CNL-16-092, Response to NRC Request for Additional Information Related to License Amendment Request for Adding New Specifications to Technical Specification 3.3.8.3 (BFN-TS-486) (CAC Nos. MF6738, MF6739, and MF6740)- Letter 5

From kanterella
Jump to navigation Jump to search

Response to NRC Request for Additional Information Related to License Amendment Request for Adding New Specifications to Technical Specification 3.3.8.3 (BFN-TS-486) (CAC Nos. MF6738, MF6739, and MF6740)- Letter 5
ML16169A179
Person / Time
Site: Browns Ferry  Tennessee Valley Authority icon.png
Issue date: 06/16/2016
From: James Shea
Tennessee Valley Authority
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
CAC MF6738, CAC MF6739, CAC MF6740, CNL-16-092
Download: ML16169A179 (42)
v  d  e


Text

1101 Market Street, Chattanooga, Tennessee 37402 CNL-16-092 June 16, 2016 10 CFR 50.90 ATTN: Document Control Desk U.S. Nuclear Regulatory Commission Washington, D.C. 20555-0001 Browns Ferry Nuclear Plant, Units 1, 2, and 3 Renewed Facility Operating License Nos. DPR-33, DPR-52, and DPR-68 NRC Docket Nos. 50-259, 50-260, and 50-296

Subject:

Response to NRC Request for Additional Information Related to License Amendment Request for Adding New Specifications to Technical Specification 3.3.8.3 (BFN-TS-486) (CAC Nos. MF6738, MF6739, and MF6740) - Letter 5

References:

1. Letter from TVA to NRC, CNL-15-073, "Application to Modify the Browns Ferry Nuclear Plant, Units 1, and 2 Technical Specifications by Adding New Specification TS 3.3.8.3, 'Emergency Core Cooling System Preferred Pump Logic, Common Accident Signal (CAS) Logic, and Unit Priority Re-Trip Logic,' and Unit 3 TS by adding New Specification TS 3.3.8.3, 'Common Accident Signal (CAS) Logic, and Unit Priority Re-Trip Logic,' (BFN-TS-486)," dated September 16, 2015 (ML15260B125)
2. Letter from NRC to TVA, "Browns Ferry Nuclear Plant, Units 1, 2, and 3 -

Request for Additional Information Related to License Amendment Request for Adding New Specifications to Technical Specification 3.3.8.3 (CAC Nos. MF6738, MF6739, and MF6740)," dated March 21, 2016 (ML16074A126)

3. Letter from TVA to NRC, CNL-16-066, "Response to NRC Request for Additional Information Related to License Amendment Request for Adding New Specifications to Technical Specification 3.3.8.3 (BFN-TS-486) (CAC Nos. MF6738, MF6739, and MF6740) - Letter 1,"

dated April 15, 2016 (ML16106A323)

861XFOHDU5HJXODWRU\&RPPLVVLRQ

&1/

3DJH

-XQH







%\OHWWHUGDWHG6HSWHPEHU 5HIHUHQFH 7HQQHVVHH9DOOH\$XWKRULW\ 79$ 

VXEPLWWHGDOLFHQVHDPHQGPHQWUHTXHVW /$5 IRU%URZQV)HUU\1XFOHDU3ODQW %)1 

8QLWVDQGWRUHYLVHWKH%)18QLWVDQG7HFKQLFDO6SHFLILFDWLRQV 76 E\DGGLQJ

DQHZVSHFLILFDWLRQJRYHUQLQJWKHVDIHW\IXQFWLRQVIRUWKH(PHUJHQF\&RUH&RROLQJ6\VWHP

(&&6 3UHIHUUHG3XPS/RJLF&RPPRQ$FFLGHQW6LJQDO/RJLFDQGWKH8QLW3ULRULW\5H7ULS

/RJLF,QDGGLWLRQWKH/$5UHORFDWHGWKH%)18QLWUHTXLUHPHQWVIRU&RPPRQ$FFLGHQW

6LJQDO/RJLFDQG8QLW3ULRULW\5HWULS/RJLFWRDQHZVSHFLILFDWLRQJRYHUQLQJWKHVDIHW\

IXQFWLRQVIRUWKH&RPPRQ$FFLGHQW6LJQDO/RJLFDQGWKH8QLW3ULRULW\5H7ULS/RJLFIRU

FRQVLVWHQF\ZLWKWKHFKDQJHVWRWKH%)18QLWVDQG76



%\OHWWHUGDWHG0DUFK 5HIHUHQFH WKH1XFOHDU5HJXODWRU\&RPPLVVLRQ 15& 

UHTXHVWHGDGGLWLRQDOLQIRUPDWLRQWRVXSSRUWWKHUHYLHZRIWKH/$57KHUHTXLUHGGDWHVIRU

UHVSRQGLQJWRWKHUHTXHVWVIRUDGGLWLRQDOLQIRUPDWLRQYDULHGIURP$SULOWR

0D\



(QFORVXUHSURYLGHVWKHILIWKVHWRI79$UHVSRQVHVWRVRPHRIWKHUHTXHVWVIRUDGGLWLRQDO

LQIRUPDWLRQ 5$,V LGHQWLILHGLQWKH5HIHUHQFHOHWWHU7KHGXHGDWHVIRUWKH5$,VZHUH

UHYLVHGIURPWKH5HIHUHQFHOHWWHUDQGGHWDLOHGLQWKH5HIHUHQFHOHWWHU$VVWDWHGLQWKH

5HIHUHQFHOHWWHUWKHUHVSRQVHVSURYLGHGLQ(QFORVXUHWRWKLVOHWWHUDUHGXHE\

-XQH(QFORVXUHSURYLGHVDOLVWLQJRIWKH5$,VFRQWDLQHGLQWKH5HIHUHQFH

OHWWHUDQGWKHGDWHRIWKH79$UHVSRQVHWRHDFKRIWKH5$,V(QFORVXUHSURYLGHVUHYLVHG

SURSRVHG76(PHUJHQF\&RUH&RROLQJ6\VWHP (&&6 3UHIHUUHG3XPS&RPPRQ

$FFLGHQW6LJQDO &$6 DQG8QLW3ULRULW\5H7ULS/RJLFSDJHVDQGDVVRFLDWHG%DVHVDV

GHVFULEHGLQWKH79$UHVSRQVHWR,QVWUXPHQWDWLRQDQG&RQWUROV%UDQFK (,&% 5$,



&RQVLVWHQWZLWKWKHVWDQGDUGVVHWIRUWKLQ7LWOHRIWKH&RGHRI)HGHUDO5HJXODWLRQV

&)5 3DUW F 79$KDVGHWHUPLQHGWKDWWKHDGGLWLRQDOLQIRUPDWLRQDVSURYLGHGLQ

WKLVOHWWHUGRHVQRWDIIHFWWKHQRVLJQLILFDQWKD]DUGVFRQVLGHUDWLRQDVVRFLDWHGZLWKWKH

SURSRVHGDSSOLFDWLRQSUHYLRXVO\SURYLGHGLQ5HIHUHQFH



7KHUHDUHQRQHZUHJXODWRU\FRPPLWPHQWVDVVRFLDWHGZLWKWKLVVXEPLWWDO3OHDVHDGGUHVV

DQ\TXHVWLRQVUHJDUGLQJWKLVUHTXHVWWR0U(GZDUG'6FKUXOODW  



,GHFODUHXQGHUSHQDOW\RISHUMXU\WKDWWKHIRUHJRLQJLVWUXHDQGFRUUHFW([HFXWHGRQWKLV

WKGD\RI-XQH



5HVSHFWIXOO\



-:6KHD

9LFH3UHVLGHQW1XFOHDU/LFHQVLQJ



(QFORVXUH

FF6HH3DJH

U. S. Nuclear Regulatory Commission CNL-16-092 Page 3 June 16, 2016

Enclosures:

1. TVA Responses to NRC Request for Additional Information: Set 5
2. Summary of BFN Request for Additional Information Response Dates
3. Revised Proposed Technical Specifications and Associated Bases Enclosure cc (Enclosure):

NRC Regional Administrator - Region II NRC Resident Inspector - Browns Ferry Nuclear Plant NRC Project Manager - Browns Ferry Nuclear Plant State Health Officer, Alabama Department of Public Health

ENCLOSURE 1 TENNESSEE VALLEY AUTHORITY BROWNS FERRY NUCLEAR PLANT UNITS 1, 2, AND 3 TVA Responses to NRC Request for Additional Information: Set 5 Probabilistic Risk Assessment (PRA) Licensing Branch (APLA) Request for Additional Information (RAl) 5 The CAS and the PAS are initiated by the core spray (CS) initiation logic, the UPRTL [Unit Priority Re-Trip Logic] is initiated by the residual heat removal (RHR) logic, and the PPL is initiated by the CS and RHR initiation logic, according to the public meeting slides dated February 1, 2016 (ADAMS Accession No. ML16028A096). Since PPL division(s) inoperable concurrently with failures of CS and RHR initiation logic impacts the plant response, the PRA should model (1) maintenance and testing of the PPL, CS, and RHR initiation logic if allowed when PPL division(s) are inoperable; and (2) the unreliability of the PPL, CAS, PAS, and UPRTL, conservatively or in detail. Update the internal events PRA as necessary.

Discuss the updates and explain the impact on the PRA results reported in the LAR as part of APLA-RAl-14.

Tennessee Valley Authority (TVA) Response The current PRA model of record (MOR) Revision 7 includes logic for Reactor Pressure Vessel (RPV) low reactor level, and Drywell (DW) high pressure transmitters and relays associated with automatic Core Spray (CS) and Residual Heat Removal (RHR) initiation and support systems. The test and maintenance terms in the PRA model are included as part of the train level unavailability. In addition, the prior version of the ECCS PPL PRA analysis described in the TVA License Amendment Request (LAR) dated September 16, 2015 (ML15260B125), included a single event for ECCS PPL unavailability. For the evaluation in response to APLA RAI 5, PRA MOR Revision 7 was updated to address Emergency Core Cooling System (ECCS) Preferred Pump Logic (PPL) divisional unavailability and unreliability basic events. The updated PRA model assumes that divisional ECCS PPL unavailability or unreliability during fast-acting scenarios (e.g., Loss of Coolant Accidents (LOCAs), Breaks Outside of Containment, and Inadvertent Open Relief Valves), results in the failure (overloading) of the two 4kV Shutdown Boards (SDBDs) associated with the ECCS PPL divisions. That is, Division I of ECCS PPL is now modeled under each load that requires 4kV SDBDs A and B, and Division II ECCS PPL is now modeled under each load that requires 4kV SDBDs C and D.

The CS relays that initiate Common Accident Signal (CAS) (relays 14A-K11A/B) are considered in the logic developed for ECCS PPL. The internal events PRA model used in this evaluation does not include logic for CAS, Pre-Accident Signal (PAS), or Unit Priority Re-Trip Logic (UPRTL). The PAS signal is a redundant signal and therefore not credited in the model. This modeling approach is consistent with the discussions in the TVA responses to Instrumentation and Controls Branch (EICB) RAI 1 and APLA RAI 4 provided in the TVA letter dated May 11, 2016 (ML16133A566).

CNL-16-092 Enclosure 1, Page 1 of 11

The TVA response to EICB RAI 1 states:

The Common Accident Signal logic (CASA and CASB) and the Pre-Accident Signal (PASA and PASC) are generated by the same low reactor vessel water level (Level 1 setpoint) or high drywell pressure transmitters and analog trip unit (ATU) signals.

However, the core spray relays that initiate the CAS and PAS logic are different.

The PAS sends a signal (redundant to the CAS start signal) to start all eight Unit 1/2 and Unit 3 diesel generators. PAS is considered a defense in depth feature and as such, was not included in the License Amendment Request (LAR).

In addition, the TVA response to APLA RAI 4 states:

The RHR and Core Spray components that only provide an ECCS PPL function have no effect on the functions of the CAS and PAS logic. However, there is an effect on the function of the UPRT for Unit 1 and 2 accident signals.

The effect of ECCS PPL unavailability and unreliability on UPRTL is not relevant because the PRA model used in this evaluation conservatively assumes that unavailability or unreliability of an ECCS PPL division causes failure of the two 4kV SDBDs associated with that division in scenarios with simultaneous accident signals. The updated PRA model simplified logic is consistent with the TVA response to APLA RAI 4 and APLA RAI 6 provided in the TVA letter dated May 11, 2016 (ML16133A566).

The Internal Events (IE) PRA results presented below in APLA RAI 14 indicate that ECCS PPL unavailability or unreliability are not risk significant.

APLA-RAl-6 The LAR in Section 3.0, "Background," discusses (1) a potential overloading of diesel generators if the ECCS pumps were started out of their required sequence; and (2) overloading of a diesel if an RHR pump was allowed to start on a diesel that was already loaded with any large 4 kV load, as well as the potential to overload affected shutdown boards with normal power available if an RHR pump were to start on a board already loaded with a CS pump and an emergency equipment cooling water pump.

The LAR also states:

Following the shutdown of all three BFN units in 1986, a Condition Adverse to Quality Report was initiated to document that the AC power supply system and ECCS initiation logic could not accommodate various combinations of spurious and real accident signals as described in the UFSAR Section 8.5.2. As part of the Base Line Commitment process, TVA identified that modification of the BFN Accident Signal Logic and Unit 1/2 Preferred Pump Logic would be required to support continued multi-unit operations.

The PPL modification appears to be part of the resolution of the power reliability issues. It is not clear that the reliability of normal and emergency power has been analyzed with respect to the CAS, PAS, or UPRTL functions, or for additional equipment out-of-service for maintenance (other than PPL-related components) that would not load onto the bus. The CNL-16-092 Enclosure 1, Page 2 of 11

reliability of normal and emergency power, given PPL division(s) inoperable as allowed by the proposed TS LCO, should be appropriately accounted for in the PRA.

Address the following related to the reliability of the power sources:

d. If power reliability can be affected as in parts i[a], ii[b], or iii[c], describe how your PRA models the impact on normal and emergency power reliability, if any. If there is a reliability impact that is not modeled in the PRA, update your internal events PRA.

Discuss the updates, if any, and explain the impact on the PRA results reported in the LAR as part of APLA-RAl-14.

TVA Response The revision of the PRA used for the LAR (i.e., MOR Revision 6) modeled ECCS PPL failures under the RHR and CS pumps. The evaluation performed in response to APLA RAI 6 used PRA MOR Revision 7 as the starting point. Logic was added under each of the 4kV SDBD loads that would effectively fail these SDBDs during fast-acting scenarios that involved an accident in one unit, a simultaneous accident or spurious accident signal in the other unit, and ECCS PPL unavailability or unreliability events. By failing the SDBDs, the model represents separation from normal power and emergency power.

The ECCS PPL PRA models for Browns Ferry Nuclear Plant (BFN), Units 1 and 2 are conservative for the following reasons:

The initiating event in the accident unit must occur simultaneously with a fast-acting initiating event or a spurious accident signal in the opposite unit for the ECCS PPL to be required. However, this evaluation assumes yearly probabilities for the concurrent accident signals in the other unit. This is conservative by several orders of magnitude because the actual exposure time is relatively short and the accident signals for both units must occur either simultaneously or relatively close in time.

No credit is given to power restoration to the 4kV SDBD.

Divisional PPL unavailability or unreliability during fast-acting scenarios results in the failure of the two 4kV SDBDs associated with the PPL division. That is, Division I of PPL is now modeled under each load that requires 4kV SDBDs A and B, and Division II PPL is now modeled under every load that requires 4kV SDBDs C and D.

Note that the ECCS PPL does not apply to BFN, Unit 3.

APLA-RAl-13 Regulatory Guide (RG) 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications," Section 2.3.3, states the following:

As a minimum, evaluations of CDF [core damage frequency] and LERF [large early release frequency] should be performed to support any risk-informed changes to TS.

The scope of the analysis should include all hazard groups (i.e., internal events, internal flood, internal fires, seismic events, high winds, transportation events, and other external hazards) unless it can be shown that the contribution from specific hazard groups does not affect the decision.

Section 4.4.3.5 of the LAR addresses risk from external events.

CNL-16-092 Enclosure 1, Page 3 of 11

a. The LAR states that the fire model considers spurious operation of the ECCS PPL and that adding unavailability of the ECCS PPL to the fire model would decrease CDF/LERF. The LAR does not provide sufficient information for the NRC staff to find this conclusion reasonable. If the fire PRA does not include the PPL unavailability, update the fire PRA to include the PPL unavailability associated with the proposed TS changes, as well as its unreliability, consistent with the American Society of Mechanical Engineers (ASME)/American Nuclear Society (ANS) PRA Standard ASME/ANS RA-Sa-2009, as endorsed by RG 1.200, Revision 2, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities." In addition, include changes to the internal events PRA, as appropriate, for the fire PRA. Discuss the changes made and include the results for the proposed TS changes as part of APLA-RAl-14.

TVA Response As described in the TVA letter dated May 11, 2016 (ML16133A566), Unit 1 RHR relay 10A-K73A(B) and CS relay 14A-K11A(B) provide redundant initiation signals to both the Unit 2 RHR and CS ECCS PPL logic. Actuation of the 10A-K73A relay or 14A-K11A relay energizes the 10A-K216A, 10A-K217A, and 10A-K219A relays shedding the RHR 1A and 1C pumps and energizes the 14A-K127A, 14A-K129A, and 14A-K130A relays shedding the CS 1A and 1C pumps. Similar logic is provided for Division II.

In the BFN Fire PRA, a significant amount of effort was put into modeling the conditions that would cause an overload of the SDBDs. Consideration was given to both spurious dual unit accident signals and actual dual unit accident signals. This logic was placed under new fire gates for SDBD overloads which are not contained in the BFN IE PRA models. The ECCS PPL was not intended to provide protection for overload conditions during plant fires.

However, due to the function of the system, this logic can be either a benefit or a detriment under fire conditions. For conditions where there is an actual or spurious dual accident signal, the ECCS PPL relays may prevent an SDBD overload condition, by limiting the loads on the SDBD. However, fire events that would cause significant enough damage to cause a dual unit accident signal could also affect the ECCS PPL logic function limiting its effectiveness during a fire. As can be seen from the section of the ECCS control logic figure below, there are a number of areas in the circuit where fire damage may prevent the ECCS PPL logic from blocking unwanted ECCS pumps starts which could overload the credited SDBDs. Conversely, there are also numerous locations where a spurious signal could prohibit valid ECCS system start signals, limiting the available ECCS systems to mitigate a fire event.

In the event of a fire in Fire Area 01-01, 01-02, 01-03, 01-04, 01-05, 02-01, 02-02, 02-03, 02-04, 02-05, 04, 05, 08, 09, 16, 17, or 18, credited BFN Fire PRA operator actions include inhibiting the Unit 1 and Unit 2 Low Pressure Coolant Injecti-n (LPCI) and CS auto-initiations to prevent undesired actuations. With respect to ECCS PPL, inhibiting the Unit 1 and Unit 2 LPCI and CS auto-initiations also:

1. Inhibits the auto start of CS Pumps and the auto opening of CS injection valves for the respective division,
2. Inhibits the auto start of RHR Pumps and the auto opening of LPCI injection valves for the respective division, and
3. Inhibits the ECCS PPL for CS and RHR for the respective division in the opposite Unit.

CNL-16-092 Enclosure 1, Page 4 of 11

The BFN Fire PRA cable section included overloads considering spurious accident signals and spurious start signals of large loads on the SDBDs including consideration of multiple spurious operations. Some credit was given to the ECCS PPL circuitry in the Nuclear Safety Capability Assessment (NSCA) analysis for failed equipment that was considered recovered OK-AS-IS, however, that logic (credit) was not translated into the BFN Fire PRA (i.e.,

credited only in the NSCA). Therefore, the BFN Fire PRA cable selection and circuit failure evaluations were not performed to the level that would credit the ECCS PPL logic relays listed above from preventing an SDBD overload, and is therefore considered conservative with respect to ECCS PPL logic. This is consistent with the requirements of American Society of Mechanical Engineers (ASME)/American Nuclear Society (ANS) PRA Standard ASME/ANS RA-Sa-2009, as endorsed by NRC Regulatory Guide 1.200, Revision 2.

Inclusion of the credit for the ECCS PPL logic relays would require consideration of unavailability and unreliability data, per the ASME standard. However, removal of the ECCS PPL logic from service would have no calculable effect with respect to the BFN Fire PRA because this function is not specifically credited. Detailed modeling of the ECCS PPL logic system relays, cable routing and circuit failure probabilities is expected to result in a slight change in the BFN Fire PRA Core Damage Frequency (CDF) and Large Early Release Fraction (LERF). Therefore, detailed modeling of the ECCS PPL in the BFN Fire PRA is not considered beneficial based on the expected level of effort to include this level of detail and the limited, if any, expected benefit.

In order to demonstrate that the ECCS PPL logic addition is not warranted per ASME/ANS RA-Sa-2009 and that the proposed change in Completion Time from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to seven days is acceptable, TVA performed a sensitivity analysis that included the ECCS PPL under the SDBD overload gates in the BFN Fire PRA model. This modeling prevents an SDBD overload due to the start of the large ECCS pumps if the ECCS PPL is in service. This is a very conservative approach, given that it ignores any potential fire damage to the ECCS PPL logic and the operator actions to inhibit the ECCS PPL in the event of a fire. For example, under the Unit 1 SDBD A overload gate, the non-credited RHR, RHR Service Water (RHRSW) and CS pumps are prevented from overloading the SDBD by the inclusion of the ECCS PPL logic gates. The ECCS PPL gates contain both unavailability and unreliability Basic Events. The ECCS PPL logic is assumed to be free of fire damage and allowed to function for all fire scenarios evaluated.

Due to the extensive runtimes associated with the BFN Fire PRA, only the BFN Unit 1 CDF was evaluated for this sensitivity analysis. This approach is reasonable, given that past evaluations of the ECCS PPL logic importance showed similar results (i.e., acceptability) between the CDF and LERF of BFN Units 1 and 2. Additionally, the results of the CDF evaluation provided in the table below, demonstrate that with the very conservative modeling used in response to APLA RAI 13.a, the risk effects of the ECCS PPL logic are not significant with respect to fire at BFN.

Delta CDF for ECCS PPL Completion Time Incremental Conditional Core Damage Probability (ICCDP) for Unit 1 Base CDF Unit 1 CDF w/ECCS PPL Seven Day Completion Time 5.03E-05 3.97E-05 2.03E-07 Based on the sensitivity analysis performed for Unit 1 CDF, TVA concludes that the ECCS PPL does not warrant inclusion into the BFN Fire PRA model. Because the beneficial CNL-16-092 Enclosure 1, Page 5 of 11



DVSHFWVRIWKH(&&633/ORJLFDUHQRWLQFOXGHGLQWKHPRGHOWKHUHLVQRFDOFXODEOH

LQFUHDVHLQ&')GXHWRUHPRYLQJWKH(&&633/ORJLFIURPVHUYLFHZLWKUHVSHFWWRWKH%)1

)LUH35$$GGLWLRQDOO\HYHQZLWKYHU\FRQVHUYDWLYHDVVXPSWLRQVDVVRFLDWHGZLWKWKH

EHQHILWVRILQFOXGLQJWKH(&&633/LQWKH%)1)LUH35$PRGHODVGHVFULEHGDERYHWKHULVN

RIUHPRYLQJWKLVV\VWHPIURPVHUYLFHIRUVHYHQGD\VZRXOGEHZHOOEHORZ(\HDUIRU&')



,QFRQFOXVLRQ79$KDVGHWHUPLQHGWKDWQRFKDQJHVDUHUHTXLUHGWREHPDGHWRWKH%)1

)LUH35$LQUHVSRQVHWR$3/$5$,DDQGQRDGGLWLRQDOLQIRUPDWLRQLVSURYLGHGLQWKH

UHVSRQVHWR$3/$





&1/ (QFORVXUH3DJHRI

APLA-RAl-14 If changes were made to the PRAs or other risk assessments related to APLA-RAls 5, 6.iv[6.d], 7, 8, 9, 10.d[10.c], 12, 13.a, 13.b, or 13.c, provide updated CDF, CDF, LERF, and LERF results for the LAR.

TVA Response The evaluation performed in response to APLA RAI 14 uses PRA MOR Revision 7 as a starting point. The baseline PRA MOR Revision 7 was updated to conservatively address the ECCS PPL effect on power reliability. In the NRC RAI letter dated March 21, 2016 (ML16074A126), several of the specific RAIs requested that TVA describe changes made to the PRA model in response to the RAI and include the results of the changes in the TVA response to APLA RAI 14. Each of the specific RAIs is summarized below.

The evaluation includes the following IE PRA model changes as described in the TVA responses.

The ECCS PPL fault tree logic was updated to include ECCS PPL divisional unavailability and unreliability basic events as discussed in the TVA response to APLA RAI 5 provided in this enclosure.

The effect on power reliability is addressed by including the ECCS PPL logic that essentially fails the appropriate 4kV SDBDs as discussed in the TVA response to APLA RAI 6.d provided in this enclosure. Division I of ECCS PPL is now modeled under each load that requires 4kV SDBDs A and B and Division II of ECCS PPL is modeled under each load that requires 4kV SDBDs C and D.

The baseline PRA MOR Revision 7 uses a minimum Joint Human Error Probability (JHEP) of 1E-7. However, for this evaluation, the minimum JHEP value was updated as described in the TVA response to APLA RAI 10.b provided in Enclosure 1 to the TVA letter dated April 29, 2016 (ML16123A071).

The PRA model update used in this evaluation does not include changes for the RAIs listed below. A summary of the rationale provided in the TVA RAI response is provided for each.

BFN does not have a shutdown risk PRA and uses a deterministic model to evaluate shutdown risk. As discussed in the TVA response to APLA RAI 7 provided in Enclosure 1 to the TVA letter dated May 11, 2016 (ML16133A566), there is sufficient time for operators to restore shutdown cooling without adversely affecting the unit in shutdown cooling.

The failure or unavailability of PPL is not significant for loss of decay removal scenarios in the outage unit because there is adequate time to realign power sources and load the diesel. Shutdown risk is dominated by times early in the outage when decay heat levels are high and lower-capacity decay heat removal systems are not viable. The heat load to the suppression pool during loss of decay heat removal scenarios in shutdown (i.e., during shutdown phases with the RPV intact) is also lower because of the low decay heat level. However, the time available to respond to loss of heat removal scenarios during shutdown operations is many hours long.

Early in an outage, the time available is approximately 5-10 hours; later in an outage, the time available is dozens of hours. The estimated time to uncover the core with the current licensed thermal power level is 9.9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> (8.8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> following implementation of extended power uprate (EPU)) at one day into the outage with the CNL-16-092 Enclosure 1, Page 7 of 11

RPV level at the flange. The estimated time to uncover the core exceeds 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> when the water level is flooded up into the refueling cavity.

As described in the TVA response to APLA RAI 8 provided in Enclosure 1 to the TVA letter dated April 15, 2016 (ML16106A323), the proposed changes providing explicit requirements for the UPRTL are not risk-informed. As noted in TVA response to APLA RAI 5 in this enclosure, the effect on UPRTL is not relevant because the PRA model used in this evaluation conservatively assumes that unavailability or unreliability of an ECCS PPL division causes failure of the two 4kV SDBDs associated with that division in scenarios with simultaneous accident signals.

As described in the TVA response to APLA RAI 9 provided in Enclosure 1 to the TVA letter dated April 15, 2016, the six-hour allowance in the proposed SR 3.3.8.3.1 is not a risk-informed change. The six-hour allowance that currently applies to the ECCS PPL, CAS Logic and UPRTL is not a change from the current requirements.

As described in the TVA response to APLA RAI 10.c provided in Enclosure 1 to the TVA letter dated April 29, 2016 (ML16123A071), high pressure coolant injection (HPCI) steamline breaks outside containment are excluded as an initiator from the PRA based on analysis showing that these are insignificant contributors. The calculated probabilities of HPCI, Reactor Core Isolation Cooling (RCIC) and Reactor Water Cleanup (RWCU) for an individual cutset is less than 1% of the internal events hazard group contribution. The sum of the contribution for RWCU, HPCI and RCIC breaks outside containment (i.e., ~1.5E-8) is less than 95% of the internal events hazard group. Therefore, the HPCI, RCIC, and RWCU breaks outside containment initiators are insignificant contributors to CDF and LERF and are not included in the BFN PRA model.

As described in the TVA response to APLA RAI 12 provided in Enclosure 1 to the TVA letter dated May 25, 2016 (ML16146A725), the IE PRA MOR Revision 7 represents the as-operated plant including all design changes up to the evaluation cutoff of September 2015, and there have been no modifications that meet the threshold required for an IE PRA update. As noted in the TVA response to APLA RAI 12, there are a significant number of modifications that have not been installed to date that are credited in the Fire PRA. However, interim compensatory measures were implemented, in addition to the currently existing BFN fire protection requirements and compensatory measures, that apply until the modifications are installed. Based on the TVA response to APLA RAI 12, no changes are made to the Fire PRA because the change in CDF and LERF without the credited modifications or interim compensatory measures will mask any actual risk insights related to the change in the ECCS PPL Completion Time.

As described in the TVA response to APLA RAI 13.a in this enclosure, based on the sensitivity analysis performed for BFN, Unit 1 CDF, TVA concludes that the ECCS PPL does not warrant inclusion into the BFN Fire PRA model.

As described in the TVA responses to APLA RAI 13.b and 13.c provided in Enclosure 1 to the TVA letter dated May 25, 2016 (ML16146A725), the contribution from the subject hazard groups (i.e., high winds, tornadoes, external floods, transportation, and nearby facility accidents) does not affect the risk insights for evaluation of the proposed change and is not included in the ECCS PPL evaluation.

CNL-16-092 Enclosure 1, Page 8 of 11

The ECCS PPL logic is part of the BFN Units 1 and 2 current design and the current Completion Time for ECCS PPL being out of service (i.e., inoperable) is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The evaluation calculates the change in risk (i.e., CDF and LERF) that results from changing the Completion Time for one or more inoperable divisions of ECCS PPL from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to the proposed seven days. As noted above, this evaluation used PRA MOR Revision 7 as the starting point. ECCS PPL logic was added under each of the 4kV SDBD loads that would effectively fail these boards in scenarios involving simultaneous accident signals. In addition, the minimum JHEP was changed to 1E-5 for scenarios with initial injection to the RPV failure, and 1E-6 for scenarios with initial successful RPV injection, but either injection or decay heat removal fail in the long term. The results representing divisional unavailability and unreliability are presented in the table below.

Internal Events Change in CDF/LERF for ECCS PPL Completion Time extension Baseline CDF/LERF CDF/LERF for CDF/LERF

(/year) seven day (/year)

Completion Time

(/year)

Unit 1 CDF 1.0890E-5 1.0918E-5 2.80E-8 Unit 2 CDF 9.8571E-6 9.8790E-6 2.19E-8 Unit 1 LERF 2.4312E-6 2.4363E-6 5.10E-9 Unit 2 LERF 2.3008E-6 2.3044E-6 3.60E-9 A term representing simultaneous unavailability of both divisions is not explicitly included in the model because it potentially impacts all 4kV SDBDs and would not be normally entered voluntarily. The significance is estimated using importance measures of logically equivalent events. However, if the change in CDF and LERF included this term, the change in CDF would still be very small (approximately 1.5E-7). Similarly, the change in LERF would be very small (approximately 2.4E-8). As discussed in NRC Regulatory Guide (RG) 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications,"

section 2.3, the guidelines discussed in sections 2.4 and 2.5 of RG 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," are applicable to permanent Technical Specification (TS)

Completion Time change requests. RG 1.174 provides the following acceptance guidelines.

CDF 1E no change allowed CDF 1E-6 and < 1E small change CDF < 1E very small change LERF 1E no change allowed LERF 1E-7 and < 1E small change LERF < 1E very small change Therefore, the changes in risks (i.e., CDF and LERF) presented in the table above demonstrate that the updated evaluation still yields a very small risk per RG 1.174.

CNL-16-092 Enclosure 1, Page 9 of 11

Instrumentation and Controls Branch (EICB) RAI 3 The BACKGROUND in the BASES for the new TS 3.3.8.3 for BFN, Unit 1 {page B 3.3-275; page 117 of the LAR} states, "In the event of an accident signal in either Unit 1 or Unit 2, all of the ECCS equipment associated with the accident unit will start." It further states:

The diesel generators and Standby AC Power System are designed to accommodate spurious accident signals from any unit and in any order, real followed by a spurious signal, real coincident with a spurious signal, and spurious followed by a real accident signal. If the ECCS loads for both Units 1 and 2 were allowed to start during combinations of real and spurious accident signals, the combined Unit 1 /2 ECCS pumps would overload the 4KV shutdown boards and their associated diesel generators." In CONDITIONS B and C, when one of the two logic division is inoperable (there are 2 CAS logic division and 2 unit priority re-trip logic divisions}

COMPLETION TIME to repair is 7 days, justified by the fact the other division is available. In CONDITION A, both divisions of ECCS PPL can be INOPERABLE with up to 7 days to restore, in which time there is no automatic logic and, from BFN own BASES, the plant is at risk of, "overload(ing) the 4KV shutdown boards and their associated diesel generators."

Provide an explanation why CONDITION A should not be the same as CONDITIONS B AND C in allowing only one INOPERABLE ECCS PPL.

TVA Response In response to EICB RAI 3, TVA has revised the proposed BFN, Units 1 and 2, TS 3.3.8.3, "Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic," Actions Table for the ECCS PPL.

The proposed TS 3.3.8.3 Condition A entry condition stating "One or more required ECCS Preferred Pump Logic divisions inoperable," is replaced with four entry conditions as follows:

One required ECCS Preferred Pump Logic - RHR division inoperable.

OR One required ECCS Preferred Pump Logic - Core Spray division inoperable.

OR Required ECCS Preferred Pump Logic - RHR Division I and required ECCS Preferred Pump Logic - Core Spray Division I inoperable.

OR Required ECCS Preferred Pump Logic - RHR Division II and required ECCS Preferred Pump Logic - Core Spray Division II inoperable.

The proposed TS 3.3.8.3, Condition A, Required Action and Completion Time continue to require restoration of the required ECCS Preferred Pump Logic division(s) to operable status within seven days.

CNL-16-092 Enclosure 1, Page 10 of 11

Proposed TS 3.3.8.3, Condition F is revised to include an additional entry condition stating "Two or more required ECCS Preferred Pump Logic divisions inoperable for reasons other than Condition A." The proposed TS 3.3.8.3, Condition F, Required Action and Completion Time continue to require entry into Limiting Condition for Operation 3.0.3 immediately upon entry into Condition F.

In addition, proposed TS 3.3.8.3, Table 3.3.8.3-1 is revised to include entries for the ECCS Preferred Pump Logic - RHR Function and the ECCS Preferred Pump Logic - Core Spray Function for clarity.

The TVA response to APLA RAI 6.b provided in Enclosure 1 to the TVA letter dated May 11, 2016 (ML16133A566), discussed the normal and emergency power reliability effects of inoperable ECCS PPL divisions. The changes to the proposed TS 3.3.8.3, Required Actions Table are consistent with the discussions provided in the TVA response to APLA RAI 6.b.

The results documented above in the TVA response to APLA RAI 14 show that allowing the affected unit to operate for seven days both ECCS PPL divisions inoperable is acceptable and therefore bound continued operation for seven days while operating in accordance with proposed TS 3.3.8.3, Condition A. The change in risks (i.e., CDF and LERF) determined for the TVA response to APLA RAI 14 are very small per RG. 1.174. The ICCDP and incremental conditional large early release probability (ICLERP) are calculated as the product of the change in risk multiplied by the completion time. Assuming all ECCS PPL is out of service for seven days yields very low ICCDP and ICLERP values when compared to the RG 1.177 acceptance guidelines.

In addition, the instantaneous configuration risk for all ECCS PPL out of service was examined to determine if it is acceptable. Importance measure reports for each of the cutset files were generated and the Risk Achievement Worth (RAW) value for events associated with either a single division or two divisions out of service were used to determine the risk significance for ECCS PPL out of service. The RAW importance measures for each of the components is less than two and the corresponding Fussell-Vesely (FV) is less than 0.005.

These results demonstrate that the risk associated with taking ECCS PPL out of service is not significant. This is based on comparing the FV and RAW values for the components to the basic event importance criteria defined in the ASME/ANS RA-SB-2013 PRA Standard.

The revised proposed TS 3.3.8.3 and associated Bases for BFN Units 1 and 2 are provided in Enclosure 3 to this letter.

CNL-16-092 Enclosure 1, Page 11 of 11

ENCLOSURE 2 Tennessee Valley Authority Browns Ferry Nuclear Plant, Units 1, 2, and 3 Summary of BFN Request for Additional Information Response Dates CNL-16-092 Enclosure 2, Page 1 of 3

Request for Additional Due Date Information (RAI) Question Actual Date of Response Number Electrical Engineering Branch (EEEB)

EEEB RAI 1 May 11, 2016 CNL-16-078, May 11, 2016 EEEB RAI 2 May 11, 2016 CNL-16-078, May 11, 2016 EEEB RAI 3 May 11, 2016 CNL-16-078, May 11, 2016 EEEB RAI 4 May 11, 2016 CNL-16-078, May 11, 2016 Instrumentation and Controls Branch (EICB)

EICB RAI 1 May 11, 2016 CNL-16-078, May 11, 2016 EICB RAI 2 May 11, 2016 CNL-16-078, May 11, 2016 EICB RAI 3 June 16, 2016 CNL-16-092, June 16, 2016 Probabilistic Risk Assessment Branch (PRA) Licensing Branch (APLA)

APLA RAI 1 April 15, 2016 CNL-16-066, April 15, 2016 APLA RAI 2 April 15, 2016 CNL-16-066, April 15, 2016 APLA RAI 3 April 15, 2016 CNL-16-066, April 15, 2016 APLA RAI 4 May 11, 2016 CNL-16-078, May 11, 2016 APLA RAI 5 June 16, 2016 CNL-16-092, June 16, 2016 APLA RAI 6a May 11, 2016 CNL-16-078, May 11, 2016 APLA RAI 6b May 11, 2016 CNL-16-078, May 11, 2016 APLA RAI 6c May 11, 2016 CNL-16-078, May 11, 2016 APLA RAI 6d June 16, 2016 CNL-16-092, June 16, 2016 APLA RAI 7 May 11, 2016 CNL-16-078, May 11, 2016 APLA RAI 8 April 15, 2016 CNL-16-066, April 15, 2016 APLA RAI 9 April 15, 2016 CNL-16-066, April 15, 2016 CNL-16-092 Enclosure 2, Page 2 of 3

Request for Additional Due Date Information (RAI) Question Actual Date of Response Number APLA RAI 10 April 29, 2016 CNL-16-076, April 29, 2016 APLA RAI 11 April 29, 2016 CNL-16-076, April 29, 2016 APLA RAI 12 May 25, 2016 CNL-16-082, May 25, 2015 APLA RAI 13a June 16, 2016 CNL-16-092, June 16, 2016 APLA RAI 13b May 25, 2016 CNL-16-082, May 25, 2015 APLA RAI 13c May 25, 2016 CNL-16-082, May 25, 2015 APLA RAI 14 June 16, 2016 CNL-16-092, June 16, 2016 APLA RAI 15 May 25, 2016 CNL-16-082, May 25, 2015 APLA RAI 16 April 29, 2016 CNL-16-076, April 29, 2016 Summary April 15, 2016: APLA RAI 1, 2, 3, 8, 9 April 29, 2016: APLA RAI 10, 11, 16 May 11, 2016: APLA RAI 4, 6a, 6b, 6c, 7; EEEB RAI 1, 2, 3, 4; EICB RAI 1, 2 May 25, 2016: APLA RAI 12, 13b, 13c, 15 June 16, 2016: APLA RAI 5, 6d,13a, 14; EICB RAI 3 CNL-16-092 Enclosure 2, Page 3 of 3

ENCLOSURE 3 Tennessee Valley Authority Browns Ferry Nuclear Plant, Units 1, 2, and 3 Revised Proposed Technical Specifications and Associated Bases provides the revised proposed Browns Ferry Nuclear Plant Unit 1 and Unit 2 Technical Specification 3.3.8.3, "Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic," and associated revised proposed Bases as discussed in the TVA response to Instrumentation and Controls Branch (EICB) Request for Additional Information RAI 3 provided in Enclosure 1 to this letter.

CNL-16-092 Enclosure 3, Page 1 of 25

ENCLOSURE 3 Tennessee Valley Authority Browns Ferry Nuclear Plant, Units 1, 2, and 3 Revised Proposed Technical Specifications and Associated Bases Attachment 1 Revised Proposed BFN, Unit 1 TS 3.3.8.3 CNL-16-092 Enclosure 3, Page 2 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 3.3 INSTRUMENTATION 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic LCO 3.3.8.3 The logic systems for each FUNCTION in Table 3.3.8.3-1 shall be OPERABLE.

APPLICABILITY: According to Table 3.3.8.3-1.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One required ECCS A.1 Restore required ECCS 7 days Preferred Pump Logic - Preferred Pump Logic RHR division inoperable. division(s) to OPERABLE.

OR One required ECCS Preferred Pump Logic -

Core Spray division inoperable.

OR Required ECCS Preferred Pump Logic -

RHR Division I and required ECCS Preferred Pump Logic -

Core Spray Division I inoperable.

OR Required ECCS Preferred Pump Logic -

RHR Division II and required ECCS Preferred Pump Logic -

Core Spray Division II inoperable.

(continued)

BFN-Unit 1 3.3-78 CNL-16-092 Enclosure 3, Page 3 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME B. One CAS Logic division B.1 Restore logic division to 7 days inoperable. OPERABLE status.

C. One Unit Priority Re-Trip C.1 Restore logic division to 7 days Logic division OPERABLE status.

inoperable.

D. Required Action and D.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> associated Completion Time of Condition A, B, AND or C not met in MODE 1, 2, or 3. D.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> E. Required Action and E.1 ------------NOTE-------------- Immediately associated Completion Only applicable in MODE 4 Time of Condition A not and 5.

met in MODE 4 or 5 with -----------------------------------

Unit 2 in MODE 1, 2, or 3. Declare associated ECCS components inoperable.

F. Two or more required F.1 Enter LCO 3.0.3. Immediately ECCS Preferred Pump Logic divisions inoperable for reasons other than Condition A.

OR Two divisions of CAS Logic inoperable.

OR Two divisions of Unit Priority Re-Trip Logic inoperable.

BFN-Unit 1 3.3-79 CNL-16-092 Enclosure 3, Page 4 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.8.3.1 -----------------------------NOTES-----------------------------

1. When a division is placed in an inoperable status solely for performance of required Surveillance, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated redundant division is OPERABLE.
2. Breakers associated with Unit 2 are not required 24 months to actuate for proper completion of this Surveillance.

Perform LOGIC SYSTEM FUNCTIONAL TEST including breaker actuation.

BFN-Unit 1 3.3-80 CNL-16-092 Enclosure 3, Page 5 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 Table 3.3.8.3-1 (page 1 of 1)

Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS),

and Unit Priority Re-Trip Logic APPLICABLE MODES OR OTHER SPECIFIED FUNCTION CONDITIONS REQUIRED DIVISIONS

1. ECCS Preferred Pump 1,2,3 2 Logic - RHR 4(a),5(a) (b)
2. ECCS Preferred Pump 1,2,3 2 Logic - Core Spray 4(a),5(a) (b)
3. CAS Logic 1,2,3 2
4. Unit Priority Re-Trip Logic 1,2,3 2 (a) When associated RHR or Core Spray pumps are required to be OPERABLE, or are in operation, and Unit 2 is in MODE 1, 2, or 3.

(b) The number of Required Divisions is dependent on the configuration of the RHR or Core Spray pumps required to be OPERABLE, or are in operation.

BFN-Unit 1 3.3-81 CNL-16-092 Enclosure 3, Page 6 of 25

ENCLOSURE 3 Tennessee Valley Authority Browns Ferry Nuclear Plant, Units 1, 2, and 3 Revised Proposed Technical Specifications and Associated Bases Attachment 2 Revised Proposed BFN, Unit 2 TS 3.3.8.3 CNL-16-092 Enclosure 3, Page 7 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 3.3 INSTRUMENTATION 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic LCO 3.3.8.3 The logic systems for each FUNCTION in Table 3.3.8.3-1 shall be OPERABLE.

APPLICABILITY: According to Table 3.3.8.3-1.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One required ECCS A.1 Restore required ECCS 7 days Preferred Pump Logic - Preferred Pump Logic RHR division inoperable. division(s) to OPERABLE.

OR One required ECCS Preferred Pump Logic -

Core Spray division inoperable.

OR Required ECCS Preferred Pump Logic -

RHR Division I and required ECCS Preferred Pump Logic -

Core Spray Division I inoperable.

OR Required ECCS Preferred Pump Logic -

RHR Division II and required ECCS Preferred Pump Logic -

Core Spray Division II inoperable.

(continued)

BFN-Unit 2 3.3-80 CNL-16-092 Enclosure 3, Page 8 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME B. One CAS Logic division B.1 Restore logic division to 7 days inoperable. OPERABLE status.

C. One Unit Priority Re-Trip C.1 Restore logic division to 7 days Logic division OPERABLE status.

inoperable.

D. Required Action and D.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> associated Completion Time of Condition A, B, AND or C not met in MODE 1, 2, or 3. D.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> E. Required Action and E.1 ------------NOTE-------------- Immediately associated Completion Only applicable in MODE 4 Time of Condition A not and 5.

met in MODE 4 or 5 with -----------------------------------

Unit 1 in MODE 1, 2, or 3. Declare associated ECCS components inoperable.

F. Two or more required F.1 Enter LCO 3.0.3. Immediately ECCS Preferred Pump Logic divisions inoperable for reasons other than Condition A.

OR Two divisions of CAS Logic Inoperable.

OR Two divisions of Unit Priority Re-Trip Logic inoperable.

BFN-Unit 2 3.3-81 CNL-16-092 Enclosure 3, Page 9 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.8.3.1 -----------------------------NOTES-----------------------------

1. When a division is placed in an inoperable status solely for performance of required Surveillance, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated redundant division is OPERABLE.
2. Breakers associated with Unit 1 are not required 24 months to actuate for proper completion of this Surveillance.

Perform LOGIC SYSTEM FUNCTIONAL TEST including breaker actuation.

BFN-Unit 2 3.3-82 CNL-16-092 Enclosure 3, Page 10 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic 3.3.8.3 Table 3.3.8.3-1 (page 1 of 1)

Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS),

and Unit Priority Re-Trip Logic APPLICABLE MODES OR OTHER SPECIFIED FUNCTION CONDITIONS REQUIRED DIVISIONS

1. ECCS Preferred Pump 1,2,3 2 Logic 4(a),5(a) (b)
2. CAS Logic 1,2,3 2
3. Unit Priority Re-Trip Logic 1,2,3 2 (a) When associated RHR or Core Spray pumps are required to be OPERABLE, or are in operation, and Unit 1 is in MODE 1, 2, or 3.

(b) The number of Required Divisions is dependent on the configuration of the RHR or Core Spray pumps required to be OPERABLE, or are in operation.

BFN-Unit 2 3.3-83 CNL-16-092 Enclosure 3, Page 11 of 25

ENCLOSURE 3 Tennessee Valley Authority Browns Ferry Nuclear Plant, Units 1, 2, and 3 Revised Proposed Technical Specifications and Associated Bases Attachment 3 Revised Proposed BFN, Unit 1 TS 3.3.8.3 Bases CNL-16-092 Enclosure 3, Page 12 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 B 3.3.8.3 INSTRUMENTATION B 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic BASES BACKGROUND In the event of an accident signal in either Unit 1 or Unit 2, all of the ECCS equipment associated with the accident unit will start. All eight diesel generators in the plant will be started on an accident signal in any unit as a pre-emergency action in case of a subsequent power blackout.

The diesel generators and Standby AC Power System are designed to accommodate spurious accident signals from any unit and in any order, real followed by a spurious signal, real coincident with a spurious signal, and spurious followed by a real accident signal. If the ECCS loads for both Units 1 and 2 were allowed to start during combinations of real and spurious accident signals, the combined Unit 1/2 ECCS pumps would overload the 4KV shutdown boards and their associated diesel generators.

During combinations of real and spurious accident signals, the Units 1 and 2 ECCS preferred pump logic will assign the Unit 1 ECCS loads to the Division I 4KV shutdown boards and the Unit 2 ECCS loads to the Division II 4KV shutdown boards. If any Residual Heat Removal (RHR) or Core Spray pumps were already running in the opposite unit (e.g., for shutdown cooling), the core spray and low pressure coolant injection (LPCI) logic (i.e., LCO 3.3.5.1 Functions 1.a, 1.b, 1.c, 2.a, 2.b, 2.c) would send redundant signals to initiate the ECCS preferred pump logic to trip the opposite units running RHR and Core Spray pumps. The ECCS preferred pump logic signal also inhibits the RHR and Core Spray pumps automatic start logic in the opposite unit (after 60 seconds, manual control of the pumps is restored). This ensures that any running RHR or Core Spray pumps in the opposite unit would be tripped, unloading the Unit 1/2 4KV shutdown boards prior to the accident unit starting its ECCS pumps on a real accident signal. For combinations of real and spurious accident signals, the Unit 1 and 2 ECCS preferred pump logic would allow the Unit 1 Division I RHR and Core Spray pumps (1A and 1C) to start and load on the Division I 4KV shutdown boards, and the Unit 2 Division II RHR and Core Spray pumps (2B and 2D) to start and load on the Division II 4KV shutdown boards. This action would ensure that the shared Unit 1/2 4KV shutdown boards are not overloaded while still maintaining the minimum number of required ECCS injection subsystems.

If an accident signal were initiated in only one unit (Unit 1 or 2) and any RHR or Core Spray pumps were already running in the opposite non-accident unit (e.g., for shutdown cooling), the Core Spray and LPCI logic would send redundant signals to initiate the ECCS preferred pump logic BFN-UNIT 1 B 3.3-275 Rev.

CNL-16-092 Enclosure 3, Page 13 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES to trip all of the non-accident units running RHR and Core Spray pumps.

This ensures that any running RHR or Core Spray pumps in the non-accident unit would be tripped, unloading the Unit 1 and 2 4kV shutdown boards prior to the accident unit starting all of its ECCS pumps (both divisions) on an accident signal, with or without a loss of offsite power.

The Core Spray low reactor vessel water level (LCO 3.3.5.1 Function 1.a) or high drywell pressure (LCO 3.3.5.1 Function 1.b) coincident with low reactor pressure signals (LCO 3.3.5.1 Function 1.c) are used to generate a CAS, which affects the operation of components associated with all three units. The CAS performs the following functions:

  • sends a signal to start all eight diesel generators for Unit 1/2 and Unit 3
  • trips the diesel generator output breakers (if closed)
  • defeats selected diesel generator protective trips
  • blocks the 4kV Shutdown Board auto transfer logic
  • trips and blocks the fire pumps A, B, and C auto start logic
  • blocks subsequent RHRSW (aligned to EECW) pump start signal (if already running)
  • blocks the 4kV degraded voltage trips
  • trips the RHRSW pumps A2 and C2
  • trips the Raw Cooling Water (RCW) pump 1D Following the initiation of a CAS on either Unit 2 or 3 (which trips all eight diesel breakers), subsequent accident signal trips of the diesel breakers are blocked. A second diesel breaker trip on a "unit priority" basis is provided to ensure that during combinations of spurious and real accident signals, the diesel supplied buses are stripped prior to starting the RHR pumps and other ECCS loads. This diesel breaker re-trip would only occur if a spurious accident signal or a real accident signal from the other unit had previously tripped the diesel breakers. Inputs from the LPCI initiation circuitry indicating low reactor vessel water level (LCO 3.3.5.1 Function 2.a) or high drywell pressure (LCO 3.3.5.1 Function 2.b) coincident with low reactor pressure (LCO 3.3.5.1 Function 2.c),

combined with an existing CAS trip signal, will re-trip the diesel breakers on the unit where the LPCI initiation signal originated. The other unit's diesels would be unaffected by this second trip. Thus each unit is given priority over the block of subsequent CAS diesel breaker trips for its diesels. This diesel breaker Unit Priority Re-Trip ensures that the diesel buses are stripped prior to starting the RHR (LPCI) pumps, Core Spray pumps and other required loads. For Units 1 and 2 only, with a real and spurious accident signal present, the Unit 1 initiated unit priority re-trip signal will only re-trip the Division I diesel breakers while the Unit 2 initiated unit priority re-trip signal will only re-trip the Division II diesel breakers. This would ensure that a spurious unit priority re-trip signal BFN-UNIT 1 B 3.3-276 Rev.

CNL-16-092 Enclosure 3, Page 14 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES would not re-trip all four Unit 1/2 diesel breakers, which would result in interrupting both divisions RHR and Core Spray pumps supplying the opposite unit in a real accident.

The ECCS Preferred Pump, CAS, and Unit Priority Re-Trip logics are discussed in the UFSAR, Sections 7.4.3 and 8.5.4 (Refs. 1 and 2, respectively).

APPLICABLE For Units 1 and 2 only, the RHR and Core Spray pumps for both units are SAFETY powered from the same 4kV shutdown boards. If the ECCS loads for ANALYSES, both Units 1 and 2 were allowed to start during combinations of real and LCO, and spurious accident signals, the combined Unit 1/2 ECCS pumps would APPLICABILITY overload the 4kV shutdown boards and their associated diesel generators on a loss of offsite power, and the 4kV shutdown buses if normal power were available. Two ECCS Preferred Pump Logic - RHR divisions and two ECCS Preferred Pump Logic - Core Spray divisions are required to be OPERABLE to ensure that at least one is available, assuming that a single failure disables the other division coincident with a DBA. The Unit 1/2 ECCS Preferred Pump Logic ensures that the shared Unit 1/2 kV shutdown boards are not overloaded while still maintaining the minimum number of required ECCS injection subsystems.

The Core Spray logic initiated CAS and the LPCI logic initiated Unit Priority Re-Trip are required to ensure that the shared Unit 1/2 4KV shutdown boards are stripped prior to starting the RHR pumps, Core Spray pumps, and other required loads when the shutdown boards are being supplied by the diesel generators.

The ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

The OPERABILITY of the ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic is dependent upon the OPERABILITY of the individual logic Functions specified in Table 3.3.8.3-1. Each Function must have the required number of divisions. In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS initiation to mitigate the consequences of a design basis transient or accident. There are no Allowable Values associated with these logic systems.

Table 3.3.8.3-1 Footnote (a) is added to address ECCS Preferred Pump Logic OPERABILITY requirements in MODES 4 and 5 and Unit 2 is in MODE 1, 2, or 3. Table 3.3.8.3-1 Footnote (b) is added to address the number of Required Divisions in MODES 4 and 5. Either Division I, Division II, or both may be required to be OPERABLE in MODE 4 or 5.

RHR and Core Spray Pumps 1A and 1C, respectively, are associated BFN-UNIT 1 B 3.3-277 Rev.

CNL-16-092 Enclosure 3, Page 15 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES with Division I, while RHR and Core Spray pumps 1B and 1D, respectively, are associated with Division II.

Two divisions of CAS and Unit Priority Re-Trip Logics are required to be OPERABLE to ensure that at least one is available, assuming that a single failure disables the other division coincident with a DBA. These logic systems must be OPERABLE to ensure the DGs would perform and alignments would occur as assumed during a DBA.

In MODES 1, 2, and 3, the CAS and Unit Priority Re-Trip Logics are required to be OPERABLE consistent with the OPERABILITY requirements of the diesel generators.

In MODES 4, and 5, the CAS and Unit Priority Re-Trip Logic are not required to be OPERABLE because the diesel generators are not required to be OPERABLE.

ACTIONS A.1 With one required division of ECCS Preferred Pump Logic -RHR or ECCS Preferred Pump Logic -Core Spray inoperable, or with ECCS Preferred Pump Logic - RHR and ECCS Preferred Pump Logic - Core Spray in the same division inoperable, the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division(s) of ECCS Preferred Pump Logic is capable of performing its intended function.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 7 day Completion Time takes into account a reasonable time for repairs, and the low probability of a DBA occurring during this period.

B.1 With one division of CAS Logic inoperable, the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of CAS Logic is capable of performing its intended function.

The 7 day Completion Time takes into account the capability of the remaining division of common accident signal logic, reasonable time for repairs, and the low probability of a DBA occurring during this period.

BFN-UNIT 1 B 3.3-278 Rev.

CNL-16-092 Enclosure 3, Page 16 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES C.1 With one division of Unit Priority Re-Trip Logic inoperable, the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of Unit Priority Re-Trip Logic is capable of performing its intended function.

The 7 day Completion Time takes into account the capability of the remaining division of common accident signal logic, reasonable time for repairs, and the low probability of a DBA occurring during this period.

D.1 and D.2 If the required ECCS Preferred Pump, CAS, or Unit Priority Re-Trip Logic division(s) cannot be restored to OPERABLE status within the associated Completion Time in MODE 1, 2, or 3, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, and in MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1 If the required ECCS Preferred Pump Logic division(s) cannot be restored to OPERABLE status within the associated Completion Time in MODE 4 or 5, the associated ECCS components must be declared inoperable.

F.1 Condition F corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

SURVEILLANCE SR 3.3.8.3.1 REQUIREMENTS The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the ECCS Preferred Pump Logic for a specific division.

The system functional test of the breakers is included as a part of this test, overlapping the LOGIC SYSTEM FUNCTIONAL TEST, to provide complete testing of the safety function. Therefore, if a breaker is BFN-UNIT 1 B 3.3-279 Rev.

CNL-16-092 Enclosure 3, Page 17 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES incapable of operating, the associated logic would also be inoperable.

The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlaps this Surveillance to complete testing of the assumed safety function.

The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the CAS and Unit Priority Re-Trip Logics for a specified division. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 and the DG testing performed by SR 3.8.1.6 overlap this Surveillance to complete testing of the assumed safety function.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience with these components supports performance of the Surveillance at the 24 month Frequency.

SR 3.3.8.3.1 is modified by two Notes. Note 1 indicates that when a channel is placed in an inoperable status solely for performance of Surveillance, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated redundant division is OPERABLE Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the division must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on Probabilistic Risk Assessment (PRA) performed by TVA (Ref. 3) in accordance with RG 1.177 (Ref. 4). The PRA demonstrated that the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that the ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logics will initiate when necessary.

Note 2 indicates that testing of the Unit 2 breakers is not required for a successful test. This allowance is necessary to preclude unnecessary challenges to an operating unit. Testing of the Unit 2 breakers is required by Unit 2 SR 3.3.8.3.1.

REFERENCES 1. UFSAR, Section 7.4.3.

2. UFSAR, Section 8.5.4.
3. PRA Evaluation Response BFN-0-14-042, Revision 2.
4. Regulatory Guide (RG) 1.177, "An Approach For Plant-Specific Decision Making: Technical Specifications."

BFN-UNIT 1 B 3.3-280 Rev.

CNL-16-092 Enclosure 3, Page 18 of 25

ENCLOSURE 3 Tennessee Valley Authority Browns Ferry Nuclear Plant, Units 1, 2, and 3 Revised Proposed Technical Specifications and Associated Bases Attachment 4 Revised Proposed BFN, Unit 2 TS 3.3.8.3 Bases CNL-16-092 Enclosure 3, Page 19 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 B 3.3.8.3 INSTRUMENTATION B 3.3.8.3 Emergency Core Cooling System (ECCS) Preferred Pump, Common Accident Signal (CAS), and Unit Priority Re-Trip Logic BASES BACKGROUND In the event of an accident signal in either Unit 1 or Unit 2, all of the ECCS equipment associated with the accident unit will start. All eight diesel generators in the plant will be started on an accident signal in any unit as a pre-emergency action in case of a subsequent power blackout.

The diesel generators and Standby AC Power System are designed to accommodate spurious accident signals from any unit and in any order, real followed by a spurious signal, real coincident with a spurious signal, and spurious followed by a real accident signal. If the ECCS loads for both Units 1 and 2 were allowed to start during combinations of real and spurious accident signals, the combined Unit 1/2 ECCS pumps would overload the 4KV shutdown boards and their associated diesel generators.

During combinations of real and spurious accident signals, the Units 1 and 2 ECCS preferred pump logic will assign the Unit 1 ECCS loads to the Division I 4KV shutdown boards and the Unit 2 ECCS loads to the Division II 4KV shutdown boards. If any Residual Heat Removal (RHR) or Core Spray pumps were already running in the opposite unit (e.g., for shutdown cooling), the core spray and low pressure coolant injection (LPCI) logic (i.e., LCO 3.3.5.1 Functions 1.a, 1.b, 1.c, 2.a, 2.b, 2.c) would send redundant signals to initiate the ECCS preferred pump logic to trip the opposite units running RHR and Core Spray pumps. The ECCS preferred pump logic signal also inhibits the RHR and Core Spray pumps automatic start logic in the opposite unit (after 60 seconds, manual control of the pumps is restored). This ensures that any running RHR or Core Spray pumps in the opposite unit would be tripped, unloading the Unit 1/2 4KV shutdown boards prior to the accident unit starting its ECCS pumps on a real accident signal. For combinations of real and spurious accident signals, the Unit 1 and 2 ECCS preferred pump logic would allow the Unit 1 Division I RHR and Core Spray pumps (1A and 1C) to start and load on the Division I 4KV shutdown boards, and the Unit 2 Division II RHR and Core Spray pumps (2B and 2D) to start and load on the Division II 4KV shutdown boards. This action would ensure that the shared Unit 1/2 4KV shutdown boards are not overloaded while still maintaining the minimum number of required ECCS injection subsystems.

If an accident signal were initiated in only one unit (Unit 1 or 2) and any RHR or Core Spray pumps were already running in the opposite non-accident unit (e.g., for shutdown cooling), the Core Spray and LPCI logic would send redundant signals to initiate the ECCS preferred pump logic BFN-UNIT 2 B 3.3-278 Rev.

CNL-16-092 Enclosure 3, Page 20 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES to trip all of the non-accident units running RHR and Core Spray pumps.

This ensures that any running RHR or Core Spray pumps in the non-accident unit would be tripped, unloading the Unit 1 and 2 4kV shutdown boards prior to the accident unit starting all of its ECCS pumps (both divisions) on an accident signal, with or without a loss of offsite power.

The Core Spray low reactor vessel water level (LCO 3.3.5.1 Function 1.a) or high drywell pressure (LCO 3.3.5.1 Function 1.b) coincident with low reactor pressure signals (LCO 3.3.5.1 Function 1.c) are used to generate a CAS, which affects the operation of components associated with all three units. The CAS performs the following functions:

  • sends a signal to start all eight diesel generators for Unit 1/2 and Unit 3
  • trips the diesel generator output breakers (if closed)
  • defeats selected diesel generator protective trips
  • blocks the 4kV Shutdown Board auto transfer logic
  • trips and blocks the fire pumps A, B, and C auto start logic
  • blocks subsequent RHRSW (aligned to EECW) pump start signal (if already running)
  • blocks the 4kV degraded voltage trips
  • trips the RHRSW pumps A2 and C2
  • trips the Raw Cooling Water (RCW) pump 1D Following the initiation of a CAS on either Unit 2 or 3 (which trips all eight diesel breakers), subsequent accident signal trips of the diesel breakers are blocked. A second diesel breaker trip on a "unit priority" basis is provided to ensure that during combinations of spurious and real accident signals, the diesel supplied buses are stripped prior to starting the RHR pumps and other ECCS loads. This diesel breaker re-trip would only occur if a spurious accident signal or a real accident signal from the other unit had previously tripped the diesel breakers. Inputs from the LPCI initiation circuitry indicating low reactor vessel water level (LCO 3.3.5.1 Function 2.a) or high drywell pressure (LCO 3.3.5.1 Function 2.b) coincident with low reactor pressure (LCO 3.3.5.1 Function 2.c),

combined with an existing CAS trip signal, will re-trip the diesel breakers on the unit where the LPCI initiation signal originated. The other unit's diesels would be unaffected by this second trip. Thus each unit is given priority over the block of subsequent CAS diesel breaker trips for its diesels. This diesel breaker Unit Priority Re-Trip ensures that the diesel buses are stripped prior to starting the RHR (LPCI) pumps, Core Spray pumps and other required loads. For Units 1 and 2 only, with a real and spurious accident signal present, the Unit 1 initiated unit priority re-trip signal will only re-trip the Division I diesel breakers while the Unit 2 initiated unit priority re-trip signal will only re-trip the Division II diesel breakers. This would ensure that a spurious unit priority re-trip signal BFN-UNIT 2 B 3.3-279 Rev.

CNL-16-092 Enclosure 3, Page 21 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES would not re-trip all four Unit 1/2 diesel breakers, which would result in interrupting both divisions RHR and Core Spray pumps supplying the opposite unit in a real accident.

The ECCS Preferred Pump, CAS, and Unit Priority Re-Trip logics are discussed in the UFSAR, Sections 7.4.3 and 8.5.4 (Refs. 1 and 2, respectively).

APPLICABLE For Units 1 and 2 only, the RHR and Core Spray pumps for both units are SAFETY powered from the same 4kV shutdown boards. If the ECCS loads for ANALYSES, both Units 1 and 2 were allowed to start during combinations of real and LCO, and spurious accident signals, the combined Unit 1/2 ECCS pumps would APPLICABILITY overload the 4kV shutdown boards and their associated diesel generators on a loss of offsite power, and the 4kV shutdown buses if normal power were available. Two ECCS Preferred Pump Logic - RHR divisions and two ECCS Preferred Pump Logic - Core Spray divisions are required to be OPERABLE to ensure that at least one is available, assuming that a single failure disables the other division coincident with a DBA. The Unit 1/2 ECCS Preferred Pump Logic ensures that the shared Unit 1/2 kV shutdown boards are not overloaded while still maintaining the minimum number of required ECCS injection subsystems.

The Core Spray logic initiated CAS and the LPCI logic initiated Unit Priority Re-Trip are required to ensure that the shared Unit 1/2 4KV shutdown boards are stripped prior to starting the RHR pumps, Core Spray pumps, and other required loads when the shutdown boards are being supplied by the diesel generators.

The ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

The OPERABILITY of the ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic is dependent upon the OPERABILITY of the individual logic Functions specified in Table 3.3.8.3-1. Each Function must have the required number of divisions. In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS initiation to mitigate the consequences of a design basis transient or accident. There are no Allowable Values associated with these logic systems.

Table 3.3.8.3-1 Footnote (a) is added to address ECCS Preferred Pump Logic OPERABILITY requirements in MODES 4 and 5 and Unit 1 is in MODE 1, 2, or 3. Table 3.3.8.3-1 Footnote (b) is added to address the number of Required Divisions in MODES 4 and 5. Either Division I, Division II, or both may be required to be OPERABLE in MODE 4 or 5.

RHR and Core Spray Pumps 2A and 2C, respectively, are associated BFN-UNIT 2 B 3.3-280 Rev.

CNL-16-092 Enclosure 3, Page 22 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES with Division I, while RHR and Core Spray pumps 2B and 2D, respectively, are associated with Division II.

Two divisions of CAS and Unit Priority Re-Trip Logics are required to be OPERABLE to ensure that at least one is available, assuming that a single failure disables the other division coincident with a DBA. These logic systems must be OPERABLE to ensure the DGs would perform and alignments would occur as assumed during a DBA.

In MODES 1, 2, and 3, the CAS and Unit Priority Re-Trip Logics are required to be OPERABLE consistent with the OPERABILITY requirements of the diesel generators.

In MODES 4, and 5, the CAS and Unit Priority Re-Trip Logic are not required to be OPERABLE because the diesel generators are not required to be OPERABLE.

ACTIONS A.1 With one required division of ECCS Preferred Pump Logic -RHR or ECCS Preferred Pump Logic -Core Spray inoperable, or with ECCS Preferred Pump Logic - RHR and ECCS Preferred Pump Logic - Core Spray in the same division inoperable, the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems.

In this condition, however, the remaining division(s) of ECCS Preferred Pump Logic is capable of performing its intended function.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 7 day Completion Time takes into account a reasonable time for repairs, and the low probability of a DBA occurring during this period.

B.1 With one division of CAS Logic inoperable, the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of CAS Logic is capable of performing its intended function.

The 7 day Completion Time takes into account the capability of the remaining division of common accident signal logic, reasonable time for repairs, and the low probability of a DBA occurring during this period.

BFN-UNIT 2 B 3.3-281 Rev.

CNL-16-092 Enclosure 3, Page 23 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES C.1 With one division of Unit Priority Re-Trip Logic inoperable, the plant electrical system response is degraded, and the potential for inappropriate electrical system alignment is increased with attendant potential challenge to plant safety systems. In this condition, however, the remaining division of Unit Priority Re-Trip Logic is capable of performing its intended function.

The 7 day Completion Time takes into account the capability of the remaining division of common accident signal logic, reasonable time for repairs, and the low probability of a DBA occurring during this period.

D.1 and D.2 If the required ECCS Preferred Pump, CAS, or Unit Priority Re-Trip Logic division(s) cannot be restored to OPERABLE status within the associated Completion Time in MODE 1, 2, or 3, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, and in MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1 If the required ECCS Preferred Pump Logic division(s) cannot be restored to OPERABLE status within the associated Completion Time in MODE 4 or 5, the associated ECCS components must be declared inoperable.

F.1 Condition F corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

SURVEILLANCE SR 3.3.8.3.1 REQUIREMENTS The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the ECCS Preferred Pump Logic for a specific division.

The system functional test of the breakers is included as a part of this test, overlapping the LOGIC SYSTEM FUNCTIONAL TEST, to provide complete testing of the safety function. Therefore, if a breaker is BFN-UNIT 2 B 3.3-282 Rev.

CNL-16-092 Enclosure 3, Page 24 of 25

ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logic B 3.3.8.3 BASES incapable of operating, the associated logic would also be inoperable.

The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlaps this Surveillance to complete testing of the assumed safety function.

The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the CAS and Unit Priority Re-Trip Logics for a specified division. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 and the DG testing performed by SR 3.8.1.6 overlap this Surveillance to complete testing of the assumed safety function.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience with these components supports performance of the Surveillance at the 24 month Frequency.

SR 3.3.8.3.1 is modified by two Notes. Note 1 indicates that when a channel is placed in an inoperable status solely for performance of Surveillance, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated redundant division is OPERABLE Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the division must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on Probabilistic Risk Assessment (PRA) performed by TVA (Ref. 3) in accordance with RG 1.177 (Ref. 4). The PRA demonstrated that the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that the ECCS Preferred Pump, CAS, and Unit Priority Re-Trip Logics will initiate when necessary.

Note 2 indicates that testing of the Unit 1 breakers is not required for a successful test. This allowance is necessary to preclude unnecessary challenges to an operating unit. Testing of the Unit 1 breakers is required by Unit 1 SR 3.3.8.3.1.

REFERENCES 1. UFSAR, Section 7.4.3.

2. UFSAR, Section 8.5.4.
3. PRA Evaluation Response BFN-0-14-042, Revision 2.
4. Regulatory Guide (RG) 1.177, "An Approach For Plant-Specific Decision Making: Technical Specifications."

BFN-UNIT 2 B 3.3-283 Rev.

CNL-16-092 Enclosure 3, Page 25 of 25

Retrieved from "https://kanterella.com/w/index.php?title=CNL-16-092,_Response_to_NRC_Request_for_Additional_Information_Related_to_License_Amendment_Request_for_Adding_New_Specifications_to_Technical_Specification_3.3.8.3_(BFN-TS-486)_(CAC_Nos._MF6738,_MF6739,_and_MF6740)-_Letter_5&oldid=2443714"