Catawba, Units 1 and 2 - Technical Specification Bases Changes

ML15350A393
Person / Time
Site:	Catawba
Issue date:	12/14/2015
From:	Henderson K Duke Energy Carolinas
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
CNS-15-098
Download: ML15350A393 (85)
v • d • e

Text

S_ %DUKEKelvin HendersonVice PresidentSENERGY catawba Nuclear StationDuke EnergyCNO1VP I 4800 Concord RoadYork, SC 29745o: 803,701.4251CNS-1 5-098 f: 803.701.3221December 14, 2015U.S. Nuclear Regulatory CommissionDocument Control DeskWashington, DC 20555-0001

Subject:

Duke Energy Carolinas, LLCCatawba Nuclear Station, Units 1 and 2Docket Nos. 50-413 and 50-414Technical Specification Bases ChangesPursuant to 10OCFR 50.4, please find attached changes to the Catawba Nuclear StationTechnical Specification Bases. These Bases changes were made according to the provisionsof Technical Specification 5.5.14, "Technical Specifications (TS) Bases Control Program."Any questions regarding this information should be directed to Larry Rudy, Regulatory Affairs, at(803) 701-3084.I certify that I am a duly authorized officer of Duke Energy Carolinas, LLC, and that theinformation contained herein accurately represents changes made to the TechnicalSpecification Bases since the previous submittal.Kelvin HendersonVice President, Catawba Nuclear StationAttachment A Lwww.duke-energy.com U.S. Nuclear Regulatory CommissionDecember 14, 2015Page 2xc: L. D. Wert, Jr., Acting Regional AdministratorU. S. Nuclear Regulatory Commission, Region IIMarquis One Tower245 Peachtree Center Ave., NE Suite 1200Atlanta, GA 30303-1257Mr. G.E. MillerNRC Project Manager (CNS)U.S. Nuclear Regulatory CommissionOne White Flint North, Mail Stop O-8G9A11555 Rockville PikeRockville, MD 20852-2746G. A. Hutto, Senior Resident InspectorCatawba Nuclear Station ENERGY~Catawba Nuclear StationDuke Energy4800 Concord Rd.York, SC 29745December 14, 2015Re: Catawba Nuclear StationTechnical Specifications BasesPlease replace the corresponding pages in your copy of the Catawba TechnicalSpecifications Manual as follows:REMOVE THESE PAGESINSERT THESE PAGESLIST OF EFFECTIVE PAGESEntire Section (19 pages)Entire Section (19 pages)TAB 3.3.2B 3.3.2-1 thru B 3.3.2-49Revision 10B 3.3.2-1 thru B 3.3.2-49Revision 11TAB 3.4.12B 3.4.12-1 thru B 3.4.12-14Revision 4B 3.4.12-1 thru B 3.4.12-14Revision 5If you have any questions concerning the contents of this Technical Specificationupdate, contact Kristi Byers at (803)701-3758.Cecil FletcherRegulatory Affairs Managerwww.duke-energy.com Catawba Nuclear *Station Technical SpecificationsList of Effective PagesPage Numberiiiiiiv1.1-11.1-21.1-31.1-41.1-51.1-61.1.71.2-11.2-21.2-31.3-11.3-21.3-31.3-41.3-51.3-61.3-71.3-81.3-91.3-101.3-111.3-121.3-131.4-11.4-2Amendment1771169219/214215/209173/1 65173/1 65268/264268/264268/264268/264268/264179/171173/1 65173/165173/165173/1 65173/165173/165173/1 65173/1 65173/1 65173/1 65173/1 65173/165173/165173/1 65173/1 65173/1 65173/165173/1 65Revision Date4/08/993/01/056/2 1/049/30/98*9/30/986/25/126/25/126/25/126/25/126/25/128/13/999/30/989/30/989/3 0/9 89/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/98Catawba Units 1 and 2Pge11/25Page 111/12/15 01.4-31.4-42.0-13.0-13.0-23.0-33.0-43.0-53,0-63.1.1-13.1.2-13.1.2-23.1.3-13.1.3-23.1.3-33.1.4-13.i1.4-23.1.4-33.1.4-43.1.5-13.1.5-23.1,6-13.1.6-23.1.6-33.1.7-13.1.7-23.1.8-13.1.8-23.2.1-13.2.1-23.2.1-33.2,1-4173/165173/1 65210/204235/231235/23 1235/231235/231235/231235/231263/ 259173/165263/259173/165275/271173/1 65173/1 65i173/i 6526 3/25 9263/259173/16526 3/259173/1 65173/1 65263/259173/1 65173/1 65173/1 65263/259173/1 65173/1 65263/259263/2599/30/989/30/9812/19/033/19/073/19/073/19/073/19/073/19/073/19/073/29/119/30/983/29/I19/30/9804/14/159/30/989/30/989/30/983/29/113/29/119/30/983/29/119/30/989(30/983/29/119/30/989/30/989/30/983/29/119/30/989/30/983/29/113/29/11Catawba Units 1 and 2Pae21//5Page 211/12/15 3.2.1-53.2.2-13.2.2-23.2.2-33.2.2-43.2.3-13.2.4-13.2.4-23.2.4-33.2.4-43.3.1-13.3.1-23.3.1-33.3.1-43.3.1-53.3.1-63.3.1-73.3.1=83.3.1-93.3. 1-103.3.1-113.3.1-123.3.1-133.3.1-143.3. 1-153.3.1-163.3. 1-173.3.1-183.3. 1-193.3. 1-203.3.1-213.3.1-223.3.2-1263/259173/165173/165263/259263/25926 3/25 9173/165173/1 65173/1 65263/259173/1 65247/240247/240207/201247/240247/240247/240!173/1 65263/259263/259263/259263/259263/259263/259263/25926 3/25926 3/2 59263/25926 3/25 926 3/2 59263/259263/259173/1653/29/119/30/989/30/983/29/113/29/113/29/119/30/989/30/989/30/983/29/119/30/9812/30/0812/30/087/29/0312/30/0812/30/0812/30/089/30/983/29/113/29/113/29/113/29/113/29/113/29/113/29/113/29/113/29/113/29/113/29/113/29/113/29/113/29/119/30/98Catawba Units 1 and 2Pae31125Page 311/12/15 3.3.2-23.3.2-33.3.2-43.3.2-53.3.2-63.3.2-73.3.2-83.3.2-93.3.2-103.3.2-113.3.2-123.3.2-133.3.2-143.3.2-153.3.2-163.3.2-173.3.3-13.3.3-23.3.3-33.3.3-43.3.4-13.3.4-23.3.4-33.3.5-13.3.5-23.3.6-13.3.6-23.3.6-33.3.9-13.3.9-23.3.9-33.3.9-4247/240247/240247/240264/260264/26 0249/243249/243249/243263/259263/259263/259269/265*263/259263/259264/26 0269/265219/214219/214263/259219/214213/207263/2592 72/26 8173/1 65263/259196/189263/259196/189207/201207/201263/259263/25912/30/0812/30/0812/30/086/13/116/13/114/2/094/2/094/2/093/29/113/29/li3/29/117/25/123/29/113/29/116/13/117/25/123/1/053/1/053/29/113/1/054/29/043/29/112/27/149/30/983/29/113/20/023/29/1113/20/027/29/037/29/033/29/113/29/11Catawba Units 1 and 2Pae41/25Page 411/12/15 3.4.1-1 210/204 12/19/0303.4.1i-2 210/204 12/19/033.4.1-3 263/259 3/29/113.4.1-4 210/204 12/19/033.4.1-5 (deleted) 184/176 3/01/003.4.1-6 (deleted) 184/1 76 3/01/003.4.2-1 173/165 9/30/983.4.3-1 173/165 9/30/983.4.3-2 263/259 3/29/113.4.3-3 212/206 3/4/043.4.3-4 212/206 3/4/043.4.3 -5 212/206 3/4/043.4.3-6 21 2/206 3/4/043.4.4-1 263/259 3/29/113.4.5-1 207/201 7/29/033.4.5-2 207/201 7/29/033453263/259 3/29/11,3.4.6-1 212/206 3/4/043.4.6-2 263/259 3/29/11i3.4.6-3 263/259 3/29/113.4.7-1 212/206 3/4/043.4.7-2 263/259 3/29/11-'3.4.7-3 263/259 3/29/113.4.8-1 207/201 7/29/033.4.8-2 263/259 3/29/113.4.9-1 173/165 9/30/983.4.9-2 263/259 3/29/113.4.10-1 212/206 3/4/043.4.10-2 173/165 9/30/983.4-11-1 213/207 4/29/043.4.11-2 173/1 65 9/30/98*3.4.11-3 263/259 3/29/11Catawba Units 1 and 2Pae51/25Page 511/12/15 3.4.11-4 263/259 3/29/113.4.12-1 212/206 3/4/043.4.12-2 213/207 4/29/043.4.12-3 212/206 3/4/043.4.12-4 212/206 3/4/043.4.12-5 263/259 3/29/113.4.12-6 263/259 3/29/113.4.12-7 263/259 3/29/113.4.12-8 263/259 3/29/113.4.13-1 267/263 3/12/123.4.13-2 267/263 3/12/123.4.14-1 173/165 9/30/983.4.14-2 173/165 9/30/983.4.14-3 263/259 3/29/113.4.14-4 263/259 3/29/113.4.15-1 234/230 9/30/063.4.1i5-2 234/230 9/30/063.4.15-3 234/230 9/30/063.4.15-4 263/259 3/29/113.4.16-1 268/264 6/25/123.4.16-2 268/264 6/25/123.4.16-3(deleted) 268/264 6/25/123.4.1 6-4(deleted) 268/264 6/25/123.4.17-1 263/259 3/29/113.4.18-1 218/212 1/13/053.4.18-2 218/212 1/13/053.5.1-1 21 1/205 12/23/033.5.1-2 263/259 3/29/113.5.1-3 263/259 3/29/113.5.2-1 253/248 10/30/093.5.2-2 263/259 3/29/113.5.2-3 263/259 3/29/11Catawba Units 1 and 2Pae61/25Page 611/12/15 3.5.3-13.5.3-23.5.4-13.5.4-23.5.5-13.5.5-23.6.1-13.6.1-23.6.2-13.6.2-23.6.2-33.6.2-43.6.2-53.6.3-13.6.3-23.6.3-33.6.3-43.6.3-53.6.3-63.6.3-73.6.4-13.6.5-13.6.5-23.6.6-13.6.6-23.6.8-13.6.8-23.6.9-13.6.10-23.6.10-13.6.11-1213/207173/165173/16526 9/265173/1 65263/259173/165192/1 84173/1 65173/165173/1 65173/1 6526 3/2 59173/165173/1 65173/1 65i173/1 65263/259263/259192/1 84263/259173/1 65263/259269/26526 9/265213/20726 3/2 59253/248263/259173/1 6526 3/2 5926 3/2 594/29/049/30/989/30/987/25/129/30/983/29/119/30/987/31/019/30/989/30/989/30/989/30/983/29/119/30/989/30/989/30/989/30/983/29/113/29/117/31/013/29/119/30/983/29/117/25/127/25/124/29/043/29/1110/30/093/29/119/30/983/29/113/29/11Catawba Units 1 and 2Pae71125Page 711/12/15 3.6.11-23.6.12-13.6.12-23.6.12-33.6.13-13.6.13-23.6.13-33.6.14-13.6.14-23.6.14-33.6.15-13.6.15-23.6.16-13.6.16-23.6.17-13.7.1-13.7.1=23.7.1-33.7.2-13.7.2-23.7.3-13.7.3-23.7.4-13.7.4-23.7.5-13.7.5-23.7.5-33.7.5-43.7.6-13.7.6-23.7.7-13.7.7-2263/259263/259263/259263/259256/251263/259263/259173/165263/259270/266173/1 65263/259263/259263/259253/248173/1 65173/165173/1 65173/1 65244/238173/1 65244/238213/207263/259253/248173/1 65263/259263/259173/1 65263/25925 3/248263/2593/29/113/29/113/29/113/29/116/28/103/29/113/29/119/30/983/29/118/6/139/30/983/29/113/29/113/29/1110/30/099/30/989/30/989/30/989/30/989/08/089/30/989/08/084/29/043/29/1110/30/099/30/983/29/113/29/119/3 0/9 83/29/1110/30/093/29/11Catawba Units 1 and 2Pae81/25Page 811/12/15 3.7.8-13.7.8-23.7.8-33.7.8-43.7.9-13.7.9-23. 7.10-13.7.10-23.7.10-33.7.11-13.7.11-23.7.12-13.7.12-23.7.13-13.7.13-23.7.14-13,7.1!5-13.7.16-13.7.16-23.7.16-33.7.17-13.8.1-13.8.1-23.8.1-33.8.1-43.8.1-53.8.1-63.8.1-73.8.1-83.8.1-93.8.1-103.8.1-11271/267271/267271/267271/267263/259263/259250/245260/255263/259198/19126 3/2 59253/248263/259198/19 126 3/2 59263/259263/259Q233/229233/229233/229263/259253/248173/1 65253/248173/1 65263/259263/259263/259263/259263/259263/259263/25908/09/1308/09/1308/09/1308/09/133/29/113/29/117/30/098/9/103/29/114/23/023/29/1110/30/093/29/114/23/023/29/113/29/113/29/119/27/069/27/069/27/063/29/1110/30/099/30/9810/30/099/30/983/29/113/29/113/29/113/29/113/29/113/29/113/29/11Catawba Units 1 and 2Pae91/25Page 911/12/15 3.8.1-123.8.1-133.8.1-143.8.1-153.8.2-13.8.2-23.8.2-33.8.3-13.8.3-23.8.3-33.8.4-13.8.4-23.8.4-33.8.4-43.8.4-53.8.5-13.8.5-23.8.6-13.8.6-23.8.6-33.8.6-43.8.6-53.8.7-13.8.7-23.8.8-13.8.8-23.8.9-13.8.9-23.8.9-33.8.10-13.8.10-23.9.1-1263/259263/259263/259263/259173/1 65207/201173/1 65175/167263/259263/259173/1 65263/259263/2 59263/259262/258173/1 65207/201253/248253/248253/248263/259223/218173/1 65263/259173/1 6526 3/2 59173/1 65173/1 6526 3/25 9207/201263/25926 3/2 593/29/113/29/113/29/113/29/119/30/987/29/039/30/981/15/993/29/113/29/119/30/983/29/113/29/113/29/1112/20/109/30/987/29/0310/30/0910/30/0910/30/093/29/114/27/059/30/983/29/119/30/983/29/119/30/989/30/983/29/117/29/033/29/113/29/11Catawba Units 1 and 2 Pg 01/21Page 1011/12/15 03.9.2-13.9.2-23.9.3-13.9.3-23.9.4-13.9.4-23.9.5-13.9.5-23.9.6-13.9.7-14.0-14.0-25.1-15.2-15.2-25.2-35.4-15.5-15.5-25.5-35.5-45.5-55.5-65.5-75.5-7a5.5-85.5-95.5-105.5-115.5-125.5-13215/20926 3/25 9227/22226 3/25 9207/201263/259207/201263/259263/259263/259220/215233/229273/269273/269273/269Deleted273 /2=69173/1 65273/269205/1 98173/1 65173/1 65216/210252/247218/21226 7/26 3267/263218/212227/22222 7/222218/212218/21.26/21/043/29/119/30/053/29/117/29/033/29/117/29/033/29/113/29/113/29/1113/03/059/27/062/12/152/12/152/12/159/21/09,-/i-/159/30/982/12/153/12/039/30/989/30/988/5/0410/30/091/13/053/12/123/12/121 /13/059/30/059/30/051 /13/051/13/05Catawba Units 1 and 2 Pg 11/21Page 1111/12/15 05.5-145.5-155.5-165.6-15.6-25.6-35.6-45.6-55.6-65.7-15.7-2218/212263/259263/259222/217253/248222/217275/271275/271275/271273/269173/1 651/13/053/29/113/29/113/31/0510/30/093/31/054/14/154/14/154/14/152/12/159"/30/98Catawba Units 1 and 2 Pg 21/21Page 1211/12/15 iiiiiBii1i -B 2.1.1-2B 2.1.1-3B 2.1.21-B 2.1.2-2B 2.1.2-3B 3.01.-B 3.0-2B 3.0-3B 3.0-4B 3.0-5B 3.0-6B 3.0-7B 3.0-8B 3.0-9B 3.0-10B 3.0-11B 3.0-12B 3.0-13B 3.0-14B 3.0-15B 3.0-16B 3.0-17B 3.0-18B 3.0-19B 3.1.1-1 thruB 3.1.1-6BASESRevision 1Revision 2Revision 1Revision 0Revision 1Revision IRevision 0Revision 0Revision 0Revision 1Revision 1Revision 2Revision 3Revision 3Revision 2Revision 2Revision 3Revision 2Revision 3Revision 3Revision 3Revision 3Revision 3Revision 1Revision 1Revision 0Revision 0Revision 0Re~iision 34/081993/01/056/21/049/30/9812/19/0312/19/039/30/989/30/989/30/983/19/073/19/073/19/073/19/073/19/073/19/073/1 9/073/19/073/19/073/19/073/19/073/19/073/19/073/19/073/19/073/19/073/19/073/19/073/19/075/05/11Catawba Units 1 and 2 Pg 31/21Page 1311/12/15 B 3.1.2-1 thruB 3.1.2-5B 3.1.3-1 thruB 3.1.3-6B 3,1.4-1 thruB 3.1.4-9B 3.1.5-1 thruB 3.1.5-4B 3.1.6-1 thruB 3.1.6-6B 3.1.7-1B 3.1.7-2B 3.1.7-3B 3.1.7-4B 3.1.7-5B 3.1.7-6B 3.1.8-1 thruB 3.1.8-6B 3.2.1-1 thruB 3.2.1 .-IlB 3.2.2-1 thruB 3.2.2-10B 3.2.3-1 thruB 3.2.3-4B 3.2.4-1 thruB 3.2.4-7B 3.3.1-1 thruB.3.3. 1-55B 3.3.2-1 thruB 3.3.2-49B 3.3.3-1 thruB.3.3.3-1 6B 3.3.4-1 thruB 3.3.4-5Revision 2Revision 2*Revision 1Revision 2Revision 1*Revision 0Revision 2Revision 2Revision 2Revision 2Revision 2Revision 2Revision 4Revision 3Revision 2Revision 2Revision 7Revision 11Revision 6Revision 2*5/05/114/14/155/05/115/05/115/05/119/30/981/08/041/08/041/08/041/08/041/08/045/05/115/05/115/05/115/05/115/05/1111/15/118/9/154/11/145/05/11Catawba Units 1 and 2 Pg 41/21Page 1411/12/15 0B 3.3.5-1 thruB 3.3.5-6B 3.3.6-1 thruB 3.3.6-5B 3.3.9-1 thruB 3.3.9-5B 3.4.1-1 thruB 3.4.1-5B 3.4.2-1B 3.4.2-2B 3.4.2-3B 3.4.3-1 thruB 3.4.3-6B 3.4.4-1 thruB 3.4.4-3B 3.4.5-1 thruB 3.4.5-6B 3.4.6-1 thruB 3.4.6-5B 3.4.7-1 thruB 3.4.7-5B 3.4.8-1 thruB 3.4.8-3B 3.4.9-1 thruB 3.4.9-5B 3.4.10-1B 3.4.10-2B 3.4.10-3B 3.4.10-4B 3.4.11-1 thruB 3.4.11-7B 3.4.12-1 thruB 3.4.12-14B 3.4.13-1 thruB 3.4.13-7B 3.4.14-1 thruB 3.4.14-6B 3.4.15-1 thruB 3.4.15-10Catawba Units 1 and 2Revision 2Revision 6Revision 3Revision 3Revision 0Revision 0Revision 0Revision 2Revision 2Revision 3Revision 4Revision 6Revision 3Revision 3Revision 1Revision 0Revision 1Revision 2Revision 4Revision 5Revision 7Revision 3Revision 65/05/1108/02/1206/02/145/05/119/30/ 989/30/989/30/ 985/05/115/05/115/05/115/05/112/10/1 55/05/1108/02/123/4/049/30/983/4/0410/30/095/05/118/19/153/15/125/05/115/05/11Page 15Page 1511/12/15 B 3.4.16-1 thruB 3.4.16-5B 3.4.17-1 thruB 3.4.17-3B 3.4.18-1B 3,4.18-2B 3.4.18-3B 3.4.18-4B 3.4.18-5B 3.4.18-6B 3.4.18-7B 3.4.18-8B 3.5.1-1 thruB 3.5.1-8B 3.5.2-1 thruB 3.5.2-10B 3.5.3-1B 3.5.3-2B 3.5.3-3B 3.5.4-1 thruB. 3.5 .4-5B 3.5.5-1 thruB 3.5.5-4B 3.6.1-1B 3.6.1-2B 3.6.1-3B 3.6.1-4B 3.6.1-5B 3.6.2-1 thruB 3.6.2-8B 3.6.3-1 thruB 3.6.3-14B 3.6.4-1 thruB 3.6.4-4B 3.6.5-1 thruB 3.6.5-4Revision 4Revision 2Revision 0Revision 0Revision 1Revision 0Revision 0Revision 0Revision 0Revision 1Revision 3Revision 3Revision 0Revision 1Revision 1Revision 5Revision 1Revision 1Revision 1Revision 1Revision 1Revision 1Revision 2Revision 4Revision 2Revision 310/23/125/05/111113/051/13/053/18/081/13/051/13/051/13/051/13/053/18/085/05/115/05/119/30/984/29/044/29/044/11/145/05/117/31/017/31/017/31/017/31/017/3 1/0 15/05/115/05/115/05/1107/27/13Catawba Units 1 and 2 Pg 61/21Page 1611/12/15 0B 3.6.6-1 thruB 3.6.6-7B 3.6.8-1 thruB 3.6.8-5B 3.6.9-1 thruB 3.6.9-5B 3.6.10-1 thruB 3.6.10-6B 3.6.11-1 thruB 3.6.11-6B 3.6.12-1 thruB 3.6.12-11B 3.6.13-1 thruB 3.6.13-9B 3.6.14-1 thruB 3.6.14-5B 3.6.15-1 thruB 3.6.15-4B 3.6.16-1 thruB 3.6.16-4B 3.6.17-iB 3.6.17-2B 3.6.17-3B 3.6.17-4B 3.6.17-5B 3.7.1-1B 3.7.1-2B 3.7.1-3B 3.7.1-4B 3.7.1-5B 3.7.2-1B 3.7.2-2B 3.7.2-3B 3.7.2-4B 3.7.2-5B 3.7.3-1B 3.7.3-2Catawba Units 1 and 2Revision 6Revision 3Revision 6Revision 2Revision 5Revision 5Revision 4Revision 2Revision 1Revision 3Revision iRevision 0Revision 0Revision 0Revision 1Revision 0Revision 0Revision 0Revision 1Revision 1Revision 0Revision 0Revision 2Revision 1Revision 3Revision 0Revision 0Page 175/05/115/05/115/05/115/05/115/05/115/05/115/05/114/11/145/05/115/05/113/13/089/30/989/30/989/30/983/13/089/30/989/30/989/30/9810/30/0910/30/099/30/989/30/986/23/109/08/0810/30/099/30/989/30/9811/12/15 B 3.7.3-3B 3,7.3-4,B 3.7.3-5B 3.7.3-6B 3.7.4-1 thruB 3.7.4-4B 3.7.5-1 thruB 3.7.5-9B 3.7.6-1 thruB 3.7.6-3B 3.7.7-1 thruB 3.7.7-5B 3.7,8-1 thruB 3.7.8-8B 3.7.9-1 thru3.7.9-4B 3.7.10-1 thruB 3.7.10-9B 3.7.11-1 thruB 3.7,1!-4B 3.7.12-1 thruB 3.7.12-7B 3.7.13-1 thruB 3.7.13-5B 3.7.14-1 thruB 3.7.14-3B 3.7.15-1 thruB 3.7.15-4B 3.7.16-1B 3.7.16-2B 3.7.16-3B 3.7.16-4B 3.7.17-1 thruB3 3.7.17-3B 3.8.1-1 thruB.3.8. 1-29B 3.8.2-1B 3.8.2-2Revision 0Revision 0Revision 1Revision 2Revision 2Revision 3Revision 4Revision 2Revision 5Revision 3Revision 10Revision 3Revision 6Revision 4Revision 2Revision 2Revision 2Revision 2Revision 2Revision 0Revision 2Revision 5Revision 0Revision 09/ 30/989/30/989/08/0810/30/095/05/115/05/1108/02/125/05/1108/09/135/05/1110/24/1110/24/111/09/135/05/115/05/115/05/119/27/069/27/069/27/069/27/065/05/1107/27/139/30/989/30/98Catawba Units 1 and 2 Pg 81/21Page 1811/12/15 B 3.8.2-3B 3.8.2-4B 3.8.2-5B 3.8.2-6B 3.8.3-1 thruB 3.8.3-8B 3.8.4-1 thruB3.8.4. 10B 3.8.5-1B 3.8.5-2B 3.8.5-3B 3.8.6-1 thruB 3.8.6-7B 3.8.7-1 thruB 3.8.7-4B 3.8.8-1 thruB 3.8.8-4B 3.8.9-1 thruB 3.8.9-10B 3.8.10-1 thruB 3.8.10-4B 3.9.1-1 thruB 3.9.1-4B 3.9.2-1 thruB 3.9.2.4B 3.9.3-1 thruB 3.9.3-5B 3.9.4-1 thruB 3.9.4-4B 3.9.5-1 thruB 3.9.5-4B 3.9.6-1 thruB 3.9.6-3B 3.9.7-1 thruB 3.9.7-3Revision 0Revision 1Revision 2Revision 1Revision 4Revision 10Revision 0Revision 2Revision 1Revision 4Revision 3Revision 3Revision 2Revision 3Revision 3Revision 4Revision 4Revision 4Revision 3Revision 2Revision 19/30/985/10/055/10/055/10/055/05/115/05/119/30/987/29/037/29/035/05/115/05/115/05/115/05/115/05/115/05/115/05/115/05/115/05/115/05/115/05/115/05/11Catawba Units 1 and 2Pae1Page 1911/12/15 ESFAS InstrumentationB 3.3.2B 3.3 INSTRUMENTATIONB 3.3.2 Engineered Safety Feature Actuation System (ESFAS) InstrumentationBASESBACKGROUND The ESFAS initiates necessary safety systems, based on the values ofselected unit parameters, to protect against violating core design limitsand the Reactor Coolant System (RCS) pressure boundary, and tomitigate accidents.The ESFAS instrumentation is segmented into three distinct butinterconnected modules as identified below:* Field transmitters or process sensors and instrumentation: providea measurable electronic signal based on the physicalcharacteristics of the parameter being measured;* Signal processing equipment including analog protection system,field contacts, and protection channel sets: provide signalconditioning, bistable setpoint comparison, process algorithmactuation, compatible electrical signal output to protection systemdevices, and control board/control room/miscellaneous indications;and* Solid State Protection System (SSPS) including input, logic, andoutput bays: initiates the proper unit shutdown or engineeredsafety feature (ESF) actuation in accordance with the defined logicand based on the bistable outputs from the signal process controland protection system.Field Transmitters or SensorsTo meet the design demands for redundancy and reliability, more thanone, and often as many as four, field transmitters or sensors are used tomeasure unit parameters. In many cases, field transmitters or sensorsthat input to the ESFAS are shared with the Reactor Trip System (RTS).In some cases, the same channels also provide control system inputs.To account for calibration tolerances and instrument drift, which isassumed to occur between calibrations, statistical allowances areCatawba Units 1 and 2B332-ReionN.1B 3.3.2-1 ESFAS InstrumentationB 3.3.2BASESBACKGROUND (continued)provided in the NOMINAL TRIP SETPOINT. The OPERABILITY of eachtransmitter or sensor can be evaluated when its "as found" calibrationdata are compared against its documented acceptance criteria.Siginal Processinqi EqiuipmentGenerally, three or four channels of process control equipment are usedfor the signal processing of unit parameters measured by the fieldinstruments. The process control equipment provides signal conditioning,comparable output signals for instruments located on the main controlboard, and comparison of measured input signals with setpointsestablished by safety analyses. These setpoints are defined in UFSAR,Chapter 6 (Ref. 1), Chapter 7 (Ref. 2), and Chapter 15 (Ref. 3). If themeasured value of a unit parameter exceeds the predetermined setpoint,an output from a bistable is forwarded to the SSPS for decision logicprocessing. Channel separation is maintained up to and through theinput bays. However, not all unit parameters require four channels ofsensor measurement and signal processing. Some unit parametersprovide input only to the SSPS, while others provide input to the SSPS,the main control board, the unit computer, and one or more controlsystems.Generally, if a parameter is used only for input to the protection circuits,three channels with a two-out-of-three logic are sufficient to provide therequired reliability and redundancy. If one channel fails in a direction thatwould not result in a partial Function trip, the Function is still OPERABLEwith a two-out-of-two logic. If one channel fails such that a partialFunction trip occurs, a trip will not occur and the Function is stillOPERABLE with a one-out-of- two logic.Generally, if a parameter is used for input to the SSPS and a controlfunction, four channels with a two-out-of-four logic are sufficient toprovide the required reliability and redundancy. The circuit must be ableto withstand both an input failure to the control system, which may thenrequire the protection function actuation, and a single failure in the otherchannels providing the protection function actuation. Again, a singlefailure will neither cause nor prevent the protection function actuation.These requirements are described in IEEE-279-1 971 (Ref. 4). The actualnumber of channels required for each unit parameter is specified in theUFSAR.Catawba Units 1 and 2B3322ReionN.1B 3.3.2-2 ESFAS InstrumentationB 3.3.2BASESBACKGROUND (continued)Trip Setpoints and Allowable ValuesThe NOMINAL TRIP SETPOINTS are the nominal values at which thebistables are set. Any bistable is considered to be properly adjustedwhen the "as left" value is within the band for CHANNEL CALIBRATIONtolerance.The NOMINAL TRIP SETPOINTS used in the bistables are based on theanalytical limits (Ref. 1, 2, and 3). The selection of these NOMINAL TRIPSETPOINTS is such that adequate protection is provided when all sensorand processing time delays, calibration tolerances, instrumentationuncertainties, instrument drift, and severe environment errors for thoseESFAS channels that must function in harsh environments as defined by10 CFR 50.49 (Ref. 5) are taken into account. The actual as-left setpointof the bistable assures that the actual trip occurs before the AllowableValue is reached. The Allowable Value accounts for changes in randommeasurement errors detectable by a COT. One example of such achange in measurement error is drift during the surveillance interval. Ifthe point at which the loop trips does not exceed the Allowable Value, theloop is considered OPERABLE.A trip within the Allowable Value ensures that the consequences ofDesign Basis Accidents (DBAs) will be acceptable, providing the unit isoperated from within the LCOs at the onset of the DBA and theequipment functions as designed.Each channel can be tested on line to verify that the signal processingequipment and setpoint accuracy is within the specified allowancerequirements. Once a designated channel is taken out of service fortesting, a simulated signal is injected in place of the field instrumentsignal. The process equipment for the channel in test is then tested,verified, and calibrated. SRs for the channels are specified in the SRsection.The determination of the NOMINAL TRIP SETPOINTS and AllowableValues listed in Table 3.3.2-1 incorporates all of the known uncertaintiesapplicable for each channel. The magnitudes of these uncertainties arefactored into the determination of each NOMINAL TRIP SETPOINT. Allfield sensors and signal processing equipment for these channels areassumed to operate within the allowances of these-uncertaintymagnitudes.Catawba Units 1 and 2B3323ReionN.1B3.3.2-3 ESFAS InstrumentationB 3.3.2BASESBACKGROUND (continued)Solid State Protection SystemThe SSPS equipment is used for the decision logic processing of outputsfrom the signal processing equipment bistables. To meet the redundancyrequirements, two trains of SSPS, each performing the same functions,are provided. If one train is taken out of service for maintenance or testpurposes, the second train will provide ESE actuation for the unit. If bothtrains are taken out of service or placed in test, a reactor trip will result.Each train is packaged in its own cabinet for physical and electricalseparation to satisfy separation and independence requirements.The SSPS performs the decision logic for most ESF= equipment actuation;generates the electrical output signals that initiate the required actuation;and provides the status, permissive, and annunciator output signals tothe main control room of the unit.The bistable outputs from the signal processing equipment are sensed bythe SSPS equipment and combined into logic matrices that representcombinations indicative of various transients. If a required logic matrixcombination is completed, the system will send actuation signals viamaster and slave relays to those components whose aggregate Functionbest serves to alleviate the condition and restore the unit to a safecondition. Examples are given in the Applicable Safety Analyses, LCO,and Applicability sections of this Bases.Each SSPS train has a built in testing device that can test the decisionlogic matrix functions and the actuation devices while the unit is at power.When any one train is taken out of service for testing, the other train iscapable of providing unit monitoring and protection until the testing hasbeen completed. The testing device is semiautomatic to minimize testingtime.The actuation of ESE components is accomplished through master andslave relays. The SSPS energizes the master relays appropriate for thecondition of the unit. Each master relay then energizes one or moreslave relays, which then cause actuation of the end devices. The masterand slave relays are routinely tested to ensure operation. The test of themaster relays energizes the relay, which then operates the contacts andapplies a low voltage to the associated slave relays. The low voltage isnot sufficient to actuate the slave relays but only demonstrates signalCatawba Units 1 and 2B332-ReionN.1B3.3.2-4 ESFAS InstrumentationB 3.3.2BASESBACKGROUND (continued)path continuity. The SLAVE RELAY TEST actuates the devices if theiroperation will not interfere with continued unit operation. For the lattercase, actual component operation is prevented by the SLAVE RELAYTEST circuit, and slave relay contact operation is verified by a continuitycheck of the circuit containing the slave relay.APPLICABLE Each of the analyzed accidents can be detected by one orSAFETY ANALYSES, more ESFAS Functions. One of the ESFAS Functions is theLCO, AND primary actuation signal for that accident. An ESFAS FunctionAPPLICABILITY may be the primary actuation signal for more than one type of accident.An ESFAS Function may also be a secondary, or backup, actuationsignal for one or more other accidents. For example, PressurizerPressure--Low is a primary actuation signal for small loss of coolantaccidents (LOCAs) and a backup actuation signal for steam line breaks(SLBs) outside containment. Functions such as manual initiation, notspecifically credited in the accident safety analysis, are qualitativelycredited in the safety analysis and the NRC staff approved licensing basisfor the unit. These Functions may provide protection for conditions thatdo not require dynamic transient analysis to demonstrate Functionperformance. These Functions may also serve as backups to Functionsthat were credited in the accident analysis (Ref. 3).The LCO requires all instrumentation performing an ESFAS Function tobe OPERABLE. Failure of any instrument renders the affectedchannel(s) inoperable and reduces the reliability of the affectedFunctions.The LCO generally requires OPERABILITY of three or four channels ineach instrumentation function and two channels in each logic and manualinitiation function. The two-out-of-three and the two-out-of-fourconfigurations allow one channel to be tripped during maintenance ortesting without causing an ESFAS initiation. Two logic or manualinitiation channels are required to ensure no single random failuredisables the ESFAS.The required channels of ESFAS instrumentation provide unit protectionin the event of any of the analyzed accidents. ESFAS protectionfunctions are as follows:Catawba Units 1 and 2B3325ReionN.1B 3.3.2-5 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)1. .Safety InjectionSafety Injection (SI) provides two primary functions:1. Primary side water addition to ensure maintenance orrecovery of reactor vessel water level (coverage of the activefuel for heat removal, clad integrity, and for limiting peak cladtemperature to < 2200°F); and2. Boration to ensure recovery and maintenance ofSDM (kerr < 1.0).These functions are necessary to mitigate the effects of highenergy line breaks (HELBs) both inside and outside ofcontainment. The SI signal is also used to initiate other Functionssuch as:* Phase A Isolation;* Containment Purge and Exhaust Isolation;* Reactor Trip;* Turbine Trip;* Feedwater Isolation;* Start of motor driven auxiliary feedwater (AFW)pumps;* Start of control room area ventilation filtration trains;* Enabling automatic switchover of Emergency Core CoolingSystems (ECCS) suction to containment sump;* Start of annulus ventilation system filtration trains;* Start of auxiliary building filtered ventilation exhaust systemtrains;* Start of diesel generatorsCatawba Units 1 and 2B332-ReionN.1B 3.3.2-6 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)* Start of nuclear service water system pumps; and* Start of component cooling water system pumps.These other functions ensure:* Isolation of nonessential systems through containmentpenetrations;* Trip of the turbine and reactor to limit power generation;* Isolation of main feedwater (MEW) to limit secondary sidemass losses;* Start of AFW to ensure secondary side cooling capability;* Filtration of the control room to ensure habitability;* Enabling ECCS suction from the refueling water storage tank(RWST) switchover on low RWST level to ensure continuedcooling via use of the containment sump;* Starting of annulus ventilation and auxiliary building filteredventilation to limit offsite releases;* Starting of diesel generators for loss of offsite powerconsiderations; and* Starting of component cooling water and nuclear servicewater systems for heat removal.a. Safety Iniection-Manual InitiationThe LCO requires two channels to be OPERABLE. Theoperator can initiate SI at any time by using either of twoswitches in the control room. This action will cause actuationof all components in the same manner as any of theautomatic actuation signals.The LCO for the Manual Initiation Function ensures theproper amount of redundancy is maintained in the manualESFAS actuation circuitry to ensure the operator has manualESFAS initiation capability.Catawba Units 1 and 2B332-ReionN.1B3.3.2-7 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Each train consists of one push button and theinterconnecting wiring to the actuation logic cabinet. Thisconfiguration does not allow testing at power.b. Safety Iniection-Automatic Actuation Loqic andActuation RelaysThis LCO requires two trains to be OPERABLE. Actuationlogic consists of all circuitry housed within the actuationsubsystems, including the initiating relay contactsresponsible for actuating the ESF equipment.Manual and automatic initiation of SI must be OPERABLE inMODES 1, 2, and 3. In these MODES, there is sufficientenergy in the primary and secondary systems to warrantautomatic initiation of ESF systems. In MODE 4, adequatetime is available to manually actuate required components inthe event of a DBA, but because of the large number ofcomponents actuated on a SI, actuation is simplified by theuse of the manual actuation push buttons. Automaticactuation logic and actuation relays must be OPERABLE inMODE 4 to support system level manual initiation.These Functions are not required to be OPERABLE inMODES 5 and 6 because there is adequate time for theoperator to evaluate unit conditions and resPond by manuallystarting individual systems, pumps, and other equipment tomitigate the consequences of an abnormal condition oraccident. Unit pressure and temperature are very low andmany ESF components are administratively locked out orotherwise prevented from actuating to prevent inadvertentoverpressurization of unit systems.c. Safety Iniection-Containment Pressure-Hi~qhThis signal provides protection against thefollowing accidents:*SLB inside containment;* LOCA; and*Feed line break inside containment.Catawba Units 1 and 2B332-ReionN.1B3.3.2-8 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Containment Pressure-High provides no input to any controlfunctions. Thus, three OPERABLE channels are sufficient tosatisfy protective requirements with a two-out-of-three logic:Containment Pressure-High must be OPERABLE inMODES 1, 2, and 3 when there is sufficient energy in theprimary and secondary systems to pressurize thecontainment following a pipe break. In MODES 4, 5, and 6,there is insufficient energy in the primary or secondarysystems to pressurize the containment.d. Safety Iniection-Pressurizer Pressure-LowThis signal provides protection against the followingaccidents:* Inadvertent opening of a steam generator (SG) reliefor safety valve;* SLB;* A spectrum of rod cluster control assembly ejectionaccidents (rod ejection);* Inadvertent opening of a pressurizer relief or safetyvalve;* LOCAs; and* SG Tube Rupture.Pressurizer pressure provides both control and protectionfunctions: input to the Pressurizer Pressure Control System,reactor trip, and SI. Therefore, the actuation logic must beable to withstand both an input failure to control system,which may then require the protection function actuation, anda single failure in the other channels providing the protectionfunction actuation. Thus, four OPERABLE channels arerequired to satisfy the requirements with a two-out-of-fourlogic.Catawba Units 1 and 2B332-ReionN.1B3.3.2-9 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)This Function must be OPERABLE in MODES 1, 2, and 3(above P-I11) to mitigate the consequences of an HELBinside containment. This signal may be manually blocked bythe operator below the P-1 1 setpoint. Automatic SI actuationbelow this pressure setpoint is then performed by theContainment Pressure-High signal.This Function is not required to be OPERABLE in MODE 3below the P-Il setpoint. Other ESF functions are used todetect accident conditions and actuate the ESF systems inthis MODE. In MODES 4, 5, and 6, this Function is notneeded for accident detection and mitigation.2. Deleted.3. Containment IsolationContainment Isolation provides isolation of the containmentatmosphere, and all process systems that penetrate containment,from the environment. This Function is necessary to prevent orlimit the release of radioactivity to the environment in the event of alarge break LOCA.There are two separate Containment Isolation signals, Phase Aand Phase B. Phase A isolation isolates all automatically isolableprocess lines, except component cooling water (CCW) and nuclearservice water system (NSWS), at a relatively low containmentpressure indicative of primary or secondary system leaks. Forthese types of events, forced circulation cooling using the reactorcoolant pumps (RCPs) and SGs is the preferred (but not required)method of decay heat removal. Since CCW and NSWS arerequired to support ROP operation, not isolating CCW and NSWSon the low pressure Phase A signal enhances unit safety byallowing operators to use forced RCS circulation to cool the unit.Isolating CCW and NSWS on the low pressure signal may forcethe use of feed and bleed cooling, which could prove more difficultto control.Catawba Units 1 and 2 B3321 eiinN.1B 3.3.2-10 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LOCO, and APPLICABILITY (continued)Phase A containment isolation is actuated automatically by SI, ormanually via the actuation circuitry. All process lines penetratingcontainment, with the exception of CCW and NSWS, are isolated.CCW is not isolated at this time to permit continued operation ofthe RCPs with cooling water flow to the thermal barrier heatexchangers and air or oil coolers. All process lines not equippedwith remote operated isolation valves are manually closed, orotherwise isolated, prior to reaching MODE 4.Manual Phase A Containment Isolation is accomplished by either oftwo switches in the control room. Either switch actuates itsassociated train.The Phase B signal isolates CCW and NSWS. This occurs at arelatively high containment pressure that is indicative of a largebreak LOCA or an SLB. For these events, forced circulation usingthe RCPs is no longer desirable. Isolating the CCW and NSWS atthe higher pressure does not pose a challenge to the containmentboundary because the CCW System and NSWS are closed loopsinside containment. Although some system components do notmeet all of the ASME Code requirements applied to thecontainment itself, the systems are continuously pressurized to apressure greater than the Phase B setpoint. Thus, routineoperation demonstrates the integrity of the system pressureboundary for pressures exceeding the Phase B setpoint.Furthermore, because system pressure exceeds the Phase Bsetpoint, any system leakage prior to initiation of Phase B isolationwould be into containment. Therefore, the combination of CCWSystem and NSWS design and Phase B isolation ensures there isnot a potential path for radioactive release from containment.Catawba Units 1 and 2 B3321 eiinN.1B 3.3.2-11 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Phase B containment isolation is actuated by ContainmentPressure-High High, or manually, via the automatic actuation logic,as previously discussed. For containment pressure to reach avalue high enough to actuate Containment Pressure-High High, alarge break LOCA or SLB must have occurred. RCP operation willno longer be required and CCW to the RCPs and NSWS to theRCP motor coolers are, therefore, no longer necessary. TheRCPs can be operated with seal injection flow alone and withoutCCW flow to the thermal barrier heat exchanger.Manual Phase B Containment Isolation is accomplished bypushbuttons on the main control board. In addition to manuallyinitiating a Phase B Containment Isolation, the pushbuttons alsoisolate the containment ventilation system.a. Containment Isolation-Phase A Isolation(1) Phase A Isolation-Manual InitiationManual Phase A Containment Isolation is actuated byeither of two switches in the control room. Eachswitch actuates its respective train.(2) Phase A Isolation-Automatic Actuation Lo~qic andActuation RelaysAutomatic Actuation Logic and Actuation Relaysconsist of the same features and operate in the samemanner as described for ESFAS Function 1 .b.Manual and automatic initiation of Phase A ContainmentIsolation must be OPERABLE in MODES 1, 2, and 3, whenthere is a potential for an accident to occur. In MODE 4,adequate time is available to manually actuate requiredcomponents in the event of a DBA, but because of the largenumber of components actuated on a Phase A ContainmentIsolation, actuation is simplified by the use of the manualactuation push buttons. Automatic actuation logic andactuation relays must be OPERABLE in MODE 4 to supportCatawba Units 1 and 2 B3321 eiinN.1B 3.3.2-12 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)system level manual initiation. In MODES 5 and 6, there isinsufficient energy in the primary or secondary systems topressurize the containment to require Phase A ContainmentIsolation. There also is adequate time for the operator toevaluate unit conditions and manually actuate individualisolation valves in response to abnormal or accidentconditions.(3) Phase A Isolation-Safety IniectionPhase A Containment Isolation is also initiated by allFunctions that initiate SI. The Phase A ContainmentIsolation requirements for these Functions are thesame as the requirements for their SI function.Therefore, the requirements are not repeated inTable 3.3.2-1. Instead, Function 1, SI, is referencedfor all initiating Functions and requirements.b. Containment Isolation-Phase B IsolationPhase B Containment Isolation is accomplished by manualInitiation, Automatic Actuation Logic and Actuation Relays,and by Containment Pressure channels. The ContainmentPressure trip of Phase B Containment Isolation is energizedto trip in order to minimize the potential of spurious trips thatmay damage the RCPs.(1) Phase B Isolation-Manual Initiation(2) Phase B Isolation-Automatic Actuation Loqjic andActuation RelaysManual and automatic initiation of Phase Bcontainment isolation must be OPERABLE inMODES 1, 2, and 3, when there is a potential for anaccident to occur. In MODE 4, adequate time isavailable to manually actuate required components inthe event of a DBA. However, because of the largenumber of components actuated on a Phase BCatawba Units 1 and 2 B3321 eiinN.1B 3.3.2-13 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)containment isolation, actuation is simplified by theuse of the manual actuation push buttons. Automaticactuation logic and actuation relays must beOPERABLE in MODE 4 to support system levelmanual initiation. In MODES 5 and 6, there isinsufficient energy in the primary or secondarysystems to pressurize the containment to requirePhase B containment isolation. There also isadequate time for the operator to evaluate unitconditions and manually actuate individual isolationvalves in response to abnormal or accidentconditions.(3) Phase B Isolation-Containment Pressure -High-HighContainment Pressure -High-High uses fourchannels in a two-out-of-four logic configuration.Since containment pressure is not used for control,this arrangement exceeds the minimum redundancyrequirements. Additional redundancy is warrantedbecause this Function is energize to trip.Containment Pressure -High-High must beOPERABLE in MODES 1, 2, and 3 when there issufficient energy in the primary and secondary sidesto pressurize the containment following a pipe break.In MODES 4, 5, and 6, there is insufficient energy inthe primary and secondary sides to pressurize thecontainment and reach the Containment Pressure -High-High setpoints.4. Steam Line IsolationIsolation of the main steam lines provides protection in the event ofan SLB inside or outside containment. Rapid isolation of the steamlines will limit the steam break accident to the blowdown from oneSG, at most. For an SLB upstream of the main steam isolationvalves (MSIVs), inside or outside of containment, closure of theMSIVs limits the accident to the blowdown from only the affectedSG. For an SLB downstream of the MSIVs, closure of the MSIVsterminates the accident as soon as the steam lines depressurize.Steam Line Isolation also mitigates the effects of a feed line breakand ensures a source of steam for the turbine driven AFW pumpduring a feed line break.Catawba Units 1 and 2.B3321ReionN.1B 3.3.2-14 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)a. Steam Line Isolation-Manual InitiationManual initiation of Steam Line Isolation can beaccomplished from the control room. There are two systemlevel switches in the control room and either switch caninitiate action to immediately close all MSIVs. The LCOrequires two channels to be OPERABLE. Individual valvesmay also be closed using individual hand switches in thecontrol room. The LCO requires four individual channels tobe OPERABLE.b. Steam Line Isolation-Automatic Actuation Loqic andActuation RelaysAutomatic actuation logic and actuation relays consist of thesame features and operate in the same manner as describedfor ESFAS Function 1 .b.Manual and automatic initiation of steam line isolation must beOPERABLE in MODES 1, 2, and 3 when there is sufficient energyin the RCS and SGs to have an SLB or other accident. This couldresult in the release of significant quantities of energy and cause acooldown of the primary system. The Steam Line IsolationFunction is required in MODES 2 and 3 unless all MSIVs areclosed and de-activated. In MODES 4, 5, and 6, there isinsufficient energy in the RCS and SGs to experience an SLB orother accident releasing significant quantities of energy.c. Steam Line Isolation-Containment Pressure-Higqh HighThis Function actuates closure of the MSIVs in the event of aLOCA or an SLB inside containment to maintain threeunfaulted SGs as a heat sink for the reactor, and to limit themass and energy release to containment. ContainmentPressure-High High uses four channels in a two-out-of-fourlogic configuration. Since containment pressure is not usedfor control, this arrangement exceeds the minimumredundancy requirements. Additional redundancy iswarranted because this Function is energize to trip.Containment Pressure-High High must be OPERABLE inMODES 1, 2, and 3, when there is sufficient energy in theprimary and secondary side to pressurize the containmentfollowing a pipe break. This would cause a significantincrease in the containment pressure, thus allowing detectionCatawba Units 1 and 2 B3321 eiinN.1B3.3.2-15 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)and closure of the MSIVs. The Steam Line IsolationFunction remains OPERABLE in MODES 2 and 3 unless allMSIVs are closed and de-activated. In MODES 4, 5, and 6,there is not enough energy. in the primary and secondarysides to pressurize the containment to the ContainmentPressure-High High setpoint.d. Steam Line Isolation-Steam Line PressureSteam Line Pressure channels provide both protection andcontrol functions. The protection functions include: SteamLine Pressure-Low and Steam Line Pressure-Negative Ratefunctions. The control functions include: Digital FeedwaterControl System (DECS) which controls SG level.(1) Steam Line Pressure-LowSteam Line Pressure-Low provides closure of theMSIVs in the event of an SLB to maintain threeunfaulted SGs as a heat sink for the reactor, and tolimit the mass and energy release to containment.This Function provides closure of the MSIVs in theevent of a feed line break to ensure a supply of steamfor the turbine driven AFW pump.DFCS receives steam pressure inputs from threeseparate protection channels for each SG. The threeinputs are median selected for each SG, with theresultant output being used by the automatic controlalgorithm. The median select feature prevents thefailure of an input signal from affecting the controlsystem. A loss of two or more input signals will placethe control system in manual and alert the operator.DFCS will maintain a steady control function duringthe switch to manual operation; therefore, a failure ofone or more input signals will not cause a controlsystem action that would result in a conditionrequiring protective actions. Thus, three OPERABLEchannels on each steam line, with a two-out-of-threelogic on each steam line, are sufficient to satisfyprotective requirements.Steam Line Pressure-Low Function must beOPERABLE in MODES 1, 2, and 3 (above P-i11), withany main steam valve open, when a secondary sideCatawba Units 1 and 2 B3321 eiinN.1B 3.3.2-16 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)break or stuck open valve could result in the rapiddepressurization of the steam lines. This signal maybe manually blocked by the operator below the P-i11setpoint. Below P-i11, an inside containment SLB willbe terminated by automatic actuation viaContainment Pressure-High High. Stuck valvetransients and outside containment SLBs will beterminated by the Steam Line Pressure-NegativeRate-High signal for Steam Line Isolation below P-i11when SI has been manually blocked. The SteamLine Isolation Function is required in MODES 2 and 3unless all MSlVs are closed and de-activated. ThisFunction is not required to be OPERABLE inMODES 4, 5, and 6 because there is insufficientenergy in the secondary side of the unit to have anaccident.(2) Steam Line Pressure-Neciative Rate-HicjhSteam Line Pressure-Negative Rate-High providesclosure of the MSlVs for an SLB when less than theP-i11 setpoint, to maintain at least one unfaulted SGas a heat sink for the reactor, and to limit the massand energy release to containment. When theoperator manually blocks the Steam Line Pressure-Low main steam isolation signal when less than theP-1 1 setpoint, the Steam Line Pressure-NegativeRate-High signal is automatically enabled. DFCSreceives steam pressure inputs from three separateprotection channels for each SG. The three inputsare median selected for each SG, with the resultantoutput being used by the automatic control algorithm.The median select feature prevents the failure of aninput signal from affecting the control system. A lossof two or more input signals will place the controlsystem in manual and alert the operator. DFCS willmaintain a steady control function during the switch tomanual operation; therefore, a failure of one or moreinput signals will not cause a control system actionthat would result in a condition requiring protectiveactions. Thus, three OPERABLE channels on eachsteam line, with a two-out-of-three logic on eachsteam line, are sufficient to satisfy protectiverequirements.Catawba Units 1 and 2 B3321 eiinN.iB 3.3.2-17 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Steam Line Pressure-Negative Rate-High must beOPERABLE in MODE 3 when less than the P-i11setpoint, when a secondary side break or stuck openvalve could result in the rapid depressurization of thesteam line(s). In MODES 1 and 2, and in MODE 3,when above the P-11I setpoint, this signal isautomatically disabled and the Steam Line Pressure-Low signal is automatically enabled. The Steam LineIsolation Function is required to be OPERABLE inMODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is insufficientenergy in the primary and secondary sides to have anSLB or other accident that would result in a release ofsignificant enough quantities of energy to cause acooldown of the RCS.5. Turbine Trip and Feedwater IsolationThe primary functions of the Turbine Trip and Feedwater Isolationsignals are to prevent damage to the turbine due to water in thesteam lines, stop the excessive flow of feedwater into the SGs, andto limit the energy released into containment. These Functions arenecessary to mitigate the effects of a high water level in the SGs,which could result in carryover of water into the steam lines andexcessive cooldown of the primary system. The SG high waterlevel is due to excessive feedwater flows. Feedwater Isolationserves to limit the energy released into containment upon afeedwater line or steam line break inside containment.The Functions are actuated when the level in any SG exceeds thehigh high setpoint, and performs the following functions:* Trips the main turbine;* Trips the MFW pumps;* Initiates feedwater isolation; and* Shuts the MFW regulating valves and the bypass feedwaterregulating valves.Turbine Trip and Feedwater Isolation signals are both actuated bySG Water Level-High High, or by an SI signal. The RTS alsoinitiates a turbine trip signal whenever a reactor trip (P-4) isgenerated. A Feedwater Isolation signal is also generated by aCatawba Units 1 and 2 B3321 eiinN.1B 3.3.2-18 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)reactor trip (P-4) coincident with Ta,,gLow and on a high water levelin the reactor building doghouse. The MEW System is also takenout of operation and the AFW System is automatically started. TheSI signal was discussed previously.a. Turbine Trip(1) Turbine Tripj-Automatic Actuation Loqic and ActuationRelaysAutomatic Actuation Logic and Actuation Relaysconsist of the same features and operate in the samemanner as described for ESFAS Function 1 .b.(2) Turbine Tripj-Steam Generator Water Level-Higqh Higqh(P-14)This signal prevents damage to the turbine due towater in the steam lines. The ESFAS SG water levelinstruments provide input to the SG Water LevelControl System. Therefore, the actuation logic mustbe able to withstand both an input failure to thecontrol system (which may then require the protectionfunction actuation) and a single failure in the otherchannels providing the protection function actuation.Thus, four OPERABLE channels are required tosatisfy the requirements with a two-out-of-four logic.The setpoints are based on percent of narrow rangeinstrument span.(3) Turbine Trip-Safety IniectionTurbine Trip is also initiated by all Functions thatinitiate SI. Therefore, the requirements are notrepeated in Table 3.3.2-1. Instead Function 1, SI, isreferenced for all initiating functions andrequirements. Item 5.a.(1) is referenced for theapplicable MODES.The Turbine Trip Function must be OPERABLE in MODES 1and 2. In lower MODES, the turbine generator is not inservice and this Function is not required to be OPERABLE.b. Feedwater IsolationCatawba Units 1 and 2 B3321 eiinN.1B3.3.2-19 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)(1) Feedwater Isolation-Automatic Actuation Loqic andActuation RelaysAutomatic Actuation Logic and Actuation Relaysconsist of the same features and operate in the samemanner as described for ESFAS Function 1 .b.(2) Feedwater Isolation-Steam Generator Water Level-Hi~qh Hicqh (P-14)This signal provides protection against excessivefeedwater flow. The ESFAS SG water levelinstruments provide input to the SG Water LevelControl System. Therefore, the actuation logic mustbe able to withstand both an input failure to thecontrol system (which may then require the protectionfunction actuation) and a single failure in the otherchannels providing the protection function actuation.Thus, four OPERABLE channels are required tosatisfy the requirements with a two-out-of-four logic.The setpoints are based on percent of narrow rangeinstrument span.(3) Feedwater Isolation-Safety IniectionFeedwater Isolation is also initiated by all Functionsthat initiate SI. The Feedwater Isolation Functionrequirements for these Functions are the same as therequirements for their SI function. Therefore, therequirements are not repeated in Table 3.3.2-1.Instead Function 1, SI, is referenced for all initiatingfunctions and requirements. Item 5.b.(1) isreferenced for the applicable MODES.(4) Feedwater Isolation -RCS Low coincident withReactor Trip (P-4)This signal provides protection against excessivecooldown, which could subsequently introduce apositive reactivity excursion after a plant trip. Thereare four channels of RCS Tavg -Low (one per loop),with a two-out-of-four logic required coincident with areactor trip signal (P-4) to initiate a feedwaterisolation. The P-4 interlock is discussed in Function8.a.Catawba Units 1 and 2 B3322 eiinN.1B 3.3.2-20 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)(5) Feedwater Isolation -Doqhouse Water Level -HiqhThis signal initiates a Feedwater Isolation. Thesignal terminates forward feedwater flow in the eventof a postulated pipe break in the main feedwaterpiping in the doghouses to prevent flooding safetyrelated equipment essential to the safe shutdown ofthe plant. Each doghouse contains two trains of levelinstrumentation. The level instrumentation consistsof six level switches (three per train) in each of thetwo reactor building doghouses. A high-high leveldetected by two-out-of-three switches, in either theinboard or outboard doghouse, will initiate adoghouse isolation. This signal initiates FeedwaterIsolation for the specific doghouse where the High-High level is detected and trips both main feedwaterpumps thus causing a main turbine trip.The Feedwater Isolation Function must be OPERABLE inMODES 1 and 2 and also in MODE 3 (except for thefunctions listed in Table 3.3.2-1). Feedwater Isolation is notrequired OPERABLE when all MFIVs, MFCVs, andassociated bypass valves are closed and de-activated orisolated by a closed manual valve. In lower MODES, theMFW System is not in service and this Function is notrequired to be OPERABLE.6. Auxiliary FeedwaterThe AFW System is designed to provide a secondary side heatsink for the reactor in the event that the MFW System is notavailable. The system has two motor driven pumps and a turbinedriven pump, making it available during normal and accidentoperation. The normal source of water for the AFW System is thecondensate storage system (not safety related). A low suctionpressure to the AFW pumps will automatically realign the pumpsuctions to the Nuclear Service Water System (NSWS)(safetyrelated). The AFW System is aligned so that upon a pump start,flow is initiated to the respective SGs immediately.a. Auxiliary Feedwater-Automatic Actuation Loq icand Actuation RelaysAutomatic actuation logic and actuation relays consist of theCatawba Units 1 and 2 B3322 eiinN.1B 3.3.2-21 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCD, and APPLICABILITY (continued)same features and operate in the same manner as describedfor ESFAS Function 1 .b.b. Auxiliary Feedwater-Steam Generator WaterLevel-Low LowSG Water Level-Low Low provides protection against a lossof heat sink. A feed line break, inside or outside ofcontainment, or a loss of MFW, would result in a loss of SGwater level. SG Water Level-Low Low provides input to theSG Level Control System. Therefore, the actuation logicmust be able to withstand both an input failure to the controlsystem which may then require a protection functionactuation and a single failure in the other channels providingthe protection function actuation. Thus, four OPERABLEchannels are required to satisfy the requirements with two-out-of-four logic. The setpoints are based on percent ofnarrow range instrument span.SG Water Level--Low Low in any operating SG will causethe motor driven AFW pumps to start. The system is alignedso that upon a start of the pump, water immediately begins toflow to the SGs. SG Water Level--Low Low in any twooperating SGs will cause the turbine driven pumps to start.c. Auxiliary Feedwater--Safety IniectionAn SI signal starts the motor driven AFW pumps. The AFWinitiation functions are the same as the requirements for theirSI function. Therefore, the requirements are not repeated inTable 3.3.2-1. Instead, Function 1, SI, is referenced for allinitiating functions and requirements.d. Auxiliary Feedwater-Loss of Offsite PowerA loss of offsite power to the service buses will beaccompanied by a loss of reactor coolant pumping powerand the subsequent need for some method of decay heatremoval. The loss of offsite power is detected by a voltagedrop on each essential service bus. Loss of power to eitheressential service bus will start the turbine driven and motordriven AFW pumps to ensure that at least two SGs containenough water to serve as the heat sink for reactor decayheat and sensible heat removal following the reactor trip.Catawba Units 1 and 2B332-2RvsoNo1B 3.3.2-22 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Functions 6.a through 6.d must be OPERABLE in MODES 1, 2,and 3 to ensure that the SGs remain the heat sink for the reactor.These Functions do not have to be OPERABLE in MODES 5 and 6because there is not enough heat being generated in the reactor torequire the SGs as a heat sink. In MODE 4, AFW actuation doesnot need to be OPERABLE because either AFW or residual heatremoval (RHR) will already be in operation to remove decay heat orsufficient time is available to manually place either system inoperation.e. Auxiliary Feedwater-Trip of All Main Feedwater PumpsA Trip of all MFW pumps is an indication of a loss of MEWand the subsequent need for some method of decay heatand sensible heat removal to bring the reactor back to noload temperature and pressure. Each turbine driven MFWpump is equipped with three pressure switches on the trip oilsystem. A low pressure signal from two-out-of-three of thesepressure switches indicates a trip of that pump. ThreeOPERABLE channels per pump satisfy redundancyrequirements with two-out-of-three logic. A trip of all MEWpumps starts the motor driven AFW pumps to ensure that atleast two SGs are available with water to act as the heat sinkfor the reactor. This function must be OPERABLE inMODES 1 and 2. This ensures that at least two SGs areprovided with water to serve as the heat sink to removereactor decay heat and sensible heat in the event of anaccident. In MODES 3, 4, and 5, the MEW pumps may benormally shut down, and thus neither pump trip is indicativeof a condition requiring automatic AFW initiation.f. Auxiliary Feedwater-Pump Suction Transfer onSuction Pressure-LowA low pressure signal in the AFW pump suction line protectsthe AFW pumps against a loss of the normal supply of waterfor the pumps, the condensate storage system. Threepressure switches per train are located on the AFW pumpsuction line from the condensate storage system. A lowpressure signal sensed by two-out-of-three switches will aligntheir train related motor driven AFW pump and the turbinedriven AFW pump to the assured water supply (NSWS). TheNSWS (safety grade) is then lined up to supply the AFWpumps to ensure an adequate supply of water for the AFWCatawba Units 1 and 2 B3322 eiinN.1B 3.3.2-23 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)System to maintain at least two of the SGs as the heat sinkfor reactor decay heat and sensible heat removal.This Function must be OPERABLE in MODES 1, 2, and 3 toensure a safety grade supply of water for the AFW System tomaintain the SGs as the heat sink for the reactor. ThisFunction does not have to be OPERABLE in MODES 5 and 6because there is not enough heat being generated in thereactor to require the SGs as a heat sink. In MODE 4, AFWautomatic suction transfer does not need to be OPERABLEbecause RHR will already be in operation, or sufficient timeis available to place RHR in operation, to remove decay heat.7. Automatic Switchover to Containment SumpAt the end of the injection phase of a LOCA, the RWST will benearly empty. Continued cooling must be provided by the ECOS toremove decay heat. The source of water for the ECCS pumps isautomatically switched to the containment recirculation sump. Thelow head residual heat removal (RHR) pumps and containmentspray pumps draw the water from the containment recirculationsump, the RHR pumps pump the water through the RHR heatexchanger, inject the water back into the RCS, and supply thecooled water to the other ECCS pumps. Switchover from theRWST to the-containment sump must occur before the RWSTempties to prevent damage to the RHR pumps and a loss of corecooling capability.a. Automatic Switchover to Containment Sump-Automatic Actuation Locqic and Actuation RelaysAutomatic actuation logic and actuation relays consist of thesame features and operate in the same manner as describedfor ESFAS Function 1 .b.b. Automatic Switchover to ContainmentSump-Refuelinq Water Stora~qe Tank (RWST)Level-Low Coincident With Safety IniectionDuring the injection phase of a LOCA, the RWST is thesource of water for all ECCS pumps. A low level in theRWST coincident with an SI signal provides protectionagainst a loss of water for the ECCS pumps and indicatesthe end of the injection phase of the LOCA. The RWST isequipped with four level transmitters. These transmittersCatawba Units 1 and 2 B3322 eiinN.1B 3.3.2-24 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)provide no control functions. Since an inadvertentswitchover to the containment sump could have a significantsafety impact, this instrumentation is placed in a bypasscondition for testing. Therefore, four channels are suppliedsuch that, during testing, the remaining three channels couldperform the intended function, and no single failure couldresult in either a failure to accomplish the intended function,or in an inadvertent switchover to the containment sump.Automatic switchover occurs only if the RWST low levelsignal is coincident with SI. This prevents accidentalswitchover during normal operation. Accidental switchovercould damage ECCS pumps if they are attempting to takesuction from an empty sump. The automatic switchoverFunction requirements for the SI Functions are the same asthe requirements for their SI function. Therefore, therequirements are not repeated in Table 3.3.2-1. Instead,Function 1, SI, is referenced for all initiating Functions andrequirements.These Functions must be OPERABLE in MODES 1, 2, 3,and 4 when there is a potential for a LOCA to occur, toensure a continued supply of water for the ECOS pumps.These Functions are not required to be OPERABLE inMODES 5 and 6 because there is adequate time for theoperator to evaluate unit conditions and respond by manuallystarting systems, pumps, and other equipment to mitigate theconsequences of an abnormal condition or accident. Systempressure and temperature are very low and many ESFcomponents are administratively locked out or otherwiseprevented from actuating to prevent inadvertentoverpressurization of unit systems.8. Engqineered Safety Feature Actuation System InterlocksTo allow some flexibility in unit operations, several interlocks areincluded as part of the ESFAS. These interlocks permit theoperator to block some signals, automatically enable other signals,prevent some actions from occurring, and cause other actions tooccur. The interlock Functions back up manual actions to ensurebypassable functions are in operation under the conditionsassumed in the safety analyses.Catawba Units 1 and 2 B3322 eiinN.1B 3.3.2-25 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)a. Engineered Safety Feature Actuation SystemInterlocks--Reactor Trip. P-4The P-4 interlock is enabled when a reactor trip breaker(RTB) and its associated bypass breaker is open. Operatorsare able to reset SI 60 seconds after initiation. If a P-4 ispresent when SI is reset, subsequent automatic SI initiationswill be blocked until the RTBs have been manually closed.This Function allows operators to take manual control of SIsystems after the initial phase of injection is complete whileavoiding multiple SI initiations. The functions of the P-4interlock are:* Trip the main turbine;* Isolate MFW with coincident low Tavg;* Prevent reactuation of SI after a manual reset of SI;* Transfer the steam dump from the load rejectioncontroller to the unit trip controller; and* Prevent opening of the MFW isolation valves if theywere closed on SI or SG Water Level--High High.Each of the above Functions is interlocked with P-4 to avertor reduce the continued cooldown of the RCS following areactor trip. An excessive cooldown of the RCS following areactor trip could cause an insertion of positive reactivity witha subsequent increase in generated power. To avoid such asituation, the noted Functions have been interlocked with P-4as part of the design of the unit control and protectionsystem.None of the noted Functions serves a mitigation function inthe unit licensing basis safety analyses. Only the turbine tripFunction is explicitly assumed since it is an immediateconsequence of the reactor trip Function. Neither turbinetrip, nor any of the other four Functions associated with thereactor trip signal, is required to show that the unit licensingbasis safety analysis acceptance criteria are not exceeded.The RTB position switches that provide input to the P-4interlock only function to energize or de-energize or open orclose contacts. Therefore, this Function has no adjustableCatawba Units 1 and 2 B3322 eiinN.1B 3.3.2-26 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)trip setpoint with which to associate a Trip Setpoint andAllowable Value.This Function must be OPERABLE in MODES 1, 2, and 3when the reactor may be critical or approaching criticality.This Function does not have to be OPERABLE in MODE 4,5, or 6 because the main turbine, the MFW System, and theSteam Dump System are not in operation.b. Engqineered Safety Feature Actuation SystemInterlocks-Pressurizer Pressure. P-11IThe P-i1I interlock permits a normal unit cooldown anddepressurization without actuation of SI or main steam lineisolation. With two-out-of-three pressurizer pressurechannels (discussed previously) less than the P-i11 setpoint,the operator can manually block the Pressurizer Pressure-Low SI signal and the Steam Line Pressure-Low steam lineisolation signal (previously discussed). When the SteamLine Pressure-Low steam line isolation signal is manuallyblocked, a main steam isolation signal on Steam LinePressure-Negative Rate-High is enabled. This providesprotection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-i11setpoint, the Pressurizer Pressure-Low SI signal and theSteam Line Pressure-Low steam line isolation signal areautomatically enabled. The operator can also enable thesetrips by use of the respective manual reset buttons. Whenthe Steam Line Pressure-Low steam line isolation signal isenabled, the main steam isolation on Steam Line Pressure-Negative Rate--High is disabled.This Function must be OPERABLE in MODES 1, 2, and 3 toallow an orderly cooldown and depressurization of the unitwithout the actuation of SI or main steam isolation. ThisFunction does not have to be OPERABLE in MODE 4, 5, or 6because system pressure must already be below the P-i1!setpoint for the requirements of the heatup and cooldowncurves to be met.c. Engqineered Safety Feature Actuation Systemlnterlocks-T~v-Low Low. P-i12On increasing reactor coolant temperature, the P-12 interlockprovides an arming signal to the Steam Dump System. On aCatawba Units 1 and 2 B3322 eiinN.1B 3.3.2-27 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)decreasing temperature, the P-i12 interlock removes thearming signal to the Steam Dump System to prevent anexcessive cooidown of the RCS due to a malfunctioningSteam Dump System.Since Tavg is used as an indication of bulk RCS temperature,this Function meets redundancy requirements with oneOPERABLE channel in each loop. These channels are usedin two-out-of-four logic. This Function must be OPERABLEin MODES 1, 2, and 3 when a secondary side break or stuckopen valve could result in the rapid depressurization of thesteam lines. This Function does not have to be OPERABLEin MODE 4, 5, or 6 because there is insufficient energy in thesecondary side of the unit to have an accident.9. Containment Pressure Control System PermissivesThe Containment Pressure Control System (CPCS) protects theContainment Building from excessive depressurization bypreventing inadvertent actuation or continuous operation of theContainment Spray and Containment Air Return Systems whencontainment pressure is at or less than the CPCS permissivesetpoint. The control scheme of CPCS is comprised of eightindependent control circuits (4 per train), each having a separateand independent pressure transmitter and current alarm module.Each pressure transmitter monitors the containment pressure andprovides input to its respective current alarm. The current alarmsare set to inhibit or terminate containment spray and containmentair return systems when containment pressure falls to or below0.25 psid. The alarm modules switch back to the permissive state(allowing the systems to operate) when containment pressure isgreater than or equal to 1.0 psid.This function must be OPERABLE in MODES 1, 2, :3, and 4 whenthere is sufficient energy in the primary and secondary sides topressurize containment following a pipe break. In MODES 5 and 6,there is insufficient energy in the primary and secondary sides tosignificantly pressurize the containment.10. Nuclear Service Water System Suction Transfer -Low Pit LevelUpon an emergency low pit level signal from either NSWS pit,interlocks isolate the NSWS from Lake Wylie, align NSWS to thestandby nuclear service water pond, close particular crossoverCatawba Units 1 and 2 B3322 eiinN.1B 3.3.2-28 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)valves, and start the NSWS pumps. This function is initiated on atwo-out-of-three logic from either NSWS pump pit.This function must be OPERABLE in MODES 1, 2, 3, and 4 toensure cooling water remains available to essential componentsduring a DBA. In MODES 5 and 6, the sufficient time exists formanual operator action to realign the NSWS pump suction, ifrequired.Unlike other shared NSWS equipment, the pit level interlocks donot require both normal and emergency power for OPERABILITY.This is because unlike mechanical components such as pumps andvalves, the interlocks are designed to fail safe upon a loss ofpower, initiating a transfer from Lake Wylie to the standby nuclearservice water pond. The definition of OPERABILITY, whichrequires either normal or emergency power, provides sufficientpower supply requirements and these interlocks can be consideredOPERABLE provided they are powered from either an inverter orregulated power.The ESFAS instrumentation satisfies Criterion 3 of 10 CFR 50.36 (Ref.6).ACTIONS A Note has been added in the ACTIONS to clarify the application ofCompletion Time rules. The Conditions of this Specification may beentered independently for each Function listed on Table 3.3.2-1. Whenthe Required Channels in Table 3.3.2-1 are specified (e.g., on a persteam line, per loop, per SG, etc., basis), then the Condition may beentered separately for each steam line, loop, SG, etc., as appropriate.A channel shall be OPERABLE if the point at which the channel trips isfound more conservative than the Allowable Value. In the event achannel's trip setpoint is found less conservative than the AllowableValue, or the transmitter, instrument loop, signal processing electronics,or bistable is found inoperable, then all affected Functions provided bythat channel must be declared inoperable and the LCO Condition(s)entered for the protection Function(s) affected. If plant conditionswarrant, the trip setpoint may be set outside the NOMINAL TRIPSETPOINT calibration tolerance band as long as the trip setpoint isconservative with respect to the NOMINAL TRIP SETPOINT. If the tripsetpoint is found outside of the NOMINAL TRIP SETPOINT calibrationtolerance band and non-conservative with respect to the NOMINAL TRIPSETPOINT, the setpoint shall be re-adjusted.Catawba Units 1 and 2 B3322 eiinN.1B 3.3.2-29 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)When the number of inoperable channels in a trip function exceed thosespecified in one or other related Conditions associated with a tripfunction, then the unit is outside the safety analysis. Therefore,LCO 3.0.3 should be immediately entered if applicable in the currentMODE of operation.A.__1Condition A applies to all ESFAS protection functions.Condition A addresses the situation where one or more channels or trainsfor one or more Functions are inoperable at the same time. TheRequired Action is to refer to Table 3.3.2-1 and to take the RequiredActions for the protection functions affected. The Completion Times arethose from the referenced Conditions and Required Actions.B.1, B.2.1 and B.2.2Condition B applies to manual initiation of:* SI;* Containment Spray;* Phase A Isolation; and* Phase B Isolation.This action addresses the train orientation of the SSPS for the functionslisted above. If a channel or train is inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed toreturn it to an OPERABLE status. Note that for containment spray andPhase B isolation, failure of one or both channels in one train renders thetrain inoperable. Condition B, therefore, encompasses both situations.The specified Completion Time is reasonable considering that there aretwo automatic actuation trains and another manual initiation trainOPERABLE for each Function, and the low probability of an eventoccurring during this interval. If the train cannot be restored toOPERABLE status, the unit must be placed in a MODE in which the LCOdoes not apply. This is done by placing the unit in at least MODE 3 withinan additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> total time) and in MODE 5 within anadditional 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> (84 hours9.722222e-4 days <br />0.0233 hours <br />1.388889e-4 weeks <br />3.1962e-5 months <br /> total time). The allowable CompletionTimes are reasonable, based on operating experience, to reach therequired unit conditions from full power conditions in an orderly mannerand without challenging unit systems.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-30 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)0.1. 0.2.1 and 0.2.2Condition C applies to the automatic actuation logic and actuation relaysfor the following functions:* SI;* Phase A Isolation;* Phase B Isolation; and* Automatic Switchover to Containment Sump.This action addresses the train orientation of the SSPS and the masterand slave relays. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed torestore the train to OPERABLE status. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed forrestoring the inoperable train to OPERABLE status is justified inReference 13. The specified Completion Time is reasonable consideringthat there is another train OPERABLE, and the low probability of an eventoccurring during this interval. If the train cannot be restored toOPERABLE status, the unit must be placed in a MODE in which the LCOdoes not apply. This is done by placing the unit in at least MODE 3 withinan additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> total time) and in MODE 5 within anadditional 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> (60 hours6.944444e-4 days <br />0.0167 hours <br />9.920635e-5 weeks <br />2.283e-5 months <br /> total time). The Completion Times arereasonable, based on operating experience, to reach the required unitconditions from full power conditions in an orderly manner and withoutchallenging unit systems.The Required Actions are modified by a Note that allows one train to bebypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing, provided the othertrain is OPERABLE. The Required Actions are not required to be metduring this time, unless the train is discovered inoperable during thetesting. This allowance is based on the reliability analysis assumption ofWCAP-1 0271-P-A (Ref. 7) that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required toperform train surveillance.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-31 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)0.1, D.2.1. and D.2.2Condition 0 applies to:* Containment Pressure-High;* Pressurizer Pressure-Low;* Steam Line Pressure-Low;* Steam Line Pressure-Negative Rate-High;* Loss of offsite power (refer to Condition D footnote);* SG Water level--Low Low; and* SG Water level--High High (P-14) for the Feedwater IsolationFunction.If one channel is inoperable, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are allowed to restore the channelto OPERABLE status or to place it in the tripped condition. Generally thisCondition applies to functions that operate on two-out-of-three logic.Therefore, failure of one channel places the Function in a two-out-of-twoconfiguration. One channel must be tripped to place the Function in aone-out-of-two configuration that satisfies redundancy requirements. The72 hours allowed to restore the channel to OPERABLE status or to placeit in the tripped condition is justified in Reference 13.Failure to restore the inoperable channel to OPERABLE status or place itin the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requires the unit be placed inMODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the next6 hours.The allowed Completion Times are reasonable, based on operatingexperience, to reach the required unit conditions from full powerconditions in an orderly manner and without challenging unit systems. InMODE 4, these Functions are no longer required OPERABLE.The Required Actions are modified by a Note that allows the inoperablechannel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing ofother channels. The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for testing is justified inReference 13.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-32 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)E.1. E.2.1, and E.2.2Condition E applies to:* Containment Phase B Isolation Containment Pressure-High High;and* Steam Line Isolation Containment Pressure -High High.Neither of these signals has input to a control function. Thus, two-out-of-.three logic is necessary to meet acceptable protective requirements.However, a two-out-of-three design would require tripping a failedchannel. This is undesirable because a single failure would then causespurious isolation initiation. Therefore, these channels are designed withtwo-out-of-four logic so that a failed channel may be bypassed ratherthan tripped. Note that one channel may be bypassed and still satisfy thesingle failure criterion. Furthermore, with one channel bypassed, a singleinstrumentation channel failure will not spuriously initiate isolation.To avoid the inadvertent actuation of Phase B containment isolation, theinoperable channel should not be placed in the tripped condition. Insteadit is bypassed. Restoring the channel to OPERABLE status, or placingthe inoperable channel in the bypass condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, issufficient to assure that the Function remains OPERABLE and minimizesthe time that the Function may be in a partial trip condition (assuming theinoperable channel has failed high). The Completion Time is furtherjustified based on the low probability of an event occurring during thisinterval. Failure to restore the inoperable channel to OPERABLE status,or place it in the bypassed condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, requires the unit beplaced in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within thenext 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based onoperating experience, to reach the required unit conditions from fullpower conditions in an orderly manner and without challenging unitsystems. In MODE 4, these Functions are no longer requiredOPERABLE.The Required Actions are modified by a Note that allows one additionalchannel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing.Placing a second channel in the bypass condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> fortesting purposes is acceptable based on the results of Reference 13.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-33 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)F.1, F.2.1, and F.2.2Condition F applies to:* Manual Initiation of Steam Line Isolation; and* P-4 Interlock.For the Manual Initiation and the P-4 Interlock Functions, this actionaddresses the train orientation of the SSPS. If a train or channel isinoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed to return it to OPERABLE status. Thespecified Completion Time is reasonable considering the nature of theseFunctions, the available redundancy, and the low probability of an eventoccurring during this interval. If the Function cannot be returned toOPERABLE status, the unit must be placed in MODE 3 within the next6 hours and MODE 4 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowedCompletion Times are reasonable, based on operating experience, toreach the required unit conditions from full power in an orderly mannerand without challenging unit systems. In MODE 4, the unit does not haveany analyzed transients or conditions that require the explicit use of theprotection functions noted above.G.1 and G.2Condition G applies to manual initiation of Steam Line Isolation.This action addresses the operability of the manual steam line isolationfunction for each individual main steam isolation valve. If a channel isinoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed to return it to an OPERABLE status. Ifthe train cannot be restored to OPERABLE status, the Conditions andRequired Actions of LCO 3.7.2, "Main Steam Isolation Valves," must beentered for the associated inoperable valve. The specified CompletionTime is reasonable considering that there is a system level manualinitiation train for this Function and the low probability of an eventoccurring during this interval.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-34 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)H.1, H.2.1 and H.2.2Condition H applies to the automatic actuation logic and actuation relaysfor the Steam Line Isolation, Feedwater Isolation, and AFW actuationFunctions.The action addresses the train orientation of the SSPS and the masterand slave relays for these functions. If one train is inoperable, 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />sare allowed to restore the train to OPERABLE status. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />sallowed for restoring the inoperable train to OPERABLE status is justifiedin Reference 13. The Completion Time for restoring a train toOPERABLE status is reasonable considering that there is another trainOPERABLE, and the low probability of an event occurring during thisinterval. If the train cannot be returned to OPERABLE status, the unitmust be brought to MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 withinthe following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable,based on operating experience, to reach the required unit conditions fromfull power conditions in an orderly manner and without challenging unitsystems. Placing the unit in MODE 4 removes all requirements forOPERABILITY of the protection channels and actuation functions. In thisMODE, the unit does not have analyzed transients or conditions thatrequire the explicit use of the protection functions noted above.The Required Actions are modified by a Note that allows one train to bebypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the othertrain is OPERABLE. This allowance is based on the reliability analysis(Ref. 7) assumption that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to performchannel surveillance.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-35 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)1.1 and 1.2Condition I appiies to the automatic actuation logic and actuation relaysfor the Turbine Trip Function.This action addresses the train orientation of the SSPS and the masterand slave relays for this Function. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> areallowed to restore the train to OPERABLE status or the unit must beplaced in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed forrestoring the inoperable train to OPERABLE status is justified inReference 13. The Completion Time for restoring a train to OPERABLEstatus is reasonable considering that there is another train OPERABLE,and the low probability of an event occurring during this interval. Theallowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operatingexperience, to reach MODE 3 from full power conditions in an orderlymanner and without challenging unit systems. These Functions are nolonger required in MODE 3. Placing the unit in MODE 3 removes allrequirements for OPERABILITY of the protection channels and actuationfunctions. In this MODE, the unit does not have analyzed transients orconditions that require the explicit use of the protection functions notedabove.The Required Actions are modified by a Note that allows one train to bebypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the othertrain is OPERABLE. This allowance is based on the reliability analysis(Ref. 7) assumption that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to performchannel surveillance.J.1 and J.2Condition J applies to:* SG Water Level--High High (P-14) for the Turbine Trip Function;and* Tavg-LOw.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-36 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)If one channel is inoperable, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are allowed to restore one channelto OPERABLE status or to place it in the tripped condition. If placed inthe tripped condition, the Function is then in a partial trip condition whereone-out-of-three logic will result in actuation. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed torestore the channel to OPERABLE status or place it in the trippedcondition is justified in Reference 13. Failure to restore the inoperablechannel to OPERABLE status or place it in the tripped condition within72 hours requires the unit to be placed in MODE 3 within the following6 hours. The allowed Completion Time of 78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> is reasonable, basedon operating experience, to reach MODE 3 from full power conditions inan orderly manner and without challenging unit systems. In MODE 3,these Functions are no longer required OPERABLE.The Required Actions are modified by a Note that allows the inoperablechannel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing ofother channels. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel inthe tripped condition, and the 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for a second channel tobe in the bypassed condition for testing, are justified in Reference 13.K.1 and K.2Condition K applies to the AFW pump start on trip of all MFW pumps.This action addresses the auto start function of the AFW System on lossof all MFW pumps. The OPERABILITY of the AFW System must beassured by allowing automatic start of the AFW System pumps. If achannel is inoperable, 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is allowed to return it to an OPERABLEstatus or to place the channel in trip. If the function cannot be returned toan OPERABLE status or placed in a trip condition, 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> are allowed toplace the unit in MODE 3. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> isreasonable, based on operating experience, to reach MODE 3 from fullpower conditions in an orderly manner and without challenging unitsystems. In MODE 3, the unit does not have any analyzed transients orconditions that require the explicit use of the protection function notedabove.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-37 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)L.1 and L.2Condition L applies to the Doghouse Water Level -High High.If one channel is inoperable, 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> are allowed to restore the channel toOPERABLE status or to place it in the tripped condition. Therefore,failure of one channel places the Function in a two-out-of-twoconfiguration. One channel must be tripped to place the Function in aone-out-of-two configuration that satisfies redundancy requirements.Alternatively, if the inoperable channel is not restored to OPERABLEstatus or placed in the tripped condition within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, the unit must beplaced in MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.The allowed Completion Times are reasonable, based on operatingexperience, to reach the required unit conditions from full powerconditions in an orderly manner and without challenging unit systems. InMODE 3, this Function is no longer required OPERABLE.Required Action L.1 is modified by a Note that allows the inoperablechannel to be bypassed for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for surveillance testing of otherchannels.M.1, M.2.1 and M.2.2Condition M applies to the Auxiliary Feedwater Pumps Suction Transferon Suction Pressure Low.If one channel is inoperable, 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is allowed to restore the channel toOPERABLE status or to place it in the tripped condition. The failure ofone channel places the Function in a two-out-of-two configuration. Onechannel must be tripped to place the Function in a one-out-of-threeconfiguration that satisfies redundancy requirements.Failure to restore the inoperable channel to OPERABLE status or place itin the tripped condition within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> requires the unit to be placed inMODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the next 6hours.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-38 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)The allowed Completion Times are reasonable, based on operatingexperience, to reach the required unit conditions from full powerconditions in an orderly manner and without challenging unit systems. InMODE 4, this Function is no longer required OPERABLE.N.1, N.2.1 and N.2.2Condition N applies to:* RWST Level--Low Coincident with Safety Injection.RWST Level--Low Coincident With SI provides actuation of switchover tothe containment sump. Note that this Function requires the bistables toenergize to perform their required action. The failure of up to twochannels will not prevent the operation of this Function. However, placinga failed channel in the tripped condition could result in a prematureswitchover to the sump, prior to the injection of the minimum volume fromthe RWST. Placing the inoperable channel in bypass results in a two-out-of-three logic configuration, which satisfies the requirement to allowanother failure without disabling actuation of the switchover whenrequired. Restoring the channel to OPERABLE status or placing theinoperable channel in the bypass condition within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is sufficient toensure that the Function remains OPERABLE, and minimizes the timethat the Function may be in a partial trip condition (assuming theinoperable channel has failed high). The 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time isjustified in Reference 7. If the channel cannot be returned to OPERABLEstatus or placed in the bypass condition within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, the unit must bebrought to MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 within thenext 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />. The allowed Completion Times are reasonable, based onoperating experience, to reach the required unit conditions from fullpower conditions in an orderly manner and without challenging unitsystems. In MODE 5, the unit does not have any analyzed transients orconditions that require the explicit use of the protection functions notedabove.The Required Actions are modified by a Note that allows placing asecond channel in the bypass condition for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for surveillancetesting. The total of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to reach MODE 3 and 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for a secondchannel to be bypassed is acceptable based on the results ofReference 7.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-39 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)0.1, 0.2.1 and 0.2.2Condition 0 applies to the P-11 and P-12 interlocks.With one channel inoperable, the operator must verify that the interlock isin the required state for the existing unit condition. This action manuallyaccomplishes the function of the interlock. Determination must be madewithin 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is equal to the time allowedby LCO 3.0.3 to initiate shutdown actions in the event of a complete lossof ESFAS function. If the interlock is not in the required state (or placedin the required state) for the existing unit condition, the unit must beplaced in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within thefollowing 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, basedon operating experience, to reach the required unit conditions from fullpower conditions in an orderly manner and without challenging unitsystems. Placing the unit in MODE 4 removes all requirements forOPERABILITY of these interlocks.P.1Condition P applies to the Containment Pressure Control System Startand Terminate Permissives.With one or more channels inoperable, the affected containment sprayand containment air return systems components must be declaredinoperable immediately. The supported system LCOs provide theappropriate Required Actions and Completion Times for the equipmentmade inoperable by the inoperable channel. The immediate CompletionTime is appropriate since the inoperable channel could prevent thesupported equipment from starting when required. Additionally,protection from an inadvertent actuation may not be provided if theterminate function is not OPERABLE.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-40 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)Q.1, Q.2. Q.3.1. and Q.3.2With one channel of NSWS Suction Transfer -Low Pit Level inoperable inone or more NSWS pits, 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> are allowed to place it in the trippedcondition or align the NSWS to the Standby NSWS Pond. The failure ofone channel places the Function in a two-out-of-two configuration. Thefailed channel must either be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements, or the NSWSrealigned to fulfill the safety function.Failure to place the channel in the tripped condition or to realign theNSWS suction and discharge within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> requires the unit be placed inMODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 within the next 30hours.The requirement to align the NSWS to the Standby NSWS Pond onlyapplies to OPERABLE trains of the system.The allowed Completion Times are reasonable, based on operatingexperience, to reach the required unit conditions from full powerconditions in an orderly manner and without challenging unit systems. InMODE 5, this Function is no longer required OPERABLE.R.1. R.2.1, and R.2.2With two or more channels of NSWS Suction Transfer -Low Pit Levelinoperable in one or more pits, the NSWS must be aligned to the StandbyNSWS Pond within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. Failure to accomplish the realignment within4 hours requires the unit be placed in MODE 3 within the following 6hours and MODE 5 within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.The requirement to align the NSWS to the Standby NSWS Pond onlyapplies to OPERABLE trains of the system.The allowed Completion Times are reasonable, based on operatingexperience, to reach the required unit conditions from full powerconditions in an orderly manner and without challenging unit systems. InMODE 5, this Function is no longer required OPERABLE.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-41 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE The SRs for each ESFAS Function are identified by the SRs columnREQUIREMENTS of Table 3.3.2-1.A Note has been added to the SR Table to clarify that Table 3.3.2-1determines which SRs apply to which ESFAS Functions.Note that each channel of process protection supplies both trains of theESFAS. When testing channel I, train A and train B must be examined.Similarly, train A and train B must be examined when testing channel II,channel Ill, and channel IV (if applicable). The CHANNELCALIBRATION and COTs are performed in a manner that is consistentwith the assumptions used in analytically calculating the required channelaccuracies.SR 3.3.2.1Performance of the CHANNEL CHECK ensures that a gross failure ofinstrumentation has not occurred. A CHANNEL CHECK is normally acomparison of the parameter indicated on one channel to a similarparameter on other channels. It is based on the assumption thatinstrument channels monitoring the same parameter should readapproximately the same value. Significant deviations between the twoinstrument channels could be an indication of excessive instrument driftin one of the channels or of something even more serious. A CHANNELCHECK will detect gross channel failure; thus, it is key to verifying theinstrumentation continues to operate properly between each CHANNELCALIBRATION.Agreement criteria are determined by the unit staff, based on acombination of the channel instrument uncertainties, including indicationand reliability. If a channel is outside the criteria, it may be an indicationthat the sensor or the signal processing equipment has drifted outside itslimit.The Surveillance Frequency is based on operating experience,equipment reliability, and plant risk and is controlled under theSurveillance Frequency Control Program.SR 3.3.2.2SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST. TheSSPS is tested using the semiautomatic tester. The train being tested isplaced in the bypass condition, thus preventing inadvertent actuation.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-42 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)Through the semiautomatic tester, all possible logic combinations, withand without applicable permissives, are tested for each protectionfunction. In addition, the master relay coil is pulse tested for continuity.This verifies that the logic modules are OPERABLE and that there is anintact voltage signal path to the master relay coils. The SurveillanceFrequency is based on operating experience, equipment reliability, andplant risk and is controlled under the Surveillance Frequency ControlProgram.SR 3.3.2.3SR 3.3.2.3 is the performance of a TADOT. This test is a check of theLoss of Offsite Power Function. Each Function is tested up to, andincluding, the master transfer relay coils.This test also includes trip devices that provide actuation signals directlyto the SSPS. The SR is modified by a Note that excludes final actuationof pumps and valves to minimize plant upsets that would occur. TheSurveillance Frequency is based on operating experience, equipmentreliability, and plant risk and is controlled under the SurveillanceFrequency Control Program.SR 3.3.2.4SR 3.3.2.4 is the performance of a MASTER RELAY TEST. TheMASTER RELAY TEST is the energizing of the master relay, verifyingcontact operation and a low voltage continuity check of the slave relaycoil. Upon master relay contact operation, a low voltage is injected to theslave relay coil. This voltage is insufficient to pick up the slave relay, butlarge enough to demonstrate signal path continuity. The time allowed forthe testing (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) is justified in Reference 7. The SurveillanceFrequency is based on operating experience, equipment reliability, andplant risk and is controlled under the Surveillance Frequency ControlProgram.SR 3.3.2.5SR 3.3.2.5 is the performance of a COT.A COT is performed on each required channel to ensure the channel willperform the intended Function. The tested portion of the loop must tripwithin the Allowable Values specified in Table 3.3.2-1.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-43 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)The setpoint shall be left set consistent with the assumptions of thesetpoint methodology.The Surveillance Frequency is based on operating experience,equipment reliability, and plant risk and is controlled under theSurveillance Frequency Control Program.SR 3.3.2.6SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVERELAY TEST is the energizing of the slave relays. Contact operation isverified in one of two ways. Actuation equipment that may be operated inthe design mitigation MODE is either allowed to function, or is placed in acondition where the relay contact operation can be verified withoutoperation of the equipment. Actuation equipment that may not beoperated in the design mitigation MODE is prevented from operation bythe SLAVE RELAY TEST circuit. For this latter case, contact operation isverified by a continuity check of the circuit containing the slave relay. TheSurveillance Frequency is based on operating experience, equipmentreliability, and plant risk and is controlled under the SurveillanceFrequency Control Program.For slave relays or any auxiliary relays in the ESFAS circuit that are of thetype Westinghouse AR or Potter & Brumfield MDR, the SLAVE RELAYTEST Frequency is based on operating experience, equipment reliability,and plant risk and is controlled under the Surveillance Frequency ControlProgram.SR 3.3.2.7SR 3.3.2.7 is the performance of a COT on the RWST level andContainment Pressure Control Start and Terminate Permissives.A COT is performed on each required channel to ensure the entirechannel will perform the intended Function. Setpoints must be foundconservative with respect to the Allowable Values specified in Table3.3.2-1. The Surveillance Frequency is based on operating experience,equipment reliability, and plant risk and is controlled under theSurveillance Frequency Control Program.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-44 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)For Functions for which TSTF-493, "Clarify Application of SetpointMethodology for LSSS Functions" has been implemented, this SR ismodified by two Notes as identified in Table 3.3.2-1. The first Noterequires evaluation of channel performance for the condition where theas-found setting for the channel setpoint is outside its as-found tolerancebut conservative with respect to the Allowable Value. Evaluation ofchannel performance will verify that the channel will continue to behave inaccordance with safety analysis assumptions and the channelperformance assumptions in the setpoint methodology. The purpose ofthe assessment is to ensure confidence in the channel performance priorto returning the channel to service. For channels determined to beOPERABLE but degraded, after returning the channel to service theperformance of these channels will be evaluated under the plantCorrective Action Program. Entry into the Corrective Action Program willensure required review and documentation of the condition. The secondNote requires that the as-left setting for the channel be returned to withinthe as-left tolerance of the NOMINAL TRIP SETPOINT (NTSP). Where asetpoint more conservative than the NTSP is used in the plantsurveillance procedures (field setting), the as-left and as-foundtolerances, as applicable, will be applied to the surveillance proceduresetpoint. This will ensure that sufficient margin to the Safety Limit and/orAnalytical Limit is maintained. If the as-left channel setting cannot bereturned to a setting within the as-left tolerance of the NTSP, then thechannel shall be declared inoperable. The second Note also requiresthat the methodologies for calculating the as-left and the as-foundtolerances be in the UFSAR.SR 3.3.2.8SR 3.3.2.8 is the performance of a TADOT. This test is a check of theManual Actuation Functions, AFW pump start on trip of all MFW pumps,AFW low suction pressure, Reactor Trip (P-4) Interlock, and DoghouseWater Level -High High Feedwater Isolation. Each Manual ActuationFunction is tested up to, and including, the master relay coils. In someinstances, the test includes actuation of the end device (i.e., pump starts,valve cycles, etc.). The Surveillance Frequency is based on operatingexperience, equipment reliability, and plant risk and is controlled underthe Surveillance Frequency Control Program. The SR is modified by aNote that excludes verification of setpoints during the TADOT for manualinitiation Functions. The manual initiation Functions have no associatedsetpoints.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-45 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)SIR 3.3.2.9SIR 3.3.2.9 is the performance of a CHANNEL CALIBRATION.CHANNEL CALIBRATION is a complete check of the instrument ioop,including the sensor. The test verifies that the channel responds tomeasured parameter within the necessary range and accuracy.CHANNEL CALIBRATIONS must be performed consistent with theassumptions of the unit specific setpoint methodology.The Surveillance Frequency is based on operating experience,equipment reliability, and plant risk and is controlled under theSurveillance Frequency Control Program.This SR is modified by a Note stating that this test should includeverification that the time constants are adjusted to the prescribed valueswhere applicable. The applicable time constants are shown in Table3.3.2-1.For Functions for which TSTF-493, "Clarify Application of SetpointMethodology for LSSS Functions" has been implemented, this SR ismodified by two Notes as identified in Table 3.3.2-1. The first Noterequires evaluation of channel performance for the condition where theas-found setting for the channel setpoint is outside its as-found tolerancebut conservative with respect to the Allowable Value. Evaluation ofchannel performance will verify that the channel will continue to behave inaccordance with safety analysis assumptions and the channelperformance assumptions in the setpoint methodology. The purpose ofthe assessment is to ensure confidence in the channel performance priorto returning the channel to service. For channels determined to beOPERABLE but degraded, after returning the channel to service theperformance of these channels will be evaluated under the plantCorrective Action Program. Entry into the Corrective Action Program willensure required review and documentation of the condition. The secondNote requires that the as-left setting for the channel be returned to withinthe as-left tolerance of the NOMINAL TRIP SETPOINT (NTSP). Where asetpoint more conservative than the NTSP is used in the plantsurveillance procedures (field setting), the as-left and as-foundtolerances, as applicable, will be applied to the surveillance proceduresetpoint. This will ensure that sufficient margin to the Safety Limit and/orAnalytical Limit is maintained. If the as-left channel setting cannot bereturned to a setting within the as-left tolerance of the NTSP, then theCatawba Units 1 and 2 B3324 eiinN.1B 3.3.2-46 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)channel shall be declared inoperable. The second Note also requiresthat the methodologies for calculating the as-left and the as-foundtolerances be in the UFSAR.SR 3.3.2.10This SR ensures the individual channel ESE RESPONSE TIMES are lessthan or equal to the maximum values assumed in the accident analysis.Response Time testing acceptance criteria are included in the UFSAR(Ref. 2). Individual component response times are not modeled in theanalyses. The analyses model the overall or total elapsed time, from thepoint at which the parameter exceeds the Trip Setpoint value at thesensor, to the point at which the equipment in both trains reaches therequired functional state (e.g., pumps at rated discharge pressure, valvesin full open or closed position).For channels that include dynamic transfer functions (e.g., lag, lead/lag,rate/lag, etc.), the response time test may be performed with the transferfunctions set to one with the resulting measured response time comparedto the appropriate UFSAR response time. Alternately, the response timetest can be performed with the time constants set to their nominal valueprovided the required response time is analytically calculated assumingthe time constants are set at their nominal values. The response timemay be measured by a series of overlapping tests such that the entireresponse time is measured.Response time may be verified by actual response time tests in anyseries of sequential, overlapping or total channel measurements, or bythe summation of allocated sensor, signal processing and actuation logicresponse times with actual response time tests on the remainder of thechannel. Allocations for sensor response times may be obtained from:(1) historical records based on acceptable response time tests (hydraulic,noise, or power interrupt tests), (2) inplace, onsite, or offsite (e.g. vendor)test measurements, or (3) utilizing vendor engineering specifications.WCAP-13632-P-A Revision 2, "Elimination of Pressure Sensor ResponseTime Testing Requirements" provides the basis and methodology forusing allocated sensor response times in the overall verification of thechannel response time for specific sensors identified in the WCAP. Inaddition, while not specifically identified in the WCAP, ITT Barton 386Aand 580A-0 sensors were compared to sensors which were identified. Itwas concluded that the WCAP results could be applied to these twosensor types as well. Response time verification for other sensor typesmust be demonstrated by test.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-47 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)WCAP-1 4036-P-A Revision 1, "Elimination of Periodic ProtectionChannel Response Time Tests" provides the basis and methodology forusing allocated signal processing and actuation logic response times inthe overall verification of the protection system channel response time.The allocations for sensor, signal conditioning and actuation logicresponse times must be verified prior to placing the component inoperational service and re-verified following maintenance that mayadversely affect response time. In general, electrical repair work doesnot impact response time provided the parts used for repair are of thesame type and value. Specific components identified in the WCAP maybe replaced without verification testing. One example where responsetime could be affected is replacing the sensing assembly of a transmitter.The Surveillance Frequency is based on operating experience,equipment reliability, and plant risk and is controlled under theSurveillance Frequency Control Program.This SR is modified by a Note that clarifies that the turbine driven AEWpump is tested within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after reaching 600 psig in the SGs.SR 3.3.2.11SR 3.3.2.11 is the performance of a COT on the NSWS Suction Transfer-Low Pit Level.A COT is performed on each required channel to ensure the entirechannel will perform the intended Function. Setpoints must be foundwithin the Allowable Values specified in Table 3.3.2-1. The SurveillanceFrequency is based on operating experience, equipment reliability, andplant risk and is controlled under the Surveillance Frequency ControlProgram.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-48 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)SR 3.3.2.12SR 3.3.2.12 is the performance of an ACTUATION LOGIC TEST on theDoghouse Water Level-High High and NSWS Suction Transfer-Emergency Low Pit Level Functions.An ACTUATION LOGIC TEST to satisfy the requirements of GL 96-01 isperformed on each instrumentation to ensure all logic combinations willinitiate the appropriate Function. The Surveillance Frequency is basedon operating experience, equipment reliability, and plant risk and iscontrolled under the Surveillance Frequency Control Program.REFERENCES 1. UFSAR, Chapter 6.2. UFSAR, Chapter 7.3. UFSAR, Chapter 15.4. IEEE-279-1971.5. 10 CFR 50.49.6. 10 CFR 50.36, Technical Specifications, (c)(2)(ii).7. WCAP-1 0271-P-A, Supplement 1 and Supplement 2, Rev. 1, May1986 and June 1990.8. WCAP-1 3632-P-A Revision 2, "Elimination of Pressure SensorResponse Time Testing Requirements" Sep., 1995.9. WCAP-1 4036-P-A Revision 1, "Elimination of Periodic ProtectionChannel Response Time Tests" Oct., 1998.10. Not used.11. Not used.12. Not used.13. WCAP-14333-P-A, Revision 1, October 1998.14. Not used.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-49 LTOP SystemB 3.4.12B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.12 Low Temperature Overpressure Protection (LTOP) SystemBASESBACKGROUNDThe LTOP System controls RCS pressure at low temperatures so theintegrity of the reactor coolant pressure boundary (RCPB) is notcompromised by violating the pressure and temperature (PIT) limits of10 CFR 50, Appendix G (Ref. 1 ). The reactor vessel is the limiting RCPBcomponent for demonstrating such protection. This specification providesthe maximum allowable actuation logic setpoints for the power operatedrelief valves (PORVs) and LCO 3.4.3, "RCS Pressure and Temperature(P/T) Limits," provides the maximum RCS pressure for the existing RCScold leg temperature during cooldown, shutdown, and heatup to meet theReference 1 requirements during the LTOP MODES.The reactor vessel material is less tough at low temperatures than atnormal operating temperature. As the vessel neutron exposureaccumulates, the material toughness decreases and becomes lessresistant to pressure stress at low temperatures (Ref. 2). RCS pressure,therefore, is maintained low at low temperatures and is increased only astemperature is increased.The potential for vessel overpressurization is most acute when the RCS iswater solid, occurring only while shutdown; a pressure fluctuation canoccur more quickly than an operator can react to relieve the condition.Exceeding the RCS P/T limits by a significant amount could cause brittlecracking of the reactor vessel. LCO 3.4.3 requires administrative controlof RCS pressure and temperature during heatup and cooldown to preventexceeding the specified limits.This LCO provides RCS overpressure protection by having a minimumcoolant input capability and having adequate pressure relief capacity.Limiting coolant input capability requires all but two pumps incapable ofinjection into the RCS, isolating the accumulators, and limiting reactorcoolant pump operation at low temperatures. The pressure relief capacityrequires two redundant RCS relief valves. One RCS relief valve is theoverpressure protection device that acts to terminate an increasingpressure event.With minimum coolant input capability, the ability to provide core coolantaddition is restricted. The LCO does not require the makeup controlCatawba Units 1 and 2B34121RvsoN.5B 3.4.12-1Revision No. 5 LTOP SystemB 3.4.12BASESBACKGROUND (continued)system deactivated or the safety injection (SI) actuation circuits blocked.Due to the lower pressures in the LTOP MODES and the expected coredecay heat levels, the makeup system can provide adequate flow via themakeup control valve. If conditions require the use of more than onecharging pump for makeup in the event of loss of inventory, thenadditional pumps can be made available through manual actions.The LTOP System for pressure relief consists of two PORVs with reducedlift settings or two residual heat removal (RHR) suction relief valves or onePORV and one RHR suction relief valve. Two RCS relief valves arerequired for redundancy. One RCS relief valve has adequate relievingcapability to keep from overpressurization for the required coolant inputcapability.PORV RequirementsAs designed for the LTOP System, each PORV is signaled to open if theRCS pressure reaches 400 psig (as left calibrated), allowable value < 425psig (as found), when the PORVS are in the "io-press" mode of operation.If the PORVs are being used to meet the requirements of thisSpecification, then indicated ROS cold leg temperature is limited to >_ 70°Fin accordance with the LTOP analysis. When all Reactor Coolant Pumpsare secured, this temperature is measured at the outlet of the residualheat removal heat exchanger. This location will provide the mostconservative (lower) temperature measurement of water capable of beingdelivered into the Reactor Coolant System. The LTOP actuation logicmonitors both RCS temperature and RCS pressure. The signals used togenerate the pressure setpoints originate from the wide range pressuretransmitters. The signals used to generate the temperature permissivesoriginate from the wide range RTDs. Each signal is input to theappropriate NSSS protection system cabinet where it is converted to aninternal signal and then input to a comparator to generate an actuationsignal. If the indicated pressure meets or exceeds the calculated value, aPORV is signaled to open.This Specification presents the PORV setpoints for LTOP. Having thesetpoints of both valves within the limits ensures that the Reference 1limits will not be exceeded in any analyzed event.When a PORV is opened in an increasing pressure transient, the releaseof coolant will cause the pressure increase to slow and reverse. As thePORV releases coolant, the RCS pressure decreases until a resetpressure is reached and the valve is signaled to close. The pressurecontinues to decrease below the reset pressure as the valve closes.Catawba Units 1 and 2B34122RvsoN.5B 3.4.12-2Revision No. 5 LTOP SystemB 3.4.12BASESBACKGROUND (continued)RHR Suction Relief Valve RequirementsDuring LTOP MODES, the RHR system is operated for decay heatremoval and low-pressure letdown control. Therefore, the RHR suctionisolation valves (there are two suction isolation valves per line) are open inthe piping from the ROS hot legs to the inlets of the RHR pumps. Whilethese valves are open, the RHR suction relief valves are exposed to theRCS and are able to relieve pressure transients in the RCS.The RHR suction isolation valves must be open with operator powerremoved to make the RHR suction relief valves OPERABLE for RCSoverpressure mitigation. The RHR suction relief valves are spring loaded,bellows type water relief valve with pressure tolerances and accumulationlimits established by Section III of the American Society of MechanicalEngineers (ASME) Code (Ref. 8) for Class 2 relief valves.APPLICABLE Safety analyses (Ref. 3) demonstrate that the reactor vessel is adequatelySAFETY ANALYSES protected against exceeding the Reference 1 P/T limits. In MODES 1, 2,and 3, and in MODE 4 with RCS cold leg temperature exceeding 210°F,the pressurizer safety valves will prevent RCS pressure from exceedingthe Reference 1 limits. At about 21 00F and below, overpressureprevention falls to two OPERABLE RCS relief valves. Each of thesemeans has a limited overpressure relief capability.The actual temperature at which the pressure in the P/T limit curve fallsbelow the pressurizer safety valve setpoint increases as the reactor vesselmaterial toughness decreases due to neutron embrittlement. Each timethe P/T curves are revised, the LTOP System must be re-evaluated toensure its functional requirements can still be met using the RCS reliefvalve method.Any change to the RCS must be evaluated against the Reference 3analyses to determine the impact of the change on the LTOP acceptancelimits.Transients that are capable of overpressurizing the ROS are categorizedas either mass or heat input transients, examples of which follow:Mass Input Type Transientsa. Inadvertent safety injection of one safety injection pump and onecharging pump; orb. Charging/letdown flow mismatch.Catawba Units 1 and 2B34123RvsoN.5B 3.4.12-3Revision No. 5 LTOP SystemB 3.4.12BASESAPPLICABLE SAFETY ANALYSES (continued)Heat Input Type Transientsa. Inadvertent actuation of pressurizer heaters;b. Loss of RHR cooling; orc. Reactor coolant pump (RCP) startup with temperature asymmetrywithin the RCS or between the RCS and steam generators.The following are required during the LTOP MODES to ensure that massand heat input transients do not occur, which either of the LTOPoverpressure protection means cannot handle:a. Rendering all but two pumps incapable of injection;b. Deactivating the accumulator discharge isolation valves in theirclosed positions;c. Limiting RCP operation based on the existing temperature in theROS cold legs; andd. Disallowing start of an RCP if secondary temperature is more than50°F above primary temperature in any one loop. LCO 3.4.6, "RCSLoops--MODE 4," and LCO 3.4.7, "RCS Loops--MODE 5, LoopsFilled," provide this protection'.The Reference 3 analyses demonstrate that one RCS relief valve canmaintain RCS pressure below limits when any two pumps (chargingand/or safety injection) are actuated. Thus, the LCO allows two pumpsOPERABLE during the LTOP MODES. The LCO also requires theaccumulators be isolated when accumulator pressure is greater than orequal to the maximum ROS pressure for the existing RCS cold legtemperature allowed in LCO 3.4.3.The isolated accumulators must have their discharge valves closed andpower removed.The restrictions on the number of RCPs in operation at a giventemperature ensures that during a LTOP mass injection event that thepressure/temperature (PIT) limits of 10 CFR 50, Appendix G to protect theCatawba Units 1 and 2B34124RvsoN.5B 3.4.12-4Revision No. 5 LTOP SystemB 3.4.12BASESAPPLICABLE SAFETY ANALYSES (continued)reactor vessel are not exceeded. During startup and shutdown, when theRCPs are operated, their induced flows create a pressure drop across thevessel. This pressure drop along with the difference in elevation betweenthe beitline region and the instrumentation locations are additive to thepeak pressure from the mass injection event.The amount of the pressure at the reactor vessel beltline region from theRCPs is dependent on the number of RCPs operated. Adequate marginto prevent exceeding the P/T limits is assured by restricting the number ofRCPs operated. Since LTOP events are basically acknowledged as beingsteady-state events, these RCP operating restrictions are designed towork with the LTOP setpoint to provide protection from exceeding thesteady-state Appendix G P/T limits.Fracture mechanics analyses established the temperature of LTOPApplicability at 210°F.The consequences of a small break loss of coolant accident (LOCA) inLTOP MODE 4 conform to 10 CFR 50.46 and 10 CFR 50, Appendix K(Refs. 4 and 5), requirements by having a maximum of two pumps(charging and/or safety injection) OPERABLE and SI actuation enabled.PORV PerformanceThe fracture mechanics analyses show that the vessel is protected whenthe PORVs are set to open at or below the specified limit. The setpointsare derived by analyses that model the performance of the LTOP System,assuming the limiting LTOP transient of one charging pump and onesafety injection pump injecting into the RCS. These analyses considerpressure overshoot and undershoot beyond the PORV opening andclosing, resulting from signal processing and valve stroke times. ThePORV setpoints at or below the derived limit ensures the Reference 1 PITlimits will be met.The PORV setpoints will be updated when the revised P/T limits conflictwith the LTOP analysis limits. The P/T limits are periodically modified asthe reactor vessel material toughness decreases due to neutronembrittlement caused by neutron irradiation. Revised limits aredetermined using neutron fluence projections and the results ofexaminations of the reactor vessel material irradiation surveillancespecimens. The Bases for LCO 3.4.3, "RCS Pressure and Temperature(P/T) Limits," discuss these examinations.Catawba Units 1 and 2B34125RvsoN.5B 3.4.12-5Revision No. 5 LTOP SystemB 3.4.12BAS ESAPPLICABLE SAFETY ANALYSES (continued)The PORVs are considered active components. Thus, the failure of onePORV is assumed to represent the worst case, single active failure.RHR Suction Relief Valve PerformanceThe RHR suction relief valves do not have variable pressure andtemperature lift setpoints like the PORVs. Analyses show that one RHRsuction relief valve with a setpoint at or between 417 psig and 509 psigwill pass flow greater than that required for the limiting LTOP transientwhile maintaining RCS pressure less than the P/T limit curve. Assumingall relief flow requirements during the limiting LTOP event, an RHRsuction relief valve will maintain RCS pressure to within the valve rated liftsetpoint, plus an accumulation < 10% of the rated lift setpoint.Although each RHR suction relief valve may itself meet single failurecriteria, its inclusion and location within the RHR system does not allow itto meet single failure criteria when spurious RHR suction isolation valveclosure is postulated. Also, as the RCS P/T limits are decreased to reflectthe loss of embrittlement, the RHR suction relief valves must be analyzedto still accommodate the design basis transients for LTOP.The RHR suction relief valves are considered to be active components.Thus, the failure of one valve is assumed to represent the worst casesingle active failure.The LTOP System satisfies Criterion 2 of 10 CFR 50.36(Ref. 6).LCO This LCO requires that the LTOP System is OPERABLE. The LTOPSystem is OPERABLE when the minimum coolant input and pressurerelief capabilities are OPERABLE. Violation of this LCO could lead to theloss of low temperature overpressure mitigation and violation of theReference 1 limits as a result of an operational transient.To limit the coolant input capability, the LCO permits a maximum of twopumps (charging and/or safety injection) capable of injecting into the RCSand requires all accumulator discharge isolation valves closed andimmobilized when accumulator pressure is greater than or equal to themaximum ROS pressure for the existing RCS cold leg temperatureallowed in LCO 3.4.3. The LCO also limits ROP operation based onexisting RCS cold leg temperature as required by the LTOP analysis.The elements of the LCO that provide low temperature overpressuremitigation through pressure relief are:Catawba Units 1 and 2B34126RvsoN.5B 3.4.12-6Revision No. 5 LTOP SystemB 3.4.12BASESLCO (continued)a. Two OPERABLE PORVs (NC-32B and NC-34A); orA PORV is OPERABLE for LTOP when its block valve is open, itslift setpoint is set to the specified limit and testing proves itsautomatic ability to open at this setpoint, and motive power isavailable to the valve and its control circuit. The followingrestrictions are placed on PORV OPERABILITY for LTOP due tocommonalities between the PORV power supplies and letdownisolation:* NC-32B is not OPERABLE for LTOP if excess letdown is inservice.* NC-32B is not OPERABLE for LTOP if normal letdown is inservice and centrifugal charging pump B is in operation.* NC-34A is not OPERABLE for LTOP if normal letdown is inservice.b. Two OPERABLE RHR suction relief valves (ND-3 and ND-38); orAn RHR suction relief valve is OPERABLE for LTOP when both ofits RHR suction isolation valves are open, its setpoint is at orbetween 417 psig and 509 psig, and testing has proven its ability toopen in this pressure range.c. One OPERABLE PORV and one OPERABLE RHR suction reliefvalve.Each of these methods of overpressure prevention is capable ofmitigating the limiting LTOP transient.APPLICABILITY This LCO is applicable in MODE 4 when any ROS cold leg temperature is< 210°F, in MODE 5, and in MODE 6 when the reactor vessel head is on.The pressurizer safety valves provide overpressure protection that meetsthe Reference 1 P/T limits above 21 0°F. When the reactor vessel head isoff, overpressurization cannot occur.LCO 3.4.3 provides the operational P/T limits for all MODES. LCO 3.4.10,"Pressurizer Safety Valves," requires the OPERABILITY of the pressurizersafety valves that provide overpressure protection during MODES 1, 2,and 3, and MODE 4 above 21 0°F.Low temperature overpressure prevention is most critical during shutdownwhen the RCS is water solid, and a mass or heat input transient cancause a very rapid increase in RCS pressure when little or no time allowsCatawba Units 1 and 2B34127RvsoN.5B 3.4.12-7Revision No. 5 LTOP SystemB 3.4.12BASESAPPLICABILITY (continued)operator action to mitigate the event.The Applicability is modified by a Note stating that accumulator isolation isonly required when the accumulator pressure is more than or at themaximum RCS pressure for the existing temperature, as allowed by theP/T limit curves. This Note permits the accumulator discharge isolationvalve Surveillance to be performed only under these pressure andtemperature conditions.ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable LTOPsystem. There is an increased risk associated with entering MODE 4 fromMODE 5 with LTOP inoperable and the provisions of LCO 3.0.4.b, whichallow entry into a MODE or other specified condition in the Applicabilitywith the LCO not met after performance of a risk assessment addressinginoperable systems and components, should not be applied in thiscircumstance.A.1With more than two pumps (charging and/or safety injection) capable ofinjecting into the RCS, ROS overpressurization is possible.To immediately initiate action to restore restricted coolant input capabilityto the RCS reflects the urgency.of removing the RCS from this condition.B._11With RCP operation not limited in accordance with Table 3.4.12-1, RCSoverpressurization is possible.To immediately initiate action to limit pump operation reflects the urgencyof removing the RCS from this condition.C.1, D.1, and D.2An unisolated accumulator requires isolation within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This is onlyrequired when the accumulator pressure is at or more than the maximumRCS pressure for the existing temperature allowed by the P/T limit curves.If isolation is needed and cannot be accomplished in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, RequiredAction D.1 and Required Action D.2 provide two options, either of whichmust be performed in the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. By increasing the ROSCatawba Units 1 and 2B34128RvsoN.5B 3.4.12-8Revision No. 5 LTOP SystemB 3.4.12BASESACTIONS (continued)temperature to > 21 0°F, an accumulator pressure of 678 psig cannotexceed the LTOP limits if the accumulators are fully injected.Depressurizing the accumulators below the LTOP limit also gives thisprotection.The Completion Times are based on operating experience that theseactivities can be accomplished in these time periods and on engineeringevaluations indicating that an event requiring LTOP is not likely in theallowed times.E.1IIn MODE 4 when any RCS cold leg temperature is < 210°F, with one RCSrelief valve inoperable, the RCS relief valve must be restored toOPERABLE status within a Completion Time of 7 days. Two RCS reliefvalves (in any combination of the PORVs and RHR suction relief valves)are required to provide low temperature overpressure mitigation whilewithstanding a single failure of an active component.The Completion Time considers the facts that only one of the RCS reliefvalves is required to mitigate an overpressure transient and that thelikelihood of an active failure of the remaining valve path during this timeperiod is very low.F. 1The consequences of operational events that will overpressurize the RCSare more severe at lower temperature (Ref. 7). Thus, with one of the twoRCS relief valves inoperable in MODE 5 or in MODE 6 with the head onCompletion Time to restore two valves to OPERABLE status is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.The Completion Time represents a reasonable time to investigate andrepair several types of relief valve failures without exposure to a lengthyperiod with only one OPERABLE RCS relief valve to protect againstoverpressure events.Catawba Units 1 and 2B34129RvsoN.5B 3.4.12-9Revision No. 5 LTOP SystemB 3.4.12BASESACTIONS (continued)G.1 and G.2Steps must be taken immediately to limit potential mass input into theRCS, and the RCS must be depressurized and a vent must beestablished within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> when:a. Both required RCS relief valves are inoperable; orb. A Required Action and associated Completion Time of Condition A,0, E, or F is not met; orc. The LTOP System is inoperable for any reason other thanCondition A, C, D, E, or F.The Reference 3 analyses demonstrate that with the mass input into theRCS reduced to that of one injection pump (charging or safety injection)an RCS vent of> 4.5 square inches can maintain RCS pressure belowlimits. Therefore the Condition requires action to be taken immediately toreduce the input to that of one injection pump (charging or safety injection)prior to commencing RCS pressure reduction and establishing therequired RCS vent. This action is needed to protect the RCPB from a lowtemperature overpressure event and a possible brittle fracture of thereactor vessel.The capacity of a vent this size is greater than the flow of the limitingtransient for the LTOP configuration, one charging pump or one safetyinjection pump OPERABLE, maintaining RCS pressure less than themaximum pressure on the P/T limit curve. The required vent capacitymay be provided by one or more vent paths. The vent path(s) must beabove the level of reactor coolant, so as not to drain the RCS when open.The RCS vent size will be re-evaluated for compliance each time the P/Tlimit curves are revised based on the results of the vessel materialsu rveil lance.The ROS vent is passive and is not subject to active failure.The Completion Time considers the time required to place the plant in thisCondition and the relatively low probability of an overpressure eventduring this time period due to increased operator awareness ofadministrative control requirements.Catawba Units 1 and 2 B341-0Rvso oB 3.4.12-10Revision No. 5 LTOP SystemB 3.4.12BASESACTIONS (continued)G.3The ROS vent of > 4.5 square inches is proven OPERABLE by verifyingits open condition either:a. Once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for a valve that is not locked, (valves that aresealed or secured in the open position are considered "locked" inthis context); orb. Once every 31 days for other vent path(s) (e.g., a vent valve that islocked, sealed or secured in position or a removed pressurizersafety valve or open manway also fits this category).The passive vent valve arrangement must only be open to beOPERABLE. This Required Action is required to be performed if the ventis being used to satisfy the pressure relief requirements of RequiredAction G.2.Catawba Units 1 and 2 B341-1Rvso oB 3.4.12-11Revision No. 5 LTOP SystemB 3.4.12BASESSURVEILLANCE SR 3.4.12.1 and SR 3.4.12.2REQU IREMENTSTo minimize the potential for a low temperature overpressure event bylimiting the mass input capability, a maximum of two pumps (chargingand/or safety injection) are verified capable of injecting into the RCS andthe accumulator discharge isolation valves are verified closed and powerremoved.The pumps are rendered incapable of injecting into the RCS throughremoving the power from the pumps by racking the breakers out underadministrative control. An alternate method of LTOP control may beemployed using at least two independent means to prevent a pump startsuch that a single failure or single action will not result in an injection intothe RCS. This may be accomplished through two valves in the dischargeflow path being closed.The Surveillance Frequency is based on operating experience, equipmentreliability, and plant risk and is controlled under the SurveillanceFrequency Control Program.SR 3.4.12.3Each required RHR suction relief valve shall be demonstratedOPERABLE by verifying its RHR suction isolation valves are open and bytesting it in accordance with the Inservice Testing Program. ThisSurveillance is only required to be performed if the RHR suction reliefvalve is being used to meet this LCO.The RHR suction isolation valves are verified to be opened. TheSurveillance Frequency is based on operating experience, equipmentreliability, and plant risk and is controlled under the SurveillanceFrequency Control Program.The ASME Code (Ref. 9), test per Inservice Testing Program verifiesOPERABILITY by proving relief valve mechanical motion and bymeasuring and,. if required, adjusting the lift setpoint.SR 3.4.12.4The PORV block valve must be verified open to provide the flow path foreach required PORV to perform its function when actuated. The valvemust be remotely verified open in the main control room. ThisSurveillance is performed if the PORV satisfies the LCO.The block valve is a remotely controlled, motor operated valve. TheCatawba Units 1 and 2 B341-2Rvso oB 3.4.12-12 LTOP SystemB 3.4.12BASESSURVEILLANCE REQUIREMENTS (continued)power to the valve operator is not required removed, and the manualoperator is not required locked in the inactive position. Thus, the blockvalve can be closed in the event the PORV develops excessive leakageor does not close (sticks open) after relieving an overpressure situation.The Surveillance Frequency is based on operating experience, equipmentreliability, and plant risk and is controlled under the SurveillanceFrequency Control Program.SR 3.4.12.5Performance of a COT is required within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after decreasing RCStemperature to < 21 0°F and periodically on each required PORV to verifyand, as necessary, adjust its lift setpoint. The COT will verify the setpointis within the allowed maximum limits. PORV actuation could depressurizethe RCS and is not required. The Surveillance Frequency is based onoperating experience, equipment reliability, and plant risk and is controlledunder the Surveillance Frequency Control Program.The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency considers the unlikelihood of a low temperatureoverpressure event during this time.A Note has been added indicating that this SR is required to be met12 hours after decreasing RCS cold leg temperature to < 210°F. TheCOT cannot be performed until in the LTOP MODES when the PORV liftsetpoint can be reduced to the LTOP setting. The test must be performedwithin 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after entering the LTOP MODES.SR 3.4.12.6Performance of a CHANNEL CALIBRATION on each required PORVactuation channel is required to adjust the whole channel so that itresponds and the valve opens within the required range and accuracy toknown input. The Surveillance Frequency is based on operatingexperience, equipment reliability, and plant risk and is controlled under theSurveillance Frequency Control Program.Catawba Units 1 and 2 B341-3Rvso oB 3.4.12-13Revision No. 5 LTOP SystemB 3.4.12BAS ESSURVEILLANCE REQUIREMENTS (continued)SR 3.4.12.7Each required RHR suction relief valve shall be demonstratedOPERABLE by verifying its RHR suction isolation valves are open and bytesting it in accordance with the Inservice Testing Program. (Refer to SR3.4.12.3 for the RHR suction isolation valves Surveillance and for adescription of the Inservice Testing Program.) This Surveillance is onlyrequired to be performed if the RHR suction relief valve is being used tomeet this LCO.The RHR suction isolation valves are verified open, with power to thevalve operator removed and locked in the removed position, to ensurethat accidental closure will not occur. The "locked open in the removedposition" power supply must be locally verified in its open position with thepower supply to the valve locked in its inactive position. The SurveillanceFrequency is based on operating experience, equipment reliability, andplant risk and is controlled under the Surveillance Frequency ControlProgram.REFERENCES 1. 10 CFR 50, Appendix G.2. Generic Letter 88-1 1.3. UFSAR, Section 5.24. 10 CFR 50, Section 50.46.5. 10 CFR 50, Appendix K.6. 10 CFR 50.36, Technical Specifications, (c)(2)(ii).7. Generic Letter 90-06.8. ASME, Boiler and Pressure Vessel Code,Section III.9. ASME Code for Operation and Maintenance of Nuclear PowerPlants.Catawba Units 1 and 2 B341-4Rvso oB 3.4.12-14Revision No. 5 S_ %DUKEKelvin HendersonVice PresidentSENERGY catawba Nuclear StationDuke EnergyCNO1VP I 4800 Concord RoadYork, SC 29745o: 803,701.4251CNS-1 5-098 f: 803.701.3221December 14, 2015U.S. Nuclear Regulatory CommissionDocument Control DeskWashington, DC 20555-0001

Subject:

Duke Energy Carolinas, LLCCatawba Nuclear Station, Units 1 and 2Docket Nos. 50-413 and 50-414Technical Specification Bases ChangesPursuant to 10OCFR 50.4, please find attached changes to the Catawba Nuclear StationTechnical Specification Bases. These Bases changes were made according to the provisionsof Technical Specification 5.5.14, "Technical Specifications (TS) Bases Control Program."Any questions regarding this information should be directed to Larry Rudy, Regulatory Affairs, at(803) 701-3084.I certify that I am a duly authorized officer of Duke Energy Carolinas, LLC, and that theinformation contained herein accurately represents changes made to the TechnicalSpecification Bases since the previous submittal.Kelvin HendersonVice President, Catawba Nuclear StationAttachment A Lwww.duke-energy.com U.S. Nuclear Regulatory CommissionDecember 14, 2015Page 2xc: L. D. Wert, Jr., Acting Regional AdministratorU. S. Nuclear Regulatory Commission, Region IIMarquis One Tower245 Peachtree Center Ave., NE Suite 1200Atlanta, GA 30303-1257Mr. G.E. MillerNRC Project Manager (CNS)U.S. Nuclear Regulatory CommissionOne White Flint North, Mail Stop O-8G9A11555 Rockville PikeRockville, MD 20852-2746G. A. Hutto, Senior Resident InspectorCatawba Nuclear Station ENERGY~Catawba Nuclear StationDuke Energy4800 Concord Rd.York, SC 29745December 14, 2015Re: Catawba Nuclear StationTechnical Specifications BasesPlease replace the corresponding pages in your copy of the Catawba TechnicalSpecifications Manual as follows:REMOVE THESE PAGESINSERT THESE PAGESLIST OF EFFECTIVE PAGESEntire Section (19 pages)Entire Section (19 pages)TAB 3.3.2B 3.3.2-1 thru B 3.3.2-49Revision 10B 3.3.2-1 thru B 3.3.2-49Revision 11TAB 3.4.12B 3.4.12-1 thru B 3.4.12-14Revision 4B 3.4.12-1 thru B 3.4.12-14Revision 5If you have any questions concerning the contents of this Technical Specificationupdate, contact Kristi Byers at (803)701-3758.Cecil FletcherRegulatory Affairs Managerwww.duke-energy.com Catawba Nuclear *Station Technical SpecificationsList of Effective PagesPage Numberiiiiiiv1.1-11.1-21.1-31.1-41.1-51.1-61.1.71.2-11.2-21.2-31.3-11.3-21.3-31.3-41.3-51.3-61.3-71.3-81.3-91.3-101.3-111.3-121.3-131.4-11.4-2Amendment1771169219/214215/209173/1 65173/1 65268/264268/264268/264268/264268/264179/171173/1 65173/165173/165173/1 65173/165173/165173/1 65173/1 65173/1 65173/1 65173/1 65173/165173/165173/1 65173/1 65173/1 65173/165173/1 65Revision Date4/08/993/01/056/2 1/049/30/98*9/30/986/25/126/25/126/25/126/25/126/25/128/13/999/30/989/30/989/3 0/9 89/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/989/30/98Catawba Units 1 and 2Pge11/25Page 111/12/15 01.4-31.4-42.0-13.0-13.0-23.0-33.0-43.0-53,0-63.1.1-13.1.2-13.1.2-23.1.3-13.1.3-23.1.3-33.1.4-13.i1.4-23.1.4-33.1.4-43.1.5-13.1.5-23.1,6-13.1.6-23.1.6-33.1.7-13.1.7-23.1.8-13.1.8-23.2.1-13.2.1-23.2.1-33.2,1-4173/165173/1 65210/204235/231235/23 1235/231235/231235/231235/231263/ 259173/165263/259173/165275/271173/1 65173/1 65i173/i 6526 3/25 9263/259173/16526 3/259173/1 65173/1 65263/259173/1 65173/1 65173/1 65263/259173/1 65173/1 65263/259263/2599/30/989/30/9812/19/033/19/073/19/073/19/073/19/073/19/073/19/073/29/119/30/983/29/I19/30/9804/14/159/30/989/30/989/30/983/29/113/29/119/30/983/29/119/30/989(30/983/29/119/30/989/30/989/30/983/29/119/30/989/30/983/29/113/29/11Catawba Units 1 and 2Pae21//5Page 211/12/15 3.2.1-53.2.2-13.2.2-23.2.2-33.2.2-43.2.3-13.2.4-13.2.4-23.2.4-33.2.4-43.3.1-13.3.1-23.3.1-33.3.1-43.3.1-53.3.1-63.3.1-73.3.1=83.3.1-93.3. 1-103.3.1-113.3.1-123.3.1-133.3.1-143.3. 1-153.3.1-163.3. 1-173.3.1-183.3. 1-193.3. 1-203.3.1-213.3.1-223.3.2-1263/259173/165173/165263/259263/25926 3/25 9173/165173/1 65173/1 65263/259173/1 65247/240247/240207/201247/240247/240247/240!173/1 65263/259263/259263/259263/259263/259263/259263/25926 3/25926 3/2 59263/25926 3/25 926 3/2 59263/259263/259173/1653/29/119/30/989/30/983/29/113/29/113/29/119/30/989/30/989/30/983/29/119/30/9812/30/0812/30/087/29/0312/30/0812/30/0812/30/089/30/983/29/113/29/113/29/113/29/113/29/113/29/113/29/113/29/113/29/113/29/113/29/113/29/113/29/113/29/119/30/98Catawba Units 1 and 2Pae31125Page 311/12/15 3.3.2-23.3.2-33.3.2-43.3.2-53.3.2-63.3.2-73.3.2-83.3.2-93.3.2-103.3.2-113.3.2-123.3.2-133.3.2-143.3.2-153.3.2-163.3.2-173.3.3-13.3.3-23.3.3-33.3.3-43.3.4-13.3.4-23.3.4-33.3.5-13.3.5-23.3.6-13.3.6-23.3.6-33.3.9-13.3.9-23.3.9-33.3.9-4247/240247/240247/240264/260264/26 0249/243249/243249/243263/259263/259263/259269/265*263/259263/259264/26 0269/265219/214219/214263/259219/214213/207263/2592 72/26 8173/1 65263/259196/189263/259196/189207/201207/201263/259263/25912/30/0812/30/0812/30/086/13/116/13/114/2/094/2/094/2/093/29/113/29/li3/29/117/25/123/29/113/29/116/13/117/25/123/1/053/1/053/29/113/1/054/29/043/29/112/27/149/30/983/29/113/20/023/29/1113/20/027/29/037/29/033/29/113/29/11Catawba Units 1 and 2Pae41/25Page 411/12/15 3.4.1-1 210/204 12/19/0303.4.1i-2 210/204 12/19/033.4.1-3 263/259 3/29/113.4.1-4 210/204 12/19/033.4.1-5 (deleted) 184/176 3/01/003.4.1-6 (deleted) 184/1 76 3/01/003.4.2-1 173/165 9/30/983.4.3-1 173/165 9/30/983.4.3-2 263/259 3/29/113.4.3-3 212/206 3/4/043.4.3-4 212/206 3/4/043.4.3 -5 212/206 3/4/043.4.3-6 21 2/206 3/4/043.4.4-1 263/259 3/29/113.4.5-1 207/201 7/29/033.4.5-2 207/201 7/29/033453263/259 3/29/11,3.4.6-1 212/206 3/4/043.4.6-2 263/259 3/29/11i3.4.6-3 263/259 3/29/113.4.7-1 212/206 3/4/043.4.7-2 263/259 3/29/11-'3.4.7-3 263/259 3/29/113.4.8-1 207/201 7/29/033.4.8-2 263/259 3/29/113.4.9-1 173/165 9/30/983.4.9-2 263/259 3/29/113.4.10-1 212/206 3/4/043.4.10-2 173/165 9/30/983.4-11-1 213/207 4/29/043.4.11-2 173/1 65 9/30/98*3.4.11-3 263/259 3/29/11Catawba Units 1 and 2Pae51/25Page 511/12/15 3.4.11-4 263/259 3/29/113.4.12-1 212/206 3/4/043.4.12-2 213/207 4/29/043.4.12-3 212/206 3/4/043.4.12-4 212/206 3/4/043.4.12-5 263/259 3/29/113.4.12-6 263/259 3/29/113.4.12-7 263/259 3/29/113.4.12-8 263/259 3/29/113.4.13-1 267/263 3/12/123.4.13-2 267/263 3/12/123.4.14-1 173/165 9/30/983.4.14-2 173/165 9/30/983.4.14-3 263/259 3/29/113.4.14-4 263/259 3/29/113.4.15-1 234/230 9/30/063.4.1i5-2 234/230 9/30/063.4.15-3 234/230 9/30/063.4.15-4 263/259 3/29/113.4.16-1 268/264 6/25/123.4.16-2 268/264 6/25/123.4.16-3(deleted) 268/264 6/25/123.4.1 6-4(deleted) 268/264 6/25/123.4.17-1 263/259 3/29/113.4.18-1 218/212 1/13/053.4.18-2 218/212 1/13/053.5.1-1 21 1/205 12/23/033.5.1-2 263/259 3/29/113.5.1-3 263/259 3/29/113.5.2-1 253/248 10/30/093.5.2-2 263/259 3/29/113.5.2-3 263/259 3/29/11Catawba Units 1 and 2Pae61/25Page 611/12/15 3.5.3-13.5.3-23.5.4-13.5.4-23.5.5-13.5.5-23.6.1-13.6.1-23.6.2-13.6.2-23.6.2-33.6.2-43.6.2-53.6.3-13.6.3-23.6.3-33.6.3-43.6.3-53.6.3-63.6.3-73.6.4-13.6.5-13.6.5-23.6.6-13.6.6-23.6.8-13.6.8-23.6.9-13.6.10-23.6.10-13.6.11-1213/207173/165173/16526 9/265173/1 65263/259173/165192/1 84173/1 65173/165173/1 65173/1 6526 3/2 59173/165173/1 65173/1 65i173/1 65263/259263/259192/1 84263/259173/1 65263/259269/26526 9/265213/20726 3/2 59253/248263/259173/1 6526 3/2 5926 3/2 594/29/049/30/989/30/987/25/129/30/983/29/119/30/987/31/019/30/989/30/989/30/989/30/983/29/119/30/989/30/989/30/989/30/983/29/113/29/117/31/013/29/119/30/983/29/117/25/127/25/124/29/043/29/1110/30/093/29/119/30/983/29/113/29/11Catawba Units 1 and 2Pae71125Page 711/12/15 3.6.11-23.6.12-13.6.12-23.6.12-33.6.13-13.6.13-23.6.13-33.6.14-13.6.14-23.6.14-33.6.15-13.6.15-23.6.16-13.6.16-23.6.17-13.7.1-13.7.1=23.7.1-33.7.2-13.7.2-23.7.3-13.7.3-23.7.4-13.7.4-23.7.5-13.7.5-23.7.5-33.7.5-43.7.6-13.7.6-23.7.7-13.7.7-2263/259263/259263/259263/259256/251263/259263/259173/165263/259270/266173/1 65263/259263/259263/259253/248173/1 65173/165173/1 65173/1 65244/238173/1 65244/238213/207263/259253/248173/1 65263/259263/259173/1 65263/25925 3/248263/2593/29/113/29/113/29/113/29/116/28/103/29/113/29/119/30/983/29/118/6/139/30/983/29/113/29/113/29/1110/30/099/30/989/30/989/30/989/30/989/08/089/30/989/08/084/29/043/29/1110/30/099/30/983/29/113/29/119/3 0/9 83/29/1110/30/093/29/11Catawba Units 1 and 2Pae81/25Page 811/12/15 3.7.8-13.7.8-23.7.8-33.7.8-43.7.9-13.7.9-23. 7.10-13.7.10-23.7.10-33.7.11-13.7.11-23.7.12-13.7.12-23.7.13-13.7.13-23.7.14-13,7.1!5-13.7.16-13.7.16-23.7.16-33.7.17-13.8.1-13.8.1-23.8.1-33.8.1-43.8.1-53.8.1-63.8.1-73.8.1-83.8.1-93.8.1-103.8.1-11271/267271/267271/267271/267263/259263/259250/245260/255263/259198/19126 3/2 59253/248263/259198/19 126 3/2 59263/259263/259Q233/229233/229233/229263/259253/248173/1 65253/248173/1 65263/259263/259263/259263/259263/259263/259263/25908/09/1308/09/1308/09/1308/09/133/29/113/29/117/30/098/9/103/29/114/23/023/29/1110/30/093/29/114/23/023/29/113/29/113/29/119/27/069/27/069/27/063/29/1110/30/099/30/9810/30/099/30/983/29/113/29/113/29/113/29/113/29/113/29/113/29/11Catawba Units 1 and 2Pae91/25Page 911/12/15 3.8.1-123.8.1-133.8.1-143.8.1-153.8.2-13.8.2-23.8.2-33.8.3-13.8.3-23.8.3-33.8.4-13.8.4-23.8.4-33.8.4-43.8.4-53.8.5-13.8.5-23.8.6-13.8.6-23.8.6-33.8.6-43.8.6-53.8.7-13.8.7-23.8.8-13.8.8-23.8.9-13.8.9-23.8.9-33.8.10-13.8.10-23.9.1-1263/259263/259263/259263/259173/1 65207/201173/1 65175/167263/259263/259173/1 65263/259263/2 59263/259262/258173/1 65207/201253/248253/248253/248263/259223/218173/1 65263/259173/1 6526 3/2 59173/1 65173/1 6526 3/25 9207/201263/25926 3/2 593/29/113/29/113/29/113/29/119/30/987/29/039/30/981/15/993/29/113/29/119/30/983/29/113/29/113/29/1112/20/109/30/987/29/0310/30/0910/30/0910/30/093/29/114/27/059/30/983/29/119/30/983/29/119/30/989/30/983/29/117/29/033/29/113/29/11Catawba Units 1 and 2 Pg 01/21Page 1011/12/15 03.9.2-13.9.2-23.9.3-13.9.3-23.9.4-13.9.4-23.9.5-13.9.5-23.9.6-13.9.7-14.0-14.0-25.1-15.2-15.2-25.2-35.4-15.5-15.5-25.5-35.5-45.5-55.5-65.5-75.5-7a5.5-85.5-95.5-105.5-115.5-125.5-13215/20926 3/25 9227/22226 3/25 9207/201263/259207/201263/259263/259263/259220/215233/229273/269273/269273/269Deleted273 /2=69173/1 65273/269205/1 98173/1 65173/1 65216/210252/247218/21226 7/26 3267/263218/212227/22222 7/222218/212218/21.26/21/043/29/119/30/053/29/117/29/033/29/117/29/033/29/113/29/113/29/1113/03/059/27/062/12/152/12/152/12/159/21/09,-/i-/159/30/982/12/153/12/039/30/989/30/988/5/0410/30/091/13/053/12/123/12/121 /13/059/30/059/30/051 /13/051/13/05Catawba Units 1 and 2 Pg 11/21Page 1111/12/15 05.5-145.5-155.5-165.6-15.6-25.6-35.6-45.6-55.6-65.7-15.7-2218/212263/259263/259222/217253/248222/217275/271275/271275/271273/269173/1 651/13/053/29/113/29/113/31/0510/30/093/31/054/14/154/14/154/14/152/12/159"/30/98Catawba Units 1 and 2 Pg 21/21Page 1211/12/15 iiiiiBii1i -B 2.1.1-2B 2.1.1-3B 2.1.21-B 2.1.2-2B 2.1.2-3B 3.01.-B 3.0-2B 3.0-3B 3.0-4B 3.0-5B 3.0-6B 3.0-7B 3.0-8B 3.0-9B 3.0-10B 3.0-11B 3.0-12B 3.0-13B 3.0-14B 3.0-15B 3.0-16B 3.0-17B 3.0-18B 3.0-19B 3.1.1-1 thruB 3.1.1-6BASESRevision 1Revision 2Revision 1Revision 0Revision 1Revision IRevision 0Revision 0Revision 0Revision 1Revision 1Revision 2Revision 3Revision 3Revision 2Revision 2Revision 3Revision 2Revision 3Revision 3Revision 3Revision 3Revision 3Revision 1Revision 1Revision 0Revision 0Revision 0Re~iision 34/081993/01/056/21/049/30/9812/19/0312/19/039/30/989/30/989/30/983/19/073/19/073/19/073/19/073/19/073/19/073/1 9/073/19/073/19/073/19/073/19/073/19/073/19/073/19/073/19/073/19/073/19/073/19/073/19/075/05/11Catawba Units 1 and 2 Pg 31/21Page 1311/12/15 B 3.1.2-1 thruB 3.1.2-5B 3.1.3-1 thruB 3.1.3-6B 3,1.4-1 thruB 3.1.4-9B 3.1.5-1 thruB 3.1.5-4B 3.1.6-1 thruB 3.1.6-6B 3.1.7-1B 3.1.7-2B 3.1.7-3B 3.1.7-4B 3.1.7-5B 3.1.7-6B 3.1.8-1 thruB 3.1.8-6B 3.2.1-1 thruB 3.2.1 .-IlB 3.2.2-1 thruB 3.2.2-10B 3.2.3-1 thruB 3.2.3-4B 3.2.4-1 thruB 3.2.4-7B 3.3.1-1 thruB.3.3. 1-55B 3.3.2-1 thruB 3.3.2-49B 3.3.3-1 thruB.3.3.3-1 6B 3.3.4-1 thruB 3.3.4-5Revision 2Revision 2*Revision 1Revision 2Revision 1*Revision 0Revision 2Revision 2Revision 2Revision 2Revision 2Revision 2Revision 4Revision 3Revision 2Revision 2Revision 7Revision 11Revision 6Revision 2*5/05/114/14/155/05/115/05/115/05/119/30/981/08/041/08/041/08/041/08/041/08/045/05/115/05/115/05/115/05/115/05/1111/15/118/9/154/11/145/05/11Catawba Units 1 and 2 Pg 41/21Page 1411/12/15 0B 3.3.5-1 thruB 3.3.5-6B 3.3.6-1 thruB 3.3.6-5B 3.3.9-1 thruB 3.3.9-5B 3.4.1-1 thruB 3.4.1-5B 3.4.2-1B 3.4.2-2B 3.4.2-3B 3.4.3-1 thruB 3.4.3-6B 3.4.4-1 thruB 3.4.4-3B 3.4.5-1 thruB 3.4.5-6B 3.4.6-1 thruB 3.4.6-5B 3.4.7-1 thruB 3.4.7-5B 3.4.8-1 thruB 3.4.8-3B 3.4.9-1 thruB 3.4.9-5B 3.4.10-1B 3.4.10-2B 3.4.10-3B 3.4.10-4B 3.4.11-1 thruB 3.4.11-7B 3.4.12-1 thruB 3.4.12-14B 3.4.13-1 thruB 3.4.13-7B 3.4.14-1 thruB 3.4.14-6B 3.4.15-1 thruB 3.4.15-10Catawba Units 1 and 2Revision 2Revision 6Revision 3Revision 3Revision 0Revision 0Revision 0Revision 2Revision 2Revision 3Revision 4Revision 6Revision 3Revision 3Revision 1Revision 0Revision 1Revision 2Revision 4Revision 5Revision 7Revision 3Revision 65/05/1108/02/1206/02/145/05/119/30/ 989/30/989/30/ 985/05/115/05/115/05/115/05/112/10/1 55/05/1108/02/123/4/049/30/983/4/0410/30/095/05/118/19/153/15/125/05/115/05/11Page 15Page 1511/12/15 B 3.4.16-1 thruB 3.4.16-5B 3.4.17-1 thruB 3.4.17-3B 3.4.18-1B 3,4.18-2B 3.4.18-3B 3.4.18-4B 3.4.18-5B 3.4.18-6B 3.4.18-7B 3.4.18-8B 3.5.1-1 thruB 3.5.1-8B 3.5.2-1 thruB 3.5.2-10B 3.5.3-1B 3.5.3-2B 3.5.3-3B 3.5.4-1 thruB. 3.5 .4-5B 3.5.5-1 thruB 3.5.5-4B 3.6.1-1B 3.6.1-2B 3.6.1-3B 3.6.1-4B 3.6.1-5B 3.6.2-1 thruB 3.6.2-8B 3.6.3-1 thruB 3.6.3-14B 3.6.4-1 thruB 3.6.4-4B 3.6.5-1 thruB 3.6.5-4Revision 4Revision 2Revision 0Revision 0Revision 1Revision 0Revision 0Revision 0Revision 0Revision 1Revision 3Revision 3Revision 0Revision 1Revision 1Revision 5Revision 1Revision 1Revision 1Revision 1Revision 1Revision 1Revision 2Revision 4Revision 2Revision 310/23/125/05/111113/051/13/053/18/081/13/051/13/051/13/051/13/053/18/085/05/115/05/119/30/984/29/044/29/044/11/145/05/117/31/017/31/017/31/017/31/017/3 1/0 15/05/115/05/115/05/1107/27/13Catawba Units 1 and 2 Pg 61/21Page 1611/12/15 0B 3.6.6-1 thruB 3.6.6-7B 3.6.8-1 thruB 3.6.8-5B 3.6.9-1 thruB 3.6.9-5B 3.6.10-1 thruB 3.6.10-6B 3.6.11-1 thruB 3.6.11-6B 3.6.12-1 thruB 3.6.12-11B 3.6.13-1 thruB 3.6.13-9B 3.6.14-1 thruB 3.6.14-5B 3.6.15-1 thruB 3.6.15-4B 3.6.16-1 thruB 3.6.16-4B 3.6.17-iB 3.6.17-2B 3.6.17-3B 3.6.17-4B 3.6.17-5B 3.7.1-1B 3.7.1-2B 3.7.1-3B 3.7.1-4B 3.7.1-5B 3.7.2-1B 3.7.2-2B 3.7.2-3B 3.7.2-4B 3.7.2-5B 3.7.3-1B 3.7.3-2Catawba Units 1 and 2Revision 6Revision 3Revision 6Revision 2Revision 5Revision 5Revision 4Revision 2Revision 1Revision 3Revision iRevision 0Revision 0Revision 0Revision 1Revision 0Revision 0Revision 0Revision 1Revision 1Revision 0Revision 0Revision 2Revision 1Revision 3Revision 0Revision 0Page 175/05/115/05/115/05/115/05/115/05/115/05/115/05/114/11/145/05/115/05/113/13/089/30/989/30/989/30/983/13/089/30/989/30/989/30/9810/30/0910/30/099/30/989/30/986/23/109/08/0810/30/099/30/989/30/9811/12/15 B 3.7.3-3B 3,7.3-4,B 3.7.3-5B 3.7.3-6B 3.7.4-1 thruB 3.7.4-4B 3.7.5-1 thruB 3.7.5-9B 3.7.6-1 thruB 3.7.6-3B 3.7.7-1 thruB 3.7.7-5B 3.7,8-1 thruB 3.7.8-8B 3.7.9-1 thru3.7.9-4B 3.7.10-1 thruB 3.7.10-9B 3.7.11-1 thruB 3.7,1!-4B 3.7.12-1 thruB 3.7.12-7B 3.7.13-1 thruB 3.7.13-5B 3.7.14-1 thruB 3.7.14-3B 3.7.15-1 thruB 3.7.15-4B 3.7.16-1B 3.7.16-2B 3.7.16-3B 3.7.16-4B 3.7.17-1 thruB3 3.7.17-3B 3.8.1-1 thruB.3.8. 1-29B 3.8.2-1B 3.8.2-2Revision 0Revision 0Revision 1Revision 2Revision 2Revision 3Revision 4Revision 2Revision 5Revision 3Revision 10Revision 3Revision 6Revision 4Revision 2Revision 2Revision 2Revision 2Revision 2Revision 0Revision 2Revision 5Revision 0Revision 09/ 30/989/30/989/08/0810/30/095/05/115/05/1108/02/125/05/1108/09/135/05/1110/24/1110/24/111/09/135/05/115/05/115/05/119/27/069/27/069/27/069/27/065/05/1107/27/139/30/989/30/98Catawba Units 1 and 2 Pg 81/21Page 1811/12/15 B 3.8.2-3B 3.8.2-4B 3.8.2-5B 3.8.2-6B 3.8.3-1 thruB 3.8.3-8B 3.8.4-1 thruB3.8.4. 10B 3.8.5-1B 3.8.5-2B 3.8.5-3B 3.8.6-1 thruB 3.8.6-7B 3.8.7-1 thruB 3.8.7-4B 3.8.8-1 thruB 3.8.8-4B 3.8.9-1 thruB 3.8.9-10B 3.8.10-1 thruB 3.8.10-4B 3.9.1-1 thruB 3.9.1-4B 3.9.2-1 thruB 3.9.2.4B 3.9.3-1 thruB 3.9.3-5B 3.9.4-1 thruB 3.9.4-4B 3.9.5-1 thruB 3.9.5-4B 3.9.6-1 thruB 3.9.6-3B 3.9.7-1 thruB 3.9.7-3Revision 0Revision 1Revision 2Revision 1Revision 4Revision 10Revision 0Revision 2Revision 1Revision 4Revision 3Revision 3Revision 2Revision 3Revision 3Revision 4Revision 4Revision 4Revision 3Revision 2Revision 19/30/985/10/055/10/055/10/055/05/115/05/119/30/987/29/037/29/035/05/115/05/115/05/115/05/115/05/115/05/115/05/115/05/115/05/115/05/115/05/115/05/11Catawba Units 1 and 2Pae1Page 1911/12/15 ESFAS InstrumentationB 3.3.2B 3.3 INSTRUMENTATIONB 3.3.2 Engineered Safety Feature Actuation System (ESFAS) InstrumentationBASESBACKGROUND The ESFAS initiates necessary safety systems, based on the values ofselected unit parameters, to protect against violating core design limitsand the Reactor Coolant System (RCS) pressure boundary, and tomitigate accidents.The ESFAS instrumentation is segmented into three distinct butinterconnected modules as identified below:* Field transmitters or process sensors and instrumentation: providea measurable electronic signal based on the physicalcharacteristics of the parameter being measured;* Signal processing equipment including analog protection system,field contacts, and protection channel sets: provide signalconditioning, bistable setpoint comparison, process algorithmactuation, compatible electrical signal output to protection systemdevices, and control board/control room/miscellaneous indications;and* Solid State Protection System (SSPS) including input, logic, andoutput bays: initiates the proper unit shutdown or engineeredsafety feature (ESF) actuation in accordance with the defined logicand based on the bistable outputs from the signal process controland protection system.Field Transmitters or SensorsTo meet the design demands for redundancy and reliability, more thanone, and often as many as four, field transmitters or sensors are used tomeasure unit parameters. In many cases, field transmitters or sensorsthat input to the ESFAS are shared with the Reactor Trip System (RTS).In some cases, the same channels also provide control system inputs.To account for calibration tolerances and instrument drift, which isassumed to occur between calibrations, statistical allowances areCatawba Units 1 and 2B332-ReionN.1B 3.3.2-1 ESFAS InstrumentationB 3.3.2BASESBACKGROUND (continued)provided in the NOMINAL TRIP SETPOINT. The OPERABILITY of eachtransmitter or sensor can be evaluated when its "as found" calibrationdata are compared against its documented acceptance criteria.Siginal Processinqi EqiuipmentGenerally, three or four channels of process control equipment are usedfor the signal processing of unit parameters measured by the fieldinstruments. The process control equipment provides signal conditioning,comparable output signals for instruments located on the main controlboard, and comparison of measured input signals with setpointsestablished by safety analyses. These setpoints are defined in UFSAR,Chapter 6 (Ref. 1), Chapter 7 (Ref. 2), and Chapter 15 (Ref. 3). If themeasured value of a unit parameter exceeds the predetermined setpoint,an output from a bistable is forwarded to the SSPS for decision logicprocessing. Channel separation is maintained up to and through theinput bays. However, not all unit parameters require four channels ofsensor measurement and signal processing. Some unit parametersprovide input only to the SSPS, while others provide input to the SSPS,the main control board, the unit computer, and one or more controlsystems.Generally, if a parameter is used only for input to the protection circuits,three channels with a two-out-of-three logic are sufficient to provide therequired reliability and redundancy. If one channel fails in a direction thatwould not result in a partial Function trip, the Function is still OPERABLEwith a two-out-of-two logic. If one channel fails such that a partialFunction trip occurs, a trip will not occur and the Function is stillOPERABLE with a one-out-of- two logic.Generally, if a parameter is used for input to the SSPS and a controlfunction, four channels with a two-out-of-four logic are sufficient toprovide the required reliability and redundancy. The circuit must be ableto withstand both an input failure to the control system, which may thenrequire the protection function actuation, and a single failure in the otherchannels providing the protection function actuation. Again, a singlefailure will neither cause nor prevent the protection function actuation.These requirements are described in IEEE-279-1 971 (Ref. 4). The actualnumber of channels required for each unit parameter is specified in theUFSAR.Catawba Units 1 and 2B3322ReionN.1B 3.3.2-2 ESFAS InstrumentationB 3.3.2BASESBACKGROUND (continued)Trip Setpoints and Allowable ValuesThe NOMINAL TRIP SETPOINTS are the nominal values at which thebistables are set. Any bistable is considered to be properly adjustedwhen the "as left" value is within the band for CHANNEL CALIBRATIONtolerance.The NOMINAL TRIP SETPOINTS used in the bistables are based on theanalytical limits (Ref. 1, 2, and 3). The selection of these NOMINAL TRIPSETPOINTS is such that adequate protection is provided when all sensorand processing time delays, calibration tolerances, instrumentationuncertainties, instrument drift, and severe environment errors for thoseESFAS channels that must function in harsh environments as defined by10 CFR 50.49 (Ref. 5) are taken into account. The actual as-left setpointof the bistable assures that the actual trip occurs before the AllowableValue is reached. The Allowable Value accounts for changes in randommeasurement errors detectable by a COT. One example of such achange in measurement error is drift during the surveillance interval. Ifthe point at which the loop trips does not exceed the Allowable Value, theloop is considered OPERABLE.A trip within the Allowable Value ensures that the consequences ofDesign Basis Accidents (DBAs) will be acceptable, providing the unit isoperated from within the LCOs at the onset of the DBA and theequipment functions as designed.Each channel can be tested on line to verify that the signal processingequipment and setpoint accuracy is within the specified allowancerequirements. Once a designated channel is taken out of service fortesting, a simulated signal is injected in place of the field instrumentsignal. The process equipment for the channel in test is then tested,verified, and calibrated. SRs for the channels are specified in the SRsection.The determination of the NOMINAL TRIP SETPOINTS and AllowableValues listed in Table 3.3.2-1 incorporates all of the known uncertaintiesapplicable for each channel. The magnitudes of these uncertainties arefactored into the determination of each NOMINAL TRIP SETPOINT. Allfield sensors and signal processing equipment for these channels areassumed to operate within the allowances of these-uncertaintymagnitudes.Catawba Units 1 and 2B3323ReionN.1B3.3.2-3 ESFAS InstrumentationB 3.3.2BASESBACKGROUND (continued)Solid State Protection SystemThe SSPS equipment is used for the decision logic processing of outputsfrom the signal processing equipment bistables. To meet the redundancyrequirements, two trains of SSPS, each performing the same functions,are provided. If one train is taken out of service for maintenance or testpurposes, the second train will provide ESE actuation for the unit. If bothtrains are taken out of service or placed in test, a reactor trip will result.Each train is packaged in its own cabinet for physical and electricalseparation to satisfy separation and independence requirements.The SSPS performs the decision logic for most ESF= equipment actuation;generates the electrical output signals that initiate the required actuation;and provides the status, permissive, and annunciator output signals tothe main control room of the unit.The bistable outputs from the signal processing equipment are sensed bythe SSPS equipment and combined into logic matrices that representcombinations indicative of various transients. If a required logic matrixcombination is completed, the system will send actuation signals viamaster and slave relays to those components whose aggregate Functionbest serves to alleviate the condition and restore the unit to a safecondition. Examples are given in the Applicable Safety Analyses, LCO,and Applicability sections of this Bases.Each SSPS train has a built in testing device that can test the decisionlogic matrix functions and the actuation devices while the unit is at power.When any one train is taken out of service for testing, the other train iscapable of providing unit monitoring and protection until the testing hasbeen completed. The testing device is semiautomatic to minimize testingtime.The actuation of ESE components is accomplished through master andslave relays. The SSPS energizes the master relays appropriate for thecondition of the unit. Each master relay then energizes one or moreslave relays, which then cause actuation of the end devices. The masterand slave relays are routinely tested to ensure operation. The test of themaster relays energizes the relay, which then operates the contacts andapplies a low voltage to the associated slave relays. The low voltage isnot sufficient to actuate the slave relays but only demonstrates signalCatawba Units 1 and 2B332-ReionN.1B3.3.2-4 ESFAS InstrumentationB 3.3.2BASESBACKGROUND (continued)path continuity. The SLAVE RELAY TEST actuates the devices if theiroperation will not interfere with continued unit operation. For the lattercase, actual component operation is prevented by the SLAVE RELAYTEST circuit, and slave relay contact operation is verified by a continuitycheck of the circuit containing the slave relay.APPLICABLE Each of the analyzed accidents can be detected by one orSAFETY ANALYSES, more ESFAS Functions. One of the ESFAS Functions is theLCO, AND primary actuation signal for that accident. An ESFAS FunctionAPPLICABILITY may be the primary actuation signal for more than one type of accident.An ESFAS Function may also be a secondary, or backup, actuationsignal for one or more other accidents. For example, PressurizerPressure--Low is a primary actuation signal for small loss of coolantaccidents (LOCAs) and a backup actuation signal for steam line breaks(SLBs) outside containment. Functions such as manual initiation, notspecifically credited in the accident safety analysis, are qualitativelycredited in the safety analysis and the NRC staff approved licensing basisfor the unit. These Functions may provide protection for conditions thatdo not require dynamic transient analysis to demonstrate Functionperformance. These Functions may also serve as backups to Functionsthat were credited in the accident analysis (Ref. 3).The LCO requires all instrumentation performing an ESFAS Function tobe OPERABLE. Failure of any instrument renders the affectedchannel(s) inoperable and reduces the reliability of the affectedFunctions.The LCO generally requires OPERABILITY of three or four channels ineach instrumentation function and two channels in each logic and manualinitiation function. The two-out-of-three and the two-out-of-fourconfigurations allow one channel to be tripped during maintenance ortesting without causing an ESFAS initiation. Two logic or manualinitiation channels are required to ensure no single random failuredisables the ESFAS.The required channels of ESFAS instrumentation provide unit protectionin the event of any of the analyzed accidents. ESFAS protectionfunctions are as follows:Catawba Units 1 and 2B3325ReionN.1B 3.3.2-5 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)1. .Safety InjectionSafety Injection (SI) provides two primary functions:1. Primary side water addition to ensure maintenance orrecovery of reactor vessel water level (coverage of the activefuel for heat removal, clad integrity, and for limiting peak cladtemperature to < 2200°F); and2. Boration to ensure recovery and maintenance ofSDM (kerr < 1.0).These functions are necessary to mitigate the effects of highenergy line breaks (HELBs) both inside and outside ofcontainment. The SI signal is also used to initiate other Functionssuch as:* Phase A Isolation;* Containment Purge and Exhaust Isolation;* Reactor Trip;* Turbine Trip;* Feedwater Isolation;* Start of motor driven auxiliary feedwater (AFW)pumps;* Start of control room area ventilation filtration trains;* Enabling automatic switchover of Emergency Core CoolingSystems (ECCS) suction to containment sump;* Start of annulus ventilation system filtration trains;* Start of auxiliary building filtered ventilation exhaust systemtrains;* Start of diesel generatorsCatawba Units 1 and 2B332-ReionN.1B 3.3.2-6 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)* Start of nuclear service water system pumps; and* Start of component cooling water system pumps.These other functions ensure:* Isolation of nonessential systems through containmentpenetrations;* Trip of the turbine and reactor to limit power generation;* Isolation of main feedwater (MEW) to limit secondary sidemass losses;* Start of AFW to ensure secondary side cooling capability;* Filtration of the control room to ensure habitability;* Enabling ECCS suction from the refueling water storage tank(RWST) switchover on low RWST level to ensure continuedcooling via use of the containment sump;* Starting of annulus ventilation and auxiliary building filteredventilation to limit offsite releases;* Starting of diesel generators for loss of offsite powerconsiderations; and* Starting of component cooling water and nuclear servicewater systems for heat removal.a. Safety Iniection-Manual InitiationThe LCO requires two channels to be OPERABLE. Theoperator can initiate SI at any time by using either of twoswitches in the control room. This action will cause actuationof all components in the same manner as any of theautomatic actuation signals.The LCO for the Manual Initiation Function ensures theproper amount of redundancy is maintained in the manualESFAS actuation circuitry to ensure the operator has manualESFAS initiation capability.Catawba Units 1 and 2B332-ReionN.1B3.3.2-7 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Each train consists of one push button and theinterconnecting wiring to the actuation logic cabinet. Thisconfiguration does not allow testing at power.b. Safety Iniection-Automatic Actuation Loqic andActuation RelaysThis LCO requires two trains to be OPERABLE. Actuationlogic consists of all circuitry housed within the actuationsubsystems, including the initiating relay contactsresponsible for actuating the ESF equipment.Manual and automatic initiation of SI must be OPERABLE inMODES 1, 2, and 3. In these MODES, there is sufficientenergy in the primary and secondary systems to warrantautomatic initiation of ESF systems. In MODE 4, adequatetime is available to manually actuate required components inthe event of a DBA, but because of the large number ofcomponents actuated on a SI, actuation is simplified by theuse of the manual actuation push buttons. Automaticactuation logic and actuation relays must be OPERABLE inMODE 4 to support system level manual initiation.These Functions are not required to be OPERABLE inMODES 5 and 6 because there is adequate time for theoperator to evaluate unit conditions and resPond by manuallystarting individual systems, pumps, and other equipment tomitigate the consequences of an abnormal condition oraccident. Unit pressure and temperature are very low andmany ESF components are administratively locked out orotherwise prevented from actuating to prevent inadvertentoverpressurization of unit systems.c. Safety Iniection-Containment Pressure-Hi~qhThis signal provides protection against thefollowing accidents:*SLB inside containment;* LOCA; and*Feed line break inside containment.Catawba Units 1 and 2B332-ReionN.1B3.3.2-8 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Containment Pressure-High provides no input to any controlfunctions. Thus, three OPERABLE channels are sufficient tosatisfy protective requirements with a two-out-of-three logic:Containment Pressure-High must be OPERABLE inMODES 1, 2, and 3 when there is sufficient energy in theprimary and secondary systems to pressurize thecontainment following a pipe break. In MODES 4, 5, and 6,there is insufficient energy in the primary or secondarysystems to pressurize the containment.d. Safety Iniection-Pressurizer Pressure-LowThis signal provides protection against the followingaccidents:* Inadvertent opening of a steam generator (SG) reliefor safety valve;* SLB;* A spectrum of rod cluster control assembly ejectionaccidents (rod ejection);* Inadvertent opening of a pressurizer relief or safetyvalve;* LOCAs; and* SG Tube Rupture.Pressurizer pressure provides both control and protectionfunctions: input to the Pressurizer Pressure Control System,reactor trip, and SI. Therefore, the actuation logic must beable to withstand both an input failure to control system,which may then require the protection function actuation, anda single failure in the other channels providing the protectionfunction actuation. Thus, four OPERABLE channels arerequired to satisfy the requirements with a two-out-of-fourlogic.Catawba Units 1 and 2B332-ReionN.1B3.3.2-9 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)This Function must be OPERABLE in MODES 1, 2, and 3(above P-I11) to mitigate the consequences of an HELBinside containment. This signal may be manually blocked bythe operator below the P-1 1 setpoint. Automatic SI actuationbelow this pressure setpoint is then performed by theContainment Pressure-High signal.This Function is not required to be OPERABLE in MODE 3below the P-Il setpoint. Other ESF functions are used todetect accident conditions and actuate the ESF systems inthis MODE. In MODES 4, 5, and 6, this Function is notneeded for accident detection and mitigation.2. Deleted.3. Containment IsolationContainment Isolation provides isolation of the containmentatmosphere, and all process systems that penetrate containment,from the environment. This Function is necessary to prevent orlimit the release of radioactivity to the environment in the event of alarge break LOCA.There are two separate Containment Isolation signals, Phase Aand Phase B. Phase A isolation isolates all automatically isolableprocess lines, except component cooling water (CCW) and nuclearservice water system (NSWS), at a relatively low containmentpressure indicative of primary or secondary system leaks. Forthese types of events, forced circulation cooling using the reactorcoolant pumps (RCPs) and SGs is the preferred (but not required)method of decay heat removal. Since CCW and NSWS arerequired to support ROP operation, not isolating CCW and NSWSon the low pressure Phase A signal enhances unit safety byallowing operators to use forced RCS circulation to cool the unit.Isolating CCW and NSWS on the low pressure signal may forcethe use of feed and bleed cooling, which could prove more difficultto control.Catawba Units 1 and 2 B3321 eiinN.1B 3.3.2-10 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LOCO, and APPLICABILITY (continued)Phase A containment isolation is actuated automatically by SI, ormanually via the actuation circuitry. All process lines penetratingcontainment, with the exception of CCW and NSWS, are isolated.CCW is not isolated at this time to permit continued operation ofthe RCPs with cooling water flow to the thermal barrier heatexchangers and air or oil coolers. All process lines not equippedwith remote operated isolation valves are manually closed, orotherwise isolated, prior to reaching MODE 4.Manual Phase A Containment Isolation is accomplished by either oftwo switches in the control room. Either switch actuates itsassociated train.The Phase B signal isolates CCW and NSWS. This occurs at arelatively high containment pressure that is indicative of a largebreak LOCA or an SLB. For these events, forced circulation usingthe RCPs is no longer desirable. Isolating the CCW and NSWS atthe higher pressure does not pose a challenge to the containmentboundary because the CCW System and NSWS are closed loopsinside containment. Although some system components do notmeet all of the ASME Code requirements applied to thecontainment itself, the systems are continuously pressurized to apressure greater than the Phase B setpoint. Thus, routineoperation demonstrates the integrity of the system pressureboundary for pressures exceeding the Phase B setpoint.Furthermore, because system pressure exceeds the Phase Bsetpoint, any system leakage prior to initiation of Phase B isolationwould be into containment. Therefore, the combination of CCWSystem and NSWS design and Phase B isolation ensures there isnot a potential path for radioactive release from containment.Catawba Units 1 and 2 B3321 eiinN.1B 3.3.2-11 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Phase B containment isolation is actuated by ContainmentPressure-High High, or manually, via the automatic actuation logic,as previously discussed. For containment pressure to reach avalue high enough to actuate Containment Pressure-High High, alarge break LOCA or SLB must have occurred. RCP operation willno longer be required and CCW to the RCPs and NSWS to theRCP motor coolers are, therefore, no longer necessary. TheRCPs can be operated with seal injection flow alone and withoutCCW flow to the thermal barrier heat exchanger.Manual Phase B Containment Isolation is accomplished bypushbuttons on the main control board. In addition to manuallyinitiating a Phase B Containment Isolation, the pushbuttons alsoisolate the containment ventilation system.a. Containment Isolation-Phase A Isolation(1) Phase A Isolation-Manual InitiationManual Phase A Containment Isolation is actuated byeither of two switches in the control room. Eachswitch actuates its respective train.(2) Phase A Isolation-Automatic Actuation Lo~qic andActuation RelaysAutomatic Actuation Logic and Actuation Relaysconsist of the same features and operate in the samemanner as described for ESFAS Function 1 .b.Manual and automatic initiation of Phase A ContainmentIsolation must be OPERABLE in MODES 1, 2, and 3, whenthere is a potential for an accident to occur. In MODE 4,adequate time is available to manually actuate requiredcomponents in the event of a DBA, but because of the largenumber of components actuated on a Phase A ContainmentIsolation, actuation is simplified by the use of the manualactuation push buttons. Automatic actuation logic andactuation relays must be OPERABLE in MODE 4 to supportCatawba Units 1 and 2 B3321 eiinN.1B 3.3.2-12 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)system level manual initiation. In MODES 5 and 6, there isinsufficient energy in the primary or secondary systems topressurize the containment to require Phase A ContainmentIsolation. There also is adequate time for the operator toevaluate unit conditions and manually actuate individualisolation valves in response to abnormal or accidentconditions.(3) Phase A Isolation-Safety IniectionPhase A Containment Isolation is also initiated by allFunctions that initiate SI. The Phase A ContainmentIsolation requirements for these Functions are thesame as the requirements for their SI function.Therefore, the requirements are not repeated inTable 3.3.2-1. Instead, Function 1, SI, is referencedfor all initiating Functions and requirements.b. Containment Isolation-Phase B IsolationPhase B Containment Isolation is accomplished by manualInitiation, Automatic Actuation Logic and Actuation Relays,and by Containment Pressure channels. The ContainmentPressure trip of Phase B Containment Isolation is energizedto trip in order to minimize the potential of spurious trips thatmay damage the RCPs.(1) Phase B Isolation-Manual Initiation(2) Phase B Isolation-Automatic Actuation Loqjic andActuation RelaysManual and automatic initiation of Phase Bcontainment isolation must be OPERABLE inMODES 1, 2, and 3, when there is a potential for anaccident to occur. In MODE 4, adequate time isavailable to manually actuate required components inthe event of a DBA. However, because of the largenumber of components actuated on a Phase BCatawba Units 1 and 2 B3321 eiinN.1B 3.3.2-13 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)containment isolation, actuation is simplified by theuse of the manual actuation push buttons. Automaticactuation logic and actuation relays must beOPERABLE in MODE 4 to support system levelmanual initiation. In MODES 5 and 6, there isinsufficient energy in the primary or secondarysystems to pressurize the containment to requirePhase B containment isolation. There also isadequate time for the operator to evaluate unitconditions and manually actuate individual isolationvalves in response to abnormal or accidentconditions.(3) Phase B Isolation-Containment Pressure -High-HighContainment Pressure -High-High uses fourchannels in a two-out-of-four logic configuration.Since containment pressure is not used for control,this arrangement exceeds the minimum redundancyrequirements. Additional redundancy is warrantedbecause this Function is energize to trip.Containment Pressure -High-High must beOPERABLE in MODES 1, 2, and 3 when there issufficient energy in the primary and secondary sidesto pressurize the containment following a pipe break.In MODES 4, 5, and 6, there is insufficient energy inthe primary and secondary sides to pressurize thecontainment and reach the Containment Pressure -High-High setpoints.4. Steam Line IsolationIsolation of the main steam lines provides protection in the event ofan SLB inside or outside containment. Rapid isolation of the steamlines will limit the steam break accident to the blowdown from oneSG, at most. For an SLB upstream of the main steam isolationvalves (MSIVs), inside or outside of containment, closure of theMSIVs limits the accident to the blowdown from only the affectedSG. For an SLB downstream of the MSIVs, closure of the MSIVsterminates the accident as soon as the steam lines depressurize.Steam Line Isolation also mitigates the effects of a feed line breakand ensures a source of steam for the turbine driven AFW pumpduring a feed line break.Catawba Units 1 and 2.B3321ReionN.1B 3.3.2-14 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)a. Steam Line Isolation-Manual InitiationManual initiation of Steam Line Isolation can beaccomplished from the control room. There are two systemlevel switches in the control room and either switch caninitiate action to immediately close all MSIVs. The LCOrequires two channels to be OPERABLE. Individual valvesmay also be closed using individual hand switches in thecontrol room. The LCO requires four individual channels tobe OPERABLE.b. Steam Line Isolation-Automatic Actuation Loqic andActuation RelaysAutomatic actuation logic and actuation relays consist of thesame features and operate in the same manner as describedfor ESFAS Function 1 .b.Manual and automatic initiation of steam line isolation must beOPERABLE in MODES 1, 2, and 3 when there is sufficient energyin the RCS and SGs to have an SLB or other accident. This couldresult in the release of significant quantities of energy and cause acooldown of the primary system. The Steam Line IsolationFunction is required in MODES 2 and 3 unless all MSIVs areclosed and de-activated. In MODES 4, 5, and 6, there isinsufficient energy in the RCS and SGs to experience an SLB orother accident releasing significant quantities of energy.c. Steam Line Isolation-Containment Pressure-Higqh HighThis Function actuates closure of the MSIVs in the event of aLOCA or an SLB inside containment to maintain threeunfaulted SGs as a heat sink for the reactor, and to limit themass and energy release to containment. ContainmentPressure-High High uses four channels in a two-out-of-fourlogic configuration. Since containment pressure is not usedfor control, this arrangement exceeds the minimumredundancy requirements. Additional redundancy iswarranted because this Function is energize to trip.Containment Pressure-High High must be OPERABLE inMODES 1, 2, and 3, when there is sufficient energy in theprimary and secondary side to pressurize the containmentfollowing a pipe break. This would cause a significantincrease in the containment pressure, thus allowing detectionCatawba Units 1 and 2 B3321 eiinN.1B3.3.2-15 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)and closure of the MSIVs. The Steam Line IsolationFunction remains OPERABLE in MODES 2 and 3 unless allMSIVs are closed and de-activated. In MODES 4, 5, and 6,there is not enough energy. in the primary and secondarysides to pressurize the containment to the ContainmentPressure-High High setpoint.d. Steam Line Isolation-Steam Line PressureSteam Line Pressure channels provide both protection andcontrol functions. The protection functions include: SteamLine Pressure-Low and Steam Line Pressure-Negative Ratefunctions. The control functions include: Digital FeedwaterControl System (DECS) which controls SG level.(1) Steam Line Pressure-LowSteam Line Pressure-Low provides closure of theMSIVs in the event of an SLB to maintain threeunfaulted SGs as a heat sink for the reactor, and tolimit the mass and energy release to containment.This Function provides closure of the MSIVs in theevent of a feed line break to ensure a supply of steamfor the turbine driven AFW pump.DFCS receives steam pressure inputs from threeseparate protection channels for each SG. The threeinputs are median selected for each SG, with theresultant output being used by the automatic controlalgorithm. The median select feature prevents thefailure of an input signal from affecting the controlsystem. A loss of two or more input signals will placethe control system in manual and alert the operator.DFCS will maintain a steady control function duringthe switch to manual operation; therefore, a failure ofone or more input signals will not cause a controlsystem action that would result in a conditionrequiring protective actions. Thus, three OPERABLEchannels on each steam line, with a two-out-of-threelogic on each steam line, are sufficient to satisfyprotective requirements.Steam Line Pressure-Low Function must beOPERABLE in MODES 1, 2, and 3 (above P-i11), withany main steam valve open, when a secondary sideCatawba Units 1 and 2 B3321 eiinN.1B 3.3.2-16 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)break or stuck open valve could result in the rapiddepressurization of the steam lines. This signal maybe manually blocked by the operator below the P-i11setpoint. Below P-i11, an inside containment SLB willbe terminated by automatic actuation viaContainment Pressure-High High. Stuck valvetransients and outside containment SLBs will beterminated by the Steam Line Pressure-NegativeRate-High signal for Steam Line Isolation below P-i11when SI has been manually blocked. The SteamLine Isolation Function is required in MODES 2 and 3unless all MSlVs are closed and de-activated. ThisFunction is not required to be OPERABLE inMODES 4, 5, and 6 because there is insufficientenergy in the secondary side of the unit to have anaccident.(2) Steam Line Pressure-Neciative Rate-HicjhSteam Line Pressure-Negative Rate-High providesclosure of the MSlVs for an SLB when less than theP-i11 setpoint, to maintain at least one unfaulted SGas a heat sink for the reactor, and to limit the massand energy release to containment. When theoperator manually blocks the Steam Line Pressure-Low main steam isolation signal when less than theP-1 1 setpoint, the Steam Line Pressure-NegativeRate-High signal is automatically enabled. DFCSreceives steam pressure inputs from three separateprotection channels for each SG. The three inputsare median selected for each SG, with the resultantoutput being used by the automatic control algorithm.The median select feature prevents the failure of aninput signal from affecting the control system. A lossof two or more input signals will place the controlsystem in manual and alert the operator. DFCS willmaintain a steady control function during the switch tomanual operation; therefore, a failure of one or moreinput signals will not cause a control system actionthat would result in a condition requiring protectiveactions. Thus, three OPERABLE channels on eachsteam line, with a two-out-of-three logic on eachsteam line, are sufficient to satisfy protectiverequirements.Catawba Units 1 and 2 B3321 eiinN.iB 3.3.2-17 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Steam Line Pressure-Negative Rate-High must beOPERABLE in MODE 3 when less than the P-i11setpoint, when a secondary side break or stuck openvalve could result in the rapid depressurization of thesteam line(s). In MODES 1 and 2, and in MODE 3,when above the P-11I setpoint, this signal isautomatically disabled and the Steam Line Pressure-Low signal is automatically enabled. The Steam LineIsolation Function is required to be OPERABLE inMODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is insufficientenergy in the primary and secondary sides to have anSLB or other accident that would result in a release ofsignificant enough quantities of energy to cause acooldown of the RCS.5. Turbine Trip and Feedwater IsolationThe primary functions of the Turbine Trip and Feedwater Isolationsignals are to prevent damage to the turbine due to water in thesteam lines, stop the excessive flow of feedwater into the SGs, andto limit the energy released into containment. These Functions arenecessary to mitigate the effects of a high water level in the SGs,which could result in carryover of water into the steam lines andexcessive cooldown of the primary system. The SG high waterlevel is due to excessive feedwater flows. Feedwater Isolationserves to limit the energy released into containment upon afeedwater line or steam line break inside containment.The Functions are actuated when the level in any SG exceeds thehigh high setpoint, and performs the following functions:* Trips the main turbine;* Trips the MFW pumps;* Initiates feedwater isolation; and* Shuts the MFW regulating valves and the bypass feedwaterregulating valves.Turbine Trip and Feedwater Isolation signals are both actuated bySG Water Level-High High, or by an SI signal. The RTS alsoinitiates a turbine trip signal whenever a reactor trip (P-4) isgenerated. A Feedwater Isolation signal is also generated by aCatawba Units 1 and 2 B3321 eiinN.1B 3.3.2-18 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)reactor trip (P-4) coincident with Ta,,gLow and on a high water levelin the reactor building doghouse. The MEW System is also takenout of operation and the AFW System is automatically started. TheSI signal was discussed previously.a. Turbine Trip(1) Turbine Tripj-Automatic Actuation Loqic and ActuationRelaysAutomatic Actuation Logic and Actuation Relaysconsist of the same features and operate in the samemanner as described for ESFAS Function 1 .b.(2) Turbine Tripj-Steam Generator Water Level-Higqh Higqh(P-14)This signal prevents damage to the turbine due towater in the steam lines. The ESFAS SG water levelinstruments provide input to the SG Water LevelControl System. Therefore, the actuation logic mustbe able to withstand both an input failure to thecontrol system (which may then require the protectionfunction actuation) and a single failure in the otherchannels providing the protection function actuation.Thus, four OPERABLE channels are required tosatisfy the requirements with a two-out-of-four logic.The setpoints are based on percent of narrow rangeinstrument span.(3) Turbine Trip-Safety IniectionTurbine Trip is also initiated by all Functions thatinitiate SI. Therefore, the requirements are notrepeated in Table 3.3.2-1. Instead Function 1, SI, isreferenced for all initiating functions andrequirements. Item 5.a.(1) is referenced for theapplicable MODES.The Turbine Trip Function must be OPERABLE in MODES 1and 2. In lower MODES, the turbine generator is not inservice and this Function is not required to be OPERABLE.b. Feedwater IsolationCatawba Units 1 and 2 B3321 eiinN.1B3.3.2-19 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)(1) Feedwater Isolation-Automatic Actuation Loqic andActuation RelaysAutomatic Actuation Logic and Actuation Relaysconsist of the same features and operate in the samemanner as described for ESFAS Function 1 .b.(2) Feedwater Isolation-Steam Generator Water Level-Hi~qh Hicqh (P-14)This signal provides protection against excessivefeedwater flow. The ESFAS SG water levelinstruments provide input to the SG Water LevelControl System. Therefore, the actuation logic mustbe able to withstand both an input failure to thecontrol system (which may then require the protectionfunction actuation) and a single failure in the otherchannels providing the protection function actuation.Thus, four OPERABLE channels are required tosatisfy the requirements with a two-out-of-four logic.The setpoints are based on percent of narrow rangeinstrument span.(3) Feedwater Isolation-Safety IniectionFeedwater Isolation is also initiated by all Functionsthat initiate SI. The Feedwater Isolation Functionrequirements for these Functions are the same as therequirements for their SI function. Therefore, therequirements are not repeated in Table 3.3.2-1.Instead Function 1, SI, is referenced for all initiatingfunctions and requirements. Item 5.b.(1) isreferenced for the applicable MODES.(4) Feedwater Isolation -RCS Low coincident withReactor Trip (P-4)This signal provides protection against excessivecooldown, which could subsequently introduce apositive reactivity excursion after a plant trip. Thereare four channels of RCS Tavg -Low (one per loop),with a two-out-of-four logic required coincident with areactor trip signal (P-4) to initiate a feedwaterisolation. The P-4 interlock is discussed in Function8.a.Catawba Units 1 and 2 B3322 eiinN.1B 3.3.2-20 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)(5) Feedwater Isolation -Doqhouse Water Level -HiqhThis signal initiates a Feedwater Isolation. Thesignal terminates forward feedwater flow in the eventof a postulated pipe break in the main feedwaterpiping in the doghouses to prevent flooding safetyrelated equipment essential to the safe shutdown ofthe plant. Each doghouse contains two trains of levelinstrumentation. The level instrumentation consistsof six level switches (three per train) in each of thetwo reactor building doghouses. A high-high leveldetected by two-out-of-three switches, in either theinboard or outboard doghouse, will initiate adoghouse isolation. This signal initiates FeedwaterIsolation for the specific doghouse where the High-High level is detected and trips both main feedwaterpumps thus causing a main turbine trip.The Feedwater Isolation Function must be OPERABLE inMODES 1 and 2 and also in MODE 3 (except for thefunctions listed in Table 3.3.2-1). Feedwater Isolation is notrequired OPERABLE when all MFIVs, MFCVs, andassociated bypass valves are closed and de-activated orisolated by a closed manual valve. In lower MODES, theMFW System is not in service and this Function is notrequired to be OPERABLE.6. Auxiliary FeedwaterThe AFW System is designed to provide a secondary side heatsink for the reactor in the event that the MFW System is notavailable. The system has two motor driven pumps and a turbinedriven pump, making it available during normal and accidentoperation. The normal source of water for the AFW System is thecondensate storage system (not safety related). A low suctionpressure to the AFW pumps will automatically realign the pumpsuctions to the Nuclear Service Water System (NSWS)(safetyrelated). The AFW System is aligned so that upon a pump start,flow is initiated to the respective SGs immediately.a. Auxiliary Feedwater-Automatic Actuation Loq icand Actuation RelaysAutomatic actuation logic and actuation relays consist of theCatawba Units 1 and 2 B3322 eiinN.1B 3.3.2-21 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCD, and APPLICABILITY (continued)same features and operate in the same manner as describedfor ESFAS Function 1 .b.b. Auxiliary Feedwater-Steam Generator WaterLevel-Low LowSG Water Level-Low Low provides protection against a lossof heat sink. A feed line break, inside or outside ofcontainment, or a loss of MFW, would result in a loss of SGwater level. SG Water Level-Low Low provides input to theSG Level Control System. Therefore, the actuation logicmust be able to withstand both an input failure to the controlsystem which may then require a protection functionactuation and a single failure in the other channels providingthe protection function actuation. Thus, four OPERABLEchannels are required to satisfy the requirements with two-out-of-four logic. The setpoints are based on percent ofnarrow range instrument span.SG Water Level--Low Low in any operating SG will causethe motor driven AFW pumps to start. The system is alignedso that upon a start of the pump, water immediately begins toflow to the SGs. SG Water Level--Low Low in any twooperating SGs will cause the turbine driven pumps to start.c. Auxiliary Feedwater--Safety IniectionAn SI signal starts the motor driven AFW pumps. The AFWinitiation functions are the same as the requirements for theirSI function. Therefore, the requirements are not repeated inTable 3.3.2-1. Instead, Function 1, SI, is referenced for allinitiating functions and requirements.d. Auxiliary Feedwater-Loss of Offsite PowerA loss of offsite power to the service buses will beaccompanied by a loss of reactor coolant pumping powerand the subsequent need for some method of decay heatremoval. The loss of offsite power is detected by a voltagedrop on each essential service bus. Loss of power to eitheressential service bus will start the turbine driven and motordriven AFW pumps to ensure that at least two SGs containenough water to serve as the heat sink for reactor decayheat and sensible heat removal following the reactor trip.Catawba Units 1 and 2B332-2RvsoNo1B 3.3.2-22 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Functions 6.a through 6.d must be OPERABLE in MODES 1, 2,and 3 to ensure that the SGs remain the heat sink for the reactor.These Functions do not have to be OPERABLE in MODES 5 and 6because there is not enough heat being generated in the reactor torequire the SGs as a heat sink. In MODE 4, AFW actuation doesnot need to be OPERABLE because either AFW or residual heatremoval (RHR) will already be in operation to remove decay heat orsufficient time is available to manually place either system inoperation.e. Auxiliary Feedwater-Trip of All Main Feedwater PumpsA Trip of all MFW pumps is an indication of a loss of MEWand the subsequent need for some method of decay heatand sensible heat removal to bring the reactor back to noload temperature and pressure. Each turbine driven MFWpump is equipped with three pressure switches on the trip oilsystem. A low pressure signal from two-out-of-three of thesepressure switches indicates a trip of that pump. ThreeOPERABLE channels per pump satisfy redundancyrequirements with two-out-of-three logic. A trip of all MEWpumps starts the motor driven AFW pumps to ensure that atleast two SGs are available with water to act as the heat sinkfor the reactor. This function must be OPERABLE inMODES 1 and 2. This ensures that at least two SGs areprovided with water to serve as the heat sink to removereactor decay heat and sensible heat in the event of anaccident. In MODES 3, 4, and 5, the MEW pumps may benormally shut down, and thus neither pump trip is indicativeof a condition requiring automatic AFW initiation.f. Auxiliary Feedwater-Pump Suction Transfer onSuction Pressure-LowA low pressure signal in the AFW pump suction line protectsthe AFW pumps against a loss of the normal supply of waterfor the pumps, the condensate storage system. Threepressure switches per train are located on the AFW pumpsuction line from the condensate storage system. A lowpressure signal sensed by two-out-of-three switches will aligntheir train related motor driven AFW pump and the turbinedriven AFW pump to the assured water supply (NSWS). TheNSWS (safety grade) is then lined up to supply the AFWpumps to ensure an adequate supply of water for the AFWCatawba Units 1 and 2 B3322 eiinN.1B 3.3.2-23 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)System to maintain at least two of the SGs as the heat sinkfor reactor decay heat and sensible heat removal.This Function must be OPERABLE in MODES 1, 2, and 3 toensure a safety grade supply of water for the AFW System tomaintain the SGs as the heat sink for the reactor. ThisFunction does not have to be OPERABLE in MODES 5 and 6because there is not enough heat being generated in thereactor to require the SGs as a heat sink. In MODE 4, AFWautomatic suction transfer does not need to be OPERABLEbecause RHR will already be in operation, or sufficient timeis available to place RHR in operation, to remove decay heat.7. Automatic Switchover to Containment SumpAt the end of the injection phase of a LOCA, the RWST will benearly empty. Continued cooling must be provided by the ECOS toremove decay heat. The source of water for the ECCS pumps isautomatically switched to the containment recirculation sump. Thelow head residual heat removal (RHR) pumps and containmentspray pumps draw the water from the containment recirculationsump, the RHR pumps pump the water through the RHR heatexchanger, inject the water back into the RCS, and supply thecooled water to the other ECCS pumps. Switchover from theRWST to the-containment sump must occur before the RWSTempties to prevent damage to the RHR pumps and a loss of corecooling capability.a. Automatic Switchover to Containment Sump-Automatic Actuation Locqic and Actuation RelaysAutomatic actuation logic and actuation relays consist of thesame features and operate in the same manner as describedfor ESFAS Function 1 .b.b. Automatic Switchover to ContainmentSump-Refuelinq Water Stora~qe Tank (RWST)Level-Low Coincident With Safety IniectionDuring the injection phase of a LOCA, the RWST is thesource of water for all ECCS pumps. A low level in theRWST coincident with an SI signal provides protectionagainst a loss of water for the ECCS pumps and indicatesthe end of the injection phase of the LOCA. The RWST isequipped with four level transmitters. These transmittersCatawba Units 1 and 2 B3322 eiinN.1B 3.3.2-24 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)provide no control functions. Since an inadvertentswitchover to the containment sump could have a significantsafety impact, this instrumentation is placed in a bypasscondition for testing. Therefore, four channels are suppliedsuch that, during testing, the remaining three channels couldperform the intended function, and no single failure couldresult in either a failure to accomplish the intended function,or in an inadvertent switchover to the containment sump.Automatic switchover occurs only if the RWST low levelsignal is coincident with SI. This prevents accidentalswitchover during normal operation. Accidental switchovercould damage ECCS pumps if they are attempting to takesuction from an empty sump. The automatic switchoverFunction requirements for the SI Functions are the same asthe requirements for their SI function. Therefore, therequirements are not repeated in Table 3.3.2-1. Instead,Function 1, SI, is referenced for all initiating Functions andrequirements.These Functions must be OPERABLE in MODES 1, 2, 3,and 4 when there is a potential for a LOCA to occur, toensure a continued supply of water for the ECOS pumps.These Functions are not required to be OPERABLE inMODES 5 and 6 because there is adequate time for theoperator to evaluate unit conditions and respond by manuallystarting systems, pumps, and other equipment to mitigate theconsequences of an abnormal condition or accident. Systempressure and temperature are very low and many ESFcomponents are administratively locked out or otherwiseprevented from actuating to prevent inadvertentoverpressurization of unit systems.8. Engqineered Safety Feature Actuation System InterlocksTo allow some flexibility in unit operations, several interlocks areincluded as part of the ESFAS. These interlocks permit theoperator to block some signals, automatically enable other signals,prevent some actions from occurring, and cause other actions tooccur. The interlock Functions back up manual actions to ensurebypassable functions are in operation under the conditionsassumed in the safety analyses.Catawba Units 1 and 2 B3322 eiinN.1B 3.3.2-25 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)a. Engineered Safety Feature Actuation SystemInterlocks--Reactor Trip. P-4The P-4 interlock is enabled when a reactor trip breaker(RTB) and its associated bypass breaker is open. Operatorsare able to reset SI 60 seconds after initiation. If a P-4 ispresent when SI is reset, subsequent automatic SI initiationswill be blocked until the RTBs have been manually closed.This Function allows operators to take manual control of SIsystems after the initial phase of injection is complete whileavoiding multiple SI initiations. The functions of the P-4interlock are:* Trip the main turbine;* Isolate MFW with coincident low Tavg;* Prevent reactuation of SI after a manual reset of SI;* Transfer the steam dump from the load rejectioncontroller to the unit trip controller; and* Prevent opening of the MFW isolation valves if theywere closed on SI or SG Water Level--High High.Each of the above Functions is interlocked with P-4 to avertor reduce the continued cooldown of the RCS following areactor trip. An excessive cooldown of the RCS following areactor trip could cause an insertion of positive reactivity witha subsequent increase in generated power. To avoid such asituation, the noted Functions have been interlocked with P-4as part of the design of the unit control and protectionsystem.None of the noted Functions serves a mitigation function inthe unit licensing basis safety analyses. Only the turbine tripFunction is explicitly assumed since it is an immediateconsequence of the reactor trip Function. Neither turbinetrip, nor any of the other four Functions associated with thereactor trip signal, is required to show that the unit licensingbasis safety analysis acceptance criteria are not exceeded.The RTB position switches that provide input to the P-4interlock only function to energize or de-energize or open orclose contacts. Therefore, this Function has no adjustableCatawba Units 1 and 2 B3322 eiinN.1B 3.3.2-26 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)trip setpoint with which to associate a Trip Setpoint andAllowable Value.This Function must be OPERABLE in MODES 1, 2, and 3when the reactor may be critical or approaching criticality.This Function does not have to be OPERABLE in MODE 4,5, or 6 because the main turbine, the MFW System, and theSteam Dump System are not in operation.b. Engqineered Safety Feature Actuation SystemInterlocks-Pressurizer Pressure. P-11IThe P-i1I interlock permits a normal unit cooldown anddepressurization without actuation of SI or main steam lineisolation. With two-out-of-three pressurizer pressurechannels (discussed previously) less than the P-i11 setpoint,the operator can manually block the Pressurizer Pressure-Low SI signal and the Steam Line Pressure-Low steam lineisolation signal (previously discussed). When the SteamLine Pressure-Low steam line isolation signal is manuallyblocked, a main steam isolation signal on Steam LinePressure-Negative Rate-High is enabled. This providesprotection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-i11setpoint, the Pressurizer Pressure-Low SI signal and theSteam Line Pressure-Low steam line isolation signal areautomatically enabled. The operator can also enable thesetrips by use of the respective manual reset buttons. Whenthe Steam Line Pressure-Low steam line isolation signal isenabled, the main steam isolation on Steam Line Pressure-Negative Rate--High is disabled.This Function must be OPERABLE in MODES 1, 2, and 3 toallow an orderly cooldown and depressurization of the unitwithout the actuation of SI or main steam isolation. ThisFunction does not have to be OPERABLE in MODE 4, 5, or 6because system pressure must already be below the P-i1!setpoint for the requirements of the heatup and cooldowncurves to be met.c. Engqineered Safety Feature Actuation Systemlnterlocks-T~v-Low Low. P-i12On increasing reactor coolant temperature, the P-12 interlockprovides an arming signal to the Steam Dump System. On aCatawba Units 1 and 2 B3322 eiinN.1B 3.3.2-27 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)decreasing temperature, the P-i12 interlock removes thearming signal to the Steam Dump System to prevent anexcessive cooidown of the RCS due to a malfunctioningSteam Dump System.Since Tavg is used as an indication of bulk RCS temperature,this Function meets redundancy requirements with oneOPERABLE channel in each loop. These channels are usedin two-out-of-four logic. This Function must be OPERABLEin MODES 1, 2, and 3 when a secondary side break or stuckopen valve could result in the rapid depressurization of thesteam lines. This Function does not have to be OPERABLEin MODE 4, 5, or 6 because there is insufficient energy in thesecondary side of the unit to have an accident.9. Containment Pressure Control System PermissivesThe Containment Pressure Control System (CPCS) protects theContainment Building from excessive depressurization bypreventing inadvertent actuation or continuous operation of theContainment Spray and Containment Air Return Systems whencontainment pressure is at or less than the CPCS permissivesetpoint. The control scheme of CPCS is comprised of eightindependent control circuits (4 per train), each having a separateand independent pressure transmitter and current alarm module.Each pressure transmitter monitors the containment pressure andprovides input to its respective current alarm. The current alarmsare set to inhibit or terminate containment spray and containmentair return systems when containment pressure falls to or below0.25 psid. The alarm modules switch back to the permissive state(allowing the systems to operate) when containment pressure isgreater than or equal to 1.0 psid.This function must be OPERABLE in MODES 1, 2, :3, and 4 whenthere is sufficient energy in the primary and secondary sides topressurize containment following a pipe break. In MODES 5 and 6,there is insufficient energy in the primary and secondary sides tosignificantly pressurize the containment.10. Nuclear Service Water System Suction Transfer -Low Pit LevelUpon an emergency low pit level signal from either NSWS pit,interlocks isolate the NSWS from Lake Wylie, align NSWS to thestandby nuclear service water pond, close particular crossoverCatawba Units 1 and 2 B3322 eiinN.1B 3.3.2-28 ESFAS InstrumentationB 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)valves, and start the NSWS pumps. This function is initiated on atwo-out-of-three logic from either NSWS pump pit.This function must be OPERABLE in MODES 1, 2, 3, and 4 toensure cooling water remains available to essential componentsduring a DBA. In MODES 5 and 6, the sufficient time exists formanual operator action to realign the NSWS pump suction, ifrequired.Unlike other shared NSWS equipment, the pit level interlocks donot require both normal and emergency power for OPERABILITY.This is because unlike mechanical components such as pumps andvalves, the interlocks are designed to fail safe upon a loss ofpower, initiating a transfer from Lake Wylie to the standby nuclearservice water pond. The definition of OPERABILITY, whichrequires either normal or emergency power, provides sufficientpower supply requirements and these interlocks can be consideredOPERABLE provided they are powered from either an inverter orregulated power.The ESFAS instrumentation satisfies Criterion 3 of 10 CFR 50.36 (Ref.6).ACTIONS A Note has been added in the ACTIONS to clarify the application ofCompletion Time rules. The Conditions of this Specification may beentered independently for each Function listed on Table 3.3.2-1. Whenthe Required Channels in Table 3.3.2-1 are specified (e.g., on a persteam line, per loop, per SG, etc., basis), then the Condition may beentered separately for each steam line, loop, SG, etc., as appropriate.A channel shall be OPERABLE if the point at which the channel trips isfound more conservative than the Allowable Value. In the event achannel's trip setpoint is found less conservative than the AllowableValue, or the transmitter, instrument loop, signal processing electronics,or bistable is found inoperable, then all affected Functions provided bythat channel must be declared inoperable and the LCO Condition(s)entered for the protection Function(s) affected. If plant conditionswarrant, the trip setpoint may be set outside the NOMINAL TRIPSETPOINT calibration tolerance band as long as the trip setpoint isconservative with respect to the NOMINAL TRIP SETPOINT. If the tripsetpoint is found outside of the NOMINAL TRIP SETPOINT calibrationtolerance band and non-conservative with respect to the NOMINAL TRIPSETPOINT, the setpoint shall be re-adjusted.Catawba Units 1 and 2 B3322 eiinN.1B 3.3.2-29 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)When the number of inoperable channels in a trip function exceed thosespecified in one or other related Conditions associated with a tripfunction, then the unit is outside the safety analysis. Therefore,LCO 3.0.3 should be immediately entered if applicable in the currentMODE of operation.A.__1Condition A applies to all ESFAS protection functions.Condition A addresses the situation where one or more channels or trainsfor one or more Functions are inoperable at the same time. TheRequired Action is to refer to Table 3.3.2-1 and to take the RequiredActions for the protection functions affected. The Completion Times arethose from the referenced Conditions and Required Actions.B.1, B.2.1 and B.2.2Condition B applies to manual initiation of:* SI;* Containment Spray;* Phase A Isolation; and* Phase B Isolation.This action addresses the train orientation of the SSPS for the functionslisted above. If a channel or train is inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed toreturn it to an OPERABLE status. Note that for containment spray andPhase B isolation, failure of one or both channels in one train renders thetrain inoperable. Condition B, therefore, encompasses both situations.The specified Completion Time is reasonable considering that there aretwo automatic actuation trains and another manual initiation trainOPERABLE for each Function, and the low probability of an eventoccurring during this interval. If the train cannot be restored toOPERABLE status, the unit must be placed in a MODE in which the LCOdoes not apply. This is done by placing the unit in at least MODE 3 withinan additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> total time) and in MODE 5 within anadditional 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> (84 hours9.722222e-4 days <br />0.0233 hours <br />1.388889e-4 weeks <br />3.1962e-5 months <br /> total time). The allowable CompletionTimes are reasonable, based on operating experience, to reach therequired unit conditions from full power conditions in an orderly mannerand without challenging unit systems.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-30 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)0.1. 0.2.1 and 0.2.2Condition C applies to the automatic actuation logic and actuation relaysfor the following functions:* SI;* Phase A Isolation;* Phase B Isolation; and* Automatic Switchover to Containment Sump.This action addresses the train orientation of the SSPS and the masterand slave relays. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed torestore the train to OPERABLE status. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed forrestoring the inoperable train to OPERABLE status is justified inReference 13. The specified Completion Time is reasonable consideringthat there is another train OPERABLE, and the low probability of an eventoccurring during this interval. If the train cannot be restored toOPERABLE status, the unit must be placed in a MODE in which the LCOdoes not apply. This is done by placing the unit in at least MODE 3 withinan additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> total time) and in MODE 5 within anadditional 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> (60 hours6.944444e-4 days <br />0.0167 hours <br />9.920635e-5 weeks <br />2.283e-5 months <br /> total time). The Completion Times arereasonable, based on operating experience, to reach the required unitconditions from full power conditions in an orderly manner and withoutchallenging unit systems.The Required Actions are modified by a Note that allows one train to bebypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing, provided the othertrain is OPERABLE. The Required Actions are not required to be metduring this time, unless the train is discovered inoperable during thetesting. This allowance is based on the reliability analysis assumption ofWCAP-1 0271-P-A (Ref. 7) that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required toperform train surveillance.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-31 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)0.1, D.2.1. and D.2.2Condition 0 applies to:* Containment Pressure-High;* Pressurizer Pressure-Low;* Steam Line Pressure-Low;* Steam Line Pressure-Negative Rate-High;* Loss of offsite power (refer to Condition D footnote);* SG Water level--Low Low; and* SG Water level--High High (P-14) for the Feedwater IsolationFunction.If one channel is inoperable, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are allowed to restore the channelto OPERABLE status or to place it in the tripped condition. Generally thisCondition applies to functions that operate on two-out-of-three logic.Therefore, failure of one channel places the Function in a two-out-of-twoconfiguration. One channel must be tripped to place the Function in aone-out-of-two configuration that satisfies redundancy requirements. The72 hours allowed to restore the channel to OPERABLE status or to placeit in the tripped condition is justified in Reference 13.Failure to restore the inoperable channel to OPERABLE status or place itin the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requires the unit be placed inMODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the next6 hours.The allowed Completion Times are reasonable, based on operatingexperience, to reach the required unit conditions from full powerconditions in an orderly manner and without challenging unit systems. InMODE 4, these Functions are no longer required OPERABLE.The Required Actions are modified by a Note that allows the inoperablechannel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing ofother channels. The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for testing is justified inReference 13.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-32 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)E.1. E.2.1, and E.2.2Condition E applies to:* Containment Phase B Isolation Containment Pressure-High High;and* Steam Line Isolation Containment Pressure -High High.Neither of these signals has input to a control function. Thus, two-out-of-.three logic is necessary to meet acceptable protective requirements.However, a two-out-of-three design would require tripping a failedchannel. This is undesirable because a single failure would then causespurious isolation initiation. Therefore, these channels are designed withtwo-out-of-four logic so that a failed channel may be bypassed ratherthan tripped. Note that one channel may be bypassed and still satisfy thesingle failure criterion. Furthermore, with one channel bypassed, a singleinstrumentation channel failure will not spuriously initiate isolation.To avoid the inadvertent actuation of Phase B containment isolation, theinoperable channel should not be placed in the tripped condition. Insteadit is bypassed. Restoring the channel to OPERABLE status, or placingthe inoperable channel in the bypass condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, issufficient to assure that the Function remains OPERABLE and minimizesthe time that the Function may be in a partial trip condition (assuming theinoperable channel has failed high). The Completion Time is furtherjustified based on the low probability of an event occurring during thisinterval. Failure to restore the inoperable channel to OPERABLE status,or place it in the bypassed condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, requires the unit beplaced in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within thenext 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based onoperating experience, to reach the required unit conditions from fullpower conditions in an orderly manner and without challenging unitsystems. In MODE 4, these Functions are no longer requiredOPERABLE.The Required Actions are modified by a Note that allows one additionalchannel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing.Placing a second channel in the bypass condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> fortesting purposes is acceptable based on the results of Reference 13.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-33 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)F.1, F.2.1, and F.2.2Condition F applies to:* Manual Initiation of Steam Line Isolation; and* P-4 Interlock.For the Manual Initiation and the P-4 Interlock Functions, this actionaddresses the train orientation of the SSPS. If a train or channel isinoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed to return it to OPERABLE status. Thespecified Completion Time is reasonable considering the nature of theseFunctions, the available redundancy, and the low probability of an eventoccurring during this interval. If the Function cannot be returned toOPERABLE status, the unit must be placed in MODE 3 within the next6 hours and MODE 4 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowedCompletion Times are reasonable, based on operating experience, toreach the required unit conditions from full power in an orderly mannerand without challenging unit systems. In MODE 4, the unit does not haveany analyzed transients or conditions that require the explicit use of theprotection functions noted above.G.1 and G.2Condition G applies to manual initiation of Steam Line Isolation.This action addresses the operability of the manual steam line isolationfunction for each individual main steam isolation valve. If a channel isinoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed to return it to an OPERABLE status. Ifthe train cannot be restored to OPERABLE status, the Conditions andRequired Actions of LCO 3.7.2, "Main Steam Isolation Valves," must beentered for the associated inoperable valve. The specified CompletionTime is reasonable considering that there is a system level manualinitiation train for this Function and the low probability of an eventoccurring during this interval.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-34 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)H.1, H.2.1 and H.2.2Condition H applies to the automatic actuation logic and actuation relaysfor the Steam Line Isolation, Feedwater Isolation, and AFW actuationFunctions.The action addresses the train orientation of the SSPS and the masterand slave relays for these functions. If one train is inoperable, 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />sare allowed to restore the train to OPERABLE status. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />sallowed for restoring the inoperable train to OPERABLE status is justifiedin Reference 13. The Completion Time for restoring a train toOPERABLE status is reasonable considering that there is another trainOPERABLE, and the low probability of an event occurring during thisinterval. If the train cannot be returned to OPERABLE status, the unitmust be brought to MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 withinthe following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable,based on operating experience, to reach the required unit conditions fromfull power conditions in an orderly manner and without challenging unitsystems. Placing the unit in MODE 4 removes all requirements forOPERABILITY of the protection channels and actuation functions. In thisMODE, the unit does not have analyzed transients or conditions thatrequire the explicit use of the protection functions noted above.The Required Actions are modified by a Note that allows one train to bebypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the othertrain is OPERABLE. This allowance is based on the reliability analysis(Ref. 7) assumption that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to performchannel surveillance.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-35 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)1.1 and 1.2Condition I appiies to the automatic actuation logic and actuation relaysfor the Turbine Trip Function.This action addresses the train orientation of the SSPS and the masterand slave relays for this Function. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> areallowed to restore the train to OPERABLE status or the unit must beplaced in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed forrestoring the inoperable train to OPERABLE status is justified inReference 13. The Completion Time for restoring a train to OPERABLEstatus is reasonable considering that there is another train OPERABLE,and the low probability of an event occurring during this interval. Theallowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operatingexperience, to reach MODE 3 from full power conditions in an orderlymanner and without challenging unit systems. These Functions are nolonger required in MODE 3. Placing the unit in MODE 3 removes allrequirements for OPERABILITY of the protection channels and actuationfunctions. In this MODE, the unit does not have analyzed transients orconditions that require the explicit use of the protection functions notedabove.The Required Actions are modified by a Note that allows one train to bebypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the othertrain is OPERABLE. This allowance is based on the reliability analysis(Ref. 7) assumption that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to performchannel surveillance.J.1 and J.2Condition J applies to:* SG Water Level--High High (P-14) for the Turbine Trip Function;and* Tavg-LOw.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-36 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)If one channel is inoperable, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are allowed to restore one channelto OPERABLE status or to place it in the tripped condition. If placed inthe tripped condition, the Function is then in a partial trip condition whereone-out-of-three logic will result in actuation. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed torestore the channel to OPERABLE status or place it in the trippedcondition is justified in Reference 13. Failure to restore the inoperablechannel to OPERABLE status or place it in the tripped condition within72 hours requires the unit to be placed in MODE 3 within the following6 hours. The allowed Completion Time of 78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> is reasonable, basedon operating experience, to reach MODE 3 from full power conditions inan orderly manner and without challenging unit systems. In MODE 3,these Functions are no longer required OPERABLE.The Required Actions are modified by a Note that allows the inoperablechannel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing ofother channels. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel inthe tripped condition, and the 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for a second channel tobe in the bypassed condition for testing, are justified in Reference 13.K.1 and K.2Condition K applies to the AFW pump start on trip of all MFW pumps.This action addresses the auto start function of the AFW System on lossof all MFW pumps. The OPERABILITY of the AFW System must beassured by allowing automatic start of the AFW System pumps. If achannel is inoperable, 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is allowed to return it to an OPERABLEstatus or to place the channel in trip. If the function cannot be returned toan OPERABLE status or placed in a trip condition, 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> are allowed toplace the unit in MODE 3. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> isreasonable, based on operating experience, to reach MODE 3 from fullpower conditions in an orderly manner and without challenging unitsystems. In MODE 3, the unit does not have any analyzed transients orconditions that require the explicit use of the protection function notedabove.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-37 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)L.1 and L.2Condition L applies to the Doghouse Water Level -High High.If one channel is inoperable, 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> are allowed to restore the channel toOPERABLE status or to place it in the tripped condition. Therefore,failure of one channel places the Function in a two-out-of-twoconfiguration. One channel must be tripped to place the Function in aone-out-of-two configuration that satisfies redundancy requirements.Alternatively, if the inoperable channel is not restored to OPERABLEstatus or placed in the tripped condition within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, the unit must beplaced in MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.The allowed Completion Times are reasonable, based on operatingexperience, to reach the required unit conditions from full powerconditions in an orderly manner and without challenging unit systems. InMODE 3, this Function is no longer required OPERABLE.Required Action L.1 is modified by a Note that allows the inoperablechannel to be bypassed for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for surveillance testing of otherchannels.M.1, M.2.1 and M.2.2Condition M applies to the Auxiliary Feedwater Pumps Suction Transferon Suction Pressure Low.If one channel is inoperable, 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is allowed to restore the channel toOPERABLE status or to place it in the tripped condition. The failure ofone channel places the Function in a two-out-of-two configuration. Onechannel must be tripped to place the Function in a one-out-of-threeconfiguration that satisfies redundancy requirements.Failure to restore the inoperable channel to OPERABLE status or place itin the tripped condition within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> requires the unit to be placed inMODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the next 6hours.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-38 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)The allowed Completion Times are reasonable, based on operatingexperience, to reach the required unit conditions from full powerconditions in an orderly manner and without challenging unit systems. InMODE 4, this Function is no longer required OPERABLE.N.1, N.2.1 and N.2.2Condition N applies to:* RWST Level--Low Coincident with Safety Injection.RWST Level--Low Coincident With SI provides actuation of switchover tothe containment sump. Note that this Function requires the bistables toenergize to perform their required action. The failure of up to twochannels will not prevent the operation of this Function. However, placinga failed channel in the tripped condition could result in a prematureswitchover to the sump, prior to the injection of the minimum volume fromthe RWST. Placing the inoperable channel in bypass results in a two-out-of-three logic configuration, which satisfies the requirement to allowanother failure without disabling actuation of the switchover whenrequired. Restoring the channel to OPERABLE status or placing theinoperable channel in the bypass condition within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is sufficient toensure that the Function remains OPERABLE, and minimizes the timethat the Function may be in a partial trip condition (assuming theinoperable channel has failed high). The 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time isjustified in Reference 7. If the channel cannot be returned to OPERABLEstatus or placed in the bypass condition within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, the unit must bebrought to MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 within thenext 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />. The allowed Completion Times are reasonable, based onoperating experience, to reach the required unit conditions from fullpower conditions in an orderly manner and without challenging unitsystems. In MODE 5, the unit does not have any analyzed transients orconditions that require the explicit use of the protection functions notedabove.The Required Actions are modified by a Note that allows placing asecond channel in the bypass condition for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for surveillancetesting. The total of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to reach MODE 3 and 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for a secondchannel to be bypassed is acceptable based on the results ofReference 7.Catawba Units 1 and 2 B3323 eiinN.1B 3.3.2-39 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)0.1, 0.2.1 and 0.2.2Condition 0 applies to the P-11 and P-12 interlocks.With one channel inoperable, the operator must verify that the interlock isin the required state for the existing unit condition. This action manuallyaccomplishes the function of the interlock. Determination must be madewithin 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is equal to the time allowedby LCO 3.0.3 to initiate shutdown actions in the event of a complete lossof ESFAS function. If the interlock is not in the required state (or placedin the required state) for the existing unit condition, the unit must beplaced in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within thefollowing 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, basedon operating experience, to reach the required unit conditions from fullpower conditions in an orderly manner and without challenging unitsystems. Placing the unit in MODE 4 removes all requirements forOPERABILITY of these interlocks.P.1Condition P applies to the Containment Pressure Control System Startand Terminate Permissives.With one or more channels inoperable, the affected containment sprayand containment air return systems components must be declaredinoperable immediately. The supported system LCOs provide theappropriate Required Actions and Completion Times for the equipmentmade inoperable by the inoperable channel. The immediate CompletionTime is appropriate since the inoperable channel could prevent thesupported equipment from starting when required. Additionally,protection from an inadvertent actuation may not be provided if theterminate function is not OPERABLE.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-40 ESFAS InstrumentationB 3.3.2BASESACTIONS (continued)Q.1, Q.2. Q.3.1. and Q.3.2With one channel of NSWS Suction Transfer -Low Pit Level inoperable inone or more NSWS pits, 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> are allowed to place it in the trippedcondition or align the NSWS to the Standby NSWS Pond. The failure ofone channel places the Function in a two-out-of-two configuration. Thefailed channel must either be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements, or the NSWSrealigned to fulfill the safety function.Failure to place the channel in the tripped condition or to realign theNSWS suction and discharge within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> requires the unit be placed inMODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 within the next 30hours.The requirement to align the NSWS to the Standby NSWS Pond onlyapplies to OPERABLE trains of the system.The allowed Completion Times are reasonable, based on operatingexperience, to reach the required unit conditions from full powerconditions in an orderly manner and without challenging unit systems. InMODE 5, this Function is no longer required OPERABLE.R.1. R.2.1, and R.2.2With two or more channels of NSWS Suction Transfer -Low Pit Levelinoperable in one or more pits, the NSWS must be aligned to the StandbyNSWS Pond within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. Failure to accomplish the realignment within4 hours requires the unit be placed in MODE 3 within the following 6hours and MODE 5 within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.The requirement to align the NSWS to the Standby NSWS Pond onlyapplies to OPERABLE trains of the system.The allowed Completion Times are reasonable, based on operatingexperience, to reach the required unit conditions from full powerconditions in an orderly manner and without challenging unit systems. InMODE 5, this Function is no longer required OPERABLE.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-41 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE The SRs for each ESFAS Function are identified by the SRs columnREQUIREMENTS of Table 3.3.2-1.A Note has been added to the SR Table to clarify that Table 3.3.2-1determines which SRs apply to which ESFAS Functions.Note that each channel of process protection supplies both trains of theESFAS. When testing channel I, train A and train B must be examined.Similarly, train A and train B must be examined when testing channel II,channel Ill, and channel IV (if applicable). The CHANNELCALIBRATION and COTs are performed in a manner that is consistentwith the assumptions used in analytically calculating the required channelaccuracies.SR 3.3.2.1Performance of the CHANNEL CHECK ensures that a gross failure ofinstrumentation has not occurred. A CHANNEL CHECK is normally acomparison of the parameter indicated on one channel to a similarparameter on other channels. It is based on the assumption thatinstrument channels monitoring the same parameter should readapproximately the same value. Significant deviations between the twoinstrument channels could be an indication of excessive instrument driftin one of the channels or of something even more serious. A CHANNELCHECK will detect gross channel failure; thus, it is key to verifying theinstrumentation continues to operate properly between each CHANNELCALIBRATION.Agreement criteria are determined by the unit staff, based on acombination of the channel instrument uncertainties, including indicationand reliability. If a channel is outside the criteria, it may be an indicationthat the sensor or the signal processing equipment has drifted outside itslimit.The Surveillance Frequency is based on operating experience,equipment reliability, and plant risk and is controlled under theSurveillance Frequency Control Program.SR 3.3.2.2SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST. TheSSPS is tested using the semiautomatic tester. The train being tested isplaced in the bypass condition, thus preventing inadvertent actuation.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-42 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)Through the semiautomatic tester, all possible logic combinations, withand without applicable permissives, are tested for each protectionfunction. In addition, the master relay coil is pulse tested for continuity.This verifies that the logic modules are OPERABLE and that there is anintact voltage signal path to the master relay coils. The SurveillanceFrequency is based on operating experience, equipment reliability, andplant risk and is controlled under the Surveillance Frequency ControlProgram.SR 3.3.2.3SR 3.3.2.3 is the performance of a TADOT. This test is a check of theLoss of Offsite Power Function. Each Function is tested up to, andincluding, the master transfer relay coils.This test also includes trip devices that provide actuation signals directlyto the SSPS. The SR is modified by a Note that excludes final actuationof pumps and valves to minimize plant upsets that would occur. TheSurveillance Frequency is based on operating experience, equipmentreliability, and plant risk and is controlled under the SurveillanceFrequency Control Program.SR 3.3.2.4SR 3.3.2.4 is the performance of a MASTER RELAY TEST. TheMASTER RELAY TEST is the energizing of the master relay, verifyingcontact operation and a low voltage continuity check of the slave relaycoil. Upon master relay contact operation, a low voltage is injected to theslave relay coil. This voltage is insufficient to pick up the slave relay, butlarge enough to demonstrate signal path continuity. The time allowed forthe testing (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) is justified in Reference 7. The SurveillanceFrequency is based on operating experience, equipment reliability, andplant risk and is controlled under the Surveillance Frequency ControlProgram.SR 3.3.2.5SR 3.3.2.5 is the performance of a COT.A COT is performed on each required channel to ensure the channel willperform the intended Function. The tested portion of the loop must tripwithin the Allowable Values specified in Table 3.3.2-1.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-43 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)The setpoint shall be left set consistent with the assumptions of thesetpoint methodology.The Surveillance Frequency is based on operating experience,equipment reliability, and plant risk and is controlled under theSurveillance Frequency Control Program.SR 3.3.2.6SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVERELAY TEST is the energizing of the slave relays. Contact operation isverified in one of two ways. Actuation equipment that may be operated inthe design mitigation MODE is either allowed to function, or is placed in acondition where the relay contact operation can be verified withoutoperation of the equipment. Actuation equipment that may not beoperated in the design mitigation MODE is prevented from operation bythe SLAVE RELAY TEST circuit. For this latter case, contact operation isverified by a continuity check of the circuit containing the slave relay. TheSurveillance Frequency is based on operating experience, equipmentreliability, and plant risk and is controlled under the SurveillanceFrequency Control Program.For slave relays or any auxiliary relays in the ESFAS circuit that are of thetype Westinghouse AR or Potter & Brumfield MDR, the SLAVE RELAYTEST Frequency is based on operating experience, equipment reliability,and plant risk and is controlled under the Surveillance Frequency ControlProgram.SR 3.3.2.7SR 3.3.2.7 is the performance of a COT on the RWST level andContainment Pressure Control Start and Terminate Permissives.A COT is performed on each required channel to ensure the entirechannel will perform the intended Function. Setpoints must be foundconservative with respect to the Allowable Values specified in Table3.3.2-1. The Surveillance Frequency is based on operating experience,equipment reliability, and plant risk and is controlled under theSurveillance Frequency Control Program.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-44 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)For Functions for which TSTF-493, "Clarify Application of SetpointMethodology for LSSS Functions" has been implemented, this SR ismodified by two Notes as identified in Table 3.3.2-1. The first Noterequires evaluation of channel performance for the condition where theas-found setting for the channel setpoint is outside its as-found tolerancebut conservative with respect to the Allowable Value. Evaluation ofchannel performance will verify that the channel will continue to behave inaccordance with safety analysis assumptions and the channelperformance assumptions in the setpoint methodology. The purpose ofthe assessment is to ensure confidence in the channel performance priorto returning the channel to service. For channels determined to beOPERABLE but degraded, after returning the channel to service theperformance of these channels will be evaluated under the plantCorrective Action Program. Entry into the Corrective Action Program willensure required review and documentation of the condition. The secondNote requires that the as-left setting for the channel be returned to withinthe as-left tolerance of the NOMINAL TRIP SETPOINT (NTSP). Where asetpoint more conservative than the NTSP is used in the plantsurveillance procedures (field setting), the as-left and as-foundtolerances, as applicable, will be applied to the surveillance proceduresetpoint. This will ensure that sufficient margin to the Safety Limit and/orAnalytical Limit is maintained. If the as-left channel setting cannot bereturned to a setting within the as-left tolerance of the NTSP, then thechannel shall be declared inoperable. The second Note also requiresthat the methodologies for calculating the as-left and the as-foundtolerances be in the UFSAR.SR 3.3.2.8SR 3.3.2.8 is the performance of a TADOT. This test is a check of theManual Actuation Functions, AFW pump start on trip of all MFW pumps,AFW low suction pressure, Reactor Trip (P-4) Interlock, and DoghouseWater Level -High High Feedwater Isolation. Each Manual ActuationFunction is tested up to, and including, the master relay coils. In someinstances, the test includes actuation of the end device (i.e., pump starts,valve cycles, etc.). The Surveillance Frequency is based on operatingexperience, equipment reliability, and plant risk and is controlled underthe Surveillance Frequency Control Program. The SR is modified by aNote that excludes verification of setpoints during the TADOT for manualinitiation Functions. The manual initiation Functions have no associatedsetpoints.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-45 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)SIR 3.3.2.9SIR 3.3.2.9 is the performance of a CHANNEL CALIBRATION.CHANNEL CALIBRATION is a complete check of the instrument ioop,including the sensor. The test verifies that the channel responds tomeasured parameter within the necessary range and accuracy.CHANNEL CALIBRATIONS must be performed consistent with theassumptions of the unit specific setpoint methodology.The Surveillance Frequency is based on operating experience,equipment reliability, and plant risk and is controlled under theSurveillance Frequency Control Program.This SR is modified by a Note stating that this test should includeverification that the time constants are adjusted to the prescribed valueswhere applicable. The applicable time constants are shown in Table3.3.2-1.For Functions for which TSTF-493, "Clarify Application of SetpointMethodology for LSSS Functions" has been implemented, this SR ismodified by two Notes as identified in Table 3.3.2-1. The first Noterequires evaluation of channel performance for the condition where theas-found setting for the channel setpoint is outside its as-found tolerancebut conservative with respect to the Allowable Value. Evaluation ofchannel performance will verify that the channel will continue to behave inaccordance with safety analysis assumptions and the channelperformance assumptions in the setpoint methodology. The purpose ofthe assessment is to ensure confidence in the channel performance priorto returning the channel to service. For channels determined to beOPERABLE but degraded, after returning the channel to service theperformance of these channels will be evaluated under the plantCorrective Action Program. Entry into the Corrective Action Program willensure required review and documentation of the condition. The secondNote requires that the as-left setting for the channel be returned to withinthe as-left tolerance of the NOMINAL TRIP SETPOINT (NTSP). Where asetpoint more conservative than the NTSP is used in the plantsurveillance procedures (field setting), the as-left and as-foundtolerances, as applicable, will be applied to the surveillance proceduresetpoint. This will ensure that sufficient margin to the Safety Limit and/orAnalytical Limit is maintained. If the as-left channel setting cannot bereturned to a setting within the as-left tolerance of the NTSP, then theCatawba Units 1 and 2 B3324 eiinN.1B 3.3.2-46 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)channel shall be declared inoperable. The second Note also requiresthat the methodologies for calculating the as-left and the as-foundtolerances be in the UFSAR.SR 3.3.2.10This SR ensures the individual channel ESE RESPONSE TIMES are lessthan or equal to the maximum values assumed in the accident analysis.Response Time testing acceptance criteria are included in the UFSAR(Ref. 2). Individual component response times are not modeled in theanalyses. The analyses model the overall or total elapsed time, from thepoint at which the parameter exceeds the Trip Setpoint value at thesensor, to the point at which the equipment in both trains reaches therequired functional state (e.g., pumps at rated discharge pressure, valvesin full open or closed position).For channels that include dynamic transfer functions (e.g., lag, lead/lag,rate/lag, etc.), the response time test may be performed with the transferfunctions set to one with the resulting measured response time comparedto the appropriate UFSAR response time. Alternately, the response timetest can be performed with the time constants set to their nominal valueprovided the required response time is analytically calculated assumingthe time constants are set at their nominal values. The response timemay be measured by a series of overlapping tests such that the entireresponse time is measured.Response time may be verified by actual response time tests in anyseries of sequential, overlapping or total channel measurements, or bythe summation of allocated sensor, signal processing and actuation logicresponse times with actual response time tests on the remainder of thechannel. Allocations for sensor response times may be obtained from:(1) historical records based on acceptable response time tests (hydraulic,noise, or power interrupt tests), (2) inplace, onsite, or offsite (e.g. vendor)test measurements, or (3) utilizing vendor engineering specifications.WCAP-13632-P-A Revision 2, "Elimination of Pressure Sensor ResponseTime Testing Requirements" provides the basis and methodology forusing allocated sensor response times in the overall verification of thechannel response time for specific sensors identified in the WCAP. Inaddition, while not specifically identified in the WCAP, ITT Barton 386Aand 580A-0 sensors were compared to sensors which were identified. Itwas concluded that the WCAP results could be applied to these twosensor types as well. Response time verification for other sensor typesmust be demonstrated by test.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-47 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)WCAP-1 4036-P-A Revision 1, "Elimination of Periodic ProtectionChannel Response Time Tests" provides the basis and methodology forusing allocated signal processing and actuation logic response times inthe overall verification of the protection system channel response time.The allocations for sensor, signal conditioning and actuation logicresponse times must be verified prior to placing the component inoperational service and re-verified following maintenance that mayadversely affect response time. In general, electrical repair work doesnot impact response time provided the parts used for repair are of thesame type and value. Specific components identified in the WCAP maybe replaced without verification testing. One example where responsetime could be affected is replacing the sensing assembly of a transmitter.The Surveillance Frequency is based on operating experience,equipment reliability, and plant risk and is controlled under theSurveillance Frequency Control Program.This SR is modified by a Note that clarifies that the turbine driven AEWpump is tested within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after reaching 600 psig in the SGs.SR 3.3.2.11SR 3.3.2.11 is the performance of a COT on the NSWS Suction Transfer-Low Pit Level.A COT is performed on each required channel to ensure the entirechannel will perform the intended Function. Setpoints must be foundwithin the Allowable Values specified in Table 3.3.2-1. The SurveillanceFrequency is based on operating experience, equipment reliability, andplant risk and is controlled under the Surveillance Frequency ControlProgram.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-48 ESFAS InstrumentationB 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)SR 3.3.2.12SR 3.3.2.12 is the performance of an ACTUATION LOGIC TEST on theDoghouse Water Level-High High and NSWS Suction Transfer-Emergency Low Pit Level Functions.An ACTUATION LOGIC TEST to satisfy the requirements of GL 96-01 isperformed on each instrumentation to ensure all logic combinations willinitiate the appropriate Function. The Surveillance Frequency is basedon operating experience, equipment reliability, and plant risk and iscontrolled under the Surveillance Frequency Control Program.REFERENCES 1. UFSAR, Chapter 6.2. UFSAR, Chapter 7.3. UFSAR, Chapter 15.4. IEEE-279-1971.5. 10 CFR 50.49.6. 10 CFR 50.36, Technical Specifications, (c)(2)(ii).7. WCAP-1 0271-P-A, Supplement 1 and Supplement 2, Rev. 1, May1986 and June 1990.8. WCAP-1 3632-P-A Revision 2, "Elimination of Pressure SensorResponse Time Testing Requirements" Sep., 1995.9. WCAP-1 4036-P-A Revision 1, "Elimination of Periodic ProtectionChannel Response Time Tests" Oct., 1998.10. Not used.11. Not used.12. Not used.13. WCAP-14333-P-A, Revision 1, October 1998.14. Not used.Catawba Units 1 and 2 B3324 eiinN.1B 3.3.2-49 LTOP SystemB 3.4.12B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.12 Low Temperature Overpressure Protection (LTOP) SystemBASESBACKGROUNDThe LTOP System controls RCS pressure at low temperatures so theintegrity of the reactor coolant pressure boundary (RCPB) is notcompromised by violating the pressure and temperature (PIT) limits of10 CFR 50, Appendix G (Ref. 1 ). The reactor vessel is the limiting RCPBcomponent for demonstrating such protection. This specification providesthe maximum allowable actuation logic setpoints for the power operatedrelief valves (PORVs) and LCO 3.4.3, "RCS Pressure and Temperature(P/T) Limits," provides the maximum RCS pressure for the existing RCScold leg temperature during cooldown, shutdown, and heatup to meet theReference 1 requirements during the LTOP MODES.The reactor vessel material is less tough at low temperatures than atnormal operating temperature. As the vessel neutron exposureaccumulates, the material toughness decreases and becomes lessresistant to pressure stress at low temperatures (Ref. 2). RCS pressure,therefore, is maintained low at low temperatures and is increased only astemperature is increased.The potential for vessel overpressurization is most acute when the RCS iswater solid, occurring only while shutdown; a pressure fluctuation canoccur more quickly than an operator can react to relieve the condition.Exceeding the RCS P/T limits by a significant amount could cause brittlecracking of the reactor vessel. LCO 3.4.3 requires administrative controlof RCS pressure and temperature during heatup and cooldown to preventexceeding the specified limits.This LCO provides RCS overpressure protection by having a minimumcoolant input capability and having adequate pressure relief capacity.Limiting coolant input capability requires all but two pumps incapable ofinjection into the RCS, isolating the accumulators, and limiting reactorcoolant pump operation at low temperatures. The pressure relief capacityrequires two redundant RCS relief valves. One RCS relief valve is theoverpressure protection device that acts to terminate an increasingpressure event.With minimum coolant input capability, the ability to provide core coolantaddition is restricted. The LCO does not require the makeup controlCatawba Units 1 and 2B34121RvsoN.5B 3.4.12-1Revision No. 5 LTOP SystemB 3.4.12BASESBACKGROUND (continued)system deactivated or the safety injection (SI) actuation circuits blocked.Due to the lower pressures in the LTOP MODES and the expected coredecay heat levels, the makeup system can provide adequate flow via themakeup control valve. If conditions require the use of more than onecharging pump for makeup in the event of loss of inventory, thenadditional pumps can be made available through manual actions.The LTOP System for pressure relief consists of two PORVs with reducedlift settings or two residual heat removal (RHR) suction relief valves or onePORV and one RHR suction relief valve. Two RCS relief valves arerequired for redundancy. One RCS relief valve has adequate relievingcapability to keep from overpressurization for the required coolant inputcapability.PORV RequirementsAs designed for the LTOP System, each PORV is signaled to open if theRCS pressure reaches 400 psig (as left calibrated), allowable value < 425psig (as found), when the PORVS are in the "io-press" mode of operation.If the PORVs are being used to meet the requirements of thisSpecification, then indicated ROS cold leg temperature is limited to >_ 70°Fin accordance with the LTOP analysis. When all Reactor Coolant Pumpsare secured, this temperature is measured at the outlet of the residualheat removal heat exchanger. This location will provide the mostconservative (lower) temperature measurement of water capable of beingdelivered into the Reactor Coolant System. The LTOP actuation logicmonitors both RCS temperature and RCS pressure. The signals used togenerate the pressure setpoints originate from the wide range pressuretransmitters. The signals used to generate the temperature permissivesoriginate from the wide range RTDs. Each signal is input to theappropriate NSSS protection system cabinet where it is converted to aninternal signal and then input to a comparator to generate an actuationsignal. If the indicated pressure meets or exceeds the calculated value, aPORV is signaled to open.This Specification presents the PORV setpoints for LTOP. Having thesetpoints of both valves within the limits ensures that the Reference 1limits will not be exceeded in any analyzed event.When a PORV is opened in an increasing pressure transient, the releaseof coolant will cause the pressure increase to slow and reverse. As thePORV releases coolant, the RCS pressure decreases until a resetpressure is reached and the valve is signaled to close. The pressurecontinues to decrease below the reset pressure as the valve closes.Catawba Units 1 and 2B34122RvsoN.5B 3.4.12-2Revision No. 5 LTOP SystemB 3.4.12BASESBACKGROUND (continued)RHR Suction Relief Valve RequirementsDuring LTOP MODES, the RHR system is operated for decay heatremoval and low-pressure letdown control. Therefore, the RHR suctionisolation valves (there are two suction isolation valves per line) are open inthe piping from the ROS hot legs to the inlets of the RHR pumps. Whilethese valves are open, the RHR suction relief valves are exposed to theRCS and are able to relieve pressure transients in the RCS.The RHR suction isolation valves must be open with operator powerremoved to make the RHR suction relief valves OPERABLE for RCSoverpressure mitigation. The RHR suction relief valves are spring loaded,bellows type water relief valve with pressure tolerances and accumulationlimits established by Section III of the American Society of MechanicalEngineers (ASME) Code (Ref. 8) for Class 2 relief valves.APPLICABLE Safety analyses (Ref. 3) demonstrate that the reactor vessel is adequatelySAFETY ANALYSES protected against exceeding the Reference 1 P/T limits. In MODES 1, 2,and 3, and in MODE 4 with RCS cold leg temperature exceeding 210°F,the pressurizer safety valves will prevent RCS pressure from exceedingthe Reference 1 limits. At about 21 00F and below, overpressureprevention falls to two OPERABLE RCS relief valves. Each of thesemeans has a limited overpressure relief capability.The actual temperature at which the pressure in the P/T limit curve fallsbelow the pressurizer safety valve setpoint increases as the reactor vesselmaterial toughness decreases due to neutron embrittlement. Each timethe P/T curves are revised, the LTOP System must be re-evaluated toensure its functional requirements can still be met using the RCS reliefvalve method.Any change to the RCS must be evaluated against the Reference 3analyses to determine the impact of the change on the LTOP acceptancelimits.Transients that are capable of overpressurizing the ROS are categorizedas either mass or heat input transients, examples of which follow:Mass Input Type Transientsa. Inadvertent safety injection of one safety injection pump and onecharging pump; orb. Charging/letdown flow mismatch.Catawba Units 1 and 2B34123RvsoN.5B 3.4.12-3Revision No. 5 LTOP SystemB 3.4.12BASESAPPLICABLE SAFETY ANALYSES (continued)Heat Input Type Transientsa. Inadvertent actuation of pressurizer heaters;b. Loss of RHR cooling; orc. Reactor coolant pump (RCP) startup with temperature asymmetrywithin the RCS or between the RCS and steam generators.The following are required during the LTOP MODES to ensure that massand heat input transients do not occur, which either of the LTOPoverpressure protection means cannot handle:a. Rendering all but two pumps incapable of injection;b. Deactivating the accumulator discharge isolation valves in theirclosed positions;c. Limiting RCP operation based on the existing temperature in theROS cold legs; andd. Disallowing start of an RCP if secondary temperature is more than50°F above primary temperature in any one loop. LCO 3.4.6, "RCSLoops--MODE 4," and LCO 3.4.7, "RCS Loops--MODE 5, LoopsFilled," provide this protection'.The Reference 3 analyses demonstrate that one RCS relief valve canmaintain RCS pressure below limits when any two pumps (chargingand/or safety injection) are actuated. Thus, the LCO allows two pumpsOPERABLE during the LTOP MODES. The LCO also requires theaccumulators be isolated when accumulator pressure is greater than orequal to the maximum ROS pressure for the existing RCS cold legtemperature allowed in LCO 3.4.3.The isolated accumulators must have their discharge valves closed andpower removed.The restrictions on the number of RCPs in operation at a giventemperature ensures that during a LTOP mass injection event that thepressure/temperature (PIT) limits of 10 CFR 50, Appendix G to protect theCatawba Units 1 and 2B34124RvsoN.5B 3.4.12-4Revision No. 5 LTOP SystemB 3.4.12BASESAPPLICABLE SAFETY ANALYSES (continued)reactor vessel are not exceeded. During startup and shutdown, when theRCPs are operated, their induced flows create a pressure drop across thevessel. This pressure drop along with the difference in elevation betweenthe beitline region and the instrumentation locations are additive to thepeak pressure from the mass injection event.The amount of the pressure at the reactor vessel beltline region from theRCPs is dependent on the number of RCPs operated. Adequate marginto prevent exceeding the P/T limits is assured by restricting the number ofRCPs operated. Since LTOP events are basically acknowledged as beingsteady-state events, these RCP operating restrictions are designed towork with the LTOP setpoint to provide protection from exceeding thesteady-state Appendix G P/T limits.Fracture mechanics analyses established the temperature of LTOPApplicability at 210°F.The consequences of a small break loss of coolant accident (LOCA) inLTOP MODE 4 conform to 10 CFR 50.46 and 10 CFR 50, Appendix K(Refs. 4 and 5), requirements by having a maximum of two pumps(charging and/or safety injection) OPERABLE and SI actuation enabled.PORV PerformanceThe fracture mechanics analyses show that the vessel is protected whenthe PORVs are set to open at or below the specified limit. The setpointsare derived by analyses that model the performance of the LTOP System,assuming the limiting LTOP transient of one charging pump and onesafety injection pump injecting into the RCS. These analyses considerpressure overshoot and undershoot beyond the PORV opening andclosing, resulting from signal processing and valve stroke times. ThePORV setpoints at or below the derived limit ensures the Reference 1 PITlimits will be met.The PORV setpoints will be updated when the revised P/T limits conflictwith the LTOP analysis limits. The P/T limits are periodically modified asthe reactor vessel material toughness decreases due to neutronembrittlement caused by neutron irradiation. Revised limits aredetermined using neutron fluence projections and the results ofexaminations of the reactor vessel material irradiation surveillancespecimens. The Bases for LCO 3.4.3, "RCS Pressure and Temperature(P/T) Limits," discuss these examinations.Catawba Units 1 and 2B34125RvsoN.5B 3.4.12-5Revision No. 5 LTOP SystemB 3.4.12BAS ESAPPLICABLE SAFETY ANALYSES (continued)The PORVs are considered active components. Thus, the failure of onePORV is assumed to represent the worst case, single active failure.RHR Suction Relief Valve PerformanceThe RHR suction relief valves do not have variable pressure andtemperature lift setpoints like the PORVs. Analyses show that one RHRsuction relief valve with a setpoint at or between 417 psig and 509 psigwill pass flow greater than that required for the limiting LTOP transientwhile maintaining RCS pressure less than the P/T limit curve. Assumingall relief flow requirements during the limiting LTOP event, an RHRsuction relief valve will maintain RCS pressure to within the valve rated liftsetpoint, plus an accumulation < 10% of the rated lift setpoint.Although each RHR suction relief valve may itself meet single failurecriteria, its inclusion and location within the RHR system does not allow itto meet single failure criteria when spurious RHR suction isolation valveclosure is postulated. Also, as the RCS P/T limits are decreased to reflectthe loss of embrittlement, the RHR suction relief valves must be analyzedto still accommodate the design basis transients for LTOP.The RHR suction relief valves are considered to be active components.Thus, the failure of one valve is assumed to represent the worst casesingle active failure.The LTOP System satisfies Criterion 2 of 10 CFR 50.36(Ref. 6).LCO This LCO requires that the LTOP System is OPERABLE. The LTOPSystem is OPERABLE when the minimum coolant input and pressurerelief capabilities are OPERABLE. Violation of this LCO could lead to theloss of low temperature overpressure mitigation and violation of theReference 1 limits as a result of an operational transient.To limit the coolant input capability, the LCO permits a maximum of twopumps (charging and/or safety injection) capable of injecting into the RCSand requires all accumulator discharge isolation valves closed andimmobilized when accumulator pressure is greater than or equal to themaximum ROS pressure for the existing RCS cold leg temperatureallowed in LCO 3.4.3. The LCO also limits ROP operation based onexisting RCS cold leg temperature as required by the LTOP analysis.The elements of the LCO that provide low temperature overpressuremitigation through pressure relief are:Catawba Units 1 and 2B34126RvsoN.5B 3.4.12-6Revision No. 5 LTOP SystemB 3.4.12BASESLCO (continued)a. Two OPERABLE PORVs (NC-32B and NC-34A); orA PORV is OPERABLE for LTOP when its block valve is open, itslift setpoint is set to the specified limit and testing proves itsautomatic ability to open at this setpoint, and motive power isavailable to the valve and its control circuit. The followingrestrictions are placed on PORV OPERABILITY for LTOP due tocommonalities between the PORV power supplies and letdownisolation:* NC-32B is not OPERABLE for LTOP if excess letdown is inservice.* NC-32B is not OPERABLE for LTOP if normal letdown is inservice and centrifugal charging pump B is in operation.* NC-34A is not OPERABLE for LTOP if normal letdown is inservice.b. Two OPERABLE RHR suction relief valves (ND-3 and ND-38); orAn RHR suction relief valve is OPERABLE for LTOP when both ofits RHR suction isolation valves are open, its setpoint is at orbetween 417 psig and 509 psig, and testing has proven its ability toopen in this pressure range.c. One OPERABLE PORV and one OPERABLE RHR suction reliefvalve.Each of these methods of overpressure prevention is capable ofmitigating the limiting LTOP transient.APPLICABILITY This LCO is applicable in MODE 4 when any ROS cold leg temperature is< 210°F, in MODE 5, and in MODE 6 when the reactor vessel head is on.The pressurizer safety valves provide overpressure protection that meetsthe Reference 1 P/T limits above 21 0°F. When the reactor vessel head isoff, overpressurization cannot occur.LCO 3.4.3 provides the operational P/T limits for all MODES. LCO 3.4.10,"Pressurizer Safety Valves," requires the OPERABILITY of the pressurizersafety valves that provide overpressure protection during MODES 1, 2,and 3, and MODE 4 above 21 0°F.Low temperature overpressure prevention is most critical during shutdownwhen the RCS is water solid, and a mass or heat input transient cancause a very rapid increase in RCS pressure when little or no time allowsCatawba Units 1 and 2B34127RvsoN.5B 3.4.12-7Revision No. 5 LTOP SystemB 3.4.12BASESAPPLICABILITY (continued)operator action to mitigate the event.The Applicability is modified by a Note stating that accumulator isolation isonly required when the accumulator pressure is more than or at themaximum RCS pressure for the existing temperature, as allowed by theP/T limit curves. This Note permits the accumulator discharge isolationvalve Surveillance to be performed only under these pressure andtemperature conditions.ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable LTOPsystem. There is an increased risk associated with entering MODE 4 fromMODE 5 with LTOP inoperable and the provisions of LCO 3.0.4.b, whichallow entry into a MODE or other specified condition in the Applicabilitywith the LCO not met after performance of a risk assessment addressinginoperable systems and components, should not be applied in thiscircumstance.A.1With more than two pumps (charging and/or safety injection) capable ofinjecting into the RCS, ROS overpressurization is possible.To immediately initiate action to restore restricted coolant input capabilityto the RCS reflects the urgency.of removing the RCS from this condition.B._11With RCP operation not limited in accordance with Table 3.4.12-1, RCSoverpressurization is possible.To immediately initiate action to limit pump operation reflects the urgencyof removing the RCS from this condition.C.1, D.1, and D.2An unisolated accumulator requires isolation within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This is onlyrequired when the accumulator pressure is at or more than the maximumRCS pressure for the existing temperature allowed by the P/T limit curves.If isolation is needed and cannot be accomplished in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, RequiredAction D.1 and Required Action D.2 provide two options, either of whichmust be performed in the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. By increasing the ROSCatawba Units 1 and 2B34128RvsoN.5B 3.4.12-8Revision No. 5 LTOP SystemB 3.4.12BASESACTIONS (continued)temperature to > 21 0°F, an accumulator pressure of 678 psig cannotexceed the LTOP limits if the accumulators are fully injected.Depressurizing the accumulators below the LTOP limit also gives thisprotection.The Completion Times are based on operating experience that theseactivities can be accomplished in these time periods and on engineeringevaluations indicating that an event requiring LTOP is not likely in theallowed times.E.1IIn MODE 4 when any RCS cold leg temperature is < 210°F, with one RCSrelief valve inoperable, the RCS relief valve must be restored toOPERABLE status within a Completion Time of 7 days. Two RCS reliefvalves (in any combination of the PORVs and RHR suction relief valves)are required to provide low temperature overpressure mitigation whilewithstanding a single failure of an active component.The Completion Time considers the facts that only one of the RCS reliefvalves is required to mitigate an overpressure transient and that thelikelihood of an active failure of the remaining valve path during this timeperiod is very low.F. 1The consequences of operational events that will overpressurize the RCSare more severe at lower temperature (Ref. 7). Thus, with one of the twoRCS relief valves inoperable in MODE 5 or in MODE 6 with the head onCompletion Time to restore two valves to OPERABLE status is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.The Completion Time represents a reasonable time to investigate andrepair several types of relief valve failures without exposure to a lengthyperiod with only one OPERABLE RCS relief valve to protect againstoverpressure events.Catawba Units 1 and 2B34129RvsoN.5B 3.4.12-9Revision No. 5 LTOP SystemB 3.4.12BASESACTIONS (continued)G.1 and G.2Steps must be taken immediately to limit potential mass input into theRCS, and the RCS must be depressurized and a vent must beestablished within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> when:a. Both required RCS relief valves are inoperable; orb. A Required Action and associated Completion Time of Condition A,0, E, or F is not met; orc. The LTOP System is inoperable for any reason other thanCondition A, C, D, E, or F.The Reference 3 analyses demonstrate that with the mass input into theRCS reduced to that of one injection pump (charging or safety injection)an RCS vent of> 4.5 square inches can maintain RCS pressure belowlimits. Therefore the Condition requires action to be taken immediately toreduce the input to that of one injection pump (charging or safety injection)prior to commencing RCS pressure reduction and establishing therequired RCS vent. This action is needed to protect the RCPB from a lowtemperature overpressure event and a possible brittle fracture of thereactor vessel.The capacity of a vent this size is greater than the flow of the limitingtransient for the LTOP configuration, one charging pump or one safetyinjection pump OPERABLE, maintaining RCS pressure less than themaximum pressure on the P/T limit curve. The required vent capacitymay be provided by one or more vent paths. The vent path(s) must beabove the level of reactor coolant, so as not to drain the RCS when open.The RCS vent size will be re-evaluated for compliance each time the P/Tlimit curves are revised based on the results of the vessel materialsu rveil lance.The ROS vent is passive and is not subject to active failure.The Completion Time considers the time required to place the plant in thisCondition and the relatively low probability of an overpressure eventduring this time period due to increased operator awareness ofadministrative control requirements.Catawba Units 1 and 2 B341-0Rvso oB 3.4.12-10Revision No. 5 LTOP SystemB 3.4.12BASESACTIONS (continued)G.3The ROS vent of > 4.5 square inches is proven OPERABLE by verifyingits open condition either:a. Once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for a valve that is not locked, (valves that aresealed or secured in the open position are considered "locked" inthis context); orb. Once every 31 days for other vent path(s) (e.g., a vent valve that islocked, sealed or secured in position or a removed pressurizersafety valve or open manway also fits this category).The passive vent valve arrangement must only be open to beOPERABLE. This Required Action is required to be performed if the ventis being used to satisfy the pressure relief requirements of RequiredAction G.2.Catawba Units 1 and 2 B341-1Rvso oB 3.4.12-11Revision No. 5 LTOP SystemB 3.4.12BASESSURVEILLANCE SR 3.4.12.1 and SR 3.4.12.2REQU IREMENTSTo minimize the potential for a low temperature overpressure event bylimiting the mass input capability, a maximum of two pumps (chargingand/or safety injection) are verified capable of injecting into the RCS andthe accumulator discharge isolation valves are verified closed and powerremoved.The pumps are rendered incapable of injecting into the RCS throughremoving the power from the pumps by racking the breakers out underadministrative control. An alternate method of LTOP control may beemployed using at least two independent means to prevent a pump startsuch that a single failure or single action will not result in an injection intothe RCS. This may be accomplished through two valves in the dischargeflow path being closed.The Surveillance Frequency is based on operating experience, equipmentreliability, and plant risk and is controlled under the SurveillanceFrequency Control Program.SR 3.4.12.3Each required RHR suction relief valve shall be demonstratedOPERABLE by verifying its RHR suction isolation valves are open and bytesting it in accordance with the Inservice Testing Program. ThisSurveillance is only required to be performed if the RHR suction reliefvalve is being used to meet this LCO.The RHR suction isolation valves are verified to be opened. TheSurveillance Frequency is based on operating experience, equipmentreliability, and plant risk and is controlled under the SurveillanceFrequency Control Program.The ASME Code (Ref. 9), test per Inservice Testing Program verifiesOPERABILITY by proving relief valve mechanical motion and bymeasuring and,. if required, adjusting the lift setpoint.SR 3.4.12.4The PORV block valve must be verified open to provide the flow path foreach required PORV to perform its function when actuated. The valvemust be remotely verified open in the main control room. ThisSurveillance is performed if the PORV satisfies the LCO.The block valve is a remotely controlled, motor operated valve. TheCatawba Units 1 and 2 B341-2Rvso oB 3.4.12-12 LTOP SystemB 3.4.12BASESSURVEILLANCE REQUIREMENTS (continued)power to the valve operator is not required removed, and the manualoperator is not required locked in the inactive position. Thus, the blockvalve can be closed in the event the PORV develops excessive leakageor does not close (sticks open) after relieving an overpressure situation.The Surveillance Frequency is based on operating experience, equipmentreliability, and plant risk and is controlled under the SurveillanceFrequency Control Program.SR 3.4.12.5Performance of a COT is required within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after decreasing RCStemperature to < 21 0°F and periodically on each required PORV to verifyand, as necessary, adjust its lift setpoint. The COT will verify the setpointis within the allowed maximum limits. PORV actuation could depressurizethe RCS and is not required. The Surveillance Frequency is based onoperating experience, equipment reliability, and plant risk and is controlledunder the Surveillance Frequency Control Program.The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency considers the unlikelihood of a low temperatureoverpressure event during this time.A Note has been added indicating that this SR is required to be met12 hours after decreasing RCS cold leg temperature to < 210°F. TheCOT cannot be performed until in the LTOP MODES when the PORV liftsetpoint can be reduced to the LTOP setting. The test must be performedwithin 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after entering the LTOP MODES.SR 3.4.12.6Performance of a CHANNEL CALIBRATION on each required PORVactuation channel is required to adjust the whole channel so that itresponds and the valve opens within the required range and accuracy toknown input. The Surveillance Frequency is based on operatingexperience, equipment reliability, and plant risk and is controlled under theSurveillance Frequency Control Program.Catawba Units 1 and 2 B341-3Rvso oB 3.4.12-13Revision No. 5 LTOP SystemB 3.4.12BAS ESSURVEILLANCE REQUIREMENTS (continued)SR 3.4.12.7Each required RHR suction relief valve shall be demonstratedOPERABLE by verifying its RHR suction isolation valves are open and bytesting it in accordance with the Inservice Testing Program. (Refer to SR3.4.12.3 for the RHR suction isolation valves Surveillance and for adescription of the Inservice Testing Program.) This Surveillance is onlyrequired to be performed if the RHR suction relief valve is being used tomeet this LCO.The RHR suction isolation valves are verified open, with power to thevalve operator removed and locked in the removed position, to ensurethat accidental closure will not occur. The "locked open in the removedposition" power supply must be locally verified in its open position with thepower supply to the valve locked in its inactive position. The SurveillanceFrequency is based on operating experience, equipment reliability, andplant risk and is controlled under the Surveillance Frequency ControlProgram.REFERENCES 1. 10 CFR 50, Appendix G.2. Generic Letter 88-1 1.3. UFSAR, Section 5.24. 10 CFR 50, Section 50.46.5. 10 CFR 50, Appendix K.6. 10 CFR 50.36, Technical Specifications, (c)(2)(ii).7. Generic Letter 90-06.8. ASME, Boiler and Pressure Vessel Code,Section III.9. ASME Code for Operation and Maintenance of Nuclear PowerPlants.Catawba Units 1 and 2 B341-4Rvso oB 3.4.12-14Revision No. 5