|
|
| Line 17: |
Line 17: |
|
| |
|
| =Text= | | =Text= |
| {{#Wiki_filter:LIST OF EFFECTIVE PAGES PAGE REV. NO. PAGE REV. NO. PAGE REV. NO. | | {{#Wiki_filter:}} |
| Bi 111 B 3.1.4-2 73 B 3.3.1.1-15 97 B ii 111 B 3.1.4-3 73 B 3.3.1.1-16 98 B iii 111 B 3.1.4-4 93 B 3.3.1.1-17 98 B 3.1.4-5 73 B 3.3.1.1-18 87 B 2.1.1-1 73 B 3.1.4-6 92 B 3.3.1.1-19 87 B 2.1.1-2 100 B 3.1.5-1 73 B 3.3.1.1-20 87 B 2.1.1-3 73 B 3.1.5-2 73 B 3.3.1.1-21 87 B 2.1.1-4 87 B 3.1.5-3 73 B 3.3.1.1-22 87 B 2.1.2-1 73 B 3.1.5-4 102 B 3.3.1.1-23 93 B 2.1.2-2 103 B 3.1.5-5 73 B 3.3.1.1-24 93 B 3.1.6-1 73 B 3.3.1.1-25 93 B 3.0-1 91 B 3.1.6-2 73 B 3.3.1.1-26 93 B 3.0-2 73 B 3.1.6-3 73 B 3.3.1.1-27 98 B 3.0-3 73 B 3.1.6-4 93 B 3.3.1.1-28 98 B 3.0-4 73 B 3.1.7-1 87 B 3.3.1.1-29 103 B 3.0-5 73 B 3.1.7-2 87 B 3.3.1.1-30 93 B 3.0-6 73 B 3.1.7-3 93 B 3.3.1.1-31 93 B 3.0-7 82 B 3.1.7-4 93 B 3.3.1.1-32 93 B 3.0-8 73 B 3.1.7-5 101 B 3.3.1.2-1 87 B 3.0-9 73 B 3.1.7-6 92 B 3.3.1.2-2 73 B 3.0-10 91 B 3.1.8-1 73 B 3.3.1.2-3 73 B 3.0-11 91 B 3.1.8-2 73 B 3.3.1.2-4 73 B 3.0-12 91 B 3.1.8-3 93 B 3.3.1.2-5 93 B 3.0-13 91 B 3.1.8-4 93 B 3.3.1.2-6 93 B 3.0-14 91 B 3.3.1.2-7 93 B 3.0-15 110 B 3.2.1-1 98 B 3.3.1.2-8 93 B 3.0-16 110 B 3.2.1-2 93 B 3.3.2.1-1 87 B 3.0-17 110 B 3.2.1-3 87 B 3.3.2.1-2 87 B 3.0-18 110 B 3.2.2-1 103 B 3.3.2.1-3 87 B 3.0-19 110 B 3.2.2-2 87 B 3.3.2.1-4 73 B 3.0-20 110 B 3.2.2-3 93 B 3.3.2.1-5 73 B 3.2.2-4 87 B 3.3.2.1-6 73 B 3.1.1-1 73 B 3.2.3-1 87 B 3.3.2.1-7 93 B 3.1.1-2 73 B 3.2.3-2 87 B 3.3.2.1-8 93 B 3.1.1-3 73 B 3.2.3-3 93 B 3.3.2.1-9 93 B 3.1.1-4 73 B 3.2.3-4 87 B 3.3.2.1-10 93 B 3.1.1-5 73 B.3.3.2.1-11 93 B 3.1.2-1 73 B 3.3.1.1-1 97 B 3.3.2.2-1 98 B 3.1.2-2 73 B 3.3.1.1-2 97 B 3.3.2.2-2 73 B 3.1.2-3 73 B 3.3.1.1-3 97 B 3.3.2.2-3 73 B 3.1.2-4 73 B 3.3.1.1-4 97 B 3.3.2.2-4 93 B 3.1.3-1 73 B 3.3.1.1-5 97 B 3.3.2.2-5 93 B 3.1.3-2 73 B 3.3.1.1-6 97 B 3.3.2.2-6 93 B 3.1.3-3 73 B 3.3.1.1-7 97 B 3.3.3.1-1 73 B 3.1.3-4 73 B 3.3.1.1-8 97 B 3.3.3.1-2 73 B 3.1.3-5 73 B 3.3.1.1-9 97 B 3.3.3.1-3 73 B 3.1.3-6 73 B 3.3.1.1-10 89 B 3.3.3.1-4 73 B 3.1.3-7 93 B 3.3.1.1-11 89 B 3.3.3.1-5 108 B 3.1.3-8 73 B 3.3.1.1-12 87 B 3.3.3.1-6 91 B 3.1.3-9 73 B 3.3.1.1-13 100 B 3.3.3.1-7 73 B 3.1.4-1 87 B 3.3.1.1-14 100 B 3.3.3.1-8 93 TSB LEP-1 Revision No. 113
| |
| | |
| LIST OF EFFECTIVE PAGES PAGE REV. NO. PAGE REV. NO. PAGE REV. NO.
| |
| B 3.3.3.1-9 93 B 3.3.5.1-29 73 B 3.3.6.1-27 73 B 3.3.3.2-1 73 B 3.3.5.1-30 73 B 3.3.6.1-28 73 B 3.3.3.2-2 73 B 3.3.5.1-31 93 B 3.3.6.1-29 73 B 3.3.3.2-3 73 B 3.3.5.1-32 93 B 3.3.6.1-30 73 B 3.3.3.2-4 93 B 3.3.5.1-33 73 B 3.3.6.1-31 73 B 3.3.3.2-5 93 B 3.3.5.2-1 111 B 3.3.6.1-32 93 B 3.3.4.1-1 73 B 3.3.5.2-2 111 B 3.3.6.1-33 93 B 3.3.4.1-2 98 B 3.3.5.2-3 111 B 3.3.6.1-34 93 B 3.3.4.1-3 98 B 3.3.5.2-4 111 B 3.3.6.2-1 73 B 3.3.4.1-4 98 B 3.3.5.2-5 111 B 3.3.6.2-2 73 B 3.3.4.1-5 73 B 3.3.5.2-6 111 B 3.3.6.2-3 111 B 3.3.4.1-6 98 B 3.3.5.2-7 111 B 3.3.6.2-4 73 B 3.3.4.1-7 98 B 3.3.5.2-8 111 B 3.3.6.2-5 111 B 3.3.4.1-8 93 B 3.3.5.2-9 111 B 3.3.6.2-6 111 B 3.3.4.1-9 93 B 3.3.5.2-10 111 B 3.3.6.2-7 73 B 3.3.4.2-1 73 B 3.3.5.2-11 111 B 3.3.6.2-8 93 B 3.3.4.2-2 73 B 3.3.5.3-1 111 B 3.3.6.2-9 93 B 3.3.4.2-3 73 B 3.3.5.3-2 111 B 3.3.6.2-10 93 B 3.3.4.2-4 73 B 3.3.5.3-3 111 B 3.3.7.1-1 73 B 3.3.4.2-5 73 B 3.3.5.3-4 111 B 3.3.7.1-2 73 B 3.3.4.2-6 93 B 3.3.5.3-5 111 B 3.3.7.1-3 111 B 3.3.4.2-7 93 B 3.3.5.3-6 111 B 3.3.7.1-4 111 B 3.3.4.2-8 93 B 3.3.5.3-7 111 B 3.3.7.1-5 73 B 3.3.5.1-1 73 B 3.3.5.3-8 111 B 3.3.7.1-6 73 B 3.3.5.1-2 73 B 3.3.5.3-9 111 B 3.3.7.1-7 93 B 3.3.5.1-3 73 B 3.3.6.1-1 73 B 3.3.7.1-8 93 B 3.3.5.1-4 73 B 3.3.6.1-2 73 B 3.3.7.1-9 73 B 3.3.5.1-5 73 B 3.3.6.1-3 113 B 3.3.8.1-1 78 B 3.3.5.1-6 73 B 3.3.6.1-4 73 B 3.3.8.1-2 73 B 3.3.5.1-7 73 B 3.3.6.1-5 73 B 3.3.8.1-3 73 B 3.3.5.1-8 111 B 3.3.6.1-6 111 B 3.3.8.1-4 73 B 3.3.5.1-9 73 B 3.3.6.1-7 100 B 3.3.8.1-5 78 B 3.3.5.1-10 73 B 3.3.6.1-8 73 B 3.3.8.1-6 73 B 3.3.5.1-11 111 B 3.3.6.1-9 73 B 3.3.8.1-7 73 B 3.3.5.1-12 111 B 3.3.6.1-10 73 B 3.3.8.1-8 93 B 3.3.5.1-13 111 B 3.3.6.1-11 73 B 3.3.8.1-9 93 B 3.3.5.1-14 111 B 3.3.6.1-12 113 B 3.3.8.2-1 73 B 3.3.5.1-15 73 B 3.3.6.1-13 73 B 3.3.8.2-2 73 B 3.3.5.1-16 111 B 3.3.6.1-14 73 B 3.3.8.2-3 73 B 3.3.5.1-17 111 B 3.3.6.1-15 73 B 3.3.8.2-4 90 B 3.3.5.1-18 111 B 3.3.6.1-16 73 B 3.3.8.2-5 90 B 3.3.5.1-19 82 B 3.3.6.1-17 73 B 3.3.8.2-6 93 B 3.3.5.1-20 111 B 3.3.6.1-18 73 B 3.3.8.2-7 93 B 3.3.5.1-21 73 B 3.3.6.1-19 73 B 3.3.5.1-22 73 B 3.3.6.1-20 73 B 3.4.1-1 73 B 3.3.5.1-23 111 B 3.3.6.1-21 73 B 3.4.1-2 73 B 3.3.5.1-24 73 B 3.3.6.1-22 73 B 3.4.1-3 87 B 3.3.5.1-25 111 B 3.3.6.1-23 111 B 3.4.1-4 87 B 3.3.5.1-26 73 B 3.3.6.1-24 111 B 3.4.1-5 93 B 3.3.5.1-27 111 B 3.3.6.1-25 73 B 3.4.2-1 73 B 3.3.5.1-28 73 B 3.3.6.1-26 73 B 3.4.2-2 73 TSB LEP-2 Revision No. 113
| |
| | |
| LIST OF EFFECTIVE PAGES PAGE REV. NO. PAGE REV. NO. PAGE REV. NO.
| |
| B 3.4.2-3 93 B 3.4.11-9 73 B 3.6.1.3-4 73 B 3.4.2-4 73 B 3.4.12-1 73 B 3.6.1.3-5 73 B 3.4.3-1 73 B 3.4.12-2 93 B 3.6.1.3-6 73 B 3.4.3-2 95 B 3.6.1.3-7 73 B 3.4.3-3 101 B 3.5.1-1 111 B 3.6.1.3-8 93 B 3.4.3-4 96 B 3.5.1-2 73 B 3.6.1.3-9 93 B 3.4.4-1 73 B 3.5.1-3 73 B 3.6.1.3-10 101 B 3.4.4-2 95 B 3.5.1-4 106 B 3.6.1.3-11 101 B 3.4.4-3 101 B 3.5.1-5 111 B 3.6.1.3-12 93 B 3.4.4-4 96 B 3.5.1-6 90 B 3.6.1.3-13 73 B 3.4.4-5 96 B 3.5.1-7 90 B 3.6.1.4-1 73 B 3.4.5-1 73 B 3.5.1-8 90 B 3.6.1.4-2 93 B 3.4.5-2 73 B 3.5.1-9 105 B 3.6.1.5-1 73 B 3.4.5-3 73 B 3.5.1-10 106 B 3.6.1.5-2 105 B 3.4.5-4 93 B 3.5.1-11 106 B 3.6.1.5-3 90 B 3.4.5-5 93 B 3.5.1-12 106 B 3.6.1.5-4 105 B 3.4.6-1 73 B 3.5.1-13 105 B 3.6.1.5-5 105 B 3.4.6-2 73 B 3.5.1-14 105 B 3.6.1.6-1 73 B 3.4.6-3 73 B 3.5.1-15 105 B 3.6.1.6-2 73 B 3.4.6-4 101 B 3.5.2-1 111 B 3.6.1.6-3 73 B 3.4.6-5 73 B 3.5.2-2 111 B 3.6.1.6-4 90 B 3.4.7-1 73 B 3.5.2-3 111 B 3.6.1.6-5 101 B 3.4.7-2 73 B 3.5.2-4 111 B 3.6.1.6-6 93 B 3.4.7-3 73 B 3.5.2-5 111 B 3.6.1.7-1 73 B 3.4.7-4 73 B 3.5.2-6 111 B 3.6.1.7-2 73 B 3.4.7-5 73 B 3.5.2-7 111 B 3.6.1.7-3 90 B 3.4.7-6 93 B 3.5.2-8 111 B 3.6.1.7-4 90 B 3.4.7-7 93 B 3.5.2-9 111 B 3.6.1.7-5 93 B 3.4.8-1 73 B 3.5.3-1 111 B 3.6.1.7-6 93 B 3.4.8-2 73 B 3.5.3-2 111 B 3.6.2.1-1 73 B 3.4.8-3 93 B 3.5.3-3 111 B 3.6.2.1-2 73 B 3.4.8-4 73 B 3.5.3-4 111 B 3.6.2.1-3 73 B 3.4.9-1 105 B 3.5.3-5 105 B 3.6.2.1-4 93 B 3.4.9-2 73 B 3.5.3-6 111 B 3.6.2.1-5 73 B 3.4.9-3 73 B 3.6.2.2-1 73 B 3.4.9-4 105 B 3.6.1.1-1 73 B 3.6.2.2-2 111 B 3.4.9-5 105 B 3.6.1.1-2 73 B 3.6.2.2-3 93 B 3.4.9-6 105 B 3.6.1.1-3 73 B 3.6.2.3-1 73 B 3.4.10-1 105 B 3.6.1.1-4 93 B 3.6.2.3-2 105 B 3.4.10-2 73 B 3.6.1.1-5 93 B 3.6.2.3-3 90 B 3.4.10-3 73 B 3.6.1.1-6 73 B 3.6.2.3-4 105 B 3.4.10-4 105 B 3.6.1.2-1 73 B 3.6.2.3-5 105 B 3.4.10-5 105 B 3.6.1.2-2 73 B 3.6.3.2-1 73 B 3.4.11-1 73 B 3.6.1.2-3 73 B 3.6.3.2-2 73 B 3.4.11-2 73 B 3.6.1.2-4 73 B 3.6.3.2-3 73 B 3.4.11-3 73 B 3.6.1.2-5 73 B 3.6.3.2-4 93 B 3.4.11-4 73 B 3.6.1.2-6 93 B 3.6.3.3-1 73 B 3.4.11-5 73 B 3.6.1.2-7 73 B 3.6.3.3-2 93 B 3.4.11-6 93 B 3.6.1.3-1 73 B 3.6.4.1-1 73 B 3.4.11-7 73 B 3.6.1.3-2 73 B 3.6.4.1-2 111 B 3.4.11-8 93 B 3.6.1.3-3 111 B 3.6.4.1-3 111 TSB LEP-3 Revision No. 113
| |
| | |
| LIST OF EFFECTIVE PAGES PAGE REV. NO. PAGE REV. NO. PAGE REV. NO.
| |
| B 3.6.4.1-4 109 B 3.8.1-6 73 B 3.8.4-7 73 B 3.6.4.1-5 109 B 3.8.1-7 73 B 3.8.4-8 90 B 3.6.4.2-1 73 B 3.8.1-8 73 B 3.8.4-9 93 B 3.6.4.2-2 111 B 3.8.1-9 104 B 3.8.4-10 93 B 3.6.4.2-3 73 B 3.8.1-10 104 B 3.8.5-1 111 B 3.6.4.2-4 111 B 3.8.1-11 104 B 3.8.5-2 111 B 3.6.4.2-5 101 B 3.8.1-12 73 B 3.8.5-3 73 B 3.6.4.2-6 93 B 3.8.1-13 82 B 3.8.5-4 111 B 3.6.4.3-1 73 B 3.8.1-14 73 B 3.8.6-1 80 B 3.6.4.3-2 73 B 3.8.1-15 93 B 3.8.6-2 73 B 3.6.4.3-3 111 B 3.8.1-16 107 B 3.8.6-3 73 B 3.6.4.3-4 111 B 3.8.1-17 93 B 3.8.6-4 73 B 3.6.4.3-5 111 B 3.8.1-18 93 B 3.8.6-5 73 B 3.6.4.3-6 93 B 3.8.1-19 93 B 3.8.6-6 93 B 3.8.1-20 93 B 3.8.6-7 93 B 3.7.1-1 75 B 3.8.1-21 73 B 3.8.6-8 112 B 3.7.1-2 73 B 3.8.1-22 93 B 3.8.6-9 112 B 3.7.1-3 86 B 3.8.1-23 93 B 3.8.7-1 73 B 3.7.1-4 88 B 3.8.1-24 73 B 3.8.7-2 73 B 3.7.1-5 90 B 3.8.1-25 93 B 3.8.7-3 73 B 3.7.1-6 93 B 3.8.1-26 93 B 3.8.7-4 73 B 3.7.1-7 93 B 3.8.1-27 73 B 3.8.7-5 73 B 3.7.2-1 88 B 3.8.1-28 93 B 3.8.7-6 90 B 3.7.2-2 93 B 3.8.1-29 93 B 3.8.7-7 90 B 3.7.2-3 93 B 3.8.1-30 93 B 3.8.7-8 93 B 3.7.3-1 73 B 3.8.1-31 93 B 3.8.7-9 90 B 3.7.3-2 85 B 3.8.1-32 93 B 3.8.8-1 111 B 3.7.3-3 111 B 3.8.1-33 93 B 3.8.8-2 111 B 3.7.3-4 90 B 3.8.1-34 93 B 3.8.8-3 111 B 3.7.3-5 111 B 3.8.1-35 107 B 3.7.3-6 111 B 3.8.2-1 111 B 3.9.1-1 73 B 3.7.3-7 93 B 3.8.2-2 111 B 3.9.1-2 73 B 3.7.3-8 90 B 3.8.2-3 111 B 3.9.1-3 93 B 3.7.4-1 84 B 3.8.2-4 111 B 3.9.2-1 73 B 3.7.4-2 111 B 3.8.2-5 111 B 3.9.2-2 73 B 3.7.4-3 90 B 3.8.3-1 73 B 3.9.2-3 93 B 3.7.4-4 111 B 3.8.3-2 73 B 3.9.3-1 73 B 3.7.5-1 73 B 3.8.3-3 73 B 3.9.3-2 93 B 3.7.5-2 90 B 3.8.3-4 73 B 3.9.4-1 73 B 3.7.5-3 93 B 3.8.3-5 73 B 3.9.4-2 73 B 3.7.6-1 98 B 3.8.3-6 93 B 3.9.4-3 73 B 3.7.6-2 93 B 3.8.3-7 73 B 3.9.4-4 99 B 3.7.6-3 93 B 3.8.3-8 93 B 3.9.5-1 73 B 3.7.7-1 73 B 3.8.3-9 93 B 3.9.5-2 93 B 3.7.7-2 93 B 3.8.3-10 73 B 3.9.6-1 73 B 3.8.4-1 73 B 3.9.6-2 93 B 3.8.1-1 73 B 3.8.4-2 73 B 3.9.7-1 73 B 3.8.1-2 73 B 3.8.4-3 73 B 3.9.7-2 93 B 3.8.1-3 73 B 3.8.4-4 73 B 3.9.8-1 105 B 3.8.1-4 76 B 3.8.4-5 73 B 3.9.8-2 105 B 3.8.1-5 83 B 3.8.4-6 73 B 3.9.8-3 105 TSB LEP-4 Revision No. 113
| |
| | |
| LIST OF EFFECTIVE PAGES PAGE REV. NO. PAGE REV. NO. PAGE REV. NO.
| |
| B 3.9.8-4 105 B 3.9.8-5 105 B 3.9.9-1 105 B 3.9.9-2 73 B 3.9.9-3 105 B 3.9.9-4 105 B 3.9.9-5 105 B 3.9.10-1 73 B 3.9.10-2 73 B 3.10.1-1 73 B 3.10.1-2 111 B 3.10.1-3 73 B 3.10.1-4 73 B 3.10.1-5 73 B 3.10.2-1 73 B 3.10.2-2 73 B 3.10.2-3 73 B 3.10.2-4 93 B 3.10.3-1 73 B 3.10.3-2 73 B 3.10.3-3 73 B 3.10.3-4 93 B 3.10.4-1 73 B 3.10.4-2 73 B 3.10.4-3 73 B 3.10.4-4 73 B 3.10.4-5 93 B 3.10.5-1 73 B 3.10.5-2 73 B 3.10.5-3 73 B 3.10.5-4 93 B 3.10.6-1 73 B 3.10.6-2 73 B 3.10.6-3 93 B 3.10.7-1 73 B 3.10.7-2 73 B 3.10.7-3 73 B 3.10.8-1 73 B 3.10.8-2 87 B 3.10.8-3 73 B 3.10.8-4 93 B 3.10.8-5 93 TSB LEP-5 Revision No. 113
| |
| | |
| TABLE OF CONTENTS B 2.0 SAFETY LIMITS (SLs)
| |
| B 2.1.1 Reactor Core SLs ..................................................................................... B 2.1.1-1 B 2.1.2 Reactor Coolant System (RCS) Pressure SL ........................................... B 2.1.2-1 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY .......... B 3.0-1 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY ........................ B 3.0-10 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.1 SHUTDOWN MARGIN (SDM) .................................................................. B 3.1.1-1 B 3.1.2 Reactivity Anomalies ................................................................................ B 3.1.2-1 B 3.1.3 Control Rod OPERABILITY ...................................................................... B 3.1.3-1 B 3.1.4 Control Rod Scram Times ........................................................................ B 3.1.4-1 B 3.1.5 Control Rod Scram Accumulators ............................................................ B 3.1.5-1 B 3.1.6 Rod Pattern Control .................................................................................. B 3.1.6-1 B 3.1.7 Standby Liquid Control (SLC) System ...................................................... B 3.1.7-1 B 3.1.8 Scram Discharge Volume (SDV) Vent and Drain Valves ......................... B 3.1.8-1 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.1 AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)........................................................................................... B 3.2.1-1 B 3.2.2 MINIMUM CRITICAL POWER RATIO (MCPR) ....................................... B 3.2.2-1 B 3.2.3 LINEAR HEAT GENERATION RATE (LHGR) ......................................... B 3.2.3-1 B 3.2.4 Deleted ....................................................................................................................
| |
| B 3.3 INSTRUMENTATION B 3.3.1.1 Reactor Protection System (RPS) Instrumentation ............................... B 3.3.1.1-1 B 3.3.1.2 Source Range Monitor (SRM) Instrumentation ..................................... B 3.3.1.2-1 B 3.3.1.3 Deleted ....................................................................................................................
| |
| B 3.3.2.1 Control Rod Block Instrumentation ........................................................ B 3.3.2.1-1 B 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation ... B 3.3.2.2-1 B 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation .................................. B 3.3.3.1-1 B 3.3.3.2 Remote Shutdown System .................................................................... B 3.3.3.2-1 B 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT) Instrumentation...... B 3.3.4.1-1 B 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation .......................................................... B 3.3.4.2-1 B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation .................. B 3.3.5.1-1 B 3.3.5.2 Reactor Pressure Vessel (RPV) Water Inventory Control Instrumentation ................................................................... B 3.3.5.2-1 B 3.3.5.3 Reactor Core Isolation Cooling (RCIC) System Instrumentation ........... B 3.3.5.3-1 B 3.3.6.1 Primary Containment Isolation Instrumentation ..................................... B 3.3.6.1-1 B 3.3.6.2 Secondary Containment Isolation Instrumentation ................................ B 3.3.6.2-1 B 3.3.7.1 Control Room Emergency Filtration (CREF) System Instrumentation .. B 3.3.7.1-1 B 3.3.8.1 Loss of Power (LOP) Instrumentation ................................................... B 3.3.8.1-1 B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring ............... B 3.3.8.2-1 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.1 Recirculation Loops Operating ................................................................. B 3.4.1-1 B 3.4.2 Jet Pumps................................................................................................. B 3.4.2-1 B 3.4.3 Safety/Relief Valves (SRVs) - 25% RTP ............................................... B 3.4.3-1 Columbia Generating Station Bi Rev. 111
| |
| | |
| TABLE OF CONTENTS B 3.4.4 Safety/Relief Valves (SRVs) - < 25% RTP ................................................B 3.4.4-1 B 3.4.5 RCS Operational LEAKAGE .....................................................................B 3.4.5-1 B 3.4 REACTOR COOLANT SYSTEM (RCS) (continued)
| |
| B 3.4.6 RCS Pressure Isolation Valve (PIV) Leakage ...........................................B 3.4.6-1 B 3.4.7 RCS Leakage Detection Instrumentation ..................................................B 3.4.7-1 B 3.4.8 RCS Specific Activity .................................................................................B 3.4.8-1 B 3.4.9 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown .......................................................................B 3.4.9-1 B 3.4.10 Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown ...................................................................B 3.4.10-1 B 3.4.11 RCS Pressure and Temperature (P/T) Limits .........................................B 3.4.11-1 B 3.4.12 Reactor Steam Dome Pressure ..............................................................B 3.4.12-1 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS), RPV WATER INVENTORY CONTROL, AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM B 3.5.1 ECCS - Operating .....................................................................................B 3.5.1-1 B 3.5.2 Reactor Pressure Vessel (RPV) Water Inventory Control .........................B 3.5.2-1 B 3.5.3 RCIC System.............................................................................................B 3.5.3-1 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.1 Primary Containment..............................................................................B 3.6.1.1-1 B 3.6.1.2 Primary Containment Air Lock................................................................B 3.6.1.2-1 B 3.6.1.3 Primary Containment Isolation Valves (PCIVs) ......................................B 3.6.1.3-1 B 3.6.1.4 Drywell Air Temperature.........................................................................B 3.6.1.4-1 B 3.6.1.5 Residual Heat Removal (RHR) Drywell Spray .......................................B 3.6.1.5-1 B 3.6.1.6 Reactor Building-to-Suppression Chamber Vacuum Breakers ..............B 3.6.1.6-1 B 3.6.1.7 Suppression Chamber-to-Drywell Vacuum Breakers .............................B 3.6.1.7-1 B 3.6.2.1 Suppression Pool Average Temperature ...............................................B 3.6.2.1-1 B 3.6.2.2 Suppression Pool Water Level ...............................................................B 3.6.2.2-1 B 3.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling ....................B 3.6.2.3-1 B 3.6.3.1 Deleted B 3.6.3.2 Primary Containment Atmosphere Mixing System .................................B 3.6.3.2-1 B 3.6.3.3 Primary Containment Oxygen Concentration .........................................B 3.6.3.3-1 B 3.6.4.1 Secondary Containment .........................................................................B 3.6.4.1-1 B 3.6.4.2 Secondary Containment Isolation Valves (SCIVs) .................................B 3.6.4.2-1 B 3.6.4.3 Standby Gas Treatment (SGT) System .................................................B 3.6.4.3-1 B 3.7 PLANT SYSTEMS B 3.7.1 Standby Service Water (SW) System and Ultimate Heat Sink (UHS) ..........................................................................................B 3.7.1-1 B 3.7.2 High Pressure Core Spray (HPCS) Service Water (SW) System .............B 3.7.2-1 B 3.7.3 Control Room Emergency Filtration (CREF) System ................................B 3.7.3-1 B 3.7.4 Control Room Air Conditioning (AC) System ............................................B 3.7.4-1 B 3.7.5 Main Condenser Offgas ............................................................................B 3.7.5-1 B 3.7.6 Main Turbine Bypass System....................................................................B 3.7.6-1 B 3.7.7 Spent Fuel Storage Pool Water Level .......................................................B 3.7.7-1 Columbia Generating Station B ii Rev. 111
| |
| | |
| TABLE OF CONTENTS B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources - Operating ........................................................................... B 3.8.1-1 B 3.8.2 AC Sources - Shutdown ........................................................................... B 3.8.2-1 B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air ................................................ B 3.8.3-1 B 3.8.4 DC Sources - Operating ........................................................................... B 3.8.4-1 B 3.8.5 DC Sources - Shutdown ........................................................................... B 3.8.5-1 B 3.8.6 Battery Cell Parameters ........................................................................... B 3.8.6-1 B 3.8.7 Distribution Systems - Operating .............................................................. B 3.8.7-1 B 3.8.8 Distribution Systems - Shutdown .............................................................. B 3.8.8-1 B 3.9 REFUELING OPERATIONS B 3.9.1 Refueling Equipment Interlocks ................................................................ B 3.9.1-1 B 3.9.2 Refuel Position One-Rod-Out Interlock .................................................... B 3.9.2-1 B 3.9.3 Control Rod Position................................................................................. B 3.9.3-1 B 3.9.4 Control Rod Position Indication ................................................................ B 3.9.4-1 B 3.9.5 Control Rod OPERABILITY - Refueling ................................................... B 3.9.5-1 B 3.9.6 Reactor Pressure Vessel (RPV) Water Level - Irradiated Fuel ................ B 3.9.6-1 B 3.9.7 Reactor Pressure Vessel (RPV) Water Level - New Fuel or Control Rods........................................................................... B 3.9.7-1 B 3.9.8 Residual Heat Removal (RHR) - High Water Level .................................. B 3.9.8-1 B 3.9.9 Residual Heat Removal (RHR) - Low Water Level ................................... B 3.9.9-1 B 3.9.10 Decay Time ............................................................................................ B 3.9.10-1 B 3.10 SPECIAL OPERATIONS B 3.10.1 Inservice Leak and Hydrostatic Testing Operation ................................. B 3.10.1-1 B 3.10.2 Reactor Mode Switch Interlock Testing .................................................. B 3.10.2-1 B 3.10.3 Single Control Rod Withdrawal - Hot Shutdown .................................... B 3.10.3-1 B 3.10.4 Single Control Rod Withdrawal - Cold Shutdown .................................. B 3.10.4-1 B 3.10.5 Single control Rod Drive (CRD) Removal - Refueling ........................... B 3.10.5-1 B 3.10.6 Multiple Control Rod Withdrawal - Refueling ......................................... B 3.10.6-1 B 3.10.7 Control Rod Testing - Operating ............................................................ B 3.10.7-1 B 3.10.8 SHUTDOWN MARGIN (SDM) Test - Refueling .................................... B 3.10.8-1 Columbia Generating Station B iii Rev. 111
| |
| | |
| Reactor Core SLs B 2.1.1 B 2.0 SAFETY LIMITS (SLs)
| |
| B 2.1.1 Reactor Core SLs BASES BACKGROUND GDC 10 (Ref. 1) requires, and SLs ensure, that specified acceptable fuel design limits are not exceeded during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs).
| |
| The fuel cladding integrity SL is set such that no fuel damage is calculated to occur if the limit is not violated. Because fuel damage is not directly observable, a stepback approach is used to establish an SL, such that the Minimum Critical Power Ratio (MCPR) is not less than the limit specified in Specification 2.1.1.2. MCPR greater than the specified limit represents a conservative margin relative to the conditions required to maintain fuel cladding integrity.
| |
| The fuel cladding is one of the physical barriers that separate the radioactive materials from the environs. The integrity of this cladding barrier is related to its relative freedom from perforations or cracking.
| |
| Although some corrosion or use related cracking may occur during the life of the cladding, fission product migration from this source is incrementally cumulative and continuously measurable. Fuel cladding perforations, however, can result from thermal stresses, which occur from reactor operation significantly above design conditions.
| |
| While fission product migration from cladding perforation is just as measurable as that from use related cracking, the thermally caused cladding perforations signal a threshold beyond which still greater thermal stresses may cause gross, rather than incremental, cladding deterioration. Therefore, the fuel cladding SL is defined with a margin to the conditions that would produce onset of transition boiling (i.e.,
| |
| MCPR = 1.00). These conditions represent a significant departure from the condition intended by design for planned operation. The MCPR fuel cladding integrity SL ensures that during normal operation and during AOOs, at least 99.9% of the fuel rods in the core do not experience transition boiling.
| |
| Operation above the boundary of the nucleate boiling regime could result in excessive cladding temperature because of the onset of transition boiling and the resultant sharp reduction in heat transfer coefficient.
| |
| Inside the steam film, high cladding temperatures are reached, and a cladding water (zirconium water) reaction may take place. This chemical reaction results in oxidation of the fuel cladding to a structurally weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of activity to the reactor coolant.
| |
| Columbia Generating Station B 2.1.1-1 Revision 73
| |
| | |
| Reactor Core SLs B 2.1.1 BASES BACKGROUND (continued)
| |
| The reactor vessel water level SL ensures that adequate core cooling capability is maintained during all MODES of reactor operation.
| |
| Establishment of Emergency Core Cooling System initiation setpoints higher than this safety limit provides margin such that the safety limit will not be reached or exceeded.
| |
| APPLICABLE The fuel cladding must not sustain damage as a result of normal SAFETY operation and AOOs. The reactor core SLs are established to preclude ANALYSES violation of the fuel design criterion that a MCPR limit is to be established, such that at least 99.9% of the fuel rods in the core would not be expected to experience the onset of transition boiling.
| |
| The Reactor Protection System setpoints (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"), in combination with other LCOs, are designed to prevent any anticipated combination of transient conditions for Reactor Coolant System water level, pressure, and THERMAL POWER level that would result in reaching the MCPR limit.
| |
| 2.1.1.1 Fuel Cladding Integrity GE critical power correlations are applicable for all critical power calculations at pressures > 686 psig and core flows > 10% of rated flow.
| |
| For operation at low pressures or low flows, another basis is used, as follows:
| |
| Since the pressure drop in the bypass region is essentially all elevation head, the core pressure drop at low power and flows will always be
| |
| > 4.5 psi. Analyses (Ref. 2) show that with a bundle flow of 28 E3 lb/hr, bundle pressure drop is nearly independent of bundle power and has a value of 3.5 psi. Thus, the bundle flow with a 4.5 psi driving head will be
| |
| > 28 E3 lb/hr. Full scale ATLAS test data taken at pressures from 14.7 psia to 800 psia indicate that the fuel assembly critical power at this flow is approximately 3.35 MWt. With the design peaking factors, this corresponds to a THERMAL POWER > 50% RTP. Thus, a THERMAL POWER limit of 25% RTP for reactor pressure < 686 psig is conservative.
| |
| Columbia Generating Station B 2.1.1-2 Revision 100
| |
| | |
| Reactor Core SLs B 2.1.1 BASES APPLICABLE SAFETY ANALYSES (continued) 2.1.1.2 MCPR The fuel cladding integrity SL is set such that no significant fuel damage is calculated to occur if the limit is not violated. Since the parameters that result in fuel damage are not directly observable during reactor operation, the thermal and hydraulic conditions that result in the onset of transition boiling have been used to mark the beginning of the region in which fuel damage could occur. Although it is recognized that the onset of transition boiling would not result in damage to BWR fuel rods, the critical power at which boiling transition is calculated to occur has been adopted as a convenient limit. However, the uncertainties in monitoring the core operating state and in the procedures used to calculate the critical power result in an uncertainty in the value of the critical power. Therefore, the fuel cladding integrity SL is defined as the critical power ratio in the limiting fuel assembly for which more than 99.9% of the fuel rods in the core are expected to avoid boiling transition, considering the power distribution within the core and all uncertainties.
| |
| The MCPR SL is determined using a statistical model that combines all the uncertainties in operating parameters and the procedures used to calculate critical power. The probability of the occurrence of boiling transition is determined using the approved GE critical power correlations.
| |
| Details of the fuel cladding integrity SL calculation are given in Reference 2. Reference 2 also includes a tabulation of the uncertainties used in the determination of the MCPR SL and of the nominal values of the parameters used in the MCPR SL statistical analysis.
| |
| 2.1.1.3 Reactor Vessel Water Level During MODES 1 and 2, the reactor vessel water level is required to be above the top of the active irradiated fuel to provide core cooling capability. With fuel in the reactor vessel during periods when the reactor is shut down, consideration must be given to water level requirements due to the effect of decay heat. If the water level should drop below the top of the active irradiated fuel during this period, the ability to remove decay heat is reduced. This reduction in cooling capability could lead to elevated cladding temperatures and clad perforation in the event that the water level becomes < 2/3 of the core height. The reactor vessel water level SL has been established at the top of the active irradiated fuel to provide a point that can be monitored and to also provide adequate margin for effective action.
| |
| Columbia Generating Station B 2.1.1-3 Revision 73
| |
| | |
| Reactor Core SLs B 2.1.1 BASES SAFETY LIMITS The reactor core SLs are established to protect the integrity of the fuel clad barrier to prevent the release of radioactive materials to the environs.
| |
| SL 2.1.1.1 and SL 2.1.1.2 ensure that the core operates within the fuel design criteria. SL 2.1.1.3 ensures that the reactor vessel water level is greater than the top of the active irradiated fuel in order to prevent elevated clad temperatures and resultant clad perforations.
| |
| APPLICABILITY SLs 2.1.1.1, 2.1.1.2, and 2.1.1.3 are applicable in all MODES.
| |
| SAFETY LIMIT Exceeding an SL may cause fuel damage and create a potential for VIOLATIONS radioactive releases in excess of 10 CFR 50.67 limits (Ref. 3). Therefore, it is required to insert all insertable control rods and restore compliance with the SL within 2 hours. The 2 hour Completion Time ensures that the operators take prompt remedial action and the probability of an accident occurring during this period is minimal.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 10.
| |
| : 2. NEDE-24011-P-A, General Electric Standard Application for Reactor Fuel,(most recent approved version referenced in COLR).
| |
| : 3. 10 CFR 50.67, Accident Source Term.
| |
| Columbia Generating Station B 2.1.1-4 Revision 87
| |
| | |
| RCS Pressure SL B 2.1.2 B 2.0 SAFETY LIMITS (SLs)
| |
| B 2.1.2 Reactor Coolant System (RCS) Pressure SL BASES BACKGROUND The SL on reactor steam dome pressure protects the RCS against overpressurization. In the event of fuel cladding failure, fission products are released into the reactor coolant. The RCS then serves as the primary barrier in preventing the release of fission products into the atmosphere. Establishing an upper limit on reactor steam dome pressure ensures continued RCS integrity. According to 10 CFR 50, Appendix A, GDC 14, "Reactor Coolant Pressure Boundary," and GDC 15, "Reactor Coolant System Design" (Ref. 1), the reactor coolant pressure boundary (RCPB) shall be designed with sufficient margin to ensure that the design conditions are not exceeded during normal operation and anticipated operational occurrences (AOOs).
| |
| During normal operation and AOOs, RCS pressure is limited from exceeding the design pressure by more than 10%, in accordance with Section III of the ASME Code (Ref. 2). To ensure system integrity, all RCS components are hydrostatically tested at 125% of design pressure, in accordance with ASME Code requirements, prior to initial operation when there is no fuel in the core. Any further hydrostatic testing with fuel in the core may be done under LCO 3.10.1, "Inservice Leak and Hydrostatic Testing Operation." Following inception of unit operation, RCS components shall be pressure tested in accordance with the requirements of ASME Code, Section XI (Ref. 3).
| |
| Overpressurization of the RCS could result in a breach of the RCPB reducing the number of protective barriers designed to prevent radioactive releases from exceeding the limits specified in 10 CFR 50.67 (Ref. 4). If this occurred in conjunction with a fuel cladding failure, the number of protective barriers designed to prevent radioactive releases from exceeding the limits would be reduced.
| |
| APPLICABLE The RCS safety/relief valves and the Reactor Protection System SAFETY Reactor Vessel Steam Dome Pressure - High Function have settings ANALYSES established to ensure that the RCS pressure SL will not be exceeded.
| |
| The RCS pressure SL has been selected such that it is at a pressure below which it can be shown that the integrity of the system is not endangered. The reactor pressure vessel is designed to ASME, Boiler and Pressure Vessel Code, Section III, 1971 Edition, including Addenda through the summer of 1971 (Ref. 5), which permits a maximum pressure transient of 110%, 1375 psig, of design pressure 1250 psig. The SL of 1325 psig, as measured in the reactor steam dome, is equivalent to Columbia Generating Station B 2.1.2-1 Revision 73
| |
| | |
| RCS Pressure SL B 2.1.2 BASES APPLICABLE SAFETY ANALYSES (continued) 1375 psig at the lowest elevation of the RCS. The RCS is designed to ASME Code, Section III, 1971 Edition, including Addenda through the summer of 1971 (Ref. 5), for the reactor recirculation piping, which permits a maximum pressure transient of 125% of design pressures of 1250 psig for suction piping and 1550 psig for discharge piping. The RCS pressure SL is selected to be the lowest transient overpressure allowed by the applicable codes.
| |
| SAFETY LIMITS The maximum transient pressure allowable in the RCS pressure vessel under the ASME Code, Section III, is 110% of design pressure. The maximum transient pressure allowable in the RCS piping, valves, and fittings is 125% of design pressures of 1250 psig for suction piping and 1550 psig for discharge piping. The most limiting of these allowances is the 110% of design pressure; therefore, the SL on maximum allowable RCS pressure is established at 1325 psig as measured at the reactor steam dome.
| |
| APPLICABILITY SL 2.1.2 applies in all MODES.
| |
| SAFETY LIMIT Exceeding the RCS pressure SL may cause RCS failure and create a VIOLATIONS potential for radioactive releases in excess of 10 CFR 50.67 limits (Ref. 4). Therefore, it is required to insert all insertable control rods and restore compliance with the SL within 2 hours. The 2 hour Completion Time ensures that the operators take prompt remedial action and the probability of an accident occurring during this period is minimal.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 14, GDC 15, and GDC 28.
| |
| : 2. ASME, Boiler and Pressure Vessel Code, Section III, Article NB-7000.
| |
| : 3. ASME, Boiler and Pressure Vessel Code, Section XI, Article IWB-5000.
| |
| : 4. 10 CFR 50.67, "Accident Source Term."
| |
| : 5. ASME, Boiler and Pressure Vessel Code, 1971 Edition, Addenda, summer of 1971.
| |
| Columbia Generating Station B 2.1.2-2 Revision 103
| |
| | |
| LCO Applicability B 3.0 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY BASES LCOs LCO 3.0.1 through LCO 3.0.9 establish the general requirements applicable to all Specifications in Sections 3.1 through 3.10 and apply at all times, unless otherwise stated.
| |
| LCO 3.0.1 LCO 3.0.1 establishes the Applicability statement within each individual Specification as the requirement for when the LCO is required to be met (i.e., when the unit is in the MODES or other specified conditions of the Applicability statement of each Specification).
| |
| LCO 3.0.2 LCO 3.0.2 establishes that upon discovery of a failure to meet an LCO, the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is applicable from the point in time that an ACTIONS Condition is entered. The Required Actions establish those remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met. This Specification establishes that:
| |
| : a. Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification; and
| |
| : b. Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise specified.
| |
| There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met. This time limit is the Completion Time to restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this type of Required Action is not completed within the specified Completion Time, a shutdown may be required to place the unit in a MODE or condition in which the Specification is not applicable. (Whether stated as a Required Action or not, correction of the entered Condition is an action that may always be considered upon entering ACTIONS.) The second type of Required Action specifies the remedial measures that permit continued operation of the unit that is not further restricted by the Completion Time. In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation.
| |
| Completing the Required Actions is not required when an LCO is met or is no longer applicable, unless otherwise stated in the individual Specifications.
| |
| Columbia Generating Station B 3.0-1 Revision 91
| |
| | |
| LCO Applicability B 3.0 BASES LCO 3.0.2 (continued)
| |
| The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Required Actions must be completed even though the associated Condition no longer exists. The individual LCO's ACTIONS specify the Required Actions where this is the case. An example of this is in LCO 3.4.11, "RCS Pressure and Temperature (P/T) Limits."
| |
| The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally. The reasons for intentionally relying on the ACTIONS include, but are not limited to, performance of Surveillances, preventive maintenance, corrective maintenance, or investigation of operational problems.
| |
| Entering ACTIONS for these reasons must be done in a manner that does not compromise safety. Intentional entry into ACTIONS should not be made for operational convenience. Alternatives that would not result in redundant equipment being inoperable should be used instead. Doing so limits the time both subsystems/divisions of a safety function are inoperable and limits the time other conditions exist which result in LCO 3.0.3 being entered. Individual Specifications may specify a time limit for performing an SR when equipment is removed from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable when this time limit expires, if the equipment remains removed from service or bypassed.
| |
| When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable. In this case, the Completion Times of the associated Required Actions would apply from the point in time that the new Specification becomes applicable and the ACTIONS Condition(s) are entered.
| |
| LCO 3.0.3 LCO 3.0.3 establishes the actions that must be implemented when an LCO is not met and:
| |
| : a. An associated Required Action and Completion Time is not met and no other Condition applies; or
| |
| : b. The condition of the unit is not specifically addressed by the associated ACTIONS. This means that no combination of Conditions stated in the ACTIONS can be made that exactly corresponds to the actual condition of the unit. Sometimes, possible combinations of Conditions are such that entering LCO 3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corresponding to such combinations and also that LCO 3.0.3 be entered immediately.
| |
| Columbia Generating Station B 3.0-2 Revision 73
| |
| | |
| LCO Applicability B 3.0 BASES LCO 3.0.3 (continued)
| |
| This Specification delineates the time limits for placing the unit in a safe MODE or other specified condition when operation cannot be maintained within the limits for safe operation as defined by the LCO and its ACTIONS. It is not intended to be used as an operational convenience that permits routine voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or components being inoperable.
| |
| Upon entering LCO 3.0.3, 1 hour is allowed to prepare for an orderly shutdown before initiating a change in unit operation. This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to reach lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the capabilities of the unit, assuming that only the minimum required equipment is OPERABLE. This reduces thermal stresses on components of the Reactor Coolant System and the potential for a plant upset that could challenge safety systems under conditions to which this Specification applies. The use and interpretation of specified times to complete the actions of LCO 3.0.3 are consistent with the discussion of Section 1.3, Completion Times.
| |
| A unit shutdown required in accordance with LCO 3.0.3 may be terminated and LCO 3.0.3 exited if any of the following occurs:
| |
| : a. The LCO is now met.
| |
| : b. A Condition exists for which the Required Actions have now been performed.
| |
| : c. ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable from the point in time that the Condition is initially entered and not from the time LCO 3.0.3 is exited.
| |
| The time limits of Specification 3.0.3 allow 37 hours for the unit to be in MODE 4 when a shutdown is required during MODE 1 operation. If the unit is in a lower MODE of operation when a shutdown is required, the time limit for reaching the next lower MODE applies. If a lower MODE is reached in less time than allowed, however, the total allowable time to reach MODE 4, or other applicable MODE, is not reduced. For example, Columbia Generating Station B 3.0-3 Revision 73
| |
| | |
| LCO Applicability B 3.0 BASES LCO 3.0.3 (continued) if MODE 2 is reached in 2 hours, then the time allowed for reaching MODE 3 is the next 11 hours, because the total time for reaching MODE 3 is not reduced from the allowable limit of 13 hours. Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to reach a lower MODE of operation in less than the total time allowed.
| |
| In MODES 1, 2, and 3, LCO 3.0.3 provides actions for Conditions not covered in other Specifications. The requirements of LCO 3.0.3 do not apply in MODES 4 and 5 because the unit is already in the most restrictive Condition required by LCO 3.0.3. The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, or 3) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.
| |
| Exceptions to LCO 3.0.3 are provided in instances where requiring a unit shutdown, in accordance with LCO 3.0.3, would not provide appropriate remedial measures for the associated condition of the unit. An example of this is in LCO 3.7.7, "Spent Fuel Pool Water Level." LCO 3.7.7 has an Applicability of "During movement of irradiated fuel assemblies in the associated fuel storage pool." Therefore, this LCO can be applicable in any or all MODES. If the LCO and the Required Actions of LCO 3.7.7 are not met while in MODE 1, 2, or 3, there is no safety benefit to be gained by placing the unit in a shutdown condition. The Required Action of LCO 3.7.7 of "Suspend movement of irradiated fuel assemblies in the spent fuel storage pool" is the appropriate Required Action to complete in lieu of the actions of LCO 3.0.3. These exceptions are addressed in the individual Specifications.
| |
| LCO 3.0.4 LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It allows placing the unit in a MODE or other specified condition stated in that Applicability (i.e., the Applicability desired to be entered) when unit conditions are such that the requirements of the LCO would not be met, in accordance with LCO 3.0.4.a, LCO 3.0.4.b, or LCO 3.0.4.c.
| |
| LCO 3.0.4.a allows entry into a MODE or other specified condition in the Applicability with the LCO not met when the associated ACTIONS to be entered permit continued operation in the MODE or other specified condition in the Applicability for an unlimited period of time. Compliance with Required Actions that permit continued operation of the unit for an unlimited period of time in a MODE or other specified condition provides Columbia Generating Station B 3.0-4 Revision 73
| |
| | |
| LCO Applicability B 3.0 BASES LCO 3.0.4 (continued) an acceptable level of safety for continued operation. This is without regard to the status of the unit before or after the MODE change.
| |
| Therefore, in such cases, entry into a MODE or other specified condition in the Applicability may be made in accordance with the provisions of the Required Action.
| |
| LCO 3.0.4.b allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate.
| |
| The risk assessment may use quantitative, qualitative, or blended approaches, and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires risk impacts of maintenance activities to be assessed and managed. The risk assessment, for the purposes of LCO 3.0.4.b, must take into account all inoperable Technical Specification equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope. The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." Regulatory Guide 1.182 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants."
| |
| These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability.
| |
| LCO 3.0.4.b may be used with single, or multiple systems and components unavailable. NUMARC 93-01 provides guidance relative to consideration of simultaneous unavailability of multiple systems and components.
| |
| Columbia Generating Station B 3.0-5 Revision 73
| |
| | |
| LCO Applicability B 3.0 BASES LCO 3.0.4 (continued)
| |
| The results of the risk assessment shall be considered in determining the acceptability of entering the MODE or other specified condition in the Applicability and any corresponding risk management actions. The LCO 3.0.4.b risk assessments do not have to be documented.
| |
| The Technical Specifications allow continued operation with equipment unavailable in MODE 1 for the duration of the Completion Time. Since this is allowable, and since in general the risk impact in that particular MODE bounds the risk of transitioning into and through the applicable MODES or other specified conditions in the Applicability of the LCO, the use of the LCO 3.0.4.b allowance should be generally acceptable, as long as the risk is assessed and managed as stated above. However, there is a small subset of systems and components that have been determined to be more important to risk and use of the LCO 3.0.4.b allowance is prohibited. The LCOs governing these system and components contain Notes prohibiting the use of LCO 3.0.4.b by stating that LCO 3.0.4.b is not applicable.
| |
| LCO 3.0.4.c allows entry into a MODE or other specified condition in the Applicability with the LCO not met based on a Note in the Specification which states LCO 3.0.4.c is applicable. These specific allowances permit entry into MODES or other specified conditions in the Applicability when the associated ACTIONS to be entered do not provide for continued operation for an unlimited period of time and a risk assessment has not been performed. This allowance may apply to all the ACTIONS or to a specific Required Action of a Specification. The risk assessments performed to justify the use of LCO 3.0.4.b usually only consider systems and components. For this reason, LCO 3.0.4.c is typically applied to Specifications, which describe values and parameters (e.g., RCS Specific Activity), and may be applied to other Specifications based on NRC plant-specific approval.
| |
| The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.
| |
| The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, and MODE 3 to MODE 4.
| |
| Columbia Generating Station B 3.0-6 Revision 73
| |
| | |
| LCO Applicability B 3.0 BASES LCO 3.0.4 (continued)
| |
| Upon entry into a MODE or other specified condition in the Applicability with the LCO not met, LCO 3.0.1 and LCO 3.0.2 require entry into the applicable Conditions and Required Actions until the Condition is resolved, until the LCO is met, or until the unit is not within the Applicability of the Technical Specification.
| |
| Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits), as permitted by SR 3.0.1. Therefore, utilizing LCO 3.0.4 is not a violation of SR 3.0.1 or SR 3.0.4 for any Surveillances that have not been performed on inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO.
| |
| LCO 3.0.5 LCO 3.0.5 establishes the allowance for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.0.2 (e.g., to not comply with the applicable Required Action(s)) to allow the performance of SRs to demonstrate:
| |
| : a. The OPERABILITY of the equipment being returned to service; or
| |
| : b. The OPERABILITY of other equipment.
| |
| The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the required testing to demonstrate OPERABILITY. This Specification does not provide time to perform any other preventive or corrective maintenance.
| |
| An example of demonstrating the OPERABILITY of the equipment being returned to service is reopening a containment isolation valve that has been closed to comply with Required Actions, and must be reopened to perform the required testing.
| |
| An example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to prevent the trip function from occurring during the performance of required testing on another channel in the other trip system. A similar example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to permit the logic to function and indicate the appropriate response during the performance of required testing on another channel in the same trip system.
| |
| Columbia Generating Station B 3.0-7 Revision 82
| |
| | |
| LCO Applicability B 3.0 BASES LCO 3.0.6 LCO 3.0.6 establishes an exception to LCO 3.0.2 for support systems that have an LCO specified in the Technical Specifications (TS). This exception is provided because LCO 3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system's LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the plant is maintained in a safe condition are specified in the support system's LCO's Required Actions. These Required Actions may include entering the supported system's Conditions and Required Actions or may specify other Required Actions.
| |
| When a support system is inoperable and there is an LCO specified for it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability. However, it is not necessary to enter into the supported systems' Conditions and Required Actions unless directed to do so by the support system's Required Actions. The potential confusion and inconsistency of requirements related to the entry into multiple support and supported systems' LCO's Conditions and Required Actions are eliminated by providing all the actions that are necessary to ensure the plant is maintained in a safe condition in the support system's Required Actions.
| |
| However, there are instances where a support system's Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system.
| |
| This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support system's Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2.
| |
| Specification 5.5.11, "Safety Function Determination Program (SFDP),"
| |
| ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO 3.0.6.
| |
| Columbia Generating Station B 3.0-8 Revision 73
| |
| | |
| LCO Applicability B 3.0 BASES LCO 3.0.6 (continued)
| |
| Cross division checks to identify a loss of safety function for those support systems that support safety systems are required. The cross division check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained. If this evaluation determines that a loss of safety function exists, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered.
| |
| LCO 3.0.7 There are certain special tests and operations required to be performed at various times over the life of the unit. These special tests and operations are necessary to demonstrate select unit performance characteristics, to perform special maintenance activities, and to perform special evolutions.
| |
| Special Operations LCOs in Section 3.10 allow specified TS requirements to be changed to permit performances of these special tests and operations, which otherwise could not be performed if required to comply with the requirements of these TS. Unless otherwise specified, all the other TS requirements remain unchanged. This will ensure all appropriate requirements of the MODE or other specified condition not directly associated with or required to be changed to perform the special test or operation will remain in effect.
| |
| The Applicability of a Special Operations LCO represents a condition not necessarily in compliance with the normal requirements of the TS.
| |
| Compliance with Special Operations LCOs is optional. A special operation may be performed either under the provisions of the appropriate Special Operations LCO or under the other applicable TS requirements. If it is desired to perform the special operation under the provisions of the Special Operations LCO, the requirements of the Special Operations LCO shall be followed. When a Special Operations LCO requires another LCO to be met, only the requirements of the LCO statement are required to be met regardless of that LCO's Applicability (i.e., should the requirements of this other LCO not be met, the ACTIONS of the Special Operations LCO apply, not the ACTIONS of the other LCO). However, there are instances where the Special Operations LCO's ACTIONS may direct the other LCO's ACTIONS be met. The Surveillances of the other LCO are not required to be met, unless specified in the Special Operations LCO. If conditions exist such that the Applicability of any other LCO is met, all the other LCO's requirements (ACTIONS and SRs) are required to be met concurrent with the requirements of the Special Operations LCO.
| |
| Columbia Generating Station B 3.0-9 Revision 73
| |
| | |
| LCO Applicability B 3.0 BASES LCO 3.0.8 LCO 3.0.8 establishes conditions under which systems are considered to remain capable of performing their intended safety function when associated snubbers are not capable of providing their associated support function(s). This LCO states that the supported system is not considered to be inoperable solely due to one or more snubbers not capable of performing their associated support function(s). This is appropriate because a limited length of time is allowed for maintenance, testing, or repair of one or more snubbers not capable of performing their associated support function(s) and appropriate compensatory measures are specified in the snubber requirements, which are located outside of the Technical Specifications under licensee control. The snubber requirements do not meet the criteria in 10 CFR 50.36(c)(2)(ii), and, as such, are appropriate for control by the licensee.
| |
| If the allowed time expires and the snubber(s) are unable to perform their associated support function(s), the affected supported systems LCO(s) must be declared not met and the Conditions and Required Actions entered in accordance with LCO 3.0.2.
| |
| LCO 3.0.8 only applies to snubber support functions that are seismic related. In MODES 4 and 5, snubbers only perform seismic support functions. In MODES 1, 2, and 3, some snubbers inside the drywell and in the Turbine Building also perform non-seismic support functions (e.g.,
| |
| hydrodynamic loads, turbine trip loads, etc.). These snubbers are normally inaccessible in MODES 1, 2, and 3.
| |
| For snubbers that are being addressed in accordance with this LCO, a record of the design function of the inoperable snubber (i.e., seismic vs.
| |
| non-seismic), the implementation of any applicable restrictions, and the associated plant configuration must all be available on a recoverable basis for NRC inspection.
| |
| LCO 3.0.8.a applies when one or more snubbers are not capable of providing their associated support function(s) to a single division or subsystem of a multiple division or subsystem supported system or to a single division or subsystem supported system. LCO 3.0.8.a allows 72 hours to restore the snubber(s) before declaring the supported system inoperable. The 72 hour Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system occurring while the snubber(s) are not capable of performing their associated support function and due to the availability of the redundant division of the supported system.
| |
| Columbia Generating Station B 3.0-10 Revision 91
| |
| | |
| LCO Applicability B 3.0 BASES LCO 3.0.8 (continued)
| |
| When LCO 3.0.8.a is used, one of the following two means of heat removal must be available:
| |
| At least one high-pressure makeup path (i.e., using high-pressure core spray or reactor core isolation cooling) and heat removal capability (e.g., suppression pool cooling), including a minimum set of supporting equipment required for success, not associated with the inoperable snubber(s), or At least one low-pressure makeup path (e.g., low-pressure coolant injection or core spray) and heat removal capability (e.g.,
| |
| suppression pool cooling or shutdown cooling), including a minimum set of supporting equipment required for success, not associated with the inoperable snubber(s).
| |
| LCO 3.0.8.b applies when one or more snubbers are not capable of providing their associated support function(s) to more than one division or subsystem of a multiple division or subsystem supported system.
| |
| LCO 3.0.8.b allows 12 hours to restore the snubber(s) before declaring the supported system inoperable. The 12 hour Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system occurring while the snubber(s) are not capable of performing their associated support function.
| |
| When LCO 3.0.8.b is used, it must be verified that at least one success path exists, using equipment not associated with the inoperable snubber(s), to provide makeup and core cooling needed to mitigate loss of offsite power (LOOP) accident sequences.
| |
| LCO 3.0.8 requires that risk be assessed and managed. Industry and NRC guidance on the implementation of 10 CFR 50.65(a)(4) (the Maintenance Rule) does not address seismic risk. However, use of LCO 3.0.8 should be considered with respect to other plant maintenance activities, and integrated into the existing Maintenance Rule process to the extent possible so that maintenance on any unaffected division or subsystem is properly controlled, and emergent issues are properly addressed. The risk assessment need not be quantified, but may be a qualitative awareness of the vulnerability of systems and components when one or more snubbers are not able to perform their associated support function.
| |
| Columbia Generating Station B 3.0-11 Revision 91
| |
| | |
| LCO Applicability B 3.0 BASES LCO 3.0.9 LCO 3.0.9 establishes conditions under which systems described in the Technical Specifications are considered to remain OPERABLE when required barriers are not capable of providing their related support function(s).
| |
| Barriers are doors, walls, floor plugs, curbs, hatches, installed structures or components, or other devices, not explicitly described in Technical Specifications, that support the performance of the safety function of systems described in the Technical Specifications. This LCO states that the supported system is not considered to be inoperable solely due to required barriers not capable of performing their related support function(s) under the described conditions. LCO 3.0.9 allows 30 days before declaring the supported system(s) inoperable and the LCO(s) associated with the supported system(s) not met. A maximum time is placed on each use of this allowance to ensure that as required barriers are found or are otherwise made unavailable, they are restored.
| |
| However, the allowable duration may be less than the specified maximum time based on risk assessment.
| |
| If the allowed time expires and the barriers are unable to perform their related support function(s), the supported systems LCO(s) must be declared not met and the Conditions and Required Actions entered in accordance with LCO 3.0.2.
| |
| This provision does not apply to barriers which support ventilation systems or to fire barriers. The Technical Specifications for ventilation systems provide specific Conditions for inoperable barriers. Fire barriers are addressed by other regulatory requirements and associated plant programs. This provision does not apply to barriers which are not required to support system OPERABILITY (see NRC Regulatory Issue Summary 2001-09, Control of Hazard Barriers, dated April 2, 2001).
| |
| The provisions of LCO 3.0.9 are justified because of the low risk associated with required barriers not being capable of performing their related support function. This provision is based on consideration of the following initiating event categories:
| |
| Loss of coolant accidents:
| |
| High energy line breaks:
| |
| Feedwater line breaks; Internal flooding; External flooding; Turbine missile ejection; and Tornado or high wind.
| |
| Columbia Generating Station B 3.0-12 Revision 91
| |
| | |
| LCO Applicability B 3.0 BASES LCO 3.0.9 (continued)
| |
| The risk impact of the barriers which cannot perform their related support function(s) must be addressed pursuant to the risk assessment and management provision of the Maintenance Rule, 10 CFR 50.65(a)(4), and the associated implementation guidance, Regulatory Guide 1.160, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants.
| |
| Regulatory Guide 1.160 endorses the guidance in Section 11 of NUMARC 93-01, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants. This guidance provides for the consideration of dynamic plant configuration issues, emergent conditions, and other aspects pertinent to plant operation with the barriers unable to perform their related support function(s). Additionally, the Risk Assessment and Management Considerations described in NEI 04-08 must be used whenever a barrier is considered unavailable and the requirements of LCO 3.0.9 are to be applied. These considerations may result in risk management and other compensatory actions being required during the period that barriers are unable to perform their related support function(s).
| |
| LCO 3.0.9 may be applied to one or more divisions or subsystems of a system supported by barriers that cannot provide their related support function(s), provided that risk is assessed and managed (including consideration of the effects on Large Early Release and from external events). If applied concurrently to more than one division or subsystem of a multiple division or subsystem supported system, the barriers supporting each of these divisions or subsystems must provide their related support function(s) for different categories of initiating events. For example, LCO 3.0.9 may be applied for up to 30 days for more than one division of a multiple division supported system if the affected barrier for one division protects against internal flooding and the affected barrier of the other division protects against tornado missiles. In this example, the affected barrier may be the same physical barrier but serve different protection functions for each division.
| |
| The HPCS (High Pressure Core Spray) and RCIC (Reactor Core Injection Cooling) systems are single division systems for injecting makeup water into the reactor during an accident or transient event. The RCIC system is not a safety system, nor required to operate during a transient, therefore, it does not have to meet the single failure criterion. The HPCS system provides backup in case of a RCIC system failure. The ADS (Automatic Depressurization System) and low pressure ECCS coolant injection provide the core cooling function in the event of failure of the HPCS system during an accident. Thus, for the purposes of LCO 3.0.9, the HPCS system, the RCIC system, and the ADS are considered independent subsystems of a single system and LCO 3.0.9 can be used on these single division systems in a manner similar to multiple division or subsystem systems.
| |
| Columbia Generating Station B 3.0-13 Revision 91
| |
| | |
| LCO Applicability B 3.0 BASES LCO 3.0.9 (continued)
| |
| If during the time that LCO 3.0.9 is being used, the required OPERABLE division or subsystem becomes inoperable, it must be restored to OPERABLE status within 24 hours. Otherwise, the division(s) or subsystem(s) supported by barriers that cannot perform their related support function(s) must be declared inoperable and the associated LCOs declared not met. This 24 hour period provides time to respond to emergent conditions that would otherwise likely lead to entry into LCO 3.0.3 and a rapid plant shutdown, which is not justified given the low probability of an initiating event which would require the barrier(s) not capable of performing their related support function(s). During this 24 hour period, the plant risk associated with the existing conditions is assessed and managed in accordance with 10 CFR 50.65(a)(4).
| |
| Columbia Generating Station B 3.0-14 Revision 91
| |
| | |
| SR APPLICABILITY B 3.0 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY BASES SRs SR 3.0.1 through SR 3.0.4 establish the general requirements applicable to all Specifications in Sections 3.1 through 3.10 and apply at all times, unless otherwise stated. SR 3.0.2 and 3.0.3 apply in Chapter 5 only when invoked by a Chapter 5 Specification.
| |
| SR 3.0.1 SR 3.0.1 establishes the requirement that SRs must be met during the MODES or other specified conditions in the Applicability for which the requirements of the LCO apply, unless otherwise specified in the individual SRs. This Specification is to ensure that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR 3.0.2, constitutes a failure to meet an LCO.
| |
| Systems and components are assumed to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when:
| |
| : a. The systems or components are known to be inoperable, although still meeting the SRs; or
| |
| : b. The requirements of the Surveillance(s) are known to be not met between required Surveillance performances.
| |
| Surveillances do not have to be performed when the unit is in a MODE or other specified condition for which the requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with a Special Operations LCO are only applicable when the Special Operations LCO is used as an allowable exception to the requirements of a Specification.
| |
| Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inoperable equipment because the ACTIONS define the remedial measures that apply. Surveillances have to be met and performed in accordance with SR 3.0.2, prior to returning equipment to OPERABLE status.
| |
| Upon completion of maintenance, appropriate post maintenance testing is required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with SR 3.0.2. Post maintenance testing may not be possible in the current MODE or other specified conditions in the Applicability due to the necessary unit parameters not having been Columbia Generating Station B 3.0-15 Revision 110
| |
| | |
| SR APPLICABILITY B 3.0 BASES SR 3.0.1 (continued) established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed. Some examples of this process are:
| |
| : a. Control rod drive maintenance during refueling that requires scram testing at > 800 psi. However, if other appropriate testing is satisfactorily completed and the scram time testing of SR 3.1.4.3 is satisfied, the control rod can be considered OPERABLE. This allows startup to proceed to reach 800 psi to perform other necessary testing.
| |
| : b. Reactor Core Isolation Cooling (RCIC) maintenance during shutdown that requires system functional tests at a specified pressure.
| |
| Provided other appropriate testing is satisfactorily completed, startup can proceed with RCIC considered OPERABLE. This allows operation to reach the specified pressure to complete the necessary post maintenance testing.
| |
| SR 3.0.2 SR 3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Action with a Completion Time that requires the periodic performance of the Required Action on a "once per..." interval.
| |
| SR 3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillance scheduling and considers plant operating conditions that may not be suitable for conducting the Surveillance (e.g., transient conditions or other ongoing Surveillance or maintenance activities).
| |
| When a Section 5.5, Programs and Manuals, specification states that the provisions of SR 3.0.2 are applicable, a 25% extension of the testing interval, whether stated in the specification or incorporated by reference is permitted.
| |
| The 25% extension does not significantly degrade the reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the SRs. The exceptions to SR 3.0.2 are those Surveillances for which the 25% extension of the interval specified in the Frequency does not apply.
| |
| These exceptions are stated in the individual Specifications. The requirements of regulations take precedence over the TS. Examples of Columbia Generating Station B 3.0-16 Revision 110
| |
| | |
| SR APPLICABILITY B 3.0 BASES SR3.0.2 (continued) where SR 3.0.2 does not apply are the Primary Containment Leakage Rate Testing Program required by 10 CFR 50, Appendix J, and the inservice testing of pumps and valves in accordance with applicable American Society of Mechanical Engineers Operation and Maintenance Code, as required by 10 CFR 50.55a. These programs establish testing requirements and Frequencies in accordance with the requirements of regulations. The TS cannot, in and of themselves, extend a test interval specified in the regulations directly or by reference.
| |
| As stated in SR 3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a "once per..." basis. The 25% extension applies to each performance after the initial performance. The initial performance of the Required Action, whether it is a particular Surveillance or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25% extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an alternative manner.
| |
| The provisions of SR 3.0.2 are not intended to be used repeatedly merely as an operational convenience to extend Surveillance intervals (other than those consistent with refueling intervals) or periodic Completion Time intervals beyond those specified.
| |
| SR 3.0.3 SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been completed within the specified Frequency. A delay period of up to 24 hours or up to the limits of the specified Frequency, whichever is greater, applies from the point in time it is discovered that the Surveillance has not been performed in accordance with SR 3.0.2, and not at the time that the specified Frequency was not met.
| |
| When a Section 5.5, Programs and Manuals, specification states that the provisions of SR 3.0.3 are applicable, it permits the flexibility to defer declaring the testing requirement not met in accordance with SR 3.0.3 when the testing has not been completed within the testing interval (including the allowance of SR 3.0.2 if invoked by the Section 5.5 specification).
| |
| This delay period provides adequate time to complete Surveillances that have been missed. This delay period permits the completion of a Surveillance, or allows time to obtain a temporary waiver of the Surveillance Requirement (Ref.1), before complying with Required Columbia Generating Station B 3.0-17 Revision 110
| |
| | |
| SR APPLICABILITY B 3.0 BASES SR 3.0.3 (continued)
| |
| Actions or other remedial measures that might preclude completion of the Surveillance.
| |
| The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements.
| |
| When a Surveillance with a Frequency based not on time intervals, but upon specified unit conditions, operating situations, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance. However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.
| |
| Failure to comply with specified Frequencies for SRs is expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals. While up to 24 hours or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the missed Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillances as well as any plant configuration changes required or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required to perform the surveillance. This risk impact should be managed through the program in place to implement 10 CFR 50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants."
| |
| This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth Columbia Generating Station B 3.0-18 Revision 110
| |
| | |
| SR APPLICABILITY B 3.0 BASES SR 3.0.3 (continued) and rigor of the evaluation should be commensurate with the importance of the component. Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensees Corrective Action Program.
| |
| If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable then is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance.
| |
| Completion of the Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR 3.0.1.
| |
| SR 3.0.4 SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified condition in the Applicability.
| |
| This Specification ensures that system and component OPERABILITY requirements and variable limits are met before entry into MODES or other specified conditions in the Applicability for which these systems and components ensure safe operation of the unit. The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.
| |
| A provision is included to allow entry into a MODE or other specified condition in the Applicability when an LCO is not met due to Surveillance not being met in accordance with LCO 3.0.4.
| |
| However, in certain circumstances, failing to meet an SR will not result in SR 3.0.4 restricting a MODE change or other specified condition change.
| |
| When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the associated SR(s) are not required to be performed, per SR 3.0.1, which states that surveillances do not have to be performed on inoperable equipment. When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s) since the requirement for the SR(s) to be performed is removed. Therefore, failing to perform the Surveillance(s) within the specified Frequency does not result in an SR 3.0.4 restriction to changing MODES or other specified.
| |
| Columbia Generating Station B 3.0-19 Revision 110
| |
| | |
| SR APPLICABILITY B 3.0 BASES SR 3.0.4 (continued) conditions of the Applicability. However, since the LCO is not met in this instance, LCO 3.0.4 will govern any restrictions that may (or may not) apply to MODE or other specified condition changes. SR 3.0.4 does not restrict changing MODES or other specified conditions of the Applicability when a Surveillance has not been performed within the specified Frequency, provided the requirement to declare the LCO not met has been delayed in accordance with SR 3.0.3.
| |
| The provisions of SR 3.0.4 shall not prevent entry into MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, and MODE 3 to MODE 4 The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into the MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that could not be performed until after entering the LCOs Applicability, would have its Frequency specified such that it is not "due" until the specific conditions needed are met.
| |
| Alternately, the Surveillance may be stated in the form of a Note, as not required (to be met or performed) until a particular event, condition, or time has been reached. Further discussion of the specific formats of SRs' annotation is found in Section 1.4, Frequency.
| |
| REFERENCES 1. NRC Generic Letter 87-09, "Sections 3.0 and 4.0 of the Standard Technical Specifications (STS) on the Applicability of Limiting Conditions for Operation and Surveillance Requirements."
| |
| Columbia Generating Station B 3.0-20 Revision 110
| |
| | |
| SDM B 3.1.1 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.1 SHUTDOWN MARGIN (SDM)
| |
| BASES BACKGROUND SDM requirements are specified to ensure:
| |
| : a. The reactor can be made subcritical from all operating conditions and transients and Design Basis Events;
| |
| : b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits; and
| |
| : c. The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.
| |
| These requirements are satisfied by the control rods, as described in GDC 26 (Ref. 1), which can compensate for the reactivity effects of the fuel and water temperature changes experienced during all operating conditions.
| |
| APPLICABLE Having sufficient SDM assures that the reactor will become and remain SAFETY subcritical after all design basis accidents and transients. For example, ANALYSES SDM is assumed as an initial condition for the control rod removal error during a refueling accident (Ref. 2). The analysis of this reactivity insertion event assumes the refueling interlocks are OPERABLE when the reactor is in the refueling mode of operation. These interlocks prevent the withdrawal of more than one control rod from the core during refueling. (Special consideration and requirements for multiple control rod withdrawal during refueling are covered in Special Operations LCO 3.10.6, "Multiple Control Rod Withdrawal Refueling.") The analysis assumes this condition is acceptable since the core will be shut down with the highest worth control rod withdrawn, if adequate SDM has been demonstrated.
| |
| SDM satisfies Criterion 2 of Reference 3.
| |
| LCO The specified SDM limit accounts for the uncertainty in the demonstration of SDM by testing. Separate SDM limits are provided for testing where the highest worth control rod is determined analytically or by measurement. This is due to the reduced uncertainty in the SDM test when the highest worth control rod is determined by measurement.
| |
| When SDM is demonstrated by calculations not associated with a test (e.g., to confirm SDM during the fuel loading sequence), additional margin is included to account for uncertainties in the calculation. To ensure adequate SDM, a design margin is included to account for uncertainties in the design calculations (Ref. 4).
| |
| Columbia Generating Station B 3.1.1-1 Revision 73
| |
| | |
| SDM B 3.1.1 BASES APPLICABILITY In MODES 1 and 2, SDM must be provided to assure shutdown capability. In MODES 3 and 4, SDM is required to ensure the reactor will be held subcritical with margin for a single withdrawn control rod. SDM is required in MODE 5 to prevent an inadvertent criticality during the withdrawal of a single control rod from a core cell containing one or more fuel assemblies (Ref. 2).
| |
| ACTIONS A.1 With SDM not within the limits of the LCO in MODE 1 or 2, SDM must be restored within 6 hours. Failure to meet the specified SDM may be caused by a control rod that cannot be inserted. The 6 hour Completion time is acceptable, considering that the reactor can still be shut down, assuming no additional failures of control rods to insert, and the low probability of an event occurring during this interval.
| |
| B.1 If the SDM cannot be restored, the plant must be brought to MODE 3 within 12 hours, to prevent the potential for further reductions in available SDM (e.g., additional stuck control rods). The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.
| |
| C.1 With SDM not within limits in MODE 3, the operator must immediately initiate action to fully insert all insertable control rods. Action must continue until all insertable control rods are fully inserted. This action results in the least reactive condition for the core.
| |
| D.1, D.2, D.3, and D.4 With SDM not within limits in MODE 4, the operator must immediately initiate action to fully insert all insertable control rods. Action must continue until all insertable control rods are fully inserted. This action results in the least reactive condition for the core. Actions must also be initiated within 1 hour to provide means for control of potential radioactive releases. This includes ensuring secondary containment is OPERABLE; at least one Standby Gas Treatment (SGT) subsystem is OPERABLE; Columbia Generating Station B 3.1.1-2 Revision 73
| |
| | |
| SDM B 3.1.1 BASES ACTIONS (continued) and secondary containment isolation capability is available in each associated secondary containment penetration flow path not isolated that is assumed to be isolated to mitigate radioactivity releases (i.e., at least one secondary containment isolation valve and associated instrumentation are OPERABLE, or other acceptable administrative controls to assure isolation capability. These administrative controls consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated). This may be performed as an administrative check, by examining logs or other information, to determine if the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, SRs may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE.
| |
| E.1, E.2, E.3, E.4, and E.5 With SDM not within limits in MODE 5, the operator must immediately suspend CORE ALTERATIONS that could reduce SDM, e.g., insertion of fuel in the core or the withdrawal of control rods. Suspension of these activities shall not preclude completion of movement of a component to a safe condition. Inserting control rods or removing fuel from the core will reduce the total reactivity and are therefore excluded from the suspended actions.
| |
| Action must also be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies have been fully inserted. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and therefore do not have to be inserted.
| |
| Action must also be initiated within 1 hour to provide means for control of potential radioactive releases. This includes ensuring secondary containment is OPERABLE; at least one SGT subsystem is OPERABLE; and secondary containment isolation capability is available in each associated secondary containment penetration flow path not isolated that is assumed to be isolated to mitigate radioactivity releases (i.e., at least Columbia Generating Station B 3.1.1-3 Revision 73
| |
| | |
| SDM B 3.1.1 BASES ACTIONS (continued) one secondary containment isolation valve and associated instrumentation are OPERABLE or other acceptable administrative controls to assure isolation capability. These administrative controls consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated). This may be performed as an administrative check, by examining logs or other information, to determine if the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, SRs may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE.
| |
| SURVEILLANCE SR 3.1.1.1 REQUIREMENTS Adequate SDM must be verified to ensure the reactor can be made subcritical from any initial operating condition. This can be accomplished by a test, an evaluation, or a combination of the two. Adequate SDM is demonstrated by testing before or during the first startup after fuel movement or shuffling within the reactor pressure vessel, or control rod replacement. Control rod replacement refers to the decoupling and removal of a control rod from a core location, and subsequent replacement with a new control rod or a control rod from another core location. Since core reactivity will vary during the cycle as a function of fuel depletion and poison burnup, the beginning of cycle (BOC) test must also account for changes in core reactivity during the cycle. Therefore, to obtain the SDM, the initial measured value must be increased by an adder, "R", which is the difference between the calculated value of maximum core reactivity during the operating cycle and the calculated BOC core reactivity. If the value of R is negative (i.e., BOC is the most reactive point in the cycle), no correction to the BOC measured value is required (Ref. 5). For the SDM demonstrations that rely solely on calculation of the highest worth control rod, additional margin (0.10% )k/k) must be added to the SDM limit of 0.28% )k/k to account for uncertainties in the calculation.
| |
| Columbia Generating Station B 3.1.1-4 Revision 73
| |
| | |
| SDM B 3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The SDM may be demonstrated during an in-sequence control rod withdrawal, in which the highest worth control rod is analytically determined, or during local criticals, where the highest worth control rod is determined by testing. Local critical tests require the withdrawal of out of sequence control rods. This testing would therefore require bypassing of the rod worth minimizer to allow the out of sequence withdrawal, and therefore additional requirements must be met (see LCO 3.10.7, "Control Rod Testing - Operating").
| |
| The Frequency of 4 hours after reaching criticality is allowed to provide a reasonable amount of time to perform the required calculations and appropriate verification.
| |
| During MODES 3 and 4, analytical calculation of SDM may be used to assure the requirements of SR 3.1.1.1 are met. During MODE 5, adequate SDM is also required to ensure the reactor does not reach criticality during control rod withdrawals. An evaluation of each in-vessel fuel movement during fuel loading (including shuffling fuel within the core) is required to ensure adequate SDM is maintained during refueling. This evaluation ensures the intermediate loading patterns are bounded by the safety analyses for the final core loading pattern. For example, bounding analyses that demonstrate adequate SDM for the most reactive configurations during the refueling may be performed to demonstrate acceptability of the entire fuel movement sequence. These bounding analyses include additional margins to the associated uncertainties.
| |
| Spiral offload or reload sequences inherently satisfy the SR, provided the fuel assemblies are reloaded in the same configuration analyzed for the new cycle. Removing fuel from the core will always result in an increase in SDM.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 26.
| |
| : 2. FSAR, Section 15.4.1.1.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| : 4. FSAR, Section 4.3.2.4.1.
| |
| : 5. NEDE-24011-P-A-9, General Electric Standard Application for Reactor Fuel, Section 3.2.4.1, September 1988.
| |
| Columbia Generating Station B 3.1.1-5 Revision 73
| |
| | |
| Reactivity Anomalies B 3.1.2 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.2 Reactivity Anomalies BASES BACKGROUND In accordance with GDC 26, GDC 28, and GDC 29 (Ref. 1), reactivity shall be controllable such that subcriticality is maintained under cold conditions and acceptable fuel design limits are not exceeded during normal operation and anticipated operational occurrences. Reactivity Anomalies is used as a measure of the predicted versus measured core reactivity during power operation. The continual confirmation of core reactivity is necessary to ensure that the Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity anomaly could be the result of unanticipated changes in fuel reactivity, control rod worth, or operation at conditions not consistent with those assumed in the predictions of core reactivity, and could potentially result in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM demonstrations (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") in ensuring the reactor can be brought safely to cold, subcritical conditions.
| |
| When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since parameters are being maintained relatively stable under steady state power conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron leakage, and materials in the core that absorb neutrons, such as burnable absorbers, producing zero net reactivity.
| |
| In order to achieve the required fuel cycle energy output, the uranium enrichment in the new fuel loading and the fuel loaded in the previous cycles provide excess positive reactivity beyond that required to sustain steady state operation at the beginning of cycle (BOC). When the reactor is critical at RTP and operating moderator temperature, the excess positive reactivity is compensated by burnable absorbers (e.g., gadolinia),
| |
| control rods, and whatever neutron poisons (mainly xenon and samarium) are present in the fuel.
| |
| The predicted core reactivity, as represented by k effective (keff), is calculated by a 3D core simulator code as a function of cycle exposure.
| |
| This calculation is performed for projected operating states and conditions throughout the cycle. The monitored keff is calculated by the core monitoring system for actual plant conditions and is then compared to the predicted value for the cycle exposure.
| |
| Columbia Generating Station B 3.1.2-1 Revision 73
| |
| | |
| Reactivity Anomalies B 3.1.2 BASES APPLICABLE Accurate prediction of core reactivity is either an explicit or implicit SAFETY assumption in the accident analysis evaluations (Ref. 2). In particular, ANALYSES SDM and reactivity transients, such as control rod withdrawal accidents or rod drop accidents, are very sensitive to accurate prediction of core reactivity. These accident analysis evaluations rely on computer codes that have been qualified against available test data, operating plant data, and analytical benchmarks. Monitoring reactivity anomaly provides additional assurance that the nuclear methods provide an accurate representation of the core reactivity.
| |
| The comparison between measured and predicted initial core reactivity provides a normalization for the calculational models used to predict core reactivity. If the measured and predicted keff for identical core conditions at BOC do not reasonably agree, then the assumptions used in the reload cycle design analysis or the calculation models used to predict keff may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized to the measured value. Thereafter, any significant deviations in the measured keff from the predicted keff that develop during fuel depletion may be an indication that the assumptions of the DBA and transient analyses are no longer valid, or that an unexpected change in core conditions has occurred.
| |
| Reactivity Anomalies satisfy Criterion 2 of Reference 3.
| |
| LCO The reactivity anomaly limit is established to ensure plant operation is maintained within the assumptions of the safety analyses. Large differences between monitored and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the uncertainties in the Nuclear Design Methodology are larger than expected. A limit on the difference between the monitored core keff and the predicted core keff of 1% )k/k has been established based on engineering judgment. A > 1% deviation in reactivity from that predicted is larger than expected for normal operation and should therefore be evaluated.
| |
| APPLICABILITY In MODE 1, most of the control rods are withdrawn and steady state operation is typically achieved. Under these conditions, the comparison between predicted and monitored core reactivity provides an effective measure of the reactivity anomaly. In MODE 2, control rods are typically being withdrawn during a startup. In MODES 3 and 4, all control rods are fully inserted, and, therefore, the reactor is in the least reactive state, where monitoring core reactivity is not necessary. In MODE 5, fuel loading results in a continually changing core reactivity. SDM requirements (LCO 3.1.1) ensure that fuel movements are performed Columbia Generating Station B 3.1.2-2 Revision 73
| |
| | |
| Reactivity Anomalies B 3.1.2 BASES APPLICABILITY (continued) within the bounds of the safety analysis, and an SDM demonstration is required during the first startup following operations that could have altered core reactivity (e.g., fuel movement, control rod replacement, control rod shuffling). The SDM test, required by LCO 3.1.1, provides a direct comparison of the predicted and monitored core reactivity at cold conditions; therefore, Reactivity Anomalies is not required during these conditions.
| |
| ACTIONS A.1 Should an anomaly develop between measured and predicted core reactivity, the core reactivity difference must be restored to within the limit to ensure continued operation is within the core design assumptions.
| |
| Restoration to within the limit could be performed by an evaluation of the core design and safety analysis to determine the reason for the anomaly.
| |
| This evaluation normally reviews the core conditions to determine their consistency with input to design calculations. Measured core and process parameters are also normally evaluated to determine that they are within the bounds of the safety analysis, and safety analysis calculational models may be reviewed to verify that they are adequate for representation of the core conditions. The required Completion Time of 72 hours is based on the low probability of a DBA during this period, and allows sufficient time to assess the physical condition of the reactor and complete the evaluation of the core design and safety analysis.
| |
| B.1 If the core reactivity cannot be restored to within the 1% )k/k limit, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.
| |
| Columbia Generating Station B 3.1.2-3 Revision 73
| |
| | |
| Reactivity Anomalies B 3.1.2 BASES SURVEILLANCE SR 3.1.2.1 REQUIREMENTS Verifying the reactivity difference between the monitored and predicted core keff is within the limits of the LCO provides further assurance that plant operation is maintained within the assumptions of the DBA and transient analyses. The core monitoring system calculates the core keff for the reactor conditions obtained from plant instrumentation. A comparison of the monitored core keff to the predicted core keff at the same cycle exposure is used to calculate the reactivity difference. The comparison is required when the core reactivity has potentially changed by a significant amount. This may occur following a refueling in which new fuel assemblies are loaded, fuel assemblies are shuffled within the core, or control rods are replaced or shuffled. Control rod replacement refers to the decoupling and removal of a control rod from a core location, and subsequent replacement with a new control rod or a control rod from another core location. Also, core reactivity changes during the cycle.
| |
| The 24 hour interval after reaching equilibrium conditions following a startup is based on the need for equilibrium xenon concentrations in the core, such that an accurate comparison between the monitored and predicted core keff values can be made. For the purposes of this SR, the reactor is assumed to be at equilibrium conditions when steady state operations (no control rod movement or core flow changes) at > 75% RTP have been obtained. The 1000 MWD/T Frequency was developed, considering the relatively slow change in core reactivity with exposure and operating experience related to variations in core reactivity. This comparison requires the core to be operating at power levels which minimize the uncertainties and measurement errors, in order to obtain meaningful results. Therefore, the comparison is only done when in MODE 1.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 26, GDC 28, and GDC 29.
| |
| : 2. FSAR, Chapter 15.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.1.2-4 Revision 73
| |
| | |
| Control Rod OPERABILITY B 3.1.3 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.3 Control Rod OPERABILITY BASES BACKGROUND Control rods are components of the Control Rod Drive (CRD) System, which is the primary reactivity control system for the reactor. In conjunction with the Reactor Protection System, the CRD System provides the means for the reliable control of reactivity changes to ensure that under conditions of normal operation, including anticipated operational occurrences, specified acceptable fuel design limits are not exceeded. In addition, the control rods provide the capability to hold the reactor core subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the CRD System. The CRD System is designed to satisfy the requirements of GDC 26, GDC 27, GDC 28, and GDC 29, (Ref. 1).
| |
| The CRD System consists of 185 locking piston control rod drive mechanisms (CRDMs) and a hydraulic control unit for each drive mechanism. The locking piston type CRDM is a double-acting hydraulic piston, which uses condensate water as the operating fluid.
| |
| Accumulators provide additional energy for scram. An index tube and piston, coupled to the control rod, are locked at fixed increments by a collet mechanism. The collet fingers engage notches in the index tube to prevent unintentional withdrawal of the control rod, but without restricting insertion.
| |
| This Specification, along with LCO 3.1.4, "Control Rod Scram Times," and LCO 3.1.5, "Control Rod Scram Accumulators," ensure that the performance of the control rods in the event of a Design Basis Accident (DBA) or transient meets the assumptions used in the safety analyses of References 2, 3, 4, 5, and 6.
| |
| APPLICABLE The analytical methods and assumptions used in the evaluations SAFETY involving control rods are presented in References 2, 3, 4, 5, and 6.
| |
| ANALYSES The control rods provide the primary means for rapid reactivity control (reactor scram), for maintaining the reactor subcritical, and for limiting the potential effects of reactivity insertion events caused by malfunctions in the CRD System.
| |
| Columbia Generating Station B 3.1.3-1 Revision 73
| |
| | |
| Control Rod OPERABILITY B 3.1.3 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| The capability of inserting the control rods provides assurance that the assumptions for scram reactivity in the DBA and transient analyses are not violated. Since the SDM ensures the reactor will be subcritical with the highest worth control rod withdrawn (assumed single failure), the additional failure of a second control rod to insert could invalidate the demonstrated SDM and potentially limit the ability of the CRD System to hold the reactor subcritical. If the control rod is stuck at an inserted position and becomes decoupled from the CRD, a control rod drop accident (CRDA) can possibly occur. Therefore, the requirement that all control rods be OPERABLE ensures the CRD System can perform its intended function.
| |
| The control rods also protect the fuel from damage that could result in release of radioactivity. The limits protected are the MCPR Safety Limit (SL) (see Bases for SL 2.1.1, "Reactor Core SLs," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"), the 1% cladding plastic strain fuel design limit (see Bases for LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)"), and the fuel damage limit (see Bases for LCO 3.1.6, "Rod Pattern Control") during reactivity insertion events.
| |
| The negative reactivity insertion (scram) provided by the CRD System provides the analytical basis for determination of plant thermal limits and provides protection against fuel damage limits during a CRDA. Bases for LCO 3.1.4, LCO 3.1.5, and LCO 3.1.6 discuss in more detail how the SLs are protected by the CRD System.
| |
| Control rod OPERABILITY satisfies Criterion 3 of Reference 7.
| |
| LCO OPERABILITY of an individual control rod is based on a combination of factors, primarily the scram insertion times, the control rod coupling integrity, and the ability to determine the control rod position.
| |
| Accumulator OPERABILITY is addressed by LCO 3.1.5. The associated scram accumulator status for a control rod only affects the scram insertion times and therefore an inoperable accumulator does not immediately require declaring a control rod inoperable. Although not all control rods are required to be OPERABLE to satisfy the intended reactivity control requirements, strict control over the number and distribution of inoperable control rods is required to satisfy the assumptions of the DBA and transient analyses.
| |
| Columbia Generating Station B 3.1.3-2 Revision 73
| |
| | |
| Control Rod OPERABILITY B 3.1.3 BASES APPLICABILITY In MODES 1 and 2, the control rods are assumed to function during a DBA or transient and are therefore required to be OPERABLE in these MODES. In MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate requirements for control rod OPERABILITY during these conditions. Control rod requirements in MODE 5 are located in LCO 3.9.5, "Control Rod OPERABILITY -
| |
| Refueling."
| |
| ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each control rod. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable control rod. Complying with the Required Actions may allow for continued operation, and subsequent inoperable control rods are governed by subsequent Condition entry and application of associated Required Actions.
| |
| A.1, A.2, A.3, and A.4 A control rod is considered stuck if it will not insert by either CRD drive water or scram pressure. With a fully inserted control rod stuck, no actions are required as long as the control rod remains fully inserted. The Required Actions are modified by a Note that allows the rod worth minimizer (RWM) to be bypassed if required to allow continued operation.
| |
| LCO 3.3.2.1, "Control Rod Block Instrumentation," provides additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis. With one withdrawn control rod stuck, the local scram reactivity rate assumptions may not be met if the stuck control rod separation criteria are not met. Therefore, a verification that the separation criteria are met must be performed immediately. The separation criteria are not met if: a) the stuck control rod occupies a location adjacent to two "slow" control rods, b) the stuck control rod occupies a location adjacent to one "slow" control rod, and the one "slow" control rod is also adjacent to another "slow" control rod, or c) if the stuck control rod occupies a location adjacent to one "slow" control rod when there is another pair of "slow" control rods adjacent to one another. The description of "slow" control rods is provided in LCO 3.1.4, "Control Rod Scram Times." In addition, the associated control rod drive must be disarmed within 2 hours. The allowed Completion Time of 2 hours is acceptable, considering the reactor can still be shut down, assuming no additional control rods fail to insert, and provides a reasonable amount of time to perform the Required Action in an orderly manner. The control rod must be isolated from both scram and normal insert and withdraw pressure. Isolating the control rod from scram and normal insert and withdraw pressure prevents damage to the CRDM. The control rod Columbia Generating Station B 3.1.3-3 Revision 73
| |
| | |
| Control Rod OPERABILITY B 3.1.3 BASES ACTIONS (continued) should be isolated from scram by isolating the hydraulic control unit from scram and normal insert and withdraw pressure, while maintaining cooling water to the CRD.
| |
| Monitoring of the insertion capability for each withdrawn control rod must also be performed within 24 hours from discovery of Condition A concurrent with THERMAL POWER greater than the low power setpoint (LPSP) of the RWM. SR 3.1.3.2 performs periodic tests of the control rod insertion capability of withdrawn control rods. Testing each withdrawn control rod ensures that a generic problem does not exist. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." The Required Action A.3 Completion Time only begins upon discovery of Condition A concurrent with THERMAL POWER greater than the actual LPSP of the RWM, since the notch insertions may not be compatible with the requirements of rod pattern control (LCO 3.1.6) and the RWM (LCO 3.3.2.1). The allowed Completion Time of 24 hours from discovery of Condition A, concurrent with THERMAL POWER greater than the LPSP of the RWM, provides a reasonable time to test the control rods, considering the potential for a need to reduce power to perform the tests.
| |
| To allow continued operation with a withdrawn control rod stuck, an evaluation of adequate SDM is also required within 72 hours. Should a DBA or transient require a shutdown, to preserve the single failure criterion an additional control rod would have to be assumed to have failed to insert when required.
| |
| Therefore, the original SDM demonstration may not be valid. The SDM must therefore be evaluated (by measurement or analysis) with the stuck control rod at its stuck position and the highest worth OPERABLE control rod assumed to be fully withdrawn.
| |
| The allowed Completion Time of 72 hours to verify SDM is adequate, considering that with a single control rod stuck in a withdrawn position, the remaining OPERABLE control rods are capable of providing the required scram and shutdown reactivity. Failure to reach MODE 4 is only likely if an additional control rod adjacent to the stuck control rod also fails to insert during a required scram. Even with the postulated additional single failure of an adjacent control rod to insert, sufficient reactivity control remains to reach and maintain MODE 3 conditions (Ref. 8).
| |
| Columbia Generating Station B 3.1.3-4 Revision 73
| |
| | |
| Control Rod OPERABILITY B 3.1.3 BASES ACTIONS (continued)
| |
| B.1 With two or more withdrawn control rods stuck, the plant must be brought to MODE 3 within 12 hours. The occurrence of more than one control rod stuck at a withdrawn position increases the probability that the reactor cannot be shut down if required. Insertion of all insertable control rods eliminates the possibility of an additional failure of a control rod to insert.
| |
| The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.
| |
| C.1 and C.2 With one or more control rods inoperable for reasons other than being stuck in the withdrawn position, operation may continue, provided the control rods are fully inserted within 3 hours and disarmed (electrically or hydraulically) within 4 hours. Inserting a control rod ensures the shutdown and scram capabilities are not adversely affected. The control rod is disarmed to prevent inadvertent withdrawal during subsequent operations. The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves.
| |
| Electrically, the control rods can be disarmed by disconnecting power from all four directional control valve solenoids. Required Action C.1 is modified by a Note that allows the RWM to be bypassed if required to allow insertion of the inoperable control rods and continued operation.
| |
| LCO 3.3.2.1 provides additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis.
| |
| The allowed Completion Times are reasonable, considering the small number of allowed inoperable control rods, and provide time to insert and disarm the control rods in an orderly manner and without challenging plant systems.
| |
| D.1 and D.2 Out of sequence control rods may increase the potential reactivity worth of a dropped control rod during a CRDA. At 10% RTP, the generic banked position withdrawal sequence (BPWS) analysis (Ref. 8) requires inserted control rods not in compliance with BPWS to be separated by at least two OPERABLE control rods in all directions, including the diagonal.
| |
| Therefore, if two or more inoperable control rods are not in compliance with BPWS and not separated by at least two OPERABLE control rods, Columbia Generating Station B 3.1.3-5 Revision 73
| |
| | |
| Control Rod OPERABILITY B 3.1.3 BASES ACTIONS (continued) action must be taken to restore compliance with BPWS or restore the control rods to OPERABLE status. Condition D is modified by a Note indicating that the Condition is not applicable when > 10% RTP since the BPWS is not required to be followed under these conditions, as described in the Bases for LCO 3.1.6. The allowed Completion Time of 4 hours is acceptable, considering the low probability of a CRDA occurring.
| |
| E.1 In addition to the separation requirements for inoperable control rods, an assumption in the CRDA analysis for Framatome - ANP fuel is that no more than three inoperable control rods are allowed in any one BPWS group. Therefore, with one or more BPWS groups having four or more inoperable control rods, the control rods must be restored to OPERABLE status.
| |
| Required Action E.1 is modified by a Note indicating that the Condition is not applicable when THERMAL POWER is > 10% RTP since the BPWS is not required to be followed under these conditions, as described in the Bases for LCO 3.1.6. The allowed Completion Time of 4 hours is acceptable, considering the low probability of a CRDA occurring.
| |
| F.1 If any Required Action and associated Completion Time of Condition A, C, D, or E are not met or there are nine or more inoperable control rods, the plant must be brought to a MODE in which the LCO does not apply.
| |
| To achieve this status, the plant must be brought to MODE 3 within 12 hours. This ensures all insertable control rods are inserted and places the reactor in a condition that does not require the active function (i.e.,
| |
| scram) of the control rods. The number of control rods permitted to be inoperable when operating above 10% RTP (i.e., no CRDA considerations) could be more than the value specified, but the occurrence of a large number of inoperable control rods could be indicative of a generic problem, and investigation and resolution of the potential problem should be undertaken. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems.
| |
| Columbia Generating Station B 3.1.3-6 Revision 73
| |
| | |
| Control Rod OPERABILITY B 3.1.3 BASES SURVEILLANCE SR 3.1.3.1 REQUIREMENTS The position of each control rod must be determined, to ensure adequate information on control rod position is available to the operator for determining control rod OPERABILITY and controlling rod patterns.
| |
| Control rod position may be determined by the use of OPERABLE position indicators, by moving control rods to a position with an OPERABLE indicator, or by the use of other appropriate methods. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.1.3.2 Control rod insertion capability is demonstrated by inserting each partially or fully withdrawn control rod at least one notch and observing that the control rod moves. The control rod may then be returned to its original position. This ensures the control rod is not stuck and is free to insert on a scram signal. This Surveillance is not required when THERMAL POWER is less than or equal to the actual LPSP of the RWM since the notch insertions may not be compatible with the requirements of the Banked Position Withdrawal Sequence (BPWS) (LCO 3.1.6) and the RWM (LCO 3.3.2.1). At any time, if a control rod is immovable, a determination of that control rod's trippability (OPERABILITY) must be made and appropriate action taken. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This SR is modified by a Note that allows 31 days, after withdrawal of the control rod and increasing power to above the LPSP, to perform the Surveillance. This acknowledges that the control rod must be first withdrawn and THERMAL POWER must be increased to above the LPSP before performance of the Surveillance, and therefore the Note avoids potential conflicts with SR 3.0.3 and SR 3.0.4.
| |
| Columbia Generating Station B 3.1.3-7 Revision 93
| |
| | |
| Control Rod OPERABILITY B 3.1.3 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.1.3.3 Verifying the scram time for each control rod to notch position 5 is 7 seconds provides reasonable assurance that the control rod will insert when required during a DBA or transient, thereby completing its shutdown function. This SR is performed in conjunction with the control rod scram time testing of SR 3.1.4.1, SR 3.1.4.2, SR 3.1.4.3, and SR 3.1.4.4. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and the functional testing of SDV vent and drain valves in LCO 3.1.8, "Scram Discharge Volume (SDV) Vent and Drain Valves," overlap this Surveillance to provide complete testing of the assumed safety function. The associated Frequencies are acceptable, considering the more frequent testing performed to demonstrate other aspects of control rod OPERABILITY and operating experience, which shows scram times do not significantly change over an operating cycle.
| |
| SR 3.1.3.4 Coupling verification is performed to ensure the control rod is connected to the CRDM and will perform its intended function when necessary. The Surveillance requires verifying that a control rod does not go to the withdrawn overtravel position when it is fully withdrawn. The overtravel position feature provides a positive check on the coupling integrity, since only an uncoupled CRD can reach the overtravel position. The verification is required to be performed anytime a control rod is withdrawn to the "full out" position (notch position 48) or prior to declaring the control rod OPERABLE after work on the control rod or CRD System that could affect coupling. This includes control rods inserted one notch and then returned to the "full out" position during the performance of SR 3.1.3.2.
| |
| This Frequency is acceptable, considering the low probability that a control rod will become uncoupled when it is not being moved and operating experience related to uncoupling events.
| |
| Columbia Generating Station B 3.1.3-8 Revision 73
| |
| | |
| Control Rod OPERABILITY B 3.1.3 BASES REFERENCES 1. 10 CFR 50, Appendix A, GDC 26, GDC 27, GDC 28, and GDC 29.
| |
| : 2. FSAR, Section 4.3.2.5.
| |
| : 3. FSAR, Section 4.6.1.1.2.5.3.
| |
| : 4. FSAR, Section 5.2.2.2.3.
| |
| : 5. FSAR, Section 15.0.
| |
| : 6. FSAR, Section 15.4.9.
| |
| : 7. 10 CFR 50.36(c)(2)(ii).
| |
| : 8. NEDO-21231, "Banked Position Withdrawal Sequence," Section 7.2, January 1977.
| |
| Columbia Generating Station B 3.1.3-9 Revision 73
| |
| | |
| Control Rod Scram Times B 3.1.4 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.4 Control Rod Scram Times BASES BACKGROUND The scram function of the Control Rod Drive (CRD) System controls reactivity changes during abnormal operational transients to ensure that specified acceptable fuel design limits are not exceeded (Ref. 1). The control rods are scrammed by positive means, using hydraulic pressure exerted on the CRD piston.
| |
| When a scram signal is initiated, control air is vented from the scram valves, allowing them to open by spring action. Opening the exhaust valves reduces the pressure above the main drive piston to atmospheric pressure, and opening the inlet valve applies the accumulator or reactor pressure to the bottom of the piston. Since the notches in the index tube are tapered on the lower edge, the collet fingers are forced open by cam action, allowing the index tube to move upward without restriction because of the high differential pressure across the piston. As the drive moves upward and accumulator pressure drops below the reactor pressure, a ball check valve opens, letting the reactor pressure complete the scram action. If the reactor pressure is low, such as during startup, the accumulator will fully insert the control rod within the required time without assistance from reactor pressure.
| |
| APPLICABLE The analytical methods and assumptions used in evaluating the control SAFETY rod scram function are presented in References 2, 3, 4, 5, and 6. The ANALYSES Design Basis Accident (DBA) and transient analyses assume that all of the control rods scram at a specified insertion rate. The resulting negative scram reactivity forms the basis for the determination of plant thermal limits (e.g., the MCPR). Other distributions of scram times (e.g.,
| |
| several control rods scramming slower than the average time, with several control rods scramming faster than the average time) can also provide sufficient scram reactivity. Surveillance of each individual control rod's scram time ensures the scram reactivity assumed in the DBA and transient analyses can be met.
| |
| The scram function of the CRD System protects the MCPR Safety Limit (SL) (see Bases for SL 2.1.1, "Reactor Core SLs," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") and the 1%
| |
| circumferential cladding plastic strain fuel design limit (see Bases for LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)"), which ensure that no fuel damage will occur if these limits are not exceeded. Above 800 psig, the scram function is designed to insert negative reactivity at a rate fast enough to prevent the actual MCPR from becoming less than the MCPR SL during Columbia Generating Station B 3.1.4-1 Revision 87
| |
| | |
| Control Rod Scram Times B 3.1.4 BASES APPLICABLE SAFETY ANALYSES (continued) the analyzed limiting power transient. Below 800 psig, the scram function is assumed to perform during the control rod drop accident (Ref. 6) and, therefore, also provides protection against violating fuel damage limits during reactivity insertion accidents (see Bases for LCO 3.1.6, "Rod Pattern Control"). For the reactor vessel overpressure protection analysis (Ref. 4), the scram function, along with the safety/relief valves, ensure that the peak vessel pressure is maintained within the applicable ASME Code limits.
| |
| Control rod scram times satisfy Criterion 3 of Reference 7.
| |
| LCO The scram times specified in Table 3.1.4-1 are required to ensure that the scram reactivity assumed in the DBA and transient analysis is met (Ref. 6) To account for single failures and "slow" scramming control rods, the scram times specified in Table 3.1.4-1 are faster than those assumed in the design basis analysis. The scram times have a margin that allows up to approximately 7% of the control rods (e.g., 185 x 7% = 13) to have scram times exceeding the specified limits (i.e., "slow" control rods) assuming a single stuck control rod (as allowed by LCO 3.1.3, "Control Rod OPERABILITY") and an additional control rod failing to scram per the single failure criterion. The scram times are specified as a function of reactor steam dome pressure to account for the pressure dependence of the scram times. The scram times are specified relative to measurements based on reed switch positions, which provide the control rod position indication. The reed switch closes ("pickup") when the index tube passes a specific location and then opens ("dropout") as the index tube travels upward. Verification of the specified scram times in Table 3.1.4-1 is accomplished through measurement of the "dropout" times. To ensure that local scram reactivity rates are maintained within acceptable limits, no more than two of the allowed slow control rods may occupy adjacent locations.
| |
| Table 3.1.4-1 is modified by two Notes, which state that control rods with scram times not within the limits of the Table are considered "slow" and that control rods with scram times > 7 seconds are considered inoperable as required by SR 3.1.3.3.
| |
| This LCO applies only to OPERABLE control rods since inoperable control rods will be inserted and disarmed (LCO 3.1.3). Slow scramming control rods may be conservatively declared inoperable and not accounted for as "slow" control rods.
| |
| Columbia Generating Station B 3.1.4-2 Revision 73
| |
| | |
| Control Rod Scram Times B 3.1.4 BASES APPLICABILITY In MODES 1 and 2, a scram is assumed to function during transients and accidents analyzed for these plant conditions. These events are assumed to occur during startup and power operation; therefore, the scram function of the control rods is required during these MODES. In MODES 3 and 4, the control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied.
| |
| This provides adequate requirements for control rod scram capability during these conditions. Scram requirements in MODE 5 are contained in LCO 3.9.5, "Control Rod OPERABILITY - Refueling."
| |
| ACTIONS A.1 When the requirements of this LCO are not met, the rate of negative reactivity insertion during a scram may not be within the assumptions of the safety analyses. Therefore, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE The four SRs of this LCO are modified by a Note stating that during a REQUIREMENTS single control rod scram time surveillance, the CRD pumps shall be isolated from the associated scram accumulator. With the CRD pump isolated (i.e., charging valve closed), the influence of the CRD pump head does not affect the single control rod scram times. During a full core scram, the CRD pump head would be seen by all control rods and would have a negligible effect on the scram insertion times.
| |
| SR 3.1.4.1 The scram reactivity used in DBA and transient analyses is based on an assumed control rod scram time. Measurement of the scram times with reactor steam dome pressure 800 psig demonstrates acceptable scram times for the transients analyzed in References 4 and 5.
| |
| Maximum scram insertion times occur at a reactor pressure of approximately 800 psig because of the competing effects of reactor steam dome pressure and stored accumulator energy. Therefore, demonstration of adequate scram times at reactor steam dome pressure 800 psig ensures that the scram times will be within the specified limits at higher pressures. Limits are specified as a function of reactor pressure to account for the sensitivity of the scram insertion times with pressure and to allow a range of pressures over which scram time testing can be performed. To ensure scram time testing is performed within a reasonable time following a shutdown 120 days, control rods are Columbia Generating Station B 3.1.4-3 Revision 73
| |
| | |
| Control Rod Scram Times B 3.1.4 BASES SURVEILLANCE REQUIREMENTS (continued) required to be tested before exceeding 40% RTP. This Frequency is acceptable, considering the additional surveillances performed for control rod OPERABILITY, the frequent verification of adequate accumulator pressure, and the required testing of control rods affected by fuel movement within the associated core cell and by work on control rods or the CRD System.
| |
| SR 3.1.4.2 Additional testing of a sample of control rods is required to verify the continued performance of the scram function during the cycle. A representative sample contains at least 10% of the control rods. The sample remains representative if no more than 7.5% of the control rods in the sample tested are determined to be "slow." If more than 7.5% of the sample is declared to be "slow" per the criteria in Table 3.1.4-1, additional control rods are tested until this 7.5% criterion (i.e., 7.5% of the entire sample size) is satisfied, or until the total number of "slow" control rods (throughout the core, from all Surveillances) exceeds the LCO limit. For planned testing, the control rods selected for the sample should be different for each test. Data from inadvertent scrams should be used whenever possible to avoid unnecessary testing at power, even if the control rods with data were previously tested in a sample. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.1.4.3 When work that could affect the scram insertion time is performed on a control rod or the CRD System, testing must be done to demonstrate that each affected control rod retains adequate scram performance over the range of applicable reactor pressures from zero to the maximum permissible pressure. The scram testing must be performed once before declaring the control rod OPERABLE. The required scram time testing must demonstrate that the affected control rod is still within acceptable limits. The limits for reactor pressures < 800 psig are found in the Licensee Controlled Specifications Manual (Ref. 8), and are established based on a high probability of meeting the acceptance criteria at reactor pressures 800 psig. Limits for 800 psig are found in Table 3.1.4-1. If testing demonstrates the affected control rod does not meet these limits, but is within the 7 second limit of Table 3.1.4-1, Note 2 the control rod can be declared OPERABLE and "slow."
| |
| Columbia Generating Station B 3.1.4-4 Revision 93
| |
| | |
| Control Rod Scram Times B 3.1.4 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| Specific examples of work that could affect the scram times include (but are not limited to) the following: removal of any CRD for maintenance or modification; replacement of a control rod; and maintenance or modification of a scram solenoid pilot valve, scram valve, accumulator, isolation valve, or check valves in the piping required for scram.
| |
| The Frequency of once prior to declaring the affected control rod OPERABLE is acceptable because of the capability of testing the control rod over a range of operating conditions and the more frequent surveillances on other aspects of control rod OPERABILITY.
| |
| SR 3.1.4.4 When work that could affect the scram insertion time is performed on a control rod or CRD System, or when fuel movement within the reactor pressure vessel occurs, testing must be done to demonstrate each affected control rod is still within the limits of Table 3.1.4-1 with the reactor steam dome pressure 800 psig. Where work has been performed at high reactor pressure, the requirements of SR 3.1.4.3 and SR 3.1.4.4 will be satisfied with one test. For a control rod affected by work performed while shut down, however, a zero pressure and a high pressure test may be required. This testing ensures that the control rod scram performance is acceptable for operating reactor pressure conditions prior to withdrawing the control rod for continued operation.
| |
| Alternatively, a test during hydrostatic pressure testing could also satisfy both criteria. When fuel movement within the reactor pressure vessel occurs, only those control rods associated with the core cells affected by the fuel movement are required to be scram time tested. During a routine refueling outage, it is expected that all control rods will be affected.
| |
| The Frequency of once prior to exceeding 40% RTP is acceptable because of the capability to test the control rod over a range of operating conditions and the more frequent surveillances on other aspects of control rod OPERABILITY.
| |
| Columbia Generating Station B 3.1.4-5 Revision 73
| |
| | |
| Control Rod Scram Times B 3.1.4 BASES REFERENCES 1. 10 CFR 50, Appendix A, GDC 10.
| |
| : 2. FSAR, Section 4.3.2.5.
| |
| : 3. FSAR, Section 4.6.1.1.2.5.3.
| |
| : 4. FSAR, Section 5.2.2.2.3.
| |
| : 5. FSAR, Section 15.0.
| |
| : 6. FSAR, Section 15.4.9.
| |
| : 7. 10 CFR 50.36(c)(2)(ii).
| |
| : 8. Licensee Controlled Specifications Manual.
| |
| : 9. Letter from R.F. Janecck (BWROG) to R. W. Starostecki (NRC),
| |
| "BWR Owners Group Revised Reactivity Control System Technical specifications," BWROG-8754, September 17, 1987.
| |
| Columbia Generating Station B 3.1.4-6 Revision 92
| |
| | |
| Control Rod Scram Accumulators B 3.1.5 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.5 Control Rod Scram Accumulators BASES BACKGROUND The control rod scram accumulators are part of the Control Rod Drive (CRD) System and are provided to ensure that the control rods scram under varying reactor conditions. The control rod scram accumulators store sufficient energy to fully insert a control rod at any reactor vessel pressure. The accumulator is a hydraulic cylinder with a free floating piston. The piston separates the water used to scram the control rods from the nitrogen, which provides the required energy. The scram accumulators are necessary to scram the control rods within the required insertion times of LCO 3.1.4, "Control Rod Scram Times."
| |
| APPLICABLE The analytical methods and assumptions used in evaluating the control SAFETY rod scram function are presented in References 1, 2, 3, 4, and 5. The ANALYSES Design Basis Accident (DBA) and transient analyses assume that all of the control rods scram at a specified insertion rate. OPERABILITY of each individual control rod scram accumulator, along with LCO 3.1.3, "Control Rod OPERABILITY," and LCO 3.1.4, ensures that the scram reactivity assumed in the DBA and transient analyses can be met. The existence of an inoperable accumulator may invalidate prior scram time measurements for the associated control rod.
| |
| The scram function of the CRD System, and, therefore, the OPERABILITY of the accumulators, protects the MCPR Safety Limit (see Bases for SL 2.1.1, "Reactor Core SLs," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") and the 1% cladding plastic strain fuel design limit (see Bases for LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)"), which ensure that no fuel damage will occur if these limits are not exceeded (see Bases for LCO 3.1.4). Also, the scram function at low reactor vessel pressure (i.e., startup conditions) provides protection against violating fuel design limits during reactivity insertion accidents (see Bases for LCO 3.1.6, "Rod Pattern Control").
| |
| Control rod scram accumulators satisfy Criterion 3 of Reference 6.
| |
| LCO The OPERABILITY of the control rod scram accumulators is required to ensure that adequate scram insertion capability exists when needed over the entire range of reactor pressures. The OPERABILITY of the scram accumulators is based on maintaining adequate accumulator pressure.
| |
| Columbia Generating Station B 3.1.5-1 Revision 73
| |
| | |
| Control Rod Scram Accumulators B 3.1.5 BASES APPLICABILITY In MODES 1 and 2, the scram function is required for mitigation of DBAs and transients and, therefore, the scram accumulators must be OPERABLE to support the scram function. In MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate requirements for control rod scram accumulator OPERABILITY under these conditions. Requirements for scram accumulators in MODE 5 are contained in LCO 3.9.5, "Control Rod OPERABILITY - Refueling."
| |
| ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each control rod scram accumulator. This is acceptable since the Required Actions for each Condition provide appropriate compensatory action for each inoperable accumulator.
| |
| Complying with the Required Actions may allow for continued operation and subsequent inoperable accumulators governed by subsequent Condition entry and application of associated Required Actions.
| |
| A.1 and A.2 With one control rod scram accumulator inoperable and the reactor steam dome pressure 900 psig, the control rod may be declared "slow", since the control rod will still scram at the reactor operating pressure but may not satisfy the required scram times in Table 3.1.4-1. Required Action A.1 is modified by a Note, indicating that declaring the control rod "slow" only applies if the associated control rod scram time was within the limits of Table 3.1.4-1 during the last scram time test. Otherwise, the control rod may already be considered "slow" and the further degradation of scram performance with an inoperable accumulator could result in excessive scram times. In this event, the associated control rod is declared inoperable (Required Action A.2) and LCO 3.1.3 is entered.
| |
| This would result in requiring the affected control rod to be fully inserted and disarmed, thereby satisfying its intended function in accordance with ACTIONS of LCO 3.1.3.
| |
| The allowed Completion Time of 8 hours is reasonable, based on the large number of control rods available to provide the scram function and the ability of the affected control rod to scram only with reactor pressure at high reactor pressures.
| |
| Columbia Generating Station B 3.1.5-2 Revision 73
| |
| | |
| Control Rod Scram Accumulators B 3.1.5 BASES ACTIONS (continued)
| |
| B.1, B.2.1, and B.2.2 With two or more control rod scram accumulators inoperable and reactor steam dome pressure 900 psig, adequate pressure must be supplied to the charging water header. With inadequate charging water pressure, all of the accumulators could become inoperable, resulting in a potentially severe degradation of the scram performance. Therefore, within 20 minutes from discovery of charging water header pressure < 940 psig concurrent with Condition B, adequate charging water header pressure must be restored. The allowed Completion Time of 20 minutes is reasonable, to place a CRD pump into service to restore the charging header pressure, if required. This Completion Time is based on the ability of the reactor pressure alone to fully insert all control rods.
| |
| The control rod may be declared "slow" since the control rod will still scram using only reactor pressure, but may not satisfy the times in Table 3.1.4-1. Required Action B.2.1 is modified by a Note indicating that declaring the control rod "slow" only applies if the associated control rod scram time is within the limits of Table 3.1.4-1 during the last scram time Surveillance. Otherwise, the control rod may already be considered "slow" and the further degradation of scram performance with an inoperable accumulator could result in excessive scram times. In this event, the associated control rod is declared inoperable (Required Action B.2.2) and LCO 3.1.3 entered.
| |
| This would result in requiring the affected control rod to be fully inserted and disarmed, thereby satisfying its intended function in accordance with ACTIONS of LCO 3.1.3.
| |
| The allowed Completion Time of 1 hour is considered reasonable, based on the ability of only the reactor pressure to scram the control rods and the low probability of a DBA or transient occurring while the affected accumulators are inoperable.
| |
| C.1 and C.2 With one or more control rod scram accumulators inoperable and the reactor steam dome pressure < 900 psig, the pressure supplied to the charging water header must be adequate to ensure that accumulators remain charged. With the reactor steam dome pressure < 900 psig, the function of the accumulators in providing the scram force becomes much Columbia Generating Station B 3.1.5-3 Revision 73
| |
| | |
| Control Rod Scram Accumulators B 3.1.5 BASES ACTIONS (continued) more important since the scram function could become severely degraded during a depressurization event or at low reactor pressures.
| |
| Therefore, immediately upon discovery of charging water header pressure < 940 psig, concurrent with Condition C, all control rods associated with inoperable accumulators must be verified to be fully inserted. Withdrawn control rods with inoperable scram accumulators may fail to scram under these low pressure conditions. The associated control rods must also be declared inoperable within 1 hour. The allowed Completion Time of 1 hour is reasonable for Required Action C.2, considering the low probability of a DBA or transient occurring during the time the accumulator is inoperable.
| |
| D.1 The reactor mode switch must be immediately placed in the shutdown position if either Required Action and associated Completion Time associated with loss of the CRD charging pump (Required Actions B.1 and C.1) cannot be met. This ensures that all insertable control rods are inserted and that the reactor is in a condition that does not require the active function (i.e., scram) of the control rods. This Required Action is modified by a Note stating that the Required Action is not applicable if all control rods associated with the inoperable scram accumulators are fully inserted, since the function of the control rods has been performed.
| |
| SURVEILLANCE SR 3.1.5.1 REQUIREMENTS SR 3.1.5.1 requires that the accumulator pressure be checked periodically to ensure adequate accumulator pressure exists to provide sufficient scram force. The primary indicator of accumulator OPERABILITY is the accumulator pressure. A minimum accumulator pressure is specified, below which the capability of the accumulator to perform its intended function becomes degraded and the accumulator is considered inoperable. The minimum accumulator pressure of 940 psig is well below the expected pressure of 1000 - 1200 psig (Ref. 2).
| |
| Declaring the accumulator inoperable when the minimum pressure is not maintained ensures that significant degradation in scram times does not occur. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.1.5-4 Revision 102
| |
| | |
| Control Rod Scram Accumulators B 3.1.5 BASES REFERENCES 1. FSAR, Section 4.3.2.5.
| |
| : 2. FSAR, Section 4.6.1.1.2.5.3.
| |
| : 3. FSAR, Section 5.2.2.2.3.
| |
| : 4. FSAR, Section 15.0.
| |
| : 5. FSAR, Section 15.4.9.
| |
| : 6. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.1.5-5 Revision 73
| |
| | |
| Rod Pattern Control B 3.1.6 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.6 Rod Pattern Control BASES BACKGROUND Control rod patterns during startup conditions are controlled by the operator and the rod worth minimizer (RWM) (LCO 3.3.2.1, "Control Rod Block Instrumentation"), so that only specified control rod sequences and relative positions are allowed over the operating range of all control rods inserted to 10% RTP. The sequences effectively limit the potential amount of reactivity addition that could occur in the event of a control rod drop accident (CRDA).
| |
| This Specification assures that the control rod patterns are consistent with the assumptions of the CRDA analyses of References 1 and 2.
| |
| APPLICABLE The analytical methods and assumptions used in evaluating (the CRDA SAFETY are summarized in References 1 and 2. CRDA analyses assume that the ANALYSES reactor operator follows prescribed withdrawal sequences. These sequences define the potential initial conditions for the CRDA analysis.
| |
| The RWM (LCO 3.3.2.1) provides backup to operator control of the withdrawal sequences to ensure that the initial conditions of the CRDA analysis are not violated.
| |
| Prevention or mitigation of positive reactivity insertion events is necessary to limit the energy deposition in the fuel, thereby preventing significant fuel damage, which could result in undue release of radioactivity. Since the failure consequences for UO2 have been shown to be insignificant below fuel energy depositions of 300 cal/gm (Ref. 3), the fuel damage limit of 280 cal/gm provides a margin of safety from significant core damage, which would result in release of radioactivity (Refs. 4 and 5).
| |
| Generic evaluations (Refs. 6 and 7) of a design basis CRDA (i.e., a CRDA resulting in a peak fuel energy deposition of 280 cal/gm) have shown that if the peak fuel enthalpy remains below 280 cal/gm, then the maximum reactor pressure will be less than the required ASME Code limits (Ref. 8) and the calculated offsite doses will be well within the required limits (Ref. 5).
| |
| Control rod patterns analyzed in Reference 2 follow the banked position withdrawal sequence (BPWS) described in Reference 9. The BPWS is applicable from the condition of all control rods fully inserted to 10% RTP (Ref. 1). For the BPWS, the control rods are required to be moved in groups, with all control rods assigned to a specific group required to be within specified banked positions (e.g., between notches 08 and 12). The Columbia Generating Station B 3.1.6-1 Revision 73
| |
| | |
| Rod Pattern Control B 3.1.6 BASES APPLICABLE SAFETY ANALYSES (continued) banked positions are defined to minimize the maximum incremental control rod worths without being overly restrictive during normal plant operation. The generic BPWS analysis (Ref. 9) also evaluated the effect of fully inserted, inoperable control rods not in compliance with the sequence, to allow a limited number (i.e., eight) and distribution of fully inserted, inoperable control rods.
| |
| Rod pattern control satisfies the requirements of Criterion 3 of Reference 10.
| |
| LCO Compliance with the prescribed control rod sequences minimizes the potential consequences of a CRDA by limiting the initial conditions to those consistent with the BPWS. This LCO only applies to OPERABLE control rods. For inoperable control rods required to be inserted, separate requirements are specified in LCO 3.1.3, "Control Rod OPERABILITY," consistent with the allowances for inoperable control rods in the BPWS.
| |
| APPLICABILITY In MODES 1 and 2, when THERMAL POWER is 10% RTP, the CRDA is a Design Basis Accident (DBA) and, therefore, compliance with the assumptions of the safety analysis is required. When THERMAL POWER is > 10% RTP, there is no credible control rod configuration that results in a control rod worth that could exceed the 280 cal/gm fuel damage limit during a CRDA (Ref. 1). In MODES 3, 4, and 5, since the reactor is shut down and only a single control rod can be withdrawn from a core cell containing fuel assemblies, adequate SDM ensures that the consequences of a CRDA are acceptable, since the reactor will remain subcritical with a single control rod withdrawn.
| |
| ACTIONS A.1 and A.2 With one or more OPERABLE control rods not in compliance with the prescribed control rod sequence, action may be taken to either correct the control rod pattern or declare the associated control rods inoperable within 8 hours. Noncompliance with the prescribed sequence may be the result of "double notching," drifting from a control rod drive cooling water transient, leaking scram valves, or a power reduction to 10% RTP before establishing the correct control rod pattern. The number of OPERABLE control rods not in compliance with the prescribed sequence is limited to eight to prevent the operator from attempting to correct a control rod pattern that significantly deviates from the prescribed sequence.
| |
| Columbia Generating Station B 3.1.6-2 Revision 73
| |
| | |
| Rod Pattern Control B 3.1.6 BASES ACTIONS (continued)
| |
| Required Action A.1 is modified by a Note, which allows the RWM to be bypassed to allow the affected control rods to be returned to their correct position. LCO 3.3.2.1 requires verification of control rod movement by a second licensed operator (Reactor Operator or Senior Reactor Operator) or by a qualified member of the technical staff. This ensures that the control rods will be moved to the correct position. A control rod not in compliance with the prescribed sequence is not considered inoperable except as required by Required Action A.2. The allowed Completion Time of 8 hours is reasonable, considering the restrictions on the number of allowed out of sequence control rods and the low probability of a CRDA occurring during the time the control rods are out of sequence.
| |
| B.1 and B.2 If nine or more OPERABLE control rods are out of sequence, the control rod pattern significantly deviates from the prescribed sequence. Control rod withdrawal should be suspended immediately to prevent the potential for further deviation from the prescribed sequence. Control rod insertion to correct control rods withdrawn beyond their allowed position is allowed since, in general, insertion of control rods has less impact on control rod worth than withdrawals have. Required Action B.1 is modified by a Note that allows the RWM to be bypassed to allow the affected control rods to be returned to their correct position.
| |
| LCO 3.3.2.1 requires verification of control rod movement by a second licensed operator (Reactor Operator or Senior Reactor Operator) or by a qualified member of the technical staff.
| |
| With nine or more OPERABLE control rods not in compliance with BPWS, the reactor mode switch must be placed in the shutdown position within 1 hour. With the reactor mode switch in shutdown, the reactor is shut down, and therefore does not meet the applicability requirements of this LCO. The allowed Completion Time of 1 hour is reasonable to allow insertion of control rods to restore compliance, and is appropriate relative to the low probability of a CRDA occurring with the control rods out of sequence.
| |
| Columbia Generating Station B 3.1.6-3 Revision 73
| |
| | |
| Rod Pattern Control B 3.1.6 BASES SURVEILLANCE SR 3.1.6.1 REQUIREMENTS The control rod pattern is periodically verified to be in compliance with the BPWS, ensuring the assumptions of the CRDA analyses are met. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The RWM provides control rod blocks to enforce the required control rod sequence and is required to be OPERABLE when operating at 10% RTP.
| |
| REFERENCES 1. Letter from T.A. Pickens (BWROG) to G.C. Laines (NRC),
| |
| "Amendment 17 to General Electric Licensing Topical Report NEDE-24011-P-A," BWROG-8644, August 15, 1988.
| |
| : 2. FSAR, Section 15.4.9.
| |
| : 3. NUREG-0979, "NRC Safety Evaluation Report for GESSAR II BWR/6 Nuclear Island Design, Docket No. 50-447," Section 4.2.1.3.2, April 1983.
| |
| : 4. NUREG-0800, "Standard Review Plan," Section 15.4.9, "Radiological Consequences of Control Rod Drop Accident (BWR)," Revision 2, July 1981.
| |
| : 5. 10 CFR 50.67, "Accident Source Term."
| |
| : 6. NEDO-10527, "Rod Drop Accident Analysis for Large Boiling Water Reactors, (March 1972); Supplement 1, (July 1972); Supplement 2, (January 1973).
| |
| : 7. NEDO-21778-A, "Transient Pressure Rises Affected Fracture Toughness Requirements for Boiling Water Reactors,"
| |
| December 1978.
| |
| : 8. ASME, Boiler and Pressure Vessel Code, Section III.
| |
| : 9. NEDO-21231, "Banked Position Withdrawal Sequence,"
| |
| January 1977.
| |
| : 10. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.1.6-4 Revision 93
| |
| | |
| SLC System B 3.1.7 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.7 Standby Liquid Control (SLC) System BASES BACKGROUND The SLC System is designed to provide the capability of bringing the reactor, at any time in a fuel cycle, from full power and minimum control rod inventory (which is at the peak of the xenon transient) to a subcritical condition with the reactor in the most reactive xenon free state without taking credit for control rod movement. The SLC System satisfies the requirements of 10 CFR 50.62 (Ref. 1) on anticipated transient without scram (ATWS).
| |
| The SLC System is also used to maintain suppression pool pH at or above 7 following a loss of coolant accident (LOCA) involving significant fission product releases. Maintaining suppression pool pH levels at or above 7 following an accident ensures that iodine will be retained in the suppression pool water (Ref. 4).
| |
| The SLC System consists of a boron solution storage tank, two positive displacement pumps, two explosive valves, which are provided in parallel for redundancy, and associated piping and valves used to transfer borated water from the storage tank to the reactor pressure vessel (RPV).
| |
| The borated solution is discharged through the high pressure core spray system sparger.
| |
| APPLICABLE The SLC System is manually initiated from the main control room, as SAFETY directed by the emergency operating procedures, if the operator ANALYSES believes the reactor cannot be shut down, or kept shut down, with the control rods. The SLC System is used in the event that not enough control rods can be inserted to accomplish shutdown and cooldown in the normal manner. The SLC System injects borated water into the reactor core to compensate for all of the various reactivity effects that could occur during plant operation. To meet this objective, it is necessary to inject, using one SLC pump, a quantity of boron equivalent in Boron-10 to a concentration of 780 ppm of natural boron in the reactor core, including recirculation loops, at 70°F and normal reactor water level.
| |
| To allow for potential leakage and imperfect mixing in the reactor system, an additional amount of boron equal to 25% of the amount cited above is added (Ref. 2). The volume limit in SR 3.1.7.1 and the temperature versus concentration limits in Figure 3.1.7-1 are calculated such that the required concentration is achieved accounting for dilution in the RPV with normal water level and including the water volume in the residual heat removal shutdown cooling piping and in the recirculation loop piping.This quantity of borated solution is the amount that is above the pump suction shutoff level in the boron solution storage tank. No credit is taken for the portion of the tank volume that cannot be injected.
| |
| Columbia Generating Station B 3.1.7-1 Revision 87
| |
| | |
| SLC System B 3.1.7 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| Following a LOCA, offsite doses from the accident will remain within 10 CFR 50.67, "Accident Source Term," limits (Ref. 5) provided sufficient iodine activity is retained in the suppression pool. Credit for iodine deposition in the suppression pool is allowed (Ref. 4) as long as suppression pool pH is maintained at or above 7. Alternative Source Term analyses credit the use of the SLC System for maintaining the pH of the suppression pool at or above 7.
| |
| The SLC System satisfies Criteria 3 and 4 of Reference 3.
| |
| LCO The OPERABILITY of the SLC System provides backup capability for reactivity control, independent of normal reactivity control provisions provided by the control rods. Additionally, an OPERABLE SLC System has the ability to inject boron under post LOCA conditions to maintain the suppression pool pH above 7. The OPERABILITY of the SLC System is based on the conditions of the borated solution in the storage tank and the availability of a flow path to the RPV, including the OPERABILITY of the pumps and valves. Two SLC subsystems are required to be OPERABLE, each containing an OPERABLE pump, an explosive valve and associated piping, valves, and instruments and controls to ensure an OPERABLE flow path.
| |
| APPLICABILITY In MODES 1 and 2, shutdown capability is required. In MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate controls to ensure the reactor remains subcritical. In MODE 5, only a single control rod can be withdrawn from a core cell containing fuel assemblies. Demonstration of adequate SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") ensures that the reactor will not become critical.
| |
| Therefore, the SLC System is not required to perform its ATWS function during MODES 3, 4, or 5.
| |
| In MODES 1, 2, and 3, the SLC System must be OPERABLE to ensure that offsite doses remain within 10 CFR 50.67 (Ref. 5) limits following a LOCA involving significant fission product releases. The SLC System is used to maintain suppression pool pH at or above 7 following a LOCA to ensure that iodine will be retained in the suppression pool water (Ref. 4).
| |
| ACTIONS A.1 If one SLC System subsystem is inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this condition, the remaining OPERABLE subsystem is adequate to perform the original licensing basis shutdown function. However, the overall reliability is reduced because a single failure in the remaining OPERABLE subsystem Columbia Generating Station B 3.1.7-2 Revision 87
| |
| | |
| SLC System B 3.1.7 BASES ACTIONS (continued) could result in reduced SLC System shutdown capability. The 7 day Completion Time is based on the availability of an OPERABLE subsystem capable of performing the original licensing basis SLC System function and the low probability of a Design Basis Accident (DBA) or severe transient occurring concurrent with the failure of the Control Rod Drive System to shut down the plant.
| |
| B.1 If both SLC subsystems are inoperable, at least one subsystem must be restored to OPERABLE status within 8 hours. The allowed Completion Time of 8 hours is considered acceptable, given the low probability of a DBA or transient occurring concurrent with the failure of the control rods to shut down the reactor.
| |
| C.1 and C.2 If any Required Action and associated Completion Time is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.1.7.1 and SR 3.1.7.2 REQUIREMENTS SR 3.1.7.1 and SR 3.1.7.2 verify certain characteristics of the SLC System (e.g., the volume and temperature of the borated solution in the storage tank), thereby ensuring the SLC System OPERABILITY without disturbing normal plant operation. These Surveillances ensure the proper borated solution and temperature are maintained. Maintaining a minimum specified borated solution temperature is important in ensuring that the boron remains in solution and does not precipitate out in the storage tank. The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.1.7-3 Revision 93
| |
| | |
| SLC System B 3.1.7 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.1.7.3 and SR 3.1.7.5 SR 3.1.7.3 verifies the continuity of the explosive charges in the injection valves to ensure proper operation will occur if required. Other administrative controls, such as those that limit the shelf life of the explosive charges, must be followed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.1.7.5 verifies each valve in the system is in its correct position, but does not apply to the squib (i.e., explosive) valves. Verifying the correct alignment for manual and power operated valves in the SLC System flow path ensures that the proper flow paths will exist for system operation. A valve is also allowed to be in the nonaccident position, provided it can be aligned to the accident position from the control room, or locally by a dedicated operator at the valve control. This is acceptable since the SLC System is a manually initiated system. This Surveillance does not apply to valves that are locked, sealed, or otherwise secured in position, since they were verified to be in the correct position prior to locking, sealing, or securing. This verification of valve alignment does not apply to valves that cannot be inadvertently misaligned, such as check valves. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct positions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.1.7.4 This Surveillance requires an examination of the sodium pentaborate solution by using chemical analysis to ensure the proper concentration of boron (measured in weight % sodium pentaborate decahydrate) exists in the storage tank. SR 3.1.7.4 must be performed anytime boron or water is added to the storage tank solution to establish that the boron solution concentration is within the specified limits. This Surveillance must be performed anytime the temperature is restored to within the limits of Figure 3.1.7-1, to ensure no significant boron precipitation occurred. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.1.7-4 Revision 93
| |
| | |
| SLC System B 3.1.7 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.1.7.6 Demonstrating each SLC System pump develops a flow rate 41.2 gpm at a discharge pressure 1220 psig ensures that pump performance has not degraded during the fuel cycle. This minimum pump flow rate requirement ensures that, when combined with the sodium pentaborate solution concentration requirements, the rate of negative reactivity insertion from the SLC System will adequately compensate for the positive reactivity effects encountered during power reduction, cooldown of the moderator, and xenon decay. This test confirms one point on the pump design curve, and is indicative of overall performance. Such inservice tests confirm component OPERABILITY and detect incipient failures by indicating abnormal performance. The Frequency of this Surveillance is in accordance with the INSERVICE TESTING PROGRAM.
| |
| SR 3.1.7.7 and SR 3.1.7.8 These Surveillances ensure that there is a functioning flow path from the boron solution storage tank to the RPV, including the firing of an explosive valve. The replacement charge for the explosive valve shall be from the same manufactured batch as the one fired or from another batch that has been certified by having one of that batch successfully fired. The Surveillance may be performed in separate steps to prevent injecting boron into the RPV. An acceptable method for verifying flow from the pump to the RPV is to pump demineralized water from a test tank through one SLC subsystem and into the RPV. The Surveillance Frequency for SR 3.1.7.7 is controlled under the Surveillance Frequency Control Program.
| |
| Demonstrating that all heat traced piping between the boron solution storage tank and the suction valve to the injection pumps is unblocked ensures that there is a functioning flow path for injecting the sodium pentaborate solution. An acceptable method for verifying that the suction piping up to the suction valve is unblocked is to pump from the storage tank to the test tank. Upon completion of this verification, the pump suction piping must be drained and flushed with demineralized water since the suction piping between the pump suction valve and pump suction is not heat traced. The Surveillance Frequency for SR 3.1.7.8 is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.1.7-5 Revision 101
| |
| | |
| SLC System B 3.1.7 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| However, if, in performing SR 3.1.7.2, it is determined that the temperature of the solution in the storage tank has fallen below the specified minimum, SR 3.1.7.8 must be performed once within 24 hours after the solution temperature is restored within the limits of Figure 3.1.7-1.
| |
| SR 3.1.7.9 Enriched sodium pentaborate solution is made by mixing granular, enriched sodium pentaborate with water. Isotopic tests on the granular sodium pentaborate to verify the actual B-10 enrichment must be performed prior to addition to the SLC tank in order to ensure that the proper B-10 atom percentage is being used.
| |
| REFERENCES 1. 10 CFR 50.62.
| |
| : 2. FSAR, Section 9.3.5.3.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| : 4. Regulatory Guide 1.183, July 2000.
| |
| : 5. 10 CFR 50.67, "Accident Source Term."
| |
| Columbia Generating Station B 3.1.7-6 Revision 92
| |
| | |
| SDV Vent and Drain Valves B 3.1.8 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.8 Scram Discharge Volume (SDV) Vent and Drain Valves BASES BACKGROUND The SDV vent and drain valves are normally open and discharge any accumulated water in the SDV to ensure that sufficient volume is available at all times to allow a complete scram. During a scram, the SDV vent and drain valves close to contain reactor water. The SDV consists of header piping that connects to each hydraulic control unit (HCU) and drains into an instrument volume. There are two headers and two instrument volumes, each receiving approximately one half of the control rod drive (CRD) discharges. The two instrument volumes are connected to a common drain line with two valves in series. Each header is connected to a common vent line with two valves in series. The header piping is sized to receive and contain all the water discharged by the CRDs during a scram. The design and functions of the SDV are described in Reference 1.
| |
| APPLICABLE The Design Basis Accident and transient analyses assume all the control SAFETY rods are capable of scramming. The primary function of the SDV is to ANALYSES limit the amount of reactor coolant discharged during a scram. The acceptance criteria for the SDV vent and drain valves are that they operate automatically to:
| |
| : a. Close during scram to limit the amount of reactor coolant discharged so that adequate core cooling is maintained and offsite doses remain within the limits of 10 CFR 50.67 (Ref. 2); and
| |
| : b. Open on scram reset to maintain the SDV vent and drain path open so there is sufficient volume to accept the reactor coolant discharged during a scram.
| |
| Isolation of the SDV can also be accomplished by manual closure of the SDV valves. Additionally, the discharge of reactor coolant to the SDV can be terminated by scram reset or closure of the HCU manual isolation valves. For a bounding leakage case, the offsite doses are well within the limits of 10 CFR 50.67 (Ref. 2) and adequate core cooling is maintained (Ref. 3). The SDV vent and drain valves also allow continuous drainage of the SDV during normal plant operation to ensure the SDV has sufficient capacity to contain the reactor coolant discharge during a full core scram.
| |
| To automatically ensure this capacity, a reactor scram (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation") is initiated if the SDV water level exceeds a specified setpoint. The setpoint is chosen such that all control rods are inserted before the SDV has insufficient volume to accept a full scram.
| |
| SDV vent and drain valves satisfy Criterion 3 of Reference 4.
| |
| Columbia Generating Station B 3.1.8-1 Revision 73
| |
| | |
| SDV Vent and Drain Valves B 3.1.8 BASES LCO The OPERABILITY of all SDV vent and drain valves ensures that, during a scram, the SDV vent and drain valves will close to contain reactor water discharged to the SDV piping. Since the vent and drain lines are provided with two valves in series, the single failure of one valve in the open position will not impair the isolation function of the system.
| |
| Additionally, the valves are required to be open to ensure that a path is available for the SDV piping to drain freely at other times.
| |
| APPLICABILITY In MODES 1 and 2, scram may be required, and therefore, the SDV vent and drain valves must be OPERABLE. In MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. During MODE 5, only a single control rod can be withdrawn from a core cell containing fuel assemblies.
| |
| Therefore, the SDV vent and drain valves are not required to be OPERABLE in these MODES since the reactor is subcritical and only one rod may be withdrawn and subject to scram.
| |
| ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each SDV vent and drain line. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable SDV line.
| |
| Complying with the Required Actions may allow for continued operation, and subsequent inoperable SDV lines are governed by subsequent Condition entry and application of associated Required Actions.
| |
| The ACTIONS Table is modified by a second Note stating that an isolated line may be unisolated under administrative control to allow draining and venting of the SDV. When a line is isolated, the potential for an inadvertent scram due to high SDV level is increased. During these periods, the line may be unisolated under administrative control. This allows any accumulated water in the line to be drained, to preclude a reactor scram on SDV high level. This is acceptable, since administrative controls ensure the valve can be closed quickly, by a dedicated operator, if a scram occurs with the valve open.
| |
| A.1 When one SDV vent or drain valve is inoperable in one or more lines, the line must be isolated to contain the reactor coolant during a scram. The 7 day Completion Time is reasonable, given the level of redundancy in the lines and the low probability of a scram occurring during the time the valve(s) are inoperable and the line(s) not isolated. The SDV is still isolable since the redundant valve in the affected line is OPERABLE.
| |
| During these periods, the single failure criterion may not be preserved, and a higher risk exists to allow reactor water out of the primary system during a scram.
| |
| Columbia Generating Station B 3.1.8-2 Revision 73
| |
| | |
| SDV Vent and Drain Valves B 3.1.8 BASES ACTIONS (continued)
| |
| B.1 If both valves in a line are inoperable, the line must be isolated to contain the reactor coolant during a scram. The 8 hour Completion Time to isolate the line is based on the low probability of a scram occurring while the line is not isolated and unlikelihood of significant CRD seal leakage.
| |
| C.1 If any Required Action and associated Completion Time is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours.
| |
| The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.1.8.1 REQUIREMENTS During normal operation, the SDV vent and drain valves should be in the open position (except when performing SR 3.1.8.2) to allow for drainage of the SDV piping. Verifying that each valve is in the open position ensures that the SDV vent and drain valves will perform their intended function during normal operation. This SR does not require any testing or valve manipulation; rather, it involves verification that the valves are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.1.8.2 During a scram, the SDV vent and drain valves should close to contain the reactor water discharged to the SDV piping. Cycling each valve through its complete range of motion (closed and open) ensures that the valve will function properly during a scram. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.1.8-3 Revision 93
| |
| | |
| SDV Vent and Drain Valves B 3.1.8 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.1.8.3 SR 3.1.8.3 is an integrated test of the SDV vent and drain valves to verify total system performance. After receipt of a simulated or actual scram signal, the closure of the SDV vent and drain valves is verified. The closure time of 30 seconds after a receipt of a scram signal is based on the bounding leakage case evaluated in the accident analysis. Similarly, after receipt of a simulated or actual scram reset signal, the opening of the SDV vent and drain valves is verified. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.1.1 and the scram time testing of control rods in LCO 3.1.3, "Control Rod - OPERABILITY," overlap this Surveillance to provide complete testing of the assumed safety function.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 4.6.1.1.2.4.2.5.
| |
| : 2. 10 CFR 50.67, "Accident Source Term."
| |
| : 3. NUREG-0803, "Generic Safety Evaluation Report Regarding Integrity of BWR Scram System Piping," August 1981.
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.1.8-4 Revision 93
| |
| | |
| APLHGR B 3.2.1 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.1 AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)
| |
| BASES BACKGROUND The APLHGR is a measure of the average LHGR of all the fuel rods in a fuel assembly at any axial location. Limits on the APLHGR are specified to ensure that the fuel design limits identified in References 1 and 2 are not exceeded and that the peak cladding temperature (PCT) during the postulated design basis loss of coolant accident (LOCA) does not exceed the limits specified in 10 CFR 50.46. As a result, core geometry will be maintained by minimizing gross fuel cladding failure due to heatup following a design basis LOCA.
| |
| APPLICABLE The analytical methods and assumptions used in evaluating the fuel SAFETY design limits are presented in References 1 and 2. The analytical ANALYSES methods and assumptions used in evaluating Design Basis Accidents (DBAs) and normal operations that determine APLHGR limits are presented in FSAR, Chapters 4, 6, and 15 and in Reference 1.
| |
| LOCA analyses are performed to ensure that the specified APLHGR limits are adequate to meet the PCT and maximum oxidation limits of 10 CFR 50.46. The analysis is performed using calculational models that are consistent with the requirements of 10 CFR 50, Appendix K. A complete discussion of the analysis codes is provided in References1 and 2. The PCT following a postulated LOCA is a function of the average heat generation rate of all the rods of a fuel assembly at any axial location and is not strongly influenced by the rod to rod power distribution within an assembly. The APLHGR limits specified are equivalent to the LHGR of the highest powered fuel rod assumed in the LOCA analysis divided by its local peaking factor. A conservative multiplier is applied to the LHGR assumed in the LOCA analysis to account for the uncertainty associated with the measurement of the APLHGR. For single recirculation loop operation, APLHGR limits are determined when two-loop limits are not bounding.
| |
| The APLHGR satisfies Criterion 2 of Reference 2.
| |
| LCO The APLHGR limits specified in the COLR are the result of the fuel design and design basis accident analyses. Limits have been provided in the COLR for two recirculation loop operation and single recirculation loop operation. The limits on single recirculation loop operation are provided to allow operation in this condition in conformance with the requirements of LCO 3.4.1, "Recirculation Loops Operating."
| |
| Columbia Generating Station B 3.2.1-1 Revision 87
| |
| | |
| APLHGR B 3.2.1 BASES APPLICABILITY The APLHGR limits are primarily derived from fuel design evaluations and LOCA analyses that are assumed to occur at high power levels. Studies and operating experience have shown that as power is reduced, the margin to the required APLHGR limits increases. This trend continues down to the power range of 5% to 15% RTP when entry into MODE 2 occurs, thereby effectively removing any APLHGR limit compliance concern in MODE 2. Therefore, at THERMAL POWER levels 25% RTP, the reactor operates with substantial margin to the APLHGR limits; thus, this LCO is not required.
| |
| ACTIONS A.1 If any APLHGR exceeds the required limits, an assumption regarding an initial condition of the DBA analyses may not be met. Therefore, prompt action is taken to restore the APLHGR(s) to within the required limits such that the plant will be operating within analyzed conditions and within the design limits of the fuel rods. The 2 hour Completion Time is sufficient to restore the APLHGR(s) to within its limits and is acceptable based on the low probability of a DBA occurring simultaneously with the APLHGR out of specification.
| |
| B.1 If the APLHGR cannot be restored to within its required limits within the associated Completion Time, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER must be reduced to < 25% RTP within 4 hours. The allowed Completion Time is reasonable, based on operating experience, to reduce THERMAL POWER to < 25% RTP in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.2.1.1 REQUIREMENTS APLHGRs are required to be initially calculated within 12 hours after THERMAL POWER is 25% RTP and periodically thereafter. They are compared to the specified limits in the COLR to ensure that the reactor is operating within the assumptions of the safety analysis. The 12 hour allowance after THERMAL POWER 25% RTP is achieved is acceptable given the large inherent margin to operating limits at low power levels.
| |
| The periodic Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.2.1-2 Revision 93
| |
| | |
| APLHGR B 3.2.1 BASES REFERENCES 1. NEDE-24011-P-A, "General Electric Standard Application for Reactor Fuel," (most recent approved version referenced in COLR). I
| |
| ================== I
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.2.1-3 Revision 87
| |
| | |
| MCPR B 3.2.2 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.2 MINIMUM CRITICAL POWER RATIO (MCPR)
| |
| BASES BACKGROUND MCPR is a ratio of the fuel assembly power that would result in the onset of boiling transition to the actual fuel assembly power. The MCPR Safety Limit (SL) is such that 99.9% of the fuel rods avoid boiling transition if the limit is not violated (refer to the Bases for SL 2.1.1.2). The operating limit MCPR is established to ensure that no fuel damage results during anticipated operational occurrences (AOOs). Although fuel damage does not necessarily occur if a fuel rod actually experiences boiling transition (Ref. 5), the critical power at which boiling transition is calculated to occur has been adopted as a fuel design criterion.
| |
| The onset of transition boiling is a phenomenon that is readily detected during the testing of various fuel bundle designs. Based on these experimental data, correlations have been developed to predict critical bundle power (i.e., the bundle power level at the onset of transition boiling) for a given set of plant parameters (e.g., reactor vessel pressure, flow, and subcooling). Because plant operating conditions and bundle power levels are monitored and determined relatively easily, monitoring the MCPR is a convenient way of ensuring that fuel failures due to inadequate cooling do not occur.
| |
| APPLICABLE The analytical methods and assumptions used in evaluating the AOOs to SAFETY establish the operating limit MCPR are presented in the FSAR, Chapters ANALYSES 4, 6, and 15, and References 6, 7, 8 and 9. To ensure that the MCPR SL is not exceeded during any transient event that occurs with moderate frequency, limiting transients have been analyzed to determine the largest reduction in critical power ratio (CPR). The types of transients evaluated are loss of flow, increase in pressure and power, positive reactivity insertion, and coolant temperature decrease. The limiting transient yields the largest change in CPR (CPR). When the largest CPR is added to the MCPR SL, the required operating limit MCPR is obtained.
| |
| The MCPR operating limits derived from the transient analysis are dependent on the operating core flow and power rate (MCPRf and MCPRp, respectively) to ensure adherence to fuel design limits during the worst transient that occurs with moderate frequency as identified in FSAR, Chapter 15.
| |
| Columbia Generating Station B 3.2.2-1 Revision 103
| |
| | |
| MCPR B 3.2.2 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| Flow dependent MCPR limits are determined by steady-state thermal hydraulic methods using the three-dimensional BWR simulator code (Ref. 7) and a multi-channel thermal-hydraulic code (Refs. 8 and 9).
| |
| MCPRf curves are provided based on the maximum credible flow runout transient for ASD operation (i.e., runout of both loops).
| |
| Power dependent MCPR limits (MCPRp) are determined by the three-dimensional BWR simulator code (Ref. 7) and a multi-channel thermal-hydraulic code (Refs. 8 and 9). Due to the sensitivity of the transient response to initial core flow levels at power levels below those at which the turbine stop valve closure and turbine control valve fast closure scram trips are bypassed, high and low flow MCPRp operating limits are provided for operating between 25% RTP and the previously mentioned bypass power level.
| |
| The MCPR satisfies Criterion 2 of Reference 4.
| |
| LCO The MCPR operating limits specified in the COLR are the result of the Design Basis Accident (DBA) and transient analysis. MCPR operating limits that include the effects of analyzed equipment out-of-service are also included in the COLR. The MCPR operating limits are determined by the larger of the MCPRf and MCPRp limits.
| |
| APPLICABILITY The MCPR operating limits are primarily derived from transient analyses that are assumed to occur at high power levels. Below 25% RTP, the reactor is operating at a slow recirculation pump speed and the moderator void ratio is small. Surveillance of thermal limits below 25% RTP is unnecessary due to the large inherent margin that ensures that the MCPR SL is not exceeded even if a limiting transient occurs.
| |
| Statistical analyses indicate that the nominal value of the initial MCPR at 25% RTP is expected to be very large. Studies of the variation of limiting transient behavior have been performed over the range of power and flow conditions. These studies encompass the range of key actual plant parameter values important to typically limiting transients. The results of these studies demonstrate that a margin is expected between performance and the MCPR requirements, and that margins increase as power is reduced to 25% RTP. This trend is expected to continue to the 5% to 15% power range when entry into MODE 2 occurs. When in MODE 2, the intermediate range monitor (IRM) provides rapid scram initiation for any significant power increase transient, which effectively eliminates any MCPR compliance concern. Therefore, at THERMAL POWER levels < 25% RTP, the reactor is operating with substantial margin to the MCPR limits and this LCO is not required.
| |
| Columbia Generating Station B 3.2.2-2 Revision 87
| |
| | |
| MCPR B 3.2.2 BASES ACTIONS A.1 If any MCPR is outside the required limits, an assumption regarding an initial condition of the design basis transient analyses may not be met.
| |
| Therefore, prompt action should be taken to restore the MCPR(s) to within the required limits such that the plant remains operating within analyzed conditions. The 2 hour Completion Time is normally sufficient to restore the MCPR(s) to within its limits and is acceptable based on the low probability of a transient or DBA occurring simultaneously with the MCPR out of specification.
| |
| B.1 If the MCPR cannot be restored to within the required limits within the associated Completion Time, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER must be reduced to < 25% RTP within 4 hours. The allowed Completion Time is reasonable, based on operating experience, to reduce THERMAL POWER to < 25% RTP in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.2.2.1 REQUIREMENTS The MCPR is required to be initially calculated within 12 hours after THERMAL POWER is 25% RTP and periodically thereafter. It is compared to the specified limits in the COLR to ensure that the reactor is operating within the assumptions of the safety analysis. The 12 hour allowance after THERMAL POWER reaches 25% RTP is acceptable given the large inherent margin to operating limits at low power levels.
| |
| The periodic Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.2.2.2 Because the transient analysis takes credit for conservatism in the scram speed performance, it must be demonstrated that the specific scram speed distribution is consistent with that used in the transient analysis.
| |
| SR 3.2.2.2 determines the value of , which is a measure of the actual scram speed distribution compared with the assumed distribution. The MCPR operating limit is then determined based on an interpolation between the applicable limits for Option A (scram times of LCO 3.1.4, "Control Rod Scram Times") and Option B (realistic scram times) analysis. The parameter must be determined once within 72 hours after each set of scram time tests required by SR 3.1.4.1, SR 3.1.4.2, and SR 3.1.4.4 because the effective scram speed distribution may change during the cycle or after maintenance that could affect scram times.
| |
| Columbia Generating Station B 3.2.2-3 Revision 93
| |
| | |
| MCPR B 3.2.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The 72 hour Completion Time is acceptable due to the relatively minor changes in expected during the fuel cycle.
| |
| REFERENCES 1. DELETED.
| |
| : 2. DELETED.
| |
| : 3. DELETED.
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| : 5. NUREG-0562, June 1979.
| |
| : 6. NEDE-24011-P-A and NEDE-24011-P-A-US, "General Electric Standard Application for Reactor Fuel (GESTAR II) and Supplement for United States," Global Nuclear Fuel.
| |
| : 7. NEDO-30130-A, "Steady State Nuclear Methods," May 1985.
| |
| : 8. NEDO-24154, "Qualification of the One-Dimensional Core Transient Model for Boiling Water Reactors," October 1978.
| |
| : 9. NEDE-32906P-A, TRACG Application for Anticipated Operational Occurrences Transient Analyses, Revision 3, September 2006.
| |
| Columbia Generating Station B 3.2.2-4 Revision 87
| |
| | |
| LHGR B 3.2.3 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.3 LINEAR HEAT GENERATION RATE (LHGR)
| |
| BASES BACKGROUND The LHGR is a measure of the heat generation rate of a fuel rod in a fuel assembly at any axial location. Limits on the LHGR are specified to ensure that fuel design limits are not exceeded anywhere in the core during normal operation, including anticipated operational occurrences (AOOs). Exceeding the LHGR limit could potentially result in fuel damage and subsequent release of radioactive materials. Fuel design limits are specified to ensure that fuel system damage, fuel rod failure or inability to cool the fuel does not occur during the anticipated operating conditions identified in References 1 and 2.
| |
| APPLICABLE The analytical methods and assumptions used in evaluating the fuel SAFETY system design are presented in References 3, 4, 5, and 6. The fuel ANALYSES assembly is designed to ensure (in conjunction with the core nuclear and thermal hydraulic design, plant equipment, instrumentation, and protection system) that fuel damage will not result in the release of radioactive materials in excess of the guidelines of 10 CFR, Parts 20, 50, and 50.67. The mechanisms that could cause fuel damage during operational transients and that are considered in fuel evaluations are:
| |
| : a. Rupture of the fuel rod cladding caused by strain from the relative expansion of the UO2 pellet; and
| |
| : b. Severe overheating of the fuel rod cladding caused by inadequate cooling.
| |
| A value of 1% circumferential cladding plastic strain has been defined as the limit below which fuel damage caused by overstraining of the fuel cladding is not expected to occur (Ref. 8).
| |
| Fuel design evaluations have been performed and demonstrate that the 1% circumferential cladding plastic strain design limit is not exceeded during continuous operation with LHGRs up to the operating limit specified in the COLR. The analysis also includes allowances for short term transient operation above the operating limit to account for AOOs.
| |
| LHGR limits are developed as a function of exposure, core flow and power to ensure adherence to fuel design limits during the limiting AOOs (Ref. 10). The exposure dependent LHGR limits are reduced by power-dependent (LHGRFACp) and core flow-dependent (LHGRFACf) multipliers for operation below rated power and flow. This will result in a lower LHGR thermal limit at reduced power and flow. A step change in the LHGR limit occurs when scram trips are bypassed for turbine throttle valve closure and turbine governor valve fast closure.
| |
| Columbia Generating Station B 3.2.3-1 Revision 87
| |
| | |
| LHGR B 3.2.3 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| LHGRFACf multipliers are determined using the three dimensional BWR simulator code (Ref. 11) to analyze slow flow runout transients.
| |
| LHGRFACf, is dependent on the maximum core flow runout capability.
| |
| LHGRFACp multipliers are determined based on analyses of limiting plant transients (other than core flow increases) over a range of power and flow conditions. The transient response is sensitive to initial core flow at power levels below those at which turbine throttle valve closure and turbine governor valve fast closure scram trips are bypassed (Pbypass).
| |
| Both high and low core flow LHGRFACp multipliers are provided for operation at power levels between 25% and Pbypass. A complete discussion of the analysis code is provided in Reference 12. The exposure, core flow and power dependent LHGR limits ensure that all fuel design limits are met for normal operation and AOOs.
| |
| The LHGR satisfies Criterion 2 of Reference 9.
| |
| LCO The LHGR is a basic assumption in the fuel design analysis. The fuel has been designed to operate at rated core power with sufficient design margin to the LHGR calculated to cause a 1% circumferential cladding plastic strain. The operating limit to accomplish this objective is specified in the COLR.
| |
| APPLICABILITY The LHGR limits are derived from fuel design analysis that is limiting at high power level conditions. At core thermal power levels < 25% RTP, the reactor is operating with a substantial margin to the LHGR limits and, therefore, the Specification is only required when the reactor is operating at 25% RTP.
| |
| ACTIONS A.1 If any LHGR exceeds its required limit, an assumption regarding an initial condition of the fuel design analysis is not met. Therefore, prompt action should be taken to restore the LHGR(s) to within its required limits such that the plant is operating within analyzed conditions. The 2 hour Completion Time is normally sufficient to restore the LHGR(s) to within its limits and is acceptable based on the low probability of a transient or Design Basis Accident occurring simultaneously with the LHGR out of specification.
| |
| B.1 If the LHGR cannot be restored to within its required limits within the associated Completion Time, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER must be reduced to < 25% RTP within Columbia Generating Station B 3.2.3-2 Revision 87
| |
| | |
| LHGR B 3.2.3 BASES ACTIONS (continued) 4 hours. The allowed Completion Time is reasonable, based on operating experience, to reduce THERMAL POWER to < 25% RTP in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.2.3.1 REQUIREMENTS The LHGRs are required to be initially calculated within 12 hours after THERMAL POWER is 25% RTP and periodically thereafter. They are compared with the specified limits in the COLR to ensure that the reactor is operating within the assumptions of the safety analysis. The 12 hour allowance after THERMAL POWER 25% RTP is achieved is acceptable given the large inherent margin to operating limits at lower power levels.
| |
| The periodic Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Chapter 4.
| |
| : 2. FSAR, Chapter 15.
| |
| : 3. NEDC-32868P, "GE14 Compliance with Amendment 22 of NEDE-24011-P-A (GESTAR II)," Revision 5, May 2013.
| |
| : 4. NEDC-33241P, "GE14 Fuel Rod Thermal-Mechanical Design Report," Revision 1, January 2006.
| |
| : 5. NEDC-33236P, "GE14 Fuel Assembly Mechanical Design Report,"
| |
| November 2005.
| |
| : 6. NEDC-33270P, GNF2 Advantage Generic Compliance with NEDE-24011-P-A (GESTAR II), Revision 5, May 2013.
| |
| : 7. DELETED
| |
| : 8. NUREG-0800, Chapter 4.2, Section II A.2(g), Revision 2, July 1981.
| |
| : 9. 10 CFR 50.36(c)(2)(ii).
| |
| : 10. NEDC-33507P, Revision 1, Energy Northwest Columbia Generating Station APRM/RBM/Technical Specifications/Maximum Extended Load Line Limit Analysis (ARTS/MELLLA), January 2012.
| |
| Columbia Generating Station B 3.2.3-3 Revision 93
| |
| | |
| LHGR B 3.2.3 BASES REFERENCES (continued)
| |
| : 11. NEDO-30130-A, Stead State Nuclear Methods, May 1985
| |
| : 12. NEDE-32906P-A, TRACG Application for Anticipated Operational Occurrences Transient Analyses, Revision 3, September 2006.
| |
| Columbia Generating Station B 3.2.3-4 Revision 87
| |
| | |
| RPS Instrumentation B 3.3.1.1 B 3.3 INSTRUMENTATION B 3.3.1.1 Reactor Protection System (RPS) Instrumentation BASES BACKGROUND The RPS initiates a reactor scram when one or more monitored parameters exceed their specified limit to preserve the integrity of the fuel cladding and the reactor coolant pressure boundary (RCPB) and minimize the energy that must be absorbed following a loss of coolant accident (LOCA). This can be accomplished either automatically or manually.
| |
| The protection and monitoring functions of the RPS have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters, and equipment performance. Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables that have significant safety functions. LSSS are defined by the regulation as where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded.
| |
| Safety analyses establish Analytical Limits (AL) for process variables associated with initiation of protective actions to ensure the SL is not exceeded. For instruments subject to TSTF-493 methodologies, Plant calculations (performed in accordance with Licensee Controlled Specifications [LCS] Appendix A) establish a Limiting Trip Setpoint (LTSP) as the limiting setting for a channel trip setpoint which ensures that the associated AL will not be exceeded. The LTSP factors in credible instrument errors associated with the instrument channel. To accommodate uncertainties in setting the physical instrument channel a setting tolerance, known as the As-Left Tolerance (ALT), is established around the LTSP.
| |
| For instruments subject to TSTF-493 methodologies, an As-Found Tolerance (AFT) is determined per the methods described in the LCS.
| |
| The AFT defines the bounds within which the setpoint is expected to be found between surveillances. Applying the AFT to the LTSP or other more conservative setpoint provides high confidence that the channels performance will be acceptable between surveillances.
| |
| The TS operability limit is known as the Allowable Value (AV). For cases where a setpoint has exceeded the AFT but remains within the allowable value, the channel is OPERABLE but degraded and should be reset to within the ALT of the channels prescribed setpoint. Additionally the unexpected as found condition should be entered into the corrective action program for further evaulation.
| |
| Columbia Generating Station B 3.3.1.1-1 Revision 97
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES BACKGROUND (continued)
| |
| The RPS, as described in the FSAR, Section 7.2 (Ref. 1), includes sensors, relays, bypass circuits, and switches that are necessary to cause initiation of a reactor scram. Functional diversity is provided by monitoring a wide range of dependent and independent parameters. The input parameters to the scram logic are from instrumentation that monitors reactor vessel water level; reactor vessel pressure; neutron flux; main steam line isolation valve position; turbine governor valve (TGV) fast closure, trip oil pressure low; turbine throttle valve (TTV) position; primary containment pressure and scram discharge volume (SDV) water level; as well as reactor mode switch in shutdown position and manual scram signals. There are at least four redundant sensor input signals from each of these parameters. Most channels include equipment (e.g., pressure switches) that compares measured input signals with pre-established setpoints. When a setpoint is exceeded, the channel outputs an RPS trip signal to the trip logic.
| |
| The RPS is comprised of two independent trip systems (A and B), with two logic channels in each trip system (logic channels A1 and A2, B1 and B2), as shown in Reference 1. The outputs of the logic channels in a trip system are combined in a one-out-of-two logic so either channel can trip the associated trip system. The tripping of both trip systems will produce a reactor scram. This logic arrangement is referred to as one-out-of-two taken twice logic. Each trip system can be reset by use of a reset switch. If a full scram occurs (both trip systems trip), a relay prevents reset of the trip systems for 10 seconds after the full scram signal is received. This 10 second delay on reset ensures that the scram function will be completed.
| |
| Two pilot scram valves are located in the hydraulic control unit (HCU) for each control rod drive (CRD). Each pilot scram valve is solenoid operated, with the solenoids normally energized. The pilot scram valves control the air supply to the scram inlet and outlet valves for the associated CRD. When either pilot scram valve solenoid is energized, air pressure holds the scram valves closed and, therefore, both pilot scram valve solenoids must be de-energized to cause a control rod to scram.
| |
| The scram valves control the supply and discharge paths for the CRD water during a scram. One of the pilot scram valve solenoids for each CRD is controlled by trip system A, and the other solenoid is controlled by trip system B. Any trip of trip system A in conjunction with any trip in trip system B results in de-energizing both solenoids, air bleeding off, scram valves opening, and control rod scram.
| |
| The backup scram valves, which energize on a scram signal to depressurize the scram air header, are also controlled by the RPS.
| |
| Additionally, the RPS System controls the SDV vent and drain valves such that when both trip systems trip, the SDV vent and drain valves close to isolate the SDV.
| |
| Columbia Generating Station B 3.3.1.1-2 Revision 97
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE The actions of the RPS are assumed in the safety analyses of SAFETY References 2, 3, 4, and 5. The RPS initiates a reactor scram when ANALYSES, LCO, monitored parameter values are exceeded to preserve the integrity of and APPLICABILITY the fuel cladding, the RCPB, and the containment by minimizing the energy that must be absorbed following a LOCA.
| |
| RPS instrumentation satisfies Criterion 3 of Reference 6. Functions not specifically credited in the accident analysis are retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.
| |
| The OPERABILITY of the RPS is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.1.1-1.
| |
| Each Function must have a required number of OPERABLE channels per RPS trip system, with their setpoints within the specified Allowable Value, where appropriate. Setpoints for functions subject to TSTF-493 methodology (Functions 2.a, 2.b, 2.c, 2.f & 7.b) should be within the setting tolerance of the prescribed setpoint. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.
| |
| Each channel must also respond within its assumed response time, where appropriate Allowable Values are specified for each RPS Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations.
| |
| The nominal setpoints are selected to ensure that the actual setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.
| |
| Allowable values for Functions 2.a, 2.b, 2.c, 2.f and 7.b are specified in Table 3.3.1.1-1. LTSPs and the methodologies for calculation of the ALT and AFT are described in the Licensee Controlled Specifications. To ensure that setpoints remain within the AFT between successive CHANNEL CALIBRATIONS, the trip setpoint shall be set within the ALT around the LTSP after each calibration.
| |
| Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., differential pressure switch) changes state.
| |
| The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for process and all instrument uncertainties, except drift and calibration. The trip setpoints or LTSPs are derived from the analytic limits, corrected for process and all instrument uncertainties, including drift and calibration. The trip setpoints or LTSPs Columbia Generating Station B 3.3.1.1-3 Revision 97
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) derived in this manner provide adequate protection because all instrumentation uncertainties and process effects are taken into account.
| |
| The OPERABILITY of pilot scram valves and associated solenoids, backup scram valves, and SDV valves, described in the Background section, are not addressed by this LCO.
| |
| The individual Functions are required to be OPERABLE in the MODES or other specified conditions specified in the Table that may require an RPS trip to mitigate the consequences of a design basis accident or transient.
| |
| To ensure a reliable scram function, a combination of Functions is required in each MODE to provide primary and diverse initiation signals.
| |
| The only MODES specified in Table 3.3.1.1-1 are MODES 1 and 2, and MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies. No RPS Function is required in MODES 3 and 4 since all control rods are fully inserted and the Reactor Mode Switch Shutdown Position control rod withdrawal block (LCO 3.3.2.1) does not allow any control rod to be withdrawn. In MODE 5, control rods withdrawn from a core cell containing no fuel assemblies do not affect the reactivity of the core and, therefore, are not required to have the capability to scram. Provided all other control rods remain inserted, no RPS Function is required. In this condition, the required SDM (LCO 3.1.1) and refuel position one-rod-out interlock (LCO 3.9.2) ensure that no event requiring RPS will occur.
| |
| The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.
| |
| 1.a. Intermediate Range Monitor (IRM) Neutron Flux - High The IRMs monitor neutron flux levels from the upper range of the source range monitors (SRMs) to the lower range of the average power range monitors (APRMs). The IRMs are capable of generating trip signals that can be used to prevent fuel damage resulting from abnormal operating transients in the intermediate power range. In this power range, the most significant source of reactivity change is due to control rod withdrawal.
| |
| The IRM provides diverse protection from the rod worth minimizer (RWM), which monitors and controls the movement of control rods at low power. The RWM prevents the withdrawal of an out of sequence control rod during startup that could result in an unacceptable neutron flux excursion (Ref. 7). The IRM provides mitigation of the neutron flux excursion. To demonstrate the capability of the IRM System to mitigate control rod withdrawal events, a generic analysis has been performed (Ref. 8) to evaluate the consequences of control rod withdrawal during startup that are mitigated only by the IRM. This analysis, which assumes that one IRM channel in each trip system is bypassed, demonstrates that the IRMs provide protection against local control rod withdrawal errors Columbia Generating Station B 3.3.1.1-4 Revision 97
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) and results in peak fuel enthalpy below the 170 cal/gm fuel failure threshold criterion.
| |
| The IRMs are also capable of limiting other reactivity excursions during startup, such as cold water injection events, although no credit is specifically assumed.
| |
| The IRM System is divided into two groups of IRM channels, with four IRM channels inputting to each trip system. The analysis of Reference 7 assumes that one channel in each trip system is bypassed. Therefore, six channels with three channels in each trip system are required for IRM OPERABILITY to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. This trip is active in each of the 10 ranges of the IRM, which must be selected by the operator to maintain the neutron flux within the monitored level of an IRM range.
| |
| The analysis of Reference 7 has adequate conservatism to permit the IRM Allowable Value specified in the Table.
| |
| The Intermediate Range Monitor Neutron Flux - High Function must be OPERABLE during MODE 2 when control rods may be withdrawn and the potential for criticality exists. In MODE 5, when a cell with fuel has its control rod withdrawn, the IRMs provide monitoring for and protection against unexpected reactivity excursions. In MODE 1, the APRM System, the RWM and Rod Block Monitor provide protection against control rod withdrawal error events and the IRMs are not required. The IRMs are automatically bypassed when the mode switch is in the run position.
| |
| 1.b. Intermediate Range Monitor (IRM) - Inop This trip signal provides assurance that a minimum number of IRMs are OPERABLE. Anytime an IRM mode switch is moved to any position other than "Operate," the detector voltage drops below a preset level, loss of the negative DC voltage, or a module is not plugged in, an inoperative trip signal will be received by the RPS unless the IRM is bypassed. Since only one IRM in each trip system may be bypassed, only one IRM in each RPS trip system may be inoperable without resulting in an RPS trip signal.
| |
| This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.
| |
| Six channels of Intermediate Range Monitor - Inop with three channels in each trip system are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal.
| |
| Columbia Generating Station B 3.3.1.1-5 Revision 97
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Since this Function is not assumed in the safety analysis, there is no Allowable Value for this Function.
| |
| This Function is required to be OPERABLE when the Intermediate Range Monitor Neutron Flux - High Function is required.
| |
| : 2. Average Power Range Monitor (APRM)
| |
| The APRM channels provide the primary indication of neutron flux within the core and respond almost instantaneously to neutron flux increases.
| |
| The APRM channels receive input signals from the local power range monitors (LPRMs) within the reactor core to provide an indication of the power distribution and local power changes. The APRM channels average these LPRM signals to provide a continuous indication of average reactor power from a few percent to greater to RTP. Each APRM also includes an Oscillation Power Range Monitor (OPRM)
| |
| Upscale function which monitor small groups of LPRM signals to detect thermal-hydraulic instabilities.
| |
| The APRM System is divided into four APRM channels and four 2-Out-of-4 Voter channels. Each APRM channel provides inputs to each of the four voter channels. The four voter channels are divided into two groups of two each; with each group of two providing inputs to one RPS trip system. The system is designed to allow one APRM channel, but no voter channels, to be bypassed. A trip from any one unbypassed APRM will result in a single vote in all of the voter channels, but no trip inputs to either RPS trip system. Since APRM trip Functions 2.a, 2.b, 2.c, and 2.f are implemented in the same hardware, these trip Functions are combined with APRM Inop trip Function 2.d. Any Function 2.a, 2.b, 2.c, or 2.d trip from any two unbypassed APRM channels will result in a full trip in each of the four voter channels, which in turn results in two trip inputs into each RPS trip system logic channel (A1, A2, B1, and B2).
| |
| Similarly, any Function 2.d or 2.f trip from any two unbypassed APRM channels will result in a full trip from each of the four voter channels.
| |
| Three of the four APRM channels and all four of the voter channels are required to be OPERABLE to ensure that no single failure will preclude a scram on a valid signal. In addition, to provide adequate coverage of the entire core, consistent with the design bases for the APRM Functions 2.a, 2.b, and 2.c, at least 20 LPRM inputs, with at least three LPRM inputs from each of the four axial levels at which the LPRMs are located, must be operable for each APRM channel. For the OPRM Upscale, Function 2.f, LPRMs are assigned to cells of 4 detectors. A minimum of 25 cells, each with a minimum of 2 LPRMs, must be operable for the OPRM Upscale Function 2.f to be OPERABLE.
| |
| Columbia Generating Station B 3.3.1.1-6 Revision 97
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 2.a. Average Power Range Monitor Neutron Flux - High (Setdown)
| |
| For operation at low power (i.e., MODE 2), the Average Power Range Monitor Neutron Flux - High (Setdown) Function is capable of generating a trip signal that prevents fuel damage resulting from abnormal operating transients in this power range. For most operation at low power levels, the Average Power Range Monitor Neutron Flux - High (Setdown)
| |
| Function will provide a secondary scram to the Intermediate Range Monitor Neutron Flux - High Function because of the relative setpoints.
| |
| With the IRMs at Range 9 or 10, it is possible that the Average Power Range Monitor Neutron Flux - High (Setdown) Function will provide the primary trip signal for a core-wide increase in power.
| |
| No specific safety analyses take direct credit for the Average Power Range Monitor Neutron Flux - High (Setdown) Function. However, this Function indirectly ensures that, before the reactor mode switch is placed in the run position, reactor power does not exceed 25% RTP (SL 2.1.1.1)when operating at low reactor pressure and low core flow.
| |
| Therefore, it indirectly prevents fuel damage during significant reactivity increases with THERMAL POWER < 25% RTP.
| |
| The Allowable Value is based on preventing significant increases in power when THERMAL POWER is < 25% RTP.
| |
| The Average Power Range Monitor Neutron Flux - High (Setdown)
| |
| Function must be OPERABLE during MODE 2 when control rods may be withdrawn. In MODE 1, the Average Power Range Monitor Neutron Flux - High Function provides protection against reactivity transients and the RWM and Rod Block Monitor protect against control rod withdrawal error events. See Section 2, Average Power Range Monitor, for additional information.
| |
| 2.b. Average Power Range Monitor Simulated Thermal Power - High The Average Power Range Monitor Simulated Thermal Power - High Function monitors neutron flux to approximate the THERMAL POWER being transferred to the reactor coolant. The APRM calculates the Simulated Thermal Power (STP) level of the reactor core by applying a single-pole infinite impulse response (IIR) filter with a fixed 6.0 second time constant to the average neutron flux level. The trip level is varied as a function of recirculation drive flow (i.e., at lower core flows the setpoint is reduced proportional to the reduction in power experienced as core flow is reduced with a fixed control rod pattern) but is clamped at an upper limit that is always lower than the Average Power Range Monitor Neutron Flux - High Function Allowable Value. A note is included, applicable when the plant is in single recirculation loop operation per LCO Columbia Generating Station B 3.3.1.1-7 Revision 97
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 3.4.1, which requires a change in the Allowable Value equation. The Allowable Value is established to conservatively bound the inaccuracy created in the core flow/drive flow relationship due to back flow in the jet pumps associated with the inactive recirculation loop. This adjusted Allowable Value thus maintains thermal margins essentially unchanged from those for two-loop operation. No specific safety analyses take credit for the Average Power Range Monitor Simulated Thermal Power - High Function. However, this Function is retained for overall redundancy and diversity of the APRM function and provides protection against transients where THERMAL POWER increases slowly (such as the loss of feedwater heating event) and protects the fuel cladding integrity by ensuring that the Minimum Critical Power Ratio (MCPR) SL is not exceeded. During these events, the THERMAL POWER increase does not significantly lag the neutron flux response and, because of a lower trip setpoint, will initiate a scram before the high neutron flux scram. For rapid neutron flux increase events, the THERMAL POWER lags the neutron flux and the Average Power Range Monitor Neutron Flux - High Function will provide a scram signal before the Average Power Range Monitor Simulated Thermal Power - High Function setpoint is exceeded.
| |
| Each APRM channel uses one total drive flow signal representative of total core flow. The total drive flow signal is generated by the flow processing logic, part of the APRM channel, by summing up the flow calculated from two flow transmitter signal inputs, one from each of the two recirculation loop flows. The flow processing logic OPERABILITY is part of the APRM channel OPERABILITY requirements for this Function.
| |
| No specific safety analyses take direct credit for the Average Power Range Monitor Simulated Thermal Power - High Function. Originally, the clamped Allowable Value was based on analyses that took credit for the Average Power Range Monitor Simulated Thermal Power - High Function for the mitigation of the loss of feedwater heater event. However, the current methodology for this event is based on a steady state analysis that allows power to increase beyond the clamped Allowable Value.
| |
| Therefore, applying a clamp is conservative. The THERMAL POWER time constant of 6 seconds is based on the fuel heat transfer dynamics and provides a signal that is proportional to the THERMAL POWER. The THERMAL POWER time constant is stored as a digital value in the firmware of the Average Power Range Monitor System.
| |
| The Average Power Range Monitor Simulated Thermal Power - High Function is required to be OPERABLE in MODE 1 when there is the possibility of generating excessive THERMAL POWER and potentially exceeding the SL applicable to high pressure and core flow conditions (MCPR SL). During MODES 2 and 5, other IRM and APRM Functions Columbia Generating Station B 3.3.1.1-8 Revision 97
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) provide protection for fuel cladding integrity. See Section 2, Average Power Range Monitor, for additional information.
| |
| 2.c. Average Power Range Monitor Neutron Flux - High The Average Power Range Monitor Neutron Flux - High Function is capable of generating a trip signal to prevent fuel damage or excessive Reactor Coolant System (RCS) pressure. For the overpressurization protection analyses of References 2 and 3, the Average Power Range Monitor Neutron Flux - High Function is assumed to terminate the main steam isolation valve (MSIV) closure event and, along with the safety/relief valves (SRVs), limits the peak reactor pressure vessel (RPV) pressure to less than the ASME Code limits. The control rod drop accident (CRDA) analysis (Ref. 9) takes credit for the Average Power Range Monitor Neutron Flux - High Function to terminate the CRDA.
| |
| The Allowable Value is based on the Analytical Limit assumed in the CRDA analyses.
| |
| The Average Power Range Monitor Neutron Flux - High Function is required to be OPERABLE in MODE 1 where the potential consequences of the analyzed transients could result in the SLs (e.g., MCPR and RCS pressure) being exceeded. The Average Power Range Monitor Neutron Flux - High Function is assumed in the CRDA analysis (Ref. 9) that is applicable in MODE 2. However, the Average Power Range Monitor Neutron Flux - High (Setdown) Function conservatively bounds the assumed trip and, together with the assumed IRM trips, provides adequate protection. Therefore, the Average Power Range Monitor Neutron Flux - High Function is not required in MODE 2. See Section 2, Average Power Range Monitor, for additional information.
| |
| 2.d. Average Power Range Monitor - Inop This signal provides assurance that a minimum number of APRMs are OPERABLE. Anytime an APRM mode switch is moved to any position other than "Operate," an APRM module is unplugged, or the automatic self-test system detects a critical fault with the APRM channel, an Inop trip is sent to all four voter channels. Inop trips from two or more non-bypassed APRM channels result in a trip output from all four voter channels to their associated trip system. This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.
| |
| There is no Allowable Value for this Function.
| |
| This Function is required to be OPERABLE in the MODES where the APRM Functions are required. See Section 2, Average Power Range Monitor, for additional information.
| |
| Columbia Generating Station B 3.3.1.1-9 Revision 97
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 2.e. 2-Out-of-4 Voter The 2-Out-of-4 Voter Function provides the interface between the APRM Functions, including the OPRM Upscale Function, and the final RPS trip system logic. As such, it is required to be OPERABLE in the MODES where the APRM Functions are required and is necessary to support the safety analysis applicable to each of those Functions. Therefore, the 2-Out-of-4 Voter Function needs to be OPERABLE in MODES 1 and 2.
| |
| All four-voter channels are required to be OPERABLE. Each voter channel includes self-diagnostic functions. If any voter channel detects a critical fault in its own processing, a trip is issued from that voter channel to the associated trip system.
| |
| The 2-Out-of-4 Voter Function votes APRM Functions 2.a, 2.b, and 2.c independently of Function 2.f. The voter also includes separate outputs to RPS for the two independently voted sets of Functions, each of which is redundant (four total outputs). The Voter Function 2.e must be declared inoperable if any of its functionality is inoperable.
| |
| There is no Allowable Value for this Function.
| |
| 2.f. Oscillation Power Range Monitor (OPRM) Upscale The OPRM Upscale Function provides compliance with GDC 10 and GDC 12, thereby providing protection from exceeding the fuel MCPR safety limit (SL) due to anticipated thermal-hydraulic power oscillations.
| |
| References 15, 16, and 17 describe three algorithms for detecting thermal-hydraulic instability related neutron flux oscillations: the period based detection algorithm, the amplitude based algorithm, and the growth rate algorithm. All three are implemented in the OPRM Upscale Function, but the safety analysis takes credit only for the period based detection algorithm. The remaining algorithms provide defense in depth and additional protection against unanticipated oscillations. OPRM Upscale Function OPERABILITY for Technical Specification purposes is based only on the period based detection algorithm.
| |
| The OPRM Upscale Function receives input signals from the local power range monitors (LPRMs) within the reactor core, which are combined into cells for evaluation by the OPRM algorithms. Automatic trip is enabled when THERMAL POWER, as indicated by the APRM Simulated Thermal Power, is greater than or equal to the value specified in the COLR and core flow, as indicated by recirculation drive flow, is less than the value specified in the COLR. Within this operating region actual thermal-hydraulic oscillations may occur.
| |
| Columbia Generating Station B 3.3.1.1-10 Revision 89
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| The OPRM Upscale Function is required to be OPERABLE when the power is greater than or equal to the OPRM OPERABLE value specified in the COLR. This is the region of power-flow operation where anticipated events could lead to thermal-hydraulic instability and related neutron flux oscillations. The lower bound, as noted in the COLR, is chosen to provide margin in the unlikely event of loss of feedwater heating while the plant is operating below the automatic OPRM Upscale trip enable point. Loss of feedwater heating is the only identified event that could cause reactor power to increase into the region of concern without operator action.
| |
| An OPRM Upscale trip is issued from an APRM channel when the period based detection algorithm in that channel detects oscillatory changes in the neutron flux. This is indicated by the combined signals of the LPRM detectors in a cell, with period confirmations and relative cell amplitude exceeding setpoints specified in the COLR. One or more cells in a channel exceeding the trip conditions will result in a channel trip. An OPRM Upscale trip is also issued from the channel if either the growth rate or amplitude based algorithms detect growing oscillatory changes in the neutron flux for one or more cells in that channel.
| |
| Three of the four channels are required to be operable. Each channel is capable of detecting thermal-hydraulic instabilities, by detecting the related neutron flux oscillations, and issuing a trip signal before the MCPR SL is exceeded. There is no allowable value for this function.
| |
| The cycle-specific thermal-hydraulic detection algorithms trip settings are nominal settings determined by applying the stability analysis licensing methodology (Reference 20) developed by GE Hitachi. There is no Allowable Value for this Function. The settings are not traditional instrumentation setpoints determined under an instrument setpoint methodology. Since the settings may very cycle-to-cycle, a note indicates the OPRM Upscale Function trip settings, i.e., the period based detection algorithm, are specified in the COLR.
| |
| : 3. Reactor Vessel Steam Dome Pressure - High An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This causes the neutron flux and THERMAL POWER transferred to the reactor coolant to increase, which could challenge the integrity of the fuel cladding and the RCPB. No specific safety analysis takes direct credit for this Function. However, the Reactor Vessel Steam Dome Pressure -
| |
| High Function initiates a scram for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power. For the overpressurization protection analyses of References 2 Columbia Generating Station B 3.3.1.1-11 Revision 89
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) and 3, the reactor scram (the analyses conservatively assume scram on the Average Power Range Monitor Neutron Flux - High signal, not the Reactor Vessel Steam Dome Pressure - High signal), along with the SRVs, limits the peak RPV pressure to less than the ASME Section III Code limits.
| |
| High reactor pressure signals are initiated from four pressure switches that sense reactor pressure. The Reactor Vessel Steam Dome Pressure - High Allowable Value is chosen to provide a sufficient margin to the ASME Section III Code limits during the event.
| |
| Four channels of Reactor Vessel Steam Dome Pressure - High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required to be OPERABLE in MODES 1 and 2 since the RCS is pressurized and the potential for pressure increase exists.
| |
| : 4. Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, a reactor scram is initiated at Level 3 to substantially reduce the heat generated in the fuel from fission. The Reactor Vessel Water Level - Low, Level 3 Function is assumed in the analysis of the recirculation line break (Ref. 4). The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the Emergency Core Cooling Systems (ECCS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
| |
| Reactor Vessel Water Level - Low, Level 3 signals are initiated from four differential pressure switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.
| |
| Four channels of Reactor Vessel Water Level - Low, Level 3 Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal.
| |
| The Reactor Vessel Water Level - Low, Level 3 Allowable Value is selected to ensure that, for transients involving loss of all normal feedwater flow, initiation of the low pressure ECCS at RPV Water Level 1 will not be required.
| |
| Columbia Generating Station B 3.3.1.1-12 Revision 87
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| The Function is required in MODES 1 and 2 where considerable energy exists in the RCS resulting in the limiting transients and accidents. ECCS initiations at Reactor Vessel Water Level - Low Low, Level 2 and Low Low Low, Level 1 provide sufficient protection for level transients in all other MODES.
| |
| : 5. Main Steam Isolation Valve - Closure MSIV closure results in loss of the main turbine and the condenser as a heat sink for the Nuclear Steam Supply System and indicates a need to shut down the reactor to reduce heat generation. Therefore, a reactor scram is initiated on a Main Steam Isolation Valve - Closure signal before the MSIVs are completely closed in anticipation of the complete loss of the normal heat sink and subsequent overpressurization transient.
| |
| However, for the overpressurization protection analyses of References 2 and 3, the Average Power Range Monitor Neutron Flux - High Function, along with the SRVs, limits the peak RPV pressure to less than the ASME Code limits. That is, the direct scram on position switches for MSIV closure events is not assumed in the overpressurization analysis.
| |
| Additionally, MSIV closure is assumed in the transients analyzed in Reference 5 (e.g., low steam line pressure, manual closure of MSIVs, high steam line flow). The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the ECCS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The reactor scram resulting from an MSIV closure due to a Low Main Steam Line Pressure Isolation also ensures reactor power is less than 25% RTP before reactor pressure decreases below the Safety Limit 2.1.1 Low Pressure Limit of 686 psig.
| |
| MSIV closure signals are initiated from position switches located on each of the eight MSIVs. Each MSIV has two position switches; one inputs to RPS trip system A while the other inputs to RPS trip system B. Thus, each RPS trip system receives an input from eight Main Steam Isolation Valve - Closure channels, each consisting of one position switch. The logic for the Main Steam Isolation Valve - Closure Function is arranged such that either the inboard or outboard valve on three or more of the main steam lines (MSLs) must close in order for a scram to occur. In addition, certain combinations of valves closed in two lines will result in a half-scram.
| |
| The Main Steam Isolation Valve - Closure Allowable Value is specified to ensure that a scram occurs prior to a significant reduction in steam flow, thereby reducing the severity of the subsequent pressure transient.
| |
| Sixteen channels of the Main Steam Isolation Valve - Closure Function with eight channels in each trip system are required to be OPERABLE to Columbia Generating Station B 3.3.1.1-13 Revision 100
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) ensure that no single instrument failure will preclude the scram from this Function on a valid signal. This Function is only required in MODE 1 since, with the MSIVs open and the heat generation rate high, a pressurization transient can occur if the MSIVs close. In MODE 2, the heat generation rate is low enough so that the other diverse RPS functions provide sufficient protection.
| |
| : 6. Primary Containment Pressure - High High pressure in the drywell could indicate a break in the RCPB. A reactor scram is initiated to minimize the possibility of fuel damage and to reduce the amount of energy being added to the coolant and the drywell.
| |
| The Primary Containment Pressure - High Function is a secondary scram signal to Reactor Vessel Water Level - Low, Level 3 for LOCA events inside the drywell. This function was not specifically credited in the accident analysis, but is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.
| |
| The reactor scram reduces the amount of energy required to be absorbed and along with the actions of the ECCS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
| |
| High primary containment pressure signals are initiated from four pressure switches that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.
| |
| Four channels of Primary Containment Pressure - High Function, with two channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required in MODES 1 and 2 where considerable energy exists in the RCS, resulting in the limiting transients and accidents.
| |
| 7.a, b. Scram Discharge Volume Water Level - High The SDV receives the water displaced by the motion of the CRD pistons during a reactor scram. Should this volume fill to a point where there is insufficient volume to accept the displaced water, control rod insertion would be hindered. Therefore, a reactor scram is initiated when the remaining free volume is still sufficient to accommodate the water from a full core scram. However, even though the two types of Scram Discharge Volume Water Level - High Functions are an input to the RPS logic, no credit is taken for a scram initiated from these Functions for any of the design basis accidents or transients analyzed in the FSAR. However, they are retained to ensure that the RPS remains OPERABLE.
| |
| Columbia Generating Station B 3.3.1.1-14 Revision 100
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| SDV water level is measured by two diverse methods. The level in each of the two SDV instrument volumes is measured by two transmitters and associated level switches and two transmitters and associated level indicating switches. Different manufacturers and sensing methods are utilized to maintain diversity. The outputs of these devices are arranged so that there is a signal from a transmitter/level switch and a transmitter/level indicating switch to each RPS logic channel for each SDV instrument volume. The level measurement instrumentation satisfies the recommendations of Reference 10.
| |
| The Allowable Value is chosen low enough to ensure that there is sufficient volume in the SDV to accommodate the water from a full scram.
| |
| Four channels of each type of Scram Discharge Volume Water Level -
| |
| High Function, with two channels of each type in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from these Functions on a valid signal. These Functions are required in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn. At all other times, this Function may be bypassed.
| |
| : 8. Turbine Throttle Valve - Closure Closure of the TTVs results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, a reactor scram is initiated at the start of TTV closure in anticipation of the transients that would result from the closure of these valves. The Turbine Throttle Valve - Closure Function is the primary scram signal for the turbine trip event analyzed in Reference 5. For this event, the reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the End of Cycle Recirculation Pump Trip (EOC-RPT) System, ensures that the MCPR SL is not exceeded.
| |
| Turbine Throttle Valve - Closure signals are initiated by valve stem position switches at each throttle valve. Two switches are associated with each throttle valve. One of the two provides input to RPS trip system A; the other, to RPS trip system B. Thus, each RPS trip system receives an input from four Turbine Throttle Valve - Closure channels, each consisting of one valve stem position switch. The logic for the Turbine Throttle Valve - Closure Function is such that three or more TTVs must close to produce a scram. In addition, certain combinations of two valves closed will result in a half-scram.
| |
| Columbia Generating Station B 3.3.1.1-15 Revision 97
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| This Function must be enabled at THERMAL POWER 29.5% RTP.
| |
| This is accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening the turbine bypass valves may affect this Function.
| |
| The Turbine Throttle Valve - Closure Allowable Value is selected to detect imminent TTV closure thereby reducing the severity of the subsequent pressure transient.
| |
| Eight channels of Turbine Throttle Valve - Closure Function, with four channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function if any three TTVs should close. This Function is required, consistent with analysis assumptions, whenever THERMAL POWER is 29.5% RTP.
| |
| This Function is not required when THERMAL POWER is < 29.5% RTP since the Reactor Vessel Steam Dome Pressure - High and the Average Power Range Monitor Neutron Flux - High Functions are adequate to maintain the necessary safety margins.
| |
| : 9. Turbine Governor Valve Fast Closure, Trip Oil Pressure - Low Fast closure of the TGVs results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, a reactor scram is initiated on TGV fast closure in anticipation of the transients that would result from the closure of these valves. The Turbine Governor Valve Fast Closure, Trip Oil Pressure -
| |
| Low Function is the primary scram signal for the generator load rejection event analyzed in Reference 5. For this event, the reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the EOC-RPT System, ensures that the MCPR SL is not exceeded.
| |
| Turbine Governor Valve Fast Closure, Trip Oil Pressure - Low signals are initiated by the digital-electro hydraulic fluid pressure at each governor valve. There is one pressure switch associated with each governor valve, the signal from each switch being assigned to a separate RPS logic channel. This Function must be enabled at THERMAL POWER 29.5% RTP. This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening the turbine bypass valves may affect this Function. The basis for the setpoint of this automatic bypass is identical to that described for the Turbine Throttle Valve - Closure Function.
| |
| Columbia Generating Station B 3.3.1.1-16 Revision 98
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| The Turbine Governor Valve Fast Closure, Trip Oil Pressure - Low Allowable Value is selected high enough to detect imminent TGV fast closure.
| |
| Four channels of Turbine Governor Valve Fast Closure, Trip Oil Pressure
| |
| - Low Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. This Function is required, consistent with the analysis assumptions, whenever THERMAL POWER is 29.5% RTP. This Function is not required when THERMAL POWER is < 29.5% RTP since the Reactor Vessel Steam Dome Pressure - High and the Average Power Range Monitor Neutron Flux - High Functions are adequate to maintain the necessary safety margins.
| |
| : 10. Reactor Mode Switch - Shutdown Position The Reactor Mode Switch - Shutdown Position Function provides signals, via the manual scram logic channels, that are redundant to the automatic protective instrumentation channels and provide manual reactor trip capability. This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.
| |
| The reactor mode switch is a single switch with four channels (one from each of the four independent banks of contacts), each of which inputs into one of the RPS logic channels.
| |
| There is no Allowable Value for this Function since the channels are mechanically actuated based solely on reactor mode switch position.
| |
| Four channels of Reactor Mode Switch - Shutdown Position Function, with two channels in each trip system, are available and required to be OPERABLE. The Reactor Mode - Switch Shutdown Position Function is required to be OPERABLE in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn.
| |
| Columbia Generating Station B 3.3.1.1-17 Revision 98
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| : 11. Manual Scram The Manual Scram push button channels provide signals, via the manual scram logic channels, to each of the four RPS logic channels that are redundant to the automatic protective instrumentation channels and provide manual reactor trip capability. This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.
| |
| There is one Manual Scram push button channel for each of the four RPS logic channels. In order to cause a scram it is necessary that at least one channel in each trip system be actuated.
| |
| There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.
| |
| Four channels of Manual Scram with two channels in each trip system arranged in a one-out-of-two logic, are available and required to be OPERABLE in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn.
| |
| ACTIONS A Note has been provided to modify the ACTIONS related to RPS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RPS instrumentation channels provide appropriate compensatory measures for separate, inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RPS instrumentation channel.
| |
| A.1 and A.2 Because of the diversity of sensors available to provide trip signals and the redundancy of the RPS design, an allowable out of service time of 12 hours has been shown to be acceptable (Refs. 11 and 14) to permit restoration of any inoperable channel to OPERABLE status. However, this out of Columbia Generating Station B 3.3.1.1-18 Revision 87
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES ACTIONS (continued) service time is only acceptable provided the associated Functions inoperable channel is in one trip system and the Function still maintains RPS trip capability (refer to Required Actions B.1, B.2, and C.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel or the associated trip system must be placed in the tripped condition per Required Actions A.1 and A.2. Placing the inoperable channel in trip (or the associated trip system in trip) would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel (or trip system) in trip (e.g., as in the case where placing the inoperable channel in trip would result in a full scram), Condition D must be entered and its Required Action taken.
| |
| As noted, Action A.2 is not applicable for APRM Functions 2.a, 2.b, 2.c, 2.d, or 2.f. Inoperability of one required APRM channel affects both trip systems. For that condition, Required Action A.1 must be satisfied, and is the only action (other than restoring OPERABILITY) that will restore capability to accommodate a single failure. Inoperability of more than one required APRM channel of the same trip function results in loss of trip capability and entry into Condition C, as well as entry into Condition A for each channel.
| |
| B.1 and B.2 Condition B exists when, for any one or more Functions, at least one required channel is inoperable in each trip system. In this condition, provided at least one channel per trip system is OPERABLE, the RPS still maintains trip capability for that Function, but cannot accommodate a single failure in either trip system.
| |
| Required Actions B.1 and B.2 limit the time the RPS scram logic for any Function would not accommodate single failure in both trip systems (e.g.,
| |
| one-out-of-one and one-out-of-one arrangement for a typical four channel Function). The reduced reliability of this logic arrangement was not evaluated in Reference 11 for the 12 hour Completion Time. Within the 6 hour allowance, the associated Function will have all required channels either OPERABLE or in trip (or in any combination) in one trip system.
| |
| Completing one of these Required Actions restores RPS to an equivalent reliability level as that evaluated in References 11 and 14, which justified a 12 hour allowable out of service time as presented in Condition A. The trip system in the more degraded state should be placed in trip or, alternatively, all the inoperable channels in that trip system should be placed in trip (e.g., a trip system with two inoperable channels could be in Columbia Generating Station B 3.3.1.1-19 Revision 87
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES ACTIONS (continued) a more degraded state than a trip system with four inoperable channels, if the two inoperable channels are in the same Function while the four inoperable channels are all in different Functions). The decision as to which trip system is in the more degraded state should be based on prudent judgment and current plant conditions (i.e., what MODE the plant is in). If this action would result in a scram or recirculation pump trip, it is permissible to place the other trip system or its inoperable channels in trip.
| |
| The 6 hour Completion Time is judged acceptable based on the remaining capability to trip, the diversity of the sensors available to provide the trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of a scram.
| |
| Alternately, if it is not desired to place the inoperable channels (or one trip system) in trip (e.g., as in the case where placing the inoperable channel or associated trip system in trip would result in a scram or RPT),
| |
| Condition D must be entered and its Required Action taken.
| |
| As noted, Condition B is not applicable for APRM Functions 2.a, 2.b, 2.c, 2.d, or 2.f. Inoperability of an APRM channel affects both trip systems and is not associated with a specific trip system as are the APRM 2-Out-of-4 Voter and other non-APRM channels for which Condition B applies.
| |
| For an inoperable APRM channel, Required Action A.1 must be satisfied, and is the only action (other than restoring OPERABILITY) that will restore capability to accommodate a single failure. Inoperability of a Function in more than one required APRM channel results in loss of trip capability for that Function and entry into Condition C, as well as entry into Condition A for each channel. Because Conditions A and C provide Required Actions that are appropriate for the inoperability of APRM Functions 2.a, 2.b, 2.c, 2.d, or 2.f, and these functions are not associated with specific trip systems as are the APRM 2-Out-of-4 Voter and other non-APRM channels, Condition B does not apply.
| |
| C.1 Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same trip system for the same Function result in the Function not maintaining RPS trip capability. A Function is considered to be maintaining RPS trip capability when sufficient channels are OPERABLE or in trip (or the associated trip system is in trip), such that both trip systems will generate a trip signal from the given Function on a valid signal. For the typical Function with one-out-of-two taken twice logic and the IRM and APRM Functions, this would require both trip systems to have one channel Columbia Generating Station B 3.3.1.1-20 Revision 87
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES ACTIONS (continued)
| |
| OPERABLE or in trip (or the associated trip system in trip). For Function 5 (Main Steam Isolation Valve - Closure), this would require both trip systems to have each channel associated with the MSIVs in three MSLs (not necessarily the same MSLs for both trip systems), OPERABLE or in trip (or the associated trip system in trip).
| |
| For Function 8 (Turbine Throttle Valve - Closure), this would require both trip systems to have three channels, each OPERABLE or in trip (or the associated trip system in trip).
| |
| The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities . The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.
| |
| D.1 Required Action D.1 directs entry into the appropriate Condition referenced in Table 3.3.1.1-1. The applicable Condition specified in the Table is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed.
| |
| Each time an inoperable channel has not met any Required Action of Condition A, B, or C, and the associated Completion Time has expired, Condition D will be entered for that channel and provides for transfer to the appropriate subsequent Condition.
| |
| E.1, F.1, G.1, and J.1 If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. The Completion Times are reasonable, based on operating experience, to reach the specified condition from full power conditions in an orderly manner and without challenging plant systems. In addition, the Completion Times of Required Actions E.1 and J.1 are consistent with the Completion Time provided in LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)."
| |
| H.1 If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in Columbia Generating Station B 3.3.1.1-21 Revision 87
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES ACTIONS (continued) which the LCO does not apply. This is done by immediately initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are, therefore, not required to be inserted. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted.
| |
| I.1 If OPRM Upscale trip capability is not maintained, Condition I exists.
| |
| Reference 14 justified use of alternate methods to detect and suppress oscillations for a limited period of time. The alternate methods are procedurally established consistent with the guidelines identified in Reference 18 requiring manual operator action to scram the plant if certain predefined events occur. The 12 hour allowed action time is based on engineering judgment to allow orderly transition to the alternate methods while limiting the period of time during which no automatic or alternate detect and suppress trip capability is formally in place. Based on the small probability of an instability event occurring at all, the 12 hours is judged to be reasonable.
| |
| I.2 The alternate method to detect and suppress oscillations implemented in accordance with l.1 was evaluated (Reference 14) based on use up to 120 days only. The evaluation, based on engineering judgment, concluded that the likelihood of an instability event that could not be adequately handled by the alternate methods during this 120 day period was negligibly small. The 120 day period is intended to be an outside limit to allow for the case where design changes or extensive analysis might be required to understand or correct some unanticipated characteristic of the instability detection algorithms or equipment.
| |
| A note is provided to indicate that LCO 3.0.4 is not applicable. The intent of that note is to allow plant startup while operating within the 120-day completion time for Action I.2. The primary purpose of this exclusion is to allow an orderly completion of design and verification activities, in the event of a required design change, without undue impact on plant operation.
| |
| Columbia Generating Station B 3.3.1.1-22 Revision 87
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE As noted at the beginning of the SRs, the SRs for each RPS REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.1.1-1.
| |
| The Surveillances are modified by a Note to indicate that, when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the RPS reliability analysis (Ref. 11) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the RPS will trip when necessary.
| |
| SR 3.3.1.1.1 Performance of a CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a qualitative assessment, by observation, of channel behavior during operation. This determination includes, where possible, comparison of the channel indication and status to other indications or status derived from independent instrument channels measuring the same parameter. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A significant deviation could indicate gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.
| |
| Columbia Generating Station B 3.3.1.1-23 Revision 93
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.3.1.1.2 To ensure that the APRMs are accurately indicating the true core average power, the APRMs are calibrated to the reactor power calculated from a heat balance. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| A restriction to satisfying this SR when < 25% RTP is provided that requires the SR to be met only at 25% RTP because it is difficult to accurately maintain APRM indication of core THERMAL POWER consistent with a heat balance when < 25% RTP. At low power levels, a high degree of accuracy is unnecessary because of the large inherent margin to thermal limits (MCPR and APLHGR). At 25% RTP, the Surveillance is required to have been satisfactorily performed in accordance with SR 3.0.2. A Note is provided which allows an increase in THERMAL POWER above 25% if the Frequency is not met per SR 3.0.2. In this event, the SR must be performed within 12 hours after reaching or exceeding 25% RTP. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.
| |
| SR 3.3.1.1.3 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.
| |
| As noted, SR 3.3.1.1.3 is not required to be performed when entering MODE 2 from MODE 1 since testing of the MODE 2 required IRM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads, or movable links. This allows entry into MODE 2 if the Frequency is not met per SR 3.0.2. In this event, the SR must be performed within 12 hours after entering MODE 2 from MODE 1. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.3.1.1-24 Revision 93
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.3.1.1.4 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended Function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.1.1.5 and SR 3.3.1.1.6 These Surveillances are established to ensure that no gaps in neutron flux indication exist from subcritical to power operation for monitoring core reactivity status.
| |
| The overlap between SRMs and IRMs is required to be demonstrated to ensure that reactor power will not be increased into a region without adequate neutron flux indication. This is required prior to withdrawing SRMs from the fully inserted position since indication is being transitioned from the SRMs to the IRMs.
| |
| The overlap between IRMs and APRMs is of concern when reducing power into the IRM range. On power increases, the system design will prevent further increases (initiate a rod block) if adequate overlap is not maintained. Overlap between IRMs and APRMs exists when sufficient IRMs and APRMs concurrently have onscale readings such that the transition between MODE 1 and MODE 2 can be made without either APRM downscale rod block, or IRM upscale rod block. Overlap between SRMs and IRMs similarly exists when, prior to withdrawing the SRMs from the fully inserted position, IRMs are above mid-scale on range 1 before SRMs have reached the upscale rod block. The IRM/APRM and SRM/IRM overlaps are also acceptable if a 1/2 decade overlap exists.
| |
| As noted, SR 3.3.1.1.6 is only required to be met during entry into MODE 2 from MODE 1. That is, after the overlap requirement has been met and indication has transitioned to the IRMs, maintaining overlap is not required (APRMs may be reading downscale once in MODE 2).
| |
| If overlap for a group of channels is not demonstrated (e.g., IRM/APRM overlap), the reason for the failure of the Surveillance should be determined and the appropriate channel(s) declared inoperable. Only those appropriate channel(s) that are required in the current MODE or condition should be declared inoperable.
| |
| The Surveillance Frequency for SR 3.3.1.1.6 is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.3.1.1-25 Revision 93
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.3.1.1.7 LPRM gain settings are determined from the local flux profiles measured by the Traversing Incore Probe (TIP) System. This establishes the relative local flux profile for appropriate representative input to the APRM System. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.1.1.8 and SR 3.3.1.1.13 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.
| |
| The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.1.1.9 - Not Used SR 3.3.1.1.10 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology. For the APRM Simulated Thermal Power - High Function, this SR also includes calibrating the associated recirculation loop flow channel.
| |
| Note 1 states that neutron detectors are excluded from CHANNEL CALIBRATION because of the difficulty of simulating a meaningful signal.
| |
| Changes in neutron detector sensitivity are compensated for by performing the calorimetric calibration (SR 3.3.1.1.2) and the LPRM calibration against the TIPs (SR 3.3.1.1.7). A second Note is provided that requires the IRM SRs to be performed within 12 hours of entering MODE 2 from MODE 1. Testing of the MODE 2 IRM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads, or moveable links. This Note allows entry into MODE 2 from MODE 1 if the associated Columbia Generating Station B 3.3.1.1-26 Revision 93
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| Frequency is not met per SR 3.0.2. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Note (d) requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is not the Limiting Trip Setpoint (LTSP) but is conservative with respect to the Allowable Value.
| |
| For digital channel components, no as-found tolerance or as-left tolerance can be specified. Where a setpoint more conservative than the LTSP is used in the plant surveillance procedures (i.e. nominal trip setpoint, or NTSP), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. Any nonconformance will be entered into the Corrective Action Program which will ensure required review and documentation of the condition for continued OPERABILITY.
| |
| Note (e) requires that the as-left setting for the instrument be returned to within an acceptable as-left tolerance around the LTSP. Where a setpoint more conservative than the LTSP is used in the plant surveillance procedures (i.e., nominal trip setpoint, or NTSP), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical limit is maintained. If the as-left instrument setting cannot be returned to the LTSP, then the instrument channel shall be declared inoperable. The LTSPs are specified in the Licensee Controlled Specifications.
| |
| SR 3.3.1.1.11 - Not Used SR 3.3.1.1.12 This SR ensures that scrams initiated from the Turbine Throttle Valve -
| |
| Closure and Turbine Governor Valve Fast Closure, Trip Oil Pressure -
| |
| Low Functions will not be inadvertently bypassed when THERMAL POWER is 29.5% RTP. This involves calibration of the bypass channels. Adequate margins for the instrument setpoint methodology are Columbia Generating Station B 3.3.1.1-27 Revision 98
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued) incorporated into the Allowable Value and the actual setpoint. Because main turbine bypass flow can affect this setpoint nonconservatively (THERMAL POWER is derived from turbine first stage pressure), the main turbine bypass valves must remain closed during an in-service calibration at THERMAL POWER 29.5% RTP to ensure that the calibration is valid.
| |
| If any bypass channel setpoint is nonconservative (i.e., the Functions are bypassed at 29.5% RTP, either due to open main turbine bypass valve(s) or other reasons), then the affected Turbine Throttle Valve -
| |
| Closure and Turbine Governor Valve Fast Closure, Trip Oil Pressure -
| |
| Low Functions are considered inoperable. Alternatively, the bypass channel can be placed in the conservative condition (nonbypass). If placed in the nonbypass condition, this SR is met and the channel is considered OPERABLE.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.1.1.14 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The functional testing of control rods, in LCO 3.1.3, "Control Rod OPERABILITY," and SDV vent and drain valves, in LCO 3.1.8, "Scram Discharge Volume (SDV) Vent and Drain Valves," overlaps this Surveillance to provide complete testing of the assumed safety function.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| The LOGIC SYSTEM FUNCTIONAL TEST for APRM Function 2.e simulates APRM or OPRM trip conditions at the 2-Out-of-4 Voter channel inputs to check all combinations of two tripped inputs to the 2-Out-of-4 logic in the voter channels and APRM related redundant RPS relays. The initiation of the input to the RPS logic commences in the 2-Out-of-4 Voter as a vote either for the APRM UPSC/Inop or OPRM UPSC/Inop. The APRM modules are not divisional and do not provide a direct input to RPS.
| |
| Columbia Generating Station B 3.3.1.1-28 Revision 98
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.3.1.1.15 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis. This test may be performed in one measurement or in overlapping segments, with verification that all components are tested. The RPS RESPONSE TIME acceptance criteria are included in Reference 12.
| |
| As noted (Note 1), neutron detectors for Function 2 are excluded from RPS RESPONSE TIME testing because the principles of detector operation virtually ensure an instantaneous response time. In addition, Note 2 states that channel sensors for Functions 3 and 4 are excluded and therefore, it is not required to quantitatively measure the sensor response time to satisfy the requirement to verify RPS RESPONSE TIME.
| |
| This is acceptable since the sensor response time can be qualitatively verified by other methods (Ref. 13). If the response time of the sensor is not quantitatively measured, the acceptance criteria must be reduced by the time assumed for sensor response in the design analyses, as verified by statistical analyses or vendor data.
| |
| RPS RESPONSE TIME for the APRM 2-Out-of-4 Voter function (Function 2.e) includes the output relays of the voter and the associated RPS relays and contractors. (The digital portion of the APRM and 2-Out-of-4 Voter channels are excluded from RPS RESPONSE TIME testing because self-testing and calibration checks the time base of the digital electronics.
| |
| Confirmation of the time base is adequate to assure required response times are met. Neutron detectors are excluded from RPS RESPONSE TIME testing because the principles of detector operation virtually ensure an instantaneous response time.)
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.1.1.16 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. For the APRM Functions, this test supplements the automatic self-test functions that operate continuously in the APRM and voter channels. The APRM CHANNEL FUNCTIONAL TEST covers the APRM channels Columbia Generating Station B 3.3.1.1-29 Revision 103
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| (including recirculation flow processing - applicable to Functions 2.b and 2.f only), the 2-Out-of-4 Voter channels, and the interface connections into the RPS trip system from the voter channels. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. (NOTE: The actual voting logic of the 2-Out-of-4 Voter Function is tested as part of SR 3.3.1.1.14.)
| |
| A Note is provided for Function 2.a that requires this SR to be performed within 12 hours of entering MODE 2 from MODE 1. Testing of the MODE 2 APRM Function cannot be performed in MODE 1 without utilizing jumpers or lifted leads. This Note allows entry into MODE 2 from MODE 1 if the associated frequency is not met per SR 3.0.2.
| |
| SR 3.3.1.1.17 This SR ensures that scrams initiated from OPRM Upscale Function (Function 2.f) will not be inadvertently bypassed when APRM Simulated Thermal Power is greater than or equal to the value specified in the COLR and recirculation drive flow is less than the value specified in the COLR. This normally involves confirming the bypass setpoints, which are considered to be nominal values as discussed in Reference 21. The actual surveillance ensures that the OPRM Upscale Function is enabled (not bypassed) for the correct values of APRM Simulated Thermal Power and recirculation drive flow. Other surveillances ensure that the APRM Simulated Thermal Power and recirculation flow properly correlate with THERMAL POWER (SR 3.3.1.1.2) and core flow (SR 3.3.1.1.10),
| |
| respectively.
| |
| If any bypass setpoint is non-conservative (i.e., the OPRM Upscale Function is bypassed when APRM Simulated Thermal Power is greater than or equal to and recirculation drive flow is less than the values in the COLR), then the affected channel is considered inoperable for the OPRM Upscale Function. Alternatively, the bypass setpoint may be adjusted to place the channel in a conservative condition (non-bypass). If placed in the non-bypass condition, this SR is met and the channel is considered OPERABLE.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.3.1.1-30 Revision 93
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES REFERENCES 1. FSAR, Section 7.2.
| |
| : 2. FSAR, Section 5.2.2.
| |
| : 3. Columbia Generating Station Calculation NE-02-94-66, Revision 0, November 13, 1995.
| |
| : 4. FSAR, Section 6.3.3.
| |
| : 5. FSAR, Chapter 15.
| |
| : 6. 10 CFR 50.36(c)(2)(ii).
| |
| : 7. FSAR, Section 15.4.1.
| |
| : 8. NEDO-23842, "Continuous Control Rod Withdrawal in the Startup Range," April 18, 1978.
| |
| : 9. FSAR, Section 15.4.9.
| |
| : 10. Letter, P. Check (NRC) to G. Lainas (NRC), "BWR Scram Discharge System Safety Evaluation," December 1, 1980.
| |
| : 11. NEDC-30851-P-A, "Technical Specification Improvement Analyses for BWR Reactor Protection System," March 1988.
| |
| : 12. Licensee Controlled Specifications Manual.
| |
| : 13. NEDO 32291-A, "System Analyses for Elimination of Selected Response Time Testing Requirements," October 1995.
| |
| : 14. NEDC-32410P-A, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function", October 1995.
| |
| : 15. NEDO-31960-A, "BWR Owners' Group Long-Term Stability Solutions Licensing Methodology," November 1995.
| |
| : 16. NEDO-31960-A, Supplement 1, "BWR Owners' Group Long-Term Stability Solutions Licensing Methodology," November 1995.
| |
| : 17. NEDO-32465-A, "BWR Owners' Group Long-Term Stability Detect and Suppress Solutions Licensing Basis Methodology And Reload Applications," March 1996.
| |
| Columbia Generating Station B 3.3.1.1-31 Revision 93
| |
| | |
| RPS Instrumentation B 3.3.1.1 BASES REFERENCES (continued)
| |
| : 18. Letter, LA England (BWROG) to MJ Virgilio, "BWR Owners' Group Guidelines for Stability Interim Corrective Action", June 6, 1994.
| |
| : 19. BWROG Letter 96113, K. P. Donovan (BWROG) to L.E. Phillips (NRC),"Guidelines for Stability Option III 'Enable Region' (TAC M92882)," dated September 17, 1996.
| |
| : 20. NEDE-33766P-A, Revision 1, GEH Simplified Stability Solution (GS3), March 2015.
| |
| Columbia Generating Station B 3.3.1.1-32 Revision 93
| |
| | |
| SRM Instrumentation B 3.3.1.2 B 3.3 INSTRUMENTATION B 3.3.1.2 Source Range Monitor (SRM) Instrumentation BASES BACKGROUND The SRMs provide the operator with information relative to the neutron level at very low flux levels in the core. As such, the SRM indication is used by the operator to monitor the approach to criticality and to determine when criticality is achieved. The SRMs are maintained fully inserted until the count rate is greater than a minimum allowed count rate (a control rod block is set at this condition). After SRM to intermediate range monitor (IRM) overlap is demonstrated (as required by SR 3.3.1.1.5) and the IRMs are on Range 3, the SRMs are normally fully withdrawn from the core.
| |
| The SRM subsystem of the Neutron Monitoring System (NMS) consists of four channels. Each of the SRM channels can be bypassed, but only one at any given time, by the operation of a bypass switch. Each channel includes one detector that can be physically positioned in the core. Each detector assembly consists of a miniature fission chamber with associated cabling, signal conditioning equipment, and electronics associated with the various SRM functions. The signal conditioning equipment converts the current pulses from the fission chamber to analog DC currents that correspond to the count rate. Each channel also includes indication, alarm, and control rod blocks. However, this LCO specifies OPERABILITY requirements only for the monitoring and indication functions of the SRMs.
| |
| During refueling, shutdown, and low power operations, the primary indication of neutron flux levels is provided by the SRMs or special movable detectors connected to the normal SRM circuits. The SRMs provide monitoring of reactivity changes during fuel or control rod movement and give the control room operator early indication of unexpected subcritical multiplication that could be indicative of an approach to criticality.
| |
| APPLICABLE Prevention and mitigation of prompt reactivity excursions during refueling SAFETY and low power operation are provided by LCO 3.9.1, "Refueling ANALYSES Equipment Interlocks"; LCO 3.1.1, "SHUTDOWN MARGIN (SDM)";
| |
| LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation,"
| |
| Intermediate Range Monitor (IRM) Neutron Flux High and Average Power Range Monitor (APRM) Neutron Flux - High (Setdown) Functions; and LCO 3.3.2.1, "Control Rod Block Instrumentation."
| |
| Columbia Generating Station B 3.3.1.2-1 Revision 87
| |
| | |
| SRM Instrumentation B 3.3.1.2 BASES APPLICABLE SAFETY ANLAYSES (continued)
| |
| The SRMs have no safety function and are not assumed to function during any design basis accident or transient analysis. However, the SRMs provide the only on scale monitoring of neutron flux levels during startup and refueling. Therefore, they are being retained in the Technical Specifications.
| |
| LCO During startup in MODE 2, three of the four SRM channels are required to be OPERABLE to monitor the reactor flux level prior to and during control rod withdrawal, to monitor subcritical multiplication and reactor criticality, and to monitor neutron flux level and reactor period until the flux level is sufficient to maintain the IRMs on Range 3 or above. All channels but one are required in order to provide a representation of the overall core response during those periods when reactivity changes are occurring throughout the core.
| |
| In MODES 3 and 4, with the reactor shut down, two SRM channels provide redundant monitoring of flux levels in the core.
| |
| In MODE 5, during a spiral offload or reload, an SRM outside the fueled region is not required to be OPERABLE, since it is not capable of monitoring neutron flux in the fueled region of the core. Thus, CORE ALTERATIONS are allowed in a quadrant with no OPERABLE SRM in an adjacent quadrant, provided the Table 3.3.1.2-1, footnote (b), requirement that the bundles being spiral reloaded or spiral offloaded are all in a single fueled region containing at least one OPERABLE SRM is met. Spiral reloading and offloading encompass reloading or offloading a cell on the edges of a continuous fueled region (the cell can be reloaded or offloaded in any sequence).
| |
| In nonspiral routine operations, two SRMs are required to be OPERABLE to provide redundant monitoring of reactivity changes occurring in the reactor core. Because of the local nature of reactivity changes during refueling, adequate coverage is provided by requiring one SRM to be OPERABLE in the quadrant of the reactor core where CORE ALTERATIONS are being performed and the other SRM to be OPERABLE in an adjacent quadrant containing fuel. These requirements ensure that the reactivity of the core will be continuously monitored during CORE ALTERATIONS.
| |
| Special movable detectors, according to Table 3.3.1.2-1, footnote (c),
| |
| may be used in place of the normal SRM nuclear detectors. These special detectors must be connected to the normal SRM circuits in the NMS such that the applicable neutron flux indication can be generated.
| |
| These special detectors provide more flexibility in monitoring reactivity Columbia Generating Station B 3.3.1.2-2 Revision 73
| |
| | |
| SRM Instrumentation B 3.3.1.2 BASES LCO (continued) changes during fuel loading, since they can be positioned anywhere within the core during refueling. They must still meet the location requirements of SR 3.3.1.2.2, and all other required SRs for SRMs.
| |
| For an SRM channel to be considered OPERABLE, it must be providing neutron flux monitoring indication.
| |
| APPLICABILITY The SRMs are required to be OPERABLE in MODE 2 prior to the IRMs being on scale on Range 3 and MODES 3, 4, and 5, to provide for neutron monitoring. In MODE 1, the APRMs provide adequate monitoring of reactivity changes in the core; therefore, the SRMs are not required. In MODE 2, with IRMs on Range 3 or above, the IRMs provide adequate monitoring and the SRMs are not required.
| |
| ACTIONS A.1 and B.1 In MODE 2, with the IRMs on Range 2 or below, SRMs provide the means of monitoring core reactivity and criticality. With any number of the required SRMs inoperable, the ability to monitor is degraded.
| |
| Therefore, a limited time is allowed to restore the inoperable channels to OPERABLE status.
| |
| Providing that at least one SRM remains OPERABLE, Required Action A.1 allows 4 hours to restore the required SRMs to OPERABLE status. This is a reasonable time since there is adequate capability remaining to monitor the core, limited risk of an event during this time, and sufficient time to take corrective actions to restore the required SRMs to OPERABLE status or to establish alternate IRM monitoring capability.
| |
| During this time, control rod withdrawal and power increase are not precluded by this Required Action. Having the ability to monitor the core with at least one SRM, proceeding to IRM Range 3 or greater (with overlap required by SR 3.3.1.1.6) and thereby exiting the Applicability of this LCO, is acceptable for ensuring adequate core monitoring and allowing continued operation.
| |
| With three required SRMs inoperable, Required Action B.1 allows no positive changes in reactivity (control rod withdrawal must be immediately suspended) due to the inability to monitor the changes. Required Action A.1 still applies and allows 4 hours to restore monitoring capability prior to requiring control rod insertion. This allowance is based on the limited risk of an event during this time, provided that no control rod withdrawals are allowed, and the desire to concentrate efforts on repair, rather than to immediately shut down, with no SRMs OPERABLE.
| |
| Columbia Generating Station B 3.3.1.2-3 Revision 73
| |
| | |
| SRM Instrumentation B 3.3.1.2 BASES ACTIONS (continued)
| |
| C.1 In MODE 2, if the required number of SRMs is not restored to OPERABLE status within the allowed Completion Time, the reactor shall be placed in MODE 3. With all control rods fully inserted, the core is in its least reactive state with the most margin to criticality. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 in an orderly manner and without challenging plant systems.
| |
| D.1 and D.2 With one or more required SRM channels inoperable in MODE 3 or 4, the neutron flux monitoring capability is degraded or nonexistent. The requirement to fully insert all insertable control rods ensures that the reactor will be at its minimum reactivity level while no neutron monitoring capability is available. Placing the reactor mode switch in the shutdown position prevents subsequent control rod withdrawal by maintaining a control rod block. The allowed Completion Time of 1 hour is sufficient to accomplish the Required Action, and takes into account the low probability of an event requiring the SRM occurring during this time.
| |
| E.1 and E.2 With one or more required SRMs inoperable in MODE 5, the capability to detect local reactivity changes in the core during refueling is degraded.
| |
| CORE ALTERATIONS must be immediately suspended, and action must be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Suspending CORE ALTERATIONS prevents the two most probable causes of reactivity changes, fuel loading and control rod withdrawal, from occurring.
| |
| Inserting all insertable control rods ensures that the reactor will be at its minimum reactivity, given that fuel is present in the core. Suspension of CORE ALTERATIONS shall not preclude completion of the movement of a component to a safe, conservative position.
| |
| Action (once required to be initiated) to insert control rods must continue until all insertable rods in core cells containing one or more fuel assemblies are inserted.
| |
| Columbia Generating Station B 3.3.1.2-4 Revision 73
| |
| | |
| SRM Instrumentation B 3.3.1.2 BASES SURVEILLANCE As noted at the beginning of the SRs, the SRs for each SRM Applicable REQUIREMENTS MODE or other specified condition are found in the SRs column of Table 3.3.1.2-1.
| |
| SR 3.3.1.2.1 and SR 3.3.1.2.3 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a qualitative assessment, by observation, of channel behavior during operation. This determination includes, where possible, comparison of the channel indication and status to other indications or status derived from independent instrument channels measuring the same parameter. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.
| |
| The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.
| |
| SR 3.3.1.2.2 To provide adequate coverage of potential reactivity changes in the core when the fueled region encompasses more than one SRM, one SRM is required to be OPERABLE in the quadrant where CORE ALTERATIONS are being performed, and the other OPERABLE SRM must be in an adjacent quadrant containing fuel. Note 1 states that this SR is required to be met only during CORE ALTERATIONS. It is not required to be met at other times in MODE 5 since core reactivity changes are not occurring.
| |
| This Surveillance consists of a review of plant logs to ensure that SRMs required to be OPERABLE for given CORE ALTERATIONS are, in fact, OPERABLE. In the event that only one SRM is required to be OPERABLE (when the fueled region encompasses only one SRM), per Columbia Generating Station B 3.3.1.2-5 Revision 93
| |
| | |
| SRM Instrumentation B 3.3.1.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| Table 3.3.1.2-1, footnote (b), only the a. portion of this SR is required.
| |
| Note 2 clarifies that more than one of the three requirements can be met by the same OPERABLE SRM. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.1.2.4 This Surveillance consists of a verification of the SRM instrument readout to ensure that the SRM reading is greater than a specified minimum count rate with the detector full in. This ensures that the detectors are indicating count rates indicative of neutron flux levels within the core.
| |
| With few fuel assemblies loaded, the SRMs will not have a high enough count rate to satisfy the SR. Therefore, allowances are made for loading sufficient "source" material, in the form of irradiated fuel assemblies, to establish the minimum count rate.
| |
| To accomplish this, the SR is modified by a Note that states that the count rate is not required to be met on an SRM that has less than or equal to four fuel assemblies adjacent to the SRM and no other fuel assemblies are in the associated core quadrant. With four or less fuel assemblies loaded around each SRM and no other fuel assemblies in the associated quadrant, even with a control rod withdrawn the configuration will not be critical.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.1.2.5 and SR 3.3.1.2.6 Performance of a CHANNEL FUNCTIONAL TEST demonstrates the associated channel will function properly. SR 3.3.1.2.5 is required in MODE 5, and ensures that the channels are OPERABLE while core reactivity changes could be in progress. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.1.2.6 is required in MODE 2 with IRMs on Range 2 or below and in MODES 3 and 4. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.3.1.2-6 Revision 93
| |
| | |
| SRM Instrumentation B 3.3.1.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The signal to noise ratio is determined to ensure adequate SRM response to reactivity changes while shutdown. This determination is performed by comparing an SRM countrate including neutrons to an SRM countrate not including neutrons. One method is to compare the SRM countrate with the detector in the core to the SRM countrate with the SRM withdrawn from the core. Another method electronically eliminates the SRM countrate signal due to neutrons. This signal and a normal SRM signal are then compared to determine the signal to noise ratio.
| |
| With few fuel assemblies loaded, the SRMs will not have a high enough count rate to determine the signal to noise ratio. Therefore, allowances are made for loading sufficient "source" material, in the form of irradiated fuel assemblies, to establish the conditions necessary to determine the signal to noise ratio. To accomplish this, SR 3.3.1.2.5 is modified by a Note that states that the determination of signal to noise ratio is not required to be met on an SRM that has less than or equal to four fuel assemblies adjacent to the SRM and no other fuel assemblies are in the associated core quadrant. With four or less fuel assemblies loaded around each SRM, even with a control rod withdrawn the configuration will not be critical.
| |
| The Note to the SR 3.3.1.2.6 allows the Surveillance to be delayed until entry into the specified condition of the Applicability. The SR must be performed in MODE 2 within 12 hours of entering MODE 2 with IRMs on Range 2 or below. The allowance to enter the Applicability with the Frequency not met is reasonable, based on the limited time of 12 hours allowed after entering the Applicability and the inability to perform the Surveillance while at higher power levels. Although the Surveillance could be performed while on IRM Range 3, the plant would not be expected to maintain steady state operation at this power level. In this event, the 12 hour Frequency is reasonable, based on the SRMs being otherwise verified to be OPERABLE (i.e., satisfactorily performing the CHANNEL CHECK) and the time required to perform the Surveillances.
| |
| SR 3.3.1.2.7 Performance of a CHANNEL CALIBRATION verifies the performance of the SRM detectors and associated circuitry. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The neutron detectors are excluded from the CHANNEL CALIBRATION (Note 1) because they cannot readily be adjusted. The detectors are fission chambers that are designed to have a relatively constant sensitivity over the range, and with an accuracy specified for a fixed useful life.
| |
| Columbia Generating Station B 3.3.1.2-7 Revision 93
| |
| | |
| SRM Instrumentation B 3.3.1.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| Note 2 to the Surveillance allows the Surveillance to be delayed until entry into the specified condition of the Applicability. The SR must be performed in MODE 2 within 12 hours of entering MODE 2 with IRMs on Range 2 or below. The allowance to enter the Applicability with the Frequency not met is reasonable, based on the limited time of 12 hours allowed after entering the Applicability and the inability to perform the Surveillance while at higher power levels. Although the Surveillance could be performed while on IRM Range 3, the plant would not be expected to maintain steady state operation at this power level. In this event, the 12 hour Frequency is reasonable, based on the SRMs being otherwise verified to be OPERABLE (i.e., satisfactorily performing the CHANNEL CHECK) and the time required to perform the Surveillances.
| |
| REFERENCES None.
| |
| Columbia Generating Station B 3.3.1.2-8 Revision 93
| |
| | |
| Control Rod Block Instrumentation B 3.3.2.1 B 3.3 INSTRUMENTATION B 3.3.2.1 Control Rod Block Instrumentation BASES BACKGROUND Control rods provide the primary means for control of reactivity changes.
| |
| Control rod block instrumentation includes channel sensors, logic circuitry, switches, and relays that are designed to ensure that specified fuel design limits are not exceeded for postulated transients and accidents. During high power operation, the rod block monitor (RBM) provides protection for control rod withdrawal error events. During low power operations, control rod blocks from the rod worth minimizer (RWM) enforce specific control rod sequences designed to mitigate the consequences of the control rod drop accident (CRDA). During shutdown conditions, control rod blocks from the Reactor Mode Switch - Shutdown Position Function ensure that all control rods remain inserted to prevent inadvertent criticalities.
| |
| The purpose of the RBM is to limit control rod withdrawal if localized neutron flux exceeds a predetermined setpoint during control rod manipulations (Ref. 1). It is assumed to function to block further control rod withdrawal to preclude a MCPR Safety Limit (SL) violation. The RBM supplies a trip signal to the Reactor Manual Control System (RMCS) to appropriately inhibit control rod withdrawal during power operation above the low power range setpoint. The RBM has two channels, either of which can initiate a control rod block when the channel output exceeds the control rod block setpoint or an RBM inop condition exists. One RBM channel inputs into one RMCS rod block circuit and the other RBM channel inputs into the second RMCS rod block circuit.
| |
| The RBM channel signal is generated by averaging a set of local power range monitor (LPRM) signals at various core heights surrounding the control rod being withdrawn. Each RBM uses all available C level LPRM inputs and half of the available B and D level LPRM inputs for the rod selected. RBM channel A uses the opposite B and D level LPRM inputs from RBM channel B. A simulated thermal power signal from one of the four redundant average power range monitor (APRM) channels supplies a reference signal for one of the RBM channels and a simulated thermal power signal from another of the APRM channels supplies the reference signal to the second RBM channel. This reference signal is used to determine which RBM range setpoint (low, intermediate, or high) is enabled. If the APRM simulated thermal power is indicating less than the low power range setpoint, the RBM is automatically bypassed. The RBM is also automatically bypassed if a peripheral control rod is selected (Ref.
| |
| 1). When a control rod is selected the initial RBM LPRM averaged value is set and held constant until another rod is selected. Each subsequent RBM LPRM averaged value is normalized to the initial RBM LPRM Columbia Generating Station B 3.3.2.1-1 Revision 87
| |
| | |
| Control Rod Block Instrumentation B 3.3.2.1 BASES BACKGROUND (continued) averaged value (RBM flux). The RBM flux, in percent, is used to provide indication and actuation of automatic functions based on the change in the relative local power level.
| |
| The purpose of the RWM is to control rod patterns during startup and shutdown, such that only specified control rod sequences and relative positions are allowed over the operating range from all control rods inserted to 10% RTP. The sequences effectively limit the potential amount and rate of reactivity increase during a CRDA. A prescribed control rod sequence is stored in the RWM, which will initiate control rod withdrawal and insert blocks when the actual sequence deviates beyond allowances from the stored sequence. The RWM determines the actual sequence based position indication for each control rod. The RWM also uses steam flow signals to determine when the reactor power is above the preset power level at which the RWM is automatically bypassed (Ref. 2). The RWM is a single channel system that provides input into one RMCS rod block circuit.
| |
| With the reactor mode switch in the shutdown position, a control rod withdrawal block is applied to all control rods to ensure that the shutdown condition is maintained. This Function prevents inadvertent criticality as the result of a control rod withdrawal during MODE 3 or 4, or during MODE 5 when the reactor mode switch is required to be in the shutdown position. The reactor mode switch has two channels, each inputting into a separate RMCS rod block circuit. A rod block in either RMCS circuit will provide a control rod block to all control rods.
| |
| APPLICABLE 1. Rod Block Monitor SAFETY ANALYSES, LCO, The RBM is designed to prevent violation of the MCPR SL and the and APPLICABILITY cladding 1% plastic strain fuel design limit that may result from a single control rod withdrawal error (RWE) event. The analytical methods and assumptions used in evaluating the RWE event are summarized in Reference 3. A statistical analysis of RWE events was performed to determine the RBM response for both channels for each event. From these responses, the fuel thermal performance as a function of RBM Allowable Value was determined. The Allowable Values are chosen as a function of power level. The Allowable Values and nominal trip setpoints are established in the COLR because they are confirmed or modified on a cycle-specific basis to support the operating limits established in the COLR.
| |
| The RBM Function satisfies Criterion 3 of Reference 4. The Rod Block Monitor Low, Intermediate and High Power Range - Upscale functions (Functions 1.a, 1.b and 1.c, respectively) are Limiting Safety System Columbia Generating Station B 3.3.2.1-2 Revision 87
| |
| | |
| Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Settings (LSSS) as they protect the MCPR SL during a postulated Rod Withdrawal Error (RWE) event.
| |
| Two channels of the RBM are required to be OPERABLE, with their setpoints within the appropriate Allowable Values to ensure that no single instrument failure can preclude a rod block from this Function. The actual setpoints are calibrated consistent with applicable setpoint methodology.
| |
| The Analytical Limits are derived from the limiting values determined from the safety analysis. The Allowable Values are derived from the Analytical Limits correcting for all process and instrument uncertainties, excluding drift and calibration, using the setpoint methodology specified in the Licensee Controlled Specifications. The Limiting Trip Setpoints (LTSPs) are derived from the Analytical Limits in the same way as the Allowable Values except the LTSPs include drift and calibration uncertainties. The LTSPs thus ensure the setpoints don't exceed the Allowable Values between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the LTSP but within its Allowable Value, is acceptable. For the RBM system there is no drift characteristic since it only performs digital calculations on the digitized input signals from the APRMs. Therefore the LTSP is the LSSS. The RBM also undergoes a normalization process after each rod selection. Therefore the only instrument signal variation that is considered in the setpoint methodology which determines the LTSP for the RBM is the actual process changes that take place between rod selection and rod movement. The RBM is assumed to mitigate the consequences of an RWE event when operating 28% RTP. Below this power level, the consequences of an RWE event will not exceed the MCPR SL and, therefore, the RBM is not required to be OPERABLE (Ref. 3). When operating with the MCPR greater than or equal to the RBM MCPR Limits specified in the COLR, analyses have shown that no RWE event will result in exceeding the MCPR SL.
| |
| Therefore, under these conditions, the RBM is also not required to be OPERABLE.
| |
| : 2. Rod Worth Minimizer The RWM enforces the banked position withdrawal sequence (BPWS) to ensure that the initial conditions of the CRDA analysis are not violated.
| |
| The analytical methods and assumptions used in evaluating the CRDA are summarized in Reference 5. The BPWS requires that control rods be moved in groups, with all control rods assigned to a specific group required to be within specified banked positions. Requirements that the control rod sequence is in compliance with the BPWS are specified in LCO 3.1.6, "Rod Pattern Control."
| |
| The RWM Function satisfies Criterion 3 of Reference 4.
| |
| Columbia Generating Station B 3.3.2.1-3 Revision 87
| |
| | |
| Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Since the RWM is a system designed to act as a backup to operator control of the rod sequences, only one channel of the RWM is available and required to be OPERABLE (Ref. 6). Special circumstances provided for in the Required Action of LCO 3.1.3, "Control Rod OPERABILITY,"
| |
| and LCO 3.1.6 may necessitate bypassing the RWM to allow continued operation with inoperable control rods, or to allow correction of a control rod pattern not in compliance with the BPWS. The RWM may be bypassed as required by these conditions, but then it must be considered inoperable and the Required Actions of this LCO followed.
| |
| Compliance with the BPWS, and therefore OPERABILITY of the RWM, is required in MODES 1 and 2 when THERMAL POWER is 10% RTP.
| |
| When THERMAL POWER is > 10% RTP, there is no possible control rod configuration that results in a control rod worth that could exceed the 280 cal/gm fuel damage limit during a CRDA (Ref. 5). In MODES 3 and 4, all control rods are required to be inserted into the core; therefore, a CRDA cannot occur. In MODE 5, since only a single control rod can be withdrawn from a core cell containing fuel assemblies, adequate SDM ensures that the consequences of a CRDA are acceptable, since the reactor will be subcritical.
| |
| : 3. Reactor Mode Switch - Shutdown Position During MODES 3 and 4, and during MODE 5 when the reactor mode switch is in the shutdown position, the core is assumed to be subcritical; therefore, no positive reactivity insertion events are analyzed. The Reactor Mode Switch - Shutdown Position control rod withdrawal block ensures that the reactor remains subcritical by blocking control rod withdrawal, thereby preserving the assumptions of the safety analysis.
| |
| The Reactor Mode Switch - Shutdown Position Function satisfies Criterion 3 of Reference 4.
| |
| Two channels are required to be OPERABLE to ensure that no single channel failure will preclude a rod block when required. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on reactor mode switch position.
| |
| During shutdown conditions (MODE 3, 4, or 5), no positive reactivity insertion events are analyzed because assumptions are that control rod withdrawal blocks are provided to prevent criticality. Therefore, when the reactor mode switch is in the shutdown position, the control rod withdrawal block is required to be OPERABLE. During MODE 5 with the reactor mode switch in the refueling position, the refuel position one-rod-out interlock (LCO 3.9.2 "Refuel Position One-Rod-Out Interlock")
| |
| provides the required control rod withdrawal blocks.
| |
| Columbia Generating Station B 3.3.2.1-4 Revision 73
| |
| | |
| Control Rod Block Instrumentation B 3.3.2.1 BASES ACTIONS A.1 With one RBM channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod block function; however, overall reliability is reduced because a single failure in the remaining OPERABLE channel can result in no control rod block capability for the RBM. For this reason, Required Action A.1 requires restoration of the inoperable channel to OPERABLE status. The Completion Time of 24 hours is based on the low probability of an event occurring coincident with a failure in the remaining OPERABLE channel.
| |
| B.1 If Required Action A.1 is not met and the associated Completion Time has expired, the inoperable channel must be placed in trip within 1 hour.
| |
| If both RBM channels are inoperable, the RBM is not capable of performing its intended function; thus, one channel must also be placed in trip. This initiates a control rod withdrawal block, thereby ensuring that the RBM function is met.
| |
| The 1 hour Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities and is acceptable because it minimizes risk while allowing time for restoration or tripping of inoperable channels.
| |
| C.1, C.2.1.1, C.2.1.2, and C.2.2 With the RWM inoperable during a reactor startup, the operator is still capable of enforcing the prescribed control rod sequence. However, the overall reliability is reduced because a single operator error can result in violating the control rod sequence. Therefore, control rod movement must be immediately suspended except by scram. Alternatively, startup may continue if at least 12 control rods have already been withdrawn, or a reactor startup with an inoperable RWM during withdrawal of one or more of the first 12 rods was not performed in the last calendar year. These requirements minimize the number of reactor startups initiated with RWM inoperable. Required Actions C.2.1.1 and C.2.1.2 require verification of these conditions by review of plant logs and control room indications.
| |
| Once Required Action C.2.1.1 or C.2.1.2 is satisfactorily completed, control rod withdrawal may proceed in accordance with the restrictions imposed by Required Action C.2.2.
| |
| Columbia Generating Station B 3.3.2.1-5 Revision 73
| |
| | |
| Control Rod Block Instrumentation B 3.3.2.1 BASES ACTIONS (continued)
| |
| Required Action C.2.2 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff.
| |
| The RWM may be bypassed under these conditions to allow continued operations. In addition, Required Actions of LCO 3.1.3 and LCO 3.1.6 may require bypassing the RWM, during which time the RWM must be considered inoperable with Condition C entered and its Required Actions taken.
| |
| D.1 With the RWM inoperable during a reactor shutdown, the operator is still capable of enforcing the prescribed control rod sequence. Required Action D.1 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff. The RWM may be bypassed under these conditions to allow the reactor shutdown to continue.
| |
| E.1 and E.2 With one Reactor Mode Switch - Shutdown Position control rod withdrawal block channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod withdrawal block function.
| |
| However, since the Required Actions are consistent with the normal action of an OPERABLE Reactor Mode Switch - Shutdown Position Function (i.e., maintaining all control rods inserted), there is no distinction between having one or two channels inoperable.
| |
| In both cases (one or both channels inoperable), suspending all control rod withdrawal and initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies will ensure that the core is subcritical with adequate SDM ensured by LCO 3.1.1. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are therefore not required to be inserted. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted.
| |
| Columbia Generating Station B 3.3.2.1-6 Revision 73
| |
| | |
| Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE As noted at the beginning of the SRs, the SRs for each Control Rod Block REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.2.1-1.
| |
| The Surveillances are modified by a second Note to indicate that when an RBM channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains control rod block capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 7) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that a control rod block will be initiated when necessary.
| |
| SR 3.3.2.1.1 A CHANNEL FUNCTIONAL TEST is performed for each RBM channel to ensure that the channel will perform the intended function. It includes the Reactor Manual Control Multiplexing System input.
| |
| Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.2.1.2 and SR 3.3.2.1.3 A CHANNEL FUNCTIONAL TEST is performed for the RWM to ensure that the entire system will perform the intended function. The CHANNEL FUNCTIONAL TEST for the RWM is performed by attempting to withdraw a control rod not in compliance with the prescribed sequence and verifying a control rod block occurs and, for SR 3.3.2.1.2 only, by attempting to select a control rod not in compliance with the prescribed sequence and verifying a selection error occurs. As noted in the SRs, SR 3.3.2.1.2 is not required to be performed until 1 hour after any control rod is withdrawn at 10% RTP in MODE 2, and SR 3.3.2.1.3 is not required to be performed until 1 hour after THERMAL POWER is 10% RTP in MODE 1. This allows entry into MODE 2 (and if entering during a shutdown, concurrent power reduction to 10% RTP) for SR 3.3.2.1.2, and THERMAL POWER reduction to 10% RTP in MODE 1 for SR 3.3.2.1.3, to perform the required Surveillances if the Frequency is not met per SR 3.0.2. The 1 hour allowance is based on Columbia Generating Station B 3.3.2.1-7 Revision 93
| |
| | |
| Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE REQUIREMENTS (continued) operating experience and in consideration of providing a reasonable time in which to complete the SRs. The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.2.1.4 The RBM setpoints are automatically varied as a function of power. The RBM Allowable Values required in Table 3.3.2.1-1, each within a specific power range, are specified in the COLR. The power at which the control rod block Allowable Values automatically change are based on the APRM simulated thermal power input to each RBM channel. Below the minimum power setpoint, the RBM is automatically bypassed. These control rod block bypass setpoints must be verified periodically to be less than or equal to the specified values. If any power range setpoint is nonconservative, then the affected RBM channel is considered inoperable. Alternatively, the power range channel can be placed in the conservative condition (i.e., enabling the proper RBM setpoint). If placed in this condition, the SR is met and the RBM channel is not considered inoperable. As noted, neutron detectors are excluded from the Surveillance because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately tested in SR 3.3.1.1.2 and SR 3.3.1.1.7. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.2.1.5 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.
| |
| As noted, neutron detectors are excluded from the CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately tested in SR 3.3.1.1.2 and SR 3.3.1.1.7.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.3.2.1-8 Revision 93
| |
| | |
| Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.3.2.1.5 for RBM Functions 1.a, 1.b and 1.c is modified by two Notes as identified in Table 3.3.2.1-1. Note (d) requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is not the Limiting Trip Setpoint (LTSP) but is conservative with respect to the Allowable Value. For digital channel components, no as-found tolerance or as-left tolerance can be specified. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. Any nonconformance will be entered into the Corrective Action Program which will ensure required review and documentation of the condition for continued OPERABILITY.
| |
| Note (e) requires that the as-left setting for the instrument be returned to within an acceptable as-left tolerance around the LTSP. If the as-left instrument setting cannot be returned to the LTSP, then the instrument channel shall be declared inoperable. The Allowable Values for Rod Block Monitor Functions 1.a, 1.b and 1.c are specified in the COLR. The LTSPs are specified in the Licensee Controlled Specifications.
| |
| SR 3.3.2.1.6 The RWM is automatically bypassed when power is above a specified value. The power level is determined from a steam flow signal. The automatic bypass setpoint must be verified periodically to be > 10% RTP.
| |
| If the RWM low power setpoint is nonconservative, then the RWM is considered inoperable. Alternately, the low power setpoint channel can be placed in the conservative condition (nonbypass). If placed in the nonbypassed condition, the SR is met and the RWM is not considered inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.2.1.7 A CHANNEL FUNCTIONAL TEST is performed for the Reactor Mode Switch - Shutdown Position Function to ensure that the entire channel will perform the intended function. The CHANNEL FUNCTIONAL TEST for the Reactor Mode Switch - Shutdown Position Function is performed by attempting to withdraw any control rod with the reactor mode switch in the shutdown position and verifying a control rod block occurs.
| |
| Columbia Generating Station B 3.3.2.1-9 Revision 93
| |
| | |
| Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| As noted in the SR, the Surveillance is not required to be performed until 1 hour after the reactor mode switch is in the shutdown position, since testing of this interlock with the reactor mode switch in any other position cannot be performed without using jumpers, lifted leads, or movable links.
| |
| This allows entry into MODES 3 and 4 if the Frequency is not met per SR 3.0.2. The 1 hour allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SRs.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.2.1.8 The RWM will only enforce the proper control rod sequence if the rod sequence is properly input into the RWM computer. This SR ensures that the proper sequence is loaded into the RWM so that it can perform its intended function. The Surveillance is performed once prior to declaring RWM OPERABLE following loading of sequence into RWM, since this is when rod sequence input errors are possible.
| |
| REFERENCES 1. FSAR, Section 7.7.1.8.
| |
| : 2. FSAR, Section 7.7.1.10.
| |
| : 3. NEDC-33507P, Revision 1, Energy Northwest Columbia Generating Station APRM/RBM/Technical Specifications/Maximum Extended Load Line Limit Analysis (ARTS/MELLLA), January 2012.
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| : 5. FSAR, Section 15.4.9.
| |
| : 6. NRC SER, "Acceptance of Referencing of Licensing Topical Report NEDE-24011-P-A," "General Electric Standard Application for Reactor Fuel, Revision 8, Amendment 17," December 27, 1987.
| |
| : 7. GENE-770-06-1-A, "Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," December 1992.
| |
| Columbia Generating Station B 3.3.2.1-10 Revision 93
| |
| | |
| Control Rod Block Instrumentation B 3.3.2.1 BASES REFERENCES (continued)
| |
| : 8. NEDC-30851-P-A, Supplement 1, "Technical Specification Improvement Analysis for BWR Control Rod Block Instrumentation,"
| |
| October 1988.
| |
| : 9. NEDC-32410P, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, October 1995.
| |
| Columbia Generating Station B 3.3.2.1-11 Revision 93
| |
| | |
| Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 B 3.3 INSTRUMENTATION B 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation BASES BACKGROUND The feedwater and main turbine high water level trip instrumentation is designed to detect a potential failure of the Feedwater Level Control System that causes excessive feedwater flow.
| |
| With excessive feedwater flow, the water level in the reactor vessel rises toward the high water level, Level 8 reference point, causing the trip of the two feedwater pump turbines and the main turbine.
| |
| Reactor Vessel Water Level - High, Level 8 signals are provided by level sensors that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level in the reactor vessel (variable leg). Three channels of Reactor Vessel Water Level - High, Level 8 instrumentation are provided as input to a two-out-of-three initiation logic that trips the two feedwater pump turbines and the main turbine. The channels include electronic equipment (e.g., trip relays) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel outputs a main feedwater and main turbine trip signal to the trip logic.
| |
| A trip of the feedwater pump turbines limits further increase in reactor vessel water level by limiting further addition of feedwater to the reactor vessel. A trip of the main turbine and closure of the throttle valves protects the turbine from damage due to water entering the turbine.
| |
| APPLICABLE The feedwater and main turbine high water level trip instrumentation is SAFETY assumed to be capable of providing a turbine trip in the design basis ANALYSES transient analysis for a feedwater controller failure, maximum demand event (Ref. 1). The Level 8 trip indirectly initiates a reactor scram from the main turbine trip (above 29.5% RTP) and trips the feedwater pumps, thereby terminating the event. The reactor scram mitigates the reduction in MCPR.
| |
| Feedwater and main turbine high water level trip instrumentation satisfies Criterion 3 of Reference 2.
| |
| LCO The LCO requires three channels of the Reactor Vessel Water Level -
| |
| High, Level 8 instrumentation to be OPERABLE to ensure that no single instrument failure will prevent the feedwater pump turbines and main turbine trip on a valid Level 8 signal. Two of the three channels are needed to provide trip signals in order for the feedwater and main turbine trips to occur. Each channel must have its setpoint set within the specified Allowable Value of SR 3.3.2.2.3. The Allowable Value is set to Columbia Generating Station B 3.3.2.2-1 Revision 98
| |
| | |
| Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES LCO (continued) ensure that the thermal limits are not exceeded during the event. The actual setpoint is calibrated to be consistent with the applicable setpoint methodology assumptions. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.
| |
| Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for process and all instrument uncertainties, except drift and calibration. The trip setpoints are derived from the analytic limits, corrected for process and all instrument uncertainties, including drift and calibration. The trip setpoints derived in this manner provide adequate protection because all instrumentation uncertainties and process effects are taken into account.
| |
| APPLICABILITY The feedwater and main turbine high water level trip instrumentation is required to be OPERABLE at > 25% RTP to ensure that the fuel cladding integrity Safety Limit and the cladding 1% plastic strain limit are not violated during the feedwater controller failure, maximum demand event.
| |
| As discussed in the Bases for LCO 3.2.1, "Average Planar Linear Heat Generation Rate (APLHGR)," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)," sufficient margin to these limits exists below 25% RTP; therefore, these requirements are only necessary when operating at or above this power level.
| |
| ACTIONS A Note has been provided to modify the ACTIONS related to feedwater and main turbine high water level trip instrumentation channels.
| |
| Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent trains, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into Columbia Generating Station B 3.3.2.2-2 Revision 73
| |
| | |
| Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES ACTIONS (continued) the Condition. However, the Required Actions for inoperable feedwater and main turbine high water level trip instrumentation channels provide appropriate compensatory measures for separate inoperable channels.
| |
| As such, a Note has been provided that allows separate Condition entry for each inoperable feedwater and main turbine high water level trip instrumentation channel.
| |
| A.1 With one channel inoperable, the remaining two OPERABLE channels can provide the required trip signal. However, overall instrumentation reliability is reduced because a single failure in one of the remaining channels concurrent with feedwater controller failure, maximum demand event, may result in the instrumentation not being able to perform its intended function. Therefore, continued operation is only allowed for a limited time with one channel inoperable. If the inoperable channel cannot be restored to OPERABLE status within the Completion Time, the channel must be placed in the tripped condition per Required Action A.1.
| |
| Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in a feedwater or main turbine trip), Condition C must be entered and its Required Action taken.
| |
| The Completion Time of 7 days is based on the low probability of the event occurring coincident with a single failure in a remaining OPERABLE channel.
| |
| B.1 With two or more channels inoperable, the feedwater and main turbine high water level trip instrumentation cannot perform its design function (feedwater and main turbine high water level trip capability is not maintained). Therefore, continued operation is only permitted for a 2 hour period, during which feedwater and main turbine high water level trip capability must be restored. The trip capability is considered maintained when sufficient channels are OPERABLE or in trip such that the feedwater and main turbine high water level trip logic will generate a trip signal on a valid signal. This requires two channels to each be OPERABLE or in trip. If the required channels cannot be restored to OPERABLE status or placed in trip, Condition C must be entered and its Required Action taken.
| |
| Columbia Generating Station B 3.3.2.2-3 Revision 73
| |
| | |
| Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES ACTIONS (continued)
| |
| The 2 hour Completion Time is sufficient for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of feedwater and main turbine high water level trip instrumentation occurring during this period. It is also consistent with the 2 hour Completion Time provided in LCO 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a MCPR violation.
| |
| C.1 With the required channels not restored to OPERABLE status or placed in trip, THERMAL POWER must be reduced to < 25% RTP within 4 hours.
| |
| As discussed in the Applicability section of the Bases, operation below 25% RTP results in sufficient margin to the required limits, and the feedwater and main turbine high water level trip instrumentation is not required to protect fuel integrity during the feedwater controller failure, maximum demand event. The allowed Completion Time of 4 hours is based on operating experience to reduce THERMAL POWER to
| |
| < 25% RTP from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE The Surveillances are modified by a Note to indicate that when a channel REQUIREMENTS is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains feedwater and main turbine high water level trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 3) assumption that 6 hours is the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the feedwater pump turbines and main turbine will trip when necessary.
| |
| SR 3.3.2.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a qualitative assessment, by observation, of channel behavior during operation. This determination includes, where possible, comparison of the channel indication and status to other indications or status derived from independent channels measuring the same parameter. It is based on the assumption that instrument channels monitoring the same Columbia Generating Station B 3.3.2.2-4 Revision 93
| |
| | |
| Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES SURVEILLANCE REQUIREMENTS (continued) parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels, or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limits.
| |
| The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with the channels required by the LCO.
| |
| SR 3.3.2.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.2.2.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.3.2.2-5 Revision 93
| |
| | |
| Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.3.2.2.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the feedwater stop valves and main turbine throttle valves is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a valve is incapable of operating, the associated instrumentation would also be inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 15.1.2.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| : 3. GENE-770-06-1-A, "Bases for Changes to Surveillance Test Intervals and Allowed Out-Of-Service Times for Selected Instrumentation Technical Specifications," December 1992.
| |
| Columbia Generating Station B 3.3.2.2-6 Revision 93
| |
| | |
| PAM Instrumentation B 3.3.3.1 B 3.3 INSTRUMENTATION B 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation BASES BACKGROUND The primary purpose of the PAM instrumentation is to display, in the control room, plant variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for Design Basis Events. The instruments that monitor these variables are designated as Type A, Category I, and non-Type A, Category I in accordance with Regulatory Guide 1.97 (Ref. 1).
| |
| The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information available on selected plant parameters to monitor and assess plant status and behavior following an accident.
| |
| This capability is consistent with the recommendations of Reference 1.
| |
| APPLICABLE The PAM instrumentation LCO ensures the OPERABILITY of Regulatory SAFETY Guide 1.97, Type A, variables so that the control room operating staff ANALYSES can:
| |
| Perform the diagnosis specified in the Emergency Operating Procedures (EOPs). These variables are restricted to preplanned actions for the primary success path of Design Basis Accidents (DBAs) (e.g., loss of coolant accident (LOCA)); and Take the specified, preplanned, manually controlled actions for which no automatic control is provided, which are required for safety systems to accomplish their safety function.
| |
| The PAM instrumentation LCO also ensures OPERABILITY of Category I, non-Type A, variables. This ensures the control room operating staff can:
| |
| Determine whether systems important to safety are performing their intended functions; Determine the potential for causing a gross breach of the barriers to radioactivity release; Determine whether a gross breach of a barrier has occurred; and Initiate action necessary to protect the public and to obtain an estimate of the magnitude of any impending threat.
| |
| Columbia Generating Station B 3.3.3.1-1 Revision 73
| |
| | |
| PAM Instrumentation B 3.3.3.1 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| The plant specific Regulatory Guide 1.97 analysis (Ref. 2) documents the process that identified Type A and Category I, non-Type A, variables.
| |
| PAM instrumentation that meets the definition of Type A in Regulatory Guide 1.97 satisfies Criterion 3 of Reference 3. Category I, non-Type A, instrumentation is retained in the Technical Specifications (TS) because it is intended to assist operators in minimizing the consequences of accidents. Therefore, these Category I, non-Type A, variables are important for reducing public risk.
| |
| LCO LCO 3.3.3.1 requires two OPERABLE channels for most of the Functions to ensure no single failure prevents the operators from being presented with the information necessary to determine the status of the unit and to bring the unit to, and maintain it in, a safe condition following that accident. Furthermore, providing two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information.
| |
| The exceptions of the two channel requirement are the primary containment isolation valve (PCIV) position and the ECCS Pump Room Flood Level. For the PCIV position, the important information is the status of the primary containment penetrations. The LCO requires one position indicator for each active (e.g., automatic) PCIV. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of passive valve or via system boundary status. If a normally active PCIV is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for closed and deactivated valves is not required to be OPERABLE. For the ECCS Pump Room Flood Level one level switch is provided in each of the five ECCS pump rooms to monitor room flood conditions, due to leaks in the rooms.
| |
| Listed below is a discussion of the specified instrument Functions listed in Table 3.3.3.1-1.
| |
| : 1. Reactor Vessel Pressure Reactor vessel pressure is a Type A and Category I variable provided to support monitoring of Reactor Coolant System (RCS) integrity and to verify operation of the Emergency Core Cooling Systems (ECCS). Two independent pressure transmitters with a range of 0 psig to 1500 psig monitor pressure. Wide range recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.
| |
| Columbia Generating Station B 3.3.3.1-2 Revision 73
| |
| | |
| PAM Instrumentation B 3.3.3.1 BASES LCO (continued) 2.a, 2.b Reactor Vessel Water Level Reactor vessel water level is a Type A and Category I variable provided to support monitoring of core cooling and to verify operation of the ECCS.
| |
| Two different range channels (wide range and fuel zone range) provide the PAM Reactor Vessel Water Level Function. The water level channels measure from 60 inches above the bottom of the dryer skirt to 150 inches below the top of the active fuel. Water level is measured by independent differential pressure transmitters for each required channel. The output from these channels is recorded on independent pen recorders or read on indicators. These instruments are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.
| |
| The reactor vessel water level instruments are uncompensated for variation in reactor water density and are calibrated to be most accurate at a specific vessel pressure and temperature. The wide range instruments are calibrated to be accurate at the normal operating pressure and temperature. The fuel zone range instruments are calibrated to be accurate at 0 psig and 212°F.
| |
| 3.a, 3.b Suppression Pool Water Level Suppression pool water level is a Category I variable provided to detect a breach in the reactor coolant pressure boundary (RCPB). This variable is also used to verify and provide long term surveillance of ECCS function.
| |
| Two different range channels provide the PAM Suppression Pool Water Level Function. The wide range and narrow range suppression pool water level measurement provides the operator with sufficient information to assess the status of the RCPB and to assess the status of the water supply to the ECCS. The wide range water level indicators monitor the suppression pool level from the center line of the ECCS suction lines to the top of the pool (2 ft to 52 ft), while the narrow range water level indicators monitor the water level around its normal level (-25 inches to
| |
| +25 inches). Two wide range and two narrow range suppression pool water level signals are transmitted from separate transmitters and are continuously recorded on two recorders in the control room. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.
| |
| Columbia Generating Station B 3.3.3.1-3 Revision 73
| |
| | |
| PAM Instrumentation B 3.3.3.1 BASES LCO (continued)
| |
| : 4. Suppression Chamber Pressure Suppression chamber pressure is a Type A and Category I variable provided to determine whether or not drywell spray initiation will be required, given a high drywell pressure condition. This variable is also used to indicate suppression pool spray flow has been established.
| |
| Suppression chamber pressure is recorded in the control room from two separate pressure transmitter systems. The range of recording is from 0 psig to 100 psig. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.
| |
| 5.a, 5.b, 5.c. Drywell Pressure Drywell pressure is a Type A and Category I variable provided to detect breach of the RCPB and to verify ECCS functions that operate to maintain RCS integrity. Three different range drywell pressure channels receive signals that are transmitted from separate pressure transmitters and are continuously recorded and displayed on two control room recorders. The range of recording is from -5 psig to 180 psig. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.
| |
| : 6. Primary Containment Area Radiation (High Range)
| |
| Primary containment area radiation (high range) is a Category I variable provided to monitor for the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans.
| |
| Two detectors are located inside containment that have a range from 100 R/hr to 107 R/hr. These monitors respond to gamma radiation of 60 KeV as required by Regulatory Guide 1.97 to see the Xe-133 gases.
| |
| These radiation monitors display on recorders located in the control room.
| |
| Therefore, the PAM Specification deals specifically with this portion of the instrument channel.
| |
| Columbia Generating Station B 3.3.3.1-4 Revision 73
| |
| | |
| PAM Instrumentation B 3.3.3.1 BASES LCO (continued)
| |
| : 7. Penetration Flow Path Primary Containment Isolation Valve (PCIV)
| |
| Position PCIV (excluding check valves) position is a Category I variable provided for verification of containment integrity. In the case of PCIV position, the important information is the isolation status of the containment penetration. The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active PCIV in a containment penetration flow path, i.e., two total channels of PCIV position indication for a penetration flow path with two active valves. For containment penetrations with only one active PCIV having control room indication, Note (b) requires a single channel of valve position indication to be OPERABLE. This is sufficient to verify redundantly the isolation status of each isolable penetration via indicated status of the active valve, as applicable, and prior knowledge of passive valve or system boundary status. If a penetration is isolated, position indication for the PCIV(s) in the associated penetration flow path is not needed to determine status.
| |
| Therefore, the position indication for valves in an isolated penetration is not required to be OPERABLE. Each penetration is treated separately and each penetration flow path is considered a separate function.
| |
| Therefore, separate Condition entry is allowed for each inoperable penetration flow path.
| |
| The indication for each PCIV is provided at the valve controls in the control room. Each indication consists of green and red indicator lights that illuminate to indicate whether the PCIV is fully open, fully closed, or in a mid-position. Since the required range for PAM is closed-not closed, the PAM specification deals specifically with the fully closed indication and either the mid-position indication or the full open position indication portion of the instrumentation channel (Ref. 1). Either the mid-position or the fully open position indication fulfills the not closed portion of the range.
| |
| Both are not required.
| |
| 8, 9. Deleted
| |
| : 10. ECCS Pump Room Flood Level ECCS pump room flood level is a Type A and Category I variable provided to indicate ECCS pump room flooding. High water level in the ECCS pump rooms is indicated on five (one for each room) separate annunciators in the control room. Each annunciator alarms at a setpoint of 6 inches above the room's floor level. These annunciators are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.
| |
| Columbia Generating Station B 3.3.3.1-5 Revision 108
| |
| | |
| PAM Instrumentation B 3.3.3.1 BASES APPLICABILITY The PAM instrumentation LCO is applicable in MODES 1 and 2. These variables are related to the diagnosis and preplanned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES 1 and 2. In MODES 3, 4, and 5, plant conditions are such that the likelihood of an event that would require PAM instrumentation is extremely low; therefore, PAM instrumentation is not required to be OPERABLE in these MODES.
| |
| ACTIONS A Note has also been provided to modify the ACTIONS related to PAM instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable PAM instrumentation channels provide appropriate compensatory measures for separate inoperable functions. As such, a Note has been provided that allows separate Condition entry for each inoperable PAM Function.
| |
| A.1 When one or more Functions have one required channel that is inoperable, the required inoperable channel must be restored to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channel, the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval.
| |
| B.1 If a channel has not been restored to OPERABLE status in 30 days, this Required Action specifies initiation of actions in accordance with Specification 5.6.4, which requires a written report to be submitted to the Columbia Generating Station B 3.3.3.1-6 Revision 91
| |
| | |
| PAM Instrumentation B 3.3.3.1 BASES ACTIONS (continued)
| |
| NRC. This report discusses the results of the root cause evaluation of the inoperability and identifies proposed restorative actions. This Required Action is appropriate in lieu of a shutdown requirement since another OPERABLE channel is monitoring the Function, and given the likelihood of plant conditions that would require information provided by this instrumentation.
| |
| C.1 When one or more Functions have two or more required channels that are inoperable (i.e., two or more channels inoperable in the same Function), all but one channel in the Function should be restored to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.
| |
| D.1 This Required Action directs entry into the appropriate Condition referenced in Table 3.3.3.1-1. The applicable Condition referenced in the Table is Function dependent. Each time an inoperable channel has not met the Required Action of Condition C and the associated Completion Time has expired, Condition D is entered for that channel and provides for transfer to the appropriate subsequent Condition.
| |
| E.1 For the majority of Functions in Table 3.3.3.1-1, if any Required Action and associated Completion Time of Condition C is not met, the plant must be placed in a MODE in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours.
| |
| The allowed Completion Times are reasonable, based on operating experience, to reach the required plant condition from full power conditions in an orderly manner and without challenging plant systems.
| |
| Columbia Generating Station B 3.3.3.1-7 Revision 73
| |
| | |
| PAM Instrumentation B 3.3.3.1 BASES ACTIONS (continued)
| |
| F.1 Since alternate means of monitoring primary containment area radiation have been developed and tested, the Required Action is not to shut down the plant but rather to follow the directions of Specification 5.6.4. These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.
| |
| SURVEILLANCE As noted at the beginning of the SRs, the following SRs apply to each REQUIREMENTS PAM instrumentation Function in Table 3.3.3.1-1.
| |
| The Surveillances are modified by a second Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the other required channel(s) in the associated Function are OPERABLE. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. The 6 hour testing allowance is acceptable since it does not significantly reduce the probability of properly monitoring post-accident parameters, when necessary.
| |
| SR 3.3.3.1.1 Performance of a CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a qualitative assessment, by observation, of channel behavior during operation. This determination includes, where possible, comparison of the channel indication and status to other indications or status derived from independent instrument channels measuring the same parameter.
| |
| Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A significant deviation could indicate gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The high radiation instrumentation should be compared to similar plant instruments located throughout the plant.
| |
| Columbia Generating Station B 3.3.3.1-8 Revision 93
| |
| | |
| PAM Instrumentation B 3.3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of those displays associated with the channels required by the LCO.
| |
| SR 3.3.3.1.3 and SR 3.3.3.1.4 CHANNEL CALIBRATION is a complete check of the instrument loop including the sensor. The test verifies that the channel responds to the measured parameter with the necessary range and accuracy. For Function 6, the CHANNEL CALIBRATION shall consist of an electronic calibration of the channel, excluding the detector, for range decades 10 R/hour and a one point calibration check of the detector with an installed or portable gamma source for range decades < 10 R/hour. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. Regulatory Guide 1.97, "Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident," Revision 2, December 1980.
| |
| : 2. NRC Safety Evaluation Report, "Washington Public Power Supply System, Nuclear Project No. 2, Conformance to Regulatory Guide 1.97," dated March 23, 1988.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.3.3.1-9 Revision 93
| |
| | |
| Remote Shutdown System B 3.3.3.2 B 3.3 INSTRUMENTATION B 3.3.3.2 Remote Shutdown System BASES BACKGROUND The Remote Shutdown System provides the control room operator with sufficient instrumentation and controls to place and maintain the plant in a safe shutdown condition from a location other than the control room. This capability is necessary to protect against the possibility of the control room becoming inaccessible. At Columbia Generating Station, the remote shutdown system is comprised of the remote shutdown panel (preferred) and the alternate remote shutdown panel. The preferred panel uses the Residual Heat Removal System loop B (RHR B) while the alternate panel uses RHR A. A safe shutdown condition is defined as MODE 3. With the plant in MODE 3, the Reactor Core Isolation Cooling (RCIC) System, the safety/relief valves, and the Residual Heat Removal System can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the RCIC System and the ability to operate shutdown cooling from outside the control room allow extended operation in MODE 3.
| |
| In the event that the control room becomes inaccessible, the operators can establish control at the remote shutdown panel and place and maintain the plant in MODE 3. Not all controls and necessary transfer switches are located at the remote shutdown panel. Some controls and transfer switches will have to be operated locally at the switchgear, motor control panels, or other local stations. The plant is in MODE 3 following a plant shutdown and can be maintained safely in MODE 3 for an extended period of time.
| |
| The OPERABILITY of the Remote Shutdown System control and instrumentation Functions ensures that there is sufficient information available on selected plant parameters to place and maintain the plant in MODE 3 should the control room become inaccessible.
| |
| APPLICABLE The Remote Shutdown System is required to provide equipment at SAFETY appropriate locations outside the control room with a design capability to ANALYSES promptly shut down the reactor to MODE 3, including the necessary instrumentation and controls, to maintain the plant in a safe condition MODE 3.
| |
| The criteria governing the design and the specific system requirements of the Remote Shutdown System are located in 10 CFR 50, Appendix A, GDC 19 (Ref. 1).
| |
| The Remote Shutdown System is considered an important contributor to reducing the risk of accidents; as such, it meets Criterion 4 of Reference 2.
| |
| Columbia Generating Station B 3.3.3.2-1 Revision 73
| |
| | |
| Remote Shutdown System B 3.3.3.2 BASES LCO The Remote Shutdown System LCO provides the requirements for the OPERABILITY of the instrumentation and controls necessary to place and maintain the plant in MODE 3 from a location other than the control room. The instrumentation and controls required are listed in Reference 3.
| |
| The controls, instrumentation, and transfer switches are those required for:
| |
| Reactor pressure vessel (RPV) pressure control; Decay heat removal; RPV inventory control; and Standby Service Water System.
| |
| The Remote Shutdown System is OPERABLE if all instrument and control channels needed to support the remote shutdown function are OPERABLE. In some cases, the required information or control capability may be available from several alternate sources. In these cases, the Remote Shutdown System is OPERABLE as long as one channel of any of the alternate information or control sources for each Function is OPERABLE.
| |
| The Remote Shutdown System instruments and control circuits covered by this LCO do not need to be energized to be considered OPERABLE.
| |
| This LCO is intended to ensure that the instruments and control circuits will be OPERABLE if plant conditions require that the Remote Shutdown System be placed in operation.
| |
| APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1 and 2.
| |
| This is required so that the plant can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room.
| |
| This LCO is not applicable in MODES 3, 4, and 5. In these MODES, the plant is already subcritical and in a condition of reduced Reactor Coolant System energy. Under these conditions, considerable time is available to restore necessary instrument control Functions if control room instruments or control becomes unavailable. Consequently, the LCO does not require OPERABILITY in MODES 3, 4, and 5.
| |
| Columbia Generating Station B 3.3.3.2-2 Revision 73
| |
| | |
| Remote Shutdown System B 3.3.3.2 BASES ACTIONS A Note has been provided to modify the ACTIONS related to Remote Shutdown System Functions. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable Remote Shutdown System Functions provide appropriate compensatory measures for separate Functions.
| |
| As such, a Note has been provided that allows separate Condition entry for each inoperable Remote Shutdown System Function.
| |
| A.1 Condition A addresses the situation where one or more required Functions of the Remote Shutdown System is inoperable. This includes any Function listed in Reference 3, as well as the control and transfer switches.
| |
| The Required Action is to restore the Function (both divisions, if applicable) to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.
| |
| B.1 If the Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time is reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems.
| |
| Columbia Generating Station B 3.3.3.2-3 Revision 73
| |
| | |
| Remote Shutdown System B 3.3.3.2 BASES SURVEILLANCE The Surveillances are modified by a Note to indicate that when an REQUIREMENTS instrument channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. The 6 hour testing allowance is acceptable since it does not significantly reduce the probability of properly operating the associated equipment, when necessary.
| |
| SR 3.3.3.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a qualitative assessment, by observation, of channel behavior during operation. This determination includes, where possible, comparison of the channel indication and status to other indications or status derived from independent instrument channels measuring the same parameter. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. As specified in the Surveillance, a CHANNEL CHECK is only required for those channels that are normally energized.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.3.2.2 and SR 3.3.3.2.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. The test verifies the channel responds to measured parameter values with the necessary range and accuracy.
| |
| The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.3.3.2-4 Revision 93
| |
| | |
| Remote Shutdown System B 3.3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.3.3.2.4 SR 3.3.3.2.4 verifies each required Remote Shutdown System transfer switch and control circuit performs the intended function. This verification is performed from the remote and alternate shutdown panels, as appropriate. Operation of the equipment from the remote shutdown panel or alternate remote shutdown panel is not necessary. The Surveillance can be satisfied by performance of a continuity check. This will ensure that if the control room becomes inaccessible, the plant can be placed and maintained in MODE 3 from the remote or alternate shutdown panels. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 19.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| : 3. Licensee Controlled Specifications Manual.
| |
| Columbia Generating Station B 3.3.3.2-5 Revision 93
| |
| | |
| EOC-RPT Instrumentation B 3.3.4.1 B 3.3 INSTRUMENTATION B 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT) Instrumentation BASES BACKGROUND The EOC-RPT instrumentation initiates a recirculation pump trip (RPT) to reduce the peak reactor pressure and power resulting from turbine trip or generator load rejection transients to provide additional margin to the core thermal MCPR Safety Limit (SL).
| |
| The need for the additional negative reactivity in excess of that normally inserted on a scram reflects end of cycle reactivity considerations. Flux shapes at the end of cycle are such that the control rods may not be able to ensure that thermal limits are maintained by inserting sufficient negative reactivity during the first few feet of rod travel upon a scram caused by Turbine Governor Valve (TGV) Fast Closure, Trip Oil Pressure - Low, or Turbine Throttle Valve (TTV) - Closure. The physical phenomenon involved is that the void reactivity feedback due to a pressurization transient can add positive reactivity at a faster rate than the control rods can add negative reactivity.
| |
| The EOC-RPT instrumentation as described in Reference 1 is comprised of sensors that detect initiation of closure of the TTVs, or fast closure of the TGVs, combined with relays, logic circuits, and fast acting circuit breakers that interrupt the power to each of the recirculation pump motors. The channels include electronic equipment (e.g., trip relays) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel outputs an EOC-RPT signal to the trip logic. When the drive motor breakers trip open, the recirculation pumps coast down under their own inertia. The EOC-RPT has two identical trip systems, either of which can actuate an RPT.
| |
| Each EOC-RPT trip system is a two-out-of-two logic for each Function; thus, either two TTV - Closure or two TGV Fast Closure, Trip Oil Pressure - Low signals are required for a trip system to actuate. If either trip system actuates, both recirculation pumps will trip. There are two drive motor breakers in series per recirculation pump. One trip system trips one of the two drive motor breakers for each recirculation pump and the second trip system trips the other drive motor breaker for each recirculation pump.
| |
| Columbia Generating Station B 3.3.4.1-1 Revision 73
| |
| | |
| EOC-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE The TTV - Closure and the TGV Fast Closure, Trip Oil Pressure - Low SAFETY Functions are designed to trip the recirculation pumps in the event of a ANALYSES, LCO, turbine trip or generator load rejection to mitigate the neutron flux, heat and APPLICABILITY flux and pressurization transients, and to increase the margin to the MCPR SL. The analytical methods and assumptions used in evaluating the turbine trip and generator load rejection, as well as other safety analyses that assume EOC-RPT, are summarized in References 2 and 3.
| |
| To mitigate pressurization transient effects, the EOC-RPT must trip the recirculation pumps after initiation of initial closure movement of either the TTVs or the TGVs. The combined effects of this trip and a scram reduce fuel bundle power more rapidly than does a scram alone, resulting in an increased margin to the MCPR SL. Alternatively, MCPR limits for an inoperable EOC-RPT as specified in the COLR are sufficient to mitigate pressurization transient effects. The EOC-RPT function is automatically disabled when THERMAL POWER, as sensed by turbine first stage pressure, is < 29.5% RTP.
| |
| EOC-RPT instrumentation satisfies Criterion 3 of Reference 4.
| |
| The OPERABILITY of the EOC-RPT is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have a required number of OPERABLE channels in each trip system, with their setpoints within the specified Allowable Value of SR 3.3.4.1.2. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Channel OPERABILITY also includes the associated EOC-RPT breakers. Each channel (including the associated EOC-RPT breakers) must also respond within its assumed response time.
| |
| Allowable Values are specified for each EOC-RPT Function specified in the LCO. Nominal trip setpoints are specified in the setpoint calculations.
| |
| The nominal setpoints are selected to ensure the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS.
| |
| Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., TGV digital-electro hydraulic (DEH) pressure),
| |
| and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for process and all instrument uncertainties, except drift and calibration. The trip setpoints are derived Columbia Generating Station B 3.3.4.1-2 Revision 98
| |
| | |
| EOC-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) from the analytic limits, corrected for process and all instrument uncertainties, including drift and calibration. The trip setpoints derived in this manner provide adequate protection because all instrumentation uncertainties and process effects are taken into account.
| |
| The specific Applicable Safety Analysis, LCO, and Applicability discussions are listed below on a Function by Function basis.
| |
| Alternately, since this instrumentation protects against a MCPR SL violation with the instrumentation inoperable, modifications to the MCPR limits (LCO 3.2.2) may be applied to allow this LCO to be met. The MCPR penalty for the condition EOC-RPT inoperable is specified in the COLR.
| |
| Turbine Throttle Valve - Closure Closure of the TTVs and a main turbine trip result in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, an RPT is initiated on TTV - Closure in anticipation of the transients that would result from closure of these valves. EOC-RPT decreases reactor power and aids the reactor scram in ensuring the MCPR SL is not exceeded during the worst case transient.
| |
| Closure of the TTVs is determined by measuring the position of each throttle valve. While there are two separate position switches associated with each throttle valve, only the signal from one switch for each TTV is used, with each of the four channels being assigned to a separate trip channel. The logic for the TTV - Closure Function is such that two or more TTVs must be closed to produce an EOC-RPT. This Function must be enabled at THERMAL POWER 29.5% RTP. This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. Four channels of TTV - Closure, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure will preclude an EOC-RPT from this Function on a valid signal. The TTV - Closure Allowable Value is selected to detect imminent TTV closure.
| |
| This protection is required, consistent with the safety analysis assumptions, whenever THERMAL POWER is 29.5% RTP. Below 29.5% RTP, the Reactor Vessel Steam Dome Pressure - High and the Average Power Range Monitor (APRM) Neutron Flux - High Functions of the Reactor Protection System (RPS) are adequate to maintain the necessary safety margins.
| |
| Columbia Generating Station B 3.3.4.1-3 Revision 98
| |
| | |
| EOC-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| TGV Fast Closure, Trip Oil Pressure - Low Fast closure of the TGVs during a generator load rejection results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, an RPT is initiated on TGV Fast Closure, Trip Oil Pressure - Low in anticipation of the transients that would result from the closure of these valves. The EOC-RPT decreases reactor power and aids the reactor scram in ensuring that the MCPR SL is not exceeded during the worst case transient.
| |
| Fast closure of the TGVs is determined by measuring the DEH fluid pressure at each control valve. There is one pressure switch associated with each control valve, and the signal from each switch is assigned to a separate trip channel. The logic for the TGV Fast Closure, Trip Oil Pressure - Low Function is such that two or more TGVs must be closed (pressure switch trips) to produce an EOC-RPT. This Function must be enabled at THERMAL POWER 29.5% RTP. This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. Four channels of TGV Fast Closure, Trip Oil Pressure - Low, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure will preclude an EOC-RPT from this Function on a valid signal. The TGV Fast Closure, Trip Oil Pressure - Low Allowable Value is selected high enough to detect imminent TGV fast closure.
| |
| This protection is required consistent with the analysis, whenever the THERMAL POWER is 29.5% RTP. Below 29.5% RTP, the Reactor Vessel Steam Dome Pressure - High and the APRM Neutron Flux - High Functions of the RPS are adequate to maintain the necessary safety margins. The turbine first stage pressure/reactor power relationship for the setpoint of the automatic enable is identical to that described for TTV closure.
| |
| ACTIONS A Note has been provided to modify the ACTIONS related to EOC-RPT instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Columbia Generating Station B 3.3.4.1-4 Revision 98
| |
| | |
| EOC-RPT Instrumentation B 3.3.4.1 BASES ACTIONS (continued)
| |
| Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable EOC-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels.
| |
| As such, a Note has been provided that allows separate Condition entry for each inoperable EOC-RPT instrumentation channel.
| |
| A.1 and A.2 With one or more channels inoperable, but with EOC-RPT trip capability maintained (refer to Required Action B.1 and B.2 Bases), the EOC-RPT System is capable of performing the intended function. However, the reliability and redundancy of the EOC-RPT instrumentation is reduced such that a single failure in the remaining trip system could result in the inability of the EOC-RPT System to perform the intended function.
| |
| Therefore, only a limited time is allowed to restore compliance with the LCO. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of an EOC-RPT, 72 hours is allowed to restore the inoperable channels (Required Action A.1) or apply the EOC-RPT inoperable MCPR limit. Alternately, the inoperable channels may be placed in trip (Required Action A.2) since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. As noted in Required Action A.2, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an RPT), or if the inoperable channel is the result of an inoperable breaker, Condition C must be entered and its Required Actions taken.
| |
| B.1 and B.2 Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining EOC-RPT trip capability. A Function is considered to be maintaining EOC-RPT trip capability when sufficient channels are OPERABLE or in trip, such that the EOC-RPT System will generate a trip signal from the given Function Columbia Generating Station B 3.3.4.1-5 Revision 73
| |
| | |
| EOC-RPT Instrumentation B 3.3.4.1 BASES ACTIONS (continued) on a valid signal and both recirculation pumps can be tripped. This requires two channels of the Function, in the same trip system, to each be OPERABLE or in trip, and the associated drive motor breakers to be OPERABLE or in trip. Alternatively, Required Action B.2 requires the MCPR limit for inoperable EOC-RPT, as specified in the COLR, to be applied. This also restores the margin to MCPR assumed in the safety analysis.
| |
| The 2 hour Completion Time is sufficient for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of the EOC-RPT instrumentation during this period. It is also consistent with the 2 hour Completion Time provided in LCO 3.2.2, Required Action A.1, since this instrumentation's purpose is to preclude a MCPR violation.
| |
| C.1 and C.2 With any Required Action and associated Completion Time not met, THERMAL POWER must be reduced to < 29.5% RTP within 4 hours.
| |
| Alternately, the associated recirculation pump may be removed from service since this performs the intended function of the instrumentation.
| |
| The allowed Completion Time of 4 hours is reasonable, based on operating experience, to reduce THERMAL POWER to < 29.5% RTP from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE The Surveillances are modified by a Note to indicate that when a channel REQUIREMENTS is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the associated Function maintains EOC-RPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 5) assumption of the average time required to perform channel surveillance.
| |
| That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the recirculation pumps will trip when necessary.
| |
| Columbia Generating Station B 3.3.4.1-6 Revision 98
| |
| | |
| EOC-RPT Instrumentation B 3.3.4.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.3.4.1.1 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.4.1.2 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.
| |
| The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.4.1.3 This SR ensures that an EOC-RPT initiated from the TTV - Closure and TGV Fast Closure, Trip Oil Pressure - Low Functions will not be inadvertently bypassed when THERMAL POWER is 29.5% RTP. This involves calibration of the bypass channels. Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint. Because main turbine bypass flow can affect this setpoint nonconservatively (THERMAL POWER is derived from first stage pressure), the main turbine bypass valves must remain closed during an in-service calibration at THERMAL POWER 29.5% RTP to ensure that the calibration is valid. If any bypass channel's setpoint is nonconservative (i.e., the Functions are bypassed at 29.5% RTP either due to open main turbine bypass valves or other reasons), the affected TTV - Closure and TGV Fast Closure, Trip Oil Pressure - Low Functions are considered inoperable. Alternatively, the bypass channel can be placed in the conservative condition (nonbypass). If placed in the nonbypass condition, this SR is met and the channel considered OPERABLE.
| |
| Columbia Generating Station B 3.3.4.1-7 Revision 98
| |
| | |
| EOC-RPT Instrumentation B 3.3.4.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.4.1.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the pump breakers is included as a part of this test, overlapping the LOGIC SYSTEM FUNCTIONAL TEST, to provide complete testing of the associated safety function. Therefore, if a breaker is incapable of operating, the associated instrument channel would also be inoperable.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.4.1.5 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis. The EOC-RPT SYSTEM RESPONSE TIME acceptance criteria are included in Reference 6.
| |
| A Note to the Surveillance states that breaker arc suppression time may be assumed from the most recent performance of SR 3.3.4.1.6. This is allowed since the arc suppression time is short and does not appreciably change, due to the design of the breaker opening device and the fact that the breaker is not routinely cycled.
| |
| Response times cannot be determined at power because operation of final actuated devices is required. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.4.1.6 This SR ensures that the RPT breaker arc suppression time is provided to the EOC-RPT SYSTEM RESPONSE TIME test. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.3.4.1-8 Revision 93
| |
| | |
| EOC-RPT Instrumentation B 3.3.4.1 BASES REFERENCES 1. FSAR, Section 7.6.1.5.
| |
| : 2. FSAR, Section 5.2.2.
| |
| : 3. FSAR, Sections 15.2.2, 15.2.3, 15.2.5, and 15.2.6.
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| : 5. GENE-770-06-1-A, "Bases for Changes To Surveillance Test Intervals And Allowed Out-Of-Service Times For Selected Instrumentation Technical Specifications," December 1992.
| |
| : 6. Licensee Controlled Specifications Manual.
| |
| Columbia Generating Station B 3.3.4.1-9 Revision 93
| |
| | |
| ATWS-RPT Instrumentation B 3.3.4.2 B 3.3 INSTRUMENTATION B 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT)
| |
| Instrumentation BASES BACKGROUND The ATWS-RPT System initiates a recirculation pump trip, adding negative reactivity, following events in which a scram does not, but should occur, to lessen the effects of an ATWS event. Tripping the recirculation pumps adds negative reactivity from the increase in steam voiding in the core area as core flow decreases. When Reactor Vessel Water Level -
| |
| Low Low, Level 2 or Reactor Vessel Steam Dome Pressure - High setpoint is reached, the recirculation pump motor breakers trip.
| |
| The ATWS-RPT System (Ref. 1) includes sensors, relays, bypass capability, circuit breakers, and switches that are necessary to cause initiation of a recirculation pump trip. The channels include electronic equipment (e.g., trip relays) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel outputs an ATWS-RPT signal to the trip logic.
| |
| The ATWS-RPT consists of two independent trip systems, with two channels of Reactor Vessel Steam Dome Pressure - High and two channels of Reactor Vessel Water Level - Low Low, Level 2, in each trip system. Each ATWS-RPT trip system is a two-out-of-two logic for each Function. Thus, either two Reactor Water Level - Low Low, Level 2 or two Reactor Vessel Steam Dome Pressure - High signals are needed to trip a trip system. The outputs of the channels in a trip system are combined in a logic so that one trip system trips one recirculation pump (by tripping one of the respective drive motor breakers) while the other trip system trips the other recirculation pump.
| |
| APPLICABLE The ATWS-RPT initiates an RPT to aid in preserving the integrity of the SAFETY fuel cladding following events in which scram does not, but should, occur.
| |
| ANALYSES, LCO, The ATWS-RPT is credited in the ASME overpressure analysis in FSAR and APPLICABILITY Section 5.2.2. Based on its contribution to the reduction of overall plant risk, however, the instrumentation meets Criterion 4 of Reference 2.
| |
| The OPERABILITY of the ATWS-RPT is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have a required number of OPERABLE channels in each trip system, with their setpoints within the specified Allowable Value of SR 3.3.4.2.3. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Channel OPERABILITY also includes the associated recirculation pump drive motor breaker.
| |
| Columbia Generating Station B 3.3.4.2-1 Revision 73
| |
| | |
| ATWS-RPT Instrumentation B 3.3.4.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Allowable Values are specified for each ATWS-RPT Function specified in the LCO. Nominal trip setpoints are specified in the setpoint calculations.
| |
| The nominal setpoints are selected to ensure the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the analysis. The Allowable Values are derived from the analytic limits corrected for process and all instrument uncertainties, except drift and calibration. The trip setpoints are derived from the analytic limits, corrected for process and all instrument uncertainties, including drift and calibration. The trip setpoints derived in this manner provide adequate protection because all instrumentation uncertainties and process effects are taken into account.
| |
| The individual Functions are required to be OPERABLE in MODE 1 to protect against common mode failures of the Reactor Protection System by providing a diverse trip to mitigate the consequences of a postulated ATWS event. The Reactor Vessel Steam Dome Pressure - High and Reactor Vessel Water Level - Low Low, Level 2 Functions are required to be OPERABLE in MODE 1, since the reactor is producing significant power and the recirculation system could be at high flow. During this MODE, the potential exists for pressure increases or low water level, assuming an ATWS event. In MODE 2, the reactor is at low power and the recirculation system is at low flow; thus, the potential is low for a pressure increase or low water level, assuming an ATWS event.
| |
| Therefore, the ATWS-RPT is not necessary. In MODES 3 and 4, the reactor is shut down with all control rods inserted; thus, an ATWS event is not significant and the possibility of a significant pressure increase or low water level is negligible. In MODE 5, the one-rod-out interlock ensures the reactor remains subcritical; thus, an ATWS event is not significant. In addition, the reactor pressure vessel (RPV) head is not fully tensioned and no pressure transient threat to the reactor coolant pressure boundary (RCPB) exists.
| |
| The specific Applicable Safety Analyses and LCO discussions are listed below on a Function by Function basis.
| |
| Columbia Generating Station B 3.3.4.2-2 Revision 73
| |
| | |
| ATWS-RPT Instrumentation B 3.3.4.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| : a. Reactor Vessel Water Level - Low Low, Level 2 Low RPV water level indicates the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the ATWS-RPT System is initiated at Level 2 to aid in maintaining level above the top of the active fuel. The reduction of core flow reduces the neutron flux and THERMAL POWER and, therefore, the rate of coolant boiloff.
| |
| Reactor vessel water level signals are initiated from four differential pressure switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.
| |
| Four channels of Reactor Vessel Level - Low Low, Level 2, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Vessel Water Level - Low Low, Level 2, Allowable Value is chosen so that the system will not initiate after a Level 3 scram with feedwater still available, and for convenience with the reactor core isolation cooling (RCIC) initiation.
| |
| : b. Reactor Steam Dome Pressure - High Excessively high RPV pressure may rupture the RCPB. An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This increases neutron flux and THERMAL POWER, which could potentially result in fuel failure and RPV overpressurization. The Reactor Vessel Steam Dome Pressure - High Function initiates an RPT for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power generation. For the overpressurization event, the RPT aids in the termination of the ATWS event and, along with the safety/relief valves (SRVs), limits the peak RPV pressure to less than the ASME Section III Code Service Level C limits (1500 psig).
| |
| Columbia Generating Station B 3.3.4.2-3 Revision 73
| |
| | |
| ATWS-RPT Instrumentation B 3.3.4.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| The Reactor Vessel Steam Dome Pressure - High signals are initiated from four pressure switches that monitor reactor steam dome pressure.
| |
| Four channels of Reactor Vessel Steam Dome Pressure - High, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Vessel Steam Dome Pressure - High Allowable Value is chosen to provide an adequate margin to the ASME Section III Code Service Level C allowable Reactor Coolant System pressure.
| |
| ACTIONS A Note has been provided to modify the ACTIONS related to ATWS-RPT instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ATWS-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels.
| |
| As such, a Note has been provided that allows separate Condition entry for each inoperable ATWS-RPT instrumentation channel.
| |
| A.1 and A.2 With one or more channels inoperable, but with ATWS-RPT trip capability for each Function maintained (refer to Required Action B.1 and C.1 Bases), the ATWS-RPT System is capable of performing the intended function for one of the recirculation pumps. However, the reliability and redundancy of the ATWS-RPT instrumentation is reduced, such that a single failure in the remaining trip system could result in the inability of the ATWS-RPT System to perform the intended function for both of the recirculation pumps. Therefore, only a limited time is allowed to restore the inoperable channels to OPERABLE status. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of ATWS-RPT, 7 days is provided to restore the inoperable channel (Required Action A.1). Alternately, the inoperable channel may be placed in trip (Required Action A.2), since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an Columbia Generating Station B 3.3.4.2-4 Revision 73
| |
| | |
| ATWS-RPT Instrumentation B 3.3.4.2 BASES ACTIONS (continued) inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). If it is not desirable to place the channel in trip (e.g., as in the case where placing the inoperable channel would result in an RPT), or if the inoperable channel is the result of an inoperable breaker, Condition D must be entered and its Required Actions taken.
| |
| B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining ATWS-RPT trip capability. A Function is considered to be maintaining ATWS-RPT trip capability when sufficient channels are OPERABLE or in trip such that the ATWS-RPT System will generate a trip signal from the given Function on a valid signal, and one recirculation pump can be tripped. This requires two channels of the Function in the same trip system to each be OPERABLE or in trip, and the associated drive motor breaker to be OPERABLE or in trip.
| |
| The 72 hour Completion Time is sufficient for the operator to take corrective action (e.g., restoration or tripping of channels) and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period and the fact that one Function is still maintaining ATWS-RPT trip capability.
| |
| C.1 Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within both Functions result in both Functions not maintaining ATWS-RPT trip capability. The description of a Function maintaining ATWS-RPT trip capability is discussed in the Bases for Required Action B.1, above.
| |
| The 1 hour Completion Time is sufficient for the operator to take corrective action and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period.
| |
| Columbia Generating Station B 3.3.4.2-5 Revision 73
| |
| | |
| ATWS-RPT Instrumentation B 3.3.4.2 BASES ACTIONS (continued)
| |
| D.1 and D.2 With any Required Action and associated Completion Time not met, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours (Required Action D.2). Alternately, the associated recirculation pump may be removed from service since this performs the intended Function of the instrumentation (Required Action D.1). The allowed Completion Time of 6 hours is reasonable, based on operating experience, both to reach MODE 2 from full power conditions and to remove a recirculation pump from service in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE The Surveillances are modified by a Note to indicate that when a channel REQUIREMENTS is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains ATWS-RPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 3) assumption of the average time required to perform channel surveillance.
| |
| That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the recirculation pumps will trip when necessary.
| |
| SR 3.3.4.2.1 Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a qualitative assessment, by observation, of channel behavior during operation. This determination includes, where possible, comparison of the channel indication and status to other indications or status derived from independent instrument channels measuring the same parameter. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Columbia Generating Station B 3.3.4.2-6 Revision 93
| |
| | |
| ATWS-RPT Instrumentation B 3.3.4.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the required channels of this LCO.
| |
| SR 3.3.4.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.4.2.3 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies that the channel responds to the measured parameter within the necessary range and accuracy.
| |
| CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.4.2.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the pump breakers, included as part of this Surveillance, overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a breaker is incapable of operating, the associated instrument channel(s) would be inoperable.
| |
| Columbia Generating Station B 3.3.4.2-7 Revision 93
| |
| | |
| ATWS-RPT Instrumentation B 3.3.4.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 15.8.
| |
| : 2. 10CFR 50.36(c)(2)(ii).
| |
| : 3. GENE-770-06-1-A, "Bases For Changes To Surveillance Test Intervals and Allowed Out-of-Service Times For Selected Instrumentation Technical Specifications," December 1992.
| |
| Columbia Generating Station B 3.3.4.2-8 Revision 93
| |
| | |
| ECCS Instrumentation B 3.3.5.1 B 3.3 INSTRUMENTATION B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that fuel is adequately cooled in the event of a design basis accident or transient.
| |
| For most anticipated operational occurrences (AOOs) and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.
| |
| The ECCS instrumentation actuates low pressure core spray (LPCS), low pressure coolant injection (LPCI), high pressure core spray (HPCS),
| |
| Automatic Depressurization System (ADS), and the diesel generators (DGs). The equipment involved with each of these systems is described in the Bases for LCO 3.5.1, "ECCS - Operating" or LCO 3.8.1, "AC Sources - Operating."
| |
| Low Pressure Core Spray System The LPCS System may be initiated by either automatic or manual means.
| |
| Automatic initiation occurs for conditions of Reactor Vessel Water Level -
| |
| Low Low Low, Level 1 or Drywell Pressure - High. Reactor vessel water level is monitored by two redundant differential pressure switches and drywell pressure is monitored by two redundant pressure switches, which are, in turn, connected to two level switch and two pressure switch contacts, respectively. The outputs of the four switches (two switches from each of the two variables) are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. The LPCS initiation signal is a sealed-in signal and must be manually reset. The logic can also be initiated by use of a manual switch and push button, whose two contacts are arranged in a two-out-of-two logic. Upon receipt of an initiation signal, the LPCS pump is automatically started in approximately 9.5 seconds if normal AC power (from TR-S) is available; otherwise the pump is started immediately after AC power (from TR-B or the DG) is available.
| |
| The LPCS test line isolation valve, which is also a primary containment isolation valve (PCIV), is closed on a LPCS initiation signal to allow full system flow assumed in the accident analysis and to maintain containment isolation in the event LPCS is not operating.
| |
| Columbia Generating Station B 3.3.5.1-1 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND (continued)
| |
| The LPCS pump discharge flow is monitored by a flow indicating switch.
| |
| When the pump is running and discharge flow is low enough that pump overheating may occur, the minimum flow return line valve is opened.
| |
| The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the accident analysis.
| |
| The LPCS System also monitors the pressure in the reactor vessel to ensure that, before the injection valve opens, the reactor pressure has fallen to a value below the LPCS Systems maximum design pressure.
| |
| The variable is monitored by one pressure switch whose contact is arranged in a one-out-of-one logic.
| |
| Low Pressure Coolant Injection Subsystems The LPCI is an operating mode of the Residual Heat Removal (RHR)
| |
| System, with three LPCI subsystems. The LPCI subsystems may be initiated by automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or Drywell Pressure - High. Reactor vessel water level is monitored by two redundant differential pressure switches per division and drywell pressure is monitored by two redundant pressure switches per division, which are, in turn, connected to two level switch and two pressure switch contacts, respectively. The outputs of the four Division 2 LPCI (loops B and C) switches (two switches from each of the two variables) are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.
| |
| The Division 1 LPCI (loop A) receives its initiation signal from the LPCS logic, which uses a similar one-out-of-two taken twice logic. The two divisions can also be initiated by use of a manual switch and push button (one per division, with the LPCI A manual switch and push button being common with LPCS), whose two contacts are arranged in a two-out-of-two logic. Once an initiation signal is received by the LPCI control circuitry, the signal is sealed in until manually reset.
| |
| Upon receipt of an initiation signal, each LPCI pump is automatically started, (LPCI Pump C in approximately 9.5 seconds and LPCI Pumps A and B in approximately 19.4 seconds if normal AC power (from TR-S) is available; otherwise LPCI Pump C is started immediately after AC power (from TR-B or the DG) is available while LPCI Pumps A and B are started after a 5 second delay), to limit the loading on the normal and standby power sources.
| |
| Columbia Generating Station B 3.3.5.1-2 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND (continued)
| |
| Each LPCI subsystems discharge flow is monitored by a flow indicating switch. When a pump is running and discharge flow is low enough that pump overheating may occur, the respective minimum flow return line valve is opened after approximately 8 seconds. The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the analyses.
| |
| The RHR test line suppression pool cooling and spray isolation valves, which are also PCIVs, are closed on a LPCI initiation signal to allow full system flow assumed in the accident analysis and to maintain containment isolated in the event LPCI is not operating.
| |
| The LPCI subsystems monitor the pressure in the reactor vessel to ensure that, prior to an injection valve opening, the reactor pressure has fallen to a value below the LPCI subsystems maximum design pressure.
| |
| The variable is monitored by three redundant switches (one per valve),
| |
| whose contacts are arranged in a one-out-of-one logic for each valve.
| |
| High Pressure Core Spray System The HPCS System may be initiated by either automatic or manual means.
| |
| Automatic initiation occurs for conditions of Reactor Vessel Water Level -
| |
| Low Low, Level 2 or Drywell Pressure - High. Reactor vessel water level is monitored by four redundant differential pressure switches and drywell pressure is monitored by four redundant pressure switches. The outputs of the switches are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic for each variable. The logic can also be initiated by use of a manual switch and push button, whose two contacts are arranged in a two-out-of-two logic. The HPCS System initiation signal is a sealed in signal and must be manually reset.
| |
| The HPCS pump discharge flow is monitored by a flow switch. When the pump is running and discharge flow is low enough that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint to allow full system flow assumed in the accident analyses.
| |
| The HPCS test line isolation valves, of which the suppression pool test line isolation valve is also a PCIV, are closed on a HPCS initiation signal to allow full system flow assumed in the accident analyses and to maintain containment isolated in the event HPCS is not operating.
| |
| Columbia Generating Station B 3.3.5.1-3 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND (continued)
| |
| The HPCS System also monitors the water levels in the condensate storage tanks (CST) and the suppression pool, since these are the two sources of water for HPCS operation. Reactor grade water in the CST is the normal and preferred source. Upon receipt of a HPCS initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position), unless the suppression pool suction valve is open. If the water level in the CST falls below a preselected level, first the suppression pool suction valve automatically opens, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST. Either switch can cause the suppression pool suction valve to open and the CST suction valve to close (one-out-of-two logic). The suppression pool suction valve also automatically opens and the CST suction valve closes if high water level is detected in the suppression pool. Two level switches are also used to detect high suppression pool water level, with a one-out-of-two logic similar to the CST water level logic. To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be open before the other automatically closes.
| |
| The HPCS System provides makeup water to the reactor until the reactor vessel water level reaches the high water level (Level 8) trip, at which time the HPCS injection valve closes. The HPCS pump will continue to run on minimum flow. The logic is two-out-of-two to provide high reliability of the HPCS System. The injection valve automatically reopens if a low low water level signal is subsequently received.
| |
| Automatic Depressurization System ADS may be initiated by either automatic or manual means. Automatic initiation occurs when signals indicating Reactor Vessel Water Level -
| |
| Low Low Low, Level 1; confirmed Reactor Vessel Water Level - Low, Level 3; and either LPCS or LPCI Pump Discharge Pressure - High are all present, and the ADS Initiation Timer has timed out. There are two differential pressure switches for Reactor Vessel Water Level - Low Low Low, Level 1 and one differential pressure switch for confirmed Reactor Vessel Water Level - Low, Level 3 in each of the two ADS trip systems.
| |
| Each of these differential pressure switches connects to a level switch, which then drives a relay whose contacts form the initiation logic.
| |
| Each ADS trip system (trip system A and trip system B) includes a time delay between satisfying the initiation logic and the actuation of the ADS valves. The time delay chosen is long enough that the HPCS has time to operate to recover to a level above Level 1, yet not so long that the LPCI Columbia Generating Station B 3.3.5.1-4 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND (continued) and LPCS systems are unable to adequately cool the fuel if the HPCS fails to maintain level. An alarm in the control room is annunciated when either of the timers is running. Resetting the ADS initiation signals resets the ADS Initiation Timers.
| |
| The ADS also monitors the discharge pressures of the three LPCI pumps and the LPCS pump. Each ADS trip system includes two discharge pressure permissive switches from each of the two low pressure ECCS pumps in the associated Division (i.e., Division 1 ECCS inputs to ADS trip system A and Division 2 ECCS inputs to ADS trip system B). The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has depressurized the vessel. Any one of the four low pressure pumps provides sufficient core coolant flow to permit automatic depressurization.
| |
| The ADS logic in each trip system is arranged in two strings. One string has a contact from each of the following variables: Reactor Vessel Water Level - Low Low Low, Level 1; Reactor Vessel Water Level - Low, Level 3; ADS Initiation Timer; and two low pressure ECCS Discharge Pressure - High contacts (one from each divisional pump). The other string has a contact from each of the following variables: Reactor Vessel Water Level - Low Low Low, Level 1; and two low pressure ECCS Discharge Pressure - High contacts (one from each divisional pump). To initiate an ADS trip system, the following applicable contacts must close in the associated string: Reactor Vessel Water Level - Low Low Low, Level 1; Reactor Vessel Water Level - Low, Level 3 (one string only);
| |
| ADS Initiation Timer; and one of the two low pressure ECCS Discharge Pressure - High contacts.
| |
| Either ADS trip system A or trip system B will cause all the ADS relief valves to open. Once an ADS trip system is initiated, it is sealed in until manually reset.
| |
| Manual initiation for each trip system is accomplished by use of two manual switches and push buttons, whose four contacts (two per manual switch and push button) are arranged in a four-out-of-four logic (two contacts per ADS logic string). Manual inhibit switches are provided in the control room for ADS; however, their function is not required for ADS OPERABILITY (provided ADS is not inhibited when required to be OPERABLE).
| |
| Columbia Generating Station B 3.3.5.1-5 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND (continued)
| |
| In addition to the ADS initiation instrumentation, the ADS accumulator backup compressed gas system is automatically aligned when the normal, non-safety related nitrogen supply pressure is low to ensure a safety related supply of air is provided to the ADS valves during post LOCA conditions. Each subsystem is actuated when two of the three pressure signals (one pressure signal closes the normal air supply valve, which then sends the trip signal) indicate a low ADS air header pressure.
| |
| Diesel Generators The Division 1, 2, and 3 DGs may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or Drywell Pressure - High for DGs 1 and 2, and Reactor Vessel Water Level - Low Low, Level 2 or Drywell Pressure - High for DG 3. The DGs are also initiated upon loss of voltage signals. (Refer to Bases for LCO 3.3.8.1, "Loss of Power (LOP)
| |
| Instrumentation," for a discussion of these signals.) Reactor vessel water level is monitored by two redundant differential pressure switches and drywell pressure is monitored by two redundant pressure switches per DG, which are, in turn, connected to two level switch and two pressure switch contacts, respectively. The outputs of the four divisionalized switches (two switches from each of the two variables) are connected to relays whose contacts are connected to a one-out-of-two taken twice logic. The DGs receive their initiation signals from the associated Divisions' ECCS logic (i.e., DG 1 receives an initiation signal from Division 1 ECCS (LPCS and LPCI A); DG 2 receives an initiation signal from Division 2 ECCS (LPCI B and LPCI C); and DG 3 receives an initiation signal from Division 3 ECCS (HPCS)). The DGs can also be started manually from the control room and locally in the associated DG room. The DG initiation signal is a sealed in signal and must be manually reset. The DG initiation logic is reset by resetting the associated ECCS initiation logic. Upon receipt of an ECCS initiation signal, each DG is automatically started, is ready to load in approximately 15 seconds, and will run in standby conditions (rated voltage and speed, with the DG output breaker open). The DGs will only energize their respective Engineered Safety Feature (ESF) buses if a loss of offsite power occurs (Refer to Bases for LCO 3.3.8.1).
| |
| APPLICABLE The actions of the ECCS are explicitly assumed in the safety analyses of SAFETY References 1, 2, and 3. The ECCS is initiated to preserve the integrity of ANALYSES, LCO, the fuel cladding by limiting the post LOCA peak cladding temperature to and APPLICABILITY less than the 10 CFR 50.46 limits.
| |
| Columbia Generating Station B 3.3.5.1-6 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| ECCS instrumentation satisfies Criterion 3 of Reference 4. Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.
| |
| The OPERABILITY of the ECCS instrumentation is dependent and upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Each ECCS injection/spray subsystem must also respond within its assumed response time. Table 3.3.5.1-1, footnote (b), is added to show that certain ECCS instrumentation Functions are also required to be OPERABLE to perform DG initiation.
| |
| Allowable Values are specified for each ECCS Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations.
| |
| The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS.
| |
| Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for process and all instrument uncertainties, except drift and calibration. The trip setpoints are derived from the analytic limits, corrected for process and all instrument uncertainties, including drift and calibration. The trip setpoints derived in this manner provide adequate protection because all instrumentation uncertainties and process effects are taken into account. Some functions have both an upper and lower analytic limit that must be evaluated. The Allowable Values and the trip setpoints are derived from both an upper and lower analytic limit using the methodology described above. Due to the upper and lower analytic limits, Allowable Values of these Functions appear to incorporate a range. However, the upper and lower Allowable Values are unique, with each Allowable Value associated with one unique analytic limit and trip setpoint.
| |
| Columbia Generating Station B 3.3.5.1-7 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or DG) initiation to mitigate the consequences of a design basis accident or transient. To ensure reliable ECCS and DG function, a combination of Functions is required to provide primary and secondary initiation signals.
| |
| The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.
| |
| Low Pressure Core Spray and Low Pressure Coolant Injection Systems 1.a, 2.a. Reactor Vessel Water Level - Low Low Low, Level 1 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The low pressure ECCS and associated DGs are initiated at Level 1 to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The Reactor Vessel Water Level - Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in References 1, 2, and 3. In addition, the Reactor Vessel Water Level - Low Low Low, Level 1 Function is directly assumed in the analysis of the recirculation line break (Refs. 1, 2, and 3).
| |
| The core cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
| |
| Reactor Vessel Water Level - Low Low Low, Level 1 signals are initiated from four differential pressure switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure core flooding systems to activate and provide adequate cooling.
| |
| Two channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function per associated Division are only required to be OPERABLE when the associated ECCS or DG is required to be OPERABLE, to ensure that no single instrument failure can preclude ECCS initiation.
| |
| (Two channels input to LPCS, LPCI A, and DG 1, while the other two channels input to LPCI B, LPCI C, and DG 2.)
| |
| Columbia Generating Station B 3.3.5.1-8 Revision 111
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 1.b, 2.b. Drywell Pressure - High High pressure in the drywell could indicate a break in the reactor coolant pressure boundary (RCPB). The low pressure ECCS and associated DGs are initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage. However, no credit is taken for the Drywell Pressure - High Function to start the low pressure ECCS in any design basis accident or transient analyses. It is retained for overall redundancy and diversity of the low pressure ECCS function as required by the NRC in the plant licensing basis. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
| |
| High drywell pressure signals are initiated from four pressure switches that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.
| |
| Negative barometric fluctuations are accounted for in the Allowable Value.
| |
| The Drywell Pressure - High Function is required to be OPERABLE when the associated ECCS and DGs are required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the LPCS and LPCI Drywell Pressure - High Function are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude ECCS initiation. (Two channels input to LPCS, LPCI A, and DG 1, while the other two channels input to LPCI B, LPCI C, and DG 2.) In MODES 4 and 5, the Drywell Pressure - High Function is not required since there is insufficient energy in the reactor to pressurize the primary containment to Drywell Pressure - High setpoint. Refer to LCO 3.5.1 for Applicability Bases for the low pressure ECCS subsystems and to LCO 3.8.1 for Applicability Bases for the DGs.
| |
| 1.c, 1.d, 1.e, 2.c, 2.d, 2.e. LPCS and LPCI Pumps A, B, and C Start -
| |
| LOCA Time Delay Relay and LPCI Pumps A and B Start - LOCA/LOOP Time Delay Relay The purpose of these time delays is to stagger the start of the ECCS pumps that are in each of Divisions 1 and 2, thus limiting the starting transients on the 4.16 kV emergency buses. The LOCA Time Delay Relay Function is only necessary when the power is being supplied from the TR-S transformer, and the LOCA/LOOP Time Delay Relay Function is only necessary when power is being supplied from the standby power Columbia Generating Station B 3.3.5.1-9 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) sources (DG). However, since the LOCA/LOOP time delay does not degrade ECCS operation, it remains in the pump start logic at all times.
| |
| The Pump Start - LOCA and LOCA/LOOP Time Delay Relays are assumed to be OPERABLE in the accident and transient analyses requiring ECCS initiation. That is, the analysis assumes that the pumps will initiate when required and excess loading will not cause failure of the power sources due to a degraded voltage condition (see Table 3.3.8.1-1).
| |
| There are four Pump Start - LOCA Time Delay Relay channels, one in each of the low pressure ECCS pump start logic circuits. Each of the LOCA Time Delay Relay channels consists of a Drywell Pressure - High and Reactor Level 2 sensor, auxiliary relay logic, and circuit breaker position switches to initiate the LOCA time delay relay when on TR-S.
| |
| The LOCA Time Delay Relay channel sensors also provide Drywell Pressure - High RPS Trip (Table 3.3.1.1-1 Function 6) and Drywell Pressure/Level 2 Primary Containment and RWCU Isolation (Table 3.3.6.1-1 Functions 2.b, 2.c, and 4.j) and Secondary Containment Isolation (Table 3.3.6.2-1 Functions 1 and 2) channel signals. A Drywell Pressure - High and a Level 2 sensor are in series and deenergize (either instrument) to initiate a LOCA Time Delay Relay channel. Two LOCA Time Delay Relay channels are provided for each division low pressure ECCS Function. Initiation of one LOCA Time Delay Relay channel will result in the other LOCA Time Delay Relay channel in the division initiating simultaneously to assure a nominal 9.9 second difference in low pressure ECCS subsystem starts within each ECCS function (LPCS/LPCI-C are set at 9.5 seconds and LPCI-A/LPCI-B are set at 19.4 seconds with appropriate allowable values.) While each channel is dedicated to a single pump start logic, a single failure of an instrument sensor or logic relay could potentially result in failure of the offsite 230 kV supply. One low pressure ECCS pump on either ESF bus could start simultaneously with the HPCS pump followed shortly by a second low pressure ECCS pump start while powered from the 230 kV offsite supply and potentially trip the 230 kV circuit supply to both ESF buses and HPCS. The transfer would occur due to degraded voltage relay operation. If loss of the 230 kV source occurs, transfer to the 115 kV or DGs will occur within the ECCS RESPONSE TIME (for MODE 1, 2, or 3).
| |
| Thus, single failure criteria is met for this condition. However, the supported ECCS features are impacted and appropriate Actions and Completion Times have been established in LCO 3.3.5.1, Action C.
| |
| Additionally, the 230 kV offsite supply is a supported feature by the LOCA Time Delay Relay channels for use in meeting LCO 3.8.1 or LCO 3.8.2. A Note (e) has been provided to Table 3.3.5.1-1 that identifies Functions 1c, 1d, 2c, and 2d as supporting OPERABILITY of the 230 kV offsite power source. This assumes HPCS or the low pressure ECCS pumps on the Columbia Generating Station B 3.3.5.1-10 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) affected division are not disabled to prevent automatic loading. Use of the Safety Function Determination Program (TS 5.5.11) provides the means for AC Sources OPERABILITY determination.
| |
| There are two Pump Start - LOCA/LOOP Time Delay Relay channels, one in each of the RHR "A" and RHR "B" pump start logic circuits. The LOCA/LOOP Time Delay Relay channels consist of Level 1 and Drywell Pressure - High sensors (Table 3.3.5.1-1 Functions 1.a, 1.b, 2.a, and 2.b), auxiliary relay logic, circuit breaker position switches and power available relays. While each time delay is dedicated to a single pump start logic, a single failure of a Pump Start LOCA/LOOP Time Delay Relay could result in the failure of the two low pressure ECCS pumps, powered from the same ESF bus, to perform their intended function within the assumed ECCS RESPONSE TIMES (MODE 1, 2, or 3). In this case, both ECCS pumps on one ESF bus could start simultaneously when powered by the associated onsite DG due to an inoperable LOCA/LOOP Time Delay Relay and cause loss of the ESF bus. In the case of simultaneous starts of both ECCS pumps on a DG, this still leaves two of the four low pressure ECCS pumps OPERABLE; thus, single failure criterion is met (i.e., loss of one instrument does not preclude ECCS initiation within the ECCS RESPONSE TIME requirements).
| |
| The Allowable Values for the Pump Start - LOCA and LOCA/LOOP Time Delay Relay channels are chosen to be long enough so that most of the starting transient of the first pump is complete before starting the second pump on the same 4.16 kV emergency bus, and short enough so that ECCS operation is not degraded. Appropriate Actions and Completion Times are specified to limit the time a LOCA or a LOCA/LOOP Time Delay Relay channel can be inoperable.
| |
| Columbia Generating Station B 3.3.5.1-11 Revision 111
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Only the Reactor Vessel Water - Low Low, Level 2 (Function 2b LCO Table 3.3.6.1-1) is required for input to the LOCA Time Delay Relay Channels. The Drywell Pressure - High Function is not required for input to the LOCA and LOCA/LOOP Time Delay Relay Channels since there is insufficient energy in the reactor to pressurize the primary containment to Drywell Pressure - High setpoint.
| |
| 1.f, 2.f. Reactor Vessel Pressure - Low (Injection Permissive)
| |
| Low reactor vessel pressure signals are used as permissives for the low pressure ECCS subsystems. This ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure. The Reactor Vessel Pressure - Low is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in References 1, 2, and 3. In addition, the Reactor Vessel Pressure - Low Function is directly assumed in the analysis of the recirculation line break (Refs. 1, 2, and 3). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
| |
| The Reactor Vessel Pressure - Low signals are initiated from four pressure switches that sense the reactor dome pressure (one pressure switch for each low pressure ECCS injection valve).
| |
| The Allowable Value is low enough to prevent overpressurizing the equipment in the low pressure ECCS, but high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46.
| |
| Each channel of Reactor Vessel Pressure - Low Function (one per valve) is only required to be OPERABLE when the associated ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation.
| |
| Columbia Generating Station B 3.3.5.1-12 Revision 111
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 1.g, 1.h, 2.g. LPCS and LPCI Pump Discharge Flow - Low (Minimum Flow)
| |
| The minimum flow instruments are provided to protect the associated low pressure ECCS pump from overheating when the pump is operating and the associated injection valve is not sufficiently open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump.
| |
| The LPCI and LPCS Pump Discharge Flow - Low Functions are assumed to be OPERABLE and capable of closing the minimum flow valves to ensure that the low pressure ECCS flows assumed during the transients and accidents analyzed in References 1, 2, and 3 are met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
| |
| One flow indicating switch per ECCS pump is used to detect the associated subsystem's flow rate. The logic is arranged such that each indicating switch causes its associated minimum flow valve to open when flow is low with the pump running. The logic will close the minimum flow valve once the closure setpoint is exceeded. The LPCI minimum flow valves are time delayed such that the valves will not open for 8 seconds after the switches detect low flow. The time delay is provided to limit reactor vessel inventory loss during the startup of the RHR shutdown cooling mode. The Pump Discharge Flow - Low Allowable Values are high enough to ensure that the pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core.
| |
| Each channel of Pump Discharge Flow - Low Function (one LPCS channel and three LPCI channels) is only required to be OPERABLE when the associated ECCS is required to be OPERABLE, to ensure that no single instrument failure can preclude the ECCS function.
| |
| 1.i, 2.h. Manual Initiation The Manual Initiation switch and push button channels introduce signals into the appropriate ECCS logic to provide manual initiation capability and are redundant to the automatic protective instrumentation. There is one switch and push button (with two channels per switch and push button) for each of the two Divisions of low pressure ECCS (i.e., Division 1 ECCS, LPCS and LPCI A; Division 2 ECCS, LPCI B and LPCI C).
| |
| Columbia Generating Station B 3.3.5.1-13 Revision 111
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the low pressure ECCS function as required by the NRC in the plant licensing basis.
| |
| There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the switch and push buttons. Each channel of the Manual Initiation Function (two channels per Division) is only required to be OPERABLE when the associated ECCS is required to be OPERABLE.
| |
| High Pressure Core Spray System 3.a. Reactor Vessel Water Level - Low Low, Level 2 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCS System and associated DG is initiated at Level 2 to maintain level above the top of the active fuel. The Reactor Vessel Water Level - Low Low, Level 2 is one of the Functions assumed to be OPERABLE and capable of initiating HPCS during the transients analyzed in References 1, 2, and 3. The Reactor Vessel Water Level -
| |
| Low Low, Level 2 Function associated with HPCS is directly assumed in the analysis of the recirculation line break (Refs. 1, 2, and 3). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
| |
| Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from four differential pressure switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.
| |
| The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value is chosen such that for complete loss of feedwater flow, the Reactor Core Isolation Cooling (RCIC) System flow with HPCS assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Reactor Vessel Water Level - Low Low Low, Level 1.
| |
| Columbia Generating Station B 3.3.5.1-14 Revision 111
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are only required to be OPERABLE when HPCS is required to be OPERABLE to ensure that no single instrument failure can preclude HPCS initiation. Refer to LCO 3.5.1 and LCO 3.5.2 for HPCS Applicability Bases.
| |
| 3.b. Drywell Pressure - High High pressure in the drywell could indicate a break in the RCPB. The HPCS System and associated DG are initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage. However, no credit is taken for the Drywell Pressure - High Function to start the HPCS System in any DBA or transient analyses; that is, HPCS is assumed to be initiated on Reactor Water Level - Low Low, Level 2. It is retained for overall redundancy and diversity of the HPCS function as required by the NRC in the plant licensing basis. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
| |
| Drywell Pressure - High signals are initiated from four pressure switches that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.
| |
| The Drywell Pressure - High Function is required to be OPERABLE when HPCS is required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the HPCS Drywell Pressure - High Function are required to be OPERABLE in MODES 1, 2, and 3, to ensure that no single instrument failure can preclude ECCS initiation. In MODES 4 and 5, the Drywell Pressure - High Function is not required since there is insufficient energy in the reactor to pressurize the drywell to the Drywell Pressure - High Function's setpoint. Refer to LCO 3.5.1 for the Applicability Bases for the HPCS System.
| |
| 3.c Reactor Vessel Water Level - High, Level 8 High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel.
| |
| Therefore, the Level 8 signal is used to close the HPCS injection valve to prevent overflow into the main steam lines (MSLs). The Reactor Vessel Water Level - High, Level 8 Function is not assumed in the accident and transient analyses. It was retained since it is a potentially significant contributor to risk, thus it meets Criterion 4 of Reference 4.
| |
| Columbia Generating Station B 3.3.5.1-15 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Reactor Vessel Water Level - High, Level 8 signals for HPCS are initiated from two differential pressure switches from the narrow range water level measurement instrumentation. The Reactor Vessel Water Level - High, Level 8 Allowable Value is chosen to isolate flow from the HPCS System prior to water overflowing into the MSLs. Two channels of Reactor Vessel Water Level - High, Level 8 Function are only required to be OPERABLE when HPCS is required to be OPERABLE to ensure that no single instrument failure can preclude HPCS initiation. Refer to LCO 3.5.1 for HPCS Applicability Bases.
| |
| 3.d. Condensate Storage Tank Level - Low Low level in the CST indicates the unavailability of an adequate supply of makeup water from this normal source. Normally the suction valves between HPCS and the CST are open and, upon receiving a HPCS initiation signal, water for HPCS injection would be taken from the CST.
| |
| However, if the water level in the CST falls below a preselected level, first the suppression pool suction valve automatically opens, and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the HPCS pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valve must be open before the CST suction valve automatically closes. The Function is implicitly assumed in the accident and transient analyses (which take credit for HPCS) since the analyses assume that the HPCS suction source is the suppression pool.
| |
| Condensate Storage Tank Level - Low signals are initiated from two level switches mounted on a Seismic Category I standpipe in the reactor building (the two switches mounted on the CST cannot be credited since they are not Seismic Category I). The Condensate Storage Tank Level -
| |
| Low Function Allowable Value is high enough to ensure adequate pump suction head while water is being taken from the CST. The low water level limit in the CST is based on vortexing and potential air ingestion by the pump.
| |
| Two channels of the Condensate Storage Tank Level - Low Function are only required to be OPERABLE when HPCS is required to be OPERABLE to ensure that no single instrument failure can preclude HPCS swap to suppression pool source. Thus, the Function is required to be OPERABLE in MODES 1, 2, and 3. With CST water level within limits, a sufficient supply of water exists Columbia Generating Station B 3.3.5.1-16 Revision 111
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) for injection to minimize the consequences of a vessel draindown event.
| |
| Refer to LCO 3.5.1 for HPCS Applicability Bases.
| |
| 3.e. Suppression Pool Water Level - High Excessively high suppression pool water could result in the loads on the suppression pool exceeding design values should there be a blowdown of the reactor vessel pressure through the SRVs. Therefore, signals indicating high suppression pool water level are used to transfer the suction source of HPCS from the CST to the suppression pool to eliminate the possibility of HPCS continuing to provide additional water from a source outside containment. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valve must be open before the CST suction valve automatically closes. This Function is implicitly assumed in the accident and transient analyses (which take credit for HPCS) since the analyses assume that the HPCS suction source is the suppression pool.
| |
| Suppression Pool Water Level - High signals are initiated from two level switches. The Allowable Value for the Suppression Pool Water Level -
| |
| High Function is chosen to ensure that HPCS will be aligned for suction from the suppression pool before the water level reaches the point at which suppression pool design loads would be exceeded.
| |
| Two channels of Suppression Pool Water Level - High Function are only required to be OPERABLE in MODES 1, 2, and 3 when HPCS is required to be OPERABLE to ensure that no single instrument failure can preclude HPCS swap to suppression pool source. In MODES 4 and 5, the Function is not required to be OPERABLE since the reactor is depressurized and vessel blowdown, which could cause the design values of the containment to be exceeded, cannot occur. Refer to LCO 3.5.1 for HPCS Applicability Bases.
| |
| 3.f. HPCS System Flow Rate - Low (Minimum Flow)
| |
| The minimum flow instrument is provided to protect the HPCS pump from overheating when the pump is operating and the associated injection valve is not sufficiently open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The HPCS System Flow Rate - Low Function is assumed to be OPERABLE and capable of closing the minimum flow valve to ensure that the ECCS flow assumed during the transients and accidents analyzed in References 1, 2, and 3 are met.
| |
| The core cooling function of the ECCS, along with the scram action Columbia Generating Station B 3.3.5.1-17 Revision 111
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
| |
| One flow switch is used to detect the HPCS Systems flow rate. The logic is arranged such that the flow switch causes the minimum flow valve to open when flow is low with the pump running. The logic will close the minimum flow valve once the closure setpoint is exceeded.
| |
| The HPCS System Flow Rate - Low Allowable Value is high enough to ensure that pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core.
| |
| One channel of HPCS System Flow Rate - Low Function is required to be OPERABLE when the HPCS is required to be OPERABLE. Refer to LCO 3.5.1 for HPCS Applicability Bases.
| |
| 3.g. Manual Initiation The Manual Initiation switch and push button channels introduce a signal into the HPCS logic to provide manual initiation capability and is redundant to the automatic protective instrumentation. There is one switch and push button (with two channels) for the HPCS System.
| |
| The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the HPCS function as required by the NRC in the plant licensing basis.
| |
| There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the switch and push button. Two channels of the Manual Initiation Function are only required to be OPERABLE when the HPCS System are required to be OPERABLE. Refer to LCO 3.5.1 and LCO 3.5.2 for HPCS Applicability Bases.
| |
| Automatic Depressurization System 4.a, 5.a. Reactor Vessel Water Level - Low Low Low, Level 1 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function. The Reactor Vessel Water Level - Low Low Low, Columbia Generating Station B 3.3.5.1-18 Revision 111
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accidents analyzed in References 1, 2, and 3. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
| |
| The Reactor Vessel Water Level - Low Low Low, Level 1 signals are initiated from four differential pressure switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.
| |
| The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure core spray and flooding systems to initiate and provide adequate cooling.
| |
| Four channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function are only required to be OPERABLE when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. (Two channels input to ADS trip system A while the other two channels input to ADS trip system B). Refer to LCO 3.5.1 for ADS Applicability Bases.
| |
| 4.b, 5.b. ADS Initiation Timer The purpose of the ADS Initiation Timer is to delay depressurization of the reactor vessel to allow the HPCS System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited. By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCS System to maintain water level, and then to decide whether or not to allow ADS to initiate, to delay initiation further by recycling the timer, or to inhibit initiation permanently. The ADS Initiation Timer Function is assumed to be OPERABLE for the accident analyses of References 1, 2, and 3 that require ECCS initiation and assume failure of the HPCS System.
| |
| There are two ADS Initiation Timer relays, one in each of the two ADS trip systems. The Allowable Value for the ADS Initiation Timer is chosen to be short enough so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling. Two channels of the ADS Initiation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. (One channel inputs to ADS trip system A while the other channel inputs to ADS trip system B.) Refer to LCO 3.5.1 for ADS Applicability Bases.
| |
| Columbia Generating Station B 3.3.5.1-19 Revision 82
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 4.c, 5.c. Reactor Vessel Water Level - Low, Level 3 (Permissive)
| |
| The Reactor Vessel Water Level - Low, Level 3 Function is used by the ADS only as a confirmatory low water level signal. ADS receives one of the signals necessary for initiation from Reactor Vessel Water Level - Low Low Low, Level 1 signals. In order to prevent spurious initiation of the ADS due to spurious Level 1 signals, a Level 3 signal must also be received before ADS initiation commences.
| |
| Reactor Vessel Water Level - Low, Level 3 signals are initiated from two differential pressure switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Allowable Value for Reactor Vessel Water Level - Low, Level 3 is selected at the RPS Level 3 scram Allowable Value for convenience.
| |
| Refer to LCO 3.3.1.1, "Reactor Protection System (RPS)
| |
| Instrumentation," for Bases discussion of this Function.
| |
| Two channels of Reactor Vessel Water Level - Low, Level 3 Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. (One channel inputs to ADS trip system A while the other channel inputs to ADS trip system B.) Refer to LCO 3.5.1 for ADS Applicability Bases.
| |
| 4.d, 4.e, 5.d. LPCS and LPCI Pump Discharge Pressure - High The Pump Discharge Pressure - High signals (indicating that the pump is running) from the LPCS and LPCI pumps are used as permissives for ADS initiation, indicating that there is a source of low pressure cooling water available once the ADS has depressurized the vessel. Pump Discharge Pressure - High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in References 1, 2, and 3 with an assumed HPCS failure. For these events, the ADS depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling functions. This core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
| |
| Columbia Generating Station B 3.3.5.1-20 Revision 111
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Pump discharge pressure signals are initiated from eight pressure switches, two on the discharge side of each of the four low pressure ECCS pumps. In order to generate an ADS permissive in one trip system, it is necessary that only one pump (both channels for the pump) indicate the high discharge pressure condition. The Pump Discharge Pressure - High Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode, and high enough to avoid any condition that results in a discharge pressure permissive when the LPCS and LPCI pumps are aligned for injection and the pumps are not running. The actual operating point of this Function is not assumed in any transient or accident analysis.
| |
| Eight channels of LPCS and LPCI Pump Discharge Pressure - High Function (two LPCS and two LPCI A channels input to ADS trip system A, while two LPCI B and two LPCI C channels input to ADS trip system B) are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Refer to LCO 3.5.1 for ADS Applicability Bases.
| |
| 4.f, 5.e. Accumulator Backup Compressed Gas System Pressure - Low The purpose of the Accumulator Backup Compressed Gas System Pressure - Low Function is to ensure that a safety related supply of air is available to the ADS valves during post LOCA conditions. The normal air supply to the ADS valves is non-safety related and may not be available following a LOCA. If the normal air supply pressure is low, the Accumulator Backup Compressed Gas System Pressure - Low Function will automatically align the Accumulator Backup Compressed Gas System to provide the necessary air supply to the ADS valves. The Accumulator Backup Compressed Gas System Pressure - Low Function is assumed to be OPERABLE and capable of automatically aligning the Accumulator Backup Compressed Gas System during the accidents analyzed in References 1, 2, and 3.
| |
| Accumulator Backup Compressed Gas System Pressure - Low signals are initiated from six pressure switches that sense the ADS air header supply pressure. The Accumulator Backup Compressed Gas System Pressure - Low Allowable Value is chosen to ensure an adequate air supply is available to the ADS valves.
| |
| Six channels of Accumulator Backup Compressed Gas System Pressure - Low Function are only required to be OPERABLE when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. (Three channels input to Division 1 Columbia Generating Station B 3.3.5.1-21 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Accumulator Backup Compressed Gas subsystem and the other three channels input to Division 2 Accumulator Backup Compressed Gas subsystem.) Refer to LCO 3.5.1 for ADS Applicability Bases.
| |
| 4.g, 5.f. Manual Initiation The Manual Initiation switch and push button channels introduce signals into the ADS logic to provide manual initiation capability and are redundant to the automatic protective instrumentation. There are two switch and push buttons (with two channels per switch and push button) for each ADS trip system (total of four).
| |
| The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the ADS function as required by the NRC in the plant licensing basis.
| |
| There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the switch and push buttons. Eight channels of the Manual Initiation Function (four channels per ADS trip system) are only required to be OPERABLE when the ADS is required to be OPERABLE. Refer to LCO 3.5.1 for ADS Applicability Bases.
| |
| ACTIONS A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ECCS instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel.
| |
| A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.1-1. The applicable Condition specified in the Table is Function dependent. Each time a channel is discovered to be inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.
| |
| Columbia Generating Station B 3.3.5.1-22 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued)
| |
| B.1, B.2, and B.3 Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same variable result in redundant automatic initiation capability being lost for the feature(s). Required Action B.1 features would be those that are initiated by Functions 1.a, 1.b, 2.a, and 2.b (e.g., low pressure ECCS).
| |
| The Required Action B.2 feature would be HPCS. For Required Action B.1, redundant automatic initiation capability is lost if either (a) one or more Function 1.a channels and one or more Function 2.a channels are inoperable and untripped, or (b) one or more Function 1.b channels and one or more Function 2.b channels are inoperable and untripped.
| |
| For Divisions 1 and 2, since each inoperable channel would have Required Action B.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated Division of low pressure ECCS and DG to be declared inoperable. However, since channels in both Divisions are inoperable and untripped, and the Completion Times started concurrently for the channels in both Divisions, this results in the affected portions in both Divisions of ECCS and DG being concurrently declared inoperable. For Required Action B.2, redundant automatic initiation capability is lost if two Function 3.a or two Function 3.b channels are inoperable and untripped in the same trip system.
| |
| In this situation (loss of redundant automatic initiation capability), the 24 hour allowance of Required Action B.3 is not appropriate and the feature(s) associated with the inoperable, untripped channels must be declared inoperable within 1 hour. Notes are provided ( the Note to Required Action B.1 and Required Action B.2) to delineate which Required Action is applicable for each Function that requires entry into Condition B if an associated channel is inoperable. This ensures that the proper loss of initiation capability check is performed.
| |
| The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."
| |
| Columbia Generating Station B 3.3.5.1-23 Revision 111
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued)
| |
| For Required Action B.1, the Completion Time only begins upon discovery that a redundant feature in both Divisions (e.g., any Division 1 ECCS and Division 2 ECCS) cannot be automatically initiated due to inoperable, untripped channels within the same variable as described in the paragraph above. For Required Action B.2, the Completion Time only begins upon discovery that the HPCS System cannot be automatically initiated due to two inoperable, untripped channels for the associated Function in the same trip system. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.
| |
| Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.
| |
| Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.
| |
| C.1 and C.2 Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same variable result in redundant automatic initiation capability being lost for the feature(s).
| |
| Required Action C.1 features would be those that are initiated by Functions 1.c, 1.d, 1.e, 1.f, 2.c, 2.d, 2.e, and 2.f (i.e., low pressure ECCS). For Functions 1.c, 1.d, 2.c, and 2.d, redundant automatic initiation capability is lost if the Function 1.c or 1.d channel concurrent with the Function 2.c or 2.d channel are inoperable. For Functions 1.e and 2.e, redundant automatic initiation capability is lost if the Function 1.e and Function 2.e channels are inoperable. For Functions 1.f and 2.f, redundant automatic initiation capability is lost if one Function 1.f channel and one Function 2.f channel are inoperable. Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated Division to be declared inoperable. However, since channels in both Divisions are inoperable, and the Completion Times started concurrently for the channels in both Divisions, this results Columbia Generating Station B 3.3.5.1-24 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued) in the affected portions in both Divisions being concurrently declared inoperable. For Functions 1.c, 1.d, 2.c, and 2.d, the affected portion of the Divisions are LPCS, LPCI A, LPCI B, and LPCI C, respectively. For Functions 1.e and 2.e, the affected portions of the Division are LPCI A and LPCI B, respectively. For Functions 1.f and 2.f, the affected portions of the Division are the associated low pressure ECCS pumps (Divisions 1 and 2, respectively).
| |
| In this situation (loss of redundant automatic initiation capability), the 24 hour allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable within 1 hour.
| |
| The Note states that Required Action C.1 is only applicable for Functions 1.c, 1.d, 1.e, 1.f, 2.c, 2.d, 2.e, and 2.f. The Required Action is not applicable to Functions 1.i, 2.h, and 3.g (which also require entry into this Condition if a channel in these Functions is inoperable), since they are the Manual Initiation Functions and are not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 24 hours (as allowed by Required Action C.2) is allowed. Required Action C.1 is also not applicable to Function 3.c (which also requires entry into this Condition if a channel in this Function is inoperable), since the loss of one channel results in a loss of the Function (two-out-of-two logic).
| |
| This loss was considered during the development of Reference 5 and considered acceptable for the 24 hours allowed by Required Action C.2.
| |
| The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action C.1, the Completion Time only begins upon discovery that the same feature in both Divisions (e.g., any Division 1 ECCS and Division 2 ECCS) cannot be automatically initiated due to inoperable channels within the same variable as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.
| |
| Columbia Generating Station B 3.3.5.1-25 Revision 111
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued)
| |
| Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken.
| |
| The Required Actions do not allow placing the channel in trip since this action would either cause the initiation or would not necessarily result in a safe state for the channel in all events.
| |
| D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic component initiation capability for the HPCS System. Automatic component initiation capability is lost if two Function 3.d channels or two Function 3.e channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour allowance of Required Actions D.2.1 and D.2.2 is not appropriate and the HPCS System must be declared inoperable within 1 hour after discovery of loss of HPCS initiation capability. As noted, the Required Action is only applicable if the HPCS pump suction is not aligned to the suppression pool, since, if aligned, the Function is already performed.
| |
| The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the HPCS System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.
| |
| Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1 or the suction source must be aligned to the Columbia Generating Station B 3.3.5.1-26 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued) suppression pool per Required Action D.2.2. Placing the inoperable channel in trip performs the intended function of the channel (shifting the suction source to the suppression pool). Performance of either of these two Required Actions will allow operation to continue. If Required Action D.2.1 or Required Action D.2.2 is performed, measures should be taken to ensure that the HPCS System piping remains filled with water.
| |
| Alternately, if it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the HPCS suction piping), Condition H must be entered and its Required Action taken.
| |
| E.1 and E.2 Required Action E.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the LPCS and LPCI Pump Discharge Flow - Low (Minimum Flow) Functions result in redundant automatic initiation capability being lost for the feature(s). For Required Action E.1, the features would be those that are initiated by Functions 1.g, 1.h, and 2.g (e.g., low pressure ECCS). Redundant automatic initiation capability is lost if three of the four channels associated with Functions 1.g, 1.h, and 2.g are inoperable. Since each inoperable channel would have Required Action E.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected low pressure ECCS pump to be declared inoperable. However, since channels for more than one low pressure ECCS pump are inoperable, and the Completion Times started concurrently for the channels of the low pressure ECCS pumps, this results in the affected low pressure ECCS pumps being concurrently declared inoperable.
| |
| In this situation (loss of redundant automatic initiation capability), the 7 day allowance of Required Action E.2 is not appropriate and the feature(s) associated with each inoperable channel must be declared inoperable within 1 hour after discovery of loss of initiation capability for feature(s) in both Divisions. A Note is provided (the Note to Required Action E.1) to delineate that Required Action E.1 is only applicable to low pressure ECCS Functions. Required Action E.1 is not applicable to HPCS Function 3.f since the loss of one channel results in a loss of the Function (one-out-of-one logic). This loss was considered during the development of Reference 5 and considered acceptable for the 7 days allowed by Required Action E.2.
| |
| Columbia Generating Station B 3.3.5.1-27 Revision 111
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued)
| |
| The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action E.1, the Completion Time only begins upon discovery that three channels of the variable (Pump Discharge Flow - Low) cannot be automatically initiated due to inoperable channels. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.
| |
| If the instrumentation that controls the pump minimum flow valve is inoperable such that the valve will not automatically open, extended pump operation with no injection path available could lead to pump overheating and failure. If there were a failure of the instrumentation such that the valve would not automatically close, a portion of the pump flow could be diverted from the reactor injection path, causing insufficient core cooling.
| |
| These consequences can be averted by the operator's manual control of the valve, which would be adequate to maintain ECCS pump protection and required flow. Furthermore, other ECCS pumps would be sufficient to complete the assumed safety function if no additional single failure were to occur. The 7 day Completion Time of Required Action E.2 to restore the inoperable channel to OPERABLE status is reasonable based on the remaining capability of the associated ECCS subsystems, the redundancy available in the ECCS design, and the low probability of a DBA occurring during the allowed out of service time. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.
| |
| F.1 and F.2 Required Action F.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS. Automatic initiation capability is lost if either (a) one or more Function 4.a channel and one or more Function 5.a channel are inoperable and untripped, (b) one Function 4.c channel and one Function 5.c channel are inoperable and untripped, or (c) two or more Function 4.f channels and two or more Function 5.e channels are inoperable and untripped.
| |
| Columbia Generating Station B 3.3.5.1-28 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued)
| |
| In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action F.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability in both trip systems.
| |
| The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.
| |
| Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status if both HPCS and RCIC are OPERABLE. If either HPCS or RCIC is inoperable, the time is shortened to 96 hours. If the status of HPCS or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCS or RCIC inoperability. However, total time for an inoperable, untripped channel cannot exceed 8 days. If the status of HPCS or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action F.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.
| |
| Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.
| |
| G.1 and G.2 Required Action G.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS.
| |
| Automatic initiation capability is lost if either (a) one Function 4.b Columbia Generating Station B 3.3.5.1-29 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued) channel and one Function 5.b channel are inoperable, (b) one or more Function 4.d channels and one or more Function 5.d channels are inoperable, or (c) one or more Function 4.e channels and one or more Function 5.d channels are inoperable.
| |
| In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action G.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability in both trip systems. The Note to Required Action G.1 states that Required Action G.1 is only applicable for Functions 4.b, 4.d, 4.e, 5.b, and 5.d. Required Action G.1 is not applicable to Functions 4.g and 5.f (which also require entry into this Condition if a channel in these Functions is inoperable), since they are the Manual Initiation Functions and are not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 96 hours or 8 days (as allowed by Required Action G.2) is allowed.
| |
| The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action G.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions, as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.
| |
| Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status if both HPCS and RCIC are OPERABLE (Required Action G.2). If either HPCS or RCIC is inoperable, the time is reduced to 96 hours. If the status of HPCS or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCS or RCIC inoperability. However, total time for an inoperable channel cannot exceed 8 days. If the status of HPCS or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.
| |
| Columbia Generating Station B 3.3.5.1-30 Revision 73
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued)
| |
| H.1 With any Required Action and associated Completion Time not met, the associated feature(s) may be incapable of performing the intended function and the supported feature(s) associated with the inoperable untripped channels must be declared inoperable immediately.
| |
| SURVEILLANCE As noted at the beginning of the SRs, the SRs for each ECCS REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.5.1-1.
| |
| The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours as follows: (a) for Functions 3.c, 3.f, and 3.g; and (b) for Functions other than 3.c, 3.f, and 3.g provided the associated Function or redundant Function maintains ECCS initiation capability.
| |
| Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 5) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the ECCS will initiate when necessary.
| |
| SR 3.3.5.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a qualitative assessment, by observation, of channel behavior during operation. This determination includes, where possible, comparison of the channel indication and status to other indications or status derived from independent instrument channels measuring the same parameter.
| |
| It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.
| |
| Columbia Generating Station B 3.3.5.1-31 Revision 93
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.
| |
| SR 3.3.5.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.5.1.3, SR 3.3.5.1.4, and SR 3.3.5.1.5 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.
| |
| The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.5.1.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.8.1, and LCO 3.8.2 overlaps this Surveillance to provide complete testing of the assumed safety function.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.3.5.1-32 Revision 93
| |
| | |
| ECCS Instrumentation B 3.3.5.1 BASES REFERENCES 1. FSAR, Section 6.2.
| |
| : 2. FSAR, Section 6.3.
| |
| : 3. FSAR, Chapter 15.
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| : 5. NEDC-30936-P-A, "BWR Owners' Group Technical Specification Improvement Analyses for ECCS Actuation Instrumentation, Part 2,"
| |
| December 1988.
| |
| Columbia Generating Station B 3.3.5.1-33 Revision 73
| |
| | |
| RPV Water Inventory Control Instrumentation B 3.3.5.2 B 3.3 INSTRUMENTATION B 3.3.5.2 Reactor Pressure Vessel (RPV) Water Inventory Control Instrumentation BASES BACKGROUND The RPV contains penetrations below the top of the active fuel (TAF) that have the potential to drain the reactor coolant inventory to below the TAF.
| |
| If the water level should drop below the TAF, the ability to remove decay heat is reduced, which could lead to elevated cladding temperatures and clad perforation. Safety Limit 2.1.1.3 requires the RPV water level to be above the top of the active irradiated fuel at all times to prevent such elevated cladding temperatures.
| |
| Technical Specifications are required by 10 CFR 50.36 to include limiting safety system settings (LSSS) for variables that have significant safety functions. LSSS are defined by the regulation as "Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur. The actual settings for the automatic isolation channels are the same as those established for the same functions in MODES 1, 2, and 3 in LCO 3.3.5.1, "Emergency Core Cooling System (ECCS)
| |
| Instrumentation," or LCO 3.3.6.1, "Primary Containment Isolation instrumentation".
| |
| With the unit in MODE 4 or 5, RPV water inventory control is not required to mitigate any events or accidents evaluated in the safety analyses.
| |
| RPV water inventory control is required in MODES 4 and 5 to protect Safety Limit 2.1.1.3 and the fuel cladding barrier to prevent the release of radioactive material should a draining event occur. Under the definition of DRAIN TIME, some penetration flow paths may be excluded from the DRAIN TIME calculation if they will be isolated by valves that will close automatically without offsite power prior to the RPV water level being equal to the TAF when actuated by RPV water level isolation instrumentation.
| |
| Columbia Generating Station B 3.3.5.2-1 Revision 111
| |
| | |
| RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES BACKGROUND (continued)
| |
| The purpose of the RPV Water Inventory Control Instrumentation is to support the requirements of LCO 3.5.2, Reactor Pressure Vessel (RPV)
| |
| Water Inventory Control, and the definition of DRAIN TIME. There are functions that are required for manual initiation or operation of the ECCS injection/spray subsystem required to be OPERABLE by LCO 3.5.2 and other functions that support automatic isolation of Residual Heat Removal subsystem and Reactor Water Cleanup system penetration flow path(s) on low RPV water level.
| |
| The RPV Water Inventory Control Instrumentation supports operation of low pressure core spray (LPCS), low pressure coolant injection (LPCI),
| |
| and high pressure core spray (HPCS). The equipment involved with each of these systems is described in the Bases for LCO 3.5.2.
| |
| APPLICABLE With the unit in MODE 4 or 5, RPV water inventory control is not required SAFETY to mitigate any events or accidents evaluated in the safety analyses. RPV ANALYSES, LCO, water inventory control is required in MODES 4 and 5 to protect and APPLICABILITY Safety Limit 2.1.1.3 and the fuel cladding barrier to prevent the release of radioactive material should a draining event occur.
| |
| A double-ended guillotine break of the Reactor Coolant System (RCS) is not postulated in MODES 4 and 5 due to the reduced RCS pressure, reduced piping stresses, and ductile piping systems. Instead, an event is postulated in which a single operator error or initiating event allows draining of the RPV water inventory through a single penetration flow path with the highest flow rate, or the sum of the drain rates through multiple penetration flow paths susceptible to a common mode failure (e.g.,
| |
| seismic event, loss of normal power, single human error). It is assumed, based on engineering judgment, that while in MODES 4 and 5, one ECCS injection/spray subsystem can be manually initiated to maintain adequate reactor vessel water level.
| |
| As discussed in References 1, 2, 3, 4, and 5, operating experience has shown RPV water inventory to be significant to public health and safety.
| |
| Therefore, RPV Water Inventory Control satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).
| |
| Permissive and interlock setpoints are generally considered as nominal values without regard to measurement accuracy.
| |
| The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.
| |
| Columbia Generating Station B 3.3.5.2-2 Revision 111
| |
| | |
| RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Low Pressure Core Spray and Low Pressure Coolant Injection Systems 1.a, 2.a. Reactor Vessel Pressure - Low (Injection Permissive)
| |
| Low reactor vessel pressure signals are used as permissives for the low pressure ECCS subsystems. This ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure. While it is assured during Modes 4 and 5 that the reactor vessel pressure will be below the ECCS maximum design pressure, the Reactor Vessel Pressure - Low signals are assumed to be operable and capable of permitting initiation of the ECCS.
| |
| The Reactor Vessel Pressure - Low signals are initiated from four pressure switches that sense the reactor dome pressure (one pressure switch for each low pressure ECCS injection valve).
| |
| The Allowable Value is low enough to prevent overpressuring the equipment in the low pressure ECCS.
| |
| Three channels of Reactor Vessel Pressure - Low Function (one per valve) are only required to be OPERABLE in MODES 4 and 5 when ECCS Manual Initiation is required to be OPERABLE, since these channels support the manual initiation Function. In addition, the channels are only required when the associated ECCS subsystem is required to be OPERABLE by LCO 3.5.2.
| |
| 1.b, 1.c, 2.b. Low Pressure Coolant Injection and Low Pressure Core Spray Pump Discharge Flow - Low (Minimum Flow)
| |
| The minimum flow instruments are provided to protect the associated low pressure ECCS pump from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump.
| |
| One flow indicating switch per ECCS pump is used to detect the associated subsystems' flow rates. The logic is arranged such that each indicating switch causes its associated minimum flow valve to open when flow is low with the pump running. The logic will close Columbia Generating Station B 3.3.5.2-3 Revision 111
| |
| | |
| RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) the minimum flow valve once the closure setpoint is exceeded. The LPCI minimum flow valves are time delayed such that the valves will not open for 8 seconds after the switches detect low flow. The time delay is provided to limit reactor vessel inventory loss during the startup of the Residual Heat Removal (RHR) shutdown cooling mode (for RHR A and RHR B).
| |
| The Pump Discharge Flow - Low Allowable Values are high enough to ensure that the pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core.
| |
| One channel of the Pump Discharge Flow - Low Function is required to be OPERABLE in MODES 4 and 5 when the associated LPCS or LPCI pump is required to be OPERABLE by LCO 3.5.2 to ensure the pumps are capable of injecting into the Reactor Pressure Vessel when manually initiated.
| |
| 1.d, 2.c. Manual Initiation The Manual Initiation switch and push button channels introduce signals into the appropriate ECCS logic to provide manual initiation capability and are redundant to the automatic protective instrumentation. There is one switch and push button (with two channels per switch and push button) for each of the two Divisions of low pressure ECCS (i.e., Division 1 ECCS, LPCS and LPCI A; Division 2 ECCS, LPCI B and LPCI C). Only the manual initiation function required to be OPERABLE is that associated with the ECCS subsystem required to be OPERABLE by LCO 3.5.2.
| |
| There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.
| |
| If SM-7 or SM-8 is powered from TR-S, then the LPCS, LPCI A/B/C pump will not start unless there is an associated valid Drywell Pressure - High or Reactor Vessel Water Level - Low Low, Level 2 signal. Only the Reactor Vessel Water Level - Low Low, Level 2 input to the Manual Initiation logic is required when SM-7 or SM-8 is powered from TR-S.
| |
| The Drywell Pressure - High Function is not required since there is insufficient energy in the reactor to pressurize the primary containment to the Drywell Pressure - High setpoint.
| |
| Columbia Generating Station B 3.3.5.2-4 Revision 111
| |
| | |
| RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| High Pressure Core Spray System 3.a. Condensate Storage Tank Level - Low Low level in the CST indicates the unavailability of an adequate supply of makeup water from this normal source. Normally the suction valves between HPCS and the CST are open and water for HPCS injection would be taken from the CST. However, if the water level in the CST falls below a preselected level, first the suppression pool suction valve automatically opens, and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the HPCS pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valve must be open before the CST suction valve automatically closes.
| |
| Condensate Storage Tank Level - Low signals are initiated from two level switches mounted on a Seismic Category I standpipe in the reactor building (the two switches mounted on the CST cannot be credited since they are not Seismic Category I). Only one of the two switches is required to be OPERABLE in MODES 4 and 5.
| |
| The Condensate Storage Tank Level - Low Function Allowable Value is high enough to ensure adequate pump suction head while water is being taken from the CST. The low water level limit in the CST is based on vortexing and potential air ingestion by the pump.
| |
| One channel of the Condensate Storage Tank Level - Low Function is only required to be OPERABLE when HPCS is required to be OPERABLE to fulfill the requirements of LCO 3.5.2 and HPCS is aligned to the CST.
| |
| 3.b, HPCS System Flow Rate - Low (Minimum flow)
| |
| The minimum flow instrument is provided to protect the HPCS pump from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump.
| |
| One flow switch is used to detect the HPCS System's flow rate. The logic is arranged such that the flow switch causes the minimum flow valve to open when flow is low with the pump running. The logic will close the minimum flow valve once the closure setpoint is exceeded.
| |
| The HPCS System Flow Rate - Low is high enough to ensure that pump flow rate is sufficient to protect the pump, yet low enough to ensure that Columbia Generating Station B 3.3.5.2-5 Revision 111
| |
| | |
| RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) the closure of the minimum flow valve is initiated to allow full flow into the core.
| |
| One channel of HPCS System Flow Rate - Low is required to be OPERABLE when HPCS is required to be OPERABLE by LCO 3.5.2 in MODES 4 and 5.
| |
| RHR System Isolation 4.a - Reactor Vessel Water Level - Low, Level 3 The definition of DRAIN TIME allows crediting the closing of penetration flow paths that are capable of being automatically isolated by RPV water level isolation instrumentation prior to the RPV water level being equal to the TAF. The Reactor Vessel Water Level - Low, Level 3 Function is only required to be OPERABLE when automatic isolation of the associated RHR penetration flow path is credited in calculating DRAIN TIME.
| |
| Reactor Vessel Water Level - Low, Level 3 signals are initiated from differential pressure switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.
| |
| While four channels (two channels per trip system) of the Reactor Vessel Water Level - Low, Level 3 Function are available, only two channels (all in the same trip system) are required to be OPERABLE.
| |
| The Reactor Vessel Water Level - Low, Level 3 Allowable Value was chosen to be the same as the RPS Reactor Vessel Water Level - Low, Level 3 Allowable Value (LCO 3.3.1.1), since the capability to cool the fuel may be threatened.
| |
| This Function isolates Group 5 and Group 6 valves.
| |
| Reactor Water Cleanup (RWCU) System Isolation 5.a - Reactor Vessel Water level - Low Low, Level 2 The definition of DRAIN TIME allows crediting the closing of penetration flow paths that are capable of being automatically isolated by RPV water level isolation instrumentation prior to the RPV water level being equal to the TAF. The Reactor Vessel Water Level - Low Low, Level 2 Function associated with RWCU System isolation may be credited for automatic isolation of penetration flow paths associated with the RWCU System.
| |
| Columbia Generating Station B 3.3.5.2-6 Revision 111
| |
| | |
| RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Reactor Vessel Water Level - Low Low, Level 2 are initiated from differential pressure transmitters with trip units that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.
| |
| While four channels (two channels per trip system) of the Reactor Vessel Water Level - Low, Level 2 Function are available, only two channels (all in the same trip system) are required to be OPERABLE.
| |
| The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value was chosen to be the same as the ECCS Reactor Vessel Water Level - Low Low, Level 2 Allowable Value (LCO 3.3.5.1), since the capability to cool the fuel may be threatened.
| |
| The Reactor Vessel Water Level - Low Low, Level 2 Function is only required to be OPERABLE when automatic isolation of the associated penetration flow path is credited in calculating DRAIN TIME.
| |
| This Function isolates the Group 7 valves.
| |
| A Note has been provided to modify the ACTIONS related to RPV Water Inventory Control instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RPV Water Inventory Control instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable RPV Water Inventory Control instrumentation channel.
| |
| ACTIONS A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.2-1. The applicable Condition referenced in the Table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.
| |
| B.1 and B.2 RHR System Isolation, Reactor Vessel Water Level - Low, Level 3, and Reactor Water Cleanup System, Reactor Vessel Water Level - Low Low, Columbia Generating Station B 3.3.5.2-7 Revision 111
| |
| | |
| RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES ACTIONS (continued)
| |
| Level 2 functions are applicable when automatic isolation of the associated penetration flow path is credited in calculating Drain Time. If the instrumentation is inoperable, Required Action B.1 directs an immediate declaration that the associated penetration flow path(s) are incapable of automatic isolation. Required Action B.2 directs calculation of DRAIN TIME. The calculation cannot credit automatic isolation of the affected penetration flow paths.
| |
| C.1 Low reactor vessel pressure signals are used as permissives for the low pressure ECCS injection/spray subsystem manual initiation functions. If this permissive is inoperable, manual initiation of ECCS is prohibited.
| |
| Therefore, the permissive must be placed in the trip condition within 1 hour. With the permissive in the trip condition, manual initiation may be performed. Prior to placing the permissive in the tripped condition, the operator can take manual control of the pump and the injection valve to inject water into the RPV.
| |
| The Completion Time of 1 hour is intended to allow the operator time to evaluate any discovered inoperabilities and to place the channel in trip.
| |
| D.1 and D.2 Required Actions D.1 and D.2 are intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in a loss of automatic suction swap for the HPCS system from the condensate storage tank to the suppression pool. The HPCS system must be declared inoperable within 1 hour or the HPCS pump suction must be aligned to the suppression pool, since, if aligned, the function is already performed.
| |
| The 1 hour Completion Time is acceptable because it minimizes the risk of HPCS being needed without an adequate water source while allowing time for restoration or alignment of HPCS pump suction to the suppression pool.
| |
| E.1 If an LPCI or LPCS Discharge Flow - Low (Minimum Flow) function is inoperable, there is a risk that the associated ECCS pump could overheat when the pump is operating and the associated injection valve is not fully open. In this condition, the operator can take manual control of the pump and the injection valve to ensure the pump does not overheat. If a Columbia Generating Station B 3.3.5.2-8 Revision 111
| |
| | |
| RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES ACTIONS (continued) manual initiation function is inoperable, the ECCS subsystem pumps can be started manually and the valves can be opened manually, but this is not the preferred condition.
| |
| The 24 hour Completion Time was chosen to allow time for the operator to evaluate and repair any discovered inoperabilities. The Completion Time is appropriate given the ability to manually start the ECCS pumps and open the injection valves and to manually ensure the pump does not overheat F.1 With the Required Action and associated Completion Time of Conditions C, D, or E not met, the associated ECCS injection/spray subsystem may be incapable of performing the intended function, and must be declared inoperable immediately.
| |
| SURVEILLANCE As noted in the beginning of the SRs, the SRs for each RPV Water REQUIREMENTS Inventory Control instrument Functions are found in the SRs column of Table 3.3.5.2-1.
| |
| SR 3.3.5.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK guarantees that undetected outright channel failure is limited; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL FUNCTIONAL TEST.
| |
| Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.3.5.2-9 Revision 111
| |
| | |
| RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.
| |
| SR 3.3.5.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests.
| |
| Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.5.2.3 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.2 overlaps this Surveillance to complete testing of the assumed safety function.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. Information Notice 84-81 "Inadvertent Reduction in Primary Coolant Inventory in Boiling Water Reactors During Shutdown and Startup,"
| |
| November 1984.
| |
| : 2. Information Notice 86-74, "Reduction of Reactor Coolant Inventory Because of Misalignment of RHR Valves," August 1986.
| |
| : 3. Generic Letter 92-04, "Resolution of the Issues Related to Reactor Vessel Water Level Instrumentation in BWRs Pursuant to 10 CFR 50.54(F), " August 1992.
| |
| : 4. NRC Bulletin 93-03, "Resolution of Issues Related to Reactor Vessel Water Level Instrumentation in BWRs," May 1993.
| |
| Columbia Generating Station B 3.3.5.2-10 Revision 111
| |
| | |
| RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES REFERENCES (continued)
| |
| : 5. Information Notice 94-52, "Inadvertent Containment Spray and Reactor Vessel Draindown at Millstone 1," July 1994.
| |
| Columbia Generating Station B 3.3.5.2-11 Revision 111
| |
| | |
| RCIC System Instrumentation B 3.3.5.3 B 3.3 INSTRUMENTATION B 3.3.5.3 Reactor Core Isolation Cooling (RCIC) System Instrumentation BASES BACKGROUND The purpose of the RCIC System instrumentation is to initiate actions to ensure adequate core cooling when the reactor vessel is isolated from its primary heat sink (the main condenser) and normal coolant makeup flow from the Reactor Feedwater System is insufficient or unavailable, such that RCIC System initiation occurs and maintains sufficient reactor water level such that initiation of the low pressure Emergency Core Cooling Systems (ECCS) pumps does not occur. A more complete discussion of RCIC System operation is provided in the Bases of LCO 3.5.3, "RCIC System."
| |
| The RCIC System may be initiated by either automatic or manual means.
| |
| Automatic initiation occurs for conditions of Reactor Vessel Water Level -
| |
| Low Low, Level 2. The variable is monitored by four differential pressure switches. The switch contacts are arranged in a one-out-of-two taken twice logic arrangement. The logic can also be initiated by use of a manual switch and push button, whose two contacts are arranged in a two-out-of-two logic. Once initiated, the RCIC logic seals in and can be reset by the operator only when the reactor vessel water level signals have cleared.
| |
| The RCIC test line isolation valve is closed on a RCIC initiation signal to allow full system flow.
| |
| The RCIC System also monitors the water levels in the condensate storage tanks (CST) since this is the initial source of water for RCIC operation. Reactor grade water in the CST is the normal source. Upon receipt of a RCIC initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless the pump suction valve from the suppression pool is open. If the water level in the CST falls below a preselected level, first the suppression pool suction valve automatically opens and then the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST.
| |
| Either switch can cause the suppression pool suction valve to open and the CST suction valve to close (one-out-of-two logic). To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be open before the other automatically closes.
| |
| The RCIC System provides makeup water to the reactor until the reactor vessel water level reaches the high water level (Level 8) trip (two-out-of-two logic), at which time the RCIC steam supply valve closes (the injection valve also closes due to the closure of the steam supply valve).
| |
| The RCIC System restarts if vessel level again drops to the low level initiation point (Level 2).
| |
| Columbia Generating Station B 3.3.5.3-1 Revision 111
| |
| | |
| RCIC System Instrumentation B 3.3.5.3 BASES APPLICABLE The function of the RCIC System, to provide makeup coolant to the SAFETY reactor, is to respond to transient events. The RCIC System is not an ANALYSES, LCO, Engineered Safety Feature System and no credit is taken in the safety and APPLICABILITY analysis for RCIC System operation. Based on its contribution to the reduction of overall plant risk, however, the RCIC System, and therefore its instrumentation, meets Criterion 4 of Reference 1. Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.
| |
| The OPERABILITY of the RCIC System instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.3-1. Each Function must have a required number of OPERABLE channels with their setpoints within the specified Allowable Values, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.
| |
| Allowable Values are specified for each RCIC System instrumentation Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the analysis. The Allowable Values are derived from the analytic limits, corrected for process and all instrument uncertainties, except drift and calibration. The trip setpoints are derived from the analytic limits, corrected for process and all instrument uncertainties, including drift and calibration. The trip setpoints derived in this manner provide adequate protection because all instrumentation uncertainties and process effects are taken into account.
| |
| The individual Functions are required to be OPERABLE in MODE 1, and in MODES 2 and 3 with reactor steam dome pressure > 150 psig, since this is when RCIC is required to be OPERABLE. Refer to LCO 3.5.3 for Applicability Bases for the RCIC System.
| |
| The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.
| |
| Columbia Generating Station B 3.3.5.3-2 Revision 111
| |
| | |
| RCIC System Instrumentation B 3.3.5.3 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| : 1. Reactor Vessel Water Level - Low Low, Level 2 Low reactor pressure vessel (RPV) water level indicates that normal feedwater flow is insufficient to maintain reactor vessel water level and that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the RCIC System is initiated at Level 2 to assist in maintaining water level above the top of the active fuel.
| |
| Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from four differential pressure switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.
| |
| The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value is set high enough such that for complete loss of feedwater flow, the RCIC System flow with high pressure core spray assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Level 1.
| |
| Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation. Refer to LCO 3.5.3 for RCIC Applicability Bases.
| |
| : 2. Reactor Vessel Water Level - High, Level 8 High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel.
| |
| Therefore, the Level 8 signal is used to close the RCIC steam supply valve to prevent overflow into the main steam lines (MSLs). (The injection valve also closes due to the closure of the steam supply valve.)
| |
| Reactor Vessel Water Level - High, Level 8 signals for RCIC are initiated from two differential pressure switches from the narrow range water level measurement instrumentation, which sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.
| |
| The Reactor Vessel Water Level - High, Level 8 Allowable Value is high enough to preclude isolating the injection valve of the RCIC during normal operation, yet low enough to trip the RCIC System prior to water overflowing into the MSLs.
| |
| Columbia Generating Station B 3.3.5.3-3 Revision 111
| |
| | |
| RCIC System Instrumentation B 3.3.5.3 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Two channels of Reactor Vessel Water Level - High, Level 8 Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation. Refer to LCO 3.5.3 for RCIC Applicability Bases.
| |
| : 3. Condensate Storage Tank Level - Low Low level in the CST indicates the unavailability of an adequate supply of makeup water from this normal source. Normally the suction valve between the RCIC pump and the CST is open and, upon receiving a RCIC initiation signal, water for RCIC injection would be taken from the CST. However, if the water level in the CST falls below a preselected level, first the suppression pool suction valve automatically opens and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the RCIC pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valve must be open before the CST suction valve automatically closes.
| |
| Two level switches are used to detect low water level in the CST. The Condensate Storage Tank Level - Low Function Allowable Value is set high enough to ensure adequate pump suction head while water is being taken from the CST. The low water level limit in the CST is based on vortexing and potential air ingestion by the pump.
| |
| Two channels of Condensate Storage Tank Level - Low Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC swap to suppression pool source. Refer to LCO 3.5.3 for RCIC Applicability Bases.
| |
| : 4. Manual Initiation The Manual Initiation switch and push button channels introduce a signal into the RCIC System initiation logic that is redundant to the automatic protective instrumentation and provides manual initiation capability.
| |
| There is one switch and push button (with two channels) for the RCIC System.
| |
| The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the RCIC function as required by the NRC in the plant licensing basis.
| |
| Columbia Generating Station B 3.3.5.3-4 Revision 111
| |
| | |
| RCIC System Instrumentation B 3.3.5.3 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the switch and push button. Two channels of Manual Initiation are required to be OPERABLE when RCIC is required to be OPERABLE. Refer to LCO 3.5.3 for RCIC Applicability Bases.
| |
| ACTIONS A Note has been provided to modify the ACTIONS related to RCIC System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RCIC System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RCIC System instrumentation channel.
| |
| A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.3-1 in the accompanying LCO. The applicable Condition referenced in the Table is Function dependent. Each time a channel is discovered to be inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.
| |
| B.1 and B.2 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic initiation capability for the RCIC System. In this case, automatic initiation capability is lost if two Function 1 channels in the same trip system are inoperable and untripped. In this situation (loss of automatic initiation capability), the 24 hour allowance of Required Action B.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour after discovery of loss of RCIC initiation capability.
| |
| Columbia Generating Station B 3.3.5.3-5 Revision 111
| |
| | |
| RCIC System Instrumentation B 3.3.5.3 BASES ACTIONS (continued)
| |
| The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."
| |
| For Required Action B.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically initiated due to two inoperable, untripped Reactor Vessel Water Level - Low Low, Level 2 channels in the same trip system. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.
| |
| Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 2) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.
| |
| Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition E must be entered and its Required Action taken.
| |
| C.1 A risk based analysis was performed and determined that an allowable out of service time of 24 hours (Ref. 2) is acceptable to permit restoration of any inoperable channel to OPERABLE status (Required Action C.1). A Required Action (similar to Required Action B.1), limiting the allowable out of service time if a loss of automatic RCIC initiation capability exists, is not required. This Condition applies to the Reactor Vessel Water Level -
| |
| High, Level 8 Function, whose logic is arranged such that any inoperable channel will result in a loss of automatic RCIC initiation capability (loss of high water level trip capability). As stated above, this loss of automatic RCIC initiation capability was analyzed and determined to be acceptable.
| |
| This Condition also applies to the Manual Initiation Function. Since this Function is not assumed in any accident or transient analysis, a total loss of manual initiation capability (Required Action C.1) for 24 hours is allowed. The Required Action does not allow placing a channel in trip since this action would not necessarily result in the safe state for the channel in all events.
| |
| Columbia Generating Station B 3.3.5.3-6 Revision 111
| |
| | |
| RCIC System Instrumentation B 3.3.5.3 BASES ACTIONS (continued)
| |
| D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple inoperable, untripped channels within the same Function result in automatic component initiation capability being lost for the feature(s). For Required Action D.1, the RCIC System is the only associated feature. In this case, automatic component initiation capability is lost if two Function 3 channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour allowance of Required Actions D.2.1 and D.2.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour from discovery of loss of RCIC initiation capability. As noted, Required Action D.1 is only applicable if the RCIC pump suction is not aligned to the suppression pool since, if aligned, the Function is already performed.
| |
| The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.
| |
| Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 2) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1, which performs the intended function of the channel (shifting the suction source to the suppression pool).
| |
| Alternatively, Required Action D.2.2 allows the manual alignment of the RCIC suction to the suppression pool, which also performs the intended function. If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the RCIC System piping remains filled with water. If it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the RCIC suction piping), Condition E must be entered and its Required Action taken.
| |
| Columbia Generating Station B 3.3.5.3-7 Revision 111
| |
| | |
| RCIC System Instrumentation B 3.3.5.3 BASES ACTIONS (continued)
| |
| E.1 With any Required Action and associated Completion Time not met, the RCIC System may be incapable of performing the intended function, and the RCIC System must be declared inoperable immediately.
| |
| SURVEILLANCE As noted in the beginning of the SRs, the SRs for each RCIC System REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.5.3-1.
| |
| The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed as follows: (a) for up to 6 hours for Functions 2 and 4; and (b) for up to 6 hours for Functions 1 and 3 provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 2) assumption of the average time required to perform channel Surveillance.
| |
| That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the RCIC will initiate when necessary.
| |
| SR 3.3.5.3.1 Performance of a CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a qualitative assessment, by observation, of channel behavior during operation. This determination includes, where possible, comparison of the channel indication and status to other indications or status derived from independent instrument channels measuring the same parameter. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A significant deviation could indicate gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.
| |
| Columbia Generating Station B 3.3.5.3-8 Revision 111
| |
| | |
| RCIC System Instrumentation B 3.3.5.3 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.
| |
| SR 3.3.5.3.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.5.3.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter with the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.5.3.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.3 overlaps this Surveillance to provide complete testing of the safety function.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. 10 CFR 50.36(c)(2)(ii).
| |
| : 2. GENE-770-06-2-A, "Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," December 1992.
| |
| Columbia Generating Station B 3.3.5.3-9 Revision 111
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 B 3.3 INSTRUMENTATION B 3.3.6.1 Primary Containment Isolation Instrumentation BASES BACKGROUND The primary containment isolation instrumentation automatically initiates closure of appropriate primary containment isolation valves (PCIVs). The function of the PCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs). Primary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a DBA.
| |
| The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of primary containment and reactor coolant pressure boundary (RCPB) isolation. Most channels include electronic equipment (e.g., trip relays) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel outputs a primary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logic are (a) reactor vessel water level, (b) area and differential temperatures, (c) main steam line (MSL) flow measurement, (d) Standby Liquid Control (SLC) System initiation, (e) condenser vacuum loss, (f) main steam line pressure, (g) reactor core isolation cooling (RCIC) steam line flow and time delay relay, (h) ventilation exhaust plenum radiation, (i) RCIC steam line pressure, (j) RCIC turbine exhaust diaphragm pressure, (k) reactor water cleanup (RWCU) differential and blowdown flows and time delay relay, (l) reactor vessel pressure, and (m) drywell pressure. Redundant sensor input signals are provided from each such isolation initiation parameter. In addition, manual isolation of the logics is provided.
| |
| The primary containment isolation instrumentation has inputs to the trip logic from the isolation Functions listed below.
| |
| : 1. Main Steam Line Isolation Most Main Steam Line Isolation Functions receive inputs from four channels. The outputs from these channels are combined in one-out-of-two taken twice logic to initiate isolation of all main steam isolation valves (MSIVs). The outputs from the same channels are arranged into two two-out-of-two trip systems to isolate all MSL drain valves. One two-out-of-two trip system is associated with the inboard valve and the other two-out-of-two logic trip system is associated with the outboard valves.
| |
| Columbia Generating Station B 3.3.6.1-1 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND (continued)
| |
| The exceptions to this arrangement are the Main Steam Line Flow - High and the Manual Initiation Functions. The Main Steam Line Flow - High Function uses 16 flow channels, four for each steam line. One channel from each steam line inputs to one of four trip strings. Two trip strings make up each trip system, and both trip systems must trip to cause an MSL isolation. Each trip string has four inputs (one per MSL), any one of which will trip the trip string. The trip strings within a trip system are arranged in a one-out-of-two taken twice logic. Therefore, this is effectively a one-out-of-eight taken twice logic arrangement to initiate isolation of the MSIVs. Similarly, the 16 flow channels are connected into two two-out-of-two logic trip systems (effectively, two one-out-of-four twice logic), with one trip system isolating the inboard MSL drain valve and the other trip system isolating the outboard MSL drain valves. The Manual Initiation Function uses eight channels, two per each switch and push button. The four channels from two switch and push buttons input into one trip system and the four channels from the other two switch and push buttons input into the other trip system. To close all MSIVs, both trip systems must actuate, similar to all the other Functions described above.
| |
| However, the logic of each trip system is arranged such that both channels from one of the associated switch and push buttons are required to actuate the trip system (i.e., the switch and push button must be both armed and depressed for the trip system to actuate). To close the MSL drain valves, all channels in both trip systems must actuate (i.e.,
| |
| both channels from each of the two associated switch and push buttons are required to actuate the inboard valve trip system and both channels from each of the two associated switch and push buttons are required to actuate the outboard valve trip system).
| |
| MSL Isolation Functions isolate the Group 1 valves.
| |
| : 2. Primary Containment Isolation Most Primary Containment Isolation Functions receive inputs from four channels. The outputs from these channels are arranged into two-out-of-two logic trip systems. For the Manual Initiation Function of the Group 3 PCIVs, four channels are required to actuate a trip system (a four-out-of-four logic trip system). One trip system initiates isolation of all inboard PCIVs, while the other trip system initiates isolation of all outboard PCIVs.
| |
| Each trip system logic closes one of the two valves on each penetration so that operation of either trip system isolates the penetration.
| |
| The exceptions to this arrangement are the Group 5. The Group 5 PCIVs need only one trip system (the inboard valve system) to isolate all Group 5 valves.
| |
| Columbia Generating Station B 3.3.6.1-2 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND (continued)
| |
| Reactor Vessel Level - Low, Level 3 Function isolates the Group 5 valves.
| |
| Reactor Vessel Water Level - Low, Low, Level 2 Function isolates the Group 2, 3, and 4 valves. Drywell Pressure - High isolates the Group 3, 4, and 5 valves. Manual Initiation isolates the Group 2, 3, 4, and 5 valves. Reactor Building Vent Exhaust Plenum Radiation - High Function isolates the Group 3 valves.
| |
| : 3. Reactor Core Isolation Cooling System Isolation Most Functions receive input from two channels, with each channel in one trip system using one-out-of-one logic. One of the two trip systems is connected to the inboard valves and the other trip system is connected to the outboard valve on the RCIC penetration so that operation of either trip system isolates the penetration. The exceptions to this arrangement are the RCIC Steam Supply Pressure - Low and the RCIC Turbine Exhaust Diaphragm Pressure - High Functions. These Functions receive input from four steam supply pressure and four turbine exhaust diaphragm pressure channels, respectively. The outputs from these channels are connected into two-out-of-two trip systems, each trip system isolating the inboard or outboard RCIC valves. In addition, the RCIC System Isolation Manual Initiation Function has only one channel, which isolates the outboard RCIC valve only (provided an automatic initiation signal is present).
| |
| RCIC Isolation Functions isolate the Group 8 valves.
| |
| : 4. Reactor Water Cleanup System Isolation Most Functions receive input from two channels with each channel in one trip system using one-out-of-one logic. Functions 4.f and 4.g (Pump Room Area Temperature and Differential Temperature - High) have one channel in each trip system in each room for a total of four channels per Function, and Function 4.i (RWCU Line Routing Area Temperature -
| |
| High) has one channel in each trip system in each room for a total of eight channels per Function, but the logic is the same (one-out-of-one). Each of the two trip systems is connected to one of the two valves on the RWCU penetration so that operation of either trip system isolates the penetration. The exceptions to this arrangement are the Reactor Vessel Water Level - Low Low, Level 2, the SLC System Initiation, and the Manual Initiation Functions. The Reactor Vessel Water Level - Low Low, Level 2 Function receives input from four reactor vessel water level channels. The outputs from the reactor vessel water level channels are Columbia Generating Station B 3.3.6.1-3 Revision 113
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND (continued) connected into two-out-of-two trip systems, each trip system isolating one of the two RWCU valves. The SLC System Initiation Function receives input from two channels (one from each SLC pump). The outputs are connected into a one-out-of-two trip system, with the trip system closing only the outboard valve. The Manual Initiation Function uses four channels, two per each switch and push button. Both channels from one switch and push button input into one trip system and both channels from the other switch and push button input into the other trip system, with the channels connected in a two-out-of-two logic. Each trip system isolates one of the two RWCU valves.
| |
| RWCU Isolation Functions isolate the Group 7 valves.
| |
| : 5. RHR Shutdown Cooling System Isolation Most Functions receive input from two channels with each channel in one trip system using one-out-of-one logic. Functions 5.a and 5.b (Pump Room Area Temperature and Pump Room Area Ventilation Differential Temperature - High) have one channel in each trip system in each room for a total of four channels per Function, and Function 5.c (Heat Exchanger Area Temperature - High) has one channel in each trip system in each room for a total of eight channels per Function, but the logic is the same (one-out-of-one). One of the two trip systems is connected to the outboard valves on each shutdown cooling penetration (reactor vessel head spray, shutdown cooling return, and shutdown cooling suction lines) and the other trip system is connected to the inboard valve on the shutdown cooling suction line penetration so that operation of either trip system isolates the penetrations. The exceptions to this arrangement are the Reactor Vessel Water Level - Low, Level 3 and the Manual Initiation Functions. The Reactor Vessel Water Level - Low, Level 3 Function receives input from four reactor vessel water level channels. The outputs from the reactor vessel water level channels are connected into two two-out-of-two trip systems, each trip system isolating the inboard or outboard valves. The Manual Initiation Function uses four channels, two per each switch and push button. Both channels from one switch and push button input into one trip system and both channels from the other switch and push button input into the other trip system, with the channels connected in a two-out-of-two logic. One trip system isolates the inboard valve and the other trip system isolates the outboard valves.
| |
| The RHR Shutdown Cooling Isolation Functions isolate the Group 6 valves.
| |
| Columbia Generating Station B 3.3.6.1-4 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND (continued)
| |
| : 6. Traversing Incore Probe System Isolation The Reactor Vessel Water Level - Low Low, Level 2 Isolation Function receives input from two reactor vessel water level channels. The Drywell Pressure - High Isolation Function receives input from two drywell pressure channels. These channels provide input to two logic trip circuits grouped in one-out-of-two logic. Each of these trip circuits is connected in one-out-of-two taken twice logic such that a Low Low, Level 2 (C) or Drywell Pressure - High (C) input and a Low Low, Level 2 (D) or Drywell Pressure - High (D) input will initiate an isolation of the TIP valves.
| |
| When either Isolation Function actuates, the TIP drive mechanisms will withdraw the TIPs, if inserted, and close the inboard TIP system isolation ball valves when the TIPs are fully withdrawn. The outboard TIP system isolation valves are manual shear valves.
| |
| TIP System Isolation Functions isolate the inboard isolation ball valves that are in Group 4.
| |
| APPLICABLE The isolation signals generated by the primary containment isolation SAFETY instrumentation are implicitly assumed in the safety analyses of ANALYSES, LCO, References 1 and 2 to initiate closure of valves to limit offsite doses.
| |
| and APPLICABILITY Refer to LCO 3.6.1.3, "Primary Containment Isolation Valves (PCIVs),"
| |
| Applicable Safety Analyses Bases, for more detail.
| |
| Primary containment isolation instrumentation satisfies Criterion 3 of Reference 3. Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.
| |
| The OPERABILITY of the primary containment instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.6.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.
| |
| Each channel must also respond within its assumed response time, where appropriate.
| |
| Allowable Values are specified for each Primary Containment Isolation Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.
| |
| Columbia Generating Station B 3.3.6.1-5 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for process and all instrument uncertainties, except drift and calibration. The trip setpoints are derived from the analytic limits, corrected for process and all instrument uncertainties, including drift and calibration. The trip setpoints derived in this manner provide adequate protection because all instrumentation uncertainties and process effects are taken into account.
| |
| Certain Emergency Core Cooling Systems (ECCS) and RCIC valves (e.g., minimum flow) also serve the dual function of automatic PCIVs.
| |
| The signals that isolate these valves are also associated with the automatic initiation of the ECCS and RCIC. Some instrumentation and ACTIONS associated with these signals are addressed in LCO 3.3.5.1, "ECCS Instrumentation," and LCO 3.3.5.3, "RCIC System Instrumentation," and are not included in this LCO.
| |
| In general, the individual Functions are required to be OPERABLE in MODES 1, 2, and 3 consistent with the Applicability for LCO 3.6.1.1, "Primary Containment." Functions that have different Applicabilities are discussed below in the individual Functions discussion.
| |
| The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.
| |
| : 1. Main Steam Line Isolation 1.a. Reactor Vessel Water Level - Low Low Low, Level 1 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of the MSIVs and other interfaces with the reactor vessel occurs to prevent offsite dose limits from being exceeded. The Reactor Vessel Water Level - Low Low Low, Level 1 Function is one of the many Functions assumed to be OPERABLE and capable of providing isolation signals.
| |
| Columbia Generating Station B 3.3.6.1-6 Revision 111
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| The Reactor Vessel Water Level - Low Low Low, Level 1 Function associated with isolation is assumed in the analysis of the recirculation line break (Ref. 1). The isolation of the MSL on Level 1 supports actions to ensure that offsite dose limits are not exceeded for a DBA.
| |
| Reactor vessel water level signals are initiated from four differential pressure transmitters with trip units that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to be the same as the ECCS Level 1 Allowable Value (LCO 3.3.5.1) to ensure that the MSLs isolate on a potential loss of coolant accident (LOCA) to prevent offsite doses from exceeding 10 CFR 50.67 limits.
| |
| This Function isolates the Group 1 valves.
| |
| 1.b. Main Steam Line Pressure - Low Low MSL pressure indicates that there may be a problem with the turbine pressure regulation, which could result in a low reactor vessel water level condition and the RPV cooling down more than 100°F/hour if the pressure loss is allowed to continue. The Main Steam Line Pressure - Low Function is directly assumed in the analysis of the pressure regulator failure (Ref. 4). For this event, the closure of the MSIVs ensures that the RPV temperature change limit (100°F/hour) is not reached. In addition, this Function supports actions to ensure that Safety Limit 2.1.1.1 is not exceeded. (This Function closes the MSIVs during the depressurization transient in order to maintain reactor steam dome pressure 686 psig, The MSIV closure results in a scram, thus reducing reactor power to
| |
| < 25% RTP.)
| |
| The MSL low pressure signals are initiated from four sensors that are connected to the MSL header. The sensors are arranged such that, even though physically separated from each other, each sensor is able to detect low MSL pressure.
| |
| Four channels of Main Steam Line Pressure - Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| Columbia Generating Station B 3.3.6.1-7 Revision 100
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| The Allowable Value was selected to be high enough to prevent excessive RPV depressurization.
| |
| The Main Steam Line Pressure - Low Function is only required to be OPERABLE in MODE 1 since this is when the assumed transient can occur (Ref. 4).
| |
| This Function isolates the Group 1 valves.
| |
| 1.c. Main Steam Line Flow - High Main Steam Line Flow - High is provided to detect a break of the MSL and to initiate closure of the MSIVs. If the steam were allowed to continue flowing out of the break, the reactor would depressurize and the core could uncover. If the RPV water level decreases too far, fuel damage could occur. Therefore, the isolation is initiated on high flow to prevent or minimize core damage. The Main Steam Line Flow - High Function is directly assumed in the analysis of the main stream line break (MSLB) accident (Ref. 5). The isolation action, along with the scram function of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46 and offsite doses do not exceed the 10 CFR 50.67 limits.
| |
| The MSL flow signals are initiated from 16 differential pressure switches that are connected to the four MSLs (the differential pressure switches sense d/p across a flow restrictor). The differential pressure switches are arranged such that, even though physically separated from each other, all four connected to one steam line would be able to detect the high flow.
| |
| Four channels of Main Steam Line Flow - High Function for each MSL (two channels per trip system) are available and are required to be OPERABLE so that no single instrument failure will preclude detecting a break in any individual MSL.
| |
| The Allowable Value is chosen to ensure that offsite dose limits are not exceeded due to the break.
| |
| This Function isolates the Group 1 valves.
| |
| 1.d. Condenser Vacuum - Low The Condenser Vacuum - Low Function is provided to prevent overpressurization of the main condenser in the event of a loss of the main condenser vacuum (Ref. 6). Since the integrity of the condenser is an assumption in offsite dose calculations (Ref. 7), the Condenser Columbia Generating Station B 3.3.6.1-8 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Vacuum - Low Function is assumed to be OPERABLE and capable of initiating closure of the MSIVs. The closure of the MSIVs is initiated to prevent the addition of steam that would lead to additional condenser pressurization and possible rupture of the diaphragm installed to protect the turbine exhaust hood, thereby preventing a potential radiation leakage path following an accident.
| |
| Condenser vacuum pressure signals are derived from four vacuum switches that sense the vacuum in the condenser. Four channels of Condenser Vacuum - Low Function are available and are required to be OPERABLE to ensure no single instrument failure can preclude the isolation function.
| |
| The Allowable Value is chosen to prevent damage to the condenser due to pressurization, thereby ensuring its integrity for offsite dose analysis.
| |
| As noted (footnote (a) to Table 3.3.6.1-1), the channels are not required to be OPERABLE in MODES 2 and 3, when all turbine throttle valves (TTVs) are closed, since the potential for condenser overpressurization is minimized. Switches are provided to manually bypass the channels when all TTVs are closed.
| |
| This Function isolates the Group 1 valves.
| |
| 1.e, 1.f. Main Steam Tunnel Temperature and Differential Temperature -
| |
| High Temperature and Differential Temperature - High is provided to detect a leak in a main steam line, and provides diversity to the high flow instrumentation. The isolation occurs when a very small leak has occurred. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. However, credit for these instruments is not taken in any transient or accident analysis in the FSAR, since bounding analyses are performed for large breaks such as MSLBs.
| |
| Temperature - High signals are initiated from thermocouples located in the area being monitored. Four channels of Main Steam Tunnel Temperature - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. Each Function has one temperature element.
| |
| Eight thermocouples provide input to the Main Steam Tunnel Differential Temperature - High Function. The output of these thermocouples is used to determine the differential temperature. Each channel consists of a differential temperature instrument that receives inputs from thermocouples that are located in the inlet and outlet of Columbia Generating Station B 3.3.6.1-9 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) the area cooling system. Four channels of Main Steam Tunnel Differential Temperature - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| The ambient and differential temperature monitoring Allowable Value is chosen to detect a leak equivalent to 25 gpm.
| |
| These Functions isolate the Group 1 valves.
| |
| 1.g. Manual Initiation The Manual Initiation switch and push button channels introduce signals into the MSL isolation logic that are redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for this Function.
| |
| It is retained for overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.
| |
| There are four switch and push buttons (with two channels per switch and push button) for the logic, with two switch and push buttons per trip system. Eight channels of Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3, since these are the MODES in which the MSL Isolation automatic Functions are required to be OPERABLE.
| |
| There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the switch and push buttons.
| |
| This Function isolates the Group 1 valves.
| |
| : 2. Primary Containment Isolation 2.a, 2.b. Reactor Vessel Water Level - Low, Level 3 and Reactor Vessel Water Level - Low Low, Level 2 Low RPV water level indicates the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products.
| |
| The isolation of the primary containment on Level 3 and 2 supports actions to ensure that offsite dose limits of 10 CFR 50.67 are not exceeded. The Reactor Vessel Water Level - Low, Level 3 and Reactor Columbia Generating Station B 3.3.6.1-10 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Vessel Water Level - Low Low, Level 2 Functions associated with isolation are implicitly assumed in the FSAR analysis as these leakage paths are assumed to be isolated post LOCA.
| |
| Reactor Vessel Water Level - Low, Level 3 is initiated from differential pressure switches. Reactor water Level 2 signals are initiated by differential pressure transmitters with trip units. These devices sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low, Level 3 Function and four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available and are required to be OPERABLE to ensure no single instrument failure can preclude the isolation function.
| |
| The Reactor Vessel Water Level - Low, Level 3 Allowable Value was chosen to be the same as the RPS Reactor Vessel Water Level - Low, Level 3 Allowable Value (LCO 3.3.1.1), and the Reactor Vessel Water Level - Low Low, Level 2 Allowable Value was chosen to be the same as the ECCS Reactor Vessel Water Level - Low Low, Level 2 Allowable Value (LCO 3.3.5.1), since isolation of these valves is not critical to orderly plant shutdown.
| |
| The Reactor Vessel Water Level - Low, Level 3 Function isolates the Group 5 valves. The Reactor Vessel Water Level - Low Low, Level 2 Function isolates the Group 2, 3, 4, and 7 valves.
| |
| The Reactor Vessel Water Level - Low Low, Level 2 Function is also used to initiate the LOCA Time Delay Relays of LCO 3.3.5.1. These LOCA Time Delay Relays stagger ECCS pump loading when the ECCS power source is aligned to the 230 kV offsite circuit to assure ECCS loading, during pump starts, does not overload the offsite source transformer.
| |
| This branching to LCO 3.3.5.1 requires instrument OPERABILITY when LCO 3.3.5.1 LOCA Time Delay Relay Function is required to be OPERABLE. A Note (e) has been provided to Table 3.3.6.1-1 that identifies Function 2b channels provide one set of initiation signals to the LCO3.3.5.1 LOCA Time Delay Relay function. Actuation of either required instrument channel per trip system will initiate the LOCA Time Delay Logic for the low pressure ECCS Function (LPCS/LPCI-A or LPCS-B/LPCI-C).
| |
| The LCO Actions of 3.3.6.1 (place the channel in trip) may not be the more restrictive Action and Completion Times required of these Level 2 instruments. The LOCA Time Delay Relay channel Actions in LCO 3.3.5.1 are more restrictive if the associated ECCS subsystems are required to be OPERABLE. This is because the LCO 3.3.6.1 Action to place the channel in trip will complete part of the logic for both ECCS Columbia Generating Station B 3.3.6.1-11 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) subsystems in the division (assuming the instrument failure does not already result in the channel being in a tripped condition). If the 230 kV offsite source is supplying the safety buses, the LOCA Time Delay Relays will start timing out immediately and will no longer sequence the delay after HPCS pump starts. If the 230 kV offsite source is not supplying safety buses, the LOCA Time Delay Relays will begin timing out upon transfer to the 230 kV source supply rather than initiating on a LOCA signal at the same time because the HPCS pump starts from different reactor Level 2 instruments. In either case, the LOCA Time Delay Relays may not be properly sequenced to delay start of the low pressure ECCS subsystems tied to when the HPCS pump starts.
| |
| 2.c. Drywell Pressure - High High drywell pressure can indicate a break in the RCPB inside the drywell. The isolation of some of the PCIVs on high drywell pressure supports actions to ensure that offsite dose limits of 10 CFR 50.67 are not exceeded. The Drywell Pressure - High Function associated with isolation of the primary containment is implicitly assumed in the FSAR accident analysis as these leakage paths are assumed to be isolated post LOCA.
| |
| High drywell pressure signals are initiated from pressure switches that sense the pressure in the drywell. Four channels of Drywell Pressure -
| |
| High are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| The Allowable Value was selected to be the same as the RPS Drywell Pressure - High Allowable Value (LCO 3.3.1.1), since this may be indicative of a LOCA inside primary containment.
| |
| The above Function isolates the Group 3, 4, and 5 valves.
| |
| The Drywell Pressure - High Function is also used to initiate the LOCA Time Delay Relays of LCO 3.3.5.1. These LOCA Time Delay Relays stagger ECCS pump loading when the ECCS power source is aligned to the 230 kV offsite circuit to assure ECCS loading, during pump starts, does not overload the offsite source transformer. This branching to LCO 3.3.5.1 requires instrument OPERABILITY when LCO 3.3.5.1 LOCA Time Delay Relay Function is required to be OPERABLE. A Note (e) has been provided to Table 3.3.6.1-1 that identifies Function 2.c channels provide one set of initiation signals to the LCO 3.3.5.1 LOCA Time Delay Relay function. Actuation of either required instrument channel per trip system will initiate the LOCA Time Delay Logic for the low pressure ECCS Function (LPCS/LPCI-A or LPCI-B/LPCI-C). Thus, actuation of Columbia Generating Station B 3.3.6.1-12 Revision 113
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) either Drywell Pressure - High instrument will complete the logic for both subsystems in the division.
| |
| The LCO Actions of 3.3.6.1 (place the channel in trip) may not be the more restrictive Action and Completion Times required of these Drywell Pressure - High instruments. The LOCA Time Delay Relay channel Actions in LCO 3.3.5.1 are more restrictive if the associated ECCS subsystems are required to be OPERABLE. This is because the LCO 3.3.6.1 Action to place the channel in trip will complete part of the logic for both ECCS subsystems in the division (assuming the instrument failure does not already result in the channel being in a tripped condition).
| |
| If the 230 kV offsite source is supplying the safety buses, the LOCA Time Delay Relays will start timing out immediately and will no longer sequence the delay after HPCS pump starts. If the 230 kV offsite source is not supplying safety buses, the LOCA Time Delay Relays will begin timing out upon transfer to the 230 kV source supply rather than initiating on a LOCA signal at the same time as HPCS (pump starts from different Drywell Pressure - High instruments). In either case, the LOCA Time Delay Relays may not be properly sequenced to delay start of the low pressure ECCS subsystems tied to when the HPCS pump starts.
| |
| 2.d. Reactor Building Vent Exhaust Plenum Radiation - High High ventilation exhaust radiation is an indication of possible gross failure of the fuel cladding. The release may have originated from the primary containment due to a break in the RCPB. When Exhaust Radiation - High is detected, valves whose penetrations communicate with the primary containment atmosphere are isolated to limit the release of fission products. Reactor Building Vent Exhaust Plenum Radiation - High signals are initiated from four radiation monitors that measure radiation outside the reactor building vent. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel. Four channels of Reactor Building Vent Exhaust Plenum Radiation - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| There are no specific FSAR safety analysis that takes credit for this function. It is retained for defense-in-depth of the specific function as required by the NRC in the plant licensing basis. The Reactor Building Vent Exhaust Plenum Radiation - High Allowable Value was originally chosen assuming flow is present in the exhaust plenum because that required faster response time for the function to ensure that offsite dose remained below 10 CFR 50.67 limits. When no flow is present, the Allowable Value is conservative.
| |
| Columbia Generating Station B 3.3.6.1-13 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| This Function isolates the Group 3 valves.
| |
| 2.e. Manual Initiation The Manual Initiation switch and push button channels introduce signals into the primary containment isolation logic that are redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.
| |
| For the Group 3 valves, there are four switch and push buttons (with two channels per switch and push button) for the logic, with two switch and push buttons per trip system. For the Group 2, 4, and 5 valves, there are two switch and push buttons (with two channels per switch and push button) for the logic, one switch and push button per trip system. Eight channels of the Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3, since these are the MODES in which the Primary Containment Isolation automatic Functions are required to be OPERABLE.
| |
| There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the switch and push buttons.
| |
| This Function isolates the Group 2, 3, 4, and 5 valves.
| |
| : 3. Reactor Core Isolation Cooling System Isolation 3.a. RCIC Steam Line Flow - High RCIC Steam Line Flow - High Function is provided to detect a break of the RCIC steam lines and initiates closure of the steam line isolation valves. If the steam is allowed to continue flowing out of the break, the reactor will depressurize and core uncovery can occur. Therefore, the isolation is initiated on high flow to prevent or minimize core damage.
| |
| The isolation action, along with the scram function of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Specific credit for this Function is not assumed in any FSAR accident analyses since the bounding analysis is performed for large breaks such as Columbia Generating Station B 3.3.6.1-14 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) recirculation and MSL breaks. However, these instruments prevent the RCIC steam line break from becoming bounding.
| |
| The RCIC Steam Line Flow - High signals are initiated from two differential pressure switches that are connected to the system steam lines. Two channels of RCIC Steam Line Flow - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| The Allowable Value is chosen to be low enough to ensure that the trip occurs to prevent fuel damage and maintains the MSLB event as the bounding event.
| |
| This Function isolates the Group 8 valves.
| |
| 3.b. RCIC Steam Line Flow - Time Delay The RCIC Steam Line Flow - Time Delay is provided to prevent false isolations on RCIC Steam Line Flow - High during system startup transients and therefore improves system reliability. This Function is not assumed in any FSAR transient or accident analyses since the bounding analysis is performed for large breaks such as recirculation and MSL breaks. However, these instruments prevent the RCIC steam line break from becoming bounding.
| |
| The RCIC Steam Line Flow - Time Delay Function delays the RCIC Steam Line Flow - High signals by use of time delay relays. When an RCIC Steam Line Flow - High signal is generated, the time delay relays delay the tripping of the associated RCIC isolation trip system for a short time. Two channels of RCIC Steam Line Flow - Time Delay Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| The Allowable Value was chosen to be long enough to prevent false isolations due to system starts but not so long as to impact offsite dose calculations.
| |
| This Function isolates the Group 8 valves.
| |
| 3.c. RCIC Steam Supply Pressure - Low Low RCIC steam supply pressure indicates that the pressure of the steam in the RCIC turbine may be too low to continue operation of the RCIC turbine. This isolation is for equipment protection and is not Columbia Generating Station B 3.3.6.1-15 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) assumed in any transient or accident analysis in the FSAR. However, it also provides a diverse signal to indicate a possible system break. These instruments are included in the Technical Specifications (TS) because of the potential for risk due to possible failure of the instruments preventing RCIC initiations. Therefore, they meet Criterion 4 of Reference 3.
| |
| The RCIC Steam Supply Pressure - Low signals are initiated from four pressure switches that are connected to the RCIC steam line. Two channels of RCIC Steam Supply Pressure - Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| The Allowable Value is selected to be high enough to prevent damage to the RCIC turbine.
| |
| This Function isolates the Group 8 valves.
| |
| 3.d. RCIC Turbine Exhaust Diaphragm Pressure - High High turbine exhaust diaphragm pressure indicates that the pressure may be too high to continue operation of the RCIC turbine. That is, one of two exhaust diaphragms has ruptured and pressure is reaching turbine casing pressure limits. This isolation is for equipment protection and is not assumed in any transient or accident analysis in the FSAR. These instruments are included in the TS because of the potential for risk due to possible failure of the instruments preventing RCIC initiations. Therefore, they meet Criterion 4 of Reference 3.
| |
| The RCIC Turbine Exhaust Diaphragm Pressure - High signals are initiated from four pressure switches that are connected to the area between the rupture diaphragms on the RCIC turbine exhaust line. Four channels of RCIC Turbine Exhaust Diaphragm Pressure - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| The Allowable Value is selected to be low enough to prevent damage to the RCIC turbine.
| |
| This Function isolates the Group 8 valves.
| |
| Columbia Generating Station B 3.3.6.1-16 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 3.e, 3.f, 3.g. Area Temperature and Differential Temperature - High Area Temperature and Differential Temperatures are provided to detect a leak from the associated system steam piping. The isolation occurs when a very small leak has occurred and is diverse to the high flow instrumentation. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. These Functions are not assumed in any FSAR transient or accident analysis, since bounding analyses are performed for large breaks such as recirculation or MSL breaks.
| |
| Area Temperature - High signals are initiated from thermocouples that are located in the room that is being monitored. Two instruments for each Function monitor each associated area. Four channels of Area Temperature - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. There are two channels for the RCIC equipment room area and two channels for the RWCU/RCIC steam line routing area.
| |
| There are four thermocouples that provide input to the RCIC Equipment Room Area Differential Temperature - High Function. The output of these thermocouples is used to determine the differential temperature. Each channel consists of a differential temperature instrument that receives inputs from thermocouples that are located in the inlet and outlet of the area cooling system for a total of two available channels. Two channels are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| The Allowable Values are set low enough to detect a leak equivalent to 25 gpm.
| |
| This Function isolates the Group 8 valves.
| |
| 3.h. Manual Initiation The Manual Initiation push button channel introduces a signal into the RCIC System isolation logic that is redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.
| |
| There is one push button for RCIC. One channel of Manual Initiation Function is available and is required to be OPERABLE in MODES 1, 2, and 3 since these are the MODES in which the RCIC System Isolation automatic Functions are required to be OPERABLE. As noted (footnote Columbia Generating Station B 3.3.6.1-17 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| (b) to Table 3.3.6.1-1), this Function is only required to close the outboard Group 8 RCIC isolation valve since the signal only provides input into one of the two trip systems.
| |
| There is no Allowable Value for this Function since the channel is mechanically actuated based solely on the position of the push button.
| |
| This Function isolates the outboard Group 8 valve.
| |
| : 4. Reactor Water Cleanup System Isolation 4.a, 4.c. Differential Flow and Blowdown Flow - High The high differential flow signal is provided to detect a break in the RWCU System. This will detect leaks in the RWCU System when area or differential temperature would not provide detection (i.e., a cold leg or blowdown piping break). Should the reactor coolant continue to flow out of the break, offsite dose limits may be exceeded. Therefore, isolation of the RWCU System is initiated when high differential flow or high blowdown flow is sensed to prevent exceeding offsite doses. A time delay (Function 4.b, described below) is provided to prevent spurious trips of the Differential Flow - High Function during most RWCU operational transients. These Functions are not assumed in any FSAR transient or accident analysis, since bounding analyses are performed for large breaks such as MSLBs.
| |
| The high differential flow signals are initiated from one flow element and transmitter that are connected to the inlet (from the reactor vessel) and two flow elements and transmitters from the outlets (to condenser and feedwater) of the RWCU System. The outputs of the transmitters are compared (in a common summer) and the output is sent to two flow switches. If the difference between the inlet and outlet flow is too large, each flow switch generates an isolation signal. Two channels of Differential Flow - High Function are available and are required to be OPERABLE to ensure that no single instrument failure in the logic downstream of the common summer can preclude the isolation function.
| |
| Since some portions of the two channels are common (e.g., flow elements, transmitters, summer), both channels must be considered inoperable if a common component is inoperable.
| |
| The high blowdown flow signals are initiated from one flow element and two flow transmitters that are connected to the outlet (to condenser and radwaste) of the RWCU System. The outputs of the transmitters are sent to two flow switches.
| |
| Columbia Generating Station B 3.3.6.1-18 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Two channels of Blowdown Flow - High Function are available and are required to be OPERABLE to ensure that no single instrument failure downstream of the common flow element can preclude the isolation function. Since the flow element is common, both channels must be considered inoperable if the flow element is inoperable.
| |
| The Differential Flow - High Allowable Value ensures that the break of the RWCU piping is detected. The Blowdown Flow - High Allowable Value ensures that the break of the RWCU blowdown piping is detected.
| |
| This Function isolates the Group 7 valves.
| |
| 4.b. Differential Flow - Time Delay The Differential Flow - Time Delay is provided to avoid RWCU System isolations due to operational transients (such as pump starts and mode changes). During these transients the inlet and return flows become unbalanced for short time periods and Differential Flow - High will be sensed without an RWCU System break being present. Credit for this Function is not assumed in the FSAR accident or transient analysis, since bounding analyses are performed for large breaks such as MSLBs.
| |
| The RWCU Differential Flow - Time Delay Function delays the RWCU Differential Flow - High signals by use of time delay relays. When an RWCU Differential Flow - High signal is generated, the time delay relays delay the tripping of the associated RWCU isolation trip system for a short time. Two channels for Differential Flow - Time Delay Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| The Differential Flow - Time Delay Allowable Value is selected to ensure that the MSLB outside containment remains the limiting break for FSAR analysis for offsite dose calculations.
| |
| This Function isolates the Group 7 valves.
| |
| 4.d, 4.e, 4.f, 4.g, 4.h, 4.i. Area Temperature and Differential Temperature - High Area Temperature and Differential Temperature - High is provided to detect a leak from the RWCU System. The isolation occurs even when very small leaks have occurred and is diverse to the high differential flow instrumentation for the hot portions of the RWCU System. If the small leak continues without isolation, offsite dose limits may be reached.
| |
| Columbia Generating Station B 3.3.6.1-19 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Credit for these instruments is not taken in any transient or accident analysis in the FSAR, since bounding analyses are performed for large breaks such as MSLBs.
| |
| Area Temperature - High signals are initiated from thermocouples that are located in the room that is being monitored. There are 16 thermocouples that provide input to the Area Temperature - High Functions (two per area). Sixteen channels are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. There are two channels for the heat exchanger room area, four channels for the pump room areas (two per room), two channels for the RWCU/RCIC line routing area, and eight channels for the RWCU line routing areas (two per room).
| |
| There are 12 thermocouples that provide input to the Differential Temperature - High Functions. The output of these thermocouples is used to determine the differential temperature. Each channel consists of a differential temperature instrument that receives inputs from thermocouples that are located in the inlet and outlet of the area cooling system for a total of six available channels (two per area). Six channels are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. There are two channels for the heat exchanger area and four channels for the pump room areas (two per room).
| |
| The Area Temperature and Differential Temperature - High Allowable Values are set low enough to detect a leak equivalent to 25 gpm.
| |
| These Functions isolate the Group 7 valves.
| |
| 4.j. Reactor Vessel Water Level - Low Low, Level 2 Low RPV water level indicates the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some reactor vessel interfaces occurs to isolate the potential sources of a break. The isolation of the RWCU System on Level 2 supports actions to ensure that fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Vessel Water Level - Low Low, Level 2 Function associated with RWCU isolation is not directly assumed in any transient or accident analysis, since bounding analyses are performed for large breaks such as MSLBs.
| |
| Columbia Generating Station B 3.3.6.1-20 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from differential pressure transmitters with trip units that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.
| |
| Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value was chosen to be the same as the ECCS Reactor Vessel Water Level - Low Low, Level 2 Allowable Value (LCO 3.3.5.1), since the capability to cool the fuel may be threatened.
| |
| This Function isolates the Group 7 valves.
| |
| 4.k. SLC System Initiation The isolation of the RWCU System is required when the SLC System has been initiated to prevent dilution and removal of the boron solution by the RWCU System (Ref. 8). SLC System initiation signals are initiated from the two SLC pump start signals.
| |
| Two channels (one from each pump) of SLC System Initiation Function are available and are required to be OPERABLE in MODES 1 and 2, since these are the only MODES where the reactor can be critical. Both channels are also required to be OPERABLE in MODES 1, 2, and 3, since the SLC System is used to maintain suppression pool pH at or above 7 following a LOCA to ensure iodine will be retained in the suppression pool water. These MODES are consistent with the Applicability for the SLC System (LCO 3.1.7). Compliance with Reference 9 (Columbia Generating Station requires both SLC pumps be started to inject boron) ensures no single instrument failure can preclude the isolation function. As noted (footnote (c) to Table 3.3.6.1-1), this Function is only required to close the outboard Group 7 RWCU isolation valve since the signal only provides input into one of the two trip systems.
| |
| There is no Allowable Value associated with this Function since the channels are mechanically actuated based solely on the position of the SLC System initiation switch.
| |
| This Function isolates the Group 7 valves.
| |
| Columbia Generating Station B 3.3.6.1-21 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 4.l. Manual Initiation The Manual Initiation switch and push button channels introduce signals into the RWCU System isolation logic that are redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.
| |
| There are two switch and push buttons (with two channels per switch and push button) for the logic, one switch and push button per trip system.
| |
| Four channels of the Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3 since these are the MODES in which the RWCU System Isolation automatic Functions are required to be OPERABLE.
| |
| There is no Allowable Value for this Function, since the channels are mechanically actuated based solely on the position of the switch and push buttons.
| |
| This Function isolates the Group 7 valves.
| |
| : 5. RHR Shutdown Cooling System Isolation 5.a, 5.b, 5.c. Area Temperature and Differential Temperature - High Area Temperature and Differential Temperature - High is provided to detect a leak from the associated system piping. The isolation occurs when a very small leak has occurred and is diverse to the high flow instrumentation. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. These Functions are not assumed in any FSAR transient or accident analysis, since bounding analyses are performed for large breaks such as MSLBs.
| |
| Area Temperature - High signals are initiated from thermocouples that are located in the room that is being monitored. Two instruments for each Function monitor each area. Twelve channels for Area Temperature -
| |
| High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| There are four channels for the pump room areas (two per room) and eight channels for the heat exchanger areas (two per room).
| |
| Eight thermocouples provide input to the Differential Temperature - High Function. The output of these thermocouples is used to determine the differential temperature. Each channel consists of a differential Columbia Generating Station B 3.3.6.1-22 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) temperature instrument that receives inputs from thermocouples that are located in the inlet and outlet of the area cooling system for a total of four available channels (two per pump room). Four channels are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| The Area Temperature and Differential Temperature - High Functions are only required to be OPERABLE in MODE 3. In MODES 1, and 2, the Reactor Vessel Pressure - High Function and other administrative controls ensure that this flow path remains isolated to prevent unexpected loss of inventory via this flow path.
| |
| The Allowable Values are set low enough to detect a leak equivalent to 25 gpm.
| |
| This Function isolates the Group 6 valves.
| |
| 5.d. Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some reactor vessel interfaces occurs to begin isolating the potential sources of a break. The Reactor Vessel Water Level - Low, Level 3 Function associated with RHR Shutdown Cooling System isolation is not directly assumed in any transient or accident analysis, since bounding analyses are performed for large breaks such as MSLBs. The RHR Shutdown Cooling System isolation on Level 3 supports actions to ensure that the RPV water level does not drop below the top of the active fuel during a vessel draindown event caused by a leak (e.g., pipe break or inadvertent valve opening) in the RHR Shutdown Cooling System.
| |
| Reactor Vessel Water Level - Low, Level 3 signals are initiated from differential pressure switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels (two channels per trip system) of the Reactor Vessel Water Level - Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| Columbia Generating Station B 3.3.6.1-23 Revision 111
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| The Reactor Vessel Water Level - Low, Level 3 Function is only required to be OPERABLE in MODE 3 to prevent this potential flow path from lowering reactor vessel level to the top of the fuel. In MODES 1 and 2, the Reactor Vessel Pressure - High Function and administrative controls ensure that this flow path remains isolated to prevent unexpected loss of inventory via this flow path.
| |
| The Reactor Vessel Water Level - Low, Level 3 Allowable Value was chosen to be the same as the RPS Reactor Vessel Water Level - Low, Level 3 Allowable Value (LCO 3.3.1.1) since the capability to cool the fuel may be threatened.
| |
| This Function isolates the Group 6 valves.
| |
| 5.e. Reactor Vessel Pressure - High The Shutdown Cooling System Reactor Vessel Pressure - High Function is provided to isolate the shutdown cooling portion of the RHR System.
| |
| This interlock is provided only for equipment protection to prevent an intersystem LOCA scenario and credit for the interlock is not assumed in the accident or transient analysis in the FSAR.
| |
| The Reactor Steam Dome - High pressure signals are initiated from two pressure switches. Two channels of Reactor Steam Dome Pressure -
| |
| High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| The Allowable Value was chosen to be low enough to protect the system equipment from overpressurization.
| |
| This Function isolates the Group 6 valves.
| |
| 5.f. Manual Initiation The Manual Initiation switch and push button channels introduce signals into the RHR Shutdown Cooling System isolation logic that are redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.
| |
| Columbia Generating Station B 3.3.6.1-24 Revision 111
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| There are two switch and push buttons (with two channels per switch and push button) for the logic, one switch and push button per trip system.
| |
| Four channels of the Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3 since these are the MODES in which the RHR Shutdown Cooling System Isolation automatic Functions are required to be OPERABLE. While certain automatic Functions are required in MODES 4 and 5, the Manual Initiation Function is not required in MODES 4 and 5, since there are other means (i.e.,
| |
| means other than the Manual Initiation switch and push buttons) to manually isolate the RHR Shutdown Cooling System from the control room.
| |
| There is no Allowable Value for this Function, since the channels are mechanically actuated based solely on the position of the switch and push buttons.
| |
| This Function isolates the Group 6 valves.
| |
| : 6. Traversing Incore Probe System Isolation 6.a Reactor Vessel Water Level - Low Low, Level 2 Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products.
| |
| The isolation of the primary containment on Level 2 supports actions to ensure that offsite dose limits of 10 CFR 50.67 are not exceeded. The Reactor Vessel Water Level - Low Low, Level 2 Function associated with isolation is implicitly assumed in the FSAR analysis as these leakage paths are assumed to be isolated post LOCA.
| |
| Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from four differential pressure transmitters with trip units that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Two channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available and are required to be OPERABLE to ensure that no single instrument failure can initiate an inadvertent isolation actuation. The isolation function is ensured by the manual shear valve in each penetration.
| |
| Columbia Generating Station B 3.3.6.1-25 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value was chosen to be the same as the ECCS Reactor Vessel Water Level - Low Low, Level 2 Allowable Value (LCO 3.3.5.1), since isolation of these valves is not critical to orderly plant shutdown.
| |
| This Function isolates the Group 4 valves.
| |
| 6.b Drywell Pressure - High High drywell pressure can indicate a break in the RCPB inside the primary containment. The isolation of some of the primary containment isolation valves on high drywell pressure supports actions to ensure that offsite dose limits of 10 CFR 50.67 are not exceeded. The Drywell Pressure - High Function, associated with isolation of the primary containment, is implicitly assumed in the FSAR accident analysis as these leakage paths are assumed to be isolated post LOCA.
| |
| High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Two channels of Drywell Pressure -
| |
| High per Function are available and are required to be OPERABLE to ensure that no single instrument failure can initiate an inadvertent actuation. The isolation function is ensured by the manual shear valve in each penetration.
| |
| The Allowable Value was selected to be the same as the ECCS Drywell Pressure - High Allowable Value (LCO 3.3.5.1), since this may be indicative of a LOCA inside primary containment.
| |
| This Function isolates the Group 4 valves.
| |
| ACTIONS The ACTIONS are modified to two Notes. Note 1 allows penetration flow paths to be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator at the controls of the valve, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for primary containment isolation is indicated. Note 2 has been provided to modify the ACTIONS related to primary containment isolation instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable primary Columbia Generating Station B 3.3.6.1-26 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS (continued) containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable primary containment isolation instrumentation channel.
| |
| A.1 Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours or 24 hours, depending on the Function (12 hours for those Functions that have channel components common to RPS instrumentation and 24 hours for those Functions that do not have channel components common to RPS instrumentation), has been shown to be acceptable (Refs. 10 and 11) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1.
| |
| Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation),
| |
| Condition C must be entered and its Required Action taken.
| |
| B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant automatic isolation capability being lost for the associated penetration flow path(s). The MSIV portions of the MSL isolation Functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip such that both trip systems will generate a trip signal from the given Function on a valid signal. The other isolation Functions and the MSL drain valves portion of the MSL isolation Functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip such that one trip system will generate a trip signal from the given Function on a valid signal. This ensures that one of the two PCIVs in the associated penetration flow path can receive an isolation signal from the given Function. For Functions 1.a, 1.b, 1.d, 1.e, and 1.f, this would require Columbia Generating Station B 3.3.6.1-27 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS (continued) both trip systems to have one channel OPERABLE or in trip. For Function 1.c, this would require both trip systems to have one channel, associated with each MSL, OPERABLE or in trip. For Functions 2.a, 2.b, 2.c, 2.d, 3.c, 3.d, 4.j, and 5.d, this would require one trip system to have two channels, each OPERABLE or in trip. For Functions 3.a, 3.b, 3.e, 3.f, 3.g, 4.a, 4.b, 4.c, 4.d, 4.e, 4.h, 4.k, and 5.e, this would require one trip system to have one channel OPERABLE or in trip. For Functions 4.f, 4.g, 4.i, 5.a, 5.b, and 5.c, each Function consists of channels that monitor several different locations. Therefore, this would require one channel per location to be OPERABLE or in trip (the channels are not required to be in the same trip system). The Condition does not include the Manual Initiation Functions (Functions 1.g, 2.e, 3.h, 4.l, and 5.f), since they are not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 24 hours (as allowed by Required Action A.1) is allowed.
| |
| The channels in the trip system in the more degraded state should be placed in trip. The decision as to which trip system is in the more degraded state should be based on prudent judgment and current plant conditions (i.e., what MODE the plant is in).
| |
| The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.
| |
| C.1 Required Action C.1 directs entry into the appropriate Condition referenced in Table 3.3.6.1-1. The applicable Condition specified in Table 3.3.6.1-1 is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A or B and the associated Completion Time has expired, Condition C will be entered for that channel and provides for transfer to the appropriate subsequent Condition.
| |
| D.1, D.2.1, and D.2.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated MSLs may be isolated (Required Action D.1), and if allowed (i.e., plant safety analysis allows operation with an MSL isolated), plant operation with the MSL isolated may continue. Isolating the affected MSL accomplishes the safety function of the inoperable channel. This Required Action will generally Columbia Generating Station B 3.3.6.1-28 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS (continued) only be used if a Function 1.c channel is inoperable and untripped. The associated MSL(s) to be isolated are those whose Main Steam Line Flow - High Function channel(s) are inoperable. Alternately, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours and in MODE 4 within 36 hours (Required Actions D.2.1 and D.2.2). The Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| E.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 2 within 6 hours.
| |
| The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 2 from full power conditions in an orderly manner and without challenging plant systems.
| |
| F.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, plant operation may continue if the affected penetration flow path(s) is isolated. Isolating the affected penetration flow path(s) accomplishes the safety function of the inoperable channel. For some of the Area Temperature and Differential Temperature Functions, the affected penetration flow path(s) may be considered isolated by isolating only that portion of the system in the associated room monitored by the inoperable channel. That is, if the RWCU pump room A Area Temperature channel is inoperable, the A pump room area can be isolated while allowing continued RWCU operation utilizing the B RWCU pump. For the RWCU Blowdown Flow - High Function, the affected penetration flow path(s) may be considered isolated by isolating only the RWCU blowdown piping.
| |
| Alternatively, if it is not desired to isolate the affected penetration flow path(s) (e.g., as in the case where isolating the penetration flow path(s) could result in a reactor scram), Condition H must be entered and its Required Actions taken.
| |
| Columbia Generating Station B 3.3.6.1-29 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS (continued)
| |
| The Completion Time is acceptable because it minimizes risk while allowing sufficient time for plant operations personnel to isolate the affected penetration flow path(s).
| |
| G.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, plant operations may continue if the affected penetration flow path(s) is isolated. Isolating the affected penetration flow path(s) accomplishes the safety function of the inoperable channel.
| |
| The 24 hour Completion Time is acceptable due to the fact that these Functions are either not assumed in any accident or transient analysis in the FSAR, (Manual Initiation) or, in the case of the TIP System isolation, the TIP system penetration is a small bore (approximately 3/8 inch), its isolation in a design basis event (with loss of offsite power) would be via the manually operated shear valves, and the ability to manually isolate by either the normal isolation valve or the shear valve is unaffected by the inoperable instrumentation.
| |
| Alternately, if it is not desired to isolate the affected penetration flow path(s) (e.g., as in the case where isolating the penetration flow path(s) could result in a reactor scram), Condition H must be entered and its Required Actions taken.
| |
| H.1 and H.2 If the channel is not restored to OPERABLE status or placed in trip, or any Required Action of Condition F or G is not met and the associated Completion Time has expired, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| Columbia Generating Station B 3.3.6.1-30 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS (continued)
| |
| I.1 and I.2 If the channel is not restored to OPERABLE status within the allowed Completion Time, the associated SLC subsystem is declared inoperable or the RWCU System is isolated. Since this Function is required to ensure that the SLC System performs its intended function, sufficient remedial measures are provided by declaring the associated SLC subsystem inoperable or isolating the RWCU System.
| |
| The Completion Time of 1 hour is acceptable because it minimizes risk while allowing sufficient time for personnel to isolate the RWCU System.
| |
| J.1 and J.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated penetration flow path should be closed. However, if the shutdown cooling function is needed to provide core cooling, these Required Actions allow the penetration flow path to remain unisolated provided action is immediately initiated to restore the channel to OPERABLE status or to isolate the RHR Shutdown Cooling System (i.e., provide alternate decay heat removal capabilities so the penetration flow path can be isolated). Actions must continue until the channel is restored to OPERABLE status or the RHR Shutdown Cooling System is isolated.
| |
| SURVEILLANCE As noted at the beginning of the SRs, the SRs for each Primary REQUIREMENTS Containment Isolation Instrumentation Function are found in the SRs column of Table 3.3.6.1-1.
| |
| The Surveillances are also modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains isolation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 10 and 11) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the PCIVs will isolate the penetration flow path(s) when necessary.
| |
| Columbia Generating Station B 3.3.6.1-31 Revision 73
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.3.6.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a qualitative assessment, by observation, of channel behavior during operation. This determination includes, where possible, comparison of the channel indication and status to other indications or status derived from independent instrument channels measuring the same parameter. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.
| |
| SR 3.3.6.1.2 and SR 3.3.6.1.3 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.
| |
| The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.6.1.4 and SR 3.3.6.1.5 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument Columbia Generating Station B 3.3.6.1-32 Revision 93
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE REQUIREMENTS (continued) drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.6.1.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on PCIVs in LCO 3.6.1.3 overlaps this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.6.1.7 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis.
| |
| Testing is performed only on channels where the assumed response time does not correspond to the diesel generator (DG) start time. For channels assumed to respond within the DG start time, sufficient margin exists in the 15 second start time when compared to the typical channel response time (milliseconds) so as to assure adequate response time without a specific measurement test (Ref. 12). A note to the surveillance states that channel sensors for Functions 1.a, 1.b, and 1.c are excluded and therefore, it is not required to quantitatively measure the sensor response time to satisfy the requirement to verify ISOLATION INSTRUMENTATION RESPONSE TIME. This is acceptable since the sensor response time can be qualitatively verified by other methods (Ref. 12). If the response time of the sensor is not quantitatively measured, the acceptance criteria must be reduced by the time assumed for sensor response in the design analyses, as verified by statistical analysis or vendor data. The instrument response times must be added to the PCIV closure times to obtain the ISOLATION SYSTEM RESPONSE TIME. However, failure to meet an ISOLATION SYSTEM RESPONSE TIME due to a PCIV closure time not within limits does not require the associated instrumentation to be declared inoperable; only the PCIV is required to be declared inoperable.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.3.6.1-33 Revision 93
| |
| | |
| Primary Containment Isolation Instrumentation B 3.3.6.1 BASES REFERENCES 1. FSAR, Section 6.2.1.1.
| |
| : 2. FSAR, Chapter 15.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| : 4. FSAR, Section 15.1.3.
| |
| : 5. FSAR, Section 15.6.4.
| |
| : 6. FSAR, Section 15.2.5.
| |
| : 7. FSAR, Section 11.3.2.
| |
| : 8. FSAR, Section 9.3.5.2.
| |
| : 9. 10 CFR 50.62.
| |
| : 10. NEDC-31677-P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," June 1989.
| |
| : 11. NEDC-30851-P-A, Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.
| |
| : 12. NEDO-32291-A, "System Analyses for the Elimination of Selected Response Time Testing Requirements," October 1995.
| |
| Columbia Generating Station B 3.3.6.1-34 Revision 93
| |
| | |
| Secondary Containment Isolation Instrumentation B 3.3.6.2 B 3.3 INSTRUMENTATION B 3.3.6.2 Secondary Containment Isolation Instrumentation BASES BACKGROUND The secondary containment isolation instrumentation automatically initiates closure of appropriate secondary containment isolation valves (SCIVs) and starts the Standby Gas Treatment (SGT) System. The function of these systems, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) (Ref. 1), such that offsite radiation exposures are maintained within the requirements of 10 CFR 50.67 that are part of the NRC staff approved licensing basis. Secondary containment isolation and establishment of vacuum with the SGT System within the assumed time limits ensures that fission products that are released during certain operations that take place inside primary containment, when primary containment is not required to be OPERABLE, or that take place outside primary containment are maintain within applicable limits.
| |
| The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of secondary containment isolation.
| |
| Most channels include electronic equipment (e.g., trip relays) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel outputs a secondary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logic are (a) reactor vessel water level, (b) drywell pressure, and (c) reactor building vent exhaust plenum radiation. Redundant sensor input signals from each parameter are provided for initiation of isolation parameters. In addition, manual initiation of the logic is provided.
| |
| Most Secondary Containment Isolation instrumentation Functions receive input from four channels. The output from these channels are arranged into two two-out-of-two logic trip systems. For the Manual Initiation Function, four channels are required to actuate a trip system (a four-out-of-four logic trip system). In addition to the isolation function, the SGT subsystems are initiated. Each trip system will start one fan in each SGT subsystem, but will only align one SGT subsystem filter train.
| |
| Automatically isolated secondary containment penetrations are isolated by two isolation valves. Each trip system initiates isolation of one of the two valves on each penetration so that operation of either trip system isolates the penetrations.
| |
| Columbia Generating Station B 3.3.6.2-1 Revision 73
| |
| | |
| Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE The isolation signals generated by the secondary containment isolation SAFETY instrumentation are implicitly assumed in the safety analyses of ANALYSES, LCO, Reference 1 to initiate closure of valves and start the SGT System to and APPLICABILITY limit offsite doses.
| |
| Refer to LCO 3.6.4.2, "Secondary Containment Isolation Valves (SCIVs),"
| |
| and LCO 3.6.4.3, "Standby Gas Treatment (SGT) System," Applicable Safety Analyses Bases for more detail of the safety analyses.
| |
| The secondary containment isolation instrumentation satisfies Criterion 3 of Reference 2. Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.
| |
| The OPERABILITY of the secondary containment isolation instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions. Each Function must have the required number of OPERABLE channels with their setpoints set within the specified Allowable Values, as shown in Table 3.3.6.2-1. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.
| |
| Allowable Values are specified for each Function specified in the Table.
| |
| Nominal trip setpoints are specified in setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Values between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.
| |
| Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for process and all instrument uncertainties, except drift and calibration. The trip setpoints are derived from the analytic limits, corrected for process and all instrument uncertainties, including drift and calibration. The trip setpoints derived in this manner provide adequate protection because all instrumentation uncertainties and process effects are taken into account.
| |
| In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions when SCIVs and the SGT System are required.
| |
| Columbia Generating Station B 3.3.6.2-2 Revision 73
| |
| | |
| Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.
| |
| : 1. Reactor Vessel Water Level - Low Low, Level 2 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The Reactor Vessel Water Level - Low Low, Level 2 Function is one of the Functions assumed to be OPERABLE and capable of providing isolation and initiation signals. The isolation and initiation of systems on Reactor Vessel Water Level - Low Low, Level 2 support actions to ensure that any offsite releases are within the limits calculated in the safety analysis (Ref. 1).
| |
| Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from differential pressure transmitters with trip units that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.
| |
| Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value was chosen to be the same as the High Pressure Core Spray (HPCS)/Reactor Core Isolation Cooling (RCIC) Reactor Vessel Water Level - Low Low, Level 2 Allowable Value (LCO 3.3.5.1, "Emergency Core Cooling System (ECCS) Instrumentation," and LCO 3.3.5.3, "Reactor Core Isolation Cooling (RCIC) System Actuation"), since this could indicate the capability to cool the fuel is being threatened.
| |
| The Reactor Vessel Water Level - Low Low, Level 2 Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the Reactor Coolant System (RCS); thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas.
| |
| In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, this Function is not required.
| |
| Columbia Generating Station B 3.3.6.2-3 Revision 111
| |
| | |
| Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| The Reactor Water Level-Low Low Level Function is also used to initiate the LOCA Time Delay Relays of LCO 3.3.5.1. A Note (c) is provided to Table 3.3.6.2-1 that identifies Function 1 channels provide one set of initiation signals to the LCO 3.3.5.1 LOCA Time Delay Relay function.
| |
| : 2. Drywell Pressure - High High drywell pressure can indicate a break in the reactor coolant pressure boundary (RCPB). An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The isolation on high drywell pressure supports actions to ensure that any offsite releases are within the limits calculated in the safety analysis. However, the Drywell Pressure - High Function associated with isolation is not assumed in any FSAR accident or transient analysis. It is retained for the overall redundancy and diversity of the secondary containment isolation instrumentation as required by the NRC approved licensing basis. High drywell pressure signals are initiated from pressure switches that sense the pressure in the drywell. Four channels of Drywell - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| The Allowable Value was chosen to be the same as the RPS Drywell Pressure - High Function Allowable Value (LCO 3.3.1.1) since this is indicative of a loss of coolant accident.
| |
| The Drywell Pressure - High Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the RCS; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. This Function is not required in MODES 4 and 5 because the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES.
| |
| : 3. Reactor Building Vent Exhaust Plenum Radiation - High High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding. The release may have originated from the primary containment due to a break in the RCPB or the refueling floor due to a fuel handling accident. When Reactor Building Vent Exhaust Plenum Radiation - High is detected, secondary containment isolation and actuation of the SGT System are initiated to limit the release of fission products (Ref. 1).
| |
| Columbia Generating Station B 3.3.6.2-4 Revision 73
| |
| | |
| Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Reactor Building Vent Exhaust Plenum Radiation - High signals are initiated from four radiation monitors that measure radiation outside the reactor building vent, which is the collection point of all reactor building and refueling floor air flow prior to its exhaust to atmosphere. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel. Four channels of Reactor Building Vent Exhaust Plenum Radiation - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.
| |
| There is no specific FSAR safety analysis that takes credit for this Function. It is retained for defense-in-depth of the specific function as required by the NRC in the plant licensing basis. The Reactor Building Vent Exhaust Plenum Radiation - High Allowable Value was originally chosen assuming flow is present in the exhaust plenum because that required a faster response time for the function to ensure that offsite dose remained below 10 CFR 50.67 limits. When no flow is present, the Allowable Value is conservative.
| |
| The Reactor Building Vent Plenum Exhaust Radiation - High Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, this Function is not required.
| |
| : 4. Manual Initiation The Manual Initiation switch and push button channels introduce signals into the secondary containment isolation logic that are redundant to the automatic protective instrumentation channels, and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for the overall redundancy and diversity of the secondary containment isolation instrumentation as required by the NRC approved licensing basis.
| |
| Columbia Generating Station B 3.3.6.2-5 Revision 111
| |
| | |
| Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| There are four switch and push buttons (with two channels per switch and push button) for the logic, two switch and push buttons per trip system.
| |
| Eight channels of the Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3.
| |
| There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the switch and push buttons.
| |
| ACTIONS A Note has been provided to modify the ACTIONS related to secondary containment isolation instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.
| |
| However, the Required Actions for inoperable secondary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable secondary containment isolation instrumentation channel.
| |
| A.1 Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours or 24 hours, depending on the Function (12 hours for those Functions that have channel components common to RPS instrumentation and 24 hours for those Functions that do not have channel components common to RPS instrumentation), has been shown to be acceptable (Refs. 3 and 4) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1.
| |
| Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place Columbia Generating Station B 3.3.6.2-6 Revision 111
| |
| | |
| Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES ACTIONS (continued) the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation), Condition C must be entered and its Required Actions taken.
| |
| B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic isolation capability for the associated penetration flow path(s) or a complete loss of automatic initiation capability for the SGT System. A Function is considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate a trip signal from the given Function on a valid signal.
| |
| This ensures that one of the two SCIVs in the associated penetration flow path and one SGT subsystem can be initiated on an isolation signal from the given Function. For the Functions with two two-out-of-two logic trip systems (Functions 1, 2, and 3), this would require one trip system to have two channels, each OPERABLE or in trip. The Condition does not include the Manual Initiation Function (Function 4), since it is not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 24 hours (as allowed by Required Action A.1) is allowed.
| |
| The channels in the trip system in the more degraded state should be placed in trip. The decision as to which trip system is in the more degraded state should be based on prudent judgment and current plant conditions (i.e., what MODE the plant is in).
| |
| The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.
| |
| C.1.1, C.1.2, C.2.1, and C.2.2 If any Required Action and associated Completion Time of Condition A or B are not met, the ability to isolate the secondary containment and start the SGT System cannot be ensured. Therefore, further actions must be performed to ensure the ability to maintain the secondary containment function. Isolating the associated valves and starting the associated SGT subsystem (Required Actions C.1.1 and C.2.1) performs the intended function of the instrumentation and allows operations to continue.
| |
| Columbia Generating Station B 3.3.6.2-7 Revision 73
| |
| | |
| Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES ACTIONS (continued)
| |
| Alternatively, declaring the associated SCIVs or SGT subsystem inoperable (Required Actions C.1.2 and C.2.2) is also acceptable since the Required Actions of the respective LCOs (LCO 3.6.4.2 and LCO 3.6.4.3) provide appropriate actions for the inoperable components.
| |
| One hour is sufficient for plant operations personnel to establish required plant conditions or to declare the associated components inoperable without challenging plant systems.
| |
| SURVEILLANCE As noted at the beginning of the SRs, the SRs for each Secondary REQUIREMENTS Containment Isolation instrumentation Function are located in the SRs column of Table 3.3.6.2-1.
| |
| The Surveillances are also modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the associated Function maintains isolation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Action(s) taken.
| |
| This Note is based on the reliability analysis (Refs. 3 and 4) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the SCIVs will isolate the associated penetration flow paths and the SGT System will initiate when necessary.
| |
| SR 3.3.6.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a qualitative assessment, by observation, of channel behavior during operation. This determination includes, where possible, comparison of the channel indication and status to other indications or status derived from independent instrument channels measuring the same parameter. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Columbia Generating Station B 3.3.6.2-8 Revision 93
| |
| | |
| Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.
| |
| SR 3.3.6.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.6.2.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.6.2.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing, performed on SCIVs and the SGT System in LCO 3.6.4.2 and LCO 3.6.4.3, respectively, overlaps this Surveillance to provide complete testing of the assumed safety function.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.3.6.2-9 Revision 93
| |
| | |
| Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES REFERENCES 1. FSAR, Section 15.6.5.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| : 3. NEDO-31677-P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990.
| |
| : 4. NEDC-30851-P-A, Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.
| |
| Columbia Generating Station B 3.3.6.2-10 Revision 93
| |
| | |
| CREF System Instrumentation B 3.3.7.1 B 3.3 INSTRUMENTATION B 3.3.7.1 Control Room Environmental Filtration (CREF) System Instrumentation BASES BACKGROUND The CREF System is designed to provide a radiologically controlled environment to ensure the habitability of the control room for the safety of control room operators under all plant conditions. Two independent CREF subsystems are each capable of fulfilling the stated safety function.
| |
| The instrumentation and controls for the CREF System automatically initiate action to pressurize the main control room (MCR) to minimize the consequences of radioactive material in the control room environment.
| |
| In the event of a loss of coolant accident (LOCA) signal (Reactor Vessel Water Level - Low Low, Level 2, Drywell Pressure - High, or Reactor Building Vent Exhaust Plenum Radiation - High), the CREF System is automatically started in the pressurization mode. Sufficient outside air is drawn in through two separate remote fresh air intakes to keep the MCR slightly pressurized with respect to the radwaste and turbine buildings.
| |
| The outside air is then circulated through the charcoal filter. Both intakes are physically remote from all plant structures.
| |
| The CREF System automatic initiation instrumentation has two trip systems: one trip system initiates one CREF subsystem, while the second trip system initiates the other CREF subsystem (Ref. 1). Each trip system receives input from the automatic initiation Functions listed above. Each of these Functions are arranged in a two-out-of-two logic for each trip system. The channels include electronic equipment (e.g., trip relays) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel outputs a CREF System initiation signal to the initiation logic.
| |
| APPLICABLE The ability of the CREF System to maintain the habitability of the MCR is SAFETY explicitly assumed for certain accidents as discussed in the FSAR safety ANALYSES, LCO, analyses (Refs. 2 and 3). CREF System operation ensures that the and APPLICABILITY radiation exposure of control room personnel, through the duration of any one of the postulated accidents, does not exceed the limits set by GDC 19 of 10 CFR 50, Appendix A and 10 CFR 50.67.
| |
| CREF instrumentation satisfies Criterion 3 of Reference 4.
| |
| The OPERABILITY of the CREF System instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.7.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.
| |
| Columbia Generating Station B 3.3.7.1-1 Revision 73
| |
| | |
| CREF System Instrumentation B 3.3.7.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Allowable Values are specified for each CREF System Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. These nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint that is less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.
| |
| Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for process and all instrument uncertainties, except drift and calibration. The trip setpoints are derived from the analytic limits, corrected for process and all instrument uncertainties, including drift and calibration. The trip setpoints derived in this manner provide adequate protection because all instrumentation uncertainties and process effects are taken into account.
| |
| The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.
| |
| : 1. Reactor Vessel Water Level - Low Low, Level 2 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. A low reactor vessel water level could indicate a LOCA, and will automatically initiate the CREF System, since this could be a precursor to a potential radiation release and subsequent radiation exposure to control room personnel.
| |
| Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from four differential pressure transmitters with trip units that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available (two channels per trip system) and are required to be OPERABLE to ensure that no single instrument failure can preclude CREF System initiation. The Allowable Value for the Reactor Vessel Water Level - Low Low, Level 2 is chosen to be the same as the Secondary Containment Isolation Reactor Vessel Water Level -
| |
| Low Low, Level 2 Allowable Value (LCO 3.3.6.2).
| |
| Columbia Generating Station B 3.3.7.1-2 Revision 73
| |
| | |
| CREF System Instrumentation B 3.3.7.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| The Reactor Vessel Water Level - Low Low, Level 2 Function is required to be OPERABLE in MODES 1, 2, and 3 to ensure that the control room personnel are protected.
| |
| : 2. Drywell Pressure - High High pressure in the drywell could indicate a break in the reactor coolant pressure boundary (RCPB). A high drywell pressure signal could indicate a LOCA and will automatically initiate the CREF System, since this could be a precursor to a potential radiation release and subsequent radiation exposure to control room personnel.
| |
| Drywell Pressure - High signals are initiated from four pressure switches that sense drywell pressure. Four channels of Drywell Pressure - High Function are available (two channels per trip system) and are required to be OPERABLE to ensure that no single instrument failure can preclude CREF System initiation.
| |
| The Drywell Pressure - High Allowable Value was chosen to be the same as the Secondary Containment Isolation Drywell Pressure - High Allowable Value (LCO 3.3.6.2).
| |
| The Drywell Pressure - High Function is required to be OPERABLE in MODES 1, 2, and 3 to ensure that control room personnel are protected during a LOCA. In MODES 4 and 5, the Drywell Pressure - High Function is not required since there is insufficient energy in the reactor to pressurize the drywell to the Drywell Pressure - High setpoint.
| |
| : 3. Reactor Building Vent Exhaust Plenum Radiation - High High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding. The release may have originated from the primary containment due to a break in the RCPB or the refueling floor due to a fuel handling accident. When Reactor Building Vent Exhaust Plenum Radiation - High is detected, the CREF System is automatically initiated since this radiation release could result in radiation exposure to control room personnel.
| |
| Columbia Generating Station B 3.3.7.1-3 Revision 111
| |
| | |
| CREF System Instrumentation B 3.3.7.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
| |
| Reactor Building Vent Exhaust Plenum Radiation - High signals are initiated from four radiation monitors that measure radiation in the reactor building vent. Four channels of Reactor Building Vent Exhaust Plenum Radiation - High Function are available (two channels per trip system) and are required to be OPERABLE to ensure that no single instrument failure can preclude CREF System initiation.
| |
| There is no specific FSAR safety analysis that takes credit for this Function. It is retained for defense-in-depth of the specific function as required by the NRC in the plant licensing basis. The Reactor Building Vent Exhaust Plenum Radiation - High Allowable Value was originally chosen to be the same as the Secondary Containment Isolation Reactor Building Vent Exhaust Plenum Radiation - High Allowable Value (LCO 3.3.6.2).
| |
| The Reactor Building Vent Exhaust Plenum Radiation - High Function is required to be OPERABLE in MODES 1, 2, and 3 to ensure that control room personnel are protected during a LOCA.
| |
| ACTIONS A Note has been provided to modify the ACTIONS related to CREF System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable CREF System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable CREF System instrumentation channel.
| |
| A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.7.1-1. The applicable Condition specified in the Table is Function dependent. Each time an inoperable channel is discovered, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.
| |
| Columbia Generating Station B 3.3.7.1-4 Revision 111
| |
| | |
| CREF System Instrumentation B 3.3.7.1 BASES ACTIONS (continued)
| |
| B.1 and B.2 Because of the diversity of sensors available to provide initiation signals and the redundancy of the CREF System design, an allowable out of service time of 24 hours has been shown to be acceptable (Refs. 5 and 6) to permit restoration of any inoperable channel to OPERABLE status.
| |
| However, this out of service time is only acceptable provided the associated Function is still maintaining CREF System initiation capability.
| |
| A Function is considered to be maintaining CREF System initiation capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate an initiation signal from the given Function on a valid signal. This would require one trip system to have two channels, each OPERABLE or in trip. In this situation (loss of CREF System initiation capability), the 24 hour allowance of Required Action B.2 is not appropriate. If the Function is not maintaining CREF System initiation capability, the CREF System must be declared inoperable within 1 hour of discovery of loss of CREF System initiation capability in both trip systems (Required Action B.1). This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that the CREF System cannot be automatically initiated due to inoperable, untripped channels in the same Function in both trip systems.
| |
| The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoring or tripping of channels.
| |
| If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g.,
| |
| as in the case where placing the inoperable channel in trip would result in an initiation), Condition D must be entered and its Required Actions taken.
| |
| C.1 and C.2 Because of the diversity of sensors available to provide initiation signals and the redundancy of the CREF System design, an allowable out of service time of 12 hours has been shown to be acceptable (Refs. 5 and 7) to permit restoration of any inoperable channel to OPERABLE status.
| |
| However, this out of service time is only acceptable provided the associated Function is still maintaining CREF System initiation capability.
| |
| A Function is considered to be maintaining CREF System initiation Columbia Generating Station B 3.3.7.1-5 Revision 73
| |
| | |
| CREF System Instrumentation B 3.3.7.1 BASES ACTIONS (continued) capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate an initiation signal from the given Function on a valid signal. This would require one trip system to have two channels, each OPERABLE or in trip. In this situation (loss of CREF System initiation capability), the 12 hour allowance of Required Action C.2 is not appropriate. If the Function is not maintaining CREF System initiation capability, the CREF System must be declared inoperable within 1 hour of discovery of loss of CREF System initiation capability in both trip systems (Required Action C.1). This Completion time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action C.1, the Completion Time only begins upon discovery that the CREF System cannot be automatically initiated due to inoperable, untripped Drywell Pressure -
| |
| High channels in both trip systems. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoring or tripping of channels.
| |
| If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition, per Required Action C.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g.,
| |
| as in the case where placing the inoperable channel in trip would result in an initiation), Condition D must be entered and its Required Actions taken.
| |
| D.1 and D.2 With any Required Action and associated Completion Time of Condition B, C, or D not met, the associated CREF subsystem must be placed in the pressurization mode of operation (Required Action D.1) to ensure that control room personnel will be protected in the event of a Design Basis Accident. The method used to place the CREF subsystem in operation must provide for automatically reinitiating the subsystem upon restoration of power following a loss of power to the CREF subsystem(s). Alternately, if it is not desired to start the subsystem, the CREF subsystem associated with inoperable, untripped channels must be declared inoperable within 1 hour.
| |
| The 1 hour Completion Time is intended to allow the operator time to place the CREF subsystem in operation. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels, or for placing the associated CREF subsystem in operation.
| |
| Columbia Generating Station B 3.3.7.1-6 Revision 73
| |
| | |
| CREF System Instrumentation B 3.3.7.1 BASES SURVEILLANCE As noted at the beginning of the SRs, the SRs for each CREF System REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.7.1-1.
| |
| The Surveillances are also modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the associated Function maintains CREF System initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.
| |
| This Note is based on the reliability analysis (Refs. 5, 6, and 7) assumption of the average time required to perform channel surveillance.
| |
| That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the CREF System will initiate when necessary.
| |
| SR 3.3.7.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a qualitative assessment, by observation, of channel behavior during operation. This determination includes, where possible, comparison of the channel indication and status to other indications or status derived from independent instrument channels measuring the same parameter. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
| |
| Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with channels required by the LCO.
| |
| Columbia Generating Station B 3.3.7.1-7 Revision 93
| |
| | |
| CREF System Instrumentation B 3.3.7.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.3.7.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.7.1.3 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program..
| |
| SR 3.3.7.1.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.7.3, "Control Room Emergency Filtration (CREF) System," overlaps this Surveillance to provide complete testing of the assumed safety function.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.3.7.1-8 Revision 93
| |
| | |
| CREF System Instrumentation B 3.3.7.1 BASES REFERENCES 1. FSAR, Section 7.3.1.1.7.
| |
| : 2. FSAR, Section 6.4.
| |
| : 3. FSAR, Chapter 15.
| |
| : 4. 10CFR50.36(c)(2)(ii).
| |
| : 5. GENE-770-06-1-A, "Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," December 1992.
| |
| : 6. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990.
| |
| : 7. NEDC-30851P-A, Supplement 2, "Technical Specification Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.
| |
| Columbia Generating Station B 3.3.7.1-9 Revision 73
| |
| | |
| LOP Instrumentation B 3.3.8.1 B 3.3 INSTRUMENTATION B 3.3.8.1 Loss of Power (LOP) Instrumentation BASES BACKGROUND Successful operation of the required safety functions of the Emergency Core Cooling Systems (ECCS) is dependent upon the availability of adequate power sources for energizing the various components such as pump motors, motor operated valves, and the associated control components. The LOP instrumentation monitors the 4.16 kV emergency buses. Offsite power is the preferred source of power for the 4.16 kV emergency buses. If the monitors determine that insufficient power is available, the buses are disconnected from the offsite power sources and connected to the onsite diesel generator (DG) power sources.
| |
| Each 4.16 kV emergency bus has its own independent LOP instrumentation and associated trip logic. The voltage for the Division 1, 2, and 3 buses is monitored at two levels, which can be considered as two different undervoltage functions: loss of voltage and degraded voltage.
| |
| The Division 1 and 2 TR-S Loss of Voltage and the Division 3 Loss of Voltage Functions are monitored by two instruments per bus whose output trip contacts are arranged in a one-out-of-two logic configuration per bus. The Division 1 and 2 TR-B Loss of Voltage Function is monitored by one instrument per bus where output trip contacts are arranged in a one-out-of-one logic configuration per bus. The Degraded Voltage Function for Divisions 1, 2 and 3 4.16 kV Engineered Safety Feature (ESF) buses is monitored by three instruments per bus whose output trip contacts are arranged in a two-out-of-three logic configuration per bus (Ref. 1).
| |
| Upon a TR-S loss of voltage signal on the Division 1 and 2 4.16 kV ESF buses, the associated DG is started and a 3.5 second timer is initiated to allow recovery time for the TR-S source of power. If the loss of voltage was caused by an electrical fault, this timer is long enough to coordinate with the overcurrent protection relays. At the end of the 3.5 second timer, if bus voltage is still below the setpoint (as sensed by one of the two channels), the Division 1 and 2 1E bus breakers for TR-N1 and TR-S are tripped, the bus ESF loads are shed (except for the 480 V buses) and an additional timer is initiated (a 2 second timer). After the 2 second time delay an attempt is made to close the TR-B breaker if the backup source is available. These two timers constitute the Division 1 and 2 TR-S Loss of Voltage - Time Delay Function. In addition, at the end of the 3.5 second timer, a third timer is initiated that inhibits the DG breakers Columbia Generating Station B 3.3.8.1-1 Revision 78
| |
| | |
| LOP Instrumentation B 3.3.8.1 BASES BACKGROUND (continued) close signal for 4 seconds. This provides enough time for the 4.16 kV ESF buses to connect to the backup source if it is available. After the 4 second delay the DG breaker is allowed to close (if the TR-B breaker did not close) once the DG attains the proper frequency and voltage. This timer is not considered part of the LOP Instrumentation (it is tested in LCO 3.8.1, "AC Sources - Operating," and LCO 3.8.2, "AC Sources -
| |
| Shutdown").
| |
| Upon a TR-B loss of voltage signal on the Division 1 and 2 4.16 kV ESF buses while these buses are tied to TR-B, a 3.5 second timer is initiated to allow time to verify loss of voltage and to establish the TR-B source of power. At the end of the 3.5 second timer, if bus voltage is still below the setpoint, the Division 1 and 2 1E bus breakers for TR-B are tripped. This timer constitutes the Division 1 and 2 TR-B Loss of Voltage - Time Delay Function. The associated DG is started and the bus ESF loads are shed (except the 480 V buses) by the TR-S Loss of Voltage Function, as described earlier.
| |
| Upon a loss of voltage signal on the Division 3 4.16 kV ESF bus, a 2 second timer starts to allow recovery time for the failing source. If the loss of voltage was caused by an electrical fault, this timer is long enough to coordinate with the overcurrent protection relays. At the end of the 2 second time delay the preferred source breaker is tripped if bus voltage is still below the setpoint (as sensed by one of the two channels). In addition, at the end of the two second time delay, a 1.3 second timer is initiated. At the end of the 1.3 second timer the HPCS DG is started and the DG breaker closes as the DG reaches rated frequency. These two timers constitute the Division 3 Loss of Voltage - Time Delay Function.
| |
| Upon degraded voltage on Division 1, 2, or 3 4.16 kV ESF buses there is an eight second time delay before any action is taken to allow the degraded condition to recover. The Division 1 and 2 8 second time delay is further divided into a primary time delay of 5 seconds and a secondary time delay of 3 seconds. There are two primary time delay relays, but only one secondary time delay relay. The secondary time delay relay is started when both degraded voltage relays are tripped and their respective primary time delays have timed out. After the 8 second time delay the feeder breakers connecting the sources to the respective 4.16 kV ESF buses are tripped. The actions for Division 1 and 2 at this point during the degraded voltage condition are the same (utilizes the same timers) as the loss of voltage condition for Division 1 and 2 except the first three and one half second timer is bypassed. The actions for Division 3 at this point during the degraded voltage condition are the same (utilizes the same timers) as the loss of voltage condition for Division 3 except the first two second timer is bypassed.
| |
| Columbia Generating Station B 3.3.8.1-2 Revision 73
| |
| | |
| LOP Instrumentation B 3.3.8.1 BASES APPLICABLE The LOP instrumentation is required for the Engineered Safety Features SAFETY to function in any accident with a loss of offsite power. The required ANALYSES, LCO, channels of LOP instrumentation ensure that the ECCS and other and APPLICABILITY assumed systems powered from the DGs provide plant protection in the event of any of the analyzed accidents in References 2, 3, and 4 in which a loss of offsite power is assumed. The initiation of the DGs on loss of offsite power, and subsequent initiation of the ECCS, ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
| |
| Accident analyses credit the loading of two of the three DGs (i.e., the DG function) based on the loss of offsite power during a loss of coolant accident (LOCA). The diesel starting and loading times have been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power.
| |
| The LOP instrumentation satisfies Criterion 3 of Reference 5.
| |
| The OPERABILITY of the LOP instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.8.1-1. Each Function must have a required number of OPERABLE channels per 4.16 kV emergency bus, with their setpoints within the specified Allowable Values. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.
| |
| The Allowable Values are specified for each Function in the Table.
| |
| Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoint does not exceed the Allowable Value between CHANNEL CALIBRATIONS.
| |
| Operation with a trip setpoint less conservative than the nominal trip setpoint, but within the Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., degraded voltage), and when the measured output value of the process parameter exceeds the setpoint, the associated device changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for process and all instrument uncertainties, except drift and calibration. The trip setpoints are derived from the analytic limits, corrected for process and all instrument uncertainties, including drift and calibration. The trip setpoints derived in this manner provide adequate protection because all instrumentation uncertainties and process effects are taken into account. Some functions have both an upper and lower Columbia Generating Station B 3.3.8.1-3 Revision 73
| |
| | |
| LOP Instrumentation B 3.3.8.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) analytic limit that must be evaluated. The Allowable Values and the trip setpoints are derived from both an upper and lower analytic limit using the methodology described above. Due to the upper and lower analytic limits, Allowable Values of these Functions appear to incorporate a range.
| |
| However, the upper and lower Allowable Values are unique, with each Allowable Value associated with one unique analytic limit and trip setpoint.
| |
| The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis 1.a, 1.b, 1.c, 1.d, 2.a, 2.b. 4.16 kV Emergency Bus Undervoltage (Loss of Voltage)
| |
| Loss of voltage on a 4.16 kV emergency bus indicates that offsite power may be completely lost to the respective emergency bus and is unable to supply sufficient power for proper operation of the applicable equipment.
| |
| Therefore, the power supply to the bus is transferred from offsite power to DG power when the voltage on the bus drops below the Loss of Voltage Function Allowable Values (loss of voltage with a short time delay). This ensures that adequate power will be available to the required equipment.
| |
| The Bus Undervoltage Allowable Values are low enough to prevent inadvertent power supply transfer, but high enough to ensure power is available to the required equipment. The Time Delay Allowable Values are long enough to provide time for the offsite power supply to recover to normal voltages, shed certain loads, and coordinate with overcurrent protection relays, but short enough to ensure that power is available to the required equipment.
| |
| Two channels of Division 1 and 2 TR-S and Division 3 4.16 kV Emergency Bus Undervoltage (Loss of Voltage) Function and Time Delay Function per associated emergency bus are available and are required to be OPERABLE when the associated DG is required to be OPERABLE.
| |
| One channel of Division 1 and 2 TR-B 4.16 kV Emergency Bus Undervoltage (Loss of Voltage) Function and Time Delay Function per associated emergency bus is available and is required to be OPERABLE when the associated DG is required to be OPERABLE. Refer to LCO 3.8.1, and LCO 3.8.2, for Applicability Bases for the DGs.
| |
| Columbia Generating Station B 3.3.8.1-4 Revision 73
| |
| | |
| LOP Instrumentation B 3.3.8.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 1.e, 1.f, 1.g, 2.c, 2.d. 4.16 kV Emergency Bus Undervoltage (Degraded Voltage)
| |
| A reduced voltage condition on a 4.16 kV emergency bus indicates that while offsite power may not be completely lost to the respective emergency bus, power may be insufficient for starting large motors without risking damage to the motors that could disable the ECCS function. Therefore, power supply to the bus is transferred from offsite power to onsite DG power when the voltage on the bus drops below the Degraded Voltage Function Allowable Values (degraded voltage with a time delay). This ensures that adequate power will be available to the required equipment.
| |
| The Bus Undervoltage Allowable Values are low enough to prevent inadvertent power supply transfer, but high enough to ensure that sufficient power is available to the required equipment. The Time Delay Allowable Values are long enough to provide time for the offsite power supply to recover to normal voltages, but short enough to ensure that sufficient power is available to the required equipment.
| |
| Three channels of the Division 1 and 2 4.16 kV Emergency Bus Undervoltage (Degraded Voltage) - 4.16 kV Basis and - Primary Time Delay Functions per associated emergency bus are available, but only two channels of Division 1 and 2 4.16 kV Emergency Bus Undervoltage (Degraded Voltage) - 4.16 kV Basis and - Primary Time Delay Functions per associated emergency bus are required to be OPERABLE when the associated DG is required to be OPERABLE. One channel of Division 1 and 2 4.16 kV Emergency Bus Undervoltage (Degraded Voltage) -
| |
| Secondary Time Delay Function per associated emergency bus is available and required to be OPERABLE when the associated DG is required to be OPERABLE. Three channels of Division 3 4.16 kV Emergency Bus Undervoltage (Degraded Voltage) Function and Time Delay Function are available but only two are required to be OPERABLE when the associated DG is required to be OPERABLE. Note (a) has been added for the Division 1 and 2 4.16 kV Emergency Bus Undervoltage (Degraded Voltage) protection requirements to ensure the required Degraded Voltage - 4.16 kV Basis and - Primary Time Delay Functions are associated with one another, since only two of the available channels for each Function are required to be OPERABLE. Refer to LCO 3.8.1 and LCO 3.8.2 for Applicability Bases for the DGs.
| |
| Columbia Generating Station B 3.3.8.1-5 Revision 78
| |
| | |
| LOP Instrumentation B 3.3.8.1 BASES ACTIONS A Note has been provided to modify the ACTIONS related to LOP instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable LOP instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable LOP instrumentation channel.
| |
| A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.8.1-1. The applicable Condition specified in the Table is Function dependent. Each time a channel is discovered to be inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.
| |
| B.1 and B.2 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in loss of voltage initiation capability being lost for a DG. Initiation capability is lost if a) both Function 1.a channels for a division are inoperable, b) both Function 1.b channels for a division are inoperable, c) both Function 2.a channels are inoperable, or d) both Function 2.b channels are inoperable. In this situation (loss of initiation capability for a division),
| |
| the 24 hour allowance of Required Action B.2 is not appropriate and the DG associated with the inoperable channels must be declared inoperable within 1 hour. This ensures that the proper loss of initiation capability check is performed.
| |
| The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." The Completion Time only begins upon discovery that a DG cannot be automatically initiated due to inoperable channels within the Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.
| |
| Columbia Generating Station B 3.3.8.1-6 Revision 73
| |
| | |
| LOP Instrumentation B 3.3.8.1 BASES ACTIONS (continued)
| |
| Because of the redundancy of sensors available to provide initiation signals and the redundancy of the onsite AC power source design, an allowable out of service time of 24 hours is provided to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition D must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would cause the initiation.
| |
| C.1 With one or more channels of a Function inoperable, the Function is not capable of performing the intended function. Therefore, only 1 hour is allowed to restore the inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action C.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.
| |
| Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the channel in trip would result in a bus transfer and DG initiation), Condition D must be entered and its Required Action taken.
| |
| The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.
| |
| D.1, D.2.1, and D.2.2 If any Required Action and associated Completion Time of Condition B or C is not met, the associated Function may not be capable of performing the intended function. Therefore, the associated DG(s) are declared inoperable immediately (Required Action D.1). This requires entry into applicable Conditions and Required Actions of LCO 3.8.1 and LCO 3.8.2, which provide appropriate actions for the inoperable DG(s).
| |
| Alternately, for Functions 1.c and 1.d only, the TR-B loss of voltage instrumentation, the offsite circuit supply breaker to the associated 4.16 kV ESF bus must be opened immediately (Required Action D.2.1) and the associated offsite circuit declared inoperable immediately (Required Action D.2.2). These alternate Required Actions also provide appropriate compensatory measures since the TR-B loss of voltage instrumentation only affects the loss of voltage trip capability of the alternate offsite circuit.
| |
| Columbia Generating Station B 3.3.8.1-7 Revision 73
| |
| | |
| LOP Instrumentation B 3.3.8.1 BASES SURVEILLANCE As noted at the beginning of the SRs, the SRs for each LOP REQUIREMENTS Instrumentation Function are located in the SRs column of Table 3.3.8.1-1.
| |
| The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 2 hours provided the associated Function maintains initiation capability. Initiation capability is maintained provided the following can be initiated by the Function (i.e., Loss of Voltage and Degraded Voltage) for two of the three DGs and 4.16 kV ESF buses: DG start, disconnect from the offsite power source, transfer to the alternate offsite power source, if available, DG output breaker closure, and load shed. Upon completion of the Surveillance, or expiration of the 2 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.
| |
| SR 3.3.8.1.1 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. Any setpoint adjustments shall be consistent with the assumptions of the current plant specific setpoint methodology.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.8.1.2 and SR 3.3.8.1.3 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology.
| |
| The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.3.8.1-8 Revision 93
| |
| | |
| LOP Instrumentation B 3.3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.3.8.1.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required actuation logic for a specific channel. The system functional testing performed in LCO 3.8.1 and LCO 3.8.2 overlaps this Surveillance to provide complete testing of the assumed safety functions.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 8.3.1.1.1.
| |
| : 2. FSAR, Section 5.2.
| |
| : 3. FSAR, Section 6.3.
| |
| : 4. FSAR, Chapter 15.
| |
| : 5. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.3.8.1-9 Revision 93
| |
| | |
| RPS Electric Power Monitoring B 3.3.8.2 B 3.3 INSTRUMENTATION B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring BASES BACKGROUND The RPS Electric Power Monitoring System is provided to isolate the RPS bus from the motor generator (MG) set or an alternate power supply in the event of overvoltage, undervoltage, or underfrequency. This system protects the loads connected to the RPS bus against unacceptable voltage and frequency conditions (Ref. 1) and forms an important part of the primary success path for the essential safety circuits. Some of the essential equipment powered from the RPS buses includes the RPS logic, scram solenoids, and various valve isolation logic.
| |
| The RPS Electric Power Monitoring assembly will detect any abnormal high or low voltage or low frequency condition in the outputs of the two MG sets or the alternate power supply and will de-energize its respective RPS bus, thereby causing all safety functions normally powered by this bus to de-energize.
| |
| In the event of failure of an RPS Electric Power Monitoring System (e.g.,
| |
| both inseries electric power monitoring assemblies), the RPS loads may experience significant effects from the unregulated power supply.
| |
| Deviation from the nominal conditions can potentially cause damage to the scram solenoids and other Class 1E devices.
| |
| In the event of a low voltage condition for an extended period of time, the scram solenoids can chatter and potentially lose their pneumatic control capability, resulting in a loss of primary scram action.
| |
| In the event of an overvoltage condition the RPS logic relays and scram solenoids, as well as the main steam isolation valve solenoids, may experience a voltage higher than their design voltage. If the overvoltage condition persists for an extended time period, it may cause equipment degradation and the loss of plant safety function.
| |
| Two redundant Class 1E circuit breakers are connected in series between each RPS bus and its MG set, and between each RPS bus and its alternate power supply. Each of these circuit breakers has an associated independent set of Class 1E overvoltage, undervoltage, and underfrequency sensing logic. Together, a circuit breaker and its sensing logic constitute an electric power monitoring assembly. If the output of the MG set or the alternate power supply exceeds the predetermined limits of overvoltage, undervoltage, or underfrequency, a trip coil driven by this logic circuitry opens the circuit breaker, which removes the associated power supply from service.
| |
| Columbia Generating Station B 3.3.8.2-1 Revision 73
| |
| | |
| RPS Electric Power Monitoring B 3.3.8.2 BASES APPLICABLE RPS electric power monitoring is necessary to meet the assumptions of SAFETY the safety analyses by ensuring that the equipment powered from the ANALYSES RPS buses can perform its intended function. RPS electric power monitoring provides protection to the RPS and other systems that receive power from the RPS buses, by disconnecting the RPS from the power supply under specified conditions that could damage the RPS bus powered equipment.
| |
| RPS electric power monitoring satisfies Criterion 3 of Reference 2.
| |
| LCO The OPERABILITY of each RPS electric power monitoring assembly is dependent upon the OPERABILITY of the overvoltage, undervoltage, and underfrequency logic, as well as the OPERABILITY of the associated circuit breaker. Two electric power monitoring assemblies are required to be OPERABLE for each inservice power supply that supports equipment required to be OPERABLE (i.e., if the inservice power supply is not supporting any equipment required to be OPERABLE by Technical Specifications, then the associated electric power monitoring assemblies are not required to be OPERABLE). This provides redundant protection against any abnormal voltage or frequency conditions to ensure that no single RPS electric power monitoring assembly failure can preclude the function of RPS bus powered components. Each of the inservice electric power monitoring assembly trip logic setpoints is required to be within the specific Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.
| |
| Allowable Values are specified for each RPS electric power monitoring assembly trip logic (refer to SR 3.3.8.2.2). Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g.,
| |
| overvoltage), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters, including associated line losses, obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for process and all instrument uncertainties, except drift and calibration. The trip setpoints are derived from the analytic limits, corrected for process, and all instrument uncertainties, including drift and calibration. The trip setpoints derived in this manner provide adequate protection because all instrumentation uncertainties and process effects are taken into account.
| |
| Columbia Generating Station B 3.3.8.2-2 Revision 73
| |
| | |
| RPS Electric Power Monitoring B 3.3.8.2 BASES LCO (continued)
| |
| The Allowable Values for the instrument settings are based on the RPS providing 57 Hz, 120 V +/- 10% (to all equipment), and 115 V +/- 10 V (to scram and MSIV solenoids). The most limiting voltage requirement determines the settings of the electric power monitoring instrument channels. The settings are calculated based on the loads on the buses and RPS MG set or alternate power supply being 120 VAC and 60 Hz.
| |
| APPLICABILITY The operation of the RPS electric power monitoring assemblies is essential to disconnect the RPS bus powered components from the MG set or alternate power supply during abnormal voltage or frequency conditions. Since the degradation of a nonclass 1E source supplying power to the RPS bus can occur as a result of any random single failure, the OPERABILITY of the RPS electric power monitoring assemblies is required when the RPS bus powered components are required to be OPERABLE. This results in the RPS Electric Power Monitoring System OPERABILITY being required in MODES 1, 2, and 3, MODES 4 and 5 with both residual heat removal (RHR) shutdown cooling suction isolation valves open, and MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies.
| |
| ACTIONS A.1 If one RPS electric power monitoring assembly for an inservice power supply (MG set or alternate) is inoperable, or one RPS electric power monitoring assembly on each inservice power supply is inoperable, the OPERABLE assembly will still provide protection to the RPS bus powered components under degraded voltage or frequency conditions. However, the reliability and redundancy of the RPS Electric Power Monitoring System are reduced and only a limited time (72 hours) is allowed to restore the inoperable assembly(s) to OPERABLE status. If the inoperable assembly(s) cannot be restored to OPERABLE status, the associated power supply must be removed from service (Required Action A.1). This places the RPS bus in a safe condition. An alternate power supply with OPERABLE power monitoring assemblies may then be used to power the RPS bus.
| |
| The 72 hour Completion Time takes into account the remaining OPERABLE electric power monitoring assembly and the low probability of an event requiring RPS Electric Power Monitoring protection occurring during this period. It allows time for plant operations personnel to take corrective actions or to place the plant in the required condition in an orderly manner and without challenging plant systems.
| |
| Columbia Generating Station B 3.3.8.2-3 Revision 73
| |
| | |
| RPS Electric Power Monitoring B 3.3.8.2 BASES ACTIONS (continued)
| |
| Alternatively, if it is not desired to remove the power supply(s) from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation), Condition C or D, as applicable, must be entered and its Required Actions taken.
| |
| B.1 If both power monitoring assemblies for an inservice power supply (MG set or alternate) are inoperable, or both power monitoring assemblies in each inservice power supply are inoperable, the system protective function is lost. In this condition, 1 hour is allowed to restore one assembly to OPERABLE status for each inservice power supply. If one inoperable assembly for each inservice power supply cannot be restored to OPERABLE status, the associated power supplies must be removed from service within 1 hour (Required Action B.1). An alternate power supply with OPERABLE assemblies may then be used to power one RPS bus. The 1 hour Completion Time is sufficient for the plant operations personnel to take corrective actions and is acceptable because it minimizes risk while allowing time for restoration or removal from service of the electric power monitoring assemblies.
| |
| Alternately, if it is not desired to remove the power supply(s) from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation), Condition C or D, as applicable, must be entered and its Required Actions taken.
| |
| C.1 If any Required Action and associated Completion Time of Condition A or B are not met in MODE 1, 2, or 3, the plant must be brought to a MODE in which overall plant risk is minimized. The plant shutdown is accomplished by placing the plant in MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 4) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action C.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| Columbia Generating Station B 3.3.8.2-4 Revision 90
| |
| | |
| RPS Electric Power Monitoring B 3.3.8.2 BASES ACTIONS (continued)
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| D.1 and D.2 If any Required Action and associated Completion Time of Condition A or B are not met in MODE 4 or 5 with both RHR shutdown cooling suction isolation valves open, action must be immediately initiated to either restore one electric power monitoring assembly to OPERABLE status for the inservice power source supplying the required instrumentation powered from the RPS bus (Required Action D.1) or to isolate the RHR Shutdown Cooling System (Required Action D.2). Required Action D.1 is provided because the RHR Shutdown Cooling System may be needed to provide core cooling. All actions must continue until the applicable Required Actions are completed.
| |
| E.1 If any Required Action and associated Completion Time of Condition A or B are not met in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, the operator must immediately initiate action to fully insert all insertable control rods in core cells containing one or more fuel assemblies (Required Action E.1). This Required Action results in the least reactive condition for the reactor core and ensures that the safety function of the RPS (e.g., scram of control rods) is not required.
| |
| SURVEILLANCE The Surveillances are modified by a Note to indicate that when an RPS REQUIREMENTS electric power monitoring assembly is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the other RPS electric power monitoring assembly for the Columbia Generating Station B 3.3.8.2-5 Revision 90
| |
| | |
| RPS Electric Power Monitoring B 3.3.8.2 BASES SURVEILLANCE REQUIREMENTS (continued) associated power supply maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the assembly must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This 6 hour allowance is acceptable since it does not significantly reduce the probability that the RPS electric power monitoring assembly function will initiate when necessary.
| |
| SR 3.3.8.2.1 A CHANNEL FUNCTIONAL TEST is performed on each overvoltage, undervoltage, and underfrequency channel to ensure that the channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.
| |
| The CHANNEL FUNCTIONAL TEST is only required to be performed while the plant is in a condition in which the loss of the RPS bus will not jeopardize operation (the design of the system is such that the power source must be removed from service to conduct the Surveillance). In addition, if the plant will be shutdown in MODE 4 or 5 for an extended period of time it is acceptable to postpone the Surveillance until the plant is ready to go back to MODE 2 or 3. Performance of the SR immediately after shutdown would jeopardize the reliability of shutdown cooling during a time of high decay heat load. However, prior to restart it is reasonable to perform the surveillance to provide further assurance of the operability of equipment before returning to MODE 1. The 24 hours is intended to indicate an outage of sufficient duration to allow for scheduling and proper performance of the Surveillance. The Note in the Surveillance is based on guidance provided in Generic Letter 91-09 (Ref. 3).
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.3.8.2.2 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.3.8.2-6 Revision 93
| |
| | |
| RPS Electric Power Monitoring B 3.3.8.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.3.8.2.3 Performance of a system functional test demonstrates a required system actuation (simulated or actual) signal. The logic of the system will automatically trip open the associated power monitoring assembly circuit breaker. Only one signal per power monitoring assembly is required to be tested. This Surveillance overlaps with the CHANNEL CALIBRATION to provide complete testing of the safety function. The system functional test of the Class 1E circuit breakers is included as part of this test to provide complete testing of the safety function. If the breakers are incapable of operating, the associated electric power monitoring assembly would be inoperable.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 8.3.1.1.6.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| : 3. NRC Generic Letter 91-09, "Modification of Surveillance Interval for the Electric Protective Assemblies in Power Supplies for the Reactor Protection System."
| |
| : 4. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| Columbia Generating Station B 3.3.8.2-7 Revision 93
| |
| | |
| Recirculation Loops Operating B 3.4.1 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.1 Recirculation Loops Operating BASES BACKGROUND The Reactor Recirculation (RRC) System is designed to provide a forced coolant flow through the core to remove heat from the fuel. The forced coolant flow removes heat at a faster rate from the fuel than would be possible with just natural circulation. The forced flow, therefore, allows operation at significantly higher power than would otherwise be possible.
| |
| The RRC system also controls reactivity over a wide span of reactor power by varying the recirculation flow rate to control the void content of the moderator. The RRC System consists of two recirculation pump loops external to the reactor vessel. These loops provide the piping path for the driving flow of water to the reactor vessel jet pumps. Each external loop contains one variable speed motor driven recirculation pump, a two channel adjustable speed drive (ASD) unit to control pump speed, and associated piping, jet pumps, valves, and instrumentation.
| |
| The recirculation loops are part of the reactor coolant pressure boundary and are located inside the drywell structure. The jet pumps are reactor vessel internals.
| |
| The recirculated coolant consists of saturated water from the steam separators and dryers that has been subcooled by incoming feedwater.
| |
| This water passes down the annulus between the reactor vessel wall and the core shroud. A portion of the coolant flows from the vessel, through the two external recirculation loops, and becomes the driving flow for the jet pumps. Each of the two external recirculation loops discharges high pressure flow into an external manifold, from which individual recirculation inlet lines are routed to the jet pump risers within the reactor vessel. The remaining portion of the coolant mixture in the annulus becomes the driven flow for the jet pumps. This flow enters the jet pump at suction inlets and is accelerated by the driving flow. The drive flow and driven flow are mixed in the jet pump throat section and result in partial pressure recovery. The total flow then passes through the jet pump diffuser section into the area below the core (lower plenum), gaining sufficient head in the process to drive the required flow upward through the core.
| |
| The subcooled water enters the bottom of the fuel channels and contacts the fuel cladding, where heat is transferred to the coolant. As it rises, the coolant begins to boil, creating steam voids within the fuel channel that continue until the coolant exits the core. Because of reduced moderation, the steam voiding introduces negative reactivity that must be compensated for to maintain or to increase reactor power. The recirculation flow control allows operators to increase recirculation flow and sweep some of the voids from the fuel channel, overcoming the Columbia Generating Station B 3.4.1-1 Revision 73
| |
| | |
| Recirculation Loops Operating B 3.4.1 BASES BACKGROUND (continued) negative reactivity void effect. Thus, the reason for having variable recirculation flow is to compensate for reactivity effects of boiling over a wide range of power generation (i.e., 65 to 100% RTP) without having to move control rods and disturb desirable flux patterns. In addition, the combination of core flow and THERMAL POWER is normally maintained such that core thermal-hydraulic oscillations do not occur. These oscillations can occur during two-loop operation, as well as single-loop and no-loop operation. Plant procedures include requirements of this LCO as well as other vendor and NRC recommended requirements and actions to minimize the potential of core thermal-hydraulic oscillations.
| |
| Each recirculation loop is manually started from the control room. The ASD provides regulation of individual recirculation loop drive flows. The flow in each loop is manually controlled.
| |
| APPLICABLE The operation of the RRC System is an initial condition assumed in the SAFETY design basis loss of coolant accident (LOCA) (Ref. 1). During a LOCA ANALYSES caused by a recirculation loop pipe break, the intact loop is assumed to provide coolant flow during the first few seconds of the accident. The initial core flow decrease is rapid because the recirculation pump in the broken loop ceases to pump reactor coolant to the vessel almost immediately. The pump in the intact loop coasts down relatively slowly.
| |
| This pump coastdown governs the core flow response for the next several seconds until the jet pump suction is uncovered (Ref. 2). The analyses assume that both loops are operating at the same flow prior to the accident. However, the LOCA analysis was reviewed for the case with a flow mismatch between the two loops, with the pipe break assumed to be in the loop with the higher flow. While the flow coastdown and core response are potentially more severe in this assumed case (since the intact loop starts at a lower flow rate and the core response is the same as if both loops were operating at a lower flow rate), a small mismatch has been determined to be acceptable (Ref. 2). The recirculation system is also assumed to have sufficient flow coastdown characteristics to maintain fuel thermal margins during abnormal operational transients (Ref. 3), which are analyzed in Chapter 15 of the FSAR.
| |
| A plant specific LOCA analysis has been performed assuming only one operating recirculation loop. This analysis has demonstrated that, in the event of a LOCA caused by a pipe break in the operating recirculation loop, the Emergency Core Cooling System response will provide adequate core cooling, provided the APLHGR requirements are modified accordingly (Ref. 4).
| |
| Columbia Generating Station B 3.4.1-2 Revision 73
| |
| | |
| Recirculation Loops Operating B 3.4.1 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| The transient analyses in Chapter 15 of the FSAR have also been performed for single recirculation loop operation (Ref. 4) and demonstrate sufficient flow coastdown characteristics to maintain fuel thermal margins during the abnormal operational transients analyzed provided the MCPR requirements are modified. The APLHGR and MCPR limits for single loop operation are specified in the COLR. During single recirculation loop operation, modification to the Reactor Protection System (RPS) average power range monitor (APRM) instrument setpoints is also required to account for the different relationships between recirculation drive flow and reactor core flow. The ARPM Simulated Thermal Power- High Allowable Value is in LCO 3.3.1.1, Reactor Protection System (RPS)
| |
| Insturmentation.
| |
| Recirculation loops operating satisfies Criterion 2 of Reference 5.
| |
| LCO Two recirculation loops are normally required to be in operation with their flows matched within the limits specified in SR 3.4.1.1 to ensure that during a LOCA caused by a break of the piping of one recirculation loop the assumptions of the LOCA analysis are satisfied. Alternately, with only one recirculation loop in operation, modifications to the required APLHGR limits (LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"), MCPR limits (LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"), and APRM Simulated Thermal Power -
| |
| Upscale Allowable Value (LCO 3.3.1.1) must be applied to allow continued operation.
| |
| APPLICABILITY In MODES 1 and 2, requirements for operation of the Reactor Coolant Recirculation System are necessary since there is considerable energy in the reactor core and the limiting design basis transients and accidents are assumed to occur.
| |
| In MODES 3, 4, and 5, the consequences of an accident are reduced and the coastdown characteristics of the recirculation loops are not important.
| |
| ACTIONS A.1 and B.1 With both recirculation loops operating but the flows not matched, the recirculation loops must be restored to operation within 2 hours. If matched flows are not restored, the recirculation loop with lower flow must be declared "not in operation," as required by Required Action A.1.
| |
| This Required Action does not require tripping the recirculation pump in the lowest flow loop when the mismatch between total jet pump flows of the two loops is greater than the required limits. However, in cases where large flow mismatches occur, low flow or reverse flow can occur in the low flow loop jet pumps, causing vibration of the jet pumps. If zero or Columbia Generating Station B 3.4.1-3 Revision 87
| |
| | |
| Recirculation Loops Operating B 3.4.1 BASES ACTIONS (continued) reverse flow is detected, the condition should be alleviated by changing pump speeds to re-establish forward flow or by tripping the pump.
| |
| With the requirements of the LCO not met for reasons other than Condition A (e.g., one loop is "not in operation"), the recirculation loops must be restored to operation with matched flows within 4 hours. A recirculation loop is considered not in operation when the pump in that loop is idle or when the mismatch between total jet pump flows of the two loops is greater than required limits for greater than 2 hours (i.e.,
| |
| Required Action A.1 has been taken). Should a LOCA occur with one recirculation loop not in operation, the core flow coastdown and resultant core response may not be bounded by the LOCA analyses. Therefore, only a limited time is allowed to restore the inoperable loop to operating status.
| |
| Alternatively, if the single loop requirements of the LCO are applied to operating limits and RPS setpoints, operation with only one recirculation loop would satisfy the requirements of the LCO and the initial conditions of the accident sequence.
| |
| The 2 and 4 hour Completion Times are based on the low probability of an accident occurring during this time period, on a reasonable time to complete the Required Action, and on frequent core monitoring by operators allowing abrupt changes in core flow conditions to be quickly detected.
| |
| C.1 With the Required Action and associated Completion Time of Condition A or B not met, the unit is required to be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. In this condition, the recirculation loops are not required to be operating because of the reduced severity of DBAs and minimal dependence on the recirculation loop coastdown characteristics.
| |
| The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.4.1.1 REQUIREMENTS This SR ensures the recirculation loop flows are within the allowable limits for mismatch. At low core flow (i.e., < 70% of rated core flow, 75.95 x 106 lbm/hr), the MCPR requirements provide larger margins to the fuel cladding integrity Safety Limit such that the potential adverse effect of Columbia Generating Station B 3.4.1-4 Revision 87
| |
| | |
| Recirculation Loops Operating B 3.4.1 BASES SURVEILLANCE REQUIREMENTS (continued) early boiling transition during a LOCA is reduced. A larger flow mismatch can therefore be allowed when core flow is < 70% of rated core flow.
| |
| The mismatch is measured in terms of percent of rated recirculation loop drive flow. If the flow mismatch exceeds the specified limits, the loop with the lower flow is considered not in operation. This SR is not required when both loops are not in operation since the mismatch limits are meaningless during single loop or natural circulation operation. The Surveillance must be performed within 24 hours after both loops are in operation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Sections 6.3 and 15.6.
| |
| : 2. FSAR, Section 6.3.3.7.2.
| |
| : 3. FSAR, Section 5.4.1.
| |
| : 4. FSAR, Section 6.3.3.8 and 15.0.2.1.
| |
| : 5. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.4.1-5 Revision 93
| |
| | |
| Jet Pumps B 3.4.2 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.2 Jet Pumps BASES BACKGROUND The Reactor Recirculation (RRC) System is described in the Background section of the Bases for LCO 3.4.1, "Recirculation Loops Operating,"
| |
| which discusses the operating characteristics of the system and how these characteristics affect the Design Basis Accident (DBA) analyses.
| |
| The jet pumps are part of the RRC System and are designed to provide forced circulation through the core to remove heat from the fuel. The jet pumps are located in the annular region between the core shroud and the vessel inner wall. Because the jet pump suction elevation is at two thirds core height, the vessel can be reflooded and coolant level maintained at two thirds core height even with the complete break of the recirculation loop pipe that is located below the jet pump suction elevation.
| |
| Each reactor coolant recirculation loop contains 10 jet pumps.
| |
| Recirculated coolant passes down the annulus between the reactor vessel wall and the core shroud. A portion of the coolant flows from the vessel, through the two external recirculation loops, and becomes the driving flow for the jet pumps. Each of the two external recirculation loops discharges high pressure flow into an external manifold from which individual recirculation inlet lines are routed to the jet pump risers within the reactor vessel. The remaining portion of the coolant mixture in the annulus becomes the suction flow for the jet pumps. This flow enters the jet pump at suction inlets and is accelerated by the drive flow. The drive flow and suction flow are mixed in the jet pump throat section. The total flow then passes through the jet pump diffuser section into the area below the core (lower plenum), gaining sufficient head in the process to drive the required flow upward through the core.
| |
| APPLICABLE Jet pump OPERABILITY is an explicit assumption in the design basis loss SAFETY of coolant accident (LOCA) analysis evaluated in Reference 1.
| |
| ANALYSES The capability of reflooding the core to two-thirds core height is dependent upon the structural integrity of the jet pumps. If the structural system, including the beam holding a jet pump in place, fails, jet pump displacement and performance degradation could occur, resulting in an increased flow area through the jet pump and a lower core flooding elevation. This could adversely affect the water level in the core during the reflood phase of a LOCA as well as the assumed blowdown flow during a LOCA.
| |
| Jet pumps satisfy Criterion 2 of Reference 2.
| |
| Columbia Generating Station B 3.4.2-1 Revision 73
| |
| | |
| Jet Pumps B 3.4.2 BASES LCO The structural failure of any of the jet pumps could cause significant degradation in the ability of the jet pumps to allow reflooding to two thirds core height during a LOCA. OPERABILITY of all jet pumps is required to ensure that operation of the RRC System will be consistent with the assumptions used in the licensing basis analysis (Ref. 1).
| |
| APPLICABILITY In MODES 1 and 2, the jet pumps are required to be OPERABLE since there is a large amount of energy in the reactor core and since the limiting DBAs are assumed to occur in these MODES. This is consistent with the requirements for operation of the RRC System (LCO 3.4.1).
| |
| In MODES 3, 4, and 5, the RRC System is not required to be in operation, and when not in operation sufficient flow is not available to evaluate jet pump OPERABILITY.
| |
| ACTIONS A.1 An inoperable jet pump can increase the blowdown area and reduce the capability to reflood during a design basis LOCA. If one or more of the jet pumps are inoperable, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.4.2.1 REQUIREMENTS This SR is designed to detect significant degradation in jet pump performance that precedes jet pump failure (Ref. 3). This SR is required to be performed only when the loop has forced recirculation flow since Surveillance checks and measurements can only be performed during jet pump operation. The jet pump failure of concern is a complete mixer displacement due to jet pump beam failure. Jet pump plugging is also of concern since it adds flow resistance to the recirculation loop. Significant degradation is indicated if any two of the three specified criteria confirm unacceptable deviations from established patterns or relationships. The allowable deviations from the established patterns have been developed based on the variations experienced at plants during normal operation and with jet pump assembly failures (Refs. 3 and 4). Since refueling activities (fuel assembly replacement or shuffle, as well as any modifications to fuel support orifice size or core plate bypass flow) can affect the relationship between core flow, jet pump flow, and recirculation Columbia Generating Station B 3.4.2-2 Revision 73
| |
| | |
| Jet Pumps B 3.4.2 BASES SURVEILLANCE REQUIREMENTS (continued) loop flow, these relationships may need to be re-established each cycle.
| |
| Similarly, initial entry into extended single loop operation may also require establishment of these relationships. During the initial weeks of operation under such conditions, while base-lining new "established patterns,"
| |
| engineering judgement of the Surveillance results is used to detect significant abnormalities which could indicate a jet pump failure.
| |
| The recirculation pump speed operating characteristics (loop flow versus pump speed) are determined by the flow resistance from the loop suction through the jet pump nozzles. A change in the relationship may indicate a flow restriction, loss in pump hydraulic performance, leak, or new flow path between the recirculation pump discharge and jet pump nozzle. For this criterion, the loop flow versus pump speed relationship must be verified.
| |
| Total core flow can be determined from measurements of the recirculation loop drive flows. Once this relationship has been established, increased or reduced total core flow for the same recirculation loop drive flow may be an indication of failures in one or several jet pumps.
| |
| Individual jet pumps in a recirculation loop typically do not have the same flow. The unequal flow is due to the drive flow manifold, which does not distribute flow equally to all risers. The flow (or jet pump diffuser to lower plenum differential pressure) pattern or relationship of one jet pump to the loop average is repeatable. An appreciable change in this relationship is an indication that increased (or reduced) resistance has occurred in one of the jet pumps.
| |
| The deviations from normal are considered indicative of a potential problem in the recirculation drive flow or jet pump system (Ref. 3).
| |
| Normal flow ranges and established jet pump flow and differential pressure patterns are established by plotting historical data as discussed in Reference 3.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This SR is modified by two Notes. Note 1 allows this Surveillance not to be performed until 4 hours after the associated recirculation loop is in operation, since these checks can only be performed during jet pump operation. The 4 hours is an acceptable time to establish conditions appropriate for data collection and evaluation.
| |
| Columbia Generating Station B 3.4.2-3 Revision 93
| |
| | |
| Jet Pumps B 3.4.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| Note 2 allows this SR not to be performed until 24 hours after THERMAL POWER exceeds 25% RTP. During low flow conditions, jet pump noise approaches the threshold response of the associated flow instrumentation and precludes the collection of repeatable and meaningful data. The 24 hours is an acceptable time to establish conditions appropriate to perform this SR.
| |
| REFERENCES 1. FSAR, Section 6.3 and Chapter 15.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| : 3. GE Service Information Letter No. 330, including Supplement 1, "Jet Pump Beam Cracks," June 9, 1980.
| |
| : 4. NUREG/CR-3052, "Closeout of IE Bulletin 80-07: BWR Jet Pump Assembly Failure," November 1984.
| |
| Columbia Generating Station B 3.4.2-4 Revision 73
| |
| | |
| SRVs - 25% RTP B 3.4.3 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.3 Safety/Relief Valves (SRVs) - 25% RTP BASES BACKGROUND The American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code (Ref. 1) requires the Reactor Pressure Vessel be protected from overpressure during upset conditions by self actuated safety valves. As part of the nuclear pressure relief system, the size and number of safety/relief valves (SRVs) are selected such that peak pressure in the nuclear system will not exceed the ASME Code limits for the reactor coolant pressure boundary (RCPB).
| |
| The SRVs are located on the main steam lines between the reactor vessel and the first isolation valve within the drywell. Each SRV discharges steam through a discharge line to a point below the minimum water level in the suppression pool.
| |
| The SRVs can actuate by either of two modes: the safety mode or the relief mode. (However, for the purposes of this LCO, only the safety mode is required.) In the safety mode (or spring mode of operation), the direct action of the steam pressure in the main steam lines will act against a spring loaded disk that will pop open when the valve inlet pressure exceeds the spring force. In the relief mode (or power actuated mode of operation), a pneumatic piston/cylinder and mechanical linkage assembly are used to open the valve by overcoming the spring force, even with the valve inlet pressure equal to 0 psig. The pneumatic operator is arranged so that its malfunction will not prevent the valve disk from lifting if steam inlet pressure reaches the spring lift set pressures. In the relief mode, valves may be opened manually or automatically at the selected preset pressure. Seven of the SRVs that provide the safety and relief function are part of the Automatic Depressurization System specified in LCO 3.5.1, "ECCS - Operating."
| |
| APPLICABLE The overpressure protection system must accommodate the most severe SAFETY pressure transient. Evaluations have determined that the most severe ANALYSES transient is the closure of all main steam isolation valves (MSIVsfollowed by reactor scram on high neutron flux (i.e., failure of the direct scram associated with MSIV position) (Ref. 2). For the purpose of the overpressure protection analysis, 12 of the SRVs with the highest setpoints are assumed to operate in the safety mode. The analysis results demonstrate that the design SRV capacity is capable of maintaining reactor pressure below the ASME Code limit (Ref. 1) of 110%
| |
| of vessel design pressure (110% x 1250 psig = 1375 psig). This LCO helps to ensure that the acceptance limit of 1375 psig is met during the most severe pressure transient.
| |
| Columbia Generating Station B 3.4.3-1 Revision 73
| |
| | |
| SRVs - 25% RTP B 3.4.3 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| From an overpressure standpoint, the design basis events are bounded by the MSIV closure with flux scram event described above.
| |
| References 3, 4, and 5 discuss additional events that are expected to actuate the SRVs. The analysis described in Reference 5 also assumes that, for certain events (e.g., ECCS performance during a small break LOCA), of the 12 required OPERABLE SRVs, two SRVs with lift setpoints in the lowest two lift setpoint groups are OPERABLE.
| |
| SRVs - 25% RTP satisfy Criterion 3 of Reference 6.
| |
| LCO The safety function of 12 SRVs is required to be OPERABLE, with two SRVs in the lowest two lift setpoint groups OPERABLE. The requirements of this LCO are applicable only to the capability of the SRVs to mechanically open to relieve excess pressure when the lift setpoint is exceeded (safety mode). In Reference 2, an evaluation was performed to establish the parametric relationship between the peak vessel pressure and the number of OPERABLE SRVs. The results show that with a minimum of 12 SRVs in the safety mode OPERABLE, the ASME Code limit of 1375 psig is not exceeded. While the analysis assumes the overpressurization event is mitigated by SRVs with the highest setpoints (Ref. 2), the small break LOCA analysis (Ref. 5) assumes two of the 12 required OPERABLE SRVs have lift setpoints in the lowest two lift setpoint groups.
| |
| The SRV safety setpoints are established to ensure the ASME Code limit on peak reactor pressure is satisfied. The ASME Code specifications require the lowest safety valve be set at or below vessel design pressure (1250 psig) and the highest safety valve be set so the total accumulated pressure does not exceed 110% of the design pressure for overpressurization conditions. The transient evaluations in References 3, 4, 5, and 7 involving the safety mode are based on these setpoints, but also include the additional uncertainties of + 3% /-5% of the nominal setpoint to account for potential setpoint drift to provide an added degree of conservatism.
| |
| Operation with fewer valves OPERABLE than specified, or with setpoints outside the ASME limits, could result in a more severe reactor response to a transient than predicted, possibly resulting in the ASME Code limit on reactor pressure being exceeded or unacceptable core thermal margins.
| |
| Columbia Generating Station B 3.4.3-2 Revision 95
| |
| | |
| SRVs - 25% RTP B 3.4.3 BASES APPLICABILITY With THERMAL POWER 25% RTP, the specified number of SRVs must be OPERABLE since there is considerable energy in the reactor core and the limiting design basis transients are assumed to occur. The SRVs may be required to provide pressure relief to limit peak reactor pressure.
| |
| The requirements for SRVs in MODE 1 with THERMAL POWER
| |
| < 25% RTP and in MODES 2 and 3 are discussed in LCO 3.4.4, "SRVs -
| |
| < 25% RTP." In MODE 4, decay heat is low enough for the RHR System to provide adequate cooling, and reactor pressure is low enough that the overpressure limit is unlikely to be approached by assumed operational transients or accidents. In MODE 5, the reactor vessel head is unbolted or removed and the reactor is at atmospheric pressure. The SRV function is not needed during these conditions.
| |
| ACTIONS A.1 With less than the minimum number of required SRVs OPERABLE, a transient may result in the violation of the ASME Code limit on reactor pressure, or core thermal margins may be challenged. If one or more required SRVs are inoperable, the plant must be brought to a MODE or other specified Condition in which the LCO does not apply. To achieve this status, THERMAL POWER must be reduced to < 25% RTP within 4 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.4.3.1 REQUIREMENTS This Surveillance demonstrates that the required SRVs will open at the pressures assumed in the safety analysis of Reference 2. The demonstration of the SRV safety function lift settings is in accordance with the INSERVICE TESTING PROGRAM. The lift setting pressure shall correspond to ambient conditions of the valves at nominal operating temperatures and pressures.
| |
| Columbia Generating Station B 3.4.3-3 Revision 101
| |
| | |
| SRVs - 25% RTP B 3.4.3 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.4.3.2 A manual actuation of each required SRV is performed to verify that, mechanically, the valve is functioning properly. This can be demonstrated by one of the two methods described below. Foreign material exclusion during maintenance is used to verify that no blockage exists in the SRV discharge line.
| |
| The preferred method is by manual actuation of the SRV at atmospheric temperature and pressure during cold shutdown. When using this method, proper functioning of the valve and solenoid is demonstrated by visual observation of actuator movement and a change in position indication as read from the Main Control Room using the Valve Position Indication (VPI) Linear Variable Differential Transformer (LVDT) mounted on each SRV. Lifting the valve at atmospheric pressure requires controlling the actuator to set the valve disc softly on its seat to prevent valve damage. This is the preferred method because lifting the valves with steam flow increases the likelihood that the valve will leak.
| |
| Another method is by manual actuation of the SRV under hot conditions.
| |
| Proper functioning of the valve and solenoid is demonstrated by the response of the turbine governor valves or bypass valves, by a change in the measured steam flow, or any other method suitable to verify steam flow. If the valve fails to actuate due only to the failure of the solenoid but is capable of opening on overpressure, the safety function of the SRV is not considered inoperable.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. ASME, Boiler and Pressure Vessel Code, Section III.
| |
| : 2. FSAR, Section 15.2.4.
| |
| : 3. FSAR, Chapter 15.
| |
| : 4. GE-NE-187-24-0992, "WPPSS Nuclear Project 2 SRV Setpoint Tolerance and Out-of-Service Analysis," Revision 2, July 1993.
| |
| : 5. NEDC-32115P, Columbia Generating Station, "SAFER/GESTR-LOCA Loss-of-Coolant Accident Analysis," Revision 2, July 1993.
| |
| : 6. 10 CFR 50.36(c)(2)(ii).
| |
| : 7. 003N3650-RB, CGS SRV Safety Valve Setting Tolerance Change Supplement to GE-NE-187-24-0992, Rev2.
| |
| Columbia Generating Station B 3.4.3-4 Revision 96
| |
| | |
| SRVs - < 25% RTP B 3.4.4 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.4 Safety/Relief Valves (SRVs) - < 25% RTP BASES BACKGROUND A description of the safety/relief valves (SRVs) is provided in the Bases for LCO 3.4.3, "Safety/Relief Valves (SRVs) - 25% RTP."
| |
| APPLICABLE The overpressure protection system must accommodate the most severe SAFETY pressure transient. Evaluations have determined that the most severe ANALYSES transient is the closure of all main steam isolation valves (MSIVs) followed by reactor scram on high neutron flux (i.e., failure of the direct scram associated with MSIV position) (Ref. 1). OPERABILITY of SRVs is normally demonstrated during low power operation since an SRV test facility is not available at Columbia Generating Station. Therefore, in order to facilitate testing during power operations, an overpressure transient analysis was performed for the bounding accident at 25% RTP.
| |
| The analysis assumptions were similar to that in Reference 1; closure of all MSIVs followed by a reactor scram on high neutron flux (i.e., failure of the direct scram associated with MSIV position). For the purpose of the analysis, four of the SRVs with the highest setpoints are assumed to operate in the safety mode (Ref. 2). The analysis results demonstrate that the design SRV capacity is capable of maintaining reactor pressure below the ASME Code limit (Ref. 3) of 110% of vessel design pressure (110% x 1250 psig = 1375 psig). This LCO helps to ensure that the acceptance limit of 1375 psig is met during the most severe pressure transient.
| |
| From an overpressure standpoint, these design basis events are bounded by the MSIV closure with flux scram event described above.
| |
| References 4 and 5 discuss additional events that are expected to actuate the SRVs.
| |
| SRVs - < 25% RTP satisfy Criterion 3 of Reference 6.
| |
| LCO The safety function of four SRVs is required to be OPERABLE. The requirements of this LCO are applicable only to the capability of the SRVs to mechanically open to relieve excess pressure when the lift setpoint is exceeded (safety mode). In Reference 2, an evaluation was performed to establish the parametric relationship between the peak vessel pressure and the number of OPERABLE SRVs. The results show that with a minimum of four SRVs in the safety mode OPERABLE, the ASME Code limit of 1375 psig is not exceeded. Since the analysis assumes the overpressurization event is mitigated by SRVs with the highest setpoints, any four of the 18 SRVs can be used to meet this LCO.
| |
| Columbia Generating Station B 3.4.4-1 Revision 73
| |
| | |
| SRVs - < 25% RTP B 3.4.4 BASES LCO (continued)
| |
| The SRV safety setpoints are established to ensure the ASME Code limit on peak reactor pressure is satisfied. The ASME Code specifications require the lowest safety valve be set at or below vessel design pressure (1250 psig) and the highest safety valve be set so the total accumulated pressure does not exceed 110% of the design pressure for overpressurization conditions. The transient evaluations in References 4, 5, and 8 involving the safety mode are based on these setpoints, but also include the additional uncertainties of + 3% / -5%of the nominal setpoint to account for potential setpoint drift to provide an added degree of conservatism.
| |
| Operation with fewer valves OPERABLE than specified, or with setpoints outside the ASME limits, could result in a more severe reactor response to a transient than predicted, possibly resulting in the ASME Code limit on reactor pressure being exceeded.
| |
| APPLICABILITY In MODE 1 with THERMAL POWER < 25% RTP and MODES 2 and 3, the specified number of SRVs must be OPERABLE since there may be considerable energy in the reactor core and the limiting design basis transients are assumed to occur. The SRVs may be required to limit peak reactor pressure.
| |
| The requirements for SRVs with THERMAL POWER 25% RTP are discussed in LCO 3.4.3. In MODE 4, decay heat is low enough for the RHR System to provide adequate cooling, and reactor pressure is low enough that the overpressure limit cannot be approached by assumed operational transients or accidents. In MODE 5, the reactor vessel head is unbolted or removed and the reactor is at atmospheric pressure. The SRV function is not needed during these conditions.
| |
| ACTIONS A.1 With less than the minimum number of required SRVs OPERABLE, a transient may result in the violation of the ASME Code limit on reactor pressure. If one required SRV is inoperable, the plant must be brought to a MODE in which overall plant risk is minimized. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 7) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Columbia Generating Station B 3.4.4-2 Revision 95
| |
| | |
| SRVs - < 25% RTP B 3.4.4 BASES ACTIONS (continued)
| |
| Required Action A.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| B.1 and B.2 If two or more required SRVs are inoperable, a transient may result in the violation of the ASME Code limit on reactor pressure. The plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.4.4.1 REQUIREMENTS This Surveillance demonstrates that the required SRVs will open at the pressures assumed in the safety analysis of Reference 2. The demonstration of the SRV safety function lift settings is in accordance with the INSERVICE TESTING PROGRAM. The lift setting pressure shall correspond to ambient conditions of the valves at nominal operating temperatures and pressures.
| |
| SR 3.4.4.2 A manual actuation of each required SRV is performed to verify that, mechanically, the valve is functioning properly. This can be demonstrated by one of the two methods described below. Foreign material exclusion during maintenance is used to verify that no blockage exists in the SRV discharge line.
| |
| Columbia Generating Station B 3.4.4-3 Revision 101
| |
| | |
| SRVs - < 25% RTP B 3.4.4 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The preferred method is by manual actuation of the SRV at atmospheric temperature and pressure during cold shutdown. When using this method, proper functioning of the valve and solenoid is demonstrated by visual observation of actuator movement and a change in position indication as read from the Main Control Room using the Valve Position Indication (VPI) Linear Variable Differential Transformer (LVDT) mounted on each SRV. Lifting the valve at atmospheric pressure requires controlling the actuator to set the valve disc softly on its seat to prevent valve damage. This is the preferred method because lifting the valves with steam flow increases the likelihood that the valve will leak. The Note that modifies this SR is not needed when this method is used because the SR is performed during cold shutdown.
| |
| Another method is by manual actuation of the SRV under hot conditions.
| |
| Proper functioning of the valve and solenoid is demonstrated by the response of the turbine governor valves or bypass valves, by a change in the measured steam flow, or any other method suitable to verify steam flow. Adequate reactor steam dome pressure must be available to perform this test to avoid damaging the valve due to seat impact during closure. Also, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure and flow when the SRVs divert steam flow upon opening. Sufficient time is therefore allowed after the required pressure and flow are achieved to perform this test. Adequate pressure at which this test is to be performed is 900 psig (consistent with the recommendations of the vendor).
| |
| Adequate steam flow is represented by THERMAL POWER 10% RTP.
| |
| Plant startup is allowed prior to performing this test by this method because valve OPERABILITY and the setpoints for overpressure protection are verified, per ASME requirements, prior to reactor startup.
| |
| Therefore, this SR is modified by a Note that states the Surveillance is not required to be performed until 12 hours after reactor steam pressure and flow are adequate to perform the test. The 12 hours allowed for manual actuation after the required pressure and flow are reached is sufficient to achieve stable conditions for testing and provides a reasonable time to complete the SR. If the valve fails to actuate due only to the failure of the solenoid but is capable of opening on overpressure, the safety function of the SRV is not considered inoperable.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.4.4-4 Revision 96
| |
| | |
| SRVs - < 25% RTP B 3.4.4 BASES REFERENCES 1. FSAR, Section 15.2.4.
| |
| : 2. Columbia Generating Station Calculation NE-02-94-66, Revision 0, November 13, 1995.
| |
| : 3. ASME, Boiler and Pressure Vessel Code, Section III.
| |
| : 4. FSAR, Chapter 15.
| |
| : 5. GE-NE-187-24-0992, "WPPSS Nuclear Project 2 SRV Setpoint Tolerance and Out-of-Service Analysis," Revision 2, July 1993.
| |
| : 6. 10 CFR 50.36(c)(2)(ii).
| |
| : 7. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| : 8. 003N3650-RB, CGS SRV Safety Valve Setting Tolerance Change Supplement to GE-NE-187-24-0992, Rev2.
| |
| Columbia Generating Station B 3.4.4-5 Revision 96
| |
| | |
| RCS Operational LEAKAGE B 3.4.5 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.5 RCS Operational LEAKAGE BASES BACKGROUND The RCS includes systems and components that contain or transport the coolant to or from the reactor core. The pressure containing components of the RCS and the portions of connecting systems out to and including the isolation valves define the reactor coolant pressure boundary (RCPB).
| |
| The joints of the RCPB components are welded or bolted.
| |
| During plant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration. Limits on RCS operational LEAKAGE are required to ensure appropriate action is taken before the integrity of the RCPB is impaired. This LCO specifies the types and limits of LEAKAGE. This protects the RCS pressure boundary described in 10 CFR 50.2, 10 CFR 50.55a(c), and GDC 55 of 10 CFR 50, Appendix A (Refs. 1, 2, and 3).
| |
| The safety significance of leaks from the RCPB varies widely depending on the source, rate, and duration. Therefore, detection of LEAKAGE in the drywell is necessary. Methods for quickly separating the identified LEAKAGE from the unidentified LEAKAGE are necessary to provide the operators quantitative information to permit them to take corrective action should a leak occur detrimental to the safety of the facility or the public.
| |
| A limited amount of leakage inside the drywell is expected from auxiliary systems that cannot be made 100% leaktight. Leakage from these systems should be detected and isolated from the drywell atmosphere, if possible, so as not to mask RCS operational LEAKAGE detection.
| |
| This LCO deals with protection of the RCPB from degradation and the core from inadequate cooling, in addition to preventing the accident analyses radiation release assumptions from being exceeded. The consequences of violating this LCO include the possibility of a loss of coolant accident.
| |
| APPLICABLE The allowable RCS operational LEAKAGE limits are based on the SAFETY predicted and experimentally observed behavior of pipe cracks. The ANALYSES normally expected background LEAKAGE due to equipment design and the detection capability of the instrumentation for determining system LEAKAGE were also considered. The evidence from experiments suggests, for LEAKAGE even greater than the specified unidentified LEAKAGE limits, the probability is small that the imperfection or crack associated with such LEAKAGE would grow rapidly.
| |
| Columbia Generating Station B 3.4.5-1 Revision 73
| |
| | |
| RCS Operational LEAKAGE B 3.4.5 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| The unidentified LEAKAGE flow limit allows time for corrective action before the RCPB could be significantly compromised. The 5 gpm limit is a small fraction of the calculated flow from a critical crack in the primary system piping. Crack behavior from experimental programs (Refs. 4 and 5) shows leak rates of hundreds of gallons per minute will precede crack instability (Ref. 6).
| |
| The low limit on increase in unidentified LEAKAGE assumes a failure mechanism of intergranular stress corrosion cracking (IGSCC) that produces tight cracks. This flow increase limit is capable of providing an early warning of such deterioration.
| |
| No applicable safety analysis assumes the total LEAKAGE limit. The total LEAKAGE limit considers RCS inventory makeup capability and drywell floor sump capacity.
| |
| RCS operational LEAKAGE satisfies Criterion 2 of Reference 7.
| |
| LCO RCS operational LEAKAGE shall be limited to:
| |
| : a. Pressure Boundary LEAKAGE No pressure boundary LEAKAGE is allowed, being indicative of material degradation. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.
| |
| : b. Unidentified LEAKAGE Five gpm of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the drywell atmosphere monitoring and drywell floor drain sump flow monitoring equipment can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB.
| |
| : c. Total LEAKAGE The total LEAKAGE limit is based on a reasonable minimum detectable amount. The limit also accounts for LEAKAGE from known sources (identified LEAKAGE). Violation of this LCO indicates an unexpected amount of LEAKAGE and, therefore, could indicate new or additional degradation in an RCPB component or system.
| |
| Columbia Generating Station B 3.4.5-2 Revision 73
| |
| | |
| RCS Operational LEAKAGE B 3.4.5 BASES LCO (continued)
| |
| : d. Unidentified LEAKAGE Increase An unidentified LEAKAGE increase of > 2 gpm within the previous 24 hour period indicates a potential flaw in the RCPB and must be quickly evaluated to determine the source and extent of the LEAKAGE. The increase is measured relative to the steady state value; temporary changes in LEAKAGE rate as a result of transient conditions (e.g., startup) are not considered. As such, the 2 gpm increase limit is only applicable in MODE 1 when operating pressures and temperatures are established. Violation of this LCO could result in continued degradation of the RCPB.
| |
| APPLICABILITY In MODES 1, 2, and 3, the RCS operational LEAKAGE LCO applies because the potential for RCPB LEAKAGE is greatest when the reactor is pressurized.
| |
| In MODES 4 and 5, RCS operational LEAKAGE limits are not required since the reactor is not pressurized and stresses in the RCPB materials and potential for LEAKAGE are reduced.
| |
| ACTIONS A.1 With RCS unidentified or total LEAKAGE greater than the limits, actions must be taken to reduce the leak. Because the LEAKAGE limits are conservatively below the LEAKAGE that would constitute a critical crack size, 4 hours is allowed to reduce the LEAKAGE rates before the reactor must be shut down. If an unidentified LEAKAGE has been identified and quantified, it may be reclassified and considered as identified LEAKAGE.
| |
| However, the total LEAKAGE limit would remain unchanged.
| |
| B.1 and B.2 An unidentified LEAKAGE increase of > 2 gpm within a 24 hour period is an indication of a potential flaw in the RCPB and must be quickly evaluated. Although the increase does not necessarily violate the absolute unidentified LEAKAGE limit, certain susceptible components must be determined not to be the source of the LEAKAGE increase within the required Completion Time. For an unidentified LEAKAGE increase greater than required limits, an alternative to reducing LEAKAGE increase to within limits (i.e., reducing the leakage rate such that the current rate is less than the "2 gpm increase in the previous 24 hours" limit; either by isolating the source or other possible methods) is to evaluate RCS Columbia Generating Station B 3.4.5-3 Revision 73
| |
| | |
| RCS Operational LEAKAGE B 3.4.5 BASES ACTIONS (continued) type 304 and type 316 austenitic stainless steel piping that is subject to high stress or that contains relatively stagnant or intermittent flow fluids and determine it is not the source of the increased LEAKAGE. This type of piping is very susceptible to IGSCC.
| |
| The 4 hour Completion Time is needed to properly reduce the LEAKAGE increase or verify the source before the reactor must be shut down.
| |
| C.1 and C.2 If any Required Action and associated Completion Time of Condition A or B is not met or if pressure boundary LEAKAGE exists, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.4.5.1 REQUIREMENTS The RCS LEAKAGE is monitored by a variety of instruments designed to provide alarms when LEAKAGE is indicated and to quantify the various types of LEAKAGE. Leakage detection instrumentation is discussed in more detail in the Bases for LCO 3.4.7, "RCS Leakage Detection Instrumentation." Sump flow rate is typically monitored to determine actual LEAKAGE rates. However, any method may be used to quantify LEAKAGE within the guidelines of Reference 8. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. 10 CFR 50.2.
| |
| : 2. 10 CFR 50.55a(c).
| |
| : 3. 10 CFR 50, Appendix A, GDC 55.
| |
| : 4. GEAP-5620, "Failure Behavior in ASTM A106B Pipes Containing Axial Through-Wall Flaws," April 1968.
| |
| : 5. NUREG-75/067, "Investigation and Evaluation of Cracking in Austenitic Stainless Steel Piping of Boiling Water Reactors,"
| |
| October 1975.
| |
| Columbia Generating Station B 3.4.5-4 Revision 93
| |
| | |
| RCS Operational LEAKAGE B 3.4.5 BASES REFERENCES (continued)
| |
| : 6. FSAR, Section 5.2.5.5.2.
| |
| : 7. 10 CFR 50.36(c)(2)(ii).
| |
| : 8. Regulatory Guide 1.45, May 1973.
| |
| Columbia Generating Station B 3.4.5-5 Revision 93
| |
| | |
| RCS PIV Leakage B 3.4.6 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.6 RCS Pressure Isolation Valve (PIV) Leakage BASES BACKGROUND RCS PIVs are defined as any two normally closed valves in series within the reactor coolant pressure boundary (RCPB). The function of RCS PIVs is to separate the high pressure RCS from an attached low pressure system. This protects the RCS pressure boundary described in 10 CFR 50.2, 10 CFR 50.55a(c), and GDC 55 of 10 CFR 50, Appendix A (Refs. 1, 2, and 3). PIVs are designed to meet the requirements of Reference 4. During their lives, these valves can produce varying amounts of reactor coolant leakage through either normal operational wear or mechanical deterioration.
| |
| The RCS PIV LCO allows RCS high pressure operation when leakage through these valves exists in amounts that do not compromise safety.
| |
| The PIV leakage limit applies to each individual valve. Leakage through these valves is not included in any allowable LEAKAGE specified in LCO 3.4.5, "RCS Operational LEAKAGE."
| |
| Although this Specification provides a limit on allowable PIV leakage rate, its main purpose is to prevent overpressure failure of the low pressure portions of connecting systems. The leakage limit is an indication that the PIVs between the RCS and the connecting systems are degraded or degrading. PIV leakage could lead to overpressure of the low pressure piping or components. Failure consequences could be a loss of coolant accident (LOCA) outside of containment, an unanalyzed accident which could degrade the ability for low pressure injection.
| |
| A study (Ref. 5) evaluated various PIV configurations to determine the probability of intersystem LOCAs. This study concluded that periodic leakage testing of the PIVs can substantially reduce intersystem LOCA probability.
| |
| PIVs are provided to isolate the RCS from the following connected systems:
| |
| : a. Residual Heat Removal (RHR) System;
| |
| : b. Low Pressure Core Spray System;
| |
| : c. High Pressure Core Spray System; and
| |
| : d. Reactor Core Isolation Cooling System.
| |
| The PIVs are listed in Reference 6.
| |
| Columbia Generating Station B 3.4.6-1 Revision 73
| |
| | |
| RCS PIV Leakage B 3.4.6 BASES APPLICABLE Reference 5 evaluated various PIV configurations, leakage testing of the SAFETY valves, and operational changes to determine the effect on the ANALYSES probability of intersystem LOCAs. This study concluded that periodic leakage testing of the PIVs can substantially reduce the probability of an intersystem LOCA.
| |
| PIV leakage is not considered in any Design Basis Accident analyses.
| |
| This Specification provides for monitoring the condition of the RCPB to detect PIV degradation that has the potential to cause a LOCA outside of containment. RCS PIV leakage satisfies Criterion 2 of Reference 7.
| |
| LCO RCS PIV leakage is leakage into closed systems connected to the RCS.
| |
| Isolation valve leakage is usually on the order of drops per minute.
| |
| Leakage that increases significantly suggests that something is operationally wrong and corrective action must be taken. Violation of this LCO could result in continued degradation of a PIV, which could lead to overpressurization of a low pressure system and the loss of the integrity of a fission product barrier.
| |
| The LCO PIV leakage limit is 0.5 gpm per nominal inch of valve size with a maximum limit of 5 gpm (Ref. 4).
| |
| Reference 4 permits leakage testing at a lower pressure differential than between the specified maximum RCS pressure and the normal pressure of the connected system during RCS operation (the maximum pressure differential). The observed rate may be adjusted to the maximum pressure differential by assuming leakage is directly proportional to the pressure differential to the one-half power.
| |
| APPLICABILITY In MODES 1, 2, and 3, this LCO applies because the PIV leakage potential is greatest when the RCS is pressurized. In MODE 3, valves in the RHR flowpath are not required to meet the requirements of this LCO when in, or during transition to or from, the RHR shutdown cooling mode of operation.
| |
| In MODES 4 and 5, leakage limits are not provided because the lower reactor coolant pressure results in a reduced potential for leakage and for a LOCA outside the containment. Accordingly, the potential for the consequences of reactor coolant leakage is far lower during these MODES.
| |
| Columbia Generating Station B 3.4.6-2 Revision 73
| |
| | |
| RCS PIV Leakage B 3.4.6 BASES ACTIONS The ACTIONS are modified by two Notes. Note 1 has been provided to modify the ACTIONS related to RCS PIV flow paths. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.
| |
| However, the Required Actions for the Condition of RCS PIV leakage limits exceeded provide appropriate compensatory measures for separate, affected RCS PIV flow paths. As such, a Note has been provided that allows separate Condition entry for each affected RCS PIV flow path. Note 2 requires an evaluation of affected systems if a PIV is inoperable. The leakage may have affected system OPERABILITY, or isolation of a leaking flow path with an alternate valve may have degraded the ability of the interconnected system to perform its safety function. As a result, the applicable Conditions and Required Actions for systems made inoperable by PIVs must be entered. This ensures appropriate remedial actions are taken, if necessary, for the affected systems.
| |
| A.1 If leakage from one or more RCS PIVs is not within limit, the flow path must be isolated by at least one closed manual, de-activated, automatic, or check valve within 4 hours. Required Action A.1 is modified by a Note stating that a check valve used for isolation must meet the same leakage requirements as the PIVs and must be on the RCPB.
| |
| Four hours provides time to reduce leakage in excess of the allowable limit and to isolate the flow path if leakage cannot be reduced while corrective actions to reseat the leaking PIVs are taken. The 4 hours allows time for these actions, restricts the time of operation with leaking valves, and considers the low probability of a second valve failing during this time period and the low probability of a pressure boundary rupture of the low pressure ECCS piping when overpressurized to reactor pressure (Ref. 8).
| |
| B.1 and B.2 If leakage cannot be reduced or the system isolated, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours and to MODE 4 within 36 hours. This action may reduce the leakage and also Columbia Generating Station B 3.4.6-3 Revision 73
| |
| | |
| RCS PIV Leakage B 3.4.6 BASES ACTIONS (continued) reduces the potential for a LOCA outside the containment. The Completion Times are reasonable, based on operating experience, to achieve the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.4.6.1 REQUIREMENTS Performance of leakage testing on each RCS PIV is required to verify that leakage is below the specified limit and to identify each leaking valve.
| |
| The leakage limit of 0.5 gpm per inch of nominal valve diameter up to 5 gpm maximum applies to each valve. Leakage testing requires a stable pressure condition. As stated in the LCO section of the Bases, the test pressure may be at a lower pressure than the maximum pressure differential (at the RCS maximum pressure of 1035 psig), provided the observed leakage rate is adjusted in accordance with Reference 4. The actual test pressure shall be 935 psig. For the two PIVs in series, the leakage requirement applies to each valve individually and not to the combined leakage across both valves. If the PIVs are not individually leakage tested, one valve may have failed completely and not be detected if the other valve in series meets the leakage requirement. In this situation, the protection provided by redundant valves would be lost.
| |
| The Frequency required by the INSERVICE TESTING PROGRAM is within the ASME OM Code Frequency requirement and is based on the need to perform this Surveillance under the conditions that apply during an outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.
| |
| Therefore, this SR is modified by a Note that states the leakage Surveillance is only required to be performed in MODES 1 and 2. Entry into MODE 3 is permitted for leakage testing at high differential pressures with stable conditions not possible in the lower MODES.
| |
| Columbia Generating Station B 3.4.6-4 Revision 101
| |
| | |
| RCS PIV Leakage B 3.4.6 BASES REFERENCES 1. 10 CFR 50.2.
| |
| : 2. 10 CFR 50.55a(c).
| |
| : 3. 10 CFR 50, Appendix A, GDC 55.
| |
| : 4. ASME Code for Operation and Maintenance of Nuclear Power Plants.
| |
| : 5. NUREG-0677, "The Probability of Intersystem LOCA: Impact Due to Leak Testing and Operational Changes," May 1980.
| |
| : 6. Licensee Controlled Specifications Manual.
| |
| : 7. 10 CFR 50.36(c)(2)(ii).
| |
| : 8. NEDC-31339, "BWR Owners' Group Assessment of Emergency Core Cooling System Pressurization in Boiling Water Reactors,"
| |
| November 1986.
| |
| Columbia Generating Station B 3.4.6-5 Revision 73
| |
| | |
| RCS Leakage Detection Instrumentation B 3.4.7 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.7 RCS Leakage Detection Instrumentation BASES BACKGROUND GDC 30 of 10 CFR 50, Appendix A (Ref. 1), requires means for detecting and, to the extent practical, identifying the location of the source of RCS LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting leakage detection systems.
| |
| Limits on LEAKAGE from the reactor coolant pressure boundary (RCPB) are required so that appropriate action can be taken before the integrity of the RCPB is impaired (Ref. 2). Leakage detection systems for the RCS are provided to alert the operators when leakage rates above normal background levels are detected and also to supply quantitative measurement of rates. The Bases for LCO 3.4.5, "RCS Operational LEAKAGE," discuss the limits on RCS LEAKAGE rates.
| |
| Systems for separating the LEAKAGE of an identified source from an unidentified source are necessary to provide prompt and quantitative information to the operators to permit them to take immediate corrective action.
| |
| LEAKAGE from the RCPB inside the drywell is detected by at least one of two independently monitored variables, such as sump drain flow changes and drywell gaseous and particulate radioactivity levels. The primary means of quantifying LEAKAGE in the drywell is the drywell floor drain sump flow monitoring system.
| |
| The drywell floor drain sump flow monitoring system monitors the LEAKAGE collected in the floor drain sump. This unidentified LEAKAGE consists of LEAKAGE from control rod drives, valve flanges or packings, floor drains, the Reactor Building Closed Cooling Water System, and drywell air cooling unit condensate drains, and any LEAKAGE not collected in the drywell equipment drain sump. The drywell floor drain sump gravity drains to a reactor building floor drain sump. The drywell floor drain sump piping to the reactor building floor drain sump has a transmitter that supplies flow indication in the main control room. If the sump drain flow increases to the high flow alarm setpoint, an alarm sounds in the main control room, indicating a LEAKAGE rate from the sump in excess of a preset limit.
| |
| Columbia Generating Station B 3.4.7-1 Revision 73
| |
| | |
| RCS Leakage Detection Instrumentation B 3.4.7 BASES BACKGROUND (continued)
| |
| The drywell atmosphere monitoring systems (particulate and gaseous) continuously monitor the drywell atmosphere for airborne particulate and gaseous radioactivity. A sudden increase of radioactivity, which may be attributed to RCPB steam or reactor water LEAKAGE, is annunciated in the control room.
| |
| APPLICABLE A threat of significant compromise to the RCPB exists if the barrier SAFETY contains a crack that is large enough to propagate rapidly. LEAKAGE ANALYSES rate limits are set low enough to detect the LEAKAGE emitted from a single crack in the RCPB (Refs. 4 and 5).
| |
| A control room alarm allows the operators to evaluate the significance of the indicated LEAKAGE and, if necessary, shut down the reactor for further investigation and corrective action. The allowed LEAKAGE rates are well below the rates predicted for critical crack sizes (Ref. 6).
| |
| Therefore, these actions provide adequate response before a significant break in the RCPB can occur.
| |
| RCS leakage detection instrumentation satisfies Criterion 1 of Reference 7.
| |
| LCO This LCO requires instruments of diverse monitoring principles to be OPERABLE to provide confidence that small amounts of unidentified LEAKAGE are detected in time to allow actions to place the plant in a safe condition, when RCS LEAKAGE indicates possible RCPB degradation.
| |
| The LCO requires two instruments to be OPERABLE.
| |
| The drywell floor drain sump flow monitoring system is (continued) required to quantify the unidentified LEAKAGE rate from the RCS. The identification of an increase in unidentified LEAKAGE will be delayed by the time required for the unidentified LEAKAGE to travel to the drywell floor drain sump and it may take longer than 1 hour to detect a 1 gpm increase in unidentified LEAKAGE, depending on the origin and magnitude of the LEAKAGE. This sensitivity is acceptable for drywell floor drain sump flow monitor OPERABILITY.
| |
| Columbia Generating Station B 3.4.7-2 Revision 73
| |
| | |
| RCS Leakage Detection Instrumentation B 3.4.7 BASES LCO (continued)
| |
| The reactor coolant contains radioactivity that, when released to the drywell, can be detected by the gaseous or particulate drywell atmospheric radioactivity monitor. Only one of the two detectors is required to be OPERABLE. Radioactivity detection systems are included for monitoring both particulate and gaseous activities because of their sensitivities and rapid responses to RCS LEAKAGE, but have recognized limitations. Reactor coolant radioactivity levels will be low during initial reactor startup and for a few weeks thereafter, until activated corrosion products have been formed and fission products appear from fuel element cladding contamination or cladding defects. If there are few fuel element cladding defects and low levels of activation products, it may not be possible for the gaseous or particulate drywell atmospheric radioactivity monitors to detect a 1 gpm increase within 1 hour during normal operation. The particulate drywell atmospheric radioactivity monitor is OPERABLE when it is capable of detecting a 1 gpm increase in unidentified LEAKAGE within 1 hour given an RCS activity equivalent to that assumed in the design calculation for the monitor. The gaseous drywell atmospheric radioactivity monitor is OPERABLE when it is capable of detecting a 1 gpm increase in unidentified LEAKAGE within 10 hours given an RCS activity equivalent to that assumed in the design calculations for the monitor (Ref. 8).
| |
| The LCO is satisfied when monitors of diverse measurement means are available. Thus, the drywell floor drain sump flow monitor, in combination with a gaseous or particulate drywell atmospheric radioactivity monitor, provides an acceptable minimum.
| |
| APPLICABILITY In MODES 1, 2, and 3, leakage detection systems are required to be OPERABLE to support LCO 3.4.5. This Applicability is consistent with that for LCO 3.4.5.
| |
| Columbia Generating Station B 3.4.7-3 Revision 73
| |
| | |
| RCS Leakage Detection Instrumentation B 3.4.7 BASES ACTIONS A.1 With the drywell floor drain sump flow monitoring system inoperable, no other form of sampling can provide the equivalent information to quantify leakage. However, the drywell atmospheric activity monitor will provide indications of changes in leakage.
| |
| With the drywell floor drain sump flow monitoring system inoperable, but with RCS unidentified and total LEAKAGE being determined every 12 hours (SR 3.4.5.1), operation may continue for 30 days. The 30 day Completion Time of Required Action A.1 is acceptable, based on operating experience, considering the multiple forms of leakage detection that are still available.
| |
| B.1 and B.2 With both gaseous and particulate drywell atmospheric monitoring channels inoperable (i.e., the required drywell atmospheric monitoring system), grab samples of the drywell atmosphere shall be taken and analyzed to provide periodic leakage information. Provided a sample is obtained and analyzed every 12 hours, the plant may be operated for up to 30 days to allow restoration of at least one of the required monitors.
| |
| The 12 hour interval provides periodic information that is adequate to detect LEAKAGE. The 30 day Completion Time for restoration recognizes that at least one other form of leakage detection is available.
| |
| C.1, C.2, and C.3 With neither the drywell floor drain sump flow monitoring system nor the atmospheric particulate radioactivity monitor OPERABLE, the only means of detecting LEAKAGE is the drywell atmospheric gaseous radiation monitor. A Note clarifies this applicability of the Condition. The drywell atmospheric gaseous radiation monitor typically cannot detect a 1 gpm leak within 1 hour when RCS activity is low. In addition, this configuration does not provide the required diverse means of leakage detection.
| |
| Indirect methods of monitoring RCS leakage must be implemented. Grab samples of the drywell atmosphere must be taken and analyzed and monitoring of RCS leakage by administrative means must be performed every 12 hours to provide alternate periodic information.
| |
| Columbia Generating Station B 3.4.7-4 Revision 73
| |
| | |
| RCS Leakage Detection Instrumentation B 3.4.7 BASES ACTIONS (continued)
| |
| Administrative means of monitoring RCS leakage include monitoring and trending parameters that may indicate an increase in RCS leakage.
| |
| There are diverse alternative mechanisms from which appropriate indicators may be selected based on plant conditions. It is not necessary to utilize all of these methods, but a method or methods should be selected considering the current plant conditions and historical or expected sources of unidentified leakage. The administrative methods are drywell pressure and temperature, reactor building floor drain sump level alarm and fill-up and pump-out rates, reactor building closed cooling water system differential temperatures, drywell cooling fan inlet and outlet temperatures and safety relief valves tailpipe temperature. These indications, coupled with the atmospheric grab samples, are sufficient to alert the operating staff to an unexpected increase in unidentified LEAKAGE.
| |
| The 12 hour interval is sufficient to detect increasing RCS leakage. The Required Action provides 7 days to restore the drywell floor drain sump flow monitoring system to OPERABLE status to regain the intended leakage detection diversity. The 7 day Completion Time ensures that the plant will not be operated in a degraded configuration for a lengthy time period.
| |
| D.1 and D.2 If any Required Action and associated Completion Time of Condition A, B or C cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions in an orderly manner and without challenging plant systems.
| |
| E.1 With all required monitors inoperable, no required automatic means of monitoring LEAKAGE are available, and immediate plant shutdown in accordance with LCO 3.0.3 is required.
| |
| Columbia Generating Station B 3.4.7-5 Revision 73
| |
| | |
| RCS Leakage Detection Instrumentation B 3.4.7 BASES SURVEILLANCE The Surveillances are modified by a Note to indicate that when a channel REQUIREMENTS is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the other required instrumentation (either the drywell floor drain sump flow monitoring system or the drywell atmospheric monitoring channel, as applicable) is OPERABLE. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. The 6 hour testing allowance is acceptable since it does not significantly reduce the probability of properly monitoring drywell leakage.
| |
| SR 3.4.7.1 This SR requires the performance of a CHANNEL CHECK of the required drywell atmospheric monitoring system. Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred.
| |
| A CHANNEL CHECK is normally a qualitative assessment, by observation, of channel behavior during operation. This determination includes, where possible, comparison of the channel indication and status to other indications or status derived from independent instrument channels measuring the same parameter. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure, thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.4.7.2 This SR requires the performance of a CHANNEL FUNCTIONAL TEST of the required RCS leakage detection instrumentation. The test ensures that the monitors can perform their function in the desired manner. The test also verifies the alarm setpoint and relative accuracy of the instrument string. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.4.7.3 This SR requires the performance of a CHANNEL CALIBRATION of the required RCS leakage detection instrumentation channels. The calibration verifies the accuracy of the instrument string, including the Columbia Generating Station B 3.4.7-6 Revision 93
| |
| | |
| RCS Leakage Detection Instrumentation B 3.4.7 BASES SURVEILLANCE REQUIREMENTS (continued) instruments located inside the drywell. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 30.
| |
| : 2. Regulatory Guide 1.45, Revision 0, Reactor Coolant Pressure Boundary Leakage Detection Systems, May 1973.
| |
| : 3. Deleted
| |
| : 4. GEAP-5620, "Failure Behavior in ASTM A106B Pipes Containing Axial Through-Wall Flaws," April 1968.
| |
| : 5. NUREG-75/067, "Investigation and Evaluation of Cracking in Austenitic Stainless Steel Piping of Boiling Water Reactors,"
| |
| October 1975.
| |
| : 6. FSAR, Section 5.2.5.5.
| |
| : 7. 10 CFR 50.36(c)(2)(ii).
| |
| : 8. FSAR 7.6.2.4.
| |
| Columbia Generating Station B 3.4.7-7 Revision 93
| |
| | |
| RCS Specific Activity B 3.4.8 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.8 RCS Specific Activity BASES BACKGROUND During circulation, the reactor coolant acquires radioactive materials due to release of fission products from fuel leaks into the coolant and activation of corrosion products in the reactor coolant. These radioactive materials in the coolant can plate out in the RCS, and, at times, an accumulation will break away to spike the normal level of radioactivity.
| |
| The release of coolant during a Design Basis Accident (DBA) could send radioactive materials into the environment.
| |
| Limits on the maximum allowable level of radioactivity in the reactor coolant are established to ensure, in the event of a release of any radioactive material to the environment during a DBA, radiation doses are maintained within the limits of 10 CFR 50.67 (Ref. 1).
| |
| This LCO contains iodine specific activity limits. The iodine isotopic activities per gram of reactor coolant are expressed in terms of a DOSE EQUIVALENT I-131. The allowable levels are intended to limit the 2 hour radiation dose to an individual at the site boundary to 10% of the 10 CFR 50.67 limit.
| |
| APPLICABLE Analytical methods and assumptions involving radioactive material in the SAFETY primary coolant are presented in the FSAR (Ref. 2). The specific activity ANALYSES in the reactor coolant (the source term) is an initial condition for evaluation of the consequences of an accident due to a main steam line break (MSLB) outside containment. No fuel damage is postulated in the MSLB accident, and the release of radioactive material to the environment is assumed to end when the main steam isolation valves (MSIVs) close completely.
| |
| This MSLB release forms the basis for determining offsite doses (Ref. 2).
| |
| The limits on the specific activity of the primary coolant ensure that the 2 hour thyroid and whole body doses at the site boundary, resulting from an MSLB outside containment during steady state operation, will not exceed the dose guidelines of 10 CFR 50.67. The MSLB analysis (Ref. 2) evaluates two source term cases. The source term for the first case is based on the Dose Equivalent I-131 limit of 0.2 µCi/gm provided in the LCO. The second case postulates a pre-accident iodine spike and uses a 4.0 µCi/gm Dose Equivalent I-131 source term. For the first case, the regulatory limit for the offsite dose is 10% of the limit specified in 10 CFR 50.67. The full offsite dose limit of 10 CFR 50.67 is applicable to the pre-accident iodine spiking case.
| |
| Columbia Generating Station B 3.4.8-1 Revision 73
| |
| | |
| RCS Specific Activity B 3.4.8 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| The limit on specific activity is a value from a parametric evaluation of typical site locations. This limit is conservative because the evaluation considered more restrictive parameters than for a specific site, such as the location of the site boundary and the meteorological conditions of the site.
| |
| RCS specific activity satisfies Criterion 2 of Reference 3.
| |
| LCO The specific iodine activity is limited to 0.2 µCi/gm DOSE EQUIVALENT I-131. This limit ensures the source term assumed in the safety analysis for the MSLB is not exceeded, so any release of radioactivity to the environment during an MSLB is less than a small fraction of the 10 CFR 50.67 limits.
| |
| APPLICABILITY In MODE 1, and MODES 2 and 3 with any main steam line not isolated, limits on the primary coolant radioactivity are applicable since there is an escape path for release of radioactive material from the primary coolant to the environment in the event of an MSLB outside of primary containment.
| |
| In MODES 2 and 3 with the main steam lines isolated, such limits do not apply since an escape path does not exist. In MODES 4 and 5, no limits are required since the reactor is not pressurized and the potential for leakage is reduced.
| |
| ACTIONS A.1 and A.2 When the reactor coolant specific activity exceeds the LCO DOSE EQUIVALENT I-131 limit, but is 4.0 µCi/gm, samples must be analyzed for DOSE EQUIVALENT I-131 at least once every 4 hours. In addition, the specific activity must be restored to the LCO limit within 48 hours.
| |
| The Completion Time of once every 4 hours is based on the time needed to take and analyze a sample. The 48 hour Completion Time to restore the activity level provides a reasonable time for temporary coolant activity increases (iodine spikes or crud bursts) to be cleaned up with the normal processing systems.
| |
| A Note permits the use of the provisions of LCO 3.0.4.c. This allowance permits entry into the applicable MODE(S) while relying on the ACTIONS.
| |
| Columbia Generating Station B 3.4.8-2 Revision 73
| |
| | |
| RCS Specific Activity B 3.4.8 BASES ACTIONS (continued)
| |
| This allowance is acceptable due to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient specific activity excursions while the plant remains at, or proceeds to power operation.
| |
| B.1, B.2.1, B.2.2.1, and B.2.2.2 If the DOSE EQUIVALENT I-131 cannot be restored to 0.2 µCi/gm within 48 hours, or if at any time it is > 4.0 µCi/gm, it must be determined at least every 4 hours and all the main steam lines must be isolated within 12 hours. Isolating the main steam lines precludes the possibility of releasing radioactive material to the environment in an amount that is more than the requirements of 10 CFR 50.67 during a postulated MSLB accident.
| |
| Alternately, the plant can be brought to MODE 3 within 12 hours and to MODE 4 within 36 hours. This option is provided for those instances when isolation of main steam lines is not desired (e.g., due to the decay heat loads). In MODE 4, the requirements of the LCO are no longer applicable.
| |
| The Completion Time of once every 4 hours is the time needed to take and analyze a sample. The 12 hour Completion Time is reasonable, based on operating experience, to isolate the main steam lines in an orderly manner and without challenging plant systems. Also, the allowed Completion Times for Required Actions B.2.2.1 and B.2.2.2 for bringing the plant to MODES 3 and 4 are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.4.8.1 REQUIREMENTS This Surveillance is performed to ensure iodine remains within limit during normal operation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note that requires this Surveillance to be performed only in MODE 1 because the level of fission products generated in other MODES is much less.
| |
| Columbia Generating Station B 3.4.8-3 Revision 93
| |
| | |
| RCS Specific Activity B 3.4.8 BASES REFERENCES 1. 10 CFR 50.67, "Accident Source Term."
| |
| : 2. FSAR, Section 15.6.4.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.4.8-4 Revision 73
| |
| | |
| RHR Shutdown Cooling System - Hot Shutdown B 3.4.9 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.9 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown BASES BACKGROUND Irradiated fuel in the shutdown reactor core generates heat during the decay of fission products and increases the temperature of the reactor coolant. This decay heat must be removed to reduce the temperature of the reactor coolant to 200°F in preparation for performing Refueling or Cold Shutdown maintenance operations, or the decay heat must be removed for maintaining the reactor in the Hot Shutdown condition.
| |
| The two redundant, manually controlled shutdown cooling subsystems of the RHR System provide decay heat removal. Each loop consists of a motor driven pump, a heat exchanger, and associated piping and valves.
| |
| Both loops have a common suction from the same recirculation loop.
| |
| Each pump discharges the reactor coolant, after circulation through the respective heat exchanger, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the Standby Service Water System (LCO 3.7.1, "Standby Service Water (SW) System and Ultimate Heat Sink (UHS)").
| |
| APPLICABLE Decay heat removal by the RHR System in the shutdown cooling mode is SAFETY not required for mitigation of any event or accident evaluated in the ANALYSES safety analyses. Decay heat removal is, however, an important safety function that must be accomplished or core damage could result. The RHR Shutdown Cooling System meets Criterion 4 of Reference 1.
| |
| LCO Two RHR shutdown cooling subsystems are required to be OPERABLE, and, when no recirculation pump is in operation, one shutdown cooling subsystem must be in operation. An OPERABLE RHR shutdown cooling subsystem consists of one OPERABLE RHR pump, one heat exchanger, and the associated piping and valves. Each shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. In MODE 3, one RHR shutdown cooling subsystem can provide the required cooling, but two subsystems are required to be OPERABLE to provide redundancy. Operation of one subsystem can maintain or reduce the reactor coolant temperature as required. However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. Management of gas voids is important to RHR Shutdown Cooling System OPERABILITY.
| |
| Columbia Generating Station B 3.4.9-1 Revision 105
| |
| | |
| RHR Shutdown Cooling System - Hot Shutdown B 3.4.9 BASES LCO (continued)
| |
| Note 1 permits both RHR shutdown cooling subsystems and recirculation pumps to be shut down for a period of 2 hours in an 8 hour period.
| |
| Note 2 allows one RHR shutdown cooling subsystem to be inoperable for up to 2 hours for performance of surveillance tests. These tests may be on the affected RHR System or on some other plant system or component that necessitates placing the RHR System in an inoperable status during the performance. This is permitted because the core heat generation can be low enough and the heatup rate slow enough to allow some changes to the RHR subsystems or other operations requiring RHR flow interruption and loss of redundancy.
| |
| APPLICABILITY In MODE 3 with reactor steam dome pressure below 48 psig (with an associated saturation temperature of 295°F), the RHR Shutdown Cooling System must be OPERABLE and shall be operated in the shutdown cooling mode to remove decay heat to reduce or maintain coolant temperature. Otherwise, a recirculation pump is required to be in operation.
| |
| In MODES 1 and 2, and in MODE 3 with reactor steam dome pressure greater than or equal to 48 psig, this LCO is not applicable. Operation of the RHR System in the shutdown cooling mode is not allowed above 295°F because this temperature may exceed the analyzed value of the shutdown cooling mode of the RHR System. Decay heat removal at reactor pressures greater than or equal to 48 psig is typically accomplished by condensing the steam in the main condenser.
| |
| Additionally, in MODE 2 below this pressure, the OPERABILITY requirements for the Emergency Core Cooling Systems (ECCS)
| |
| (LCO 3.5.1, "ECCS - Operating") do not allow placing the RHR shutdown cooling subsystem into operation.
| |
| The requirements for decay heat removal in MODES 4 and 5 are discussed in LCO 3.4.10, "Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown"; LCO 3.9.8, "Residual Heat Removal (RHR) - High Water Level"; and LCO 3.9.9, "Residual Heat Removal (RHR) - Low Water Level."
| |
| Columbia Generating Station B 3.4.9-2 Revision 73
| |
| | |
| RHR Shutdown Cooling System - Hot Shutdown B 3.4.9 BASES ACTIONS A Note has been provided to modify the ACTIONS related to RHR shutdown cooling subsystems. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable shutdown cooling subsystems provide appropriate compensatory measures for separate inoperable shutdown cooling subsystems. As such, a Note has been provided that allows separate Condition entry for each inoperable RHR shutdown cooling subsystem.
| |
| A.1, A.2, and A.3 With one RHR shutdown cooling subsystem inoperable for decay heat removal, except as permitted by LCO Note 2, the inoperable subsystem must be restored to OPERABLE status without delay. In this condition, the remaining OPERABLE subsystem can provide the necessary decay heat removal. The overall reliability is reduced, however, because a single failure in the OPERABLE subsystem could result in reduced RHR shutdown cooling capability. Therefore an alternate method of decay heat removal must be provided.
| |
| With both RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem inoperability.
| |
| This re-establishes backup decay heat removal capabilities, similar to the requirements of the LCO. The 1 hour Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities.
| |
| The required cooling capacity of the alternate method should be ensured by verifying (by calculation or demonstration) its capability to maintain or reduce temperature. Decay heat removal by ambient losses can be considered as, or contributing to, the alternate method capability.
| |
| Alternate methods that can be used include (but are not limited to) the Condensate and Main Steam Systems, the Reactor Water Cleanup System (by itself, or using feed and bleed in combination with the Control Rod Drive System or Condensate System) and, a combination of an ECCS pump and a safety/relief valve.
| |
| However, due to the potentially reduced reliability of the alternate methods of decay heat removal, it is also required to reduce the reactor coolant temperature to the point where MODE 4 is entered.
| |
| Columbia Generating Station B 3.4.9-3 Revision 73
| |
| | |
| RHR Shutdown Cooling System - Hot Shutdown B 3.4.9 BASES ACTIONS (continued)
| |
| B.1, B.2, and B.3 With no RHR shutdown cooling subsystem and no recirculation pump in operation, except as is permitted by LCO Note 1, reactor coolant circulation by the RHR shutdown cooling subsystem or one recirculation pump must be restored without delay.
| |
| Until RHR or recirculation pump operation is re-established, an alternate method of reactor coolant circulation must be placed into service. This will provide the necessary circulation for monitoring coolant temperature.
| |
| The 1 hour Completion Time is based on the coolant circulation function and is modified such that the 1 hour is applicable separately for each occurrence involving a loss of circulation. Furthermore, verification of the functioning of the alternate method must be reconfirmed every 12 hours thereafter. This will provide assurance of continued temperature monitoring capability.
| |
| During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem or recirculation pump), the reactor coolant temperature and pressure must be periodically monitored to ensure proper function of the alternate method. The once per hour Completion Time is deemed appropriate.
| |
| SURVEILLANCE SR 3.4.9.1 REQUIREMENTS This Surveillance verifies that one RHR shutdown cooling subsystem or recirculation pump is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This Surveillance is modified by a Note allowing sufficient time to align the RHR System for shutdown cooling operation after achieving less than 48 psig reactor steam dome pressure, or for placing a recirculation pump in operation. The Note takes exception to the requirements of the Surveillance being met (i.e., forced coolant circulation is not required for this initial 2 hour period), which also allows entry into the Applicability of this Specification in accordance with SR 3.0.4 since the Surveillance will not be "not met" at the time of entry into the Applicability.
| |
| Columbia Generating Station B 3.4.9-4 Revision 105
| |
| | |
| RHR Shutdown Cooling System - Hot Shutdown B 3.4.9 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.4.9.2 RHR Shutdown Cooling System piping and components have the potential to develop voids and pockets of entrained gases. Preventing and managing gas intrusion and accumulation is necessary for proper operation of the RHR shutdown cooling subsystems and may also prevent water hammer, pump cavitation, and pumping of noncondensible gas into the reactor vessel.
| |
| Selection of RHR Shutdown Cooling System locations susceptible to gas accumulation is based on a review of system design information, including piping and instrumentation drawings, isometric drawings, plan and elevation drawings, and calculations. The design review is supplemented by system walk downs to validate the system high points and to confirm the location and orientation of important components that can become sources of gas or could otherwise cause gas to be trapped or difficult to remove during system maintenance or restoration.
| |
| Susceptible locations depend on plant and system configuration, such as stand-by versus operating conditions.
| |
| The RHR Shutdown Cooling System is OPERABLE when it is sufficiently filled with water. Acceptance criteria are established for the volume of accumulated gas at susceptible locations. If accumulated gas is discovered that exceeds the acceptance criteria for the susceptible location (or the volume of accumulated gas at one or more susceptible locations exceeds an acceptance criteria for gas volume at the suction or discharge of a pump), the Surveillance is not met. If it is determined by subsequent evaluation that the RHR Shutdown Cooling System is not rendered inoperable by the accumulated gas (i.e., the system is sufficiently filled with water), the Surveillance may be declared met.
| |
| Accumulated gas should be eliminated or brought within the acceptance criteria limits.
| |
| RHR Shutdown Cooling System locations susceptible to gas accumulation are monitored and, if gas is found, the gas volume is compared to the acceptance criteria for the location. Susceptible locations in the same system flow path which are subject to the same gas intrusion mechanisms may be verified by monitoring a representative sub-set of susceptible locations. Monitoring may not be practical for locations that are inaccessible due to radiological or environmental conditions, the plant configuration, or personnel safety. For these locations alternative methods (e.g., operating parameters, remote monitoring) may be used to monitor the susceptible location. Monitoring is not required for susceptible locations where the maximum potential accumulated gas void volume has been evaluated and determined to not challenge system OPERABILITY. The accuracy of the method used for monitoring the Columbia Generating Station B 3.4.9-5 Revision 105
| |
| | |
| RHR Shutdown Cooling System - Hot Shutdown B 3.4.9 BASES SURVEILLANCE REQUIREMENTS (continued) susceptible locations and trending of the results should be sufficient to assure system OPERABILITY during the Surveillance interval.
| |
| This SR is modified by a Note that states the SR is not required to be performed until 12 hours after reactor steam dome pressure is < 48 psig.
| |
| In a rapid shutdown, there may be insufficient time to verify all susceptible locations prior to entering the Applicability.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Surveillance Frequency may vary by location susceptible to gas accumulation.
| |
| REFERENCES 1. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.4.9-6 Revision 105
| |
| | |
| RHR Shutdown Cooling System - Cold Shutdown B 3.4.10 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.10 Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown BASES BACKGROUND Irradiated fuel in the shutdown reactor core generates heat during the decay of fission products and increases the temperature of the reactor coolant. This decay heat must be removed to maintain the temperature of the reactor coolant at 200°F in preparation for performing Refueling maintenance operations, or the decay heat must be removed for maintaining the reactor in the Cold Shutdown condition.
| |
| The two redundant, manually controlled shutdown cooling subsystems of the RHR System provide decay heat removal. Each loop consists of a motor driven pump, a heat exchanger, and associated piping and valves.
| |
| Both loops have a common suction from the same recirculation loop.
| |
| Each pump discharges the reactor coolant, after circulation through the respective heat exchanger, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the Standby Service Water (SW) System.
| |
| APPLICABLE Decay heat removal by the RHR System in the shutdown cooling mode is SAFETY not required for mitigation of any event or accident evaluated in the ANALYSES safety analyses. Decay heat removal is, however, an important safety function that must be accomplished or core damage could result. The RHR Shutdown Cooling System meets Criterion 4 of Reference 1.
| |
| LCO Two RHR shutdown cooling subsystems are required to be OPERABLE, and, when no recirculation pump is in operation, one RHR shutdown cooling subsystem must be in operation. An OPERABLE RHR shutdown cooling subsystem consists of one OPERABLE RHR pump, one heat exchanger, one SW pump providing cooling to the heat exchanger, and the associated piping and valves. Each shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. In MODE 4, one RHR shutdown cooling subsystem can provide the required cooling, but two subsystems are required to be OPERABLE to provide redundancy.
| |
| Operation of one subsystem can maintain and reduce the reactor coolant temperature as required. To ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. Management of gas voids is important to RHR Shutdown Cooling System OPERABILITY.
| |
| Note 1 permits both RHR shutdown cooling subsystems and recirculation pumps to be shut down for a period of 2 hours in an 8 hour period.
| |
| Note 2 allows one RHR shutdown cooling subsystem to be inoperable for up to 2 hours for performance of Surveillance tests. These tests may be Columbia Generating Station B 3.4.10-1 Revision 105
| |
| | |
| RHR Shutdown Cooling System - Cold Shutdown B 3.4.10 BASES LCO (continued) on the affected RHR System or on some other plant system or component that necessitates placing the RHR System in an inoperable status during the performance. This is permitted because the core heat generation can be low enough and the heatup rate slow enough to allow some changes to the RHR subsystems or other operations requiring RHR flow interruption and loss of redundancy.
| |
| APPLICABILITY In MODE 4, the RHR Shutdown Cooling System must be OPERABLE and shall be operated in the shutdown cooling mode to remove decay heat to maintain coolant temperature below 200°F. Otherwise, a recirculation pump is required to be in operation.
| |
| The requirements for decay heat removal in MODE 3 below 48 psig reactor steam dome pressure and in MODE 5 are discussed in LCO 3.4.9, "Residual Heat Removal (RHR) Shutdown Cooling System -
| |
| Hot Shutdown"; LCO 3.9.8, "Residual Heat Removal (RHR) - High Water Level"; and LCO 3.9.9, "Residual Heat Removal (RHR) - Low Water Level."
| |
| ACTIONS A Note has been provided to modify the ACTIONS related to RHR shutdown cooling subsystems. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable shutdown cooling subsystems provide appropriate compensatory measures for separate inoperable shutdown cooling subsystems. As such, a Note has been provided that allows separate Condition entry for each inoperable RHR shutdown cooling subsystem.
| |
| A.1 With one of the two RHR shutdown cooling subsystems inoperable, except as permitted by LCO Note 2, the remaining subsystem is capable of providing the required decay heat removal. However, the overall reliability is reduced. Therefore, an alternate method of decay heat removal must be provided. With both RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem inoperability. This re-establishes backup decay heat removal Columbia Generating Station B 3.4.10-2 Revision 73
| |
| | |
| RHR Shutdown Cooling System - Cold Shutdown B 3.4.10 BASES ACTIONS (continued) capabilities, similar to the requirements of the LCO. The 1 hour Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities.
| |
| Furthermore, verification of the functional availability of these alternate method(s) must be reconfirmed every 24 hours thereafter. This will provide assurance of continued heat removal capability.
| |
| The required cooling capacity of the alternate method should be ensured by verifying (by calculation or demonstration) its capability to maintain or reduce temperature. Decay heat removal by ambient losses can be considered as, or contributing to, the alternate method capability.
| |
| Alternate methods that can be used include (but are not limited to) the Reactor Water Cleanup System (by itself, or using and bleed in combination with the Control Rod Drive System or Condensate System) and a combination of an ECCS pump and a safety/relief valve.
| |
| B.1 and B.2 With no RHR shutdown cooling subsystem and no recirculation pump in operation, except as is permitted by LCO Note 1, and until RHR or recirculation pump operation is re-established, an alternate method of reactor coolant circulation must be placed into service. This will provide the necessary circulation for monitoring coolant temperature. The 1 hour Completion Time is based on the coolant circulation function and is modified such that the 1 hour is applicable separately for each occurrence involving a loss of coolant circulation. Furthermore, verification of the functioning of the alternate method must be reconfirmed every 12 hours thereafter. This will provide assurance of continued temperature monitoring capability.
| |
| During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem or recirculation pump), the reactor coolant temperature and pressure must be periodically monitored to ensure proper function of the alternate method. The once per hour Completion Time is deemed appropriate.
| |
| Columbia Generating Station B 3.4.10-3 Revision 73
| |
| | |
| RHR Shutdown Cooling System - Cold Shutdown B 3.4.10 BASES SURVEILLANCE SR 3.4.10.1 REQUIREMENTS This Surveillance verifies that one RHR shutdown cooling subsystem or recirculation pump is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.4.10.2 RHR Shutdown Cooling System piping and components have the potential to develop voids and pockets of entrained gases. Preventing and managing gas intrusion and accumulation is necessary for proper operation of the RHR shutdown cooling subsystems and may also prevent water hammer, pump cavitation, and pumping of noncondensible gas into the reactor vessel.
| |
| Selection of RHR Shutdown Cooling System locations susceptible to gas accumulation is based on a review of system design information, including piping and instrumentation drawings, isometric drawings, plan and elevation drawings, and calculations. The design review is supplemented by system walk downs to validate the system high points and to confirm the location and orientation of important components that can become sources of gas or could otherwise cause gas to be trapped or difficult to remove during system maintenance or restoration.
| |
| Susceptible locations depend on plant and system configuration, such as stand-by versus operating conditions.
| |
| The RHR Shutdown Cooling System is OPERABLE when it is sufficiently filled with water. Acceptance criteria are established for the volume of accumulated gas at susceptible locations. If accumulated gas is discovered that exceeds the acceptance criteria for the susceptible location (or the volume of accumulated gas at one or more susceptible locations exceeds an acceptance criteria for gas volume at the suction or discharge of a pump), the Surveillance is not met. If it is determined by subsequent evaluation that the RHR Shutdown Cooling System is not rendered inoperable by the accumulated gas (i.e., the system is sufficiently filled with water), the Surveillance may be declared met.
| |
| Accumulated gas should be eliminated or brought within the acceptance criteria limits.
| |
| RHR Shutdown Cooling System locations susceptible to gas accumulation are monitored and, if gas is found, the gas volume is compared to the acceptance criteria for the location. Susceptible locations in the same system flow path which are subject to the same gas Columbia Generating Station B 3.4.10-4 Revision 105
| |
| | |
| RHR Shutdown Cooling System - Cold Shutdown B 3.4.10 BASES SURVEILLANCE REQUIREMENTS (continued) intrusion mechanisms may be verified by monitoring a representative sub-set of susceptible locations. Monitoring may not be practical for locations that are inaccessible due to radiological or environmental conditions, the plant configuration, or personnel safety. For these locations alternative methods (e.g., operating parameters, remote monitoring) may be used to monitor the susceptible location. Monitoring is not required for susceptible locations where the maximum potential accumulated gas void volume has been evaluated and determined to not challenge system OPERABILITY. The accuracy of the method used for monitoring the susceptible locations and trending of the results should be sufficient to assure system OPERABILITY during the Surveillance interval.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Surveillance Frequency may vary by location susceptible to gas accumulation.
| |
| REFERENCES 1. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.4.10-5 Revision 105
| |
| | |
| RCS P/T Limits B 3.4.11 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.11 RCS Pressure and Temperature (P/T) Limits BASES BACKGROUND All components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes. These loads are introduced by startup (heatup) and shutdown (cooldown) operations, power transients, and reactor trips. This LCO limits the pressure and temperature changes during RCS heatup and cooldown, within the design assumptions and the stress limits for cyclic operation.
| |
| The Specification contains P/T limit curves for heatup, cooldown, inservice leak and hydrostatic testing, and criticality, and also limits the maximum rate of change of reactor coolant temperature.
| |
| Each P/T limit curve defines an acceptable region for normal operation.
| |
| The usual use of the curves is operational guidance during heatup or cooldown maneuvering, when pressure and temperature indications are monitored and compared to the applicable curve to determine that operation is within the allowable region.
| |
| The metal temperature represented in the P/T curves is for the beltline region of the vessel. The beltline region is the area of the vessel that surrounds the active fuel. Since there are no thermocouples in this section of the vessel the reactor coolant temperature is used to monitor the vessel metal temperature. The coolant temperature in the annulus space is assumed to be equal to the inside metal temperature. The inside metal temperature is used in the calculation to derive the P/T limit curves. Monitoring the reactor water cleanup (RWCU) or the reactor recirculation (RRC) coolant temperature allows the beltline metal temperature to be determined.
| |
| The RRC suction is taken from the annulus space between the vessel beltline region and the core shroud. This fluid temperature would represent the inside metal temperature for the beltline region.
| |
| The RWCU bottom head drain (which measures the fluid temperature) can be used if RRC is running. This allows mixing of the fluid in the bottom head area. The temperature measurement would be conservative due to the mixing of the annulus space fluid, feedwater, and control rod drive (CRD) return water.
| |
| The LCO establishes operating limits that provide a margin to brittle failure of the reactor vessel and piping of the reactor coolant pressure boundary (RCPB). The vessel is the component most subject to brittle failure. Therefore, the LCO limits apply mainly to the vessel.
| |
| Columbia Generating Station B 3.4.11-1 Revision 73
| |
| | |
| RCS P/T Limits B 3.4.11 BASES BACKGROUND (continued) 10 CFR 50, Appendix G (Ref. 1), requires the establishment of P/T limits for material fracture toughness requirements of the RCPB materials.
| |
| Reference 1 requires an adequate margin to brittle failure during normal operation, anticipated operational occurrences, and system hydrostatic tests. It mandates the use of the American Society of Mechanical Engineers (ASME) Code, Section III, Appendix G (Ref. 2).
| |
| The plant-specific reactor pressure vessel (RPV) materials surveillance program is replaced by the NRC approved BWR Vessel and Internals Project (BWRVIP) Integrated Surveillance Program (Ref. 11). The integrated surveillance program (ISP) meets the requirements of 10 CFR 50, Appendix H (Ref. 4) and addresses ASTM E 185 (Ref. 3) and Regulatory Guide 1.99 (Ref. 5). No capsules from the vessel are included in the ISP. The withdrawal of capsules for the plant-specific surveillance program is permanently deferred by participation in the ISP.
| |
| Capsules from other plants will be removed and tested in accordance with the ISP implementation plan. The results from these tests will provide the necessary data to monitor embrittlement for the vessel. The operating P/T limit curves will be adjusted, as necessary, based on the evaluation of the test results provided by the ISP.
| |
| The P/T limit curves are composite curves established by superimposing limits derived from linear elastic fracture mechanics (LEFM) analyses of those portions of the reactor vessel and head that are the most restrictive.
| |
| At any specific pressure, temperature, and temperature rate of change, one location within the reactor vessel will dictate the most restrictive limit.
| |
| Across the span of the P/T limit curves, different locations are more restrictive, and, thus, the curves are composites of the most restrictive regions.
| |
| The heatup curve represents a different set of restrictions than the cooldown curve because the directions of the thermal gradients through the vessel wall are reversed. The thermal gradient reversal alters the location of the tensile stress between the outer and inner walls. However, only the more restrictive of the two curves is used.
| |
| The P/T criticality limits include the Reference 1 requirement that they be at least 40°F above the heatup curve or the cooldown curve and not lower than the minimum permissible temperature for the inservice leak and hydrostatic testing.
| |
| Columbia Generating Station B 3.4.11-2 Revision 73
| |
| | |
| RCS P/T Limits B 3.4.11 BASES BACKGROUND (continued)
| |
| The consequence of violating the LCO limits is that the RCS has been operated under conditions that can result in brittle failure of the RCPB, possibly leading to a nonisolable leak or loss of coolant accident. In the event these limits are exceeded, an evaluation must be performed to determine the effect on the structural integrity of the RCPB components.
| |
| The ASME Code, Section XI, Appendix E (Ref. 6), provides a recommended methodology for evaluating an operating event that causes an excursion outside the limits.
| |
| APPLICABLE The P/T limits are not derived from Design Basis Accident (DBA)
| |
| SAFETY analyses. They are prescribed during normal operation to avoid ANALYSES encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause nonductile failure of the RCPB, a condition that is unanalyzed.
| |
| References 7 and 8 approved the curves and limits required by this Specification. Since the P/T limits are not derived from any DBA, there are no acceptance limits related to the P/T limits. Rather, the P/T limits are acceptance limits themselves since they preclude operation in an unanalyzed condition.
| |
| RCS P/T limits satisfy Criterion 2 of Reference 9.
| |
| LCO The elements of this LCO are:
| |
| : a. RCS pressure and temperature are within the limits specified in Figures 3.4.11-1, 3.4.11-2, and 3.4.11-3 and heatup and cooldown rates are 100°F in any 1 hour period during RCS heatup, cooldown, and inservice leak and hydrostatic testing, and the RCS temperature change during inservice leak and hydrostatic testing is 20°F in any 1 hour period when the RCS pressure and RCS temperature are not within the limits of Figure 3.4.11-2;
| |
| : b. The temperature difference between the reactor vessel bottom head coolant and the reactor pressure vessel (RPV) coolant is 145°F during recirculation pump startup, and during increases in THERMAL POWER or loop flow while operating at low THERMAL POWER or loop flow;
| |
| : c. The temperature difference between the reactor coolant in the respective recirculation loop and in the reactor vessel is 50°F during recirculation pump startup, and during increases in THERMAL POWER or loop flow while operating at low THERMAL POWER or loop flow; Columbia Generating Station B 3.4.11-3 Revision 73
| |
| | |
| RCS P/T Limits B 3.4.11 BASES LCO (continued)
| |
| : d. RCS pressure and temperature are within the limits specified in Figure 3.4.11-3, prior to achieving criticality; and
| |
| : e. The reactor vessel flange and the head flange temperatures are 80°F when tensioning the reactor vessel head bolting studs.
| |
| These limits define allowable operating regions and permit a large number of operating cycles while also providing a wide margin to nonductile failure.
| |
| The rate of change of temperature limits controls the thermal gradient through the vessel wall and is used as input for calculating the heatup, cooldown, and inservice leak and hydrostatic testing P/T limit curves.
| |
| Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves.
| |
| Violation of the limits places the reactor vessel outside of the bounds of the LEFM analyses and can increase stresses in other RCS components.
| |
| The consequences depend on several factors, as follows:
| |
| : a. The severity of the departure from the allowable operating pressure temperature regime or the severity of the rate of change of temperature;
| |
| : b. The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more pronounced); and
| |
| : c. The existence, size, and orientation of flaws in the vessel material.
| |
| APPLICABILITY The potential for violating a P/T limit exists at all times. For example, P/T limit violations could result from ambient temperature conditions that result in the reactor vessel metal temperature being less than the minimum allowed temperature for boltup. Therefore, this LCO is applicable even when fuel is not loaded in the core.
| |
| ACTIONS A.1 and A.2 Operation outside the P/T limits while in MODE 1, 2, or 3 must be corrected so that the RCPB is returned to a condition that has been verified by LEFM analyses.
| |
| Columbia Generating Station B 3.4.11-4 Revision 73
| |
| | |
| RCS P/T Limits B 3.4.11 BASES ACTIONS (continued)
| |
| The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.
| |
| Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be completed if continued operation is desired.
| |
| Several methods may be used, including comparison with pre-analyzed transients, new analyses, or inspection of the components. ASME Code, Section XI, Appendix E (Ref. 6), may be used to support the evaluation.
| |
| However, its use is restricted to evaluation of the vessel beltline.
| |
| The 72 hour Completion Time is reasonable to accomplish the evaluation of a mild violation. More severe violations may require special, event specific stress analyses or inspections. A favorable evaluation must be completed if continued operation is desired.
| |
| Condition A is modified by a Note requiring Required Action A.2 be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits.
| |
| Restoration alone per Required Action A.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.
| |
| B.1 and B.2 If a Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a lower MODE because either the RCS remained in an unacceptable P/T region for an extended period of increased stress, or a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature. With the reduced pressure and temperature conditions, the possibility of propagation of undetected flaws is decreased.
| |
| Pressure and temperature are reduced by bringing the plant to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| Columbia Generating Station B 3.4.11-5 Revision 73
| |
| | |
| RCS P/T Limits B 3.4.11 BASES ACTIONS (continued)
| |
| C.1 and C.2 Operation outside the P/T limits in other than MODES 1, 2, and 3 (including defueled conditions) must be corrected so that the RCPB is returned to a condition that has been verified by LEFM analyses. The Required Action must be initiated without delay and continued until the limits are restored.
| |
| Besides restoring the P/T limit parameters to within limits, an evaluation is required to determine if RCS operation is allowed. This evaluation must verify that the RCPB integrity is acceptable and must be completed before approaching criticality or heating up to > 200°F. Several methods may be used, including comparison with pre-analyzed transients, new analyses, or inspection of the components. ASME Section XI, Appendix E (Ref. 6), may be used to support the evaluation; however, its use is restricted to evaluation of the beltline.
| |
| Condition C is modified by a Note requiring Required Action C.2 be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action C.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.
| |
| SURVEILLANCE SR 3.4.11.1 REQUIREMENTS Verification that operation is within limits is required when RCS pressure and temperature conditions are undergoing planned changes. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The limits of Figures 3.4.11-1, 3.4.11-2, and 3.4.11-3 are met when operation is to the right of the applicable limit curves.
| |
| Surveillance for heatup, cooldown, or inservice leakage and hydrostatic testing may be discontinued when the criteria given in the relevant plant procedure for ending the activity are satisfied.
| |
| This SR has been modified by a Note that requires this Surveillance to be performed only during system heatup and cooldown operations and inservice leakage and hydrostatic testing.
| |
| Columbia Generating Station B 3.4.11-6 Revision 93
| |
| | |
| RCS P/T Limits B 3.4.11 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.4.11.2 A separate limit is used when the reactor is approaching criticality.
| |
| Consequently, the RCS pressure and temperature must be verified within the appropriate limits before withdrawing control rods that will make the reactor critical. The limits of Figure 3.4.11-3 are met when operation is to the right of the limit curve.
| |
| Performing the Surveillance within 15 minutes before control rod withdrawal for the purpose of achieving criticality provides adequate assurance that the limits will not be exceeded between the time of the Surveillance and the time of the control rod withdrawal.
| |
| SR 3.4.11.3 and SR 3.4.11.4 Differential temperatures within the applicable limits ensure that thermal stresses resulting from the startup of an idle recirculation pump will not exceed design allowances. In addition, compliance with these limits ensures that the assumptions of the analysis for the startup of an idle recirculation loop (Ref. 10) are satisfied.
| |
| Performing the Surveillance within 15 minutes before starting the idle recirculation pump provides adequate assurance that the limits will not be exceeded between the time of the Surveillance and the time of the idle pump start.
| |
| An acceptable means of demonstrating compliance with the temperature differential requirement in SR 3.4.11.4 is to compare the temperatures of the operating recirculation loop and the idle loop.
| |
| SR 3.4.11.3 and SR 3.4.11.4 have been modified by a Note that requires the Surveillance to be met only in MODES 1, 2, 3, and 4 during a recirculation pump startup, since this is when the stresses occur. In MODE 5, the overall stress on limiting components is lower; therefore, T limits are not required.
| |
| SR 3.4.11.5 and SR 3.4.11.6 Differential temperatures within the applicable limits ensure that thermal stresses resulting from increases in THERMAL POWER or recirculation loop flow during single recirculation loop operation will not exceed design allowances. Performing the Surveillance within 15 minutes before beginning such an increase in power or flow rate provides adequate assurance that the limits will not be exceeded between the time of the Surveillance and the time of the change in operation.
| |
| Columbia Generating Station B 3.4.11-7 Revision 73
| |
| | |
| RCS P/T Limits B 3.4.11 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| An acceptable means of demonstrating compliance with the temperature differential requirement in SR 3.4.11.6 is to compare the temperatures of the operating recirculation loop and the idle loop.
| |
| Plant specific startup test data has determined that the bottom head is not subject to temperature stratification at power levels > 25% of RTP and with single loop flow rate > 10% of rated loop flow. Therefore, SR 3.4.11.5 and SR 3.4.11.6 have been modified by a Note that requires the Surveillance to be met only under these conditions. The Note for SR 3.4.11.6 further limits the requirement for this Surveillance to exclude comparison of the idle loop temperature if the idle loop is isolated from the RPV since the water in the loop can not be introduced into the remainder of the Reactor Coolant System.
| |
| SR 3.4.11.7, SR 3.4.11.8, and SR 3.4.11.9 Limits on the reactor vessel flange and head flange temperatures are generally bounded by the other P/T limits during system heatup and cooldown. However, operations approaching MODE 4 from MODE 5 and in MODE 4 with RCS temperature less than or equal to certain specified values require assurance that these temperatures meet the LCO Limits.
| |
| The flange temperatures must be verified to be above the limits before and while tensioning the vessel head bolting studs to ensure that once the head is tensioned the limits are satisfied. When in MODE 4 with RCS temperature 90°F, checks of the flange temperatures are required because of the reduced margin to the limits. When in MODE 4 with RCS temperature 100°F, monitoring of the flange temperature is required to ensure the temperatures are within the specified limits.
| |
| The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| SR 3.4.11.7 is modified by a Note that requires the Surveillance to be performed only when tensioning the reactor vessel head bolting studs.
| |
| SR 3.4.11.8 is modified by a Note that requires the Surveillance to be initiated 30 minutes after RCS temperature 90°F in MODE 4.
| |
| Columbia Generating Station B 3.4.11-8 Revision 93
| |
| | |
| RCS P/T Limits B 3.4.11 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.4.11.9 is modified by a Note that requires the Surveillance to be initiated 12 hours after RCS temperature 100°F in MODE 4. The Notes contained in these SRs are necessary to specify when the reactor vessel flange and head flange temperatures are required to be verified to be within the specified limits.
| |
| REFERENCES 1. 10 CFR 50, Appendix G.
| |
| : 2. ASME, Boiler and Pressure Vessel Code, Section III, Appendix G.
| |
| : 3. ASTM E 185-82, July 1982.
| |
| : 4. 10 CFR 50, Appendix H.
| |
| : 5. Regulatory Guide 1.99, Revision 2, May 1988.
| |
| : 6. ASME, Boiler and Pressure Vessel Code, Section XI, Appendix E.
| |
| : 7. Letter from D.G. Eisenhut (NRC) to D.W. Mazur (WPPSS), "Issuance of Facility Operating License NPF WPPSS Nuclear Project No. 2," dated December 20, 1983.
| |
| : 8. Letter from B.J. Benney (NRC) to J.V. Parrish (EN), "Columbia Generating Station - Issuance of Amendment Re: Reactor Coolant System (RCS) Pressure and Temperature Limits (TAC No. MC3591)," Issuance of Amendment No. 193, dated May 12, 2005.
| |
| : 9. 10 CFR 50.36(c)(2)(ii).
| |
| : 10. FSAR, Section 15.4.4.
| |
| : 11. FSAR, Section 5.3.1.6.
| |
| Columbia Generating Station B 3.4.11-9 Revision 73
| |
| | |
| Reactor Steam Dome Pressure B 3.4.12 B 3.4 REACTOR COOLANT SYSTEM (RCS)
| |
| B 3.4.12 Reactor Steam Dome Pressure BASES BACKGROUND The reactor steam dome pressure is an assumed value in the determination of compliance with reactor pressure vessel overpressure protection criteria and is also an assumed initial condition of Design Basis Accidents (DBAs) and transients.
| |
| APPLICABLE The reactor steam dome pressure of 1035 psig is an initial condition of SAFETY the vessel overpressure protection analysis of Reference 1. This ANALYSES analysis assumes an initial maximum reactor steam dome pressure and evaluates the response of the pressure relief system, primarily the safety/relief valves, during the limiting pressurization transient. The determination of compliance with the overpressure criteria is dependent on the initial reactor steam dome pressure; therefore, the limit on this pressure ensures that the assumptions of the overpressure protection analysis are conserved. Reference 2 also assumes an initial reactor steam dome pressure for the analyses of DBAs and transients used to determine the limits for fuel cladding integrity (see Bases for LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") and 1% fuel cladding plastic strain (see Bases for LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)"). While the transient analyses assume an initial reactor steam dome pressure of 1020 psig, this value is more conservative than a higher reactor pressure, e.g., 1035 psig, with respect to the thermal limits attained during the transients. Therefore, the reactor steam dome pressure assumed in these analyses is bounded by the vessel overpressure protection analysis.
| |
| Reactor steam dome pressure satisfies the requirements of Criterion 2 of Reference 3.
| |
| LCO The specified reactor steam dome pressure limit of < 1035 psig ensures the plant is operated within the assumptions of the reactor overpressure analyses. Operation above the limit may result in a response more severe than analyzed.
| |
| APPLICABILITY In MODES 1 and 2, the reactor steam dome pressure is required to be less than or equal to the limit. In these MODES, the reactor may be generating significant steam, and events that may challenge the overpressure limits are possible.
| |
| In MODES 3, 4, and 5, the limit is not applicable because the reactor is shut down. In these MODES, the reactor pressure is well below the required limit, and no anticipated events will challenge the overpressure limits.
| |
| Columbia Generating Station B 3.4.12-1 Revision 73
| |
| | |
| Reactor Steam Dome Pressure B 3.4.12 BASES ACTIONS A.1 With the reactor steam dome pressure greater than the limit, prompt action should be taken to reduce pressure to below the limit and return the reactor to operation within the bounds of the analyses. The 15 minute Completion Time is reasonable considering the importance of maintaining the pressure within limits. This Completion Time also ensures that the probability of an accident while pressure is greater than the limit is minimal.
| |
| B.1 If the reactor steam dome pressure cannot be restored to within the limit within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.4.12.1 REQUIREMENTS Verification that reactor steam dome pressure is 1035 psig ensures that the initial conditions of the vessel overpressure protection analysis is met.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 5.2.2.
| |
| : 2. FSAR, Chapter 15.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.4.12-2 Revision 93
| |
| | |
| ECCS - Operating B 3.5.1 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS), RPV WATER INVENTORY CONTROL, AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM B 3.5.1 ECCS - Operating BASES BACKGROUND The ECCS is designed, in conjunction with the primary and secondary containment, to limit the release of radioactive materials to the environment following a loss of coolant accident (LOCA). The ECCS uses two independent methods (flooding and spraying) to cool the core during a LOCA. The ECCS network is composed of the High Pressure Core Spray (HPCS) System, the Low Pressure Core Spray (LPCS)
| |
| System, and the low pressure coolant injection (LPCI) mode of the Residual Heat Removal (RHR) System. The ECCS also consists of the Automatic Depressurization System (ADS). The suppression pool provides the required source of water for the ECCS. Although no credit is taken in the safety analyses for the condensate storage tank (CST), it is capable of providing a source of water for the HPCS System.
| |
| On receipt of an initiation signal, ECCS pumps automatically start; simultaneously the system aligns, and the pumps inject water, taken either from the CST or suppression pool, into the Reactor Coolant System (RCS) as RCS pressure is overcome by the discharge pressure of the ECCS pumps. Although the system is initiated, ADS action is delayed, allowing the operator to interrupt the timed sequence if the system is not needed. The HPCS pump discharge pressure almost immediately exceeds that of the RCS, and the pump injects coolant into the spray sparger above the core. If the break is small, HPCS will maintain coolant inventory, as well as vessel level, while the RCS is still pressurized. If HPCS fails, it is backed up by ADS in combination with LPCI and LPCS.
| |
| In this event, the ADS timed sequence would be allowed to time out and open the selected safety/relief valves (SRVs), depressurizing the RCS and allowing the LPCI and LPCS to overcome RCS pressure and inject coolant into the vessel. If the break is large, RCS pressure initially drops rapidly, and the LPCI and LPCS systems cool the core.
| |
| Water from the break returns to the suppression pool where it is used again and again. Water in the suppression pool is circulated through a heat exchanger cooled by the Standby Service Water (SW) System.
| |
| Depending on the location and size of the break, portions of the ECCS may be ineffective; however, the overall design is effective in cooling the core regardless of the size or location of the piping break.
| |
| All ECCS subsystems are designed to ensure that no single active component failure will prevent automatic initiation and successful operation of the minimum required ECCS subsystems.
| |
| Columbia Generating Station B 3.5.1-1 Revision 111
| |
| | |
| ECCS - Operating B 3.5.1 BASES BACKGROUND (continued)
| |
| The LPCS System (Ref. 1) consists of a motor driven pump, a spray sparger above the core, piping, and valves to transfer water from the suppression pool to the sparger. The LPCS System is designed to provide cooling to the reactor core when the reactor pressure is low.
| |
| Upon receipt of an initiation signal, the LPCS pump is automatically started in approximately 9.5 seconds if normal AC power (from TR-S) is available; otherwise the pump is started immediately after AC power (from TR-B or the diesel generator (DG)) is available. When the RPV pressure drops sufficiently, LPCS flow to the RPV begins. A full flow test line is provided to route water to the suppression pool to allow testing of the LPCS System without spraying water into the RPV.
| |
| LPCI is an independent operating mode of the RHR System. There are three LPCI subsystems. Each LPCI subsystem (Ref. 2) consists of a motor driven pump, piping, and valves to transfer water from the suppression pool to the core. Each LPCI subsystem has its own suction and discharge piping and separate vessel nozzle that connects with the core shroud through internal piping. The LPCI subsystems are designed to provide core cooling at low RPV pressure. Upon receipt of an initiation signal, LPCI pump C is automatically started in approximately 9.5 seconds and A and B pumps in approximately 19.4 seconds if normal AC power (from TR-S) is available. Otherwise, C pump is started immediately after AC power (from TR-B or the DG) is available while A and B pumps are started after a 5 second delay). When the RPV pressure drops sufficiently, LPCI flow to the RPV begins. RHR System valves in the LPCI flow path are automatically positioned to ensure the proper flow path for water from the suppression pool to inject into the core. A full flow test line is provided to route water to the suppression pool to allow testing of each LPCI pump without injecting water into the RPV.
| |
| The HPCS System (Ref. 3) consists of a single motor driven pump, a spray sparger above the core, and piping and valves to transfer water from the suction source to the sparger. Suction piping is provided from the CST and the suppression pool. Pump suction is normally aligned to the CST source to minimize injection of suppression pool water into the RPV. However, if the CST water supply is low or the suppression pool level is high, an automatic transfer to the suppression pool water source ensures a water supply for continuous operation of the HPCS System.
| |
| The HPCS System is designed to provide core cooling over the full range of RPV pressures (0 psid to 1160 psid, vessel to drywell). Upon receipt of an initiation signal, the HPCS pump automatically starts (when AC power is available) and valves in the flow path begin to open. Since the HPCS System is designed to operate over the full range of expected RPV Columbia Generating Station B 3.5.1-2 Revision 73
| |
| | |
| ECCS - Operating B 3.5.1 BASES BACKGROUND (continued) pressures, HPCS flow begins as soon as the necessary valves are open.
| |
| A full flow test line is provided to route water to the CST to allow testing of the HPCS System during normal operation without spraying water into the RPV.
| |
| The ECCS pumps are provided with minimum flow bypass lines, which discharge to the suppression pool. The valves in these lines automatically open to prevent pump damage due to overheating when other discharge line valves are closed or RPV pressure is greater than the LPCS or LPCI pump discharge pressures following system initiation.
| |
| To ensure rapid delivery of water to the RPV and to minimize water hammer effects, the ECCS discharge line "keep fill" systems are designed to maintain all pump discharge lines filled with water.
| |
| The ADS (Ref. 4) consists of 7 of the 18 SRVs. It is designed to provide depressurization of the primary system during a small break LOCA if HPCS fails or is unable to maintain required water level in the RPV. ADS operation reduces the RPV pressure to within the operating pressure range of the low pressure ECCS subsystems, so that these subsystems can provide core cooling. Each ADS valve is supplied with pneumatic power from a cryogenic nitrogen supply system, which includes accumulators located in the drywell. In addition, during post LOCA conditions, if the normal, non-safety related, nitrogen supply becomes unavailable, the gas supply piping to the ADS function accumulators will automatically isolate from the cryogenic nitrogen supply. The ADS accumulator backup compressed gas manifold subsystems will then provide a nominal pressure of 180 psig nitrogen from banks of high pressure compressed nitrogen cylinders. These cylinders provide a 30 day supply of nitrogen for the ADS function during a post LOCA condition.
| |
| APPLICABLE The ECCS performance is evaluated for the entire spectrum of break SAFETY sizes for a postulated LOCA. The accidents for which ECCS operation is ANALYSES required are presented in References 5, 6, and 7. The required analyses and assumptions are defined in 10 CFR 50 (Ref. 8), and the results of these analyses are described in Reference 9.
| |
| This LCO helps to ensure that the following acceptance criteria for the ECCS, established by 10 CFR 50.46 (Ref. 10), will be met following a LOCA assuming the worst case single active component failure in the ECCS:
| |
| : a. Maximum fuel element cladding temperature is 2200°F;
| |
| : b. Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation; Columbia Generating Station B 3.5.1-3 Revision 73
| |
| | |
| ECCS - Operating B 3.5.1 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| : c. Maximum hydrogen generation from zirconium water reaction is 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react;
| |
| : d. The core is maintained in a coolable geometry; and
| |
| : e. Adequate long term cooling capability is maintained.
| |
| The limiting single failures are discussed in Reference 11. For a large break LOCA, failure of ECCS subsystems in Division 1 (LPCS and LPCI A) or Division 2 (LPCI B and LPCI C) due to failure of its associated diesel generator is, in general, the most severe failure. For a small break LOCA, HPCS System failure is the most severe failure. The small break analysis also assumes two ADS valves are inoperable at the time of the accident. The remaining OPERABLE ECCS subsystems provide the capability to adequately cool the core and prevent excessive fuel damage.
| |
| The ECCS satisfy Criterion 3 of Reference 12.
| |
| LCO Each ECCS injection/spray subsystem and six ADS valves are required to be OPERABLE. The ECCS injection/spray subsystems are defined as the three LPCI subsystems, the LPCS System, and the HPCS System.
| |
| The low pressure ECCS injection/spray subsystems are defined as the LPCS System and the three LPCI subsystems. Management of gas voids is important to ECCS injection/spray subsystem OPERABILITY.
| |
| With less than the required number of ECCS subsystems OPERABLE during a limiting design basis LOCA concurrent with the worst case single failure, the limits specified in 10 CFR 50.46 (Ref. 10) could potentially be exceeded. All ECCS subsystems must therefore be OPERABLE to satisfy the single failure criterion required by 10 CFR 50.46 (Ref. 10).
| |
| Columbia Generating Station B 3.5.1-4 Revision 106
| |
| | |
| ECCS - Operating B 3.5.1 BASES APPLICABILITY All ECCS subsystems are required to be OPERABLE during MODES 1, 2, and 3 when there is considerable energy in the reactor core and core cooling would be required to prevent fuel damage in the event of a break in the primary system piping. In MODES 2 and 3, the ADS function is not required when pressure is 150 psig because the low pressure ECCS subsystems (LPCS and LPCI) are capable of providing flow into the RPV below this pressure. Requirements for MODES 4 and 5 are specified in LCO 3.5.2, "RPV Water Inventory Control."
| |
| ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable HPCS subsystem. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable HPCS subsystem and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.
| |
| A.1 If any one low pressure ECCS injection/spray subsystem is inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this condition, the remaining OPERABLE subsystems provide adequate core cooling during a LOCA. However, overall ECCS reliability is reduced because a single failure in one of the remaining OPERABLE subsystems concurrent with a LOCA may result in the ECCS not being able to perform its intended safety function. The 7 day Completion Time is based on a reliability study (Ref. 13) that evaluated the impact on ECCS availability by assuming that various components and subsystems were taken out of service. The results were used to calculate the average availability of ECCS equipment needed to mitigate the consequences of a LOCA as a function of allowed outage times (i.e., Completion Times).
| |
| B.1 and B.2 If the HPCS System is inoperable, and the RCIC System is immediately verified to be OPERABLE (when RCIC is required to be OPERABLE), the HPCS System must be restored to OPERABLE status within 14 days. In this condition, adequate core cooling is ensured by the OPERABILITY of the redundant and diverse low pressure ECCS injection/spray subsystems in conjunction with the ADS. Also, the RCIC System will automatically provide makeup water at most reactor operating pressures.
| |
| Immediate verification of RCIC OPERABILITY is therefore required when HPCS is inoperable and RCIC is required to be OPERABLE. This may be performed by an administrative check, by examining logs or other Columbia Generating Station B 3.5.1-5 Revision 111
| |
| | |
| ECCS - Operating B 3.5.1 BASES ACTIONS (continued) information, to determine if RCIC is out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the RCIC System. However, if the OPERABILITY of the RCIC System cannot be immediately verified and RCIC is required to be OPERABLE, Condition D must be immediately entered. If a single active component fails concurrent with a design basis LOCA, there is a potential, depending on the specific failure, that the minimum required ECCS equipment will not be available. A 14 day Completion Time is based on the results of a reliability study (Ref. 13) and has been found to be acceptable through operating experience.
| |
| C.1 With two ECCS injection subsystems inoperable or one ECCS injection and one ECCS spray subsystem inoperable, at least one ECCS injection/spray subsystem must be restored to OPERABLE status within 72 hours. In this condition, the remaining OPERABLE subsystems provide adequate core cooling during a LOCA. However, overall ECCS reliability is reduced in this Condition because a single failure in one of the remaining OPERABLE subsystems concurrent with a design basis LOCA may result in the ECCS not being able to perform its intended safety function. Since the ECCS availability is reduced relative to Condition A, a more restrictive Completion Time is imposed. The 72 hours Completion Time is based on a reliability study, as provided in Reference 13.
| |
| D.1 If any Required Action and associated Completion Time of Condition A, B, or C are not met, the plant must be brought to a MODE in which overall plant risk is minimizied. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 17) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action D.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, Columbia Generating Station B 3.5.1-6 Revision 90
| |
| | |
| ECCS - Operating B 3.5.1 BASES ACTIONS (continued) because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| E.1 The LCO requires six ADS valves to be OPERABLE to provide the ADS function. Reference 14 contains the results of an analysis that evaluated the effect of two ADS valves being out of service. This analysis showed that assuming a failure of the HPCS System, operation of only five ADS valves will provide the required depressurization. However, overall reliability of the ADS is reduced because a single failure in the OPERABLE ADS valves could result in a reduction in depressurization capability. Therefore, operation is only allowed for a limited time. The 14 day Completion Time is based on a reliability study (Ref. 13) and has been found to be acceptable through operating experience.
| |
| F.1 and F.2 If any one low pressure ECCS injection/spray subsystem is inoperable in addition to one required ADS valve inoperable, adequate core cooling is ensured by the OPERABILITY of HPCS and the remaining low pressure ECCS injection/spray subsystems. However, the overall ECCS reliability is reduced because a single active component failure concurrent with a design basis LOCA could result in the minimum required ECCS equipment not being available. Since both a high pressure (ADS) and low pressure subsystem are inoperable, a more restrictive Completion Time of 72 hours is required to restore either the low pressure ECCS injection/spray subsystem or the ADS valve to OPERABLE status. This Completion Time is based on a reliability study (Ref. 13) and has been found to be acceptable through operating experience.
| |
| Columbia Generating Station B 3.5.1-7 Revision 90
| |
| | |
| ECCS - Operating B 3.5.1 BASES ACTIONS (continued)
| |
| G.1 If any Required Action and associated Completion Time of Condition E or F are not met or if two or more required ADS valves are inoperable, the plant must be brought to a MODE in which overall plant risk is minimizied.
| |
| To achieve this status, the plant must be brought to at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 17) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action G.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| H.1 When multiple ECCS subsystems are inoperable, as stated in Condition H, the plant is in a condition outside of the accident analyses.
| |
| Therefore, LCO 3.0.3 must be entered immediately.
| |
| Columbia Generating Station B 3.5.1-8 Revision 90
| |
| | |
| ECCS - Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.1 REQUIREMENTS The ECCS injection/spray subsystem flow path piping and components have the potential to develop voids and pockets of entrained gases.
| |
| Preventing and managing gas intrusion and accumulation is necessary for proper operation of the ECCS injection/spray subsystems and may also prevent a water hammer, pump cavitation, and pumping of noncondensible gas into the reactor vessel.
| |
| Selection of ECCS injection/spray subsystem locations susceptible to gas accumulation is based on a review of system design information, including piping and instrumentation drawings, isometric drawings, plan and elevation drawings, and calculations. The design review is supplemented by system walk downs to validate the system high points and to confirm the location and orientation of important components that can become sources of gas or could otherwise cause gas to be trapped or difficult to remove during system maintenance or restoration.
| |
| Susceptible locations depend on plant and system configuration, such as stand-by versus operating conditions.
| |
| The ECCS injection/spray subsystem is OPERABLE when it is sufficiently filled with water. Acceptance criteria are established for the volume of accumulated gas at susceptible locations. If accumulated gas is discovered that exceeds the acceptance criteria for the susceptible location (or the volume of accumulated gas at one or more susceptible locations exceeds an acceptance criteria for gas volume at the suction or discharge of a pump), the Surveillance is not met. If it is determined by subsequent evaluation that the ECCS injection/spray subsystems are not rendered inoperable by the accumulated gas (i.e., the system is sufficiently filled with water), the Surveillance may be declared met.
| |
| Accumulated gas should be eliminated or brought within the acceptance criteria limits.
| |
| ECCS injection/spray subsystem locations susceptible to gas accumulation are monitored and, if gas is found, the gas volume is compared to the acceptance criteria for the location. Susceptible locations in the same system flow path which are subject to the same gas intrusion mechanisms may be verified by monitoring a representative sub-set of susceptible locations. Monitoring may not be practical for locations that are inaccessible due to radiological or environmental conditions, the plant configuration, or personnel safety. For these locations alternative methods (e.g., operating parameters, remote monitoring) may be used to monitor the susceptible location. Monitoring is not required for susceptible locations where the maximum potential accumulated gas void Columbia Generating Station B 3.5.1-9 Revision 105
| |
| | |
| ECCS - Operating B 3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued) volume has been evaluated and determined to not challenge system OPERABILITY. The accuracy of the method used for monitoring the susceptible locations and trending of the results should be sufficient to assure system OPERABILITY during the Surveillance interval.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Surveillance Frequency may vary by location susceptible to gas accumulation.
| |
| SR 3.5.1.2 Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves potentially capable of being mispositioned are in the correct position.
| |
| This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| The Surveillance is modified by a Note which exempts system vent flow paths opened under administrative control. The administrative control should be proceduralized and include stationing a dedicated individual at the system vent flow path who is in continuous communication with the operators in the control room. This individual will have a method to rapidly close the system vent flow path if directed.
| |
| Columbia Generating Station B 3.5.1-10 Revision 106
| |
| | |
| ECCS - Operating B 3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.5.1.3 Verification that ADS accumulator backup compressed gas system average pressure in the required bottles is 2200 psig assures an adequate and OPERABLE air supply to the ADS valves. The minimum number of required bottles is 14 bottles in Division 1 and 17 in Division 2.
| |
| The remote nitrogen cylinder connection in the DG corridor may be used to make up the minimum number of required bottles, provided the bottle(s) is properly installed to satisfy the seismic Category 1 restraint requirements and the bottle(s) capacity is greater than or equal to the capacity of the bottle being replaced. The nitrogen banks are sized to provide a 30 day supply of nitrogen for the ADS function. The ADS function is required to provide a flow path for alternate shutdown cooling.
| |
| Alternate shutdown cooling is accomplished utilizing one RHR subsystem and the ADS to provide a path to the suppression pool for decay heat removal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.5.1.4 The performance requirements of the ECCS pumps are determined through application of the 10 CFR 50, Appendix K, criteria (Ref. 8). This periodic Surveillance is performed (in accordance with the ASME OM Code requirements for the ECCS pumps) to verify that the ECCS pumps will develop the flow rates required by the respective analyses. The ECCS pump flow rates ensure that adequate core cooling is provided to satisfy the acceptance criteria of 10 CFR 50.46 (Ref. 10).
| |
| The pump flow rates are verified against a system pressure difference.
| |
| For the LPCS and LPCI pumps the pressure difference is equivalent to that between the reactor and the suppression pool air volume. For the HPCS pump it is equivalent to the differential above the suction source (suppression pool or condensate storage tank). Under these conditions the total system pump outlet pressure is adequate to overcome the elevation head pressure between the pump suction and the vessel discharge, the piping friction losses, and RPV pressure present during LOCAs. A 92 day Frequency for this Surveillance is in accordance with the Inservice Testing Program requirements.
| |
| Columbia Generating Station B 3.5.1-11 Revision 106
| |
| | |
| ECCS - Operating B 3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.5.1.5 The ECCS subsystems are required to actuate automatically to perform their design functions. This Surveillance test verifies that, with a required system initiation signal (actual or simulated), the automatic initiation logic of HPCS, LPCS, and LPCI will cause the systems or subsystems to operate as designed, including actuation of the system throughout its emergency operating sequence, automatic pump startup, and actuation of all automatic valves to their required positions. This Surveillance also ensures that the HPCS System will automatically restart on an RPV low water level (Level 2) signal received subsequent to an RPV high water level (Level 8) trip and that the suction is automatically transferred from the CST to the suppression pool. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlaps this Surveillance to provide complete testing of the assumed safety function.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This SR is modified by a Note that excludes vessel injection/spray during the Surveillance. Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance.
| |
| SR 3.5.1.6 The ADS designated SRVs are required to actuate automatically upon receipt of specific initiation signals. A system functional test is performed to demonstrate that the mechanical portions of the ADS function (i.e.,
| |
| solenoids) operate as designed when initiated either by an actual or simulated initiation signal, causing proper actuation of all the required components. This Surveillance also ensures the automatic alignment of the ADS accumulator backup compressed gas system on an actual or simulated ADS header pressure low signal. SR 3.5.1.7 and the LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlap this Surveillance to provide complete testing of the assumed safety function.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.5.1-12 Revision 106
| |
| | |
| ECCS - Operating B 3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| This SR is modified by a Note that excludes valve actuation since the valves are individually tested in accordance with SR 3.5.1.7. This also prevents an RPV pressure blowdown.
| |
| SR 3.5.1.7 A manual actuation of each required ADS valve is performed to verify that the valve and solenoids are functioning properly. This is demonstrated by one of the two methods described below. Foreign material exclusion during maintenance is used to verify that no blockage exists in the SRV discharge line.
| |
| The preferred method is by manual actuation of the ADS valve at atmospheric temperature and pressure during cold shutdown. When using this method, proper functioning of the valve and solenoid is demonstrated by visual observation of actuator movement and a change in position indication as read from the Main Control Room using the Valve Position Indication (VPI) Linear Variable Differential Transformer (LVDT) mounted on each SRV. Lifting the valve at atmospheric pressure requires controlling the actuator to set the valve disc softly on its seat to prevent valve damage. This is the preferred method because lifting the valves with steam flow increases the likelihood that the valve will leak.
| |
| The Note that modifies this SR is not needed when this method is used because the SR is performed during cold shutdown.
| |
| Another method is by manual actuation of the SRV under hot conditions.
| |
| Proper functioning of the valve and solenoid is demonstrated by the response of the turbine control or bypass valve, by a change in the measured steam flow, or by any other method suitable to verify steam flow. Adequate reactor steam dome pressure must be available to perform this test to avoid damaging the valve due to seat impact during closure. Also, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the ADS valves divert steam flow upon opening. Sufficient time is therefore allowed, after the required pressure and flow are achieved, to perform this test. Adequate pressure at which this test is to be performed is 900 psig (consistent with the recommendations of the vendor).
| |
| Adequate steam flow is represented by THERMAL POWER 10% RTP.
| |
| Reactor startup is allowed prior to performing this test by this method because valve OPERABILITY and the setpoints for overpressure protection are verified, per ASME requirements, prior to reactor startup.
| |
| Therefore, this SR is modified by a Note that states the Surveillance is not required to be performed until 12 hours after reactor steam pressure and flow are adequate to perform the test. The 12 hours allowed for manual actuation after the required pressure and flow are reached is sufficient to Columbia Generating Station B 3.5.1-13 Revision 105
| |
| | |
| ECCS - Operating B 3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued) achieve stable conditions and provides adequate time to complete the SR.
| |
| SR 3.5.1.6 and the LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlap this Surveillance to provide complete testing of the assumed safety function.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.5.1.8 This SR ensures that the ECCS RESPONSE TIME for each ECCS injection/spray subsystem is less than or equal to the maximum value assumed in the accident analysis. Response time testing acceptance criteria are included in Reference 15. This SR has been modified by a Note that allows the instrumentation portion of the response time to be excluded and therefore, it is not required to quantitatively measure the sensor response time to satisfy the requirement to verify ECCS RESPONSE TIME. This is acceptable since the instrumentation response time is a small part of the response time and can be qualitatively verified by other methods (Reference 16.) If the response time of the instrumentation is not quantitatively measured, the acceptance criteria must be reduced by a minimum of the time assumed for the instrumentation response in the design analyses, as supported by operating experience.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 6.3.2.2.3.
| |
| : 2. FSAR, Section 6.3.2.2.4.
| |
| : 3. FSAR, Section 6.3.2.2.1.
| |
| : 4. FSAR, Section 6.3.2.2.2.
| |
| : 5. FSAR, Section 15.6.6.
| |
| : 6. FSAR, Section 15.6.4.
| |
| : 7. FSAR, Section 15.6.5.
| |
| : 8. 10 CFR 50, Appendix K.
| |
| Columbia Generating Station B 3.5.1-14 Revision 105
| |
| | |
| ECCS - Operating B 3.5.1 BASES REFERENCES (continued)
| |
| : 9. FSAR, Section 6.3.3.
| |
| : 10. 10 CFR 50.46.
| |
| : 11. FSAR, Section 6.3.3.3.
| |
| : 12. 10 CFR 50.36(c)(2)(ii).
| |
| : 13. Memorandum from R.L. Baer (NRC) to V. Stello, Jr. (NRC),
| |
| "Recommended Interim Revisions to LCOs for ECCS Components,"
| |
| December 1, 1975.
| |
| : 14. NEDC-32115P, Columbia Generating Station, "SAFER/GESTR-LOCA Loss-of-Coolant Accident Analysis," Revision 2, July 1993.
| |
| : 15. Licensee Controlled Specifications Manual.
| |
| : 16. NEDO 32291-A, "System Analyses for the Elimination of Selected Response Time Testing Requirements," October 1995.
| |
| : 17. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| Columbia Generating Station B 3.5.1-15 Revision 105
| |
| | |
| RPV Water Inventory Control B 3.5.2 B 3.5 EMERGENCY CORE COOLING SYSTEM (ECCS), RPV WATER INVENTORY CONTROL, AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM B 3.5.2 Reactor Pressure Vessel (RPV) Water Inventory Control BASES BACKGROUND The RPV contains penetrations below the top of the active fuel (TAF) that have the potential to drain the reactor coolant inventory to below the TAF.
| |
| If the water level should drop below the TAF, the ability to remove decay heat is reduced, which could lead to elevated cladding temperatures and clad perforation. Safety Limit 2.1.1.3 requires the RPV water level to be above the top of the active irradiated fuel at all times to prevent such elevated cladding temperatures.
| |
| APPLICABLE With the unit in MODE 4 or 5, RPV water inventory control is not SAFETY required to mitigate any events or accidents evaluated in the safety ANALYSES analyses. RPV water inventory control is required in MODES 4 and 5 to protect Safety Limit 2.1.1.3 and the fuel cladding barrier to prevent the release of radioactive material to the environment should an unexpected draining event occur.
| |
| A double-ended guillotine break of the Reactor Coolant System (RCS) is not postulated in MODES 4 and 5 due to the reduced RCS pressure, reduced piping stresses, and ductile piping systems. Instead, an event is considered in which single operator error or initiating event allows draining of the RPV water inventory through a single penetration flow path with the highest flow rate, or the sum of the drain rates through multiple penetration flow paths susceptible to a common mode failure (e.g.,
| |
| seismic event, loss of normal power, single human error). It is assumed, based on engineering judgment, that while in MODES 4 and 5, one low pressure ECCS injection/spray subsystem can maintain adequate reactor vessel water level.
| |
| As discussed in References 1, 2, 3, 4, and 5, operating experience has shown RPV water inventory to be significant to public health and safety.
| |
| Therefore, RPV Water Inventory Control satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).
| |
| LCO The RPV water level must be controlled in MODES 4 and 5 to ensure that if an unexpected draining event should occur, the reactor coolant water level remains above the top of the active irradiated fuel as required by Safety Limit 2.1.1.3.
| |
| The Limiting Condition for Operation (LCO) requires the DRAIN TIME of RPV water inventory to the TAF to be 36 hours. A DRAIN TIME of 36 hours is considered reasonable to identify and initiate action to mitigate unexpected draining of reactor coolant. An event that could cause loss of RPV water inventory and result in the RPV water level reaching the TAF Columbia Generating Station B 3.5.2-1 Revision 111
| |
| | |
| RPV Water Inventory Control B 3.5.2 BASES LCO (continued) in greater than 36 hours does not represent a significant challenge to Safety Limit 2.1.1.3 and can be managed as part of normal plant operation.
| |
| One ECCS injection/spray subsystem is required to be OPERABLE and capable of being manually started to provide defense-in-depth should an unexpected draining event occur. An ECCS injection/spray subsystem is defined as either one of the three Low Pressure Coolant Injection (LPCI) subsystems, one Low Pressure Core spray (LPCS) System, or one High Pressure Core Spray (HPCS) System. The LPCS System and each LPCI subsystem consist of one motor driven pump, piping, and valves to transfer water from the suppression pool to the RPV. The HPCS System consists of one motor driven pump, piping, and valves to transfer water from the suppression pool or condensate storage tank (CST) to the RPV.
| |
| The necessary portions of the Standby Service Water and HPCS Service Water Systems, as applicable, are also required to provide appropriate cooling to each required ECCS injection/spray subsystem.
| |
| The LCO is modified by a Note which allows a required LPCI subsystem (A or B) to be considered OPERABLE during alignment and operation for decay heat removal, if capable of being manually realigned (remote or local) to the LPCI mode and not otherwise inoperable. Alignment and operation for decay heat removal includes when the RHR pump is not operating or when the system is being realigned from or to the RHR shutdown cooling mode. This allowance is necessary since the RHR System may be required to operate in the shutdown cooling mode to remove decay heat and sensible heat from the reactor. Because of the restrictions on DRAIN TIME, sufficient time will be available following an unexpected draining event to manually align and initiate LPCI subsystem operation to maintain RPV water inventory prior to the RPV water level reaching the TAF.
| |
| APPLICABILITY RPV water inventory control is required in MODES 4 and 5.
| |
| Requirements on water inventory control in other MODES are contained in LCOs in Section 3.3, Instrumentation, and other LCOs in Section 3.5, ECCS, RCIC, and RPV Water Inventory Control. RPV water inventory control is required to protect Safety Limit 2.1.1.3 which is applicable whenever irradiated fuel is in the reactor vessel.
| |
| Columbia Generating Station B 3.5.2-2 Revision 111
| |
| | |
| RPV Water Inventory Control B 3.5.2 BASES ACTIONS A.1 and B.1 If the required ECCS injection/spray subsystem is inoperable, it must be restored to OPERABLE status within 4 hours. In this condition, the LCO controls on DRAIN TIME minimize the possibility that an unexpected draining event could necessitate the use of the ECCS injection/spray subsystem, however the defense-in-depth provided by the ECCS injection/spray subsystem is lost. The 4 hour Completion Time for restoring the required ECCS injection/spray subsystem to OPERABLE status is based on engineering judgment that considers the LCO controls on DRAIN TIME and the low probability of an unexpected draining event that would result in loss of RPV water inventory.
| |
| If the inoperable ECCS injection/spray subsystem is not restored to OPERABLE status within the required Completion Time, action must be initiated immediately to establish a method of water injection capable of operating without offsite electrical power. The method of water injection includes the necessary instrumentation and controls, water sources, and pumps and valves needed to add water to the RPV or refueling cavity should an unexpected draining event occur. The method of water injection may be manually initiated and may consist of one or more systems or subsystems, and must be able to access water inventory capable of maintaining the RPV water level above the TAF for 36 hours.
| |
| If recirculation of injected water would occur, it may be credited in determining the necessary water volume.
| |
| C.1, C.2, and C.3 With the DRAIN TIME less than 36 hours but greater than or equal to 8 hours, compensatory measures should be taken to ensure the ability to implement mitigating actions should an unexpected draining event occur.
| |
| Should a draining event lower the reactor coolant level to below the TAF, there is potential for damage to the reactor fuel cladding and release of radioactive material. Additional actions are taken to ensure that radioactive material will be contained, diluted, and processed prior to being released to the environment.
| |
| The secondary containment provides a controlled volume in which fission products can be contained, diluted, and processed prior to release to the environment. Required Action C.1 requires verification of the capability to establish the secondary containment boundary in less than the DRAIN TIME. The required verification confirms actions to establish the secondary containment boundary are preplanned and necessary materials are available. The secondary containment boundary is considered established when one Standby Gas Treatment (SGT) subsystem is capable of maintaining a negative pressure in the secondary containment with respect to the environment.
| |
| Columbia Generating Station B 3.5.2-3 Revision 111
| |
| | |
| RPV Water Inventory Control B 3.5.2 BASES ACTIONS (continued)
| |
| Verification that the secondary containment boundary can be established must be performed within 4 hours. The required verification is an administrative activity and does not require manipulation or testing of equipment. Secondary containment penetration flow paths form a part of the secondary containment boundary. Required Action C.2 requires verification of the capability to isolate each secondary containment penetration flow path in less than the DRAIN TIME. The required verification confirms actions to isolate the secondary containment penetration flow paths are preplanned and necessary materials are available. Power operated valves are not required to receive automatic isolation signals if they can be closed manually within the required time.
| |
| Verification that the secondary containment penetration flow paths can be isolated must be performed within 4 hours. The required verification is an administrative activity and does not require manipulation or testing of equipment.
| |
| One SGT subsystem is capable of maintaining the secondary containment at a negative pressure with respect to the environment and filter gaseous releases. Required Action C.3 requires verification of the capability to place one SGT subsystem in operation in less than the DRAIN TIME. The required verification confirms actions to place a SGT subsystem in operation are preplanned and necessary materials are available. Verification that a SGT subsystem can be placed in operation must be performed within 4 hours. The required verification is an administrative activity and does not require manipulation or testing of equipment.
| |
| D.1, D.2, D.3, and D.4 With the DRAIN TIME less than 8 hours, mitigating actions are implemented in case an unexpected draining event should occur. Note that if the DRAIN TIME is less than 1 hour, Required Action E.1 is also applicable.
| |
| Required Action D.1 requires immediate action to establish an additional method of water injection augmenting the ECCS injection/spray subsystem required by the LCO. The additional method of water injection includes the necessary instrumentation and controls, water sources, and pumps and valves needed to add water to the RPV or refueling cavity should an unexpected draining event occur. The Note to Required Action D.1 states that either the ECCS injection/spray subsystem or the additional method of water injection must be capable of operating without offsite electrical power. The additional method of water injection may be manually initiated and may consist of one or more systems or Columbia Generating Station B 3.5.2-4 Revision 111
| |
| | |
| RPV Water Inventory Control B 3.5.2 BASES ACTIONS (continued) subsystems. The additional method of water injection must be able to access water inventory capable of being injected to maintain the RPV water level above the TAF for 36 hours. The additional method of water injection and the ECCS injection/spray subsystem may share all or part of the same water sources. If recirculation of injected water would occur, it may be credited in determining the required water volume.
| |
| Should a draining event lower the reactor coolant level to below the TAF, there is potential for damage to the reactor fuel cladding and release of radioactive material. Additional actions are taken to ensure that radioactive material will be contained, diluted, and processed prior to being released to the environment.
| |
| The secondary containment provides a control volume in which fission products can be contained, diluted, and processed prior to release to the environment. Required Action D.2 requires that actions be immediately initiated to establish the secondary containment boundary. With the secondary containment boundary established, one SGT subsystem is capable of maintaining a negative pressure in the secondary containment with respect to the environment.
| |
| The secondary containment penetrations form a part of the secondary containment boundary. Required Action D.3 requires that actions be immediately initiated to verify that each secondary containment penetration flow path is isolated or to verify that it can be manually isolated from the control room.
| |
| One SGT subsystem is capable of maintaining the secondary containment at a negative pressure with respect to the environment and filter gaseous releases. Required Action D.4 requires that actions be immediately initiated to verify that at least one SGT subsystem is capable of being placed in operation. The required verification is an administrative activity and does not require manipulation or testing of equipment.
| |
| E.1 If the Required Actions and associated Completion times of Conditions C or D are not met or if the DRAIN TIME is less than 1 hour, actions must be initiated immediately to restore the DRAIN TIME to 36 hours. In this condition, there may be insufficient time to respond to an unexpected draining event to prevent the RPV water inventory from reaching the TAF.
| |
| Note that Required Actions D.1, D.2, D.3, and D.4 are also applicable when DRAIN TIME is less than 1 hour.
| |
| Columbia Generating Station B 3.5.2-5 Revision 111
| |
| | |
| RPV Water Inventory Control B 3.5.2 BASES SURVEILLANCE SR 3.5.2.1 REQUIREMENTS This Surveillance verifies that the DRAIN TIME of RPV water inventory to the TAF is 36 hours. The period of 36 hours is considered reasonable to identify and initiate action to mitigate draining of reactor coolant. Loss of RPV water inventory that would result in the RPV water level reaching the TAF in greater than 36 hours does not represent a significant challenge to Safety Limit 2.1.1.3 and can be managed as part of normal plant operation.
| |
| The definition of DRAIN TIME states that realistic cross-sectional areas and drain rates are used in the calculation. A realistic drain rate may be determined using a single, step-wise, or integrated calculation considering the changing RPV water level during a draining event. For a Control Rod RPV penetration flow path with the Control Rod Drive Mechanism removed and not replaced with a blank flange, the realistic cross-sectional area is based on the control rod blade seated in the control rod guide tube. If the control rod blade will be raised from the penetration to adjust or verify seating of the blade, the exposed cross-sectional area of the RPV penetration flow path is used.
| |
| The definition of DRAIN TIME excludes from the calculation those penetration flow paths connected to an intact closed system, or isolated by manual or automatic valves that are locked, sealed, or otherwise secured in the closed position, blank flanges, or other devices that prevent flow of reactor coolant through the penetration flow paths. A blank flange or other bolted device must be connected with a sufficient number of bolts to prevent draining in the event of an Operating Basis Earthquake. Normal or expected leakage from closed systems or past isolation devices is permitted. Determination that a system is intact and closed or isolated must consider the status of branch lines and ongoing plant maintenance and testing activities.
| |
| The Residual Heat Removal (RHR) Shutdown Cooling System is only considered an intact closed system when misalignment issues (Reference 6) have been precluded by functional valve interlocks or by isolation devices, such that redirection of RPV water out of an RHR subsystem is precluded. Further, RHR Shutdown Cooling System is only considered an intact closed system if its controls have not been transferred to Remote Shutdown, which disables the interlocks and isolation signals.
| |
| The exclusion of penetration flow paths from the determination of DRAIN TIME must consider the potential effects of a single operator error or initiating event on items supporting maintenance and testing (rigging, scaffolding, temporary shielding, piping plugs, snubber removal, freeze seals, etc.). If failure of such items could result and would cause a draining event from a closed system or between the RPV and the Columbia Generating Station B 3.5.2-6 Revision 111
| |
| | |
| RPV Water Inventory Control B 3.5.2 BASES SURVEILLANCE REQUIREMENTS (continued) isolation device, the penetration flow path may not be excluded from the DRAIN TIME calculation.
| |
| Surveillance Requirement 3.0.1 requires SRs to be met between performances. Therefore, any changes in plant conditions that would change the DRAIN TIME requires that a new DRAIN TIME be determined.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.5.2.2 and SR 3.5.2.3 The minimum water level of 18 ft 6 inches required for the suppression pool is periodically verified to ensure that the suppression pool will provide adequate net positive suction head (NPSH) for the ECCS pump, recirculation volume (135,000 gallons consistent with the CST volume requirements described below), and vortex prevention. With the suppression pool water level less than the required limit, the required ECCS injection/spray subsystem is inoperable unless aligned to an OPERABLE CST (Ref. 9).
| |
| When the suppression pool level is < 18 ft 6 inches, the HPCS System is considered OPERABLE only if it can take suction from the CST and the CST water level is sufficient to provide the required NPSH for the HPCS pump. Therefore, a verification that either the suppression pool water level is 18 ft 6 inches or the HPCS System is aligned to take suction from the CST and the CST contains 135,000 gallons of water. This volume of water is equivalent to a level of 16.5 ft in a single CST or 10.5 ft in each CST above the top of the suction line. This ensures that the HPCS System can supply makeup water to the RPV. Calculations that determine this water level are listed as References 7 and 8.
| |
| The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| SR 3.5.2.4 The flow path piping has the potential to develop voids and pockets of entrained air. Maintaining the pump discharge lines of the required ECCS injection/spray subsystems full of water ensures that the ECCS subsystem will perform properly. This may also prevent a water hammer following an ECCS initiation signal. One acceptable method of ensuring that the lines are full is to vent at the high points.
| |
| Columbia Generating Station B 3.5.2-7 Revision 111
| |
| | |
| RPV Water Inventory Contol B 3.5.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.5.2.5 Verifying the correct alignment for manual, power operated, and automatic valves in the required ECCS subsystem flow path provides assurance that the proper flow path will be available for ECCS operation.
| |
| This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.5.2.6 Verifying that the required ECCS injection/spray subsystem can be manually started and operate for at least 10 minutes demonstrates that the subsystem is available to mitigate a draining event. Testing the ECCS injection/spray subsystem must be done in such a way to avoid overfilling the refueling cavity. Thus, this SR is modified by a Note that states that injection into the vessel is not required. The minimum operating time of 10 minutes was based on engineering judgement.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.5.2.7 Verifying that each valve credited for automatically isolating a penetration flow path actuates to the isolation position on an actual or simulated RPV water level isolation signal is required to prevent RPV water inventory from dropping below the TAF should an unexpected draining event occur.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.5.2-8 Revision 111
| |
| | |
| RPV Water Inventory Contol B 3.5.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.5.2.8 The required ECCS subsystem is required to have a manual start capability. This Surveillance verifies that a manual initiation signal will cause the required LPCI subsystem or LPCS System to start and operate as designed, including pump startup and actuation of all automatic valves to their required positions. The HPCS system is verified to start manually from a standby configuration, and includes the ability to override the RPV Level 8 injection valve isolation.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This SR is modified by a Note that excludes vessel injection/spray during the Surveillance. Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance.
| |
| REFERENCES 1. Information Notice 84-81 "Inadvertent Reduction in Primary Coolant Inventory in Boiling Water Reactors During Shutdown and Startup,"
| |
| November 1984.
| |
| : 2. Information Notice 86-74, "Reduction of Reactor Coolant Inventory Because of Misalignment of RHR Valves," August 1986.
| |
| : 3. Generic Letter 92-04, "Resolution of the Issues Related to Reactor Vessel Water Level Instrumentation in BWRs Pursuant to 10 CFR 50.54(f), " August 1992.
| |
| : 4. NRC Bulletin 93-03, "Resolution of Issues Related to Reactor Vessel Water Level Instrumentation in BWRs," May 1993.
| |
| : 5. Information Notice 94-52, "Inadvertent Containment Spray and Reactor Vessel Draindown at Millstone 1," July 1994.
| |
| : 6. General Electric Service Information Letter No. 388, "RHR Valve Misalignment During Shutdown Cooling Operation for BWR 3/4/5/6,"
| |
| February 1983.
| |
| : 7. E/I-02-91-1011.
| |
| : 8. E/I-02-98-1002.
| |
| : 9. TM 2092.
| |
| Columbia Generating Station B 3.5.2-9 Revision 111
| |
| | |
| RCIC System B 3.5.3 B 3.5 EMERGENCY CORE COOLING SYSTEM (ECCS), RPV WATER INVENTORY CONTROL, AND REACTOR CORE ISOLATIONCOOLING (RCIC) SYSTEM B 3.5.3 RCIC System BASES BACKGROUND The RCIC System is not part of the ECCS; however, the RCIC System is included with the ECCS section because of their similar functions.
| |
| The RCIC System is designed to operate either automatically or manually following reactor pressure vessel (RPV) isolation accompanied by a loss of coolant flow from the feedwater system to provide adequate core cooling and control of RPV water level. Under these conditions, the High Pressure Core Spray (HPCS) and RCIC systems perform similar functions. The RCIC System design requirements ensure that the criteria of Reference 1 are satisfied.
| |
| The RCIC System (Ref. 2) consists of a steam driven turbine pump unit, piping and valves to provide steam to the turbine, as well as piping and valves to transfer water from the suction source to the core via the head spray nozzle. Suction piping is provided from the condensate storage tank (CST) and the suppression pool. Pump suction is normally aligned to the CST to minimize injection of suppression pool water into the RPV.
| |
| However, if the CST water supply is low an automatic transfer to the suppression pool water source ensures a water supply for continuous operation of the RCIC System. The steam supply to the turbine is piped from main steam line B, upstream of the inboard main steam line isolation valve.
| |
| The RCIC System is designed to provide core cooling for a wide range of reactor pressures, 165 psia to 1225 psia. Upon receipt of an initiation signal, the RCIC turbine accelerates to a specified speed. As the RCIC flow increases, the turbine control valve is automatically adjusted to maintain design flow. Exhaust steam from the RCIC turbine is discharged to the suppression pool. A full flow test line is provided to route water to the CST to allow testing of the RCIC System during normal operation without injecting water into the RPV.
| |
| The RCIC pump is provided with a minimum flow bypass line, which discharges to the suppression pool. The valve in this line automatically opens to prevent pump damage due to overheating when other discharge line valves are closed. To ensure rapid delivery of water to the RPV and to minimize water hammer effects, the RCIC System discharge line "keep fill" system is designed to maintain the pump discharge line filled with water.
| |
| Columbia Generating Station B 3.5.3-1 Revision 111
| |
| | |
| RCIC System B 3.5.3 BASES APPLICABLE The function of the RCIC System is to respond to transient events by SAFETY providing makeup coolant to the reactor. The RCIC System is not an ANALYSES Engineered Safety Feature System and no credit is taken in the safety analyses for RCIC System operation. Based on its contribution to the reduction of overall plant risk, however, the system satisfies Criterion 4 of Reference 3.
| |
| LCO The OPERABILITY of the RCIC System provides adequate core cooling such that actuation of any of the ECCS subsystems is not required in the event of RPV isolation accompanied by a loss of feedwater flow. The RCIC System has sufficient capacity to maintain RPV inventory during an isolation event. Management of gas voids is important to RCIC System OPERABILITY.
| |
| APPLICABILITY The RCIC System is required to be OPERABLE in MODE 1, and MODES 2 and 3 with reactor steam dome pressure > 150 psig since RCIC is the primary non-ECCS water source for core cooling when the reactor is isolated and pressurized. In MODES 2 and 3 with reactor steam dome pressure 150 psig, the ECCS injection/spray subsystems can provide sufficient flow to the vessel. In MODES 4 and 5, RCIC is not required to be OPERABLE since RPV water inventory control is required by LCO 3.5.2, "RPV Water Level Inventory Control."
| |
| ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable RCIC system. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable RCIC system and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.
| |
| A.1 and A.2 If the RCIC System is inoperable during MODE 1, or MODES 2 or 3 with reactor steam dome pressure > 150 psig, and the HPCS System is immediately verified to be OPERABLE, the RCIC System must be restored to OPERABLE status within 14 days. In this Condition, loss of the RCIC System will not affect the overall plant capability to provide makeup inventory at high RPV pressure since the HPCS System is the only high pressure system assumed to function during a loss of coolant accident (LOCA). OPERABILITY of the HPCS is therefore immediately verified when the RCIC System is inoperable. This may be performed as an administrative check, by examining logs or other information, to determine if the HPCS is out of service for maintenance or other reasons.
| |
| Verification does not require performing the Surveillances needed to demonstrate the OPERABILITY of the HPCS System. If the Columbia Generating Station B 3.5.3-2 Revision 111
| |
| | |
| RCIC System B 3.5.3 BASES ACTIONS (continued)
| |
| OPERABILITY of the HPCS System cannot be immediately verified, however, Condition B must be immediately entered. For transients and certain abnormal events with no LOCA, RCIC (as opposed to HPCS) is the preferred source of makeup coolant because of its relatively small capacity, which allows easier control of RPV water level. Therefore, a limited time is allowed to restore the inoperable RCIC to OPERABLE status.
| |
| The 14 day Completion Time is based on a reliability study (Ref. 4) that evaluated the impact on ECCS availability, assuming that various components and subsystems were taken out of service. The results were used to calculate the average availability of ECCS equipment needed to mitigate the consequences of a LOCA as a function of allowed outage times (AOTs). Because of the similar functions of the HPCS and RCIC, the AOTs (i.e., Completion Times) determined for the HPCS are also applied to RCIC.
| |
| B.1 and B.2 If the RCIC System cannot be restored to OPERABLE status within the associated Completion Time, or if the HPCS System is simultaneously inoperable, the plant must be brought to a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and reactor steam dome pressure reduced to 150 psig within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.5.3.1 REQUIREMENTS The RCIC System flow path piping and components have the potential to develop voids and pockets of entrained gases. Preventing and managing gas intrusion and accumulation is necessary for proper operation of the RCIC System and may also prevent a water hammer, pump cavitation, and pumping of noncondensible gas.
| |
| Selection of RCIC System locations susceptible to gas accumulation is based on a self-assessment of the piping configuration to identify where gases may accumulate and remain even after the system is filled and vented, and to identify vulnerable potential degassing flow paths. The review is supplemented by verification that installed high-point vents are actually at the system high points, including field verification to ensure pipe shapes and construction tolerances have not inadvertently created Columbia Generating Station B 3.5.3-3 Revision 111
| |
| | |
| RCIC System B 3.5.3 BASES SURVEILLANCE REQUIREMENTS (continued) additional high points. Susceptible locations depend on plant and system configuration, such as stand-by versus operating conditions.
| |
| The RCIC System is OPERABLE when it is sufficiently filled with water.
| |
| Acceptance criteria are established for the volume of accumulated gas at susceptible locations. If accumulated gas is discovered that exceeds the acceptance criteria for the susceptible location (or the volume of accumulated gas at one or more susceptible locations exceeds an acceptance criteria for gas volume at the suction or discharge of a pump),
| |
| the Surveillance is not met. If it is determined by subsequent evaluation that the RCIC System is not rendered inoperable by the accumulated gas (i.e., the system is sufficiently filled with water), the Surveillance may be declared met. Accumulated gas should be eliminated or brought within the acceptance criteria limits.
| |
| RCIC System locations susceptible to gas accumulation are monitored and, if gas is found, the gas volume is compared to the acceptance criteria for the location. Susceptible locations in the same system flow path which are subject to the same gas intrusion mechanisms may be verified by monitoring a representative sub-set of susceptible locations.
| |
| Monitoring may not be practical for locations that are inaccessible due to radiological or environmental conditions, the plant configuration, or personnel safety. For these locations alternative methods (e.g., operating parameters, remote monitoring) may be used to monitor the susceptible location. Monitoring is not required for susceptible locations where the maximum potential accumulated gas void volume has been evaluated and determined to not challenge system OPERABILITY. The accuracy of the method used for monitoring the susceptible locations and trending of the results should be sufficient to assure system OPERABILITY during the Surveillance interval.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Surveillance Frequency may vary by location susceptible to gas accumulation.
| |
| SR 3.5.3.2 Verifying the correct alignment for manual, power operated, and automatic valves in the RCIC flow path provides assurance that the proper flow path will exist for RCIC operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a Columbia Generating Station B 3.5.3-4 Revision 111
| |
| | |
| RCIC System B 3.5.3 BASES SURVEILLANCE REQUIREMENTS (continued) nonaccident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. For the RCIC System, this SR also includes the steam flow path for the turbine and the flow controller position.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| The Surveillance is modified by a Note which exempts system vent flow paths opened under administrative control. The administrative control should be proceduralized and include stationing a dedicated individual at the system vent flow path who is in continuous communication with the operators in the control room. This individual will have a method to rapidly close the system vent flow path if directed.
| |
| SR 3.5.3.3 and SR 3.5.3.4 The RCIC pump flow rates ensure that the system can maintain reactor coolant inventory during pressurized conditions with the RPV isolated.
| |
| The flow tests for the RCIC System are performed at two different pressure ranges such that system capability to provide rated flow against a system head corresponding to reactor pressure is tested both at the higher and lower operating ranges of the system. The required system head should overcome the RPV pressure and associated discharge line losses. Adequate reactor steam pressure must be available to perform these tests. Additionally, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the RCIC System diverts steam flow. Therefore, sufficient time is allowed after adequate pressure and flow are achieved to perform these SRs. Adequate reactor steam pressure to perform SR 3.5.3.3 is 935 psig and to perform SR 3.5.3.4 is 150 psig. Adequate steam flow to perform SR 3.5.3.3 is represented by THERMAL POWER 10% RTP and to perform SR 3.5.3.4 is represented by turbine bypass valves 10%
| |
| open. Reactor startup is allowed prior to performing the low pressure Surveillance because the reactor pressure is low and the time to satisfactorily perform the Surveillance is short. The reactor pressure is allowed to be increased to normal operating pressure since it is assumed that the low pressure test has been satisfactorily completed and there is no indication or reason to believe that RCIC is inoperable. Therefore, Columbia Generating Station B 3.5.3-5 Revision 105
| |
| | |
| RCIC System B 3.5.3 BASES SURVEILLANCE REQUIREMENTS (continued) these SRs are modified by Notes that state the Surveillances are not required to be performed until 12 hours after the reactor steam pressure and flow are adequate to perform the test. The 12 hours allowed for the flow tests after the required pressure and flow are reached is sufficient to achieve stable conditions for testing and provides a reasonable time to complete the SRs.
| |
| The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| SR 3.5.3.5 The RCIC System is required to actuate automatically to perform its design function. This Surveillance verifies that with a required system initiation signal (actual or simulated) the automatic initiation logic of RCIC will cause the system to operate as designed, including actuation of the system throughout its emergency operating sequence, automatic pump startup and actuation of all automatic valves to their required positions.
| |
| This Surveillance test also ensures that the RCIC System will automatically restart on an RPV low water level (Level 2) signal received subsequent to an RPV high water level (Level 8) trip and that the suction is automatically transferred from the CST to the suppression pool. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.3 overlaps this Surveillance to provide complete testing of the assumed design function.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This SR is modified by a Note that excludes vessel injection during the Surveillance. Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 33.
| |
| : 2. FSAR, Section 5.4.6.2.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| : 4. Memorandum from R.L. Baer (NRC) to V. Stello, Jr. (NRC),
| |
| "Recommended Interim Revisions to LCOs for ECCS Components,"
| |
| December 1, 1975.
| |
| Columbia Generating Station B 3.5.3-6 Revision 111
| |
| | |
| Primary Containment B 3.6.1.1 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.1 Primary Containment BASES BACKGROUND The function of the primary containment is to isolate and contain fission products released from the Reactor Primary System following a Design Basis Accident (DBA) and to confine the postulated release of radioactive material to within limits. The primary containment consists of a free-standing steel pressure vessel, which surrounds the Reactor Primary System and provides an essentially leak tight barrier against an uncontrolled release of radioactive material to the environment.
| |
| Additionally, this structure is enclosed in a reinforced concrete vessel, which provides shielding from the fission products that may be present in the primary containment atmosphere following accident conditions.
| |
| The isolation devices for the penetrations in the primary containment boundary are a part of the primary containment leak tight barrier. To maintain this leak tight barrier:
| |
| : a. All penetrations required to be closed during accident conditions are either:
| |
| : 1. capable of being closed by an OPERABLE automatic containment isolation system, or
| |
| : 2. closed by manual valves, blind flanges, or de-activated automatic valves secured in their closed positions, except as provided in LCO 3.6.1.3, "Primary Containment Isolation Valves (PCIVs)";
| |
| : b. Primary containment air locks are OPERABLE, except as provided in LCO 3.6.1.2, "Primary Containment Air Locks"; and
| |
| : c. All equipment hatches are closed.
| |
| This Specification ensures that the performance of the primary containment, in the event of a DBA, meets the assumptions used in the safety analyses of References 1 and 2. SR 3.6.1.1.1 leakage rate requirements are in conformance with 10 CFR 50, Appendix J, Option B (Ref. 3), as modified by approved exemptions.
| |
| Columbia Generating Station B 3.6.1.1-1 Revision 73
| |
| | |
| Primary Containment B 3.6.1.1 BASES APPLICABLE The safety design basis for the primary containment is that it must SAFETY withstand the pressures and temperatures of the limiting DBA without ANALYSES exceeding the design leakage rate.
| |
| The DBA that postulates the maximum release of radioactive material within primary containment is an inadequate core cooling event that degraded into core damage. In the analysis of this accident, it is assumed that primary containment is OPERABLE such that release of fission products to the environment is controlled by the rate of primary containment leakage.
| |
| Analytical methods and assumptions involving the primary containment are presented in References 1 and 2. The safety analyses assume a nonmechanistic fission product release following a DBA, which forms the basis for determination of offsite doses. The fission product release is, in turn, based on an assumed leakage rate from the primary containment.
| |
| OPERABILITY of the primary containment ensures that the leakage rate assumed in the safety analyses is not exceeded.
| |
| The maximum allowable leakage rate for the primary containment (La) is 0.5% by weight of the containment air per 24 hours at the design basis LOCA maximum peak containment pressure (Pa) of 38 psig (Ref. 4).
| |
| Primary containment satisfies Criterion 3 of Reference 5.
| |
| LCO Primary containment OPERABILITY is maintained by limiting leakage to 1.0 La, except prior to the first startup after performing a required Primary Containment Leakage Rate Testing Program leakage test. At this time, applicable leakage limits must be met. In addition, the leakage from the drywell to the suppression chamber must be limited to ensure the pressure suppression function is accomplished and the suppression chamber pressure does not exceed design limits. Compliance with this LCO will ensure a primary containment configuration, including equipment hatches, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analysis. Individual leakage rates specified for the primary containment air locks are addressed in LCO 3.6.1.2.
| |
| APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, primary containment is not required to be OPERABLE in MODES 4 and 5 to prevent leakage of radioactive material from primary containment.
| |
| Columbia Generating Station B 3.6.1.1-2 Revision 73
| |
| | |
| Primary Containment B 3.6.1.1 BASES ACTIONS A.1 In the event that primary containment is inoperable, primary containment must be restored to OPERABLE status within 1 hour. The 1 hour Completion Time provides a period of time to correct the problem that is commensurate with the importance of maintaining primary containment OPERABILITY during MODES 1, 2, and 3. This time period also ensures that the probability of an accident (requiring primary containment OPERABILITY) occurring during periods where primary containment is inoperable is minimal.
| |
| B.1 and B.2 If primary containment cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.6.1.1.1 REQUIREMENTS Maintaining the primary containment OPERABLE requires compliance with the visual examinations and leakage rate test requirements of the Primary Containment Leakage Rate Testing Program. Failure to meet air lock leakage (SR 3.6.1.2.1), secondary containment bypass leakage (SR 3.6.1.3.10), or main steam isolation valve leakage (SR 3.6.1.3.10) limit does not necessarily result in a failure of this SR. The impact of the failure to meet these SRs must be evaluated against the Type A, B, and C acceptance criteria of the Primary Containment Leakage Rate Testing Program.
| |
| As left leakage prior to the first startup after performing a required leakage test is required to be < 0.6 La for combined Type B and C leakage, and < 0.75 La for overall Type A leakage. At all other times between required leakage rate tests, the acceptance criteria is based on an overall Type A leakage limit of 1.0 La. At 1.0 La the offsite dose consequences are bounded by the assumptions of the safety analysis.
| |
| The Frequency is required by the Primary Containment Leakage Rate Testing Program.
| |
| Columbia Generating Station B 3.6.1.1-3 Revision 73
| |
| | |
| Primary Containment B 3.6.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.6.1.1.2 Maintaining the pressure suppression function of primary containment requires limiting the leakage from the drywell to the suppression chamber.
| |
| Thus, if an event were to occur that pressurized the drywell, the steam would be directed through the downcomers into the suppression pool.
| |
| This SR measures drywell to suppression chamber differential pressure during a 4 hour period to ensure that the leakage paths that would bypass the suppression pool are within allowable limits.
| |
| Satisfactory performance of this SR can be achieved by establishing a known differential pressure ( 1.5 psid) between the drywell and the suppression chamber and verifying that the bypass leakage is equivalent to that through an area 10% of the acceptable design value of 0.050 ft2. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. One test failure increases the Surveillance Frequency to 48 months. Two consecutive as found test failures, however, would indicate unexpected primary containment degradation; in this event increasing the Frequency to once every 24 months is required until the situation is remedied as evidenced by passing two consecutive tests.
| |
| SR 3.6.1.1.3 Maintaining the pressure suppression function of the primary containment requires limiting the leakage from the drywell to the suppression chamber.
| |
| Thus, if an event were to occur that pressurizes the drywell, the steam would be directed through the downcomers into the suppression pool.
| |
| This SR measures the drywell to suppression chamber vacuum relief valve bypass leakage to ensure that these leakage paths that would bypass the suppression pool are within allowable limits.
| |
| Satisfactory performance of this SR can be achieved by establishing a known initial differential pressure (> 1.5 psid) between the drywell side and the suppression chamber side of the suppression to drywell chamber vacuum relief valve and verifying that the measured bypass leakage is
| |
| < 1.2% of the acceptable design value of 0.050 ft2. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.6.1.1-4 Revision 93
| |
| | |
| Primary Containment B 3.6.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The SR is modified by a Note stating that performance of SR 3.6.1.1.2 satisfies this Surveillance Requirement. This is acceptable since drywell to suppression chamber vacuum relief valve leakage is included in the measurement of the drywell to suppression chamber bypass leakage required by SR 3.6.1.1.2.
| |
| SR 3.6.1.1.4 Maintaining the pressure suppression function of the primary containment requires limiting the leakage from the drywell to the suppression chamber.
| |
| Thus, if an event were to occur that pressurizes the drywell, the steam would be directed through the downcomers into the suppression pool.
| |
| This SR determines the total drywell to suppression chamber vacuum relief valve bypass leakage to ensure that these leakage paths that would bypass the suppression pool are within allowable limits.
| |
| For those outages where the drywell to suppression chamber bypass leak rate test (BLRT) is not conducted, the suppression chamber to drywell vacuum breaker (CVB) leakage test verifies that even with the maximum allowable CVB leakage, a margin of 70% remains for potential passive structural leakage. Previous drywell to suppression chamber bypass test data indicates that the bypass leakage through the passive structural components will be a small fraction of the remaining 70% margin. The CVB leakage limit, combined with negligible leakage from the passive structural area, ensures that the drywell to suppression chamber bypass leakage limit is met for those outages in which the BLRT is not performed.
| |
| Satisfactory performance of this SR is achieved by summing the individual drywell to suppression chamber vacuum relief valve bypass leakages from SR 3.6.1.1.3 and verifying that the total measured bypass leakage is < 3.0% of the acceptable design value of 0.050 ft2. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| The SR is modified by a Note stating that performance of SR 3.6.1.1.2 satisfies this Surveillance Requirement. This is acceptable since drywell to suppression changer vacuum relief valve leakage is included in the measurement of the drywell to suppression chamber bypass leakage required by SR 3.6.1.1.2.
| |
| Columbia Generating Station B 3.6.1.1-5 Revision 93
| |
| | |
| Primary Containment B 3.6.1.1 BASES REFERENCES 1. FSAR, Section 6.2.1.1.3.
| |
| : 2. FSAR, Section 15.6.5.
| |
| : 3. 10 CFR 50, Appendix J, Option B.
| |
| : 4. FSAR, Section 6.2.6.1.
| |
| : 5. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.6.1.1-6 Revision 73
| |
| | |
| Primary Containment Air Lock B 3.6.1.2 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.2 Primary Containment Air Lock BASES BACKGROUND One double door primary containment air lock has been built into the primary containment to provide personnel access to the primary containment and to provide primary containment isolation during the process of personnel entry and exit. The air lock is designed to withstand the same loads, temperatures, and peak design internal and external pressures as the primary containment (Refs. 1 and 2). As part of the primary containment, the air lock limits the release of radioactive material to the environment during normal unit operation and through a range of transients and accidents up to and including postulated Design Basis Accidents (DBAs).
| |
| Each air lock door has been designed and tested to certify its ability to withstand pressure in excess of the maximum expected pressure following a DBA in primary containment. Each of the doors has double, compressible seals and local leak rate testing capability to ensure pressure integrity. To effect a leak tight seal, the air lock design uses pressure sealed doors (i.e., an increase in primary containment internal pressure results in increased sealing on each door).
| |
| The air lock is nominally a right circular cylinder, approximately 9 ft in diameter, with doors at each end that are interlocked to prevent simultaneous opening. The air lock is provided with limit switches on both doors that provide local indication of door position. During periods when primary containment is not required to be OPERABLE, the air lock interlock mechanism may be disabled, allowing both doors of the air lock to remain open for extended periods when frequent primary containment entry is necessary. Under some conditions, as allowed by this LCO, the primary containment may be accessed through the air lock when the door interlock mechanism has failed, by manually performing the interlock function.
| |
| The primary containment air lock forms part of the primary containment pressure boundary. As such, air lock integrity and leak tightness are essential for maintaining the primary containment leakage rate to within limits in the event of a DBA. Not maintaining air lock integrity or leak tightness may result in a leakage rate in excess of that assumed in the safety analysis.
| |
| Columbia Generating Station B 3.6.1.2-1 Revision 73
| |
| | |
| Primary Containment Air Lock B 3.6.1.2 BASES APPLICABLE The DBA that postulates the maximum release of radioactive material SAFETY within primary containment is a LOCA. In the analysis of this accident, it ANALYSES is assumed that primary containment is OPERABLE, such that release of fission products to the environment is controlled by the rate of primary containment leakage. The primary containment is designed with a maximum allowable leakage rate (La) of 0.5% by weight of the containment air per 24 hours at the calculated maximum peak containment pressure (Pa) of 38 psig (Ref. 3). This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with the air lock.
| |
| Primary containment air lock OPERABILITY is also required to minimize the amount of fission product gases that may escape primary containment through the air lock and contaminate and pressurize the secondary containment.
| |
| Primary containment air lock satisfies Criterion 3 of Reference 4.
| |
| LCO As part of the primary containment, the air lock safety function is related to control of containment leakage following a DBA. Thus, the air lock structural integrity and leak tightness are essential to the successful mitigation of such an event.
| |
| The primary containment air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE. The interlock allows only one air lock door to be open at a time. This provision ensures that a gross breach of primary containment does not exist when primary containment is required to be OPERABLE. Closure of a single door in the air lock is sufficient to provide a leak tight barrier following postulated events. Nevertheless, both doors are kept closed when the air lock is not being used for normal entry into and exit from primary containment.
| |
| APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the primary containment air lock is not required to be OPERABLE in MODES 4 and 5 to prevent leakage of radioactive material from primary containment.
| |
| Columbia Generating Station B 3.6.1.2-2 Revision 73
| |
| | |
| Primary Containment Air Lock B 3.6.1.2 BASES ACTIONS The ACTIONS are modified by Note 1, which allows entry and exit to perform repairs of the affected air lock component. If the outer door is inoperable, then it may be easily accessed to repair. If the inner door is the one that is inoperable, however, then a short time exists when the primary containment boundary is not intact (during access through the outer door). The allowance to open the OPERABLE door, even if it means the primary containment boundary is temporarily not intact, is acceptable due to the low probability of an event that could pressurize the primary containment during the short time in which the OPERABLE door is expected to be open. After each entry and exit, the OPERABLE door must be immediately closed.
| |
| The ACTIONS are modified by a second Note, which ensures appropriate remedial actions are taken when necessary, if air lock leakage results in exceeding overall containment leakage rate acceptance criteria.
| |
| Pursuant to LCO 3.0.6, ACTIONS are not required even if primary containment leakage is exceeding La. Therefore, the Note is added to require ACTIONS for LCO 3.6.1.1, "Primary Containment," to be taken in this event.
| |
| A.1, A.2, and A.3 With one primary containment air lock door inoperable, the OPERABLE door must be verified closed (Required Action A.1) in the air lock. This ensures that a leak tight primary containment barrier is maintained by the use of an OPERABLE air lock door. This action must be completed within 1 hour. The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1.1, which requires that primary containment be restored to OPERABLE status within 1 hour.
| |
| In addition, the air lock penetration must be isolated by locking closed the OPERABLE air lock door within the 24 hour Completion Time. The 24 hour Completion Time is considered reasonable for locking the OPERABLE air lock door, considering the OPERABLE door is being maintained closed.
| |
| Required Action A.3 ensures that the air lock penetration has been isolated by the use of a locked closed OPERABLE air lock door. This ensures that an acceptable primary containment leakage boundary is maintained. The Completion Time of once per 31 days is based on engineering judgment and is considered adequate given the low likelihood of a locked door being mispositioned and other administrative controls. Required Action A.3 is modified by a Note that applies to air lock doors located in high radiation areas or areas with limited access due to inerting and allows these doors to be verified locked closed by use of Columbia Generating Station B 3.6.1.2-3 Revision 73
| |
| | |
| Primary Containment Air Lock B 3.6.1.2 BASES ACTIONS (continued) administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted.
| |
| Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.
| |
| The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the air lock are inoperable. With both doors in the air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. The exception of Note 1 does not affect tracking the Completion Time from the initial entry into Condition A; only the requirement to comply with the Required Actions. Note 2 allows use of the air lock for entry and exit for 7 days under administrative controls.
| |
| Primary containment entry may be required to perform Technical Specifications (TS) Surveillances and Required Actions, as well as other activities inside primary containment that are required by TS or activities that support TS-required equipment. This Note is not intended to preclude performing other activities (i.e., non-TS-related activities) if the primary containment was entered, using the inoperable air lock, to perform an allowed activity listed above. The required administrative controls consist of stationing a dedicated individual to assure closure of the OPERABLE door except during the entry and exit, and to assure the OPERABLE door is relocked after completion of the containment entry and exit. This allowance is acceptable due to the low probability of an event that could pressurize the primary containment during the short time that the OPERABLE door is expected to be open.
| |
| B.1, B.2, and B.3 With an air lock interlock mechanism inoperable, the Required Actions and associated Completion Times are consistent with those specified in Condition A.
| |
| The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the air lock are inoperable. With both doors in the air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. Note 2 allows entry into and exit from the primary containment under the control of a dedicated individual stationed at the air lock to ensure that only one door is opened at a time (i.e., the individual performs the function of the interlock).
| |
| Columbia Generating Station B 3.6.1.2-4 Revision 73
| |
| | |
| Primary Containment Air Lock B 3.6.1.2 BASES ACTIONS (continued)
| |
| Required Action B.3 is modified by a Note that applies to air lock doors located in high radiation areas or areas with limited access due to inerting and allows these doors to be verified locked closed by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted.
| |
| Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.
| |
| C.1, C.2, and C.3 If the air lock is inoperable for reasons other than those described in Condition A or B, Required Action C.1 requires action to be immediately initiated to evaluate containment overall leakage rates using current air lock leakage test results. An evaluation is acceptable since it is overly conservative to immediately declare the primary containment inoperable if both doors in the air lock have failed a seal test or if the overall air lock leakage is not within limits. In many instances (e.g., only one seal per door has failed) primary containment remains OPERABLE, yet only 1 hour (according to LCO 3.6.1.1) would be provided to restore the air lock door to OPERABLE status prior to requiring a plant shutdown. In addition, even with both doors failing the seal test, the overall containment leakage rate can still be within limits.
| |
| Required Action C.2 requires that one door in the primary containment air lock must be verified closed. This Required Action must be completed within the 1 hour Completion Time. This specified time period is consistent with the ACTIONS of LCO 3.6.1.1, which require that primary containment be restored to OPERABLE status within 1 hour.
| |
| Additionally, the air lock must be restored to OPERABLE status within 24 hours (Required Action C.3). The 24 hour Completion Time is reasonable for restoring the inoperable air lock to OPERABLE status considering that at least one door is maintained closed in the air lock.
| |
| D.1 and D.2 If the inoperable primary containment air lock cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| Columbia Generating Station B 3.6.1.2-5 Revision 73
| |
| | |
| Primary Containment Air Lock B 3.6.1.2 BASES SURVEILLANCE SR 3.6.1.2.1 REQUIREMENTS Maintaining the primary containment air lock OPERABLE requires compliance with the leakage rate test requirements of the Primary Containment Leakage Rate Testing Program. This SR reflects the leakage rate testing requirements with regard to air lock leakage (Type B leakage tests). The acceptance criteria were established as a small fraction of the total allowable primary containment leakage. The periodic testing requirements verify that the air lock leakage does not exceed the allowed fraction of the overall primary containment leakage rate. The Frequency is required by the Primary Containment Leakage Rate Testing Program.
| |
| The SR has been modified by two Notes. Note 1 states that an inoperable air lock door does not invalidate the previous successful performance of the overall air lock leakage test. This is considered reasonable since either air lock door is capable of providing a fission product barrier in the event of a DBA. Note 2 has been added to this SR, requiring the results to be evaluated against the acceptance criteria of SR 3.6.1.1.1 (the Primary Containment Leakage Rate Testing Program).
| |
| This ensures that air lock leakage is properly accounted for in determining the combined Type B and C primary containment leakage.
| |
| SR 3.6.1.2.2 The air lock interlock mechanism is designed to prevent simultaneous opening of both doors in the air lock. Since both the inner and outer doors of the air lock are designed to withstand the maximum expected post accident primary containment pressure (Ref. 6), closure of either door will support primary containment OPERABILITY. Thus, the interlock feature supports primary containment OPERABILITY while the air lock is being used for personnel transit in and out of the containment. Periodic testing of this interlock demonstrates that the interlock will function as designed and that simultaneous inner and outer door opening will not inadvertently occur. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.6.1.2-6 Revision 93
| |
| | |
| Primary Containment Air Lock B 3.6.1.2 BASES REFERENCES 1. FSAR, Section 3.8.2.1.1.4.
| |
| : 2. FSAR, Section 3.8.2.7.5.
| |
| : 3. FSAR, Section 6.2.6.1.
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| : 5. 10 CFR 50, Appendix J, Option B.
| |
| : 6. FSAR, Section 3.8.2.7.3.
| |
| Columbia Generating Station B 3.6.1.2-7 Revision 73
| |
| | |
| PCIVs B 3.6.1.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.3 Primary Containment Isolation Valves (PCIVs)
| |
| BASES BACKGROUND The function of the PCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) to within limits. Primary containment isolation within the time limits specified for those PCIVs designed to close automatically ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a DBA.
| |
| The OPERABILITY requirements for PCIVs help ensure that an adequate primary containment boundary is maintained during and after an accident by minimizing potential paths to the environment. Therefore, the OPERABILITY requirements provide assurance that the primary containment function assumed in the safety analysis will be maintained.
| |
| These isolation devices consist of either passive devices or active (automatic) devices. Manual valves, de-activated automatic valves secured in their closed position (including check valves with flow through the valve secured), blind flanges, and closed systems are considered passive devices. Check valves, or other automatic valves designed to close without operator action following an accident, are considered active devices. Two barriers in series are provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analysis. One of these barriers may be a closed system.
| |
| The reactor building-to-suppression chamber vacuum breakers serve a dual function, one of which is primary containment isolation. However, since the other safety function of the vacuum breakers would not be available if the normal PCIV actions were taken, the PCIV OPERABILITY requirements are not applicable to the reactor building-to-suppression chamber vacuum breaker valves. Similar Surveillance Requirements in the LCO for reactor building-to-suppression chamber vacuum breakers provide assurance that the isolation capability is available without conflicting with the vacuum relief function.
| |
| The 24 and 30 inch primary containment purge valves are PCIVs that are qualified for use during all operational conditions. The 24 and 30 inch primary containment purge valves are normally maintained closed in MODES 1, 2, and 3 to ensure the primary containment boundary is maintained. However, these purge valves may be open when being used for pressure control, inerting, de-inerting, ALARA, or air quality considerations since they are fully qualified. Two inch bypass lines with isolation valves bypass each primary containment purge valve when the 24 and 30 inch purge valves cannot be open.
| |
| Columbia Generating Station B 3.6.1.3-1 Revision 73
| |
| | |
| PCIVs B 3.6.1.3 BASES APPLICABLE The PCIVs LCO was derived from the assumptions related to minimizing SAFETY the loss of reactor coolant inventory and establishing the primary ANALYSES containment boundary during major accidents. As part of the primary containment boundary, PCIV OPERABILITY supports leak tightness of primary containment. Therefore, the safety analysis of any event requiring isolation of primary containment is applicable to this LCO.
| |
| The DBAs that result in a release of radioactive material for which the consequences are mitigated by PCIVs are a loss of coolant accident (LOCA) and a main steam line break (MSLB) (Ref. 1). In the analysis for each of these accidents, it is assumed that PCIVs are either closed or function to close within the required isolation time following event initiation. This ensures that potential paths to the environment through PCIVs (including primary containment purge valves) are minimized. Of the events analyzed in Reference 1, the LOCA is the most limiting event due to radiological consequences. The closure time of the main steam isolation valves (MSIVs) is a significant variable from a radiological standpoint. The MSIVs are required to close within 3 to 5 seconds since the 3 second closure time is assumed in the MSIV closure (the most severe overpressurization transient) analysis (Ref. 2) and 6 second closure time is assumed in the MSLB analysis (Ref. 6). The safety analyses assume that the purge valves are closed at event initiation.
| |
| Likewise, it is assumed that the primary containment isolates such that release of fission products to the environment is controlled.
| |
| The single failure criterion required to be imposed in the conduct of unit safety analyses was considered in the original design of the primary containment purge valves. Two valves in series on each purge line provide assurance that both the supply and exhaust lines could be isolated even if a single failure occurred.
| |
| PCIVs satisfy Criterion 3 of Reference 3.
| |
| LCO PCIVs form a part of the primary containment boundary. The PCIV safety function is related to minimizing the loss of reactor coolant inventory and establishing the primary containment boundary during a DBA.
| |
| The power operated, automatic isolation valves are required to have isolation times within limits and actuate on an automatic isolation signal.
| |
| While the reactor building-to-suppression chamber vacuum breakers isolate primary containment penetrations, they are excluded from this Specification. Controls on their isolation function are adequately addressed in LCO 3.6.1.6, "Reactor Building-to-Suppression Chamber Vacuum Breakers." The valves covered by this LCO are listed with their associated stroke times in Reference 4.
| |
| Columbia Generating Station B 3.6.1.3-2 Revision 73
| |
| | |
| PCIVs B 3.6.1.3 BASES LCO (continued)
| |
| The normally closed PCIVs are considered OPERABLE when manual valves are closed or open in accordance with appropriate administrative controls, automatic valves are de-activated and secured in their closed position, blind flanges are in place, and closed systems are intact. These passive isolation valves and devices are those listed in Reference 4.
| |
| MSIV and hydrostatically tested valve leakage are exempt from Type C testing limits and must meet specific leakage rate requirements, and secondary containment bypass valves must meet additional leakage rate requirements. Other PCIV leakage rates are addressed by LCO 3.6.1.1, "Primary Containment," as Type B or C testing.
| |
| This LCO provides assurance that the PCIVs will perform their designed safety functions to minimize the loss of reactor coolant inventory and establish the primary containment boundary during accidents.
| |
| APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment.
| |
| ACTIONS The ACTIONS are modified by a Note allowing penetration flow path(s) to be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator at the controls of the valve, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for primary containment isolation is indicated.
| |
| A second Note has been added to provide clarification that, for the purpose of this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable PCIV. Complying with the Required Actions may allow for continued operation, and subsequent inoperable PCIVs are governed by subsequent Condition entry and application of associated Required Actions.
| |
| Columbia Generating Station B 3.6.1.3-3 Revision 111
| |
| | |
| PCIVs B 3.6.1.3 BASES ACTIONS (continued)
| |
| The ACTIONS are modified by Notes 3 and 4. Note 3 ensures appropriate remedial actions are taken, if necessary, if the affected system(s) are rendered inoperable by an inoperable PCIV (e.g., an Emergency Core Cooling System subsystem is inoperable due to a failed open test return valve). Note 4 ensures appropriate remedial actions are taken when the primary containment leakage limits are exceeded.
| |
| Pursuant to LCO 3.0.6, these ACTIONS are not required even when the associated LCO is not met. Therefore, Notes 3 and 4 are added to require the proper actions be taken.
| |
| A.1 and A.2 With one or more penetration flow paths with one PCIV inoperable except for secondary containment bypass leakage rate, MSIV leakage rate, or hydrostatically tested lines leakage rate not within limits, the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, a blind flange, and a check valve with flow through the valve secured. For penetrations isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available one to the primary containment. The Required Action must be completed within the 4 hour Completion Time (8 hours for main steam lines). The specified time period of 4 hours is reasonable considering the time required to isolate the penetration and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. For main steam lines, an 8 hour Completion Time is allowed. The Completion Time of 8 hours for the main steam lines allows a period of time to restore the MSIVs to OPERABLE status given the fact that MSIV closure will result in isolation of the main steam line(s) and a potential for plant shutdown.
| |
| For affected penetrations that have been isolated in accordance with Required Action A.1, the affected penetration flow path must be verified to be isolated on a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident, and no longer capable of being automatically isolated, will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation. Rather, it involves verification that those devices outside primary containment and capable of being mispositioned are in the correct position. The Completion Time for this verification of "once per 31 days for isolation devices outside primary containment, drywell, and steam tunnel," is appropriate because the Columbia Generating Station B 3.6.1.3-4 Revision 73
| |
| | |
| PCIVs B 3.6.1.3 BASES ACTIONS (continued) devices are operated under administrative controls and the probability of their misalignment is low. For devices inside primary containment, the specified time period of "prior to entering MODE 2 or 3 from MODE 4 if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days," is based on engineering judgment and is considered reasonable in view of the inaccessibility of the devices and the existence of other administrative controls ensuring that device misalignment is an unlikely possibility.
| |
| Condition A is modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two PCIVs. For penetration flow paths with one PCIV, Condition C provides appropriate Required Actions.
| |
| Required Action A.2 is modified by two Notes. Note 1 applies to isolation devices located in high radiation areas and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment, once they have been verified to be in the proper position, is low.
| |
| B.1 With one or more penetration flow paths with two PCIVs inoperable except for secondary containment bypass leakage rate, MSIV leakage rate, or hydrostatically tested lines leakage rate not within limits, either the inoperable PCIVs must be restored to OPERABLE status or the affected penetration flow path must be isolated within 1 hour. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1.1.
| |
| Condition B is modified by a Note indicating this Condition is only applicable to penetration flow paths with two PCIVs. For penetration flow paths with one PCIV, Condition C provides the appropriate Required Actions.
| |
| Columbia Generating Station B 3.6.1.3-5 Revision 73
| |
| | |
| PCIVs B 3.6.1.3 BASES ACTIONS (continued)
| |
| C.1 and C.2 When one or more penetration flow paths with one PCIV inoperable except for secondary containment bypass leakage rate, MSIV leakage rate, or hydrostatically tested lines leakage rate not within limits, the inoperable valve must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration. Required Action C.1 must be completed within 4 hours for lines other than excess flow check valve (EFCV) lines and 72 hours for EFCV lines. The 4 hour Completion Time is reasonable considering the relative stability of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. The Completion Time of 72 hours for EFCVs is also reasonable considering the mitigating effects of the small pipe diameter and restricting orifice, and the isolation boundary provided by the instrument.
| |
| In the event the affected penetration is isolated in accordance with Required Action C.1, the affected penetration flow path must be verified to be isolated on a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident are isolated. This Required Action does not require any testing or valve manipulation. Rather, it involves verification that those devices outside containment and capable of potentially being mispositioned are in the correct position. The Completion Time of "once per 31 days for isolation devices outside primary containment" is appropriate because the devices are operated under administrative controls and the probability of their misalignment is low. For the valves inside primary containment, the time period specified "prior to entering MODE 2 or 3 from MODE 4 if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days" is based on engineering judgement and is considered reasonable in view of the inaccessibility of the devices and other administrative controls ensuring that device misalignment is an unlikely possibility.
| |
| Condition C is modified by a Note indicating this Condition is applicable only to those penetration flow paths with only one PCIV. For penetration flow paths with two PCIVs, Conditions A and B provide the appropriate Required Actions. This Note is necessary since this Condition is written specifically to address those penetrations with a single PCIV.
| |
| Columbia Generating Station B 3.6.1.3-6 Revision 73
| |
| | |
| PCIVs B 3.6.1.3 BASES ACTIONS (continued)
| |
| Required Action C.2 is modified by two Notes. Note 1 applies to isolation devices located in high radiation areas and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment, once they have been verified to be in the proper position, is low.
| |
| D.1 With the secondary containment bypass leakage rate (SR 3.6.1.3.10),
| |
| MSIV leakage rate (SR 3.6.1.3.11), or hydrostatically tested lines leakage rate (SR 3.6.1.3.12) not within limit, the assumptions of the safety analysis may not be met. Therefore, the leakage must be restored to within limit within 4 hours (8 hours for main steam lines). Restoration can be accomplished by isolating the penetration that caused the limit to be exceeded by use of one closed and de-activated automatic valve, closed manual valve, or blind flange. When a penetration is isolated, the leakage rate for the isolated penetration is assumed to be the actual pathway leakage through the isolation device. If two isolation devices are used to isolate the penetration, the leakage rate is assumed to be the lesser actual pathway leakage of the two devices. The 4 hour Completion Time for hydrostatically tested line leakage not on a closed system and for secondary containment bypass leakage is reasonable considering the time required to restore the leakage by isolating the penetration and the relative importance of leakage to the overall containment function. For MSIV leakage, an 8 hour Completion Time is allowed. The Completion Time of 8 hours for MSIV leakage allows a period of time to restore the MSIVs to OPERABLE status given the fact that MSIV closure will result in isolation of the main steam line(s) and a potential for plant shutdown.
| |
| The 72 hour Completion Time for hydrostatically tested line leakage on a closed system is acceptable based on the available water seal expected to remain as a gaseous fission product boundary during the accident and an associated closed system.
| |
| Columbia Generating Station B 3.6.1.3-7 Revision 73
| |
| | |
| PCIVs B 3.6.1.3 BASES ACTIONS (continued)
| |
| E.1 and E.2 If any Required Action and associated Completion Time cannot be met in MODE 1, 2, or 3, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.6.1.3.1 REQUIREMENTS This SR verifies that the 24 inch and 30 inch primary containment purge valves are closed as required or, if open, opened for an allowable reason.
| |
| The SR is modified by a Note stating that the SR is not required to be met when the purge valves are open for the stated reasons. The Note states that these valves may be opened for inerting, de-inerting, pressure control, ALARA, or air quality considerations for personnel entry, or for surveillances that require the valves to be open. These primary containment purge valves are capable of closing in the environment following a LOCA. Therefore, these valves are allowed to be open for limited periods of time. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.6.1.3-8 Revision 111
| |
| | |
| PCIVs B 3.6.1.3 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.6.1.3.2 This SR verifies that each primary containment isolation manual valve and blind flange that is located outside primary containment and not locked, sealed, or otherwise secured and is required to be closed during accident conditions, is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the primary containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification that those isolation devices outside primary containment, and not locked, are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR does not apply to valves that are locked, sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing.
| |
| Two Notes are added to this SR. The first Note applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these isolation devices, once they have been verified to be in the proper position, is low.
| |
| A second Note is included to clarify that PCIVs open under administrative controls are not required to meet the SR during the time the PCIVs are open. These controls consist of stationing a dedicated operator at the controls of the valve, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for primary containment isolation is indicated.
| |
| SR 3.6.1.3.3 This SR verifies that each primary containment manual isolation valve and blind flange located inside primary containment and not locked, sealed, or otherwise secured and required to be closed during accident conditions, is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the primary containment boundary is within design limits. For isolation devices inside primary containment, the Frequency of "prior to entering MODE 2 or 3 from MODE 4 if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days," is appropriate since these isolation devices are operated under administrative controls and the probability of their misalignment is low. This SR does not apply to valves that are locked, Columbia Generating Station B 3.6.1.3-9 Revision 93
| |
| | |
| PCIVs B 3.6.1.3 BASES SURVEILLANCE REQUIREMENTS (continued) sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing.
| |
| Two Notes are added to this SR. The first Note allows valves and blind flanges located in high radiation areas to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable since the primary containment is inerted and access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA and personnel safety. Therefore, the probability of misalignment of these isolation devices, once they have been verified to be in their proper position, is low. A second Note is included to clarify that PCIVs that are open under administrative controls are not required to meet the SR during the time that the PCIVs are open. These controls consist of stationing a dedicated operator at the controls of the valve, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for primary containment isolation is indicated.
| |
| SR 3.6.1.3.4 The traversing incore probe (TIP) shear isolation valves are actuated by explosive charges. Surveillance of explosive charge continuity provides assurance that TIP valves will actuate when required. Other administrative controls, such as those that limit the shelf life and operating life, as applicable, of the explosive charges, must be followed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.6.1.3.5 Verifying the isolation time of each power operated, automatic PCIV is within limits is required to demonstrate OPERABILITY. MSIVs may be excluded from this SR since MSIV full closure isolation time is demonstrated by SR 3.6.1.3.6. The isolation time test ensures that each valve will isolate in a time period less than or equal to that assumed in the safety analysis. The Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.
| |
| Columbia Generating Station B 3.6.1.3-10 Revision 101
| |
| | |
| PCIVs B 3.6.1.3 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.6.1.3.6 Verifying that the full closure isolation time of each MSIV is within the specified limits is required to demonstrate OPERABILITY. The full closure isolation time test ensures that the MSIV will isolate in a time period that does not exceed the times assumed in the DBA and transient analyses. The Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.
| |
| SR 3.6.1.3.7 Automatic PCIVs close on a primary containment isolation signal to prevent leakage of radioactive material from primary containment following a DBA. This SR ensures that each automatic PCIV will actuate to its isolation position on a primary containment isolation signal. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.6.1, "Primary Containment Isolation Instrumentation," overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.6.1.3.8 This SR requires a demonstration that a representative sample of reactor instrument lines excess flow check valves (EFCVs) are OPERABLE by verifying that each tested valve actuates to the isolation position on an actual or simulated instrument line break condition. The representative sample consists of an approximately equal number of EFCVs, such that each EFCV is tested at least once during the interval. In addition, the EFCVs in the sample are representative of the various plant configurations, models, sizes and operating environments. This ensures that any potentially common problem with a specific type or application of EFCV is detected at the earliest possible time. This SR provides assurance that the reactor instrumentation lines EFCVs will perform as designed. The excess flow check valves in reactor instrument lines are tested by providing an instrument line break signal with pressure at 85 psig to 1050 psig, and at no more than 212°F, RPV coolant temperature, while the EFCV is being exercised. Testing within this pressure range provides a high degree of assurance that these valves will close during an instrument line break while at normal operating pressure.
| |
| Columbia Generating Station B 3.6.1.3-11 Revision 101
| |
| | |
| PCIVs B 3.6.1.3 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The interval is based on performance testing. Furthermore, any EFCV failures will be evaluated to determine if additional testing in that test interval is warranted to ensure overall reliability is maintained. Operating experience has demonstrated that these components are highly reliable and that failures to isolate are very infrequent. Therefore, testing of a representative sample was concluded to be acceptable from a reliability standpoint (Reference 5). In addition, due to operational concerns, the Surveillance should not be performed during MODES 1, 2, or 3. This restriction has been established to limit the thermal cycles at the containment penetration.
| |
| SR 3.6.1.3.9 The TIP shear isolation valves are actuated by explosive charges. An in place functional test is not possible with this design. The explosive squib is removed and tested to provide assurance that the valves will actuate when required. The replacement charge for the explosive squib shall be from the same manufactured batch as the one fired or from another batch that has been certified by having one of the batch successfully fired.
| |
| Other administrative controls, such as those that limit the shelf life and operating life, as applicable, of the explosive charges, must be followed.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.6.1.3.10 This SR ensures that the leakage rate of secondary containment bypass leakage paths is less than the specified leakage rate. This provides assurance that the assumptions in the radiological evaluations that form the basis of the FSAR (Ref. 1) are met. The leakage rate of each bypass leakage path is assumed to be the maximum pathway leakage (leakage through the worse of the two isolation valves) unless the penetration is isolated by use of one closed and de-activated automatic valve, closed manual valve, or blind flange. In this case, the leakage rate of the isolated bypass leakage path is assumed to be the actual pathway leakage through the isolation device. If both isolation valves in the penetration are closed, the actual leakage rate is the lesser leakage rate of the two valves. The Frequency is required by the Primary Containment Leakage Rate Testing Program. This SR simply imposes additional acceptance criteria.
| |
| Columbia Generating Station B 3.6.1.3-12 Revision 93
| |
| | |
| PCIVs B 3.6.1.3 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.6.1.3.11 The radiological consequences associated with MSIV leakage following the design basis LOCA, is based on the testing leakage limit of 16.0 scfh as specified in this Surveillance. The test pressure, Pt (25 psig) specified in this Surveillance is less than the peak accident pressure, Pa. The specified Pt is less than Pa due to testing configuration constraints. The leakage assumed in the design basis LOCA analysis (Ref. 7) is calculated by converting the specified test leakage limit to the equivalent leakage rate for Pa conditions. This Surveillance ensures that MSIV leakage is properly accounted for in determining the overall primary containment leakage rate. The Frequency is required by the Primary Containment Leakage Rate Testing Program.
| |
| SR 3.6.1.3.12 Surveillance of hydrostatically tested lines provides assurance that the calculation assumptions of Reference 1 are met. The acceptance criteria for the combined leakage of all hydrostatically tested lines is 1.0 gpm times the total number of hydrostatically tested PCIVs when tested at 1.1 Pa (41.8 psig). The combined leakage rates must be tested at the Frequency required by the Primary Containment Leakage Rate Testing Program.
| |
| REFERENCES 1. FSAR, Chapter 6.2.
| |
| : 2. FSAR, Section 15.2.4.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| : 4. Licensee Controlled Specifications Manual.
| |
| : 5. NEDO-32977-A, "Excess Flow Check Valve Testing Relaxation,"
| |
| dated June 2000.
| |
| : 6. FSAR, Section 15.6.4.
| |
| : 7. FSAR, Section 15.6.5.
| |
| : 8. Regulatory Guide 1.183, Appendix A, July 2000.
| |
| Columbia Generating Station B 3.6.1.3-13 Revision 73
| |
| | |
| Drywell Air Temperature B 3.6.1.4 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.4 Drywell Temperature BASES BACKGROUND Heat loads from the drywell, as well as piping and equipment, add energy to the airspace and raise airspace temperature. Coolers included in the unit design remove this energy and maintain an appropriate average temperature. The average airspace temperature affects the calculated response to postulated Design Basis Accidents (DBAs). This drywell air temperature limit is an initial condition input for the Reference 1 safety analyses.
| |
| APPLICABLE Primary containment performance for the DBA is evaluated for an entire SAFETY spectrum of break sizes for postulated loss of coolant accidents (LOCAs)
| |
| ANALYSES inside containment (Ref. 1). Among the inputs to the design basis analysis is the initial drywell average air temperature. Analyses assume an initial average drywell air temperature of 135°F. Maintaining the expected initial conditions ensures that safety analyses remain valid and ensures that the peak LOCA drywell temperature does not exceed the maximum allowable temperature of 340°F (Ref. 1). Exceeding this design temperature may result in the degradation of the primary containment structure under accident loads. Equipment inside primary containment, and needed to mitigate the effects of a DBA, is designed to operate and be capable of operating under environmental conditions expected for the accident.
| |
| Drywell air temperature satisfies Criterion 2 of Reference 2.
| |
| LCO With an initial drywell average air temperature less than or equal to the LCO temperature limit, the peak accident temperature is maintained below the drywell design temperature. As a result, the ability of drywell to perform its design function is ensured.
| |
| APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining drywell average air temperature within the limit is not required in MODE 4 or 5.
| |
| ACTIONS A.1 When drywell average air temperature is not within the limit of the LCO, it must be restored within 8 hours. This Required Action is necessary to return operation to within the bounds of the primary containment analysis.
| |
| The 8 hour Completion Time is acceptable, considering the sensitivity of the analysis to variations in this parameter, and provides sufficient time to correct minor problems.
| |
| Columbia Generating Station B 3.6.1.4-1 Revision 73
| |
| | |
| Drywell Air Temperature B 3.6.1.4 BASES ACTIONS (continued)
| |
| B.1 and B.2 If the drywell average air temperature cannot be restored to within the limit within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.6.1.4.1 REQUIREMENTS Verifying that the drywell average air temperature is within the LCO limit ensures that operation remains within the limits assumed for the primary containment analyses. In order to determine the drywell average air temperature, an arithmetic average is calculated, using inlet air temperature measurements taken from a minimum of three operating drywell cooling units. This provides a representative sample of the overall drywell atmosphere.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 6.2.1.1.3.3.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.6.1.4-2 Revision 93
| |
| | |
| RHR Drywell Spray B 3.6.1.5 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.5 Residual Heat Removal (RHR) Drywell Spray BASES BACKGROUND The primary containment is designed with a suppression pool so that, in the event of a loss of coolant accident (LOCA), steam released from the primary system is channeled through the suppression pool water and condensed without producing significant pressurization of the primary containment. The primary containment is designed so that with the pool initially at the minimum water volume and the worst single failure of the primary containment heat removal systems, suppression pool energy absorption combined with subsequent operator controlled pool cooling will prevent the primary containment pressure from exceeding its design value. However, the primary containment must also withstand a postulated bypass leakage pathway that allows the passage of steam from the drywell directly into the suppression pool airspace, bypassing the suppression pool. The RHR Drywell Spray System is designed to mitigate the effects of bypass leakage.
| |
| The RHR drywell spray is operated post-LOCA to wash inorganic iodines and particulates from the drywell atmosphere into the suppression pool and to reduce primary containment pressure.
| |
| There are two redundant, 100% capacity RHR drywell spray subsystems.
| |
| Each subsystem consists of a suction line from the suppression pool, an RHR pump, an RHR heat exchanger, and one spray sparger inside the drywell. Dispersion of the spray water is accomplished by spray nozzles in each subsystem.
| |
| The RHR drywell spray mode will be manually initiated, if required, following a LOCA, according to emergency procedures.
| |
| APPLICABLE Reference 1 contains the results of analyses that predict the primary SAFETY containment pressure response for a LOCA with the maximum allowable ANALYSES bypass leakage area.
| |
| The equivalent flow path area for bypass leakage has been specified to be 0.05 ft2. The analysis demonstrates that with drywell spray operation the primary containment pressure remains within design limits.
| |
| The RHR drywell spray is credited for two functions in the LOCA analysis (Ref. 3). The RHR drywell spray is credited for scrubbing inorganic iodines and particulates from the primary containment atmosphere. This function reduces the amount of airborne activity available for leakage from primary containment. The RHR drywell spray is also credited for primary containment pressure reduction. This function reduces the leak rate of airborne activity from primary containment.
| |
| Columbia Generating Station B 3.6.1.5-1 Revision 73
| |
| | |
| RHR Drywell Spray B 3.6.1.5 BASES APPLICABLE SAFETY ANALYSIS (continued)
| |
| The RHR drywell spray satisfies Criterion 3 of Reference 2.
| |
| LCO In the event of a Design Basis Accident (DBA), a minimum of one RHR drywell spray subsystem is required to mitigate the effects of potential bypass leakage paths and maintain the primary containment peak pressure below design limits. To ensure that these requirements are met, two RHR drywell spray subsystems must be OPERABLE. Therefore, in the event of an accident, at least one subsystem is OPERABLE assuming the worst case single active failure. An RHR drywell spray subsystem is OPERABLE when the pump and associated piping, valves, instrumentation, and controls are OPERABLE. Management of gas voids is important to RHR Drywell Spray System OPERABILITY.
| |
| APPLICABILITY In MODES 1, 2, and 3, a DBA (line break inside primary containment) could cause pressurization of primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining RHR drywell spray subsystems OPERABLE is not required in MODE 4 or 5.
| |
| ACTIONS A.1 With one RHR drywell spray subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this condition, the remaining OPERABLE RHR drywell spray subsystem is adequate to perform the primary containment bypass leakage mitigation function. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in reduced primary containment bypass leakage mitigation capability. The 7 day Completion Time was chosen in light of the redundant RHR drywell spray capabilities afforded by the OPERABLE subsystem and the low probability of a DBA occurring during this period.
| |
| B.1 With two RHR drywell spray subsystems inoperable, one subsystem must be restored to OPERABLE status within 8 hours. In this condition, there is a substantial loss of the primary containment bypass leakage mitigation function.
| |
| The 8 hour Completion Time is based on this loss of function and is considered acceptable due to the low probability of a DBA and because alternative methods to reduce primary containment pressure are available.
| |
| Columbia Generating Station B 3.6.1.5-2 Revision 105
| |
| | |
| RHR Drywell Spray B 3.6.1.5 BASES ACTIONS (continued)
| |
| C.1 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which overall plant risk is minimized. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 4) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action C.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.6.1.5.1 REQUIREMENTS Verifying the correct alignment for manual and power operated valves in the RHR drywell spray mode flow path provides assurance that the proper flow paths will exist for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable, since the RHR drywell spray mode is manually initiated. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.
| |
| Columbia Generating Station B 3.6.1.5-3 Revision 90
| |
| | |
| RHR Drywell Spray B 3.6.1.5 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| A Note has been added to the SR. The Note exempts system vent flow paths opened under administrative control. The administrative control should be proceduralized and include stationing a dedicated individual at the system vent flow path who is in continuous communication with the operators in the control room. This individual will have a method to rapidly close the system vent flow path if directed.
| |
| SR 3.6.1.5.2 This Surveillance is performed to verify, by performance of an air or smoke flow test, that the spray nozzles are not obstructed and that flow will be provided when required. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.6.1.5.3 RHR Drywell Spray System piping and components have the potential to develop voids and pockets of entrained gases. Preventing and managing gas intrusion and accumulation is necessary for proper operation of the RHR suppression pool spray subsystems and may also prevent water hammer and pump cavitation.
| |
| Selection of RHR Drywell Spray System locations susceptible to gas accumulation is based on a review of system design information, including piping and instrumentation drawings, isometric drawings, plan and elevation drawings, and calculations. The design review is supplemented by system walk downs to validate the system high points and to confirm the location and orientation of important components that can become sources of gas or could otherwise cause gas to be trapped or difficult to remove during system maintenance or restoration.
| |
| Susceptible locations depend on plant and system configuration, such as stand-by versus operating conditions.
| |
| The RHR Drywell Spray System is OPERABLE when it is sufficiently filled with water. Acceptance criteria are established for the volume of accumulated gas at susceptible locations. If accumulated gas is discovered that exceeds the acceptance criteria for the susceptible location (or the volume of accumulated gas at one or more susceptible locations exceeds an acceptance criteria for gas volume at the suction or Columbia Generating Station B 3.6.1.5-4 Revision 105
| |
| | |
| RHR Drywell Spray B 3.6.1.5 BASES SURVEILLANCE REQUIREMENTS (continued) discharge of a pump), the Surveillance is not met. If it is determined by subsequent evaluation that the RHR Drywell Spray System is not rendered inoperable by the accumulated gas (i.e., the system is sufficiently filled with water), the Surveillance may be declared met.
| |
| Accumulated gas should be eliminated or brought within the acceptance criteria limits.
| |
| RHR Drywell Spray System locations susceptible to gas accumulation are monitored and, if gas is found, the gas volume is compared to the acceptance criteria for the location. Susceptible locations in the same system flow path which are subject to the same gas intrusion mechanisms may be verified by monitoring a representative sub-set of susceptible locations. Monitoring may not be practical for locations that are inaccessible due to radiological or environmental conditions, the plant configuration, or personnel safety. For these locations alternative methods (e.g., operating parameters, remote monitoring) may be used to monitor the susceptible location. Monitoring is not required for susceptible locations where the maximum potential accumulated gas void volume has been evaluated and determined to not challenge system OPERABILITY. The accuracy of the method used for monitoring the susceptible locations and trending of the results should be sufficient to assure system OPERABILITY during the Surveillance interval.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Surveillance Frequency may vary by location susceptible to gas accumulation.
| |
| REFERENCES 1. FSAR, Section 6.2.1.1.5.4.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| : 3. FSAR, Section 15.6.5.
| |
| : 4. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| Columbia Generating Station B 3.6.1.5-5 Revision 105
| |
| | |
| Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.6 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.6 Reactor Building-to-Suppression Chamber Vacuum Breakers BASES BACKGROUND The function of the reactor building-to-suppression chamber vacuum breakers is to relieve vacuum when primary containment depressurizes below reactor building pressure. If the drywell depressurizes below reactor building pressure, the negative differential pressure is mitigated by flow through the reactor building-to-suppression chamber vacuum breakers and through the suppression chamber-to-drywell vacuum breakers. The design of the external (reactor building-to-suppression chamber) vacuum relief provisions consists of two vacuum breakers (a mechanical vacuum breaker and an air operated butterfly valve), located in series in each of three 24 inch lines from the reactor building to the suppression chamber airspace. The butterfly valve is actuated by a differential pressure switch. The mechanical vacuum breaker is self actuating similar to a check valve. Both can be remotely operated for testing purposes. The two vacuum breakers in series must be closed to maintain a leak tight primary containment boundary.
| |
| A negative differential pressure across the drywell wall is caused by rapid depressurization of the drywell. Events that cause this rapid depressurization are cooling cycles, inadvertent primary containment spray actuation, and steam condensation in the event of a primary system rupture. Reactor building-to-suppression chamber vacuum breakers prevent an excessive negative differential pressure across the primary containment boundary. Cooling cycles result in minor pressure transients in the drywell, which occur slowly and are normally controlled by heating and ventilation equipment. Inadvertent spray actuation results in a more significant pressure transient and is important in sizing the external (reactor building-to-suppression chamber) vacuum breakers.
| |
| The external vacuum breakers are sized on the basis of the air flow from the secondary containment that is required to mitigate the depressurization transient and limit the maximum negative containment (drywell and suppression chamber) pressure to within design limits. The maximum depressurization rate is a function of the primary containment spray flow rate and temperature and the assumed initial conditions of the primary containment atmosphere. Low spray temperatures and atmospheric conditions that yield the minimum amount of contained noncondensible gases are assumed for conservatism.
| |
| Columbia Generating Station B 3.6.1.6-1 Revision 73
| |
| | |
| Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.6 BASES APPLICABLE Analytical methods and assumptions involving the reactor building-to-SAFETY suppression chamber vacuum breakers are presented in Reference 1 as ANALYSES part of the accident response of the containment systems. Internal (suppression chamber-to-drywell) and external (reactor building-to-suppression chamber) vacuum breakers are provided as part of the primary containment to limit the negative differential pressure across the drywell and suppression chamber walls, which form part of the primary containment boundary.
| |
| The safety analyses assume the external vacuum breakers to be closed initially and to be fully open at 0.5 psid (Ref. 1). Additionally, of the six reactor building-to-suppression chamber vacuum breakers, one is assumed to fail in a closed position to satisfy the single active failure criterion. Design Basis Accident (DBA) analyses assume the vacuum breakers to be closed initially and to remain closed and leak tight with positive primary containment pressure.
| |
| The reactor building-to-suppression chamber vacuum breakers satisfy Criterion 3 of Reference 2.
| |
| LCO All reactor building-to-suppression chamber vacuum breakers are required to be OPERABLE to satisfy the assumptions used in the safety analyses. This requirement ensures both vacuum breakers in each line (mechanical vacuum breaker and air operated butterfly valve) will open to relieve negative pressure in the suppression chamber. This LCO also ensures that the two vacuum breakers in each of the three lines from the reactor building to the suppression chamber airspace are closed (except when performing their intended function).
| |
| APPLICABILITY In MODES 1, 2, and 3, a DBA could result in excessive negative differential pressure across the drywell wall caused by the rapid depressurization of the drywell. The event that results in the limiting rapid depressurization of the drywell is the primary system rupture, which purges the drywell of air and fills the drywell free airspace with steam.
| |
| Subsequent condensation of the steam would result in depressurization of the drywell, which, after the suppression chamber-to-drywell vacuum breakers open (due to differential pressure between the suppression chamber and drywell), would result in depressurization of the suppression chamber. The limiting pressure and temperature of the primary system prior to a DBA occur in MODES 1, 2, and 3. Excessive negative pressure inside primary containment could also occur due to inadvertent initiation of the Drywell Spray System.
| |
| In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining reactor building-to-suppression chamber vacuum breakers OPERABLE is not required in MODE 4 or 5.
| |
| Columbia Generating Station B 3.6.1.6-2 Revision 73
| |
| | |
| Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.6 BASES ACTIONS A Note has been added to provide clarification that, for the purpose of this LCO, separate Condition entry is allowed for each penetration flow path.
| |
| A.1 With one or more lines with one vacuum breaker not closed, the leak tight primary containment boundary may be threatened. Therefore, the inoperable vacuum breakers must be restored to OPERABLE status or the open vacuum breaker closed within 72 hours. The 72 hour Completion Time is consistent with requirements for inoperable suppression chamber-to-drywell vacuum breakers in LCO 3.6.1.7, "Suppression Chamber-to-Drywell Vacuum Breakers." The 72 hour Completion Time takes into account the redundant capability afforded by the remaining breakers, the fact that the OPERABLE breaker in each of the lines is closed, and the low probability of an event occurring that would require the vacuum breakers to be OPERABLE during this period.
| |
| B.1 With one or more lines with two vacuum breakers not closed, primary containment integrity is not maintained. Therefore, one open vacuum breaker must be closed within 1 hour. This Completion Time is consistent with the ACTIONS of LCO 3.6.1.1, "Primary Containment," which requires that primary containment be restored to OPERABLE status within 1 hour.
| |
| C.1 With one line with one or more vacuum breakers inoperable for opening, the leak tight primary containment boundary is intact and the remaining vacuum breakers in the other two lines are capable of providing the vacuum relief function. However, overall system reliability is reduced because a single failure in one of the vacuum breakers in the remaining two lines could threaten the ability to mitigate an event that causes a containment depressurization. Therefore, the inoperable vacuum breaker must be restored to OPERABLE status within 72 hours. This is consistent with the Completion Time for Condition A and the fact that the leak tight primary containment boundary is being maintained.
| |
| Columbia Generating Station B 3.6.1.6-3 Revision 73
| |
| | |
| Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.6 BASES ACTIONS (continued)
| |
| D.1 If one line has one or more reactor building-to-suppression chamber vacuum breakers inoperable for opening and they are not restored within the Completion Time in Condition C, the remaining breakers in the remaining lines can provide the opening function. The plant must be brought to a condition in which overall plant risk is minimized. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 3) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action D.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| E.1 With two or more lines with one or more vacuum breakers inoperable for opening, the primary containment boundary is intact. However, in the event of a containment depressurization, the function of the vacuum breakers is lost. Therefore, all vacuum breakers in two lines must be restored to OPERABLE status within 1 hour. This Completion Time is consistent with the ACTIONS of LCO 3.6.1.1, which requires that primary containment be restored to OPERABLE status within 1 hour.
| |
| Columbia Generating Station B 3.6.1.6-4 Revision 90
| |
| | |
| Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.6 BASES ACTIONS (continued)
| |
| F. 1 and F.2 If the vacuum breakers in one or more lines cannot be closed or restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.6.1.6.1 REQUIREMENTS Each vacuum breaker is verified to be closed to ensure that a potential breach in the primary containment boundary is not present. This Surveillance is performed by observing local or control room indications of vacuum breaker position or by verifying a differential pressure of
| |
| > 0.5 psid is maintained between the reactor building and suppression chamber. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Two Notes are added to this SR. The first Note allows reactor building-to-suppression chamber vacuum breakers opened in conjunction with the performance of a surveillance to not be considered as failing this SR.
| |
| These periods of opening vacuum breakers are controlled by plant procedures and do not represent inoperable vacuum breakers. The second Note is included to clarify that vacuum breakers open due to an actual differential pressure, are not considered as failing this SR.
| |
| SR 3.6.1.6.2 Each vacuum breaker must be cycled to ensure that it opens properly to perform its design function and returns to its fully closed position. This ensures that the safety analysis assumptions are valid. The Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.
| |
| SR 3.6.1.6.3 Demonstration of vacuum breaker opening setpoint is necessary to ensure that the safety analysis assumption regarding vacuum breaker full open differential pressure of < 0.5 psid is valid.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.6.1.6-5 Revision 101
| |
| | |
| Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.6 BASES REFERENCES 1. FSAR, Section 6.2.1.1.4.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| : 3. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| Columbia Generating Station B 3.6.1.6-6 Revision 93
| |
| | |
| Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.7 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.7 Suppression Chamber-to-Drywell Vacuum Breakers BASES BACKGROUND The function of the suppression chamber-to-drywell vacuum breakers is to relieve vacuum in the drywell. There are 9 internal vacuum breakers located on the vent header of the vent system between the drywell and the suppression chamber, which allow air and steam flow from the suppression chamber to the drywell when the drywell is at a negative pressure with respect to the suppression chamber. Therefore, suppression chamber-to-drywell vacuum breakers prevent an excessive negative differential pressure across the wetwell drywell boundary. Each vacuum breaker is a self actuating valve consisting of two discs and seats, similar to a check valve, which can be remotely operated for testing purposes.
| |
| A negative differential pressure across the drywell wall is caused by rapid depressurization of the drywell. Events that cause this rapid depressurization are cooling cycles, inadvertent drywell spray actuation, and steam condensation from sprays or subcooled water reflood of a break in the event of a primary system rupture. Cooling cycles result in minor pressure transients in the drywell that occur slowly and are normally controlled by heating and ventilation equipment. Spray actuation or spill of subcooled water out of a break results in more significant pressure transients and becomes important in sizing the internal vacuum breakers.
| |
| In the event of a primary system rupture, steam condensation within the drywell results in the most severe pressure transient. Following a primary system rupture, air in the drywell is purged into the suppression chamber free airspace, leaving the drywell full of steam. Subsequent condensation of the steam can be caused in two possible ways, namely, Emergency Core Cooling Systems flow from a recirculation line break, or drywell spray actuation following a loss of coolant accident (LOCA). These two cases determine the maximum depressurization rate of the drywell.
| |
| In addition, the waterleg in the Mark II Vent System downcomer is controlled by the drywell-to-suppression chamber differential pressure. If the drywell pressure is less than the suppression chamber pressure, there will be an increase in the vent waterleg. This will result in an increase in the water clearing inertia in the event of a postulated LOCA, resulting in an increase in the peak drywell pressure. This in turn will result in an increase in the pool swell dynamic loads. The internal vacuum breakers limit the height of the waterleg in the vent system during normal operation.
| |
| Columbia Generating Station B 3.6.1.7-1 Revision 73
| |
| | |
| Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.7 BASES APPLICABLE Analytical methods and assumptions involving the suppression chamber-SAFETY to-drywell vacuum breakers are presented in Reference 1 as part of the ANALYSES accident response of the primary containment systems. Internal (suppression chamber-to-drywell) and external (reactor building- to-suppression chamber) vacuum breakers are provided as part of the primary containment to limit the negative differential pressure across the drywell and suppression chamber walls that form part of the primary containment boundary.
| |
| The safety analyses assume that the internal vacuum breakers are closed initially and are fully open at a differential pressure of 0.5 psid (Ref. 1).
| |
| Additionally, 2 of the 9 internal vacuum breakers are assumed to fail in a closed position (Ref. 1). The failure of a third internal vacuum breaker is also acceptable since the resulting pressure differential is bounded by the failure of an external vacuum breaker. The results of the analyses show that the design pressure is not exceeded even under the worst case accident scenario. The vacuum breaker opening differential pressure setpoint and the requirement that 7 of 9 vacuum breakers be OPERABLE (the additional vacuum breaker is required to meet the single failure criterion) are a result of the requirement placed on the vacuum breakers to limit the vent system waterleg height. Design Basis Accident (DBA) analyses assume the vacuum breakers to be closed initially and to remain closed and leak tight until the suppression pool is at a positive pressure relative to the drywell.
| |
| The suppression chamber-to-drywell vacuum breakers satisfy Criterion 3 of Reference 2.
| |
| LCO Only 7 of the 9 vacuum breakers must be OPERABLE for opening. All suppression chamber-to-drywell vacuum breakers, however, are required to be closed (except when the vacuum breakers are performing their intended design function). A vacuum breaker is OPERABLE for opening and closed when both disks in the vacuum breaker are OPERABLE for opening and closed. The vacuum breaker OPERABILITY requirement provides assurance that the drywell-to-suppression chamber negative differential pressure remains below the design value. The requirement that the vacuum breakers be closed ensures that there is no excessive bypass leakage should a LOCA occur.
| |
| APPLICABILITY In MODES 1, 2, and 3, a DBA could result in excessive negative differential pressure across the drywell wall, caused by the rapid depressurization of the drywell. The event that results in the limiting rapid depressurization of the drywell is the primary system rupture that purges the drywell of air and fills the drywell free airspace with steam.
| |
| Subsequent condensation of the steam would result in depressurization Columbia Generating Station B 3.6.1.7-2 Revision 73
| |
| | |
| Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.7 BASES APPLICABILITY (continued) of the drywell. The limiting pressure and temperature of the primary system prior to a DBA occur in MODES 1, 2, and 3. Excessive negative pressure inside the drywell could also occur due to inadvertent actuation of the Drywell Spray System.
| |
| In MODES 4 and 5, the probability and consequences of these events are reduced by the pressure and temperature limitations in these MODES; therefore, maintaining suppression chamber-to-drywell vacuum breakers OPERABLE is not required in MODE 4 or 5.
| |
| ACTIONS A.1 With one of the required vacuum breakers inoperable for opening (e.g., a vacuum breaker disk is not open and may be stuck closed or not within its opening setpoint limit, so that it would not function as designed during an event that depressurized the drywell), the remaining six OPERABLE vacuum breakers are capable of providing the vacuum relief function.
| |
| However, overall system reliability is reduced because a single failure in one of the remaining vacuum breakers could result in an excessive suppression chamber-to-drywell differential pressure during a DBA.
| |
| Therefore, with one of the seven required vacuum breakers inoperable, 72 hours is allowed to restore at least one of the inoperable vacuum breakers to OPERABLE status so that plant conditions are consistent with those assumed for the design basis analysis. The 72 hour Completion Time is considered acceptable due to the low probability of an event in which the remaining vacuum breaker capability would not be adequate.
| |
| B.1 If a required suppression chamber-to-drywell vacuum breaker is inoperable for opening and is not restored to OPERABLE status within the required Completion Time, the plant must be brought to a condition in which overall plant risk is minimized. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 3) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action B.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| Columbia Generating Station B 3.6.1.7-3 Revision 90
| |
| | |
| Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.7 BASES ACTIONS (continued)
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| C.1 With one or more vacuum breakers with one disk not closed, communication between the drywell and suppression chamber airspace could occur, and, as a result, there is the potential for primary containment overpressurization due to this bypass leakage if a LOCA were to occur. Therefore, the open vacuum breaker disk must be closed.
| |
| 72 hours is allowed to close the vacuum breaker due to the redundant capability afforded by the other vacuum breaker disk, (the fact that the other disk is closed), and the low probability of an event that would pressurize primary containment. If vacuum breaker position indication is not reliable, an alternate method of verifying that the vacuum breakers are closed is to verify that a differential pressure of 0.5 psid between the suppression chamber and drywell is maintained for 1 hour without makeup. As Noted, separate Condition entry is allowed for each vacuum breaker.
| |
| D.1 With one or more vacuum breakers with two disks not closed, this allows communication between the drywell and suppression chamber, and, as a result, there is the potential for primary containment overpressurization due to this bypass leakage if a LOCA were to occur. Therefore, one open vacuum breaker disk must be closed. A short time is allowed to close one of the vacuum breaker disks due to the low probability of an event that would pressurize primary containment. If vacuum breaker position indication is not reliable, an alternate method of verifying that the vacuum breaker disks are closed is to verify that a differential pressure of 0.5 psid between the suppression chamber and drywell is maintained for 1 hour without makeup. The required 2 hour Completion Time is considered adequate to perform this test.
| |
| Columbia Generating Station B 3.6.1.7-4 Revision 90
| |
| | |
| Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.7 BASES ACTIONS (continued)
| |
| E.1 and E.2 If the open suppression chamber-to-drywell vacuum breaker cannot be closed within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.6.1.7.1 REQUIREMENTS Each vacuum breaker is verified closed (except when the vacuum breaker is performing its intended design function) to ensure that this potential large bypass leakage path is not present. This Surveillance is performed by observing the vacuum breaker position indication or by verifying that a differential pressure of 0.5 psid between the suppression chamber and drywell is maintained for 1 hour without makeup. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| A Note is added to this SR which allows suppression chamber-to-drywell vacuum breakers opened in conjunction with the performance of a surveillance to not be considered as failing this SR. These periods of opening vacuum breakers are controlled by plant procedures and do not represent inoperable vacuum breakers.
| |
| SR 3.6.1.7.2 Each required vacuum breaker must be cycled to ensure that it opens adequately to perform its design function and returns to the fully closed position. This ensures that the safety analysis assumptions are valid.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. In addition, this functional test is required within 12 hours after a discharge of steam to the suppression chamber from the safety/relief valves.
| |
| Columbia Generating Station B 3.6.1.7-5 Revision 93
| |
| | |
| Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.7 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.6.1.7.3 Verification of the vacuum breaker opening setpoint is necessary to ensure that the safety analysis assumption regarding vacuum breaker full open differential pressure of 0.5 psid is valid. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 6.2.1.1.4.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| : 3. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| Columbia Generating Station B 3.6.1.7-6 Revision 93
| |
| | |
| Suppression Pool Average Temperature B 3.6.2.1 B 3.6 CONTAINMENT SYSTEMS B 3.6.2.1 Suppression Pool Average Temperature BASES BACKGROUND The primary containment utilizes a Mark II over/under pressure suppression configuration with the suppression pool located at the bottom of the primary containment. The suppression pool is designed to absorb the decay heat and sensible heat released during a reactor blowdown from safety/relief valve discharges or from a loss of coolant accident (LOCA). The suppression pool must also condense steam from the Reactor Core Isolation Cooling System turbine exhaust and provides the main emergency water supply source for the reactor vessel. The suppression pool must quench all the steam released through the downcomer lines during a loss of coolant accident (LOCA). This is the essential mitigative feature of a pressure suppression containment that ensures that the peak containment pressure is maintained below the maximum allowable pressure for DBAs (45 psig). Suppression pool average temperature (along with LCO 3.6.2.2, "Suppression Pool Water Level") is a key indication of the capacity of the suppression pool to fulfill these requirements.
| |
| The technical concerns that lead to the development of suppression pool average temperature limits are as follows:
| |
| : a. Complete steam condensation;
| |
| : b. Primary containment peak pressure and temperature;
| |
| : c. Condensation oscillation (CO) loads; and
| |
| : d. Chugging loads.
| |
| APPLICABLE The postulated DBA against which the primary containment performance SAFETY is evaluated is the entire spectrum of postulated pipe breaks within the ANALYSES primary containment. Inputs to the safety analyses include initial suppression pool water volume and suppression pool temperature (Reference 1 for LOCAs and Reference 2 for the suppression pool temperature analyses required by Reference 3). An initial pool temperature of 90°F is assumed for the Reference 1 and 2 analyses.
| |
| Reactor shutdown at a pool temperature of 110°F and vessel depressurization at a pool temperature of 120°F are assumed for the Reference 2 analyses. The limit of 105°F, at which testing is terminated, is not used in the safety analyses because DBAs are assumed to not initiate during plant testing.
| |
| Suppression pool average temperature satisfies Criteria 2 and 3 of Reference 4.
| |
| Columbia Generating Station B 3.6.2.1-1 Revision 73
| |
| | |
| Suppression Pool Average Temperature B 3.6.2.1 BASES LCO A limitation on the suppression pool average temperature is required to assure that the primary containment conditions assumed for the safety analyses are met. This limitation subsequently ensures that peak primary containment pressures and temperatures do not exceed maximum allowable values during a postulated DBA or any transient resulting in heatup of the suppression pool. The LCO requirements are as follows:
| |
| : a. Average temperature 90°F when THERMAL POWER is > 1% RTP and no testing that adds heat to the suppression pool is being performed. This requirement ensures that licensing bases initial conditions are met.
| |
| : b. Average temperature 105°F when THERMAL POWER is
| |
| > 1% RTP and testing that adds heat to the suppression pool is being performed. This requirement ensures that the plant has testing flexibility, and was selected to provide margin below the 110°F limit at which reactor shutdown is required. When testing ends, temperature must be restored to 90°F within 24 hours according to Required Action A.2. Therefore, the time period that the temperature is > 90°F is short enough not to cause a significant increase in plant risk.
| |
| : c. Average temperature 110°F when THERMAL POWER is 1% RTP. This requirement ensures that the plant will be shut down at > 110°F. The pool is designed to absorb decay heat and sensible heat but could be heated beyond design limits by the steam generated if the reactor is not shut down.
| |
| Note that 25/40 divisions of full scale on IRM Range 7 is a convenient measure of when the reactor is producing power essentially equivalent to 1% RTP. At this power level, heat input is approximately equal to normal system heat losses.
| |
| APPLICABILITY In MODES 1, 2, and 3, a DBA could cause significant heatup of the suppression pool. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining suppression pool average temperature within limits is not required in MODE 4 or 5.
| |
| ACTIONS A.1 and A.2 With the suppression pool average temperature above the specified limit when not performing testing that adds heat to the suppression pool and when above the specified power indication, the initial conditions exceed the conditions assumed for the Reference 1 and 2 analyses. However, primary containment cooling capability still exists, and the primary Columbia Generating Station B 3.6.2.1-2 Revision 73
| |
| | |
| Suppression Pool Average Temperature B 3.6.2.1 BASES ACTIONS (continued) containment pressure suppression function will occur at temperatures well above that assumed for safety analyses. Therefore, continued operation is allowed for a limited time. The 24 hour Completion Time is adequate to allow the suppression pool temperature to be restored to below the limit. Additionally, when pool temperature is > 90°F, increased monitoring of the pool temperature is required to ensure it remains 110°F. The once per hour Completion Time is adequate based on past experience, which has shown that suppression pool temperature increases relatively slowly except when testing that adds heat to the pool is being performed. Furthermore, the once per hour Completion Time is considered adequate in view of other indications in the control room, including alarms, to alert the operator to an abnormal suppression pool average temperature condition.
| |
| B.1 If the suppression pool average temperature cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, THERMAL POWER must be reduced to 1% RTP within 12 hours. The 12 hour Completion Time is reasonable, based on operating experience, to reduce reactor power from full power in an orderly manner and without challenging plant systems.
| |
| C.1 Suppression pool average temperature is allowed to be > 90°F with THERMAL POWER > 1% RTP when testing that adds heat to the suppression pool is being performed. However, if temperature is > 105°F, the testing must be immediately suspended to preserve the pool heat absorption capability. With the testing suspended, Condition A is entered and the Required Actions and associated Completion Times are applicable.
| |
| D.1 and D.2 Suppression pool average temperature > 110°F requires that the reactor be shut down immediately. This is accomplished by placing the reactor mode switch in the shutdown position. Further cooldown to MODE 4 within 36 hours is required at normal cooldown rates (provided pool temperature remains 120°F). Additionally, when pool temperature is Columbia Generating Station B 3.6.2.1-3 Revision 73
| |
| | |
| Suppression Pool Average Temperature B 3.6.2.1 BASES ACTIONS (continued)
| |
| > 110°F, increased monitoring of pool temperature is required to ensure that it remains 120°F. The once per 30 minute Completion Time is adequate, based on operating experience. Given the high pool temperature in this condition, the monitoring Frequency is increased to twice that of Condition A. Furthermore, the 30 minute Completion Time is considered adequate in view of other indications available in the control room, including alarms, to alert the operator to an abnormal suppression pool average temperature condition.
| |
| E.1 and E.2 If suppression pool average temperature cannot be maintained 120°F, the plant must be brought to a MODE in which the LCO does not apply.
| |
| To achieve this status, the reactor pressure must be reduced to
| |
| < 200 psig within 12 hours and the plant must be brought to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.
| |
| Continued addition of heat to the suppression pool with pool temperature
| |
| > 120°F could result in exceeding the design basis maximum allowable values for primary containment temperature or pressure. Furthermore, if a blowdown were to occur when temperature was > 120°F, the maximum allowable bulk and local temperatures could be exceeded very quickly.
| |
| SURVEILLANCE SR 3.6.2.1.1 REQUIREMENTS The suppression pool average temperature is regularly monitored to ensure that the required limits are satisfied. Average temperature is determined by taking an arithmetic average of eight functional suppression pool water temperature channels, two per sector (there is no divisional requirement for this SR). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. When heat is being added to the suppression pool by testing, however, it is necessary to monitor suppression pool temperature more frequently. The 5 minute Frequency during testing is justified by the rates at which testing will heat up the suppression pool, has been shown to be acceptable based on operating experience, and provides assurance that allowable pool temperatures are not exceeded. The Frequency is further justified in view of other indications available in the control room, including alarms, to alert the operator to an abnormal suppression pool average temperature condition.
| |
| Columbia Generating Station B 3.6.2.1-4 Revision 93
| |
| | |
| Suppression Pool Average Temperature B 3.6.2.1 BASES REFERENCES 1. FSAR, Section 6.2.1.1.3.3.
| |
| : 2. FSAR, Section 3A.3.1.2.3.
| |
| : 3. NUREG-0783.
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.6.2.1-5 Revision 73
| |
| | |
| Suppression Pool Water Level B 3.6.2.2 B 3.6 CONTAINMENT SYSTEMS B 3.6.2.2 Suppression Pool Water Level BASES BACKGROUND The primary containment utilizes a Mark II over/under pressure suppression configuration, with the suppression pool located at the bottom of the primary containment. The suppression pool is designed to absorb the decay heat and sensible heat released during a reactor blowdown from safety/relief valve (SRV) discharges or from a loss of coolant accident (LOCA). The suppression pool must also condense steam from the Reactor Core Isolation Cooling (RCIC) System turbine exhaust and provides the main emergency water supply source for the reactor vessel. The suppression pool volume ranges between approximately 112,000 ft3 at the low water level limit of 30 ft 9.75 inches and approximately 114,000 ft3 at the high water level limit of 31 ft 1.75 inches.
| |
| If the suppression pool water level is too low, an insufficient amount of water would be available to adequately condense the steam from the SRV quenchers, main vents, or RCIC turbine exhaust lines. Low suppression pool water level could also result in an inadequate emergency makeup water source to the Emergency Core Cooling System. The lower volume would also absorb less steam energy before heating up excessively. Therefore, a minimum suppression pool water level is specified.
| |
| If the suppression pool water level is too high, it could result in excessive clearing loads from SRV discharges and excessive pool swell loads resulting from a Design Basis Accident (DBA) LOCA. Therefore, a maximum pool water level is specified. This LCO specifies an acceptable range to prevent the suppression pool water level from being either too high or too low.
| |
| APPLICABLE Initial suppression pool water level affects suppression pool temperature SAFETY response calculations, calculated drywell pressure during vent clearing for ANALYSES a DBA, calculated pool swell loads for a DBA LOCA, and calculated loads due to SRV discharges. Suppression pool water level must be maintained within the limits specified so that the safety analysis of Reference 1 remains valid.
| |
| Suppression pool water level satisfies Criteria 2 and 3 of Reference 2.
| |
| Columbia Generating Station B 3.6.2.2-1 Revision 73
| |
| | |
| Suppression Pool Water Level B 3.6.2.2 BASES LCO A limit that suppression pool water level be 30 ft 9.75 inches and 31 ft 1.75 inches is required to ensure that the primary containment conditions assumed for the safety analysis are met. Either the high or low water level limits were used in the safety analysis, depending upon which is conservative for a particular calculation.
| |
| APPLICABILITY In MODES 1, 2, and 3, a DBA could cause significant loads on the primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced because of the pressure and temperature limitations in these MODES. The requirements for maintaining suppression pool water level within limits in MODE 4 or 5 are addressed in LCO 3.5.2, "RPV Water Inventory Control."
| |
| ACTIONS A.1 With suppression pool water level outside the limits, the conditions assumed for the safety analysis are not met. If water level is below the minimum level, the pressure suppression function still exists as long as main vents are covered, RCIC turbine exhausts are covered, and SRV quenchers are covered. If suppression pool water level is above the maximum level, protection against overpressurization still exists due to the margin in the peak containment pressure analysis and the capability of the Drywell Spray System. Therefore, continued operation for a limited time is allowed. The 2 hour Completion Time is sufficient to restore suppression pool water level to within specified limits. Also, it takes into account the low probability of an event impacting the suppression pool water level occurring during this interval.
| |
| B.1 and B.2 If suppression pool water level cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| Columbia Generating Station B 3.6.2.2-2 Revision 111
| |
| | |
| Suppression Pool Water Level B 3.6.2.2 BASES SURVEILLANCE SR 3.6.2.2.1 REQUIREMENTS Verification of the suppression pool water level is to ensure that the required limits are satisfied. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 6.2.
| |
| : 2. 10 CFR 50.36(c)(2)(ii Columbia Generating Station B 3.6.2.2-3 Revision 93
| |
| | |
| RHR Suppression Pool Cooling B 3.6.2.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling BASES BACKGROUND Following a Design Basis Accident (DBA), the RHR Suppression Pool Cooling System removes heat from the suppression pool. The suppression pool is designed to absorb the sudden input of heat from the primary system. In the long term, the pool continues to absorb residual heat generated by fuel in the reactor core. Some means must be provided to remove heat from the suppression pool so that the temperature inside the primary containment remains within design limits.
| |
| This function is provided by two redundant RHR suppression pool cooling subsystems. The purpose of this LCO is to ensure that both subsystems are OPERABLE in applicable MODES.
| |
| Each RHR subsystem contains a pump and a heat exchanger and is manually initiated and independently controlled. The two RHR subsystems perform the suppression pool cooling function by circulating water from the suppression pool through the RHR heat exchangers and returning it to the suppression pool. Standby service water, circulating through the tube side of the heat exchangers, exchanges heat with the suppression pool water and discharges this heat to the ultimate heat sink.
| |
| The heat removal capability of one RHR subsystem is sufficient to meet the overall DBA pool cooling requirement to limit peak temperature to 220°F for loss of coolant accidents (LOCAs) and transient events such as a turbine trip or a stuck open safety/relief valve (SRV). SRV leakage and Reactor Core Isolation Cooling System testing increase suppression pool temperature more slowly. The RHR Suppression Pool Cooling System is also used to lower the suppression pool water bulk temperature following such events.
| |
| APPLICABLE Reference 1 contains the results of analyses used to predict primary SAFETY containment pressure and temperature following large and small break ANALYSES LOCAs. The intent of the analyses is to demonstrate that the heat removal capacity of the RHR Suppression Pool Cooling System is adequate to maintain the primary containment conditions within design limits. The suppression pool temperature is calculated to remain below the design limit (Ref. 2).
| |
| The RHR Suppression Pool Cooling System satisfies Criterion 3 of Reference 3.
| |
| Columbia Generating Station B 3.6.2.3-1 Revision 73
| |
| | |
| RHR Suppression Pool Cooling B 3.6.2.3 BASES LCO During a DBA, a minimum of one RHR suppression pool cooling subsystem is required to maintain the primary containment peak pressure and temperature below the design limits (Ref. 2). To ensure that these requirements are met, two RHR suppression pool cooling subsystems must be OPERABLE. Therefore, in the event of an accident, at least one subsystem is OPERABLE, assuming the worst case single active failure.
| |
| An RHR suppression pool cooling subsystem is OPERABLE when the pump, a heat exchanger, and associated piping, valves, instrumentation, and controls are OPERABLE. Management of gas voids is important to RHR Suppression Pool Cooling System OPERABILITY.
| |
| APPLICABILITY In MODES 1, 2, and 3, a DBA could cause both a release of radioactive material to primary containment and a heatup and pressurization of primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, the RHR Suppression Pool Cooling System is not required to be OPERABLE in MODE 4 or 5.
| |
| ACTIONS A.1 With one RHR suppression pool cooling subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this condition, the remaining RHR suppression pool cooling subsystem is adequate to perform the primary containment cooling function. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in reduced primary containment cooling capability. The 7 day Completion Time is acceptable in light of the redundant RHR suppression pool cooling capabilities afforded by the OPERABLE subsystem and the low probability of a DBA occurring during this period.
| |
| B.1 If one RHR suppression pool cooling subsystem is inoperable and is not restored to OPERABLE status within the required Completion Time, the plant must be brought to a condition in which overall plant risk is minimized. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 5) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Columbia Generating Station B 3.6.2.3-2 Revision 105
| |
| | |
| RHR Suppression Pool Cooling B 3.6.2.3 BASES ACTIONS (continued)
| |
| Required Action B.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| C.1 and C.2 If two RHR suppression pool cooling subsystems are inoperable, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.6.2.3.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves, in the RHR suppression pool cooling mode flow path provides assurance that the proper flow path exists for system operation.
| |
| This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to being locked, sealed, or secured. A valve is also allowed to be in the nonaccident position, provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable, since the RHR suppression pool cooling mode is manually initiated. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.
| |
| Columbia Generating Station B 3.6.2.3-3 Revision 90
| |
| | |
| RHR Suppression Pool Cooling B 3.6.2.3 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.6.2.3.2 Verifying each RHR pump develops a flow rate 7100 gpm, while operating in the suppression pool cooling mode with flow through the associated heat exchanger, ensures that the primary containment peak pressure and temperature can be maintained below the design limits during a DBA (Ref. 2). The normal test of centrifugal pump performance required by the ASME OM Code (Ref. 4) is covered by the requirements of LCO 3.5.1, "ECCS - Operating." Such inservice tests confirm component OPERABILITY, and detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the Inservice Testing Program.
| |
| SR 3.6.2.3.3 RHR Suppression Pool Cooling System piping and components have the potential to develop voids and pockets of entrained gases. Preventing and managing gas intrusion and accumulation is necessary for proper operation of the RHR suppression pool cooling subsystems and may also prevent water hammer and pump cavitation.
| |
| Selection of RHR Suppression Pool Cooling System locations susceptible to gas accumulation is based on a review of system design information, including piping and instrumentation drawings, isometric drawings, plan and elevation drawings, and calculations. The design review is supplemented by system walk downs to validate the system high points and to confirm the location and orientation of important components that can become sources of gas or could otherwise cause gas to be trapped or difficult to remove during system maintenance or restoration.
| |
| Susceptible locations depend on plant and system configuration, such as stand-by versus operating conditions.
| |
| The RHR Suppression Pool Cooling System is OPERABLE when it is sufficiently filled with water. Acceptance criteria are established for the volume of accumulated gas at susceptible locations. If accumulated gas is discovered that exceeds the acceptance criteria for the susceptible location (or the volume of accumulated gas at one or more susceptible Columbia Generating Station B 3.6.2.3-4 Revision 105
| |
| | |
| RHR Suppression Pool Cooling B 3.6.2.3 BASES SURVEILLANCE REQUIREMENTS (continued) locations exceeds an acceptance criteria for gas volume at the suction or discharge of a pump), the Surveillance is not met. If it is determined by subsequent evaluation that the RHR Suppression Pool Cooling System is not rendered inoperable by the accumulated gas (i.e., the system is sufficiently filled with water), the Surveillance may be declared met.
| |
| Accumulated gas should be eliminated or brought within the acceptance criteria limits.
| |
| RHR Suppression Pool Cooling System locations susceptible to gas accumulation are monitored and, if gas is found, the gas volume is compared to the acceptance criteria for the location. Susceptible locations in the same system flow path which are subject to the same gas intrusion mechanisms may be verified by monitoring a representative sub-set of susceptible locations. Monitoring may not be practical for locations that are inaccessible due to radiological or environmental conditions, the plant configuration, or personnel safety. For these locations alternative methods (e.g., operating parameters, remote monitoring) may be used to monitor the susceptible location. Monitoring is not required for susceptible locations where the maximum potential accumulated gas void volume has been evaluated and determined to not challenge system OPERABILITY. The accuracy of the method used for monitoring the susceptible locations and trending of the results should be sufficient to assure system OPERABILITY during the Surveillance interval.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Surveillance Frequency may vary by location susceptible to gas accumulation.
| |
| REFERENCES 1. FSAR, Section 6.2.1.1.3.3.
| |
| : 2. FSAR, Section 6.2.2.3.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| : 4. ASME Code for Operation and Maintenance of Nuclear Power Plants.
| |
| : 5. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| Columbia Generating Station B 3.6.2.3-5 Revision 105
| |
| | |
| Primary Containment Atmosphere Mixing System B 3.6.3.2 B 3.6 CONTAINMENT SYSTEMS B 3.6.3.2 Primary Containment Atmosphere Mixing System BASES BACKGROUND The Primary Containment Atmosphere Mixing System ensures a uniformly mixed post accident primary containment atmosphere, thereby minimizing the potential for local hydrogen burns due to a pocket of hydrogen above the flammable concentration.
| |
| The Primary Containment Atmosphere Mixing System is designed to withstand a loss of coolant accident (LOCA) in post accident environments without loss of function. The system has two independent subsystems consisting of head area return fans, motors, controls, and ducting. Each subsystem is sized to circulate 5000 scfm. The Primary Containment Atmosphere Mixing System employs forced circulation to ensure the proper mixing of hydrogen and oxygen in primary containment. The two subsystems are automatically initiated upon reactor scram signal. However, for the purposes of this LCO, the subsystems are only required to be initiated manually since flammability limits would not be reached until several days after a LOCA. Each subsystem is powered from a separate emergency power supply. Since each subsystem can provide 100% of the mixing requirements, the system will provide its design function with a worst case single active failure.
| |
| APPLICABLE The Primary Containment Atmosphere Mixing System provides the SAFETY capability for reducing the local hydrogen and oxygen concentrations to ANALYSES approximately the bulk average concentrations following a Design Basis Accident (DBA). The limiting DBA relative to hydrogen and oxygen generation is a LOCA.
| |
| Oxygen may accumulate in the primary containment following a LOCA as a result of radiolytic decomposition of water in the Reactor Coolant System.
| |
| Hydrogen may accumulate in primary containment following a LOCA as a result of:
| |
| : a. A metal steam reaction between the zirconium fuel rod cladding and the reactor coolant;
| |
| : b. Radiolytic decomposition of water in the Reactor Coolant System; or Columbia Generating Station B 3.6.3.2-1 Revision 73
| |
| | |
| Primary Containment Atmosphere Mixing System B 3.6.3.2 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| : c. A reaction between the reactor coolant and the zinc rich paints used in the primary containment. However, since Columbia Generating Station is an oxygen control plant, this form of hydrogen generation is not assumed (minimizing hydrogen production is conservative in calculating peak oxygen concentration).
| |
| To evaluate the potential for hydrogen and oxygen accumulation in primary containment following a LOCA, the hydrogen and oxygen generation as a function of time following the initiation of the accident is calculated. Conservative assumptions recommended by Reference 1 are used to maximize the amount of oxygen calculated.
| |
| The calculation confirms that one head area return fan started in accordance with plant procedures will ensure adequate mixing of hydrogen and oxygen within the primary containment atmosphere (Refs. 2 and 3).
| |
| The Primary Containment Atmosphere Mixing System satisfies Criterion 3 of Reference 4.
| |
| LCO Two head area return fans must be OPERABLE to ensure operation of at least one fan in the event of a worst case single active failure. Operation with at least one fan provides the capability of controlling the bulk hydrogen and oxygen concentrations in primary containment without exceeding the flammability limits.
| |
| APPLICABILITY In MODES 1 and 2, the two head area return fans ensure the capability to prevent localized hydrogen and oxygen concentrations above the flammability limits of 4.0 v/o and 5.0 v/o, respectively, in the primary containment, assuming a worst case single active failure.
| |
| In MODE 3, both the hydrogen and oxygen production rates and the total hydrogen and oxygen produced after a LOCA would be less than that calculated for the DBA LOCA. Also, because of the limited time in this MODE, the probability of an accident requiring the Containment Atmosphere Mixing System is low. Therefore, the Primary Containment Atmosphere Mixing System is not required in MODE 3. In MODES 4 and 5, the probability and consequences of a LOCA are reduced due to the pressure and temperature limitations in these MODES. Therefore, the Primary Containment Atmosphere Mixing System is not required in these MODES.
| |
| Columbia Generating Station B 3.6.3.2-2 Revision 73
| |
| | |
| Primary Containment Atmosphere Mixing System B 3.6.3.2 BASES ACTIONS A.1 With one head area return fan inoperable, the inoperable fan must be restored to OPERABLE status within 30 days. In this condition, the remaining OPERABLE fan is adequate to perform the hydrogen and oxygen mixing function. However, the overall reliability is reduced because a single failure in the OPERABLE fan could result in reduced hydrogen and oxygen mixing capability. The 30 day Completion Time is based on the availability of the second fan, the low probability of the occurrence of a LOCA that would generate hydrogen and oxygen in amounts capable of exceeding the flammability limits, the amount of time available after the event for operator action to prevent exceeding these limits, and the availability of the Residual Heat Removal (RHR) Drywell Spray System.
| |
| B.1 and B.2 With two head area return fans inoperable, the ability to perform the hydrogen and oxygen control function via alternate capabilities must be verified by administrative means within 1 hour. The alternate hydrogen and oxygen control capability is provided by one RHR Drywell Spray subsystem. The 1 hour Completion Time allows a reasonable period of time to verify that a loss of hydrogen and oxygen control function does not exist. The verification may be performed as an administrative check by examining logs or other information to determine the availability of the alternate hydrogen and oxygen control system. It does not mean to perform the Surveillances needed to demonstrate OPERABILITY of the alternate hydrogen and oxygen control system. If the ability to perform the hydrogen and oxygen control function is maintained, continued operation is permitted with two head area return fans inoperable for up to 7 days. Seven days is a reasonable time to allow two head area return fans to be inoperable because the hydrogen and oxygen control function is maintained and because of the low probability of the occurrence of a LOCA that would generate hydrogen and oxygen in amounts capable of exceeding the flammability limits.
| |
| C.1 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply.
| |
| To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.
| |
| Columbia Generating Station B 3.6.3.2-3 Revision 73
| |
| | |
| Primary Containment Atmosphere Mixing System B 3.6.3.2 BASES SURVEILLANCE SR 3.6.3.2.1 REQUIREMENTS Operating each head area return fan for 15 minutes ensures that each subsystem is OPERABLE and that all associated controls are functioning properly. It also ensures that blockage or fan or motor failure can be detected for corrective action. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. Regulatory Guide 1.7, Revision 1, September 1976.
| |
| : 2. FSAR, Section 6.2.5.2.1.
| |
| : 3. Columbia Generating Station Technical Memo TM-2065, "Requirements for Containment Mixing Fans," Revision 0, July 15, 1994.
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.6.3.2-4 Revision 93
| |
| | |
| Primary Containment Oxygen Concentration B 3.6.3.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.3.3 Primary Containment Oxygen Concentration BASES BACKGROUND The primary containment is designed to withstand events that generate hydrogen either due to the zirconium metal water reaction in the core or due to radiolysis. The primary method to control hydrogen is to inert the primary containment. With the primary containment inert, that is, oxygen concentration < 3.5 volume percent (v/o), a combustible mixture cannot be present in the primary containment for any hydrogen concentration.
| |
| An event that rapidly generates hydrogen from zirconium metal water reaction will result in excessive hydrogen in primary containment, but oxygen concentration will remain < 5.0 v/o and no combustion can occur.
| |
| This LCO ensures that oxygen concentration does not exceed 3.5 v/o during operation in the applicable conditions.
| |
| APPLICABLE The Reference 1 calculations assume that the primary containment is SAFETY inerted when a Design Basis Accident loss of coolant accident occurs.
| |
| ANALYSES Thus, the hydrogen assumed to be released to the primary containment as a result of metal water reaction in the reactor core will not produce combustible gas mixtures in the primary containment.
| |
| Primary containment oxygen concentration satisfies Criterion 2 of Reference 2.
| |
| LCO The primary containment oxygen concentration is maintained < 3.5 v/o to ensure that an event that produces any amount of hydrogen and oxygen does not result in a combustible mixture inside primary containment.
| |
| APPLICABILITY The primary containment oxygen concentration must be within the specified limit when primary containment is inerted, except as allowed by the relaxations during startup and shutdown addressed below. The primary containment must be inert in MODE 1, since this is the condition with the highest probability of an event that could produce hydrogen and oxygen.
| |
| Inerting the primary containment is an operational problem because it prevents containment access without an appropriate breathing apparatus.
| |
| Therefore, the primary containment is inerted as late as possible in the plant startup and de-inerted as soon as possible in the plant shutdown.
| |
| As long as reactor power is < 15% RTP, the potential for an event that generates significant hydrogen and oxygen is low and the primary containment need not be inert. Furthermore, the probability of an event that generates hydrogen occurring within the first 24 hours of a startup, or Columbia Generating Station B 3.6.3.3-1 Revision 73
| |
| | |
| Primary Containment Oxygen Concentration B 3.6.3.3 BASES APPLICABILITY (continued) within the last 24 hours before a shutdown, is low enough that these "windows," when the primary containment is not inerted, are also justified.
| |
| The 24 hour time period is a reasonable amount of time to allow plant personnel to perform inerting or de-inerting.
| |
| ACTIONS A.1 If oxygen concentration is 3.5 v/o at any time while operating in MODE 1, with the exception of the relaxations allowed during startup and shutdown, oxygen concentration must be restored to < 3.5 v/o within 24 hours. The 24 hour Completion Time is allowed when oxygen concentration is 3.5 v/o because of the low probability and long duration of an event that would generate significant amounts of hydrogen and oxygen occurring during this period.
| |
| B.1 If oxygen concentration cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, power must be reduced to 15% RTP within 8 hours. The 8 hour Completion Time is reasonable, based on operating experience, to reduce reactor power from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.6.3.3.1 REQUIREMENTS The primary containment must be determined to be inerted by verifying that oxygen concentration is < 3.5 v/o. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 6.2.5.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.6.3.3-2 Revision 93
| |
| | |
| Secondary Containment B 3.6.4.1 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.1 Secondary Containment BASES BACKGROUND The function of the secondary containment is to contain, dilute, and hold up fission products that may leak from primary containment following a Design Basis Accident (DBA). In conjunction with operation of the Standby Gas Treatment (SGT) System and closure of certain valves whose lines penetrate the secondary containment, the secondary containment is designed to reduce the activity level of the fission products prior to release to the environment and to isolate and contain fission products.
| |
| The secondary containment is a structure that completely encloses the primary containment and those components that may be postulated to contain primary system fluid. This structure forms a control volume that serves to hold up and dilute the fission products. It is possible for the pressure in the control volume to rise relative to the environmental pressure (e.g., due to pump/motor heat load additions). To prevent ground level exfiltration while allowing the secondary containment to be designed as a conventional structure, the secondary containment requires support systems to maintain the control volume pressure at less than the external pressure. Requirements for these systems are specified separately in LCO 3.6.4.2, "Secondary Containment Isolation Valves (SCIVs)," and LCO 3.6.4.3, "Standby Gas Treatment (SGT)
| |
| System."
| |
| APPLICABLE The accident for which credit is taken for secondary containment SAFETY OPERABILITY is a loss of coolant accident (LOCA) (Ref. 1). The ANALYSES secondary containment performs no active function in response to this limiting event; however, its leak tightness is required to ensure that the release of radioactive materials from the primary containment is restricted to those leakage paths and associated leakage rates assumed in the accident analysis, and that fission products entrapped within the secondary containment structure will be treated by the SGT System prior to discharge to the environment. Credit for the filtration of the secondary containment effluents by the SGT system is not taken in the design basis LOCA analysis until the secondary containment pressure has been drawn down by the SGT system to a vacuum condition of at least 0.25 inches of water gauge on all surfaces. The design basis drawdown time for Columbia is 20 minutes (Ref. 1).
| |
| Secondary containment satisfies Criterion 3 of Reference 2.
| |
| Columbia Generating Station B 3.6.4.1-1 Revision 73
| |
| | |
| Secondary Containment B 3.6.4.1 BASES LCO An OPERABLE secondary containment provides a control volume into which fission products that bypass or leak from primary containment, or are released from the reactor coolant pressure boundary components located in secondary containment, can be diluted and processed prior to release to the environment. For the secondary containment to be considered OPERABLE, it must have adequate leak tightness to ensure that the required vacuum can be established and maintained.
| |
| APPLICABILITY In MODES 1, 2, and 3, a LOCA could lead to a fission product release to primary containment that leaks to secondary containment. Therefore, secondary containment OPERABILITY is required during the same operating conditions that require primary containment OPERABILITY.
| |
| In MODES 4 and 5, the probability and consequences of the LOCA are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining secondary containment OPERABLE is not required in MODE 4 or 5 to ensure a control volume.
| |
| ACTIONS A.1 If secondary containment is inoperable, it must be restored to OPERABLE status within 4 hours. The 4 hour Completion Time provides a period of time to correct the problem that is commensurate with the importance of maintaining secondary containment during MODES 1, 2, and 3. This time period ensures that the probability of an accident (requiring secondary containment OPERABILITY) occurring during periods where secondary containment is inoperable is minimal.
| |
| B.1 If the secondary containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which overall plant risk is minimized. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 3) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action B.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of Columbia Generating Station B 3.6.4.1-2 Revision 111
| |
| | |
| Secondary Containment B 3.6.4.1 BASES ACTIONS (continued)
| |
| LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.6.4.1.1 REQUIREMENTS This SR verifies the secondary containment boundary is being maintained in a sufficiently leak tight condition to preclude exfiltration under normal operating conditions. This is accomplished by verifying the indicated secondary containment pressure is greater than or equal to 0.25 inches of vacuum water gauge. The value of greater than or equal to 0.25 inches of water gauge is an indication of pressure at one location in the secondary containment and not a value maintained at every surface within the secondary containment. The containment drawn down to 0.25 inches of vacuum water gauge, as determined by a single representative location, is sufficient to demonstrate adequate performance. Minor amounts of exfiltration under these conditions are expected to have a minimal impact on the radiological consequences and does not present a safety concern. The instrument used to perform this surveillance measures pressure at reactor building elevation 572' in an Columbia Generating Station B 3.6.4.1-3 Revision 111
| |
| | |
| Secondary Containment B 3.6.4.1 BASES SURVEILLANCE REQUIREMENTS (continued) area that has open communication with the rest of the secondary containment volume. The use of 0.25 inches of vacuum water gauge includes margin to account for uncertainties.
| |
| The SR is modified by a Note which states the SR is not required to be met for up to 4 hours if an analysis demonstrates that one SGT subsystem remains capable of establishing the required secondary containment vacuum. Use of the Note is expected to be infrequent but may be necessitated by situations in which secondary containment vacuum may be less than the required containment vacuum, such as, but not limited to, wind gusts or failure or change of operating normal ventilation subsystems. These conditions do not indicate any change in the leak tightness of the secondary containment boundary. The analysis should consider the actual conditions (equipment configuration, temperature, atmospheric pressure, wind conditions, measured secondary containment vacuum, etc.) to determine whether, if an accident requiring secondary containment to be OPERABLE were to occur, one train of SGT could establish the assumed secondary containment vacuum within the time assumed in the accident analysis. If so, the SR may be considered met for a period up to 4 hours. The 4 hour limit is based on the expected short duration of the situations when the Note would be applied.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.6.4.1.2 Verifying that secondary containment equipment hatches are closed at all times when secondary containment is required ensures that the infiltration of outside air of such a magnitude as to prevent maintaining the desired negative pressure does not occur and provides adequate assurance that exfiltration from the secondary containment will not occur. SR 3.6.4.1.2 also requires equipment hatches to be sealed. In this application, the term "sealed" has no connotation of leak tightness. The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| SR 3.6.4.1.3 Verifying that each inner access door or each outer access door in each access opening is closed provides adequate assurance that exfiltration from the secondary containment will not occur. An access opening contains at least one inner and one outer door. The intent is to not breach the secondary containment, which is achieved by maintaining the Columbia Generating Station B 3.6.4.1-4 Revision 109
| |
| | |
| Secondary Containment B 3.6.4.1 BASES SURVEILLANCE REQUIREMENTS (continued) inner or outer portion of the barrier closed except when the access opening is being used for entry and exit.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.6.4.1.4 and SR 3.6.4.1.5 The SGT System exhausts the secondary containment atmosphere to the environment through appropriate treatment equipment. To ensure that all fission products are treated, SR 3.6.4.1.4 verifies that the SGT System will rapidly establish and maintain a pressure in the secondary containment that is less than the pressure external to the secondary containment boundary. This is accomplished by verifying the secondary containment can be drawn down to an indicated pressure of greater than or equal to 0.25 inches of vacuum water gauge in less than or equal to 120 seconds, following the start of a single SGT fan.
| |
| SR 3.6.4.1.5 demonstrates that each SGT subsystem can maintain an indicated secondary containment pressure of 0.25 inches of vacuum water gauge for 1 hour at an indicated flow rate 2240 cfm. The 1 hour test period allows secondary containment to be in thermal equilibrium at steady state conditions.
| |
| The value of greater than or equal to 0.25 inches of vacuum water gauge in these Surveillances is an indication of pressure at one location in the secondary containment and not a value maintained at every surface within the secondary containment. The instrument used to perform these Surveillances measures pressure at reactor building elevation 572' in an area that has open communication with the rest of the secondary containment volume. The use of 0.25 inches of vacuum water gauge includes margin to account for uncertainties.
| |
| Therefore, these two tests are used to assess secondary containment boundary integrity. The inoperability of the SGT System does not necessarily constitute a failure of these Surveillance(s) relative to the secondary containment boundary. The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Sections 15.6.5.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| : 3. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| Columbia Generating Station B 3.6.4.1-5 Revision 109
| |
| | |
| SCIVs B 3.6.4.2 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.2 Secondary Containment Isolation Valves (SCIVs)
| |
| BASES BACKGROUND The function of the SCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) (Ref. 1). Secondary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that fission products that leak from primary containment following a DBA are maintained within the secondary containment boundary.
| |
| The OPERABILITY requirements for SCIVs help ensure that an adequate secondary containment boundary is maintained during and after an accident by minimizing potential paths to the environment. These isolation devices are either passive or active (automatic). Manual valves, de-activated automatic valves secured in their closed position (including check valves with flow through the valve secured), and blind flanges are considered passive devices. Isolation barrier(s) for the penetration are discussed in Reference 2.
| |
| Automatic SCIVs close on a secondary containment isolation signal to establish a boundary for untreated radioactive material within secondary containment following a DBA or other accidents.
| |
| Other penetrations are isolated by the use of valves in the closed position or blind flanges.
| |
| APPLICABLE The SCIVs must be OPERABLE to ensure the secondary containment SAFETY barrier to fission product releases is established. The accident for which ANALYSES the secondary containment boundary is required is a loss of coolant accident (Ref. 1). The secondary containment performs no active function in response to this limiting event, the boundary established by SCIVs is required to ensure that leakage from the primary containment is processed by the Standby Gas Treatment (SGT) System before being released to the environment.
| |
| Maintaining SCIVs OPERABLE with isolation times within limits ensures that fission products will remain trapped inside secondary containment so that they can be treated by the SGT System prior to discharge to the environment.
| |
| SCIVs satisfy Criterion 3 of Reference 3.
| |
| Columbia Generating Station B 3.6.4.2-1 Revision 73
| |
| | |
| SCIVs B 3.6.4.2 BASES LCO SCIVs form a part of the secondary containment boundary. The SCIV safety function is related to control of offsite radiation releases resulting from DBAs.
| |
| The power operated, automatic isolation valves are considered OPERABLE when their isolation times are within limits and the valves actuate on an automatic isolation signal. The valves covered by this LCO, along with their associated stroke times, are listed in Reference 4.
| |
| The normally closed isolation valves or blind flanges are considered OPERABLE when manual valves are closed or open in accordance with appropriate administrative controls, automatic SCIVs are de-activated and secured in their closed position, and blind flanges are in place. These passive isolation valves or devices are listed in Reference 4.
| |
| APPLICABILITY In MODES 1, 2, and 3, a DBA could lead to a fission product release to the primary containment that leaks to the secondary containment.
| |
| Therefore, OPERABILITY of SCIVs is required.
| |
| In MODES 4 and 5, the probability and consequences of these events are reduced due to pressure and temperature limitations in these MODES.
| |
| Therefore, maintaining SCIVs OPERABLE is not required in MODE 4 or 5.
| |
| ACTIONS The ACTIONS are modified by three Notes. The first Note allows penetration flow paths to be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when the need for secondary containment isolation is indicated.
| |
| The second Note provides clarification that, for the purpose of this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable SCIV. Complying with the Required Actions may allow for continued operation, and subsequent inoperable SCIVs are governed by subsequent Condition entry and application of associated Required Actions.
| |
| The third Note ensures appropriate remedial actions are taken, if necessary, if the affected system(s) are rendered inoperable by an inoperable SCIV.
| |
| Columbia Generating Station B 3.6.4.2-2 Revision 111
| |
| | |
| SCIVs B 3.6.4.2 BASES ACTIONS (continued)
| |
| A.1 and A.2 In the event that there are one or more penetration flow paths with one SCIV inoperable, the affected penetration flow path(s) must be isolated.
| |
| The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure.
| |
| Isolation barriers that meet this criteria are a closed and de-activated automatic SCIV, a closed manual valve, and a blind flange. For penetrations isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available device to secondary containment. This Required Action must be completed within the 8 hour Completion Time. The specified time period is reasonable considering the time required to isolate the penetration and the low probability of a DBA, which requires the SCIVs to close, occurring during this short time.
| |
| For affected penetrations that have been isolated in accordance with Required Action A.1, the affected penetration must be verified to be isolated on a periodic basis. This is necessary to ensure that secondary containment penetrations required to be isolated following an accident, but no longer capable of being automatically isolated, will be in the isolation position should an event occur. The Completion Time of once per 31 days is appropriate because the isolation devices are operated under administrative controls and the probability of their misalignment is low. This Required Action does not require any testing or device manipulation. Rather, it involves verification that the affected penetration remains isolated.
| |
| Required Action A.2 is modified by two Notes. Note 1 applies to devices located in high radiation areas and allows them to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted.
| |
| Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by the use of administrative means. Allowing verification by administrative means is considered acceptable, since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment, once they have been verified to be in the proper position, is low.
| |
| Columbia Generating Station B 3.6.4.2-3 Revision 73
| |
| | |
| SCIVs B 3.6.4.2 BASES ACTIONS (continued)
| |
| B.1 With two SCIVs in one or more penetration flow paths inoperable, the affected penetration flow path must be isolated within 4 hours. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. The 4 hour Completion Time is reasonable, considering the time required to isolate the penetration and the low probability of a DBA, which requires the SCIVs to close, occurring during this short time.
| |
| The Condition has been modified by a Note stating that Condition B is only applicable to penetration flow paths with two isolation valves. This clarifies that only Condition A is entered if one SCIV is inoperable in each of two penetrations.
| |
| C.1 and C.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply.
| |
| To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| Columbia Generating Station B 3.6.4.2-4 Revision 111
| |
| | |
| SCIVs B 3.6.4.2 BASES SURVEILLANCE SR 3.6.4.2.1 REQUIREMENTS This SR verifies each secondary containment isolation manual valve and blind flange that is not locked, sealed, or otherwise secured, and is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the secondary containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification that those SCIVs in secondary containment that are capable of being mispositioned are in the correct position.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR does not apply to valves that are locked, sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing.
| |
| Two Notes have been added to this SR. The first Note applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these isolation devices, once they have been verified to be in the proper position, is low.
| |
| A second Note has been included to clarify that SCIVs that are open under administrative controls are not required to meet the SR during the time the SCIVs are open. These controls consist of stationing a dedicated operator at the controls of the valve, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated.
| |
| SR 3.6.4.2.2 Verifying the isolation time of each power operated, automatic SCIV listed in Licensee Controlled Specification Table 1.6.4.2-1 is within limits is required to demonstrate OPERABILITY. The isolation time test ensures that the SCIV will isolate in a time period less than or equal to that assumed in the safety analyses. The Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.
| |
| Columbia Generating Station B 3.6.4.2-5 Revision 101
| |
| | |
| SCIVs B 3.6.4.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.6.4.2.3 Verifying that each automatic SCIV closes on a secondary containment isolation signal is required to prevent leakage of radioactive material from secondary containment following a DBA or other accidents. This SR ensures that each automatic SCIV will actuate to the isolation position on a secondary containment isolation signal. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.6.2, "Secondary Containment Isolation Instrumentation," overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 15.6.5.
| |
| : 2. FSAR, Section 6.2.3.2.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| : 4. Licensee Controlled Specifications Manual.
| |
| Columbia Generating Station B 3.6.4.2-6 Revision 93
| |
| | |
| SGT System B 3.6.4.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.3 Standby Gas Treatment (SGT) System BASES BACKGROUND The SGT System is required by 10 CFR 50, Appendix A, GDC 41, "Containment Atmosphere Cleanup" (Ref. 1). The function of the SGT System is to ensure that radioactive materials that leak from the primary containment into the secondary containment following a Design Basis Accident (DBA) are filtered and adsorbed prior to exhausting to the environment.
| |
| The SGT System consists of two fully redundant subsystems, each with its own set of ductwork, dampers, charcoal filter train, and controls.
| |
| Each charcoal filter train consists of (components listed in order of the direction of the air flow):
| |
| : a. A moisture separator;
| |
| : b. Two electric heater banks (one primary and one backup);
| |
| : c. A prefilter bank;
| |
| : d. A high efficiency particulate air (HEPA) filter bank;
| |
| : e. Two charcoal adsorber banks;
| |
| : f. A second HEPA filter bank; and
| |
| : g. Two centrifugal fans (one primary and one backup) each with inlet flow control vanes.
| |
| The sizing of the SGT System equipment and components is based on the results of an infiltration analysis, as well as an exfiltration analysis.
| |
| The internal pressure of the secondary containment boundary region is maintained at a negative pressure of 0.25 inch water gauge when the SGT system is in operation, which represents the internal pressure required to ensure zero exfiltration of air from the building under adverse weather conditions.
| |
| The moisture separator is provided to remove entrained water in the air, while the electric heaters reduce the relative humidity of the airstream to less than 70% (Ref. 2). The prefilter removes large particulate matter, while the HEPA filter is provided to remove fine particulate matter and Columbia Generating Station B 3.6.4.3-1 Revision 73
| |
| | |
| SGT System B 3.6.4.3 BASES BACKGROUND (continued) protect the charcoal from fouling. The charcoal adsorber removes gaseous elemental iodine and organic iodides, and the final HEPA filter is provided to collect any carbon fines exhausted from the charcoal adsorber.
| |
| The SGT System automatically starts and operates in response to actuation signals indicative of conditions or an accident that could require operation of the system. Following initiation, one fan per subsystem starts. SGT System flows are controlled automatically by modulating inlet vanes installed on the SGT fans.
| |
| APPLICABLE The design basis for the SGT System is to mitigate the consequences of SAFETY a loss of coolant accident (Ref. 3). The SGT System is automatically ANALYSES initiated to reduce, via filtration and adsorption, the radioactive material released to the environment.
| |
| The SGT System satisfies Criterion 3 of Reference 4.
| |
| LCO Following a DBA, a minimum of one SGT subsystem is required to maintain the secondary containment at a negative pressure with respect to the environment and to process gaseous releases. Meeting the LCO requirements for two OPERABLE subsystems ensures operation of at least one SGT subsystem in the event of a single active failure. In addition, only the primary electric heater bank and centrifugal fan are required for OPERABILITY of each SGT subsystem.
| |
| If a primary heater bank or centrifugal fan is inoperable, the LCO requirements can be met with the backup equipment. Reliance on the backup equipment in both SGT subsystems, rather than the primary equipment, ensures operation of at least one SGT subsystem in the event of the single active failure. OPERABILITY is based on the primary heater and fan in both SGT subsystems or the backup heater and fan in both SGT subsystems. Two SGT subsystems are not OPERABLE if one subsystem depends on primary equipment while the other depends on backup equipment. For OPERABILITY, power supplies from different divisional busses must support the electrical equipment in the two SGT subsystems.
| |
| Columbia Generating Station B 3.6.4.3-2 Revision 73
| |
| | |
| SGT System B 3.6.4.3 BASES APPLICABILITY In MODES 1, 2, and 3, a DBA could lead to a fission product release to primary containment that leaks to secondary containment. Therefore, SGT System OPERABILITY is required during these MODES.
| |
| In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining the SGT System OPERABLE is not required in MODE 4 or 5.
| |
| ACTIONS A.1 With one SGT subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this condition, the remaining OPERABLE SGT subsystem is adequate to perform the required radioactivity release control function. However, the overall system reliability is reduced because a single failure in the OPERABLE subsystem could result in the radioactivity release control function not being adequately performed. The 7 day Completion Time is based on consideration of such factors as the availability of the OPERABLE redundant SGT subsystem and the low probability of a DBA occurring during this period.
| |
| B.1 If the SGT subsystem cannot be restored to OPERABLE status within the required Completion Time in MODE 1, 2, or 3, the plant must be brought to a MODE in which overall plant risk is minimized. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 6) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action B.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and Columbia Generating Station B 3.6.4.3-3 Revision 111
| |
| | |
| SGT System B 3.6.4.3 BASES ACTIONS (continued) establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| C.1 If both SGT subsystems are inoperable in MODE 1, 2, or 3, the SGT System may not be capable of supporting the required radioactive release control function. Therefore, the plant must be brought to a MODE in which the overall plant risk is minimized. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 6) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action C.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| Columbia Generating Station B 3.6.4.3-4 Revision 111
| |
| | |
| SGT System B 3.6.4.3 BASES ACTIONS (continued)
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.6.4.3.1 REQUIREMENTS Operating (from the control room) each SGT subsystem for 15 continuous minutes with heaters operating ensures that both subsystems are OPERABLE and that all associated controls are functioning properly.
| |
| It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.6.4.3.2 This SR verifies that the required SGT filter testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The SGT System filter tests are in accordance with Regulatory Guide 1.52 (Ref. 5).
| |
| The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations).
| |
| Specified test frequencies and additional information are discussed in detail in the VFTP.
| |
| Columbia Generating Station B 3.6.4.3-5 Revision 111
| |
| | |
| SGT System B 3.6.4.3 BASES SURVEILANCE REQUIREMENTS (continued)
| |
| SR 3.6.4.3.3 This SR requires verification that each SGT subsystem starts upon receipt of an actual or simulated initiation signal. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.6.2, "Secondary Containment Isolation Instrumentation," overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.6.4.3.4 This SR requires verification that the primary SGT filter cooling recirculation valve can be opened and the primary fan started. This ensures that the ventilation mode of SGT System operation is available.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 41.
| |
| : 2. FSAR, Section 6.5.1.2.
| |
| : 3. FSAR, Section 15.6.5.
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| : 5. Regulatory Guide 1.52, Rev. 2.
| |
| : 6. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| Columbia Generating Station B 3.6.4.3-6 Revision 93
| |
| | |
| SW System and UHS B 3.7.1 B 3.7 PLANT SYSTEMS B 3.7.1 Standby Service Water (SW) System and Ultimate Heat Sink (UHS)
| |
| BASES BACKGROUND The SW System is designed to remove heat from plant systems that are required for a safe reactor shutdown following a design basis accident (DBA) or transient. The SW System provides cooling water for the removal of heat from unit auxiliaries, such as Residual Heat Removal (RHR) System heat exchangers, standby diesel generators (DGs), and heat exchangers/room coolers for Emergency Core Cooling System equipment and critical electrical equipment. The SW System also provides cooling to unit components (e.g., Reactor Core Isolation Cooling (RCIC) System), as required, during normal shutdown and reactor isolation modes.
| |
| The SW System consists of two independent cooling water headers (subsystems A and B), and their associated pumps, piping, valves, and instrumentation. The two SW pumps, or one SW pump and the high pressure core spray service water pump (LCO 3.7.2, "High Pressure Core Spray (HPCS) Service Water (SW) System"), are sized to provide sufficient cooling capacity to support the required safety related systems during safe shutdown of the unit following a loss of coolant accident (LOCA). Subsystems A and B are redundant and service equipment in SW Divisions 1 and 2, respectively.
| |
| The UHS consists of two concrete spray ponds with redundant pumping and spray facilities. A siphon between the ponds allows for water flow from one pond to the other. The combined volume of the two ponds is sized such that sufficient water inventory is available for all SW System post LOCA cooling requirements for a 30 day period with no external makeup water source available (Regulatory Guide 1.27, Ref. 1). Normal makeup for each spray pond is provided by the tower makeup water pumps.
| |
| Cooling water is pumped from the spray ponds by the two SW pumps to the essential components through the two main redundant supply headers (subsystems A and B). After removing heat from the components, the water is discharged to the spray ponds via the spray rings, where the heat is rejected through evaporation.
| |
| Subsystems A and B supply cooling water to redundant equipment required for a safe reactor shutdown. Additional information on the design and operation of the SW System and UHS along with the specific Columbia Generating Station B 3.7.1-1 Revision 75
| |
| | |
| SW System and UHS B 3.7.1 BASES BACKGROUND (continued) equipment for which the SW System supplies cooling water is provided in the FSAR, Sections 9.2.5 and 9.2.7 and the FSAR, Table 9.2-5 (Refs. 2 and 3, respectively). The SW System is designed to withstand a single active failure, coincident with a loss of offsite power, without losing the capability to supply adequate cooling water to equipment required for safe reactor shutdown.
| |
| Following a DBA or transient, the SW System will operate automatically upon receipt of an ECCS, DG, or RCIC start signal without operator action.
| |
| APPLICABLE The volume of the water source incorporated in a UHS complex is sized SAFETY so that sufficient water inventory is available for all SW System post ANALYSES LOCA cooling requirements for a 30 day period with no additional makeup water source available (Ref. 1). The ability of the SW System to support long term cooling of the reactor or containment is assumed in evaluations of the equipment required for safe reactor shutdown presented in the FSAR, Sections 9.2.5, 9.2.7, 6.2.2.3 and Chapter 15 (Refs. 2, 4, and 5, respectively). These analyses include the evaluation of the long term primary containment response after a design basis LOCA. The SW System provides cooling water for the RHR suppression pool cooling mode to limit suppression pool temperature and primary containment pressure following a LOCA. This ensures that the primary containment can perform its intended function of limiting the release of radioactive materials to the environment following a LOCA. The SW System also provides cooling to other components assumed to function during a LOCA (e.g., RHR and Low Pressure Core Spray systems). Also, the ability to provide onsite emergency AC power is dependent on the ability of the SW System to cool the DGs.
| |
| The safety analyses for long term containment cooling were performed, as discussed in the FSAR, Section 6.2.2.3 (Ref. 4), for a LOCA, concurrent with a loss of offsite power, and minimum available DG power.
| |
| The worst case single failure affecting the performance of the SW System is the failure of one of the two standby DGs, which would in turn affect one SW subsystem. The SW flow assumed in the analyses is 7400 gpm per pump to the heat exchanger (FSAR, Table 6.2-2, Ref. 6).
| |
| Reference 2 discusses SW System performance during these conditions.
| |
| The SW System, together with the UHS, satisfy Criterion 3 of Reference 7.
| |
| Columbia Generating Station B 3.7.1-2 Revision 73
| |
| | |
| SW System and UHS B 3.7.1 BASES LCO The OPERABILITY of subsystem A (Division 1) and subsystem B (Division 2) of the SW System is required to ensure the effective operation of the RHR System in removing heat from the reactor, and the effective operation of other safety related equipment during a DBA or transient. Requiring both subsystems to be OPERABLE ensures that either subsystem A or B will be available to provide adequate capability to meet cooling requirements of the equipment required for safe shutdown in the event of a single failure.
| |
| A subsystem is considered OPERABLE when:
| |
| : a. The associated pump is OPERABLE; and
| |
| : b. The associated piping (including the suction piping and spray ring in the associated UHS spray pond), valves, instrumentation, and controls required to perform the safety related function are OPERABLE.
| |
| OPERABILITY of the UHS is based on a maximum water temperature of 77°F and a minimum average water level of the ponds at or above elevation 432 feet 9 inches mean sea level and an average sediment depth of < 0.5 ft, consistent with the analysis of Ref. 2, and an OPERABLE siphon line between the two spray ponds.
| |
| The isolation of the SW System to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the SW System if those component's or system's applicable LCO Conditions and Required Actions are entered. For example, if SW cooling to the LPCS pump motor was isolated, entry into LCO 3.5.1 or 3.5.2 Conditions and Required Actions, as applicable, would be sufficient and SW OPERABILITY would not be affected.
| |
| OPERABILITY of the High Pressure Core Spray (HPCS) Service Water (SW) System is addressed by LCO 3.7.2.
| |
| Columbia Generating Station B 3.7.1-3 Revision 86
| |
| | |
| SW System and UHS B 3.7.1 BASES APPLICABILITY In MODES 1, 2, and 3, the SW System and UHS are required to be OPERABLE to support OPERABILITY of equipment serviced by the SW System and UHS that is required to be OPERABLE in these MODES.
| |
| Although the LCO for the SW System and UHS are not applicable in Modes 4 and 5, the capability of the SW System and the UHS to perform their necessary related support functions may be required for OPERABILITY of supported systems.
| |
| ACTIONS A.1 With average sediment depth in either or both spray ponds 0.5 and
| |
| < 1.0 ft, water inventory is reduced such that the combined cooling capability of both spray ponds may be less than required for 30 days of operation after a LOCA. Therefore, action must be taken to restore average sediment depth to < 0.5 ft. The Completion Time of 30 days is based on engineering judgment and plant operating experience and takes into consideration the low probability of a design basis accident occurring in this time period.
| |
| B.1 If one SW subsystem is inoperable, it must be restored to OPERABLE status within 72 hours. With the unit in this condition, the remaining OPERABLE SW subsystem is adequate to perform the heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE SW subsystem could result in loss of SW function. The 72 hour Completion Time was developed taking into account the redundant capabilities afforded by the OPERABLE subsystem and the low probability of a DBA occurring during this period.
| |
| The Required Action is modified by two Notes indicating that the applicable Conditions of LCO 3.8.1, "AC Sources - Operating," and LCO 3.4.9, "Residual Heat Removal (RHR) Shutdown Cooling System -
| |
| Hot Shutdown," be entered and the Required Actions taken if the inoperable SW subsystem results in an inoperable DG or RHR shutdown cooling subsystem, respectively. This is in accordance with LCO 3.0.6 and ensures the proper actions are taken for these components.
| |
| Columbia Generating Station B 3.7.1-4 Revision 88
| |
| | |
| SW System and UHS B 3.7.1 BASES ACTIONS (continued)
| |
| C.1 If one SW subsystem is inoperable and not restored within the provided Completion Time of Condition B, the plant must be brought to a condition in which overall plant risk is minimized. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 8) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action C.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| D.1 and D.2 If Condition A is not met, or both SW subsystems are inoperable or the UHS is determined inoperable for reasons other than Condition A, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status the unit must be placed in at least MODE 3 within 12 hours and MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.7.1.1 REQUIREMENTS Verification of the UHS spray pond level ensures adequate long term (30 days) cooling can be maintained. The water level is determined by Columbia Generating Station B 3.7.1-5 Revision 90
| |
| | |
| SW System and UHS B 3.7.1 BASES SURVEILLANCE REQUIREMENTS (continued) taking the average of both ponds. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.7.1.2 Verification of the UHS spray pond temperature ensures that the heat removal capability of the SW System is within the assumptions of the DBA analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.7.1.3 Verifying the correct alignment for each manual, power operated, and automatic valve in each SW subsystem flow path provides assurance that the proper flow paths will exist for SW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position and yet considered in the correct position, provided it can be automatically realigned to its accident position within the required time.
| |
| This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.
| |
| This SR is modified by a Note indicating that isolation of the associated SW subsystem to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the SW subsystem. As such, when all SW pumps, valves, and piping are OPERABLE, but a branch connection off the main header is isolated, the SW subsystem is still OPERABLE.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.7.1-6 Revision 93
| |
| | |
| SW System and UHS B 3.7.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.7.1.4 Verification of the average sedimentation depth in each UHS spray pond ensures that adequate long term (30 days) cooling can be maintained.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.7.1.5 This SR verifies that the automatic isolation valves of the SW System will automatically switch to the safety or emergency position to provide cooling water exclusively to the safety related equipment during an accident event. This is demonstrated by use of an actual or simulated initiation signal. This SR also verifies the automatic start capability of the SW pump in each subsystem.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. Regulatory Guide 1.27, Revision 1, March 1974.
| |
| : 2. FSAR, Sections 9.2.5 and 9.2.7.
| |
| : 3. FSAR, Table 9.2-5.
| |
| : 4. FSAR, Section 6.2.2.3.
| |
| : 5. FSAR, Chapter 15.
| |
| : 6. FSAR, Table 6.2-2.
| |
| : 7. 10 CFR 50.36(c)(2)(ii).
| |
| : 8. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| Columbia Generating Station B 3.7.1-7 Revision 93
| |
| | |
| HPCS SW System B 3.7.2 B 3.7 PLANT SYSTEMS B 3.7.2 High Pressure Core Spray (HPCS) Service Water (SW) System BASES BACKGROUND The HPCS SW System is designed to provide cooling water for the removal of heat from components of the Division 3 HPCS System.
| |
| The HPCS SW System consists of one cooling water header and the associated pump, piping, and valves. The Ultimate Heat Sink (UHS) is considered part of the SW System and UHS Specification (LCO 3.7.1, "Standby Service Water (SW) System and Ultimate Heat Sink (UHS)").
| |
| Cooling water is pumped from a UHS spray pond by the HPCS service water pump to the essential components through the HPCS service water supply header. After removing heat from the components, the water is discharged directly to the spray pond without spray, where the heat is dissipated.
| |
| The HPCS SW System specifically supplies cooling water to the Division 3 HPCS diesel generator engine coolers, diesel generator building coolers, and HPCS pump room cooler. The HPCS SW pump is sized such that it will provide adequate cooling water to the equipment required for safe shutdown. Following a Design Basis Accident or transient, the HPCS SW System will operate automatically upon receipt of an HPCS DG start signal and without operator action as described in the FSAR, Section 9.2.7 (Ref. 1).
| |
| APPLICABLE The ability of the HPCS SW System to provide adequate cooling to the SAFETY HPCS System is an implicit assumption for safety analyses evaluated in ANALYSES the FSAR, Chapters 6 and 15 (Refs. 2 and 3, respectively).
| |
| The HPCS SW System satisfies Criterion 3 of Reference 4.
| |
| LCO The HPCS SW System is required to be OPERABLE to ensure that the HPCS System will operate as required. An OPERABLE HPCS SW System consists of an OPERABLE pump and an OPERABLE UHS flow path, capable of taking suction from the associated UHS spray pond and transferring the water to the appropriate unit equipment. The OPERABILITY of the UHS is discussed in LCO 3.7.1.
| |
| APPLICABILITY In MODES 1, 2, and 3, the HPCS SW System is required to be OPERABLE to support OPERABILITY of the HPCS System since it is required to be OPERABLE in these MODES.
| |
| Although the LCO for the HPCS SW System is not applicable in Modes 4 and 5, the capability of the HPCS SW System to perform its necessary related support functions may be required for OPERABILITY of HPCS system.
| |
| Columbia Generating Station B 3.7.2-1 Revision 88
| |
| | |
| HPCS SW System B 3.7.2 BASES ACTIONS A.1 When the HPCS SW System is inoperable, the capability of the HPCS System to perform its intended function cannot be ensured. Therefore, if the HPCS SW System is inoperable, the HPCS System must be declared inoperable immediately and the applicable Condition(s) of LCO 3.5.1, "ECCS - Operating," entered.
| |
| SURVEILLANCE SR 3.7.2.1 REQUIREMENTS Verifying the correct alignment for each manual, power operated, and automatic valve in the HPCS SW System flow path provides assurance that the proper flow paths will exist for HPCS SW System operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing.
| |
| A valve is also allowed to be in the nonaccident position and yet considered in the correct position, provided it can be automatically realigned to its accident position within the required time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.
| |
| This SR is modified by a Note indicating that isolation of the HPCS SW System to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the HPCS SW System. As such, when the HPCS SW System pump and all valves and piping are OPERABLE, but a branch connection off the main header is isolated, the HPCS SW System is still OPERABLE.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.7.2.2 This SR verifies that the automatic valves of the HPCS SW System will automatically switch to the safety or emergency position to provide cooling water exclusively to the safety related equipment during an accident event. This is demonstrated by use of an actual or simulated initiation signal. This SR also verifies the automatic start capability of the HPCS SW pump.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.7.2-2 Revision 93
| |
| | |
| HPCS SW System B 3.7.2 BASES REFERENCES 1. FSAR, Section 9.2.7.
| |
| : 2. FSAR, Chapter 6.
| |
| : 3. FSAR, Chapter 15.
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.7.2-3 Revision 93
| |
| | |
| CREF System B 3.7.3 B 3.7 PLANT SYSTEMS B 3.7.3 Control Room Emergency Filtration (CREF) System BASES BACKGROUND The CREF System provides a protected environment from which occupants can control the unit following an uncontrolled release of radioactivity, hazardous chemicals, or smoke.
| |
| The safety related function of the CREF System used to control radiation exposure consists of two independent and redundant high efficiency air filtration subsystems for treatment of outside supply air and a Control Room Envelope (CRE) boundary that limits the inleakage of unfiltered air.
| |
| Each subsystem consists of an electric heater, a prefilter, a high efficiency particulate air (HEPA) filter, an activated charcoal adsorber section, a filter unit fan, a control room recirculation fan, and the associated ductwork, valves or dampers, doors, barriers, and instrumentation. The electric heater is used to limit the relative humidity of the air entering the filter train. Prefilters and HEPA filters remove particulate matter which may be radioactive. The charcoal adsorbers provide a holdup period for gaseous iodine, allowing time for decay.
| |
| The CRE is the area within the confines of the CRE boundary that contains the spaces that control room occupants inhabit to control the unit for normal and accident conditions. This area encompasses the control room, and may encompass other non-critical areas to which frequent personnel access or continuous occupancy is not necessary in the event of an accident. The CRE is protected for normal operation, natural events, and accident conditions. The CRE boundary is the combination of walls, floor, roof, ducting, doors, penetrations and equipment that physically form the CRE. The OPERABILITY of the CRE boundary must be maintained to ensure that the inleakage of unfiltered air into the CRE will not exceed the inleakage assumed in the licensing basis analysis of design basis accident (DBA) consequences to CRE occupants. The CRE and its boundary are defined in the Control Room Envelope Habitability Program.
| |
| The safety related CREF System is a standby system, but most of the ductwork is common to the Control Room Heating, Ventilation, and Air Conditioning (HVAC) System, which is operated to maintain the CRE environment during normal operation. Upon receipt of the initiation signal(s) (indicative of conditions that could result in radiation exposure to CRE occupants), the CREF System automatically switches to the pressurization mode of operation to minimize infiltration of contaminated air into the CRE. A system of dampers isolates the CRE (from the normal intake and exhaust), and CRE outside air flow is redirected and processed through either of the two filter subsystems.
| |
| Columbia Generating Station B 3.7.3-1 Revision 73
| |
| | |
| CREF System B 3.7.3 BASES BACKGROUND (continued)
| |
| The CREF System is designed to maintain a habitable environment in the CRE for a 30 day continuous occupancy after a DBA, without exceeding a 5 rem total effective dose equivalent (TEDE) dose. CREF System operation in maintaining the CRE habitability is discussed in the FSAR, Sections 6.4.1 and 9.4.1 (Refs. 1 and 2, respectively).
| |
| APPLICABLE The ability of the CREF System to maintain the habitability of the CRE SAFETY is an explicit assumption for the DBA LOCA analysis presented in the ANALYSES FSAR, Chapters 6, and 15 (Refs. 3 and 4, respectively). The pressurization mode of the CREF System is assumed to operate following a DBA. The radiological doses to CRE occupants as a result of the various DBAs are summarized in Reference 4. No single active failure will cause the loss of outside or recirculated air from the CRE.
| |
| The CREF System provides protection to the CRE occupants from smoke or hazardous chemical releases internal to the Radiological Controlled Area but external to the CRE. The analysis of hazardous chemical releases demonstrates that the toxicity limits are not exceeded in the CRE following a hazardous chemical release (Ref. 5). The evaluation of a smoke challenge demonstrates that it will not result in the inability of the CRE occupants to control the reactor either from the control room or from the remote shutdown panels (Ref. 6).
| |
| The CREF System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
| |
| LCO Two redundant subsystems of the CREF System are required to be OPERABLE to ensure that at least one is available if a single active failure disables the other subsystem. Total CREF System failure, such as from a loss of both ventilation subsystems or from an inoperable CRE boundary, could result in exceeding a dose of 5 rem TEDE to CRE occupants in the event of a DBA.
| |
| Each CREF subsystem is considered OPERABLE when the individual components necessary to limit CRE occupant exposure are OPERABLE.
| |
| A subsystem is considered OPERABLE when its associated:
| |
| : a. Filter unit fan is OPERABLE;
| |
| : b. HEPA filter and charcoal adsorber are not excessively restricting flow and are capable of performing their filtration functions;
| |
| : c. Heater, ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained; and
| |
| : d. Control room recirculation fan is OPERABLE.
| |
| Columbia Generating Station B 3.7.3-2 Revision 85
| |
| | |
| CREF System B 3.7.3 BASES LCO (continued)
| |
| In order for the CREF subsystems to be considered OPERABLE, the CRE boundary must be maintained such that the CRE occupant dose from a large radioactive release does not exceed the calculated dose in the licensing basis consequence analyses for DBAs, and that CRE occupants are protected from hazardous chemicals and smoke. The LCO is modified by a Note allowing the CRE boundary to be opened intermittently under administrative controls. This Note only applies to openings in the CRE boundary that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access panels. For entry and exit through doors, the administrative control of the opening is performed by the person(s) entering and exiting the area. For other openings, these controls should be proceduralized and consist of stationing a dedicated individual at the opening who is in continuous communication with the operators in the CRE. This individual will have a method to rapidly close the opening and to restore the CRE boundary to a condition equivalent to the design condition when a need for CRE boundary integrity is required.
| |
| APPLICABILITY In MODES 1, 2, and 3, the CREF System must be OPERABLE to ensure that the CRE will remain habitable during and following a DBA, since the DBA could lead to a fission product release.
| |
| In MODES 4 and 5, the probability and consequences of a DBA are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining the CREF System OPERABLE is not required in MODE 4 or 5.
| |
| ACTIONS A.1 With one CREF subsystem inoperable for reasons other than an inoperable CRE boundary, the inoperable CREF subsystem must be restored to OPERABLE status within 7 days. With the unit in this condition, the remaining OPERABLE CREF subsystem is adequate to perform the CRE occupant radiation protection function. However, the overall reliability is reduced because a failure in the OPERABLE subsystem could result in loss of CREF System function. The 7 day Completion Time is based on the low probability of a DBA occurring during this time period, and that the remaining subsystem can provide the required capabilities.
| |
| Columbia Generating Station B 3.7.3-3 Revision 111
| |
| | |
| CREF System B 3.7.3 BASES ACTIONS (continued)
| |
| B.1, B.2, and B.3 If the unfiltered inleakage of potentially contaminated air past the CRE boundary and into the CRE can result in CRE occupant radiological dose greater than the calculated dose of the licensing basis analyses of DBA consequences (allowed to be up to 5 rem TEDE), or inadequate protection of CRE occupants from hazardous chemicals or smoke, the CRE boundary is inoperable. Actions must be taken to restore an OPERABLE CRE boundary within 90 days.
| |
| During the period that the CRE boundary is considered inoperable, action must be initiated to implement mitigating actions to lessen the effect on CRE occupants from the potential hazards of a radiological or chemical event or a challenge from smoke. Actions must be taken within 24 hours to verify that in the event of a DBA, the mitigating actions will ensure that CRE occupant radiological exposures will not exceed the calculated dose of the licensing basis analyses of DBA consequences, and that CRE occupants are protected from hazardous chemicals and smoke. These mitigating actions (i.e., actions that are taken to offset the consequences of the inoperable CRE boundary) should be preplanned for implementation upon entry into the condition, regardless of whether entry is intentional or unintentional. The 24 hour Completion Time is reasonable based on the low probability of a DBA occurring during this time period, and the use of mitigating actions. The 90 day Completion Time is reasonable based on the determination that the mitigating actions will ensure protection of CRE occupants within analyzed limits while limiting the probability that CRE occupants will have to implement protective measures that may adversely affect their ability to control the reactor and maintain it in a safe shutdown condition in the event of a DBA. In addition, the 90 day Completion Time is a reasonable time to diagnose, plan and possibly repair, and test most problems with the CRE boundary.
| |
| C.1 In MODE 1, 2, or 3, if the inoperable CREF subsystem or CRE boundary cannot be restored to OPERABLE status within the required Completion Time, the unit must be placed in a MODE that minimizes overall plant risk. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 10) and because the time spent in MODE 3 to perform the necessary repairs Columbia Generating Station B 3.7.3-4 Revision 90
| |
| | |
| CREF System B 3.7.3 BASES ACTIONS (continued) to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action C.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
| |
| D.1 If both CREF subsystems are inoperable in MODE 1, 2, or 3, for reasons other than an inoperable CRE boundary (i.e., Condition B) the CREF System may not be capable of performing the intended function and the unit is in a condition outside of the accident analyses. Therefore, the plant must be brought to a MODE in which the overall plant risk is minimized. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours.
| |
| Columbia Generating Station B 3.7.3-5 Revision 111
| |
| | |
| CREF System B 3.7.3 BASES ACTIONS (continued)
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 10) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action D.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.7.3.1 REQUIREMENTS Operating (from the control room) each CREF subsystem for 15 continuous minutes with heaters operating ensures that both subsystems are OPERABLE and that all associated controls are functioning properly.
| |
| It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.7.3-6 Revision 111
| |
| | |
| CREF System B 3.7.3 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.7.3.2 This SR verifies that the required CREF testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The CREF filter tests are in accordance with Regulatory Guide 1.52 (Ref. 6).
| |
| The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, system flow rate, and the physical properties of the activated charcoal (general use and following specific operations). Specific test-Frequencies and additional information are discussed in detail in the VFTP.
| |
| SR 3.7.3.3 This SR verifies that each CREF subsystem starts and operates on an actual or simulated initiation signal. This SR also includes ensuring the control room isolates (i.e., the normal intake dampers close and the exhaust fan trips and associated discharge damper closes). The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.7.1.4 overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.7.3.4 This SR verifies the OPERABILITY of the CRE boundary by testing for unfiltered air inleakage past the CRE boundary and into the CRE. The details of the testing are specified in the Control Room Envelope Habitability Program.
| |
| The CRE is considered habitable when the radiological dose to CRE occupants calculated in the licensing basis analyses of DBA consequences is no more than 5 rem TEDE and the CRE occupants are protected from hazardous chemicals and smoke. This SR verifies that the unfiltered air inleakage into the CRE is no greater than the flow rate assumed in the licensing basis analyses of DBA consequences. When unfiltered air inleakage is greater than the assumed flow rate, Condition B must be entered. Required Action B.3 allows time to restore the CRE boundary to OPERABLE status provided mitigating actions can ensure that the CRE remains within the licensing basis habitability limits for the occupants following an accident. Compensatory measures are discussed in Regulatory Guide 1.196, Section C.2.7.3, (Ref. 7) which endorses, with exceptions, NEI 99-03, Section 8.4 and Appendix F (Ref. 8). These Columbia Generating Station B 3.7.3-7 Revision 93
| |
| | |
| CREF System B 3.7.3 BASES SURVEILLANCE REQUIREMENTS (continued) compensatory measures may also be used as mitigating actions as required by Required Action B.2. Temporary analytical methods may also be used as compensatory measures to restore OPERABILITY (Ref. 9).
| |
| Options for restoring the CRE boundary to OPERABLE status include changing the licensing bases DBA consequence analysis, repairing the CRE boundary, or a combination of these actions. Depending upon the nature of the problem and the corrective action, a full scope inleakage test may not be necessary to establish that the CRE boundary has been restored to OPERABLE status.
| |
| REFERENCES 1. FSAR, Section 6.4.1.
| |
| : 2. FSAR, Section 9.4.1.
| |
| : 3. FSAR, Chapter 6.
| |
| : 4. FSAR, Chapter 15.
| |
| : 5. FSAR, Section 6.4.
| |
| : 6. FSAR, Section 9.5.
| |
| : 7. Regulatory Guide 1.196, May 2003.
| |
| : 8. NEI 99-03, "Control Room Habitability Assessment," June 2001.
| |
| : 9. Letter from Eric J. Leeds (NRC) to James W. Davis (NEI) dated January 30, 2004, "NEI Draft White Paper, Use of Generic Letter 91-18 Process and Alternative Source Terms in the Context of Control Room Habitability." (ADAMS Accession No. ML040300694).
| |
| : 10. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| Columbia Generating Station B 3.7.3-8 Revision 90
| |
| | |
| Control Room AC System B 3.7.4 B 3.7 PLANT SYSTEMS B 3.7.4 Control Room Air Conditioning (AC) System BASES BACKGROUND The Control Room AC portion of the Control Room Heating, Ventilation, and Air Conditioning (HVAC) System (hereafter referred to as the Control Room AC System) provides temperature control for the control room following isolation of the control room (from the normal intake and exhaust).
| |
| The Control Room AC System consists of two independent, redundant subsystems that provide cooling of recirculated control room air. Each subsystem consists of an air filter, two cooling coils (one normal and one emergency), a control room recirculation fan, ductwork, dampers, and instrumentation and controls to provide for control room temperature control. While there are two cooling coils, only the emergency cooling coil is required by this LCO. The emergency cooling coils are cooled by either the Emergency Chilled Water System, which consists of two chillers and two pumps (one chiller and pump combination for each emergency cooling coil) or by the Standby Service Water (SW) System.
| |
| The SW System also provides cooling to the Emergency Chilled Water System chillers.
| |
| The Control Room AC System is designed to provide a controlled environment under both normal (using the non-safety related normal cooling coils) and accident (using the safety related emergency cooling coils) conditions. A single subsystem provides the required temperature control to maintain a suitable control room environment with a sustained occupancy of 10 persons. The design condition for the control room environment is 85°F for control room habitability. The environmental qualification temperature for control room equipment is 104°F. When the Emergency Chilled Water System is not functional, an evaluation of the capability of the SW System to maintain control room temperature 85°F is required per Licensee Controlled Specification (LCS) 1.7.2 (Ref.1).
| |
| The Control Room AC System operation in maintaining the control room temperature is discussed in the FSAR, Sections 6.4 and 9.4.1 (Refs. 2 and 3, respectively).
| |
| APPLICABLE The design basis of the Control Room AC System is to maintain the SAFETY control room temperature for a 30 day continuous occupancy.
| |
| ANALYSES The Control Room AC System components are arranged in redundant safety related subsystems. During emergency operation, the Control Room AC System maintains a habitable environment and ensures the OPERABILITY of components in the control room. A single active failure Columbia Generating Station B 3.7.4-1 Revision 84
| |
| | |
| Control Room AC System B 3.7.4 BASES APPLICABLE SAFETY ANALYSES (continued) of a component of the Control Room AC System, assuming a loss of offsite power, does not impair the ability of the system to perform its design function. Redundant detectors and controls are provided for control room temperature control when the emergency cooling coils are cooled by the Emergency Chilled Water System. The Control Room AC System is designed in accordance with Seismic Category I requirements.
| |
| The Control Room AC System is capable of removing sensible and latent heat loads from the control room, including consideration of equipment heat loads and personnel occupancy requirements to ensure equipment OPERABILITY.
| |
| The Control Room AC System satisfies Criterion 3 of Reference 4.
| |
| LCO Two independent and redundant subsystems of the Control Room AC System are required to be OPERABLE to ensure that at least one is available, assuming a single failure disables the other subsystem. Total system failure could result in the equipment operating temperature exceeding limits.
| |
| The Control Room AC System is considered OPERABLE when the individual components necessary to maintain the control room temperature are OPERABLE in both subsystems. These components include the emergency cooling coils (either cooled by the Emergency Chilled Water System or the SW System), control room recirculation fans, Emergency Chilled Water System chillers and pumps (if the Emergency Chilled Water System is being credited with providing cooling to the emergency cooling coils), ductwork, dampers, and associated instrumentation and controls.
| |
| APPLICABILITY In MODE 1, 2, or 3, the Control Room AC System must be OPERABLE to ensure that the control room temperature will not exceed equipment OPERABILITY limits following control room isolation.
| |
| In MODES 4 and 5, the probability and consequences of a Design Basis Accident are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining the Control Room AC System OPERABLE is not required in MODE 4 or 5.
| |
| Columbia Generating Station B 3.7.4-2 Revision 111
| |
| | |
| Control Room AC System B 3.7.4 BASES ACTIONS A.1 With one control room AC subsystem inoperable, the inoperable control room AC subsystem must be restored to OPERABLE status within 30 days. With the unit in this condition, the remaining OPERABLE control room AC subsystem is adequate to perform the control room air conditioning function. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in loss of the control room air conditioning function. The 30 day Completion Time is based on the low probability of an event occurring requiring control room isolation, the consideration that the remaining subsystem can provide the required protection, and the availability of alternate cooling methods.
| |
| B.1 and B.2 If both control room AC subsystems are inoperable, the Control Room AC System may not be capable of performing its intended function.
| |
| Therefore, the control room area temperature is required to be monitored to ensure that temperature is being maintained low enough that equipment in the control room is not adversely affected. With the control room temperature being maintained within the temperature limit, 72 hours is allowed to restore a Control Room AC subsystem to OPERABLE status. This Completion Time is reasonable considering that the control room temperature is being maintained within limits and the low probability of an event occurring requiring control room isolation.
| |
| C.1 In MODE 1, 2, or 3, if the inoperable control room AC subsystem(s) cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE that minimizes overall plant risk. To achieve this status the unit must be placed in at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 4) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action C.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment Columbia Generating Station B 3.7.4-3 Revision 90
| |
| | |
| Control Room AC System B 3.7.4 BASES ACTIONS (continued) addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
| |
| SURVEILLANCE SR 3.7.4.1 REQUIREMENTS This SR verifies that the heat removal capability of the system is sufficient to remove the control room heat load assumed in the safety analyses.
| |
| The SR consists of a combination of testing and calculation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. LCS 1.7.2.
| |
| : 2. FSAR, Section 6.4.
| |
| : 3. FSAR, Section 9.4.1.
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| : 5. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| Columbia Generating Station B 3.7.4-4 Revision 111
| |
| | |
| Main Condenser Offgas B 3.7.5 B 3.7 PLANT SYSTEMS B 3.7.5 Main Condenser Offgas BASES BACKGROUND During unit operation, steam from the low pressure turbine is exhausted directly into the main condenser. Air and noncondensible gases are collected in the main condenser, then exhausted through the steam jet air ejectors (SJAEs) to the Main Condenser Offgas System. The offgas from the main condenser normally includes radioactive gases.
| |
| The Main Condenser Offgas System has been incorporated into the unit design to reduce the gaseous radwaste emission. This system uses a catalytic recombiner to recombine radiolytically dissociated hydrogen and oxygen. The gaseous mixture is cooled by the offgas condenser; the water and condensibles are stripped out by the offgas condenser and moisture separator. The radioactivity of the remaining gaseous mixture (i.e., the offgas recombiner effluent) is monitored downstream of the moisture separator prior to entering the holdup line.
| |
| APPLICABLE The main condenser offgas gross gamma activity rate is an initial SAFETY condition of the Main Condenser Offgas System failure event as ANALYSES discussed in the FSAR, Section 11.3 (Ref. 1). The analysis assumes a single failure of a single component in the Main Condenser Offgas System. The gross gamma activity rate is controlled to ensure that during the event, the calculated offsite doses will be well within the limits (NUREG-0800, Ref. 2) of 10 CFR 50.67 (Ref. 3).
| |
| The main condenser offgas limits satisfy Criterion 2 of Reference 4.
| |
| LCO To ensure compliance with the assumptions of the Main Condenser Offgas System failure event (Ref. 1), the fission product release rate should be consistent with a noble gas release to the reactor coolant of 100 Ci/Mwt-second after decay of 30 minutes. The LCO is established consistent with this requirement (3323 Mwt x 100 Ci/Mwt-second =
| |
| 332 mCi/second) and is based on the original licensed RATED THERMAL POWER.
| |
| APPLICABILITY The LCO is applicable when steam is being exhausted to the main condenser and the resulting noncondensibles are being processed via the Main Condenser Offgas System. This occurs during MODE 1, and during MODES 2 and 3 with any main steam line not isolated and the SJAE in operation. In MODES 4 and 5, main steam is not being exhausted to the main condenser and the requirements are not applicable.
| |
| Columbia Generating Station B 3.7.5-1 Revision 73
| |
| | |
| Main Condenser Offgas B 3.7.5 BASES ACTIONS A.1 If the offgas radioactivity rate limit is exceeded, 72 hours is allowed to restore the gross gamma activity rate to within the limit. The 72 hour Completion Time is reasonable, based on engineering judgment considering the time required to complete the Required Action, the large margins associated with permissible dose and exposure limits, and the low probability of a Main Condenser Offgas System failure occurring.
| |
| B.1, B.2, and B.3 If the gross gamma activity rate is not restored to within the limits within the associated Completion Time, all main steam lines or the SJAE must be isolated. This isolates the Main Condenser Offgas System from significant sources of radioactive steam. The main steam lines are considered isolated if at least one main steam isolation valve in each main steam line is closed, and at least one main steam line drain valve in each drain line is closed. The 12 hour Completion Time is reasonable, based on operating experience, to perform the actions from full power conditions in an orderly manner and without challenging unit systems.
| |
| An alternative to Required Actions B.1 and B.2 is to place the unit in a MODE in which overall plant risk is minimized. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 5) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action B.3 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
| |
| Columbia Generating Station B 3.7.5-2 Revision 90
| |
| | |
| Main Condenser Offgas B 3.7.5 BASES SURVEILLANCE SR 3.7.5.1 REQUIREMENTS This SR requires an isotopic analysis of an offgas sample (taken at the discharge of the main condenser air ejector prior to dilution) to ensure that the required limits are satisfied. The noble gases to be sampled are Xe-133, Xe-135, Xe-138, Kr-85, Kr-87, and Kr-88. If the measured rate of radioactivity increases significantly (by 50% after correcting for expected increases due to changes in THERMAL POWER), an isotopic analysis is also performed within 4 hours after the increase is noted, to ensure that the increase is not indicative of a sustained increase in the radioactivity rate. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This SR is modified by a Note indicating that the SR is not required to be performed until 31 days after any main steam line is not isolated and the SJAE is in operation. Only in this condition can radioactive fission gases be in the Main Condenser Offgas System at significant rates.
| |
| REFERENCES 1. FSAR, Section 11.3.
| |
| : 2. NUREG-0800.
| |
| : 3. 10 CFR 50.67, "Accident Source Term."
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| : 5. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| Columbia Generating Station B 3.7.5-3 Revision 93
| |
| | |
| Main Turbine Bypass System B 3.7.6 B 3.7 PLANT SYSTEMS B 3.7.6 Main Turbine Bypass System BASES BACKGROUND The Main Turbine Bypass System is designed to control steam pressure when reactor steam generation exceeds turbine requirements during unit startup, sudden load reduction, and cooldown. It allows excess steam flow from the reactor to the condenser without going through the turbine.
| |
| The bypass capacity of the system is 23.35% of the Nuclear Steam Supply System rated steam flow. Sudden load reductions within the capacity of the steam bypass can be accommodated without reactor scram. The Main Turbine Bypass System consists of a four valve manifold connected to the main steam lines between the main steam isolation valves and the turbine throttle valves. Each of these valves is sequentially operated by hydraulic cylinders. The bypass valves are controlled by the pressure regulation function of the Digital-Electro Hydraulic Control System, as discussed in the FSAR, Section 7.7.1.5 (Ref. 1). The bypass valves are normally closed, and the pressure regulator controls the turbine control valves, directing all steam flow to the turbine. If the speed governor or the load limiter restricts steam flow to the turbine, the pressure regulator controls the system pressure by opening the bypass valves. When the bypass valves open, the steam flows from the valve manifold, through connecting piping, to the pressure-reducing perforated pipes located in the condenser shell.
| |
| APPLICABLE The Main Turbine Bypass System is assumed to function during the SAFETY design basis feedwater controller failure, maximum demand event, ANALYSES described in the FSAR, Section 15.1.2 (Ref. 2). Opening the bypass valves during the pressurization event mitigates the increase in reactor vessel pressure, which affects the MCPR during the event. An inoperable Main Turbine Bypass System may result in an MCPR penalty.
| |
| The Main Turbine Bypass System satisfies Criterion 3 of Reference 3 LCO The Main Turbine Bypass System is required to be OPERABLE to limit peak pressure in the main steam lines and maintain reactor pressure within acceptable limits during events that cause rapid pressurization, such that the Safety Limit MCPR is not exceeded. With the Main Turbine Bypass System inoperable, modifications to the MCPR limits (LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") may be applied to allow continued operation.
| |
| An OPERABLE Main Turbine Bypass System requires the bypass valves to open in response to increasing main steam line pressure. This response is within the assumptions of the applicable analysis (Ref. 2).
| |
| The MCPR limit for the inoperable Main Turbine Bypass System is specified in the COLR.
| |
| Columbia Generating Station B 3.7.6-1 Revision 98
| |
| | |
| Main Turbine Bypass System B 3.7.6 BASES APPLICABILITY The Main Turbine Bypass System is required to be OPERABLE at 25% RTP to ensure that the fuel cladding integrity Safety Limit is not violated during the feedwater controller failure, maximum demand event.
| |
| As discussed in the Bases for LCO 3.2.2, sufficient margin to this limit exists < 25% RTP. Therefore, these requirements are only necessary when operating at or above this power level.
| |
| ACTIONS A.1 If the Main Turbine Bypass System is inoperable (one or more bypass valves inoperable), and the MCPR limits for an inoperable Main Turbine Bypass System, as specified in the COLR, are not applied, the assumptions of the design basis transient analysis may not be met.
| |
| Under such circumstances, prompt action should be taken to restore the Main Turbine Bypass System to OPERABLE status or adjust the MCPR limits accordingly. The 2 hour Completion Time is reasonable, based on the time to complete the Required Action and the low probability of an event occurring during this period requiring the Main Turbine Bypass System.
| |
| B.1 If the Main Turbine Bypass System cannot be restored to OPERABLE status and the MCPR limits for an inoperable Main Turbine Bypass System are not applied, THERMAL POWER must be reduced to
| |
| < 25% RTP. As discussed in the Applicability section, operation at
| |
| < 25% RTP results in sufficient margin to the required limits, and the Main Turbine Bypass System is not required to protect fuel integrity during the feedwater controller failure, maximum demand event. The 4 hour Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
| |
| SURVEILLANCE SR 3.7.6.1 REQUIREMENTS Cycling each main turbine bypass valve through one complete cycle of full travel demonstrates that the valves are mechanically OPERABLE and will function when required. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.7.6-2 Revision 93
| |
| | |
| Main Turbine Bypass System B 3.7.6 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.7.6.2 The Main Turbine Bypass System is required to actuate automatically to perform its design function. This SR demonstrates that, with the required system initiation signals, the valves will actuate to their required position.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.7.6.3 This SR ensures that the TURBINE BYPASS SYSTEM RESPONSE TIME is in compliance with the assumptions of the appropriate safety analysis. The response time limits are specified in the Licensee Controlled Specifications Manual (Ref. 4). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 7.7.1.5.
| |
| : 2. FSAR, Section 15.1.2.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| : 4. Licensee Controlled Specifications Manual Columbia Generating Station B 3.7.6-3 Revision 93
| |
| | |
| Spent Fuel Storage Pool Water Level B 3.7.7 B 3.7 PLANT SYSTEMS B 3.7.7 Spent Fuel Storage Pool Water Level BASES BACKGROUND The minimum water level in the spent fuel storage pool meets the assumptions of iodine decontamination factors following a fuel handling accident.
| |
| A general description of the spent fuel storage pool design is found in the FSAR, Section 9.1.2 (Ref. 1). The assumptions of the fuel handling accident are found in the FSAR, Section 15.7.4 (Ref. 2).
| |
| APPLICABLE The water level above the irradiated fuel assemblies is an explicit SAFETY assumption of the fuel handling accident (Ref. 2). A fuel handling ANALYSES accident is evaluated to ensure that the radiological consequences are within the limits of 10 CFR 50.67 (Ref. 3) and the guidelines of RG 1.183 (Ref. 4). A fuel handling accident could release a fraction of the fission product inventory by breaching the fuel rod cladding as discussed in the Regulatory Guide 1.183 (Ref. 4).
| |
| The fuel handling accident is evaluated for the dropping of an irradiated fuel assembly onto the reactor core. The consequences of a fuel handling accident over the spent fuel storage pool are no more severe than those of the fuel handling accident over the reactor core (Ref. 2).
| |
| The water level in the spent fuel storage pool provides for absorption of water soluble fission product gases and transport delays of soluble and insoluble gases that must pass through the water before being released to the secondary containment atmosphere. This absorption and transport delay reduces the potential radioactivity of the release during a fuel handling accident.
| |
| The spent fuel storage pool water level satisfies Criterion 2 of Reference 5.
| |
| LCO The specified water level preserves the assumption of the fuel handling accident analysis (Ref. 2). As such, it is the minimum required for fuel movement within the spent fuel storage pool.
| |
| APPLICABILITY This LCO applies whenever movement of irradiated fuel assemblies occurs in the spent fuel storage pool since the potential for a release of fission products exists.
| |
| Columbia Generating Station B 3.7.7-1 Revision 73
| |
| | |
| Spent Fuel Storage Pool Water Level B 3.7.7 BASES ACTIONS A.1 LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not a sufficient reason to require a reactor shutdown.
| |
| When the initial conditions for an accident cannot be met, steps should be taken to preclude the accident from occurring. With the spent fuel storage pool level less than required, the movement of irradiated fuel assemblies in the spent fuel storage pool is suspended immediately.
| |
| Suspension of this activity shall not preclude completion of movement of an irradiated fuel assembly to a safe position. This effectively precludes a spent fuel handling accident from occurring.
| |
| SURVEILLANCE SR 3.7.7.1 REQUIREMENTS This SR verifies that sufficient water is available in the event of a fuel handling accident. The water level in the spent fuel storage pool must be checked periodically. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 9.1.2.
| |
| : 2. FSAR, Section 15.7.4.
| |
| : 3. 10 CFR 50.67, "Accident Source Term."
| |
| : 4. Regulatory Guide 1.183, July 2000.
| |
| : 5. 10 CFR 50.36(cd)(2)(ii).
| |
| Columbia Generating Station B 3.7.7-2 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources - Operating BASES BACKGROUND The unit Class 1E AC Electrical Power Distribution System AC sources consist of the offsite power sources and the onsite standby power sources (diesel generators (DGs) 1, 2, and 3). As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.
| |
| The Class 1E AC distribution system supplies electrical power to three divisional load groups, Divisions 1, 2, and 3, with each division powered by an independent Class 1E 4.16 kV ESF bus (refer to LCO 3.8.7, "Distribution Systems - Operating"). Divisions 1 and 2 4.16 kV ESF buses have two separate and independent offsite sources of power. Division 3 4.16 kV ESF bus has one offsite source of power. Each 4.16 kV ESF bus has a dedicated onsite DG. The ESF systems of any two of the three divisions provide for the minimum safety functions necessary to shut down the unit and maintain it in a safe shutdown condition.
| |
| Offsite power is supplied to the switchyard from the transmission network.
| |
| From the switchyard two qualified, electrically and physically separated circuits provide AC power to the Divisions 1 and 2 4.16 kV ESF buses (SM-7 and SM-8), while only one qualified circuit provides AC power to the Division 3 4.16 kV ESF bus (SM-4). One qualified circuit (to all 4.16 kV ESF buses) is from the 230 kV Ashe substation stepped down through the 230 kV/4.16 kV windings of a 230 kV/6.9 kV/4.16 kV transformer (the startup transformer, TR-S). The other qualified circuit (to Divisions 1 and 2 4.16 kV ESF buses only) is from the 115 kV Benton substation stepped down through a 115 kV/4.16 kV transformer (the backup transformer, TR-B). The offsite AC electrical power sources are designed and located so as to minimize to the extent practicable the likelihood of their simultaneous failure under operating and postulated accident and environmental conditions. A detailed description of the offsite power network and circuits to the onsite Class 1E 4.16 kV ESF buses is found in FSAR, Chapter 8 (Ref. 2).
| |
| The ASHE 230 kV bus has two transmission network connections, one from the Midway 230 kV substation via the HEW--ASHE Tap 230 kV transmission line and one from the White Bluffs 115 kV substation via ASHEBWhite Bluffs #1 230 kV transmission line. The 230 kV source from Midway to ASHE via the HEW--ASHE Tap 230 kV transmission line is the analyzed and credited path for Columbia Generating Station service which supports the Design Bases/Licensing Bases requirements for separate offsite power system interconnections.
| |
| Columbia Generating Station B 3.8.1-1 Revision 73
| |
| | |
| AC Sources - Operating B 3.8.1 BASES BACKGROUND (continued)
| |
| The 230 kV transmission line from the White Bluffs substation to the ASHE 230 kV bus is derived from a 115 kV/230 kV transformer at White Bluffs substation. With the Midway 230 kV connection to ASHE substation out of service and the ASHE bus energized entirely from the White Bluffs #1 230 kV line would mean the 230 kV source to Columbia Generating Station is locally derived from the 115 kV network. In this configuration, Columbia Generating Station service would be entirely supported by the 115 kV transmission system, (via the BENTON and White Bluffs Switchyards) which is contrary to Columbia Generating Station Design Bases/Licensing Bases requirements.
| |
| A qualified offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESF bus(es).
| |
| The startup transformer normally provides power to all 4.16 kV ESF buses when the main generator is not tied to the grid. An automatic transfer feature is provided for Divisions 1 and 2 such that if power is lost to a 4.16 kV ESF bus (SM-7 and SM-8) due to a loss of the startup transformer supply, the backup transformer supply breaker to the bus will automatically close and provide power. Manual live transfer capability of power between the startup and backup transformer sources is also provided. Power is provided to all the 4.16 kV ESF buses, when the main generator is tied to the grid, by a 25 kV/4.16 kV auxiliary transformer (TR-N1) fed from the main generator 25 kV isolated phase bus.
| |
| However, this power source is not allowed to be credited with meeting the requirements of LCO 3.8.1. a since it does not come from an offsite circuit (it is generated onsite, yet is not a standby source that can function under all conditions).
| |
| Automatic transfer capability is provided so that failure of the auxiliary transformer supply (from TR-N1) causes immediate tripping of the auxiliary transformer supply breakers and simultaneous closing of the startup transformer supply breakers to the ESF buses. Each startup transformer supply breaker is interlocked to close only if the associated auxiliary transformer supply breaker is not locked out, thus preventing closing onto a fault or tieing a credited source to a non-credited source.
| |
| Manual live transfer capability of power between the auxiliary transformer source and the startup and backup (Divisions 1 and 2 only) transformer sources is also provided.
| |
| Following an accident signal, certain required Division 1 and 2 plant loads are started in a predetermined sequence in order to prevent overloading the startup transformer supplying offsite power to the onsite Class 1E Distribution System.
| |
| Columbia Generating Station B 3.8.1-2 Revision 73
| |
| | |
| AC Sources - Operating B 3.8.1 BASES BACKGROUND (continued)
| |
| The onsite standby power source for each 4.16 kV ESF bus is a dedicated DG. A DG starts automatically on loss of coolant accident (LOCA) signal (i.e., low reactor water level signal; Level 1 for DG-1 and DG-2, Level 2 for DG-3, or high drywell pressure signal) or on an ESF bus degraded voltage or undervoltage signal (refer to LCO 3.3.8.1, "Loss of Power (LOP) Instrumentation"). After the DG has started, it automatically ties to its respective ESF bus after offsite power is tripped as a consequence of emergency bus undervoltage or degraded voltage, independent of or coincident with a LOCA signal. The DGs also start and operate in the standby mode without tying to the ESF bus on a LOCA signal alone.
| |
| In the event of a loss of offsite power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a LOCA.
| |
| Certain required plant loads are returned to service or started in a predetermined sequence in order to prevent overloading the DG (Ref. 4).
| |
| Division 1 and 2 DGs (DG-1 and DG-2) satisfy the following Safety Guide 9 (Ref. 5) ratings:
| |
| : a. 4400 kW - continuous;
| |
| : b. 4650 kW - 2000 hours;
| |
| : c. 4900 kW - 168 hours; and
| |
| : d. 5150 kW - 30 minutes.
| |
| Division 3 DG (DG-3) satisfies the following Safety Guide 9 (Ref. 5) ratings:
| |
| : a. 2600 kW - continuous;
| |
| : b. 2850 kW - 2000 hours; and
| |
| : c. 3030 kW - 30 minutes.
| |
| Columbia Generating Station B 3.8.1-3 Revision 73
| |
| | |
| AC Sources - Operating B 3.8.1 BASES APPLICABLE The initial conditions of DBA and transient analyses in the FSAR, SAFETY Chapter 6 (Ref. 6) and Chapter 15 (Ref. 7), assume ESF ANALYSES systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC)
| |
| System; and Section 3.6, Containment Systems.
| |
| The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining the onsite or offsite AC sources OPERABLE during accident conditions in the event of:
| |
| : a. An assumed loss of all offsite power or all onsite AC power; and
| |
| : b. A worst case single failure.
| |
| AC sources satisfy the requirements of Criterion 3 of Reference 8.
| |
| LCO Two qualified circuits between the offsite transmission network and the onsite Class 1E Distribution System, and three separate and independent DGs (1, 2, and 3), ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated DBA.
| |
| Qualified offsite circuits are those that are described in the FSAR and are part of the licensing basis for the unit.
| |
| The two circuits from offsite are from the Ashe substation and the Benton substation (via transformers TR-S and TR-B, respectively). To ensure the requirements of Reference 1 are met, the TR-S offsite circuit must be capable of providing power to the Division 3 4.16 kV ESF bus (SM-4) and both the Division 1 (SM-7) and Division 2 (SM-8) 4.16 kV ESF buses.
| |
| The TR-B offsite circuit must be capable of providing power to both Divisions 1 and 2 4.16 kV ESF buses. The qualified offsite circuits include the circuit path and disconnect to the respective transformers, the circuit path and breakers to the respective non-Class 1E 4.16 kV switchgear, SM-1, SM-2, and SM-3 (for the TR-S offsite circuit only), and the circuit path and breakers to the respective Class 1E switchgear (SM-4, SM-7, and SM-8). Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the ESF buses.
| |
| Columbia Generating Station B 3.8.1-4 Revision 76
| |
| | |
| AC Sources - Operating B 3.8.1 BASES LCO (continued)
| |
| Each DG must be capable of starting, accelerating to rated speed and voltage, and connecting to its respective ESF bus on detection of bus undervoltage. This sequence must be accomplished within 15 seconds for Division 1 and 2 DGs and 18 seconds for Division 3 DG.
| |
| The DG-3 18 second start time includes the Loss of Voltage - Time Delay Function specified in LCO 3.3.8.1. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby with engine hot and DG in standby with the engine at ambient conditions. Additional DG capabilities must be demonstrated to meet required Surveillances, e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode. Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY.
| |
| The AC sources in one division must be separate and independent (to the extent possible) of the AC sources in the other division(s). For the DGs, the separation and independence are complete. For the offsite AC sources, the separation and independence are to the extent practicable.
| |
| One offsite circuit is allowed to be tied to all ESF buses, and not violate the separation criteria, provided the necessary automatic transfer capability is OPERABLE. That is, power can be supplied to SM-7 and SM-8 via TR-S provided the automatic transfer capability to TR-B exists for both of the ESF buses. However, if power is supplied to SM-7 or SM-8 via TR-B, then one offsite circuit is inoperable (TR-S) since no automatic transfer capability from TR-B to TR-S exists. Additionally, power to the ESF buses is allowed to be supplied from the auxiliary transformer (TR-N1). In this case, the TR-S offsite circuit is considered OPERABLE provided the automatic transfer capability from TR-N1 to TR-S is OPERABLE for SM-4 and both SM-7 and SM-8. For TR-B to be considered OPERABLE, the automatic transfer capability to TR-B must be OPERABLE for both SM-7 and SM-8. (The automatic transfer capability from TR-N1 to TR-B is allowed to go through an intermediate step of transferring to the first offsite source, i.e., TR-S).
| |
| APPLICABILITY The AC sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure that:
| |
| : a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and Columbia Generating Station B 3.8.1-5 Revision 83
| |
| | |
| AC Sources - Operating B 3.8.1 BASES APPLICABILITY (continued)
| |
| : b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.
| |
| A Note has been added taking exception to the Applicability requirements for Division 3 sources, provided the HPCS System is declared inoperable.
| |
| This exception is intended to allow declaring of the Division 3 inoperable either in lieu of declaring the Division 3 source inoperable, or at any time subsequent to entering ACTIONS for an inoperable Division 3 source.
| |
| This exception is acceptable since, with the Division 3 inoperable and the associated ACTIONS entered, the Division 3 AC sources provide no additional assurance of meeting the above criteria.
| |
| AC power requirements for MODES 4 and 5 and other conditions in which AC sources are required are covered in LCO 3.8.2, "AC Sources -
| |
| Shutdown."
| |
| ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable DG.
| |
| There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable DG and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.
| |
| A.1 To ensure a highly reliable power source remains, it is necessary to verify the availability of the remaining offsite circuits on a more frequent basis.
| |
| Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in the Required Action not met.
| |
| However, if a second circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition C, for two offsite circuits inoperable, is entered.
| |
| A.2 Required Action A.2, which only applies if the division cannot be powered from an offsite source, is intended to provide assurance that an event with a coincident single failure of the associated DG does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e., single division systems are not included, although, for this Required Action, Division 3 (HPCS) is considered redundant to Division 1 and 2 Emergency Core Cooling Systems (ECCS)). Redundant required features failures consist Columbia Generating Station B 3.8.1-6 Revision 73
| |
| | |
| AC Sources - Operating B 3.8.1 BASES ACTIONS (continued) of inoperable features associated with a division redundant to the division that has no offsite power.
| |
| The Completion Time for Required Action A.2 is intended to allow time for the operator to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:
| |
| : a. The division has no offsite power supplying its loads; and
| |
| : b. A redundant required feature on another division is inoperable.
| |
| If, at any time during the existence of this Condition (one offsite circuit inoperable), a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.
| |
| Discovering no offsite power to one division of the onsite Class 1E Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with the other division that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before the unit is subjected to transients associated with shutdown.
| |
| The remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection may have been lost for the required feature's function; however, function is not lost. The 24 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
| |
| A.3 According to Regulatory Guide 1.93 (Ref. 9), operation may continue in Condition A for a period that should not exceed 72 hours. With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the plant safety systems. In this Condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E distribution system.
| |
| Columbia Generating Station B 3.8.1-7 Revision 73
| |
| | |
| AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)
| |
| The Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period.
| |
| The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO when not associated with Required Action B.4.2.2. The reason for this limit and a third Completion Time limit is further explained below.
| |
| The third Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for a combination of required AC power sources that are associated with Required Action B.4.2.2 to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 14 days. This situation could lead to a total of 17 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 14 days (for a total of 31 days) allowed prior to complete restoration of the LCO. The 17 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the Completion Times means that all Completion Times apply simultaneously, and the more restrictive must be met.
| |
| Similar to Required Action A.2, the Completion Time of Required Action A.3 allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time that Condition A was entered.
| |
| Columbia Generating Station B 3.8.1-8 Revision 73
| |
| | |
| AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)
| |
| B.1 To ensure a highly reliable power source remains, it is necessary to verify the availability of the remaining offsite circuit on a more frequent basis.
| |
| Since Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met.
| |
| However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions must then be entered.
| |
| B.2 Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e., single division systems are not included, although, for this Required Action, Division 3 (HPCS) is considered redundant to Division 1 and 2 ECCS). Redundant required features failures consist of inoperable features associated with a division redundant to the division that has an inoperable DG.
| |
| The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:
| |
| : a. An inoperable DG exists; and
| |
| : b. A redundant required feature on another division is inoperable.
| |
| If, at any time during the existence of this Condition (one DG inoperable),
| |
| a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.
| |
| Discovering one required DG inoperable coincident with one or more required support or supported features, or both, that are associated with the OPERABLE DG(s), results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.
| |
| The remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, Columbia Generating Station B 3.8.1-9 Revision 104
| |
| | |
| AC Sources - Operating B 3.8.1 BASES ACTIONS (continued) on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.
| |
| B.3.1 and B.3.2 Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG(s), SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on other DGs, the other DGs are declared inoperable upon discovery, and Condition E or G of LCO 3.8.1 is entered, as applicable. Once the failure is repaired, and the common cause failure no longer exists, Required Action B.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG(s), performance of SR 3.8.1.2 within 24 hours, if not performed within the past 24 hours, suffices to provide assurance of continued OPERABILITY of those DG(s).
| |
| In the event the inoperable DG is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the corrective action program will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour constraint imposed while in Condition B.
| |
| If while the DG is inoperable, a new problem with the DG is discovered that would have prevented the DG from performing its specified safety function, a separate entry into Condition B is not required. The new DG problem should be addressed in accordance with the corrective action program.
| |
| According to Generic Letter 84-15 (Ref. 10), 24 hours is a reasonable time to confirm that the OPERABLE DG(s) are not affected by the same problem as the inoperable DG.
| |
| B.4 In Condition B, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E distribution system. The 72 hour Completion Time for Required Action B.4.1 takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
| |
| Columbia Generating Station B 3.8.1-10 Revision 104
| |
| | |
| AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)
| |
| The second Completion Time for Required Action B.4.1 established a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 72 hours.
| |
| This situation could lead to a total of 144 hours, since initial failure to meet the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 72 hours (for a total of 9 days) allowed prior to complete restoration of the LCO. The 6 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO when the required risk management action of B.4.2.1 is not in place. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour and 6 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.
| |
| A second optional set of Actions is provided, that if the risk management actions for establishing the alternate AC sources to division 1 or division 2 (AACS) occurs within the 72 hours Completion Time limit, an extended Completion Time up to 14 days from the DGs initial inoperability is allowed.
| |
| To establish the AACS, the DG-3 cross-connection to power selected safe shutdown loads is available and an additional AC source, a 480-volt diesel generator (DG-4), is staged and available. The AACS is considered available when DG-3 cross-connection can be implemented in accordance with the emergency procedures for a loss of offsite power or a station blackout event within 2 hours and DG-4 can be aligned and supplying the battery chargers within 4 hours. Additional risk management actions in accordance with the configuration risk management program required by 10 CFR 50.65a(4) are to be put in place to assure that significant risk configurations are avoided during the extended DG inoperability.
| |
| Similar to Action A.3 Completion Time, when the 14-day extended Completion Time is applicable, the 17 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO.
| |
| Similar to Required Action B.2, the Completion Time of Required Actions B.4.1 and B.4.2.2 allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition B was entered.
| |
| Columbia Generating Station B 3.8.1-11 Revision 104
| |
| | |
| AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)
| |
| C.1 and C.2 Required Action C.1 addresses actions to be taken in the event of concurrent failure of redundant required features. Required Action C.1 reduces the vulnerability to a loss function. The Completion Time for taking these actions is reduced to 12 hours from that allowed with only one division without offsite power (Required Action A.2). The rationale for the reduction to 12 hours is that Regulatory Guide 1.93 (Ref. 9) allows a Completion Time of 24 hours for two required offsite circuits inoperable, based upon the assumption that two complete safety divisions are OPERABLE. When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours is appropriate. These features are designed with redundant safety related divisions (i.e., single division systems are not included in the list, although, for this Required Action, Division 3 (HPCS) is considered redundant to Divisions 1 and 2 ECCS). Redundant required features failures consist of any of these features that are inoperable, because any inoperability is on a division redundant to a division with inoperable offsite circuits.
| |
| The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:
| |
| : a. Two offsite circuits are inoperable; and
| |
| : b. A redundant required feature is inoperable.
| |
| If, at any time during the existence of this Condition (two offsite circuits inoperable), a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.
| |
| According to Regulatory Guide 1.93 (Ref. 9), operation may continue in Condition C for a period that should not exceed 24 hours. This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources.
| |
| Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable.
| |
| Columbia Generating Station B 3.8.1-12 Revision 73
| |
| | |
| AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)
| |
| However, two factors tend to decrease the severity of this degradation level:
| |
| : a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and
| |
| : b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.
| |
| With both of the offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.
| |
| According to Regulatory Guide 1.93 (Ref. 9), with the available offsite AC sources two less than required by the LCO, operation may continue for 24 hours. If two offsite sources are restored within 24 hours, unrestricted operation may continue. If only one offsite source is restored within 24 hours, power operation continues in accordance with Condition A.
| |
| D.1 and D.2 Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition D are modified by a Note to indicate that when Condition D is entered with no AC source to any division, Actions for LCO 3.8.7, "Distribution Systems -
| |
| Operating," must be immediately entered. This allows Condition D to provide requirements for the loss of the offsite circuit and one DG without regard to whether a division is de-energized. LCO 3.8.7 provides the appropriate restrictions for a de-energized division.
| |
| Columbia Generating Station B 3.8.1-13 Revision 82
| |
| | |
| AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)
| |
| According to Regulatory Guide 1.93 (Ref. 9), operation may continue in Condition D for a period that should not exceed 12 hours. In Condition D, individual redundancy is lost in electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in Condition C (loss of both offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.
| |
| E.1 With two DGs inoperable, there is one remaining standby AC source.
| |
| Thus, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions.
| |
| Since the offsite electrical power system is the only source of AC power for the majority of ESF equipment at this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown (the immediate shutdown could cause grid instability, which could result in a total loss of AC power). Since any inadvertent generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.
| |
| According to Regulatory Guide 1.93 (Ref. 9), with both DGs inoperable, operation may continue for a period that should not exceed 2 hours. This Completion Time assumes complete loss of onsite (DG) AC capability to power the minimum loads needed to respond to analyzed events. In the event Division 3 DG in conjunction with Division 1 or 2 DG is inoperable, with the other Division 1 or 2 DG remaining, a significant spectrum of breaks would be capable of being responded to with onsite power. Even the worst case event would be mitigated to some extentan extent greater than a typical two division design in which this condition represents complete loss of onsite power function. Given the remaining function, a 24 hour Completion Time is appropriate. At the end of this 24 hour period, Division 3 systems (HPCS) could be declared inoperable (see Applicability Note) and this Condition could be exited with only one required DG remaining inoperable. However, with a Division 1 or 2 DG remaining inoperable and the HPCS declared inoperable, a redundant required feature failure exists, according to Required Action B.2.
| |
| Columbia Generating Station B 3.8.1-14 Revision 73
| |
| | |
| AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)
| |
| F.1 If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which overall plant risk is minimized. To achieve this status, the unit must be brought to MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 19) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action F.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| G.1 Condition G corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.
| |
| SURVEILLANCE The AC sources are designed to permit inspection and testing of all REQUIREMENTS important areas and features, especially those that have a standby function, in accordance with 10 CFR 50, GDC 18 (Ref. 11). Periodic component tests are supplemented by extensive functional tests during refueling outages under simulated accident conditions. The SRs for demonstrating the OPERABILITY of the DGs are consistent with the Columbia Generating Station B 3.8.1-15 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) recommendations of Regulatory Guide 1.9 (Ref. 12) and Regulatory Guide 1.137 (Ref. 14). Where the SRs discussed herein specify voltage tolerances for EDG steady state performance, the following summary is applicable. For Division 1 and 2 DGs, the minimum steady state output voltage depends upon whether or not the DG is tied to its respective 4.16 kV ESF bus. If the SR does not require the DG to be tied to its bus, then the minimum steady state output voltage is 3910 V, which is the minimum voltage necessary to meet the DG breaker closure interlock.
| |
| If the SR requires the DG to be tied to its respective 4.16 kV ESF bus, then the minimum steady state output voltage is selected as 3910 Volts, a value that is also conservative to the maximum reset of the degraded voltage relays monitoring voltage on the Class 1E 4.16 kV ESF bus (Ref. 15). For the Division 3 DG, the minimum steady state output voltage is also 3910 V.
| |
| These voltage tolerances for EDG steady state performance are conservative with respect to a minimum steady state voltage of 3740 V which is 90% of the nominal 4160 V output voltage. This value, which is specified in ANSI C84.1 (Ref. 17), allows for voltage drop to the terminals of 4000 V motors whose minimum operating voltage is specified as 90%,
| |
| or 3600 V. It also allows for voltage drops to motors and other equipment down through the 120 V level, where minimum operating voltage is also usually specified as 90% of nameplate rating. A detailed description of the onsite Class 1E 4.16 kV ESF buses is found in FSAR chapter 8 (Ref. 2). The specified maximum steady state output voltage of 4400 V is equal to the maximum operating voltage specified for 4000 V motors. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum rated operating voltages. Where the SRs discussed herein specify frequency tolerances the specified minimum and maximum frequencies of the DG are 58.8 Hz and 61.2 Hz, respectively. These values are equal to +/- 2% of the 60 Hz nominal frequency and are derived from the recommendations given in Safety Guide 9 (Ref. 5) and Regulatory Guide 1.9 (Ref. 12).
| |
| SR 3.8.1.1 This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to their preferred power source and that appropriate Columbia Generating Station B 3.8.1-16 Revision 107
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) independence of offsite circuits is maintained. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.8.1.2 and SR 3.8.1.7 These SRs help to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and maintain the unit in a safe shutdown condition.
| |
| To minimize the wear on moving parts that do not get lubricated when the engine is not running, these SRs have been modified by Notes (Note 1 for SR 3.8.1.7 and Note 1 for SR 3.8.1.2) to indicate that all DG starts for these Surveillances may be preceded by an engine prelube period and followed by a warmup period prior to loading.
| |
| For the purposes of this testing, the DGs are started from standby conditions. Standby conditions for a DG mean that the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations.
| |
| In order to reduce stress and wear on diesel engines, the manufacturer recommends that the starting speed of DGs be limited, that warmup be limited to this lower speed, and that DGs be gradually accelerated to synchronous speed prior to loading. These start procedures are the intent of Note 2 to SR 3.8.1.2, which is only applicable when such procedures are recommended by the manufacturer.
| |
| SR 3.8.1.7 requires that the DG starts from standby conditions and achieves required voltage and frequency within 15 seconds. The 15 second start requirement supports the assumptions in the design basis LOCA analysis (Ref. 7). The 15 second start requirement may not be applicable to SR 3.8.1.2 (see Note 2 of SR 3.8.1.2), when a modified start procedure as described above is used. If a modified start is not used, the 15 second start requirement of SR 3.8.1.7 applies.
| |
| The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.8.1-17 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.8.1.3 This Surveillance demonstrates that the DGs are capable of synchronizing and accepting a load approximately equivalent to that corresponding to the continuous rating. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source.
| |
| Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0 when running synchronized with the grid. Since the generator is rated at a particular kVA at 0.8 power factor, the 0.8 value is the design rating of the machine. The 1.0 is an operational condition where the reactive power component is zero, which minimizes the reactive heating of the generator. Operating the generator at a power factor between 0.8 lagging and 1.0 avoids adverse conditions associated with underexciting the generator and more closely represents the generator operating requirements when performing its safety function (running isolated on its associated ESF bus). The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Note 1 modifies this Surveillance to indicate that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized.
| |
| Note 2 modifies this Surveillance by stating that momentary transients because of changing bus loads do not invalidate this test.
| |
| Note 3 indicates that this Surveillance must be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations.
| |
| Note 4 stipulates a prerequisite requirement for performance of this SR.
| |
| A successful DG start must precede this test to credit satisfactory performance.
| |
| Columbia Generating Station B 3.8.1-18 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| Note 5 stipulates that performance of the endurance test of SR 3.8.1.14 can be used to satisfy the requirements of SR 3.8.1.3. The upper load limits of SR 3.8.1.3 may be exceeded provided the remaining requirements of SR 3.8.1.3 are met. The reason for this allowance is to avoid having to perform an unnecessary test on the DG.
| |
| SR 3.8.1.4 This SR ensures that the volume of fuel oil in the day tank provides for DG operation for a minimum of one hour at full load plus 10%. The minimum amount of fuel oil required to satisfy one hour at 110%
| |
| correlates to 390 gallons for the Division 1 DG, 397 gallons for the Division 2 DG, and 231 gallons for the Division 3 DG. The day tank low level alarm is set at 1400 gallons for all three DGs, which is higher than the above specified minimum required values. The volume of fuel that constitutes the differential from the alarm set point and the one hour at 110% discussed above is utilized to support the 7 day and 6 day fuel oil storage requirements (see Bases for SR 3.8.3.1). For DGs 1 and 2, 1400 gallons supports approximately 3.5 hours of operation at 110% of continuous rated load. For DG-3, 1400 gallons supports approximately 7 hours of operation at continuous rated load. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Periodic removal of water from the fuel oil day tanks eliminates the necessary environment for bacterial survival. This is the most effective means in controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is for preventive maintenance. The presence of water does not necessarily represent a failure of this SR provided that accumulated water is removed during performance of this Surveillance.
| |
| Columbia Generating Station B 3.8.1-19 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.8.1.6 This Surveillance demonstrates that each required fuel oil transfer pump operates and automatically transfers fuel oil from its associated storage tank to its associated day tank. It is required to support the continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.8.1.8 Transfer of Division 1 and 2 4.16 kV ESF buses (SM-7 and SM-8) power supply from the startup offsite circuit to the backup offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the Division 1 and 2 shutdown loads.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This SR is modified by a Note which applies to verification of the automatic transfer function. The reason for the Note is that, during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, plant safety systems.
| |
| This restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow the Surveillance to be performed for the purpose of re-establishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of Columbia Generating Station B 3.8.1-20 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment. If the assessment cannot demonstrate that plant safety is maintained or enhanced (i.e., that the proposed testing will not cause electrical perturbations that would challenge continued steady state operation or challenge plant safety systems), the Note shall not be invoked and the surveillance testing shall not be performed. Usage of the allowance of the Note shall be an invoked and the surveillance testing shall not be performed. Usage of the allowance of the Note shall be an infrequently performed test evolution.
| |
| The Note is not applicable to verification of manual transfer of the unit power supply from the preferred offsite circuit to the alternate offsite circuit, since this evolution does not cause perturbations of the electrical distribution systems.
| |
| Credit may be taken for unplanned events that satisfy this SR.
| |
| SR 3.8.1.9 Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the largest single load without exceeding predetermined frequency and while maintaining a specified margin to the overspeed trip. The load referenced for DG-1 and 2 is the 1280 kW standby service water pump, and for DG-3 the 2380 kW HPCS pump. This Surveillance may be accomplished by:
| |
| : a. Tripping the DG output breaker with the DG carrying greater than or equal to its associated single largest post accident load while paralleled to offsite power, or while solely supplying the bus; or
| |
| : b. Tripping its associated single largest post accident load with the DG solely supplying the bus.
| |
| Consistent with Regulatory Guide 1.9 (Ref. 12), the load rejection test is acceptable if the diesel speed does not exceed the nominal synchronous speed plus 75% of the difference between nominal speed and the overspeed trip setpoint, or 115% of nominal speed, whichever is lower.
| |
| For all the DGs, this corresponds to 66.75 Hz, which is the nominal speed plus 75% of the difference between nominal speed and the overspeed trip setpoint.
| |
| Columbia Generating Station B 3.8.1-21 Revision 73
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| Testing performed for this SR is normally conducted with the DG being tested (and the associated safety-related and/or non safety-related distribution buses) connected to one offsite source, while the remaining safety-related (and associated non safety-related) distribution buses are aligned to the unit auxiliary transformers (or other offsite source). This minimizes the possibility of common cause failures resulting from offsite/grid voltage perturbations.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This SR has been modified by two Notes. The reason for Note 1 is that credit may be taken for unplanned events that satisfy this SR. In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, Note 2 requires that, if synchronized to offsite power, testing must be performed at a power factor as close to the power factor of the single largest post-accident load as practicable.
| |
| The approximate analyzed power factor value is 0.92 for DG-1, 0.86 for DG-2, and 0.92 for DG-3. These power factors are representative of the actual single largest inductive load that the DGs could experience when running isolated from offsite power. Under certain conditions, however, Note 2 allows the Surveillance to be conducted at a power factor other than these single largest load values. These conditions occur when grid voltage is high, and the additional field excitation needed to get the power factor to these levels results in voltages on the emergency busses that are higher than recommended. Under these conditions, the power factor should be maintained as close as practicable to these values while still maintaining acceptable voltage limits on the emergency busses. In other circumstances, the grid voltage may be such that the DG excitation levels needed to obtain a power factor as close as practicable to the analyzed value of 0.92 for DG-1, 0.86 for DG-2, and 0.92 for DG-3 may not cause unacceptable voltages on the emergency busses, but the excitation levels are in excess of those recommended for the DG.
| |
| In such cases, the power factor shall be maintained as close a practicable to these levels, allowing margin for changing grid conditions, without exceeding the DG excitation limits.
| |
| Therefore, to ensure the DG is not placed in an unsafe condition during this test, the power factor limit does not have to be met if grid voltage does not permit the power factor limit to be met when the DG is tied to the grid. When this occurs, the power factor should be maintained as close to the limit as practicable.
| |
| Columbia Generating Station B 3.8.1-22 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The requirements of SR 3.8.1.9 and SR 3.8.1.10 can be met with the performance of a single load reject test if the test methodology ensures that the acceptance criteria for both SRs is demonstrated.
| |
| SR 3.8.1.10 Consistent with Regulatory Guide 1.9 (Ref. 12), paragraph C.2.2.8, this Surveillance demonstrates the DG capability to reject a full load without overspeed tripping or exceeding the predetermined voltage limits. The DG full load rejection may occur because of a system fault or inadvertent breaker tripping. This Surveillance ensures proper engine generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG does not trip upon loss of the load.
| |
| These acceptance criteria provide DG damage protection. While the DG is not expected to experience this transient during an event, and continues to be available, this response ensures that the DG is not degraded for future application, including reconnection to the bus if the trip initiator can be corrected or isolated.
| |
| In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing must be performed at a power factor as close to the accident load power factor as practicable.
| |
| The approximate analyzed power factor limit is 0.89 for DG-1, 0.88 for DG-2, and 0.91 for DG-3. These power factors are representative of the actual design basis inductive loading that the DGs could experience when running isolated from offsite power.
| |
| Testing performed for this SR is normally conducted with the DG being tested (and the associated safety-related and/or non safety-related distribution buses) connected to one offsite source, while the remaining safety-related (and associated non safety-related) distribution buses are aligned to the unit auxiliary transformers (or other offsite source). This minimizes the possibility of common cause failures resulting from offsite/grid voltage perturbations.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.8.1-23 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| This SR has been modified by two Notes. The reason for Note 1 is that credit may be taken for unplanned events that satisfy this SR. Note 2 ensures that the DG is tested under load conditions that are as close to design basis conditions as practicable. When synchronized with offsite power, testing should be performed as close as practicable to the analyzed value of the accident load power factor of 0.89 for DG-1, 0.88 for DG-2, and 0.91 for DG-3. This power factor is representative of the actual inductive loading that the DGs could experience when running isolated from offsite power. However, Note 2 allows the Surveillance to be conducted at a power factor other than these levels. These conditions occur when grid voltage is high, and the additional field excitation needed to get these power factors results in voltage on the emergency busses that are higher than recommended. Under these conditions, the power factor should be maintained as close as practicable to these levels while still maintaining acceptable voltage limits on the emergency busses.
| |
| In other circumstances, the grid voltage may be such that the DG excitation levels needed to obtain these power factors may not cause unacceptable voltages on the emergency busses, but the excitation levels are in excess of those recommended for the DG. In such cases, the power factor shall be maintained as close to practicable to these levels, allowing margin for changing grid conditions, without exceeding the DG excitation limits.
| |
| The requirements of SR 3.8.1.9 and SR 3.8.1.10 can be met with the performance of a single load reject test if the test methodology ensures that the acceptance criteria for both SRs is demonstrated.
| |
| SR 3.8.1.11 Consistent with Regulatory Guide 1.9 (Ref. 12), paragraph C.2.2.4, this Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies all actions encountered from the loss of offsite power, including shedding of the nonessential loads and energization of the emergency buses and respective loads from the DG. It further demonstrates the capability of the DG to automatically achieve the required voltage and frequency within the specified time.
| |
| The DG auto-start and energization of permanently connected loads times of 15 seconds for Division 1 and 2 and 18 seconds for Division 3 are derived from requirements of the accident analysis for responding to a design basis large break LOCA (Ref. 7). The DG-3 18 second start time includes the Loss of Voltage - Time Delay Function specified in Columbia Generating Station B 3.8.1-24 Revision 73
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| LCO 3.3.8.1. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved.
| |
| The requirement to verify the connection and power supply of permanent and auto-connected loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves are not desired to be stroked open, systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of the connection and loading of these loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable.
| |
| This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge plant safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, or 3 is further amplified to allow portions of the Surveillance to be performed for the purpose of re-establishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced.
| |
| This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes.
| |
| These shall be measured against the avoided risk of plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1, 2, or 3. Risk insights or deterministic methods may be used for this assessment. If the Columbia Generating Station B 3.8.1-25 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) assessment cannot demonstrate that plant safety is maintained or enhanced (i.e., that the proposed testing will not cause electrical perturbations that would challenge continued steady state operation or challenge plant safety systems), the Note shall not be invoked and the surveillance testing shall not be performed. Usage of the allowance of the Note shall be an invoked and the surveillance testing shall not be performed. Usage of the allowance of the Note shall be an infrequently performed test evolution. Credit may be taken for unplanned events that satisfy this SR.
| |
| SR 3.8.1.12 Consistent with Regulatory Guide 1.9 (Ref. 12), paragraph C.2.2.5, this Surveillance demonstrates that the DG automatically starts and achieves the required voltage and frequency within the specified time (15 seconds) from the design basis actuation signal (LOCA signal) and operates for 5 minutes. The 5 minute period provides sufficient time to demonstrate stability. SR 3.8.1.12.d and SR 3.8.1.12.e ensure that permanently connected loads and emergency loads are energized from the offsite electrical power system on an ECCS signal without loss of offsite power.
| |
| The requirement to verify the connection and power supply of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the loading logic for loading onto offsite power. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation.
| |
| For instance, ECCS injection valves are not desired to be stroked open, systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of the connection and loading of these loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable.
| |
| This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.8.1-26 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations. The reason for Note 2 is that during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, plant safety systems. This restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow portions of the Surveillance to be performed for the purpose of re-establishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes.
| |
| These shall be measured against the avoided risk of plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment. If the assessment cannot demonstrate that plant safety is maintained or enhanced (i.e., that the proposed testing will not cause electrical perturbations that would challenge continued steady state operation or challenge plant safety systems), the Note shall not be invoked and the surveillance testing shall not be performed. Usage of the allowance of the Note shall be an invoked and the surveillance testing shall not be performed. Usage of the allowance of the Note shall be an infrequently performed test evolution.
| |
| Credit may be taken for unplanned events that satisfy this SR.
| |
| SR 3.8.1.13 Consistent with Regulatory Guide 1.9 (Ref. 12), paragraph C.2.2.12, this Surveillance demonstrates that DG non-critical protective functions (e.g.,
| |
| high jacket water temperature) are bypassed on a loss of voltage signal Columbia Generating Station B 3.8.1-27 Revision 73
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) concurrent with an ECCS initiation test signal and critical protective functions (engine overspeed, generator differential current, and incomplete starting sequence) trip the DG to avert substantial damage to the DG unit. The non-critical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately.
| |
| The DG availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| The SR is modified by a Note. The reason for the Note is that credit may be taken for unplanned events that satisfy this SR.
| |
| SR 3.8.1.14 Consistent with Regulatory Guide 1.9 (Ref. 12), paragraph C.2.2.9, this Surveillance requires demonstration that the DGs can start and run continuously at full load capability for an interval of not less than 24 hours, 22 hours of which is at a load equivalent to 90% to 100% of the continuous rating of the DG and 2 hours of which is at a load equivalent to 105% to 110% of the continuous duty rating of the DG. The DG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelube and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.
| |
| In order to ensure that the DG is tested under load conditions that are as close to design conditions as possible, testing must be performed at a power factor as close to the accident load power factor as practicable.
| |
| The approximate analyzed power factor value is 0.89 for DG-1, 0.88 for DG-2, and 0.91 for DG-3. These power factors are representative of the actual design basis inductive loading that the DGs could experience when running isolated from offsite power.
| |
| Columbia Generating Station B 3.8.1-28 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| Testing performed for this SR is normally conducted with the DG being tested (and the associated safety-related and/or non safety-related distribution buses) connected to one offsite source, while the remaining safety-related (and associated non safety-related) distribution buses are aligned to the unit auxiliary transformers (or other offsite source). This minimizes the possibility of common cause failures resulting from offsite/grid voltage perturbations.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This Surveillance is modified by three Notes. Note 1 states that momentary transients due to changing bus loads do not invalidate this test. The load band is provided to avoid routine overloading of the DG.
| |
| Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. Similarly, momentary transients of excitation current or power factor do not invalidate the test. The reason for Note 2 is that credit may be taken for unplanned events that satisfy this SR. Note 3 ensures that the DG is tested under load conditions that are as close to design basis conditions as practicable. When synchronized with offsite power, testing should be performed as close as practicable to the analyzed value of the accident load power factor of 0.89 for DG-1, 0.88 for DG-2, and 0.91 for DG-3. This power factor is representative of the actual inductive loading of DG would see under design bases accident conditions. Under these conditions, the power factor should be maintained as close as practicable to these levels while still maintaining acceptable voltage limits on the emergency busses. In other circumstances, the grid voltage may be such that the DG excitation levels needed to obtain power factors of these levels may not cause unacceptable voltages on the emergency busses, but the excitation levels are in excess of those recommended for the DG. In such cases, the power factor shall be maintained as close a practicable to these levels, allowing margin for changing grid conditions, without exceeding the DG excitation limits.
| |
| SR 3.8.1.15 This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from normal Surveillances, and achieve the required voltage and frequency within 15 seconds. The 15 second time is derived from the requirements of the accident analysis for responding to a design basis large break LOCA (Ref. 7).
| |
| Columbia Generating Station B 3.8.1-29 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This SR has been modified by two Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The requirement that the diesel has operated for at least 1 hour at full load conditions prior to performance of this Surveillance is based on manufacturer recommendations for achieving hot conditions. Momentary transients due to changing bus loads do not invalidate this test. Note 2 allows all DG starts to be preceded by an engine prelube period to minimize wear and tear on the diesel during testing.
| |
| SR 3.8.1.16 Consistent with Regulatory Guide 1.9 (Ref. 12), paragraph C.2.2.11, this Surveillance ensures that the manual synchronization and load transfer from the DG to the offsite source can be made and that the DG can be returned to ready-to-load status when offsite power is restored. It also ensures that the auto-start logic is reset to allow the DG to reload if a subsequent loss of offsite power occurs. The DG is considered to be in ready-to-load status when the DG is at rated speed and voltage, the output breaker is open and can receive an auto-close signal on bus undervoltage, and the individual load timers are reset.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.
| |
| This restriction from normally performing the Surveillance in MODE 1, 2, or 3 is further amplified to allow the Surveillance to be performed for the purpose of re-establishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced.
| |
| Columbia Generating Station B 3.8.1-30 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes.
| |
| These shall be measured against the avoided risk of plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1, 2, or 3. Risk insights or deterministic methods may be used for this assessment. If the assessment cannot demonstrate that plant safety is maintained or enhanced (i.e., that the proposed testing will not cause electrical perturbations that would challenge continued steady state operation or challenge plant safety systems), the Note shall not be invoked and the surveillance testing shall not be performed. Usage of the allowance of the Note shall be an infrequently performed test evolution. Credit may be taken for unplanned events that satisfy this SR.
| |
| SR 3.8.1.17 Consistent with Regulatory Guide1.9 (Ref. 12), paragraph C.2.2.13, demonstration of the parallel test mode override ensures that the DG availability under accident conditions is not compromised as the result of testing. Interlocks to the LOCA sensing circuits cause the DG to automatically reset to ready-to-load operation if an ECCS initiation signal is received during operation in the test mode. Ready-to-load operation is defined as the DG running at rated speed and voltage with the DG output breaker open. These provisions for automatic switchover are required by IEEE-308 (Ref. 16), paragraph 6.2.6(2).
| |
| The requirement to automatically energize the emergency loads with offsite power is essentially identical to that of SR 3.8.1.12. The intent in the requirement associated with SR 3.8.1.17.b is to show that the emergency loading is not affected by the DG operation in test mode.
| |
| In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.
| |
| Columbia Generating Station B 3.8.1-31 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| Testing performed for this SR is normally conducted with the DG being tested (and the associated safety-related and/or non safety-related distribution buses) connected to one offsite source, while the remaining safety-related (and associated non safety-related) distribution buses are aligned to the unit auxiliary transformers (or other offsite source). This minimizes the possibility of common cause failures resulting from offsite/grid voltage perturbations.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This SR has been modified by a Note. The reason for the Note is that credit may be taken for unplanned events that satisfy this SR.
| |
| SR 3.8.1.18 Under accident conditions, loads are sequentially connected to the bus by the automatic load sequence time delay relays. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents. The 10% load sequence time interval tolerance ensures that a sufficient time interval exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated. Reference 2 provides a summary of the automatic loading of ESF buses. Since only DG-1 and DG-2 have more than one load block, this SR is only applicable to these DGs.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note. The reason for the Note is that performing the Surveillance during these MODES would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge plant safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, or 3 is further amplified to allow the Surveillance to be performed for the purpose of re-establishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well Columbia Generating Station B 3.8.1-32 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) as the operator procedures available to cope with these outcomes.
| |
| These shall be measured against the avoided risk of plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1, 2, or 3. Risk insights or deterministic methods may be used for this assessment. If the assessment cannot demonstrate that plant safety is maintained or enhanced (i.e., that the proposed testing will not cause electrical perturbations that would challenge continued steady state operation or challenge plant safety systems), the Note shall not be invoked and the surveillance testing shall not be performed. Usage of the allowance of the Note shall be an invoked and the surveillance testing shall not be performed. Usage of the allowance of the Note shall be an infrequently performed test evolution. Credit may be taken for unplanned events that satisfy this SR.
| |
| SR 3.8.1.19 In the event of a DBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.
| |
| This Surveillance demonstrates the DG operation, as discussed in the Bases for SR 3.8.1.11, during a loss of offsite power actuation test signal in conjunction with an ECCS initiation signal. Since the DG-3 Loss of Voltage - Time Delay Function is bypassed during an ECCS initiation signal, a 15 second DG-3 start time applies, consistent with the DBA LOCA analysis (Ref. 7). In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge plant safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, or 3 is further amplified to allow portions of Columbia Generating Station B 3.8.1-33 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) the Surveillance to be performed for the purpose of re-establishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced.
| |
| This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes.
| |
| These shall be measured against the avoided risk of plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1, 2, or 3. Risk insights or deterministic methods may be used for this assessment. If the assessment cannot demonstrate that plant safety is maintained or enhanced (i.e., that the proposed testing will not cause electrical perturbations that would challenge continued steady state operation or challenge plant safety systems), the Note shall not be invoked and the surveillance testing shall not be performed. Usage of the allowance of the Note shall be an invoked and the surveillance testing shall not be performed. Usage of the allowance of the Note shall be an infrequently performed test evolution. Credit may be taken for unplanned events that satisfy this SR.
| |
| SR 3.8.1.20 This Surveillance demonstrates that the DG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This SR is modified by a Note. The reason for the Note is to minimize wear on the DG during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations.
| |
| Columbia Generating Station B 3.8.1-34 Revision 93
| |
| | |
| AC Sources - Operating B 3.8.1 BASES REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.
| |
| : 2. FSAR, Chapter 8.
| |
| : 3. Deleted.
| |
| : 4. FSAR, Tables 8.3-1, 8.3-2, and 8.3-3.
| |
| : 5. Safety Guide 9, Revision 0, March 1971.
| |
| : 6. FSAR, Chapter 6.
| |
| : 7. FSAR, Chapter 15.
| |
| : 8. 10 CFR 50.36(c)(2)(ii).
| |
| : 9. Regulatory Guide 1.93, Revision 0, December 1974.
| |
| : 10. Generic Letter 84-15, July 2, 1984.
| |
| : 11. 10 CFR 50, Appendix A, GDC 18.
| |
| : 12. Regulatory Guide 1.9, July 1993.
| |
| : 13. Deleted.
| |
| : 14. Regulatory Guide 1.137, Revision 1, October 1979.
| |
| : 15. Calculations Nos. E/I-02-87-07 and 2-12-58.
| |
| : 16. IEEE Standard 308-1974.
| |
| : 17. ANSI C84.1, 1982.
| |
| : 18. Letter, GO2-13-043, Request for Technical Specification Interpretation Regarding the Offsite Power Supplies to the Onsite Class 1E AC Power Distribution System.
| |
| : 19. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| Columbia Generating Station B 3.8.1-35 Revision 107
| |
| | |
| AC Sources - Shutdown B 3.8.2 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.2 AC Sources - Shutdown BASES BACKGROUND A description of the AC sources is provided in the Bases for LCO 3.8.1, "AC Sources - Operating."
| |
| APPLICABLE The OPERABILITY of the minimum AC sources during MODES 4 and 5 SAFETY ensures that:
| |
| ANALYSES
| |
| : a. The unit can be maintained in the shutdown or refueling condition for extended periods;
| |
| : b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
| |
| : c. Adequate AC electrical power is provided to mitigate events postulated during shutdown.
| |
| In general, when the unit is shutdown the Technical Specifications (TS) requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or loss of all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs), which are analyzed in MODES 1, 2, and 3, have no specific analyses in MODES 4 and 5. Worst case bounding events are deemed not credible in MODES 4 and 5 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence significantly reduced or eliminated, and minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.
| |
| During MODES 1, 2, and 3, various deviations from the analysis assumptions and design requirements are allowed within the ACTIONS.
| |
| This allowance is in recognition that certain testing and maintenance activities must be conducted provided an acceptable level of risk is not exceeded.
| |
| During MODES 4 and 5, performance of a significant number of required testing and maintenance activities is also required. In MODES 4 and 5, the activities are generally planned and administratively controlled.
| |
| Relaxations from typical MODE 1, 2, and 3 LCO requirements are acceptable during shutdown MODES based on:
| |
| Columbia Generating Station B 3.8.2-1 Revision 111
| |
| | |
| AC Sources - Shutdown B 3.8.2 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| : a. The fact that time in an outage is limited. This is a risk prudent goal as well as utility economic consideration.
| |
| : b. Requiring appropriate compensatory measures for certain conditions.
| |
| These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operating MODE analyses, or both.
| |
| : c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.
| |
| : d. Maintaining, to the extent practicable, the ability to perform required functions (even if not meeting MODE 1, 2, and 3 OPERABILITY requirements) with systems assumed to function during an event.
| |
| In the event of an accident during shutdown, this LCO ensures the capability of supporting systems necessary to avoid immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite (diesel generator (DG)) power.
| |
| The AC sources satisfy Criterion 3 of Reference 1.
| |
| LCO One offsite circuit supplying onsite Class 1E power distribution subsystem(s) of LCO 3.8.8, "Distribution Systems - Shutdown," ensures that all required loads are powered from offsite power. An OPERABLE DG, associated with a Division 1 or Division 2 Distribution System Engineered Safety Feature (ESF) bus required OPERABLE by LCO 3.8.8, ensures a diverse power source is available to provide electrical power support, assuming a loss of the offsite circuit. Similarly, when the high pressure core spray (HPCS) is required to be OPERABLE, an OPERABLE Division 3 DG ensures an additional source of power for the HPCS. Together, OPERABILITY of the required offsite circuit(s) and DG(s) ensures the availability of sufficient AC sources to operate the plant in a safe manner and to mitigate the consequences of postulated events during shutdown.
| |
| The qualified offsite circuit(s) must be capable of maintaining rated frequency and voltage while connected to their respective ESF bus(es),
| |
| and accepting required loads during an accident. Qualified offsite circuits are those that are described in the FSAR and are part of the licensing basis for the plant. The qualified offsite circuit includes the circuit path and disconnect to the respective transformer, the circuit path and breakers to the respective non-Class 1E 4.16 kV switchgear, SM-1, SM-2, and SM-3 (for the TR-S offsite circuit only), and the circuit path and breakers to the respective Class 1E switchgear (SM-4, SM-7, and SM-8) required by LCO 3.8.8.
| |
| Columbia Generating Station B 3.8.2-2 Revision 111
| |
| | |
| AC Sources - Shutdown B 3.8.2 BASES LCO (continued)
| |
| The required DG must be capable of starting, accelerating to rated speed and voltage, and connecting to its respective ESF bus on detection of bus undervoltage, and accepting required loads. This sequence must be accomplished within 15 seconds for Divisions 1 and 2, and 18 seconds for Division 3. The DG-3 18 second start time includes the Loss of Voltage - Time Delay Function specified in LCO 3.3.8.1, "Loss of Power (LOP) Instrumentation." Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the ESF buses.
| |
| These capabilities are required to be met from a variety of initial conditions such as: DG in standby with the engine hot and DG in standby with the engine at ambient conditions. Additional DG capabilities must be demonstrated to meet required Surveillances, e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode.
| |
| Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY. The necessary portions of the Standby Service Water and HPCS Service Water systems are also required to provide appropriate cooling to each required DG.
| |
| It is acceptable for divisions to be cross tied during shutdown conditions, permitting a single offsite power circuit to supply all required divisions. No fast transfer capability is required for offsite circuits to be considered OPERABLE.
| |
| APPLICABILITY The AC sources required to be OPERABLE in MODES 4 and 5 provide assurance that:
| |
| : a. Systems that provide core cooling are available;
| |
| : b. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
| |
| : c. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.
| |
| The AC power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.1.
| |
| Columbia Generating Station B 3.8.2-3 Revision 111
| |
| | |
| AC Sources - Shutdown B 3.8.2 BASES ACTIONS A.1, A.2, and B.1 An offsite circuit is considered inoperable if it is not available to one required ESF division. If two or more ESF 4.16 kV buses are required per LCO 3.8.8, division(s) with offsite power available may be capable of supporting sufficient required features. By the allowance of the option to declare required features inoperable that are not powered from offsite power, appropriate restrictions can be implemented in accordance with the required feature(s) LCOs' ACTIONS. Required features remaining powered from a qualified offsite power circuit, even if that circuit is considered inoperable because it is not powering other required features, are not declared inoperable by this Required Action.
| |
| With the offsite circuit not available to all required divisions, the option still exists to declare all required features inoperable per Required Action A.1.
| |
| Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made, and Required Action A.2 requires action be initiated immediately to restore the required AC sources. With the required DG inoperable, the minimum required diversity of AC power sources is not available, and Required Action B.1 requires action be initiated immediately to restore the required DG.
| |
| These actions are continued until restoration is accomplished in order to provide the necessary AC power to the plant safety systems.
| |
| The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power.
| |
| Pursuant to LCO 3.0.6, the Distribution System ACTIONS are not entered even if all AC sources to it are inoperable, resulting in de-energization.
| |
| Therefore, the Required Actions of Condition A have been modified by a Note to indicate that when Condition A is entered with no AC power to any required ESF bus, ACTIONS for LCO 3.8.8 must be immediately entered. This Note allows Condition A to provide requirements for the loss of the offsite circuit whether or not a division is de-energized.
| |
| LCO 3.8.8 provides the appropriate restrictions for the situation involving a de-energized division.
| |
| Columbia Generating Station B 3.8.2-4 Revision 111
| |
| | |
| AC Sources - Shutdown B 3.8.2 BASES ACTIONS (continued)
| |
| C.1 When the HPCS is required to be OPERABLE, and the Division 3 DG is inoperable, the required diversity of AC power sources to the HPCS is not available. Since these sources only affect the HPCS, the HPCS is declared inoperable and the Required Actions of LCO 3.5.2, "RPV Water Inventory Control" entered.
| |
| In the event all sources of power to Division 3 are lost, Condition A will also be entered and direct that the ACTIONS of LCO 3.8.8 be taken. If only the Division 3 DG is inoperable, and power is still supplied to HPCS, 72 hours is allowed to restore the DG to OPERABLE. This is reasonable considering HPCS will still perform its function, absent an additional single failure.
| |
| SURVEILLANCE SR 3.8.2.1 REQUIREMENTS SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in other than MODES 1, 2, and 3. SR 3.8.1.8 is not required to be met since only one offsite circuit is required to be OPERABLE. SR 3.8.1.17 is not required to be met because the required OPERABLE DG(s) is not required to undergo periods of being synchronized to the offsite circuit. SR 3.8.1.20 is excepted because starting independence is not required with the DG(s) that is not required to be OPERABLE. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR.
| |
| This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DG(s) from being paralleled with the offsite power network or otherwise rendered inoperable during the performance of SRs, and to preclude de-energizing a required 4160 V ESF bus or disconnecting a required offsite circuit during performance of SRs. With limited AC sources available, a single event could compromise both the required circuit and the DG. It is the intent that these SRs must still be capable of being met, but actual performance is not required during periods when the DG and offsite circuit are required to be OPERABLE.
| |
| REFERENCES 1. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.8.2-5 Revision 111
| |
| | |
| Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air BASES BACKGROUND Each diesel generator (DG) is provided with a storage tank which, in combination with the associated day tank, has a fuel oil capacity sufficient to operate that DG for a period of 7 days while the DG is supplying maximum post loss of coolant accident load demand (Refs. 1 and 2). The maximum load demand is calculated using the assumption that at least two DGs are available. This onsite fuel oil capacity is sufficient to operate the DGs for longer than the time to replenish the onsite supply from outside sources. Additional onsite storage is also provided by the auxiliary boiler fuel storage tank. The quality of the fuel in this tank is maintained in accordance with the requirements for the fuel stored in the DG storage and day tanks. However, no credit for accident mitigation is allowed for the quantity of the fuel stored in the auxiliary boiler fuel storage tank.
| |
| Fuel oil is transferred from each storage tank to its respective day tank by a transfer pump associated with each storage tank. Redundancy of pumps and piping precludes the failure of one pump, or the rupture of any pipe, valve, or tank to result in the loss of more than one DG. All outside tanks, pumps, and piping are located underground. The fuel oil level in the storage tank is indicated locally and is provided with high and low level switches which actuate alarm annunciators in the main control room.
| |
| The transfer pump on the filter polishing skid is used to move fuel oil from the auxiliary boiler fuel storage tank to each of the DG storage tanks. The auxiliary boiler and filter polishing systems and associated components are not required to conform to all of the guidelines in Regulatory Guide 1.137 (Ref. 2), because failure of a component or rupture of the piping would not result in the loss of a DG.
| |
| For proper operation of the standby DGs, it is necessary to ensure the proper quality of the fuel oil. Regulatory Guide 1.137 (Ref. 2) and ANSI N195 (Ref. 3) address recommended fuel oil practices, as modified by 1) the ACTIONS and Surveillance Requirements (SRs) of Specification 3.8.3 and 2) the Bases for SR 3.8.3.3, which specifies the current fuel oil testing standards. The fuel oil properties governed by these SRs include the water and sediment content, the kinematic viscosity, specific gravity (or API gravity or absolute specific gravity), and impurity level, among others.
| |
| Columbia Generating Station B 3.8.3-1 Revision 73
| |
| | |
| Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES BACKGROUND (continued)
| |
| The DG lubrication system is designed to provide sufficient lubrication to permit proper operation of its associated DG under all loading conditions.
| |
| The system is required to circulate the lube oil to the diesel engine working surfaces and to remove excess heat generated by friction during operation. Each engine oil sump contains an inventory capable of supporting a minimum of 7 days of operation. This supply is sufficient to allow the operator to replenish lube oil from outside sources.
| |
| Division 1 and 2 DGs each have an air start subsystem that includes two air start receivers (each receiver has four air tanks), each with adequate capacity for five successive starts without recharging the air start receiver.
| |
| The Division 3 DG has an air start subsystem that includes two air start receivers, each with adequate capacity for three successive starts without recharging the air receivers.
| |
| APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY analyses in FSAR, Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5),
| |
| ANALYSES assume Engineered Safety Feature (ESF) systems are OPERABLE. The DGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, reactor coolant system, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems.
| |
| Since diesel fuel oil, lube oil, and starting air subsystems support the operation of the standby AC power sources, they satisfy Criterion 3 of Reference 6.
| |
| LCO Stored diesel fuel oil is required to have sufficient supply for 7 days of full load operation. It is also required to meet specific standards for quality.
| |
| Additionally, sufficient lube oil supply must be available to ensure capability to operate at full load for 7 days. This requirement, in conjunction with an ability to obtain replacement supplies within 7 days, supports the availability of DGs required to shut down the reactor and to maintain it in a safe condition for an anticipated operational occurrence (AOO) or a postulated DBA with loss of offsite power. DG day tank fuel requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO 3.8.1, "AC Sources - Operating," and LCO 3.8.2, "AC Sources - Shutdown."
| |
| Columbia Generating Station B 3.8.3-2 Revision 73
| |
| | |
| Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES LCO (continued)
| |
| The starting air system is required to have a minimum capacity for five successive Division 1 and 2 DG starts and three successive Division 3 DG starts without recharging the air start receivers. Only one air start receiver (and associated air start header) per DG is required, since each air start receiver has the required capacity.
| |
| APPLICABILITY The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an AOO or a postulated DBA. Since stored diesel fuel oil, lube oil, and starting air subsystems support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil, lube oil, and starting air are required to be within limits when the associated DG is required to be OPERABLE.
| |
| ACTIONS The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each DG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable DG subsystem. Complying with the Required Actions for one inoperable DG subsystem may allow for continued operation, and subsequent inoperable DG subsystem(s) are governed by separate Condition entry and application of associated Required Actions.
| |
| A.1 In this Condition, the 7 day fuel oil supply for a DG is not available.
| |
| However, the Condition is restricted to the fuel oil level reductions that maintain at least a 6 day supply. For the purposes of this LCO, the fuel oil storage subsystem includes the storage tank and the available volume in the day tank (see Bases for SR 3.8.1.4) for each respective DG. Table B 3.8.3-1 specifies the fuel oil storage subsystem equivalents for a 7 day and 6 day supply. These circumstances may be caused by events such as:
| |
| : a. Full load operation required after an inadvertent start while at minimum required level; or
| |
| : b. Feed and bleed operations that may be necessitated by increasing particulate levels or any number of other oil quality degradations.
| |
| This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of the fuel oil to the tank. A period of 48 hours is considered sufficient to complete restoration of the required level prior to declaring the DG inoperable. This period is acceptable based on the remaining Columbia Generating Station B 3.8.3-3 Revision 73
| |
| | |
| Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS (continued) capacity (> 6 days), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.
| |
| B.1 In this Condition, the 7 day lube oil inventory, i.e. the combined inventory of the DG lube oil sump and lube oil stored in the warehouse to support 7 days of continuous DG operation at full load conditions, is not available.
| |
| However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply. The lube oil equivalent to a 7 day supply is 330 gallons for Division 1 or 2 DG (165 gallons for each engine sump),
| |
| and 165 gallons for the Division 3 DG. Available lube oil may be stored in the engine sumps, the warehouse, or in a combination of other storage locations. Lube oil sumps must be filled to at least the LOW dipstick level in order to be able to credit lube oil supplies in other locations. When engine sump level is greater than or equal to nine inches above the LOW dipstick level, all required oil is contained within the sump. The lube oil inventory equivalent to a 6 day supply is 283 gallons for Division 1 or 2 DG, and 142 gallons for Division 3 DG. This restriction allows sufficient time for obtaining the requisite replacement volume. A period of 48 hours is considered sufficient to complete restoration of the required volume prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the low rate of usage, the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.
| |
| C.1 This Condition is entered as a result of a failure to meet the acceptance criterion for particulates. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling),
| |
| contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend. Since the presence of particulate does not mean failure of the fuel oil to burn properly in the diesel engine, since particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and since proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated DG inoperable. The 7 day Completion Time allows for further evaluation, resampling, and re-analysis of the DG fuel oil.
| |
| Columbia Generating Station B 3.8.3-4 Revision 73
| |
| | |
| Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS (continued)
| |
| D.1 With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or to restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or a combination of these procedures. Even if a DG start and load was required during this time interval and the fuel oil properties were outside limits, there is high likelihood that the DG would still be capable of performing its intended function.
| |
| E.1 With required starting air receiver pressure < 230 psig for a Division 1 or 2 DG, or < 223 psig for the Division 3 DG, sufficient capacity for five successive DG starts for a Division 1 or 2 DG, and three successive DG starts for the Division 3 DG does not exist. However, as long as the receiver pressure is > 150 psig, there is adequate capacity for at least one start, and the DG can be considered OPERABLE while the air receiver pressure is restored to the required limit. A period of 48 hours is considered sufficient to complete restoration to the required pressure prior to declaring the DG inoperable. This period is acceptable based on the remaining air start capacity, the fact that most DG starts are accomplished on the first attempt, and the low probability of an event during this brief period.
| |
| F.1 With a Required Action and associated Completion Time of Condition A, B, C, D, or E not met, or the stored diesel fuel oil, lube oil, or starting air subsystem not within limits for reasons other than addressed by Conditions A through E, the associated DG may be incapable of performing its intended function and must be immediately declared inoperable.
| |
| Columbia Generating Station B 3.8.3-5 Revision 73
| |
| | |
| Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE SR 3.8.3.1 REQUIREMENTS This SR provides verification that there is an adequate inventory of fuel oil in the storage subsystem to support each DGs operation for 7 days at full load. The fuel oil storage subsystem for each DG consist of the respective fuel storage tank and the volume in the day tank that is in excess of 1 hour at full load plus 10 % (see Bases for SR 3.8.1.4) Table B 3.8.3-1 specifies the fuel oil level equivalent to a 7 day supply for each storage subsystem when calculated in accordance with References 2, and 3. The required fuel storage volume is determined using the most limiting energy content of the stored fuel. Using the known correlation of diesel fuel oil absolute specific gravity or API gravity to energy content, the required diesel generator output, and the corresponding fuel consumption rate, the onsite fuel storage volume required for 7 days or operation can be determined. SR 3.8.3.3 requires new fuel to be tested in accordance with ASTM D975-08 (Ref. 7) to verify that the new fuel absolute specific gravity or API gravity is within the range assumed in the diesel fuel oil consumption calculations. The 7 day period is sufficient time to place the unit in a safe shutdown condition and to bring in replenishment fuel from an offsite location.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.8.3.2 This Surveillance ensures that sufficient lube oil inventory (combined inventory in the DG lube oil sump(s) and in the warehouse) is available to support at least 7 days of full load operation for each DG. The lube oil level equivalent to a 7 day supply is 330 gallons for Division 1 or 2 DG, and 165 gallons for a Division 3 DG. The lube oil level equivalent to a 7 day supply is 330 gallons for Division 1 or 2 DG, and 165 gallons for Division 3 DG. The 330 gallon requirement for Divisions 1 and 2 DGs and the 165 gallon requirement for Division 3 DG are based on the DG manufacturer's consumption values for the run time of the DG. Normally, sufficient volume is maintained in the DG lube oil sump(s). However, implicit in this SR is the requirement to verify the capability to transfer the lube oil from its storage location to the DG when the DG lube oil sump(s) do not hold adequate inventory for 7 days of full load operation without the level reaching the manufacturer's recommended minimum level.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.8.3-6 Revision 93
| |
| | |
| Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.8.3.3 The tests of new fuel oil prior to addition to the storage tanks are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate detrimental impact on diesel engine combustion and operation. If results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank(s), but in no case is the time between the sample (and corresponding results) of new fuel and addition of new fuel oil to the storage tanks to exceed 31 days. The tests, limits, and applicable ASTM Standards are as follows:
| |
| : a. Sample the new fuel oil in accordance with ASTM D4057-06 (Ref. 7);
| |
| : b. Verify in accordance with the tests specified in ASTM D975-08 (Ref. 7) that: (1) the sample has an API gravity of within 0.3° at 60°F or a specific gravity of within 0.0016 at 60/60°F, when compared to the supplier's certificate, or the sample has an absolute specific gravity at 60/60°F of 0.84 and 0.89 or an API gravity at 60°F of 27° and < 38° when tested in accordance with ASTM D1298-99 (Ref. 7); (2) a kinematic viscosity at 40°C of 1.9 centistokes and 4.1 centistokes, if gravity was not determined by comparison with the supplier's certification; and (3) a flash point of 125°F; and
| |
| : c. Verify that the new fuel oil has a water and sediment content of 0.05% volume when tested in accordance with ASTM D2709-96 (Ref. 7) or a clear and bright appearance with proper color when tested in accordance with ASTM D4176-04 (Ref. 7).
| |
| Failure to meet any of the above limits is cause for rejecting the new fuel oil, but does not represent a failure to meet the LCO since the fuel oil is not added to the storage tanks.
| |
| Following the initial new fuel oil sample, the fuel oil is analyzed to establish that the other properties specified in Table 1 of ASTM D975-08 (Ref. 7) are met for new fuel oil when tested in accordance with ASTM D975-08 (Ref. 7), except that the analysis for sulfur may be performed in accordance with ASTM D2622-94 (Ref. 7), or ASTM D4294-08 (Ref. 7),
| |
| or ASTM D5453-08 (Ref. 7), or ASTM D3120-06 (Ref. 7). These additional analyses are required by Specification 5.5.9, Diesel Fuel Oil Columbia Generating Station B 3.8.3-7 Revision 73
| |
| | |
| Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| Testing Program, to be performed within 31 days following sampling and addition. This 31 day requirement is intended to assure that:
| |
| : a. The new fuel oil sample taken is no more than 31 days old at the time of adding the new fuel oil to the DG storage tank; and
| |
| : b. The results of the new fuel oil sample are obtained within 31 days after addition of the new fuel oil to the DG storage tank.
| |
| The 31 day period is acceptable because the fuel oil properties of interest, even if not within stated limits, would not have an immediate effect on DG operation. This Surveillance ensures the availability of high quality fuel oil for the DGs.
| |
| Fuel oil degradation during long term storage shows up as an increase in particulate, mostly due to oxidation. The presence of particulate does not mean that the fuel oil will not burn properly in a diesel engine. However, the particulate can cause fouling of filters and fuel oil injection equipment, which can cause engine failure.
| |
| Particulate concentrations should be determined in accordance with ASTM D5452-06 (Ref. 7). This method involves a gravimetric determination of total particulate concentration in the fuel oil and has a limit of 10 mg/l. It is acceptable to obtain a field sample for subsequent laboratory testing in lieu of field testing.
| |
| The Frequency of this Surveillance takes into consideration fuel oil degradation trends indicating that particulate concentration is unlikely to change between Frequency intervals.
| |
| SR 3.8.3.4 This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each DG is available. The system design requirements provide for a minimum of five engine start cycles for Division 1 and 2 DGs and three engine start cycles for the Division 3 DG without recharging. The pressure specified in this SR is intended to reflect the lowest value at which the five or three starts, as applicable, can be accomplished.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.8.3-8 Revision 93
| |
| | |
| Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.8.3.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Periodic removal of water from the storage tanks eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, rain water, contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is for preventive maintenance. The presence of water does not necessarily represent a failure of this SR provided that accumulated water is removed during performance of the Surveillance.
| |
| REFERENCES 1. FSAR, Section 9.5.4.
| |
| : 2. Regulatory Guide 1.137, Revision 1, October 1979.
| |
| : 3. ANSI N195, Appendix B, 1976.
| |
| : 4. FSAR, Chapter 6.
| |
| : 5. FSAR, Chapter 15.
| |
| : 6. 10 CFR 50.36(c)(2)(ii).
| |
| : 7. ASTM Standards: D4057-06; D975-08; D1298-99; D4176-04; D2709-96; D2622-94; D4294-08; D5453-08; D3120-06; D5452-06.
| |
| Columbia Generating Station B 3.8.3-9 Revision 93
| |
| | |
| Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES Table B 3.8.3-1 Minimum Required DG Fuel Oil Supply Fuel Oil Storage Division 1 Division 2 Division 3 Subsystem (1) DG DG DG (in Gallons) (in Gallons) (in Gallons) 7 Day supply Fuel Oil Storage Fuel Oil Tank 54182 55994 32758 Storage Subsystem (1)
| |
| Day Tank (2) 1010 1003 1169 6 Day supply Fuel Fuel Oil Storage Oil Tank 46302 47857 27917 Storage Subsystem (1)
| |
| Day Tank (2) 1010 1003 1169 (1) The fuel oil storage subsystem consists of the fuel oil storage tank and the available volume of the day tank for each respective DG. Due to the differential temperatures of the two tanks, it is conservative (and hence acceptable) to compensate for shortfalls in the day tank volume with a corresponding volume increase in the storage tank to satisfy the 7 or 6 day storage requirement.
| |
| Conversely, it is non-conservative to make up for shortfalls in the storage tank volume with a Aone-for-one@ increase in the day tank volume to satisfy the 7 day or 6 day storage requirement.
| |
| (2) The low level alarm for the day tank is 1400 gallons. The value reflected in this table represents the volume credited towards meeting the 7 day (or 6 day) storage requirement. The remainder of the day tank volume that is encompassed by the low level alarm is reserved to support one hour at 110% of full load (see Bases for SR 3.8.1.4).
| |
| Columbia Generating Station B 3.8.3-10 Revision 73
| |
| | |
| DC Sources - Operating B 3.8.4 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.4 DC Sources - Operating BASES BACKGROUND The station DC electrical power system provides the AC emergency power system with control power. It also provides both motive and control power to selected safety related equipment. As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure. The DC electrical power system also conforms to the requirements of Regulatory Guide 1.6 (Ref. 2) and IEEE-308 (Ref. 3).
| |
| The 125 VDC electrical power system consists of three independent Class 1E DC electrical power subsystems, Divisions 1, 2, and 3. The 250 VDC electrical power system consists of one Class 1E DC electrical power subsystem, Division 1. Each subsystem consists of a battery, associated battery chargers, and all the associated control equipment and interconnecting cabling.
| |
| During normal operation, the DC loads are powered from the battery chargers with the batteries floating on the system. In case of loss of normal power to the battery charger, the DC loads are automatically powered from the Engineered Safety Feature (ESF) batteries.
| |
| The Division 1 safety related DC power source consists of one 125 V and one 250 V battery bank and associated full capacity battery chargers.
| |
| The 250 VDC subsystem has a single full capacity battery charger. The 125 VDC subsystem has two full capacity battery chargers, one of which is normally in service and the other is normally electrically isolated from the distribution system. The 125 V battery provides the control power for its associated Class 1E AC power load group, 4.16 kV switchgear and 480 V load centers. Also, the 125 V battery provides DC power to the emergency lighting system, diesel generator (DG) auxiliaries and the DC control power for DG-1. The 250 V battery supplies power to various reactor core isolation cooling system, residual heat removal and reactor water cleanup system valves. It also supplies power on an uninterruptible basis to plant controls, instrumentation, computer and communication equipment through a solid state inverter and the main and feedwater turbine auxiliary oil pumps; however, these loads are not TS related loads.
| |
| The Division 2 safety related DC power source consists of a 125 V battery bank and two full capacity chargers, one of which is normally in service and the other is normally electrically isolated from the distribution system.
| |
| This DC power source provides the control power for its associated Columbia Generating Station B 3.8.4-1 Revision 73
| |
| | |
| DC Sources - Operating B 3.8.4 BASES BACKGROUND (continued)
| |
| Class 1E AC power load group, 4.16 kV switchgear and 480 V load centers. Also, this DC power source provides DC power to the emergency lighting system, DG auxiliaries and the DC control power for DG-2.
| |
| The Division 3 125 VDC power system provides power for HPCS DG field flashing control logic and control and switching function of 4.16 kV Division 3 breakers. It also provides motive and control power for the HPCS System logic, HPCS DG control and protection, and all Division 3 related control.
| |
| The DC power distribution system is described in more detail in Bases for LCO 3.8.7, "Distribution Systems - Operating," and LCO 3.8.8, "Distribution Systems - Shutdown."
| |
| The Division 1 125 V and 250 V, and Division 2 125 VDC electrical power subsystem components are located in the radwaste/control building, a Seismic Category I structure. The Divisions 1 and 2 DC buses and the associated equipment are located such that redundant counterparts are physically separated from each other. The Division 3 DC electrical power subsystem components are located in the diesel generator building, also a Seismic Category I structure. There are no connections between DC systems of different divisions, and there is no sharing between redundant Class 1E subsystems such as batteries, battery chargers, or distribution panels.
| |
| Each Division 1, 2, and 3 battery has adequate storage capacity to meet the duty cycle(s) discussed in the FSAR, Chapter 8 (Ref. 4). The battery is designed with additional capacity above that required by the design duty cycle to allow for temperature variations, and other factors.
| |
| The 125 V batteries are sized to produce required capacity at 80% of nameplate rating. The 250 V battery is sized to produce the required capacity at 83.4% of the nameplate rating. These values correspond to warranted capacity at end-of-life cycles and the 100% design demand for each of the batteries. The minimum design voltage limit is 105 V for the 125 V batteries and 210 V for the 250 V battery.
| |
| The battery cells are of flooded lead acid construction with a nominal specific gravity of 1.215. This specific gravity corresponds to an open circuit battery voltage of approximately 120 V for a 58 cell battery (i.e.,
| |
| cell voltage of 2.06 volts per cell (Vpc)). The open circuit voltage is the Columbia Generating Station B 3.8.4-2 Revision 73
| |
| | |
| DC Sources - Operating B 3.8.4 BASES BACKGROUND (continued) voltage maintained when there is no charging or discharging. One fully charged with its open circuit voltage > 2.06 Vpc, the battery cell will maintain its capacity for 30 days without further charging per manufacturers instructions. Optimal long term performance however, is obtained by maintaining a float voltage 2.17 to 2.26 Vpc. This provides adequate over-potential which limits the formation of lead sulfate and self discharge. The nominal float voltage of 2.25 Vpc corresponds to a total float voltage output of 130.5 V for a 58 cell battery as discussed in the FSAR, Chapter 8 (Ref. 4).
| |
| Each DC electrical power subsystem battery charger has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each battery charger has sufficient excess capacity to restore the battery bank from the design minimum charge to its fully charged state within 24 hours while supplying normal steady state loads (Ref. 4).
| |
| The battery charger is normally in the float-charge mode. Float-charge is the condition in which the charger is supplying the connected loads and the battery cells are receiving adequate current to optimally charge the battery. This assures the internal losses of a battery are overcome and the battery is maintained in a fully charged state.
| |
| When desired, the charger can be placed in the equalize mode. The equalize mode is at a higher voltage than the float mode and charging current is correspondingly higher.
| |
| The battery charger is operated in the equalize mode after a battery discharge or for routine maintenance. Following a battery discharge, the battery recharge characteristic accepts current at the current limit of the battery charger (if the discharge was significant, e.g., following a battery service test) until the battery terminal voltage approaches the charger voltage setpoint. Charging current then reduces exponentially during the remainder of the recharge cycle. Lead-calcium batteries have recharge efficiencies of greater than 95%, so once at least 105% of the ampere-hours discharged have been returned, the battery capacity would be restored to the same condition as it was prior to the discharge. This can be monitored by direct observation of the exponentially decaying charging current or by evaluating the amp-hours discharged from the battery and amp-hours returned to the battery.
| |
| Columbia Generating Station B 3.8.4-3 Revision 73
| |
| | |
| DC Sources - Operating B 3.8.4 BASES APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY analyses in the FSAR, Chapter 6 (Ref. 7) and Chapter 15 (Ref. 8),
| |
| ANALYSES assume that ESF systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation.
| |
| The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining DC sources OPERABLE during accident conditions in the event of:
| |
| : a. An assumed loss of all offsite AC power or of all onsite AC power; and
| |
| : b. A worst case single failure.
| |
| The DC sources satisfy Criterion 3 of Reference 9.
| |
| LCO The DC electrical power subsystems, each subsystem consisting of one battery, one battery charger, and the corresponding control equipment and interconnecting cabling supplying power to the associated bus within the divisions, are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. Loss of any DC electrical power subsystem does not prevent the minimum safety function from being performed (Ref. 4).
| |
| APPLICABILITY The DC electrical power sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure safe unit operation and to ensure that:
| |
| : a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
| |
| : b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA The DC electrical power requirements for MODES 4 and 5 and other conditions in which the DC electrical power sources are required are addressed in LCO 3.8.5, "DC Sources - Shutdown."
| |
| Columbia Generating Station B 3.8.4-4 Revision 73
| |
| | |
| DC Sources - Operating B 3.8.4 BASES ACTIONS A.1, A.2, A.3, B.1, B.2, B.3, C.1, C.2, and C.3 Condition A, B, or C represents one division with one required battery charger inoperable (e.g., the voltage limit of SR 3.8.4.1 is not maintained).
| |
| The ACTIONS provide a tiered response that focuses on returning the battery to the fully charged state and restoring a fully qualified charger to OPERABLE status in a reasonable time period. Required Action A.1, B.1, or C.1 requires that the battery terminal voltage be restored to greater than or equal to the minimum established float voltage within 2 hours. This time provides for returning the inoperable charger to OPERABLE status or providing an alternate means of restoring battery terminal voltage to greater than or equal to the minimum established float voltage. The minimum float voltage for the Division 1, 2, and 3 125 VDC systems is 126 VDC. The minimum float voltage for the 250 VDC systems is 252 VDC. Restoring the battery terminal voltage to greater than or equal to the minimum established float voltage provides good assurance that, within 12 hours, the battery will be restored to its fully charged condition (Required Action A.2, B.2 or C.2) from any discharge that might have occurred due to the charger inoperability. A discharged battery having terminal voltage of at least the minimum established float voltage indicates that the battery is on the exponential charging current portion (the second part) of its recharge cycle. The time to return a battery to its fully charged state under this condition is simply a function of the amount of the previous discharge and the recharge characteristic of the battery. Thus, there is good assurance of fully recharging the battery within 12 hours, avoiding a premature shutdown with its own attendant risk.
| |
| If battery terminal float voltage cannot be restored to greater than or equal to the minimum established float voltage within 2 hours, and the charger is not operating in the current-limiting mode, a faulty charger is indicated.
| |
| A faulty charger that is incapable of maintaining established battery terminal float voltage does not provide adequate assurance that it can revert to and operate properly in the current limit mode that is necessary during the recovery period following a battery discharge event for which the DC system is designed.
| |
| If the charger is operating in the current limit mode after 2 hours, that is an indication that the battery is partially discharged and its capacity margins will be reduced. The time to return the battery to its fully charged condition, in this case, is a function of the battery charger capacity, the amount of loads on the associated DC system, the amount of the previous discharge, and the recharge characteristic of the battery. The charge time can be extensive, and there is not adequate assurance that it can be recharged within 12 hours (Required Action A.2, B.2, or C.2).
| |
| Columbia Generating Station B 3.8.4-5 Revision 73
| |
| | |
| DC Sources - Operating B 3.8.4 BASES ACTIONS (continued)
| |
| Required Action A.2, B.2, or C.2 requires that the battery float current be verified as less than or equal to 2 amps. This indicates that, if the battery had been discharged as the result of the inoperable battery charger, it has now been fully recharged. If, at the expiration of the initial 12 hour period, the battery float current is not less than or equal to 2 amps, this indicates there may be additional battery problems and the battery must be declared inoperable.
| |
| Required Action A.3, B.3, or C.3 limits the restoration time for the inoperable battery charger to 72 hours. This action is applicable if an alternate means of restoring battery terminal voltage to greater than or equal to the minimum established float voltage has been used (e.g.,
| |
| balance of plant non-Class 1E battery charger). The alternate means will be a charger of sufficient capacity such that it is fully capable of restoring the battery voltage to the minimum acceptable limits, carrying respective DC bus loads, and maintaining the battery in a fully charged condition.
| |
| The 72 hour Completion Time is aligned with the standard 72 hour Completion Time of Technical Specification LCO 3.8.1 Required Action B.4.1.
| |
| D.1, E.1, and F.1 Condition D, E, or F represents one division with one battery inoperable.
| |
| With one battery inoperable, the DC bus is being supplied by the OPERABLE battery charger(s). Any event that results in a loss of the AC bus supporting the battery charger(s) will also result in loss of DC to that division. Recovery of the AC bus, especially if it is due to a loss of offsite power, will be hampered by the fact that many of the components necessary for the recovery (e.g., diesel generator control and field flash, AC load shed and diesel generator output circuit breakers, etc.) likely rely upon the battery. In addition, the energization transients of any DC loads that are beyond the capability of the battery charger(s) and normally require the assistance of the battery will not be able to be brought online.
| |
| The 2 hour limit allows sufficient time to effect restoration of an inoperable battery given that the majority of the conditions that lead to battery inoperability (e.g., loss of battery charger, battery cell voltage less than 2.07 V, etc.) are identified in Specifications 3.8.4, 3.8.5, and 3.8.6 together with additional specific completion times.
| |
| Columbia Generating Station B 3.8.4-6 Revision 73
| |
| | |
| DC Sources - Operating B 3.8.4 BASES ACTIONS (continued)
| |
| G.1 Condition G represents one division with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of 125 VDC power to the affected division. The 2 hour limit is consistent with the allowed time for an inoperable DC distribution system division.
| |
| If one of the required Division 1 or 2 125 VDC electrical power subsystems is inoperable for reasons other than Condition A or D (e.g.,
| |
| inoperable battery charger and associated inoperable battery), the remaining 125 VDC electrical power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure could, however, result in the loss of minimum necessary 125 VDC electrical subsystems, continued power operation should not exceed 2 hours. The 2 hour Completion Time is based on Regulatory Guide 1.93 (Ref. 10) and reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power subsystem and, if the DC electrical power subsystem is not restored to OPERABLE status, to prepare to effect an orderly and safe unit shutdown.
| |
| H.1 If the Required Actions and associated Completion Times of Condition B or E are not met, the Division 3 DC electrical power subsystem inoperable for reasons other than Condition B or E, or any combination of these condition exists, the HPCS System may be incapable of performing its intended function and must be immediately declared inoperable. This declaration also requires entry into applicable Conditions and Required Actions of LCO 3.5.1, "ECCS - Operating."
| |
| I.1 If the Required Actions and associated Completion Times of Condition C or F are not met, the Division 1 250 VDC electrical power subsystem inoperable for reasons other than Condition C or F, or any combination of these conditions exists, the RCIC and other associated supported features may be incapable of performing their intended functions and must be immediately declared inoperable. This declaration also requires entry into applicable Conditions and Required Actions for the associated supported features.
| |
| Columbia Generating Station B 3.8.4-7 Revision 73
| |
| | |
| DC Sources - Operating B 3.8.4 BASES ACTIONS (continued)
| |
| J.1 If the inoperable Division 1 or Division 2 125 VDC electrical power subsystem cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the overall plant risk is minimized. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 13) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action J.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| SURVEILLANCE SR 3.8.4.1 REQUIREMENTS Verifying battery terminal voltage while on float charge helps to ensure the effectiveness of the battery chargers, which support the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery and maintain the battery in a fully charged state while supplying the continuous steady state loads of the associated DC subsystem. On float charge, battery cells will receive adequate current to optimally charge the battery. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the minimum float voltage established by the battery manufacturer 2.17 Vpc or 126.0 V for the 125 V batteries and 252.0 V for the 250 V battery at the battery terminals. This voltage maintains the battery plates in a condition that supports maintaining the grid life Columbia Generating Station B 3.8.4-8 Revision 90
| |
| | |
| DC Sources - Operating B 3.8.4 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| (expected to be approximately 20 years). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.8.4.2 Battery charger capability requirements are based on the design capacity of the chargers (Ref. 4). According to Regulatory Guide 1.32 (Ref. 12),
| |
| the battery charger supply is required to be based on the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during these demand occurrences. The minimum required amperes and duration ensure that these requirements can be satisfied. The charger shall be loaded, to a minimum, at three separate and sequential load ratings, 50%, 75%, and 100%, for > 30 minutes at each load rating. The 100%
| |
| load rating for the Divisions 1 and 2 125 V battery chargers is 200 amps, for the Division 3 125 V battery charger is 50 amps, and for the Division 1 250 V battery charger is 400 amps.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.8.4.3 A battery service test is a special test of the battery's capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length correspond to the design duty cycle requirements as specified in Reference 4.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| This SR is modified by two Notes. Note 1 allows the performance of a modified performance discharge test in lieu of a service test. This substitution is acceptable because a modified performance discharge test represents a more severe test of battery capacity than SR 3.8.4.3. The reason for Note 2 is that performing the Surveillance would remove a required DC electrical power subsystem from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy the Surveillance.
| |
| Columbia Generating Station B 3.8.4-9 Revision 93
| |
| | |
| DC Sources - Operating B 3.8.4 BASES REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.
| |
| : 2. Regulatory Guide 1.6, Revision 0, March 10, 1971.
| |
| : 3. IEEE Standard 308, 1974.
| |
| : 4. FSAR, Chapter 8.
| |
| : 5. Columbia Generating Station Calculation 2.05.01, Rev. 8, February 1990.
| |
| : 6. Columbia Generating Station Calculation E/I 02-85-02, Rev. 1, April 1989.
| |
| : 7. FSAR, Chapter 6.
| |
| : 8. FSAR, Chapter 15.
| |
| : 9. 10 CFR 50.36(c)(2)(ii).
| |
| : 10. Regulatory Guide 1.93, December 1974.
| |
| : 11. IEEE Standard 450, 2002.
| |
| : 12. Regulatory Guide 1.32, February 1977.
| |
| : 13. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| Columbia Generating Station B 3.8.4-10 Revision 93
| |
| | |
| DC Sources - Shutdown B 3.8.5 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.5 DC Sources - Shutdown BASES BACKGROUND A description of the DC sources is provided in the Bases for LCO 3.8.4, "DC Sources - Operating."
| |
| APPLICABLE The initial conditions of Design Basis Accident and transient analyses in SAFETY the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume that ANALYSES Engineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the diesel generators, emergency auxiliaries, and control and switching during all MODES of operation.
| |
| The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.
| |
| The OPERABILITY of the minimum DC electrical power sources during MODES 4 and 5 ensures that:
| |
| : a. The facility can be maintained in the shutdown or refueling condition for extended periods;
| |
| : b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and The DC sources satisfy Criterion 3 of Reference 3.
| |
| LCO The DC electrical power subsystems, each consisting of one required battery, one battery charger, and the corresponding control equipment and interconnecting cabling supplying power to the associated bus within the division, are required to be OPERABLE to support required Distribution System divisions required OPERABLE by LCO 3.8.8, "Distribution Systems - Shutdown." This ensures the availability of sufficient DC electrical power sources to operate the unit in a safe manner.
| |
| Columbia Generating Station B 3.8.5-1 Revision 111
| |
| | |
| DC Sources - Shutdown B 3.8.5 BASES APPLICABILITY The DC electrical power sources required to be OPERABLE in MODES 4 and 5 provide assurance that:
| |
| : a. Required features to provide core cooling are available;
| |
| : b. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
| |
| : c. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.
| |
| The DC electrical power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.4.
| |
| ACTIONS A.1, A.2, and A.3 Condition A represents one required division with one required battery charger inoperable (e.g., the voltage limit of SR 3.8.4.1 is not maintained).
| |
| This condition is only entered under plant conditions in which LCO 3.8.8, "Distribution Systems - Shutdown," requires more than one division of class 1E DC Electrical Power Distribution (e.g., during CORE ALTERATIONS, LCO 3.8.8 requires the operability of necessary portions of Division 1, Division 2, and Division 3 electrical power distribution subsystems).
| |
| Although the High Pressure Core Spray (HPCS) System is typically considered a single division system, for this condition, Division 3 (HPCS System) is considered redundant to Division 1 and 2 Emergency Core Cooling Systems. If the redundant required division(s) battery or battery charger is inoperable, or LCO 3.8.8 does not require a redundant DC electrical power distribution subsystem, then Condition B must be entered. The ACTIONS provide a tiered response that focuses on returning the battery to the fully charged state and restoring a fully qualified charger to OPERABLE status in a reasonable time period.
| |
| Required Action A.1 requires that the battery terminal voltage be restored to greater than or equal to the minimum established float voltage within 2 hours. This time provides for returning the inoperable charger to OPERABLE status or providing an alternate means of restoring battery terminal voltage to greater than or equal to the minimum established float voltage. Restoring the battery terminal voltage to greater than or equal to the minimum established float voltage provides good assurance that, Columbia Generating Station B 3.8.5-2 Revision 111
| |
| | |
| DC Sources - Shutdown B 3.8.5 BASES ACTIONS (continued) within 12 hours, the battery will be restored to its fully charged condition (Required Action A.2) from any discharge that might have occurred due to the charger inoperability. A discharged battery having terminal voltage of at lest the minimum established portion (the second part) of its recharge cycle. The time to return a battery to its fully charged state under this condition is simply a function of the amount of the previous discharge and the recharge characteristic of the battery. Thus, there is good assurance of fully recharging the battery within 12 hours, avoiding a premature shutdown with its own attendant risk.
| |
| If battery terminal float voltage cannot be restored to greater than or equal to the minimum established float voltage within 2 hours, and the charger is not operating in the current-limiting mode, a faulty charger is indicated.
| |
| A faulty charger is that is incapable of maintaining established battery terminal float voltage does not provide assurance that it can revert to and operate properly in the current limit mode that is necessary during the recovery period following a battery discharge event that the DC system is designed for.
| |
| If the charger is operating in the current limit mode after 2 hours, this is an indication the battery is partially discharged and its capacity margins will be reduced. The time to return the battery to its fully charged condition in this case is a function of the battery charger capacity, the amount of loads on the associated DC system, the amount of the previous discharge, and the recharge characteristic of the battery. The charge time can be extensive, and there is not adequate assurance that it can be recharged within 12 hours (Required Action A.2).
| |
| Required Action A.2 requires that the battery float current be verified as less than or equal to 2 amps. This indicates that if the battery had been discharged as the result of the inoperable battery charger, it has now been fully recharged. If, at the expiration of the initial 12 hour period the battery float current is not less than or equal to 2 amps, this indicates there may be additional battery problems and the battery must be declared inoperable.
| |
| Required Action A.3 limits the restoration time for the inoperable battery charger to 7 days. This action is applicable if an alternate means of restoring battery terminal voltage to greater than or equal to the minimum established float voltage has been used (e.g., balance of plant non-Class 1E battery charger). The 7 day completion time reflects a reasonable time to effect restoration of the qualified battery charger to operable status.
| |
| Columbia Generating Station B 3.8.5-3 Revision 73
| |
| | |
| DC Sources - Shutdown B 3.8.5 BASES ACTIONS (continued)
| |
| B.1 and B.2 If more than one DC distribution subsystem is required according to LCO 3.8.8, the DC electrical power subsystems remaining OPERABLE with one or more DC electrical power subsystems inoperable may be capable of supporting sufficient required features. By allowing the option to declare required features inoperable with associated DC electrical power subsystem(s) inoperable, appropriate restrictions are implemented in accordance with the affected system LCOs' ACTIONS. Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made, and Required Action B.2 requires action be initiated immediately to restore the required DC electrical power subsystems and to continue this action until restoration is accomplished in order to provide the necessary DC electrical power to the plant safety systems.
| |
| The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC electrical power subsystems should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power.
| |
| SURVEILLANCE SR 3.8.5.1 REQUIREMENTS SR 3.8.5.1 requires performance of all Surveillances required by SR 3.8.4.1 through SR 3.8.4.3. Therefore, see the corresponding Bases for LCO 3.8.4 for a discussion of each SR.
| |
| This SR is modified by a Note. The reason for the Note is to preclude requiring OPERABLE DC sources from being discharged below their capability to provide the required power supply or otherwise rendered inoperable during performance of SRs. It is the intent that these SRs must still be capable of being met, but actual performance is not required.
| |
| REFERENCES 1. FSAR, Chapter 6.
| |
| : 2. FSAR, Chapter 15.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.8.5-4 Revision 111
| |
| | |
| Battery Parameters B 3.8.6 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.6 Battery Parameters BASES BACKGROUND This LCO delineates the limits on battery float current as well as electrolyte temperature, level, and float voltage for the DC power source batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources -
| |
| Operating," and LCO 3.8.5, "DC Sources - Shutdown." In addition to the limitations of this Specification, the Battery Monitoring and Maintenance Program also implements the program specified in Technical Specification 5.5.13 for monitoring various battery parameters that is based on the recommendations of IEEE Standard 450-2002, "IEEE Recommended Practice for Maintenance, Testing, and Replacement of Vented Lead-Acid Batteries for Stationary Applications" (Ref. 7).
| |
| The battery cells are flooded lead acid construction with a nominal specific gravity of 1.215. This specific gravity corresponds to an open circuit battery voltage of approximately 120 V for a 58 cell battery and 240 V for a 116 cell battery (i.e., cell voltage of 2.06 volts per cell (Vpc)).
| |
| The open circuit voltage is the voltage maintained when there is no charging or discharging. Once fully charged with its open circuit voltage
| |
| > 2.06 Vpc, the battery cell will maintain its capacity for 30 days without further charging per manufacturers instructions. Optimal long-term performance, however, is obtained by maintaining a float voltage 2.17 to 2.26 Vpc. This provides adequate over-potential which limits the formation of lead sulfates and self discharge. The nominal float voltage of 2.25 Vpc corresponds to a total float voltage output of 130.5 V for a 58 cell battery and 261 V for a 116 cell battery as discussed in the FSAR, Chapter 8 (Ref. 2).
| |
| APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY analyses in FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 3),
| |
| ANALYSES assume Engineered Safety Feature systems are OPERABLE. The DC electrical power subsystems provide normal and emergency DC electrical power for the diesel generators, emergency auxiliaries, and control and switching during all MODES of operation.
| |
| The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit as discussed in the Bases for LCO 3.8.4, "DC Sources - Operating," and LCO 3.8.5, "DC Sources - Shutdown."
| |
| Since battery parameters support the operation of the DC power sources, they satisfy Criterion 3 of Reference 4.
| |
| Columbia Generating Station B 3.8.6-1 Revision 80
| |
| | |
| Battery Parameters B 3.8.6 BASES LCO Battery parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA. Battery parameter limits are conservatively established, allowing continued DC electrical system function even with limits not met. Additional preventative maintenance, testing, and monitoring performed in accordance with the Battery Monitoring and Maintenance Program is conducted as specified in Technical Specification 5.5.13.
| |
| APPLICABILITY The battery parameters are required solely for the support of the associated DC electrical power subsystem. Therefore, battery parameter limits are only required when the associated DC electrical power subsystem is required to be OPERABLE. Refer to the Applicability discussion in Bases for LCO 3.8.4 and LCO 3.8.5.
| |
| ACTIONS A.1, A.2, and A.3 With one or more cells of a battery < 2.07 V, the battery cell is degraded.
| |
| Within 2 hours, verification of the required battery charger OPERABILITY is made by monitoring the battery terminal voltage (SR 3.8.4.1) and the overall battery state of charge by monitoring the battery float charge current (SR 3.8.6.1). This assures that there is still sufficient battery capacity to perform the intended function. Therefore, the affected battery is not required to be considered inoperable solely as a result of one or more cells in one or more batteries < 2.07 V, and continued operation is permitted for a limited period up to 24 hours.
| |
| Since the Required Actions only specify perform, a failure of SR 3.8.4.1 or SR 3.8.6.1 acceptance criteria does not result in this Required Action not met. However, if one of the SRs is failed, the appropriate Condition(s), depending on the cause of the failure, is entered.
| |
| If SR 3.8.6.1 is failed, then there is not assurance that there is still sufficient battery capacity to perform the intended function and the battery must be declared inoperable immediately as specified in Condition F.
| |
| B.1 and B.2 One or more batteries with float current > 2 amps indicates that a partial discharge of the battery capacity has occurred. This may be due to a temporary loss of battery charger or possible due to one or more battery cells in a low voltage condition reflecting some loss of capacity. Within 2 hours, verification of the required battery charger OPERABILITY is made by monitoring the battery terminal voltage. If the terminal voltage is Columbia Generating Station B 3.8.6-2 Revision 73
| |
| | |
| Battery Parameters B 3.8.6 BASES ACTIONS (continued) found to be less than the minimum established float voltage, there are two possibilities; the battery charger is inoperable or is operating in the current limit mode. Conditions A and B of LCO 3.8.4 and Condition A of LCO 3.8.5 address charger inoperability. If the charger is operating in the current limit mode after 2 hours, that is an indication the battery has been substantially discharged and likely cannot perform its required design functions. The time to return the battery to its fully charged condition in this case is a function of the battery charger capacity, the amount of loads on the associated DC system, the amount of the previous discharge, and the recharge characteristics of the battery. The charge time can be extensive, and there is not adequate assurance that it can be recharged within 12 hours (Required Action B.2). The battery must therefore be declared inoperable as specified in Condition F.
| |
| If the float voltage is found to be satisfactory but there are one or more battery cells with float voltage < 2.07 V, the associated "OR" statement in Condition F is applicable and the battery must be declared inoperable immediately. If float voltage is satisfactory and there are no cells less than 2.07 V, there is good assurance that, within 12 hours, the battery will be restored to its fully charged condition (Required Action B.2) from any discharge that might have occurred due to a temporary loss of the battery charger. A discharged battery with float voltage (the charger setpoint) across its terminals indicates the battery is on the exponential charging current potion (the second part) of its recharge cycle. The time to return a battery to its fully charged state under this condition is simply a function of the amount of the previous discharge and the recharge characteristic of the battery. Thus, there is good assurance of fully recharging the battery within 12 hours, avoiding a premature shutdown with its own attendant risk.
| |
| If the condition is due to one or more cells in a low voltage condition but still greater than 2.07 V and float voltage is found to be satisfactory, this is not indication of a substantially discharged battery and 12 hours is a reasonable time prior to declaring the battery inoperable.
| |
| Since Required Action B.1 only specifies perform, a failure of SR 3.8.4.1 acceptance criteria does not result in the Required Action not met.
| |
| However, if SR 3.8.4.1 is failed, the appropriate Condition(s), depending on the cause of the failure is entered.
| |
| Columbia Generating Station B 3.8.6-3 Revision 73
| |
| | |
| Battery Parameters B 3.8.6 BASES ACTIONS (continued)
| |
| C.1, C.2, and C.3 With one or more batteries with one or more cells electrolyte level above the top of the plates but below the minimum established design limits, the battery still retains sufficient capacity to perform the intended function.
| |
| Therefore, the affected battery is not required to be considered inoperable solely as a result of electrolyte level not met. Within 31 days, the minimum established design limits for electrolyte level must be re-established.
| |
| The minimum established design limit for electrolyte level for the Division 1, 2, and 3 125 VDC systems and for the 250 VDC system is the low level mark. With electrolyte level below the top of the plates, there is a potential for dryout and plate degradation. Required Actions C.1 and C.2 address this potential (as well as provisions in Technical Specification 5.5.13 "Battery Monitoring and Maintenance Program").
| |
| They are modified by a Note that indicates they are only applicable if electrolyte level is below the top of the plates. Within 8 hours, level is required to be restored to above the top of the plates. The required Action C.2 requirement to verify that there is no leakage by visual inspection and the Technical Specification 5.5.13.b item to initiate action to equalize and test in accordance with manufacturers recommendation are taken from Annex D of IEEE Standard 450-2002. They are performed following the restoration of the electrolyte level to above the top of the plates. Based on the results of the manufacturers recommended testing, the battery may have to be declared inoperable and the affected cell(s) replaced.
| |
| D.1 With one or more batteries with pilot cell temperature less than the minimum established design limits, 12 hours is allowed to restore the temperature to within limits. The minimum established design limit for cell temperature for the Division 1, 2, and 3 125 VDC systems and for the 250 VDC system is 60°F. A low electrolyte temperature limits the current and power available. Since the battery is sized with margin, while battery capacity is degraded, sufficient capacity exists to perform the intended function and the affected battery is not required to be considered inoperable solely as a result of the pilot cell temperature not met.
| |
| Columbia Generating Station B 3.8.6-4 Revision 73
| |
| | |
| Battery Parameters B 3.8.6 BASES ACTIONS (continued)
| |
| E.1 Given that redundant batteries are involved, the longer completion times specified for battery parameters on non-redundant batteries not within limits are not appropriate, and the parameters must be restored to within limits on at least one train within 2 hours. Although the High Pressure Core Spray (HPCS) System is typically considered a single division system, for this condition, the Division 3 (HPCS System) battery is considered redundant to Division 1 and 2 batteries for the Emergency Core Cooling function.
| |
| F.1 When any battery parameter is outside the allowance of the Required Actions for Conditions A, B, C, D, or E, sufficient capacity to supply the maximum expected load requirement is not assured and the corresponding battery must be declared inoperable. Additionally, when a TS LCO required battery parameter is not met for reasons other than Condition A, B, C, D, or E, such as the performance discharge test described in SR 3.8.6.6, sufficient capacity to supply the maximum expected load requirement is not assured and the corresponding battery must be declared inoperable. When any battery parameter is outside the allowance of the Required Actions for Conditions A, B, C, D, or E, sufficient capacity to supply the maximum expected load requirement is not assured and the corresponding battery must be declared inoperable.
| |
| Additionally, discovering a battery with one or more battery cells float voltage less than 2.07 V and float current greater than 2 amps indicates that the battery capacity may not be sufficient to perform the intended functions. The battery must therefore be declared inoperable immediately.
| |
| SURVEILLANCE SR 3.8.6.1 REQUIREMENTS Verifying battery float current while on float charge is used to determine the state of charge of the battery. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the initial losses of a battery and maintain the battery in a charged state. The float current requirements are based on the float current indicative of a charged battery. The charging current for a large station battery is highly reactive to a change in battery voltage. A charging current less than 2 amps is indicative of a fully charged battery when charging at normal float voltage. At a float voltage greater than minimum float voltage, the battery will be maintained in its fully charged state for an extended period Columbia Generating Station B 3.8.6-5 Revision 73
| |
| | |
| Battery Parameters B 3.8.6 BASES SURVEILLANCE REQUIREMENTS (continued) of time. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. A measuring device accuracy of + 10% of reading is adequate to verify float current to be within nominal values.
| |
| This SR is modified by a Note that states the float current requirement is not required to be met when battery terminal voltage is less than the minimum established float voltage of SR 3.8.4.1. When this float voltage is not maintained, the Required Action of LCO 3.8.4 ACTION A are being taken, which provide the necessary and appropriate verifications of the battery condition. Furthermore, the float current limit of 2 amps is established based on the nominal float voltage value and is not directly applicable when the voltage is not maintained.
| |
| SR 3.8.6.2 and SR 3.8.6.5 Optimal long term battery performance is obtained by maintaining a float voltage greater than or equal to the minimum established design limits provided by the battery manufacturer, which corresponds to 126.0 V for the 125 V batteries and 252.0 V for the 250 V battery at the battery terminals, or 2.17 Vpc. This provides adequate over-potential, which limits the formation of lead sulfate and self discharge, which could eventually render the battery inoperable. Float voltage in this range or less, but greater than 2.07 Vpc, are addressed in Technical Specification 5.5.13. SRs 3.8.6.2 and 3.8.6.5 require verification that the cell float voltages are equal to or greater than the short term absolute minimum voltage of 2.07 V. The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| SR 3.8.6.3 The minimum established design limit for electrolyte level is the low level mark. This limit ensures that the plates suffer no physical damage and maintains adequate electron transfer capability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| Columbia Generating Station B 3.8.6-6 Revision 93
| |
| | |
| Battery Parameters B 3.8.6 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| SR 3.8.6.4 This Surveillance verifies that the pilot cell temperature is greater than or equal to the minimum established design limit (i.e., 60°F). Pilot cell electrolyte temperature is maintained above this temperature to assure the battery can provide the required current and voltage to meet the design requirements. Temperatures lower than assumed in battery sizing calculations may act to inhibit or reduce battery capacity. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.8.6.6 A battery performance discharge test is a test of constant current capacity of a battery, normally done in the as found condition, after having been in service, to detect any change in the capacity determined by the acceptance test. The test is intended to determine overall battery degradation due to age and usage.
| |
| Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.6.6; however, only the modified performance discharge test may be used to satisfy the battery service test requirements of SR 3.8.4.3.
| |
| A modified performance discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty cycle). This will often confirm the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity. Initial conditions for the modified performance discharge test should be identical to those specified for a service test when the modified performance discharge test is performed in lieu of a service test.
| |
| A battery modified performance discharge test is a simulated duty cycle normally consisting of just two rates; the one minute rate published for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performance discharge test, both of which envelope the duty cycle of the service test. Since the ampere-hours removed at a rated one minute discharge represents a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for the modified performance discharge test must remain above the minimum battery terminal voltage specified in the battery service test for the duration of time equal to that of the service test.
| |
| Columbia Generating Station B 3.8.6-7 Revision 93
| |
| | |
| Battery Parameters B 3.8.6 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The acceptance criteria for this Surveillance are consistent with IEEE 485 (Ref. 5) for the 125 V batteries. This reference recommends that the battery be replaced if its capacity is below 80% of the manufacturer's rating, since IEEE 485 (Ref. 5) recommends using an aging factor of 125% in the battery sizing calculations. The acceptance criteria for this Surveillance for the 250 V battery is consistent with Reference 6. This reference recommended that the battery be replaced if its capacity is below 83.4% of the manufacturer's rating in lieu of Reference 5 recommendation of 80%, since the battery sizing calculation in Reference 6 uses an aging factor of 120%. A capacity of 80% for the 125 V battery and 83.4% for the 250 V battery shows that the battery rate of deterioration is increasing even if there is ample capacity to meet the load requirements. Furthermore, the battery is sized to meet the assumed duty cycle loads when the battery design capacity reaches this 80% limit.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. If the battery shows degradation, or if the battery has reached 85% of its expected life and capacity is < 100% of the manufacturer's rating, the Surveillance Frequency is reduced to 12 months. However, if the battery shows no degradation but has reached 85% of its expected life, the Surveillance Frequency is only reduced to 24 months for batteries that retain capacity > 100% of the manufacturer's rating. Degradation is indicated, when the battery capacity drops by more than 10% relative to its previous performance test or when it is below 90% of the manufactures rating. This is consistent with the normal aging curve for lead-acid batteries because at 90% (or a 10% change), the slope of the aging curve has started to increase. For the 250 V battery, degradation is indicated when it is below 93.4% of the manufacturer's rating in lieu of 90%. This ensures the accelerated testing schedule is implemented when the 250 V battery capacity decreases to 10% above the capacity at which the battery must be replaced (consistent with the 125 V batteries), since the 250 V battery must be replaced when the capacity falls to 83.4%. The 12 month and 60 month Frequencies are consistent with the normal aging curve of lead-acid batteries. The 24 month Frequency is also derived from the aging curve.
| |
| This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required DC electrical power subsystem from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy the Surveillance.
| |
| Columbia Generating Station B 3.8.6-8 Revision 112
| |
| | |
| Battery Parameters B 3.8.6 BASES REFERENCES 1. FSAR, Chapter 6.
| |
| : 2. FSAR, Chapter 8.
| |
| : 3. FSAR, Chapter 15.
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| : 5. IEEE Standard 485, 1983.
| |
| : 6. Columbia Generating Station Calculation 2.05.01.
| |
| : 7. IEEE Standard 450, 2002.
| |
| Columbia Generating Station B 3.8.6-9 Revision 112
| |
| | |
| Distribution Systems - Operating B 3.8.7 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.7 Distribution Systems - Operating BASES BACKGROUND The onsite Class 1E AC and DC electrical power distribution system is divided by division into three independent AC and DC electrical power distribution subsystems.
| |
| The primary AC Distribution System consists of three 4.16 kV Engineered Safety Feature (ESF) buses that are supplied from the transmission system by two physically independent circuits. Each 4.16 kV ESF bus also has a dedicated onsite diesel generator (DG) source. Each 4.16 kV ESF bus is normally (when the main generator is on line) connected to the auxiliary transformer TR-N1, or a qualified offsite source. If the main generator and all qualified offsite sources are unavailable, the onsite emergency DGs supply power to the 4.16 kV ESF buses. Control power for the 4.16 kV breakers is supplied from the Class 1E batteries.
| |
| Additional description of this system may be found in the Bases for LCO 3.8.1, "AC Sources - Operating," and the Bases for LCO 3.8.4, "DC Sources - Operating."
| |
| The secondary plant AC distribution system includes 480 V ESF load centers and associated loads, motor control centers, and transformers.
| |
| Control power for the 480 V breakers is from the Class 1E batteries.
| |
| There are three independent 125 VDC electrical power distribution subsystems. The list of required distribution buses is located in Table B 3.8.7-1.
| |
| APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY analyses in the FSAR, Chapter 6 (Ref. 1) and Chapter 15.
| |
| ANALYSES (Ref. 2), assume ESF systems are OPERABLE. The AC and DC electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling System (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems.
| |
| The OPERABILITY of the AC and DC electrical power distribution systems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the plant. This includes maintaining the AC and DC electrical power sources and associated distribution systems OPERABLE during accident conditions in the event of:
| |
| Columbia Generating Station B 3.8.7-1 Revision 73
| |
| | |
| Distribution Systems - Operating B 3.8.7 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| : a. An assumed loss of all offsite or onsite AC electrical power; and
| |
| : b. A worst case single failure.
| |
| The AC and DC electrical power distribution systems satisfy Criterion 3 of Reference 3.
| |
| LCO The required AC and DC power distribution subsystems listed in Table B 3.8.7-1 ensure the availability of AC and DC electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. The Division 1, 2, and 3 AC and DC electrical power distribution subsystems are required to be OPERABLE.
| |
| Maintaining the Division 1, 2, and 3 AC and DC electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of ESF is not defeated. Any two of the three divisions of the distribution system are capable of providing the necessary electrical power to the associated ESF components. Therefore, a single failure within any system or within the electrical power distribution subsystems does not prevent safe shutdown of the reactor.
| |
| OPERABLE AC electrical power distribution subsystems require the associated buses to be energized to their proper voltages. OPERABLE DC electrical power distribution subsystems require the associated buses to be energized to their proper voltage from either the associated battery or charger.
| |
| Based on the number of safety significant electrical loads associated with each bus listed in Table B 3.8.7-1, if one or more of the buses becomes inoperable, entry into the appropriate ACTIONS of LCO 3.8.7 is required.
| |
| Other buses, such as motor control centers (MCC) and distribution panels, which help comprise the AC and DC distribution systems are not listed in Table B 3.8.7-1. The loss of electrical loads associated with these buses may not result in a complete loss of a redundant safety function necessary to shut down the reactor and maintain it in a safe condition. Therefore, should one or more of these buses become inoperable due to a failure not affecting the OPERABILITY of a bus listed in Table B 3.8.7-1 (e.g., a breaker supplying a single MCC fails open), the individual loads on the bus would be considered inoperable, and the appropriate Conditions and Required Actions of the LCOs governing the individual loads would be entered. However, if one or more of these buses is inoperable due to a failure also affecting the OPERABILITY of a bus listed in Table B 3.8.7-1 (e.g., loss of a 4.16 kV ESF, which results in Columbia Generating Station B 3.8.7-2 Revision 73
| |
| | |
| Distribution Systems - Operating B 3.8.7 BASES LCO (continued) de-energization of all buses powered from the 4.16 kV ESF bus), then although the individual loads are still considered inoperable, the Conditions and Required Actions of the LCO for the individual loads are not required to be entered, since LCO 3.0.6 allows this exception (i.e., the loads are inoperable due to the inoperability of a support system governed by a Technical Specification; the 4.16 kV ESF bus).
| |
| In addition, tie breakers between redundant safety related AC power distribution subsystems, if they exist, must be open. This prevents any electrical malfunction in any power distribution subsystem from propagating to the redundant subsystem, which could cause the failure of a redundant subsystem and a loss of essential safety function(s). If any tie breakers are closed, the electrical power distribution subsystems that are not being powered from their normal source (i.e., they are being powered from their redundant electrical power distribution subsystems) are considered inoperable. This applies to the onsite, safety related, redundant electrical power distribution subsystems. It does not, however, preclude redundant Class 1E 4.16 kV buses from being powered from the same offsite circuit.
| |
| APPLICABILITY The electrical power distribution subsystems are required to be OPERABLE in MODES 1, 2, and 3 to ensure that:
| |
| : a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
| |
| : b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained, in the event of a postulated DBA.
| |
| Electrical power distribution subsystem requirements for MODES 4 and 5 and other conditions in which AC and DC electrical power distribution subsystems are required are covered in LCO 3.8.8, "Distribution Systems - Shutdown."
| |
| Columbia Generating Station B 3.8.7-3 Revision 73
| |
| | |
| Distribution Systems - Operating B 3.8.7 BASES ACTIONS A.1 With one or more Division 1 or 2 required AC buses, load centers, motor control centers, or distribution panels, in one division inoperable, the remaining AC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystems could result in the minimum required ESF functions not being supported. Therefore, the required AC buses, load centers, motor control centers, and distribution panels must be restored to OPERABLE status within 8 hours.
| |
| The Condition A worst scenario is one division without AC power (i.e., no offsite power to the division and the associated DG inoperable). In this Condition, the unit is more vulnerable to a complete loss of AC power. It is, therefore, imperative that the unit operators' attention be focused on minimizing the potential for loss of power to the remaining division by stabilizing the unit and restoring power to the affected division. The 8 hour time limit before requiring a unit shutdown in this Condition is acceptable because of:
| |
| : a. The potential for decreased safety if the unit operators' attention is diverted from the evaluations and actions necessary to restore power to the affected division to the actions associated with taking the unit to shutdown within this time limit.
| |
| : b. The low potential for an event in conjunction with a single failure of a redundant component in the division with AC power. (The redundant component is verified OPERABLE in accordance with Specification 5.5.11, "Safety Function Determination Program (SFDP).")
| |
| The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 2 hours. This situation could lead to a total duration of 10 hours, since initial failure of the LCO, to restore the AC electrical power distribution system. At this time, a DC bus could again become inoperable, and the AC electrical power distribution system could be restored OPERABLE. This could continue indefinitely.
| |
| Columbia Generating Station B 3.8.7-4 Revision 73
| |
| | |
| Distribution Systems - Operating B 3.8.7 BASES ACTIONS (continued)
| |
| This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time Condition A was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.
| |
| B.1 With Division 1 or 2 125 VDC buses in one division inoperable, the remaining DC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystems could result in the minimum required ESF functions not being supported.
| |
| Therefore, the required DC electrical power distribution subsystem must be restored to OPERABLE status within 2 hours by powering the bus from the associated battery or charger.
| |
| Condition B represents one division without adequate 125 VDC power, potentially with both the battery significantly degraded and the associated charger nonfunctioning. In this situation, the plant is significantly more vulnerable to a complete loss of all DC power. It is, therefore, imperative that the operator's attention focus on stabilizing the plant, minimizing the potential for loss of power to the remaining divisions, and restoring power to the affected division.
| |
| This 2 hour limit is more conservative than Completion Times allowed for the majority of components that could be without power. Taking exception to LCO 3.0.2 for components without adequate DC power, that would have Required Action Completion Times shorter than 2 hours, is acceptable because of:
| |
| : a. The potential for decreased safety when requiring a change in plant conditions (i.e., requiring a shutdown) while not allowing stable operations to continue;
| |
| : b. The potential for decreased safety when requiring entry into numerous applicable Conditions and Required Actions for components without DC power while not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected division; and Columbia Generating Station B 3.8.7-5 Revision 73
| |
| | |
| Distribution Systems - Operating B 3.8.7 BASES ACTIONS (continued)
| |
| : c. The potential for an event in conjunction with a single failure of a redundant component.
| |
| The 2 hour Completion Time for DC electrical power distribution subsystems is consistent with Regulatory Guide 1.93 (Ref. 4).
| |
| The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8 hours. This situation could lead to a total duration of 10 hours, since initial failure of the LCO, to restore the DC electrical power distribution system. At this time, an AC bus could again become inoperable, and DC electrical power distribution could be restored OPERABLE. This could continue indefinitely.
| |
| This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This allowance results in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition B was entered. The 16 hour Completion Time is an acceptable limitation on this potential of failing to meet the LCO indefinitely.
| |
| C.1 If the inoperable electrical power distribution system cannot be restored to OPERABLE status within the associated Completion Times, the plant must be brought to a MODE in which overall plant risk is minimized. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours.
| |
| Remaining in the Applicability of the LCO is acceptable because the plant risk in MODE 3 is similar to or lower than the risk in MODE 4 (Ref. 5) and because the time spent in MODE 3 to perform the necessary repairs to restore the system to OPERABLE status will be short. However, voluntary entry into MODE 4 may be made as it is also an acceptable low-risk state.
| |
| Required Action C.1 is modified by a Note that states that LCO 3.0.4.a is not applicable when entering MODE 3. This Note prohibits the use of LCO 3.0.4.a to enter MODE 3 during startup with the LCO not met.
| |
| However, there is no restriction on the use of LCO 3.0.4.b, if applicable, because LCO 3.0.4.b requires performance of a risk assessment addressing inoperable systems and components, consideration of the Columbia Generating Station B 3.8.7-6 Revision 90
| |
| | |
| Distribution Systems - Operating B 3.8.7 BASES ACTIONS (continued) results, determination of the acceptability of entering MODE 3, and establishment of risk management actions, if appropriate. LCO 3.0.4 is not applicable to, and the Note does not preclude, changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
| |
| The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
| |
| D.1 With the Division 1 250 VDC electrical power distribution subsystem inoperable, the RCIC System and other associated supported features are not capable of performing their intended functions. Immediately declaring the RCIC System and other associated supported features inoperable allows the ACTIONS of the associated LCOs to apply appropriate limitations on continued reactor operation.
| |
| E.1 With the Division 3 electrical power distribution system inoperable, the Division 3 powered systems are not capable of performing their intended functions. Immediately declaring the High Pressure Core Spray System inoperable allows the ACTIONS of LCO 3.5.1, "ECCS - Operating," to apply appropriate limitations on continued reactor operation.
| |
| F.1 Condition F corresponds to a level of degradation in the electrical power distribution system that causes a required safety function to be lost.
| |
| When more than one Condition is entered and this results in the loss of a required function, the plant is in a condition outside the accident analysis.
| |
| Therefore, no additional time is justified for continued operation.
| |
| LCO 3.0.3 must be entered immediately to commence a controlled shutdown.
| |
| Columbia Generating Station B 3.8.7-7 Revision 90
| |
| | |
| Distribution Systems - Operating B 3.8.7 BASES SURVEILLANCE SR 3.8.7.1 REQUIREMENTS This Surveillance verifies that the AC and DC electrical power distribution systems are functioning properly, with the correct circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independence of the electrical divisions is maintained, and power is available to each required bus. The verification of energization of the buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. This may be performed by verification of absence of low voltage alarms or by verifying a load powered from the bus is operating.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Chapter 6.
| |
| : 2. FSAR, Chapter 15.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| : 4. Regulatory Guide 1.93, December 1974.
| |
| : 5. NEDC-32988-A, Revision 2, Technical Justification to Support Risk-Informed Modification to Selected Required End States for BWR Plants, December 2002.
| |
| Columbia Generating Station B 3.8.7-8 Revision 93
| |
| | |
| Distribution Systems - Operating B 3.8.7 Table B 3.8.7-1 (page 1 of 1)
| |
| AC and DC Electrical Power Distribution Systems TYPE VOLTAGE DIVISION 1 (a) DIVISION 2 (a) DIVISION 3 (a)
| |
| AC 4160 V SM-7 SM-8 SM-4 buses 480 V SL-71 and SL-73 SL-81 and SL-83 3 Phase Engine Motor Control Motor Control and Generator Centers 7A, 7A-A, Centers 8A, 8A-A, Auxiliary 7B, 7B-A, 7B-B, 8B, 8B-A, 8B-B, Loads Power and 7F and 8F Panel Power Panel Power Panel Motor Control PP-7A-B PP-8A-B Center 4A 120/240 V 1 Phase Power 1 Phase Power 1 Phase Power Panels PP-7A-A, Panels PP-8A-A Panel PP-4A PP-7A-F, PP-7A-E, PP-8A-F, PP-8A-E, and PP-7A and PP-8A 120/208 V 3 Phase Power 3 Phase Power Panels PP-7A-G Panels PP-8A-G and PP-7A-A-A and PP-8A-A-A DC 250V Main Distribution buses Panel S2-1 Motor Control Center MC-S2-1A, Part A and Part B 125 V S1-1 S1-2 HPCS Motor Control Motor Control Distribution Center MC-S1-1D Center MC-S1-2D Panel Instrument and Instrument and Control NSSS Control NSSS Board Board Distribution Distribution Panel DP-S1-1A Panel DP-S1-2A Remote Shutdown Critical Distribution Switchgear and Panel DP-S1-1D Remote Shutdown Diesel Generator 1 Distribution Distribution Panel DP-S1-2D Panel DP-S1-1E Diesel Generator 2 Critical Distribution Switchgear Panel DP-S1-2E Distribution Panel DP-S1-1F (a) Each division of the AC and DC electrical power distribution system is a subsystem.
| |
| Columbia Generating Station B 3.8.7-9 Revision 90
| |
| | |
| Distribution Systems - Shutdown B 3.8.8 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.8 Distribution Systems - Shutdown BASES BACKGROUND A description of the AC and DC electrical power distribution systems is provided in the Bases for LCO 3.8.7, "Distribution Systems - Operating."
| |
| APPLICABLE The initial conditions of Design Basis Accident and transient analyses SAFETY in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume ANALYSES Engineered Safety Feature (ESF) systems are OPERABLE. The AC and DC electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.
| |
| The OPERABILITY of the AC and DC electrical power distribution system is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.
| |
| The OPERABILITY of the minimum AC and DC electrical power sources and associated power distribution subsystems during MODES 4 and 5 ensures that:
| |
| : a. The facility can be maintained in the shutdown or refueling condition for extended periods;
| |
| : b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
| |
| : c. Adequate power is provided to mitigate events postulated during shutdown.
| |
| The AC and DC electrical power distribution systems satisfy Criterion 3 of Reference 3.
| |
| LCO Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific plant condition. Implicit in those requirements is the required OPERABILITY of necessary support features. This LCO explicitly requires energization of the portions of the electrical distribution system necessary to support OPERABILITY of Technical Specifications' required systems, equipment, and componentsboth specifically addressed by their own LCOs, and implicitly required by the definition of OPERABILITY.
| |
| Columbia Generating Station B 3.8.8-1 Revision 111
| |
| | |
| Distribution Systems - Shutdown B 3.8.8 BASES LCO (continued)
| |
| In addition, it is acceptable for required buses to be cross-tied during shutdown conditions, permitting a single source to supply multiple redundant buses, provided the source is capable of maintaining proper frequency (if required) and voltage.
| |
| Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the plant in a safe manner to mitigate the consequences of postulated events during shutdown.
| |
| APPLICABILITY The AC and DC electrical power distribution subsystems required to be OPERABLE in MODES 4 and 5 provide assurance that:
| |
| : a. Systems that provide core cooling are available;
| |
| : b. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
| |
| : c. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown or refueling condition.
| |
| The AC and DC electrical power distribution subsystem requirements for MODES 1, 2, and 3 are covered in LCO 3.8.7.
| |
| ACTIONS A.1, A.2.1, and A.2.2 Although redundant required features may require redundant divisions of electrical power distribution subsystems to be OPERABLE, one OPERABLE distribution subsystem division may be capable of supporting sufficient required features. By allowing the option to declare required features associated with an inoperable distribution subsystem inoperable, appropriate restrictions are implemented in accordance with the affected distribution subsystem LCO's Required Actions. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made.
| |
| Columbia Generating Station B 3.8.8-2 Revision 111
| |
| | |
| Distribution Systems - Shutdown B 3.8.8 BASES ACTIONS (continued)
| |
| It is further required to immediately initiate action to restore the required AC and DC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the plant safety systems.
| |
| Notwithstanding performance of the above conservative Required Actions, a required residual heat removal-shutdown cooling (RHR-SDC) subsystem may be inoperable. In this case, Required Action A.2.1 does not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the RHR-SDC ACTIONS would not be entered. Therefore, Required Action A.2.2 is provided to direct declaring RHR-SDC inoperable, which results in taking the appropriate RHR-SDC ACTIONS.
| |
| The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required distribution subsystems should be completed as quickly as possible in order to minimize the time the plant safety systems may be without power.
| |
| SURVEILLANCE SR 3.8.8.1 REQUIREMENTS This Surveillance verifies that the AC and DC electrical power distribution subsystems are functioning properly, with the correct breaker alignment.
| |
| The correct breaker alignment ensures power is available to each required bus. The verification of energization of the buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. This may be performed by verification of absence of low voltage alarms or by verifying a load powered from the bus is operating. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Chapter 6.
| |
| : 2. FSAR, Chapter 15.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.8.8-3 Revision 111
| |
| | |
| Refueling Equipment Interlocks B 3.9.1 B 3.9 REFUELING OPERATIONS B 3.9.1 Refueling Equipment Interlocks BASES BACKGROUND Refueling equipment interlocks restrict the operation of the refueling equipment or the withdrawal of control rods to reinforce unit procedures in preventing the reactor from achieving criticality during refueling. The refueling interlock circuitry senses the conditions of the refueling equipment and the control rods. Depending on the sensed conditions, interlocks are actuated to prevent the operation of the refueling equipment or the withdrawal of control rods.
| |
| GDC 26 of 10 CFR 50, Appendix A, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The control rods, when fully inserted, serve as the system capable of maintaining the reactor subcritical in cold conditions during all fuel movement activities and accidents.
| |
| Two channels of instrumentation are provided to sense the position of the refueling platform, the loading of the refueling platform fuel grapple (main hoist), and the full insertion of all control rods. Additionally, inputs are provided for the loading of the refueling platform frame-mounted (auxiliary) hoist and the loading of the refueling platform trolley-mounted (monorail) hoist. With the reactor mode switch in the shutdown or refuel position, the indicated conditions are combined in logic circuits to determine if all restrictions on refueling equipment operations and control rod insertion are satisfied.
| |
| A control rod not at its full-in position interrupts power to the refueling equipment to prevent operating the equipment over the reactor core when loaded with a fuel assembly. Conversely, the refueling equipment located over the core and loaded with fuel inserts a control rod withdrawal block in the Reactor Manual Control System to prevent withdrawing a control rod.
| |
| The refueling platform has two mechanical switches that open before the platform or any of its hoists are physically located over the reactor vessel.
| |
| Each hoist load is sensed by an electronic load cell. The fuel grapple and frame-mounted hoist load signals are inputs to a programmable logic controller (PLC). The PLC performs the associated interlock and load functions. The trolley-mounted hoist load cell inputs to setpoint modules that perform their associated interlock and load functions. The PLC and setpoint modules open the associated fuel-loaded circuits at a load lighter Columbia Generating Station B 3.9.1-1 Revision 73
| |
| | |
| Refueling Equipment Interlocks B 3.9.1 BASES BACKGROUND (continued) than the weight of a single fuel assembly in water. The refueling interlocks use these indications to prevent operation of the refueling equipment with fuel loaded over the core whenever any control rod is withdrawn, or to prevent control rod withdrawal whenever fuel loaded refueling equipment is over the core (Ref. 2).
| |
| APPLICABLE The refueling interlocks are explicitly assumed in the FSAR analysis of SAFETY the control rod removal error during refueling (Ref. 3). This analysis ANALYSES evaluates the consequences of control rod withdrawal during refueling. A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment.
| |
| Criticality and, therefore, subsequent prompt reactivity excursions are prevented during the insertion of fuel, provided all control rods are fully inserted during the fuel insertion. The refueling interlocks accomplish this by preventing loading fuel into the core with any control rod withdrawn, or by preventing withdrawal of a rod from the core during fuel loading.
| |
| The refueling platform location switches activate at a point outside of the reactor core, such that, with a fuel assembly loaded and a control rod withdrawn, the fuel is not over the core.
| |
| Refueling equipment interlocks satisfy Criterion 3 of Reference 4.
| |
| LCO To prevent criticality during refueling, the refueling interlocks associated with the refuel position ensure that fuel assemblies are not loaded into the core with any control rod withdrawn.
| |
| To prevent these conditions from developing, the all-rods-in, the refueling platform position, the refueling platform fuel grapple fuel-loaded, the refueling platform frame-mounted hoist fuel-loaded, and the refueling platform trolley-mounted hoist fuel-loaded inputs are required to be OPERABLE. These inputs are combined in logic circuits that provide refueling equipment or control rod blocks to prevent operations that could result in criticality during refueling operations.
| |
| APPLICABILITY In MODE 5, a prompt reactivity excursion could cause fuel damage and subsequent release of radioactive material to the environment. The refueling equipment interlocks protect against prompt reactivity excursions during MODE 5. The interlocks are only required to be OPERABLE during in-vessel fuel movement with refueling equipment associated with the interlocks when the reactor mode switch is in the refuel position. The interlocks are not required when the reactor mode switch is in the shutdown position since a control rod block (LCO 3.3.2.1, "Control Rod Block Instrumentation") ensures control rod withdrawals cannot occur simultaneously with in-vessel fuel movements.
| |
| Columbia Generating Station B 3.9.1-2 Revision 73
| |
| | |
| Refueling Equipment Interlocks B 3.9.1 BASES APPLICABILITY (continued)
| |
| In MODES 1, 2, 3, and 4, the reactor pressure vessel head is on, and no fuel loading activities are possible. Therefore, the refueling interlocks are not required to be OPERABLE in these MODES.
| |
| ACTIONS A.1 With one or more of the required refueling equipment interlocks inoperable, the unit must be placed in a condition in which the LCO does not apply. In-vessel fuel movement with the affected refueling equipment must be immediately suspended. This action ensures that operations are not performed with equipment that would potentially not be blocked from unacceptable operations (e.g., loading fuel into a cell with a control rod withdrawn). Suspension of in-vessel fuel movement shall not preclude completion of movement of a component to a safe position.
| |
| SURVEILLANCE SR 3.9.1.1 REQUIREMENTS Performance of a CHANNEL FUNCTIONAL TEST demonstrates each required refueling equipment interlock will function properly when a simulated or actual signal indicative of a required condition is injected into the logic. The CHANNEL FUNCTIONAL TEST may be performed by any series of sequential, overlapping, or total channel steps so that the entire channel is tested.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 26.
| |
| : 2. FSAR, Section 7.7.1.13.
| |
| : 3. FSAR, Section 15.4.1.1.
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.9.1-3 Revision 93
| |
| | |
| Refuel Position One-Rod-Out Interlock B 3.9.2 B 3.9 REFUELING OPERATIONS B 3.9.2 Refuel Position One-Rod-Out Interlock BASES BACKGROUND The refuel position one-rod-out interlock restricts the movement of control rods to reinforce unit procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn.
| |
| GDC 26 of 10 CFR 50, Appendix A, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions.
| |
| The refuel position one-rod-out interlock prevents the selection of a second control rod for movement when any other control rod is not fully inserted (Ref. 2). It is a logic circuit that has redundant channels. It uses the all-rods-in signal (from the control rod full-in position indicators discussed in LCO 3.9.4, "Control Rod Position Indication") and a rod selection signal (from the Reactor Manual Control System).
| |
| This Specification ensures that the performance of the refuel position one-rod-out interlock in the event of a Design Basis Accident meets the assumptions used in the safety analysis of Reference 3.
| |
| APPLICABLE The refuel position one-rod-out interlock is explicitly assumed in the SAFETY FSAR analysis of the control rod removal error during refueling (Ref. 3).
| |
| ANALYSES This analysis evaluates the consequences of control rod withdrawal during refueling. A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment.
| |
| The refuel position one-rod-out interlock and adequate SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") prevent criticality by preventing withdrawal of more than one control rod. With one control rod withdrawn, the core will remain subcritical, thereby preventing any prompt critical excursion.
| |
| The refuel position one-rod-out interlock Criterion 3 of Reference 4.
| |
| Columbia Generating Station B 3.9.2-1 Revision 73
| |
| | |
| Refuel Position One-Rod-Out Interlock B 3.9.2 BASES LCO To prevent criticality during MODE 5, the refuel position one-rod-out interlock ensures no more than one control rod may be withdrawn. Both channels of the refuel position one-rod-out interlock are required to be OPERABLE and the reactor mode switch must be locked in the refuel position to support the OPERABILITY of these channels.
| |
| APPLICABILITY In MODE 5, with the reactor mode switch in the refuel position, the OPERABLE refuel position one-rod-out interlock provides protection against prompt reactivity excursions.
| |
| In MODES 1, 2, 3, and 4, the refuel position one-rod-out interlock is not required to be OPERABLE and is bypassed. In MODES 1 and 2, the Reactor Protection System (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation") and the control rods (LCO 3.1.3, "Control Rod OPERABILITY") provide mitigation of potential reactivity excursions. In MODES 3 and 4, with the reactor mode switch in the shutdown position, a control rod block (LCO 3.3.2.1, "Control Rod Block Instrumentation")
| |
| ensures all control rods are inserted, thereby preventing criticality during shutdown conditions.
| |
| ACTIONS A.1 and A.2 With one or both channels of the refuel position one-rod-out interlock inoperable, the refueling interlocks may not be capable of preventing more than one control rod from being withdrawn. This condition may lead to criticality.
| |
| Control rod withdrawal must be immediately suspended, and action must be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Action must continue until all such control rods are fully inserted. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and, therefore, do not have to be inserted.
| |
| SURVEILLANCE SR 3.9.2.1 REQUIREMENTS Proper functioning of the refueling position one-rod-out interlock requires the reactor mode switch to be in Refuel. During control rod withdrawal in MODE 5, improper positioning of the reactor mode switch could, in some instances, allow improper bypassing of required interlocks. Therefore, this Surveillance imposes an additional level of assurance that the refueling position one-rod-out interlock will be OPERABLE when required.
| |
| By "locking" the reactor mode switch in the proper position (i.e., removing the mode switch key from the console while the reactor mode switch is positioned in refuel), an additional administrative control is in place to preclude operator errors from resulting in unanalyzed operation.
| |
| Columbia Generating Station B 3.9.2-2 Revision 73
| |
| | |
| Refuel Position One-Rod-Out Interlock B 3.9.2 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.9.2.2 Performance of a CHANNEL FUNCTIONAL TEST on each channel demonstrates the associated refuel position one-rod-out interlock will function properly when a simulated or actual signal indicative of a required condition is injected into the logic. The CHANNEL FUNCTIONAL TEST may be performed by any series of sequential, overlapping, or total channel steps so that the entire channel is tested.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. To perform the required testing, the applicable condition must be entered (i.e., a control rod must be withdrawn from its full-in position). Therefore, SR 3.9.2.2 has been modified by a Note that states the CHANNEL FUNCTIONAL TEST is not required to be performed until 1 hour after any control rod is withdrawn.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 26.
| |
| : 2. FSAR, Section 7.7.1.13.
| |
| : 3. FSAR, Section 15.4.1.1.
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.9.2-3 Revision 93
| |
| | |
| Control Rod Position B 3.9.3 B 3.9 REFUELING OPERATIONS B 3.9.3 Control Rod Position BASES BACKGROUND Control rods provide the capability to maintain the reactor subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the Reactor Manual Control System.
| |
| During refueling, movement of control rods is limited by the refueling interlocks (LCO 3.9.1, "Refueling Equipment Interlocks" and LCO 3.9.2, "Refuel Position One-Rod-Out Interlock") or the control rod block with the reactor mode switch in the shutdown position (LCO 3.3.2.1, "Control Rod Block Instrumentation").
| |
| GDC 26 of 10 CFR 50, Appendix A, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions.
| |
| The refueling interlocks allow a single control rod to be withdrawn at any time unless fuel is being loaded into the core. To preclude loading fuel assemblies into the core with a control rod withdrawn, all control rods must be fully inserted. This prevents the reactor from achieving criticality during refueling operations.
| |
| APPLICABLE Prevention and mitigation of prompt reactivity excursions during refueling SAFETY are provided by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2), the ANALYSES SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"), the intermediate range monitor neutron flux scram (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"), and the control rod block instrumentation (LCO 3.3.2.1).
| |
| The safety analysis of the control rod removal error during refueling in the FSAR (Ref. 2) assumes the functioning of the refueling interlocks and adequate SDM. Additionally, prior to fuel reload, all control rods must be fully inserted to minimize the probability of an inadvertent criticality.
| |
| Control rod position satisfies Criterion 3 of Reference 3.
| |
| LCO All control rods must be fully inserted during applicable refueling conditions to minimize the probability of an inadvertent criticality during refueling.
| |
| Columbia Generating Station B 3.9.3-1 Revision 73
| |
| | |
| Control Rod Position B 3.9.3 BASES APPLICABILITY During MODE 5, loading fuel into core cells with control rods withdrawn may result in inadvertent criticality. Therefore, the control rods must be inserted before loading fuel into a core cell. All control rods must be inserted before loading fuel to ensure that a fuel loading error does not result in loading fuel into a core cell with the control rod withdrawn.
| |
| In MODES 1, 2, 3, and 4, the reactor pressure vessel head is on, and no fuel loading activities are possible. Therefore, this Specification is not applicable in these MODES.
| |
| ACTIONS A.1 With all control rods not fully inserted during the applicable conditions, an inadvertent criticality could occur that is not analyzed in the FSAR. All fuel loading operations must be immediately suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position.
| |
| SURVEILLANCE SR 3.9.3.1 REQUIREMENTS During refueling, to ensure that the reactor remains subcritical, all control rods must be fully inserted prior to and during fuel loading. Periodic checks of the control rod position ensure this condition is maintained.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 26.
| |
| : 2. FSAR, Section 15.4.1.1.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.9.3-2 Revision 93
| |
| | |
| Control Rod Position Indication B 3.9.4 B 3.9 REFUELING OPERATIONS B 3.9.4 Control Rod Position Indication BASES BACKGROUND The full-in position indication channels for each control rod provide information necessary to the refueling interlocks to prevent inadvertent criticalities during refueling operations. During refueling, the refueling interlocks (LCO 3.9.1, "Refueling Equipment Interlocks," and LCO 3.9.2, "Refuel Position One-Rod-Out Interlock") use the full-in position indication channels to limit the operation of the refueling equipment and the movement of the control rods. Three full-in position indication channels are provided for each control rod (switch S00, the 00 readout; switch S51, overtravel - scram water applied; and switch S52, normal green light). All three full-in position indication channels provide input to the all-rods-in logic. If any one of the three full-in position indication channels indicates full-in, the all-rods-in logic will receive a full-in signal for that control rod.
| |
| The absence of all full-in position indication channels signal for any control rod removes the all-rods-in permissive for the refueling equipment interlocks and prevents fuel loading. Also, this condition causes the refuel position one-rod-out interlock to not allow the selection of any other control rod. The all-rods-in logic provides two signals, one to each of the two Reactor Manual Control System rod block logic circuits. A channel provides correct position indication to the refueling interlock logic when all three full-in position indication channel signals for the control rod are absent when the rod is withdrawn past the 00 rod position. Additionally, disconnecting the position indication probe causes indication to be absent for all control rod positions. The Rod Position Indication System (RPIS) interprets a loss of position indication as a withdrawn position, indicating that the control rod is not in the full-in position which satisfies the RODS NOT FULL-IN Condition.
| |
| GDC 26 of 10 CFR 50, Appendix A, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions.
| |
| Columbia Generating Station B 3.9.4-1 Revision 73
| |
| | |
| Control Rod Position Indication B 3.9.4 BASES APPLICABLE Prevention and mitigation of prompt reactivity excursions during refueling SAFETY are provided by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2), the ANALYSES SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"), the intermediate range monitor neutron flux scram (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"), and the control rod block instrumentation (LCO 3.3.2.1, "Control Rod Block Instrumentation").
| |
| The safety analysis for the control rod removal error during refueling (Ref. 2) assumes the functioning of the refueling interlocks and adequate SDM. The full-in position indication channel is required to be OPERABLE so that the refueling interlocks can ensure that fuel cannot be loaded with any control rod withdrawn and that no more than one control rod can be withdrawn at a time.
| |
| Control rod position indication satisfies Criterion 3 of Reference 3.
| |
| LCO Each control rod full-in position indication channel must be OPERABLE to provide the required inputs to the refueling interlocks. A channel is OPERABLE if it provides correct position indication to the refueling interlock logic.
| |
| APPLICABILITY During MODE 5, the control rods must have OPERABLE full-in position indication channels to ensure the applicable refueling interlocks will be OPERABLE.
| |
| In MODES 1 and 2, requirements for control rod position are specified in LCO 3.1.3, "Control Rod OPERABILITY." In MODES 3 and 4, with the reactor mode switch in the shutdown position, a control rod block (LCO 3.3.2.1) ensures all control rods are inserted, thereby preventing criticality during shutdown conditions.
| |
| ACTIONS A Note has been provided to modify the ACTIONS related to control rod position indication channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.
| |
| Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable control rod position indication channels provide appropriate compensatory measures for separate inoperable channels. As such, this Note has been provided, which allows separate Condition entry for each inoperable required control rod position indication channel.
| |
| Columbia Generating Station B 3.9.4-2 Revision 73
| |
| | |
| Control Rod Position Indication B 3.9.4 BASES ACTIONS (continued)
| |
| A.1.1, A.1.2, A.1.3, A.2.1, and A.2.2 With one or more required full-in position indication channels inoperable, compensating actions must be taken to protect against potential reactivity excursions from fuel assembly insertions or control rod withdrawals. This may be accomplished by immediately suspending in-vessel fuel movement and control rod withdrawal, and immediately initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Actions must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted.
| |
| Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and, therefore, do not have to be inserted.
| |
| Suspension of in-vessel fuel movements and control rod withdrawal shall not preclude moving a component to a safe position.
| |
| Alternatively, actions may be immediately initiated to fully insert the control rod(s) associated with the inoperable full-in position indicators(s) and to disarm (electrically or hydraulically) the drive(s) to ensure that the control rod is not withdrawn. A control rod can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. A control rod can be electrically disarmed by disconnecting power from all four directional control valve solenoids or by removing all four directional control valve solenoids from their respective directional control valves.
| |
| Actions must continue until all associated control rods are fully inserted and drives are disarmed. Under these conditions (control rod fully inserted and disarmed), an inoperable full-in channel may be bypassed to allow refueling operations to proceed. An alternate method must be used to ensure the control rod is fully inserted (e.g., use the "00" notch position indication).
| |
| Columbia Generating Station B 3.9.4-3 Revision 73
| |
| | |
| Control Rod Position Indication B 3.9.4 BASES SURVEILLANCE SR 3.9.4.1 REQUIREMENTS The full-in position indication channels provide input to the one-rod-out interlock and other refueling interlocks that require an all-rods-in permissive.
| |
| Three full-in position indication channels are provided for each control rod (switch S00, the 00 readout; switch S51, overtravel - scram water applied; and switch S52, normal green light). All three full-in position indication channels provide input to the all-rods-in logic.
| |
| The interlocks are activated when all three full-in position indications for any control rod are not present, since this indicates that all rods are not fully inserted.
| |
| Testing of the full-in position indication channels is performed to ensure that when a control rod is withdrawn, the full-in position indications are not present. This is performed by verifying the absence of the full-in position indications for the control on rod withdrawal.
| |
| If an "XX" is encountered during or following rod motion, steps should be taken to ensure that, when the rod is withdrawn, the S00, S51, and S52 reed switches are each providing the correct position indication to the refueling interlock logic.
| |
| A full-in position indication channel is considered inoperable even with the control rod fully inserted, if it would continue to indicate full-in with the control rod withdrawn.
| |
| Performing the SR each time a control rod is withdrawn from the full-in position is considered adequate because of the procedural controls on control rod withdrawals and the visual indications available in the control room that alert the operator to control rods that are not fully inserted.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 26.
| |
| : 2. FSAR, Section 15.4.1.1.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.9.4-4 Revision 99
| |
| | |
| Control Rod OPERABILITY - Refueling B 3.9.5 B 3.9 REFUELING OPERATIONS B 3.9.5 Control Rod OPERABILITY - Refueling BASES BACKGROUND Control rods are components of the Control Rod Drive (CRD) System, the primary reactivity control system for the reactor. In conjunction with the Reactor Protection System, the CRD System provides the means for the reliable control of reactivity changes during refueling operation. In addition, the control rods provide the capability to maintain the reactor subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the CRD System.
| |
| GDC 26 of 10 CFR 50, Appendix A, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The CRD System is the system capable of maintaining the reactor subcritical in cold conditions.
| |
| APPLICABLE Prevention and mitigation of prompt reactivity excursions during refueling SAFETY are provided by refueling interlocks (LCO 3.9.1, "Refueling Equipment ANALYSES Interlocks," and LCO 3.9.2, "Refuel Position One-Rod-Out Interlock"), the SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"), the intermediate range monitor neutron flux scram (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"), and the control rod block instrumentation (LCO 3.3.2.1, "Control Rod Block Instrumentation").
| |
| The safety analysis for the control rod removal error during refueling (Ref. 2) evaluates the consequences of control rod withdrawal during refueling and also fuel assembly insertion with a control rod withdrawn. A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment.
| |
| Control rod scram provides protection should a prompt reactivity excursion occur.
| |
| Control rod OPERABILITY during refueling satisfies Criterion 3 of Reference 3.
| |
| LCO Each withdrawn control rod must be OPERABLE. The withdrawn control rod is considered OPERABLE if the scram accumulator pressure is 940 psig and the control rod is capable of being automatically inserted upon receipt of a scram signal. Inserted control rods have already completed their reactivity control function, and therefore, are not required to be OPERABLE.
| |
| APPLICABILITY During MODE 5, withdrawn control rods must be OPERABLE to ensure that in a scram the control rods will insert and provide the required negative reactivity to maintain the reactor subcritical.
| |
| Columbia Generating Station B 3.9.5-1 Revision 73
| |
| | |
| Control Rod OPERABILITY - Refueling B 3.9.5 BASES APPLICABILITY (continued)
| |
| For MODES 1 and 2, control rod requirements are found in LCO 3.1.2, "Reactivity Anomalies," LCO 3.1.3, "Control Rod OPERABILITY,"
| |
| LCO 3.1.4, "Control Rod Scram Times," and LCO 3.1.5, "Control Rod Scram Accumulators." During MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate requirements for control rod OPERABILITY during these conditions.
| |
| ACTIONS A.1 With one or more withdrawn control rods inoperable, action must be immediately initiated to fully insert the inoperable control rod(s). Inserting the control rod(s) ensures that the shutdown and scram capabilities are not adversely affected. Actions must continue until the inoperable control rod(s) is fully inserted.
| |
| SURVEILLANCE SR 3.9.5.1 and SR 3.9.5.2 REQUIREMENTS During MODE 5, the OPERABILITY of control rods is primarily required to ensure that a withdrawn control rod will automatically insert if a signal requiring a reactor shutdown occurs. Because no explicit analysis exists for automatic shutdown during refueling, the shutdown function is satisfied if the withdrawn control rod is capable of automatic insertion and the associated CRD scram accumulator pressure is 940 psig.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.9.5.1 is modified by a Note that allows 7 days after withdrawal of the control rod to perform the Surveillance. This acknowledges that the control rod must first be withdrawn before performance of the Surveillance, and therefore avoids potential conflicts with SR 3.0.3 and SR 3.0.4.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 26.
| |
| : 2. FSAR, Section 15.4.1.1.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.9.5-2 Revision 93
| |
| | |
| RPV Water Level - Irradiated Fuel B 3.9.6 B 3.9 REFUELING OPERATIONS B 3.9.6 Reactor Pressure Vessel (RPV) Water Level - Irradiated BASES BACKGROUND The movement of irradiated fuel assemblies within the RPV requires a minimum water level of 22 ft above the top of the RPV flange. During refueling, this maintains a sufficient water level in the reactor vessel cavity and spent fuel storage pool. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a fuel handling accident (Refs. 1 and 2). Sufficient iodine activity would be retained to limit offsite doses from the accident to 6.3 rem TEDE, as provided by the guidance of Reference 3.
| |
| APPLICABLE During movement of irradiated fuel assemblies the water level in the RPV SAFETY is an initial condition design parameter in the analysis of fuel handling ANALYSES accident in containment postulated by Appendix B of RG 1.183 (Ref. 1).
| |
| The 22 feet above the top of the RPV flange equates to approximately 52 feet above the fuel seated in the vessel. The analyzed fuel drop is assumed to occur in the reactor vessel cavity, as a drop from this location would create the bounding amount of fuel damage. The source term for this accident is the fission product inventory contained in the gap of the damaged rods. The fraction of fission product inventory assumed in the gap is specified in Table 3 of RG 1.183 (Ref. 1). Analysis of the FHA is described in Reference 2. The number of rods damaged includes rods from the dropped bundle and rods from impacted bundles seated in the vessel. An unobstructed drop over the reactor cavity results in the greatest amount of kinetic energy and the bounding amount of rod damage. A bundle dropped over the spent fuel pool or onto the vessel flange would result in reduced releases of fission gases.
| |
| A minimum water level of 23 feet above the fuel seated in the vessel allows an overall decontamination factor of 200 for the iodine released from the damaged rods (Appendix B of Ref. 1). With the minimum water level of 22 feet above the RPV flange and a minimum decay time of 24 hours prior to fuel movement, the analysis demonstrates that the resulting radiological consequences are within the allowable limits (Refs. 1 and 3).
| |
| RPV water level satisfies Criterion 2 of Reference 4.
| |
| LCO A minimum water level of 22 ft above the top of the RPV flange is required to ensure that the radiological consequences of a postulated fuel handling accident are within acceptable limits, as provided by the guidance of Reference 1.
| |
| Columbia Generating Station B 3.9.6-1 Revision 73
| |
| | |
| RPV Water Level - Irradiated Fuel B 3.9.6 BASES APPLICABILITY LCO 3.9.6 is applicable when moving irradiated fuel assemblies within the RPV. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel is not present within the RPV, there can be no significant radioactivity release as a result of a postulated fuel handling accident.
| |
| Requirements for handling of new fuel assemblies or control rods (where water depth to the RPV flange is not of concern) are covered by LCO 3.9.7, "RPV Water Level - New Fuel or Control Rods."
| |
| Requirements for fuel handling accidents in the spent fuel storage pool are covered by LCO 3.7.7, "Fuel Pool Water Level."
| |
| ACTIONS A.1 If the water level is < 22 ft above the top of the RPV flange, all operations involving movement of irradiated fuel assemblies within the RPV shall be suspended immediately to ensure that a fuel handling accident cannot occur. The suspension of irradiated fuel movement shall not preclude completion of movement of a component to a safe position.
| |
| SURVEILLANCE SR 3.9.6.1 REQUIREMENTS Verification of a minimum water level of 22 ft above the top of the RPV flange ensures that the design basis for the postulated fuel handling accident analysis during refueling operations is met. Water at the required level limits the consequences of damaged fuel rods, which are postulated to result from a fuel handling accident in containment (Ref. 2).
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. Regulatory Guide 1.183, July 2000.
| |
| : 2. FSAR, Section 15.7.4.
| |
| : 3. 10 CFR 50.67, "Accident Source Term."
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.9.6-2 Revision 93
| |
| | |
| RPV Water Level - New Fuel or Control Rods B 3.9.7 B 3.9 REFUELING OPERATIONS B 3.9.7 Reactor Pressure Vessel (RPV) Water Level - New Fuel or Control Rods BASES BACKGROUND The movement of new fuel assemblies or handling of control rods within the RPV when fuel assemblies seated within the reactor vessel are irradiated requires a minimum water level of 23 ft above the top of irradiated fuel assemblies seated within the RPV. During refueling, this maintains a sufficient water level above the irradiated fuel. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a fuel handling accident (Refs. 1 and 2). Sufficient iodine activity would be retained to limit offsite doses from the accident to 6.3 rem TEDE, as provided by the guidance of Reference 1.
| |
| APPLICABLE During movement of new fuel assemblies or handling of control rods over SAFETY irradiated fuel assemblies, the water level in the RPV is an initial condition ANALYSES design parameter in the analysis of a fuel handling accident in containment postulated by RG 1.183 (Ref. 1). A minimum water level of 23 ft above the fuel seated in the RPV allows an overall decontamination factor (DF) of 200 for the iodine released from the damaged rods. This DF is used in the Fuel Handling Accident (FHA) analysis (Ref. 2). The source term for this accident is the fission product inventory contained in the gap of the damaged rods. The fraction of fission product inventory assumed to be in the gap is specified in Table 3 of RG 1.183 (Ref. 1).
| |
| With a minimum water level of 23 ft above the fuel seated in the RPV and a minimum decay time of 24 hours prior to fuel handling, the analysis demonstrates that the resulting radiological consequences are within the allowable limits (Refs. 1 and 3). The related assumptions include the worst case dropping of an irradiated fuel assembly onto the reactor core loaded with irradiated fuel assemblies.
| |
| RPV water level satisfies Criterion 2 of Reference 4.
| |
| LCO A minimum water level of 23 ft above the top of irradiated fuel assemblies seated within the RPV is required to ensure that the radiological consequences of a postulated fuel handling accident are within acceptable limits, as provided by the guidance of Reference 1.
| |
| Columbia Generating Station B 3.9.7-1 Revision 73
| |
| | |
| RPV Water Level - New Fuel or Control Rods B 3.9.7 BASES APPLICABILITY LCO 3.9.7 is applicable when moving new fuel assemblies or handling control rods (i.e., movement with other than the normal control rod drive) over irradiated fuel assemblies seated within the RPV. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel is not present within the RPV, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel storage pool are covered by LCO 3.7.7, "Fuel Pool Water Level." Requirements for handling irradiated fuel over the RPV are covered by LCO 3.9.6, "Reactor Pressure Vessel (RPV) Water Level - Irradiated Fuel."
| |
| ACTIONS A.1 If the water level is < 23 ft above the top of irradiated fuel assemblies seated within the RPV, all operations involving movement of new fuel assemblies and handling of control rods within the RPV shall be suspended immediately to ensure that a fuel handling accident cannot occur. The suspension of fuel movement and control rod handling shall not preclude completion of movement of a component to a safe position.
| |
| SURVEILLANCE SR 3.9.7.1 REQUIREMENTS Verification of a minimum water level of 23 ft above the top of the irradiated fuel assemblies seated within the RPV ensures that the design basis for the postulated fuel handling accident analysis during refueling operations is met. Water at the required level limits the consequences of damaged fuel rods, which are postulated to result from a fuel handling accident in containment (Ref. 2).
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. Regulatory Guide 1.183, July 2000.
| |
| : 2. FSAR, Section 15.7.4.
| |
| : 3. 10 CFR 50.67, "Accident Source Term."
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.9.7-2 Revision 93
| |
| | |
| RHR - High Water Level B 3.9.8 B 3.9 REFUELING OPERATIONS B 3.9.8 Residual Heat Removal (RHR) - High Water Level BASES BACKGROUND The purpose of the RHR System in MODE 5 is to remove decay heat and sensible heat from the reactor coolant, as required by GDC 34 (Ref. 1).
| |
| Each of the two shutdown cooling loops of the RHR System can provide the required decay heat removal. Each loop consists of one motor driven pump, a heat exchanger, and associated piping and valves. Both loops have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after it has been cooled by circulation through the respective heat exchanger, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the Standby Service Water (SW) System. The RHR shutdown cooling mode is manually controlled.
| |
| In addition to the RHR subsystems, the volume of water above the reactor pressure vessel (RPV) flange provides a heat sink for decay heat removal.
| |
| APPLICABLE With the unit in MODE 5, the RHR Shutdown Cooling System is not SAFETY required to mitigate any events or accidents evaluated in the safety ANALYSES analyses. The RHR Shutdown Cooling System is required for removing decay heat to maintain the temperature of the reactor coolant.
| |
| The RHR System satisfies Criterion 4 of Reference 2 LCO Only one RHR shutdown cooling subsystem is required to be OPERABLE in MODE 5 with irradiated fuel in the RPV and the water level 22 ft above the RPV flange. Only one subsystem is required because the volume of water above the RPV flange provides backup decay heat removal capability.
| |
| An OPERABLE RHR shutdown cooling subsystem consists of an RHR pump, a heat exchanger, a SW pump providing cooling to the heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path. Management of gas voids is important to RHR Shutdown Cooling System OPERABILITY.
| |
| Additionally, each RHR shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. Operation (either continuous or intermittent) of one subsystem can maintain and reduce the Columbia Generating Station B 3.9.8-1 Revision 105
| |
| | |
| RHR - High Water Level B 3.9.8 BASES LCO (continued) reactor coolant temperature as required. However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. A Note is provided to allow a 2 hour exception for the operating subsystem to be removed from operation every 8 hours.
| |
| APPLICABILITY One RHR shutdown cooling subsystem must be OPERABLE in MODE 5, with irradiated fuel in the RPV and the water level 22 ft above the top of the RPV flange, to provide decay heat removal. RHR shutdown cooling subsystem requirements in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR shutdown cooling subsystem requirements in MODE 5, with irradiated fuel in the RPV and the water level < 22 ft above the RPV flange, are given in LCO 3.9.9, "Residual Heat Removal (RHR) - Low Water Level."
| |
| ACTIONS A.1 With no RHR shutdown cooling subsystem OPERABLE, an alternate method of decay heat removal must be established within 1 hour. In this condition, the volume of water above the RPV flange provides adequate capability to remove decay heat from the reactor core. However, the overall reliability is reduced because loss of water level could result in reduced decay heat removal capability. The 1 hour Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of the alternate method must be reconfirmed every 24 hours thereafter. This will ensure continued heat removal capability.
| |
| Alternate decay heat removal methods are available to the operators for review and preplanning in the unit Operating Procedures. The required cooling capacity of the alternate method should be ensured by verifying (by calculation or demonstration) its capability to maintain or reduce temperature. For example, this may include the use of the Fuel Pool Cooling System, and the Reactor Water Cleanup System operating with the regenerative heat exchanger bypassed or in combination with the Control Rod Drive System or Condensate System. The method used to remove the decay heat should be the most prudent choice based on unit conditions.
| |
| Columbia Generating Station B 3.9.8-2 Revision 105
| |
| | |
| RHR - High Water Level B 3.9.8 BASES ACTIONS (continued)
| |
| B.1, B.2, B.3, and B.4 If no RHR shutdown cooling subsystem is OPERABLE and an alternate method of decay heat removal is not available in accordance with Required Action A.1, actions shall be taken immediately to suspend operations involving an increase in reactor decay heat load by suspending the loading of irradiated fuel assemblies into the RPV.
| |
| Additional actions are required to minimize any potential fission product release to the environment. This includes ensuring secondary containment is OPERABLE, one standby gas treatment subsystem is OPERABLE, and secondary containment isolation capability is available in each associated penetration flow path not isolated that is assumed to be isolated to mitigate radioactive releases (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or other acceptable administrative controls to assure isolation capability. These administrative controls consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated). This may be performed as an administrative check, by examining logs or other information to determine whether the components are out of service for maintenance or other reasons. It does not mean to perform the surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, a surveillance may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE.
| |
| C.1 and C.2 If no RHR shutdown cooling subsystem is in operation, an alternate method of coolant circulation is required to be established within 1 hour.
| |
| The Completion Time is modified such that 1 hour is applicable separately for each occurrence involving a loss of coolant circulation.
| |
| During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem), the reactor coolant temperature must be periodically monitored to ensure proper functioning of the alternate method. The once per hour Completion Time is deemed appropriate.
| |
| Columbia Generating Station B 3.9.8-3 Revision 105
| |
| | |
| RHR - High Water Level B 3.9.8 BASES SURVEILLANCE SR 3.9.8.1 REQUIREMENTS This Surveillance demonstrates that the required RHR shutdown cooling subsystem is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.9.8.2 RHR Shutdown Cooling System piping and components have the potential to develop voids and pockets of entrained gases. Preventing and managing gas intrusion and accumulation is necessary for proper operation of the required RHR shutdown cooling subsystem(s) and may also prevent water hammer, pump cavitation, and pumping of noncondensible gas into the reactor vessel.
| |
| Selection of RHR Shutdown Cooling System locations susceptible to gas accumulation is based on a review of system design information, including piping and instrumentation drawings, isometric drawings, plan and elevation drawings, and calculations. The design review is supplemented by system walk downs to validate the system high points and to confirm the location and orientation of important components that can become sources of gas or could otherwise cause gas to be trapped or difficult to remove during system maintenance or restoration.
| |
| Susceptible locations depend on plant and system configuration, such as stand-by versus operating conditions.
| |
| The RHR Shutdown Cooling System is OPERABLE when it is sufficiently filled with water. Acceptance criteria are established for the volume of accumulated gas at susceptible locations. If accumulated gas is discovered that exceeds the acceptance criteria for the susceptible location (or the volume of accumulated gas at one or more susceptible locations exceeds an acceptance criteria for gas volume at the suction or discharge of a pump), the Surveillance is not met. If it is determined by subsequent evaluation that the RHR Shutdown Cooling System is not rendered inoperable by the accumulated gas (i.e., the system is sufficiently filled with water), the Surveillance may be declared met.
| |
| Accumulated gas should be eliminated or brought within the acceptance criteria limits.
| |
| Columbia Generating Station B 3.9.8-4 Revision 105
| |
| | |
| RHR - High Water Level B 3.9.8 BASES SURVEILLANCE REQUIREMENTS (continued)
| |
| RHR Shutdown Cooling System locations susceptible to gas accumulation are monitored and, if gas is found, the gas volume is compared to the acceptance criteria for the location. Susceptible locations in the same system flow path which are subject to the same gas intrusion mechanisms may be verified by monitoring a representative sub-set of susceptible locations. Monitoring may not be practical for locations that are inaccessible due to radiological or environmental conditions, the plant configuration, or personnel safety. For these locations alternative methods (e.g., operating parameters, remote monitoring) may be used to monitor the susceptible location. Monitoring is not required for susceptible locations where the maximum potential accumulated gas void volume has been evaluated and determined to not challenge system OPERABILITY. The accuracy of the method used for monitoring the susceptible locations and trending of the results should be sufficient to assure system OPERABILITY during the Surveillance interval.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Surveillance Frequency may vary by location susceptible to gas accumulation.
| |
| REFERENCES 1. 10 CFR 50, Appendix A, GDC 34.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.9.8-5 Revision 105
| |
| | |
| RHR - Low Water Level B 3.9.9 B 3.9 REFUELING OPERATIONS B 3.9.9 Residual Heat Removal (RHR) - Low Water Level BASES BACKGROUND The purpose of the RHR System in MODE 5 is to remove decay heat and sensible heat from the reactor coolant, as required by GDC 34 (Ref. 1).
| |
| Each of the two shutdown cooling loops of the RHR System can provide the required decay heat removal. Each loop consists of one motor driven pump, a heat exchanger, and associated piping and valves. Both loops have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after it has been cooled by circulation through the respective heat exchanger, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the Standby Service Water (SW) System. The RHR shutdown cooling mode is manually controlled.
| |
| APPLICABLE With the unit in MODE 5, the RHR Shutdown Cooling System is not SAFETY required to mitigate any events or accidents evaluated in the safety ANALYSES analyses. The RHR Shutdown Cooling System is required for removing decay heat to maintain the temperature of the reactor coolant.
| |
| The RHR System satisfies Criterion 4 of Reference 2.
| |
| LCO In MODE 5 with irradiated fuel in the reactor pressure vessel (RPV) and the water level < 22 ft above the reactor pressure vessel (RPV) flange both RHR shutdown cooling subsystems must be OPERABLE.
| |
| An OPERABLE RHR shutdown cooling subsystem consists of an RHR pump, a heat exchanger, a SW pump providing cooling to the heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path. Management of gas voids is important to RHR Shutdown Cooling System OPERABILITY.
| |
| Additionally, each RHR shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. Operation (either continuous or intermittent) of one subsystem can maintain and reduce the reactor coolant temperature as required. However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. A Note is provided to allow a 2 hour exception to shut down the operating subsystem every 8 hours.
| |
| Columbia Generating Station B 3.9.9-1 Revision 105
| |
| | |
| RHR - Low Water Level B 3.9.9 BASES APPLICABILITY Two RHR shutdown cooling subsystems are required to be OPERABLE in MODE 5, with irradiated fuel in the RPV and the water level < 22 ft above the top of the RPV flange, to provide decay heat removal. RHR shutdown cooling subsystem requirements in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR shutdown cooling subsystem requirements in MODE 5, with irradiated fuel in the RPV and the water level 22 ft above the RPV flange, are given in LCO 3.9.8, "Residual Heat Removal (RHR) - High Water Level."
| |
| ACTIONS A.1 With one of the two RHR shutdown cooling subsystems inoperable, the remaining subsystem is capable of providing the required decay heat removal. However, the overall reliability is reduced. Therefore, an alternate method of decay heat removal must be provided. With both RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem inoperability. This re-establishes backup decay heat removal capabilities, similar to the requirements of the LCO. The 1 hour Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of these alternate method(s) must be reconfirmed every 24 hours thereafter. This will ensure continued heat removal capability.
| |
| Alternate decay heat removal methods are available to the operators for review and preplanning in the unit Operating Procedures. The required cooling capacity of the alternate method(s) should be ensured by verifying (by calculation or demonstration) their capacity to maintain or reduce temperature. For example, this may include the use of the Fuel Pool Cooling System, and the Reactor Water Cleanup System operating with the regenerative heat exchanger bypassed or in combination with the Control Rod Drive System or Condensate System. The method used to remove decay heat should be the most prudent choice based on unit conditions.
| |
| B.1, B.2, and B.3 With the required decay heat removal subsystem(s) inoperable and the required alternate method(s) of decay heat removal not available in accordance with Required Action A.1, additional actions are required to minimize any potential fission product release to the environment. This includes ensuring secondary containment is OPERABLE, one standby gas treatment subsystem is OPERABLE, and secondary containment isolation capability is available in each associated penetration flow path not isolated that is assumed to be isolated to mitigate radioactive releases Columbia Generating Station B 3.9.9-2 Revision 73
| |
| | |
| RHR - Low Water Level B 3.9.9 BASES ACTIONS (continued)
| |
| (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or other acceptable administrative controls to assure isolation capability. These administrative controls consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated). This may be performed as an administrative check, by examining logs or other information to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, the surveillance may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE.
| |
| C.1 and C.2 If no RHR shutdown cooling subsystem is in operation, an alternate method of coolant circulation is required to be established within 1 hour.
| |
| The Completion Time is modified such that the 1 hour is applicable separately for each occurrence involving a loss of coolant circulation.
| |
| During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem), the reactor coolant temperature must be periodically monitored to ensure proper function of the alternate method. The once per hour Completion Time is deemed appropriate.
| |
| SURVEILLANCE SR 3.9.9.1 REQUIREMENTS This Surveillance demonstrates that one RHR shutdown cooling subsystem is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.9.9.2 RHR Shutdown Cooling System piping and components have the potential to develop voids and pockets of entrained gases. Preventing and managing gas intrusion and accumulation is necessary for proper operation of the RHR shutdown cooling subsystems and may also Columbia Generating Station B 3.9.9-3 Revision 105
| |
| | |
| RHR - Low Water Level B 3.9.9 BASES SURVEILLANCE REQUIREMENTS (continued) prevent water hammer, pump cavitation, and pumping of noncondensible gas into the reactor vessel.
| |
| Selection of RHR Shutdown Cooling System locations susceptible to gas accumulation is based on a review of system design information, including piping and instrumentation drawings, isometric drawings, plan and elevation drawings, and calculations. The design review is supplemented by system walk downs to validate the system high points and to confirm the location and orientation of important components that can become sources of gas or could otherwise cause gas to be trapped or difficult to remove during system maintenance or restoration.
| |
| Susceptible locations depend on plant and system configuration, such as stand-by versus operating conditions.
| |
| The RHR Shutdown Cooling System is OPERABLE when it is sufficiently filled with water. Acceptance criteria are established for the volume of accumulated gas at susceptible locations. If accumulated gas is discovered that exceeds the acceptance criteria for the susceptible location (or the volume of accumulated gas at one or more susceptible locations exceeds an acceptance criteria for gas volume at the suction or discharge of a pump), the Surveillance is not met. If it is determined by subsequent evaluation that the RHR Shutdown Cooling System is not rendered inoperable by the accumulated gas (i.e., the system is sufficiently filled with water), the Surveillance may be declared met.
| |
| Accumulated gas should be eliminated or brought within the acceptance criteria limits.
| |
| RHR Shutdown Cooling System locations susceptible to gas accumulation are monitored and, if gas is found, the gas volume is compared to the acceptance criteria for the location. Susceptible locations in the same system flow path which are subject to the same gas intrusion mechanisms may be verified by monitoring a representative sub-set of susceptible locations. Monitoring may not be practical for locations that are inaccessible due to radiological or environmental conditions, the plant configuration, or personnel safety. For these locations alternative methods (e.g., operating parameters, remote monitoring) may be used to monitor the susceptible location. Monitoring is not required for susceptible locations where the maximum potential accumulated gas void volume has been evaluated and determined to not challenge system OPERABILITY. The accuracy of the method used for monitoring the susceptible locations and trending of the results should be sufficient to assure system OPERABILITY during the Surveillance interval.
| |
| The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Surveillance Frequency may vary by location susceptible to gas accumulation.
| |
| Columbia Generating Station B 3.9.9-4 Revision 105
| |
| | |
| RHR - Low Water Level B 3.9.9 BASES REFERENCES 1. 10 CFR 50, Appendix A, GDC 34.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.9.9-5 Revision 105
| |
| | |
| Decay Time B 3.9.10 B 3.9 REFUELING OPERATIONS B 3.9.10 Decay Time BASES BACKGROUND The postulated fuel handling accident involves the drop of a fuel assembly on top of the reactor core during refueling operations (Ref. 1).
| |
| The drop over the reactor core is more limiting than the drop over the spent fuel pool since the kinetic energy for the drop over the reactor core area (greater than 23 feet) produces a larger number of damaged fuel pins on impact than the shorter drops that could occur over the fuel pool.
| |
| The fuel handling accident is analyzed using Alternative Source Term methodology governed by 10 CFR 50.67 (Ref. 2) and the guidelines of Regulatory Guide 1.183 (Ref. 3).
| |
| The fuel handling accident analysis assumes that the accident occurs at least 24 hours after plant shutdown. Specifically, a 24-hour radioactive decay time of the fission product inventory is assumed during the interval between shutdown and movement of assemblies in the reactor core.
| |
| APPLICABLE The minimum requirement for 24 hours of reactor subcriticality prior to SAFETY movement of irradiated fuel assemblies in the reactor vessel ensures ANALYSES that sufficient time has elapsed to allow the radioactive decay of the short-lived fission products. This decay time is an initial condition of the fuel handling accident analysis.
| |
| Decay time satisfies the requirements of Criterion 2 of Reference 4.
| |
| LCO The specified decay time limit requires the reactor to be subcritical for at least 24 hours. Implicit in this TS is the Applicability (during movement of irradiated fuel in the reactor vessel). This ensures that sufficient time has elapsed to allow the radioactive decay of the short-lived fission products, thus reducing the fission product inventory and reducing the effects of a fuel handling accident.
| |
| APPLICABILITY This decay time restriction is applicable only during movement of irradiated fuel in the reactor vessel following reactor operation.
| |
| Therefore, it effectively prohibits movement of irradiated fuel in the reactor vessel during the first 24 hours following reactor shutdown.
| |
| ACTIONS A.1 With the reactor subcritical less than 24 hours, all movement of irradiated fuel in the reactor vessel must be suspended. As stated above, movement of irradiated fuel in the reactor vessel is prohibited during the first 24 hours following reactor shutdown.
| |
| Columbia Generating Station B 3.9.10-1 Revision 73
| |
| | |
| Decay Time B 3.9.10 BASES SURVEILLANCE SR 3.9.10.1 REQUIREMENTS This movement of irradiated fuel in the reactor vessel is prohibited during the first 24 hours following reactor shutdown. A verification of time subcritical must be made prior to movement of irradiated fuel in the reactor vessel. This is done by confirming the time and date of subcriticality, and verifying that at least 24 hours have elapsed. The Frequency of "once prior to movement of irradiated fuel in the reactor vessel" ensures that the operation within the design basis assumption for decay time in the fuel handling accident analysis.
| |
| REFERENCES 1. FSAR, Section 15.7.4.
| |
| : 2. 10 CFR 50.67, "Accident Source Term."
| |
| : 3. Regulatory Guide 1.183, July 2000.
| |
| : 4. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.9.10-2 Revision 73
| |
| | |
| Inservice Leak and Hydrostatic Testing Operation B 3.10.1 B 3.10 SPECIAL OPERATIONS B 3.10.1 Inservice Leak and Hydrostatic Testing Operation BASES BACKGROUND The purpose of this Special Operations LCO is to allow certain reactor coolant pressure tests to be performed in MODE 4 when the metallurgical characteristics of the reactor pressure vessel (RPV) require the pressure testing at temperatures > 200°F (normally corresponding to MODE 3) or allow completing these reactor coolant pressure tests when the initial conditions do not require temperatures > 200°F. Furthermore, the purpose is to allow continued performance of control rod scram time testing required by SR 3.1.4.1 or SR 3.1.4.4 if reactor coolant temperatures exceed 200°F when the control rod scram time testing is initiated in conjunction with an inservice leak test or hydrostatic test.
| |
| These control rod scram time tests would be performed in accordance with LCO 3.10.4, "Single Control Rod Withdrawal - Cold Shutdown,"
| |
| during MODE 4 operation.
| |
| Inservice hydrostatic testing and system leakage pressure tests required by Section XI of the American Society of Mechanical Engineers (ASME)
| |
| Boiler and Pressure Vessel Code (Ref. 1) are performed prior to the reactor going critical after a refueling outage. Recirculation pump operation, decay heat, and a water solid RPV (except for an air bubble for pressure control) are used to achieve the necessary temperatures and pressures required for these tests. The minimum temperatures (at the required pressures) allowed for these tests are determined from the RPV pressure and temperature (P/T) limits required by LCO 3.4.11, "Reactor Coolant System (RCS) Pressure and Temperature (P/T) Limits." These limits are conservatively based on the fracture toughness of the reactor vessel, taking into account anticipated vessel neutron fluence.
| |
| With increased reactor vessel fluence over time, the minimum allowable vessel temperature increases for a given pressure. Periodic updates to the RCS P/T limit curves are performed as necessary, based on the results of analyses of irradiated surveillance specimens removed from the vessel. Hydrostatic and leak testing may eventually be required with minimum reactor coolant temperatures > 200°F. However, even with required minimum reactor coolant temperatures < 200°F, maintaining RCS temperatures within a small band during the test can be impractical.
| |
| Removal of heat addition from recirculation pump operation and reactor core decay heat is coarsely controlled by control rod drive hydraulic system flow and reactor water cleanup system non-regenerative heat exchanger operation. Test conditions are focused on maintaining a steady state pressure, and tightly limited temperature control poses an unnecessary burden on the operator and may not be achievable in certain instances.
| |
| Columbia Generating Station B 3.10.1-1 Revision 73
| |
| | |
| Inservice Leak and Hydrostatic Testing Operation B 3.10.1 BASES BACKGROUND (continued)
| |
| The hydrostatic and leak tests require increasing pressure to approximately 1020 psig. Scram time testing required by SR 3.1.4.1 and SR 3.1.4.4 requires reactor pressures 800 psig.
| |
| Other testing may be performed in conjunction with the allowances for inservice leak or hydrostatic tests and control rod scram time tests.
| |
| APPLICABLE Allowing the reactor to be considered in MODE 4 when the reactor SAFETY coolant temperature is > 200°F, during, or as consequence ANALYSES of, hydrostatic or leak testing, or as a consequence of control rod scram time testing initiated in conjunction with an inservice leak or hydrostatic test, effectively provides an exception to MODE 3 requirements, including OPERABILITY of primary containment and the full complement of redundant Emergency Core Cooling Systems (ECCS). Since the leak tests are performed nearly water solid (except for an air bubble for pressure control), at low decay heat values, and near MODE 4 conditions, the stored energy in the reactor core will be very low. Under these conditions, the potential for failed fuel and a subsequent increase in coolant activity above the limits of LCO 3.4.8, "Reactor Coolant System (RCS) Specific Activity," are minimized. In addition, the secondary containment will be OPERABLE, in accordance with this Special Operations LCO, and will be capable of handling any airborne radioactivity or steam leaks that could occur during the performance of hydrostatic or leak testing. The required pressure testing conditions provide adequate assurance that the consequences of a steam leak will be conservatively bounded by the consequences of the postulated main steam line break outside of primary containment described in Reference 2. Therefore, these requirements will conservatively limit radiation releases to the environment.
| |
| In the unlikely event of any primary system leak that could result in draining the RPV, the reactor vessel would rapidly depressurize. The makeup capability of one of the ECCS subsystems required in MODE 4 by LCO 3.5.2, "RPV Water Inventory Control," would be more than adequate to keep the core flooded. Small system leaks would be detected by leakage inspections before significant inventory loss occurred.
| |
| For the purposes of this test, the protection provided by normally required MODE 4 applicable LCOs, in addition to the secondary containment requirements required to be met by this Special Operations LCO, will ensure acceptable consequences during normal hydrostatic test conditions and during postulated accident conditions.
| |
| Columbia Generating Station B 3.10.1-2 Revision 111
| |
| | |
| Inservice Leak and Hydrostatic Testing Operation B 3.10.1 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of Reference 3 apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
| |
| LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation at reactor coolant temperatures > 200°F, can be in accordance with Table 1.1-1 for MODE 3 operation without meeting this Special Operations LCO or its ACTIONS. This option may be required due to P/T limits, however, which require testing at temperatures > 200°F, while performance of inservice leak and hydrostatic testing results in the inoperability of subsystems required when > 200°F (i.e., MODE 3).
| |
| Additionally, even with required minimum reactor coolant temperatures
| |
| < 200°F, RCS temperatures may drift above 200°F during the performance of inservice leak and hydrostatic testing or during subsequent control rod scram time testing, which is typically performed in conjunction with inservice leak and hydrostatic testing. While this Special Operations LCO is provided for inservice leak and hydrostatic testing, and for scram testing initiated in conjunction with an inservice leak or hydrostatic test, parallel performance of other tests and inspections is not precluded.
| |
| If it is desired to perform these tests while complying with this Special Operations LCO, then the MODE 4 applicable LCOs and specified MODE 3 LCOs must be met. This Special Operations LCO allows changing Table 1.1-1 temperature limits for MODE 4 to "NA" and suspending the requirements of LCO 3.4.10, "Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown." The additional requirements for secondary containment LCOs to be met will provide sufficient protection for operations at reactor coolant temperatures
| |
| > 200°F for the purposes of performing an inservice leak or hydrostatic test, and for control rod scram time testing initiated in conjunction with an inservice leak or hydrostatic test.
| |
| This LCO allows primary containment to be open for frequent unobstructed access to perform inspections, and for outage activities on various systems to continue consistent with the MODE 4 applicable requirements.
| |
| Columbia Generating Station B 3.10.1-3 Revision 73
| |
| | |
| Inservice Leak and Hydrostatic Testing Operation B 3.10.1 BASES APPLICABILITY The MODE 4 requirements may only be modified for the performance of, or as a consequence of, inservice leak or hydrostatic tests, or as a consequence of control rod scram time testing initiated in conjunction with an inservice leak or hydrostatic test, so that these operations can be considered as in MODE 4, even though the reactor coolant temperature is
| |
| > 200°F. The additional requirement for secondary containment OPERABILITY according to the imposed MODE 3 requirements provides conservatism in the response of the unit to any event that may occur.
| |
| Operations in all other MODES are unaffected by this LCO.
| |
| ACTIONS A Note has been provided to modify the ACTIONS related to inservice leak and hydrostatic testing operation. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.
| |
| A.1 If an LCO specified in LCO 3.10.1 is not met, the ACTIONS applicable to the stated requirements shall be entered immediately and complied with.
| |
| Required Action A.1 has been modified by a Note that clarifies the intent of another LCO's Required Action to be in MODE 4 includes reducing the average reactor coolant temperature to 200°F.
| |
| A.2.1 and A.2.2 Required Actions A.2.1 and A.2.2 are alternate Required Actions that can be taken instead of Required Action A.1 to restore compliance with the normal MODE 4 requirements, and thereby exit this Special Operations LCO's Applicability. Activities that could further increase reactor coolant temperature or pressure are suspended immediately, in accordance with Required Action A.2.1, and the reactor coolant temperature is reduced to establish normal MODE 4 requirements. The allowed Completion Time of 24 hours for Required Action A.2.2 is based on engineering judgment and provides sufficient time to reduce the average reactor coolant temperature from the highest expected value to 200°F with normal cooldown procedures. The Completion Time is also consistent with the time provided in LCO 3.0.3 for reaching MODE 4 from MODE 3.
| |
| Columbia Generating Station B 3.10.1-4 Revision 73
| |
| | |
| Inservice Leak and Hydrostatic Testing Operation B 3.10.1 BASES SURVEILLANCE SR 3.10.1.1 REQUIREMENTS The LCOs made applicable are required to have their Surveillances met to establish that this LCO is being met. A discussion of the applicable SRs is provided in their respective Bases.
| |
| REFERENCES 1. American Society of Mechanical Engineers, Boiler and Pressure Vessel Code, Section XI.
| |
| : 2. FSAR, Section 15.6.4.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.10.1-5 Revision 73
| |
| | |
| Reactor Mode Switch Interlock Testing B 3.10.2 B 3.10 SPECIAL OPERATIONS B 3.10.2 Reactor Mode Switch Interlock Testing BASES BACKGROUND The purpose of this Special Operations LCO is to permit operation of the reactor mode switch from one position to another to confirm certain aspects of associated interlocks during periodic tests and calibrations in MODES 3, 4, and 5.
| |
| The reactor mode switch is a conveniently located, multiposition, keylock switch provided to select the necessary scram functions for various plant conditions (Ref. 1). The reactor mode switch selects the appropriate trip relays for scram functions and provides appropriate bypasses. The mode switch positions and related scram interlock functions are summarized as follows:
| |
| : a. Shutdown - Initiates a reactor scram; bypasses main steam line isolation scram;
| |
| : b. Refuel - Selects Neutron Monitoring System (NMS) scram function for low neutron flux level operation (but does not disable the average power range monitor scram); bypasses main steam line isolation scram;
| |
| : c. Startup/Hot Standby - Selects NMS scram function for low neutron flux level operation (intermediate range monitors and average power range monitors); bypasses main steam line isolation scram; and
| |
| : d. Run - Selects NMS scram function for power range operation.
| |
| The reactor mode switch also provides interlocks for such functions as control rod blocks, scram discharge volume trip bypass, refueling interlocks, and main steam isolation valve isolations.
| |
| APPLICABLE The acceptance criterion for reactor mode switch interlock testing is to SAFETY prevent fuel failure by precluding reactivity excursions or core criticality.
| |
| ANALYSES The interlock functions of the shutdown and refuel positions of the reactor mode switch in MODES 3, 4, and 5 are provided to preclude reactivity excursions that could potentially result in fuel failure. Interlock testing that requires moving the reactor mode switch to other positions (run, or startup/hot standby) while in MODE 3, 4, or 5, requires administratively maintaining all control rods inserted and no CORE ALTERATIONS in progress. With all control rods inserted in core cells containing one or more fuel assemblies and no CORE ALTERATIONS in progress, there are no credible mechanisms for unacceptable reactivity excursions during the planned interlock testing.
| |
| Columbia Generating Station B 3.10.2-1 Revision 73
| |
| | |
| Reactor Mode Switch Interlock Testing B 3.10.2 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| For postulated accidents, such as control rod removal error during refueling or loading of fuel with a control rod withdrawn, the accident analysis demonstrates that fuel failure will not occur (Ref. 2). The withdrawal of a single control rod will not result in criticality when adequate SDM is maintained. Also, loading fuel assemblies into the core with a single control rod withdrawn will not result in criticality, thereby preventing fuel failure.
| |
| As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore no criteria of Reference 3 apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
| |
| LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. MODES 3, 4, and 5 operations not specified in Table 1.1-1 can be performed in accordance with other Special Operations LCOs (i.e., LCO 3.10.1, "Inservice Leak and Hydrostatic Testing Operation,"
| |
| LCO 3.10.3, "Single Control Rod Withdrawal - Hot Shutdown,"
| |
| LCO 3.10.4, "Single Control Rod Withdrawal - Cold Shutdown," and LCO 3.10.8 "SDM Test - Refueling") without meeting this LCO or its ACTIONS. If any testing is performed that involves the reactor mode switch interlocks and requires repositioning beyond that specified in Table 1.1-1 for the current MODE of operation, the testing can be performed, provided all interlock functions potentially defeated are administratively controlled. In MODES 3, 4, and 5 with the reactor mode switch in shutdown as specified in Table 1.1-1, all control rods are fully inserted and a control rod block is initiated. Therefore, all control rods in core cells that contain one or more fuel assemblies must be verified fully inserted while in MODES 3, 4, and 5 with the reactor mode switch in other than the shutdown position. The additional LCO requirement to preclude CORE ALTERATIONS is appropriate for MODE 5 operations, as discussed below, and is inherently met in MODES 3 and 4 by the definition of CORE ALTERATIONS, which cannot be performed with the vessel head in place.
| |
| In MODE 5, with the reactor mode switch in the refuel position, only one control rod can be withdrawn under the refuel position one rod out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock"). The refueling equipment interlocks (LCO 3.9.1, "Refueling Equipment Interlocks") appropriately control other CORE ALTERATIONS. Due to the increased potential for error in controlling these multiple interlocks and the limited duration of tests involving the reactor mode switch position, Columbia Generating Station B 3.10.2-2 Revision 73
| |
| | |
| Reactor Mode Switch Interlock Testing B 3.10.2 BASES LCO (continued) conservative controls are required, consistent with MODES 3 and 4. The additional controls of administratively not permitting other CORE ALTERATIONS will adequately ensure that the reactor does not become critical during these tests.
| |
| APPLICABILITY Any required periodic interlock testing involving the reactor mode switch, while in MODES 1 and 2, can be performed without the need for Special Operations exceptions. Mode switch manipulations in these MODES would likely result in unit trips. In MODES 3, 4, and 5, this Special Operations LCO is only permitted to be used to allow reactor mode switch interlock testing that cannot conveniently be performed without this allowance or testing that must be performed prior to entering another MODE. Such interlock testing may consist of required Surveillances, or may be the result of maintenance, repair, or troubleshooting activities.
| |
| The mode switch may be left in other than the Table 1.1-1 position to support ongoing or planned testing if the required testing is scheduled to start within the next 12 hours. During the time period the mode switch is not in the Table 1.1-1 position, SRs 3.10.2.1 and 3.10.2.2 shall continue to be met. In MODES 3, 4, and 5, the interlock functions provided by the reactor mode switch in shutdown (i.e., all control rods inserted and incapable of withdrawal) and refueling (i.e., refueling interlocks to prevent inadvertent criticality during CORE ALTERATIONS) positions can be administratively controlled adequately during the performance of certain tests.
| |
| ACTIONS A.1, A.2, A.3.1, and A.3.2 These Required Actions are provided to restore compliance with the Technical Specifications overridden by this Special Operations LCO.
| |
| Restoring compliance will also result in exiting the Applicability of this Special Operations LCO.
| |
| All CORE ALTERATIONS, except control rod insertion, if in progress, are immediately suspended in accordance with Required Action A.1, and all insertable control rods in core cells that contain one or more fuel assemblies are fully inserted within 1 hour, in accordance with Required Action A.2. This will preclude potential mechanisms that could lead to criticality. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and, therefore, do not have to be inserted.
| |
| Suspension of CORE ALTERATIONS shall not preclude the completion of movement of a component to a safe condition. Placing the reactor mode switch in the shutdown position will ensure that all inserted control rods remain inserted and result in operation in accordance with Columbia Generating Station B 3.10.2-3 Revision 73
| |
| | |
| Reactor Mode Switch Interlock Testing B 3.10.2 BASES ACTIONS (continued)
| |
| Table 1.1-1. Alternatively, if in MODE 5, the reactor mode switch may be placed in the refuel position, which will also result in operating in accordance with Table 1.1-1. A Note is added to Required Action A.3.2 to indicate that this Required Action is not applicable in MODES 3 and 4, since only the shutdown position is allowed in these MODES. The allowed Completion Time of 1 hour for Required Actions A.2, A.3.1, and A.3.2 provides sufficient time to normally insert the control rods and place the reactor mode switch in the required position, based on operating experience, and is acceptable given that all operations that could increase core reactivity have been suspended.
| |
| SURVEILLANCE SR 3.10.2.1 and SR 3.10.2.2 REQUIREMENTS Meeting the requirements of this Special Operations LCO maintains operation consistent with or conservative to operating with the reactor mode switch in the shutdown position (or the refuel position for MODE 5).
| |
| The functions of the reactor mode switch interlocks that are not in effect, due to the testing in progress, are adequately compensated for by the Special Operations LCO requirements. The administrative controls are to be periodically verified to ensure that the operational requirements continue to be met. In addition, the all rods fully inserted Surveillance (SR 3.10.2.1) must be verified by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff. The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 7.2.
| |
| : 2. FSAR, Section 15.4.1.1.
| |
| : 3. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.10.2-4 Revision 93
| |
| | |
| Single Control Rod Withdrawal - Hot Shutdown B 3.10.3 B 3.10 SPECIAL OPERATIONS B 3.10.3 Single Control Rod Withdrawal - Hot Shutdown BASES BACKGROUND The purpose of this MODE 3 Special Operations LCO is to permit the withdrawal of a single control rod for testing while in hot shutdown, by imposing certain restrictions. In MODE 3, the reactor mode switch is in the shutdown position, and all control rods are inserted and blocked from withdrawal. Many systems and functions are not required in these conditions, due to other installed interlocks that are actuated when the reactor mode switch is in the shutdown position. However, circumstances may arise while in MODE 3 that present the need to withdraw a single control rod for various tests (e.g., friction tests, scram timing, and coupling integrity checks). These single control rod withdrawals are normally accomplished by selecting the refuel position for the reactor mode switch.
| |
| This Special Operations LCO provides the appropriate additional controls to allow a single control rod withdrawal in MODE 3 APPLICABLE With the reactor mode switch in the refuel position, the analyses for SAFETY control rod withdrawal during refueling are applicable and, provided the ANALYSES assumptions of these analyses are satisfied in MODE 3, these analyses will bound the consequences of an accident. Explicit safety analyses in the FSAR (Ref. 1) demonstrate that the functioning of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions.
| |
| Refueling interlocks restrict the movement of control rods to reinforce operational procedures that prevent the reactor from becoming critical.
| |
| These interlocks prevent the withdrawal of more than one control rod.
| |
| Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists.
| |
| The control rod scram function provides backup protection to normal refueling procedures and the refueling interlocks, which prevent inadvertent criticalities during refueling.
| |
| Alternate backup protection can be obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal.
| |
| As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of Reference 2 apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
| |
| Columbia Generating Station B 3.10.3-1 Revision 73
| |
| | |
| Single Control Rod Withdrawal - Hot Shutdown B 3.10.3 BASES LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 3 with the reactor mode switch in the refuel position can be performed in accordance with other Special Operations LCOs (i.e., LCO 3.10.2, "Reactor Mode Switch Interlock Testing)" without meeting this Special Operations LCO or its ACTIONS.
| |
| However, if a single control rod withdrawal is desired in MODE 3, controls consistent with those required during refueling must be implemented and this Special Operations LCO applied. "Withdrawal" in this application includes the actual withdrawal of the control rod as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod. The refueling interlocks of LCO 3.9.2, "Refuel Position One-Rod-Out Interlock," required by this Special Operations LCO, will ensure that only one control rod can be withdrawn.
| |
| To back up the refueling interlocks (LCO 3.9.2), the ability to scram the withdrawn control rod in the event of an inadvertent criticality is provided by this Special Operations LCO's requirements in Item d.1. Alternately, provided a sufficient number of control rods in the vicinity of the withdrawn control rod are known to be inserted and incapable of withdrawal (Item d.2), the possibility of criticality on withdrawal of this control rod is sufficiently precluded, so as not to require the scram capability of the withdrawn control rod. Also, once this alternate (Item d.2) is completed, the SDM requirement to account for both the withdrawn-untrippable control rod and the highest worth control rod may be changed to allow the withdrawn-untrippable control rod to be the single highest worth control rod.
| |
| APPLICABILITY Control rod withdrawals are adequately controlled in MODES 1, 2, and 5 by existing LCOs. In MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with this Special Operations LCO or Special Operations LCO 3.10.4, and if limited to one control rod. This allowance is only provided with the reactor mode switch in the refuel position. For these conditions, the one-rod-out interlock (LCO 3.9.2),
| |
| control rod position indication (LCO 3.9.4, "Control Rod Position Indication") full insertion requirements for all other control rods, and scram functions (LCO 3.3.1.1, "Reaction Protection System (RPS)
| |
| Instrumentation," and LCO 3.9.5, "Control Rod OPERABILITY -
| |
| Refueling"), or the added administrative control in Item d.2 of this Special Operations LCO, minimizes potential reactivity excursions ACTIONS A Note has been provided to modify the ACTIONS related to a single control rod withdrawal while in MODE 3. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies Required Actions of Columbia Generating Station B 3.10.3-2 Revision 73
| |
| | |
| Single Control Rod Withdrawal - Hot Shutdown B 3.10.3 BASES ACTIONS (continued) the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.
| |
| A.1 If one or more of the requirements specified in this Special Operations LCO are not met, the ACTIONS applicable to the stated requirements of the affected LCOs are immediately entered as directed by Required Action A.1. This Required Action has been modified by a Note that clarifies the intent of any other LCO's Required Action to insert all control rods. The Required Action includes exiting this Special Operations Applicability LCO by returning the reactor mode switch to the shutdown position. A second Note has been added, which clarifies that this Required Action is only applicable if the requirements not met are for an affected LCO.
| |
| A.2.1 and A.2.2 Required Actions A.2.1 and A.2.2 are alternative Required Actions that can be taken instead of Required Action A.1 to restore compliance with the normal MODE 3 requirements, thereby exiting this Special Operations LCO's Applicability. Actions must be initiated immediately to insert all insertable control rods. Actions must continue until all such control rods are fully inserted. Placing the reactor mode switch in the shutdown position will ensure that all inserted rods remain inserted and restore operation in accordance with Table 1.1-1. The allowed Completion Time of 1 hour to place the reactor mode switch in the shutdown position provides sufficient time to normally insert the control rods.
| |
| SURVEILLANCE SR 3.10.3.1, SR 3.10.3.2, and SR 3.10.3.3 REQUIREMENTS The other LCOs made applicable in this Special Operations LCO are required to have their Surveillances met to establish that this Special Operations LCO is being met. If the local array of control rods is inserted and disarmed while the scram function for the withdrawn rod is not available, periodic verification in accordance with SR 3.10.3.2 is required to preclude the possibility of criticality. SR 3.10.3.2 has been modified by a Note, which clarifies that this SR is not required to be met if SR 3.10.3.1 Columbia Generating Station B 3.10.3-3 Revision 73
| |
| | |
| Single Control Rod Withdrawal - Hot Shutdown B 3.10.3 BASES SURVEILLANCE REQUIREMENTS (continued) is satisfied for LCO 3.10.3.d.1 requirements, since SR 3.10.3.2 demonstrates that the alternative LCO 3.10.3.d.2 requirements are satisfied. Also, SR 3.10.3.3 verifies that all control rods other than the control rod being withdrawn are fully inserted. The Surveillance Frequencies for SR 3.10.3.2 and SR 3.10.3.3 are controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 15.4.1.1.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.10.3-4 Revision 93
| |
| | |
| Single Control Rod Withdrawal - Cold Shutdown B 3.10.4 B 3.10 SPECIAL OPERATIONS B 3.10.4 Single Control Rod Withdrawal - Cold Shutdown BASES BACKGROUND The purpose of this MODE 4 Special Operations LCO is to permit the withdrawal of a single control rod for testing or maintenance, while in cold shutdown, by imposing certain restrictions. In MODE 4, the reactor mode switch is in the shutdown position, and all control rods are inserted and blocked from withdrawal. Many systems and functions are not required in these conditions, due to the installed interlocks associated with the reactor mode switch in the shutdown position. Circumstances may arise while in MODE 4, however, that present the need to withdraw a single control rod for various tests (e.g., friction tests, scram time testing, and coupling integrity checks). Certain situations may also require the removal of the associated control rod drive (CRD). These single control rod withdrawals and possible subsequent removals are normally accomplished by selecting the refuel position for the reactor mode switch.
| |
| APPLICABLE With the reactor mode switch in the refuel position, the analyses for SAFETY control rod withdrawal during refueling are applicable and, provided the ANALYSES assumptions of these analyses are satisfied in MODE 4, these analyses will bound the consequences of an accident. Explicit safety analyses in the FSAR (Ref. 1) demonstrate that the functioning of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions.
| |
| Refueling interlocks restrict the movement of control rods to reinforce operational procedures that prevent the reactor from becoming critical.
| |
| These interlocks prevent the withdrawal of more than one control rod.
| |
| Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists.
| |
| The control rod scram function provides backup protection in the event normal refueling procedures and the refueling interlocks fail to prevent inadvertent criticalities during refueling. Alternate backup protection can be obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal.
| |
| This alternate backup protection is required when removing the CRD because this removal renders the withdrawn control rod incapable of being scrammed.
| |
| As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of Reference 2 apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
| |
| Columbia Generating Station B 3.10.4-1 Revision 73
| |
| | |
| Single Control Rod Withdrawal - Cold Shutdown B 3.10.4 BASES LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 4 with the reactor mode switch in the refuel position can be performed in accordance with other LCOs (i.e.,
| |
| Special Operations LCO 3.10.2, "Reactor Mode Switch Interlock Testing" without meeting this Special Operations LCO or its ACTIONS. If a single control rod withdrawal is desired in MODE 4, controls consistent with those required during refueling must be implemented and this Special Operations LCO applied. "Withdrawal" in this application includes the actual withdrawal of the control rod as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod.
| |
| The refueling interlocks of LCO 3.9.2, "Refuel Position One-Rod-Out Interlock," required by this Special Operations LCO will ensure that only one control rod can be withdrawn. At the time CRD removal begins, the disconnection of the position indication probe will cause a loss of all position indication on the affected control rod. In order for LCO 3.9.4, "Control Rod Position Indication," and therefore, LCO 3.9.2 to be met in this condition, the withdrawn control rod must have the absence of all full-in position indication channels (switch S00, the 00 readout; switch S51, overtravel - scram water applied; and switch S52, normal green light),
| |
| thus maintaining the refuel position one-rod-out interlock. A channel is OPERABLE if it provides correct position indication to the refueling interlock logic.
| |
| Also, this condition causes the refuel position one-rod-out interlock to not allow the selection of any other control rod. If all full-in position indication channels for the withdrawn control rod are not absent (SR 3.9.4.1 requirements not met), a control rod withdrawal block is required to be inserted to ensure that no additional control rods can be withdrawn and that compliance with this Special Operations LCO is maintained.
| |
| To back up the refueling interlocks (LCO 3.9.2) or the control rod withdrawal block, the ability to scram the withdrawn control rod in the event of an inadvertent criticality is provided by the Special Operations LCO requirements in Item c.1. Alternatively, when the scram function is not OPERABLE, or the CRD is to be removed, a sufficient number of rods in the vicinity of the withdrawn control rod are required to be inserted and made incapable of withdrawal (Item c.2). This precludes the possibility of criticality upon withdrawal of this control rod. Also, once this alternate (Item c.2) is completed, the SDM requirement to account for both the withdrawn-untrippable control rod and the highest worth control rod may be changed to allow the withdrawn-untrippable control rod to be the single highest worth control rod.
| |
| Columbia Generating Station B 3.10.4-2 Revision 73
| |
| | |
| Single Control Rod Withdrawal - Cold Shutdown B 3.10.4 BASES APPLICABILITY Control rod withdrawals are adequately controlled in MODES 1, 2, and 5 by existing LCOs. In MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with Special Operations LCO 3.10.3, or this Special Operations LCO, and if limited to one control rod. This allowance is only provided with the reactor mode switch in the refuel position.
| |
| During these conditions, the full insertion requirements for all other control rods, the one-rod-out interlock (LCO 3.9.2), control rod position indication (LCO 3.9.4), and scram functions (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," LCO 3.3.8.2, "Reactor Protection System (RPS) Electric Power Monitoring," and LCO 3.9.5, "Control Rod OPERABILITY - Refueling"), or the added administrative controls in Item b.2 and Item c.2 of this Special Operations LCO, provide mitigation of potential reactivity excursions.
| |
| ACTIONS A Note has been provided to modify the ACTIONS related to a single control rod withdrawal while in MODE 4. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.
| |
| Columbia Generating Station B 3.10.4-3 Revision 73
| |
| | |
| Single Control Rod Withdrawal - Cold Shutdown B 3.10.4 BASES ACTIONS (continued)
| |
| A.1, A.2.1, and A.2.2 If one or more of the requirements of this Special Operations LCO are not met with the affected control rod insertable, these Required Actions restore operation consistent with normal MODE 4 conditions (i.e., all rods inserted) or with the exceptions allowed in this Special Operations LCO.
| |
| Required Action A.1 has been modified by a Note that clarifies the intent of any other LCO's Required Action to insert all control rods. This Required Action includes exiting this Special Operations Applicability LCO by returning the reactor mode switch to the shutdown position. A second Note has been added to Required Action A.1 to clarify that this Required Action is only applicable if the requirements not met are for an affected LCO.
| |
| Required Actions A.2.1 and A.2.2 are specified, based on the assumption that the control rod is being withdrawn. If the control rod is still insertable, actions must be immediately initiated to fully insert all insertable control rods and within 1 hour place the reactor mode switch in the shutdown position. Action must continue until all such control rods are fully inserted. The allowed Completion Time of 1 hour for placing the reactor mode switch in the shutdown position provides sufficient time to normally insert the control rods.
| |
| B.1, B.2.1, and B.2.2 If one or more of the requirements of this Special Operations LCO are not met with the affected control rod not insertable, withdrawal of the control rod and removal of the associated CRD must immediately be suspended.
| |
| If the CRD has been removed, such that the control rod is not insertable, the Required Actions require the most expeditious action be taken to either initiate action to restore the CRD and insert its control rod, or restore compliance with this Special Operations LCO.
| |
| Columbia Generating Station B 3.10.4-4 Revision 73
| |
| | |
| Single Control Rod Withdrawal - Cold Shutdown B 3.10.4 BASES SURVEILLANCE SR 3.10.4.1, SR 3.10.4.2, SR 3.10.4.3, and SR 3.10.4.4 REQUIREMENTS The other LCOs made applicable by this Special Operations LCO are required to have their associated Surveillances met to establish that this Special Operations LCO is being met. If the local array of control rods is inserted and disarmed while the scram function for the withdrawn rod is not available, periodic verification is required to ensure that the possibility of criticality remains precluded. The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves.
| |
| Electrically, the control rods can be disarmed by disconnecting power from all four directional control valve solenoids. Verification that all the other control rods are fully inserted is required to meet the SDM requirements. Verification that a control rod withdrawal block has been inserted ensures that no other control rods can be inadvertently withdrawn under conditions when position indication instrumentation is inoperable for the affected control rod. The Surveillance Frequencies for SR 3.10.4.2, SR 3.10.4.3, and SR 3.10.4.4 are controlled under the Surveillance Frequency Control Program.
| |
| SR 3.10.4.2 and SR 3.10.4.4 have been modified by Notes, which clarify that these SRs are not required to be met if the alternative requirements demonstrated by SR 3.10.4.1 are satisfied.
| |
| REFERENCES 1. FSAR, Section 15.4.1.1.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.10.4-5 Revision 93
| |
| | |
| Single CRD Removal - Refueling B 3.10.5 B 3.10 SPECIAL OPERATIONS B 3.10.5 Single Control Rod Drive (CRD) Removal - Refueling BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit the removal of a single CRD during refueling operations by imposing certain administrative controls. Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn from a core cell containing one or more fuel assemblies. The refueling interlocks use the "full-in" position indicators to determine the position of all control rods. If the "full-in" position signal is not present for every control rod, then the all rods in permissive for the refueling equipment interlocks is not present and fuel loading is prevented. Also, the refuel position one-rod-out interlock will not allow the withdrawal of a second control rod.
| |
| The control rod scram function provides backup protection in the event normal refueling procedures and the refueling interlocks described above fail to prevent inadvertent criticalities during refueling. The requirement for this function to be OPERABLE precludes the possibility of removing the CRD once a control rod is withdrawn from a core cell containing one or more fuel assemblies. This Special Operations LCO provides controls sufficient to ensure the possibility of an inadvertent criticality is precluded, while allowing a single CRD to be removed from a core cell containing one or more fuel assemblies. The removal of the CRD involves disconnecting the position indication probe, which causes noncompliance with LCO 3.9.4, "Control Rod Position Indication," and, therefore, LCO 3.9.1, "Refueling Equipment Interlocks," and LCO 3.9.2, "Refueling Position One-Rod-Out Interlock." The CRD removal also requires isolation of the CRD from the CRD Hydraulic System, thereby causing inoperability of the control rod (LCO 3.9.5, "Control Rod OPERABILITY -
| |
| Refueling").
| |
| APPLICABLE With the reactor mode switch in the refuel position, the analyses for SAFETY control rod withdrawal during refueling are applicable and, provided the ANALYSES assumptions of these analyses are satisfied, these analyses will bound the consequences of accidents. Explicit safety analyses in the FSAR (Ref. 1) demonstrate that the proper operation of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions.
| |
| Columbia Generating Station B 3.10.5-1 Revision 73
| |
| | |
| Single CRD Removal - Refueling B 3.10.5 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists. By requiring all other control rods to be inserted and a control rod withdrawal block initiated, the function of the inoperable one-rod-out interlock (LCO 3.9.2) is adequately maintained. This Special Operations LCO requirement that no other CORE ALTERATIONS are in progress adequately compensates for the inoperable all rods in permissive for the refueling equipment interlocks (LCO 3.9.1).
| |
| The control rod scram function provides backup protection to normal refueling procedures and the refueling interlocks, which prevent inadvertent criticalities during refueling. Since the scram function and refueling interlocks may be suspended, alternate backup protection required by this Special Operations LCO is obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and are incapable of being withdrawn, and all other control rods are inserted and incapable of being withdrawn (by insertion of a control rod block).
| |
| As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of Reference 2 apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
| |
| LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 5 with any of the following LCOs -
| |
| LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation,"
| |
| LCO 3.3.8.2, "Reactor Protection System (RPS) Electric Power Monitoring," LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, or LCO 3.9.5 - not met can be performed in accordance with the Required Actions of these LCOs without meeting this Special Operations LCO or its ACTIONS. However, if a single CRD removal from a core cell containing one or more fuel assemblies is desired in MODE 5, controls consistent with those required by LCO 3.3.1.1, LCO 3.3.8.2, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 must be implemented and this Special Operations LCO applied.
| |
| Columbia Generating Station B 3.10.5-2 Revision 73
| |
| | |
| Single CRD Removal - Refueling B 3.10.5 BASES LCO (continued)
| |
| By requiring all other control rods to be inserted and a control rod withdrawal block initiated, the function of the inoperable one-rod-out interlock (LCO 3.9.2) is adequately maintained. This Special Operations LCO requirement that no other CORE ALTERATIONS are in progress adequately compensates for the inoperable all rods in permissive for the refueling equipment interlocks (LCO 3.9.1). Ensuring that the five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal adequately satisfies the backup protection that LCO 3.3.1.1 and LCO 3.9.2 would have otherwise provided. Also, once these requirements (Items a, b, and c) are completed, the SDM requirement to account for both the withdrawn-untrippable control rod and the highest worth control rod may be changed to allow the withdrawn-untrippable control rod to be the single highest worth control rod.
| |
| APPLICABILITY Operation in MODE 5 is controlled by existing LCOs. The allowance to comply with this Special Operations LCO in lieu of the ACTIONS of LCO 3.3.1.1, LCO 3.3.8.2, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 is appropriately controlled with the additional administrative controls required by this Special Operations LCO, which reduces the potential for reactivity excursions ACTIONS A.1, A.2.1, and A.2.2 If one or more of the requirements of this Special Operations LCO are not met, the immediate implementation of these Required Actions restores operation consistent with the normal requirements for failure to meet LCO 3.3.1.1, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 (i.e., all control rods inserted) or with the allowances of this Special Operations LCO. The Completion Times for Required Action A.1, Required Action A.2.1, and Required Action A.2.2 are intended to require these Required Actions be implemented in a very short time and carried through in an expeditious manner to either initiate action to restore the CRD and insert its control rod, or initiate action to restore compliance with this Special Operations LCO. Actions must continue until either Required Action A.2.1 or Required Action A.2.2 is satisfied.
| |
| Columbia Generating Station B 3.10.5-3 Revision 73
| |
| | |
| Single CRD Removal - Refueling B 3.10.5 BASES SURVEILLANCE SR 3.10.5.1, SR 3.10.5.2, SR 3.10.5.3, SR 3.10.5.4, and SR 3.10.5.5 REQUIREMENTS Verification that all the control rods, other than the control rod withdrawn for the removal of the associated CRD, are fully inserted is required to ensure the SDM is within limits. Verification that the local five by five array of control rods other than the control rod withdrawn for the removal of the associated CRD, is inserted and disarmed, while the scram function for the withdrawn rod is not available, is required to ensure that the possibility of criticality remains precluded. The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. Electrically, the control rods can be disarmed by disconnecting power from all four directional control valve solenoids.
| |
| Verification that a control rod withdrawal block has been inserted ensures that no other control rods can be inadvertently withdrawn under conditions when position indication instrumentation is inoperable for the withdrawn control rod. The Surveillance for LCO 3.1.1, which is made applicable by this Special Operations LCO, is required in order to establish that this Special Operations LCO is being met. Verification that no other CORE ALTERATIONS are being made is required to ensure the assumptions of the safety analysis are satisfied.
| |
| Periodic verification of the administrative controls established by this Special Operations LCO is prudent to preclude the possibility of an inadvertent criticality. The Surveillance Frequencies for SR 3.10.5.1, SR 3.10.5.2, SR 3.10.5.3, and SR 3.10.5.5 are controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 15.4.1.1.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.10.5-4 Revision 93
| |
| | |
| Multiple Control Rod Withdrawal - Refueling B 3.10.6 B 3.10 SPECIAL OPERATIONS B 3.10.6 Multiple Control Rod Withdrawal - Refueling BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit multiple control rod withdrawal during refueling by imposing certain administrative controls.
| |
| Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn from a core cell containing one or more fuel assemblies. When all four fuel assemblies are removed from a cell, the control rods may be withdrawn with no restrictions. Any number of control rods may be withdrawn and removed from the reactor vessel if their cells contain no fuel.
| |
| The refueling interlocks use the "full-in" position indicators to determine the position of all control rods. If the "full-in" position signal is not present for every control rod, then the all rods in permissive for the refueling equipment interlocks is not present and fuel loading is prevented. Also, the refuel position one-rod-out interlock will not allow the withdrawal of a second control rod.
| |
| To allow more than one control rod to be withdrawn during refueling, these interlocks must be defeated. This Special Operations LCO establishes the necessary administrative controls to allow bypass of the "full-in" position indicators.
| |
| APPLICABLE Explicit safety analyses in the FSAR (Ref. 1) demonstrate that the SAFETY functioning of the refueling interlocks and adequate SDM will prevent ANALYSES unacceptable reactivity excursions during refueling. To allow multiple control rod withdrawals, control rod removals, associated control rod drive (CRD) removal, or any combination of these, the "full-in" position indication is allowed to be bypassed for each withdrawn control rod if all fuel has been removed from the cell. With no fuel assemblies in the core cell, the associated control rod has no reactivity control function and is not required to remain inserted. Prior to reloading fuel into the cell, however, the associated control rod must be inserted to ensure that an inadvertent criticality does not occur, as evaluated in the Reference 1 analysis.
| |
| Columbia Generating Station B 3.10.6-1 Revision 73
| |
| | |
| Multiple Control Rod Withdrawal - Refueling B 3.10.6 BASES APPLICABLE SAFETY ANALYSES (continued)
| |
| As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of Reference 2 apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
| |
| LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 5 with LCO 3.9.3, "Control Rod Position,"
| |
| LCO 3.9.4, "Control Rod Position Indication," or LCO 3.9.5, "Control Rod OPERABILITY - Refueling," not met, can be performed in accordance with the Required Actions of these LCOs without meeting this Special Operations LCO or its ACTIONS. If multiple control rod withdrawal or removal, or CRD removal is desired, all four fuel assemblies are required to be removed from the associated cells. Prior to entering this LCO, any fuel remaining in a cell whose CRD was previously removed under the provisions of another LCO must be removed. "Withdrawal" in this application includes the actual withdrawal of the control rod as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod.
| |
| When loading fuel into the core with multiple control rods withdrawn, special spiral reload sequences are used to ensure that reactivity additions are minimized. Spiral reloading encompasses reloading a cell (four fuel locations immediately adjacent to a control rod) on the edge of a continuous fueled region (the cell can be loaded in any sequence).
| |
| Otherwise, all control rods must be fully inserted before loading fuel.
| |
| APPLICABILITY Operation in MODE 5 is controlled by existing LCOs. The exceptions from other LCO requirements (e.g., the ACTIONS of LCO 3.9.3, LCO 3.9.4 or LCO 3.9.5) allowed by this Special Operations LCO are appropriately controlled by requiring all fuel to be removed from cells whose "full-in" indicators are allowed to be bypassed.
| |
| ACTIONS A.1, A.2.1, and A.2.2 If one or more of the requirements of this Special Operations LCO are not met, the immediate implementation of these Required Actions restores operation consistent with the normal requirements for refueling (i.e., all control rods inserted in core cells containing one or more fuel assemblies) or with the exceptions granted by this Special Operations LCO. The Completion Times for Required Action A.1, Required Action A.2, Required Action A.3.1, and Required Action A.3.2 are intended to require that these Required Actions be implemented in a very short time and carried through in an expeditious manner to either initiate action to restore the affected CRDs and insert their control rods, or initiate action to restore compliance with this Special Operations LCO.
| |
| Columbia Generating Station B 3.10.6-2 Revision 73
| |
| | |
| Multiple Control Rod Withdrawal - Refueling B 3.10.6 BASES SURVEILLANCE SR 3.10.6.1, SR 3.10.6.2, and SR 3.10.6.3 REQUIREMENTS Periodic verification of the administrative controls established by this Special Operations LCO is prudent to preclude the possibility of an inadvertent criticality. The Surveillance Frequencies are controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Section 15.4.1.1.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.10.6-3 Revision 93
| |
| | |
| Control Rod Testing - Operating B 3.10.7 B 3.10 SPECIAL OPERATIONS B 3.10.7 Control Rod Testing - Operating BASES BACKGROUND The purpose of this Special Operations LCO is to permit control rod testing, while in MODES 1 and 2, by imposing certain administrative controls. Control rod patterns during startup conditions are controlled by the operator and the rod worth minimizer (RWM) (LCO 3.3.2.1, "Control Rod Block Instrumentation"), such that only the specified control rod sequences and relative positions required by LCO 3.1.6, "Rod Pattern Control," are allowed over the operating range from all control rods inserted to the low power setpoint (LPSP) of the RWM. The sequences effectively limit the potential amount and rate of reactivity increase that could occur during a control rod drop accident (CRDA). During these conditions, control rod testing is sometimes required that may result in control rod patterns not in compliance with the prescribed sequences of LCO 3.1.6. These tests may include SDM demonstrations, control rod scram time testing, and control rod friction testing. This Special Operations LCO provides the necessary exceptions to the requirements of LCO 3.1.6 and provides additional administrative controls to allow the deviations in such tests from the prescribed sequences in LCO 3.1.6.
| |
| APPLICABLE The analytical methods and assumptions used in evaluating the CRDA SAFETY are summarized in Reference 1. CRDA analyses assume the reactor ANALYSES operator follows prescribed withdrawal sequences. These sequences define the potential initial conditions for the CRDA analyses. The RWM provides backup to operator control of the withdrawal sequences to ensure that the initial conditions of the CRDA analyses are not violated.
| |
| For special sequences developed for control rod testing, the initial control rod patterns assumed in the safety analysis of Reference 1 may not be preserved. Therefore, special CRDA analyses are required to demonstrate that these special sequences will not result in unacceptable consequences, should a CRDA occur during the testing. These analyses, performed in accordance with an NRC approved methodology, are dependent on the specific test being performed.
| |
| As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of Reference 2 apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
| |
| Columbia Generating Station B 3.10.7-1 Revision 73
| |
| | |
| Control Rod Testing - Operating B 3.10.7 BASES LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Control rod testing may be performed in compliance with the prescribed sequences of LCO 3.1.6, and during these tests, no exceptions to the requirements of LCO 3.1.6 are necessary. For testing performed with a sequence not in compliance with LCO 3.1.6, the requirements of LCO 3.1.6 may be suspended, provided additional administrative controls are placed on the test to ensure that the assumptions of the special safety analysis for the test sequence are satisfied. Assurance that the test sequence is followed can be provided by either programming the test sequence into the RWM, with conformance verified as specified in SR 3.3.2.1.8 and allowing the RWM to monitor control rod withdrawal and provide appropriate control rod blocks if necessary, or by verifying conformance to the approved test sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff. These controls are consistent with those normally applied to operation in the startup range as defined in the SRs and ACTIONS of LCO 3.3.2.1, "Control Rod Block Instrumentation."
| |
| APPLICABILITY Control rod testing, while in MODES 1 and 2 with THERMAL POWER greater than 10% RTP, is adequately controlled by the existing LCOs on power distribution limits and control rod block instrumentation. Control rod movement during these conditions is not restricted to prescribed sequences and can be performed within the constraints of LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR),"
| |
| LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)," LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)," and LCO 3.3.2.1. With THERMAL POWER less than or equal to 10% RTP, the provisions of this Special Operations LCO are necessary to perform special tests that are not in conformance with the prescribed control rod sequences of LCO 3.1.6. While in MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with Special Operations LCO 3.10.3, "Single Control Rod Withdrawal - Hot Shutdown" or Special Operations LCO 3.10.4, "Single Control Rod Withdrawal - Cold Shutdown," which provide adequate controls to ensure that the assumptions of the safety analyses of References 1 and 2 are satisfied. During these Special Operations and while in MODE 5, the one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock) and scram functions (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and LCO 3.9.5, "Control Rod OPERABILITY - Refueling"), or the added administrative controls prescribed in the applicable Special Operations LCOs, minimize potential reactivity excursions.
| |
| Columbia Generating Station B 3.10.7-2 Revision 73
| |
| | |
| Control Rod Testing - Operating B 3.10.7 BASES ACTIONS A.1 With the requirements of the LCO not met (e.g., the control rod pattern not in compliance with the special test sequence, the sequence is improperly loaded in the RWM), the testing is required to be immediately suspended. Upon suspension of the special test, the provisions of LCO 3.1.6 are no longer excepted, and appropriate actions are to be taken either to restore the control rod sequence to the prescribed sequence of LCO 3.1.6, or to shut down the reactor, if required by LCO 3.1.6.
| |
| SURVEILLANCE SR 3.10.7.1 REQUIREMENTS With the special test sequence not programmed into the RWM, a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff is required to verify conformance with the approved sequence for the test. This verification must be performed during control rod movement to prevent deviations from the specified sequence. A Note is added to indicate that this Surveillance does not need to be met if SR 3.10.7.2 is satisfied.
| |
| SR 3.10.7.2 When the RWM provides conformance to the special test sequence, the test sequence must be verified to be correctly loaded into the RWM prior to control rod movement. This Surveillance demonstrates compliance with SR 3.3.2.1.8, thereby demonstrating that the RWM is OPERABLE. A Note has been added to indicate that this Surveillance does not need to be met if SR 3.10.7.1 is satisfied.
| |
| REFERENCES 1. FSAR, Chapter 15.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.10.7-3 Revision 73
| |
| | |
| SDM Test - Refueling B 3.10.8 B 3.10 SPECIAL OPERATIONS B 3.10.8 SHUTDOWN MARGIN (SDM) Test - Refueling BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit SDM testing to be performed for those plant configurations in which the reactor pressure vessel (RPV) head is either not in place or the head bolts are not fully tensioned.
| |
| LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," requires that adequate SDM be demonstrated following fuel movements or control rod replacement within the RPV. The demonstration must be performed prior to or within 4 hours after criticality is reached. This SDM test may be performed prior to or during the first startup following refueling. Performing the SDM test prior to startup requires the test to be performed while in MODE 5 with the vessel head bolts less than fully tensioned (and possibly with the vessel head removed). While in MODE 5, the reactor mode switch is required to be in the shutdown or refuel position, where the applicable control rod blocks ensure that the reactor will not become critical. The SDM test requires the reactor mode switch to be in the startup/hot standby position, since more than one control rod will be withdrawn for the purpose of demonstrating adequate SDM. This Special Operations LCO provides the appropriate additional controls to allow withdrawing more than one control rod from a core cell containing one or more fuel assemblies when the reactor vessel head bolts are less than fully tensioned.
| |
| APPLICABLE Prevention and mitigation of unacceptable reactivity excursions during SAFETY control rod withdrawal, with the reactor mode switch in the startup/hot ANALYSES standby position while in MODE 5, is provided by the Intermediate Range Monitor (IRM) neutron flux scram (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation") and control rod block instrumentation (LCO 3.3.2.1, "Control Rod Block Instrumentation"). The limiting reactivity excursion during startup conditions while in MODE 5 is the control rod drop accident (CRDA).
| |
| CRDA analyses assume that the reactor operator follows prescribed withdrawal sequences. For SDM tests performed within these defined sequences, the analysis of Reference 1 is applicable. However, for some sequences developed for the SDM testing, the control rod patterns assumed in the safety analysis of Reference 1 may not be met.
| |
| Therefore, special CRDA analyses, performed in accordance with an NRC approved methodology, are required to demonstrate that the SDM test sequence will not result in unacceptable consequences should a CRDA occur during the testing. For the purpose of this test, the protection provided by the normally required MODE 5 applicable LCOs, in Columbia Generating Station B 3.10.8-1 Revision 73
| |
| | |
| SDM Test - Refueling B 3.10.8 BASES APPLICABLE SAFETY ANALYSES (continued) addition to the requirements of this LCO, will maintain normal test operations as well as postulated accidents within the bounds of the appropriate safety analysis (Ref. 1). In addition to the added requirements for the Rod Worth Minimizer (RWM), APRM, and control rod coupling, the notch out mode is specified for out of sequence withdrawals.
| |
| Requiring the notch out mode limits withdrawal steps to a single notch, which limits inserted reactivity, and allows adequate monitoring of changes in neutron flux, which may occur during the test.
| |
| As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of Reference 2 apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
| |
| LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. SDM tests may be performed while in MODE 2, in accordance with Table 1.1-1, without meeting this Special Operations LCO or its ACTIONS. For SDM tests performed while in MODE 5, additional requirements must be met to ensure that adequate protection against potential reactivity excursions is available. To provide additional scram protection, beyond the normally required IRMs, the APRMs are also required to be OPERABLE (LCO 3.3.1.1, Functions 2.a, 2.d, and 2.e) as though the reactor were in MODE 2. Because multiple control rods will be withdrawn and the reactor will potentially become critical, the approved control rod withdrawal sequence must be enforced by the RWM (LCO 3.3.2.1, Function 2, MODE 2), or must be verified by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff. To provide additional protection against an inadvertent criticality, control rod withdrawals that do not conform to the banked position withdrawal sequence specified in LCO 3.1.6, "Rod Pattern Control" (i.e., out of sequence control rod withdrawals) must be made in the notched withdrawal mode to minimize the potential reactivity insertion associated with each movement.
| |
| Coupling integrity of withdrawn control rods is required to minimize the probability of a CRDA and ensure proper functioning of the withdrawn control rods, if they are required to scram. Because the reactor vessel head may be removed during these tests, no other CORE ALTERATIONS may be in progress. Furthermore, since the control rod scram function with the RCS at atmospheric pressure relies solely on the CRD accumulator, it is essential that the CRD charging water header remain pressurized. This Special Operations LCO then allows changing the Table 1.1-1 reactor mode switch position requirements to include the startup/hot standby position, such that the SDM tests may be performed while in MODE 5.
| |
| Columbia Generating Station B 3.10.8-2 Revision 87
| |
| | |
| SDM Test - Refueling B 3.10.8 BASES APPLICABILITY These SDM test Special Operations requirements are only applicable if the SDM tests are to be performed while in MODE 5 with the reactor vessel head removed or the head bolts not fully tensioned. Additional requirements during these tests to enforce control rod withdrawal sequences and restrict other CORE ALTERATIONS provide protection against potential reactivity excursions. Operations in all other MODES are unaffected by this LCO.
| |
| ACTIONS A.1 With one or more control rods discovered uncoupled during this Special Operation, a controlled insertion of each uncoupled control rod is required; either to attempt recoupling, or to preclude a control rod drop.
| |
| This controlled insertion is preferred since, if the control rod fails to follow the drive as it is withdrawn (i.e., is "stuck" in an inserted position), placing the reactor mode switch in the shutdown position per Required Action B.1 could cause substantial secondary damage. If recoupling is not accomplished, operation may continue, provided the control rods are fully inserted within 3 hours and disarmed (electronically or hydraulically) within 4 hours. Inserting a control rod ensures the shutdown and scram capabilities are not adversely affected. The control rod is disarmed to prevent inadvertent withdrawal during subsequent operations. The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. Electrically, the control rods can be disarmed by disconnecting power from all four directional control valve solenoids. Required Action A.1 is modified by a Note that allows the RWM to be bypassed if required to allow insertion of the inoperable control rods and continued operation. LCO 3.3.2.1, "Control Rod Block Instrumentation," ACTIONS provide additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis.
| |
| The allowed Completion Times are reasonable, considering the small number of allowed inoperable control rods, and provide time to insert and disarm the control rods in an orderly manner and without challenging plant systems.
| |
| Condition A is modified by a Note allowing separate Condition entry for each uncoupled control rod. This is acceptable since the Required Actions for this Condition provide appropriate compensatory actions for each uncoupled control rod. Complying with the Required Actions may allow for continued operation. Subsequent uncoupled control rods are governed by subsequent entry into the Condition and application of the Required Actions.
| |
| Columbia Generating Station B 3.10.8-3 Revision 73
| |
| | |
| SDM Test - Refueling B 3.10.8 BASES ACTIONS (continued)
| |
| B.1 With one or more of the requirements of this LCO not met, for reasons other than an uncoupled control rod, the testing should be immediately stopped by placing the reactor mode switch in the shutdown or refuel position. This results in a condition that is consistent with the requirements for MODE 5 where the provisions of this Special Operations LCO are no longer required.
| |
| SURVEILLANCE SR 3.10.8.1, SR 3.10.8.2, and SR 3.10.8.3 REQUIREMENTS LCO 3.3.1.1, Functions 2.a, 2.d, and 2.e, made applicable in this Special Operations LCO, are required to have applicable Surveillances met to establish that this Special Operations LCO is being met (SR 3.10.8.1).
| |
| However, the control rod withdrawal sequences during the SDM tests may be enforced by the RWM (LCO 3.3.2.1, Function 2, MODE 2 requirements) or by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff.
| |
| As noted, either the applicable SRs for the RWM (LCO 3.3.2.1) must be satisfied according to the applicable Frequencies (SR 3.10.8.2), or the proper movement of control rods must be verified (SR 3.10.8.3). This latter verification (i.e., SR 3.10.8.3) must be performed during control rod movement to prevent deviations from the specified sequence. These Surveillances provide adequate assurance that the specified test sequence is being followed.
| |
| SR 3.10.8.4 Periodic verification of the administrative controls established by this LCO will ensure that the reactor is operated within the bounds of the safety analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| SR 3.10.8.5 Coupling verification is performed to ensure the control rod is connected to the control rod drive mechanism and will perform its intended function when necessary. The verification is required to be performed any time a control rod is withdrawn to the "full-out" notch position or prior to declaring the control rod OPERABLE after work on the control rod or CRD System Columbia Generating Station B 3.10.8-4 Revision 93
| |
| | |
| SDM Test - Refueling B 3.10.8 BASES SURVEILLANCE REQUIREMENTS (continued) that could affect coupling. This Frequency is acceptable, considering the low probability that a control rod will become uncoupled when it is not being moved as well as operating experience related to uncoupling events.
| |
| SR 3.10.8.6 CRD charging water header pressure verification is performed to ensure the motive force is available to scram the control rods in the event of a scram signal. Since the reactor is depressurized in MODE 5, there is insufficient reactor pressure to scram the control rods. Verification of charging water header pressure ensures that if a scram were required, capability for rapid control rod insertion would exist. The minimum pressure of 940 psig is well below the expected pressure of 1400 psig to 1500 psig while still ensuring sufficient pressure for rapid control rod insertion. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
| |
| REFERENCES 1. FSAR, Chapter 15.
| |
| : 2. 10 CFR 50.36(c)(2)(ii).
| |
| Columbia Generating Station B 3.10.8-5 Revision 93}}
| |
