CNL-15-073, Application to Modify the Technical Specifications by Adding New Specification TS 3.3.8.3, Emergency Core Cooling System Preferred Pump Logic, Common Accident Signal (CAS) Logic, and Unit Priority Re-Trip Logic, And.

From kanterella
Jump to navigation Jump to search

Application to Modify the Technical Specifications by Adding New Specification TS 3.3.8.3, Emergency Core Cooling System Preferred Pump Logic, Common Accident Signal (CAS) Logic, and Unit Priority Re-Trip Logic, And.
ML15260B125
Person / Time
Site: Browns Ferry  Tennessee Valley Authority icon.png
Issue date: 09/16/2015
From: James Shea
Tennessee Valley Authority
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
BFN-TS-486, CNL-15-073
Download: ML15260B125 (193)
v  d  e


Text

1101 Market Street, Chattanooga, Tennessee 37402 CNL-15-073 September 16, 2015 10 CFR 50.90 ATTN: Document Control Desk U.S. Nuclear Regulatory Commission Washington, D.C. 20555-0001 Browns Ferry Nuclear Plant, Units 1, 2, and 3 Renewed Facility Operating License Nos. DPR-33, DPR-52, and DPR-68 NRC Docket Nos. 50-259, 50-260, and 50-296

Subject:

Application to Modify the Browns Ferry Nuclear Plant, Units 1, and 2 Technical Specifications by Adding New Specification TS 3.3.8.3, "Emergency Core Cooling System Preferred Pump Logic, Common Accident Signal (CAS) Logic, and Unit Priority Re-Trip Logic," and Unit 3 TS by adding New Specification TS 3.3.8.3, "Common Accident Signal (CAS) Logic, and Unit Priority Re-Trip Logic," (BFN-TS-486)

Reference:

Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications," Revision 1, May 2011, ADAMS Accession No. ML100910008.

In accordance with the provisions of 10 Code of Federal Regulations (10CFR) 10 CFR 50.90, "Application for amendment of license, construction permit, or early site permit," Tennessee Valley Authority (TVA) is submitting a request for an amendment to Renewed Facility Operating License Nos. DPR-33, DPR-52, and DPR-68 for Browns Ferry Nuclear Plant (BFN) Units 1, 2 and 3, respectively.

The proposed changes revise the BFN, Units 1 and 2, Technical Specifications (TS) by adding a new specification governing the safety functions for the Emergency Core Cooling System (ECCS) Preferred Pump Logic, Common Accident Signal Logic, and the Unit Priority Re-Trip Logic. TVA has determined that the BFN, Units 1 and 2, ECCS Preferred Pump Logic meets the requirements of 10 CFR 50.36(c)(2)(ii), Criterion 3. TVA is voluntarily proposing to include a Limiting Condition for Operation (LCO) for the ECCS Preferred Pump Logic in the BFN, Units 1 and 2 TS.

U. S. Nuclear Regulatory Commission CNL-15-073 Page 2 September 16, 2015 In addition, TVA has determined that combining the ECCS Preferred Pump Logic in a new LCO along with the Common Accident Signal Logic relocated from TS 3.8.1 and the Unit Priority Re-Trip Logic implicitly required by TS 3.8.1 enhances the usability of the requirements by the BFN Operations staff. The changes proposed for BFN, Unit 3, i.e.,

relocating the requirements for Common Accident Signal Logic and Unit Priority Re-trip Logic, are made for consistency with the changes to the BFN, Units 1 and 2 TS.

The proposed amendment is considered risk-informed. An evaluation has been performed to assess the risk effect of the proposed change. The risk assessment follows the guidelines of Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications" (Reference).

The Enclosure to this letter provides a description of the proposed changes, technical evaluation of the proposed changes, regulatory evaluation, and a discussion of environmental considerations. Attachment 1 to the enclosure provides the existing TS pages marked-up to show the proposed changes. Attachment 2 to the enclosure provides the retyped TS pages incorporating the proposed changes. Attachment 3 to the enclosure provides existing TS Bases pages marked to show the proposed change for information only. Changes to the existing TS Bases, consistent with the technical and regulatory analyses, will be implemented under the Technical Specification Bases Control Program.

The license amendment will be implemented within 150 days of U.S. Nuclear Regulatory Commission approval.

TVA has determined that there are no significant hazards considerations associated with the proposed change and that the change qualifies for a categorical exclusion from environmental review pursuant to the provisions of 10 CFR 51.22(c)(9).

The BFN Plant Operations Review Committee and the TVA Nuclear Safety Review Board have reviewed this proposed change and determined that operation of BFN in accordance with the proposed change will not endanger the health and safety of the public.

Additionally, in accordance with 10 CFR 50.91(b)(1), TVA is sending a copy of this letter and the enclosure to the Alabama Department of Environment and Conservation.

There are no new regulatory commitments associated with this submittal. Please address any questions regarding this request to Mr. Edward D. Schrull at (423) 751 3850.

U.S . Nuclear Regulatory Commission CNL-15-073 Page 3 September 16, 2015 I declare under penalty of perjury that the foregoing is true and correct. Executed on this 16th day of September 2015.

)

11y, e President, Nuclear Licensing

Enclosure:

Evaluation of Proposed Change Enclosure cc (Enclosure):

NRC Regional Administrator - Region II NRC Resident Inspector - Browns Ferry Nuclear Plant NRC Project Manager - Browns Ferry Nuclear Plant State Health Officer, Alabama Department of Public Health

ENCLOSURE TENNESSEE VALLEY AUTHORITY BROWNS FERRY NUCLEAR PLANT UNITS 1, 2, AND 3 EVALUATION OF PROPOSED CHANGE

Subject:

Application to Modify the Browns Ferry Nuclear Plant, Units 1, and 2 Technical Specifications by Adding New Specification TS 3.3.8.3, "Emergency Core Cooling System Preferred Pump Logic, Common Accident Signal (CAS) Logic, and Unit Priority Re-Trip Logic," and Unit 3 TS by adding New Specification TS 3.3.8.3, "Common Accident Signal (CAS) Logic, and Unit Priority Re-Trip-Logic," (BFN-TS-486) 1.0

SUMMARY

DESCRIPTION 2.0 DETAILED DESCRIPTION

3.0 BACKGROUND

4.0 TECHNICAL EVALUATION

4.1 System Description 4.2 Detailed Discussion of Proposed TS Changes 4.3 Technical Analysis 4.4 Risk Assessment 4.4.1 Introduction 4.4.2 RG 1.200 Technical Adequacy 4.4.3 PRA Analysis of Preferred Pump Logic Allowable Out-of-Service Times and Surveillance Test Intervals 4.4.4 Conclusion of Plant-Specific Risk Assessment Results

5.0 REGULATORY EVALUATION

5.1 Applicable Regulatory Requirements and Criteria 5.2 Precedent 5.3 Significant Hazard Consideration 5.4 Conclusions

6.0 ENVIRONMENTAL CONSIDERATION

7.0 REFERENCES

ATTACHMENTS:

1. Proposed Technical Specifications Pages (Markups) for BFN, Units 1, 2 and 3
2. Proposed Retyped Technical Specifications Pages for BFN, Units 1, 2, and 3
3. Proposed Technical Specifications Bases Pages (Markups) for BFN, Units 1, 2, and 3 Page E-1 of 28

1.0

SUMMARY

DESCRIPTION This evaluation supports a request to revise the current licensing basis of Renewed Facility Operating License Nos. DPR-33, DPR-52, and DPR-68 for Browns Ferry Nuclear Plant (BFN) Units 1, 2, and 3, respectively. The proposed change revises the Technical Specifications (TS) for BFN, Units 1 and 2, by adding a new Specification (i.e., TS 3.3.8.3) to consolidate the requirements governing the safety functions for the Emergency Core Cooling System (ECCS) Preferred Pump Logic, Common Accident Signal (CAS) Logic, and the Unit Priority Re-Trip Logic and for BFN, Unit 3, by adding a new Specification (i.e., TS 3.3.8.3) to consolidate the requirements governing the safety functions for the CAS Logic, and the Unit Priority Re-Trip Logic for consistency with the changes to the BFN, Units 1 and 2 TS. The proposed change relocates the existing requirements for the Common Accident Signal Logic from BFN, Units 1, 2, and 3, TS 3.8.1, "AC Sources - Operating," to the proposed TS 3.3.8.3. In addition, TS 3.3.5.1, "Emergency Core Cooling System (ECCS) Instrumentation, Table 3.3.5.1-1, "Emergency Core Cooling System Instrumentation," is revised to incorporate references to the proposed TS 3.3.8.3.

2.0 DETAILED DESCRIPTION The Tennessee Valley Authority (TVA) proposes to revise the BFN, Units 1, 2, and 3 TS as follows:

BFN, Units 1 and 2

1. TS 3.3.5.1, Table 3.3.5.1-1, Footnote (b) is revised from "Channels affect Common Accident Signal Logic. Refer to LCO 3.8.1, 'AC Sources - Operating,'" to "Channels affect ECCS Preferred Pump Logic and Common Accident Signal Logic. Refer to LCO 3.3.8.3, 'Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic.'"
2. TS 3.3.5.1, Table 3.3.5.1-1, Functions 2.a, 2.b, and 2.c "Required Channels Per Function," are revised to reflect new Footnote (f) that states "Channels affect ECCS Preferred Pump Logic and Unit Priority Re-trip Logic. Refer to LCO 3.3.8.3,

'Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic.'"

3. TS 3.3.8.3, "Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic," is added to specify Limiting Conditions for Operation (LCO), Applicability, Actions and Surveillance Requirements governing the operability of the subject logic systems. In addition, the Completion Time associated with one or more required ECCS Preferred Pump Logic divisions inoperable is revised from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 7 days.
4. TS 3.8.1, LCO 3.8.1.b is revised to delete "and common accident signal logic," delete Condition D and renumber subsequent Conditions and Required Actions. Common Accident Signal Logic requirements are relocated to the proposed TS 3.3.8.3.

Page E-2 of 28

BFN, Unit 3

1. TS 3.3.5.1, Table 3.3.5.1-1, Footnote (b) is revised from "Channels affect Common Accident Signal Logic. Refer to LCO 3.8. 1, 'AC Sources - Operating '" to "Channels affect Common Accident Signal Logic. Refer to LCO 3.3.8.3, 'Common Accident Signal (CAS) and Unit Priority Re-Trip Logic.'"
2. TS 3.3.5.1, Table 3.3.5.1-1, Functions 2.a, 2.b, and 2.c "Required Channels Per Function," are revised to reflect new Footnote (g) that states "Channels affect Unit Priority Re-trip Logic. Refer to LCO 3.3.8.3, 'Common Accident Signal (CAS) and Unit Priority Re-Trip Logic.'"
3. TS 3.3.8.3, "Common Accident Signal (CAS) and Unit Priority Re-Trip Logic," is added to specify LCO, Applicability, Actions and Surveillance Requirements governing the operability of the subject logic systems.
4. TS 3.8.1, LCO 3.8.1.b is revised to delete "and common accident signal logic," delete Condition D and renumber subsequent Conditions and Required Actions. Common Accident Signal Logic requirements are relocated to the proposed TS 3.3.8.3.

The associated TS 3.3.5.1 and TS 3.8.1 Bases for each BFN unit are revised to reflect the changes described for the TS. New Bases are proposed for the new TS 3.3.8.3.

Changes to the existing TS Bases, consistent with the technical and regulatory analyses, are implemented under the Technical Specification Bases Control Program upon approval of this amendment request.

3.0 BACKGROUND

As part of the original licensing basis for the operation of BFN Units 1, 2 and 3, the Safety Evaluation Report (SER), dated June 26, 1972 (Reference 1), and Supplement No. 1 to the SER, dated December 21, 1972 (Reference 2), evaluated the emergency electrical power system for multi-unit operation and also addressed the original Units 1 and 2 ECCS system inter-tie logic. SER Supplement No. 1 stated that the redesigned emergency standby AC power system has the capability to provide emergency power to accommodate any combination of accident signals (real or spurious) in any unit without operator action for the short term (0-10 minutes) within the ECCS interim criteria established for calculating peak fuel cladding temperatures.

Supplement No. 4 to the SER, dated September 10, 1973 (Reference 3) evaluated the final design details of the emergency electrical power systems, stating:

"In the event an accident signal appears in both Unit 1 and Unit 2 at the same time, the intertie signal between the two units will give priority to Division I of the ECCS equipment for Unit 1 and Division II of the ECCS equipment to Unit 2. In the event of an accident signal in Unit 1, all the ECCS equipment associated with this unit will start on both Division I and II. However, if an accident signal in Unit 2 follows, it will strip the ECCS Division II loads and assign this division to Unit 2. The converse will also be true with the first accident signal occurring in Unit 2 followed by an accident signal in Unit 1."

Page E-3 of 28

Following initial startup and operation, TVA modified the Low Pressure Coolant Injection (LPCI) initiation logic to satisfy various regulatory requirements imposed by changes to the BFN ECCS thermal limits calculation model required by 10 CFR 50, Appendix K.

These modifications added a redundant start signal to a LPCI pump in the opposite division to ensure that at least one pump would be operating in each loop and modified the Unit 1 and 2 ECCS inter-tie (ECCS Preferred Pump) logic. Redundant signals were also added to isolate the opposite division's Recirculation Pump Discharge Valves and the Residual Heat Removal (RHR) Test / Isolation Valves. Following these modifications, in the event of a real and spurious accident signal occurring in Units 1 and 2, the Unit 1/2 ECCS initiation and Preferred Pump Logic would assign Core Spray pumps 1A and 1C and RHR pumps 1A and 1B to Unit 1. Unit 2 would be assigned Core Spray pumps 2B and 2D and RHR pumps 2C and 2D. However, these modifications failed to account for the potential overloading of the diesel generators (DGs) if the ECCS pumps were started out of their required sequence (i.e., RHR pump at 0.1 seconds, Core Spray pump at 7 seconds, and Emergency Equipment Cooling Water (EECW) pump at 14 seconds). In the event of a real and spurious accident signal occurring on Units 1 and 2, the LPCI modifications would have allowed an RHR pump to start on a DG that was already loaded by a Core Spray pump and EECW pump, or a Core Spray pump to start on a DG loaded by an RHR pump and EECW pump. In the event of a real and spurious accident signal occurring on Unit 3 and Unit 1 or 2, the LPCI modifications would have allowed an RHR pump and Core Spray pump to start on a board already loaded with an EECW pump. TVA reviewed the BFN diesel load analysis and determined that if an RHR pump was allowed to start on a diesel that was already loaded with any large 4KV load such as an EECW pump, the high starting current of the RHR pump would overload the DG and result in the loss of the DG and its four kilovolt (4KV) shutdown board. If a RHR pump were to start on a board already loaded with a Core Spray pump and an EECW pump with normal power available, an evaluation of the loads showed that this would also overload the affected shutdown boards. This would result in the temporary loss of the board while it de-energized and sequenced onto its associated DG.

Following the shutdown of all three BFN units in 1986, a Condition Adverse to Quality Report was initiated to document that the AC power supply system and ECCS initiation logic could not accommodate various combinations of spurious and real accident signals as described in the UFSAR Section 8.5.2. As part of the Base Line Commitment process, TVA identified that modification of the BFN Accident Signal Logic and Unit 1/2 Preferred Pump Logic would be required to support continued multi-unit operations.

To support the restart of Unit 2, the accident signal logic inputs for Units 1 and 3 were temporarily disabled by plant procedures and design change. Prior to the re-start of Unit 3, TVA performed an evaluation of the Units 2 and 3 accident signal logic to determine the consequences of a spurious accident signal initiation on the combined operation of Units 2 and 3. TVA modified the Unit 2 and 3 logic to install the DG output breakers Unit Priority Re-Trip logic to ensure that the diesels were able to support the required ECCS loads in the event of a spurious accident signal from the non-accident unit as described in the UFSAR, Section 8.5.4.2. The initiation of CAS from the Core Spray initiation logic results in starting all eight Unit 1/2 and Unit 3 DGs. The non accident unit's DGs are required to supply common equipment such as EECW, Secondary Building Gas Treatment (SBGT) and Control Room Emergency Ventilation System (CREVs) that is needed to support the accident unit. Any DG output breakers Page E-4 of 28

that are closed are tripped open by the CAS logic so that the accident loads are properly sequenced onto the 4KV shutdown boards. Any subsequent trips by the CAS logic are blocked. If a second accident signal initiation signal is received (real or spurious), the DG output breakers of the unit having the RHR initiation signal would be re-opened for that unit only by the Unit Priority Re-Trip signal to strip any running loads off of the DGs.

The loads in the unit with the second accident signal would then be re-sequenced onto the diesels for that unit. The accident signal logic for Unit 1 remained temporarily disabled.

To support the restart of Unit 1, TVA performed an analysis of the ECCS and CAS initiation logic to evaluate the consequences of a design basis spurious accident signal (due to process variable transients in the non-accident unit) with all three units operating.

Although not required to be postulated by the single failure design criteria, the spurious actuation of components in a non-accident unit were also evaluated to verify that the consequences of a spurious initiation of the non-accident unit's ECCS logic due to a component failure, maintenance activity or operator error were bounded by the design basis spurious accident signal. TVA-implemented modifications to ensure that the consequences of a spurious accident signal during combined operation of Units 1, 2 and 3 would be mitigated and that the accident signal logic would satisfy the minimum ECCS requirements in the UFSAR Table 6-5.3. There were no changes to the Unit 3 accident signal logic required to support Unit 1 restart. However, the implementation of the Unit 1 and Unit 2 modifications created a significant operational difference in the accident signal initiation logic between Units 1 and 2, and Unit 3. Therefore, TVA modified the Unit 3 accident signal logic to minimize these operational differences.

Following these modifications, with an accident signal present in both Units 1 and 2 (one real and one spurious), the ECCS Preferred Pump Logic dedicates RHR pumps 1A and 1C to Unit 1 and pumps 2B and 2D to Unit 2. The Division I Core Spray pumps 1A and 1C are dedicated to Unit 1, while the Division II pumps 2B and 2D are dedicated to Unit 2. These are considered the preferred pumps. The non-preferred pumps, Unit 1 Division II and Unit 2 Division I, will be tripped if running and will be blocked from automatically starting.

Another scenario that was evaluated was that the RHR or Core Spray pumps could be running in the opposite (non-accident) unit for shutdown cooling or testing at the time that an accident occurred. If there is only an accident signal present in one unit, all RHR and Core Spray pumps in the opposite unit are tripped (if running) by the modified Preferred Pump Logic so that all of the RHR and Core Spray pumps in the accident unit can start to mitigate the consequences of the accident. However, the Preferred Pump Logic would block the non-preferred pumps from automatically starting in the accident unit if an accident signal is subsequently received in the opposite unit.

The opposite unit RHR pumps that are tripped by the ECCS Preferred Pump Logic are locked out from manually re-starting for 60 seconds. This same time delay is also applied to the Core Spray pumps. This time delay allows the major ECCS loads that are automatically started (and most of the 480V loads that are load shed then automatically re-started) to load onto the boards prior to allowing the operators to manually re-start the RHR or Core Spray pumps. However, prior to re-starting any loads in the non-accident unit, the operators must coordinate with the accident unit's operators to ensure that electrical loads have been reduced enough to support re-starting any tripped pumps in the non-accident unit.

Page E-5 of 28

TVA submitted a License Amendment Request (LAR) dated April 11, 2003 (Reference 4), to reduce the number of ECCS subsystems that are actually available in response to certain design basis Loss of Coolant Accident (LOCA) scenarios. The LAR was necessary to support the restart of BFN Unit 1 by eliminating the potential overloading of a 4KV shutdown board or emergency DG in the event of both a real and a spurious accident signal in both Units 1 and 2. The LAR proposed changes to TS Table 3.3.5.1, Function 2.f, "Low Pressure Coolant Injection Pump Start - Time Delay Relay and the associated TS Bases. The changes proposed in TVA's April 11, 2003, letter were subsequently approved by the NRC by the Safety Evaluation dated April 1, 2004 (Reference 5).

The April 11, 2003, LAR also provided a description of the revised ECCS Preferred Pump Logic described above. However, the ECCS Preferred Pump Logic was not explicitly included in the changes to TS Table 3.3.5.1 or the TS Bases proposed by TVA and approved by the NRC.

Title 10 Code of Federal Regulations Chapter 50, Part 36 (10 CFR 50.36) requires LCOs be included for items meeting any of four specified criteria. As stated in 10 CFR 50.36(c)(2)(iii), licensees are not required to modify TS that were included in any license issued before August 18, 1995, to satisfy the criteria provided in 10 CFR 50.36(c)(2)(ii). TVA has determined that the BFN, Units 1 and 2 ECCS Preferred Pump Logic meets the requirements of 10 CFR 50.36(c)(2)(ii), Criterion 3.

TVA is voluntarily proposing to include an LCO for the ECCS Preferred Pump Logic in the BFN, Units 1 and 2 TS.

Although not explicitly required by TS Table 3.3.5.1-1 nor described in the associated TS Bases, Logic System Functional Testing for the BFN Units 1 and 2 ECCS Preferred Pump logic is currently performed once per 24 months in accordance with Surveillance Requirement (SR) 3.3.5.1.6 as specified in TS Table 3.3.5.1-1 for Core Spray Functions 1.a, 1.b, and 1.c and LPCI Functions 2.a, 2.b and 2.c. The proposed changes explicitly require Logic System Functional Testing to be performed for the BFN Units 1 and 2 ECCS Preferred Pump Logic, thus clarifying the testing requirement.

In addition, TVA has determined that combining the ECCS Preferred Pump Logic in a new LCO along with the Common Accident Signal Logic relocated from TS 3.8.1 and the Unit Priority Re-Trip Logic implicitly required by TS 3.8.1 enhances the usability of the requirements by BFN Operations. The changes proposed for BFN, Unit 3, i.e.,

relocating the requirements for Common Accident Signal Logic and Unit Priority Re-trip Logic, are made for consistency with the changes to the BFN, Units 1 and 2 TS.

4.0 TECHNICAL EVALUATION

4.1 System Description

In the event of an accident signal in either Unit 1 or Unit 2, all of the ECCS equipment associated with the accident unit is designed to start. All eight DGs in the plant are started on receipt of an accident signal in any one of the three BFN Units as a pre-emergency action in case of a subsequent loss of offsite power.

Page E-6 of 28

ECCS Preferred Pump Logic The DGs and Standby AC Power System are designed to accommodate spurious accident signals from any unit and in any order, i.e., real accident signal followed by a spurious signal, real accident signal coincident with a spurious signal, and spurious followed by a real accident signal. If the ECCS loads for both Units 1 and 2 were allowed to start during combinations of real and spurious accident signals, the combined Unit 1/2 ECCS pumps would overload the 4KV shutdown boards and their associated DGs.

During combinations of real and spurious accident signals, the Units 1 and 2 ECCS Preferred Pump Logic assign the Unit 1 ECCS loads to the Division I 4KV shutdown boards and the Unit 2 ECCS loads to the Division II 4KV shutdown boards. If any RHR or Core Spray pumps were already running in the opposite unit (e.g., for shutdown cooling), the Core Spray and LPCI logic send redundant signals to initiate the ECCS Preferred Pump Logic to trip the opposite units running RHR and Core Spray pumps.

The ECCS Preferred Pump Logic signal also inhibits the RHR and Core Spray pumps automatic start logic in the opposite unit (after 60 seconds manual control of the pumps is restored). This action ensures that any running RHR or Core Spray pumps in the opposite unit will be tripped, unloading the Unit 1/2 4KV shutdown boards prior to the accident unit starting its ECCS pumps on a real accident signal. For combinations of real and spurious accident signals, the Unit 1 and 2 ECCS Preferred Pump Logic allows the Unit 1 Division I RHR and Core Spray pumps (1A and 1C) to start and load on the Division I 4KV shutdown boards, and the Unit 2 Division II RHR and Core Spray pumps (2B and 2D) to load on the Division II 4KV shutdown boards. This action ensures that the shared Unit 1/2 4KV shutdown boards are not overloaded while still maintaining the minimum number of required ECCS injection subsystems.

If an accident signal is initiated in only one unit (Unit 1 or 2) and any RHR pump or Core Spray pump is already running in the opposite non-accident unit (e.g., for shutdown cooling), the Core Spray and LPCI logic sends redundant signals to initiate the ECCS Preferred Pump Logic to trip all of the non-accident units running RHR and Core Spray pumps. This action ensures that any running RHR or Core Spray pumps in the non-accident unit will be tripped, unloading the Unit 1 and 2 4kV shutdown boards prior to the accident unit starting all of its ECCS pumps (both divisions) on an accident signal, with or without a loss of offsite power.

Common Accident Signal (CAS) Logic The Core Spray low reactor vessel water level signal or high drywell pressure signal coincident with low reactor pressure signals are used to generate a CAS, which affects the operation of components associated with all three units. The CAS performs the following functions:

sends a signal to start all eight DGs for Unit 1/2 and Unit 3 trips the DG output breakers (if closed) defeats selected DG protective trips blocks the 4kV Shutdown Board auto transfer logic trips and blocks the fire pumps A, B, and C auto start logic starts the RHR Service Water (RHRSW) (aligned to EECW) pumps Page E-7 of 28

blocks subsequent RHRSW (aligned to EECW) pump start signal (if already running) blocks the 4kV degraded voltage trips trips the RHRSW pumps A2 and C2 trips the Raw Cooling Water (RCW) pump 1D Unit Priority Re-Trip Logic Following an initiation of a CAS on either Unit 2 or 3 (which trips all eight DG output breakers), subsequent accident signal trips of the DG output breakers are blocked. A second DG output breaker trip on a "unit priority" basis is provided to ensure that during combinations of spurious and real accident signals, the DG-supplied buses are stripped prior to starting the RHR pumps and other ECCS loads. This DG output breaker re-trip will only occur if a spurious accident signal or a real accident signal from the other unit has previously tripped the DG output breakers. Inputs from the LPCI initiation circuitry indicating low reactor vessel water level or high drywell pressure coincident with low reactor pressure, combined with an existing CAS trip signal, will re-trip the DG output breakers on the unit where the LPCI initiation signal originated. The other unit's DG output breakers will be unaffected by this second trip. Thus each unit is given priority over the block of subsequent CAS DG output breaker trips for its DGs. This DG output breaker Unit Priority Re-Trip ensures that the DG-supplied buses are stripped prior to starting the RHR (LPCI) pumps, Core Spray pumps and other required loads. For Units 1 and 2 only, with a real and spurious accident signal present, the Unit 1 initiated unit priority re-trip signal will only re-trip the Division I DG output breakers while the Unit 2 initiated unit priority re-trip signal will only re-trip the Division II DG output breakers. This will ensure that a spurious unit priority re-trip signal will not re-trip all four Unit 1/2 DG output breakers, which would result in interrupting both divisions RHR and Core Spray pumps supplying the opposite unit in a real accident.

4.2 Detailed Discussion of Proposed TS Changes BFN, Units 1 and 2 This proposed change adds new TS 3.3.8.3, "Emergency Core Cooling System (ECCS)

Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic," to specify LCO, Applicability, Actions and Surveillance Requirements governing the operability of the subject logic systems.

The proposed TS 3.3.8.3 LCO requires:

Two divisions of ECCS Preferred Pump Logic be operable in Modes 1, 2, and 3 The division(s) of ECCS Preferred Pump Logic required to be operable during operation in Modes 4 and 5 dependent on the configuration of the RHR or Core Spray pumps required to be operable, or in operation Two divisions of CAS Logic be operable in Modes 1, 2, and 3 Two divisions of Unit Priority Re-Trip Logic be operable in Modes 1, 2, and 3 Proposed TS 3.3.8.3 Condition A is entered with one or more required ECCS Preferred Pump Logic divisions inoperable. Condition A requires that the ECCS Preferred Pump Logic division be restored to operable within seven days.

Page E-8 of 28

Proposed TS 3.3.8.3 Condition B is entered with one CAS Logic division inoperable.

Condition B requires that the logic division be restored to operable within seven days.

Proposed TS 3.3.8.3 Condition C is entered with one Unit Priority Re-Trip Logic division inoperable. Condition C requires that the logic division be restored to operable within seven days.

In the event that the Required Action and associated Completion Time of proposed Condition A, B, or C are not met during operation in Mode 1, 2, or 3, proposed Condition D requires placing the affected unit in Mode 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and Mode 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

For Unit 1, proposed Condition E is entered in the event that the Required Action and associated Completion Time of proposed Condition A is not met during operation in Mode 4 or 5 with Unit 2 in Mode 1, 2, or 3. Proposed Condition E, for Unit 1, requires declaring the associated ECCS components inoperable immediately if Unit 1 is in Mode 4 or 5 and Unit 2 is in Mode 1, 2, or 3.

For Unit 2, proposed Condition E is entered in the event that the Required Action and associated Completion Time of proposed Condition A is not met during operation in Mode 4 or 5 with Unit 1 in Mode 1, 2, or 3. Proposed Condition E, for Unit 2, requires declaring the associated ECCS components inoperable immediately if Unit 2 is in Mode 4 or 5 when Unit 1 is in Mode 1, 2, or 3.

Proposed Condition F is entered in the event that two divisions of CAS Logic or two divisions of Unit Priority Re-Trip Logic are inoperable. Proposed Condition F requires that LCO 3.0.3 be entered immediately.

Proposed SR 3.3.8.3.1 requires performance of a Logic Systems Functional Test once per 24 months for the ECCS Preferred Pump logic, CAS Logic, and Unit Priority Re-Trip Logic. SR 3.3.8.3.1 is modified by a note allowing entry into the associated Conditions and Required Actions to be delayed for up to six hours when a division is placed in an inoperable status solely for the performance of required surveillance testing, provided the associated redundant division is operable.

This proposed change revises TS 3.3.5.1, Table 3.3.5.1-1 to incorporate references to the proposed TS 3.3.8.3 LCO.

Footnote (b) is revised from "Channels affect Common Accident Signal Logic. Refer to LCO 3.8.1, 'AC Sources - Operating,'" to "Channels affect ECCS Preferred Pump Logic and Common Accident Signal Logic. Refer to LCO 3.3.8.3, 'Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic.'"

TS 3.3.5.1, Table 3.3.5.1-1, Functions 2.a, 2.b, and 2.c "Required Channels Per Function," are revised to reflect new Footnote (f) stating "Channels affect ECCS Preferred Pump Logic and Unit Priority Re-trip Logic. Refer to LCO 3.3.8.3,

'Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic.'"

Page E-9 of 28

BFN, Unit 3 This proposed change adds new TS 3.3.8.3, "Common Accident Signal (CAS) and Unit Priority Re-Trip Logic," to specify LCO, Applicability, Actions and Surveillance Requirements governing the operability of the subject logic systems.

The proposed TS 3.3.8.3 LCO requires:

Two divisions of CAS Logic be operable in Modes 1, 2, and 3 Two divisions of Unit priority Re-Trip Logic be operable in Modes 1, 2, and 3 Proposed TS 3.3.8.3 Condition A is entered with one CAS Logic division inoperable.

Condition A requires that the logic division be restored to operable within seven days.

Proposed TS 3.3.8.3 Condition B is entered with one Unit Priority Re-Trip Logic division inoperable. Condition B requires that the logic division be restored to operable within seven days.

In the event that the Required Action and associated Completion Time of proposed Condition A or B are not met during operation in Mode 1, 2, or 3, proposed Condition C requires placing the affected unit in Mode 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and Mode 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

Proposed Condition D is entered in the event that two divisions of CAS Logic or two divisions of Unit Priority Re-Trip Logic are inoperable. Proposed Condition D requires that LCO 3.0.3 be entered immediately.

Proposed SR 3.3.8.3.1 requires performance of a Logic Systems Functional Test once per 24 months for the CAS Logic and Unit Priority Re-Trip Logic. SR 3.3.8.3.1 is modified by a note allowing entry into the associated Conditions and Required Actions to be delayed for up to six hours when a division is placed in an inoperable status solely for the performance of required surveillance testing, provided the associated redundant division is operable.

This proposed change revises TS 3.3.5.1, Table 3.3.5.1-1 to incorporate references to the proposed TS 3.3.8.3 LCO.

Footnote (b) is revised from "Channels affect Common Accident Signal Logic. Refer to LCO 3.8.1, 'AC Sources - Operating,'" to "Channels affect Common Accident Signal Logic. Refer to LCO 3.3.8.3, 'Common Accident Signal (CAS) and Unit Priority Re-Trip Logic.'"

TS 3.3.5.1, Table 3.3.5.1-1, Functions 2.a, 2.b, and 2.c "Required Channels Per Function," are revised to reflect new Footnote (g) stating "Channels affect Unit Priority Re-trip Logic. Refer to LCO 3.3.8.3, 'Common Accident Signal (CAS) and Unit Priority Re-Trip Logic.'"

Page E-10 of 28

BFN Units 1, 2, and 3 This proposed change relocates the requirements for CAS Logic and Unit Priority Re-Trip Logic implicitly required by TS 3.8.1 to the new TS 3.3.8.3. Specifically, TS 3.8.1 is revised as follows:

TS 3.8.1 LCO 3.8.1.b is revised to delete "and common accident signal logic."

Condition D, applicable to one inoperable division of CAS Logic, and the associated Required Action and Completion Time are deleted. Subsequent Conditions and Required Actions are renumbered.

Condition J is revised to delete the entry condition related to two inoperable divisions of CAS Logic.

4.3 Technical Analysis BFN Units 1 and 2 Incorporation of ECCS Preferred Pump Logic in Proposed TS 3.3.8.3 Proposed TS 3.3.8.3 LCO and Applicability There are two divisions of ECCS Preferred Pump Logic, each consisting of two channels: a LPCI channel and a Core Spray channel. ECCS Preferred Pump Logic is initiated by TS Table 3.3.5.1-1, Core Spray Functions 1a, 1b, and 1c and LPCI Functions 2a, 2b, and 2c. With an accident signal present in both Units 1 and 2 (one real and one spurious), the ECCS Preferred Pump Logic dedicates RHR pumps 1A and 1C to Unit 1 and RHR pumps 2B and 2D to Unit 2. The Division I Core Spray pumps 1A and 1C are dedicated to Unit 1, while the Division II Core Spray pumps 2B and 2D are dedicated to Unit 2. These are considered the preferred pumps. The non-preferred pumps, Unit 1 Division II and Unit 2 Division I, are tripped if running and are blocked from automatically starting.

The proposed TS 3.3.8.3 specifies the required Functions, required divisions and Modes of Applicability in Table 3.3.8.3-1. TS Table 3.3.8.3-1 requires two divisions of the ECCS Preferred Pump Logic to be operable in Modes 1, 2, and 3. The requirement for two divisions to be operable in Modes 1, 2, and 3 is consistent with the design of the logic system as previously described in this enclosure.

During operation in Modes 4 or 5, TS Table 3.3.8.3-1 references two footnotes.

Footnote (a) in the Unit 1 table modifies the Applicability of Modes 4 and 5 to apply when the associated RHR or Core Spray pumps are required to be operable, or are in operation, and BFN, Unit 2 is in Mode 1, 2, or 3. Footnote (a) is necessary because the ECCS Preferred Pump Logic from BFN, Unit 2 supplies a signal to the BFN, Unit 1 ECCS Preferred Pump Logic to ensure that in the event of an accident on BFN, Unit 2, any running RHR or Core Spray pumps in the non-accident unit would be tripped, unloading the BFN, Unit 1 and 2 4kV shutdown boards prior to the accident unit starting all of its ECCS pumps (both divisions) on an accident signal, with or without a loss of offsite power. Footnote (a) in the Unit 2 table is similar to Footnote (a) in the Unit 1 table but refers to Unit 1 being in Mode 1, 2, or 3. Footnote (b) states that the required number of operable divisions is dependent upon the configuration of the RHR or Core Spray pumps required to be operable, or are in operation. This is consistent with other Page E-11 of 28

requirements such as the existing TS Table 3.3.5.1-1 footnote (a) stating that Functions are only required to be operable when the associated subsystem(s) are required to be operable.

Proposed TS 3.3.8.3 Conditions, Required Actions and Completion Times Currently, in the event one Core Spray channel of the ECCS Preferred Pump Logic is inoperable (i.e., SR 3.3.5.1.6 is not satisfied), the associated TS Table 3.3.5.1-1 Functions are inoperable. Therefore, TS Table 3.3.5.1-1, Functions 1a, 1b, and 1c would be declared inoperable and TS 3.3.5.1 Condition B and Condition C must be entered. The Required Actions for both of these conditions require declaring the supported ECCS feature(s) inoperable within one hour when the redundant feature ECCS initiation capability is inoperable. However, Condition B also requires placing the Function in trip within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, while Condition C requires restoring the Function to operable status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. In the event the Required Actions and associated Completion Times of Condition B or Condition C are not met, TS 3.3.5.1, Condition H requires declaring the associated ECCS feature(s) inoperable immediately.

Likewise, in the event one LPCI channel of the ECCS Preferred Pump Logic is inoperable (i.e., SR 3.3.5.1.6 is not satisfied), the associated TS Table 3.3.5.1-1 Functions are inoperable. Therefore, TS Table 3.3.5.1-1, Functions 2a, 2b, and 2c would be declared inoperable and TS 3.3.5.1 Condition B and Condition C must be entered. The Required Actions for both of these conditions require declaring the supported ECCS feature(s) inoperable within one hour when the redundant feature ECCS initiation capability is inoperable during operation in Modes 1, 2, and 3. This action could result in entering TS 3.5.1, Condition H, requiring immediate entry into LCO 3.0.3. However, Condition B also requires placing the Function in trip within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, while Condition C requires restoring the Function to operable status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. In the event the Required Actions and associated Completion Times of Condition B or Condition C are not met, TS 3.3.5.1, Condition H requires declaring the associated ECCS feature(s) inoperable immediately. This action could result in entering TS 3.5.1, Condition A, requiring restoration of the ECCS injection/spray subsystem(s) to operable status within seven days.

The associated TS 3.3.5.1 Bases do not describe the ECCS Preferred Pump Logic.

Therefore, as shown by the two inoperabilities discussed above, the current TS requirements require a high degree of interpretation of the TS requirements in order to determine the appropriate actions to be taken for an inoperable division of ECCS Preferred Pump Logic. The complexity of the current TS requirements could distract the Operator from other actions that may be required to be taken, and could result in taking incorrect or inappropriate actions for the inoperable logic function.

Proposed TS 3.3.8.3 Condition A would be entered with one or more divisions of ECCS Preferred Pump Logic inoperable. Required Action A.1 requires that the ECCS Preferred Pump Logic division be restored to operable status within seven days. If the Required Action and associated Completion Time of Condition A is not met during operation in Mode 1, 2, or 3, Condition D would require the unit to be placed in Mode 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and Mode 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The proposed changes allow additional time for diagnosis of the failure and repairs for restoration of the logic function. The Risk Assessment discussed in Section 4.4 of this enclosure determined that the risk of Page E-12 of 28

changing the Completion Time for the ECCS Preferred Pump Logic from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to seven days is acceptable.

TS 3.3.5.1 does not specify Conditions, Required Actions and Completion Times in the event the Functions associated with the ECCS Preferred Pump Logic are inoperable during operation in Mode 4 or 5 when the other Unit is in Mode 1, 2, or 3, for example, Unit 1 in Mode 5 with Unit 2 in Mode 1. Proposed BFN Unit 1 TS 3.3.8.3 Condition E would be entered if the Required Action and associated Completion Time of Condition A are not met in Mode 4 or 5 with Unit 2 in Mode 1, 2, or 3. Similarly, proposed BFN Unit 2 TS 3.3.8.3 Condition E would be entered if the Required Action and associated Completion Time of Condition A are not met in Mode 4 or 5 with Unit 1 in Mode 1, 2, or 3. This action is meant to prevent disruptions to activities in the shutdown unit, such as core cooling or operations with the potential to drain the reactor vessel, should an accident occur on the operating unit and to ensure sufficient capacity exists on the 4 kV shutdown boards for the accident unit. Therefore during operation in Mode 4 and 5, Required Action E.1 requires immediately declaring the associated ECCS components inoperable. The applicable Conditions of TS 3.5.2 would then be entered. This change results in a more restrictive requirement than previously specified.

BFN Units 1, 2, and 3 Relocation of CAS Logic Requirements from TS 3.8.1 to Proposed TS 3.3.8.3 TS 3.8.1 currently requires two operable divisions of CAS Logic in Modes 1, 2, and 3.

With one division of CAS Logic inoperable, TS 3.8.1 Required Action D.1 requires restoring the required division of CAS Logic to operable status within seven days. If the Required Action and associated Completion Time of Condition D is not met, Condition I requires placing the unit in Mode 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and Mode 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. With two divisions of CAS inoperable, TS 3.8.1 Required Action J.1 requires immediate entry into LCO 3.0.3. TS 3.8.1 does not specify a Surveillance Requirement for CAS Logic.

The Unit Priority Re-Trip Logic is not explicitly addressed by TS 3.8.1. However, Unit Priority Re-Trip Logic is addressed in the TS 3.8.1 Bases discussion of CAS Logic.

The proposed TS 3.3.8.3 requires that two divisions of CAS Logic and two divisions of Unit Priority Re-Trip Logic be operable during Modes 1, 2, and 3. This relocation retains the current TS 3.8.1 LCO and Applicability requirements.

With one division of CAS Logic inoperable, proposed Required Action B.1 (BFN Units 1 and 2) and proposed Required Action A.1 (BFN Unit 3) limit operation to seven days.

With one division of Unit Priority Re-trip Logic inoperable, proposed Required Action C.1 (BFN Units 1 and 2) and proposed Required Action B.1 (BFN Unit 3) limit operation to seven days. There is no change to either the Required Action or Completion Time.

Therefore, this relocation retains the current Required Actions specified by TS 3.8.1.

If the Required Action and associated Completion Time of Condition B or C (BFN Units 1 and 2) and Condition A or B (BFN Unit 3) is not met in MODE 1, 2, or 3, Condition D (BFN Units 1 and 2) and Condition C (BFN Unit 3) require placing the respective unit in Mode 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and Mode 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. There is no change in either the Required Action or Completion Time. Therefore, this relocation retains the current Required Actions specified by TS 3.8.1.

Page E-13 of 28

With two divisions of CAS Logic inoperable or two divisions of Unit Priority Re-Trip Logic inoperable, Required Action F.1 (BFN Units 1 and 2) and Required Action D.1 (BFN Unit 3) require immediate entry into LCO 3.0.3. There is no change in either the Required Action or Completion Time. Therefore, this relocation retains the current Required Actions specified by TS 3.8.1.

BFN Units 1, 2, and 3 Proposed Surveillance Requirement 3.3.8.3.1 Proposed SR 3.3.8.3.1 requires performance of a Logic Systems Functional Test once per 24 months for the ECCS Preferred Pump logic (BFN Units 1 and 2, only), CAS Logic, and Unit Priority Re-Trip Logic. Logic System Functional Testing for the ECCS Preferred Pump logic (for BFN Units 1 and 2, only), CAS Logic, and Unit Priority Re-Trip Logic (for BFN Units 1, 2, and 3) is currently performed once per 24 months in accordance with SR 3.3.5.1.6 as specified in TS Table 3.3.5.1-1 for Core Spray Functions 1.a, 1.b, and 1.c and LPCI Functions 2.a, 2.b and 2.c. The proposed TS 3.3.8.3 Bases state that the Logic System Functional Test performed in LCO 3.3.5.1 and the DG testing performed by SR 3.8.1.6 overlap the testing required by SR 3.3.8.3.1. Therefore, the proposed SR 3.3.8.3.1 retains the current testing interval.

Proposed SR 3.3.8.3.1, for BFN Units 1 and 2, is modified by two Notes.

Note 1 indicates that when a channel is placed in an inoperable status solely for performance of Surveillance, entry into associated Conditions and Required Actions may be delayed for up to six hours provided the associated redundant division is OPERABLE. Upon completion of the Surveillance, or expiration of the six hour allowance, the division must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the Risk Assessment discussed in Section 4.4 of this enclosure. That analysis demonstrates that the six hour testing allowance does not significantly reduce the probability that the ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logics will initiate when necessary.

Note 2 indicates that testing of the Unit 2 breakers is not required for a successful test.

This allowance is necessary to preclude unnecessary challenges to an operating unit.

Testing of the Unit 2 breakers is required by Unit 2 SR 3.3.8.3.1.

Proposed SR 3.3.8.3.1, for BFN Unit 3, is modified by a Note indicating that when a channel is placed in an inoperable status solely for performance of a surveillance, entry into associated Conditions and Required Actions may be delayed for up to six hours provided the associated redundant division is OPERABLE. Upon completion of the Surveillance, or expiration of the six hour allowance, the division must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

This Note is based on the Risk Assessment discussed in Section 4.4 of this enclosure.

That analysis demonstrates that the six hour testing allowance does not significantly reduce the probability that the CAS, and Unit Priority Re-Trip Logics will initiate when necessary.

Summary The proposed incorporation of TS 3.3.8.3 explicitly addresses the ECCS Preferred Pump Logic (for BFN Units 1 and 2) and clarifies the TS requirements for operability for ECCS Page E-14 of 28

Preferred Pump logic (BFN Units 1 and 2, only), CAS Logic, and Unit Priority Re-Trip Logic. Because the changes proposed in this LAR do not require modification of the plant or change the way the logic systems are used, the changes proposed in this LAR do not affect the current LOCA analysis of record.

4.4 Risk Assessment 4.4.1 Introduction 4.4.1.1 Method of Analysis NRC Regulatory Guide (RG) 1.177 (Reference 6) provides an approach for plant-specific, risk-informed decision-making for changes to the technical specifications.

A three-tiered approach for evaluation of the risk associated with the proposed TS change follows:

Tier 1 - An evaluation of the plant-specific risk of the proposed TS change, as shown by:

Change in core damage frequency (CDF)

Incremental conditional core damage probability (ICCDP)

Change in large early release frequency (LERF)

Incremental conditional large early release probability (ICLERP)

The Tier 1 analysis was completed consistent with RG 1.174 (Reference 7) and RG 1.177 and included Internal Events & Flooding, Fire, Seismic and Tornado Analyses.

Tier 2 - Identifies and evaluates, with respect to defense-in-depth, any potential risk-significant plant equipment outage configurations associated with the proposed change.

Tier 3 - Provides for the establishment of an overall configuration risk management program (CRMP) and confirmation that its insights are incorporated into the decision-making process before taking equipment out-of-service prior to or during the completion time (CT).

4.4.1.2 Application of Tiers 1, 2, and 3 4.4.1.2.1 Tier 1 - Probabilistic Risk Assessment (PRA) Applicability and Insights The BFN PRA was subjected to a full scope peer review in accordance with the requirements of NRC RG 1.200, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities," (Reference 8) in 2009 (Reference 9). A second follow-on limited scope peer review was conducted later in 2009 (Reference 10) to address the internal flooding model elements due to the fact that the internal flooding analysis was not complete at the time of the initial peer review.

Page E-15 of 28

The following areas were addressed:

1. Assurance that the plant-specific PRA reflects the as-built, as-operated plant.

A key attribute to the ASME/ANS Standard (Reference 11) is to assess how the PRA modeled the as-built, as-operated plant. The facts and observations (F&Os) generated during the peer review were each addressed such that the BFN internal events PRA meets at least a Capability Category II for each individual sub-element of the ASME/ANS Standard, and high-level requirement HLR-MU-B stated that a PRA configuration control process is in place, and governed by procedure which provides a reasonable assurance that the as-built, as-operated plant is reflected through routine maintenance and upgrades to the PRA.

2. Assurance that the applicable PRA updates include the findings from the individual plant evaluation (IPE) and the IPE for External Events (IPEEE).

The BFN PRA has been updated several times since the completion of the IPE and IPEEE from the 1990s. The technical adequacy of the PRA was established by peer review in 2009. The current model of record represents a significantly more mature PRA as compared to the IPE and IPEEE.

3. Assurance that conclusions from the peer review, including facts and observations that are applicable to this application have been resolved.

For areas where the peer review determined work was necessary to meet Capability Category II, an F&O item was initiated. The resolutions to the F&Os are documented in the PRA Summary Notebook (Reference 12). Note that subsequent revisions of the summary notebook removed this table on the assumption that the responses to the F&Os would not change.

4. Assurance that there is PRA configuration control and updating, including PRA quality assurance programs, associated procedures, and PRA revision schedules.

TVA procedure NPG-SPP-09.11, "Probabilistic Risk Assessment (PRA) Program,"

covers the management of PRA applications and periodic PRA updates. Periodic changes made to the base plant-specific PRA model are required to incorporate system, structure, component and operating philosophy changes, and new plant-specific data.

5. Assurance that there is PRA adequacy, completeness, and applicability with respect to evaluating the risk associated with the proposed technical specification change.

BFN specific parameters and PRA results applicable to the proposed technical specification change are documented in References 12, 13, 14, and 15. The BFN internal events PRA was subjected to a peer review in 2009 that assessed its technical adequacy.

Page E-16 of 28

6. Assurance that plant design or operational modifications that are related to or could impact the proposed technical specification change are reflected in the PRA revision used in the plant-specific application, or a justification for not including those modifications in the PRA is provided.

In accordance with TVA procedure NPG-SPP-09.11, plant modifications or design changes that result in new configurations, alignments, and capabilities of plant systems are assessed for inclusion in model updates. Furthermore TVA procedure NEDP-26, Probabilistic Risk Assessment (PRA), provides the requirements for the cumulative impact of plant configuration changes, including plant-specific design, procedure and operational changes that require an update to the Model of Record (MOR).

4.4.1.2.2 Tier 2 - Avoidance of Risk-Significant Plant Configurations The process BFN uses to avoid risk-significant plant configurations is governed by TVA procedure NPG-SPP-07.1, On-Line Risk Management. The procedure applies to all work activities that affect or have the potential to affect a plant component, system, or unit configuration. A risk assessment methodology is used for on-line maintenance and shutdown operations. For on-line maintenance, a risk assessment is performed prior to implementation and emergent work is evaluated against the assessed scope.

Furthermore, TVA procedure NPG-SPP- 07.3, Work Activity Risk Management Process, provides an integrated process for assessing and reducing the likelihood and/or consequences of an adverse event.

4.4.1.2.3 Tier 3 - Risk-Informed Configuration Risk Management In accordance with the requirements of 10 CFR 50.65(a)(4), BFN assesses and manages plant configurations prior to taking the maintenance configuration. The proposed plant configuration is modeled in the computer code EOOS (Equipment Out Of Service) to determine the CDF and LERF. The initial risk assessment is performed six to nine weeks prior to implementation to allow for risk-informed sequencing of activities as necessary and for other actions determined based on risk insights gleaned from the initial assessment. This well-defined process is governed by TVA procedure NPG-SPP-07.1. The quantified change in risk is used as one input with respect to configuration risk management. Furthermore, the process prescribes successively higher levels of management approval for plant configurations resulting in an increase in risk at various levels. Although not quantified, work management compensatory measures are prescribed as the risk level increases to limit the likelihood of entering an unplanned configuration (i.e., protected trains/equipment) or to limit the consequences of an unattended action. Outage Risk Management is controlled in accordance with TVA procedure NPG-SPP-7.2.11, "Shutdown Risk Management."

Page E-17 of 28

4.4.2 RG 1.200 Technical Adequacy To demonstrate that the technical adequacy of the PRA used in an application is of sufficient quality, RG 1.200 states that the staff expects the following information to be submitted to the NRC. RG 1.200 also states that previously submitted documentation may be referenced if it is adequate for the subject submittal:

1. [Assurance that] the PRA model represents the as-designed or as-built, as-operated plant.

The BFN PRA was subjected to a full scope peer review in accordance with RG 1.200 requirements in 2009. A second follow-on limited scope peer review was conducted later in 2009 to address the internal flooding model elements due to the fact that the internal flooding analysis was not complete at the time of the initial peer review.

The ASME Standard endorsed by RG 1.200 (i.e., ASME/ANS RA-Sa-2009) includes High Level Requirements (HLRs) that address the PRA with respect to representing the as-built, as-operated plant, i.e., HLR-DA-B and HLR-MU-B. There are six Supporting Level Requirements (SLRs) for those sub-elements. The Peer Review Team characterization of these SLRs is that the BFN PRA meets the supporting requirements with a Capability Category (CC) I - III.

Furthermore, to ensure the PRA model is maintained to represent the as-built, as-operated plant, TVA Procedure NEDP-26 states, "Various information sources shall be monitored by the Corporate/Site PRA Specialist on an ongoing basis to determine changes or new information that will affect the model, model assumptions, or quantification. Information sources include Operating Experience, Technical Specification changes, plant modifications, Maintenance Rule changes, engineering calculation revisions, procedure changes, industry studies, NRC information and

[Problem Evaluation Reports]."

2. Identification of permanent plant changes (such as design or operational practices) that have an impact on those things modeled in the PRA but have not been incorporated in the baseline PRA model. If a plant change has not been incorporated, the licensee provides a justification of why the change does not impact the PRA results used to support the application. This justification should be in the form of a sensitivity study that demonstrates the accident sequences or contributors significant to the application decision were not adversely impacted (remained the same).

TVA procedure NPG-SPP-09.3, "Plant Modifications and Engineering Change Control," governs the process for making changes across the TVA fleet. This procedure includes checklists that require the engineer to assess the potential effect on PRA criteria. If there is a "yes" response to any of the questions, an interface with the PRA group is required, and a review of the proposed design modification is performed in accordance with the PRA Program. As of the date of this submittal, there are no outstanding plant changes that necessitate a change to the BFN MOR Revision 6, except for the modifications submitted as part of the transition to National Fire Protection Association Standard 805 (NFPA 805) by TVA letter dated March 27, 2013 (Reference 16). As the NFPA 805 modifications are completed they Page E-18 of 28

will be reviewed with this process and the PRA will be modified accordingly. All PRA updates will be reviewed to assure that a Peer Review is performed if required.

3. Documentation that the parts of the PRA required to produce the results used in the decision are performed consistently with the standard as endorsed in the appendices of this regulatory guide [RG 1.200, Revision 2]. If a requirement of the standard (as endorsed in the appendix to this guide [RG 1.200, Revision 2]) has not been met, the licensee is to provide a justification of why it is acceptable that the requirement has not been met. This justification should be in the form of a sensitivity study that demonstrates the accident sequences or contributors significant to the application were not impacted (remained the same).

The Peer Review Team determined that of the 264 supporting requirements, 262 were applicable to the BFN PRA. Of these, all but 63 were met at CC II or higher (i.e., CC-II, CC-III, CC-I/II, CC-II/III). The 63 supporting requirements are further divided as 53 not met, and 10 met at CC-I. The proposed resolutions for the F&Os associated with these 63 supporting requirements were resolved and incorporated as recommended by the Peer Team and are documented in the Summary Notebook.

4. A summary of the risk assessment methodology used to assess the risk of the application, including how the base PRA model was modified to appropriately model the risk impact of the application and results. (Note that this is the same as that required in the application-specific regulatory guides.)

The BFN PRA approach uses computer aided fault tree analysis (CAFTA) and provides a quantitative assessment of the identified risk in terms of scenarios that result in undesired consequences (e.g., core damage and/or large early release) and their frequencies, and is comprised of specific technical elements (e.g., data, HRA, initiators) in performing the quantification.

5. Identification of the key assumptions and approximations relevant to the results used in the decision-making process. Also, include the peer reviewers assessment of those assumptions. These assessments provide information to the NRC staff in their determination of whether the use of these assumptions and approximations is appropriate for the application, or whether sensitivity studies performed to support the decision are appropriate.

The Peer Review Team characterized the internal events SRs associated with key assumptions and approximations and graded these at either CC II or higher or generated an F&O. Technical elements included initiating events (IE), accident sequence analysis (AS), success criteria (SC), data analysis (DA), systems analysis (SY), human reliability (HRA), quantification (QU) and large early release (LE). If an F&O was generated, it was resolved as shown in the Summary Notebook.

Page E-19 of 28

6. A discussion of the resolution of the peer review (or self-assessment, for peer reviews performed using the criteria in NEI 00-02) findings and observations that are applicable to the parts of the PRA required for the applications. This decision should take the following forms:
a. a discussion of how the PRA model has been changed
b. a justification in the form of a sensitivity study that demonstrates the accident sequences or contributors significant to the application decision were not adversely impacted (remained the same) by the particular issue.

The Peer Review Team reviewed an initial revision of the PRA model using CAFTA.

The CAFTA model replaced the RiskMan model previously used at BFN. Because the Team reviewed a draft model, their recommendations did not make a change to the model, but rather supplemented the completion of the model to a Revision 0 status.

For those recommendations that resulted in an F&O, a resolution was documented and can be seen in the Summary Notebook. All F&Os were either disputed or the model was revised as described in the resolution.

7. The standards or peer review process documents may recognize different capability categories or grades that are related to level of detail, degree of plant specificity, and degree of realism. The licensees documentation is to identify the use of the parts of the PRA that conform to capability categories or grades lower than deemed required for the given application (Section 1-3 of ASME/ANS RA-Sa-2009).

The proposed application requires a quality level of CC II. The Peer Review Team reviewed the BFN PRA and concluded that some supporting requirements did not meet the CC II Requirement. For the supporting requirements that did not meet CC II an F&O was generated to state why the supporting requirement did not meet this requirement.

For each of the F&Os generated by the Peer Review Team, a resolution was documented and can be seen in the Summary Notebook.

4.4.3 PRA Analysis of Preferred Pump Logic Allowable Out-of-Service Times and Surveillance Test Intervals 4.4.3.1 Purpose This purpose of this evaluation is to document the risk analysis for a proposed TS Change Request for BFN. This evaluation is to support changing the Completion Time for the ECCS Preferred Pump Logic from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to seven days, adding a Completion Time for CAS and Unit Priority Re-Trip Logic for seven days, and maintaining Surveillance Test Intervals (STI) as the current STIs for the rest of the ECCS Instrumentation in the TS.

4.4.3.2 Background TVA is proposing to add a new TS 3.3.8.3 to specify the requirements for CAS and Unit Priority Re-Trip Logic for all three units. In addition the proposed TS 3.3.8.3 specifies the requirements for ECCS Preferred Pump Logic for Units 1 and 2. Unit 3 does not utilize ECCS Preferred Pump Logic so the proposed TS 3.3.8.3 for Unit 3 does not address ECCS Preferred Pump Logic. The ECCS Preferred Pump Logic analysis for Page E-20 of 28

BFN Units 1 and 2 ECCS Instrumentation, reflected in BWR Owners Group (BWROG)

Topical Report NEDC-30936P-A, Parts 1 and 2 (References 17 and 18, respectively),

was not applied to the ECCS Preferred Pump Logic. Therefore, the current ECCS-LOCA analysis of record does not support the BFN Units 1 and 2 ECCS Preferred Pump Logic. A PRA evaluation (Reference 19) was previously performed to maintain the current completion time, mode applicability, and surveillance requirement times for the ECCS Preferred Pump Logic.

The ECCS Preferred Pump Logic prevents the combined Units 1 and 2 ECCS Pumps from overloading the 4kV shutdown boards and their associated DGs on a loss of offsite power. This is necessary because the Units 1 and 2 ECCS pumps are powered from the same 4-kV shutdown board. During an accident, the ECCS Preferred Pump Logic would assign the Unit 1 ECCS pumps to the Division I 4kV shutdown boards and the Unit 2 ECCS pumps to the Division II 4kV shutdown boards. This action would ensure that the shared Unit 1/2 4kV shutdown boards are not overloaded while still maintaining the minimum number of required ECCS injection subsystems.

4.4.3.3 Analysis The ECCS Preferred Pump Logic is required in the PRA only for initiating events involving:

Large or medium LOCAs Small LOCAs (including Inadvertently Open Relief Valves (IORV)) along with loss of High Pressure Coolant Injection (HPCI) and Reactor Core Isolation Cooling (RCIC)

Main steamline or feedwater line breaks outside of containment The initiating event must be concurrent with a simultaneous accident involving one of the above listed initiating events on the opposite unit, or a spurious accident signal from the opposite unit must occur in order for the ECCS Preferred Pump Logic to be required.

The probabilities for the concurrent initiating events in the opposite unit are based on a 365-day exposure rather than the seven day period of the ECCS Preferred Pump Logic Completion Time, so the CDF/LERF and ICCDP/ICLERP values presented below are conservative.

Other internal initiating events and external initiating events are not affected by the ECCS Preferred Pump Logic, because the above listed initiating events are the only initiators that activate the ECCS Preferred Pump Logic.

The effect of adding the ECCS Preferred Pump Logic was demonstrated in Reference 20, but since that time, the model of record has been updated. Because the model was updated before the incorporation of the ECCS Preferred Pump Logic Completion Time of seven days, this analysis was updated using the current PRA model of record. The current PRA MOR for BFN models the ECCS Preferred Pump Logic with a Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The probability of event ECCS_PPL_UA was updated to account for the Completion Time of seven days (i.e., 7/365 = 1.92E-2).

The current MOR does not model the CAS or Unit Priority Re-Trip Logic explicitly, but the model does take into account the effect of what would occur should there be a a CAS or Unit Priority Re-Trip failure. Accident signals are modeled under the appropriate Page E-21 of 28

ECCS pump. The model includes a sequencer under each of the diesels and a breaker failure-to-trip event is used for load-shedding. These, along with the ECCS Preferred Pump Logic modifications, model the appropriate failure mechanisms that the plant would experience given a failure of the CAS or Unit Priority Re-Trip Logic.

4.4.3.4 Results As discussed in Reference 20, the inclusion of ECCS Preferred Pump Logic into the PRA model has no adverse impact on CDF and LERF. The failure of the RHR and Core Spray pumps due to failure of the ECCS Preferred Pump Logic has no adverse impact on CDF and LERF. The following table shows the impact due to including ECCS Preferred Pump Logic failures to the model which was modified as discussed in the previous section.

Table 1: Change in CDF/LERF for ECCS Preferred Pump Logic Failures CDF/LERF per year (Baseline Model Plus Parameter Baseline CDF/LERF per year ECCS PPL Failures) Change Unit 1 CDF 6.06E-06 6.06E-06 negligible Unit 2 CDF 5.25E-06 5.25E-06 negligible Unit 1 LERF 1.07E-06 1.07E-06 negligible Unit 2 LERF 1.02E-06 1.02E-06 negligible Note that Unit 3 does not utilize ECCS Preferred Pump Logic so no ECCS Preferred Pump Logic-related changes were made to the Unit 3 model.

The CDF and LERF for both Unit 1 and Unit 2 are negligible. To calculate the ICCDP and ICLERP values, the CDF and LERF are multiplied by the proposed Completion Time of seven days (7*(24/8760)=1.92E-2) the results are also negligible.

This result falls below the criteria for a small change recommended by RG 1.177 of 1E-6 for ICCDP and 1E-7 for ICLERP. This also falls within the criteria recommended by RG 1.174 for a very small risk increase for both CDF (less than 1E-6/yr) and LERF (less than 1E-7/yr).

4.4.3.5 External Events Because the ECCS Preferred Pump Logic is only initiated by small and medium LOCAs, large LOCAs involving loss of HPCI and RCIC, and main steamline or feedwater breaks outside of containment, external events are not affected by the ECCS Preferred Pump Logic.

Fire The ECCS Preferred Pump Logic was designed to prevent DG overload due to LOCA ECCS initiation on Units 1 and 2 simultaneously. Therefore, this system will provide little to no benefit during a fire event and spurious operation could complicate fire impacts mitigation by tripping unaffected systems in the safe shutdown path. BFN is currently transitioning to NFPA 805 and is developing a full Fire PRA. However, this PRA model Page E-22 of 28

does not represent the currently as-operated plant. The current BFN IPEEE (Reference 21) evaluates the impacts of fires at BFN. The ECCS Preferred Pump Logic is not currently credited in the IPEEE, therefore, the inclusion of a seven day Completion Time for the ECCS Preferred Pump Logic has no quantifiable impact on the fire risk for BFN. Additionally, the approved revision to the transition Fire PRA model was also reviewed.

Fire scenarios were examined using the BFN fire PRA FRANX model (Reference 22).

The fire model considers spurious operation of the ECCS Preferred Pump Logic, but not unavailability. Adding unavailability to the fire logic could potentially remove the spurious operation of the ECCS Preferred Pump Logic, which would actually decrease total CDF/LERF.

Seismic The BFN Seismic IPEEE reports (References 23 and 24) used a seismic margins analysis, and therefore did not calculate an earthquake-induced CDF or LERF. The reports concluded that the BFN High Confidence of Low Probability of Failure (HCLPF) earthquake is at least as great as the 0.30g review level earthquake for Unit 1 and at least 0.26g for Units 2 and 3.

The BFN design basis safe shutdown earthquake (SSE) is 0.20g. The mean annual frequency of exceedance for a SSE at BFN is 5.26E-5 (Reference 25). The probability of an SSE occurring during the seven day (7*(24/8760)= 0.0192 years) period of the proposed ECCS Preferred Pump Logic Completion Time can be determined from the equation:

P = 1 - e-t Therefore, P(SSE in seven days) = 1 - exp(-5.26E-5)(0.0192) = 1.01E-6.

There is a very small probability of having an SSE concurrent with the ECCS Preferred Pump Logic being out of service, which is:

(probability that ECCS Preferred Pump Logic is out of service) * (probability of a safe-shutdown level earthquake in seven days), or 1.92E-2

  • 1.01E-6 = 1.94E-8 High Winds/Tornadoes The BFN IPEEE (Reference 21) did not calculate a CDF or LERF due to high winds/tornadoes. The BFN IPEEE Analysis concluded that the CDF from high winds was judged to be less than 1E-6/yr.

4.4.4 Conclusion of Plant-Specific Risk Assessment Results Based on the results of this evaluation, The risk of changing the Completion Time for the ECCS Preferred Pump Logic from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to seven days, and maintaining the current STIs as the current STI for the rest of the ECCS Instrumentation in the TS is acceptable.

Page E-23 of 28

5.0 REGULATORY EVALUATION

5.1 Applicable Regulatory Requirements and Criteria The NRC's regulatory requirements related to the content of the TSs are contained in 10 CFR 50.36. The TS requirements in 10 CFR 50.36 include the following categories:

(1) safety limits, limiting safety systems settings, and control settings; (2) LCO; (3) surveillance requirements; (4) design features; and (5) administrative controls.

A TS LCO of a nuclear reactor must be established for each item meeting one or more of the following criteria:

Criterion 1: Installed instrumentation that is used to detect, and indicate in the control room, a significant abnormal degradation of the reactor coolant pressure boundary.

Criterion 2: A process variable, design feature, or operating restriction that is an initial condition of a design basis accident or transient analysis that either assumes the failure of or presents a challenge to the integrity of a fission product barrier.

Criterion 3: A structure, system, or component that is part of the primary success path and which functions or actuates to mitigate a design basis accident or transient that either assumes the failure of or presents a challenge to the integrity of a fission product barrier.

Criterion 4: A structure, system, or component which operating experience or probabilistic risk assessment has shown to be significant to public health and safety.

The proposed changes clarify and relocate the requirements currently addressed in the BFN TS governing the safety functions for the ECCS Preferred Pump Logic (BFN, Units 1 and 2 only), Common Accident Signal Logic, and the Unit Priority Re-Trip Logic.

Requirements are neither added or deleted. The proposed TS 3.3.8.3 continues to provide LCO, Required Actions and Completion Times, and Surveillance Requirements for ECCS Preferred Pump Logic (BFN, Units 1 and 2 only), Common Accident Signal Logic, and the Unit Priority Re-Trip Logic.

5.2 Precedent TVA has not identified a suitable precedent for this proposed change.

5.3 Significant Hazard Consideration The Tennessee Valley Authority (TVA) proposes to revise the current licensing basis of Renewed Facility Operating License Nos. DPR-33, DPR-52, and DPR-68 for Browns Ferry Nuclear Plant (BFN) Units 1, 2, and 3, respectively. The proposed change Revises the Technical Specifications (TS) for BFN, Units 1, 2, and 3, by adding a new Specification (i.e., TS 3.3.8.3) to consolidate the requirements governing the safety functions for the Emergency Core Cooling System (ECCS) Preferred Pump Logic (BFN, Units 1 and 2 only), Common Accident Signal Logic, and the Unit Priority Re-Trip Logic.

Page E-24 of 28

The proposed change relocates the existing requirements for the Common Accident Signal Logic from BFN, Units 1, 2, and 3, TS 3.8.1, "AC Sources - Operating," to the proposed TS 3.3.8.3. In addition, TS 3.3.5.1, "Emergency Core Cooling System (ECCS)

Instrumentation, Table 3.3.5.1-1 is revised to incorporate references to the proposed TS 3.3.8.3.

TVA has concluded that the proposed changes to the BFN, Units 1, 2, and 3 TS do not involve a significant hazards consideration. TVAs conclusion is based on its evaluation in accordance with 10 CFR 50.91(a)(1) of the three standards set forth in 10 CFR 50.92, "Issuance of Amendment," as discussed below:

1. Does the proposed amendment involve a significant increase in the probability or consequence of an accident previously evaluated?

Response: No.

The proposed changes relocate and clarify the requirements currently addressed in the BFN TS governing the safety functions for the ECCS Preferred Pump Logic (BFN, Units 1 and 2 only), Common Accident Signal Logic, and the Unit Priority Re-Trip Logic. Requirements are neither added nor deleted. The proposed TS 3.3.8.3 continues to provide LCO, Required Actions and Completion Times, and Surveillance Requirements for ECCS Preferred Pump Logic (BFN, Units 1 and 2 only), Common Accident Signal Logic, and the Unit Priority Re-Trip Logic. A TVA risk assessment has determined that the risk of changing the Completion Time for the ECCS Preferred Pump Logic from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to seven days, and maintaining the current Surveillance Test Intervals as the current Surveillance Test Interval for the rest of the ECCS Instrumentation in the technical specifications is acceptable. Because the proposed changes do not require modification of the plant or change the way the logic systems are used, the proposed changes do not affect the current LOCA analysis of record.

Based on the above discussions, the proposed changes do not involve an increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed amendment create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed changes relocate and clarify the requirements currently addressed in the BFN TS governing the safety functions for the ECCS Preferred Pump Logic (BFN, Units 1 and 2 only), Common Accident Signal Logic, and the Unit Priority Re-Trip Logic. Requirements are neither added nor deleted. The proposed TS 3.3.8.3 continues to provide LCO, Required Actions and Completion Times, and Surveillance Requirements for ECCS Preferred Pump Logic (BFN, Units 1 and 2 only), Common Accident Signal Logic, and the Unit Priority Re-Trip Logic. The proposed changes result in no physical change to the plant configuration or method of operation.

Therefore, the proposed changes do not create the possibility of a new or different kind of accident from any accident previously evaluated.

Page E-25 of 28

3. Does the proposed amendment involve a significant reduction in a margin of safety?

Response: No.

The proposed changes relocate and clarify the requirements currently addressed in the BFN TS governing the safety functions for the ECCS Preferred Pump Logic (BFN, Units 1 and 2 only), Common Accident Signal Logic, and the Unit Priority Re-Trip Logic. Requirements are neither added nor deleted. The proposed TS 3.3.8.3 continues to provide LCO, Required Actions and Completion Times, and Surveillance Requirements for ECCS Preferred Pump Logic (BFN, Units 1 and 2 only), Common Accident Signal Logic, and the Unit Priority Re-Trip Logic. A TVA risk assessment has determined that the risk of changing the Completion Time for the ECCS Preferred Pump Logic from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to seven days, and maintaining the current Surveillance Test Intervals as the current Surveillance Test Interval for the rest of the ECCS Instrumentation in the technical specifications is acceptable.

Accordingly, the proposed changes do not involve a significant reduction in a margin of safety.

5.4 Conclusions In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commissions regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

6.0 ENVIRONMENTAL CONSIDERATION

A review has determined that the proposed amendment would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20. However, the proposed amendment does not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluents that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the proposed amendment meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendment.

Page E-26 of 28

7.0 REFERENCES

1. "Safety Evaluation of the Tennessee Valley Authority Browns Ferry Nuclear Plant Units 1, 2, 3," dated June 26, 1972.
2. "Supplement No. 1 to the Safety Evaluation by the Directorate of Licensing U. S.

Atomic Energy Commission in the Matter of Tennessee Valley Authority Browns Ferry Nuclear Plant Units 1, 2 and 3 Docket Nos. 50-259, 260 and 296," dated December 21, 1972.

3. "Supplement No. 4 to the Safety Evaluation by the Directorate of Licensing U. S.

Atomic Energy Commission in the Matter of Tennessee Valley Authority Browns Ferry Nuclear Plant Units 1, 2 and 3 Docket Nos. 50-259, 260 and 296," dated September 10, 1973.

4. TVA letter to NRC, "Browns Ferry Nuclear Plant (BFN) - Units 1, 2 and 3 - License Amendments and Technical Specification Changes - Revision in the Number of Emergency Core Cooling Systems Required in Response to a Loss of Coolant Accident (TS-424)," dated April 11, 2003 (ADAMS Accession No. ML031050093).
5. NRC Letter to TVA, "Browns Ferry Nuclear Plant, Units 1, 2 and 3 - Issuance of Amendments Regarding the Emergency Core Cooling Systems (TAC Nos. MB8423, MB8424 AND MB8425) (TS-424)," dated April 1, 2004 (ADAMS Accession No. ML040710126).
6. Regulatory Guide 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, Revision1, dated May 2011 (ADAMS Accession No. ML100910008).
7. Regulatory Guide 1.174, An Approach For Using Probabilistic Risk Assessment In Risk-Informed Decisions On Plant-Specific Changes To The Licensing Basis, Revision 2, dated May 2011 (ADAMS Accession No. ML100910006).
8. NRC Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 2, dated March 2009 (ADAMS Accession No. ML090410014).
9. Browns Ferry Units 1,2,3 PRA Peer Review Report Using ASME PRA Standard Requirements, dated May 2009.
10. Internal Flood PRA Peer Review for Browns Ferry Nuclear Plant, ABS Consulting, dated October 2009.
11. American Society of Mechanical Engineers/American National Standard (ASME/ANS) RA-Sa-2009, Addenda to ASME/ANS RA-S-2008, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, dated February 2009.
12. NDN-000-999-2010-0001, Revision 6, BFN Probabilistic Risk Assessment -

Summary Notebook.

Page E-27 of 28

13. NDN-000-999-2007-0033, Revision 7, DA.01 - BFN Probabilistic Risk Assessment -

Data Analysis.

14. NDN-000-999-2007-0031, Revision 0, IF-BFN Probabilistic Risk Assessment-Internal Flooding Analysis.
15. NDN-000-999-2007-0041, Revision 5, QU-BFN Probabilistic Risk Assessment-Quantification.
16. Letter from TVA to NRC, "License Amendment Request to Adopt NFPA 805 Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants (2001 Edition) (Technical Specification Change TS-480)," dated March 27, 2013 (ADAMS Accession No. ML13092A393).
17. BWR Owners Group (BWROG) Topical Report NEDC-30936P, BWR Owners Group Technical Specification Improvement Methodology (with Demonstration for BWR ECCS Actuation Instrumentation), Part 1, dated November 1985.
18. BWROG Topical Report NEDC-30936P, BWR Owners Group Technical Specification Improvement Methodology (with Demonstration for BWR ECCS Actuation Instrumentation), Part 2, dated February 1987.
19. PRA Evaluation Response BFN-0-14-004, Revision 0, Plant Specific Risk Assessment for ECCS Preferred Pump Logic, dated January 17, 2014 (EDMS B45 140113 004).
20. PRA Evaluation Response BFN-0-14-042, Revision 2, Risk Evaluation to determine the effects of including ECCS Preferred Pump Logic, dated May 7, 2015 (EDMS B45 150507 002).
21. R08 950724 976, Revision 0, Browns Ferry Nuclear Plant Individual Plant Examination For External Events (IPEEE).
22. NDN0009992012000096, Revision 5, BFN Fire Probabilistic Risk Assessment -

Summary Document.

23. W87 041014 001, TVA/BFN-01-R-005, Revision 0, Browns Ferry Nuclear Plant Unit 1 Seismic IPEEE Report.
24. R92 960624 851, Revision 0, Seismic IPEEE Report Browns Ferry Nuclear Plant.
25. Seismic Hazard Results Using USGS 2008 Seismic Source Model- Bellefonte, Browns Ferry, Sequoyah and Watts Bar Nuclear Sites, EPRI, dated October 2011.

Page E-28 of 28

ATTACHMENT 1 Proposed Technical Specifications Pages (Markups) for BFN, Units 1, 2 and 3 (38 pages including cover sheet)

Proposed Technical Specifications Pages (Markups) for BFN, Unit 1 (13 pages including cover sheet)

BROWNS FERRY NUCLEAR PLANT TECHNICAL SPECIFICATIONS (REQUIREMENTS)

TABLE OF CONTENTS (continued)

Section Page No.

3.3 INSTRUMENTATION ................................................................ 3.3-1 3.3.1.1 Reactor Protection System (RPS) Instrumentation .............. 3.3-1 3.3.1.2 Source Range Monitor (SRM) Instrumentation .................... 3.3-9 3.3.2.1 Control Rod Block Instrumentation ...................................... 3.3-15 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation........................................................ 3.3-21 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation................. 3.3-23 3.3.3.2 Backup Control System........................................................ 3.3-27 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT)

Instrumentation ............................................................... 3.3-29 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation ....................... 3.3-32 3.3.5.1 Emergency Core Cooling System (ECCS)

Instrumentation ............................................................... 3.3-35 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation ............................................................... 3.3-48 3.3.6.1 Primary Containment Isolation Instrumentation ................... 3.3-52 3.3.6.2 Secondary Containment Isolation Instrumentation .............. 3.3-61 3.3.7.1 Control Room Emergency Ventilation (CREV)

System Instrumentation .................................................. 3.3-65 3.3.8.1 Loss of Power (LOP) Instrumentation .................................. 3.3-70 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring ....................................................................... 3.3-75 3.4 REACTOR COOLANT SYSTEM (RCS) .................................... 3.4-1 3.4.1 Recirculation Loops Operating............................................. 3.4-1 3.4.2 Jet Pumps ............................................................................ 3.4-5 3.4.3 Safety/Relief Valves (S/RVs) ............................................... 3.4-7 3.4.4 RCS Operational LEAKAGE ................................................ 3.4-9 3.4.5 RCS Leakage Detection Instrumentation ............................. 3.4-12 3.4.6 RCS Specific Activity............................................................ 3.4-15 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown .................................................. 3.4-18 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic.................3.3-78 (continued)

BFN-UNIT 1 ii Amendment No. 234

ECCS Instrumentation 3.3.5.1 Table 3.3.5.1-1 (page 1 of 6)

Emergency Core Cooling System Instrumentation APPLICABLE CONDITIONS MODES REQUIRED REFERENCED FUNCTION OR OTHER CHANNELS FROM SURVEILLANCE ALLOWABLE SPECIFIED PER REQUIRED REQUIREMENTS VALUE CONDITIONS FUNCTION ACTION A.1

1. Core Spray System
a. Reactor Vessel Water 1,2,3, 4(b) B SR 3.3.5.1.1 398 inches Level - Low Low Low, 4(a), 5(a) SR 3.3.5.1.2 above vessel Level 1(e) SR 3.3.5.1.5 zero SR 3.3.5.1.6
b. Drywell Pressure - 1,2,3 4(b) B SR 3.3.5.1.2 2.5 psig High(e) SR 3.3.5.1.5 SR 3.3.5.1.6
c. Reactor Steam Dome 1,2,3 4(b) C SR 3.3.5.1.2 435 psig Pressure - Low (Injection 2 per trip SR 3.3.5.1.4 and Permissive and ECCS system SR 3.3.5.1.6 465 psig Initiation)(e) 4(a), 5(a) 4 B SR 3.3.5.1.2 435 psig 2 per trip SR 3.3.5.1.4 and ECCS Preferred system SR 3.3.5.1.6 465 psig Pump Logic and
d. Core Spray Pump 1,2,3, 2 E SR 3.3.5.1.2 1647 gpm Common SR 3.3.5.1.5 Discharge Flow - Low 4(a), 5(a) 1 per and Accident Signal (Bypass) subsystem 2910 gpm Logic. Refer to e. Core Spray Pump Start -

LCO 3.3.8.3, Time Delay Relay "Emergency Pumps A,B,C,D (with 1,2,3, 4 C SR 3.3.5.1.5 6 seconds Core Cooling diesel power) 4(a), 5(a) 1 per pump SR 3.3.5.1.6 and System (ECCS) 8 seconds Preferred Pump, Pump A (with normal 1,2,3, 1 C SR 3.3.5.1.5 0 seconds Common power) 4(a), 5(a) SR 3.3.5.1.6 and Accident Signal 1 second (CAS), and Unit Pump B (with normal 1,2,3, 1 C SR 3.3.5.1.5 6 seconds Priority Re-Trip power) 4(a), 5(a) SR 3.3.5.1.6 and 8 seconds Logic."

(continued)

(a) When associated subsystem(s) are required to be OPERABLE.

(b) Channels affect Common Accident Signal Logic. Refer to LCO 3.8.1, "AC Sources - Operating."

(e) During instrument calibrations, if the As Found channel setpoint is conservative with respect to the Allowable Value but outside its acceptable As Found band as defined by its associated Surveillance Requirement procedure, then there shall be an initial determination to ensure confidence that the channel can perform as required before returning the channel to service in accordance with the Surveillance. If the As Found instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.

Prior to returning a channel to service, the instrument channel setpoint shall be calibrated to a value that is within the acceptable As Left tolerance of the setpoint; otherwise, the channel shall be declared inoperable.

The nominal Trip Setpoint shall be specified on design output documentation which is incorporated by reference in the Updated Final Safety Analysis Report. The methodology used to determine the nominal Trip Setpoint, the predefined As Found Tolerance, and the As Left Tolerance band, and a listing of the setpoint design output documentation shall be specified in Chapter 7 of the Updated Final Safety Analysis Report.

BFN-UNIT 1 3.3-42 Amendment No. 234, 257 September 14, 2006

ECCS Instrumentation 3.3.5.1 Table 3.3.5.1-1 (page 2 of 6)

Emergency Core Cooling System Instrumentation APPLICABLE CONDITIONS MODES REQUIRED REFERENCED FUNCTION OR OTHER CHANNELS FROM SURVEILLANCE ALLOWABLE SPECIFIED PER REQUIRED REQUIREMENTS VALUE CONDITIONS FUNCTION ACTION A.1

1. Core Spray System (continued)
e. Core Spray Pump Start -

Time Delay Relay (continued)

Pump C (with normal power) 1,2,3, 1 C SR 3.3.5.1.5 12 seconds 4(a), 5(a) SR 3.3.5.1.6 and 16 seconds Pump D (with normal power) 1,2,3, 1 C SR 3.3.5.1.5 18 seconds 4(a), 5(a) SR 3.3.5.1.6 and 24 seconds

2. Low Pressure Coolant Injection (LPCI) System
a. Reactor Vessel Water Level 1,2,3, 4 B SR 3.3.5.1.1 398 inches

- Low Low Low, Level 1(e) 4(a), 5(a) SR 3.3.5.1.2 above vessel SR 3.3.5.1.5 zero (f) SR 3.3.5.1.6

b. Drywell Pressure - High(e) 1,2,3 4 B SR 3.3.5.1.2 2.5 psig SR 3.3.5.1.5 SR 3.3.5.1.6
c. Reactor Steam Dome 1,2,3 4 C SR 3.3.5.1.2 435 psig Pressure - Low (Injection SR 3.3.5.1.4 and (f) Channels Permissive and ECCS SR 3.3.5.1.6 465 psig affect ECCS Initiation)(e)

Preferred 4(a), 5(a) 4 B SR 3.3.5.1.2 435 psig SR 3.3.5.1.4 and Pump Logic SR 3.3.5.1.6 465 psig and Unit (continued)

Priority Re- (a) When associated subsystem(s) are required to be OPERABLE.

trip Logic.

Refer to LCO (b) Deleted.

3.3.8.3, (e) During instrument calibrations, if the As Found channel setpoint is conservative with respect to the Allowable Value but outside its "Emergency acceptable As Found band as defined by its associated Surveillance Requirement procedure, then there shall be an initial Core Cooling determination to ensure confidence that the channel can perform as required before returning the channel to service in accordance with the Surveillance. If the As Found instrument channel setpoint is not conservative with respect to the Allowable System Value, the channel shall be declared inoperable.

(ECCS)

Prior to returning a channel to service, the instrument channel setpoint shall be calibrated to a value that is within the acceptable Preferred As Left tolerance of the setpoint; otherwise, the channel shall be declared inoperable.

Pump, Common The nominal Trip Setpoint shall be specified on design output documentation which is incorporated by reference in the Updated Final Safety Analysis Report. The methodology used to determine the nominal Trip Setpoint, the predefined As Found Tolerance, Accident and the As Left Tolerance band, and a listing of the setpoint design output documentation shall be specified in Chapter 7 of the Signal (CAS), Updated Final Safety Analysis Report.

and Unit Priority Re-Trip Logic."

BFN-UNIT 1 3.3-43 Amendment No. 234, 257 September 14, 2006

<TS 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 3.3 INSTRUMENTATION 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic LCO 3.3.8.3 The logic systems for each FUNCTION in Table 3.3.8.3-1 shall be OPERABLE.

APPLICABILITY: According to Table 3.3.8.3-1.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One or more required A.1 Restore ECCS Preferred 7 days ECCS Preferred Pump Pump Logic division to Logic divisions OPERABLE.

inoperable.

B. One CAS Logic division B.1 Restore logic division to 7 days inoperable. OPERABLE status.

C. One Unit Priority Re-Trip C.1 Restore logic division to 7 days Logic division OPERABLE status.

inoperable.

D. Required Action and D.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> associated Completion Time of Condition A, B, AND or C not met in MODE 1, 2, or 3. D.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> (continued)

BFN-Unit 1 3.3-78

<TS 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME E. Required Action and E.1 ------------NOTE-------------- Immediately associated Completion Only applicable in MODE 4 Time of Condition A not and 5.

met in MODE 4 or 5 with -----------------------------------

Unit 2 in MODE 1, 2, or 3. Declare associated ECCS components inoperable.

F. Two divisions of CAS F.1 Enter LCO 3.0.3. Immediately Logic inoperable.

OR Two divisions of Unit Priority Re-Trip Logic inoperable.

BFN-Unit 1 3.3-79

<TS 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.8.3.1 -----------------------------NOTES-----------------------------

1. When a division is placed in an inoperable status solely for performance of required Surveillance, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated redundant division is OPERABLE.
2. Breakers associated with Unit 2 are not required 24 months to actuate for proper completion of this Surveillance.

Perform LOGIC SYSTEM FUNCTIONAL TEST including breaker actuation.

BFN-Unit 1 3.3-80

<TS 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 Table 3.3.8.3-1 (page 1 of 1)

Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS),

and Unit Priority Re-Trip Logic APPLICABLE MODES OR OTHER SPECIFIED FUNCTION CONDITIONS REQUIRED DIVISIONS

1. ECCS Preferred Pump 1,2,3 2 Logic 4(a),5(a) (b)
2. CAS Logic 1,2,3 2
3. Unit Priority Re-Trip Logic 1,2,3 2 (a) When associated RHR or Core Spray pumps are required to be OPERABLE, or are in operation, and Unit 2 is in MODE 1, 2, or 3.

(b) The number of Required Divisions is dependent on the configuration of the RHR or Core Spray pumps required to be OPERABLE, or are in operation.

BFN-Unit 1 3.3-81

AC Sources - Operating 3.8.1 3.8 ELECTRICAL POWER SYSTEMS 3.8.1 AC Sources - Operating LCO 3.8.1 The following AC electrical power sources shall be OPERABLE:

a. Two qualified circuits between the offsite transmission network and the onsite Class 1E AC Electrical Power Distribution System;
b. Unit 1 and 2 diesel generators (DGs) with two divisions of 480 V load shed logic and common accident signal logic OPERABLE; and
c. Unit 3 DG(s) capable of supplying the Unit 3 4.16 kV shutdown board(s) required by LCO 3.8.7, "Distribution Systems -

Operating."

APPLICABILITY: MODES 1, 2, and 3.

ACTIONS

NOTE---------------------------------------------------

LCO 3.0.4.b is not applicable to DGs.

CONDITION REQUIRED ACTION COMPLETION TIME A. One required offsite A.1 Verify power availability 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> circuit inoperable. from the remaining OPERABLE offsite AND transmission network.

Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter AND (continued)

BFN-UNIT 1 3.8-1 Amendment No. 234, 249 December 1, 2003

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME C. One division of 480 V C.1 Restore required division 7 days load shed logic of 480 V load shed logic inoperable. to OPERABLE status.

D. One division of common D.1 Restore required division 7 days accident signal logic of common accident inoperable. signal logic to OPERABLE status.

E. Two required offsite E.1 Declare required 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from D circuits inoperable. feature(s) inoperable discovery of when the redundant Condition E D required feature(s) are concurrent with inoperable. inoperability of redundant required feature(s)

AND E.2 Restore one required 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> offsite circuit to OPERABLE status.

(continued)

BFN-UNIT 1 3.8-4 Amendment No. 234

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME

NOTE------------- -------------------NOTE----------------

Only applicable when more Enter applicable Conditions and than one 4.16 kV shutdown Required Actions of LCO 3.8.7, E

board is affected. "Distribution Systems -

Operating," when Condition F is entered with no AC power source F. One required offsite to any 4.16 kV shutdown board.

circuit inoperable. --------------------------------------------

AND F.1 Restore required offsite 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> E circuit to OPERABLE One Unit 1 and 2 DG status.

inoperable.

OR F.2 Restore Unit 1 and 2 DG 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to OPERABLE status.

NOTE-------------

Applicable when only one 4.16 kV shutdown board is affected.

G. One required offsite G.1 Declare the affected Immediately circuit inoperable. 4.16 kV shutdown board inoperable.

F AND One Unit 1 and 2 DG inoperable.

(continued)

BFN-UNIT 1 3.8-5 Amendment No. 234

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION G TIME H. Two or more Unit 1 H.1 Restore all but one Unit 1 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and 2 DGs and 2 DG to OPERABLE inoperable. status.

H I. Required Action and I.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Associated Completion Time of AND H Condition A, B, C, D, E, F, or H not met. I.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> G

I J. One or more required J.1 Enter LCO 3.0.3. Immediately offsite circuits and two or more Unit 1 and 2 DGs I inoperable.

OR Two required offsite circuits and one or more Unit 1 and 2 DGs inoperable.

OR Two divisions of 480 V load shed logic inoperable.

OR Two divisions of common accident signal logic inoperable.

(continued)

BFN-UNIT 1 3.8-6 Amendment No. 234

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME K. One or more required K.1 Declare required 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from Unit 3 DGs feature(s) supported by discovery of J inoperable. the inoperable Unit 3 DG Condition K inoperable when the concurrent with redundant required inoperability of J feature(s) are inoperable. redundant required feature(s)

AND K.2 Declare affected SGT and 30 days CREVs subsystem(s) inoperable.

BFN-UNIT 1 3.8-7 Amendment No. 234

Proposed Technical Specifications Pages (Markups) for BFN, Unit 2 (13 pages including cover sheet)

BROWNS FERRY NUCLEAR PLANT TECHNICAL SPECIFICATIONS (REQUIREMENTS)

TABLE OF CONTENTS (continued)

Section Page No.

3.3 INSTRUMENTATION ............................................................... 3.3-1 3.3.1.1 Reactor Protection System (RPS) Instrumentation ............. 3.3-1 3.3.1.2 Source Range Monitor (SRM) Instrumentation ................... 3.3-10 3.3.2.1 Control Rod Block Instrumentation ..................................... 3.3-16 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation ....................................................... 3.3-22 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation ............... 3.3-24 3.3.3.2 Backup Control System ...................................................... 3.3-28 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT)

Instrumentation .............................................................. 3.3-30 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation ...................... 3.3-33 3.3.5.1 Emergency Core Cooling System (ECCS)

Instrumentation .............................................................. 3.3-36 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation .............................................................. 3.3-49 3.3.6.1 Primary Containment Isolation Instrumentation .................. 3.3-53 3.3.6.2 Secondary Containment Isolation Instrumentation ............. 3.3-62 3.3.7.1 Control Room Emergency Ventilation (CREV)

System Instrumentation ................................................. 3.3-66 3.3.8.1 Loss of Power (LOP) Instrumentation ................................. 3.3-71 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring ...................................................................... 3.3-76 3.4 REACTOR COOLANT SYSTEM (RCS) ................................... 3.4-1 3.4.1 Recirculation Loops Operating ............................................ 3.4-1 3.4.2 Jet Pumps ........................................................................... 3.4-5 3.4.3 Safety/Relief Valves (S/RVs) .............................................. 3.4-7 3.4.4 RCS Operational LEAKAGE ............................................... 3.4-9 3.4.5 RCS Leakage Detection Instrumentation ............................ 3.4-12 3.4.6 RCS Specific Activity .......................................................... 3.4-15 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown ................................................. 3.4-18 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic.................3.3-80 (continued)

BFN-UNIT 2 ii Amendment No. 253

ECCS Instrumentation 3.3.5.1 Table 3.3.5.1-1 (page 1 of 6)

Emergency Core Cooling System Instrumentation APPLICABLE CONDITIONS MODES REQUIRED REFERENCED FUNCTION OR OTHER CHANNELS FROM SURVEILLANCE ALLOWABLE SPECIFIED PER REQUIRED REQUIREMENTS VALUE CONDITIONS FUNCTION ACTION A.1

1. Core Spray System
a. Reactor Vessel Water 1,2,3, 4(b) B SR 3.3.5.1.1 t 398 inches Level - Low Low Low, 4(a), 5(a) SR 3.3.5.1.2 above vessel Level 1(e) SR 3.3.5.1.5 zero SR 3.3.5.1.6
b. Drywell Pressure - 1,2,3 4(b) B SR 3.3.5.1.2 d 2.5 psig High(e) SR 3.3.5.1.5 SR 3.3.5.1.6
c. Reactor Steam Dome 1,2,3 4(b) C SR 3.3.5.1.2 t 435 psig Pressure - Low (Injection 2 per trip SR 3.3.5.1.4 and Permissive and ECCS system SR 3.3.5.1.6 d 465 psig Initiation)(e) 4(a), 5(a) 4 B SR 3.3.5.1.2 t 435 psig 2 per trip SR 3.3.5.1.4 and ECCS Preferred system SR 3.3.5.1.6 d 465 psig Pump Logic and d. Core Spray Pump 1,2,3, 2 E SR 3.3.5.1.2 t 1647 gpm Common Discharge Flow - Low 4(a), 5(a) 1 per SR 3.3.5.1.5 and (Bypass) subsystem d 2910 gpm Accident Signal Logic. Refer to e. Core Spray Pump Start -

Time Delay Relay LCO 3.3.8.3, "Emergency Pumps A,B,C,D (with 1,2,3, 4 C SR 3.3.5.1.5 t 6 seconds Core Cooling diesel power) 4(a), 5(a) 1 per pump SR 3.3.5.1.6 and d 8 seconds System (ECCS)

Preferred Pump, Pump A (with normal 1,2,3, 1 C SR 3.3.5.1.5 t 0 seconds power) 4(a), 5(a) SR 3.3.5.1.6 and Common d 1 second Accident Signal (CAS), and Unit Pump B (with normal 1,2,3, 1 C SR 3.3.5.1.5 t 6 seconds power) 4 , 5(a)

(a) SR 3.3.5.1.6 and Priority Re-Trip d 8 seconds Logic."

(continued)

(a) When associated subsystem(s) are required to be OPERABLE.

(b) Channels affect Common Accident Signal Logic. Refer to LCO 3.8.1, "AC Sources - Operating."

(e) During instrument calibrations, if the As Found channel setpoint is conservative with respect to the Allowable Value but outside its acceptable As Found band as defined by its associated Surveillance Requirement procedure, then there shall be an initial determination to ensure confidence that the channel can perform as required before returning the channel to service in accordance with the Surveillance. If the As Found instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.

Prior to returning a channel to service, the instrument channel setpoint shall be calibrated to a value that is within the acceptable As Left tolerance of the setpoint; otherwise, the channel shall be declared inoperable.

The nominal Trip Setpoint shall be specified on design output documentation which is incorporated by reference in the Updated Final Safety Analysis Report. The methodology used to determine the nominal Trip Setpoint, the predefined As Found Tolerance, and the As Left Tolerance band, and a listing of the setpoint design output documentation shall be specified in Chapter 7 of the Updated Final Safety Analysis Report.

BFN-UNIT 2 3.3-44 Amendment No. 253, 296 September 14, 2006

ECCS Instrumentation 3.3.5.1 Table 3.3.5.1-1 (page 2 of 6)

Emergency Core Cooling System Instrumentation APPLICABLE CONDITIONS MODES REQUIRED REFERENCED FUNCTION OR OTHER CHANNELS FROM SURVEILLANCE ALLOWABLE SPECIFIED PER REQUIRED REQUIREMENTS VALUE CONDITIONS FUNCTION ACTION A.1

1. Core Spray System (continued)
e. Core Spray Pump Start -

Time Delay Relay (continued)

Pump C (with normal power) 1,2,3, 1 C SR 3.3.5.1.5 t 12 seconds 4(a), 5(a) SR 3.3.5.1.6 and d 16 seconds Pump D (with normal power) 1,2,3, 1 C SR 3.3.5.1.5 t 18 seconds 4(a), 5(a) SR 3.3.5.1.6 and d 24 seconds

2. Low Pressure Coolant Injection (LPCI) System
a. Reactor Vessel Water Level - 1,2,3, 4 B SR 3.3.5.1.1 t 398 inches Low Low Low, Level 1(e) 4(a), 5(a) SR 3.3.5.1.2 above vessel SR 3.3.5.1.5 zero (f) SR 3.3.5.1.6
b. Drywell Pressure - High(e) 1,2,3 4 B SR 3.3.5.1.2 d 2.5 psig SR 3.3.5.1.5 SR 3.3.5.1.6
c. Reactor Steam Dome 1,2,3 4 C SR 3.3.5.1.2 t 435 psig and Pressure - Low (Injection SR 3.3.5.1.4 d 465 psig Permissive and ECCS SR 3.3.5.1.6 Initiation)(e) 4(a), 5(a) 4 B SR 3.3.5.1.2 t 435 psig and SR 3.3.5.1.4 d 465 psig SR 3.3.5.1.6 (continued)

(a) When associated subsystem(s) are required to be OPERABLE.

(b) Deleted.

(e) During instrument calibrations, if the As Found channel setpoint is conservative with respect to the Allowable Value but outside its acceptable As Found band as defined by its associated Surveillance Requirement procedure, then there shall be an initial determination to ensure confidence that the channel can perform as required before returning the channel to service in accordance with the Surveillance. If the As Found instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.

Prior to returning a channel to service, the instrument channel setpoint shall be calibrated to a value that is within the acceptable As Left tolerance of the setpoint; otherwise, the channel shall be declared inoperable.

The nominal Trip Setpoint shall be specified on design output documentation which is incorporated by reference in the Updated Final Safety Analysis Report. The methodology used to determine the nominal Trip Setpoint, the predefined As Found Tolerance, and the As Left Tolerance band, and a listing of the setpoint design output documentation shall be specified in Chapter 7 of the Updated Final Safety Analysis Report.

(f) Channels affect ECCS Preferred Pump Logic and Unit Priority Re-trip Logic.

Refer to LCO 3.3.8.3, "Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic."

BFN-UNIT 2 3.3-45 Amendment No. 253, 296 September 14, 2006

<TS 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 3.3 INSTRUMENTATION 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic LCO 3.3.8.3 The logic systems for each FUNCTION in Table 3.3.8.3-1 shall be OPERABLE.

APPLICABILITY: According to Table 3.3.8.3-1.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One or more required A.1 Restore ECCS Preferred 7 days ECCS Preferred Pump Pump Logic division to Logic divisions OPERABLE.

inoperable.

B. One CAS Logic division B.1 Restore logic division to 7 days inoperable. OPERABLE status.

C. One Unit Priority Re-Trip C.1 Restore logic division to 7 days Logic division OPERABLE status.

inoperable.

D. Required Action and D.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> associated Completion Time of Condition A, B, AND or C not met in MODE 1, 2, or 3. D.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> (continued)

BFN-Unit 2 3.3-80

<TS 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME E. Required Action and E.1 ------------NOTE-------------- Immediately associated Completion Only applicable in MODE 4 Time of Condition A not and 5.

met in MODE 4 or 5 with -----------------------------------

Unit 1 in MODE 1, 2, or 3. Declare associated ECCS components inoperable.

F. Two divisions of CAS F.1 Enter LCO 3.0.3. Immediately Logic Inoperable.

OR Two divisions of Unit Priority Re-Trip Logic inoperable.

BFN-Unit 2 3.3-81

<TS 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.8.3.1 -----------------------------NOTES-----------------------------

1. When a division is placed in an inoperable status solely for performance of required Surveillance, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated redundant division is OPERABLE.
2. Breakers associated with Unit 1 are not required 24 months to actuate for proper completion of this Surveillance.

Perform LOGIC SYSTEM FUNCTIONAL TEST including breaker actuation.

BFN-Unit 2 3.3-82

<TS 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 Table 3.3.8.3-1 (page 1 of 1)

Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS),

and Unit Priority Re-Trip Logic APPLICABLE MODES OR OTHER SPECIFIED FUNCTION CONDITIONS REQUIRED DIVISIONS

1. ECCS Preferred Pump 1,2,3 2 Logic 4(a),5(a) (b)
2. CAS Logic 1,2,3 2
3. Unit Priority Re-Trip Logic 1,2,3 2 (a) When associated RHR or Core Spray pumps are required to be OPERABLE, or are in operation, and Unit 1 is in MODE 1, 2, or 3.

(b) The number of Required Divisions is dependent on the configuration of the RHR or Core Spray pumps required to be OPERABLE, or are in operation.

BFN-Unit 2 3.3-83

AC Sources - Operating 3.8.1 3.8 ELECTRICAL POWER SYSTEMS 3.8.1 AC Sources - Operating LCO 3.8.1 The following AC electrical power sources shall be OPERABLE:

a. Two qualified circuits between the offsite transmission network and the onsite Class 1E AC Electrical Power Distribution System;
b. Unit 1 and 2 diesel generators (DGs) with two divisions of 480 V load shed logic and common accident signal logic OPERABLE; and
c. Unit 3 DG(s) capable of supplying the Unit 3 4.16 kV shutdown board(s) required by LCO 3.8.7, "Distribution Systems -

Operating."

APPLICABILITY: MODES 1, 2, and 3.

ACTIONS

NOTE---------------------------------------------------

LCO 3.0.4.b is not applicable to DGs.

CONDITION REQUIRED ACTION COMPLETION TIME A. One required offsite A.1 Verify power availability 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> circuit inoperable. from the remaining OPERABLE offsite AND transmission network.

Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter AND (continued)

BFN-UNIT 2 3.8-1 Amendment No. 253, 286 December 1, 2003

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME C. One division of 480 V C.1 Restore required division 7 days load shed logic of 480 V load shed logic inoperable. to OPERABLE status.

D. One division of common D.1 Restore required division 7 days accident signal logic of common accident inoperable. signal logic to OPERABLE status.

E. Two required offsite E.1 Declare required 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from D circuits inoperable. feature(s) inoperable discovery of when the redundant Condition E D required feature(s) are concurrent with inoperable. inoperability of redundant required feature(s)

AND E.2 Restore one required 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> offsite circuit to OPERABLE status.

(continued)

BFN-UNIT 2 3.8-4 Amendment No. 253

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME

NOTE------------- -------------------NOTE----------------

Only applicable when more Enter applicable Conditions and than one 4.16 kV shutdown Required Actions of LCO 3.8.7, E board is affected. "Distribution Systems -

Operating," when Condition F is entered with no AC power source F. One required offsite to any 4.16 kV shutdown board.

circuit inoperable. --------------------------------------------

AND F.1 Restore required offsite 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> E circuit to OPERABLE One Unit 1 and 2 DG status.

inoperable.

OR F.2 Restore Unit 1 and 2 DG 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to OPERABLE status.

NOTE-------------

Applicable when only one 4.16 kV shutdown board is affected.

G. One required offsite G.1 Declare the affected Immediately circuit inoperable. 4.16 kV shutdown board inoperable.

F AND One Unit 1 and 2 DG inoperable.

(continued)

BFN-UNIT 2 3.8-5 Amendment No. 253

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION G TIME H. Two or more Unit 1 H.1 Restore all but one Unit 1 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and 2 DGs and 2 DG to OPERABLE inoperable. status.

H I. Required Action and I.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Associated Completion Time of AND H Condition A, B, C, D, E, F, or H not met. I.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> G

I J. One or more required J.1 Enter LCO 3.0.3. Immediately offsite circuits and two or more Unit 1 and 2 DGs I inoperable.

OR Two required offsite circuits and one or more Unit 1 and 2 DGs inoperable.

OR Two divisions of 480 V load shed logic inoperable.

OR Two divisions of common accident signal logic inoperable.

(continued)

BFN-UNIT 2 3.8-6 Amendment No. 253

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME K. One or more required K.1 Declare required 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from J

Unit 3 DGs feature(s) supported by discovery of inoperable. the inoperable Unit 3 DG Condition K J inoperable when the concurrent with redundant required inoperability of feature(s) are inoperable. redundant required feature(s)

AND K.2 Declare affected SGT and 30 days CREVs subsystem(s) inoperable.

BFN-UNIT 2 3.8-7 Amendment No. 253

Proposed Technical Specifications Pages (Markups) for BFN, Unit 3 (11 pages including cover sheet)

BROWNS FERRY NUCLEAR PLANT TECHNICAL SPECIFICATIONS (REQUIREMENTS)

TABLE OF CONTENTS (continued)

Section Page No.

3.3 INSTRUMENTATION ................................................................ 3.3-1 3.3.1.1 Reactor Protection System (RPS) Instrumentation .............. 3.3-1 3.3.1.2 Source Range Monitor (SRM) Instrumentation..................... 3.3-10 3.3.2.1 Control Rod Block Instrumentation ....................................... 3.3-16 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation ........................................................ 3.3-22 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation ................. 3.3-24 3.3.3.2 Backup Control System ........................................................ 3.3-28 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT)

Instrumentation ............................................................... 3.3-30 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation ........................ 3.3-33 3.3.5.1 Emergency Core Cooling System (ECCS)

Instrumentation ............................................................... 3.3-36 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation ............................................................... 3.3-49 3.3.6.1 Primary Containment Isolation Instrumentation .................... 3.3-53 3.3.6.2 Secondary Containment Isolation Instrumentation ............... 3.3-62 3.3.7.1 Control Room Emergency Ventilation (CREV)

System Instrumentation .................................................. 3.3-66 3.3.8.1 Loss of Power (LOP) Instrumentation .................................. 3.3-71 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring ....................................................................... 3.3-76 3.4 REACTOR COOLANT SYSTEM (RCS) .................................... 3.4-1 3.4.1 Recirculation Loops Operating ............................................. 3.4-1 3.4.2 Jet Pumps ............................................................................ 3.4-5 3.4.3 Safety/Relief Valves (S/RVs) ................................................ 3.4-7 3.4.4 RCS Operational LEAKAGE ................................................ 3.4-9 3.4.5 RCS Leakage Detection Instrumentation ............................. 3.4-12 3.4.6 RCS Specific Activity ............................................................ 3.4-15 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown .................................................. 3.4-18 3.3.8.3 Common Accident Signal (CAS) and Unit Priority Re-Trip Logic.................3.3-78 (continued)

BFN-UNIT 3 ii Amendment No. 213 September 03, 1998

ECCS Instrumentation 3.3.5.1 Table 3 3.5 1-1 (page 1 of 6)

Emergency Core Cooling System Instrumentation APPLICABLE CONDITIONS MOOES REQUIRED REFERENCED FUNCTION OR OTHER CHANNELS FROM SURVEILLANCE ALLOWABLE SPECIFIED PER REQUIRED REQUIREMENTS VALUE CONDITIONS FUNCTION ACTIONA1 Core Spray System a Reactor Vessel Water Level I 2.3, 4(b) B SR 3 3 5.1 1 ~ 398 Inches

- Low Low Low, Level ,CO 4(a) 5(a) SR 3 3.51 2 above vessel SR 3 35 15 zero SR 3 3 51 6 b Drywell Pressure - H191i(f) 1,2,3 4(b) B SR 3.3.5.1.2 s 2.5 ps!g SR 3 3.5 1.5 SR 3 3.5.1 6 Q Reactor Steam Dome 1.2 ,3 4(b) c SR 3 3 5 1 2 ~ 435 ps1g and Pressure - Low (lnJection 2 per tflp SR 3 3 514

  • 465 ps19 Permissive and ECCS system SR 3 3 5 1.6 lnlltatlon)(f) 4(a), 5(a) 4 B SR 3 3 51 2 ~ 435 psig and 2 per tnp SR 3 3.5 1.4 s. 465 ps1g system SR 3 3 51 6 d Core Spray Purnp Discharge 1,2,3. 2 E SR 3 3 512 ~ 1647 gpm Flow - Low (Bypass) 4Ca>, 5(a) t per SR 3 3 5 1 5 and subsystem ~ 2910gpm e Core Spray Pump Sta11 -

Time Delay Relay Pumps A,B,C,D (with diesel 1.2,3, 4 c SR 3 3 5 1 5 I? 6 seconds power) 4(a) 5(a) 1 per pump SR 3 3.5 1,6 and

~ 8 seconds Pump A (with normal power) 123, c SR 3 3 5 1 5  :- 0 seconds 4(8), 5(8) SR 3 3 5 1 6 and

~ 1 second Pump B (with normal power) 1,2.3, c SR 3 3 .5.1 5 ~ 6 seconds 4(e>, 5(a) SR 3351 .6 and 3.3.8.3, "Common Accident Signal (CAS) and ~ 8 seconds Unit Priority Re-Trip Logics."

continued (a) Wl'len associated subsysternts) are required to be OPERABLE (b) Channels affect Common Accident Signal Logic. Refer to LCO 3.8 1, "AC Sources

  • Operating -

(f) During Instrument callbrahons, 1f the As Found channel setpolnt 1s conservative with respect to the Allowable Value but outside Its acceptable As Found band as defined by Its associated Surveillance Requirement procedure. then there shall be an lnltial determination to ensure confidence that the channel can perform as required before returning the channel to service 1n accordance with the Survelllance If the As Found instrument cnannel selpolnt IS not conservative with respect to the Allowable Value. the channel shall be declared inoperable Prtor to returning .a chAnnel tn service, the instrument channel setpoint shall be calibrated tu a value that 1s within the acceptable As Left tolerance o1 the setpo1nt, otherwise, the channel shall be declared inoperable The nominal Trlp Setpolnt shall be specified on design output documentation which ts incorporated by reference in the Updated Final Safety Analysis Report The methodology used to determine the nominal Trip Setpolnt, the predefined As found Tolerance, and the As Left Tolerance band, and a listing oftlie setpolnt design output documentation shall be speo1f1ed ln Chapter 7 of the Updated Final Safety Analysfs Report BFN-UNIT 3 3.3-43 Amendment No. 2-1-3,254 September 14, 2006

ECCS Instrumentation 3.3. 5.1

'Tat>le 3.3.5 1-1 (page 2 of 6)

Emergency Core Cooling System Instrumental.Jon APPLICABLE CONDITIONS MODES REQUIRED REFERENCED FUNCTION OR OTHER CHANNELS FROM SURVEILLANCE ALLOWABLE SPECIFIED PER REQUIRED REQUIREMENTS VALUE CONDITIONS FUNCTION ACTION A 1 Core Spray System (continued) e Core Spray Pump Stan -

Time Delay Relay (continued)

Pump C (with normal power) c SR 3.3 5.1.5 a 12 seconds SR 3 3 5 1 6 and l> 16 seconds Pump D (with normal power) c SR 3 3 5 1 5 " 18 seconds SR 3 3 5 1 6 and

~ 24 seconds 2 Low Pressure Coolant ln1ection (l PCI) System a Reactor Vessel Water Level 1.2.3, 4 B SR 3 3 5 1 I ~ 398 inches

- Low Low Low Level 1 (f) 4(a) 5(a) SR 3 3 5 1 2 above vessel (g) SR 3 3 51 5 zero SR 3 3 5 1 6 b Drywall Pressure - H1yh(f) 1 2,3 4 6 SR 3 3 5 1 2 ~ 2 5 ps19 SR 3 3 5 l 5 SR 3.3.5.1 6 c Reactor Steam Dome 1,2,3 4 c SR 3 3 5.1 2 > 435 ps1g and Pressure - Low (lnJectlon SR 3 3 5 1 4 465 pslg Peomss1ve and ECCS SR33516 lnlt1at1on)<I) 4 B SR 3 3 5 1 2 ~ 435 ps1g and SR 3.351.4 .. 465 ps1g SR 3.3.5 1,6 continued (a) When associated subsystem(s) are required to be OPERABLE (b) Deleted (I} Ounng instrument calibrations If the As Found channel selpoinl is conservauve with respect to the Allowable Value oul outside its acceptable As Found band as defined by its associated Surveillance ReQuirement procedure, then there snail oe an in1ttal delerm1natlon to ensure confidence that the channel can perform as required before returnrng the channel to service In accordance with lhe Surveillance If the As Found Instrument channel setpo1nt Is nol conservative with respect to the Allowable Value. the channel shall be declared Inoperable.

Prior to returning a channel to service, the instrument channel setpo1nt shall be calibrated to a value that 1s w1th1n the acceptable As Left tolerance of the setpo1nt. othe1W1se, the channel shall be declared inoperable The nominal Tnp Setpolnl shall be specified on design output documelllallon which IS incorporated by reference tn lhe Updated Final Safety Analysis Report The methodology used lo determine the nominal Tnp Setpoint, the predefined As Found Tolerance. and the As Left Tolerance band, and a listing of the selpo1nl design output documentation shall be specified In Chapter 7 of the Updated Fina! Safety Analysls Repor1 (g) Channels affect Unit Priority Re-trip Logic. Refer to LCO 3.3.8.3, "Common Accident Signal (CAS) and Unit Priority Re-Trip Logics."

BFN-UNIT 3 3.3-44 Amendment No. 243,-254 September 14, 2006

<TS 3.3.8.3 INSERT>

CAS and Unit Priority Re-Trip Logic 3.3.8.3 3.3 INSTRUMENTATION 3.3.8.3 Common Accident Signal (CAS) and Unit Priority Re-Trip Logic LCO 3.3.8.3 Two divisions of the following logic shall be OPERABLE:

a. CAS Logic, and
b. Unit Priority Re-Trip Logic.

APPLICABILITY: MODES 1, 2, and 3.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One CAS Logic division A.1 Restore logic division to 7 days inoperable. OPERABLE status.

B. One Unit Priority Re-Trip B.1 Restore logic division to 7 days Logic division OPERABLE status.

inoperable.

C. Required Action and C.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> associated Completion Time of Condition A or B AND not met.

C.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> D. Two divisions of CAS D.1 Enter LCO 3.0.3. Immediately Logic inoperable.

OR Two divisions of Unit Priority Re-Trip Logic inoperable.

BFN-Unit 3 3.3-78

<TS 3.3.8.3 INSERT>

CAS and Unit Priority Re-Trip Logic 3.3.8.3 SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.8.3.1 -----------------------------NOTE------------------------------ 24 months When a division is placed in an inoperable status solely for performance of required Surveillance, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated redundant division is OPERABLE.

Perform LOGIC SYSTEM FUNCTIONAL TEST including breaker actuation.

BFN-Unit 3 3.3-79

AC Sources - Operating 3.8.1 3.8 ELECTRICAL POWER SYSTEMS 3.8.1 AC Sources - Operating LCO 3.8.1 The following AC electrical power sources shall be OPERABLE:

a. Two qualified circuits between the offsite transmission network and the onsite Class 1E AC Electrical Power Distribution System;
b. Unit 3 diesel generators (DGs) with two divisions of 480 V load shed logic and common accident signal logic OPERABLE; and
c. Unit 1 and 2 DG(s) capable of supplying the Unit 1 and 2 4.16 kV shutdown board(s) required by LCO 3.8.7, "Distribution Systems - Operating."

APPLICABILITY: MODES 1, 2, and 3.

ACTIONS

NOTE---------------------------------------------------

LCO 3.0.4.b is not applicable to DGs.

CONDITION REQUIRED ACTION COMPLETION TIME A. One required offsite A.1 Verify power availability 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> circuit inoperable. from the remaining OPERABLE offsite AND transmission network.

Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter AND (continued)

BFN-UNIT 3 3.8-1 Amendment No. 212, 244 December 1, 2003

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME C. One division of 480 V C.1 Restore required division 7 days load shed logic of 480 V load shed logic inoperable. to OPERABLE status.

D. One division of common D.1 Restore required division 7 days accident signal logic of common accident inoperable. signal logic to OPERABLE status.

E. Two required offsite E.1 Declare required 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from D circuits inoperable. feature(s) inoperable discovery of when the redundant Condition E D required feature(s) are concurrent with inoperable. inoperability of redundant required feature(s)

AND E.2 Restore one required 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> offsite circuit to OPERABLE status.

(continued)

BFN-UNIT 3 3.8-4 Amendment No. 212

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME

NOTE------------- -------------------NOTE----------------

Only applicable when more Enter applicable Conditions and than one 4.16 kV shutdown Required Actions of LCO 3.8.7, E board is affected. "Distribution Systems -

Operating," when Condition F is entered with no AC power source F. One required offsite to any 4.16 kV shutdown board.

circuit inoperable. --------------------------------------------

AND F.1 Restore required offsite 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> E circuit to OPERABLE One Unit 3 DG status.

inoperable.

OR F.2 Restore Unit 3 DG to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> OPERABLE status.

NOTE-------------

Applicable when only one 4.16 kV shutdown board is affected.

G. One required offsite G.1 Declare the affected Immediately circuit inoperable. 4.16 kV shutdown board inoperable.

F AND One Unit 3 DG inoperable.

(continued)

BFN-UNIT 3 3.8-5 Amendment No. 212

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION G TIME H. Two or more Unit 3 H.1 Restore all but one Unit 3 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> DGs inoperable. DG to OPERABLE status.

H I. Required Action and I.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Associated Completion Time of AND H Condition A, B, C, D, E, F, or H not met. I.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> G

I J. One or more required J.1 Enter LCO 3.0.3. Immediately offsite circuits and two or more Unit 3 DGs inoperable. I OR Two required offsite circuits and one or more Unit 3 DGs inoperable.

OR Two divisions of 480 V load shed logic inoperable.

OR Two divisions of common accident signal logic inoperable.

(continued)

BFN-UNIT 3 3.8-6 Amendment No. 212

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME K. One or more required K.1 Declare required 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from J

Unit 1 and 2 DGs feature(s) supported by discovery of inoperable. the inoperable Unit 1 and Condition K J 2 DG inoperable when the concurrent with redundant required inoperability of feature(s) are inoperable. redundant required feature(s)

AND K.2 Declare affected SGT and 30 days CREVs subsystem(s) inoperable.

BFN-UNIT 3 3.8-7 Amendment No. 212

ATTACHMENT 2 Proposed Retyped Technical Specifications Pages for BFN, Units 1, 2, and 3 (38 pages including cover sheet)

Proposed Retyped Technical Specifications Pages for BFN, Unit 1 (13 pages including cover sheet)

BROWNS FERRY NUCLEAR PLANT TECHNICAL SPECIFICATIONS (REQUIREMENTS)

TABLE OF CONTENTS (continued)

Section Page No.

3.3 INSTRUMENTATION ................................................................ 3.3-1 3.3.1.1 Reactor Protection System (RPS) Instrumentation .............. 3.3-1 3.3.1.2 Source Range Monitor (SRM) Instrumentation..................... 3.3-9 3.3.2.1 Control Rod Block Instrumentation ....................................... 3.3-15 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation ........................................................ 3.3-21 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation ................. 3.3-23 3.3.3.2 Backup Control System ........................................................ 3.3-27 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT)

Instrumentation ............................................................... 3.3-29 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation ........................ 3.3-32 3.3.5.1 Emergency Core Cooling System (ECCS)

Instrumentation ............................................................... 3.3-35 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation ............................................................... 3.3-48 3.3.6.1 Primary Containment Isolation Instrumentation .................... 3.3-52 3.3.6.2 Secondary Containment Isolation Instrumentation ............... 3.3-61 3.3.7.1 Control Room Emergency Ventilation (CREV)

System Instrumentation .................................................. 3.3-65 3.3.8.1 Loss of Power (LOP) Instrumentation .................................. 3.3-70 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring ....................................................................... 3.3-75 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic . 3.3-78 3.4 REACTOR COOLANT SYSTEM (RCS) .................................... 3.4-1 3.4.1 Recirculation Loops Operating ............................................. 3.4-1 3.4.2 Jet Pumps ............................................................................ 3.4-5 3.4.3 Safety/Relief Valves (S/RVs) ................................................ 3.4-7 3.4.4 RCS Operational LEAKAGE ................................................ 3.4-9 3.4.5 RCS Leakage Detection Instrumentation ............................. 3.4-12 3.4.6 RCS Specific Activity ............................................................ 3.4-15 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown .................................................. 3.4-18 (continued)

BFN-UNIT 1 ii Amendment No. 234, 000

ECCS Instrumentation 3.3.5.1 Table 3.3.5.1-1 (page 1 of 6)

Emergency Core Cooling System Instrumentation APPLICABLE CONDITIONS MODES REQUIRED REFERENCED FUNCTION OR OTHER CHANNELS FROM SURVEILLANCE ALLOWABLE SPECIFIED PER REQUIRED REQUIREMENTS VALUE CONDITIONS FUNCTION ACTION A.1

1. Core Spray System
a. Reactor Vessel Water 1,2,3, 4(b) B SR 3.3.5.1.1 398 inches Level - Low Low Low, 4(a), 5(a) SR 3.3.5.1.2 above vessel Level 1(e) SR 3.3.5.1.5 zero SR 3.3.5.1.6
b. Drywell Pressure - 1,2,3 4(b) B SR 3.3.5.1.2 2.5 psig High(e) SR 3.3.5.1.5 SR 3.3.5.1.6
c. Reactor Steam Dome 1,2,3 4(b) C SR 3.3.5.1.2 435 psig Pressure - Low (Injection 2 per trip SR 3.3.5.1.4 and Permissive and ECCS system SR 3.3.5.1.6 465 psig Initiation)(e) 4(a), 5(a) 4 B SR 3.3.5.1.2 435 psig 2 per trip SR 3.3.5.1.4 and system SR 3.3.5.1.6 465 psig
d. Core Spray Pump 1,2,3, 2 E SR 3.3.5.1.2 1647 gpm Discharge Flow - Low 4(a), 5(a) 1 per SR 3.3.5.1.5 and (Bypass) subsystem 2910 gpm
e. Core Spray Pump Start -

Time Delay Relay Pumps A,B,C,D (with 1,2,3, 4 C SR 3.3.5.1.5 6 seconds diesel power) 4(a), 5(a) 1 per pump SR 3.3.5.1.6 and 8 seconds Pump A (with normal 1,2,3, 1 C SR 3.3.5.1.5 0 seconds power) 4(a), 5(a) SR 3.3.5.1.6 and 1 second Pump B (with normal 1,2,3, 1 C SR 3.3.5.1.5 6 seconds power) 4(a), 5(a) SR 3.3.5.1.6 and 8 seconds (continued)

(a) When associated subsystem(s) are required to be OPERABLE.

(b) Channels affect ECCS Preferred Pump Logic and Common Accident Signal Logic. Refer to LCO 3.3.8.3, Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic."

(e) During instrument calibrations, if the As Found channel setpoint is conservative with respect to the Allowable Value but outside its acceptable As Found band as defined by its associated Surveillance Requirement procedure, then there shall be an initial determination to ensure confidence that the channel can perform as required before returning the channel to service in accordance with the Surveillance. If the As Found instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.

Prior to returning a channel to service, the instrument channel setpoint shall be calibrated to a value that is within the acceptable As Left tolerance of the setpoint; otherwise, the channel shall be declared inoperable.

The nominal Trip Setpoint shall be specified on design output documentation which is incorporated by reference in the Updated Final Safety Analysis Report. The methodology used to determine the nominal Trip Setpoint, the predefined As Found Tolerance, and the As Left Tolerance band, and a listing of the setpoint design output documentation shall be specified in Chapter 7 of the Updated Final Safety Analysis Report.

BFN-UNIT 1 3.3-42 Amendment No. 234, 257, 000

ECCS Instrumentation 3.3.5.1 Table 3.3.5.1-1 (page 2 of 6)

Emergency Core Cooling System Instrumentation APPLICABLE CONDITIONS MODES REQUIRED REFERENCED FUNCTION OR OTHER CHANNELS FROM SURVEILLANCE ALLOWABLE SPECIFIED PER REQUIRED REQUIREMENTS VALUE CONDITIONS FUNCTION ACTION A.1

1. Core Spray System (continued)
e. Core Spray Pump Start -

Time Delay Relay (continued)

Pump C (with normal power) 1,2,3, 1 C SR 3.3.5.1.5 12 seconds 4(a), 5(a) SR 3.3.5.1.6 and 16 seconds Pump D (with normal power) 1,2,3, 1 C SR 3.3.5.1.5 18 seconds 4(a), 5(a) SR 3.3.5.1.6 and 24 seconds

2. Low Pressure Coolant Injection (LPCI) System
a. Reactor Vessel Water 1,2,3, 4(f) B SR 3.3.5.1.1 398 inches Level - Low Low Low, 4(a), 5(a) SR 3.3.5.1.2 above vessel Level 1(e) SR 3.3.5.1.5 zero SR 3.3.5.1.6
b. Drywell Pressure - High(e) 1,2,3 4(f) B SR 3.3.5.1.2 2.5 psig SR 3.3.5.1.5 SR 3.3.5.1.6
c. Reactor Steam Dome 1,2,3 4(f) C SR 3.3.5.1.2 435 psig and Pressure - Low (Injection SR 3.3.5.1.4 465 psig Permissive and ECCS SR 3.3.5.1.6 Initiation)(e) 4(a), 5(a) 4 B SR 3.3.5.1.2 435 psig and SR 3.3.5.1.4 465 psig SR 3.3.5.1.6 (continued)

(a) When associated subsystem(s) are required to be OPERABLE.

(b) Deleted.

(e) During instrument calibrations, if the As Found channel setpoint is conservative with respect to the Allowable Value but outside its acceptable As Found band as defined by its associated Surveillance Requirement procedure, then there shall be an initial determination to ensure confidence that the channel can perform as required before returning the channel to service in accordance with the Surveillance. If the As Found instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.

Prior to returning a channel to service, the instrument channel setpoint shall be calibrated to a value that is within the acceptable As Left tolerance of the setpoint; otherwise, the channel shall be declared inoperable.

The nominal Trip Setpoint shall be specified on design output documentation which is incorporated by reference in the Updated Final Safety Analysis Report. The methodology used to determine the nominal Trip Setpoint, the predefined As Found Tolerance, and the As Left Tolerance band, and a listing of the setpoint design output documentation shall be specified in Chapter 7 of the Updated Final Safety Analysis Report.

(f) Channels affect ECCS Preferred Pump Logic and Unit Priority Re-trip Logic. Refer to LCO 3.3.8.3, Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic.

BFN-UNIT 1 3.3-43 Amendment No. 234, 257, 000

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 3.3 INSTRUMENTATION 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic LCO 3.3.8.3 The logic systems for each FUNCTION in Table 3.3.8.3-1 shall be OPERABLE.

APPLICABILITY: According to Table 3.3.8.3-1.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One or more required A.1 Restore ECCS Preferred 7 days ECCS Preferred Pump Pump Logic division to Logic divisions OPERABLE.

inoperable.

B. One CAS Logic division B.1 Restore logic division to 7 days inoperable. OPERABLE status.

C. One Unit Priority Re-Trip C.1 Restore logic division to 7 days Logic division inoperable. OPERABLE status.

D. Required Action and D.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> associated Completion Time of Condition A, B, or AND C not met in MODE 1, 2, or 3. D.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> (continued)

BFN-UNIT 1 3.3-78 Amendment No. 000

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME E. Required Action and E.1 -----------NOTE----------- Immediately associated Completion Only applicable in Time of Condition A not MODE 4 and 5.

met in MODE 4 or 5 with ------------------------------

Unit 2 in MODE 1, 2, or 3.

Declare associated ECCS components inoperable.

F. Two divisions of CAS F.1 Enter LCO 3.0.3. Immediately Logic inoperable.

OR Two divisions of Unit Priority Re-Trip Logic inoperable.

BFN-UNIT 1 3.3-79 Amendment No. 000

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.8.3.1 -----------------------NOTES-------------------------

1. When a division is placed in an inoperable status solely for performance of required Surveillance, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated redundant division is OPERABLE.

24 months

2. Breakers associated with Unit 2 are not required to actuate for proper completion of this Surveillance.

Perform LOGIC SYSTEM FUNCTIONAL TEST including breaker actuation.

BFN-UNIT 1 3.3-80 Amendment No. 000

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 Table 3.3.8.3-1 (page 1 of 1)

Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS),

and Unit Priority Re-Trip Logic APPLICABLE MODES OR OTHER SPECIFIED FUNCTION CONDITIONS REQUIRED DIVISIONS

1. ECCS Preferred Pump Logic 1,2,3 2 (a) (a) (b) 4 ,5
2. CAS Logic 1,2,3 2
3. Unit Priority Re-Trip Logic 1,2,3 2 (a) When associated RHR or Core Spray Pumps are required to be OPERABLE, or are in operation, and Unit 2 is in MODE 1, 2, or 3.

(b) The number of Required Divisions is dependent on the configuration of the RHR or Core Spray pumps required to be OPERABLE, or are in operation.

BFN-UNIT 1 3.3-81 Amendment No. 000

AC Sources - Operating 3.8.1 3.8 ELECTRICAL POWER SYSTEMS 3.8.1 AC Sources - Operating LCO 3.8.1 The following AC electrical power sources shall be OPERABLE:

a. Two qualified circuits between the offsite transmission network and the onsite Class 1E AC Electrical Power Distribution System;
b. Unit 1 and 2 diesel generators (DGs) with two divisions of 480 V load shed logic OPERABLE; and
c. Unit 3 DG(s) capable of supplying the Unit 3 4.16 kV shutdown board(s) required by LCO 3.8.7, "Distribution Systems -

Operating."

APPLICABILITY: MODES 1, 2, and 3.

ACTIONS

NOTE---------------------------------------------------

LCO 3.0.4.b is not applicable to DGs.

CONDITION REQUIRED ACTION COMPLETION TIME A. One required offsite A.1 Verify power availability 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> circuit inoperable. from the remaining OPERABLE offsite AND transmission network.

Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter AND (continued)

BFN-UNIT 1 3.8-1 Amendment No. 234, 249, 000

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME C. One division of 480 V C.1 Restore required division 7 days load shed logic of 480 V load shed logic inoperable. to OPERABLE status.

D. Two required offsite D.1 Declare required 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from circuits inoperable. feature(s) inoperable discovery of when the redundant Condition D required feature(s) are concurrent with inoperable. inoperability of redundant required feature(s)

AND D.2 Restore one required 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> offsite circuit to OPERABLE status.

(continued)

BFN-UNIT 1 3.8-4 Amendment No. 234, 000

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME

NOTE------------- -------------------NOTE----------------

Only applicable when more Enter applicable Conditions and than one 4.16 kV shutdown Required Actions of LCO 3.8.7, board is affected. "Distribution Systems -

Operating," when Condition E is entered with no AC power source E. One required offsite to any 4.16 kV shutdown board.

circuit inoperable. --------------------------------------------

AND E.1 Restore required offsite 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> circuit to OPERABLE One Unit 1 and 2 DG status.

inoperable.

OR E.2 Restore Unit 1 and 2 DG 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to OPERABLE status.

NOTE-------------

Applicable when only one 4.16 kV shutdown board is affected.

F. One required offsite F.1 Declare the affected Immediately circuit inoperable. 4.16 kV shutdown board inoperable.

AND One Unit 1 and 2 DG inoperable.

(continued)

BFN-UNIT 1 3.8-5 Amendment No. 234, 000

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME G. Two or more Unit 1 and 2 G.1 Restore all but one Unit 1 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> DGs inoperable. and 2 DG to OPERABLE status.

H. Required Action and H.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Associated Completion Time of Condition A, B, AND C, D, E, or G not met.

H.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> I. One or more required I.1 Enter LCO 3.0.3. Immediately offsite circuits and two or more Unit 1 and 2 DGs inoperable.

OR Two required offsite circuits and one or more Unit 1 and 2 DGs inoperable.

OR Two divisions of 480 V load shed logic inoperable.

(continued)

BFN-UNIT 1 3.8-6 Amendment No. 234, 000

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME J. One or more required J.1 Declare required 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from Unit 3 DGs inoperable. feature(s) supported by discovery of the inoperable Unit 3 DG Condition J inoperable when the concurrent with redundant required inoperability of feature(s) are inoperable. redundant required feature(s)

AND J.2 Declare affected SGT and 30 days CREVs subsystem(s) inoperable.

BFN-UNIT 1 3.8-7 Amendment No. 234, 000

Proposed Retyped Technical Specifications Pages for BFN, Unit 2 (13 pages including cover sheet)

BROWNS FERRY NUCLEAR PLANT TECHNICAL SPECIFICATIONS (REQUIREMENTS)

TABLE OF CONTENTS (continued)

Section Page No.

3.3 INSTRUMENTATION ................................................................ 3.3-1 3.3.1.1 Reactor Protection System (RPS) Instrumentation .............. 3.3-1 3.3.1.2 Source Range Monitor (SRM) Instrumentation..................... 3.3-10 3.3.2.1 Control Rod Block Instrumentation ....................................... 3.3-16 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation ........................................................ 3.3-22 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation ................. 3.3-24 3.3.3.2 Backup Control System ........................................................ 3.3-28 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT)

Instrumentation ............................................................... 3.3-30 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation ........................ 3.3-33 3.3.5.1 Emergency Core Cooling System (ECCS)

Instrumentation ............................................................... 3.3-36 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation ............................................................... 3.3-49 3.3.6.1 Primary Containment Isolation Instrumentation .................... 3.3-53 3.3.6.2 Secondary Containment Isolation Instrumentation ............... 3.3-62 3.3.7.1 Control Room Emergency Ventilation (CREV)

System Instrumentation .................................................. 3.3-66 3.3.8.1 Loss of Power (LOP) Instrumentation .................................. 3.3-71 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring ....................................................................... 3.3-76 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic ....3.3-80 3.4 REACTOR COOLANT SYSTEM (RCS) .................................... 3.4-1 3.4.1 Recirculation Loops Operating ............................................. 3.4-1 3.4.2 Jet Pumps ............................................................................ 3.4-5 3.4.3 Safety/Relief Valves (S/RVs) ................................................ 3.4-7 3.4.4 RCS Operational LEAKAGE ................................................ 3.4-9 3.4.5 RCS Leakage Detection Instrumentation ............................. 3.4-12 3.4.6 RCS Specific Activity ............................................................ 3.4-15 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown .................................................. 3.4-18 (continued)

BFN-UNIT 2 ii Amendment No. 253, 000

ECCS Instrumentation 3.3.5.1 Table 3.3.5.1-1 (page 1 of 6)

Emergency Core Cooling System Instrumentation APPLICABLE CONDITIONS MODES REQUIRED REFERENCED FUNCTION OR OTHER CHANNELS FROM SURVEILLANCE ALLOWABLE SPECIFIED PER REQUIRED REQUIREMENTS VALUE CONDITIONS FUNCTION ACTION A.1

1. Core Spray System
a. Reactor Vessel Water 1,2,3, 4(b) B SR 3.3.5.1.1 398 inches Level - Low Low Low, 4(a), 5(a) SR 3.3.5.1.2 above vessel Level 1(e) SR 3.3.5.1.5 zero SR 3.3.5.1.6
b. Drywell Pressure - 1,2,3 4(b) B SR 3.3.5.1.2 2.5 psig High(e) SR 3.3.5.1.5 SR 3.3.5.1.6
c. Reactor Steam Dome 1,2,3 4(b) C SR 3.3.5.1.2 435 psig Pressure - Low (Injection 2 per trip SR 3.3.5.1.4 and Permissive and ECCS system SR 3.3.5.1.6 465 psig Initiation)(e) 4(a), 5(a) 4 B SR 3.3.5.1.2 435 psig 2 per trip SR 3.3.5.1.4 and system SR 3.3.5.1.6 465 psig
d. Core Spray Pump 1,2,3, 2 E SR 3.3.5.1.2 1647 gpm Discharge Flow - Low 4(a), 5(a) 1 per SR 3.3.5.1.5 and (Bypass) subsystem 2910 gpm
e. Core Spray Pump Start - Time Delay Relay Pumps A,B,C,D (with 1,2,3, 4 C SR 3.3.5.1.5 6 seconds diesel power) 4(a), 5(a) 1 per pump SR 3.3.5.1.6 and 8 seconds Pump A (with normal 1,2,3, 1 C SR 3.3.5.1.5 0 seconds power) 4(a), 5(a) SR 3.3.5.1.6 and 1 second Pump B (with normal 1,2,3, 1 C SR 3.3.5.1.5 6 seconds power) 4(a), 5(a) SR 3.3.5.1.6 and 8 seconds (continued)

(a) When associated subsystem(s) are required to be OPERABLE.

(b) Channels affect ECCS Preferred Pump Logic and Common Accident Signal Logic. Refer to LCO 3.3.8.3, Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic."

(e) During instrument calibrations, if the As Found channel setpoint is conservative with respect to the Allowable Value but outside its acceptable As Found band as defined by its associated Surveillance Requirement procedure, then there shall be an initial determination to ensure confidence that the channel can perform as required before returning the channel to service in accordance with the Surveillance. If the As Found instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.

Prior to returning a channel to service, the instrument channel setpoint shall be calibrated to a value that is within the acceptable As Left tolerance of the setpoint; otherwise, the channel shall be declared inoperable.

The nominal Trip Setpoint shall be specified on design output documentation which is incorporated by reference in the Updated Final Safety Analysis Report. The methodology used to determine the nominal Trip Setpoint, the predefined As Found Tolerance, and the As Left Tolerance band, and a listing of the setpoint design output documentation shall be specified in Chapter 7 of the Updated Final Safety Analysis Report.

BFN-UNIT 2 3.3-44 Amendment No. 253, 296, 000

ECCS Instrumentation 3.3.5.1 Table 3.3.5.1-1 (page 2 of 6)

Emergency Core Cooling System Instrumentation APPLICABLE CONDITIONS MODES REQUIRED REFERENCED FUNCTION OR OTHER CHANNELS FROM SURVEILLANCE ALLOWABLE SPECIFIED PER REQUIRED REQUIREMENTS VALUE CONDITIONS FUNCTION ACTION A.1

1. Core Spray System (continued)
e. Core Spray Pump Start -

Time Delay Relay (continued)

Pump C (with normal power) 1,2,3, 1 C SR 3.3.5.1.5 12 seconds 4(a), 5(a) SR 3.3.5.1.6 and 16 seconds Pump D (with normal power) 1,2,3, 1 C SR 3.3.5.1.5 18 seconds 4(a), 5(a) SR 3.3.5.1.6 and 24 seconds

2. Low Pressure Coolant Injection (LPCI) System
a. Reactor Vessel Water 1,2,3, 4(f) B SR 3.3.5.1.1 398 inches Level - Low Low Low, 4(a), 5(a) SR 3.3.5.1.2 above vessel Level 1(e) SR 3.3.5.1.5 zero SR 3.3.5.1.6
b. Drywell Pressure - High(e) 1,2,3 4(f) B SR 3.3.5.1.2 2.5 psig SR 3.3.5.1.5 SR 3.3.5.1.6
c. Reactor Steam Dome 1,2,3 4(f) C SR 3.3.5.1.2 435 psig and Pressure - Low (Injection SR 3.3.5.1.4 465 psig Permissive and ECCS SR 3.3.5.1.6 Initiation)(e) 4(a), 5(a) 4 B SR 3.3.5.1.2 435 psig and SR 3.3.5.1.4 465 psig SR 3.3.5.1.6 (continued)

(a) When associated subsystem(s) are required to be OPERABLE.

(b) Deleted.

(e) During instrument calibrations, if the As Found channel setpoint is conservative with respect to the Allowable Value but outside its acceptable As Found band as defined by its associated Surveillance Requirement procedure, then there shall be an initial determination to ensure confidence that the channel can perform as required before returning the channel to service in accordance with the Surveillance. If the As Found instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.

Prior to returning a channel to service, the instrument channel setpoint shall be calibrated to a value that is within the acceptable As Left tolerance of the setpoint; otherwise, the channel shall be declared inoperable.

The nominal Trip Setpoint shall be specified on design output documentation which is incorporated by reference in the Updated Final Safety Analysis Report. The methodology used to determine the nominal Trip Setpoint, the predefined As Found Tolerance, and the As Left Tolerance band, and a listing of the setpoint design output documentation shall be specified in Chapter 7 of the Updated Final Safety Analysis Report.

(f) Channels affect ECCS Preferred Pump Logic and Unit Priority Re-trip Logic. Refer to LCO 3.3.8.3, Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic.

BFN-UNIT 2 3.3-45 Amendment No. 253, 296,

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 3.3 INSTRUMENTATION 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic LCO 3.3.8.3 The logic systems for each FUNCTION in Table 3.3.8.3-1 shall be OPERABLE.

APPLICABILITY: According to Table 3.3.8.3-1.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One or more required A.1 Restore ECCS Preferred 7 days ECCS Preferred Pump Pump Logic division to Logic divisions OPERABLE.

inoperable.

B. One CAS Logic division B.1 Restore logic division to 7 days inoperable. OPERABLE status.

C. One Unit Priority Re-Trip C.1 Restore logic division to 7 days Logic division inoperable. OPERABLE status.

D. Required Action and D.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> associated Completion Time of Condition A, B, or AND C not met in MODE 1, 2, or 3. D.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> (continued)

BFN-UNIT 2 3.3-80 Amendment No. 000 000

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME E. Required Action and E.1 -----------NOTE----------- Immediately associated Completion Only applicable in Time of Condition A not MODE 4 and 5.

met in MODE 4 or 5 with -------------------------------

Unit 1 in MODE 1, 2, or 3.

Declare associated ECCS components inoperable.

F. Two divisions of CAS F.1 Enter LCO 3.0.3. Immediately Logic inoperable.

OR Two divisions of Unit Priority Re-Trip Logic inoperable.

BFN-UNIT 2 3.3-81 Amendment No. 000

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.8.3.1 -----------------------NOTES-------------------------

1. When a division is placed in an inoperable status solely for performance of required Surveillance, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated redundant division is OPERABLE.

24 months

2. Breakers associated with Unit 1 are not required to actuate for proper completion of this Surveillance.

Perform LOGIC SYSTEM FUNCTIONAL TEST including breaker actuation.

BFN-UNIT 2 3.3-82 Amendment No. 000

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 Table 3.3.8.3-1 (page 1 of 1)

Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS),

and Unit Priority Re-Trip Logic APPLICABLE MODES OR OTHER SPECIFIED FUNCTION CONDITIONS REQUIRED DIVISIONS

1. ECCS Preferred Pump Logic 1,2,3 2 (a) (a) (b) 4 ,5
2. CAS Logic 1,2,3 2
3. Unit Priority Re-Trip Logic 1,2,3 2 (a) When associated RHR or Core Spray Pumps are required to be OPERABLE, or are in operation, and Unit 1 is in MODE 1, 2, or 3.

(b) The number of Required Divisions is dependent on the configuration of the RHR or Core Spray pumps required to be OPERABLE, or are in operation.

BFN-UNIT 2 3.3-83 Amendment No. 000

AC Sources - Operating 3.8.1 3.8 ELECTRICAL POWER SYSTEMS 3.8.1 AC Sources - Operating LCO 3.8.1 The following AC electrical power sources shall be OPERABLE:

a. Two qualified circuits between the offsite transmission network and the onsite Class 1E AC Electrical Power Distribution System;
b. Unit 1 and 2 diesel generators (DGs) with two divisions of 480 V load shed logic OPERABLE; and
c. Unit 3 DG(s) capable of supplying the Unit 3 4.16 kV shutdown board(s) required by LCO 3.8.7, "Distribution Systems -

Operating."

APPLICABILITY: MODES 1, 2, and 3.

ACTIONS

NOTE---------------------------------------------------

LCO 3.0.4.b is not applicable to DGs.

CONDITION REQUIRED ACTION COMPLETION TIME A. One required offsite A.1 Verify power availability 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> circuit inoperable. from the remaining OPERABLE offsite AND transmission network.

Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter AND (continued)

BFN-UNIT 2 3.8-1 Amendment No. 253, 286, 000

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME C. One division of 480 V C.1 Restore required division 7 days load shed logic of 480 V load shed logic inoperable. to OPERABLE status.

D. Two required offsite D.1 Declare required 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from circuits inoperable. feature(s) inoperable discovery of when the redundant Condition D required feature(s) are concurrent with inoperable. inoperability of redundant required feature(s)

AND D.2 Restore one required 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> offsite circuit to OPERABLE status.

(continued)

BFN-UNIT 2 3.8-4 Amendment No. 253, 000

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME

NOTE------------- -------------------NOTE----------------

Only applicable when more Enter applicable Conditions and than one 4.16 kV shutdown Required Actions of LCO 3.8.7, board is affected. "Distribution Systems -

Operating," when Condition E is entered with no AC power source E. One required offsite to any 4.16 kV shutdown board.

circuit inoperable. --------------------------------------------

AND E.1 Restore required offsite 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> circuit to OPERABLE One Unit 1 and 2 DG status.

inoperable.

OR E.2 Restore Unit 1 and 2 DG 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to OPERABLE status.

NOTE-------------

Applicable when only one 4.16 kV shutdown board is affected.

F. One required offsite F.1 Declare the affected Immediately circuit inoperable. 4.16 kV shutdown board inoperable.

AND One Unit 1 and 2 DG inoperable.

(continued)

BFN-UNIT 2 3.8-5 Amendment No. 253, 000

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME G. Two or more Unit 1 and 2 G.1 Restore all but one Unit 1 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> DGs inoperable. and 2 DG to OPERABLE status.

H. Required Action and H.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Associated Completion Time of Condition A, B, AND C, D, E, or G not met.

H.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> I. One or more required I.1 Enter LCO 3.0.3. Immediately offsite circuits and two or more Unit 1 and 2 DGs inoperable.

OR Two required offsite circuits and one or more Unit 1 and 2 DGs inoperable.

OR Two divisions of 480 V load shed logic inoperable.

(continued)

BFN-UNIT 2 3.8-6 Amendment No. 253, 000

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME J. One or more required J.1 Declare required 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from Unit 3 DGs inoperable. feature(s) supported by discovery of the inoperable Unit 3 DG Condition J inoperable when the concurrent with redundant required inoperability of feature(s) are inoperable. redundant required feature(s)

AND J.2 Declare affected SGT and 30 days CREVs subsystem(s) inoperable.

BFN-UNIT 2 3.8-7 Amendment No. 253, 000

Proposed Retyped Technical Specifications Pages for BFN, Unit 3 (11 pages including cover sheet)

BROWNS FERRY NUCLEAR PLANT TECHNICAL SPECIFICATIONS (REQUIREMENTS)

TABLE OF CONTENTS (continued)

Section Page No.

3.3 INSTRUMENTATION ................................................................ 3.3-1 3.3.1.1 Reactor Protection System (RPS) Instrumentation .............. 3.3-1 3.3.1.2 Source Range Monitor (SRM) Instrumentation..................... 3.3-10 3.3.2.1 Control Rod Block Instrumentation ....................................... 3.3-16 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation ........................................................ 3.3-22 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation ................. 3.3-24 3.3.3.2 Backup Control System ........................................................ 3.3-28 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT)

Instrumentation ............................................................... 3.3-30 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation ........................ 3.3-33 3.3.5.1 Emergency Core Cooling System (ECCS)

Instrumentation ............................................................... 3.3-36 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation ............................................................... 3.3-49 3.3.6.1 Primary Containment Isolation Instrumentation .................... 3.3-53 3.3.6.2 Secondary Containment Isolation Instrumentation ............... 3.3-62 3.3.7.1 Control Room Emergency Ventilation (CREV)

System Instrumentation .................................................. 3.3-66 3.3.8.1 Loss of Power (LOP) Instrumentation .................................. 3.3-71 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring ....................................................................... 3.3-76 3.3.8.3 Common Accident Signal (CAS) and Unit Priority Re-Trip Logic . 3.3-78 3.4 REACTOR COOLANT SYSTEM (RCS) .................................... 3.4-1 3.4.1 Recirculation Loops Operating ............................................. 3.4-1 3.4.2 Jet Pumps ............................................................................ 3.4-5 3.4.3 Safety/Relief Valves (S/RVs) ................................................ 3.4-7 3.4.4 RCS Operational LEAKAGE ................................................ 3.4-9 3.4.5 RCS Leakage Detection Instrumentation ............................. 3.4-12 3.4.6 RCS Specific Activity ............................................................ 3.4-15 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown .................................................. 3.4-18 (continued)

BFN-UNIT 3 ii Amendment No. 213, 000

ECCS Instrumentation 3.3.5.1 Table 3.3.5.1-1 (page 1 of 6)

Emergency Core Cooling System Instrumentation APPLICABLE CONDITIONS MODES REQUIRED REFERENCED FUNCTION OR OTHER CHANNELS FROM SURVEILLANCE ALLOWABLE SPECIFIED PER REQUIRED REQUIREMENTS VALUE CONDITIONS FUNCTION ACTION A.1

1. Core Spray System
a. Reactor Vessel Water Level 1,2,3, 4(b) B SR 3.3.5.1.1 398 inches Low Low Low, Level 1(f) 4(a), 5(a) SR 3.3.5.1.2 above vessel SR 3.3.5.1.5 zero SR 3.3.5.1.6
b. Drywell Pressure High(f) 1,2,3 4(b) B SR 3.3.5.1.2 2.5 psig SR 3.3.5.1.5 SR 3.3.5.1.6
c. Reactor Steam Dome 1,2,3 4(b) C SR 3.3.5.1.2 435 psig and Pressure Low (Injection 2 per trip SR 3.3.5.1.4 465 psig Permissive and ECCS system SR 3.3.5.1.6 Initiation)(f) 4(a), 5(a) 4 B SR 3.3.5.1.2 435 psig and 2 per trip SR 3.3.5.1.4 465 psig system SR 3.3.5.1.6
d. Core Spray Pump Discharge 1,2,3, 2 E SR 3.3.5.1.2 1647 gpm Flow Low (Bypass) 4(a), 5(a) 1 per SR 3.3.5.1.5 and subsystem 2910 gpm
e. Core Spray Pump Start Time Delay Relay Pumps A,B,C,D (with diesel 1,2,3, 4 C SR 3.3.5.1.5 6 seconds power) 4(a), 5(a) 1 per pump SR 3.3.5.1.6 and 8 seconds Pump A (with normal power) 1,2,3, 1 C SR 3.3.5.1.5 0 seconds 4(a), 5(a) SR 3.3.5.1.6 and 1 second Pump B (with normal power) 1,2,3, 1 C SR 3.3.5.1.5 6 seconds 4(a), 5(a) SR 3.3.5.1.6 and 8 seconds (continued)

(a) When associated subsystem(s) are required to be OPERABLE.

(b) Channels affect Common Accident Signal Logic. Refer to LCO 3.3.8.3, Common Accident Signal (CAS) and Unit Priority Re-Trip Logic.

(f) During instrument calibrations, if the As Found channel setpoint is conservative with respect to the Allowable Value but outside its acceptable As Found band as defined by its associated Surveillance Requirement procedure, then there shall be an initial determination to ensure confidence that the channel can perform as required before returning the channel to service in accordance with the Surveillance. If the As Found instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.

Prior to returning a channel to service, the instrument channel setpoint shall be calibrated to a value that is within the acceptable As Left tolerance of the setpoint; otherwise, the channel shall be declared inoperable.

The nominal Trip Setpoint shall be specified on design output documentation which is incorporated by reference in the Updated Final Safety Analysis Report. The methodology used to determine the nominal Trip Setpoint, the predefined As Found Tolerance, and the As Left Tolerance band, and a listing of the setpoint design output documentation shall be specified in Chapter 7 of the Updated Final Safety Analysis Report.

BFN-UNIT 3 3.3-43 Amendment No. 213, 254, 000

ECCS Instrumentation 3.3.5.1 Table 3.3.5.1-1 (page 2 of 6)

Emergency Core Cooling System Instrumentation APPLICABLE CONDITIONS MODES REQUIRED REFERENCED FUNCTION OR OTHER CHANNELS FROM SURVEILLANCE ALLOWABLE SPECIFIED PER REQUIRED REQUIREMENTS VALUE CONDITIONS FUNCTION ACTION A.1

1. Core Spray System (continued)
e. Core Spray Pump Start Time Delay Relay (continued)

Pump C (with normal power) 1,2,3, 1 C SR 3.3.5.1.5 12 seconds 4(a), 5(a) SR 3.3.5.1.6 and 16 seconds Pump D (with normal power) 1,2,3, 1 C SR 3.3.5.1.5 18 seconds 4(a), 5(a) SR 3.3.5.1.6 and 24 seconds

2. Low Pressure Coolant Injection (LPCI) System
a. Reactor Vessel Water Level 1,2,3, 4(g) B SR 3.3.5.1.1 398 inches Low Low Low, Level 1(f) 4 , 5(a)

(a) SR 3.3.5.1.2 above vessel SR 3.3.5.1.5 zero SR 3.3.5.1.6

b. Drywell Pressure High(f) 1,2,3 4(g) B SR 3.3.5.1.2 2.5 psig SR 3.3.5.1.5 SR 3.3.5.1.6
c. Reactor Steam Dome 1,2,3 4(g) C SR 3.3.5.1.2 435 psig and Pressure Low (Injection SR 3.3.5.1.4 465 psig Permissive and ECCS SR 3.3.5.1.6 Initiation)(f) 4(a), 5(a) 4 B SR 3.3.5.1.2 435 psig and SR 3.3.5.1.4 465 psig SR 3.3.5.1.6 (continued)

(a) When associated subsystem(s) are required to be OPERABLE.

(b) Deleted.

(f) During instrument calibrations, if the As Found channel setpoint is conservative with respect to the Allowable Value but outside its acceptable As Found band as defined by its associated Surveillance Requirement procedure, then there shall be an initial determination to ensure confidence that the channel can perform as required before returning the channel to service in accordance with the Surveillance. If the As Found instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.

Prior to returning a channel to service, the instrument channel setpoint shall be calibrated to a value that is within the acceptable As Left tolerance of the setpoint; otherwise, the channel shall be declared inoperable.

The nominal Trip Setpoint shall be specified on design output documentation which is incorporated by reference in the Updated Final Safety Analysis Report. The methodology used to determine the nominal Trip Setpoint, the predefined As Found Tolerance, and the As Left Tolerance band, and a listing of the setpoint design output documentation shall be specified in Chapter 7 of the Updated Final Safety Analysis Report.

(g) Channels affect Unit Priority Re-Trip Logic. Refer to LCO 3.3.8.3, Common Accident Signal (CAS) and Unit Priority Re-Trip Logic.

BFN-UNIT 3 3.3-44 Amendment No. 213, 254, 000

CAS and Unit Priority Re-Trip Logic 3.3.8.3 3.3 INSTRUMENTATION 3.3.8.3 Common Accident Signal (CAS) and Unit Priority Re-Trip Logic LCO 3.3.8.3 Two divisions of the following logic shall be OPERABLE.

a. CAS Logic, and
b. Unit Priority Re-Trip Logic APPLICABILITY: MODES 1, 2, and 3 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One CAS Logic Division A.1 Restore logic division to 7 days inoperable. OPERABLE status.

B. One Unit Priority Re-Trip B.1 Restore logic division to 7 days Logic Division inoperable. OPERABLE status.

C. Required Action and C.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> associated Completion Time of Condition A or B not met. AND C.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> D. Two divisions of CAS D.1 Enter LCO 3.0.3. Immediately Logic inoperable.

OR Two divisions of Unit Priority Re-Trip Logic inoperable.

(continued)

BFN-UNIT 3 3.3-79 Amendment No. 000 000

CAS and Unit Priority Re-Trip Logic 3.3.8.3 SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.8.3.1 --------------------------NOTE------------------------- 24 months When a division is placed in an inoperable status solely for performance of required Surveillance, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated redundant division is OPERABLE.

Perform LOGIC SYSTEM FUNCTIONAL TEST including breaker actuation.

BFN-UNIT 3 3.3-80 Amendment No. 000

AC Sources - Operating 3.8.1 3.8 ELECTRICAL POWER SYSTEMS 3.8.1 AC Sources - Operating LCO 3.8.1 The following AC electrical power sources shall be OPERABLE:

a. Two qualified circuits between the offsite transmission network and the onsite Class 1E AC Electrical Power Distribution System;
b. Unit 3 diesel generators (DGs) with two divisions of 480 V load shed logic OPERABLE; and
c. Unit 1 and 2 DG(s) capable of supplying the Unit 1 and 2 4.16 kV shutdown board(s) required by LCO 3.8.7, "Distribution Systems - Operating."

APPLICABILITY: MODES 1, 2, and 3.

ACTIONS

NOTE---------------------------------------------------

LCO 3.0.4.b is not applicable to DGs.

CONDITION REQUIRED ACTION COMPLETION TIME A. One required offsite A.1 Verify power availability 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> circuit inoperable. from the remaining OPERABLE offsite AND transmission network.

Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter AND (continued)

BFN-UNIT 3 3.8-1 Amendment No. 212, 244, 000

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME C. One division of 480 V C.1 Restore required division 7 days load shed logic of 480 V load shed logic inoperable. to OPERABLE status.

D. Two required offsite D.1 Declare required 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from circuits inoperable. feature(s) inoperable discovery of when the redundant Condition D required feature(s) are concurrent with inoperable. inoperability of redundant required feature(s)

AND D.2 Restore one required 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> offsite circuit to OPERABLE status.

(continued)

BFN-UNIT 3 3.8-4 Amendment No. 212, 000

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME

NOTE------------- -------------------NOTE----------------

Only applicable when more Enter applicable Conditions and than one 4.16 kV shutdown Required Actions of LCO 3.8.7, board is affected. "Distribution Systems -

Operating," when Condition E is entered with no AC power source E. One required offsite to any 4.16 kV shutdown board.

circuit inoperable. --------------------------------------------

AND E.1 Restore required offsite 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> circuit to OPERABLE One Unit 3 DG status.

inoperable.

OR E.2 Restore Unit 3 DG to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> OPERABLE status.

NOTE-------------

Applicable when only one 4.16 kV shutdown board is affected.

F. One required offsite F.1 Declare the affected Immediately circuit inoperable. 4.16 kV shutdown board inoperable.

AND One Unit 3 DG inoperable.

(continued)

BFN-UNIT 3 3.8-5 Amendment No. 212, 000

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME G. Two or more Unit 3 DGs G.1 Restore all but one Unit 3 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> inoperable. DG to OPERABLE status.

H. Required Action and H.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Associated Completion Time of Condition A, B, AND C, D, E, or G not met.

H.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> I. One or more required I.1 Enter LCO 3.0.3. Immediately offsite circuits and two or more Unit 3 DGs inoperable.

OR Two required offsite circuits and one or more Unit 3 DGs inoperable.

OR Two divisions of 480 V load shed logic inoperable.

(continued)

BFN-UNIT 3 3.8-6 Amendment No. 212, 000

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME J. One or more required J.1 Declare required 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from Unit 1 and 2 DGs feature(s) supported by discovery of inoperable. the inoperable Unit 1 and Condition J 2 DG inoperable when the concurrent with redundant required inoperability of feature(s) are inoperable. redundant required feature(s)

AND J.2 Declare affected SGT and 30 days CREVs subsystem(s) inoperable.

BFN-UNIT 3 3.8-7 Amendment No. 212, 000

ATTACHMENT 3 Proposed Technical Specifications Bases Pages (Markups) for BFN, Units 1, 2, and 3 (86 pages including cover sheet)

Proposed Technical Specifications Bases Pages (Markups) for BFN, Unit 1 (30 pages including cover sheet)

BROWNS FERRY NUCLEAR PLANT TECHNICAL SPECIFICATIONS (BASES)

TABLE OF CONTENTS (continued)

Section Page No.

B 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT)

Instrumentation ............................................................... B 3.3-105 B 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation ....................... B 3.3-117 B 3.3.5.1 Emergency Core Cooling System (ECCS)

Instrumentation ............................................................... B 3.3-128 B 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation ............................................................... B 3.3-176 B 3.3.6.1 Primary Containment Isolation Instrumentation ................... B 3.3-187 B 3.3.6.2 Secondary Containment Isolation Instrumentation .............. B 3.3-223 B 3.3.7.1 Control Room Emergency Ventilation (CREV)

System Instrumentation .................................................. B 3.3-237 B 3.3.8.1 Loss of Power (LOP) Instrumentation .................................. B 3.3-253 B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring............................................................ B 3.3-266 B 3.4 REACTOR COOLANT SYSTEM (RCS) .................................... B 3.4-1 B 3.4.1 Recirculation Loops Operating............................................. B 3.4-1 B 3.4.2 Jet Pumps ............................................................................ B 3.4-11 B 3.4.3 Safety/Relief Valves (S/RVs) ............................................... B 3.4-17 B 3.4.4 RCS Operational LEAKAGE ................................................ B 3.4-23 B 3.4.5 RCS Leakage Detection Instrumentation ............................. B 3.4-30 B 3.4.6 RCS Specific Activity............................................................ B 3.4-37 B 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown ..................................... B 3.4-42 B 3.4.8 Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown ................................... B 3.4-49 B 3.4.9 RCS Pressure and Temperature (P/T) Limits ...................... B 3.4-55 B 3.4.10 Reactor Steam Dome Pressure............................................ B 3.4-67 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic...............B 3.3-275 (continued)

BFN-UNIT 1 ii Revision 0

ECCS Instrumentation B 3.3.5.1 B 3.3 INSTRUMENTATION B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient.

For most anticipated operational occurrences and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.

The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant signals for ECCS injection (HPCI), and the Automatic Depressurization System Preferred Pump Logic, (ADS). The equipment involved with each of these systems is Common Accident described in the Bases for LCO 3.5.1, "ECCS - Operating."

Signal Logic, and Unit Priority Re-trip Logic Portions of the ECCS instrumentation also provide for the generation of the Common Accident Signal which initiate the DGs and EECW System. Refer to LCO 3.8.1, "AC Systems-Operating," for operability requirements of the ECCS Preferred Common Accident Signal Logic. LCO 3.3.8.3, "Emergency Core Cooling Pump Logic, System (ECCS) Preferred Pump, Common Accident Core Spray System Common Accident Signal (CAS), and Signal Logic, and Unit Priority Re-trip Logic,"

Unit Priority Re-trip Logic The CS System may be initiated by automatic means. Each pump can be controlled manually by a control room remote switch. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or both Drywell Pressure - High and Reactor Steam Dome Pressure - Low.

Reactor water level and drywell pressure are each monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of these trip units are connected to (continued)

BFN-UNIT 1 B 3.3-128 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES (continued)

APPLICABLE The actions of the ECCS are explicitly assumed in the safety SAFETY ANALYSES, analyses of References 1, 2, and 3. The ECCS is initiated LCO, and to preserve the integrity of the fuel cladding by limiting APPLICABILITY the post LOCA peak cladding temperature to less than the 10 CFR 50.46 limits.

ECCS instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 5). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function ECCS Preferred Pump Logic must have a required number of OPERABLE channels, with and Common Accident their setpoints within the specified Allowable Values, where Signal Logic which are appropriate. The setpoint is calibrated consistent with addressed in LCO 3.3.8.3, applicable setpoint methodology assumptions (nominal trip "Emergency Core Cooling setpoint). Table 3.3.5.1-1, footnote (b), is added to show that System (ECCS) Preferred certain ECCS instrumentation Function channels affect Pump, Common Accident Common Accident Signal Logic which is addressed in Signal (CAS), and Unit LCO 3.8.1, "AC Sources - Operating."

Priority Re-Trip Logic."

Table 3.3.5.1-1, footnote (f), Allowable Values are specified for each ECCS Function is added to show that certain specified in the table and contained in design output ECCS instrumentation documents, which for instrument functions that have a specific Function channels affect ECCS Preferred Pump Logic footnote in Table 3.3.1.1-1, is incorporated by reference in and Unit Priority Re-trip Chapter 7 of the Updated Final Safety Analysis Report Logic which are addressed (UFSAR). For these, the methodology used to determine the in LCO 3.3.8.3. nominal trip setpoint, the predefined as-found tolerance, the as-left tolerance band, and a listing of the setpoint design output documentation is specified in Chapter 7 of the UFSAR.

Nominal trip setpoints are specified in the setpoint calculations.

The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less (continued)

BFN-UNIT 1 B 3.3-136 Revision 0, 41 November 09, 2006

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE Core Spray and Low Pressure Coolant Injection Systems SAFETY ANALYSES, LCO, and 1.a, 2.a. Reactor Vessel Water Level - Low Low Low, Level 1 APPLICABILITY (LS-3-58A-D)

(continued)

Low reactor pressure vessel (RPV) water level indicates that ECCS Preferred Pump the capability to cool the fuel may be threatened. Should RPV Logic, Common Accident water level decrease too far, fuel damage could result. The low Signal Logic, and Unit pressure ECCS are initiated at Level 1 to ensure that core Priority Re-trip Logic (Refer spray and flooding functions are available to prevent or to LCO 3.3.8.3, "Emergency minimize fuel damage. The Reactor Vessel Water Level - Low Core Cooling System Low Low, Level 1 is also utilized in the development of the (ECCS) Preferred Pump, Common Accident Signal which initiates the DGs and EECW Common Accident Signal System. (Refer to LCO 3.8.1, "AC Sources - Operating," for (CAS), and Unit Priority Re- operability requirements of the Common Accident Signal Logic).

Trip Logic," for operability The Reactor Vessel Water Level - Low Low Low, Level 1 is requirements of the ECCS one of the Functions assumed to be OPERABLE and capable Preferred Pump Logic, Common Accident Signal of initiating the ECCS during the transients analyzed in Logic, and Unit Priority Re- References 1 and 3. In addition, the Reactor Vessel Water trip Logic) Level - Low Low Low, Level 1 Function is directly assumed in the analysis of the recirculation line break (Ref. 2). The core cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level - Low Low Low, Level 1 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

(continued)

BFN-UNIT 1 B 3.3-138 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.a, 2.a. Reactor Vessel Water Level - Low Low Low, Level 1 SAFETY ANALYSES, (LS-3-58A-D) (continued)

LCO, and APPLICABILITY acceptable as-left tolerance, the channel shall be declared inoperable. Also, after the Surveillance is completed, the channel's as-found condition will be documented in the Corrective Action Program. As part of the activities of the Corrective Action Program, additional evaluations and potential corrective actions will be performed as necessary to ensure that any as-found setting, which is conservative to the Allowable Value, but outside the acceptable as-found band is evaluated for long-term reliability trends.

1.b, 2.b. Drywell Pressure - High (PIS-64-58A-D)

ECCS Preferred Pump High pressure in the drywell could indicate a break in the Logic, Common Accident reactor coolant pressure boundary (RCPB). The low pressure Signal Logic, and Unit ECCS is initiated upon receipt of the Drywell Pressure - High Priority Re-trip Logic (Refer Function in order to minimize the possibility of fuel damage.

to LCO 3.3.8.3, "Emergency The Drywell Pressure - High is also utilized in the development Core Cooling System of the Common Accident Signal which initiates the DGs and (ECCS) Preferred Pump, EECW System. (Refer to LCO 3.8.1, "AC Sources - Operating" Common Accident Signal for operability requirements of the Common Accident Signal (CAS), and Unit Priority Re-Trip Logic," for operability Logic). The Drywell Pressure - High Function, along with the requirements of the ECCS Reactor Steam Dome Pressure - Low Function, are directly Preferred Pump Logic, assumed in the analysis of the recirculation line break (Ref. 2).

Common Accident Signal The core cooling function of the ECCS, along with the scram Logic, and Unit Priority Re- action of the RPS, ensures that the fuel peak cladding trip Logic) temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

(continued)

BFN-UNIT 1 B 3.3-140 Revision 0, 41 November 09, 2006

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.b, 2.b. Drywell Pressure - High (PIS-64-58A-D) (continued)

SAFETY ANALYSES, LCO, and acceptable as-left tolerance, the channel shall be declared APPLICABILITY inoperable. Also, after the Surveillance is completed, the channel's as-found condition will be documented in the Corrective Action Program. As part of the activities of the Corrective Action Program, additional evaluations and potential corrective actions will be performed as necessary to ensure that any as-found setting, which is conservative to the Allowable Value, but outside the acceptable as-found band is evaluated for long-term reliability trends.

1.c, 2.c. Reactor Steam Dome Pressure - Low (Injection Permissive and ECCS Initiation)

(PIS-3-74A and B; PIS-68-95 and 96)

Low reactor steam dome pressure signals are used as ECCS Preferred Pump permissives for the low pressure ECCS subsystems. This Logic, Common Accident ensures that, prior to opening the injection valves of the low Signal Logic, and Unit pressure ECCS subsystems, the reactor pressure has fallen to Priority Re-trip Logic (Refer a value below these subsystems' maximum design pressure.

to LCO 3.3.8.3, "Emergency The Reactor Steam Dome Pressure - Low is also utilized in the Core Cooling System (ECCS) Preferred Pump, development of the Common Accident Signal which initiates the Common Accident Signal DGs and EECW System. (Refer to LCO 3.8.1, "AC Sources -

(CAS), and Unit Priority Re- Operating," for operability requirements of the Common Trip Logic," for operability Accident Signal Logic). The Reactor Steam Dome Pressure -

requirements of the ECCS Low is one of the Functions assumed to be OPERABLE and Preferred Pump Logic, capable of permitting initiation of the ECCS during the Common Accident Signal transients analyzed in References 1 and 3. In addition, the Logic, and Unit Priority Re- Reactor Steam Dome Pressure - Low Function is directly trip Logic) assumed in the analysis of the recirculation line break (Ref. 2).

The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

(continued)

BFN-UNIT 1 B 3.3-141a Revision 41 November 09, 2006

ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE SR 3.3.5.1.3, SR 3.3.5.1.4, and SR 3.3.5.1.5 REQUIREMENTS (continued) A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequencies of SR 3.3.5.1.3, SR 3.3.5.1.4, and SR 3.3.5.1.5 are based upon the magnitude of equipment drift in the setpoint analysis.

SR 3.3.5.1.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation for a specific channel.

The LOGIC SYSTEM The system functional testing performed in LCO 3.5.1, FUNCTIONAL TEST LCO 3.5.2, LCO 3.7.2, and LCO 3.8.1 overlaps this performed in LCO 3.3.8.3 Surveillance to complete testing of the assumed safety function.

overlaps this Surveillance to The LOGIC SYSTEM FUNCTIONAL TEST shall include a assure complete testing of calibration of time delay relays and timers necessary for proper the assumed safety function functioning of the logic.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience with these components supports performance of the Surveillance at the 24 month Frequency.

(continued)

BFN-UNIT 1 B 3.3-174 Revision 1. 43, 47, 65 May 31, 2012

<TS Bases 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 B 3.3.8.3 INSTRUMENTATION B 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic BASES BACKGROUND In the event of an accident signal in either Unit 1 or Unit 2, all of the ECCS equipment associated with the accident unit will start. All eight diesel generators in the plant will be started on an accident signal in any unit as a pre-emergency action in case of a subsequent power blackout.

The diesel generators and Standby AC Power System are designed to accommodate spurious accident signals from any unit and in any order, real followed by a spurious signal, real coincident with a spurious signal, and spurious followed by a real accident signal. If the ECCS loads for both Units 1 and 2 were allowed to start during combinations of real and spurious accident signals, the combined Unit 1/2 ECCS pumps would overload the 4KV shutdown boards and their associated diesel generators.

During combinations of real and spurious accident signals, the Units 1 and 2 ECCS preferred pump logic will assign the Unit 1 ECCS loads to the Division I 4KV shutdown boards and the Unit 2 ECCS loads to the Division II 4KV shutdown boards. If any Residual Heat Removal (RHR) or Core Spray pumps were already running in the opposite unit (e.g., for shutdown cooling), the core spray and low pressure coolant injection (LPCI) logic (i.e., LCO 3.3.5.1 Functions 1.a, 1.b, 1.c, 2.a, 2.b, 2.c) would send redundant signals to initiate the ECCS preferred pump logic to trip the opposite units running RHR and Core Spray pumps. The ECCS preferred pump logic signal also inhibits the RHR and Core Spray pumps automatic start logic in the opposite unit (after 60 seconds, manual control of the pumps is restored). This ensures that any running RHR or Core Spray pumps in the opposite unit would be tripped, unloading the Unit 1/2 4KV shutdown boards prior to the accident unit starting its ECCS pumps on a real accident signal. For combinations of real and spurious accident signals, the Unit 1 and 2 ECCS preferred pump logic would allow the Unit 1 Division I RHR and Core Spray pumps (1A and 1C) to start and load on the Division I 4KV shutdown boards, and the Unit 2 Division II RHR and Core Spray pumps (2B and 2D) to start and load on the Division II 4KV shutdown boards. This action would ensure that the shared Unit 1/2 4KV shutdown boards are not overloaded while still maintaining the minimum number of required ECCS injection subsystems.

If an accident signal were initiated in only one unit (Unit 1 or 2) and any RHR or Core Spray pumps were already running in the opposite non-accident unit (e.g., for shutdown cooling), the Core Spray and LPCI logic would send redundant signals to initiate the ECCS preferred pump logic BFN-UNIT 1 B 3.3-275 Rev.

<TS Bases 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES to trip all of the non-accident units running RHR and Core Spray pumps.

This ensures that any running RHR or Core Spray pumps in the non-accident unit would be tripped, unloading the Unit 1 and 2 4kV shutdown boards prior to the accident unit starting all of its ECCS pumps (both divisions) on an accident signal, with or without a loss of offsite power.

The Core Spray low reactor vessel water level (LCO 3.3.5.1 Function 1.a) or high drywell pressure (LCO 3.3.5.1 Function 1.b) coincident with low reactor pressure signals (LCO 3.3.5.1 Function 1.c) are used to generate a CAS, which affects the operation of components associated with all three units. The CAS performs the following functions:

  • sends a signal to start all eight diesel generators for Unit 1/2 and Unit 3
  • trips the diesel generator output breakers (if closed)
  • defeats selected diesel generator protective trips
  • blocks the 4kV Shutdown Board auto transfer logic
  • trips and blocks the fire pumps A, B, and C auto start logic
  • blocks subsequent RHRSW (aligned to EECW) pump start signal (if already running)
  • blocks the 4kV degraded voltage trips
  • trips the RHRSW pumps A2 and C2
  • trips the Raw Cooling Water (RCW) pump 1D Following the initiation of a CAS on either Unit 2 or 3 (which trips all eight diesel breakers), subsequent accident signal trips of the diesel breakers are blocked. A second diesel breaker trip on a "unit priority" basis is provided to ensure that during combinations of spurious and real accident signals, the diesel supplied buses are stripped prior to starting the RHR pumps and other ECCS loads. This diesel breaker re-trip would only occur if a spurious accident signal or a real accident signal from the other unit had previously tripped the diesel breakers. Inputs from the LPCI initiation circuitry indicating low reactor vessel water level (LCO 3.3.5.1 Function 2.a) or high drywell pressure (LCO 3.3.5.1 Function 2.b) coincident with low reactor pressure (LCO 3.3.5.1 Function 2.c),

combined with an existing CAS trip signal, will re-trip the diesel breakers on the unit where the LPCI initiation signal originated. The other unit's diesels would be unaffected by this second trip. Thus each unit is given priority over the block of subsequent CAS diesel breaker trips for its diesels. This diesel breaker Unit Priority Re-Trip ensures that the diesel buses are stripped prior to starting the RHR (LPCI) pumps, Core Spray pumps and other required loads. For Units 1 and 2 only, with a real and spurious accident signal present, the Unit 1 initiated unit priority re-trip signal will only re-trip the Division I diesel breakers while the Unit 2 initiated unit priority re-trip signal will only re-trip the Division II diesel breakers. This would ensure that a spurious unit priority re-trip signal BFN-UNIT 1 B 3.3-276 Rev.

<TS Bases 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES would not re-trip all four Unit 1/2 diesel breakers, which would result in interrupting both divisions RHR and Core Spray pumps supplying the opposite unit in a real accident.

The ECCS Preferred Pump, CAS, and Unit Priority Re-Trip logics are discussed in the UFSAR, Sections 7.4.3 and 8.5.4 (Refs. 1 and 2, respectively).

APPLICABLE For Units 1 and 2 only, the RHR and Core Spray pumps for both units are SAFETY powered from the same 4kV shutdown boards. If the ECCS loads for ANALYSES, both Units 1 and 2 were allowed to start during combinations of real and LCO, and spurious accident signals, the combined Unit 1/2 ECCS pumps would APPLICABILITY overload the 4kV shutdown boards and their associated diesel generators on a loss of offsite power, and the 4kV shutdown buses if normal power were available. The Unit 1/2 ECCS Preferred Pump Logic ensures that the shared Unit 1/2 kV shutdown boards are not overloaded while still maintaining the minimum number of required ECCS injection subsystems.

The Core Spray logic initiated CAS and the LPCI logic initiated Unit Priority Re-Trip are required to ensure that the shared Unit 1/2 4KV shutdown boards are stripped prior to starting the RHR pumps, Core Spray pumps, and other required loads when the shutdown boards are being supplied by the diesel generators.

The ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

The OPERABILITY of the ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic is dependent upon the OPERABILITY of the individual logic Functions specified in Table 3.3.8.3-1. Each Function must have the required number of divisions. In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS initiation to mitigate the consequences of a design basis transient or accident. There are no Allowable Values associated with these logic systems.

Table 3.3.8.3-1 Footnote (a) is added to address ECCS Preferred Pump Logic OPERABILITY requirements in MODES 4 and 5 and Unit 2 is in MODE 1, 2, or 3. Table 3.3.8.3-1 Footnote (b) is added to address the number of Required Divisions in MODES 4 and 5. Either Division I, Division II, or both may be required to be OPERABLE in MODE 4 or 5.

RHR and Core Spray Pumps 1A and 1C, respectively, are associated with Division I, while RHR and Core Spray pumps 1B and 1D, respectively, are associated with Division II.

Two divisions of CAS and Unit Priority Re-Trip Logics are required to be OPERABLE to ensure that at least one is available, assuming that a BFN-UNIT 1 B 3.3-277 Rev.

<TS Bases 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES single failure disables the other division coincident with a DBA. These logic systems must be OPERABLE to ensure the DGs would perform and alignments would occur as assumed during a DBA.

In MODES 1, 2, and 3, the CAS and Unit Priority Re-Trip Logics are required to be OPERABLE consistent with the OPERABILITY requirements of the diesel generators.

In MODES 4, and 5, the CAS and Unit Priority Re-Trip Logic are not required to be OPERABLE because the diesel generators are not required to be OPERABLE.

ACTIONS A.1 With one or more division(s) of ECCS Preferred Pump Logic inoperable, the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 7 day Completion Time takes into account a reasonable time for repairs, and the low probability of a DBA occurring during this period.

B.1 With one division of CAS Logic inoperable, the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of CAS Logic is capable of performing its intended function.

The 7 day Completion Time takes into account the capability of the remaining division of common accident signal logic, reasonable time for repairs, and the low probability of a DBA occurring during this period.

C.1 With one division of Unit Priority Re-Trip Logic inoperable, the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of Unit Priority Re-Trip Logic is capable of performing its intended function.

BFN-UNIT 1 B 3.3-278 Rev.

<TS Bases 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES The 7 day Completion Time takes into account the capability of the remaining division of common accident signal logic, reasonable time for repairs, and the low probability of a DBA occurring during this period.

D.1 and D.2 If the required ECCS Preferred Pump, CAS, or Unit Priority Re-Trip Logic division(s) cannot be restored to OPERABLE status within the associated Completion Time in MODE 1, 2, or 3, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, and in MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1 and E.2 If the required ECCS Preferred Pump Logic division(s) cannot be restored to OPERABLE status within the associated Completion Time in MODE 4 or 5, the associated ECCS components must be declared inoperable.

F.1 Condition F corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

SURVEILLANCE SR 3.3.8.3.1 REQUIREMENTS The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the ECCS Preferred Pump Logic for a specific division.

The system functional test of the breakers is included as a part of this test, overlapping the LOGIC SYSTEM FUNCTIONAL TEST, to provide complete testing of the safety function. Therefore, if a breaker is incapable of operating, the associated logic would also be inoperable.

The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlaps this Surveillance to complete testing of the assumed safety function.

The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the CAS and Unit Priority Re-Trip Logics for a specified division. The LOGIC SYSTEM FUNCTIONAL TEST performed in BFN-UNIT 1 B 3.3-279 Rev.

<TS Bases 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES LCO 3.3.5.1 and the DG testing performed by SR 3.8.1.6 overlap this Surveillance to complete testing of the assumed safety function.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience with these components supports performance of the Surveillance at the 24 month Frequency.

SR 3.3.8.3.1 is modified by two Notes. Note 1 indicates that when a channel is placed in an inoperable status solely for performance of Surveillance, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated redundant division is OPERABLE Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the division must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on Probabilistic Risk Assessment (PRA) performed by TVA (Ref. 3) in accordance with RG 1.177 (Ref. 4). The PRA demonstrated that the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that the ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logics will initiate when necessary.

Note 2 indicates that testing of the Unit 2 breakers is not required for a successful test. This allowance is necessary to preclude unnecessary challenges to an operating unit. Testing of the Unit 2 breakers is required by Unit 2 SR 3.3.8.3.1.

REFERENCES 1. UFSAR, Section 7.4.3.

2. UFSAR, Section 8.5.4.
3. PRA Evaluation Response BFN-0-14-042, Revision 2.
4. Regulatory Guide (RG) 1.177, "An Approach For Plant-Specific Decision Making: Technical Specifications."

BFN-UNIT 1 B 3.3-280 Rev.

ECCS - Operating B 3.5.1 BASES BACKGROUND at 0.2 seconds when offsite power is available and B, C, and D (continued) pumps approximately 7, 14, and 21 seconds afterwards and if offsite power is not available all pumps 7 seconds after diesel generator power is available). When the RPV pressure drops sufficiently, CS System flow to the RPV begins. A full flow test line is provided to route water from and to the suppression pool to allow testing of the CS System without spraying water in the RPV.

LPCI is an independent operating mode of the RHR System.

There are two LPCI subsystems (Ref. 2), each consisting of two motor driven pumps and piping and valves to transfer water from the suppression pool to the RPV via the corresponding recirculation loop.

The two LPCI pumps and associated motor operated valves in each LPCI subsystem are powered from separate 4 kV shutdown boards. Both pumps in a LPCI subsystem inject water into the reactor vessel through a common inboard injection valve and depend on the closure of the recirculation pump discharge valve following a LPCI injection signal.

Therefore, each LPCI subsystem's common inboard injection valve and recirculation pump discharge valve are powered from one of the two 4 kV shutdown boards associated with that subsystem.

ECCS Preferred Pump Logic In the event of a spurious accident signal in Unit 2 combined with a real accident in Unit 1 (or a spurious accident signal in Unit 1 with a real accident in Unit 2) the CS and LPCI preferred pump logic will dedicate the Division I CS and LPCI pumps to Unit 1 (1A and 1C) and the Division II pumps to Unit 2 (2B and 2D). Therefore, a spurious accident signal from Unit 2 (which is considered a single failure) results in two RHR pumps and one CS loop (two CS pumps) OPERABLE for Unit 1 (refer to Bases Section B 3.8.1). This is acceptable in 3.3.8.3 (continued)

BFN-UNIT 1 B 3.5-3 Revision 0, 33, 47, 65 May 31, 2012

AC Sources - Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources - Operating BASES BACKGROUND The unit Class 1E AC Electrical Power Distribution System AC circuits consist of the offsite power sources (preferred power sources, normal and alternates), and the onsite standby power sources (Unit 1 and 2 diesel generators (DGs) A, B, C, and D, and Unit 3 DGs 3A, 3B, 3C, and 3D). As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.

The Class 1E AC distribution system is divided into redundant divisions, so loss of any one division does not prevent the minimum safety functions from being performed. Each of four 4.16 kV shutdown boards has two offsite power circuits available and a single DG. Only offsite power delivered through the normal feeder breakers can be credited since common accident signal (CAS) logic (CAS A/CAS B) will trip the alternate breaker. This prevents an overload condition if all (See LCO 3.3.8.3, shutdown boards had been aligned to the same shutdown bus, "Emergency Core and thus to the same transformer winding.

Cooling System (ECCS) Preferred An offsite circuit consists of all breakers, transformers, Pump, Common switches, interrupting devices, cabling, and controls required to Accident Signal transmit power from the offsite transmission network to the A (CAS), and Unit and B (Division I) or C and D (Division II) 4.16 kV shutdown Priority Re-Trip Logic.")

boards. Offsite power is supplied to the 161 kV and 500 kV (continued)

BFN-UNIT 1 B 3.8-1 Revision 0, 52 May 11, 2007

AC Sources - Operating B 3.8.1 BASES BACKGROUND Shutdown bus 1 normally feeds 4.16 kV shutdown boards A and (continued) B and shutdown bus 2 normally feeds 4.16 kV shutdown boards C and D. The 4.16 kV shutdown boards are normally aligned to power associated divisional 480 V safety equipment (two divisions per unit). This results in one DG powering only one 480 V division of one unit, and some of that same division's 4.16 kV loads for both Units 1 and 2. A detailed description of the offsite power network and circuits to the onsite Class 1E ESF buses is found in the FSAR, Chapter 8 (Ref. 2).

USST 1B and 2B are sized to accommodate all required ESF loads on receipt of an accident signal on Unit 1, while also (LCO 3.3.8.3) carrying all the required safety loads of Unit 2 operating at full power. The Common Accident Signal (CAS) logic is initiated by a Loss of Coolant Accident (LOCA) from either Units 1, 2, or 3 on a low reactor water level signal or on a high drywell pressure signal coincident with a low reactor pressure signal. The CAS logic trips non-essential 4kV loads to ensure that the 4.16 kV shutdown buses are not overloaded during a LOCA with normal power available.

If a LOCA were to occur on Unit 1 with a loss of the normal 500 kV offsite circuit from USST 1B, the 4.16 kV Shutdown Buses and safety related ESF loads would automatically transfer to the alternate 500 kV offsite circuit supplied from USST 2B. The Unit 1 non-safety related loads on 4.16 kV Unit Boards 1A, 1B, 1C, and 4.16 kV Common Board A would automatically transfer to the CSST supplied 4.16 kV Start Buses. The offsite power circuits through the CSSTs have sufficient capacity to support the automatic transfer of the Unit 1 non-safety related loads when there are no loads from the other units already aligned to the 4.16 kV Start Buses.

The CSSTs do not have sufficient capacity to support the automatic transfer of the Unit 1 non-safety related and safety-related ESF loads during plant conditions where the alternate 500 kV circuit is not available. Nor do they have (continued)

BFN-UNIT 1 B 3.8-3 Revision 0, 10, 37, 42 November 16, 2006

AC Sources - Operating B 3.8.1 BASES BACKGROUND the trip of offsite power, an under or degraded voltage activated (continued) load shed logic strips all loads from the 4.16 kV Shutdown Board. Feeder breakers to transformers supplying auxiliary power system distribution boards are not load shed on undervoltage. When the DG is tied to the 4.16 kV shutdown board, large loads are then sequentially connected to its respective 4.16 kV shutdown board by individual pump timers.

The individual pump timers control the permissive and starting signals to motor breakers to prevent overloading the DG.

In the event of a loss of offsite power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a LOCA.

Certain required plant loads are returned to service in a predetermined sequence in order to prevent overloading of the DGs in the process. Within 40 seconds after the initiating signal (DG breaker closure with accident signal) is received, all automatic and permanently connected loads needed to recover the unit or maintain it in a safe condition are returned to service.

In the event that the DGs were already running and loaded on (LCO 3.3.8.3) the receipt of a spurious or real common accident signal (CAS A/CAS B) from Unit 3, any diesel generator output breakers which are closed are signaled to open to load shed the running loads off of the DG. After the DG breaker closing springs recharge, the DG breakers will reclose and tie the DG to the 4.16 kV shutdown board. Loads are then sequentially connected to its respective 4.16 kV shutdown board by individual pump timers as described above. Any subsequent common accident signal DG breaker trip signals are blocked.

Should a second RHR initiation signal be received (i.e., from a spurious or real accident signal from Unit 1), the Unit 1/2 diesel generator output breakers will be reopened on a unit priority (continued)

BFN-UNIT 1 B 3.8-4 Revision 0, 10, 30, 42 47 March 22, 2007

AC Sources - Operating B 3.8.1 (LCO 3.3.8.3)

BASES BACKGROUND re-trip signal to ensure that the diesels are load shed to allow (continued) the Unit 1 pumps to correctly sequence onto the boards. With a real and spurious accident signal present between Units 1 and 2, the ECCS preferred pump logic ensures that the Unit 1 initiated unit priority re-trip signal will only re-trip the Division I Unit 1/2 diesel breakers while the Unit 2 initiated unit priority re-trip signal will only re-trip the Division II diesel breakers.

This will ensure that a spurious unit priority re-trip signal will not re-trip all four Unit 1/2 diesel breakers, which would result in interrupting both divisions RHR and Core Spray pumps supplying the opposite unit in a real accident. After the DG breakers reclose, loads are then sequentially connected to its respective 4.16 kV shutdown board by individual pump timers as described above.

Rating for the DGs satisfies the intent of Safety Guide 9 (Reference 3). DG engine continuous and short-time maximum steady state active power output (running kW) is denoted below as non-derated rating/derated rating. Non-derated rating is for intake air temperatures less than or equal to 90qF. The derated rating is for either intake air temperatures greater than 90qF or a combination of intake air temperatures greater than 90qF and engine cooling heater outlet temperature greater than 190qF.

For the DG engine, instantaneous cold and hot maximum instantaneous active power (running kW plus starting kW) is denoted in the table as non-derated rating. Due to BFNs elevation is less than 800 feet above sea level with maximum intake air temperatures of less than 115qF, the maximum instantaneous active power output does not require derating for temperature at BFN (Reference 12):

(continued)

BFN-UNIT 1 B 3.8-4a Revision 47 March 22, 2007

AC Sources - Operating B 3.8.1 BASES (continued)

LCO Two qualified circuits between the offsite transmission network and the onsite Class 1E Distribution System, four separate and independent Unit 1 and 2 DGs (A, B, C, and D), and the Unit 3 DG(s) needed to support required Standby Gas Treatment (SGT) trains and Control Room Emergency Ventilation System (CREVS) trains are required to be OPERABLE. Two divisions of 480 V load shed logic and two divisions of CAS logic are required to be OPERABLE to support Unit 1 and 2 DG OPERABILITY and post-accident loads. Unit 3 Technical Specifications will require the operability of all Unit 3 DGs and provide appropriate compensatory actions for inoperable Unit 3 DGs in support of Unit 3 operations. To support the operation of Unit 1, the Unit 1 LCO for AC Sources - Operating also requires the necessary Unit 3 DG(s) to support SGT and CREVS required by LCO 3.8.7, Distribution Systems -

Operating, for supplying the Unit 3 4.16 kV shutdown boards.

These requirements ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an abnormal operational transient or a postulated DBA.

Qualified offsite circuits are those that are described in the FSAR, and are part of the licensing basis for the unit. Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the 4.16 kV shutdown boards.

(continued)

BFN-UNIT 1 B 3.8-6 Revision 0, 52 May 11, 2007

AC Sources - Operating B 3.8.1 BASES LCO Each DG must be capable of starting, accelerating to rated (continued) speed and voltage, and connecting to its respective 4.16 kV shutdown board on detection of bus undervoltage. This sequence must be accomplished within 10 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the 4.16 kV shutdown board. The Unit 1 and 2 DGs are provided with a common 480 V load shed logic system with two redundant divisions. The common accident signal logic system, with two redundant divisions, is common to the Unit 1, 2, and 3 DGs.

This These logic systems must be OPERABLE to ensure the DGs will perform and alignments will occur as assumed during a DBA.

Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY.

The AC sources must be separate and independent (to the extent possible) of other AC sources. For the DGs, the separation and independence are complete. For the offsite AC sources, the separation and independence are to the extent practical. A qualified offsite circuit may be connected to more than one division of 4.16 kV shutdown boards and not violate separation criteria. A circuit that is not connected to the Division I or II 4.16 kV shutdown boards is required to have the capability to be connected to at least one division of 4.16 kV shutdown boards to be considered OPERABLE.

(continued)

BFN-UNIT 1 B 3.8-9 Revision 0, 52 May 11, 2007

AC Sources - Operating B 3.8.1 BASES ACTIONS C.1 (continued)

With one division of Unit 1 and 2 480 V load shed logic inoperable, the reliability of the DGs is degraded, and the potential for the loss of all four Unit 1 and 2 DGs is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of Unit 1 and 2 480 V load shed logic is capable of performing its intended function of limiting the loads on the Unit 1 and 2 DGs.

The 7 day Completion Time takes into account the capability of the remaining division of Unit 1 and 2 480 V load shed logic, reasonable time for repairs, and the low probability of a DBA occurring during this period.

D.1 With one division of common accident signal logic inoperable (including the DG breaker unit priority re-trip function and the CS and LPCI preferred pump logic function described in Bases Section B 3.8.1), the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of common accident signal logic is capable of performing its intended function of providing a start signal to the Unit 1 and 2 DGs during a DBA.

The 7 day Completion Time takes into account the capability of the remaining division of common accident signal logic, reasonable time for repairs, and the low probability of a DBA occurring during this period.

(continued)

BFN-UNIT 1 B 3.8-19 Revision 0, 47 March 22, 2007

AC Sources - Operating B 3.8.1 D

BASES ACTIONS E.1 and E.2 (continued)

Required Action E.1 addresses actions to be taken in the event of inoperability of redundant required features concurrent with inoperability of two required offsite circuits. Required D Action E.1 reduces the vulnerability to a loss of function. The Completion Time for taking these actions is reduced to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from that allowed with one or both 4.16 kV shutdown boards in a division without offsite power (Required Action A.2). The rationale for the reduction to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is that Regulatory Guide 1.93 (Ref. 6) allows a Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for two required offsite circuits inoperable, based upon the assumption that two complete safety divisions are OPERABLE.

When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is appropriate. These features are designed with redundant safety related divisions, (i.e., single division systems are not included in the list). Redundant required features failures consist of any of these features that are inoperable because any inoperability is on a division redundant to a division with inoperable offsite circuits. D The Completion Time for Required Action E.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. All required offsite circuits are inoperable; and
b. A required feature is inoperable.

(continued)

BFN-UNIT 1 B 3.8-20 Revision 0

AC Sources - Operating B 3.8.1 D

BASES ACTIONS E.1 and E.2 (continued)

If, at any time during the existence of this Condition (two offsite circuits inoperable), a required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

According to Regulatory Guide 1.93 (Ref. 6), operation may D continue in Condition E for a period that should not exceed 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of accessible offsite power sources.

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable. However, two factors tend to decrease the severity of this degradation level:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and
b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

(continued)

BFN-UNIT 1 B 3.8-21 Revision 0

AC Sources - Operating B 3.8.1 D

BASES ACTIONS E.1 and E.2 (continued)

With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.

According to Regulatory Guide 1.93 (Ref. 6), with the available offsite AC sources two less than required by the LCO, operation may continue for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If two offsite sources are restored within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, unrestricted operation may continue. If only one offsite source is restored within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, power operation E continues in accordance with Condition A.

F.1 and F.2 Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition F are modified by a Note to E indicate that when Condition F is entered with no AC source to any 4.16 kV shutdown board, ACTIONS for LCO 3.8.7, "Distribution Systems - Operating," must be immediately entered. This allows Condition F to provide requirements for the loss of the offsite circuit and one DG without regard to whether a 4.16 kV shutdown board is de-energized. LCO 3.8.7 provides the appropriate restrictions for a de-energized 4.16 kV shutdown board.

(continued)

BFN-UNIT 1 B 3.8-22 Revision 0

AC Sources - Operating B 3.8.1 BASES E

ACTIONS F.1 and F.2 (continued)

According to Regulatory Guide 1.93 (Ref. 6), operation may E continue in Condition F for a period that should not exceed 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. In Condition F, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in D Condition E (loss of both required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure.

The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period. E A Note has been added to Condition F to clarify that the Condition is only applicable when more than one shutdown board is affected. The situation where only one shutdown board is affected is covered by Condition G. F G.1 F

Condition G addresses the situation where both one required offsite circuit and one DG are inoperable and affect only one 4.16 kV shutdown board. The Note clarifies the applicability.

The Required Action is to declare the affected 4.16 kV shutdown board inoperable immediately. This requires entry into the applicable Conditions and Required Actions of LCO 3.8.7, "Distribution Systems - Operating," which provides the appropriate restrictions for the affected 4.16 kV shutdown board. LCO 3.8.1 Conditions and Required Actions continue to apply until the required offsite circuit and DG are made OPERABLE.

(continued)

BFN-UNIT 1 B 3.8-23 Revision 0

AC Sources - Operating B 3.8.1 BASES G

ACTIONS H.1 (continued)

With two or more DGs inoperable, an assumed loss of offsite electrical power may result in insufficient standby AC sources available to power the minimum required ESF functions. Since the offsite electrical power system may be the only source of AC power for the majority of ESF equipment at this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown. (The immediate shutdown could cause grid instability, which could result in a total loss of AC power.) Since any inadvertent unit generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

According to Regulatory Guide 1.93 (Ref. 6), with all DGs inoperable, operation may continue for a period that should not exceed 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

H I.1 and I.2 If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and to MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

BFN-UNIT 1 B 3.8-24 Revision 0

AC Sources - Operating B 3.8.1 BASES I

ACTIONS J.1 (continued)

Condition J corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost.

At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

J K.1 Required Action K.1 is intended to provide assurance that a loss of offsite power, during the period that a required Unit 3 DG is inoperable, does not result in a complete loss of safety function of critical systems (i.e., SGT or CREVS). These features consist of SGT or CREVS trains redundant to trains supported by the inoperable Unit 3 DG.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:

a. An inoperable required Unit 3 DG exists; and
b. An SGT or CREVS train supported by another DG, is inoperable.

(continued)

BFN-UNIT 1 B 3.8-25 Revision 0

AC Sources - Operating B 3.8.1 BASES J

ACTIONS K.1 (continued)

If, at any time during the existence of this Condition (a required Unit 3 DG inoperable), a required SGT or CREVS train subsequently becomes inoperable, this Completion Time begins to be tracked.

Discovering a required Unit 3 DG inoperable coincident with an inoperable SGT or CREVS train, or both, that are associated with the OPERABLE DGs results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.

(continued)

BFN-UNIT 1 B 3.8-26 Revision 0

AC Sources - Operating B 3.8.1 BASES J

ACTIONS K.2 (continued)

In Condition K, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System to support operation of Unit 1.

The 30 day Completion Time is commensurate with the importance of the affected system considering the low probability of a DBA in these conditions and the availability of the remaining power sources. If the inoperable Unit 3 DG cannot be restored to OPERABLE status within the associated Completion Time, the associated SGT or CREVS subsystem must be declared inoperable, and the ACTIONS in the appropriate system Specification taken.

SURVEILLANCE The AC sources are designed to permit inspection and testing REQUIREMENTS of all important areas and features, especially those that have a standby function. Periodic component tests are supplemented by extensive functional tests (under simulated accident conditions). The SRs for demonstrating the OPERABILITY of the DGs meet the intent of Safety Guide 9 (Ref. 3), as addressed by References 13 and 14.

Where the SRs discussed herein specify voltage and frequency tolerances, the following summary is applicable. A minimum steady state output voltage of t 3940 V is required for proper operation of the safety related loads supplied, as determined by BFN design bases analyses. This value allows for voltage drop to the terminals of 4000 V motors whose minimum operating voltage is specified as 90% or 3600 V in ANSI C84.1 (Ref. 9). It also allows for voltage drops to motors and other equipment down through the 120 V level where minimum operating voltage is also usually specified as 90% of (continued)

BFN-UNIT 1 B 3.8-27 Revision 0, 28 August 26, 2004

Proposed Technical Specifications Bases Pages (Markups) for BFN, Unit 2 (30 pages including cover sheet)

BROWNS FERRY NUCLEAR PLANT TECHNICAL SPECIFICATIONS (BASES)

TABLE OF CONTENTS (continued)

Section Page No.

B 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT)

Instrumentation ............................................................... B 3.3-108 B 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation ....................... B 3.3-120 B 3.3.5.1 Emergency Core Cooling System (ECCS)

Instrumentation ............................................................... B 3.3-131 B 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation ............................................................... B 3.3-179 B 3.3.6.1 Primary Containment Isolation Instrumentation ................... B 3.3-190 B 3.3.6.2 Secondary Containment Isolation Instrumentation .............. B 3.3-226 B 3.3.7.1 Control Room Emergency Ventilation (CREV)

System Instrumentation .................................................. B 3.3-240 B 3.3.8.1 Loss of Power (LOP) Instrumentation .................................. B 3.3-256 B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring............................................................ B 3.3-269 B 3.4 REACTOR COOLANT SYSTEM (RCS) .................................... B 3.4-1 B 3.4.1 Recirculation Loops Operating............................................. B 3.4-1 B 3.4.2 Jet Pumps ............................................................................ B 3.4-11 B 3.4.3 Safety/Relief Valves (S/RVs) ............................................... B 3.4-17 B 3.4.4 RCS Operational LEAKAGE ................................................ B 3.4-23 B 3.4.5 RCS Leakage Detection Instrumentation ............................. B 3.4-30 B 3.4.6 RCS Specific Activity............................................................ B 3.4-37 B 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown ..................................... B 3.4-42 B 3.4.8 Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown ................................... B 3.4-49 B 3.4.9 RCS Pressure and Temperature (P/T) Limits ...................... B 3.4-55 B 3.4.10 Reactor Steam Dome Pressure............................................ B 3.4-67 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic................B 3.3-278 (continued)

BFN-UNIT 2 ii Revision 0

ECCS Instrumentation B 3.3.5.1 B 3.3 INSTRUMENTATION B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient.

For most anticipated operational occurrences and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.

The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant signals for ECCS injection (HPCI), and the Automatic Depressurization System Preferred Pump Logic, (ADS). The equipment involved with each of these systems is Common Accident described in the Bases for LCO 3.5.1, "ECCS - Operating."

Signal Logic, and Unit Priority Re-trip Logic Portions of the ECCS instrumentation also provide for the generation of the Common Accident Signal which initiate the DGs and EECW System. Refer to LCO 3.8.1, "AC Systems-Operating," for operability requirements of the ECCS Preferred Common Accident Signal Logic. LCO 3.3.8.3, "Emergency Core Cooling Pump Logic, System (ECCS) Preferred Pump, Common Accident Core Spray System Common Accident Signal (CAS), and Signal Logic, and Unit Priority Re-trip Logic,"

Unit Priority Re-trip The CS System may be initiated by automatic means. Each Logic pump can be controlled manually by a control room remote switch. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or both Drywell Pressure - High and Reactor Steam Dome Pressure - Low.

Reactor water level and drywell pressure are each monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of these trip units are connected to (continued)

BFN-UNIT 2 B 3.3-131 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES (continued)

APPLICABLE The actions of the ECCS are explicitly assumed in the safety SAFETY ANALYSES, analyses of References 1, 2, and 3. The ECCS is initiated LCO, and to preserve the integrity of the fuel cladding by limiting APPLICABILITY the post LOCA peak cladding temperature to less than the 10 CFR 50.46 limits.

ECCS instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 5). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function ECCS Preferred Pump Logic must have a required number of OPERABLE channels, with and Common Accident their setpoints within the specified Allowable Values, where Signal Logic which are appropriate. The setpoint is calibrated consistent with addressed in LCO 3.3.8.3, applicable setpoint methodology assumptions (nominal trip "Emergency Core Cooling setpoint). Table 3.3.5.1-1, footnote (b), is added to show that System (ECCS) Preferred certain ECCS instrumentation Function channels affect Pump, Common Accident Common Accident Signal Logic which is addressed in Signal (CAS), and Unit LCO 3.8.1, "AC Sources - Operating."

Priority Re-Trip Logic."

Table 3.3.5.1-1, footnote (f), Allowable Values are specified for each ECCS Function is added to show that certain specified in the table and contained in design output documents, ECCS instrumentation which for instrument functions that have a specific footnote in Function channels affect Table 3.3.1.1-1, is incorporated by reference in Chapter 7 of the ECCS Preferred Pump Logic Updated Final Safety Analysis Report (UFSAR). For these, the and Unit Priority Re-trip methodology used to determine the nominal trip setpoint, the Logic which are addressed predefined as-found tolerance, the as-left tolerance band, and a in LCO 3.3.8.3.

listing of the setpoint design output documentation is specified in Chapter 7 of the UFSAR. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less (continued)

BFN-UNIT 2 B 3.3-139 Revision 0, 41 November 09, 2006

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE Core Spray and Low Pressure Coolant Injection Systems SAFETY ANALYSES, LCO, and 1.a, 2.a. Reactor Vessel Water Level - Low Low Low, Level 1 APPLICABILITY (LS-3-58A-D)

(continued)

Low reactor pressure vessel (RPV) water level indicates that the ECCS Preferred Pump capability to cool the fuel may be threatened. Should RPV Logic, Common Accident water level decrease too far, fuel damage could result. The low Signal Logic, and Unit pressure ECCS are initiated at Level 1 to ensure that core spray Priority Re-trip Logic (Refer and flooding functions are available to prevent or minimize fuel to LCO 3.3.8.3, "Emergency damage. The Reactor Vessel Water Level - Low Low Low, Core Cooling System Level 1 is also utilized in the development of the Common (ECCS) Preferred Pump, Common Accident Signal Accident Signal which initiates the DGs and EECW System.

(CAS), and Unit Priority Re- (Refer to LCO 3.8.1, "AC Sources - Operating," for operability Trip Logic," for operability requirements of the Common Accident Signal Logic). The requirements of the ECCS Reactor Vessel Water Level - Low Low Low, Level 1 is one of Preferred Pump Logic, the Functions assumed to be OPERABLE and capable of Common Accident Signal initiating the ECCS during the transients analyzed in Logic, and Unit Priority Re- References 1 and 3. In addition, the Reactor Vessel Water trip Logic) Level - Low Low Low, Level 1 Function is directly assumed in the analysis of the recirculation line break (Ref. 2). The core cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level - Low Low Low, Level 1 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

(continued)

BFN-UNIT 2 B 3.3-141 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.a, 2.a. Reactor Vessel Water Level - Low Low Low, Level 1 SAFETY ANALYSES, (LS-3-58A-D) (continued)

LCO, and APPLICABILITY acceptable as-left tolerance, the channel shall be declared inoperable. Also, after the Surveillance is completed, the channel's as-found condition will be documented in the Corrective Action Program. As part of the activities of the Corrective Action Program, additional evaluations and potential corrective actions will be performed as necessary to ensure that any as-found setting, which is conservative to the Allowable Value, but outside the acceptable as-found band is evaluated for long-term reliability trends.

1.b, 2.b. Drywell Pressure - High (PIS-64-58A-D)

ECCS Preferred Pump Logic, Common Accident High pressure in the drywell could indicate a break in the reactor Signal Logic, and Unit coolant pressure boundary (RCPB). The low pressure ECCS is Priority Re-trip Logic (Refer initiated upon receipt of the Drywell Pressure - High Function in to LCO 3.3.8.3, "Emergency order to minimize the possibility of fuel damage. The Drywell Core Cooling System Pressure - High is also utilized in the development of the (ECCS) Preferred Pump, Common Accident Signal which initiates the DGs and EECW Common Accident Signal System. (Refer to LCO 3.8.1, "AC Sources - Operating" for (CAS), and Unit Priority Re- operability requirements of the Common Accident Signal Logic).

Trip Logic," for operability The Drywell Pressure - High Function, along with the Reactor requirements of the ECCS Steam Dome Pressure - Low Function, are directly assumed in Preferred Pump Logic, the analysis of the recirculation line break (Ref. 2). The core Common Accident Signal cooling function of the ECCS, along with the scram action of the Logic, and Unit Priority Re-RPS, ensures that the fuel peak cladding temperature remains trip Logic) below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

(continued)

BFN-UNIT 2 B 3.3-143 Revision 0, 41 November 09, 2006

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.b, 2.b. Drywell Pressure - High (PIS-64-58A-D) (continued)

SAFETY ANALYSES, LCO, and acceptable as-left tolerance, the channel shall be declared APPLICABILITY inoperable. Also, after the Surveillance is completed, the channel's as-found condition will be documented in the Corrective Action Program. As part of the activities of the Corrective Action Program, additional evaluations and potential corrective actions will be performed as necessary to ensure that any as-found setting, which is conservative to the Allowable Value, but outside the acceptable as-found band is evaluated for long-term reliability trends.

1.c, 2.c. Reactor Steam Dome Pressure - Low (Injection Permissive and ECCS Initiation)

(PIS-3-74A and B; PIS-68-95 and 96)

Low reactor steam dome pressure signals are used as ECCS Preferred Pump permissives for the low pressure ECCS subsystems. This Logic, Common Accident ensures that, prior to opening the injection valves of the low Signal Logic, and Unit pressure ECCS subsystems, the reactor pressure has fallen to Priority Re-trip Logic (Refer to LCO 3.3.8.3, "Emergency a value below these subsystems' maximum design pressure.

Core Cooling System The Reactor Steam Dome Pressure - Low is also utilized in the (ECCS) Preferred Pump, development of the Common Accident Signal which initiates the Common Accident Signal DGs and EECW System. (Refer to LCO 3.8.1, "AC Sources -

(CAS), and Unit Priority Re- Operating," for operability requirements of the Common Trip Logic," for operability Accident Signal Logic). The Reactor Steam Dome Pressure -

requirements of the ECCS Low is one of the Functions assumed to be OPERABLE and Preferred Pump Logic, capable of permitting initiation of the ECCS during the transients Common Accident Signal analyzed in References 1 and 3. In addition, the Reactor Steam Logic, and Unit Priority Re- Dome Pressure - Low Function is directly assumed in the trip Logic) analysis of the recirculation line break (Ref. 2). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

(continued)

BFN-UNIT 2 B 3.3-144a Revision 41 November 09, 2006

ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE SR 3.3.5.1.3, SR 3.3.5.1.4, and SR 3.3.5.1.5 REQUIREMENTS (continued) A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequencies of SR 3.3.5.1.3, SR 3.3.5.1.4, and SR 3.3.5.1.5 are based upon the magnitude of equipment drift in the setpoint analysis.

SR 3.3.5.1.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation for a specific channel.

The LOGIC SYSTEM The system functional testing performed in LCO 3.5.1, FUNCTIONAL TEST LCO 3.5.2, LCO 3.7.2, and LCO 3.8.1 overlaps this Surveillance performed in LCO 3.3.8.3 to complete testing of the assumed safety function. The LOGIC overlaps this Surveillance to SYSTEM FUNCTIONAL TEST shall include a calibration of time assure complete testing of delay relays and timers necessary for proper functioning of the the assumed safety function logic.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience with these components supports performance of the Surveillance at the 24 month Frequency.

(continued)

BFN-UNIT 2 B 3.3-177 Revision 47, 65 Amendment No. 255 May 31, 2012

<TS Bases 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 B 3.3.8.3 INSTRUMENTATION B 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic BASES BACKGROUND In the event of an accident signal in either Unit 1 or Unit 2, all of the ECCS equipment associated with the accident unit will start. All eight diesel generators in the plant will be started on an accident signal in any unit as a pre-emergency action in case of a subsequent power blackout.

The diesel generators and Standby AC Power System are designed to accommodate spurious accident signals from any unit and in any order, real followed by a spurious signal, real coincident with a spurious signal, and spurious followed by a real accident signal. If the ECCS loads for both Units 1 and 2 were allowed to start during combinations of real and spurious accident signals, the combined Unit 1/2 ECCS pumps would overload the 4KV shutdown boards and their associated diesel generators.

During combinations of real and spurious accident signals, the Units 1 and 2 ECCS preferred pump logic will assign the Unit 1 ECCS loads to the Division I 4KV shutdown boards and the Unit 2 ECCS loads to the Division II 4KV shutdown boards. If any Residual Heat Removal (RHR) or Core Spray pumps were already running in the opposite unit (e.g., for shutdown cooling), the core spray and low pressure coolant injection (LPCI) logic (i.e., LCO 3.3.5.1 Functions 1.a, 1.b, 1.c, 2.a, 2.b, 2.c) would send redundant signals to initiate the ECCS preferred pump logic to trip the opposite units running RHR and Core Spray pumps. The ECCS preferred pump logic signal also inhibits the RHR and Core Spray pumps automatic start logic in the opposite unit (after 60 seconds, manual control of the pumps is restored). This ensures that any running RHR or Core Spray pumps in the opposite unit would be tripped, unloading the Unit 1/2 4KV shutdown boards prior to the accident unit starting its ECCS pumps on a real accident signal. For combinations of real and spurious accident signals, the Unit 1 and 2 ECCS preferred pump logic would allow the Unit 1 Division I RHR and Core Spray pumps (1A and 1C) to start and load on the Division I 4KV shutdown boards, and the Unit 2 Division II RHR and Core Spray pumps (2B and 2D) to start and load on the Division II 4KV shutdown boards. This action would ensure that the shared Unit 1/2 4KV shutdown boards are not overloaded while still maintaining the minimum number of required ECCS injection subsystems.

If an accident signal were initiated in only one unit (Unit 1 or 2) and any RHR or Core Spray pumps were already running in the opposite non-accident unit (e.g., for shutdown cooling), the Core Spray and LPCI logic would send redundant signals to initiate the ECCS preferred pump logic BFN-UNIT 2 B 3.3-278 Rev.

<TS Bases 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES to trip all of the non-accident units running RHR and Core Spray pumps.

This ensures that any running RHR or Core Spray pumps in the non-accident unit would be tripped, unloading the Unit 1 and 2 4kV shutdown boards prior to the accident unit starting all of its ECCS pumps (both divisions) on an accident signal, with or without a loss of offsite power.

The Core Spray low reactor vessel water level (LCO 3.3.5.1 Function 1.a) or high drywell pressure (LCO 3.3.5.1 Function 1.b) coincident with low reactor pressure signals (LCO 3.3.5.1 Function 1.c) are used to generate a CAS, which affects the operation of components associated with all three units. The CAS performs the following functions:

  • sends a signal to start all eight diesel generators for Unit 1/2 and Unit 3
  • trips the diesel generator output breakers (if closed)
  • defeats selected diesel generator protective trips
  • blocks the 4kV Shutdown Board auto transfer logic
  • trips and blocks the fire pumps A, B, and C auto start logic
  • blocks subsequent RHRSW (aligned to EECW) pump start signal (if already running)
  • blocks the 4kV degraded voltage trips
  • trips the RHRSW pumps A2 and C2
  • trips the Raw Cooling Water (RCW) pump 1D Following the initiation of a CAS on either Unit 2 or 3 (which trips all eight diesel breakers), subsequent accident signal trips of the diesel breakers are blocked. A second diesel breaker trip on a "unit priority" basis is provided to ensure that during combinations of spurious and real accident signals, the diesel supplied buses are stripped prior to starting the RHR pumps and other ECCS loads. This diesel breaker re-trip would only occur if a spurious accident signal or a real accident signal from the other unit had previously tripped the diesel breakers. Inputs from the LPCI initiation circuitry indicating low reactor vessel water level (LCO 3.3.5.1 Function 2.a) or high drywell pressure (LCO 3.3.5.1 Function 2.b) coincident with low reactor pressure (LCO 3.3.5.1 Function 2.c),

combined with an existing CAS trip signal, will re-trip the diesel breakers on the unit where the LPCI initiation signal originated. The other unit's diesels would be unaffected by this second trip. Thus each unit is given priority over the block of subsequent CAS diesel breaker trips for its diesels. This diesel breaker Unit Priority Re-Trip ensures that the diesel buses are stripped prior to starting the RHR (LPCI) pumps, Core Spray pumps and other required loads. For Units 1 and 2 only, with a real and spurious accident signal present, the Unit 1 initiated unit priority re-trip signal will only re-trip the Division I diesel breakers while the Unit 2 initiated unit priority re-trip signal will only re-trip the Division II diesel breakers. This would ensure that a spurious unit priority re-trip signal BFN-UNIT 2 B 3.3-279 Rev.

<TS Bases 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES would not re-trip all four Unit 1/2 diesel breakers, which would result in interrupting both divisions RHR and Core Spray pumps supplying the opposite unit in a real accident.

The ECCS Preferred Pump, CAS, and Unit Priority Re-Trip logics are discussed in the UFSAR, Sections 7.4.3 and 8.5.4 (Refs. 1 and 2, respectively).

APPLICABLE For Units 1 and 2 only, the RHR and Core Spray pumps for both units are SAFETY powered from the same 4kV shutdown boards. If the ECCS loads for ANALYSES, both Units 1 and 2 were allowed to start during combinations of real and LCO, and spurious accident signals, the combined Unit 1/2 ECCS pumps would APPLICABILITY overload the 4kV shutdown boards and their associated diesel generators on a loss of offsite power, and the 4kV shutdown buses if normal power were available. The Unit 1/2 ECCS Preferred Pump Logic ensures that the shared Unit 1/2 kV shutdown boards are not overloaded while still maintaining the minimum number of required ECCS injection subsystems.

The Core Spray logic initiated CAS and the LPCI logic initiated Unit Priority Re-Trip are required to ensure that the shared Unit 1/2 4KV shutdown boards are stripped prior to starting the RHR pumps, Core Spray pumps, and other required loads when the shutdown boards are being supplied by the diesel generators.

The ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

The OPERABILITY of the ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic is dependent upon the OPERABILITY of the individual logic Functions specified in Table 3.3.8.3-1. Each Function must have the required number of divisions. In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS initiation to mitigate the consequences of a design basis transient or accident. There are no Allowable Values associated with these logic systems.

Table 3.3.8.3-1 Footnote (a) is added to address ECCS Preferred Pump Logic OPERABILITY requirements in MODES 4 and 5 and Unit 1 is in MODE 1, 2, or 3. Table 3.3.8.3-1 Footnote (b) is added to address the number of Required Divisions in MODES 4 and 5. Either Division I, Division II, or both may be required to be OPERABLE in MODE 4 or 5.

RHR and Core Spray Pumps 2A and 2C, respectively, are associated with Division I, while RHR and Core Spray pumps 2B and 2D, respectively, are associated with Division II.

Two divisions of CAS and Unit Priority Re-Trip Logics are required to be OPERABLE to ensure that at least one is available, assuming that a BFN-UNIT 2 B 3.3-280 Rev.

<TS Bases 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES single failure disables the other division coincident with a DBA. These logic systems must be OPERABLE to ensure the DGs would perform and alignments would occur as assumed during a DBA.

In MODES 1, 2, and 3, the CAS and Unit Priority Re-Trip Logics are required to be OPERABLE consistent with the OPERABILITY requirements of the diesel generators.

In MODES 4, and 5, the CAS and Unit Priority Re-Trip Logic are not required to be OPERABLE because the diesel generators are not required to be OPERABLE.

ACTIONS A.1 With one or more division(s) of ECCS Preferred Pump Logic inoperable, the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 7 day Completion Time takes into account a reasonable time for repairs, and the low probability of a DBA occurring during this period.

B.1 With one division of CAS Logic inoperable, the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of CAS Logic is capable of performing its intended function.

The 7 day Completion Time takes into account the capability of the remaining division of common accident signal logic, reasonable time for repairs, and the low probability of a DBA occurring during this period.

C.1 With one division of Unit Priority Re-Trip Logic inoperable, the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of Unit Priority Re-Trip Logic is capable of performing its intended function.

BFN-UNIT 2 B 3.3-281 Rev.

<TS Bases 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES The 7 day Completion Time takes into account the capability of the remaining division of common accident signal logic, reasonable time for repairs, and the low probability of a DBA occurring during this period.

D.1 and D.2 If the required ECCS Preferred Pump, CAS, or Unit Priority Re-Trip Logic division(s) cannot be restored to OPERABLE status within the associated Completion Time in MODE 1, 2, or 3, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, and in MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1 and E.2 If the required ECCS Preferred Pump Logic division(s) cannot be restored to OPERABLE status within the associated Completion Time in MODE 4 or 5, the associated ECCS components must be declared inoperable.

F.1 Condition F corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

SURVEILLANCE SR 3.3.8.3.1 REQUIREMENTS The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the ECCS Preferred Pump Logic for a specific division.

The system functional test of the breakers is included as a part of this test, overlapping the LOGIC SYSTEM FUNCTIONAL TEST, to provide complete testing of the safety function. Therefore, if a breaker is incapable of operating, the associated logic would also be inoperable.

The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlaps this Surveillance to complete testing of the assumed safety function.

The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the CAS and Unit Priority Re-Trip Logics for a specified division. The LOGIC SYSTEM FUNCTIONAL TEST performed in BFN-UNIT 2 B 3.3-282 Rev.

<TS Bases 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES LCO 3.3.5.1 and the DG testing performed by SR 3.8.1.6 overlap this Surveillance to complete testing of the assumed safety function.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience with these components supports performance of the Surveillance at the 24 month Frequency.

SR 3.3.8.3.1 is modified by two Notes. Note 1 indicates that when a channel is placed in an inoperable status solely for performance of Surveillance, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated redundant division is OPERABLE Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the division must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on Probabilistic Risk Assessment (PRA) performed by TVA (Ref. 3) in accordance with RG 1.177 (Ref. 4). The PRA demonstrated that the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that the ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logics will initiate when necessary.

Note 2 indicates that testing of the Unit 1 breakers is not required for a successful test. This allowance is necessary to preclude unnecessary challenges to an operating unit. Testing of the Unit 1 breakers is required by Unit 1 SR 3.3.8.3.1.

REFERENCES 1. UFSAR, Section 7.4.3.

2. UFSAR, Section 8.5.4.
3. PRA Evaluation Response BFN-0-14-042, Revision 2.
4. Regulatory Guide (RG) 1.177, "An Approach For Plant-Specific Decision Making: Technical Specifications."

BFN-UNIT 2 B 3.3-283 Rev.

ECCS - Operating B 3.5.1 BASES BACKGROUND ECCS Preferred Pump Logic (continued)

In the event of a spurious accident signal in Unit 1 combined with a real accident in Unit 2 (or a spurious accident signal in Unit 2 with a real accident in Unit 1) the CS and LPCI preferred pump logic will dedicate the Division I CS and LPCI pumps to Unit 1 (1A and 1C) and the Division II pumps to Unit 2 (2B and 2D). Therefore, a spurious accident signal from Unit 1 (which is considered a single failure) results in two RHR pumps and one CS loop (two CS pumps) OPERABLE for Unit 2 (refer to Bases Section B 3.8.1). This is acceptable in accordance with the 3.3.8.3 BFN LOCA analysis; consequently, the single failure criterion is satisfied.

(continued)

BFN-UNIT 2 B 3.5-3a Revision 47, 65 May 31, 2012

AC Sources - Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources - Operating BASES BACKGROUND The unit Class 1E AC Electrical Power Distribution System AC circuits consist of the offsite power sources (preferred power sources, normal and alternates), and the onsite standby power sources (Unit 1 and 2 diesel generators (DGs) A, B, C, and D, and Unit 3 DGs 3A, 3B, 3C, and 3D). As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.

The Class 1E AC distribution system is divided into redundant divisions, so loss of any one division does not prevent the minimum safety functions from being performed. Each of four 4.16 kV shutdown boards has two offsite power circuits available and a single DG. Only offsite power delivered through the normal feeder breakers can be credited since common accident signal (CAS) logic (CAS A/CAS B) will trip the alternate breaker. This prevents an overload condition if all (See LCO 3.3.8.3, shutdown boards had been aligned to the same shutdown bus, "Emergency Core and thus to the same transformer winding.

Cooling System (ECCS) Preferred An offsite circuit consists of all breakers, transformers, Pump, Common switches, interrupting devices, cabling, and controls required to Accident Signal transmit power from the offsite transmission network to the A (CAS), and Unit and B (Division I) or C and D (Division II) 4.16 kV shutdown Priority Re-Trip boards. Offsite power is supplied to the 161 kV and 500 kV Logic.")

(continued)

BFN-UNIT 2 B 3.8-1 Revision 0, 52 May 11, 2007

AC Sources - Operating B 3.8.1 BASES BACKGROUND Shutdown bus 1 normally feeds 4.16 kV shutdown boards A and (continued) B and shutdown bus 2 normally feeds 4.16 kV shutdown boards C and D. The 4.16 kV shutdown boards are normally aligned to power associated divisional 480 V safety equipment (two divisions per unit). This results in one DG powering only one 480 V division of one unit, and some of that same division's 4.16 kV loads for both Units 1 and 2. A detailed description of the offsite power network and circuits to the onsite Class 1E ESF buses is found in the FSAR, Chapter 8 (Ref. 2).

USST 1B and 2B are sized to accommodate all required ESF loads on receipt of an accident signal on Unit 2, while also (LCO 3.3.8.3) carrying all the required safety loads of Unit 1 operating at full power. The Common Accident Signal (CAS) logic is initiated by a Loss of Coolant Accident (LOCA) from either Units 1, 2, or 3 on a low reactor water level signal or on a high drywell pressure signal coincident with a low reactor pressure signal. The CAS logic trips non-essential 4kV loads to ensure that the 4.16 kV shutdown buses are not overloaded during a LOCA with normal power available.

If a LOCA were to occur on Unit 2 with a loss of the normal 500 kV offsite circuit from USST 2B, the 4.16 kV Shutdown Buses and safety related ESF loads would automatically transfer to the alternate 500 kV offsite circuit supplied from USST 1B. The Unit 1 non-safety related loads on 4.16 kV Unit Boards 2A, 2B, 2C, and 4.16 kV Common Board B would automatically transfer to the CSST supplied 4.16 kV Start Buses. The offsite power circuits through the CSSTs have sufficient capacity to support the automatic transfer of the Unit 2 non-safety related loads when there are no loads from the other units already aligned to the 4.16 kV Start Buses.

The CSSTs do not have sufficient capacity to support the automatic transfer of the Unit 2 non-safety related and safety-related ESF loads during plant conditions where the alternate 500 kV circuit is not available. Nor do they have (continued)

BFN-UNIT 2 B 3.8-3 Revision 0, 10, 37, 42 November 16, 2006

AC Sources - Operating B 3.8.1 BASES BACKGROUND the trip of offsite power, an under or degraded voltage activated (continued) load shed logic strips all loads from the 4.16 kV Shutdown Board. Feeder breakers to transformers supplying auxiliary power system distribution boards are not load shed on undervoltage. When the DG is tied to the 4.16 kV shutdown board, large loads are then sequentially connected to its respective 4.16 kV shutdown board by individual pump timers.

The individual pump timers control the permissive and starting signals to motor breakers to prevent overloading the DG.

In the event of a loss of offsite power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a LOCA.

Certain required plant loads are returned to service in a predetermined sequence in order to prevent overloading of the DGs in the process. Within 40 seconds after the initiating signal (DG breaker closure with accident signal) is received, all automatic and permanently connected loads needed to recover the unit or maintain it in a safe condition are returned to service.

In the event that the DGs were already running and loaded on (LCO 3.3.8.3) the receipt of a spurious or real common accident signal (CAS A/CAS B) from Unit 3, any diesel generator output breakers which are closed are signaled to open to load shed the running loads off of the DG. After the DG breaker closing springs recharge, the DG breakers will reclose and tie the DG to the 4.16 kV shutdown board. Loads are then sequentially connected to its respective 4.16 kV shutdown board by individual pump timers as described above. Any subsequent common accident signal DG breaker trip signals are blocked.

Should a second RHR initiation signal be received (i.e., from a spurious or real accident signal from Unit 2), the Unit 1/2 diesel generator output breakers will be reopened on a unit priority (continued)

BFN-UNIT 2 B 3.8-4 Revision 0, 10, 30, 42 47 March 22, 2007

AC Sources - Operating B 3.8.1 (LCO 3.3.8.3)

BASES BACKGROUND re-trip signal to ensure that the diesels are load shed to allow (continued) the Unit 2 pumps to correctly sequence onto the boards. With a real and spurious accident signal present between Units 1 and 2, the ECCS preferred pump logic ensures that the Unit 1 initiated unit priority re-trip signal will only re-trip the Division I Unit 1/2 diesel breakers while the Unit 2 initiated unit priority re-trip signal will only re-trip the Division II diesel breakers.

This will ensure that a spurious unit priority re-trip signal will not re-trip all four Unit 1/2 diesel breakers, which would result in interrupting both divisions RHR and Core Spray pumps supplying the opposite unit in a real accident. After the DG breakers reclose, loads are then sequentially connected to its respective 4.16 kV shutdown board by individual pump timers as described above.

Rating for the DGs satisfies the intent of Safety Guide 9 (Reference 3). DG engine continuous and short-time maximum steady state active power output (running kW) is denoted below as non-derated rating/derated rating. Non-derated rating is for intake air temperatures less than or equal to 90qF. The derated rating is for either intake air temperatures greater than 90qF or a combination of intake air temperatures greater than 90qF and engine cooling heater outlet temperature greater than 190qF.

For the DG engine, instantaneous cold and hot maximum instantaneous active power (running kW plus starting kW) is denoted in the table as non-derated rating. Due to BFNs elevation is less than 800 feet above sea level with maximum intake air temperatures of less than 115qF, the maximum instantaneous active power output does not require derating for temperature at BFN (Reference 12):

(continued)

BFN-UNIT 2 B 3.8-4a Revision 47 March 22, 2007

AC Sources - Operating B 3.8.1 BASES (continued)

LCO Two qualified circuits between the offsite transmission network and the onsite Class 1E Distribution System, four separate and independent Unit 1 and 2 DGs (A, B, C, and D), and the Unit 3 DG(s) needed to support required Standby Gas Treatment (SGT) trains and Control Room Emergency Ventilation System (CREVS) trains are required to be OPERABLE. Two divisions of 480 V load shed logic and two divisions of CAS logic are required to be OPERABLE to support Unit 1 and 2 DG OPERABILITY and post-accident loads. Unit 3 Technical Specifications will require the operability of all Unit 3 DGs and provide appropriate compensatory actions for inoperable Unit 3 DGs in support of Unit 3 operations. To support the operation of Unit 2, the Unit 2 LCO for AC Sources - Operating also requires the necessary Unit 3 DG(s) to support SGT and CREVS required by LCO 3.8.7, Distribution Systems -

Operating, for supplying the Unit 3 4.16 kV shutdown boards.

These requirements ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an abnormal operational transient or a postulated DBA.

Qualified offsite circuits are those that are described in the FSAR, and are part of the licensing basis for the unit. Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the 4.16 kV shutdown boards.

(continued)

BFN-UNIT 2 B 3.8-6 Revision 0, 52 May 11, 2007

AC Sources - Operating B 3.8.1 BASES LCO Each DG must be capable of starting, accelerating to rated (continued) speed and voltage, and connecting to its respective 4.16 kV shutdown board on detection of bus undervoltage. This sequence must be accomplished within 10 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the 4.16 kV shutdown board. The Unit 1 and 2 DGs are provided with a common 480 V load shed logic system with two redundant divisions. The common accident signal logic system, with two redundant divisions, is common to the Unit 1, 2, and 3 DGs.

This These logic systems must be OPERABLE to ensure the DGs will perform and alignments will occur as assumed during a DBA.

Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY.

The AC sources must be separate and independent (to the extent possible) of other AC sources. For the DGs, the separation and independence are complete. For the offsite AC sources, the separation and independence are to the extent practical. A qualified offsite circuit may be connected to more than one division of 4.16 kV shutdown boards and not violate separation criteria. A circuit that is not connected to the Division I or II 4.16 kV shutdown boards is required to have the capability to be connected to at least one division of 4.16 kV shutdown boards to be considered OPERABLE.

(continued)

BFN-UNIT 2 B 3.8-9 Revision 0, 52 May 11, 2007

AC Sources - Operating B 3.8.1 BASES ACTIONS B.5 (continued)

As in Required Action B.3, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time that the LCO was initially not met, instead of the time that Condition B was entered.

C.1 With one division of Unit 1 and 2 480 V load shed logic inoperable, the reliability of the DGs is degraded, and the potential for the loss of all four Unit 1 and 2 DGs is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of Unit 1 and 2 480 V load shed logic is capable of performing its intended function of limiting the loads on the Unit 1 and 2 DGs.

The 7 day Completion Time takes into account the capability of the remaining division of Unit 1 and 2 480 V load shed logic, reasonable time for repairs, and the low probability of a DBA occurring during this period.

D.1 With one division of common accident signal logic inoperable (including the DG breaker unit priority re-trip function and the CS and LPCI preferred pump logic function described in Bases Section B 3.8.1), the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of common accident signal logic is capable of performing its intended function of providing a start signal to the Unit 1 and 2 DGs during a DBA.

The 7 day Completion Time takes into account the capability of the remaining division of common accident signal logic, (continued)

BFN-UNIT 2 B 3.8-19 Revision 0, 7, 47, Amendment 307 October 5, 2011

AC Sources - Operating B 3.8.1 BASES ACTIONS D.1 (continued) reasonable time for repairs, and the low probability of a DBA occurring during this period.

E.1 and E.2 D

Required Action E.1 addresses actions to be taken in the event of inoperability of redundant required features concurrent with inoperability of two required offsite circuits. Required Action E.1 reduces the vulnerability to a loss of function. The Completion Time for taking these actions is reduced to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from that allowed with one or both 4.16 kV shutdown boards in a division without offsite power (Required Action A.2). The rationale for the reduction to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is that Regulatory Guide 1.93 (Ref. 6) allows a Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for two required offsite circuits inoperable, based upon the assumption that two complete safety divisions are OPERABLE.

When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is appropriate. These features are designed with redundant safety related divisions, (i.e., single division systems are not included in the list). Redundant required features failures consist of any of these features that are inoperable because any inoperability is on a division redundant to a division with inoperable offsite circuits. D The Completion Time for Required Action E.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. All required offsite circuits are inoperable; and
b. A required feature is inoperable.

(continued)

BFN-UNIT 2 B 3.8-20 Revision 0, Revision 7 September 17, 1999

AC Sources - Operating B 3.8.1 D

BASES ACTIONS E.1 and E.2 (continued)

If, at any time during the existence of this Condition (two offsite circuits inoperable), a required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

According to Regulatory Guide 1.93 (Ref. 6), operation may D continue in Condition E for a period that should not exceed 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of accessible offsite power sources.

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable. However, two factors tend to decrease the severity of this degradation level:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and
b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

(continued)

BFN-UNIT 2 B 3.8-21 Revision 0

AC Sources - Operating B 3.8.1 D

BASES ACTIONS E.1 and E.2 (continued)

With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.

According to Regulatory Guide 1.93 (Ref. 6), with the available offsite AC sources two less than required by the LCO, operation may continue for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If two offsite sources are restored within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, unrestricted operation may continue. If only one offsite source is restored within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, power operation E continues in accordance with Condition A.

F.1 and F.2 Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition F are modified by a Note to E indicate that when Condition F is entered with no AC source to any 4.16 kV shutdown board, ACTIONS for LCO 3.8.7, "Distribution Systems - Operating," must be immediately entered. This allows Condition F to provide requirements for the loss of the offsite circuit and one DG without regard to whether a 4.16 kV shutdown board is de-energized. LCO 3.8.7 provides the appropriate restrictions for a de-energized 4.16 kV shutdown board.

(continued)

BFN-UNIT 2 B 3.8-22 Revision 0

AC Sources - Operating B 3.8.1 BASES E ACTIONS F.1 and F.2 (continued)

According to Regulatory Guide 1.93 (Ref. 6), operation may E

continue in Condition F for a period that should not exceed 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. In Condition F, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in D Condition E (loss of both required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure.

The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period. E A Note has been added to Condition F to clarify that the Condition is only applicable when more than one shutdown board is affected. The situation where only one shutdown board is affected is covered by Condition G. F G.1 F

Condition G addresses the situation where both one required offsite circuit and one DG are inoperable and affect only one 4.16 kV shutdown board. The Note clarifies the applicability.

The Required Action is to declare the affected 4.16 kV shutdown board inoperable immediately. This requires entry into the applicable Conditions and Required Actions of LCO 3.8.7, "Distribution Systems - Operating," which provides the appropriate restrictions for the affected 4.16 kV shutdown board. LCO 3.8.1 Conditions and Required Actions continue to apply until the required offsite circuit and DG are made OPERABLE.

(continued)

BFN-UNIT 2 B 3.8-23 Revision 0

AC Sources - Operating B 3.8.1 BASES G

ACTIONS H.1 (continued)

With two or more DGs inoperable, an assumed loss of offsite electrical power may result in insufficient standby AC sources available to power the minimum required ESF functions. Since the offsite electrical power system may be the only source of AC power for the majority of ESF equipment at this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown. (The immediate shutdown could cause grid instability, which could result in a total loss of AC power.) Since any inadvertent unit generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

According to Regulatory Guide 1.93 (Ref. 6), with all DGs inoperable, operation may continue for a period that should not exceed 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

H I.1 and I.2 If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and to MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

BFN-UNIT 2 B 3.8-24 Revision 0

AC Sources - Operating B 3.8.1 BASES I

ACTIONS J.1 (continued)

Condition J corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost.

At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

J K.1 Required Action K.1 is intended to provide assurance that a loss of offsite power, during the period that a required Unit 3 DG is inoperable, does not result in a complete loss of safety function of critical systems (i.e., SGT or CREVS). These features consist of SGT or CREVS trains redundant to trains supported by the inoperable Unit 3 DG.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:

a. An inoperable required Unit 3 DG exists; and
b. An SGT or CREVS train supported by another DG, is inoperable.

(continued)

BFN-UNIT 2 B 3.8-25 Revision 0

AC Sources - Operating B 3.8.1 BASES J

ACTIONS K.1 (continued)

If, at any time during the existence of this Condition (a required Unit 3 DG inoperable), a required SGT or CREVS train subsequently becomes inoperable, this Completion Time begins to be tracked.

Discovering a required Unit 3 DG inoperable coincident with an inoperable SGT or CREVS train, or both, that are associated with the OPERABLE DGs results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.

(continued)

BFN-UNIT 2 B 3.8-26 Revision 0

AC Sources - Operating B 3.8.1 BASES J

ACTIONS K.2 (continued)

In Condition K, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System to support operation of Unit 2.

The 30 day Completion Time is commensurate with the importance of the affected system considering the low probability of a DBA in these conditions and the availability of the remaining power sources. If the inoperable Unit 3 DG cannot be restored to OPERABLE status within the associated Completion Time, the associated SGT or CREVS subsystem must be declared inoperable, and the ACTIONS in the appropriate system Specification taken.

SURVEILLANCE The AC sources are designed to permit inspection and testing REQUIREMENTS of all important areas and features, especially those that have a standby function. Periodic component tests are supplemented by extensive functional tests (under simulated accident conditions). The SRs for demonstrating the OPERABILITY of the DGs meet the intent of Safety Guide 9 (Ref. 3), as addressed by References 13 and 14.

Where the SRs discussed herein specify voltage and frequency tolerances, the following summary is applicable. A minimum steady state output voltage of t 3940 V is required for proper operation of the safety related loads supplied, as determined by BFN design bases analyses. This value allows for voltage drop to the terminals of 4000 V motors whose minimum operating voltage is specified as 90% or 3600 V in ANSI C84.1 (Ref. 9). It also allows for voltage drops to motors and other equipment down through the 120 V level where minimum operating voltage is also usually specified as 90% of (continued)

BFN-UNIT 2 B 3.8-27 Revision 0, 28 August 26, 2004

Proposed Technical Specifications Bases Pages (Markups) for BFN, Unit 3 (25 pages including cover sheet)

BROWNS FERRY NUCLEAR PLANT TECHNICAL SPECIFICATIONS (BASES)

TABLE OF CONTENTS (continued)

Section Page No.

B 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT)

Instrumentation ............................................................... B 3.3-108 B 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation ....................... B 3.3-120 B 3.3.5.1 Emergency Core Cooling System (ECCS)

Instrumentation ............................................................... B 3.3-131 B 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation ............................................................... B 3.3-179 B 3.3.6.1 Primary Containment Isolation Instrumentation ................... B 3.3-190 B 3.3.6.2 Secondary Containment Isolation Instrumentation .............. B 3.3-226 B 3.3.7.1 Control Room Emergency Ventilation (CREV)

System Instrumentation .................................................. B 3.3-240 B 3.3.8.1 Loss of Power (LOP) Instrumentation .................................. B 3.3-256 B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring............................................................ B 3.3-269 B 3.4 REACTOR COOLANT SYSTEM (RCS) .................................... B 3.4-1 B 3.4.1 Recirculation Loops Operating............................................. B 3.4-1 B 3.4.2 Jet Pumps ............................................................................ B 3.4-11 B 3.4.3 Safety/Relief Valves (S/RVs) ............................................... B 3.4-17 B 3.4.4 RCS Operational LEAKAGE ................................................ B 3.4-23 B 3.4.5 RCS Leakage Detection Instrumentation ............................. B 3.4-30 B 3.4.6 RCS Specific Activity............................................................ B 3.4-37 B 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown ..................................... B 3.4-42 B 3.4.8 Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown ................................... B 3.4-49 B 3.4.9 RCS Pressure and Temperature (P/T) Limits ...................... B 3.4-55 B 3.4.10 Reactor Steam Dome Pressure............................................ B 3.4-67 3.3.8.3 Common Accident Signal (CAS) and Unit Priority Re-Trip Logic................B 3.3-278 (continued)

BFN-UNIT 3 ii Amendment No. 213 September 03, 1998

ECCS Instrumentation B 3.3.5.1 B 3.3 INSTRUMENTATION B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient.

For most anticipated operational occurrences and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.

The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant injection (HPCI), and the Automatic Depressurization System (ADS). The equipment involved with each of these systems is described in the Bases for LCO 3.5.1, "ECCS - Operating."

Logic and Unit Priority Re-trip Logic Portions of the ECCS instrumentation also provide for the generation of the Common Accident Signal which initiate the DGs and EECW System. Refer to LCO 3.8.1, "AC Systems-Operating," for operability requirements of the and Unit Priority Re- Common Accident Signal Logic. LCO 3.3.8.3, "Common Accident Signal trip Logic (CAS) and Unit Priority Re-trip Logic,"

Core Spray System The CS System may be initiated by automatic means. Each pump can be controlled manually by a control room remote switch. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or both Drywell Pressure - High and Reactor Steam Dome Pressure - Low.

Reactor water level and drywell pressure are each monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of these trip units are connected to (continued)

BFN-UNIT 3 B 3.3-131 Amendment No. 213 September 03, 1998

ECCS Instrumentation B 3.3.5.1 BASES (continued)

APPLICABLE The actions of the ECCS are explicitly assumed in the safety SAFETY ANALYSES, analyses of References 1, 2, and 3. The ECCS is initiated LCO, and to preserve the integrity of the fuel cladding by limiting APPLICABILITY the post LOCA peak cladding temperature to less than the 10 CFR 50.46 limits.

ECCS instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 5). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. The setpoint is calibrated consistent with 3.3.8.3, "Common Accident applicable setpoint methodology assumptions (nominal trip Signal (CAS) and Unit setpoint). Table 3.3.5.1-1, footnote (b), is added to show that Priority Re-Trip Logic." certain ECCS instrumentation Function channels affect Table 3.3.5.1-1, footnote (g), Common Accident Signal Logic which is addressed in is added to show that certain LCO 3.8.1, "AC Sources - Operating."

ECCS instrumentation Function channels affect Unit Priority Re-trip Logic Allowable Values are specified for each ECCS Function which is addressed in LCO specified in the table and contained in design output 3.3.8.3. documents, which for instrument functions that have a specific footnote in Table 3.3.1.1-1, is incorporated by reference in Chapter 7 of the Updated Final Safety Analysis Report (UFSAR). For these, the methodology used to determine the nominal trip setpoint, the predefined as-found tolerance, the as-left tolerance band, and a listing of the setpoint design output documentation is specified in Chapter 7 of the UFSAR.

Nominal trip setpoints are specified in the setpoint calculations.

The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less (continued)

BFN-UNIT 3 B 3.3-139 Amendment No. 213, Revision 41 November 09, 2006

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE Core Spray and Low Pressure Coolant Injection Systems SAFETY ANALYSES, LCO, and 1.a, 2.a. Reactor Vessel Water Level - Low Low Low, Level 1 APPLICABILITY (LS-3-58A-D)

(continued)

Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV Logic and Unit Priority Re- water level decrease too far, fuel damage could result. The low trip Logic (Refer to LCO pressure ECCS are initiated at Level 1 to ensure that core 3.3.8.3, "Common Accident spray and flooding functions are available to prevent or Signal (CAS) and Unit minimize fuel damage. The Reactor Vessel Water Level - Low Priority Re-Trip Logic," for Low Low, Level 1 is also utilized in the development of the operability requirements of Common Accident Signal which initiates the DGs and EECW the Common Accident System. (Refer to LCO 3.8.1, "AC Sources - Operating," for Signal Logic and Unit operability requirements of the Common Accident Signal Logic).

Priority Re-trip Logic)

The Reactor Vessel Water Level - Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in References 1 and 3. In addition, the Reactor Vessel Water Level - Low Low Low, Level 1 Function is directly assumed in the analysis of the recirculation line break (Ref. 2). The core cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level - Low Low Low, Level 1 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

(continued)

BFN-UNIT 3 B 3.3-141 Amendment No. 213 September 03, 1998

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.a, 2.a. Reactor Vessel Water Level - Low Low Low, Level 1 SAFETY ANALYSES, (LS-3-58A-D) (continued)

LCO, and APPLICABILITY acceptable as-left tolerance, the channel shall be declared inoperable. Also, after the Surveillance is completed, the channel's as-found condition will be documented in the Corrective Action Program. As part of the activities of the Corrective Action Program, additional evaluations and potential corrective actions will be performed as necessary to ensure that any as-found setting, which is conservative to the Allowable Value, but outside the acceptable as-found band is evaluated for long-term reliability trends.

1.b, 2.b. Drywell Pressure - High (PIS-64-58A-D)

Logic and Unit Priority Re- High pressure in the drywell could indicate a break in the trip Logic (Refer to LCO reactor coolant pressure boundary (RCPB). The low pressure 3.3.8.3, "Common Accident ECCS is initiated upon receipt of the Drywell Pressure - High Signal (CAS) and Unit Function in order to minimize the possibility of fuel damage.

Priority Re-Trip Logic," for The Drywell Pressure - High is also utilized in the development operability requirements of of the Common Accident Signal which initiates the DGs and the Common Accident EECW System. (Refer to LCO 3.8.1, "AC Sources - Operating" Signal Logic and Unit Priority Re-trip Logic) for operability requirements of the Common Accident Signal Logic). The Drywell Pressure - High Function, along with the Reactor Steam Dome Pressure - Low Function, are directly assumed in the analysis of the recirculation line break (Ref. 2).

The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

(continued)

BFN-UNIT 3 B 3.3-143 Amendment No. 213, Revision 41 November 09, 2006

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.b, 2.b. Drywell Pressure - High (PIS-64-58A-D) (continued)

SAFETY ANALYSES, LCO, and acceptable as-left tolerance, the channel shall be declared APPLICABILITY inoperable. Also, after the Surveillance is completed, the channel's as-found condition will be documented in the Corrective Action Program. As part of the activities of the Corrective Action Program, additional evaluations and potential corrective actions will be performed as necessary to ensure that any as-found setting, which is conservative to the Allowable Value, but outside the acceptable as-found band is evaluated for long-term reliability trends.

1.c, 2.c. Reactor Steam Dome Pressure - Low (Injection Permissive and ECCS Initiation)

(PIS-3-74A and B; PIS-68-95 and 96)

Low reactor steam dome pressure signals are used as Logic and Unit Priority Re- permissives for the low pressure ECCS subsystems. This trip Logic (Refer to LCO ensures that, prior to opening the injection valves of the low 3.3.8.3, "Common Accident pressure ECCS subsystems, the reactor pressure has fallen to Signal (CAS) and Unit a value below these subsystems' maximum design pressure.

Priority Re-Trip Logic," for The Reactor Steam Dome Pressure - Low is also utilized in the operability requirements of development of the Common Accident Signal which initiates the the Common Accident Signal Logic and Unit DGs and EECW System. (Refer to LCO 3.8.1, "AC Sources -

Priority Re-trip Logic) Operating," for operability requirements of the Common Accident Signal Logic). The Reactor Steam Dome Pressure -

Low is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in References 1 and 3. In addition, the Reactor Steam Dome Pressure - Low Function is directly assumed in the analysis of the recirculation line break (Ref. 2).

The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

(continued)

BFN-UNIT 3 B 3.3-144a Revision 41 November 09, 2006

ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE SR 3.3.5.1.3, SR 3.3.5.1.4, and SR 3.3.5.1.5 REQUIREMENTS (continued) A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequencies of SR 3.3.5.1.3, SR 3.3.5.1.4, and SR 3.3.5.1.5 are based upon the magnitude of equipment drift in the setpoint analysis.

SR 3.3.5.1.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific The LOGIC SYSTEM channel. The system functional testing performed in LCO 3.5.1, FUNCTIONAL TEST LCO 3.5.2, LCO 3.7.2, and LCO 3.8.1 overlaps this performed in LCO 3.3.8.3 Surveillance to complete testing of the assumed safety function.

overlaps this Surveillance to The LOGIC SYSTEM FUNCTIONAL TEST shall include a assure complete testing of calibration of time delay relays and timers necessary for proper the assumed safety function functioning of the logic.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience with these components supports performance of the Surveillance at the 24 month Frequency.

(continued)

BFN-UNIT 3 B 3.3-177 Amendment No. 215 November 30, 1998

<TS Bases 3.3.8.3 INSERT>

CAS and Unit Priority Re-Trip Logic B 3.3.8.3 B 3.3.8.3 INSTRUMENTATION B 3.3.8.3 Common Accident Signal (CAS) and Unit Priority Re-Trip Logic BASES BACKGROUND In the event of an accident signal in either Unit 1 or Unit 2, all of the ECCS equipment associated with the accident unit will start. All eight diesel generators in the plant will be started on an accident signal in any unit as a pre-emergency action in case of a subsequent power blackout.

The diesel generators and Standby AC Power System are designed to accommodate spurious accident signals from any unit and in any order, real followed by a spurious signal, real coincident with a spurious signal, and spurious followed by a real accident signal.

The Core Spray low reactor vessel water level (LCO 3.3.5.1 Function 1.a) or high drywell pressure (LCO 3.3.5.1 Function 1.b) coincident with low reactor pressure signals (LCO 3.3.5.1 Function 1.c) are used to generate a CAS, which affects the operation of components associated with all three units. The CAS performs the following functions:

  • sends a signal to start all eight Unit 1/2 and Unit 3 diesel generators
  • trips the diesel generator output breakers (if closed)
  • defeats selected diesel generator protective trips
  • blocks the 4kV Shutdown Board auto transfer logic
  • trips and blocks the fire pumps A, B, and C auto start logic
  • blocks subsequent RHRSW (aligned to EECW) pump start signal (if already running)
  • blocks the 4kV degraded voltage trips
  • trips the Raw Cooling Water (RCW) pump 1D Following the initiation of a CAS on either Unit 2 or 3 (which trips all eight diesel breakers), subsequent accident signal trips of the diesel breakers are blocked. A second diesel breaker trip on a "unit priority" basis is provided to ensure that during combinations of spurious and real accident signals, the diesel supplied buses are stripped prior to starting the RHR pumps and other ECCS loads. This diesel breaker re-trip would only occur if a spurious accident signal or a real accident signal from the other unit had previously tripped the diesel breakers. Inputs from the LPCI initiation circuitry indicating low reactor vessel water level (LCO 3.3.5.1 Function 2.a) or high drywell pressure (LCO 3.3.5.1 Function 2.b) coincident with low reactor pressure (LCO 3.3.5.1 Function 2.c),

combined with an existing CAS trip signal, will re-trip the diesel breakers on the unit where the LPCI initiation signal originated. The other unit's diesels would be unaffected by this second trip. Thus each unit is given BFN-UNIT 3 B 3.3-278 Rev.

<TS Bases 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES priority over the block of subsequent CAS diesel breaker trips for its diesels. This diesel breaker Unit Priority Re-Trip ensures that the diesel buses are stripped prior to starting the RHR (LPCI) pumps, Core Spray pumps and other required loads. For Units 1 and 2 only, with a real and spurious accident signal present the Unit 1 initiated unit priority re-trip signal will only re-trip the Division I diesel breakers while the Unit 2 initiated unit priority re-trip signal will only re-trip the Division II diesel breakers. This would ensure that a spurious unit priority re-trip signal would not re-trip all four Unit 1/2 diesel breakers, which would result in interrupting both divisions RHR and Core Spray pumps supplying the opposite unit in a real accident.

The CAS and Unit Priority Re-Trip logics are discussed in the UFSAR, Sections 7.4.3 and 8.5.4 (Refs. 1 and 2, respectively).

APPLICABLE The Core Spray logic initiated CAS and the LPCI logic initiated Unit SAFETY Priority Re-Trip are required to ensure that the shared Unit 1/2 4KV ANALYSES, shutdown boards are stripped prior to starting the RHR pumps, Core LCO, and Spray pumps, and other required loads when the shutdown boards are APPLICABILITY being supplied by the diesel generators.

The CAS and Unit Priority Re-Trip Logic satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Two divisions of CAS and Unit Priority Re-Trip Logics are required to be OPERABLE to ensure that at least one is available, assuming that a single failure disables the other division coincident with a DBA. These logic systems must be OPERABLE to ensure the DGs would perform and alignments would occur as assumed during a DBA. There are no Allowable Values associated with these logic systems.

In MODES 1, 2, and 3, the CAS and Unit Priority Re-Trip Logics are required to be OPERABLE consistent with the OPERABILITY requirements of the diesel generators.

In MODES 4, and 5, the CAS and Unit Priority Re-Trip Logic are not required to be OPERABLE because the diesel generators are not required to be OPERABLE.

ACTIONS A.1 With one division of CAS Logic inoperable, the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of CAS Logic is capable of performing its intended function.

BFN-UNIT 3 B 3.3-279 Rev.

<TS Bases 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES The 7 day Completion Time takes into account the capability of the remaining division of common accident signal logic, reasonable time for repairs, and the low probability of a DBA occurring during this period.

B.1 With one division of Unit Priority Re-Trip Logic inoperable, the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of Unit Priority Re-Trip Logic is capable of performing its intended function.

The 7 day Completion Time takes into account the capability of the remaining division of common accident signal logic, reasonable time for repairs, and the low probability of a DBA occurring during this period.

C.1 and C.2 If the required CAS or Unit Priority Re-Trip Logic division(s) cannot be restored to OPERABLE status within the associated Completion Time in MODE 1, 2, or 3, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, and in MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

D.1 Condition D corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

SURVEILLANCE SR 3.3.8.3.1 REQUIREMENTS The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the ECCS Preferred Pump Logic for a specific division.

The system functional test of the breakers is included as a part of this test, overlapping the LOGIC SYSTEM FUNCTIONAL TEST, to provide complete testing of the safety function. Therefore, if a breaker is BFN-UNIT 3 B 3.3-280 Rev.

<TS Bases 3.3.8.3 INSERT>

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES incapable of operating, the associated logic would also be inoperable.

The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlaps this Surveillance to complete testing of the assumed safety function.

The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the CAS and Unit Priority Re-Trip Logics for a specified division. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 and the DG testing performed by SR 3.8.1.6 overlap this Surveillance to complete testing of the assumed safety function.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience with these components supports performance of the Surveillance at the 24 month Frequency.

SR 3.3.8.3.1 is modified by a Note that indicates that when a channel is placed in an inoperable status solely for performance of Surveillance, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated redundant division is OPERABLE Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the division must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on Probabilistic Risk Assessment (PRA) performed by TVA (Ref.

3) in accordance with RG 1.177 (Ref. 4). The PRA demonstrated that the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that the CAS and Unit Priority Re-Trip Logics will initiate when necessary.

REFERENCES 1. UFSAR, Section 7.4.3.

2. UFSAR, Section 8.5.4.
3. PRA Evaluation Response BFN-0-14-042, Revision 2.
4. Regulatory Guide (RG) 1.177, "An Approach For Plant-Specific Decision Making: Technical Specifications."

BFN-UNIT 3 B 3.3-281 Rev.

AC Sources - Operating B 3.8.1 BASES BACKGROUND The onsite standby power source for 4.16 kV shutdown boards (continued) 3EA, 3EB, 3EC, and 3ED consists of four Unit 3 DGs, each dedicated to a shutdown board. Each DG starts automatically on a loss of coolant accident (LOCA) signal (i.e., low reactor water level signal or high drywell pressure signal), or on its respective 4.16 kV shutdown board degraded voltage or (See LCO 3.3.8.3, undervoltage signal. Common Accident Signal Logic (CAS "Common Accident A/CAS B) actuates on high drywell pressure with low reactor Signal (CAS) and pressure, or low water level.

Unit Priority Re-Trip Logic.") After the DG has started, it automatically ties to its respective bus after offsite power is tripped as a consequence of 4.16 kV shutdown board undervoltage or degraded voltage, independent of or coincident with a LOCA signal. The DGs also start and operate in the standby mode without tying to the 4.16 kV shutdown board on a LOCA signal alone. Following the trip of offsite power, an under or degraded voltage activated load shed logic strips all loads from the 4.16 kV Shutdown Board except transformer feeds. When the DG is tied to the 4.16 kV shutdown board, large loads are then sequentially connected to its respective 4.16 kV shutdown board by individual pump timers. The individual pump timers control the permissive and starting signals to motor breakers to prevent overloading the DG.

In the event of a loss of offsite power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a LOCA.

(continued)

BFN-UNIT 3 B 3.8-3 Revision 0

AC Sources - Operating B 3.8.1 BASES BACKGROUND Certain required plant loads are returned to service in a (continued) predetermined sequence in order to prevent overloading of the DGs in the process. Within 40 seconds after the initiating signal (DG breaker closure with accident signal) is received, all automatic and permanently connected loads needed to recover the unit or maintain it in a safe condition are returned to service.

In the event that the DGs were already running and loaded on the receipt of a spurious or real common accident signal (CAS A/CAS B) from Units 1 or 2, any diesel generator output breakers which are closed are signaled to open to load shed the running loads off of the DG. After the DG breaker closing springs recharge, the DG breakers will reclose and tie the DG to the 4.16 kV shutdown board. Loads are then sequentially connected to its respective 4.16 kV shutdown board by individual pump timers as described above. Any subsequent common accident signal DG breaker trip signals are blocked.

Should a second RHR initiation signal be received (i.e., from a spurious or real accident signal from Unit 3), the Unit 3 diesel (LCO 3.3.8.3) generator output breakers will be reopened on a unit priority retrip signal to ensure that the diesels are load shed to allow the Unit 3 pumps to correctly sequence onto the boards. After the DG breakers reclose, loads are then sequentially connected to its respective 4.16 kV shutdown board by individual pump timers as described above.

Rating for the DGs satisfies the intent of Safety Guide 9 (Reference 3). DG engine continuous and short-time maximum steady state active power output (running kW) is denoted below as non-derated rating/derated rating. Non-derated rating is for intake air temperatures less than or equal to 90°F. The derated rating is for either intake air temperatures greater than 90°F or a combination of intake air temperatures greater than 90°F and engine cooling heater outlet temperature greater than 190°F.

For the DG engine, instantaneous cold and hot maximum instantaneous active power (running kW plus starting kW) is denoted in the table as non-derated rating. Due to BFNs (continued)

BFN-UNIT 3 B 3.8-4 Revision 0, 30, 57 April 10, 2008

AC Sources - Operating B 3.8.1 BASES (continued)

LCO Two qualified circuits between the offsite transmission network and the onsite Class 1E Distribution System, four separate and independent Unit 3 DGs (3A, 3B, 3C, and 3D), and the Unit 1 and 2 DG(s) needed to support required Standby Gas Treatment (SGT) trains and Control Room Emergency Ventilation System (CREVS) trains are required to be OPERABLE. Two divisions of 480 V load shed logic and two divisions of CAS logic are required to be OPERABLE to support Unit 3 DG OPERABILITY and post-accident loads. Unit 1 and 2 Technical Specifications will require the operability of all Unit 1 and 2 DGs and provide appropriate compensatory actions for inoperable Unit 1 and 2 DGs in support of Unit 1 and 2 operations. To support the operation of Unit 3, the Unit 3 LCO for AC Sources - Operating also requires the necessary Unit 1 and 2 DG(s) to support SGT and CREVS required by LCO 3.8.7, Distribution Systems - Operating, for supplying the Unit 1 and 2 4.16 kV shutdown boards. These requirements ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an abnormal operational transient or a postulated DBA.

Qualified offsite circuits are those that are described in the FSAR, and are part of the licensing basis for the unit. Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the 4.16 kV shutdown boards.

(continued)

BFN-UNIT 3 B 3.8-6 Revision 0, 52 May 11, 2007

AC Sources - Operating B 3.8.1 BASES LCO Each DG must be capable of starting, accelerating to rated (continued) speed and voltage, and connecting to its respective 4.16 kV shutdown board on detection of bus undervoltage. This sequence must be accomplished within 10 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the 4.16 kV shutdown board. The Unit 3 DGs are provided with a 480 V load shed logic system with two redundant divisions. The common accident signal logic system, with two redundant This divisions, is common to the Unit 1, 2, and 3 DGs. These logic systems must be OPERABLE to ensure the DGs will perform and alignments will occur as assumed during a DBA.

Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY.

The AC sources must be separate and independent (to the extent possible) of other AC sources. For the DGs, the separation and independence are complete. For the offsite AC sources, the separation and independence are to the extent practical. A qualified offsite circuit may be connected to more than one division of 4.16 kV shutdown boards and not violate separation criteria. A circuit that is not connected to the Division I or II 4.16 kV shutdown boards is required to have the capability to be connected to at least one division of 4.16 kV shutdown boards to be considered OPERABLE.

(continued)

BFN-UNIT 3 B 3.8-9 Revision 0, 52 May 11, 2007

AC Sources - Operating B 3.8.1 BASES ACTIONS B.5 (continued)

As in Required Action B.3, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time that the LCO was initially not met, instead of the time that Condition B was entered.

C.1 With one division of Unit 3 480 V load shed logic inoperable, the reliability of the DGs is degraded, and the potential for the loss of the affected Unit 3 DG is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of Unit 3 480 V load shed logic is capable of performing its intended function of limiting the load on the affected Unit 3 DG.

The 7 day Completion Time takes into account the capability of the remaining division of Unit 3 480 V load shed logic, reasonable time for repairs, and the low probability of a DBA occurring during this period.

D.1 With one division of common accident signal logic inoperable, the plant electrical system response is degraded (including the DG breaker unit priority retrip function described in Bases Section B 3.8.1), and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of common accident signal logic is capable of performing its intended function of providing a start signal to the Unit 3 DGs during a DBA.

The 7 day Completion Time takes into account the capability of the remaining division of common accident signal logic, (continued)

BFN-UNIT 3 B 3.8-19 Revision 0, 7, 57, Amendment 266 October 5, 2011

AC Sources - Operating B 3.8.1 BASES ACTIONS D.1 (continued) reasonable time for repairs, and the low probability of a DBA occurring during this period.

D D E.1 and E.2 Required Action E.1 addresses actions to be taken in the event of inoperability of redundant required features concurrent with inoperability of two required offsite circuits. Required Action E.1 reduces the vulnerability to a loss of function. The Completion Time for taking these actions is reduced to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from that allowed with one or both 4.16 kV shutdown boards in a division without offsite power (Required Action A.2). The rationale for the reduction to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is that Regulatory Guide 1.93 (Ref. 6) allows a Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for two required offsite circuits inoperable, based upon the assumption that two complete safety divisions are OPERABLE. When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is appropriate. These features are designed with redundant safety related divisions, (i.e., single division systems are not included in the list). Redundant required features failures consist of any of these features that are inoperable because any inoperability is on a division redundant to a division with inoperable offsite circuits. D The Completion Time for Required Action E.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. All required offsite circuits are inoperable; and
b. A required feature is inoperable.

(continued)

BFN-UNIT 3 B 3.8-20 Revision 0, Revision 7 September 17, 1999

AC Sources - Operating B 3.8.1 D

BASES ACTIONS E.1 and E.2 (continued)

If, at any time during the existence of this Condition (two offsite circuits inoperable), a required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

According to Regulatory Guide 1.93 (Ref. 6), operation may D continue in Condition E for a period that should not exceed 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of accessible offsite power sources.

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable. However, two factors tend to decrease the severity of this degradation level:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and
b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

(continued)

BFN-UNIT 3 B 3.8-21 Revision 0

AC Sources - Operating B 3.8.1 D

BASES ACTIONS E.1 and E.2 (continued)

With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.

According to Regulatory Guide 1.93 (Ref. 6), with the available offsite AC sources two less than required by the LCO, operation may continue for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If two offsite sources are restored within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, unrestricted operation may continue. If only one offsite source is restored within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, power operation E continues in accordance with Condition A.

F.1 and F.2 Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition F are modified by a Note to indicate that when E Condition F is entered with no AC source to any 4.16 kV shutdown board, ACTIONS for LCO 3.8.7, "Distribution Systems

- Operating," must be immediately entered. This allows Condition F to provide requirements for the loss of the offsite circuit and one DG without regard to whether a 4.16 kV shutdown board is de-energized. LCO 3.8.7 provides the appropriate restrictions for a de-energized 4.16 kV shutdown board.

(continued)

BFN-UNIT 3 B 3.8-22 Revision 0

AC Sources - Operating B 3.8.1 BASES E ACTIONS F.1 and F.2 (continued)

According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition F for a period that should not exceed E

12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. In Condition F, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in D Condition E (loss of both required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period. E A Note has been added to Condition F to clarify that the Condition is only applicable when more than one shutdown board is affected. The situation where only one shutdown board is affected is covered by Condition G. F G.1 F

Condition G addresses the situation where both one required offsite circuit and one DG are inoperable and affect only one 4.16 kV shutdown board. The Note clarifies the applicability.

The Required Action is to declare the affected 4.16 kV shutdown board inoperable immediately. This requires entry into the applicable Conditions and Required Actions of LCO 3.8.7, "Distribution Systems - Operating," which provides the appropriate restrictions for the affected 4.16 kV shutdown board. LCO 3.8.1 Conditions and Required Actions continue to apply until the required offsite circuit and DG are made OPERABLE.

(continued)

BFN-UNIT 3 B 3.8-23 Revision 0

AC Sources - Operating B 3.8.1 BASES G

ACTIONS H.1 (continued)

With two or more DGs inoperable, an assumed loss of offsite electrical power may result in insufficient standby AC sources available to power the minimum required ESF functions. Since the offsite electrical power system may be the only source of AC power for the majority of ESF equipment at this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown. (The immediate shutdown could cause grid instability, which could result in a total loss of AC power.) Since any inadvertent unit generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

According to Regulatory Guide 1.93 (Ref. 6), with all DGs inoperable, operation may continue for a period that should not exceed 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

H I.1 and I.2 If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and to MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

BFN-UNIT 3 B 3.8-24 Revision 0

AC Sources - Operating B 3.8.1 BASES I

ACTIONS J.1 (continued)

Condition J corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost.

At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

J K.1 Required Action K.1 is intended to provide assurance that a loss of offsite power, during the period that a required Unit 1 and 2 DG is inoperable, does not result in a complete loss of safety function of critical systems (i.e., SGT or CREVS). These features consist of SGT or CREVS trains redundant to trains supported by the inoperable Unit 1 and 2 DG.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:

a. An inoperable required Unit 1 and 2 DG exists; and
b. An SGT or CREVS train supported by another DG, is inoperable.

(continued)

BFN-UNIT 3 B 3.8-25 Revision 0

AC Sources - Operating B 3.8.1 BASES J

ACTIONS K.1 (continued)

If, at any time during the existence of this Condition (a required Unit 1 and 2 DG inoperable), a required SGT or CREVS train subsequently becomes inoperable, this Completion Time begins to be tracked.

Discovering a required Unit 1 and 2 DG inoperable coincident with an inoperable SGT or CREVS train, or both, that are associated with the OPERABLE DGs results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.

(continued)

BFN-UNIT 3 B 3.8-26 Revision 0

AC Sources - Operating B 3.8.1 BASES J

ACTIONS K.2 (continued)

In Condition K, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System to support operation of Unit 3.

The 30 day Completion Time is commensurate with the importance of the affected system considering the low probability of a DBA in these conditions and the availability of the remaining power sources. If the inoperable Unit 1 and 2 DG cannot be restored to OPERABLE status within the associated Completion Time, the associated SGT or CREVS subsystem must be declared inoperable, and the ACTIONS in the appropriate system Specification taken.

SURVEILLANCE The AC sources are designed to permit inspection and testing REQUIREMENTS of all important areas and features, especially those that have a standby function. Periodic component tests are supplemented by extensive functional tests (under simulated accident conditions). The SRs for demonstrating the OPERABILITY of the DGs meet the intent of Safety Guide 9 (Ref. 3), as addressed by References 13 and 14.

Where the SRs discussed herein specify voltage and frequency tolerances, the following summary is applicable. A minimum steady state output voltage of 3940 V is required for proper operation of the safety related loads supplied, as determined by BFN design bases analyses. This value allows for voltage drop to the terminals of 4000 V motors whose minimum operating voltage is specified as 90% or 3600 V in ANSI C84.1 (Ref. 9). It also allows for voltage drops to motors and other equipment down through the 120 V level where minimum operating voltage is also usually specified as 90% of (continued)

BFN-UNIT 3 B 3.8-27 Revision 0, 28 August 26, 2004

Retrieved from "https://kanterella.com/w/index.php?title=CNL-15-073,_Application_to_Modify_the_Technical_Specifications_by_Adding_New_Specification_TS_3.3.8.3,_Emergency_Core_Cooling_System_Preferred_Pump_Logic,_Common_Accident_Signal_(CAS)_Logic,_and_Unit_Priority_Re-Trip_Logic,_And.&oldid=2447016"