3

A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.4.1.4

The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the pump breakers is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a breaker is incapable of operating, the associated instrument channel(s) would be inoperable.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown these components will pass the Surveillance when performed at the 24 month Frequency.

REFERENCES 1. GENE-770-06-1, "Bases for Changes To Surveillance Test Intervals and Allowed Out-of-Service Times For Selected Instrumentation Technical Specifications," February 1991.

EOC-RPT Instrumentation B 3.3.4.2

B 3.3 INSTRUMENTATION

B 3.3.4.2 End of Cycle Recirculation Pump Trip (EOC-RPT) Instrumentation

BASES

BACKGROUND The EOC-RPT instrumentation initiates a recirculation pump trip (RPT) to reduce the peak reactor pressure and power resulting from turbine trip or generator load rejection transients and to minimize the decrease in core MCPR during these transients.

The benefit of the additional negative reactivity in excess of that normally inserted on a scram reflects end of cycle reactivity considerations. Flux shapes at the end of cycle are such that the control rods insert only a small amount of negative reactivity during the first few feet of rod travel upon a scram caused by Turbine Control Valve (TCV) Fast Closure, Trip Oil Pressure-Low or Turbine Stop Valve (TSV)-Closure. The physical phenomenon involved is that the void reactivity feedback due to a pressurization transient can add positive reactivity at a faster rate than the control rods can add negative reactivity.

The EOC-RPT instrumentation, as shown in Reference 1, is composed of sensors that detect initiation of closure of the TSVs or fast closure of the TCVs, combined with relays, logic circuits, and fast acting circuit breakers that interrupt power from the recirculation pump motor generator (MG) set generators to each of the recirculation pump motors. When the setpoint is exceeded, the channel output relay actuates, which then outputs an EOC-RPT signal to the trip logic. When the RPT breakers trip open, the recirculation pumps coast down under their own inertia. The EOC-RPT has two identical trip systems, either of which can actuate an RPT.

Each EOC-RPT trip system is a two-out-of-two logic for each Function; thus, either two TSV-Closure or two TCV Fast Closure, Trip Oil Pressure-Low signals are required for a trip system to actuate. If either trip system actuates, both recirculation pumps will trip. There are two EOC-RPT breakers in series per recirculation pump. One trip system trips one of the two EOC-RPT breakers for each recirculation pump, and the second trip system trips the other EOC-RPT breaker for each recirculation pump.

PBAPS UNIT 3 B 3.3-92a Revision No. 28

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY The TSV-Closure and the TCV Fast Closure, Trip Oil Pressure-Low Functions are designed to trip the recirculation pumps in the event of a turbine trip or generator load rejection to mitigate the neutron flux, heat flux, and pressurization transients, and to minimize the decrease in MCPR. The analytical methods and assumptions used in evaluating the turbine trip and generator load rejection, as well as other safety analyses that utilize EOC-RPT, are summarized in References 2, 3, and 4.

To mitigate pressurization transient effects, the EOC-RPT must trip the recirculation pumps after initiation of closure movement of either the TSVs or the TCVs. The combined effects of this trip and a scram reduce fuel bundle power more rapidly than a scram alone so that the Safety Limit MCPR is not exceeded. Alternatively, APLHGR limits (power-dependent APLHGR multiplier, MAPFACP of LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"), the MCPR operating limits and the power-dependent MCPR limits (MCPR) (LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") for an inoperable EOC-RPT, as specified in the COLR, are sufficient to allow this LCO to be met. The EOC-RPT function is automatically disabled when turbine first stage pressure is < 30% RTP.

EOC-RPT instrumentation satisfies Criterion 3 of the NRC Policy Statement.

The OPERABILITY of the EOC-RPT is dependent on the OPERABILITY of the individual instrumentation channel Functions, i.e., the TSV-Closure and the TCV Fast Closure, Trip Oil Pressure-Low Functions. Each Function must have a required number of OPERABLE channels in each trip system, with their setpoints within the specified Allowable Value of SR 3.3.4.2.3. Channel OPERABILITY also includes the associated EOC-RPT breakers. Each channel (including the associated EOC-RPT breakers) must also respond within its assumed response time.

Allowable Values are specified for each EOC-RPT Function specified in the LCO. Trip setpoints are specified in the plant design documentation. The trip setpoints are selected to ensure that the actual setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setting is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameters (e.g., TSV position), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., limit switch) changes state. The analytic limit for the TCV Fast Closure, Trip Oil Pressure-Low Function was determined based on the TCV hydraulic oil circuit design. The Allowable Value is derived from the analytic limit, corrected for calibration, process, and instrument errors. The trip setpoint is determined from the analytical limit corrected for calibration, process, and instrumentation errors, as well as instrument drift, as applicable. The Allowable Value and trip setpoint for the TSV-Closure Function were determined by engineering judgment and historically accepted practice for similar trip functions.

The specific Applicable Safety Analysis, LCO, and Applicability discussions are listed below on a Function by Function basis.

Alternatively, since the instrumentation protects against a MCPR SL violation, with the instrumentation inoperable, modifications to the APLHGR limits (power-dependent APLHGR multiplier, MAPFACP of LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"), the MCPR operating limits and the power-dependent MCPR limits (MCPR) (LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") may be applied to allow this LCO to be met. The appropriate MCPR operating limits and power-dependent thermal limit adjustments for the EOC-RPT inoperable condition are specified in the COLR.

Turbine Stop Valve-Closure

Closure of the TSVs and a main turbine trip result in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited.

Therefore, an RPT is initiated on TSV-Closure in anticipation of the transients that would result from closure of these valves. EOC-RPT decreases peak reactor power and aids the reactor scram in ensuring that the MCPR SL is not exceeded during the worst case transient.

Closure of the TSVs is determined by measuring the position of each valve. There are position switches associated with each stop valve, the signal from each switch being assigned to a separate trip channel. The logic for the TSV-Closure Function is such that two or more TSVs must be closed to produce an EOC-RPT. This Function must be enabled at THERMAL POWER ≥ 30% RTP as measured at the turbine first stage pressure. This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. Four channels of TSV-Closure, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure will preclude an EOC-RPT from this Function on a valid signal.

The TSV-Closure Allowable Value is selected to detect imminent TSV closure.

This EOC-RPT Function is required, consistent with the safety analysis assumptions, whenever THERMAL POWER is ≥ 30% RTP. Below 30% RTP, the Reactor Pressure-High and the Average Power Range Monitor (APRM) Scram Clamp Functions of the Reactor Protection System (RPS) are adequate to maintain the necessary safety margins.

Turbine Control Valve Fast Closure, Trip Oil Pressure-Low

Fast closure of the TCVs during a generator load rejection results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, an RPT is initiated on TCV Fast Closure, Trip Oil Pressure-Low in anticipation of the transients that would result from the closure of these valves. The EOC-RPT decreases peak reactor power and aids the reactor scram in ensuring that the MCPR SL is not exceeded during the worst case transient.

Fast closure of the TCVs is determined by measuring the electrohydraulic control fluid pressure at each control valve. There is one pressure switch associated with each control valve, and the signal from each switch is assigned to a separate trip channel. The logic for the TCV Fast Closure, Trip Oil Pressure-Low Function is such that two or more TCVs must be closed (pressure switch trips) to produce an EOC-RPT. This Function must be enabled at THERMAL POWER ≥ 30% RTP as measured at the turbine first stage pressure. This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. Four channels of TCV Fast Closure, Trip Oil Pressure-Low, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure will preclude an EOC-RPT from this Function on a valid signal. The TCV Fast Closure, Trip Oil Pressure-Low Allowable Value is selected high enough to detect imminent TCV fast closure.

This protection is required consistent with the safety analysis whenever THERMAL POWER is ≥ 30% RTP. Below 30% RTP, the Reactor Pressure-High and the APRM Scram Clamp Functions of the RPS are adequate to maintain the necessary safety margins.

ACTIONS A Note has been provided to modify the ACTIONS related to EOC-RPT instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable EOC-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable EOC-RPT instrumentation channel.

A.1

With one or more channels inoperable, but with EOC-RPT trip capability maintained (refer to Required Action B.1 Bases), the EOC-RPT System is capable of performing the intended function. However, the reliability and redundancy of the EOC-RPT instrumentation is reduced such that a single failure in the remaining trip system could result in the inability of the EOC-RPT System to perform the intended function. Therefore, only a limited time is allowed to restore compliance with the LCO. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of an EOC-RPT, 72 hours is provided to restore the inoperable channels (Required Action A.1). Alternately, the inoperable channels may be placed in trip (Required Action A.2) since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an RPT, or if the inoperable channel is the result of an inoperable breaker), Condition C must be entered and its Required Actions taken.

B.1

Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining EOC-RPT trip capability. A Function is considered to be maintaining EOC-RPT trip capability when sufficient channels are OPERABLE or in trip, such that the EOC-RPT System will generate a trip signal from the given Function on a valid signal and both recirculation pumps can be tripped. This requires two channels of the Function in the same trip system, to each be OPERABLE or in trip, and the associated EOC-RPT breakers to be OPERABLE.

The 2 hour Completion Time is sufficient time for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of the EOC-RPT instrumentation during this period. It is also consistent with the 2 hour Completion Time provided in LCO 3.2.1 and 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a thermal limit violation.
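The two voting arrangements and the "trip capability" definitions in the B.1 Bases for ATWS-RPT and EOC-RPT can be compared side by side in a small model. The Python below is an added illustration, not part of the submittal: the names (`Ch`, `fresh`, `condition` and the rest) are hypothetical, breakers are assumed OPERABLE, and the Condition lookup is a simplified reading that returns only the most limiting Condition and Completion Time stated in these Bases.

```python
from enum import Enum

class Ch(Enum):
    OPERABLE = 1     # responds to a valid signal
    IN_TRIP = 2      # inoperable, but placed in trip (output held tripped)
    INOPERABLE = 3   # inoperable and untripped: contributes nothing

SYSTEMS = ("A", "B")  # two trip systems, two channels per Function in each
ATWS_FUNCS = ("Reactor Pressure-High",
              "Reactor Vessel Water Level-Low Low (Level 2)")
EOC_FUNCS = ("TSV-Closure", "TCV Fast Closure, Trip Oil Pressure-Low")

def fresh(functions):
    """All channels OPERABLE: {Function: {trip system: [ch1, ch2]}}."""
    return {f: {s: [Ch.OPERABLE, Ch.OPERABLE] for s in SYSTEMS}
            for f in functions}

def _output(ch, demand):
    # A channel output is tripped if it was placed in trip, or if it is
    # OPERABLE and its process parameter is past the setpoint.
    return ch is Ch.IN_TRIP or (ch is Ch.OPERABLE and demand)

def _usable(ch):
    return ch is not Ch.INOPERABLE

def atws_actuates(chs, demanded):
    """ATWS-RPT: one-out-of-two per Function inside a trip system,
    and BOTH trip systems must be tripped to trip the pumps."""
    def system_tripped(s):
        return any(_output(c, f in demanded) for f in chs for c in chs[f][s])
    return all(system_tripped(s) for s in SYSTEMS)

def eoc_actuates(chs, demanded):
    """EOC-RPT: two-out-of-two per Function inside a trip system,
    and EITHER trip system trips both pumps."""
    def system_tripped(s):
        return any(all(_output(c, f in demanded) for c in chs[f][s])
                   for f in chs)
    return any(system_tripped(s) for s in SYSTEMS)

def atws_capable(chs, f):
    # B.1 Bases: one channel of the Function in EACH trip system
    # OPERABLE or in trip.
    return all(any(_usable(c) for c in chs[f][s]) for s in SYSTEMS)

def eoc_capable(chs, f):
    # B.1 Bases: two channels of the Function in the SAME trip system,
    # each OPERABLE or in trip.
    return any(all(_usable(c) for c in chs[f][s]) for s in SYSTEMS)

# Key = number of Functions that lost trip capability (0 means capability
# is maintained but an untripped inoperable channel exists).
ATWS_TABLE = {0: ("A", "14 days"), 1: ("B", "72 hours"), 2: ("C", "1 hour")}
EOC_TABLE = {0: ("A", "72 hours"), 1: ("B", "2 hours"), 2: ("B", "2 hours")}

def condition(chs, capable, table):
    """Most limiting (Condition, Completion Time), or None if every
    channel is OPERABLE or already in trip."""
    lost = [f for f in chs if not capable(chs, f)]
    if lost:
        return table[min(len(lost), 2)]
    untripped = any(c is Ch.INOPERABLE
                    for f in chs for s in SYSTEMS for c in chs[f][s])
    return table[0] if untripped else None

if __name__ == "__main__":
    # Constructed case: the same two failures, one channel of the first
    # Function lost in each trip system, applied to both designs.
    for name, funcs, cap, tab in (("ATWS-RPT", ATWS_FUNCS, atws_capable, ATWS_TABLE),
                                  ("EOC-RPT", EOC_FUNCS, eoc_capable, EOC_TABLE)):
        chs = fresh(funcs)
        chs[funcs[0]]["A"][0] = Ch.INOPERABLE
        chs[funcs[0]]["B"][1] = Ch.INOPERABLE
        print(name, cap(chs, funcs[0]), condition(chs, cap, tab))
```

The same pair of failures leaves ATWS-RPT trip capability intact but removes it for EOC-RPT, while two failed channels in a single trip system has the opposite effect.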

C.1 and C.2

With any Required Action and associated Completion Time not met, THERMAL POWER must be reduced to < 30% RTP within 4 hours. Alternately, for an inoperable breaker (e.g., the breaker may be inoperable such that it will not open) the associated recirculation pump may be removed from service, since this performs the intended function of the instrumentation. The allowed Completion Time of 4 hours is reasonable, based on operating experience, to reduce THERMAL POWER to < 30% RTP from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains EOC-RPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 5) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the recirculation pumps will trip when necessary.

SR 3.3.4.2.1

A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

The Frequency of 92 days is based on reliability analysis of Reference 5.

SR 3.3.4.2.2 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.4.2.3 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the pump breakers is included as a part of this test, overlapping the LOGIC SYSTEM FUNCTIONAL TEST, to provide complete testing of the associated safety function. Therefore, if a breaker is incapable of operating, the associated instrument channel(s) would also be inoperable.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

SR 3.3.4.2.4 This SR ensures that an EOC-RPT initiated from the TSV-Closure and TCV Fast Closure, Trip Oil Pressure-Low Functions will not be inadvertently bypassed when THERMAL POWER is > 30% RTP. This involves calibration of the bypass channels. Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint.

Because main turbine bypass flow can affect this setpoint nonconservatively (THERMAL POWER is derived from first stage pressure) the main turbine bypass valves must remain closed during the calibration at THERMAL POWER ≥ 30% RTP to ensure that the calibration remains valid. If any bypass channel's setpoint is nonconservative (i.e., the Functions are bypassed at > 30% RTP, either due to open main turbine bypass valves or other reasons), the affected TSV-Closure and TCV Fast Closure, Trip Oil Pressure-Low Functions are considered inoperable. Alternatively, the bypass channel can be placed in the conservative condition (nonbypass). If placed in the nonbypass condition, this SR is met with the channel considered OPERABLE.

The Frequency of 24 months is based on engineering judgement and reliability of the components.

SR 3.3.4.2.5 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis. The EOC-RPT SYSTEM RESPONSE TIME acceptance criterion is included in Reference 6.

A Note to the Surveillance states that breaker interruption time may be assumed from the most recent performance of SR 3.3.4.2.6. This is allowed since the time to open the contacts after energization of the trip coil and the arc suppression time are short and do not appreciably change, due to the design of the breaker opening device and the fact that the breaker is not routinely cycled.

EOC-RPT SYSTEM RESPONSE TIME tests are conducted on a 24 month STAGGERED TEST BASIS. Response times cannot be determined at power because operation of final actuated devices is required. Therefore, the 24 month Frequency is consistent with the typical industry refueling cycle and is based upon plant operating experience, which shows that random failures of instrumentation components that cause serious response time degradation, but not channel failure, are infrequent occurrences.

SR 3.3.4.2.6 This SR ensures that the RPT breaker interruption time (arc suppression time plus time to open the contacts) is provided to the EOC-RPT SYSTEM RESPONSE TIME test. The 60 month Frequency of the testing is based on the difficulty of performing the test and the reliability of the circuit breakers.

REFERENCES 1. UFSAR, Figure 7.9.4A, Sheet 3 of 3 (EOC-RPT logic diagram).
2. UFSAR, Section 7.9.4.4.3.
3. UFSAR, Section 14.5.1.2.4.
4. NEDE-24011-P-A, "General Electric Standard Application for Reactor Fuel," latest approved version.
5. GENE-770-06-1-A, "Bases for Changes to Surveillance Test Intervals and Allowed Out-Of-Service Times for Selected Instrumentation Technical Specifications," December 1992.
6. Core Operating Limits Report.


ECCS Instrumentation B 3.3.5.1 B 3.3 INSTRUMENTATION B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient.

For most abnormal operational transients and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.

The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant injection (HPCI), Automatic Depressurization System (ADS), and the diesel generators (DGs). The equipment involved with each of these systems is described in the Bases for LCO 3.5.1, "ECCS-Operating."

Core Spray System The CS System may be initiated by automatic means.

Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low Low (Level 1) or Drywell Pressure-High with a Reactor Pressure-Low permissive. The reactor vessel water level and the reactor pressure variables are monitored by four redundant transmitters, which are, in turn, connected to four pressure compensation instruments. The drywell pressure variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the pressure compensation instruments and the trip units are connected to relays which send signals to two trip systems, with each trip system arranged in a one-out-of-two taken twice logic (each trip unit sends a signal to both trip systems). Each trip system initiates two of the four CS pumps.
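The one-out-of-two taken twice arrangement described above can be checked against single instrument failures by exhaustive enumeration. The following Python sketch is an added illustration and is not part of the licensee's document; the channel names A to D and the pairing (A, B) / (C, D) are assumptions, and the two-out-of-two case is included for comparison because this section cites that arrangement for the HPCI Level 8 trip.

```python
from itertools import combinations

# Channel names and pairing are assumptions made for this illustration.
FOUR_CHANNELS = ("A", "B", "C", "D")
TWO_CHANNELS = ("A", "B")


def one_out_of_two_taken_twice(tripped):
    """Actuate when at least one channel in EACH pair has tripped."""
    return (tripped["A"] or tripped["B"]) and (tripped["C"] or tripped["D"])


def two_out_of_two(tripped):
    """Actuate only when both channels have tripped."""
    return tripped["A"] and tripped["B"]


def defeating_failures(logic, channels, n_failed):
    """Return every set of n_failed channels that, if stuck untripped while
    all healthy channels trip on a real demand, blocks actuation."""
    blocked = []
    for failed in combinations(channels, n_failed):
        state = {ch: ch not in failed for ch in channels}
        if not logic(state):
            blocked.append(failed)
    return blocked


def spurious_actuations(logic, channels, n_failed):
    """Return every set of n_failed channels that, if spuriously tripped
    while all healthy channels stay untripped, causes actuation."""
    actuated = []
    for failed in combinations(channels, n_failed):
        state = {ch: ch in failed for ch in channels}
        if logic(state):
            actuated.append(failed)
    return actuated


def summarize(name, logic, channels):
    """Print the failure sets of size 1 and 2 for one voting arrangement."""
    print(name)
    for n in (1, 2):
        if n > len(channels):
            continue
        print(f"  {n} stuck untripped, trip blocked by:",
              defeating_failures(logic, channels, n))
        print(f"  {n} spuriously tripped, actuation caused by:",
              spurious_actuations(logic, channels, n))


if __name__ == "__main__":
    summarize("one-out-of-two taken twice",
              one_out_of_two_taken_twice, FOUR_CHANNELS)
    summarize("two-out-of-two", two_out_of_two, TWO_CHANNELS)
```

With this pairing, no single channel failure either blocks or causes actuation; it takes both channels of one pair failing untripped to block it. In two-out-of-two logic a single spurious trip also cannot actuate, but a single stuck channel blocks the trip.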

Upon receipt of an initiation signal, if normal AC power is available, CS pumps A and C start after a time delay of approximately 13 seconds and CS pumps B and D start after a time delay of approximately 23 seconds. If normal AC power is not available, the four CS pumps start simultaneously after a time delay of approximately 6 seconds after the respective DG is ready to load.


PBAPS UNIT 3 B 3.3-93 Revision No. 3


The CS test line isolation valve, which is also a primary containment isolation valve (PCIV), is closed on a CS initiation signal to allow full system flow assumed in the accident analyses and maintain primary containment isolated in the event CS is not operating.

The CS pump discharge flow is monitored by a differential pressure indicating switch. When the pump is running and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the accident analysis.

The CS System also monitors the pressure in the reactor to ensure that, before the injection valves open, the reactor pressure has fallen to a value below the CS System's maximum design pressure. The variable is monitored by four redundant transmitters, which are, in turn, connected to four pressure compensation instruments. The outputs of the pressure compensation instruments are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

Low Pressure Coolant Injection System The LPCI is an operating mode of the Residual Heat Removal (RHR) System, with two LPCI subsystems. The LPCI subsystems may be initiated by automatic means. Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low Low (Level 1); Drywell Pressure-High with a Reactor Pressure-Low (Injection Permissive). The drywell pressure variable is monitored by four redundant transmitters, which, in turn, are connected to four trip units. The reactor vessel water level and the reactor pressure variables are monitored by four redundant transmitters, which are, in turn, connected to four pressure compensation instruments.

The outputs of the trip units and pressure compensation instruments are connected to relays which send signals to two trip systems, with each trip system arranged in a one-out-of-two taken twice logic (each trip unit sends a signal to both trip systems). Each trip system can initiate all four LPCI pumps.


Upon receipt of an initiation signal if normal AC power is available, the LPCI A and B pumps start after a delay of approximately 2 seconds. The LPCI C and D pumps are started after a delay of approximately 8 seconds. If normal AC power is not available, the four LPCI pumps start simultaneously with no delay as soon as the standby power source is available.

Each LPCI subsystem's discharge flow is monitored by a differential pressure indicating switch. When a pump is running and discharge flow is low enough so that pump overheating may occur, the respective minimum flow return line valve is opened. If flow is above the minimum flow setpoint, the valve is automatically closed to allow the full system flow assumed in the analyses.

The RHR test line suppression pool cooling isolation valve, suppression pool spray isolation valves, and containment spray isolation valves (which are also PCIVs) are also closed on a LPCI initiation signal to allow the full system flow assumed in the accident analyses and maintain primary containment isolated in the event LPCI is not operating.

The LPCI System monitors the pressure in the reactor to ensure that, before an injection valve opens, the reactor pressure has fallen to a value below the LPCI System's maximum design pressure. The variable is monitored by four redundant transmitters, which are, in turn, connected to four pressure compensation instruments. The outputs of the pressure compensation instruments are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. Additionally, instruments are provided to close the recirculation pump discharge valves to ensure that LPCI flow does not bypass the core when it injects into the recirculation lines. The variable is monitored by four redundant transmitters, which are, in turn, connected to four pressure compensation instruments. The outputs of the pressure compensation instruments are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.


Low reactor water level in the shroud is detected by two additional instruments. When the level is greater than the low level setpoint LPCI may no longer be required, therefore other modes of RHR (e.g., suppression pool cooling) are allowed. Manual overrides for the isolations below the low level setpoint are provided.

High Pressure Coolant Injection System The HPCI System may be initiated by automatic means.

Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low (Level 2) or Drywell Pressure-High.

The reactor vessel water level variable is monitored by four redundant transmitters, which are, in turn, connected to four pressure compensation instruments. The drywell pressure variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the pressure compensation instruments and the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic for each Function.

The HPCI pump discharge flow is monitored by a flow switch.

When the pump is running and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the safety analysis.

The HPCI test line isolation valve (which is also a PCIV) is closed upon receipt of a HPCI initiation signal to allow the full system flow assumed in the accident analysis and maintain primary containment isolated in the event HPCI is not operating.

The HPCI System also monitors the water levels in the condensate storage tank (CST) and the suppression pool because these are the two sources of water for HPCI operation. Reactor grade water in the CST is the normal source. Upon receipt of a HPCI initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless both suppression pool suction valves are open. If the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST. Either switch can cause the suppression pool suction valves to open and the CST suction valve to close. The suppression pool suction valves also automatically open and the CST suction valve closes if high water level is detected in the suppression pool. To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be open before the other automatically closes.

The HPCI provides makeup water to the reactor until the reactor vessel water level reaches the Reactor Vessel Water Level-High (Level 8) trip, at which time the HPCI turbine trips, which causes the turbine's stop valve and the control valves to close. The logic is two-out-of-two to provide high reliability of the HPCI System. The HPCI System automatically restarts if a Reactor Vessel Water Level-Low Low (Level 2) signal is subsequently received.

Automatic Depressurization System The ADS may be initiated by automatic means. Automatic initiation occurs when signals indicating Reactor Vessel Water Level-Low Low Low (Level 1); Drywell Pressure-High or ADS Bypass Low Water Level Actuation Timer; Reactor Vessel Water Confirmatory Level-Low (Level 4); and CS or LPCI Pump Discharge Pressure-High are all present and the ADS Initiation Timer has timed out. There are two transmitters each for Reactor Vessel Water Level-Low Low Low (Level 1) and Drywell Pressure-High, and one transmitter for Reactor Vessel Water Confirmatory Level-Low (Level 4) in each of the two ADS trip systems. Each of these transmitters connects to a trip unit, which then drives a relay whose contacts form the initiation logic.

Each ADS trip system includes a time delay between satisfying the initiation logic and the actuation of the ADS valves. The ADS Initiation Timer time delay setpoint chosen is long enough that the HPCI has sufficient operating time to recover to a level above Level 1, yet not so long that the LPCI and CS Systems are unable to adequately cool the fuel if the HPCI fails to maintain that level. An alarm in the control room is annunciated when either of the timers is timing. Resetting the ADS initiation signals resets the ADS Initiation Timers.

The ADS also monitors the discharge pressures of the four LPCI pumps and the four CS pumps. Each ADS trip system includes two discharge pressure permissive switches from all four LPCI pumps and one discharge pressure permissive switch from all four CS pumps. The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has depressurized the vessel. Two CS pumps in proper combination (C or D and A or B) or any one of the four LPCI pumps is sufficient to permit automatic depressurization.

The ADS logic in each trip system is arranged in two strings. Each string has a contact from each of the following variables: Reactor Vessel Water Level-Low Low Low (Level 1); Drywell Pressure-High; Low Water Level Actuation Timer; and Reactor Vessel Water Level-Low Low Low (Level 1) Permissive. One of the two strings in each trip system must also have a Reactor Vessel Water Confirmatory Level-Low (Level 4). After the contacts for the initiation signal from either drywell pressure or reactor vessel level (and the timer for reactor vessel level timing out) close, the following must be present to initiate an ADS trip system: all other contacts in both logic strings must close, the ADS initiation timer must time out, and a CS or LPCI pump discharge pressure signal must be present. Either the A or B trip system will cause all the ADS relief valves to open. Once the Drywell Pressure-High signal, the ADS Low Water Level Actuation Timer, or the ADS initiation signal is present, it is individually sealed in until manually reset.

Manual inhibit switches are provided in the control room for the ADS; however, their function is not required for ADS OPERABILITY (provided ADS is not inhibited when required to be OPERABLE).

Diesel Generators

The DGs may be initiated by automatic means. Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low Low (Level 1) or Drywell Pressure-High. The DGs are also initiated upon loss of voltage signals. (Refer to the Bases for LCO 3.3.8.1, "Loss of Power (LOP) Instrumentation," for a discussion of these signals.) The reactor vessel water level variable is monitored by four redundant transmitters, which are, in turn, connected to four pressure compensation instruments. The drywell pressure variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the four pressure compensation instruments and the trip units are connected to relays which send signals to two trip systems, with each trip system arranged in a one-out-of-two taken twice logic (each trip unit sends a signal to both trip systems). The B trip system initiates all four DGs, and the A trip system initiates all four DGs. The DGs receive their initiation signals from the CS System initiation logic. The DGs can also be started manually from the control room and locally from the associated DG room. Upon receipt of a loss of coolant accident (LOCA) initiation signal, each DG is automatically started, is ready to load in approximately 10 seconds, and will run in standby conditions (rated voltage and speed, with the DG output breaker open). The DGs will only energize their respective Engineered Safety Feature buses if a loss of offsite power occurs. (Refer to Bases for LCO 3.3.8.1.)

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY The actions of the ECCS are explicitly assumed in the safety analyses of References 1, 2, and 3. The ECCS is initiated to preserve the integrity of the fuel cladding by limiting the post LOCA peak cladding temperature to less than the 10 CFR 50.46 limits.

ECCS instrumentation satisfies Criterion 3 of the NRC Policy Statement. Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

PBAPS UNIT 3 B 3.3-99 Revision No. 23

Table 3.3.5.1-1, footnote (b), is added to show that certain ECCS instrumentation Functions are also required to be OPERABLE to perform DG initiation.

Allowable Values are specified for each ECCS Function specified in the Table. Trip setpoints are specified in the setpoint calculations. The trip setpoints are selected to ensure that the settings do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic or design limits are derived from the limiting values of the process parameters obtained from the safety analysis or other appropriate documents. The Allowable Values are derived from the analytic or design limits, corrected for calibration, process, and instrument errors.

The trip setpoints are determined from analytical or design limits, corrected for calibration, process, and instrument errors, as well as instrument drift. In selected cases, the Allowable Values and trip setpoints are determined from engineering judgement or historically accepted practice relative to the intended functions of the channel. The trip setpoints determined in this manner provide adequate protection by assuming instrument and process uncertainties expected for the environments during the operating time of the associated channels are accounted for. For the Core Spray and LPCI Pump Start-Time Delay Relays, adequate margins for applicable setpoint methodologies are incorporated into the Allowable Values and actual setpoints.

In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or DG) initiation to mitigate the consequences of a design basis transient or accident. To ensure reliable ECCS and DG function, a combination of Functions is required to provide primary and secondary initiation signals.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

Core Spray and Low Pressure Coolant Injection Systems

1.a, 2.a. Reactor Vessel Water Level-Low Low Low (Level 1)

Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result.

The low pressure ECCS and associated DGs are initiated at Reactor Vessel Water Level-Low Low Low (Level 1) to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The DGs are initiated from Function 1.a signals. This Function, in conjunction with a Reactor Pressure-Low (Injection Permissive) signal, also initiates the closure of the Recirculation Discharge Valves to ensure the LPCI subsystems inject into the proper RPV location. The Reactor Vessel Water Level-Low Low Low (Level 1) is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in References 1 and 3. In addition, the Reactor Vessel Water Level-Low Low Low (Level 1) Function is directly assumed in the analysis of the recirculation line break (Ref. 4) and the control rod drop accident (CRDA) analysis. The core cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level-Low Low Low (Level 1) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level-Low Low Low (Level 1) Allowable Value is chosen to allow time for the low pressure core flooding systems to activate and provide adequate cooling.

Four channels of Reactor Vessel Water Level-Low Low Low (Level 1) Function are only required to be OPERABLE when the ECCS or DG(s) are required to be OPERABLE to ensure that no single instrument failure can preclude ECCS and DG initiation. Refer to LCO 3.5.1 and LCO 3.5.2, "ECCS Shutdown," for Applicability Bases for the low pressure ECCS subsystems; LCO 3.8.1, "AC Sources-Operating"; and LCO 3.8.2, "AC Sources-Shutdown," for Applicability Bases for the DGs.

1.b, 2.b. Drywell Pressure-High

High pressure in the drywell could indicate a break in the reactor coolant pressure boundary (RCPB). The low pressure ECCS and associated DGs are initiated upon receipt of the Drywell Pressure-High Function with a Reactor Pressure-Low (Injection Permissive) in order to minimize the possibility of fuel damage. The DGs are initiated from Function 1.b signals. This Function also initiates the closure of the recirculation discharge valves to ensure the LPCI subsystems inject into the proper RPV location. The Drywell Pressure-High Function with a Reactor Pressure-Low (Injection Permissive), along with the Reactor Water Level-Low Low Low (Level 1) Function, is directly assumed in the analysis of the recirculation line break (Ref. 4).

The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

The Drywell Pressure-High Function is required to be OPERABLE when the ECCS or DG is required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the CS and LPCI Drywell Pressure-High Function are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude ECCS and DG initiation. In MODES 4 and 5, the Drywell Pressure-High Function is not required, since there is insufficient energy in the reactor to pressurize the primary containment to Drywell Pressure High setpoint. Refer to LCO 3.5.1 for Applicability Bases for the low pressure ECCS subsystems and to LCO 3.8.1 for Applicability Bases for the DGs.

1.c, 2.c. Reactor Pressure-Low (Injection Permissive)

Low reactor pressure signals are used as permissives for the low pressure ECCS subsystems. This ensures that, prior to opening the injection valves of the low pressure ECCS subsystems or initiating the low pressure ECCS subsystems on a Drywell Pressure-High signal, the reactor pressure has fallen to a value below these subsystems' maximum design pressure and a break inside the RCPB has occurred respectively. This Function also provides permissive for the closure of the recirculation discharge valves to ensure the LPCI subsystems inject into the proper RPV location.

The Reactor Pressure-Low is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in References 1 and 3. In addition, the Reactor Pressure-Low Function is directly assumed in the analysis of the recirculation line break (Ref. 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

The Reactor Pressure-Low signals are initiated from four pressure transmitters that sense the reactor dome pressure.

The Allowable Value is low enough to prevent overpressuring the equipment in the low pressure ECCS, but high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46.

Four channels of Reactor Pressure-Low Function are only required to be OPERABLE when the ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

1.d, 2.g. Core Spray and Low Pressure Coolant Injection Pump Discharge Flow-Low (Bypass)

The minimum flow instruments are provided to protect the associated low pressure ECCS pump from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The LPCI and CS Pump Discharge Flow-Low Functions are assumed to be OPERABLE and capable of closing the minimum flow valves to ensure that the low pressure ECCS flows assumed during the transients and accidents analyzed in References 1, 2, and 3 are met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

One differential pressure switch per ECCS pump is used to detect the associated subsystems' flow rates. The logic is arranged such that each switch causes its associated minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded. The LPCI minimum flow valves are time delayed such that the valves will not open for 10 seconds after the switches detect low flow. The time delay is provided to limit reactor vessel inventory loss during the startup of the RHR shutdown cooling mode. The Pump Discharge Flow-Low Allowable Values are high enough to ensure that the pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core.

Each channel of Pump Discharge Flow-Low Function (four CS channels and four LPCI channels) is only required to be OPERABLE when the associated ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude the ECCS function. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

1.e, 1.f. Core Spray Pump Start-Time Delay Relay

The purpose of this time delay is to stagger the start of the CS pumps that are in each of Divisions I and II to prevent overloading the power source. This Function is necessary when power is being supplied from the offsite sources or the standby power sources (DG). The CS Pump Start-Time Delay Relays are assumed to be OPERABLE in the accident and transient analyses requiring ECCS initiation.

That is, the analyses assume that the pumps will initiate when required and excess loading will not cause failure of the power sources.


PBAPS UNIT 3 B 3.3-104 Revision No. 3


There are eight Core Spray Pump Start-Time Delay Relays, two in each of the CS pump start logic circuits (one for when offsite power is available and one for when offsite power is not available). One of each type of time delay relay is dedicated to a single pump start logic, such that a single failure of a Core Spray Pump Start-Time Delay Relay will not result in the failure of more than one CS pump. In this condition, three of the four CS pumps will remain OPERABLE; thus, the single failure criterion is met (i.e., loss of one instrument does not preclude ECCS initiation).

The Allowable Value for the Core Spray Pump Start-Time Delay Relays is chosen to be long enough so that the power source will not be overloaded and short enough so that ECCS operation is not degraded.

Each channel of Core Spray Pump Start-Time Delay Relay Function is required to be OPERABLE only when the associated CS subsystem is required to be OPERABLE. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the CS subsystems.

2.d. Reactor Pressure-Low Low (Recirculation Discharge Valve Permissive)

Low reactor pressure signals are used as permissives for recirculation discharge valve closure. This ensures that the LPCI subsystems inject into the proper RPV location assumed in the safety analysis. The Reactor Pressure-Low Low is one of the Functions assumed to be OPERABLE and capable of closing the valve during the transients analyzed in References 1 and 3. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Pressure-Low Low Function is directly assumed in the analysis of the recirculation line break (Ref. 4).

The Reactor Pressure-Low Low signals are initiated from four pressure transmitters that sense the reactor pressure.

The Allowable Value is chosen to ensure that the valves close prior to commencement of LPCI injection flow into the core, as assumed in the safety analysis.


Four channels of the Reactor Pressure-Low Low Function are only required to be OPERABLE in MODES 1, 2, and 3 with the associated recirculation pump discharge valve open. With the valve(s) closed, the function of the instrumentation has been performed; thus, the Function is not required. In MODES 4 and 5, the loop injection location is not critical since LPCI injection through the recirculation loop in either direction will still ensure that LPCI flow reaches the core (i.e., there is no significant reactor back pressure).

2.e. Reactor Vessel Shroud Level-Level 0

The Reactor Vessel Shroud Level-Level 0 Function is provided as a permissive to allow the RHR System to be manually aligned from the LPCI mode to the suppression pool cooling/spray or drywell spray modes. The reactor vessel shroud level permissive ensures that water in the vessel is approximately two thirds core height before the manual transfer is allowed. This ensures that LPCI is available to prevent or minimize fuel damage. This function may be overridden during accident conditions as allowed by plant procedures. Reactor Vessel Shroud Level-Level 0 Function is implicitly assumed in the analysis of the recirculation line break (Ref. 4) since the analysis assumes that no LPCI flow diversion occurs when reactor water level is below Level 0.

Reactor Vessel Shroud Level-Level 0 signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Shroud Level-Level 0 Allowable Value is chosen to allow the low pressure core flooding systems to activate and provide adequate cooling before allowing a manual transfer.


Two channels of the Reactor Vessel Shroud Level-Level 0 Function are only required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5, the specified initiation time of the LPCI subsystems is not assumed, and other administrative controls are adequate to control the valves associated with this Function (since the systems that the valves are opened for are not required to be OPERABLE in MODES 4 and 5 and are normally not used).

2.f. Low Pressure Coolant Injection Pump Start-Time Delay Relay

The purpose of this time delay is to stagger the start of the LPCI pumps that are in each of Divisions I and II, to prevent overloading the power source. This Function is only necessary when power is being supplied from offsite sources. The LPCI pumps start simultaneously with no time delay as soon as the standby source is available. The LPCI Pump Start-Time Delay Relays are assumed to be OPERABLE in the accident and transient analyses requiring ECCS initiation. That is, the analyses assume that the pumps will initiate when required and excess loading will not cause failure of the power sources.

There are eight LPCI Pump Start-Time Delay Relays, two in each of the RHR pump start logic circuits. Two time delay relays are dedicated to a single pump start logic. Both timers in the RHR pump start logic would have to fail to prevent an RHR pump from starting within the required time; therefore, the low pressure ECCS pumps will remain OPERABLE; thus, the single failure criterion is met (i.e., loss of one instrument does not preclude ECCS initiation). The Allowable Values for the LPCI Pump Start-Time Delay Relays are chosen to be long enough so that most of the starting transient of the first pump is complete before starting the second pump on the same 4 kV emergency bus and short enough so that ECCS operation is not degraded.

Each channel of LPCI Pump Start-Time Delay Relay Function is required to be OPERABLE only when the associated LPCI subsystem is required to be OPERABLE. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the LPCI subsystems.

High Pressure Coolant Injection (HPCI) System

3.a. Reactor Vessel Water Level-Low Low (Level 2)

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCI System is initiated at Level 2 to maintain level above the top of the active fuel. The Reactor Vessel Water Level-Low Low (Level 2) is one of the Functions assumed to be OPERABLE and capable of initiating HPCI during the transients analyzed in References 1 and 3. Additionally, the Reactor Vessel Water Level-Low Low (Level 2) Function associated with HPCI is credited as a backup to the Drywell Pressure-High Function for initiating HPCI in the analysis of the recirculation line break. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level-Low Low (Level 2) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level-Low Low (Level 2) Allowable Value is high enough such that for complete loss of feedwater flow, the Reactor Core Isolation Cooling (RCIC) System flow with HPCI assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Reactor Vessel Water Level-Low Low Low (Level 1).

Four channels of Reactor Vessel Water Level-Low Low (Level 2) Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.b. Drywell Pressure-High

High pressure in the drywell could indicate a break in the RCPB. The HPCI System is initiated upon receipt of the Drywell Pressure-High Function in order to minimize the possibility of fuel damage. The Drywell Pressure-High Function is directly assumed in the analysis of the recirculation line break (Ref. 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible to be indicative of a LOCA inside primary containment.

Four channels of the Drywell Pressure-High Function are required to be OPERABLE when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for the Applicability Bases for the HPCI System.

3.c. Reactor Vessel Water Level-High (Level 8)

High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to trip the HPCI turbine to prevent overflow into the main steam lines (MSLs). The Reactor Vessel Water Level-High (Level 8) Function is assumed to trip the HPCI turbine in the feedwater controller failure transient analysis if HPCI is initiated.

Reactor Vessel Water Level-High (Level 8) signals for HPCI are initiated from two level transmitters from the wide range water level measurement instrumentation. Both Level 8 signals are required in order to trip the HPCI turbine. This ensures that no single instrument failure can preclude HPCI initiation. The Reactor Vessel Water Level-High (Level 8) Allowable Value is chosen to prevent flow from the HPCI System from overflowing into the MSLs.

Two channels of Reactor Vessel Water Level-High (Level 8) Function are required to be OPERABLE only when HPCI is required to be OPERABLE. Refer to LCO 3.5.1 and LCO 3.5.2 for HPCI Applicability Bases.

3.d. Condensate Storage Tank Level-Low

Low level in the CST indicates the unavailability of an adequate supply of makeup water from this normal source. Normally the suction valves between HPCI and the CST are open and, upon receiving a HPCI initiation signal, water for HPCI injection would be taken from the CST. However, if the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the HPCI pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. The Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.

Condensate Storage Tank Level-Low signals are initiated from two level switches. The logic is arranged such that either level switch can cause the suppression pool suction valves to open and the CST suction valve to close. The Condensate Storage Tank Level-Low Function Allowable Value is high enough to ensure adequate pump suction head while water is being taken from the CST.

Two channels of the Condensate Storage Tank Level-Low Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.e. Suppression Pool Water Level-High

Excessively high suppression pool water could result in the loads on the suppression pool exceeding design values should there be a blowdown of the reactor vessel pressure through the safety/relief valves. Therefore, signals indicating high suppression pool water level are used to transfer the suction source of HPCI from the CST to the suppression pool to eliminate the possibility of HPCI continuing to provide additional water from a source outside containment. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. This Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.

Suppression Pool Water Level-High signals are initiated from two level switches. The logic is arranged such that either switch can cause the suppression pool suction valves to open and the CST suction valve to close. The Allowable Value for the Suppression Pool Water Level-High Function is chosen to ensure that HPCI will be aligned for suction from the suppression pool to prevent HPCI from contributing to any further increase in the suppression pool level.

Two channels of Suppression Pool Water Level-High Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.
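The single-failure statements made above for the HPCI suction transfer (Functions 3.d and 3.e) and for the Level 8 turbine trip (Function 3.c) can be checked by enumerating every single channel fault. The Python model below is an added illustration, not part of the Bases or of any plant design document; the fault states, the function names and the step-wise valve model are assumptions made for the example, and no setpoints are represented.

```python
"""Constructed model of the logic described for Functions 3.c, 3.d and 3.e.

All names, the fault states and the step-wise valve model are illustrative
assumptions; no setpoints or plant design data are represented.
"""
from itertools import product

FAULTS = ("ok", "stuck_off", "stuck_on")


def read(actual, fault):
    """Output of one channel given the true process condition and its fault."""
    if fault == "stuck_off":
        return False          # channel never actuates
    if fault == "stuck_on":
        return True           # channel always actuates
    return actual


def one_of_two(actual, faults):
    """Either channel actuates (CST Level-Low, Suppression Pool Level-High)."""
    return any(read(actual, f) for f in faults)


def two_of_two(actual, faults):
    """Both channels are required (Level 8 trip of the HPCI turbine)."""
    return all(read(actual, f) for f in faults)


def transfer_demand(cst_low, pool_high,
                    cst_faults=("ok", "ok"), pool_faults=("ok", "ok")):
    """Suction transfer is demanded by either Function 3.d or Function 3.e."""
    return one_of_two(cst_low, cst_faults) or one_of_two(pool_high, pool_faults)


def run_transfer(demand, pool_valves_can_open=True, steps=3):
    """Step the valves; return (pool_suction_open, cst_suction_open) per step."""
    pool_open, cst_open = False, True   # normal alignment: suction from the CST
    history = [(pool_open, cst_open)]
    for _ in range(steps):
        if demand:
            if pool_open:
                cst_open = False        # interlock met: CST valve may now close
            elif pool_valves_can_open:
                pool_open = True        # first action: open pool suction valves
        history.append((pool_open, cst_open))
    return history


def suction_always_available(history):
    """True if at least one suction path was open at every step."""
    return all(pool_open or cst_open for pool_open, cst_open in history)


def single_fault_pairs():
    """All two-channel fault assignments with at most one faulted channel."""
    return [p for p in product(FAULTS, repeat=2) if p.count("ok") >= 1]


def missed_transfers():
    """Single faults that block the swap when the condition is real."""
    missed = []
    for faults in single_fault_pairs():
        if not transfer_demand(True, False, cst_faults=faults):
            missed.append(("CST Level-Low", faults))
        if not transfer_demand(False, True, pool_faults=faults):
            missed.append(("Suppression Pool Level-High", faults))
    return missed


def spurious_level8_trips():
    """Single faults that trip the turbine while level is below Level 8."""
    return [f for f in single_fault_pairs() if two_of_two(False, f)]


if __name__ == "__main__":
    print("single faults blocking the suction swap:", missed_transfers())
    print("single faults causing a Level 8 trip:", spurious_level8_trips())
    print("valve sequence on demand:", run_transfer(True))
    print("pool valves fail to open:", run_transfer(True, pool_valves_can_open=False))
```

In this model, if the suppression pool suction valves never open, the CST suction valve stays open, which is the loss-of-suction case the interlock is described as preventing.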

3.f. High Pressure Coolant Injection Pump Discharge Flow-Low (Bypass)

The minimum flow instrument is provided to protect the HPCI pump from overheating when the pump is operating at reduced flow. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The High Pressure Coolant Injection Pump Discharge Flow-Low Function is assumed to be OPERABLE and capable of closing the minimum flow valve to ensure that the ECCS flow assumed during the transients analyzed in Reference 4 is met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

One flow switch is used to detect the HPCI System's flow rate. The logic is arranged such that the transmitter causes the minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded.

The High Pressure Coolant Injection Pump Discharge Flow-Low Allowable Value is high enough to ensure that pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core.

One channel is required to be OPERABLE when the HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

Automatic Depressurization System

4.a. 5.a. Reactor Vessel Water Level-Low Low Low (Level 1)

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function. The Reactor Vessel Water Level-Low Low Low (Level 1) is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accident analyzed in Reference 4. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level-Low Low Low (Level 1) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low Low (Level 1) Function are required to be OPERABLE only when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

The Reactor Vessel Water Level-Low Low Low (Level 1) Allowable Value is chosen to allow time for the low pressure core flooding systems to initiate and provide adequate cooling.

4.b. 5.b. Drywell Pressure-High

High pressure in the drywell could indicate a break in the RCPB. Therefore, ADS receives one of the signals necessary for initiation from this Function in order to minimize the possibility of fuel damage. The Drywell Pressure-High is assumed to be OPERABLE and capable of initiating the ADS during the accidents analyzed in Reference 4. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Drywell Pressure-High signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

Four channels of Drywell Pressure-High Function are only required to be OPERABLE when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.c. 5.c. Automatic Depressurization System Initiation Timer

The purpose of the Automatic Depressurization System Initiation Timer is to delay depressurization of the reactor vessel to allow the HPCI System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited. By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCI System to maintain water level, and then to decide whether or not to allow ADS to initiate, to delay initiation further by recycling the timer, or to inhibit initiation permanently. The Automatic Depressurization System Initiation Timer Function is assumed to be OPERABLE for the accident analysis of Reference 4 that requires ECCS initiation and assumes failure of the HPCI System.

There are two Automatic Depressurization System Initiation Timer relays, one in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Initiation Timer is chosen so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.

Two channels of the Automatic Depressurization System Initiation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.d. 5.d. Reactor Vessel Water Level-Low Low Low (Level 1) (Permissive)

Low reactor water level signals are used as permissives in the ADS trip systems. This ensures that, after a high drywell pressure signal or a low reactor water level signal (Level 1) is received and the timer times out, a low reactor water level (Level 1) signal is present to allow the ADS initiation (after a confirmatory Level 4 signal; see Bases for Functions 4.e, 5.e, Reactor Vessel Water Confirmatory Level-Low (Level 4)).

Reactor Vessel Water Level-Low Low Low (Level 1) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Water Level-Low Low Low (Level 1) Allowable Value is chosen to allow time for the low pressure core flooding system to initiate and provide adequate cooling.

Four channels of the Reactor Vessel Water Level-Low Low Low (Level 1) Function are required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.e. 5.e. Reactor Vessel Water Confirmatory Level-Low (Level 4)

The Reactor Vessel Water Confirmatory Level-Low (Level 4) Function is used by the ADS only as a confirmatory low water level signal. ADS receives one of the signals necessary for initiation from Reactor Vessel Water Level-Low Low Low (Level 1) signals. In order to prevent spurious initiation of the ADS due to spurious Level 1 signals, a Level 4 signal must also be received before ADS initiation commences.

Reactor Vessel Water Confirmatory Level-Low (Level 4) signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Allowable Value for Reactor Vessel Water Confirmatory Level-Low (Level 4) is selected to be above the RPS Level 3 scram Allowable Value for convenience.

Two channels of Reactor Vessel Water Confirmatory Level-Low (Level 4) Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.f. 4.g. 5.f. 5.g. Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure-High

The Pump Discharge Pressure-High signals from the CS and LPCI pumps are used as permissives for ADS initiation, indicating that there is a source of low pressure cooling water available once the ADS has depressurized the vessel. Pump Discharge Pressure-High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in Reference 4 with an assumed HPCI failure. For these events the ADS depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling functions. This core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Pump discharge pressure signals are initiated from twelve pressure transmitters, two on the discharge side of each of the four LPCI pumps and one on the discharge side of each CS pump. There are two ADS low pressure ECCS pump permissives in each trip system. Each of the permissives receives inputs from all four LPCI pumps (different signals for each permissive) and two CS pumps, one from each subsystem (different pumps for each permissive). In order to generate an ADS permissive in one trip system, it is necessary that only one LPCI pump or two CS pumps in proper combination (C or D and A or B) indicate the high discharge pressure condition in each of the two permissives. The Pump Discharge Pressure-High Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any condition that results in a discharge pressure permissive when the CS and LPCI pumps are aligned for injection and the pumps are not running. The actual operating point of this function is not assumed in any transient or accident analysis. However, this Function is indirectly assumed to operate (in Reference 4) to provide the ADS permissive to depressurize the RCS to allow the ECCS low pressure systems to operate.

Twelve channels of Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure-High Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Four CS channels associated with CS pumps A through D and eight LPCI channels associated with LPCI pumps A through D are required for both trip systems. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.h. 5.h. Automatic Depressurization System Low Water Level Actuation Timer

One of the signals required for ADS initiation is Drywell Pressure-High. However, if the event requiring ADS initiation occurs outside the drywell (e.g., main steam line break outside containment), a high drywell pressure signal may never be present. Therefore, the Automatic Depressurization System Low Water Level Actuation Timer is used to bypass the Drywell Pressure-High Function after a certain time period has elapsed. Operation of the Automatic Depressurization System Low Water Level Actuation Timer Function is assumed in the accident analysis of Reference 4 that requires ECCS initiation and assumes failure of the HPCI system.

There are four Automatic Depressurization System Low Water Level Actuation Timer relays, two in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Low Water Level Actuation Timer is chosen to ensure that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.

Four channels of the Automatic Depressurization System Low Water Level Actuation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Refer to LCO 3.5.1 for ADS Applicability Bases.

ACTIONS

A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ECCS instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel.

A.1

Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.1-1. The applicable Condition referenced in the table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

B.1, B.2, and B.3

Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action B.1 features would be those that are initiated by Functions 1.a, 1.b, 2.a, and 2.b (e.g., low pressure ECCS). The Required Action B.2 system would be HPCI. For Required Action B.1, redundant automatic initiation capability is lost if (a) two or more Function 1.a channels are inoperable and untripped such that both trip systems lose initiation capability, (b) two or more Function 2.a channels are inoperable and untripped such that both trip systems lose initiation capability, (c) two or more Function 1.b channels are inoperable and untripped such that both trip systems lose initiation capability, or (d) two or more Function 2.b channels are inoperable and untripped such that both trip systems lose initiation capability. For low pressure ECCS, since each inoperable channel would have Required Action B.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system of low pressure ECCS and DGs to be declared inoperable. However, since channels in both associated low pressure ECCS subsystems (e.g., both CS subsystems) are inoperable and untripped, and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in the associated low pressure ECCS and DGs being concurrently declared inoperable.

For Required Action B.2, redundant automatic HPCI initiation capability is lost if two or more Function 3.a or two Function 3.b channels are inoperable and untripped such that the trip system loses initiation capability. In this situation (loss of redundant automatic initiation capability), the 24 hour allowance of Required Action B.3 is not appropriate and the HPCI System must be declared inoperable within 1 hour. As noted (Note 1 to Required Action B.1), Required Action B.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the low pressure ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 24 hours (as allowed by Required Action B.3) is allowed during MODES 4 and 5. There is no similar Note provided for Required Action B.2 since HPCI instrumentation is not required in MODES 4 and 5; thus, a Note is not necessary.

Notes are also provided (Note 2 to Required Action B.1 and the Note to Required Action B.2) to delineate which Required Action is applicable for each Function that requires entry into Condition B if an associated channel is inoperable. This ensures that the proper loss of initiation capability check is performed. Required Action B.1 (the Required Action for certain inoperable channels in the low pressure ECCS subsystems) is not applicable to Function 2.e, since this Function provides backup to administrative controls ensuring that operators do not divert LPCI flow from injecting into the core when needed. Thus, a total loss of Function 2.e capability for 24 hours is allowed, since the LPCI subsystems remain capable of performing their intended function.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action B.1, the Completion Time only begins upon discovery that a redundant feature in the same system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable, untripped channels within the same Function as described in the paragraph above. For Required Action B.2, the Completion Time only begins upon discovery that the HPCI System cannot be automatically initiated due to two inoperable, untripped channels for the associated Function in the same trip system. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.

C.1 and C.2

Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action C.1 features would be those that are initiated by Functions 1.c, 1.e, 1.f, 2.c, 2.d, and 2.f (i.e., low pressure ECCS). Redundant automatic initiation capability is lost if either (a) two or more Function 1.c channels are inoperable in the same trip system such that the trip system loses initiation capability, (b) two or more Function 1.e channels are inoperable affecting CS pumps in different subsystems, (c) two or more Function 1.f channels are inoperable affecting CS pumps in different subsystems, (d) two or more Function 2.c channels are inoperable in the same trip system such that the trip system loses initiation capability, (e) two or more Function 2.d channels are inoperable in the same trip system such that the trip system loses initiation capability, or (f) three or more Function 2.f channels are inoperable. In this situation (loss of redundant automatic initiation capability), the 24 hour allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable within 1 hour. Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system to be declared inoperable. However, since channels for both low pressure ECCS subsystems are inoperable (e.g., both CS subsystems), and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in both subsystems being concurrently declared inoperable. For Functions 1.c, 1.e, 1.f, 2.c, 2.d, and 2.f, the affected portions are the associated low pressure ECCS pumps. As noted (Note 1), Required Action C.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of automatic initiation capability for 24 hours (as allowed by Required Action C.2) is allowed during MODES 4 and 5.

Note 2 states that Required Action C.1 is only applicable for Functions 1.c, 1.e, 1.f, 2.c, 2.d, and 2.f. Required Action C.1 is not applicable to Function 3.c (which also requires entry into this Condition if a channel in this Function is inoperable), since the loss of one channel results in a loss of the Function (two-out-of-two logic). This loss was considered during the development of Reference 5 and considered acceptable for the 24 hours allowed by Required Action C.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action C.1, the Completion Time only begins upon discovery that the same feature in both subsystems (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would either cause the initiation or it would not necessarily result in a safe state for the channel in all events.

D.1, D.2.1, and D.2.2

Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic component initiation capability for the HPCI System. Automatic component initiation capability is lost if two Function 3.d channels or two Function 3.e channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour allowance of Required Actions D.2.1 and D.2.2 is not appropriate and the HPCI System must be declared inoperable within 1 hour after discovery of loss of HPCI initiation capability. As noted, Required Action D.1 is only applicable if the HPCI pump suction is not aligned to the suppression pool, since, if aligned, the Function is already performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action D.1, the Completion Time only begins upon discovery that the HPCI System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1 or the suction source must be aligned to the suppression pool per Required Action D.2.2. Placing the inoperable channel in trip performs the intended function of the channel (shifting the suction source to the suppression pool). Performance of either of these two Required Actions will allow operation to continue. If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the HPCI System piping remains filled with water. Alternately, if it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the HPCI suction piping), Condition H must be entered and its Required Action taken.

E.1 and E.2

Required Action E.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the Core Spray and Low Pressure Coolant Injection Pump, Discharge Flow - Low (Bypass) Functions result in redundant automatic initiation capability being lost for the feature(s). For Required Action E.1, the features would be those that are initiated by Functions 1.d and 2.g (e.g., low pressure ECCS). Redundant automatic initiation capability is lost if (a) two or more Function 1.d channels are inoperable affecting CS pumps in different subsystems or (b) three or more Function 2.g channels are inoperable.

Since each inoperable channel would have Required Action E.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected low pressure ECCS pump to be declared inoperable. However, since channels for more than one low pressure ECCS pump are inoperable, and the Completion Times started concurrently for the channels of the low pressure ECCS pumps, this results in the affected low pressure ECCS pumps being concurrently declared inoperable.

In this situation (loss of redundant automatic initiation capability), the 7 day allowance of Required Action E.2 is not appropriate and the subsystem associated with each inoperable channel must be declared inoperable within 1 hour. As noted (Note 1 to Required Action E.1), Required Action E.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 7 days (as allowed by Required Action E.2) is allowed during MODES 4 and 5. A Note is also provided (Note 2 to Required Action E.1) to delineate that Required Action E.1 is only applicable to low pressure ECCS Functions. Required Action E.1 is not applicable to HPCI Function 3.f since the loss of one channel results in a loss of function (one-out-of-one logic). This loss was considered during the development of Reference 5 and considered acceptable for the 7 days allowed by Required Action E.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action E.1, the Completion Time only begins upon discovery that a redundant feature in the same system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

If the instrumentation that controls the pump minimum flow valve is inoperable, such that the valve will not automatically open, extended pump operation with no injection path available could lead to pump overheating and failure. If there were a failure of the instrumentation, such that the valve would not automatically close, a portion of the pump flow could be diverted from the reactor vessel injection path, causing insufficient core cooling. These consequences can be averted by the operator's manual control of the valve, which would be adequate to maintain ECCS pump protection and required flow. Furthermore, other ECCS pumps would be sufficient to complete the assumed safety function if no additional single failure were to occur. The 7 day Completion Time of Required Action E.2 to restore the inoperable channel to OPERABLE status is reasonable based on the remaining capability of the associated ECCS subsystems, the redundancy available in the ECCS design, and the low probability of a DBA occurring during the allowed out of service time. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken.

The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

F.1 and F.2

Required Action F.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system A and B Functions result in redundant automatic initiation capability being lost for the ADS. Redundant automatic initiation capability is lost if either (a) one or more Function 4.a channel and one or more Function 5.a channel are inoperable and untripped, (b) one or more Function 4.b channel and one or more Function 5.b channel are inoperable and untripped, (c) one or more Function 4.d channel and one or more Function 5.d channel are inoperable and untripped, or (d) one Function 4.e channel and one Function 5.e channel are inoperable and untripped.

In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action F.2 is not appropriate and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE. If either HPCI or RCIC is inoperable, the time is shortened to 96 hours. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable, untripped channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action F.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.

G.1 and G.2

Required Action G.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS. Automatic initiation capability is lost if either (a) one Function 4.c channel and one Function 5.c channel are inoperable, (b) a combination of Function 4.f, 4.g, 5.f, and 5.g channels are inoperable such that channels associated with five or more low pressure ECCS pumps are inoperable, or (c) one or more Function 4.h channels and one or more Function 5.h channels are inoperable.

In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action G.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability. The Note to Required Action G.1 states that Required Action G.1 is only applicable for Functions 4.c, 4.f, 4.g, 4.h, 5.c, 5.f, 5.g, and 5.h.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action G.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE (Required Action G.2). If either HPCI or RCIC is inoperable, the time shortens to 96 hours. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.
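The Completion Time rule stated above for Required Actions F.2 and G.2 (8 days, shortened to 96 hours while HPCI or RCIC is inoperable, never more than 8 days from discovery of the channel) can be worked through as a small calculation. This is an added illustration, not part of the Bases; the function names, the status-log format and the dates are constructed, and it assumes the 96 hour clock starts at the first discovery of HPCI or RCIC inoperability within one continuous degraded period.

```python
from datetime import datetime, timedelta

EIGHT_DAYS = timedelta(days=8)
NINETY_SIX_HOURS = timedelta(hours=96)


def deadline_in_force(channel_discovered, degraded_since):
    """Completion Time deadline for one inoperable ADS channel.

    degraded_since is None while both HPCI and RCIC are OPERABLE, otherwise
    the time at which HPCI or RCIC inoperability was discovered.
    """
    cap = channel_discovered + EIGHT_DAYS          # total time cannot exceed 8 days
    if degraded_since is None:
        return cap                                 # 8 day clock, time zero = channel discovery
    # The 96 hours begin at discovery of HPCI/RCIC inoperability, but a clock
    # cannot start before the channel itself was found inoperable.
    clock_start = max(channel_discovered, degraded_since)
    return min(clock_start + NINETY_SIX_HOURS, cap)


def evaluate(channel_discovered, status_log, now):
    """Walk a chronological log of (time, hpci_operable, rcic_operable).

    The first entry must be at or before channel_discovered (assumption).
    Returns (deadline currently in force, time a deadline was first exceeded
    or None). A non-None second value is the point at which Condition H
    would have had to be entered.
    """
    degraded_since = None
    deadline = channel_discovered + EIGHT_DAYS
    exceeded_at = None
    for i, (when, hpci_ok, rcic_ok) in enumerate(status_log):
        if when > now:
            break
        if hpci_ok and rcic_ok:
            degraded_since = None                  # back on the 8 day clock
        elif degraded_since is None:
            degraded_since = when                  # start of a degraded period
        deadline = deadline_in_force(channel_discovered, degraded_since)
        # This status holds until the next log entry (or until "now").
        nxt = status_log[i + 1][0] if i + 1 < len(status_log) else now
        seg_end = min(nxt, now)
        if exceeded_at is None and seg_end > channel_discovered and deadline < seg_end:
            exceeded_at = deadline
    return deadline, exceeded_at


if __name__ == "__main__":
    # Constructed timeline: channel found inoperable 1 Jan, HPCI found
    # inoperable 3 Jan and not restored until 8 Jan.
    t0 = datetime(2002, 1, 1)
    log = [
        (datetime(2001, 12, 31), True, True),
        (datetime(2002, 1, 3), False, True),
        (datetime(2002, 1, 8), True, True),
    ]
    deadline, exceeded = evaluate(t0, log, datetime(2002, 1, 8, 12))
    print("deadline in force:", deadline)
    print("first exceeded at:", exceeded)
```

In the constructed timeline the 96 hour deadline (7 Jan) passes while HPCI is still inoperable, so restoring HPCI on 8 Jan returns the deadline to 9 Jan but does not undo the earlier expiry.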

H.1

With any Required Action and associated Completion Time not met, the associated feature(s) may be incapable of performing the intended function, and the supported feature(s) associated with inoperable untripped channels must be declared inoperable immediately.

SURVEILLANCE REQUIREMENTS

As noted in the beginning of the SRs, the SRs for each ECCS instrumentation Function are found in the SRs column of Table 3.3.5.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours as follows: (a) for Functions 3.c and 3.f; and (b) for Functions other than 3.c and 3.f provided the associated Function or the redundant Function maintains ECCS initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 5) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the ECCS will initiate when necessary.

SR 3.3.5.1.1

Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK guarantees that undetected outright channel failure is limited to 12 hours; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.5.1.2

A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analyses of Reference 5.

SR 3.3.5.1.3 and SR 3.3.5.1.4

A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the assumptions of the current plant specific setpoint methodology.

The 92 day Frequency of SR 3.3.5.1.3 is conservative with respect to the magnitude of equipment drift assumed in the setpoint analysis.

The Frequency of SR 3.3.5.1.4 is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.5.1.5

The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.8.1, and LCO 3.8.2 overlaps this Surveillance to complete testing of the assumed safety function.

While this Surveillance can be performed with the reactor at power for some of the Functions, operating experience has shown that these components will pass the Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was found to be acceptable from a reliability standpoint.

REFERENCES

1. UFSAR, Section 6.5.
2. UFSAR, Section 7.4.
3. UFSAR, Chapter 14.
4. NEDC-32163-P, "Peach Bottom Atomic Power Station Units 2 and 3, SAFER/GESTR-LOCA, Loss-of-Coolant Accident Analysis," January 1993.
5. NEDC-30936-P-A, "BWR Owners' Group Technical Specification Improvement Analyses for ECCS Actuation Instrumentation, Part 2," December 1988.


RCIC System Instrumentation B 3.3.5.2

B 3.3 INSTRUMENTATION

B 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation

BASES

BACKGROUND

The purpose of the RCIC System instrumentation is to initiate actions to ensure adequate core cooling when the reactor vessel is isolated from its primary heat sink (the main condenser) and normal coolant makeup flow from the Reactor Feedwater System is insufficient or unavailable, such that RCIC System initiation occurs and maintains sufficient reactor water level such that an initiation of the low pressure Emergency Core Cooling Systems (ECCS) pumps does not occur. A more complete discussion of RCIC System operation is provided in the Bases of LCO 3.5.3, "RCIC System."

The RCIC System may be initiated by automatic means.

Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low (Level 2). The variable is monitored by four transmitters that are connected to four pressure compensation instruments. The outputs of the pressure compensation instruments are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic arrangement. Once initiated, the RCIC logic seals in and can be reset by the operator only when the reactor vessel water level signals have cleared.

The RCIC test line isolation valve is closed on a RCIC initiation signal to allow full system flow and maintain primary containment isolated in the event RCIC is not operating.

The RCIC System also monitors the water level in the condensate storage tank (CST) since this is the initial source of water for RCIC operation. Reactor grade water in the CST is the normal source. Upon receipt of a RCIC initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless the pump suction from the suppression pool valves is open. If the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST. Either switch can cause the suppression pool suction valves to open. The opening of the suppression pool suction valves causes the CST suction valve to close. This prevents losing suction to the pump when automatically transferring suction from the CST to the suppression pool on low CST level.

The RCIC System provides makeup water to the reactor until the reactor vessel water level reaches the high water level (Level 8) setting (two-out-of-two logic), at which time the RCIC steam supply valve closes. The RCIC System restarts if vessel level again drops to the low level initiation point (Level 2).

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY

The function of the RCIC System is to respond to transient events by producing makeup coolant to the reactor. The RCIC System is not an Engineered Safeguard System and no credit is taken in the safety analyses for RCIC System operation.

Based on its contribution to the reduction of overall plant risk, however, the system, and therefore its instrumentation, meets Criterion 4 of the NRC Policy Statement.

The OPERABILITY of the RCIC System instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.2-1. Each Function must have a required number of OPERABLE channels with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setting is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Allowable Values are specified for each RCIC System instrumentation Function specified in the Table. Trip setpoints are specified in the setpoint calculations. The setpoints are selected to ensure that the settings do not exceed the Allowable Value between CHANNEL CALIBRATIONS.

Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. Each Allowable Value specified accounts for instrument uncertainties appropriate to the Function. These uncertainties are described in the setpoint methodology.

The individual Functions are required to be OPERABLE in MODE 1, and in MODES 2 and 3 with reactor steam dome pressure > 150 psig since this is when RCIC is required to be OPERABLE. (Refer to LCO 3.5.3 for Applicability Bases for the RCIC System.)

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. Reactor Vessel Water Level-Low Low (Level 2)

Low reactor pressure vessel (RPV) water level indicates that normal feedwater flow is insufficient to maintain reactor vessel water level and that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the RCIC System is initiated at Level 2 to assist in maintaining water level above the top of the active fuel.

Reactor Vessel Water Level-Low Low (Level 2) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level-Low Low (Level 2) Allowable Value is set high enough such that for complete loss of feedwater flow, the RCIC System flow with high pressure coolant injection assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Level 1.

Four channels of Reactor Vessel Water Level-Low Low (Level 2) Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation.

Refer to LCO 3.5.3 for RCIC Applicability Bases.

2. Reactor Vessel Water Level-High (Level 8)

High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to close the RCIC steam supply valve to prevent overflow into the main steam lines (MSLs).

Reactor Vessel Water Level-High (Level 8) signals for RCIC are initiated from four level transmitters, which sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. These four level transmitters are connected to two pressure compensation instruments (channels).

The Reactor Vessel Water Level-High (Level 8) Allowable Value is high enough to preclude isolating the injection valve of the RCIC during normal operation, yet low enough to trip the RCIC System prior to water overflowing into the MSLs.

Two channels of Reactor Vessel Water Level-High (Level 8) Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation. Refer to LCO 3.5.3 for RCIC Applicability Bases.

3. Condensate Storage Tank Level-Low

Low level in the CST indicates the unavailability of an adequate supply of makeup water from this normal source.

Normally, the suction valve between the RCIC pump and the CST is open and, upon receiving a RCIC initiation signal, water for RCIC injection would be taken from the CST.

However, if the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the RCIC pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes.

Two level switches are used to detect low water level in the CST. The Condensate Storage Tank Level-Low Function Allowable Value is set high enough to ensure adequate pump suction head while water is being taken from the CST.

Two channels of the CST Level-Low Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC swap to suppression pool source. Refer to LCO 3.5.3 for RCIC Applicability Bases.

ACTIONS

A Note has been provided to modify the ACTIONS related to RCIC System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RCIC System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RCIC System instrumentation channel.

A.1

Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.2-1. The applicable Condition referenced in the Table is Function dependent.

Each time a channel is discovered to be inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

B.1 and B.2

Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic initiation capability for the RCIC System. In this case, automatic initiation capability is lost if two Function 1 channels in the same trip system are inoperable and untripped. In this situation (loss of automatic initiation capability), the 24 hour allowance of Required Action B.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour after discovery of loss of RCIC initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action B.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically initiated due to two or more inoperable, untripped Reactor Vessel Water Level-Low Low (Level 2) channels such that the trip system loses initiation capability. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 1) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition E must be entered and its Required Action taken.

C.1

A risk based analysis was performed and determined that an allowable out of service time of 24 hours (Ref. 1) is acceptable to permit restoration of any inoperable channel to OPERABLE status (Required Action C.1). A Required Action (similar to Required Action B.1) limiting the allowable out of service time, if a loss of automatic RCIC initiation capability exists, is not required. This Condition applies to the Reactor Vessel Water Level-High (Level 8) Function whose logic is arranged such that any inoperable channel will result in a loss of automatic RCIC initiation capability (closure of the RCIC steam supply valve). As stated above, this loss of automatic RCIC initiation capability was analyzed and determined to be acceptable.

The Required Action does not allow placing a channel in trip since this action would not necessarily result in a safe state for the channel in all events.

D.1, D.2.1, and D.2.2

Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in automatic component initiation capability being lost for the feature(s). For Required Action D.1, the RCIC System is the only associated feature. In this case, automatic initiation capability is lost if two Function 3 channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour allowance of Required Actions D.2.1 and D.2.2 is only appropriate after Action D.1 has been performed. Action D.1 requires that the RCIC System be declared inoperable within 1 hour from discovery of loss of RCIC initiation capability. As noted, Required Action D.1 is only applicable if the RCIC pump suction is not aligned to the suppression pool since, if aligned, the Function is already performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action D.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 1) to permit restoration of any inoperable channel to OPERABLE status.

If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1, which performs the intended function of the channel. Alternatively, Required Action D.2.2 allows the manual alignment of the RCIC suction to the suppression pool, which also performs the intended function. If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the RCIC System piping remains filled with water. If it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the RCIC suction piping), Condition E must be entered and its Required Action taken.

E.1

With any Required Action and associated Completion Time not met, the RCIC System may be incapable of performing the intended function, and the RCIC System must be declared inoperable immediately.

SURVEILLANCE REQUIREMENTS

As noted in the beginning of the SRs, the SRs for each RCIC System instrumentation Function are found in the SRs column of Table 3.3.5.2-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed as follows:

(a) for up to 6 hours for Function 2 and (b) for up to 6 hours for Functions 1 and 3, provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

This Note is based on the reliability analysis (Ref. 1) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the RCIC will initiate when necessary.

SR 3.3.5.2.1

Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a parameter on other similar channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.5.2.2

A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analysis of Reference 1.

SR 3.3.5.2.3

A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology.

The Frequency of SR 3.3.5.2.3 is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.5.2.4

The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.3 overlaps this Surveillance to provide complete testing of the safety function.

While this Surveillance can be performed with the reactor at power for some of the Functions, operating experience has shown that these components will pass the Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was found to be acceptable from a reliability standpoint.

REFERENCES

1. GENE-770-06-2, "Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.

B 3.3 INSTRUMENTATION

B 3.3.6.1 Primary Containment Isolation Instrumentation

BASES

BACKGROUND

The primary containment isolation instrumentation automatically initiates closure of appropriate primary containment isolation valves (PCIVs). The function of the PCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs). Primary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a DBA.

The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of primary containment and reactor coolant pressure boundary (RCPB) isolation. Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a primary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logics are (a) reactor vessel water level, (b) reactor pressure, (c) main steam line (MSL) flow measurement, (d) main steam line radiation, (e) main steam line pressure, (f) drywell pressure, (g) high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) steam line flow, (h) HPCI and RCIC steam line pressure, (i) reactor water cleanup (RWCU) flow, (j) Standby Liquid Control (SLC) System initiation, (k) area ambient temperatures, (l) reactor building ventilation and refueling floor ventilation exhaust radiation, and (m) main stack radiation. Redundant sensor input signals from each parameter are provided for initiation of isolation.

Primary containment isolation instrumentation has inputs to the trip logic of the isolation functions listed below.

1. Main Steam Line Isolation

Most MSL Isolation Functions receive inputs from four channels. The outputs from these channels are combined in a one-out-of-two taken twice logic to initiate isolation of the Group I isolation valves (MSIVs and MSL drains, MSL sample lines, and recirculation loop sample line valves).

To initiate a Group I isolation, both trip systems must be tripped.

The exceptions to this arrangement are the Main Steam Line Flow-High Function and Main Steam Tunnel Temperature-High Functions. The Main Steam Line Flow-High Function uses 16 flow channels, four for each steam line. One channel from each steam line inputs to one of the four trip strings.

Two trip strings make up each trip system and both trip systems must trip to cause an MSL isolation. Each trip string has four inputs (one per MSL), any one of which will trip the trip string. The trip systems are arranged in a one-out-of-two taken twice logic. This is effectively a one-out-of-eight taken twice logic arrangement to initiate a Group I isolation. The Main Steam Tunnel Temperature-High Function receives input from 16 channels. The logic is arranged similar to the Main Steam Line Flow-High Function except that high temperature on any channel is not related to a specific MSL.
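The Main Steam Line Flow-High arrangement described above is small enough to check exhaustively. The following is an added example, not part of the Bases: the trip system and trip string names (A, B, A1, A2, B1, B2) and the failure model (a failed channel never trips, a channel placed in trip is always tripped) are assumptions made for illustration.

```python
from itertools import combinations

# Assumed names: the Bases give the counts (4 MSLs, 4 trip strings,
# 2 trip systems, 16 channels) but not these identifiers.
MSLS = ("A", "B", "C", "D")
TRIP_SYSTEMS = {"A": ("A1", "A2"), "B": ("B1", "B2")}

# One channel per (trip string, MSL): 4 strings x 4 steam lines = 16 channels.
CHANNELS = [(string, msl)
            for strings in TRIP_SYSTEMS.values()
            for string in strings
            for msl in MSLS]


def channel_tripped(channel, high_flow_msls, failed_untripped, placed_in_trip):
    """A channel trips on high flow in its own MSL unless it has failed."""
    if channel in placed_in_trip:      # deliberately placed in the tripped state
        return True
    if channel in failed_untripped:    # inoperable and untripped: never trips
        return False
    return channel[1] in high_flow_msls


def trip_string_tripped(string, high_flow_msls, failed_untripped, placed_in_trip):
    """Any one of the four inputs (one per MSL) trips the trip string."""
    return any(channel_tripped((string, msl), high_flow_msls,
                               failed_untripped, placed_in_trip)
               for msl in MSLS)


def trip_system_tripped(system, high_flow_msls, failed_untripped, placed_in_trip):
    """One-out-of-two: either trip string trips its trip system."""
    return any(trip_string_tripped(s, high_flow_msls,
                                   failed_untripped, placed_in_trip)
               for s in TRIP_SYSTEMS[system])


def group_isolation(high_flow_msls, failed_untripped=frozenset(),
                    placed_in_trip=frozenset()):
    """Taken twice: both trip systems must trip to isolate."""
    return all(trip_system_tripped(system, high_flow_msls,
                                   failed_untripped, placed_in_trip)
               for system in TRIP_SYSTEMS)


def failure_sets_defeating_isolation(n_failures, broken_msl):
    """All sets of n failed-untripped channels that block isolation
    when high flow exists in broken_msl only."""
    return [combo for combo in combinations(CHANNELS, n_failures)
            if not group_isolation({broken_msl},
                                   failed_untripped=frozenset(combo))]


def single_spurious_trips_causing_isolation():
    """Channels whose lone spurious trip would isolate with no high flow."""
    return [ch for ch in CHANNELS
            if group_isolation(set(), placed_in_trip=frozenset([ch]))]


if __name__ == "__main__":
    for msl in MSLS:
        print(msl, "single failures defeating isolation:",
              failure_sets_defeating_isolation(1, msl))
    print("double failures defeating isolation for MSL A:",
          failure_sets_defeating_isolation(2, "A"))
    print("single spurious trips causing isolation:",
          single_spurious_trips_causing_isolation())
```

Under these assumptions, isolation for a break in a given MSL is lost only when both channels on that MSL within one trip system are failed and untripped.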

2. Primary Containment Isolation

Most Primary Containment Isolation Functions receive inputs from four channels. The outputs from these channels are arranged in a one-out-of-two taken twice logic. Isolation of inboard and outboard primary containment isolation valves occurs when both trip systems are in trip.

The exception to this arrangement is the Main Stack Monitor Radiation-High Function. This Function has two channels, whose outputs are arranged in two trip systems which use a one-out-of-one logic. Each trip system isolates one valve per associated penetration. The Main Stack Monitor Radiation-High Function will isolate vent and purge valves greater than two inches in diameter during containment purging (Ref. 2).

The valves isolated by each of the Primary Containment Isolation Functions are listed in Reference 1.

3., 4. High Pressure Coolant Injection System Isolation and Reactor Core Isolation Cooling System Isolation

The Steam Line Flow-High Functions that isolate HPCI and RCIC receive input from two channels, with each channel comprising one trip system using a one-out-of-one logic.

Each of the two trip systems in each isolation group (HPCI and RCIC) is connected to the two valves on each associated penetration. Each HPCI and RCIC Steam Line Flow-High channel has a time delay relay to prevent isolation due to flow transients during startup.

The HPCI and RCIC Isolation Functions for Drywell Pressure-High and Steam Supply Line Pressure-Low receive inputs from four channels. The outputs from these channels are combined in a one-out-of-two taken twice logic to initiate isolation of the associated valves.

The HPCI and RCIC Compartment and Steam Line Area Temperature-High Functions receive input from 16 channels.

The logic is similar to the Main Steam Tunnel Temperature-High Function.

The HPCI and RCIC Steam Line Flow-High Functions, Steam Supply Line Pressure-Low Functions, and Compartment and Steam Line Area Temperature-High Functions isolate the associated steam supply and turbine exhaust valves and pump suction valves. The HPCI and RCIC Drywell Pressure-High Functions isolate the HPCI and RCIC test return line valves.

The HPCI and RCIC Drywell Pressure-High Functions, in conjunction with the Steam Supply Line Pressure-Low Functions, isolate the HPCI and RCIC turbine exhaust vacuum relief valves.

5. Reactor Water Cleanup System Isolation

The Reactor Vessel Water Level-Low (Level 3) Isolation Function receives input from four reactor vessel water level channels. The outputs from the reactor vessel water level channels are connected into a one-out-of-two taken twice logic which isolates both the inboard and outboard isolation valves. The RWCU Flow-High Function receives input from two channels, with each channel in one trip system using a one-out-of-one logic, with one channel tripping the inboard valve and one channel tripping the outboard valves. The SLC System Isolation Function receives input from two channels with each channel in one trip system using a one-out-of-one logic. When either SLC pump is started remotely, one channel trips the inboard isolation valve and one channel isolates the outboard isolation valves.

The RWCU Isolation Function isolates the inboard and outboard RWCU pump suction penetration and the outboard valve at the RWCU connection to reactor feedwater.

6. Shutdown Cooling System Isolation

The Reactor Vessel Water Level-Low (Level 3) Function receives input from four reactor vessel water level channels. The outputs from the channels are connected to a one-out-of-two taken twice logic, which isolates both valves on the RHR shutdown cooling pump suction penetration. The Reactor Pressure-High Function receives input from two channels, with each channel in one trip system using a one-out-of-one logic. Each trip system is connected to both valves on the RHR shutdown cooling pump suction penetration.

7. Feedwater Recirculation Isolation

The Reactor Pressure-High Function receives inputs from four channels. The outputs from the four channels are connected into a one-out-of-two taken twice logic which isolates the feedwater recirculation valves.

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY

The isolation signals generated by the primary containment isolation instrumentation are implicitly assumed in the safety analyses of References 1 and 3 to initiate closure of valves to limit offsite doses. Refer to LCO 3.6.1.3, "Primary Containment Isolation Valves (PCIVs)," Applicable Safety Analyses Bases for more detail of the safety analyses.

Primary containment isolation instrumentation satisfies Criterion 3 of the NRC Policy Statement. Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the primary containment instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.6.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setting is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Allowable Values, where applicable, are specified for each Primary Containment Isolation Function specified in the Table. Trip setpoints are specified in the setpoint calculations. The trip setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic or design limits are derived from the limiting values of the process parameters obtained from the safety analysis or other appropriate documents. The Allowable Values are derived from the analytic or design limits, corrected for calibration, process, and instrument errors. The trip setpoints are determined from analytical or design limits, corrected for calibration, process, and instrument errors, as well as instrument drift. In selected cases, the Allowable Values and trip setpoints are determined by engineering judgement or historically accepted practice relative to the intended function of the channel. The trip setpoints determined in this manner provide adequate protection by assuring instrument and process uncertainties expected for the environments during the operating time of the associated channels are accounted for.

Certain Emergency Core Cooling Systems (ECCS) and RCIC valves (e.g., minimum flow) also serve the dual function of automatic PCIVs. The signals that isolate these valves are also associated with the automatic initiation of the ECCS and RCIC. The instrumentation requirements and ACTIONS associated with these signals are addressed in LCO 3.3.5.1, "Emergency Core Cooling Systems (ECCS) Instrumentation," and LCO 3.3.5.2, "Reactor Core Isolation Cooling (RCIC) System Instrumentation," and are not included in this LCO.

In general, the individual Functions are required to be OPERABLE in MODES 1, 2, and 3 consistent with the Applicability for LCO 3.6.1.1, "Primary Containment."

Functions that have different Applicabilities are discussed below in the individual Functions discussion.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

Main Steam Line Isolation

1.a. Reactor Vessel Water Level-Low Low Low (Level 1)

Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result.

Therefore, isolation of the MSIVs and other interfaces with the reactor vessel occurs to prevent offsite dose limits from being exceeded. The Reactor Vessel Water Level-Low Low Low (Level 1) Function is one of the many Functions assumed to be OPERABLE and capable of providing isolation signals.

The Reactor Vessel Water Level-Low Low Low (Level 1) Function associated with isolation is assumed in the analysis of the recirculation line break (Ref. 1). The isolation of the MSLs on Level 1 supports actions to ensure that offsite dose limits are not exceeded for a DBA.

Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low Low (Level 1) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level-Low Low Low (Level 1) Allowable Value is chosen to be the same as the ECCS Level 1 Allowable Value (LCO 3.3.5.1) to ensure that the MSLs isolate on a potential loss of coolant accident (LOCA) to prevent offsite doses from exceeding 10 CFR 100 limits.

This Function isolates MSIVs, MSL drains, MSL sample lines and recirculation loop sample line valves.

1.b. Main Steam Line Pressure-Low

Low MSL pressure indicates that there may be a problem with the turbine pressure regulation, which could result in a low reactor vessel water level condition and the RPV cooling down more than 100°F/hr if the pressure loss is allowed to continue. The Main Steam Line Pressure-Low Function is directly assumed in the analysis of the pressure regulator failure (Ref. 3). For this event, the closure of the MSIVs ensures that the RPV temperature change limit (100°F/hr) is not reached. In addition, this Function supports actions to ensure that Safety Limit 2.1.1.1 is not exceeded. (This Function closes the MSIVs prior to pressure decreasing below 785 psig, which results in a scram due to MSIV closure, thus reducing reactor power to < 25% RTP.)

The MSL low pressure signals are initiated from four transmitters that are connected to the MSL header. The transmitters are arranged such that, even though physically separated from each other, each transmitter is able to detect low MSL pressure. Four channels of Main Steam Line Pressure-Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value was selected to be high enough to prevent excessive RPV depressurization.

The Main Steam Line Pressure-Low Function is only required to be OPERABLE in MODE 1 since this is when the assumed transient can occur (Ref. 1).

This Function isolates MSIVs, MSL drains, MSL sample lines and recirculation loop sample line valves.

1.c. Main Steam Line Flow-High

Main Steam Line Flow-High is provided to detect a break of the MSL and to initiate closure of the MSIVs. If the steam were allowed to continue flowing out of the break, the reactor would depressurize and the core could uncover. If the RPV water level decreases too far, fuel damage could occur. Therefore, the isolation is initiated on high flow to prevent or minimize core damage. The Main Steam Line Flow-High Function is directly assumed in the analysis of the main steam line break (MSLB) (Ref. 3). The isolation action, along with the scram function of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46 and offsite doses do not exceed the 10 CFR 100 limits.

The MSL flow signals are initiated from 16 transmitters that are connected to the four MSLs. The transmitters are arranged such that, even though physically separated from each other, all four connected to one MSL would be able to detect the high flow. Four channels of Main Steam Line Flow-High Function for each MSL (two channels per trip system) are available and are required to be OPERABLE so that no single instrument failure will preclude detecting a break in any individual MSL.

The Allowable Value is chosen to ensure that offsite dose limits are not exceeded due to the break.

This Function isolates MSIVs, MSL drains, MSL sample lines and recirculation loop sample line valves.

1.d. Main Steam Line-High Radiation

The Main Steam Line-High Radiation Function is provided to detect gross release of fission products from the fuel and to initiate closure of the MSIVs. The trip setting is set low enough so that a high radiation trip results from a design basis rod drop accident and high enough above background radiation levels in the vicinity of the main steam lines so that spurious trips at rated power are avoided. The Main Steam Line-High Radiation Function is directly assumed in the analysis of the control rod drop accident (Ref. 3).

The Main Steam Line-High Radiation signals are initiated from four gamma sensitive instruments. Four channels are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value is chosen to ensure that offsite dose limits are not exceeded.

This Function isolates MSIVs, MSL drains, MSL sample lines and recirculation loop sample line valves.

1.e. Main Steam Tunnel Temperature-High

The Main Steam Tunnel Temperature Function is provided to detect a break in a main steam line and provides diversity to the high flow instrumentation.

Main Steam Tunnel Temperature signals are initiated from resistance temperature detectors (RTDs) located along the main steam line between the drywell wall and the turbine.

Sixteen channels of Main Steam Tunnel Temperature-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value is chosen to detect a leak equivalent to between 1% and 10% rated steam flow.

This Function isolates MSIVs, MSL drains, MSL sample lines and recirculation loop sample line valves.

Primary Containment Isolation

2.a. Reactor Vessel Water Level-Low (Level 3)

Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products. The isolation of the primary containment on Level 3 supports actions to ensure that offsite dose limits of 10 CFR 100 are not exceeded.

The Reactor Vessel Water Level-Low (Level 3) Function associated with isolation is implicitly assumed in the UFSAR analysis as these leakage paths are assumed to be isolated post LOCA.

Reactor Vessel Water Level-Low (Level 3) signals are initiated from level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low (Level 3) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level-Low (Level 3) Allowable Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1), since isolation of these valves is not critical to orderly plant shutdown.

This Function isolates the Group II(A) valves listed in Reference 1 with the exception of RWCU isolation valves and RHR shutdown cooling pump suction valves which are addressed in Functions 5.c and 6.b, respectively.

2.b. Drywell Pressure-High

High drywell pressure can indicate a break in the RCPB inside the primary containment. The isolation of some of the primary containment isolation valves on high drywell pressure supports actions to ensure that offsite dose limits of 10 CFR 100 are not exceeded. The Drywell Pressure-High Function, associated with isolation of the primary containment, is implicitly assumed in the UFSAR accident analysis as these leakage paths are assumed to be isolated post LOCA.

High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Four channels of Drywell Pressure-High are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value was selected to be the same as the ECCS Drywell Pressure-High Allowable Value (LCO 3.3.5.1), since this may be indicative of a LOCA inside primary containment.

This Function isolates the Group II(B) valves listed in Reference 1.

2.c. Main Stack Monitor Radiation-High

Main stack monitor radiation is an indication that the release of radioactive material may exceed established limits. Therefore, when Main Stack Monitor Radiation-High is detected when there is flow through the Standby Gas Treatment System, an isolation of primary containment purge supply and exhaust penetrations is initiated to limit the release of fission products. However, this Function is not assumed in any accident or transient analysis in the UFSAR because other leakage paths (e.g., MSIVs) are more limiting.

The drywell radiation signals are initiated from radiation detectors that isokinetically sample the main stack utilizing sample pumps. Two channels of Main Stack Radiation-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value is set below the maximum allowable release limit in accordance with the Offsite Dose Calculation Manual (ODCM).

This Function isolates the containment vent and purge valves and other Group III(E) valves listed in Reference 1.

2.d., 2.e. Reactor Building Ventilation and Refueling Floor Ventilation Exhaust Radiation-High

High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding. The release may have originated from the primary containment due to a break in the RCPB. When Reactor Building or Refueling Floor Ventilation Exhaust Radiation-High is detected, the affected ventilation pathway and primary containment purge supply and exhaust valves are isolated to limit the release of fission products. Additionally, Ventilation Exhaust Radiation-High Function initiates Standby Gas Treatment System.

PBAPS UNIT 3 B 3.3-152 Revision No. 22

The Ventilation Exhaust Radiation-High signals are initiated from radiation detectors that are located on the ventilation exhaust piping coming from the reactor building and the refueling floor zones, respectively. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel. Four channels of Reactor Building Ventilation Exhaust-High Function and four channels of Refueling Floor Ventilation Exhaust-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Values are chosen to promptly detect gross failure of the fuel cladding during a refueling accident.

These Functions isolate the Group III(C) and III(D) valves listed in Reference 1.

High Pressure Coolant Injection and Reactor Core Isolation Cooling Systems Isolation

3.a., 3.b., 4.a., 4.b. HPCI and RCIC Steam Line Flow-High and Time Delay Relays

Steam Line Flow-High Functions are provided to detect a break of the RCIC or HPCI steam lines and initiate closure of the steam line isolation valves of the appropriate system. If the steam is allowed to continue flowing out of the break, the reactor will depressurize and the core can uncover. Therefore, the isolations are initiated on high flow to prevent or minimize core damage. The isolation action, along with the scram function of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Specific credit for these Functions is not assumed in any UFSAR accident analyses since the bounding analysis is performed for large breaks such as recirculation and MSL breaks. However, these instruments prevent the RCIC or HPCI steam line breaks from becoming bounding.

The HPCI and RCIC Steam Line Flow-High signals are initiated from transmitters (two for HPCI and two for RCIC) that are connected to the system steam lines. A time delay is provided to prevent isolation due to high flow transients during startup with one Time Delay Relay channel associated with each Steam Line Flow-High channel. Two channels of both HPCI and RCIC Steam Line Flow-High Functions and the associated Time Delay Relays are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Values for Steam Line Flow-High Function and associated Time Delay Relay Function are chosen to be low enough to ensure that the trip occurs to maintain the MSLB event as the bounding event.

These Functions isolate the associated HPCI and RCIC steam supply and turbine exhaust valves and pump suction valves.

3.c., 4.c. HPCI and RCIC Steam Supply Line Pressure-Low

Low MSL pressure indicates that the pressure of the steam in the HPCI or RCIC turbine may be too low to continue operation of the associated system's turbine. These isolations prevent radioactive gases and steam from escaping through the pump shaft seals into the reactor building but are primarily for equipment protection and are also assumed for long term containment isolation. However, they also provide a diverse signal to indicate a possible system break. These instruments are included in Technical Specifications (TS) because of the potential for risk due to possible failure of the instruments preventing HPCI and RCIC initiations (Ref. 4).

The HPCI and RCIC Steam Supply Line Pressure-Low signals are initiated from transmitters (four for HPCI and four for RCIC) that are connected to the system steam line. Four channels of both HPCI and RCIC Steam Supply Line Pressure-Low Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Values are selected to be high enough to prevent damage to the system's turbine.

These Functions isolate the associated HPCI and RCIC steam supply and turbine exhaust valves and pump suction valves.

3.d., 4.d. Drywell Pressure-High (Vacuum Breakers)

High drywell pressure can indicate a break in the RCPB. The HPCI and RCIC isolation of the turbine exhaust vacuum breakers is provided to prevent communication with the drywell when high drywell pressure exists. The HPCI and RCIC turbine exhaust vacuum breaker isolation occurs following a permissive from the associated Steam Supply Line Pressure-Low Function which indicates that the system is no longer required or capable of performing coolant injection.

The isolation of the HPCI and RCIC turbine exhaust vacuum breakers by Drywell Pressure-High is indirectly assumed in the UFSAR accident analysis because the turbine exhaust leakage path is not assumed to contribute to offsite doses.

High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Four channels for both HPCI and RCIC Drywell Pressure-High (Vacuum Breakers) Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value was selected to be the same as the ECCS Drywell Pressure-High Allowable Value (LCO 3.3.5.1), since this is indicative of a LOCA inside primary containment.

This Function isolates the associated HPCI and RCIC vacuum relief valves and test return line valves.

3.e., 4.e. HPCI and RCIC Compartment and Steam Line Area Temperature-High

HPCI and RCIC Compartment and Steam Line Area temperatures are provided to detect a leak from the associated system steam piping. The isolation occurs when a very small leak has occurred and is diverse to the high flow instrumentation. If the small leak is allowed to continue without isolation, offsite dose limits may be reached.

These Functions are not assumed in any UFSAR transient or accident analysis, since bounding analyses are performed for large breaks such as recirculation or MSL breaks.

HPCI and RCIC Compartment and Steam Line Area Temperature-High signals are initiated from resistance temperature detectors (RTDs) that are appropriately located to protect the system that is being monitored. The HPCI and RCIC Compartment and Steam Line Area Temperature-High Functions each use 16 temperature channels. Sixteen channels for each HPCI and RCIC Compartment and Steam Line Area Temperature-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Values are set low enough to detect a leak.

These Functions isolate the associated HPCI and RCIC steam supply and turbine exhaust valves and pump suction valves.

Reactor Water Cleanup (RWCU) System Isolation

5.a. RWCU Flow-High

The high flow signal is provided to detect a break in the RWCU System. Should the reactor coolant continue to flow out of the break, offsite dose limits may be exceeded. Therefore, isolation of the RWCU System is initiated when high RWCU flow is sensed to prevent exceeding offsite doses.

This Function is not assumed in any UFSAR transient or accident analysis, since bounding analyses are performed for large breaks such as MSLBs.


PBAPS UNIT 3 B 3.3-156 Revision No. 34

The high RWCU flow signals are initiated from transmitters that are connected to the pump suction line of the RWCU System. Two channels of RWCU Flow-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The RWCU Flow-High Allowable Value ensures that a break of the RWCU piping is detected.

This Function isolates the inboard and outboard RWCU pump suction penetration and the outboard valve at the RWCU connection to reactor feedwater.

5.b. Standby Liquid Control (SLC) System Initiation

The isolation of the RWCU System is required when the SLC System has been initiated to prevent dilution and removal of the boron solution by the RWCU System (Ref. 5). SLC System initiation signals are initiated from the remote SLC System start switch.

There is no Allowable Value associated with this Function since the channels are mechanically actuated based solely on the position of the SLC System initiation switch.

Two channels of the SLC System Initiation Function are available and are required to be OPERABLE only in MODES 1 and 2, since these are the only MODES where the reactor can be critical, and these MODES are consistent with the Applicability for the SLC System (LCO 3.1.7).

This Function isolates the inboard and outboard RWCU pump suction penetration and the outboard valve at the RWCU connection to reactor feedwater.

5.c. Reactor Vessel Water Level-Low (Level 3)

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some interfaces with the reactor vessel occurs to isolate the potential sources of a break. The isolation of the RWCU System on Level 3 supports actions to ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Vessel Water Level-Low (Level 3) Function associated with RWCU isolation is not directly assumed in the UFSAR safety analyses because the RWCU System line break is bounded by breaks of larger systems (recirculation and MSL breaks are more limiting).

Reactor Vessel Water Level-Low (Level 3) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low (Level 3) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level-Low (Level 3) Allowable Value was chosen to be the same as the RPS Reactor Vessel Water Level-Low (Level 3) Allowable Value (LCO 3.3.1.1), since the capability to cool the fuel may be threatened.

This Function isolates the inboard and outboard RWCU suction penetration and the outboard valve at the RWCU connection to reactor feedwater.

Shutdown Cooling System Isolation

6.a. Reactor Pressure-High

The Reactor Pressure-High Function is provided to isolate the shutdown cooling portion of the Residual Heat Removal (RHR) System. This Function is provided only for equipment protection to prevent an intersystem LOCA scenario, and credit for the Function is not assumed in the accident or transient analysis in the UFSAR.

The Reactor Pressure-High signals are initiated from two switches that are connected to different taps on the RPV. Two channels of Reactor Pressure-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Function is only required to be OPERABLE in MODES 1, 2, and 3, since these are the only MODES in which the reactor can be pressurized; thus, equipment protection is needed. The Allowable Value was chosen to be low enough to protect the system equipment from overpressurization.

This Function isolates both RHR shutdown cooling pump suction valves.

6.b. Reactor Vessel Water Level-Low (Level 3)

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some reactor vessel interfaces occurs to begin isolating the potential sources of a break. The Reactor Vessel Water Level-Low (Level 3) Function associated with RHR Shutdown Cooling System isolation is not directly assumed in safety analyses because a break of the RHR Shutdown Cooling System is bounded by breaks of the recirculation and MSL. The RHR Shutdown Cooling System isolation on Level 3 supports actions to ensure that the RPV water level does not drop below the top of the active fuel during a vessel draindown event caused by a leak (e.g., pipe break or inadvertent valve opening) in the RHR Shutdown Cooling System.

Reactor Vessel Water Level-Low (Level 3) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels (two channels per trip system) of the Reactor Vessel Water Level-Low (Level 3) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. As noted (footnote (a) to Table 3.3.6.1-1), only one channel per trip system (with an isolation signal available to one shutdown cooling pump suction isolation valve) of the Reactor Vessel Water Level-Low (Level 3) Function is required to be OPERABLE in MODES 4 and 5, provided the RHR Shutdown Cooling System integrity is maintained. System integrity is maintained provided the piping is intact and no maintenance is being performed that has the potential for draining the reactor vessel through the system.

The Reactor Vessel Water Level-Low (Level 3) Allowable Value was chosen to be the same as the RPS Reactor Vessel Water Level-Low (Level 3) Allowable Value (LCO 3.3.1.1), since the capability to cool the fuel may be threatened.

The Reactor Vessel Water Level-Low (Level 3) Function is only required to be OPERABLE in MODES 3, 4, and 5 to prevent this potential flow path from lowering the reactor vessel level to the top of the fuel. In MODES 1 and 2, another isolation (i.e., Reactor Pressure-High) and administrative controls ensure that this flow path remains isolated to prevent unexpected loss of inventory via this flow path.

This Function isolates both RHR shutdown cooling pump suction valves.

Feedwater Recirculation Isolation

7.a. Reactor Pressure-High

The Reactor Pressure-High Function is provided to isolate the feedwater recirculation line. This interlock is provided only for equipment protection to prevent an intersystem LOCA scenario, and credit for the interlock is not assumed in the accident or transient analysis in the UFSAR.

The Reactor Pressure-High signals are initiated from four transmitters that are connected to different taps on the RPV. Four channels of Reactor Pressure-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Function is only required to be OPERABLE in MODES 1, 2, and 3, since these are the only MODES in which the reactor can be pressurized; thus, equipment protection is needed. The Allowable Value was chosen to be low enough to protect the system equipment from overpressurization.

This Function isolates the feedwater recirculation valves.

ACTIONS

A Note has been provided to modify the ACTIONS related to primary containment isolation instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable primary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable primary containment isolation instrumentation channel.

A.1

Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours for Functions 1.d, 2.a, and 2.b and 24 hours for Functions other than Functions 1.d, 2.a, and 2.b has been shown to be acceptable (Refs. 6 and 7) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation), Condition C must be entered and its Required Action taken.

B.1

Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant isolation capability being lost for the associated penetration flow path(s). For those MSL, Primary Containment, HPCI, RCIC, RWCU, SDC, and Feedwater Recirculation Isolation Functions, where actuation of both trip systems is needed to isolate a penetration, the Functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip (or the associated trip system in trip), such that both trip systems will generate a trip signal from the given Function on a valid signal. For those Primary Containment, HPCI, RCIC, RWCU, and SDC isolation functions, where actuation of one trip system is needed to isolate a penetration, the Functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate a trip signal from the given function on a valid signal. This ensures that at least one of the PCIVs in the associated penetration flow path can receive an isolation signal from the given Function. For all Functions except 1.c, 1.e, 2.c, 3.a, 3.b, 3.e, 4.a, 4.b, 4.e, 5.a, 5.b, and 6.a, this would require both trip systems to have one channel OPERABLE or in trip.

For Function 1.c, this would require both trip systems to have one channel, associated with each MSL, OPERABLE or in trip. For Functions 1.e, 3.e and 4.e, each Function consists of channels that monitor several locations within a given area (e.g., different locations within the main steam tunnel area). Therefore, this would require both trip systems to have one channel per location OPERABLE or in trip. For Functions 2.c, 3.a, 3.b, 4.a, 4.b, 5.a, and 6.a, this would require one trip system to have one channel OPERABLE or in trip.
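The isolation-capability rules stated above for Required Action B.1 can be written as a small check over channel states. This is an added example, not part of the Bases or of any plant software; the trip system labels "A" and "B", the MSL names, and the assignment of one Function 2.c channel to each trip system are assumptions made for the sample data.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional


class State(Enum):
    OPERABLE = "OPERABLE"
    IN_TRIP = "inoperable, placed in trip"
    UNTRIPPED = "inoperable, untripped"


@dataclass(frozen=True)
class Channel:
    function: str                 # Function number from the Bases, e.g. "1.c"
    trip_system: str              # "A" or "B" (labels assumed for this example)
    state: State = State.OPERABLE
    group: Optional[str] = None   # MSL or monitored location, where the rule needs one


TRIP_SYSTEMS = ("A", "B")
# Rule categories transcribed from the B.1 text.
PER_MSL = {"1.c"}
PER_LOCATION = {"1.e", "3.e", "4.e"}
ONE_TRIP_SYSTEM = {"2.c", "3.a", "3.b", "4.a", "4.b", "5.a", "6.a"}
NO_RULE_STATED = {"5.b"}          # excluded from the general rule; no count is given


def covered(channels, trip_system, group=None):
    """True if the trip system has a channel (within group, if given) OPERABLE or in trip."""
    return any(
        c.trip_system == trip_system
        and c.state is not State.UNTRIPPED
        and (group is None or c.group == group)
        for c in channels
    )


def maintains_isolation_capability(function, channels):
    """Apply the B.1 rule for one Function to the listed channels.

    A whole trip system placed in trip is not modelled separately; represent it
    by marking that trip system's channels IN_TRIP.
    """
    chans = [c for c in channels if c.function == function]
    if function in NO_RULE_STATED:
        raise ValueError(f"the B.1 text states no channel count for Function {function}")
    if function in ONE_TRIP_SYSTEM:
        return any(covered(chans, ts) for ts in TRIP_SYSTEMS)
    if function in PER_MSL | PER_LOCATION:
        groups = {c.group for c in chans}
        return bool(groups) and all(
            covered(chans, ts, g) for ts in TRIP_SYSTEMS for g in groups
        )
    # General rule: both trip systems need one channel OPERABLE or in trip.
    return all(covered(chans, ts) for ts in TRIP_SYSTEMS)


def build(function, per_trip_system, groups=(None,)):
    """Constructed sample data: all channels OPERABLE, ordered group, trip system, index."""
    return [
        Channel(function, ts, State.OPERABLE, g)
        for g in groups
        for ts in TRIP_SYSTEMS
        for _ in range(per_trip_system)
    ]


def with_state(channels, indices, state):
    """Return a copy of the channel list with the given positions set to state."""
    return [replace(c, state=state) if i in indices else c for i, c in enumerate(channels)]


MSLS = ("MSL-A", "MSL-B", "MSL-C", "MSL-D")   # constructed names


def demo():
    # Function 1.c: 16 channels, four per MSL, two per trip system (as stated in the Bases).
    flow = build("1.c", 2, MSLS)
    lost = with_state(flow, {8, 9}, State.UNTRIPPED)     # both trip system A channels on MSL-C
    tripped = with_state(lost, {8}, State.IN_TRIP)       # one of them placed in trip
    # Function 2.c: two channels, one per trip system (assumed assignment).
    stack = with_state(build("2.c", 1), {0}, State.UNTRIPPED)
    return {
        "1.c all OPERABLE": maintains_isolation_capability("1.c", flow),
        "1.c MSL-C lost in trip system A": maintains_isolation_capability("1.c", lost),
        "1.c one channel placed in trip": maintains_isolation_capability("1.c", tripped),
        "2.c one channel untripped": maintains_isolation_capability("2.c", stack),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: isolation capability {'maintained' if ok else 'LOST'}")
```

The per-MSL case shows why counting OPERABLE channels alone is not enough: 14 of 16 Function 1.c channels remain OPERABLE, yet isolation capability is lost because one trip system can no longer see a break in one MSL.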

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.


Entry into Condition B and Required Action B.1 may be necessary to avoid an MSL isolation transient when recovering from a temporary loss of ventilation in the main steam line tunnel area. As allowed by LCO 3.0.2 (and discussed in the Bases of LCO 3.0.2), the plant may intentionally enter this Condition to avoid an MSL isolation transient during the restoration of ventilation flow, and then raise the setpoints for the Main Steam Tunnel Temperature-High Function to 250°F causing all channels of Main Steam Tunnel Temperature-High Function to be inoperable. However, during the period that multiple Main Steam Tunnel Temperature-High Function channels are inoperable due to this intentional action, an additional compensatory measure is deemed necessary and shall be taken: an operator shall observe control room indications of the duct temperature so the main steam line isolation valves may be promptly closed in the event of a rapid increase in MSL tunnel temperature indicative of a steam line break.

C.1

Required Action C.1 directs entry into the appropriate Condition referenced in Table 3.3.6.1-1. The applicable Condition specified in Table 3.3.6.1-1 is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A or B and the associated Completion Time has expired, Condition C will be entered for that channel and provides for transfer to the appropriate subsequent Condition.

D.1, D.2.1, and D.2.2

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours and in MODE 4 within 36 hours (Required Actions D.2.1 and D.2.2). Alternately, the associated MSLs may be isolated (Required Action D.1), and, if allowed (i.e., plant safety analysis allows operation with an MSL isolated), operation with that MSL isolated may continue. Isolating the affected MSL accomplishes the safety function of the inoperable channel.

The Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

E.1

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 2 within 6 hours.

The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 2 from full power conditions in an orderly manner and without challenging plant systems.

F.1

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, plant operations may continue if the affected penetration flow path(s) is isolated. Isolating the affected penetration flow path(s) accomplishes the safety function of the inoperable channels.

Alternately, if it is not desired to isolate the affected penetration flow path(s) (e.g., as in the case where isolating the penetration flow path(s) could result in a reactor scram), Condition G must be entered and its Required Actions taken. The 1 hour Completion Time is acceptable because it minimizes risk while allowing sufficient time for plant operations personnel to isolate the affected penetration flow path(s).

G.1 and G.2

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, or the Required Action of Condition F is not met and the associated Completion Time has expired, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

H.1 and H.2

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated SLC subsystem(s) is declared inoperable or the RWCU System is isolated. Since this Function is required to ensure that the SLC System performs its intended function, sufficient remedial measures are provided by declaring the associated SLC subsystems inoperable or isolating the RWCU System.

The 1 hour Completion Time is acceptable because it minimizes risk while allowing sufficient time for personnel to isolate the RWCU System.

I.1 and I.2

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated penetration flow path should be closed. However, if the shutdown cooling function is needed to provide core cooling, these Required Actions allow the penetration flow path to remain unisolated provided action is immediately initiated to restore the channel to OPERABLE status or to isolate the RHR Shutdown Cooling System (i.e., provide alternate decay heat removal capabilities so the penetration flow path can be isolated). Actions must continue until the channel is restored to OPERABLE status or the RHR Shutdown Cooling System is isolated.

SURVEILLANCE REQUIREMENTS

As noted at the beginning of the SRs, the SRs for each Primary Containment Isolation instrumentation Function are found in the SRs column of Table 3.3.6.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 6 and 7) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the PCIVs will isolate the penetration flow path(s) when necessary.

SR 3.3.6.1.1

Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.6.1.2

A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The 92 day Frequency of SR 3.3.6.1.2 is based on the reliability analysis described in Reference 7.

SR 3.3.6.1.3, SR 3.3.6.1.4, SR 3.3.6.1.5, and SR 3.3.6.1.6

A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the assumptions of the current setpoint methodology. SR 3.3.6.1.6, however, is only a calibration of the radiation detectors using a standard radiation source.

As noted for SR 3.3.6.1.3, the main steam line radiation detectors (Function 1.d) are excluded from CHANNEL CALIBRATION due to ALARA reasons (when the plant is operating, the radiation detectors are generally in a high radiation area; the steam tunnel). This exclusion is acceptable because the radiation detectors are passive devices, with minimal drift. The radiation detectors are calibrated in accordance with SR 3.3.6.1.6 on a 24 month Frequency.

The 92 day Frequency of SR 3.3.6.1.3 is conservative with respect to the magnitude of equipment drift assumed in the setpoint analysis. The Frequency of SR 3.3.6.1.4 is based on the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. The Frequencies of SR 3.3.6.1.5 and SR 3.3.6.1.6 are based on the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

PBAPS UNIT 3 B 3.3-167 Revision No. 22

SR 3.3.6.1.7

The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on PCIVs in LCO 3.6.1.3 overlaps this Surveillance to provide complete testing of the assumed safety function.

While this Surveillance can be performed with the reactor at power for some of the Functions, operating experience has shown these components will pass the Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was found to be acceptable from a reliability standpoint.

REFERENCES

1. UFSAR, Section 7.3.
2. NRC Safety Evaluation Report for Amendment Numbers 156 and 158 to Facility Operating License Numbers DPR-44 and DPR-56, Peach Bottom Atomic Power Station, Unit Nos. 2 and 3, September 7, 1990.
3. UFSAR, Chapter 14.
4. NEDO-31466, "Technical Specification Screening Criteria Application and Risk Assessment," November 1987.
5. UFSAR, Section 4.9.3.
6. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990.
7. NEDC-30851P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.

Secondary Containment Isolation Instrumentation B 3.3.6.2

B 3.3 INSTRUMENTATION

B 3.3.6.2 Secondary Containment Isolation Instrumentation

BASES

BACKGROUND

The secondary containment isolation instrumentation automatically initiates closure of appropriate secondary containment isolation valves (SCIVs) and starts the Standby Gas Treatment (SGT) System. The function of these systems, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) (Ref. 1).

Secondary containment isolation and establishment of vacuum with the SGT System within the required time limits ensures that fission products that leak from primary containment following a DBA, or are released outside primary containment, or are released during certain operations when primary containment is not required to be OPERABLE are maintained within applicable limits.

The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of secondary containment isolation. Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a secondary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logic are (1) reactor vessel water level, (2) drywell pressure, (3) reactor building ventilation exhaust high radiation, and (4) refueling floor ventilation exhaust high radiation.

Redundant sensor input signals from each parameter are provided for initiation of isolation.

The outputs of the channels are arranged in a one-out-of-two taken twice logic. Automatic isolation valves (dampers) isolate and SGT subsystems start when both trip systems are in trip. Operation of both trip systems is required to isolate the secondary containment and provide for the necessary filtration of fission products.

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY

The isolation signals generated by the secondary containment isolation instrumentation are implicitly assumed in the safety analyses of References 1 and 2 to initiate closure of valves and start the SGT System to limit offsite doses.

Refer to LCO 3.6.4.2, "Secondary Containment Isolation Valves (SCIVs)," and LCO 3.6.4.3, "Standby Gas Treatment (SGT) System," Applicable Safety Analyses Bases for more detail of the safety analyses.

The secondary containment isolation instrumentation satisfies Criterion 3 of the NRC Policy Statement. Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the secondary containment isolation instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have the required number of OPERABLE channels with their setpoints set within the specified Allowable Values, as shown in Table 3.3.6.2-1. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. A channel is inoperable if its actual trip setting is not within its required Allowable Value.

Allowable Values are specified for each Function specified in the Table. Trip setpoints are specified in the setpoint calculations. The trip setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic or design limits are derived from the limiting values of the process parameters obtained from the safety analysis or other appropriate documents. The Allowable Values are derived from the analytic or design limits, corrected for calibration, process, and instrument errors. The trip setpoints are then determined from analytical or design limits, corrected for calibration, process, and instrument errors, as well as instrument drift. In selected cases, the Allowable Values and trip setpoints are determined by engineering judgement or historically accepted practice relative to the intended function of the channel. The trip setpoints determined in this manner provide adequate protection by assuring instrument and process uncertainties expected for the environments during the operating time of the associated channels are accounted for.

In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions when SCIVs and the SGT System are required.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. Reactor Vessel Water Level-Low (Level 3)

Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result.

An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The Reactor Vessel Water Level-Low (Level 3) Function is one of the Functions assumed to be OPERABLE and capable of providing isolation and initiation signals. The isolation and initiation systems on Reactor Vessel Water Level-Low (Level 3) support actions to ensure that any offsite releases are within the limits calculated in the safety analysis.

Reactor Vessel Water Level-Low (Level 3) signals are initiated from level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low (Level 3) Function are available and are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level-Low (Level 3) Allowable Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1), since isolation of these valves and SGT System start are not critical to orderly plant shutdown.

The Reactor Vessel Water Level-Low (Level 3) Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the Reactor Coolant System (RCS); thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, this Function is not required. In addition, the Function is also required to be OPERABLE during operations with a potential for draining the reactor vessel (OPDRVs) because the capability of isolating potential sources of leakage must be provided to ensure that offsite dose limits are not exceeded if core damage occurs.

2. Drywell Pressure-High

High drywell pressure can indicate a break in the reactor coolant pressure boundary (RCPB). An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The isolation on high drywell pressure supports actions to ensure that any offsite releases are within the limits calculated in the safety analysis. The Drywell Pressure-High Function associated with isolation is not assumed in any UFSAR accident or transient analyses but will provide an isolation and initiation signal. It is retained for the overall redundancy and diversity of the secondary containment isolation instrumentation as required by the NRC approved licensing basis.

High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Four channels of Drywell Pressure-High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude performance of the isolation function.

The Allowable Value was chosen to be the same as the ECCS Drywell Pressure-High Function Allowable Value (LCO 3.3.5.1) since this is indicative of a loss of coolant accident (LOCA).

The Drywell Pressure-High Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the RCS; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. This Function is not required in MODES 4 and 5 because the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES.

3., 4. Reactor Building Ventilation and Refueling Floor Ventilation Exhaust Radiation-High

High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding. The release may have originated from the primary containment due to a break in the RCPB or during refueling due to a fuel handling accident. When Ventilation Exhaust Radiation-High is detected, secondary containment isolation and actuation of the SGT System are initiated to limit the release of fission products as assumed in the UFSAR safety analyses (Ref. 4).

The Ventilation Exhaust Radiation-High signals are initiated from radiation detectors that are located on the ventilation exhaust piping coming from the reactor building and the refueling floor zones, respectively. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel. Four channels of Reactor Building Ventilation Exhaust Radiation-High Function and four channels of Refueling Floor Ventilation Exhaust Radiation-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Values are chosen to promptly detect gross failure of the fuel cladding.

The Reactor Building Ventilation and Refueling Floor Ventilation Exhaust Radiation-High Functions are required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, these Functions are not required. In addition, the Functions are also required to be OPERABLE during CORE ALTERATIONS, OPDRVs, and movement of irradiated fuel assemblies in the secondary containment, because the capability of detecting radiation releases due to fuel failures (due to fuel uncovery or dropped fuel assemblies) must be provided to ensure that offsite dose limits are not exceeded.

ACTIONS

A Note has been provided to modify the ACTIONS related to secondary containment isolation instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable secondary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable secondary containment isolation instrumentation channel.

A.1

Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours for Functions 1 and 2, and 24 hours for Functions other than Functions 1 and 2, has been shown to be acceptable (Refs. 5 and 6) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation), Condition C must be entered and its Required Actions taken.

B.1

Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of isolation capability for the associated penetration flow path(s) or a complete loss of automatic initiation capability for the SGT System. A Function is considered to be maintaining secondary containment isolation capability when sufficient channels are OPERABLE or in trip, such that both trip systems will generate a trip signal from the given Function on a valid signal. This ensures that at least one of the two SCIVs in the associated penetration flow path and at least one SGT subsystem can be initiated on an isolation signal from the given Function. For Functions 1, 2, 3, and 4, this would require both trip systems to have one channel OPERABLE or in trip.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.
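The one-out-of-two taken twice logic and the B.1 isolation-capability criterion described above, as an added Python model (not part of the original Bases or of any plant software). It assumes two channels per trip system for each Function, which the four-channel, one-out-of-two-taken-twice description implies; the state and function names are illustrative, and a channel "in trip" is modelled as a permanently actuated output.

```python
from enum import Enum
from itertools import product


class Ch(Enum):
    OPERABLE = "operable"      # responds to a valid signal
    INOPERABLE = "inoperable"  # untripped; assumed not to respond
    TRIPPED = "tripped"        # placed in the tripped condition (Required Action A.1)


# Allowable out-of-service time in hours before A.1, per the A.1 Bases text.
A1_HOURS = {1: 12, 2: 12, 3: 24, 4: 24}
B1_HOURS = 1  # Completion Time stated in the B.1 Bases text


def trip_system_trips(channels, valid_signal):
    """One-out-of-two: either channel output actuating trips the trip system."""
    return any(c is Ch.TRIPPED or (c is Ch.OPERABLE and valid_signal)
               for c in channels)


def isolation_actuates(config, valid_signal):
    """Taken twice: SCIVs isolate and SGT starts only when both trip systems trip."""
    return all(trip_system_trips(ts, valid_signal) for ts in config)


def maintains_capability(config):
    """B.1 criterion: each trip system has one channel OPERABLE or in trip."""
    return all(any(c is not Ch.INOPERABLE for c in ts) for ts in config)


def tolerates_single_failure(config):
    """True if a valid signal still isolates after any one OPERABLE channel fails."""
    if not isolation_actuates(config, True):
        return False
    for t, ts in enumerate(config):
        for i, c in enumerate(ts):
            if c is Ch.OPERABLE:
                degraded = [list(x) for x in config]
                degraded[t][i] = Ch.INOPERABLE
                if not isolation_actuates(degraded, True):
                    return False
    return True


def evaluate(function_no, config):
    """Simplified status summary for one Function (Functions 1 to 4)."""
    untripped = sum(c is Ch.INOPERABLE for ts in config for c in ts)
    actions = []
    if untripped:
        actions.append(("A.1", A1_HOURS[function_no]))
    if not maintains_capability(config):
        actions.append(("B.1", B1_HOURS))
    return {
        "actions": actions,
        "isolates_on_valid_signal": isolation_actuates(config, True),
        # True means placing channels in trip has itself caused an isolation,
        # the case the A.1 Bases text routes to Condition C instead.
        "isolated_without_signal": isolation_actuates(config, False),
        "single_failure_tolerant": tolerates_single_failure(config),
    }


def criterion_matches_logic():
    """Check all 81 channel-state combinations: the B.1 wording and the
    simulated response to a valid signal must agree."""
    for a1, a2, b1, b2 in product(list(Ch), repeat=4):
        cfg = ((a1, a2), (b1, b2))
        if maintains_capability(cfg) != isolation_actuates(cfg, True):
            return False
    return True


if __name__ == "__main__":
    O, I, T = Ch.OPERABLE, Ch.INOPERABLE, Ch.TRIPPED
    # Constructed channel configurations: (trip system A, trip system B).
    cases = {
        "all operable": ((O, O), (O, O)),
        "one untripped inoperable": ((I, O), (O, O)),
        "same channel placed in trip": ((T, O), (O, O)),
        "both channels of one trip system lost": ((I, I), (O, O)),
        "one channel tripped in each trip system": ((T, O), (T, O)),
    }
    for label, cfg in cases.items():
        print(label, evaluate(1, cfg))
    print("B.1 criterion matches logic:", criterion_matches_logic())
```

The second and third cases show why the A.1 text says tripping the channel restores the capability to accommodate a single failure: with the channel left untripped, one more failure in the same trip system defeats the isolation.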

C.1.1, C.1.2, C.2.1, and C.2.2

If any Required Action and associated Completion Time of Condition A or B are not met, the ability to isolate the secondary containment and start the SGT System cannot be ensured. Therefore, further actions must be performed to ensure the ability to maintain the secondary containment function. Isolating the associated secondary containment penetration flow path(s) and starting the associated SGT subsystem (Required Actions C.1.1 and C.2.1) performs the intended function of the instrumentation and allows operation to continue.

Alternately, declaring the associated SCIVs or SGT subsystem(s) inoperable (Required Actions C.1.2 and C.2.2) is also acceptable since the Required Actions of the respective LCOs (LCO 3.6.4.2 and LCO 3.6.4.3) provide appropriate actions for the inoperable components.

One hour is sufficient for plant operations personnel to establish required plant conditions or to declare the associated components inoperable without unnecessarily challenging plant systems.

SURVEILLANCE REQUIREMENTS

As noted at the beginning of the SRs, the SRs for each Secondary Containment Isolation instrumentation Function are located in the SRs column of Table 3.3.6.2-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains secondary containment isolation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

This Note is based on the reliability analysis (Refs. 5 and 6) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the SCIVs will isolate the associated penetration flow paths and that the SGT System will initiate when necessary.

SR 3.3.6.2.1

Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with channels required by the LCO.

SR 3.3.6.2.2

A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Frequency of 92 days for SR 3.3.6.2.2 is based on the reliability analysis of References 5 and 6.

SR 3.3.6.2.3 and SR 3.3.6.2.4

A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the current plant specific setpoint methodology.

The Frequencies of SR 3.3.6.2.3 and SR 3.3.6.2.4 are based on the assumption of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.6.2.5

The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on SCIVs and the SGT System in LCO 3.6.4.2 and LCO 3.6.4.3, respectively, overlaps this Surveillance to provide complete testing of the assumed safety function.

While this Surveillance can be performed with the reactor at power for some of the Functions, operating experience has shown that these components will pass the Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was found to be acceptable from a reliability standpoint.

(continued)

B 3.3-178 Revision No. 3 PBAPS UNIT 3

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES (continued)

REFERENCES 1. UFSAR, Section 14.6.

2. UFSAR, Chapter 14.
3. UFSAR, Section 14.6.5.
4. UFSAR, Sections 14.6.3 and 14.6.4.
5. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation,"

July 1990.

6. NEDC-30851P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.


B 3.3 INSTRUMENTATION

B 3.3.7.1 Main Control Room Emergency Ventilation (MCREV) System Instrumentation

BASES

BACKGROUND

The MCREV System is designed to provide a radiologically controlled environment to ensure the habitability of the control room for the safety of control room operators under all plant conditions. Two independent MCREV subsystems are each capable of fulfilling the stated safety function. The instrumentation and controls for the MCREV System automatically initiate action to pressurize the main control room (MCR) to minimize the consequences of radioactive material in the control room environment.

In the event of a Control Room Air Intake Radiation-High signal, the MCREV System is automatically started in the pressurization mode. The outside air from the normal ventilation intake is then passed through one of the charcoal filter subsystems. Sufficient outside air is drawn in through the normal ventilation intake to maintain the MCR slightly pressurized with respect to the turbine building.

The MCREV System instrumentation has two trip systems with two Control Room Air Intake Radiation-High channels in each trip system. The outputs of the Control Room Air Intake Radiation-High channels are arranged in two trip systems, which use a one-out-of-two logic. The tripping of both trip systems will initiate both MCREV subsystems. The channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a MCREV System initiation signal to the initiation logic.

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY

The ability of the MCREV System to maintain the habitability of the MCR is explicitly assumed for certain accidents as discussed in the UFSAR safety analyses (Refs. 1, 2, and 3). MCREV System operation ensures that the radiation exposure of control room personnel, through the duration of any one of the postulated accidents, does not exceed acceptable limits.

MCREV System instrumentation satisfies Criterion 3 of the NRC Policy Statement.

The OPERABILITY of the MCREV System instrumentation is dependent upon the OPERABILITY of the Control Room Air Intake Radiation-High instrumentation channel Function.

The Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setting is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Allowable Values are specified for the MCREV System Control Room Air Intake Radiation-High Function. Trip setpoints are specified in the setpoint calculations. The trip setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., control room air intake radiation), and when the measured output value of the process parameter exceeds the setpoint, the associated device changes state.

The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis.

The Allowable Values are derived from the analytic limits, corrected for calibration, process, and instrument errors.

The trip setpoints are determined from analytical or design limits, corrected for calibration, process, and instrument errors, as well as instrument drift. The trip setpoints derived in this manner provide adequate protection by ensuring instrument and process uncertainties expected for the environments during the operating time of the associated channels are accounted for.

The control room air intake radiation monitors measure radiation levels in the fresh air supply plenum. A high radiation level may pose a threat to MCR personnel; thus, automatically initiating the MCREV System.

The Control Room Air Intake Radiation-High Function consists of four independent monitors. Two channels of Control Room Air Intake Radiation-High per trip system are available and are required to be OPERABLE to ensure that no single instrument failure can preclude MCREV System initiation. The Allowable Value was selected to ensure protection of the control room personnel.

The Control Room Air Intake Radiation-High Function is required to be OPERABLE in MODES 1, 2, and 3 and during CORE ALTERATIONS, OPDRVs, and movement of irradiated fuel assemblies in the secondary containment, to ensure that control room personnel are protected during a LOCA, fuel handling event, or vessel draindown event. During MODES 4 and 5, when these specified conditions are not in progress (e.g., CORE ALTERATIONS), the probability of a LOCA or fuel damage is low; thus, the Function is not required.

ACTIONS

A Note has been provided to modify the ACTIONS related to MCREV System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable MCREV System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable MCREV System instrumentation channel.

A.1 and A.2

Because of the redundancy of sensors available to provide initiation signals and the redundancy of the MCREV System design, an allowable out of service time of 6 hours has been shown to be acceptable (Ref. 4), to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the Control Room Air Intake Radiation-High Function is still maintaining MCREV System initiation capability. The Function is considered to be maintaining MCREV System initiation capability when sufficient channels are OPERABLE or in trip such that the two trip systems will generate an initiation signal from the given Function on a valid signal.

For the Control Room Air Intake Radiation-High Function, this would require the two trip systems to have one channel per trip system OPERABLE or in trip. In this situation (loss of MCREV System initiation capability), the 6 hour allowance of Required Action A.2 is not appropriate. If the Function is not maintaining MCREV System initiation capability, the MCREV System must be declared inoperable within 1 hour of discovery of the loss of MCREV System initiation capability in both trip systems.

The 1 hour Completion Time (A.1) is acceptable because it minimizes risk while allowing time for restoring or tripping of channels.

If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition B must be entered and its Required Action taken.
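The channel and trip-system arrangement described in the Background and in the discussion of Required Actions A.1 and A.2 can be modelled directly. The following Python sketch is an added illustration, not part of the Bases or of any plant software; the state names, the function names and the simplified mapping onto "A.1"/"A.2" are assumptions made here.

```python
from enum import Enum
from itertools import product


class Ch(Enum):
    OPERABLE = "operable"      # responds to a valid high-radiation signal
    TRIPPED = "tripped"        # placed in trip: output relay already actuated
    INOPERABLE = "inoperable"  # untripped and unable to respond


def trip_system_trips(channels, valid_signal):
    """One-out-of-two logic: either channel output trips the trip system."""
    return any(
        c is Ch.TRIPPED or (c is Ch.OPERABLE and valid_signal) for c in channels
    )


def initiates(ts_a, ts_b, valid_signal):
    """Both trip systems must trip to initiate both MCREV subsystems."""
    return trip_system_trips(ts_a, valid_signal) and trip_system_trips(
        ts_b, valid_signal
    )


def initiation_capability(ts_a, ts_b):
    """Capability is maintained when a valid signal still produces initiation,
    i.e. each trip system has at least one channel OPERABLE or in trip."""
    return initiates(ts_a, ts_b, valid_signal=True)


def spurious_initiation(ts_a, ts_b):
    """True when channels placed in trip initiate the system with no signal."""
    return initiates(ts_a, ts_b, valid_signal=False)


def single_failure_tolerant(ts_a, ts_b):
    """True if initiation survives the loss of any one OPERABLE channel.
    Assumption: a channel already in trip cannot fail to the untripped state."""
    channels = list(ts_a) + list(ts_b)
    for i, state in enumerate(channels):
        if state is not Ch.OPERABLE:
            continue
        degraded = channels.copy()
        degraded[i] = Ch.INOPERABLE
        if not initiates(degraded[:2], degraded[2:], valid_signal=True):
            return False
    return initiation_capability(ts_a, ts_b)


def required_action(ts_a, ts_b):
    """Simplified reading of the text above (assumption, not the LCO wording):
    'A.1' = capability lost, declare MCREV System inoperable within 1 hour;
    'A.2' = capability maintained, restore or place channel in trip in 6 hours."""
    if Ch.INOPERABLE not in list(ts_a) + list(ts_b):
        return "none"
    if not initiation_capability(ts_a, ts_b):
        return "A.1"
    return "A.2"


def states_with_capability():
    """Count the channel-state combinations that keep initiation capability."""
    return sum(
        1
        for combo in product(Ch, repeat=4)
        if initiation_capability(combo[:2], combo[2:])
    )


if __name__ == "__main__":
    OP, TR, INOP = Ch.OPERABLE, Ch.TRIPPED, Ch.INOPERABLE
    # Constructed cases: (trip system A channels, trip system B channels)
    cases = {
        "all operable": ((OP, OP), (OP, OP)),
        "one channel inoperable": ((INOP, OP), (OP, OP)),
        "that channel placed in trip": ((TR, OP), (OP, OP)),
        "both channels of A inoperable": ((INOP, INOP), (OP, OP)),
        "one channel in trip in each system": ((TR, OP), (TR, OP)),
    }
    for label, (a, b) in cases.items():
        print(
            f"{label:36s} capability={initiation_capability(a, b)!s:5s} "
            f"single-failure-tolerant={single_failure_tolerant(a, b)!s:5s} "
            f"spurious={spurious_initiation(a, b)!s:5s} "
            f"action={required_action(a, b)}"
        )
```

The second and third cases show why placing the inoperable channel in trip restores the capability to accommodate a single failure, and the last case shows the situation in which placing a channel in trip would itself result in an initiation.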

B.1 and B.2

With any Required Action and associated Completion Time not met, the associated MCREV subsystem(s) must be placed in operation per Required Action B.1 to ensure that control room personnel will be protected in the event of a Design Basis Accident. The method used to place the MCREV subsystem(s) in operation must provide for automatically re-initiating the subsystem(s) upon restoration of power following a loss of power to the MCREV subsystem(s).

Alternately, if it is not desired to start the subsystem(s), the MCREV subsystem(s) associated with inoperable, untripped channels must be declared inoperable within 1 hour. Since each trip system can affect both MCREV subsystems, Required Actions B.1 and B.2 can be performed independently on each MCREV subsystem. That is, one MCREV subsystem can be placed in operation (Required Action B.1) while the other MCREV subsystem can be declared inoperable (Required Action B.2).

The 1 hour Completion Time is intended to allow the operator time to place the MCREV subsystem(s) in operation. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for placing the associated MCREV subsystem(s) in operation or for entering the applicable Conditions and Required Actions for the inoperable MCREV subsystem(s).

SURVEILLANCE REQUIREMENTS

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the associated Function maintains MCREV System initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

This Note is based on the reliability analysis (Ref. 4) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the MCREV System will initiate when necessary.

SR 3.3.7.1.1

Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with channels required by the LCO.

SR 3.3.7.1.2

A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analyses of Reference 4.

SR 3.3.7.1.3

A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the assumptions of the plant specific setpoint methodology.

The Frequency is based upon the assumption of an 18 month calibration interval in the determination of the magnitude of the equipment drift in the setpoint analysis.

SR 3.3.7.1.4

The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.7.4, "Main Control Room Emergency Ventilation (MCREV) System," overlaps this Surveillance to provide complete testing of the assumed safety function.

While this Surveillance can be performed with the reactor at power, operating experience has shown these components will pass the Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was found to be acceptable from a reliability standpoint.

REFERENCES

1. UFSAR, Section 10.13.
2. UFSAR, Section 12.3.4.
3. UFSAR, Section 14.9.1.5.
4. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.


B 3.3 INSTRUMENTATION

B 3.3.8.1 Loss of Power (LOP) Instrumentation

BASES

BACKGROUND

Successful operation of the required safety functions of the Emergency Core Cooling Systems (ECCS) is dependent upon the availability of adequate power for energizing various components such as pump motors, motor operated valves, and the associated control components. The LOP instrumentation monitors the 4 kV emergency buses voltage. Offsite power is the preferred source of power for the 4 kV emergency buses.

If the LOP instrumentation detects that voltage levels are too low, the buses are disconnected from the offsite power sources and connected to the onsite diesel generator (DG) power sources.

Each Unit 3 4 kV emergency bus has its own independent LOP instrumentation and associated trip logic. The voltage for each bus is monitored at five levels, which can be considered as two different undervoltage Functions: one level of loss of voltage and four levels of degraded voltage. The Functions cause various bus transfers and disconnects. The degraded voltage Function is monitored by four undervoltage relays per source and the loss of voltage Function is monitored by one undervoltage relay for each emergency bus. The degraded voltage outputs and the loss of voltage outputs are arranged in a one-out-of-one trip logic configuration. Each channel consists of four protective relays that compare offsite source voltages with pre-established setpoints. When the sensed voltage is below the setpoint for a degraded voltage channel, the preferred offsite source breaker to the 4 kV emergency bus is tripped and autotransfer to the alternate offsite source is initiated. If the alternate source does not provide adequate voltage to the bus as sensed by its degraded grid relays, a diesel generator start signal is initiated.

A description of the Unit 2 LOP instrumentation is provided in the Bases for Unit 2 LCO 3.3.8.1.

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY

The LOP instrumentation is required for Engineered Safety Features to function in any accident with a loss of offsite power. The required channels of LOP instrumentation ensure that the ECCS and other assumed systems powered from the DGs, provide plant protection in the event of any of the Reference 1 (UFSAR) analyzed accidents in which a loss of offsite power is assumed. The first level is loss of voltage. This loss of voltage level detects and disconnects the Class 1E buses from the offsite power source upon a total loss of voltage. The second level of undervoltage protection is provided by the four levels of degraded grid voltage relays which are set to detect a sustained low voltage condition. These degraded grid relays disconnect the Class 1E buses from the offsite power source if the degraded voltage condition exists for a time interval which could prevent the Class 1E equipment from achieving its safety function. The degraded grid relays also prevent the Class 1E equipment from sustaining damage from prolonged operation at reduced voltage. The combination of the loss of voltage relaying and the degraded grid relaying provides protection to the Class 1E distribution system for all credible conditions of voltage collapse or sustained voltage degradation. The initiation of the DGs on loss of offsite power, and subsequent initiation of the ECCS, ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Accident analyses credit the loading of the DG based on the loss of offsite power during a loss of coolant accident.

The diesel starting and loading times have been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power.

The LOP instrumentation satisfies Criterion 3 of the NRC Policy Statement.

The OPERABILITY of the LOP instrumentation is dependent upon the OPERABILITY of the individual instrumentation relay channel Functions specified in Table 3.3.8.1-1. Each Function must have a required number of OPERABLE channels per 4 kV emergency bus, with their setpoints within the specified Allowable Values except the bus undervoltage relay which does not have an Allowable Value. A degraded voltage channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Setpoints are calibrated consistent with the Improved Instrument Setpoint Control Program (IISCP) methodology assumptions. (Note: Table 3.3.8.1-1 contains a note that prior to the implementation of modification 96-01511, the relay voltage and timer trip setpoint Allowable Values for the indicated functions remain at the previously approved values on a relay by relay basis.) The loss of voltage channel is inoperable if it will not start the diesel on a loss of power to a 4 kV emergency bus.

The Allowable Values are specified for each applicable Function in Table 3.3.8.1-1. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint within the Allowable Value is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., voltage), and when the measured output value of the process parameter exceeds the setpoint, the protective relay output changes state. The Allowable Values were set equal to the limiting values determined by the voltage regulation calculation. The setpoints were corrected using IISCP methodology to account for relay drift, relay accuracy, potential transformer accuracy, measuring and test equipment accuracy margin, and includes a calibration leave alone zone. IISCP methodology utilizes the square root of the sum of the squares to combine random non-directional accuracy values. IISCP then includes relay drift, calibration leave alone zones, and margins. (Note: Table 3.3.8.1-1 contains a note that prior to the implementation of modification 96-01511, the relay voltage and timer trip setpoint Allowable Values for the indicated functions remain at the previously approved values on a relay by relay basis.) The setpoint assumes a nominal 35/1 potential transformer ratio.

The specific Applicable Safety Analyses, LCO, and Applicability discussions for Unit 3 LOP instrumentation are listed below on a Function by Function basis.

In addition, since some equipment required by Unit 3 is powered from Unit 2 sources, the Unit 2 LOP instrumentation supporting the required sources must also be OPERABLE. The OPERABILITY requirements for the Unit 2 LOP instrumentation are the same as described in this section, except Function 4 (4 kV Emergency Bus Undervoltage, Degraded Voltage LOCA) is not required to be OPERABLE, since this Function is related to a LOCA on Unit 2 only. The Unit 2 instrumentation is listed in Unit 2 Table 3.3.8.1-1.

1. 4 kV Emergency Bus Undervoltage (Loss of Voltage)

When both offsite sources are lost, a loss of voltage condition on a 4 kV emergency bus indicates that the respective emergency bus is unable to supply sufficient power for proper operation of the applicable equipment. Therefore, the power supply to the bus is transferred from offsite power to DG power. This ensures that adequate power will be available to the required equipment.

The single channel of 4 kV Emergency Bus Undervoltage (Loss of Voltage) Function per associated emergency bus is only required to be OPERABLE when the associated DG and offsite circuit are required to be OPERABLE. This ensures no single instrument failure can preclude the start of three of four DGs. (One channel inputs to each of the four DGs.) Refer to LCO 3.8.1, "AC Sources-Operating," and 3.8.2, "AC Sources-Shutdown," for Applicability Bases for the DGs.

2., 3., 4., 5. 4 kV Emergency Bus Undervoltage (Degraded Voltage)

A degraded voltage condition on a 4 kV emergency bus indicates that, while offsite power may not be completely lost to the respective emergency bus, available power may be insufficient for starting large ECCS motors without risking damage to the motors that could disable the ECCS function.

Therefore, power to the bus is transferred from offsite power to onsite DG power when there is insufficient offsite power to the bus. This transfer will occur only if the voltage of the preferred and alternate power sources drop below the Degraded Voltage Function Allowable Values (degraded voltage with a time delay) and the source breakers trip which causes the bus undervoltage relay to initiate the DG. This ensures that adequate power will be available to the required equipment.

Four Functions are provided to monitor degraded voltage at four different levels. These Functions are the Degraded Voltage Non-LOCA, Degraded Voltage LOCA, Degraded Voltage High Setting, and Degraded Voltage Low Setting. These relays monitor the following voltage levels with the following time delays: the Function 2 relay, 2286 - 2706 volts in approximately 2 seconds when source voltage is reduced abruptly to zero volts (inverse time delay); the Function 3 relay, 3409 - 3829 volts in approximately 30 seconds when source voltage is reduced abruptly to 2940 volts (inverse time delay); the Function 4 relay, 3766 - 3836 volts in approximately 10 seconds; and the Function 5 relay, 4116 - 4186 volts in approximately 60 seconds.

(Note: Table 3.3.8.1-1 contains a note that prior to the implementation of modification 96-01511, the relay voltage and timer trip setpoint Allowable Values for the indicated functions remain at the previously approved values on a relay by relay basis.) The Function 2 and 3 relays are inverse time delay relays. These relays operate along a repeatable characteristic curve. With relay operation being inverse with time, for an abrupt reduction in voltage the relay operating time will be short; conversely, for a slight reduction in voltage, the operating time delay will be long.

The Degraded Voltage LOCA Function preserves the assumptions of the LOCA analysis and the combined Functions of the other relays preserve the assumptions of the accident sequence analysis in the UFSAR. The Degraded Voltage Non-LOCA Function provides assurance that equipment powered from the 4 kV emergency buses is not damaged by degraded voltage that might occur under other than LOCA conditions. This degraded grid non-LOCA relay has an associated 60 second timer. This timer allows for offsite source transformer load tap changer operation. Degraded voltage conditions can be mitigated by tap changer operations and other manual actions. The 60 second timer provides the time for these actions to take place.

The degraded grid voltage Allowable Values are low enough to prevent inadvertent power supply transfer, but high enough to ensure that sufficient power is available to the required equipment. The Time Delay Allowable Values are long enough to provide time for the offsite power supply to recover to normal voltages, but short enough to ensure that sufficient power is available to the required equipment.
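The trade-off between voltage setting and time delay described above can be seen by running a fixed-delay undervoltage element over a voltage trace. The following Python sketch is an added illustration, not plant or vendor code: the pickup values are constructed numbers chosen inside the voltage bands quoted above for Functions 4 and 5, the delays are the approximate 10 and 60 second values from the text, the timer reset on voltage recovery is an assumption, the traces are constructed, and the inverse time Functions 2 and 3 and any LOCA permissive are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DefiniteTimeUV:
    """Undervoltage element with a fixed time delay (assumed behaviour)."""
    name: str
    pickup_v: float  # constructed pickup value, volts on the 4 kV bus
    delay_s: float   # time the voltage must stay below pickup before tripping

    def trip_time(self, trace):
        """Return the time (s) at which the element trips, or None.

        trace is a list of (time_s, bus_volts) samples in time order. The
        timer starts when the voltage first goes below pickup and resets
        as soon as the voltage recovers (assumption made for this sketch).
        """
        below_since = None
        for t, volts in trace:
            if volts < self.pickup_v:
                if below_since is None:
                    below_since = t
                if t - below_since >= self.delay_s:
                    return t
            else:
                below_since = None
        return None


def make_trace(segments, step_s=1.0):
    """Build a sampled trace from (duration_s, volts) segments."""
    trace, t = [], 0.0
    for duration_s, volts in segments:
        for _ in range(int(duration_s / step_s)):
            trace.append((t, volts))
            t += step_s
    return trace


def first_trip(relays, trace):
    """Return (time_s, relay_name) for the earliest trip, or None."""
    trips = [(r.trip_time(trace), r.name) for r in relays]
    trips = [(t, name) for t, name in trips if t is not None]
    return min(trips) if trips else None


# Constructed settings inside the bands quoted in the text above.
FUNCTION_4 = DefiniteTimeUV("Function 4 (Degraded Voltage LOCA)", 3800.0, 10.0)
FUNCTION_5 = DefiniteTimeUV("Function 5 (Degraded Voltage Non-LOCA)", 4150.0, 60.0)
RELAYS = [FUNCTION_4, FUNCTION_5]

# Constructed bus voltage traces, one sample per second.
TRANSIENT_DIP = make_trace([(10, 4300.0), (40, 4000.0), (70, 4300.0)])
SUSTAINED_DEGRADED = make_trace([(10, 4300.0), (110, 4000.0)])
DEEP_SUSTAINED = make_trace([(10, 4300.0), (110, 3700.0)])

if __name__ == "__main__":
    for label, trace in [
        ("40 s dip to 4000 V, then recovery", TRANSIENT_DIP),
        ("sustained 4000 V", SUSTAINED_DEGRADED),
        ("sustained 3700 V", DEEP_SUSTAINED),
    ]:
        print(f"{label:36s} -> {first_trip(RELAYS, trace)}")
```

The 40 second dip recovers before the 60 second timer expires, so no transfer occurs; the same voltage sustained trips Function 5 at 60 seconds after onset, and a deeper sag is cleared by the shorter Function 4 delay.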

Two channels (one channel per source) of 4 kV Emergency Bus Degraded Voltage (Functions 2, 3, 4, and 5) per associated bus are required to be OPERABLE when the associated DG and offsite circuit are required to be OPERABLE. This ensures no single instrument failure can preclude the start of three of four DGs (each logic inputs to each of the four DGs).

Refer to LCO 3.8.1 and LCO 3.8.2 for Applicability Bases for the DGs.

ACTIONS

A Note has been provided (Note 1) to modify the ACTIONS related to LOP instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable LOP instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable LOP instrumentation channel.

A.1

Pursuant to LCO 3.0.6, the AC Sources-Operating ACTIONS would not have to be entered even if the LOP instrumentation inoperability resulted in an inoperable offsite circuit.

Therefore, the Required Action of Condition A is modified by a Note to indicate that when performance of a Required Action results in the inoperability of an offsite circuit, Actions for LCO 3.8.1, "AC Sources-Operating," must be immediately entered. A Unit 3 offsite circuit is considered to be inoperable if it is not supplying or not capable of supplying (due to loss of autotransfer capability) at least three Unit 3 4 kV emergency buses when the other offsite circuit is providing power or capable of supplying power to all four Unit 3 4 kV emergency buses. A Unit 3 offsite circuit is also considered to be inoperable if the Unit 3 4 kV emergency buses being powered or capable of being powered from the two offsite circuits are all the same when at least one of the two circuits does not provide power or is not capable of supplying power to all four Unit 3 4 kV emergency buses. Inoperability of a Unit 2 offsite circuit is the same as described for a Unit 3 offsite circuit, except that the circuit path is to the Unit 2 4 kV emergency buses required to be OPERABLE by LCO 3.8.7, "Distribution Systems - Operating." The Note allows Condition A to provide requirements for the loss of a LOP instrumentation channel without regard to whether an offsite circuit is rendered inoperable. LCO 3.8.1 provides appropriate restriction for an inoperable offsite circuit.

Required Action A.1 is applicable when one 4 kV emergency bus has one or two required Function 3 (Degraded Voltage High Setting) channels inoperable or when one 4 kV emergency bus has one or two required Function 5 (Degraded Voltage Non-LOCA) channels inoperable. In this Condition, the affected Function may not be capable of performing its intended function automatically for these buses. However, the operators would still receive indication in the control room of a degraded voltage condition on the unaffected buses and a manual transfer of the affected bus power supply to the alternate source could be made without damaging plant equipment. Therefore, Required Action A.1 allows 14 days to restore the inoperable channel(s) to OPERABLE status or place the inoperable channel(s) in trip. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore design trip capability to the LOP instrumentation, and allow operation to continue.

Alternatively, if it is not desired to place the channel in trip (e.g., as in the case where placing the channel in trip would result in DG initiation), Condition D must be entered and its Required Action taken.

The 14 day Completion Time is intended to allow time to restore the channel(s) to OPERABLE status. The Completion Time takes into consideration the diversity of the Degraded Voltage Functions, the capabilities of the remaining OPERABLE LOP Instrumentation Functions on the affected 4 kV emergency bus and on the other 4 kV emergency buses (only one 4 kV emergency bus is affected by the inoperable channels), the fact that the Degraded Voltage High Setting and Degraded Voltage Non-LOCA Functions provide only a marginal increase in the protection provided by the voltage monitoring scheme, the low probability of the grid operating in the voltage band protected by these Functions, and the ability of the operators to perform the Functions manually.

B.1

Pursuant to LCO 3.0.6, the AC Sources-Operating ACTIONS would not have to be entered even if the LOP instrumentation inoperability resulted in an inoperable offsite circuit.

Therefore, the Required Action of Condition B is modified by a Note to indicate that when performance of a Required Action results in the inoperability of an offsite circuit, Actions for LCO 3.8.1, "AC Sources-Operating," must be immediately entered. A Unit 3 offsite circuit is considered to be inoperable if it is not supplying or not capable of supplying (due to loss of autotransfer capability) at least three Unit 3 4 kV emergency buses when the other offsite circuit is providing power or capable of supplying power to all four Unit 3 4 kV emergency buses. A Unit 3 offsite circuit is also considered to be inoperable if the Unit 3 4 kV emergency buses being powered or capable of being powered from the two offsite circuits are all the same when at least one of the two circuits does not provide power or is not capable of supplying power to all four Unit 3 4 kV emergency buses. Inoperability of a Unit 2 offsite circuit is the same as described for a Unit 3 offsite circuit, except that the circuit path is to the Unit 2 4 kV emergency buses required to be OPERABLE by LCO 3.8.7, "Distribution Systems - Operating." This allows Condition B to provide requirements for the loss of a LOP instrumentation channel without regard to whether an offsite circuit is rendered inoperable. LCO 3.8.1 provides appropriate restriction for an inoperable offsite circuit.

Required Action B.1 is applicable when two 4 kV emergency buses have one required Function 3 (Degraded Voltage High Setting) channel inoperable, or when two 4 kV emergency buses have one required Function 5 (Degraded Voltage Non LOCA) channel inoperable, or when one 4 kV emergency bus has one required Function 3 channel inoperable and a different 4 kV emergency bus has one required Function 5 channel inoperable. In this Condition, the affected Function may not be capable of performing its intended function automatically for these buses. However, the operators would still receive indication in the control room of a degraded voltage condition on the unaffected buses and a manual transfer of the affected bus power supply to the alternate source could be made without damaging plant equipment.

Therefore, Required Action B.1 allows 24 hours to restore the inoperable channels to OPERABLE status or place the inoperable channels in trip. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore design trip capability to the LOP instrumentation, and allow operation to continue.

Alternatively, if it is not desired to place the channel in trip (e.g., as in the case where placing the channel in trip would result in DG initiation), Condition D must be entered and its Required Action taken.

The 24 hour Completion Time is intended to allow time to restore the channel(s) to OPERABLE status. The Completion Time takes into consideration the diversity of the Degraded Voltage Functions, the capabilities of the remaining OPERABLE LOP Instrumentation Functions on the affected 4 kV emergency buses and on the other 4 kV emergency buses (only two 4 kV emergency buses are affected by the inoperable channels), the fact that the Degraded Voltage High Setting and Degraded Voltage Non-LOCA Functions provide only a marginal increase in the protection provided by the voltage monitoring scheme, the low probability of the grid operating in the voltage band protected by these Functions, and the ability of the operators to perform the Functions manually.

C.1 Pursuant to LCO 3.0.6, the AC Sources-Operating ACTIONS would not have to be entered even if the LOP Instrumentation inoperability resulted in an inoperable offsite circuit.

Therefore, the Required Action of Condition C is modified by a Note to indicate that when performance of the Required Action results in the inoperability of an offsite circuit, Actions for LCO 3.8.1, "AC Sources-Operating," must be immediately entered. A Unit 3 offsite circuit is considered to be inoperable if it is not supplying or not capable of supplying (due to loss of autotransfer capability) at least three Unit 3 4 kV emergency buses when the other offsite circuit is providing power or capable of supplying power to all four Unit 3 4 kV emergency buses. A Unit 3 offsite circuit is also considered to be inoperable if the Unit 3 4 kV emergency buses being powered or capable of being powered from the two offsite circuits are all the same when at least one of the two circuits does not provide power or is not capable of supplying power to all four Unit 3 4 kV emergency buses. Inoperability of a Unit 2 offsite circuit is the same as described for a Unit 3 offsite circuit, except that the circuit path is to the Unit 2 4 kV emergency buses required to be OPERABLE by LCO 3.8.7, "Distribution Systems - Operating." The Note allows Condition C to provide requirements for the loss of a LOP instrumentation channel without regard to whether an offsite circuit is rendered inoperable. LCO 3.8.1 provides appropriate restriction for an inoperable offsite circuit.

Required Action C.1 is applicable when one or more 4 kV emergency buses have one or more required Function 1, 2, or 4 (the Loss of Voltage, the Degraded Voltage Low Setting, and the Degraded Voltage LOCA Functions, respectively) channels inoperable, or when one 4 kV emergency bus has one required Function 3 (Degraded Voltage High Setting) channel and one required Function 5 (Degraded Voltage Non-LOCA) channel inoperable, or when any combination of three or more required Function 3 and Function 5 channels are inoperable.

In this Condition, the affected Function may not be capable of performing the intended function and the potential consequences associated with the inoperable channel(s) are greater than those resulting from Condition A or Condition B. Therefore, only 1 hour is allowed to restore the inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action C.1.

Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore design trip capability to the LOP instrumentation, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the channel in trip would result in a DG initiation), Condition D must be entered and its Required Action taken.

The Completion Time is based on the potential consequences associated with the inoperable channel(s) and is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

D.1 If any Required Action and associated Completion Time are not met, the associated Function is not capable of performing the intended function. Therefore, the associated DG(s) is declared inoperable immediately. This requires entry into applicable Conditions and Required Actions of LCO 3.8.1 and LCO 3.8.2, which provide appropriate actions for the inoperable DG(s).

SURVEILLANCE REQUIREMENTS As noted at the beginning of the SRs, the SRs for each Unit 3 LOP instrumentation Function are located in the SRs column of Table 3.3.8.1-1. SR 3.3.8.1.5 is applicable only to the Unit 2 LOP instrumentation.

The Surveillances are also modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 2 hours provided: (a) for Function 1, the associated Function maintains initiation capability for three DGs; and (b) for Functions 2, 3, 4, 5, the associated Function maintains undervoltage transfer capability for three 4 kV emergency buses. The loss of function for one DG or undervoltage transfer capability for the 4 kV emergency bus for this short period is appropriate since only three of four DGs are required to start within the required times and because there is no appreciable impact on risk. Also, upon completion of the Surveillance, or expiration of the 2 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

SR 3.3.8.1.1 and SR 3.3.8.1.3 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 31 days is based on operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one degraded voltage channel of a given Function in any 31 day interval is a rare event. The Frequency of 24 months is based on operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of the loss of voltage channel in any 24 month interval is a rare event.

SR 3.3.8.1.2 A CHANNEL CALIBRATION is a complete check of the relay circuitry and associated time delay relays. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the assumptions of the current plant specific setpoint methodology.

The 18 month Frequency for the degraded voltage Functions is based upon the assumption of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.8.1.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required actuation logic for a specific channel. The system functional testing performed in LCO 3.8.1 and LCO 3.8.2 overlaps this Surveillance to provide complete testing of the assumed safety functions.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

SR 3.3.8.1.5 With the exception of this Surveillance, all other Surveillances of this Specification (SR 3.3.8.1.1 through SR 3.3.8.1.4) are applied only to the Unit 3 LOP instrumentation. This Surveillance is provided to direct that the appropriate Surveillances for the required Unit 2 LOP instrumentation are governed by the Unit 2 Technical Specifications. Performance of the applicable Unit 2 Surveillances will satisfy Unit 2 requirements, as well as satisfying this Unit 3 Surveillance Requirement.

The Frequency required by the applicable Unit 2 SR also governs performance of that SR for Unit 3.

REFERENCES 1. UFSAR, Chapter 14.


RPS Electric Power Monitoring B 3.3.8.2 B 3.3 INSTRUMENTATION B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring BASES BACKGROUND RPS Electric Power Monitoring System is provided to isolate the RPS bus from the motor generator (MG) set or an alternate power supply in the event of overvoltage, undervoltage, or underfrequency. This system protects the loads connected to the RPS bus against unacceptable voltage and frequency conditions (Ref. 1) and forms an important part of the primary success path of the essential safety circuits. Some of the essential equipment powered from the RPS buses includes the RPS logic and scram solenoids.

RPS electric power monitoring assembly will detect any abnormal high or low voltage or low frequency condition in the outputs of the two MG sets or the alternate power supply and will de-energize its respective RPS bus, thereby causing all safety functions normally powered by this bus to de-energize.

In the event of failure of an RPS Electric Power Monitoring System (e.g., both in series electric power monitoring assemblies), the RPS loads may experience significant effects from the unregulated power supply. Deviation from the nominal conditions can potentially cause damage to the scram solenoids and other Class 1E devices.

In the event of a low voltage condition, the scram solenoids can chatter and potentially lose their pneumatic control capability, resulting in a loss of primary scram action.

In the event of an overvoltage condition, the RPS logic relays and scram solenoids may experience a voltage higher than their design voltage. If the overvoltage condition persists for an extended time period, it may cause equipment degradation and the loss of plant safety function.

Two redundant Class 1E circuit breakers are connected in series between each RPS bus and its MG set, and between each RPS bus and its alternate power supply if in service. Each of these circuit breakers has an associated independent set of Class 1E overvoltage, undervoltage, underfrequency relays, time delay relays (MG sets only), and sensing logic.

B 3.3-199 Revision No. 3 PBAPS UNIT 3

Together, a circuit breaker, its associated relays, and sensing logic constitute an electric power monitoring assembly. If the output of the MG set or alternate power supply exceeds predetermined limits of overvoltage, undervoltage, or underfrequency, a trip coil driven by this logic circuitry opens the circuit breaker, which removes the associated power supply from service.

APPLICABLE SAFETY ANALYSES The RPS electric power monitoring is necessary to meet the assumptions of the safety analyses by ensuring that the equipment powered from the RPS buses can perform its intended function. RPS electric power monitoring provides protection to the RPS components that receive power from the RPS buses, by acting to disconnect the RPS from the power supply under specified conditions that could damage the RPS equipment.

RPS electric power monitoring satisfies Criterion 3 of the NRC Policy Statement.

LCO The OPERABILITY of each RPS electric power monitoring assembly is dependent on the OPERABILITY of the overvoltage, undervoltage, and underfrequency logic, as well as the OPERABILITY of the associated circuit breaker. Two electric power monitoring assemblies are required to be OPERABLE for each inservice power supply. This provides redundant protection against any abnormal voltage or frequency conditions to ensure that no single RPS electric power monitoring assembly failure can preclude the function of RPS components. Each inservice electric power monitoring assembly's trip logic setpoints are required to be within the specified Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Allowable Values are specified for each RPS electric power monitoring assembly trip logic (refer to SR 3.3.8.2.2).

Trip setpoints are specified in design documents. The trip setpoints are selected based on engineering judgement and operational experience to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS.

Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setting is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., overvoltage), and when the measured output value of the process parameter exceeds the setpoint, the associated device changes state.

The overvoltage Allowable Values for the RPS electrical power monitoring assembly trip logic are derived from vendor specified voltage requirements.

The underfrequency Allowable Values for the RPS electrical power monitoring assembly trip logic are based on tests performed at Peach Bottom which concluded that the lowest frequency which would be reached was 54.4 Hz in 7.5 to 11.0 seconds depending on load. Bench tests were also performed on RPS components (HFA relays, scram contactors, and scram solenoid valves) under conditions more severe than those expected in the plant (53 Hz during 11.0 and 15.0 second intervals). Examination of these components concluded that the components functioned correctly under these conditions.

The undervoltage Allowable Values for the RPS electrical power monitoring assembly trip logic were confirmed to be acceptable through testing. Testing has shown the scram pilot solenoid valves can be subjected to voltages below 95 volts with no degradation in their ability to perform their safety function. It was concluded the RPS logic relays and scram contactors will not be adversely affected by voltage below 95 volts since these components will dropout under these voltage conditions thereby satisfying their safety function.

APPLICABILITY The operation of the RPS electric power monitoring assemblies is essential to disconnect the RPS components from the MG set or alternate power supply during abnormal voltage or frequency conditions. Since the degradation of a non-Class 1E source supplying power to the RPS bus can occur as a result of any random single failure, the OPERABILITY of the RPS electric power monitoring assemblies is required when the RPS components are required to be OPERABLE. This results in the RPS Electric Power Monitoring System OPERABILITY being required in MODES 1 and 2; and in MODES 3, 4, and 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies.

ACTIONS A.1 If one RPS electric power monitoring assembly for an inservice power supply (MG set or alternate) is inoperable, or one RPS electric power monitoring assembly on each inservice power supply is inoperable, the OPERABLE assembly will still provide protection to the RPS components under degraded voltage or frequency conditions. However, the reliability and redundancy of the RPS Electric Power Monitoring System is reduced, and only a limited time (72 hours) is allowed to restore the inoperable assembly to OPERABLE status. If the inoperable assembly cannot be restored to OPERABLE status, the associated power supply(s) must be removed from service (Required Action A.1). This places the RPS bus in a safe condition. An alternate power supply with OPERABLE power monitoring assemblies may then be used to power the RPS bus.

The 72 hour Completion Time takes into account the remaining OPERABLE electric power monitoring assembly and the low probability of an event requiring RPS electric power monitoring protection occurring during this period. It allows time for plant operations personnel to take corrective actions or to place the plant in the required condition in an orderly manner and without challenging plant systems.

Alternately, if it is not desired to remove the power supply from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation), Condition C or D, as applicable, must be entered and its Required Actions taken.

B.1

If both power monitoring assemblies for an inservice power supply (MG set or alternate) are inoperable or both power monitoring assemblies in each inservice power supply are inoperable, the system protective function is lost. In this condition, 1 hour is allowed to restore one assembly to OPERABLE status for each inservice power supply. If one inoperable assembly for each inservice power supply cannot be restored to OPERABLE status, the associated power supply(s) must be removed from service within 1 hour (Required Action B.1). An alternate power supply with OPERABLE assemblies may then be used to power one RPS bus.

The 1 hour Completion Time is sufficient for the plant operations personnel to take corrective actions and is acceptable because it minimizes risk while allowing time for restoration or removal from service of the electric power monitoring assemblies.

Alternately, if it is not desired to remove the power supply(s) from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation), Condition C or D, as applicable, must be entered and its Required Actions taken.

C.1 and C.2 If any Required Action and associated Completion Time of Condition A or B are not met in MODE 1 or 2, a plant shutdown must be performed. This places the plant in a condition where minimal equipment, powered through the inoperable RPS electric power monitoring assembly(s), is required and ensures that the safety function of the RPS (e.g., scram of control rods) is not required. The plant shutdown is accomplished by placing the plant in MODE 3 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1 If any Required Action and associated Completion Time of Condition A or B are not met in MODE 3, 4, or 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, the operator must immediately initiate action to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Required Action D.1 results in the least reactive condition for the reactor core and ensures that the safety function of the RPS (e.g., scram of control rods) is not required.

SURVEILLANCE REQUIREMENTS SR 3.3.8.2.1 A CHANNEL FUNCTIONAL TEST is performed on each overvoltage, undervoltage, and underfrequency channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with design documents.

As noted in the Surveillance, the CHANNEL FUNCTIONAL TEST is only required to be performed while the plant is in a condition in which the loss of the RPS bus will not jeopardize steady state power operation (the design of the system is such that the power source must be removed from service to conduct the Surveillance). As such, this Surveillance is required to be performed when the unit is in MODE 4 for ≥ 24 hours and the test has not been performed in the previous 184 days. This Surveillance must be performed prior to entering MODE 2 or 3 from MODE 4 if a performance is required. The 24 hours is intended to indicate an outage of sufficient duration to allow for scheduling and proper performance of the Surveillance.

The 184 day Frequency and the Note in the Surveillance are based on guidance provided in Generic Letter 91-09 (Ref. 2).

SR 3.3.8.2.2 and SR 3.3.8.2.3 CHANNEL CALIBRATION is a complete check of the relay circuitry and applicable time delay relays. This test verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted between successive calibrations consistent with the plant design documents.

The Frequency is based on the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.8.2.4 Performance of a system functional test demonstrates that, with a required system actuation (simulated or actual) signal, the logic of the system will automatically trip open the associated power monitoring assembly. Only one signal per power monitoring assembly is required to be tested.

This Surveillance overlaps with the CHANNEL CALIBRATION to provide complete testing of the safety function. The system functional test of the Class 1E circuit breakers is included as part of this test to provide complete testing of the safety function. If the breakers are incapable of operating, the associated electric power monitoring assembly would be inoperable.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components will pass the Surveillance when performed at the 24 month Frequency.

REFERENCES 1. UFSAR, Section 7.2.3.2.

2. NRC Generic Letter 91-09, "Modification of Surveillance Interval for the Electrical Protective Assemblies in Power Supplies for the Reactor Protection System."
