Text

Technical Specification Bases, Revision 37, Reactor Coolant System (RCS) (Part 2 of 2)
	ML20160A080
Person / Time
Site:	Beaver Valley
Issue date:	05/20/2020
From:	; Energy Harbor Nuclear Corp
To:	; Office of Nuclear Reactor Regulation
Shared Package
ML20160A057	List: L-20-051, Technical Specification Bases, Revision 37, Reactor Coolant System (RCS) (Part 2 of 2); ML20160A058; ML20160A059; ML20160A060; ML20160A062; ML20160A063; ML20160A064; ML20160A065; ML20160A066; ML20160A067; ML20160A068; ML20160A069; ML20160A070; ML20160A071; ML20160A072; ML20160A073; ML20160A074; ML20160A075; ML20160A076; ML20160A077; ML20160A078; ML20160A079;
References
	L-20-051
	Download: ML20160A080 (348)
	v • d • e

Pressurizer Safety Valves B 3.4.10 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.10 Pressurizer Safety Valves BASES BACKGROUND The pressurizer safety valves provide, in conjunction with the Reactor Protection System, overpressure protection for the RCS. The Unit 1 pressurizer safety valves are totally enclosed, pilot-actuated, self-actuated valves. The Unit 2 pressurizer safety valves are totally enclosed pop type, spring loaded, self actuated valves with backpressure compensation. The safety valves are designed to prevent the system pressure from exceeding the system Safety Limit (SL), 2735 psig, which is 110% of the design pressure.

Because the safety valves are totally enclosed and self actuating, they are considered independent components. The rated relief capacity for each valve at both units is 345,000 lbm/hr. The capacity of the pressurizer safety valves is based on the valve geometry. The pressurizer safety valve capacity is used in the analysis of the complete loss of steam flow to the turbine event, to demonstrate that the capacity is sufficient to maintain RCS pressure below 110% of the design pressure.

The discharge flow from the pressurizer safety valves is directed to the pressurizer relief tank. This discharge flow is indicated by an increase in temperature downstream of the pressurizer safety valves or increase in the pressurizer relief tank temperature or level.

Overpressure protection is required in MODES 1, 2, 3, 4, and 5; however, in MODE 4, with one or more RCS cold leg temperatures the enable temperature specified in the PTLR, and MODE 5 and MODE 6 with the reactor vessel head on, overpressure protection is provided by operating procedures and by meeting the requirements of LCO 3.4.12, "Overpressure Protection System (OPPS)."

The upper and lower pressure limits are based on the 1% tolerance requirement (Ref. 1) for lifting pressures above 1000 psig. The 1% ASME tolerance requirement is met by assuring the as left lift setting is within 1% of 2485 psig. The lift setting is for the ambient conditions associated with MODES 1, 2, and 3. This requires either that the valves be set hot or that a correlation between hot and cold settings be established.

The pressurizer safety valves are part of the primary success path and mitigate the effects of postulated accidents. OPERABILITY of the safety valves ensures that the RCS pressure will be limited to 110% of design pressure. The consequences of exceeding the American Society of Mechanical Engineers (ASME) pressure limit (Ref. 1) could include damage to RCS components, increased leakage, or a requirement to perform additional stress analyses prior to resumption of reactor operation.

Beaver Valley Units 1 and 2 B 3.4.10 - 1 Revision 24

Pressurizer Safety Valves B 3.4.10 BASES APPLICABLE All accident and safety analyses in the UFSAR (Ref. 2) that require safety SAFETY valve actuation assume operation of three pressurizer safety valves to ANALYSES limit increases in RCS pressure. The overpressure protection analysis (Ref. 3) is also based on operation of three safety valves. Accidents that could result in overpressurization if not properly terminated include:

a. Uncontrolled rod withdrawal at power,

b. Loss of reactor coolant flow,

c. Loss of external electrical load,

d. Loss of normal feedwater,

e. Loss of all AC power to station auxiliaries, and

f. Locked rotor.

Detailed analyses of the above transients are contained in Reference 2.

Safety valve actuation is required in events a, c, d, e, and f (above) to limit the pressure increase. The analysis for some of these events also model the PORVs, because modeling the PORVs leads to more limiting analysis results. Therefore, pressurizer safety valve actuation may not be required in the analysis of these events. Compliance with this LCO is consistent with the design bases and accident analyses assumptions.

Pressurizer safety valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The three pressurizer safety valves are set to open at the RCS design pressure (2485 psig), and within the ASME specified tolerance, to avoid exceeding the maximum design pressure SL, to maintain accident analyses assumptions, and to comply with ASME requirements. The safety valves are OPERABLE if the lift settings are found within +/- 3% for Unit 1 and +1.6%/-3% for Unit 2. The upper and lower pressure tolerance limits are based on the +/- 1% tolerance requirements (Reference 1) for lifting pressures above 1000 psig. The 1% ASME tolerance requirement is met by assuring the as left lift setting is within 1% of 2485 psig. The limit protected by this Specification is the reactor coolant pressure boundary (RCPB) SL of 110% of design pressure. Inoperability of one or more valves could result in exceeding the SL if a transient were to occur.

The consequences of exceeding the ASME pressure limit could include damage to one or more RCS components, increased leakage, or additional stress analysis being required prior to resumption of reactor operation.

Beaver Valley Units 1 and 2 B 3.4.10 - 2 Revision 0

Pressurizer Safety Valves B 3.4.10 BASES APPLICABILITY In MODES 1, 2, and 3, and portions of MODE 4 above the OPPS enable temperature, OPERABILITY of three valves is required because the combined capacity is required to keep reactor coolant pressure below 110% of its design value during certain accidents. MODE 3 and portions of MODE 4 are conservatively included, although the listed accidents may not require the safety valves for protection.

The LCO is not applicable in MODE 4 when any RCS cold leg temperature is the enable temperature specified in the PTLR or in MODE 5 because overpressure protection is provided by the OPPS.

Overpressure protection is not required in MODE 6 with the reactor vessel head off.

The Applicability is modified by a Note that allows the lift settings of the safety valves to be verified and set in place when the plant is hot if this method of setting the valves is to be used. Alternate methods of verifying the lift settings (i.e., sending the valves to a test facility) may be used as well, in which case the Note may be ignored. The Note allows entry into MODES 3 and 4 with the lift settings outside the LCO limits. This permits testing and examination of the safety valves at high pressure and temperature near their normal operating range, but only after the valves have had a preliminary cold setting. The cold setting gives assurance that the valves are OPERABLE near their design condition. Only one valve at a time will be removed from service for testing. The 54 hour6.25e-4 days 0.015 hours 8.928571e-5 weeks 2.0547e-5 months exception is based on 18 hour2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months outage time for each of the three valves.

The 18 hour2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months period is derived from operating experience that hot testing can be performed in this timeframe.

ACTIONS A.1 With one pressurizer safety valve inoperable, restoration must take place within 15 minutes. The Completion Time of 15 minutes reflects the importance of maintaining the RCS Overpressure Protection System. An inoperable safety valve coincident with an RCS overpressure event could challenge the integrity of the pressure boundary.

B.1 and B.2 If the Required Action of A.1 cannot be met within the required Completion Time or if two or more pressurizer safety valves are inoperable, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 with any RCS cold leg temperatures the enable temperature specified in the PTLR within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant Beaver Valley Units 1 and 2 B 3.4.10 - 3 Revision 0

Pressurizer Safety Valves B 3.4.10 BASES ACTIONS (continued) systems. With any RCS cold leg temperatures at or below the enable temperature specified in the PTLR, overpressure protection is provided by the OPPS. The change from MODE 1, 2, or 3 to MODE 4 reduces the RCS energy (core power and pressure), lowers the potential for large pressurizer insurges, and thereby removes the need for overpressure protection by three pressurizer safety valves.

SURVEILLANCE SR 3.4.10.1 REQUIREMENTS SRs are specified in the INSERVICE TESTING PROGRAM. Pressurizer safety valves are to be tested in accordance with the requirements of the ASME Code (Ref. 4), which provides the activities and Frequencies necessary to satisfy the SRs. The lift setting shall correspond to ambient conditions of the valve at nominal temperature and pressure. Nominal temperature and pressure includes MODE 3 operating conditions as provided in the Applicability Note allowing 54 hours6.25e-4 days 0.015 hours 8.928571e-5 weeks 2.0547e-5 months for testing and examination of the valves in MODE 3. No additional requirements are specified.

The pressurizer safety valve setpoints are +/- 3% of 2485 psig for Unit 1 and +1.6%/-3% of 2485 psig for Unit 2 for OPERABILITY; however, the valves are reset to +/- 1% of 2485 psig during the Surveillance to allow for drift.

REFERENCES 1. ASME, Boiler and Pressure Vessel Code,Section III.

2. UFSAR Chapter 14 (Unit 1), and UFSAR Chapter 15 (Unit 2).

3. WCAP-7769, October 1971 (Unit 1) and WCAP-7769, Rev. 1, June 1972 (Unit 2).

4. ASME code for Operation and Maintenance of Nuclear Power Plants.

Beaver Valley Units 1 and 2 B 3.4.10 - 4 Revision 34

Pressurizer PORVs B 3.4.11 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.11 Pressurizer Power Operated Relief Valves (PORVs)

BASES BACKGROUND The pressurizer is equipped with two types of devices for pressure relief:

pressurizer safety valves and PORVs. The PORVs are controlled to open at a specific set pressure when the pressurizer pressure increases and close when the pressurizer pressure decreases. The PORVs may also be manually operated from the control room.

Block valves, which are normally open, are located between the pressurizer and the PORVs. The block valves are used to isolate the PORVs in case of excessive leakage or a stuck open PORV. Block valve closure is accomplished manually using controls in the control room. A stuck open PORV is, in effect, a small break loss of coolant accident (LOCA). As such, block valve closure terminates the RCS depressurization and coolant inventory loss.

The PORVs and their associated block valves may be used by plant operators to depressurize the RCS to recover from certain transients if normal pressurizer spray is not available. Additionally, the series arrangement of the PORVs and their block valves permit performance of surveillances on the valves during power operation.

The PORVs may also be used for feed and bleed core cooling in the case of multiple equipment failure events that are not within the design basis, such as a total loss of feedwater.

Unit 1 has three air-operated DC powered PORVs. Each PORV is provided with a separate nitrogen backup supply in addition to the normal air supply. Two of the three PORVs are powered from separate trains of DC power. The associated block valves are powered from 480 VAC 1E power supplies. Two of the three block valves are powered from separate trains of AC Power.

Unit 2 has three solenoid-operated DC powered PORVs. Two of the three PORVs are powered from separate trains of DC power. The associated block valves are powered from 480 VAC 1E power supplies.

Two of the three block valves are powered from separate trains of AC power such that each PORV and associated block valve are powered from the same train (Ref. 1).

Each PORV has a relief capacity of 210,000 lbm/hr at 2500 psia for Unit 1, and 232,000 lbm/hr at 2350 psia for Unit 2. The functional design of the PORVs is based on maintaining pressure below the Pressurizer Beaver Valley Units 1 and 2 B 3.4.11 - 1 Revision 0

Pressurizer PORVs B 3.4.11 BASES BACKGROUND (continued)

Pressure - High reactor trip setpoint following a step reduction of 50% of full load with steam dump. In addition, the PORVs minimize challenges to the pressurizer safety valves and also may be used for low temperature overpressure protection. See LCO 3.4.12, "Overpressure Protection System (OPPS)."

APPLICABLE Plant operators employ the PORVs to depressurize the RCS in response SAFETY to certain plant transients if normal pressurizer spray is not available. For ANALYSES the Steam Generator Tube Rupture (SGTR) event, the safety analysis assumes that manual operator actions are required to mitigate the event.

A loss of offsite power is assumed to accompany the event, and thus, normal pressurizer spray is unavailable to reduce RCS pressure. The PORVs are assumed to be used for RCS depressurization, which is one of the steps performed to equalize the primary and secondary pressures in order to terminate the primary to secondary break flow and the radioactive releases from the affected steam generator.

The PORVs are also modeled in safety analyses for events that result in increasing RCS pressure for which departure from nucleate boiling ratio (DNBR) criteria are critical (Ref. 2). By assuming PORV actuation, the primary pressure remains below the high pressurizer pressure trip setpoint; thus, the DNBR calculation is more conservative. As such, this actuation is not required to mitigate these events, and PORV automatic operation is, therefore, not an assumed safety function.

Pressurizer PORVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The LCO requires the PORVs and their associated block valves to be OPERABLE for manual operation to mitigate the effects associated with an SGTR.

By maintaining at least two PORVs and their associated block valves OPERABLE, two flow paths are provided for RCS pressure control. An OPERABLE block valve may be either open and energized with the capability to be closed, or closed and energized with the capability to be opened, since the required safety function is accomplished by manual operation. Although typically open to allow PORV operation, the block valves may be OPERABLE when closed to isolate the flow path of an inoperable PORV that is capable of being manually cycled (e.g., as in the case of excessive PORV leakage). Similarly, isolation of an OPERABLE PORV does not render that PORV or block valve inoperable provided the relief function remains available with manual action.

Beaver Valley Units 1 and 2 B 3.4.11 - 2 Revision 0

Pressurizer PORVs B 3.4.11 BASES LCO (continued)

An OPERABLE PORV is required to be capable of manually opening and closing, and not experiencing excessive seat leakage. Excessive seat leakage, although not associated with a specific acceptance criteria, exists when conditions dictate closure of the block valve to limit leakage.

Satisfying the LCO helps minimize challenges to fission product barriers.

APPLICABILITY In MODES 1, 2, and 3, the PORV and its block valve are required to be OPERABLE to limit the potential for a small break LOCA through the flow path. The most likely cause for a PORV small break LOCA is a result of a pressure increase transient that causes the PORV to open. Imbalances in the energy output of the core and heat removal by the secondary system can cause the RCS pressure to increase to the PORV opening setpoint. The most rapid increases will occur at the higher operating power and pressure conditions of MODES 1 and 2. The PORVs are also required to be OPERABLE in MODES 1, 2, and 3 for manual actuation to mitigate a steam generator tube rupture event.

Pressure increases are less prominent in MODE 3 because the core input energy is reduced, but the RCS pressure is high. Therefore, the LCO is applicable in MODES 1, 2, and 3. The LCO is not applicable in MODES 4, 5, and 6 with the reactor vessel head in place when both pressure and core energy are decreased and the pressure surges become much less significant. LCO 3.4.12 addresses the PORV requirements in these MODES.

ACTIONS A Note has been added to clarify that all pressurizer PORVs and block valves are treated as separate entities, each with separate Completion Times (i.e., the Completion Time is on a component basis).

A.1 PORVs may be inoperable and capable of being manually cycled (e.g.,

excessive seat leakage). In this condition, either the PORVs must be restored or the flow path isolated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The associated block valve is required to be closed, but power must be maintained to the associated block valve, since removal of power would render the block valve inoperable. This permits operation of the plant until the next refueling outage (MODE 6) so that maintenance can be performed on the PORVs to eliminate the problem condition.

Quick access to the PORV for pressure control can be made when power remains on the closed block valve. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is based on plant operating experience that has shown that minor problems can be corrected or closure accomplished in this time period.

Beaver Valley Units 1 and 2 B 3.4.11 - 3 Revision 0

Pressurizer PORVs B 3.4.11 BASES ACTIONS (continued)

B.1, B.2, and B.3 If one or two PORVs is inoperable and not capable of being manually cycled, it must be either restored, or isolated by closing the associated block valve and removing the power to the associated block valve. The Completion Times of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months are reasonable, based on challenges to the PORVs during this time period, and provide the operator adequate time to correct the situation. If the inoperable valve cannot be restored to OPERABLE status, it must be isolated within the specified time. With only one PORV inoperable and not capable of being manually cycled and Required Actions B.1 and B.2 met, operation may continue until the next refueling outage (MODE 6) when the inoperable PORV can be repaired.

Continued operation is acceptable because the two remaining PORVs are OPERABLE and provide two flow paths for RCS pressure control.

In addition to the isolation requirements described above, Required Action B.3 requires that one PORV be restored to OPERABLE status in 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The Required Action is modified by a Note that specifies that Required Action B.3 is only applicable if two PORVs are inoperable. With two of the three PORVs inoperable, one PORV must be restored to OPERABLE status or capable of being manually cycled in order to assure redundant PORV flow paths are available. The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to restore the required PORV to OPERABLE status or capable of being manually cycled is reasonable because one PORV remains OPERABLE during this time. If the required PORV cannot be restored within this additional time, the plant must be brought to a MODE in which the LCO does not apply, as required by Condition D.

C.1, C.2.1, and C.2.2 If one PORV block valve is inoperable, either the block valve must be closed or the associated PORV placed in manual control in one hour. If the block valve is closed, it is accomplishing the prime functional requirement (to isolate the associated PORV to prevent an inadvertent RCS depressurization). In this case, operation may continue until the next refueling outage (MODE 6) when the inoperable block valve can be repaired. Continued operation is acceptable because the two remaining block valves and PORVs are OPERABLE and provide two flow paths for RCS pressure control.

Beaver Valley Units 1 and 2 B 3.4.11 - 4 Revision 0

Pressurizer PORVs B 3.4.11 BASES ACTIONS (continued)

If the inoperable block valve can not be closed, it is incapable of performing the prime functional requirement of isolating an inoperable PORV to prevent an inadvertent RCS depressurization. Therefore, if the block valve cannot be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , the Required Action is to place the PORV in manual control to preclude its automatic opening for an overpressure event and to avoid the potential for a stuck open PORV at a time that the block valve is inoperable. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is reasonable, based on the small potential for challenges to the system during this time period, and provides the operator time to correct the situation. Because two PORVs remain OPERABLE, the operator is permitted a Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to restore the inoperable block valve to OPERABLE status. The time allowed to restore the block valve is based upon the Completion Time for restoring an inoperable PORV in Condition B, since the PORV may not be capable of mitigating an event if the inoperable block valve is not full open. If the block valve is restored within the Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , the PORV may be restored to automatic operation. If it cannot be restored within this additional time, the plant must be brought to a MODE in which the LCO does not apply, as required by Condition D.

The Required Actions C.1, C.2.1, and C.2.2 are modified by a Note stating that the Required Actions do not apply if the sole reason for the block valve being declared inoperable is as a result of power being removed to comply with other Required Actions. In this event, the Required Actions for inoperable PORV(s) (which require the block valve power to be removed once it is closed) are adequate to address the condition. While it may be desirable to also place the PORV(s) in manual control, this may not be possible for all causes of Condition B or E entry with PORV(s) inoperable and not capable of being manually cycled (e.g.,

as a result of failed control power fuse(s) or control switch malfunction(s)).

D.1 and D.2 If the Required Action of Condition A, B, or C is not met, then the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. In MODES 4 and 5, automatic PORV OPERABILITY may be required. See LCO 3.4.12.

Beaver Valley Units 1 and 2 B 3.4.11 - 5 Revision 0

Pressurizer PORVs B 3.4.11 BASES ACTIONS (continued)

E.1, E.2, E.3, and E.4 If three PORVs are inoperable and not capable of being manually cycled, it is necessary to either restore at least one valve within the Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months or isolate the flow path by closing and removing the power to the associated block valves. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is reasonable, based on the small potential for challenges to the system during this time and provides the operator time to correct the situation. If no PORVs are restored within the Completion Time, then the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. In MODES 4 and 5, automatic PORV OPERABILITY may be required. See LCO 3.4.12.

F.1, F.2, and F.3 If more than one block valve is inoperable, Required Action F.1 requires that the associated PORVs be placed in manual control within one hour.

Placing the PORVs in manual control precludes automatic opening for an overpressure event and avoids the potential for a stuck open PORV at a time that the block valve(s) are inoperable.

Required Action F.2 requires one block valve to be restored to OPERABLE status within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . The Required Action is modified by a Note that specifies Required Action F.2 is only applicable if three block valves are inoperable. With three block valves inoperable, no fully OPERABLE PORV flow path exists and Action must be taken to restore at least one block valve to OPERABLE status in two hours. The Completion Time of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months is reasonable, based on the small potential for challenges to the system during this time and provide the operator some time to correct the situation.

Required Action F.3 requires that one block valve be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The Required Action is modified by a Note that specifies that Required Action F.3 is applicable if two block valves are inoperable. With two of the three block valves inoperable, one block valve must be restored to OPERABLE status in order to assure redundant PORV flow paths are available. The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to restore the required block valve to OPERABLE status is reasonable because one other block valve remains OPERABLE during this time.

Beaver Valley Units 1 and 2 B 3.4.11 - 6 Revision 0

Pressurizer PORVs B 3.4.11 BASES ACTIONS (continued)

The Required Actions F.1, F.2, and F.3 are modified by a Note stating that the Required Actions do not apply if the sole reason for the block valve being declared inoperable is a result of power being removed to comply with other Required Actions. In this event, the Required Actions for inoperable PORV(s) (which require the block valve power to be removed once it is closed) are adequate to address the condition. While it may be desirable to also place the PORV(s) in manual control, this may not be possible for all causes of Condition B or E entry with PORV(s) inoperable and not capable of being manually cycled (e.g., as a result of failed control power fuse(s) or control switch malfunctions(s)).

G.1 and G.2 If the Required Actions of Condition F are not met, then the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. In MODES 4 and 5, automatic PORV OPERABILITY may be required. See LCO 3.4.12.

SURVEILLANCE SR 3.4.11.1 REQUIREMENTS Block valve cycling verifies that the valve(s) can be opened and closed if needed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note. The Note modifies this SR by stating that it is not required to be performed with the block valve closed in accordance with the Required Actions of this LCO. Opening the block valve in this condition increases the risk of an unisolable leak from the RCS since the PORV is already inoperable.

SR 3.4.11.2.1 and SR 3.4.11.2.2 These Unit 1 and 2 surveillances require a complete cycle of each PORV.

Operating a PORV through one complete cycle ensures that the PORV can be manually actuated for mitigation of an SGTR. In addition, the Unit 1 Surveillance (SR 3.4.11.2.1) requires that each PORV be cycled using both the normal air supply and the backup nitrogen supply. Cycling the Unit 1 PORVs using both the normal and backup supply systems actuates the solenoid control valves and check valves to ensure that both Beaver Valley Units 1 and 2 B 3.4.11 - 7 Revision 29

Pressurizer PORVs B 3.4.11 BASES SURVEILLANCE REQUIREMENTS (continued) the normal and backup supplies are fully functional. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The surveillances are modified by Notes that identify the Unit for which each Surveillance is applicable.

REFERENCES 1. Regulatory Guide 1.32, February 1977.

2. UFSAR Chapter 14 (Unit 1), and UFSAR Chapter 15 (Unit 2).

Beaver Valley Units 1 and 2 B 3.4.11 - 8 Revision 29

OPPS B 3.4.12 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.12 Overpressure Protection System (OPPS)

BASES BACKGROUND The OPPS controls RCS pressure at low temperatures so the integrity of the reactor coolant pressure boundary (RCPB) is not compromised by violating the pressure and temperature (P/T) limits of 10 CFR 50, Appendix G (Ref. 1). The reactor vessel is the limiting RCPB component for demonstrating such protection. The PTLR provides the maximum allowable actuation logic setpoints for the power operated relief valves (PORVs) and the maximum RCS pressure for the existing RCS cold leg temperature during cooldown, shutdown, and heatup to meet the Reference 1 requirements during the MODES when low temperature overpressure protection is required.

The reactor vessel material is less resistant to pressure stress at low temperatures than at normal operating temperature. As the vessel neutron exposure accumulates, the material toughness decreases (Ref. 2). RCS pressure, therefore, is maintained low at low temperatures and is increased only as temperature is increased.

The potential for vessel overpressurization is most acute when the RCS is water solid, occurring only while shutdown; a pressure fluctuation can occur more quickly than an operator can react to relieve the condition.

Exceeding the RCS P/T limits by a significant amount could cause brittle cracking of the reactor vessel. LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits," requires administrative control of RCS pressure and temperature during heatup and cooldown to prevent exceeding the PTLR limits.

This LCO provides RCS overpressure protection by having a minimum coolant input capability and having adequate pressure relief capacity.

Limiting coolant input capability requires all but one charging pump incapable of injection into the RCS and isolating the accumulators. In addition, the Unit 1 ECCS automatic high head safety injection (HHSI) flow path must be isolated. The pressure relief capacity requires either two redundant RCS relief valves or a depressurized RCS and an RCS vent of sufficient size. One RCS relief valve or the open RCS vent is the overpressure protection device that acts to terminate an increasing pressure event.

With coolant input capability limited to one charging pump, the ability to provide additional core coolant is restricted. Due to the lower pressures in the MODES when low temperature overpressure protection is required and the lower core decay heat levels, the makeup system can provide Beaver Valley Units 1 and 2 B 3.4.12 - 1 Revision 0

OPPS B 3.4.12 BASES BACKGROUND (continued) adequate flow via the makeup control valve. If conditions require the use of more than one charging pump for makeup in the event of loss of inventory, then additional pumps can be made available through manual actions.

The OPPS for pressure relief consists of two PORVs with reduced lift settings, or a depressurized RCS and an RCS vent of sufficient size. Two RCS relief valves are required for redundancy. One RCS relief valve has adequate relieving capability to keep from overpressurization for the required coolant input capability.

PORV Requirements As designed for the OPPS, each PORV is signaled to open if the RCS pressure approaches a limit determined by the OPPS actuation logic.

The OPPS actuation logic monitors both RCS temperature and RCS pressure (Unit 2) and RCS pressure (Unit 1) and determines when a condition not acceptable in the PTLR limits is approached. For Unit 2, the wide range RCS temperature indications are auctioneered to select the lowest temperature signal.

In Unit 2, the lowest RCS temperature signal is processed through a function generator that calculates a pressure limit for that temperature.

The calculated pressure limit is then compared with the indicated RCS pressure from a wide range pressure channel. If the indicated pressure meets or exceeds the calculated value, a PORV is signaled to open.

The PTLR presents the PORV setpoints for OPPS. In Unit 1, each PORV has the same setpoint. In Unit 2, the setpoints are staggered so only one valve opens during a low temperature overpressure transient. Having the setpoints of both valves within the limits in the PTLR ensures that the Reference 1 limits will not be exceeded in any analyzed event.

When a PORV is opened in an increasing pressure transient, the release of coolant will cause the pressure increase to slow and reverse. As the PORV releases coolant, the RCS pressure decreases until a reset pressure is reached and the valve is signaled to close. The pressure continues to decrease below the reset pressure as the valve closes.

Beaver Valley Units 1 and 2 B 3.4.12 - 2 Revision 0

OPPS B 3.4.12 BASES BACKGROUND (continued)

RCS Vent Requirements Once the RCS is depressurized, a vent exposed to the containment atmosphere or pressurizer relief tank will maintain the RCS at containment ambient pressure in an RCS overpressure transient, if the relieving requirements of the transient do not exceed the capabilities of the vent. Thus, the vent path must be capable of relieving the flow resulting from the limiting low temperature overpressure mass or heat input transient, and maintaining pressure below the P/T limits. The required vent capacity may be provided by one or more vent paths.

For an RCS vent to meet the flow capacity requirement, it must be the required size. The RCS vent requirement may be satisfied by removing a pressurizer safety valve, or similarly establishing a vent by opening an RCS vent valve of the required size. The vent must be above the level of reactor coolant, so as not to drain the RCS when open.

APPLICABLE In MODES 1, 2, and 3, and in MODE 4 with all RCS cold leg SAFETY temperatures > the OPPS enable temperature specified in the PTLR, ANALYSES the pressurizer safety valves will prevent RCS pressure from exceeding the Reference 1 limits. Analyses (Ref. 3) demonstrate that the reactor vessel is adequately protected against exceeding the Reference 1 P/T limits. When any RCS cold leg temperature is the OPPS enable temperature specified in the PTLR, overpressure prevention is provided by two OPERABLE RCS PORVs or a depressurized and vented RCS with a sufficient sized RCS vent. Each of these means has a limited overpressure relief capability.

The actual temperature at which the pressure in the P/T limit curve falls below the pressurizer safety valve setpoint increases as the reactor vessel material toughness decreases due to neutron embrittlement. Each time the PTLR curves are revised, the OPPS must be re-evaluated to ensure its functional requirements can still be met using the RCS relief valve method or the depressurized and vented RCS condition.

The PTLR contains the acceptance limits that define the OPPS requirements. Any change to the RCS must be evaluated against the Reference 3 analyses to determine the impact of the change on the low temperature overpressure protection acceptance limits.

Transients that are capable of overpressurizing the RCS are categorized as either mass or heat input transients. The OPPS design basis mass and heat input transients are discussed below.

Beaver Valley Units 1 and 2 B 3.4.12 - 3 Revision 0

OPPS B 3.4.12 BASES APPLICABLE SAFETY ANALYSES (continued)

Mass Input Type Transients

a. Inadvertent safety injection with one charging pump injecting into the RCS via the automatic SI header for Unit 2 or

b. One charging pump injecting into the RCS via the normal charging header with letdown flow isolated for Unit 1.

Heat Input Type Transients Reactor coolant pump (RCP) startup with temperature asymmetry between the RCS and steam generators.

The following are required during the MODES when low temperature overpressure protection is required to ensure that mass and heat input transients do not occur, which either of the low temperature overpressure protection means cannot provide sufficient relief capacity:

a. Rendering all but one charging pump incapable of injection,

b. Deactivating the accumulator discharge isolation valves in their closed positions,

c. Deactivating the Unit 1 ECCS automatic HHSI isolation valves in their closed positions (to isolate the SI flow path) and

d. Disallowing the start of an RCP if the secondary temperature is more than the limit specified in LCO 3.4.6, "RCS Loops - MODE 4,"

and LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled."

The Reference 3 analyses demonstrate that either one RCS relief valve or the depressurized RCS and RCS vent can maintain RCS pressure below the P/T limits when only one charging pump is capable of injecting into the RCS. Thus, the LCO allows only one charging pump capable of injecting into the RCS during the MODES when low temperature overpressure protection is required. The LCO also requires the accumulators isolation when accumulator pressure is greater than or equal to the maximum RCS pressure for the existing RCS cold leg temperature allowed in the PTLR.

The isolated accumulators must have their discharge valves closed with the valve power removed. In addition to the isolation of the accumulators, the Unit 1 ECCS automatic HHSI flow path must be isolated with power removed from the isolation valves. The isolation of the Unit 1 automatic HHSI flow path is necessary to prevent an inadvertent SI actuation from potentially overpressurizing the RCS. The SI flow path was not Beaver Valley Units 1 and 2 B 3.4.12 - 4 Revision 0

OPPS B 3.4.12 BASES APPLICABLE SAFETY ANALYSES (continued) considered in the Unit 1 OPPS setpoint analysis. The isolation of the Unit 2 SI flow path is not required as the Unit 2 OPPS setpoint analysis considers an inadvertent SI actuation and demonstrates that the Unit 2 OPPS has sufficient capacity to prevent an overpressurization event.

Fracture mechanics and the OPPS setpoint analyses established the temperature of OPPS Applicability, which is the OPPS enable temperature specified in the PTLR.

PORV Performance The fracture mechanics analyses show that the vessel is protected when the PORVs are set to open at or below the limit shown in the PTLR. The setpoints are verified by analyses that model the performance of the OPPS, for the low temperature overpressure transients of one charging pump injecting into the RCS and the start of an RCP when the steam generator secondary side temperature is less than or equal to 50°F higher than the RCS cold leg temperatures. These analyses consider pressure overshoot and undershoot beyond the PORV opening and closing, resulting from signal processing and valve stroke times. The PORV setpoints at or below the derived limit ensure the Reference 1 P/T limits will be met.

The PORV setpoints in the PTLR will be updated when the revised P/T limits are no longer protected by the low temperature overpressure analysis limits. The P/T limits are periodically modified as the reactor vessel material toughness decreases due to neutron embrittlement caused by neutron irradiation. Revised limits are determined using neutron fluence projections and the results of examinations of the reactor vessel material irradiation surveillance specimens. The Bases for LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits," discuss these examinations.

The PORVs are considered active components. Thus, the failure of one PORV is assumed to represent the worst case, single active failure.

RCS Vent Performance With the RCS depressurized, analyses show a vent size of 2.07 square inches for Unit 1 or 3.14 square inches for Unit 2 is capable of mitigating the allowed low temperature overpressure transient. The capacity of a vent this size is greater than the flow of the limiting transient for the OPPS configuration, one charging pump capable of injecting into the RCS, maintaining RCS pressure less than the maximum pressure on the P/T limit curve.

Beaver Valley Units 1 and 2 B 3.4.12 - 5 Revision 0

OPPS B 3.4.12 BASES APPLICABLE SAFETY ANALYSES (continued)

The RCS vent is passive and is not subject to active failure.

The OPPS satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO requires that the OPPS is OPERABLE. The OPPS is OPERABLE when the minimum coolant input is limited and pressure relief capabilities are OPERABLE. Violation of this LCO could lead to the loss of low temperature overpressure mitigation and violation of the Reference 1 limits as a result of an operational transient.

To limit the coolant input capability, the LCO requires that a maximum of one charging pump be capable of injecting into the RCS, and all accumulator discharge isolation valves be closed and immobilized (when accumulator pressure is greater than or equal to the maximum RCS pressure for the existing RCS cold leg temperature allowed in the PTLR).

In addition, the Unit 1 ECCS automatic HHSI flow path must be isolated with power removed from the isolation valves to prevent an inadvertent SI from overpressurizing the RCS.

The LCO is modified by three Notes. Note 1 allows two charging pumps to be made capable of injecting for 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months during pump swap operations. One hour provides sufficient time to safely complete the actual transfer and to complete the administrative controls and surveillance requirements associated with the swap. The intent is to minimize the actual time that more than one charging pump is physically capable of injection. Note 2 states that an accumulator may be unisolated when the accumulator pressure is less than the maximum RCS pressure for the existing RCS cold leg temperature, as allowed by the P/T limit curves. This Note permits the accumulator discharge isolation valve Surveillance to be performed only under these pressure and temperature conditions. Note 3 pertains to the Unit 1 specific requirement for the ECCS automatic HHSI flow path to be isolated. The Note provides an allowance for the isolation valves to be opened for the purposes of flow testing or valve stroke testing. The allowance provided by this Note is acceptable as valve position is administratively controlled during testing activities such that the valves can be closed if necessary.

Beaver Valley Units 1 and 2 B 3.4.12 - 6 Revision 0

OPPS B 3.4.12 BASES LCO (continued)

The elements of the LCO that provide low temperature overpressure mitigation through pressure relief are:

a. Two OPERABLE PORVs, A PORV is OPERABLE for OPPS when its block valve is open, its lift setpoint is set to the limit required by the PTLR and testing proves its ability to open at this setpoint, and motive power is available to the two valves and their control circuits, or

b. A depressurized RCS and an RCS vent.

An RCS vent is OPERABLE when open with an area of 2.07 square inches for Unit 1 or 3.14 square inches for Unit 2.

Each of these methods of overpressure prevention is capable of mitigating the limiting low temperature overpressure transient.

APPLICABILITY This LCO is applicable in MODE 4 when any RCS cold leg temperature is the OPPS enable temperature specified in the PTLR, in MODE 5, and in MODE 6 when the reactor vessel head is on. The pressurizer safety valves provide overpressure protection that meets the Reference 1 P/T limits above the OPPS enable temperature specified in the PTLR. When the reactor vessel head is off, overpressurization cannot occur.

LCO 3.4.3 provides the operational P/T limits for all MODES.

LCO 3.4.10, "Pressurizer Safety Valves," requires the OPERABILITY of the pressurizer safety valves that provide overpressure protection during MODES 1, 2, and 3, and MODE 4 above the OPPS enable temperature specified in the PTLR.

Low temperature overpressure prevention is most critical during shutdown when the RCS is water solid, and a mass or heat input transient can cause a very rapid increase in RCS pressure when little or no time allows operator action to mitigate the event.

Beaver Valley Units 1 and 2 B 3.4.12 - 7 Revision 0

OPPS B 3.4.12 BASES ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable OPPS.

There is an increased risk associated with entering MODE 4 from MODE 5 and MODE 5 from MODE 6 with OPPS inoperable and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

A.1 With two or more charging pumps capable of injecting into the RCS, RCS overpressurization is possible.

To immediately initiate action to restore restricted coolant input capability to the RCS reflects the urgency of removing the RCS from this condition.

B.1, C.1, and C.2 An unisolated accumulator requires isolation within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . This is only required when the accumulator pressure is greater than or equal to the maximum RCS pressure for the existing temperature allowed by the P/T limit curves.

If isolation is needed and cannot be accomplished in 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , Required Action C.1 and Required Action C.2 provide two options, either of which must be performed in the next 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The two options are increasing the RCS temperature to > the OPPS enable temperature specified in the PTLR or depressurizing the accumulators below the OPPS limit in the PTLR.

The Completion Times are based on operating experience that these activities can be accomplished in these time periods and on the low likelihood that an event requiring the OPPS will occur during the allowed times.

D.1 In MODE 4 when any RCS cold leg temperature is the OPPS enable temperature specified in the PTLR, with one required RCS PORV inoperable, the RCS PORV must be restored to OPERABLE status within a Completion Time of 7 days. Two RCS PORVs are required to provide low temperature overpressure mitigation while withstanding a single failure of an active component.

The Completion Time considers the facts that only one of the RCS PORVs is required to mitigate an overpressure transient and that the likelihood of an active failure of the remaining valve path during this time period is very low.

Beaver Valley Units 1 and 2 B 3.4.12 - 8 Revision 0

OPPS B 3.4.12 BASES ACTIONS (continued)

E.1 The consequences of operational events that will overpressurize the RCS are more severe at lower temperature (Ref. 4). Thus, with one of the two RCS PORVs inoperable in MODE 5 or in MODE 6 with the head on, the Completion Time to restore two PORVs to OPERABLE status is 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

The Completion Time represents a reasonable time to investigate and repair several types of PORV failures without exposure to a lengthy period with only one OPERABLE RCS PORV to protect against overpressure events.

F.1 Action Condition F is only applicable to Unit 1. If the Unit 1 ECCS automatic HHSI flow path is unisolated for reasons other than permitted in LCO Note 3, action must be taken to isolate the flow path and remove power from the valve(s) used to isolate the flow path. One hour is allowed to accomplish this action.

The Completion Time of one hour is a reasonable time to accomplish the required task and considers the low likelihood of an overpressure event occurring in this time.

Condition F is modified by a Note. The Note identifies that Condition F is only applicable to Unit 1.

G.1 The RCS must be depressurized and a vent must be established within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months when:

a. Both required RCS PORVs are inoperable,

b. A Required Action and associated Completion Time of Condition D, E, or F is not met, or

c. The OPPS is inoperable for any reason other than Condition A, B, C, D, E, or F.

The vent must be sized 2.07 square inches for Unit 1 or 3.14 square inches for Unit 2 to ensure that the flow capacity is greater than that required for the design basis mass input transient during the MODES when low temperature overpressure protection is required. This action is needed to protect the RCPB from a low temperature overpressure event and a possible brittle failure of the reactor vessel.

Beaver Valley Units 1 and 2 B 3.4.12 - 9 Revision 0

OPPS B 3.4.12 BASES ACTIONS (continued)

The Completion Time considers the time required to place the plant in this Condition and the relatively low probability of an overpressure event during this time period due to increased operator awareness of administrative control requirements.

SURVEILLANCE SR 3.4.12.1 and SR 3.4.12.2 REQUIREMENTS To minimize the potential for a low temperature overpressure event by limiting the mass input capability, a maximum of one charging pump is verified capable of injecting into the RCS and the accumulator discharge isolation valves are verified closed with power removed from the valve operator. A charging pump is rendered incapable of injecting into the RCS through removing the power from the pump by racking the breaker out under administrative control or by tagging the control switch in the pull to lock position. An alternate method of low temperature overpressure protection control may be employed using at least two independent means to prevent a pump from injecting into the RCS such that a single failure or single action will not result in an injection into the RCS. This may be accomplished by such means as isolating the discharge of the pump by a closed valve that is tagged in the closed position.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.12.3 The RCS vent of 2.07 square inches for Unit 1 or 3.14 square inches for Unit 2 is proven OPERABLE by verifying its open condition.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The passive vent path arrangement must only be open to be OPERABLE.

This Surveillance is required to be met if the vent is being used to satisfy the pressure relief requirements of the LCO 3.4.12.c.2.

Beaver Valley Units 1 and 2 B 3.4.12 - 10 Revision 29

OPPS B 3.4.12 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.4.12.4 The PORV block valve must be verified open to provide the flow path for each required PORV to perform its function when actuated. The valve may be remotely verified open in the main control room. This Surveillance is performed if the PORV satisfies the LCO.

The block valve is a remotely controlled, motor operated valve. The power to the valve operator is not required removed, and the manual operator is not required locked in the inactive position. Thus, the block valve can be closed in the event the PORV develops excessive leakage or does not close (sticks open) after relieving an overpressure situation.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.12.5 This SR is only applicable to Unit 1. The Unit 1 ECCS automatic HHSI flow path must be verified to be isolated by confirming that the required isolation valve(s) are closed and de-energized. The valve(s) utilized to isolate the flow path must be de-energized to prevent an inadvertent SI signal from unisolating the flow path and injecting into the RCS. As this flow path was not specifically evaluated in the Unit 1 OPPS setpoint analysis, the flow path must be maintained isolated to prevent a possible overpressurization of the RCS by an inadvertent SI actuation.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.12.6 Performance of a COT is required within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after decreasing RCS temperature in any cold leg to the OPPS enable temperature specified in the PTLR if the COT was not previously performed within the Frequency specified in the Surveillance Frequency Control Program on each required PORV to verify and, as necessary, adjust its lift setpoint. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification Surveillance Requirements. The Beaver Valley Units 1 and 2 B 3.4.12 - 11 Revision 29

OPPS B 3.4.12 BASES SURVEILLANCE REQUIREMENTS (continued)

COT will verify the setpoint is within the PTLR allowed maximum limits in the PTLR. PORV actuation could depressurize the RCS and is not required. The COT Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

A Note has been added indicating that this SR is not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after decreasing any RCS cold leg temperature to the OPPS enable temperature specified in the PTLR. This Note provides an exception that allows the COT to be performed when the PORV lift setpoint can be reduced to the OPPS setting if desired. The COT is also met if the Surveillance has been successfully performed in accordance with the Surveillance Frequency Control Program prior to entering the applicable OPPS MODES.

SR 3.4.12.7 Performance of a CHANNEL CALIBRATION on each required PORV actuation channel is required to adjust the whole channel so that it responds and the valve opens within the required range and accuracy to known input. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50, Appendix G.

2. Generic Letter 88-11.

3. UFSAR Section 4.2.3 (Unit 1) and UFSAR Section 5.2.2.11 (Unit 2).

4. Generic Letter 90-06.

Beaver Valley Units 1 and 2 B 3.4.12 - 12 Revision 29

RCS Operational LEAKAGE B 3.4.13 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.13 RCS Operational LEAKAGE BASES BACKGROUND Components that contain or transport the coolant to or from the reactor core make up the RCS. Component joints are made by welding, bolting, rolling, or pressure loading, and valves isolate connecting systems from the RCS.

During plant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration. The purpose of the RCS Operational LEAKAGE LCO is to limit system operation in the presence of LEAKAGE from these sources to amounts that do not compromise safety. This LCO specifies the types and amounts of LEAKAGE.

10 CFR 50, Appendix A, GDC 30, as discussed in Reference 1, requires means for detecting and, to the extent practical, identifying the source of reactor coolant LEAKAGE. Regulatory Guide 1.45, as discussed in Reference 2, describes acceptable methods for selecting leakage detection systems.

The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring reactor coolant LEAKAGE into the containment area is necessary. Quickly separating the identified LEAKAGE from the unidentified LEAKAGE is necessary to provide quantitative information to the operators, allowing them to take corrective action should a leak occur that is detrimental to the safety of the facility and the public.

A limited amount of leakage inside containment is expected from auxiliary systems that cannot be made 100% leaktight. Leakage from these systems should be detected, located, and isolated from the containment atmosphere, if possible, to not interfere with RCS leakage detection.

This LCO deals with protection of the reactor coolant pressure boundary (RCPB) from degradation and the core from inadequate cooling, in addition to preventing the accident analyses radiation release assumptions from being exceeded. The consequences of violating this LCO include the possibility of a loss of coolant accident (LOCA).

Beaver Valley Units 1 and 2 B 3.4.13 - 1 Revision 0

RCS Operational LEAKAGE B 3.4.13 BASES APPLICABLE Except for primary to secondary LEAKAGE, the safety analyses do not SAFETY address operational LEAKAGE. However, other operational LEAKAGE is ANALYSES related to the safety analyses for LOCA; the amount of leakage can affect the probability of such an event.

Primary to secondary LEAKAGE is a factor in the dose assessment of accidents or transients that involve secondary steam release to the atmosphere, such as a main steam line break (MSLB), a locked rotor accident (LRA), a Loss of AC Power (LACP), a Control Rod Ejection Accident (CREA) and to a lesser extent, a Steam Generator Tube Rupture (SGTR). The leakage contaminates the secondary fluid. The limit on the primary to secondary LEAKAGE ensures that the dose contribution at the site boundary from tube leakage following such accidents are limited to appropriate fractions of the 10 CFR 50.67 limit of 25 Rem TEDE as allowable by Regulatory Guide 1.183. The limit on the primary to secondary leakage also ensures that the dose contribution from tube leakage in the control room is limited to the 10 CFR 50.67 limit of 5 Rem TEDE. Among all of the analyses that release primary side activity to the environment via tube leakage, the MSLB is of particular concern because the ruptured main steam line provides a pathway to release the primary to secondary leakage directly to the environment without dilution in the secondary fluid.

For Unit 1, the safety analysis for an event resulting in steam discharge to the atmosphere conservatively assumes that primary to secondary LEAKAGE from all steam generators is 450 gallons per day (gpd) (i.e.,

150 gpd per steam generator) or increases to 450 gpd as a result of accident induced conditions. Currently, the Unit 1 safety analyses do not specifically assume additional primary to secondary LEAKAGE due to accident induced conditions.

For Unit 2, due to adoption of the voltage based steam generator tube repair criteria per guidance provided by Generic Letter (GL) 95-05 (Reference 3), the safety analysis for an event resulting in steam discharge to the atmosphere conservatively assumes that primary to secondary LEAKAGE from all steam generators is 450 gallons per day (gpd) (i.e., 150 gpd per steam generator) or increases to 450 gpd as a result of accident induced conditions for all accidents other than the MSLB. Currently, the Unit 2 MSLB safety analysis is the only analysis that specifically assumes additional primary to secondary LEAKAGE due to accident induced conditions.

The Unit 2 dose consequences associated with the MSLB addresses an additional 2.1 gpm leakage, which, per GL 95-05, is postulated to occur (via pre-existing tube defects) as a result of the rapid depressurization of the secondary side due to the MLSB, and the consequent high differential pressure across the faulted steam generator. The maximum allowed Unit 2 total accident induced leakage is 2.4 gpm.

Beaver Valley Units 1 and 2 B 3.4.13 - 2 Revision 0

RCS Operational LEAKAGE B 3.4.13 BASES APPLICABLE SAFETY ANALYSIS (continued)

The RCS operational LEAKAGE satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO RCS operational LEAKAGE shall be limited to:

a. Pressure Boundary LEAKAGE No pressure boundary LEAKAGE is allowed, being indicative of material deterioration. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE. Should pressure boundary LEAKAGE occur through a component which can be isolated from the balance of the Reactor Coolant System, plant operation may continue provided the leaking component is promptly isolated from the Reactor Coolant System since isolation removes the source of potential failure.

b. Unidentified LEAKAGE One gallon per minute (gpm) of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and containment sump level monitoring equipment can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.

c. Identified LEAKAGE Up to 10 gpm of identified LEAKAGE is considered allowable because LEAKAGE is from known sources that do not interfere with detection of unidentified LEAKAGE and is well within the capability of the RCS Makeup System. Identified LEAKAGE includes LEAKAGE to the containment from specifically known and located sources, but does not include pressure boundary LEAKAGE or controlled reactor coolant pump (RCP) seal leakoff (a normal function not considered LEAKAGE). Violation of this LCO could result in continued degradation of a component or system.

Beaver Valley Units 1 and 2 B 3.4.13 - 3 Revision 0

RCS Operational LEAKAGE B 3.4.13 BASES LCO (continued)

d. Primary to Secondary LEAKAGE through Any One SG The limit of 150 gallons per day per SG is based on the operational LEAKAGE performance criterion in NEI 97-06, Steam Generator Program Guidelines (Ref. 4). The Steam Generator Program operational LEAKAGE performance criterion in NEI 97-06 states, "The RCS operational primary to secondary leakage through any one SG shall be limited to 150 gallons per day." The limit is based on operating experience with SG tube degradation mechanisms that result in tube leakage. The operational leakage rate criterion in conjunction with the implementation of the Steam Generator Program is an effective measure for minimizing the frequency of steam generator tube ruptures.

APPLICABILITY In MODES 1, 2, 3, and 4, the potential for RCPB LEAKAGE is greatest when the RCS is pressurized.

In MODES 5 and 6, LEAKAGE limits are not required because the reactor coolant pressure is far lower, resulting in lower stresses and reduced potentials for LEAKAGE.

LCO 3.4.14, "RCS Pressure Isolation Valve (PIV) Leakage," measures leakage through each individual PIV and can impact this LCO. Of the two PIVs in series in each isolated line, leakage measured through one PIV does not result in RCS LEAKAGE when the other is leak tight. If both valves leak and result in a loss of mass from the RCS, the loss must be included in the allowable identified LEAKAGE.

ACTIONS A.1 Unidentified LEAKAGE or identified LEAKAGE in excess of the LCO limits must be reduced to within limits within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . This Completion Time allows time to verify leakage rates and either identify unidentified LEAKAGE or reduce LEAKAGE to within limits before the reactor must be shut down. This action is necessary to prevent further deterioration of the RCPB.

B.1 and B.2 If any pressure boundary LEAKAGE exists, or primary to secondary LEAKAGE is not within limit, or if unidentified or identified LEAKAGE cannot be reduced to within limits within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , the reactor must be brought to lower pressure conditions to reduce the severity of the Beaver Valley Units 1 and 2 B 3.4.13 - 4 Revision 0

RCS Operational LEAKAGE B 3.4.13 BASES ACTIONS (continued)

LEAKAGE and its potential consequences. It should be noted that LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.

The reactor must be brought to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . This action reduces the LEAKAGE and also reduces the factors that tend to degrade the pressure boundary.

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

In MODE 5, the pressure stresses acting on the RCPB are much lower, and further deterioration is much less likely.

SURVEILLANCE SR 3.4.13.1 REQUIREMENTS Verifying RCS LEAKAGE to be within the LCO limits ensures the integrity of the RCPB is maintained. Pressure boundary LEAKAGE would at first appear as unidentified LEAKAGE and can only be positively identified by inspection. It should be noted that LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE. Unidentified LEAKAGE and identified LEAKAGE are determined by performance of an RCS water inventory balance.

The RCS water inventory balance must be met with the reactor at steady state operating conditions (stable temperature, power level, pressurizer and makeup tank levels, makeup and letdown and RCP seal injection and return flows) and near operating pressure. The Surveillance is modified by two Notes. Note 1 states that this SR is not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after establishing steady state operation. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowance provides sufficient time to collect and process all necessary data after stable plant conditions are established.

Note 2 states that this SR is not applicable to primary to secondary LEAKAGE because LEAKAGE of 150 gallons per day cannot be measured accurately by an RCS water inventory balance.

Steady state operation is required to perform a proper inventory balance since calculations during maneuvering are not useful. For RCS operational LEAKAGE determination by water inventory balance, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows.

Beaver Valley Units 1 and 2 B 3.4.13 - 5 Revision 0

RCS Operational LEAKAGE B 3.4.13 BASES SURVEILLANCE REQUIREMENTS (continued)

An early warning of pressure boundary LEAKAGE or unidentified LEAKAGE is provided by the instrumentation systems that monitor the containment atmosphere radioactivity and the containment sump level. It should be noted that LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE. These leakage detection systems are specified in LCO 3.4.15, "RCS Leakage Detection Instrumentation."

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.13.2 This SR verifies that primary to secondary LEAKAGE is less than or equal to 150 gallons per day through any one SG. Satisfying the primary to secondary LEAKAGE limit ensures that the operational LEAKAGE performance criterion in the Steam Generator Program is met. If this SR is not met, compliance with LCO 3.4.20, "Steam Generator Tube Integrity," should be evaluated. The 150 gallons per day limit is measured at room temperature (25°C) as described in Reference 5. The operational LEAKAGE rate limit applies to LEAKAGE through any one SG. If it is not practical to assign the LEAKAGE to an individual SG, all the primary to secondary LEAKAGE should be conservatively assumed to be from one SG.

The Surveillance is modified by a Note which states that the Surveillance is not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after establishment of steady state operation. For RCS primary to secondary LEAKAGE determination, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The primary to secondary LEAKAGE is determined using continuous process radiation monitors or radiochemical grab sampling in accordance with the EPRI guidelines (Ref. 5).

REFERENCES 1. Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria."

2. UFSAR Section 4.2.7.1 (Unit 1) and UFSAR Section 5.2.5 (Unit 2).

Beaver Valley Units 1 and 2 B 3.4.13 - 6 Revision 29

RCS Operational LEAKAGE B 3.4.13 BASES REFERENCES (continued)

3. NRC Generic Letter 95-05: Voltage-Based Repair Criteria For Westinghouse Steam Generator Tubes Affected By Outside Diameter Stress Corrosion Cracking.

4. NEI 97-06, "Steam Generator Program Guidelines."

5. EPRI, "Pressurized Water Reactor Primary-to-Secondary Leak Guidelines."

Beaver Valley Units 1 and 2 B 3.4.13 - 7 Revision 0

RCS PIV Leakage B 3.4.14 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.14 RCS Pressure Isolation Valve (PIV) Leakage BASES BACKGROUND 10 CFR 50.2, 10 CFR 50.55a(c), and GDC 55 of 10 CFR 50, Appendix A, as discussed in Reference 1, define RCS PIVs as any two normally closed valves in series within the reactor coolant pressure boundary (RCPB), which separate the high pressure RCS from an attached low pressure system. During their lives, these valves can produce varying amounts of reactor coolant leakage through either normal operational wear or mechanical deterioration. The RCS PIV Leakage LCO allows RCS high pressure operation when leakage through these valves exists in amounts that do not compromise safety.

The PIV leakage limit applies to each individual valve. Leakage through both series PIVs in a line must be included as part of the identified LEAKAGE, governed by LCO 3.4.13, "RCS Operational LEAKAGE." This is true during operation only when the loss of RCS mass through two series valves is determined by a water inventory balance (SR 3.4.13.1).

A known component of the identified LEAKAGE before operation begins is the least of the two individual leak rates determined for leaking series PIVs during the required surveillance testing; leakage measured through one PIV in a line is not RCS operational LEAKAGE if the other is leaktight.

Although this specification provides a limit on allowable PIV leakage rate, its main purpose is to prevent overpressure failure of the low pressure portions of connecting systems. The leakage limit is an indication that the PIVs between the RCS and the connecting systems are degraded or degrading. PIV leakage could lead to overpressure of the low pressure piping or components. Failure consequences could be a loss of coolant accident (LOCA) outside of containment, an unanalyzed accident, that could degrade the ability for low pressure injection.

The basis for this LCO is the 1975 NRC "Reactor Safety Study" (Ref. 2) that identified potential intersystem LOCAs as a significant contributor to the risk of core melt. A subsequent study (Ref. 3) evaluated various PIV configurations to determine the probability of intersystem LOCAs.

The specific PIVs addressed by this LCO are listed in the Licensing Requirements Manual (LRM).

Violation of this LCO could result in continued degradation of a PIV, which could lead to overpressurization of a low pressure system and the loss of the integrity of a fission product barrier.

Beaver Valley Units 1 and 2 B 3.4.14 - 1 Revision 0

RCS PIV Leakage B 3.4.14 BASES APPLICABLE Reference 2 identified potential intersystem LOCAs as a significant SAFETY contributor to the risk of core melt. The dominant accident sequence in ANALYSES the intersystem LOCA category is the failure of the low pressure portion of the Emergency Core Cooling System Low Head Injection System outside of containment. The accident is the result of a postulated failure of the PIVs, which are part of the RCPB, and the subsequent pressurization of the Low Head Injection System downstream of the PIVs from the RCS. Because the low pressure portion of the system is not designed for RCS pressure, overpressurization failure of the low pressure line would result in a LOCA outside containment and subsequent risk of core melt.

Reference 3 evaluated various PIV configurations, leakage testing of the valves, and operational changes to determine the effect on the probability of intersystem LOCAs. This study concluded that periodic leakage testing of the PIVs can substantially reduce the probability of an intersystem LOCA.

RCS PIV leakage satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The specific PIVs for which this LCO applies are listed in the LRM. RCS PIV leakage is identified LEAKAGE into closed systems connected to the RCS. Isolation valve leakage is usually on the order of drops per minute.

Leakage that increases significantly suggests that something is operationally wrong and corrective action must be taken.

The LCO PIV leakage limit is 0.5 gpm per nominal inch of valve size with a maximum limit of 5 gpm. Note 4 in SR 3.4.14.1 provides an exception to the 0.5 gpm/inch diameter limit under certain circumstances.

Reference 4 permits leakage testing at a lower pressure differential than between the specified maximum RCS pressure and the normal pressure of the connected system during RCS operation (the maximum pressure differential) in those types of valves in which the higher service pressure will tend to diminish the overall leakage channel opening. In such cases, the observed rate may be adjusted to the maximum pressure differential by assuming leakage is directly proportional to the pressure differential to the one half power. This allowance is consistent with that provided by Note 3 in SR 3.4.14.1.

Beaver Valley Units 1 and 2 B 3.4.14 - 2 Revision 0

RCS PIV Leakage B 3.4.14 BASES APPLICABILITY In MODES 1, 2, 3, and 4, this LCO applies because the PIV leakage potential is greatest when the RCS is pressurized. In MODE 4, valves in the RHR flow path are not required to meet the requirements of this LCO when in, or during the transition to or from, the RHR mode of operation.

In MODES 5 and 6, leakage limits are not provided because the lower reactor coolant pressure results in a reduced potential for leakage and for a LOCA outside the containment.

ACTIONS The Actions are modified by two Notes. Note 1 provides clarification that each flow path allows separate entry into a Condition. This is allowed based upon the functional independence of the flow path. Note 2 requires an evaluation of affected systems if a PIV is inoperable. The leakage may have affected system operability, or isolation of a leaking flow path with an alternate valve may have degraded the ability of the interconnected system to perform its safety function.

A.1 The flow path must be isolated. Required Action A.1 is modified by a Note that the valves used for isolation must meet the same leakage requirements as the PIVs and must be within the RCPB or the high pressure portion of the system.

Required Action A.1 requires that the isolation with one valve must be performed within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . Four hours provides time to reduce leakage in excess of the allowable limit and to isolate the affected system if leakage cannot be reduced. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time allows the actions and restricts the operation with leaking isolation valves.

Motor-operated valves used to meet this isolation requirement shall be placed in the closed position with power supplies de-energized.

B.1 and B.2 If leakage cannot be reduced, or the other Required Actions accomplished, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must be brought to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . This Action may reduce the leakage and also reduces the potential for a LOCA outside the containment. The allowed Completion Times are reasonable based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

Beaver Valley Units 1 and 2 B 3.4.14 - 3 Revision 0

RCS PIV Leakage B 3.4.14 BASES SURVEILLANCE SR 3.4.14.1 REQUIREMENTS The list of valves for which this Surveillance is applicable is contained in the LRM. Performance of leakage testing on each RCS PIV or isolation valve used to satisfy Required Action A.1 is required to verify that leakage is below the specified limit and to identify each leaking valve. The leakage limit of 0.5 gpm per inch of nominal valve diameter up to 5 gpm maximum applies to each valve. Leakage testing requires a stable pressure condition. To satisfy ALARA requirements, leakage may be measured indirectly (as from the performance of pressure indicators) if accomplished in accordance with approved procedures and supported by computations showing that the method is capable of demonstrating compliance within the valve leakage criteria. In addition, for those valves where the leakage rate can be continuously monitored during plant operation, no other leakage rate testing is required. The leakage rate of valves continously monitored shall be recorded at intervals that satisfy the required Surveillance Frequency.

For the two PIVs in series, the leakage requirement applies to each valve individually and not to the combined leakage across both valves. If the PIVs are not individually leakage tested, one valve may have failed completely and not be detected if the other valve in series meets the leakage requirement. In this situation, the protection provided by redundant valves would be lost.

Testing is to be performed for all PIVs listed in the LRM prior to entering MODE 2 after the plant is placed in MODE 5 for refueling. The Frequency, which results in testing the PIVs approximately every 18 months, is within the requirements of 10 CFR 50.55a(f) as contained in the INSERVICE TESTING PROGRAM, and is also within the frequency allowed by the American Society of Mechanical Engineers (ASME) Code (Ref. 4), which is based on the need to perform such surveillances under the conditions that apply during an outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. However, this does not preclude performance of this Surveillance at power, if necessary to confirm OPERABILITY, when it can be accomplished in a safe manner.

An additional Frequency of "prior to entering MODE 2 whenever the unit has been in MODE 5 for 7 days or more, if leakage testing has not been performed in the previous 9 months" is applicable to certain PIVs. This additional Frequency is modified by a Note that clarifies that this Frequency is only applicable to PIVs specifically identified in the list of PIVs in the LRM. The additional testing is specified for PIVs identified as "Event V" (potential loss of coolant accident outside containment) type PIVs consistent with References 2 and 3.

Beaver Valley Units 1 and 2 B 3.4.14 - 4 Revision 34

RCS PIV Leakage B 3.4.14 BASES SURVEILLANCE REQUIREMENTS (continued)

The leakage limit is to be met at the RCS pressure associated with MODES 1 and 2. This permits leakage testing at high differential pressures not possible in the MODES with lower temperature restrictions.

Entry into MODES 3 and 4 is allowed to establish higher differential pressures if necessary for performance of this Surveillance. The Note that allows this provision is complementary to the Frequency of prior to entry into MODE 2, if leakage testing has not been performed in the previous 9 months. In addition, this Surveillance is not required to be performed on the RHR System when the RHR System is aligned to the RCS in the shutdown cooling mode of operation. PIVs contained in the RHR shutdown cooling flow path must be leakage rate tested after RHR is secured and stable unit conditions and the necessary differential pressures are established.

Note 3 provides the allowance that the RCS PIV leakage may be verified at a pressure lower than the required RCS pressure range provided the observed leakage rates are adjusted to the function maximum pressure in accordance with ASME OM Code (Ref. 4).

Note 4 provides an exception to the 0.5 gpm/inch diameter leakage limit of the LCO. The Note allows leakage rates > 0.5 gpm/inch diameter but 5.0 gpm total provided the latest measured rate has not exceeded the rate determined by the previous test by an amount that reduces the margin between measured leakage rate and the maximum permissible rate of 5.0 gpm by 50%.

REFERENCES 1. Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U. S. Nuclear Regulatory Commission General Design Criteria"

2. WASH-1400 (NUREG-75/014), Appendix V, October 1975.

3. NUREG-0677, May 1980.

4. ASME code for Operation and Maintenance of Nuclear Power Plants.

Beaver Valley Units 1 and 2 B 3.4.14 - 5 Revision 0

RCS Leakage Detection Instrumentation B 3.4.15 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.15 RCS Leakage Detection Instrumentation BASES BACKGROUND GDC 30 of Appendix A to 10 CFR 50, as discussed in Reference 1, requires means for detecting and, to the extent practical, identifying the location of the source of RCS LEAKAGE. Regulatory Guide 1.45, Revision 0, as discussed in Reference 2, describes acceptable methods for selecting leakage detection systems.

Leakage detection systems must have the capability to detect significant reactor coolant pressure boundary (RCPB) degradation as soon after occurrence as practical to minimize the potential for propagation to a gross failure. Thus, an early indication or warning signal is necessary to permit proper evaluation of all unidentified LEAKAGE. In addition to meeting the OPERABILITY requirements, the monitors are typically set to provide the most sensitive response without causing an excessive number of spurious alarms.

The non-Emergency Core Cooling System (ECCS) portion of the containment sump used to collect unidentified LEAKAGE is capable of indicating increases above the normal level.

The reactor coolant contains radioactivity that, when released to the containment, may be detected by radiation monitoring instrumentation.

Radioactivity detection systems are included for monitoring both particulate and gaseous activities because of their sensitivities and rapid responses to RCS LEAKAGE.

Other indications may be used to detect an increase in unidentified LEAKAGE; however, they are not required to be OPERABLE by this LCO. An increase in humidity of the containment atmosphere would indicate release of water vapor to the containment. Dew point temperature measurements can thus be used to monitor humidity levels of the containment atmosphere as an indicator of potential RCS LEAKAGE.

Since the humidity level is influenced by several factors, a quantitative evaluation of an indicated leakage rate by this means may be questionable and should be compared to observed increases in liquid flow into or from the containment sump. Humidity level monitoring is considered most useful as an indirect indication to inform the operator to a potential problem. Humidity monitors are not required by this LCO.

Beaver Valley Units 1 and 2 B 3.4.15 - 1 Revision 18

RCS Leakage Detection Instrumentation B 3.4.15 BASES BACKGROUND (continued)

Air temperature and pressure monitoring methods may also be used to infer unidentified LEAKAGE to the containment. Containment temperature and pressure fluctuate slightly during plant operation, but a rise above the normally indicated range of values may indicate RCS leakage into the containment. The relevance of temperature and pressure measurements is affected by containment free volume and, for temperature, detector location. Alarm signals from these instruments can be valuable in recognizing rapid and sizable leakage to the containment.

Temperature and pressure monitors are not required by this LCO.

The above-mentioned LEAKAGE detection methods or systems differ in sensitivity and response time. Some of these systems could serve as early warning systems signaling the operators that closer examination of other detection systems is necessary to determine the extent of any corrective action that may be required.

APPLICABLE The need to evaluate the severity of an alarm or an indication is important SAFETY to the operators, and the ability to compare and verify with indications ANALYSES from other systems is necessary.

The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring RCS LEAKAGE into the containment area is necessary. Quickly separating the identified LEAKAGE from the unidentified LEAKAGE provides quantitative information to the operators, allowing them to take corrective action should a leakage occur detrimental to the safety of the unit and the public.

RCS leakage detection instrumentation satisfies Criterion 1 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO requires instruments of diverse monitoring principles to be OPERABLE to provide confidence that small amounts of unidentified LEAKAGE are detected in time to allow actions to place the plant in a safe condition, when RCS LEAKAGE indicates possible RCPB degradation.

The LCO requires two instruments to be OPERABLE.

Beaver Valley Units 1 and 2 B 3.4.15 - 2 Revision 18

RCS Leakage Detection Instrumentation B 3.4.15 BASES LCO (continued)

The non-ECCS portion of the containment sump is used to collect unidentified LEAKAGE. The monitor on the containment sump detects level or flow rate and is instrumented to detect when there is an increase above the normal value. The identification of an increase in unidentified LEAKAGE will be delayed by the time required for the unidentified LEAKAGE to travel to the containment sump and it may take longer than one hour to detect a 1 gpm increase in unidentified LEAKAGE, depending on the origin and magnitude of the LEAKAGE. This sensitivity is acceptable for containment sump monitor OPERABILITY.

The reactor coolant contains radioactivity that, when released to the containment, can be detected by the gaseous or particulate containment atmosphere radioactivity monitor. Only one of the two detectors is required to be OPERABLE. Radioactivity detection systems are included for monitoring both particulate and gaseous activities because of their sensitivities and rapid responses to RCS LEAKAGE, but have recognized limitations. Reactor coolant radioactivity levels will be low during initial reactor startup and for a few weeks thereafter, until activated corrosion products have been formed and fission products appear from fuel element cladding contamination or cladding defects. If there are few fuel element cladding defects and low levels of activation products, it may not be possible for the gaseous or particulate containment atmosphere radioactivity monitors to detect a 1 gpm increase within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months during normal operation. However, the gaseous or particulate containment atmosphere radioactivity monitor is OPERABLE when it is capable of detecting a 1 gpm increase in unidentified LEAKAGE within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months given an RCS activity equivalent to that assumed in the design calculations for the monitors (Reference 3).

The LCO is satisfied when monitors of diverse measurement means are available. Thus, the containment sump monitor, in combination with a gaseous or particulate radioactivity monitor, provides an acceptable minimum. The containment sump monitor is comprised of the instruments associated with the non-ECCS portion of the containment sump which monitor narrow range level and sump pump discharge flow.

The LCO only requires that the sump level or discharge flow monitor be OPERABLE. The required particulate and gaseous radioactivity monitors are RM-1RM-215A&B (Unit 1) and 2RMR-RQ303A&B (Unit 2).

APPLICABILITY Because of elevated RCS temperature and pressure in MODES 1, 2, 3, and 4, RCS leakage detection instrumentation is required to be OPERABLE.

Beaver Valley Units 1 and 2 B 3.4.15 - 3 Revision 18

RCS Leakage Detection Instrumentation B 3.4.15 BASES APPLICABILITY (continued)

In MODE 5 or 6, the temperature is to be 200F and pressure is maintained low or at atmospheric pressure. Since the temperatures and pressures are far lower than those for MODES 1, 2, 3, and 4, the likelihood of leakage and crack propagation are much smaller. Therefore, the requirements of this LCO are not applicable in MODES 5 and 6.

ACTIONS A.1 and A.2 With the required containment sump monitor inoperable, no other form of sampling can provide the equivalent information; however, the containment atmosphere radioactivity monitor will provide indications of changes in leakage. Together with the containment atmosphere radioactivity monitor, the periodic surveillance for RCS water inventory balance, SR 3.4.13.1, must be performed at an increased frequency of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to provide information that is adequate to detect leakage. A Note is added allowing that SR 3.4.13.1 is not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after establishing steady state operation (stable temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows). The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowance provides sufficient time to collect and process all necessary data after stable plant conditions are established.

Restoration of the required sump monitor to OPERABLE status within a Completion Time of 30 days is required to regain the function after the monitor's failure. This time is acceptable, considering the Frequency and adequacy of the RCS water inventory balance required by Required Action A.1.

B.1.1, B.1.2, and B.2 With both gaseous and particulate containment atmosphere radioactivity monitoring instrumentation channels inoperable, alternative action is required. Either grab samples of the containment atmosphere must be taken and analyzed or water inventory balances, in accordance with SR 3.4.13.1, must be performed to provide alternate periodic information.

With a sample obtained and analyzed or water inventory balance performed every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , the reactor may be operated for up to 30 days to allow restoration of the required containment atmosphere radioactivity monitors.

Beaver Valley Units 1 and 2 B 3.4.15 - 4 Revision 18

RCS Leakage Detection Instrumentation B 3.4.15 BASES ACTIONS (continued)

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months interval provides periodic information that is adequate to detect leakage. A Note is added allowing that SR 3.4.13.1 is not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after establishing steady state operation (stable temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows). The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowance provides sufficient time to collect and process all necessary data after stable plant conditions are established. The 30 day Completion Time recognizes at least one other form of leakage detection is available.

C.1 and C.2 With the required containment sump monitor inoperable, the only means of detecting LEAKAGE is the required containment atmosphere radiation monitor. A Note clarifies that this Condition is applicable when the containment atmosphere gaseous radioactivity monitor is the only OPERABLE monitor. The containment atmosphere gaseous radioactivity monitor typically cannot detect a 1 gpm leak within one hour when RCS activity is low. In addition, this configuration does not provide the required diverse means of leakage detection. Indirect methods of monitoring RCS leakage must be implemented. Grab samples of the containment atmosphere must be obtained to provide alternate periodic information.

The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months interval is sufficient to detect increasing RCS leakage. The Required Action provides 7 days to restore another RCS leakage monitor to OPERABLE status to regain the intended leakage detection diversity.

The 7 day Completion Time ensures that the plant will not be operated in a degraded configuration for a lengthy time period.

D.1 and D.2 If a Required Action of Condition A, B, or C cannot be met, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

E.1 With all required monitors inoperable, no automatic means of monitoring leakage are available, and immediate plant shutdown in accordance with LCO 3.0.3 is required.

Beaver Valley Units 1 and 2 B 3.4.15 - 5 Revision 18

RCS Leakage Detection Instrumentation B 3.4.15 BASES SURVEILLANCE SR 3.4.15.1 REQUIREMENTS SR 3.4.15.1 requires the performance of a CHANNEL CHECK of the required containment atmosphere radioactivity monitor. The check gives reasonable confidence that the channel is operating properly. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.15.2 SR 3.4.15.2 requires the performance of a COT on the required containment atmosphere radioactivity monitor. The test ensures that the monitor can perform its function in the desired manner. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification Surveillance Requirements. The test verifies the alarm setpoint and relative accuracy of the instrument string. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.15.3 and SR 3.4.15.4 These SRs require the performance of a CHANNEL CALIBRATION for each of the RCS leakage detection instrumentation channels. The calibration verifies the accuracy of the instrument string, including the instruments located inside containment. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria."

2. Regulatory Guide 1.45, Revision 0, Reactor Coolant Pressure Boundary Leakage Detection Systems, May 1973.

3. UFSAR Section 4.2.7.1 (Unit 1) and UFSAR Section 5.2.5 (Unit 2).

Beaver Valley Units 1 and 2 B 3.4.15 - 6 Revision 29

RCS Specific Activity B 3.4.16 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.16 RCS Specific Activity BASES BACKGROUND The total effective dose equivalent (TEDE) that an individual at the site boundary can receive for 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months during an accident and the total effective dose equivalent that a resident at the low population zone can receive during the course of an accident are specified in 10 CFR 50.67 (Ref. 1). The limits on specific activity ensure that the doses are held to an appropriate fraction of the 10 CFR 50.67 limits during analyzed transients and accidents. The TS limits also ensure that the total effective dose equivalent to a control room operator is within the dose limits specified by 10 CFR 50.67.

The RCS specific activity LCO limits the allowable concentration level of radionuclides in the reactor coolant. The LCO limits are established to minimize the offsite radioactivity dose consequences in the event of a steam line break (SLB) or steam generator tube rupture (SGTR) accident.

The LCO contains specific activity limits for both DOSE EQUIVALENT I-131 and gross specific activity. The allowable levels are intended to limit the TEDE at the site boundary and in the control room to an appropriate fraction of the 10 CFR 50.67 dose guideline limits. The limits in the LCO are based on BVPS specific radiological consequence analyses.

APPLICABLE The LCO limits on the specific activity of the reactor coolant ensure that SAFETY the resulting TEDE at the site boundary and in the control room will not ANALYSES exceed an appropriate fraction of the 10 CFR 50.67 dose guideline limits following a SLB or SGTR accident. The SLB or SGTR safety analysis (Ref. 2) assumes the specific activity of the reactor coolant at the LCO limit and an existing reactor coolant steam generator (SG) tube leakage rate of 150 gallons per day (gpd) in each of the three steam generators. In addition, the Unit 2 SLB analysis assumes additional leakage that is calculated as described in Generic Letter 95-05 (Ref. 3) for facilities that have implemented steam generator alternate repair criteria. The safety analysis also assumes the specific activity of the secondary coolant at its limit of DOSE EQUIVALENT I-131 specified in LCO 3.7.13, "Secondary Specific Activity."

The analysis for the SLB or SGTR accident establishes the acceptance limits for RCS specific activity. References to these analyses are used to assess changes to the unit that could affect RCS specific activity, as they relate to the acceptance limits.

Beaver Valley Units 1 and 2 B 3.4.16 - 1 Revision 0

RCS Specific Activity B 3.4.16 BASES APPLICABLE SAFETY ANALYSES (continued)

The analyses are for two cases of reactor coolant specific activity. One case assumes specific activity at 0.35 Ci/gm DOSE EQUIVALENT I-131 with a concurrent large iodine spike that increases the I-131 activity appearance rate in the reactor coolant by a factor of 500 (SLB) or 335 (SGTR) immediately after the accident. The second case assumes the initial reactor coolant iodine activity at 21 Ci/gm DOSE EQUIVALENT I-131 due to a pre-accident iodine spike caused by an RCS transient. In both cases, the noble gas activity in the reactor coolant is based on the equilibrium concentrations predicted while operating with 1% failed fuel, and proportionately reduced to correspond to the reduced concentrations of DOSE EQUIVALENT I-131.

The safety analyses show the radiological consequences of an SLB or SGTR accident are within the Reference 1 dose guideline limits for the pre-accident iodine spike case, and well within the 10 CFR 50.67 dose guidelines for the concurrent iodine spike case. Operation with iodine specific activity levels greater than the LCO limit is permissible for up to 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months , if the activity levels do not exceed the limits shown in Figure 3.4.16-1. The safety analysis has pre-accident iodine spiking levels up to 21 Ci/gm DOSE EQUIVALENT I-131.

The remainder of the above limit permissible iodine levels shown in Figure 3.4.16-1 are acceptable because of the low probability of a SLB or SGTR accident occurring during the established 48 hour5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months time limit. The occurrence of an SLB or SGTR accident at the permissible levels applicable from 80 to 100% power could increase the site boundary dose levels, but still be within 10 CFR 50.67 dose guideline limits.

RCS specific activity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The specific iodine activity is limited to 0.35 Ci/gm DOSE EQUIVALENT I-131, and the gross specific activity in the reactor coolant is limited to the number of Ci/gm equal to 100 divided by E (average disintegration energy of the sum of the average beta and gamma energies of the non-iodine coolant nuclides). The limit on DOSE EQUIVALENT I-131 ensures the TEDE at the site boundary and in the control room during the Design Basis Accident (DBA) will be an appropriate fraction of the allowed TEDE dose. The limit on gross specific activity provides an additional indication of radionuclides (excluding iodines) that corresponds closely to the noble gas activity in the RCS and helps to ensure the effective doses during the DBA will be an appropriate fraction of the allowed dose.

Beaver Valley Units 1 and 2 B 3.4.16 - 2 Revision 0

RCS Specific Activity B 3.4.16 BASES LCO (continued)

The SLB and SGTR accident analyses (Ref. 2) show that the resultant dose levels are within acceptable limits. Violation of the LCO may result in reactor coolant radioactivity levels that could, in the event of an SLB or SGTR, lead to site boundary or control room doses that exceed the 10 CFR 50.67 dose guideline limits.

APPLICABILITY In MODES 1 and 2, and in MODE 3 with RCS average temperature 500°F, operation within the LCO limits for DOSE EQUIVALENT I-131 and gross specific activity are necessary to limit the potential radiological consequences of an SLB or SGTR to within the acceptable site boundary and control room dose values.

For operation in MODE 3 with RCS average temperature < 500°F, and in MODES 4 and 5, the secondary side steam pressure is significantly reduced which in turn reduces the probability and severity of a SLB or a SGTR.

ACTIONS A.1 and A.2 With the DOSE EQUIVALENT I-131 greater than the LCO limit, samples at intervals of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months must be taken to demonstrate that the limits of Figure 3.4.16-1 are not exceeded. The Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is required to obtain and analyze a sample. Sampling is done to continue to provide a trend.

The DOSE EQUIVALENT I-131 must be restored to within limits within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . The Completion Time of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is required, if the limit violation resulted from normal iodine spiking.

A Note permits the use of the provisions of LCO 3.0.4.c. This allowance permits entry into the applicable MODE(S) while relying on the ACTIONS.

This allowance is acceptable due to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient specific activity excursions while the plant remains at, or proceeds to power operation.

Beaver Valley Units 1 and 2 B 3.4.16 - 3 Revision 0

RCS Specific Activity B 3.4.16 BASES ACTIONS (continued)

B.1 With the gross specific activity in excess of the allowed limit, the unit must be placed in a MODE in which the requirement does not apply.

The change within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months to MODE 3 and RCS average temperature

< 500°F lowers the secondary side steam pressure which in turn reduces the probability and severity of a SLB or SGTR. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 below 500°F from full power conditions in an orderly manner and without challenging plant systems.

C.1 If a Required Action and the associated Completion Time of Condition A is not met or if the DOSE EQUIVALENT I-131 is in the unacceptable region of Figure 3.4.16-1, the reactor must be brought to MODE 3 with RCS average temperature < 500°F within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 below 500°F from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.4.16.1 REQUIREMENTS SR 3.4.16.1 requires performing a gamma isotopic analysis as a measure of the gross specific activity of the reactor coolant. While basically a quantitative measure of radionuclides with half lives longer than 15 minutes, excluding iodines, this measurement is the sum of the degassed gamma activities and the gaseous gamma activities in the sample taken. This Surveillance provides an indication of any increase in gross specific activity.

Trending the results of this Surveillance allows proper remedial action to be taken before reaching the LCO limit under normal operating conditions. The Surveillance is applicable in MODES 1 and 2, and in MODE 3 with Tavg at least 500°F. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.4.16 - 4 Revision 29

RCS Specific Activity B 3.4.16 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.4.16.2 This Surveillance is required to be performed in MODE 1 only to ensure iodine remains within limit during normal operation and following fast power changes when fuel failure is more apt to occur. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Frequency, between 2 and 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months after a power change 15% RTP within a 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months period, is established because the iodine levels peak during this time following fuel failure; samples at other times would provide inaccurate results.

SR 3.4.16.3 A radiochemical analysis for E determination is required with the plant operating in MODE 1 equilibrium conditions. The E determination directly relates to the LCO and is required to verify plant operation within the specified gross activity LCO limit. The analysis for E is a measurement of the average energies per disintegration for isotopes with half lives longer than 15 minutes, excluding iodines. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR has been modified by a Note that indicates sampling is not required to be performed until 31 days after a minimum of 2 effective full power days and 20 days of MODE 1 operation have elapsed since the reactor was last subcritical for 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . This ensures that the radioactive materials are at equilibrium so the analysis for E is representative and not skewed by a crud burst or other similar abnormal event.

REFERENCES 1. 10 CFR 50.67.

2. UFSAR Section 14.2.5 and 14.2.4 (Unit 1) and UFSAR Section 15.1.5 and 15.6.3 (Unit 2).

3. NRC Generic Letter 95-05: Voltage-Based Repair Criteria For Westinghouse Steam Generator Tubes Affected By Outside Diameter Stress Corrosion Cracking.

Beaver Valley Units 1 and 2 B 3.4.16 - 5 Revision 29

RCS Loop Isolation Valves B 3.4.17 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.17 RCS Loop Isolation Valves BASES BACKGROUND The reactor coolant loops are equipped with loop isolation valves that permit any loop to be isolated from the reactor vessel. One valve is installed on each hot leg and one on each cold leg. The loop isolation valves may be used to perform tasks such as maintenance or inspections on an isolated loop. Power operation with a loop isolated is not permitted.

To ensure that inadvertent closure of a loop isolation valve does not occur, the valves must be open with power to the valve operators removed in MODES 1, 2, 3 and 4. If the valves are closed, a set of administrative controls must be satisfied prior to opening the isolation valves as described in LCO 3.4.18, "RCS Isolated Loop Startup."

APPLICABLE The safety analyses performed for the reactor at power assume that all SAFETY reactor coolant loops are initially in operation and the loop isolation valves ANALYSES are open. This LCO places controls on the loop isolation valves to ensure that the valves are not inadvertently closed in MODES 1, 2, 3 and 4. The inadvertent closure of a loop isolation valve when the Reactor Coolant Pumps (RCPs) are operating will result in a partial loss of forced reactor coolant flow (Ref. 1). If the reactor is at power at the time of the event, the effect of the partial loss of forced coolant flow is a rapid increase in the coolant temperature which could result in DNB with subsequent fuel damage if the reactor is not tripped by the Low Flow reactor trip. If the reactor is shutdown and an RCS loop is in operation removing decay heat, closure of the loop isolation valve associated with the operating loop could also result in increasing coolant temperature and the possibility of fuel damage.

RCS Loop Isolation Valves satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO ensures that the loop isolation valves are open and power to the valve operators is removed. Loop isolation valves may be used for tasks such as performing maintenance or inspections in MODES 5 and 6.

The safety analyses assume that the loop isolation valves are open in any RCS loops required to be OPERABLE by LCO 3.4.4, "RCS Loops -

MODES 1 and 2," LCO 3.4.5, "RCS Loops - MODE 3," or LCO 3.4.6, "RCS Loops - MODE 4."

Beaver Valley Units 1 and 2 B 3.4.17 - 1 Revision 0

RCS Loop Isolation Valves B 3.4.17 BASES APPLICABILITY In MODES 1 through 4, this LCO ensures that the loop isolation valves are open and power to the valve operators is removed. The safety analyses assume that the loop isolation valves are open in any RCS loops required to be OPERABLE.

In MODES 5 and 6, the loop isolation valves may be closed. Controlled startup of an isolated loop is governed by the requirements of LCO 3.4.18, "RCS Isolated Loop Startup."

ACTIONS The Actions have been provided with a Note to clarify that all RCS loop isolation valves for this LCO are treated as separate entities, each with separate Completion Times, i.e., the Completion Time is on a component basis.

A.1 If power is inadvertently restored to one or more loop isolation valve operators, the potential exists for accidental isolation of a loop. The loop isolation valves have motor operators. Therefore, these valves will maintain their last position when power is removed from the valve operator. With power applied to the valve operators, only the controls and surveillances required by the Technical Specifications prevent the valve from being operated. Although the controls and surveillances required by the Technical Specifications make the occurrence of this event unlikely, the prudent action is to remove power from the loop isolation valve operators. The Completion Time of 30 minutes to remove power from the loop isolation valve operators is sufficient considering the complexity of the task.

B.1, B.2, and B.3 Should a loop isolation valve be closed in MODES 1 through 4, the affected loop isolation valve(s) must remain closed and the plant placed in MODE 5. Once in MODE 5, the isolated loop may be started in a controlled manner in accordance with LCO 3.4.18, "RCS Isolated Loop Startup." Opening the closed isolation valve in MODES 1 through 4 could result in colder water or water at a lower boron concentration being mixed with the operating RCS loops resulting in positive reactivity insertion. The Completion Time of Condition B allows time for borating the operating loops to a shutdown boration level such that the plant can be brought to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

Beaver Valley Units 1 and 2 B 3.4.17 - 2 Revision 0

RCS Loop Isolation Valves B 3.4.17 BASES SURVEILLANCE SR 3.4.17.1 REQUIREMENTS The Surveillance is performed to ensure that the RCS loop isolation valves are open, with power removed from the loop isolation valve operators. The primary function of this Surveillance is to ensure that power is removed from the valve operators, since SR 3.4.4.1 of LCO 3.4.4, "RCS Loops - MODES 1 and 2," ensures that the loop isolation valves are open by verifying every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months that all loops are operating and circulating reactor coolant. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR Section 14.1.5 (Unit 1) and UFSAR Section 15.3.1 (Unit 2).

Beaver Valley Units 1 and 2 B 3.4.17 - 3 Revision 29

RCS Isolated Loop Startup B 3.4.18 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.18 RCS Isolated Loop Startup BASES BACKGROUND The RCS may be operated with loops isolated in MODES 5 and 6 in order to perform tasks such as maintenance or inspections. While operating with a loop isolated, there is potential for inadvertently opening the isolation valves in the isolated loop. In this event, the coolant in the isolated loop would suddenly begin to mix with the coolant in the operating loops. This situation has the potential of causing a positive reactivity addition with a corresponding reduction of SDM if:

a. The boron concentration in the isolated loop is lower than the boron concentration required to meet the SDM of LCO 3.1.1 when in MODE 5 or the boron concentration of LCO 3.9.1 when in MODE 6 (boron dilution incident), and

b. The isolated portion of the RCS loop has not been drained and refilled from the refueling water storage tank (RWST) or RCS.

As discussed in the UFSAR (Ref. 1), the startup of an isolated loop is done in a controlled manner that virtually eliminates any undesirable reactivity addition from cold water or boron dilution because:

a. This LCO and plant operating procedures require that the boron concentration in the isolated loop be maintained the boron concentration required to maintain SDM, thus eliminating the potential for introducing coolant from the isolated loop that could dilute the boron concentration in the operating loops, below the concentration necessary to maintain the required SDM.

b. In addition, this LCO and plant operating procedures require that the isolated portion of the RCS loop be drained and refilled with water from the RWST or RCS. These requirements ensure the loop is filled with water that has a boron concentration and a temperature that are within the limits assumed in the applicable SDM calculation.

In addition, the refilling of the loop ensures that the borated water in the loop is well mixed prior to unisolating the loop.

Beaver Valley Units 1 and 2 B 3.4.18 - 1 Revision 0

RCS Isolated Loop Startup B 3.4.18 BASES APPLICABLE During startup of an isolated loop, the controls required by this LCO SAFETY prevent opening the loop isolation valves until the isolated loop is drained ANALYSES and refilled from the RWST or the RCS. In addition, the boron concentration of the isolated loop is verified to be within the limit for the required SDM. This ensures that any undesirable reactivity effect from the isolated loop does not occur.

The safety analyses assume a minimum SDM as an initial condition for Design Basis Accidents. Violation of this LCO could result in the SDM being reduced in the operating loops to less than that assumed in the safety analyses.

The boron concentration of an isolated loop may affect SDM. Therefore, RCS isolated loop startup satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO Loop isolation valves may be used for performing tasks such as maintenance or inspections when the plant is in MODE 5 or 6. This LCO ensures that the loop isolation valves remain closed until the affected loop is drained and refilled from the RWST or RCS and the boron concentration of the isolated loops is verified to be within acceptable limit to maintain the required SDM.

APPLICABILITY In MODES 5 and 6, when an RCS loop has been isolated for > 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months or drained this LCO becomes applicable to recover the affected loop. In MODES 5 and 6, the required SDM is large enough to permit operation with isolated loops. Controlled startup of isolated loops is possible without significant risk of inadvertent criticality. This LCO is applicable under these conditions.

In MODES 1, 2, 3, and 4 LCO 3.4.17, "RCS Loop Isolation Valves,"

requires that all loop isolation valves be open with power removed from the valve operator. In MODES 5 and 6 if a loop is isolated for 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months and not drained the condition of the isolated loop has not changed significantly. Therefore, under these conditions, LCO 3.4.18 is not applicable.

ACTIONS A.1 Required Action A.1 assumes that the prerequisites of the LCO are not met and a loop isolation valve has been inadvertently opened. Therefore, the Actions require immediate closure of isolation valves to preclude a boron dilution event or a cold water event.

Beaver Valley Units 1 and 2 B 3.4.18 - 2 Revision 0

RCS Isolated Loop Startup B 3.4.18 BASES SURVEILLANCE SR 3.4.18.1 REQUIREMENTS This Surveillance verifies the isolated portion of the affected RCS loop is drained and refilled with water from the RWST or RCS. This verification provides assurance that the loop is filled with water that has a boron concentration and a temperature that are within the limits assumed in the applicable SDM calculation. The Frequency of prior to opening the isolated loop hot or cold leg isolation valve provides additional assurance an isolated loop is returned to service in accordance with the provisions of LCO 3.4.18.

SR 3.4.18.2 To ensure that the boron concentration of the isolated loop is greater than or equal to the boron concentration required to meet the SDM of LCO 3.1.1 or boron concentration of LCO 3.9.1, this Surveillance is performed 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months prior to opening either the hot or cold leg isolation valve. Performing the Surveillance 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months prior to opening either the hot or cold leg isolation valve provides reasonable assurance the boron concentration will stay within acceptable limits until the loop is unisolated.

This Frequency has been shown to be acceptable through operating experience.

SR 3.4.18.3 This Surveillance verifies the isolated loop hot or cold leg isolation valve is opened within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months following completion of the isolated loop refill.

This verification confirms that the loop being returned to service has been recently refilled in accordance with SR 3.4.18.1. The Frequency of within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after completion of the refill provides assurance that there is no significant change in boron concentration or temperature of the water in the loop since refill and that the contents of the loop remain well mixed when the loop is unisolated.

REFERENCES 1. UFSAR Section 14.1.6 (Unit 1) and Section 15.4.4 (Unit 2).

Beaver Valley Units 1 and 2 B 3.4.18 - 3 Revision 0

RCS Loops - Test Exceptions B 3.4.19 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.19 RCS Loops - Test Exceptions BASES BACKGROUND The primary purpose of this test exception is to provide an exception to LCO 3.4.4, "RCS Loops - MODES 1 and 2," to permit reactor criticality under no flow conditions during certain PHYSICS TESTS (natural circulation demonstration, station blackout, and loss of offsite power) to be performed while at low THERMAL POWER levels.Section XI of 10 CFR 50, Appendix B (Ref. 1), requires that a test program be established to ensure that structures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that the specified design conditions are not exceeded during normal operation and anticipated operational occurrences must be tested. This testing is an integral part of the design, construction, and operation of the power plant as specified in GDC 1, "Quality Standards and Records" (Ref. 2).

The key objectives of a test program are to provide assurance that the facility has been adequately designed to validate the analytical models used in the design and analysis, to verify the assumptions used to predict plant response, to provide assurance that installation of equipment at the unit has been accomplished in accordance with the design, and to verify that the operating and emergency procedures are adequate. Testing may be performed prior to initial criticality, during startup, and following low power operations.

The tests may include verifying the ability to establish and maintain natural circulation following a plant trip between 10% and 20% RTP, performing natural circulation cooldown on emergency power, and during the cooldown, showing that adequate boron mixture occurs and that pressure can be controlled using auxiliary spray and pressurizer heaters powered from the emergency power sources.

APPLICABLE The tests described above require operating the plant without forced SAFETY convection flow and as such are not bounded by any safety analyses.

ANALYSES However, operating experience has demonstrated this exception to be safe under the present applicability.

As described in LCO 3.0.7, compliance with Test Exception LCOs is optional, and therefore no criteria of 10 CFR 50.36(c)(2)(ii) apply. Test Exception LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

Beaver Valley Units 1 and 2 B 3.4.19 - 1 Revision 0

RCS Loops - Test Exceptions B 3.4.19 BASES LCO This LCO provides an exemption to the requirements of LCO 3.4.4.

The LCO is provided to allow for the performance of PHYSICS TESTS in MODE 2 (after a refueling), where the core cooling requirements are significantly different than after the core has been operating. Without the LCO, plant operations would be held bound to the normal operating LCOs for reactor coolant loops and circulation (MODES 1 and 2), and the appropriate tests could not be performed.

In MODE 2, where core power level is considerably lower and the associated PHYSICS TESTS must be performed, operation is allowed under no flow conditions provided THERMAL POWER is P-7 and the reactor trip setpoints of the OPERABLE power level channels are set in accordance with the nominal trip setpoints specified in the Licensing Requirements Manual (LRM). This ensures, if some problem caused the plant to enter MODE 1 and start increasing plant power, the Reactor Trip System (RTS) would automatically shut it down before power became too high, and thereby prevent violation of fuel design limits.

The exemption is allowed even though there are no bounding safety analyses. However, these tests are performed under close supervision during the test program and provide valuable information on the plant's capability to cool down without offsite power available to the reactor coolant pumps.

APPLICABILITY This LCO is applicable when performing low power PHYSICS TESTS without any forced convection flow. This testing is performed to establish that heat input from nuclear heat does not exceed the natural circulation heat removal capabilities. Therefore, no safety or fuel design limits will be violated as a result of the associated tests.

ACTIONS A.1 When THERMAL POWER is the P-7 interlock setpoint (as specified for P-10 and P-13 in the LRM), the only acceptable action is to ensure the reactor trip breakers (RTBs) are opened immediately in accordance with Required Action A.1 to prevent operation of the fuel beyond its design limits. Opening the RTBs will shut down the reactor and prevent operation of the fuel outside of its design limits.

Beaver Valley Units 1 and 2 B 3.4.19 - 2 Revision 0

RCS Loops - Test Exceptions B 3.4.19 BASES SURVEILLANCE SR 3.4.19.1 REQUIREMENTS Verification that the power level is < the P-7 interlock setpoint (as specified for P-10 and P-13 in the LRM) will ensure that the fuel design criteria are not violated during the performance of the PHYSICS TESTS.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.19.2 The specified power range and intermediate range neutron flux channels and the P-10 and P-13 interlock setpoints must be verified to be OPERABLE and adjusted to the proper value. The Low Power Reactor Trips Block, P-7 interlock, is actuated from either the Power Range Neutron Flux, P-10, or the Turbine First Stage Pressure, P-13 interlock.

The P-7 interlock is a logic Function with train, not channel identity. A COT is performed prior to initiation of the PHYSICS TESTS. The purpose of this Surveillance is to verify the required COT has been performed on the specified channels consistent with the requirements of LCO 3.3.1, "Reactor Trip System." If the Surveillance Requirements of LCO 3.3.1 are current, no additional testing is required by this Surveillance. This will ensure that the RTS is properly aligned to provide the required degree of core protection during the performance of the PHYSICS TESTS. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification Surveillance Requirements. The SR 3.3.1.7 and SR 3.3.1.11 Frequencies are sufficient for the specified channels to ensure the instrumentation is OPERABLE before initiating PHYSICS TESTS.

SR 3.4.19.3 The Low Power Reactor Trips Block, P-7 interlock, must be verified to be OPERABLE in MODE 1 by LCO 3.3.1, "Reactor Trip System Instrumentation." The P-7 interlock is actuated from either the Power Range Neutron Flux, P-10, or the Turbine First Stage Pressure, P-13 interlock. The P-7 interlock is a logic Function. An ACTUATION LOGIC TEST is performed to verify OPERABILITY of the P-7 interlock prior to initiation of startup and PHYSICS TESTS. The purpose of this Surveillance is to verify the required ACTUATION LOGIC TEST has been Beaver Valley Units 1 and 2 B 3.4.19 - 3 Revision 29

RCS Loops - Test Exceptions B 3.4.19 BASES SURVEILLANCE REQUIREMENTS (continued) performed on the P-7 interlock consistent with the requirements of LCO 3.3.1, "Reactor Trip System." If the Surveillance Requirements of LCO 3.3.1 are current, no additional testing is required by this Surveillance. This will ensure that the RTS is properly functioning to provide the required degree of core protection during the performance of the PHYSICS TESTS. The SR 3.3.1.5 Frequency is sufficient for the P-7 interlock to ensure the instrumentation is OPERABLE before initiating PHYSICS TESTS.

REFERENCES 1. 10 CFR 50, Appendix B, Section XI.

2. 10 CFR 50, Appendix A, GDC 1, 1988.

Beaver Valley Units 1 and 2 B 3.4.19 - 4 Revision 0

SG Tube Integrity B 3.4.20 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.20 Steam Generator (SG) Tube Integrity BASES BACKGROUND Steam generator (SG) tubes are small diameter, thin walled tubes that carry primary coolant through the primary to secondary heat exchangers.

The SG tubes have a number of important safety functions. Steam generator tubes are an integral part of the reactor coolant pressure boundary (RCPB) and, as such, are relied on to maintain the primary systems pressure and inventory. The SG tubes isolate the radioactive fission products in the primary coolant from the secondary system. In addition, as part of the RCPB, the SG tubes are unique in that they act as the heat transfer surface between the primary and secondary systems to remove heat from the primary system. This Specification addresses only the RCPB integrity function of the SG. The SG heat removal function is addressed by LCO 3.4.4, "RCS Loops - MODES 1 and 2," LCO 3.4.5, "RCS Loops - MODE 3," LCO 3.4.6, "RCS Loops - MODE 4," and LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled."

SG tube integrity means that the tubes are capable of performing their intended RCPB safety function consistent with the licensing basis, including applicable regulatory requirements.

Steam generator tubing is subject to a variety of degradation mechanisms. Depending upon materials and design, steam generator tubes may experience tube degradation related to corrosion phenomena, such as wastage, pitting, intergranular attack, and stress corrosion cracking, along with other mechanically induced phenomena such as denting and wear. These degradation mechanisms can impair tube integrity if they are not managed effectively. The SG performance criteria are used to manage SG tube degradation.

Specification 5.5.5, "Steam Generator (SG) Program," requires that a program be established and implemented to ensure that SG tube integrity is maintained. Pursuant to Specification 5.5.5, tube integrity is maintained when the SG performance criteria are met. There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAGE. The SG performance criteria are described in Specification 5.5.5. Meeting the SG performance criteria provides reasonable assurance of maintaining tube integrity at normal and accident conditions.

The processes used to meet the SG performance criteria are defined by the Steam Generator Program Guidelines (Ref. 1).

Beaver Valley Units 1 and 2 B 3.4.20 - 1 Revision 0

SG Tube Integrity B 3.4.20 BASES APPLICABLE The steam generator tube rupture (SGTR) accident is the limiting design SAFETY basis event for SG tubes and avoiding an SGTR is the basis for this ANALYSES Specification. The analysis of a SGTR event assumes a bounding primary to secondary LEAKAGE rate equal to the operational LEAKAGE rate limits in LCO 3.4.13, "RCS Operational LEAKAGE," plus the leakage rate associated with a double-ended rupture of a single tube. The accident analysis for a SGTR assumes that following reactor trip the contaminated secondary fluid is released to the atmosphere via safety valves.

Environmental releases before reactor trip are discharged through the main condenser.

For accidents that do not involve fuel damage, the primary coolant activity level of DOSE EQUIVALENT I-131 is assumed to be equal to the LCO 3.4.16, "RCS Specific Activity," limits. Pre-accident and concurrent iodine spikes are assumed in accordance with applicable regulatory guidance. For accidents that assume fuel damage, the primary coolant activity is a function of the amount of activity released from the damaged fuel. The dose consequences of these events are within the limits of 10 CFR 50.67 (Ref. 2) as supplemented by Regulatory Guide 1.183 (Ref. 3) and within GDC-19 (Ref. 4) values.

Unit 1:

The analysis for design basis accidents and transients other than a SGTR assume the SG tubes retain their structural integrity (i.e., they are assumed not to rupture.) In these analyses, the steam discharge to the atmosphere is conservatively assumed to include the total primary to secondary LEAKAGE from all SGs of 450 gpd (i.e., 150 gpd per steam generator) or is assumed to increase to 450 gpd as a result of accident induced conditions.

Currently, the Unit 1 safety analyses do not specifically assume additional primary to secondary LEAKAGE due to accident induced conditions.

Unit 2:

The analysis for design basis accidents and transients other than a SGTR assume the SG tubes retain their structural integrity (i.e., they are assumed not to rupture). In these analyses, the steam discharge to the atmosphere is conservatively assumed to include the total primary to secondary LEAKAGE from all SGs of 450 gpd (i.e., 150 gpd per steam generator) or is assumed to increase to 450 gpd as a result of accident induced conditions for all accidents other than the Unit 2 main steam line break (MSLB).

Currently, the Unit 2 MSLB safety analysis is the only analysis that specifically assumes additional primary to secondary LEAKAGE due to accident induced conditions.

For the Unit 2 main steam line break (MSLB) analysis, an increased leakage assumption is applied. In support of voltage based repair criteria pursuant to Generic Letter 95-05 (Ref. 5) analyses were performed to Beaver Valley Units 1 and 2 B 3.4.20 - 2 Revision 0

SG Tube Integrity B 3.4.20 BASES APPLICABLE SAFETY ANALYSES (continued) determine the maximum MSLB induced primary to secondary leak rate that could occur without offsite doses exceeding the limits of 10 CFR 50.67 (Ref. 2) as supplemented by Regulatory Guide 1.183 (Ref. 3) and without control room doses exceeding GDC-19 (Ref. 4). An additional 2.1 gpm leakage is assumed in the Unit 2 MSLB analysis resulting from accident conditions. Therefore, in the MSLB analysis, the steam discharge to the atmosphere includes primary to secondary LEAKAGE equivalent to the operational leakage limit of 150 gpd per SG and an additional 2.1 gpm which results in a total assumed accident induced leakage of 2.4 gpm.

The combined projected leak rate from all sources (i.e., voltage based repair criteria, application of F*, freespan crack, leaking plug, leakage past sleeves, etc.) for each SG must be less than the maximum allowable steam line break leak rate limit in any one steam generator (i.e., 2.2 gpm) in order to maintain a total assumed accident induced leakage of 2.4 gpm as explained above. Maintaining the total assumed accident induced leakage to 2.4 gpm limits the resulting dose to within the requirements of 10 CFR 50.67 (Ref. 2) as supplemented by Regulatory Guide 1.183 (Ref. 3) and within GDC-19 (Ref. 4) values during a postulated steam line break event.

Steam generator tube integrity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO A Note modifies the LCO to indicate that any reference to the repair of SG tubes is only applicable to Unit 2 at this time. The Unit 1 "Steam Generator Program" (in Specification 5.5.5) has no provision for SG tube repair.

The LCO requires that SG tube integrity be maintained. The LCO also requires that all SG tubes that satisfy the plugging or repair criteria be plugged or repaired in accordance with the Steam Generator Program.

During an SG inspection, any inspected tube that satisfies the Steam Generator Program plugging or repair criteria is repaired or removed from service by plugging. If a tube was determined to satisfy the plugging or repair criteria but was not plugged or repaired, the tube may still have tube integrity.

In the context of this Specification, a SG tube is defined as the entire length of the tube, including the tube wall and any repairs made to it, between the tube-to-tubesheet weld at the tube inlet and the tube-to-tubesheet weld at the tube outlet. The tube-to-tubesheet weld is not considered part of the tube.

A SG tube has tube integrity when it satisfies the SG performance criteria.

The SG performance criteria are defined in Specification 5.5.5, "Steam Beaver Valley Units 1 and 2 B 3.4.20 - 3 Revision 32

SG Tube Integrity B 3.4.20 BASES LCO (continued)

Generator Program," and describe acceptable SG tube performance. The Steam Generator Program also provides the evaluation process for determining conformance with the SG performance criteria.

There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAGE. Failure to meet any one of these criteria is considered failure to meet the LCO.

The structural integrity performance criterion provides a margin of safety against tube burst or collapse under normal and accident conditions, and ensures structural integrity of the SG tubes under all anticipated transients included in the design specification. Tube burst is defined as, "The gross structural failure of the tube wall. The condition typically corresponds to an unstable opening displacement (e.g., opening area increased in response to constant pressure) accompanied by ductile (plastic) tearing of the tube material at the ends of the degradation." Tube collapse is defined as, "For the load displacement curve for a given structure, collapse occurs at the top of the load versus displacement curve where the slope of the curve becomes zero." The structural integrity performance criterion provides guidance on assessing loads that have a significant effect on burst or collapse. In that context, the term "significant" is defined as "An accident loading condition other than differential pressure is considered significant when the addition of such loads in the assessment of the structural integrity performance criterion could cause a lower structural limit or limiting burst/collapse condition to be established." For tube integrity evaluations, except for circumferential degradation, axial thermal loads are classified as secondary loads. For circumferential degradation, the classification of axial thermal loads as primary or secondary loads will be evaluated on a case-by-case basis. The division between primary and secondary classifications will be based on detailed analysis and/or testing.

Structural integrity requires that the primary membrane stress intensity in a tube not exceed the yield strength for all ASME Code,Section III, Service Level A (normal operating conditions) and Service Level B (upset or abnormal conditions) transients included in the design specification. This includes safety factors and applicable design basis loads based on ASME Code,Section III, Subsection NB (Ref. 6) and Draft Regulatory Guide 1.121 (Ref. 7).

The accident induced leakage performance criterion ensures that the primary to secondary LEAKAGE caused by a design basis accident, other than a SGTR, is within the accident analysis assumptions as described in the Applicable Safety Analyses section of this Bases. The accident induced leakage rate includes any primary to secondary LEAKAGE existing prior to the accident in addition to primary to secondary LEAKAGE induced during the accident.

Beaver Valley Units 1 and 2 B 3.4.20 - 4 Revision 0

SG Tube Integrity B 3.4.20 BASES LCO (continued)

The operational LEAKAGE performance criterion provides an observable indication of SG tube conditions during plant operation. The limit on operational LEAKAGE is contained in LCO 3.4.13, "RCS Operational LEAKAGE," and limits primary to secondary LEAKAGE through any one SG to 150 gallons per day. This limit is based on the assumption that a single crack leaking this amount would not propagate to a SGTR under the stress conditions of a LOCA or a main steam line break. If this amount of LEAKAGE is due to more than one crack, the cracks are very small, and the above assumption is conservative.

APPLICABILITY Steam generator tube integrity is challenged when the pressure differential across the tubes is large. Large differential pressures across SG tubes can only be experienced in MODE 1, 2, 3, or 4.

RCS conditions are far less challenging in MODES 5 and 6 than during MODES 1, 2, 3, and 4. In MODES 5 and 6, primary to secondary differential pressure is low, resulting in lower stresses and reduced potential for LEAKAGE.

ACTIONS The ACTIONS are modified by a Note clarifying that the Conditions may be entered independently for each SG tube. This is acceptable because the Required Actions provide appropriate compensatory actions for each affected SG tube. Complying with the Required Actions may allow for continued operation, and subsequent affected SG tubes are governed by subsequent Condition entry and application of associated Required Actions.

A.1 and A.2 A Note modifies Condition A and Required Action A.2 to indicate that any reference to the repair of SG tubes is only applicable to Unit 2 at this time.

The Unit 1 "Steam Generator Program" (in Specification 5.5.5) has no provision for SG tube repair.

Condition A applies if it is discovered that one or more SG tubes examined in an inservice inspection satisfy the tube plugging or repair criteria but were not plugged or repaired in accordance with the Steam Generator Program as required by SR 3.4.20.2. An evaluation of SG tube integrity of the affected tube(s) must be made. Steam generator tube integrity is based on meeting the SG performance criteria described in the Steam Generator Program. The SG plugging or repair criteria define limits on SG tube degradation that allow for flaw growth between inspections while still providing assurance that the SG performance criteria will continue to be met. In order to determine if a SG tube Beaver Valley Units 1 and 2 B 3.4.20 - 5 Revision 32

SG Tube Integrity B 3.4.20 BASES ACTIONS (continued) that should have been plugged or repaired has tube integrity, an evaluation must be completed that demonstrates that the SG performance criteria will continue to be met until the next refueling outage or SG tube inspection. The tube integrity determination is based on the estimated condition of the tube at the time the situation is discovered and the estimated growth of the degradation prior to the next SG tube inspection. If it is determined that tube integrity is not being maintained, Condition B applies.

A Completion Time of 7 days is sufficient to complete the evaluation while minimizing the risk of plant operation with a SG tube that may not have tube integrity.

If the evaluation determines that the affected tube(s) have tube integrity, Required Action A.2 allows plant operation to continue until the next refueling outage or SG inspection provided the inspection interval continues to be supported by an operational assessment that reflects the affected tubes. However, the affected tube(s) must be plugged or repaired prior to entering MODE 4 following the next refueling outage or SG inspection. This Completion Time is acceptable since operation until the next inspection is supported by the operational assessment.

B.1 and B.2 If the Required Actions and associated Completion Times of Condition A are not met or if SG tube integrity is not being maintained, the reactor must be brought to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the desired plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.4.20.1 REQUIREMENTS During shutdown periods the SGs are inspected as required by this SR and the Steam Generator Program. NEI 97-06, Steam Generator Program Guidelines (Ref. 1), and its referenced EPRI Guidelines, establish the content of the Steam Generator Program. Use of the Steam Generator Program ensures that the inspection is appropriate and consistent with accepted industry practices.

During SG inspections a condition monitoring assessment of the SG tubes is performed. The condition monitoring assessment determines the "as found" condition of the SG tubes. The purpose of the condition monitoring assessment is to ensure that the SG performance criteria have been met for the previous operating period.

Beaver Valley Units 1 and 2 B 3.4.20 - 6 Revision 32

SG Tube Integrity B 3.4.20 BASES SURVEILLANCE REQUIREMENTS (continued)

The Steam Generator Program in conjunction with the degradation assessment determines the scope of the inspection and the methods used to determine whether the tubes contain flaws satisfying the tube plugging or repair criteria. Inspection scope (i.e., which tubes or areas of tubing within the SG are to be inspected) is a function of existing and potential degradation locations. The Steam Generator Program and the degradation assessment also specify the inspection methods to be used to find potential degradation. Inspection methods are a function of degradation morphology, non-destructive examination (NDE) technique capabilities, and inspection locations.

The Steam Generator Program defines the Frequency of SR 3.4.20.1.

The Frequency is determined by the operational assessment and other limits in the SG examination guidelines (Ref. 8). The Steam Generator Program uses information on existing degradations and growth rates to determine an inspection Frequency that provides reasonable assurance that the tubing will meet the SG performance criteria at the next scheduled inspection. In addition, Specification 5.5.5 contains prescriptive requirements concerning inspection intervals to provide added assurance that the SG performance criteria will be met between scheduled inspections. If crack indications are found in any SG tube, the maximum inspection interval for all affected and potentially affected SGs is restricted by Specification 5.5.5 until subsequent inspections support extending the inspection interval.

SR 3.4.20.2 A Note modifies SR 3.4.20.2 to indicate that any reference to the repair of SG tubes is only applicable to Unit 2 at this time. The Unit 1 "Steam Generator Program" (in Specification 5.5.5) has no provision for SG tube repair.

During an SG inspection, any inspected tube that satisfies the Steam Generator Program plugging or repair criteria is repaired or removed from service by plugging. The tube plugging or repair criteria delineated in Specification 5.5.5 are intended to ensure that tubes accepted for continued service satisfy the SG performance criteria with allowance for error in the flaw size measurement and for future flaw growth. In addition, the tube plugging or repair criteria, in conjunction with other elements of the Steam Generator Program, ensure that the SG performance criteria will continue to be met until the next inspection of the subject tube(s).

Reference 1 provides guidance for performing operational assessments to verify that the tubes remaining in service will continue to meet the SG performance criteria.

Beaver Valley Units 1 and 2 B 3.4.20 - 7 Revision 32

SG Tube Integrity B 3.4.20 BASES SURVEILLANCE REQUIREMENTS (continued)

Steam generator tube repairs are only performed using approved repair methods as described in the Steam Generator Program (Specification 5.5.5).

The Frequency of prior to entering MODE 4 following a SG inspection ensures that the Surveillance has been completed and all tubes meeting the plugging or repair criteria are plugged or repaired prior to subjecting the SG tubes to significant primary to secondary pressure differential.

REFERENCES 1. NEI 97-06, "Steam Generator Program Guidelines."

2. 10 CFR 50.67, Accident Source Term.

3. Regulatory Guide 1.183, "Alternative Radiological Source Terms For Evaluating Design Basis Accidents At Nuclear Power Reactors."

4. 10 CFR 50 Appendix A, GDC 19.

5. NRC Generic Letter 95-05, "Voltage-Based Repair Criteria For Westinghouse Steam Generator Tubes Affected By Outside Diameter Stress Corrosion Cracking."

6. ASME Boiler and Pressure Vessel Code,Section III, Subsection NB.

7. Draft Regulatory Guide 1.121, "Basis for Plugging Degraded Steam Generator Tubes," August 1976.

8. EPRI, "Pressurized Water Reactor Steam Generator Examination Guidelines."

Beaver Valley Units 1 and 2 B 3.4.20 - 8 Revision 32

Accumulators B 3.5.1 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.1 Accumulators BASES BACKGROUND The functions of the ECCS accumulators are to supply water to the reactor vessel during the blowdown phase of a large break loss of coolant accident (LOCA), to provide inventory to help accomplish the refill phase that follows thereafter, and to provide Reactor Coolant System (RCS) makeup for a small break LOCA.

The blowdown phase of a large break LOCA is the initial period of the transient during which the RCS departs from equilibrium conditions, and heat from fission product decay, hot internals, and the vessel continues to be transferred to the reactor coolant. The blowdown phase of the transient ends when the RCS pressure falls to a value approaching that of the containment atmosphere.

In the refill phase of a large break LOCA, which immediately follows the blowdown phase, reactor coolant inventory has vacated the core through steam flashing and ejection out through the break. The core is essentially in adiabatic heatup. The balance of accumulator inventory is then available to help fill voids in the lower plenum and reactor vessel downcomer so as to establish a recovery level at the bottom of the core and ongoing reflood of the core with the addition of safety injection (SI) water.

The accumulators are pressure vessels partially filled with borated water and pressurized with nitrogen gas. The accumulators are passive components, since no operator or control actions are required in order for them to perform their function. Internal accumulator tank pressure is sufficient to discharge the accumulator contents to the RCS, if RCS pressure decreases below the accumulator pressure.

Each accumulator is piped into an RCS cold leg via an accumulator line and is isolated from the RCS by a motor operated isolation valve and two check valves in series.

The accumulator size, water volume, and nitrogen cover pressure are selected so that two of the three accumulators are sufficient to partially cover the core before significant clad melting or zirconium water reaction can occur following a LOCA. The need to ensure that two accumulators are adequate for this function is consistent with the large break LOCA assumption that the entire contents of one accumulator will be lost via the RCS pipe break during the blowdown phase of a large break LOCA.

Beaver Valley Units 1 and 2 B 3.5.1 - 1 Revision 0

Accumulators B 3.5.1 BASES APPLICABLE The accumulators are assumed to be OPERABLE in both the large and SAFETY small break LOCA analyses at full power and hot zero power (HZP)

ANALYSES steam line break (SLB) analysis (Ref. 1). These are the Design Basis Accidents (DBAs) that establish the acceptance limits for the accumulators. Reference to the analyses for these DBAs is used to assess changes in the accumulators as they relate to the acceptance limits.

In performing the LOCA calculations, conservative assumptions are made concerning the availability of ECCS flow. In the early stages of a large break LOCA, with or without a loss of offsite power, the accumulators provide the sole source of makeup water to the RCS. The assumption of loss of offsite power is required by regulations and conservatively imposes a delay wherein the ECCS pumps cannot deliver flow until the emergency diesel generators start, come to rated speed, and go through their timed loading sequence. In cold leg large break scenarios, the entire contents of one accumulator are assumed to be lost through the break.

The limiting large break LOCA is a double ended guillotine break in the cold leg for both Units 1 and 2. During this event, the accumulators discharge to the RCS as soon as RCS pressure decreases to below accumulator pressure.

No credit is taken for ECCS pump flow in the analysis until full flow is available. If offsite power is not available, the analysis accounts for the diesels starting and the pumps being loaded and delivering full flow.

During this time, the accumulators are analyzed as providing the sole source of emergency core cooling. No operator action is assumed during the blowdown stage of a large break LOCA.

The worst case small break LOCA analyses also assume a time delay before pumped flow reaches the core. For the larger range of small breaks, the rate of blowdown is such that the increase in fuel clad temperature is terminated solely by the accumulators, with pumped flow then providing continued cooling. As break size decreases, the accumulators and charging pumps both play a part in terminating the rise in clad temperature. As break size continues to decrease, the role of the accumulators continues to decrease until they are not required and the charging pumps become solely responsible for terminating the temperature increase.

This LCO helps to ensure that the following acceptance criteria established for the ECCS by 10 CFR 50.46 (Ref. 2) will be met following a LOCA:

a. Maximum fuel element cladding temperature is 2200F, Beaver Valley Units 1 and 2 B 3.5.1 - 2 Revision 15

Accumulators B 3.5.1 BASES APPLICABLE SAFETY ANALYSES (continued)

b. Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation,

c. Maximum hydrogen generation from a zirconium water reaction is 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react, and

d. Core is maintained in a coolable geometry.

Since the accumulators discharge during the blowdown phase of a large break LOCA, they do not contribute to the long term cooling requirements of 10 CFR 50.46.

For both the large and small break LOCA analyses, a nominal contained accumulator water volume is used. The nominal water volume assumed in the analyses is within the range of accumulator volumes specified in Surveillance Requirement 3.5.1.2. The contained water volume is not the same as the usable volume of the accumulators, since the accumulators are not completely emptied after discharge. For large breaks, an increase in water volume can be either a peak clad temperature penalty or benefit, depending on downcomer filling and subsequent spill through the break during the core reflooding portion of the transient. Therefore, the large break LOCA analyses use a range of accumulator volumes.

The Unit 1 ASTRUM large break LOCA analysis statistically calculates the accumulator water volume over the range of accumulator volumes specified in Surveillance Requirement 3.5.1.2. For Unit 2, the large break LOCA analysis assumes values of 6898 gallons and 8019 gallons for accumulator volume. The large break LOCA analyses also credit the line water volume from the accumulator to the check valve.

The minimum boron concentration is used in the post LOCA boron concentration calculation. The calculation is performed to assure reactor subcriticality in a post LOCA environment. Of particular interest is the large break LOCA, since no credit is taken for control rod assembly insertion. A reduction in the accumulator minimum boron concentration would produce a subsequent reduction in the available containment sump concentration for post LOCA shutdown and an increase in the maximum sump pH. The maximum boron concentration is used in determining the cold leg to hot leg recirculation injection switchover time and minimum sump pH.

The small break LOCA analysis is performed at the minimum nitrogen cover pressure, since sensitivity analyses have demonstrated that a higher nitrogen cover pressure results in a computed peak clad Beaver Valley Units 1 and 2 B 3.5.1 - 3 Revision 15

Accumulators B 3.5.1 BASES APPLICABLE SAFETY ANALYSES (continued) temperature benefit. The maximum nitrogen cover pressure limit prevents accumulator relief valve actuation, and ultimately preserves accumulator integrity. The accumulators also discharge following a SLB; however, their impact is minor with respect to meeting the design basis DNB limit.

The specified Technical Specification values for the usable accumulator volume, boron concentration, and minimum nitrogen pressure are analysis values. Also, the values specified for nitrogen pressure and volume do not account for instrument uncertainty.

The effects on containment mass and energy releases from the accumulators are accounted for in the appropriate analyses (Ref 3).

The accumulators satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The LCO establishes the minimum conditions required to ensure that the accumulators are available to accomplish their core cooling safety function following a LOCA. Three accumulators are required to ensure that 100% of the contents of two of the accumulators will reach the core during a LOCA. This is consistent with the assumption that the contents of one accumulator spill through the break. If less than two accumulators are injected during the blowdown phase of a LOCA, the ECCS acceptance criteria of 10 CFR 50.46 (Ref. 2) could be violated.

For an accumulator to be considered OPERABLE, the isolation valve must be fully open, power removed above 2000 psig, and the limits established in the SRs for usable volume, boron concentration, and nitrogen cover pressure must be met.

APPLICABILITY In MODES 1 and 2, and in MODE 3 with RCS pressure > 1000 psig, the accumulator OPERABILITY requirements are based on full power operation. Although cooling requirements decrease as power decreases, the accumulators are still required to provide core cooling as long as elevated RCS pressures and temperatures exist.

This LCO is only applicable at pressures > 1000 psig. At pressures 1000 psig, the rate of RCS blowdown is such that the ECCS pumps can provide adequate injection to ensure that peak clad temperature remains below the 10 CFR 50.46 (Ref. 2) limit of 2200°F.

Beaver Valley Units 1 and 2 B 3.5.1 - 4 Revision 0

Accumulators B 3.5.1 BASES APPLICABILITY (continued)

In MODE 3, with RCS pressure 1000 psig, and in MODES 4, 5, and 6, the accumulator motor operated isolation valves are closed to isolate the accumulators from the RCS. This allows RCS cooldown and depressurization without discharging the accumulators into the RCS or requiring depressurization of the accumulators.

ACTIONS A.1 If the boron concentration of one accumulator is not within limits, it must be returned to within the limits within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . In this Condition, ability to maintain subcriticality or minimum boron precipitation time may be reduced. The boron in the accumulators contributes to the assumption that the combined ECCS water in the partially recovered core during the early reflooding phase of a large break LOCA is sufficient to keep that portion of the core subcritical. One accumulator below the minimum boron concentration limit, however, will have no effect on available ECCS water and an insignificant effect on core subcriticality during reflood.

Boiling of ECCS water in the core during reflood concentrates boron in the saturated liquid that remains in the core. In addition, current analysis techniques demonstrate that the accumulators discharge following a large main steam line break at hot zero power (HZP); however, their impact is minor with respect to meeting the design basis departure from nucleate boiling (DNB) limit. Thus, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is allowed to return the boron concentration to within limits.

B.1 If one accumulator is inoperable for a reason other than boron concentration, the accumulator must be returned to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . In this Condition, the required contents of two accumulators cannot be assumed to reach the core during a LOCA. Due to the severity of the consequences should a LOCA occur in these conditions, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time to open the valve, remove power from the valve operator control circuit, or restore the proper water volume or nitrogen cover pressure ensures that prompt action will be taken to return the inoperable accumulator to OPERABLE status. The Completion Time minimizes the potential for exposure of the plant to a LOCA under these conditions and is justified in Reference 4.

C.1 and C.2 If the accumulator cannot be returned to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be Beaver Valley Units 1 and 2 B 3.5.1 - 5 Revision 0

Accumulators B 3.5.1 BASES ACTIONS (continued) brought to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and RCS pressure reduced to 1000 psig within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1 If more than one accumulator is inoperable, the plant is in a condition outside the accident analyses; therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE SR 3.5.1.1 REQUIREMENTS Each accumulator isolation valve should be verified to be fully open. This verification ensures that the accumulators are available for injection and ensures timely discovery if a valve should be less than fully open. If an isolation valve is not fully open, the rate of injection to the RCS would be reduced. Although a motor operated valve position should not change once power is removed from the control circuit, a closed valve could result in not meeting accident analyses assumptions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.2 and SR 3.5.1.3 The usable borated water volume and nitrogen cover pressure are verified for each accumulator. The required accumulator water volumes and minimum nitrogen pressure value are analysis values. The values specified for accumulator water volume do not include the line water volume from the accumulator to the check valve and do not account for instrumentation uncertainty. Similarly, the values specified for the nitrogen cover pressure also do not account for instrumentation uncertainty. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.5.1 - 6 Revision 29

Accumulators B 3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.5.1.4 The value specified for boron concentration is an analysis value. The boron concentration should be verified to be within required limits for each accumulator since the static design of the accumulators limits the ways in which the concentration can be changed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Sampling the affected accumulator within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months after a 1% accumulator volume increase will identify whether inleakage has caused a reduction in boron concentration to below the required limit. It is not necessary to verify boron concentration if the added water inventory is from the refueling water storage tank (RWST), because the water contained in the RWST is within the accumulator boron concentration requirements. This is consistent with the recommendation of NUREG-1366 (Ref. 5).

SR 3.5.1.5 Verification that power is removed from each accumulator isolation valve operator control circuit when the RCS pressure is > 2000 psig ensures that an active failure could not result in the undetected closure of an accumulator motor operated isolation valve. If this were to occur, only one accumulator would be available for injection given a single failure coincident with a LOCA. Power is removed from the accumulator motor operated isolation valves control circuits by removing the plug in the lock out jack from the associated control circuits. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR allows power to be supplied to the motor operated isolation valves control circuits when RCS pressure is 2000 psig, thus allowing operational flexibility by avoiding unnecessary delays to remove control power during plant startups or shutdowns.

REFERENCES 1. UFSAR, Chapter 14 (Unit 1) and UFSAR, Chapter 15 (Unit 2).

2. 10 CFR 50.46.

3. UFSAR, Chapter 14 (Unit 1) and UFSAR, Chapter 6 (Unit 2).

4. WCAP-15049-A, Risk-Informed Evaluation of an Extension to Accumulator Completion Times, Rev. 1, April 1999.

5. NUREG-1366, February 1990.

Beaver Valley Units 1 and 2 B 3.5.1 - 7 Revision 29

ECCS - Operating B 3.5.2 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.2 ECCS - Operating BASES BACKGROUND The function of the ECCS is to provide core cooling and negative reactivity to ensure that the reactor core is protected after any of the following accidents:

a. Loss of coolant accident (LOCA), coolant leakage greater than the capability of the normal charging system,

b. Rod ejection accident,

c. Loss of secondary coolant accident, including uncontrolled steam release or loss of feedwater, and

d. Steam generator tube rupture (SGTR).

The addition of negative reactivity is designed primarily for the loss of secondary coolant accident where primary cooldown could add enough positive reactivity to achieve criticality and return to power.

There are three phases of ECCS operation: injection, cold leg recirculation, and hot leg recirculation. In the injection phase, water is taken from the refueling water storage tank (RWST) and injected into the Reactor Coolant System (RCS) through the cold legs. When sufficient water is removed from the RWST to ensure that enough boron has been added to maintain the reactor subcritical and the containment sumps have enough water to supply the required net positive suction head to the ECCS pumps, suction is switched to the containment sump for cold leg recirculation. After approximately 6.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months (Unit 1) or 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (Unit 2),

the ECCS flow is shifted to the hot leg recirculation phase to provide a backflush, which would reduce the boiling in the top of the core and any resulting boron precipitation.

The ECCS consists of two redundant, 100% capacity trains. Each ECCS train consists of two subsystems: the High Head Safety Injection (HHSI) subsystem and a Low Head Safety Injection (LHSI) subsystem. The ECCS accumulators and the RWST are also part of the ECCS, but are not considered part of an ECCS flow path as described by this LCO.

The ECCS flow paths consist of piping, valves, and pumps such that water from the RWST can be injected into the RCS following the accidents described in this LCO. The Chemical and Volume Control System charging pumps in both units are also utilized as HHSI pumps during a safety injection. For Unit 1, the major component of the HHSI Beaver Valley Units 1 and 2 B 3.5.2 - 1 Revision 0

ECCS - Operating B 3.5.2 BASES BACKGROUND (continued) subsystem is a charging pump (HHSI pump) and the major component of the LHSI subsystem is the LHSI pump. For Unit 2, the major component of the HHSI subsystem is a charging pump (HHSI pump). The Unit 2 LHSI subsystem is comprised of a LHSI pump used for the ECCS injection mode of operation and a recirculation spray pump (2RSS-P21C or 2RSS-P21D) and associated recirculation spray heat exchanger used for the ECCS recirculation mode of operation. The HHSI and LHSI subsystems of each ECCS train are interconnected such that each ECCS train may utilize HHSI or LHSI subsystem components from the other ECCS train. This interconnecting and redundant subsystem design provides the operators with the ability to utilize components from opposite trains to achieve the required 100% flow to the core.

For Unit 1, during the injection phase of LOCA recovery, a suction header supplies water from the RWST to the ECCS pumps. Water from the supply header enters the LHSI pumps through parallel, normally open, motor operated valves. Water to the HHSI pumps is supplied via parallel motor operated valves to ensure that at least one valve opens on receipt of a safety injection actuation signal. The supply header then branches to the three HHSI pumps. The discharge from the HHSI pumps divides into three supply lines, each of which feeds the injection line to one RCS cold leg. One HHSI pump is dedicated to each train of ECCS. The third pump is a "swing" pump that can be substituted for either dedicated HHSI pump in an ECCS train. The discharge from the LHSI pumps combines into one line and then divides to feed an injection line to each of the RCS cold legs. Throttle valves in the HHSI injection lines are set to balance the flow to the RCS. This balance ensures sufficient flow to the core to meet the analysis assumptions following a LOCA in one of the RCS cold legs.

For Unit 2, during the injection phase of LOCA recovery, a suction header supplies water from the RWST to the ECCS pumps. Water from the supply header enters the LHSI pumps through parallel, normally open, motor operated valves. Water to the HHSI pumps is supplied via parallel motor operated valves to ensure that at least one valve opens on receipt of a safety injection actuation signal. The supply header then branches to the three HHSI pumps. The discharge from the HHSI pumps is provided to two separate discharge lines, each of which then divides into three supply lines. Each of these supply lines feeds the injection line to one RCS cold leg. One HHSI pump is dedicated to each train of ECCS. The third pump is a "swing" pump that can be substituted for either dedicated HHSI pump in an ECCS train. The discharge from the LHSI pumps is provided to two separate lines that combine into one line and then divide to feed an injection line to each of the RCS cold legs. Throttle valves in the HHSI lines are set to balance the flow to the RCS and limit pump runout. This balance ensures sufficient flow to the core to meet the analysis assumptions following a LOCA in one of the RCS cold legs.

Beaver Valley Units 1 and 2 B 3.5.2 - 2 Revision 0

ECCS - Operating B 3.5.2 BASES BACKGROUND (continued)

For LOCAs that are too small to depressurize the RCS below the shutoff head of the LHSI pumps, the HHSI pumps supply water until the RCS pressure decreases below the LHSI pump shutoff head. During this period, the steam generators provide part of the core cooling function.

For Unit 1, during the recirculation phase of LOCA recovery, LHSI pump suction is transferred to the containment sump. The LHSI pumps can also supply the HHSI pumps. Initially, recirculation is through the same paths as the injection phase. Subsequently, recirculation alternates injection between the hot and cold legs.

For Unit 2, during the recirculation phase of LOCA recovery, LHSI pumps are stopped and the LHSI function is provided by two of the four recirculation spray pumps (2RSS-P21C and 2RSS-P21D). The discharge of the two recirculation spray pumps is automatically aligned to the LHSI piping and recirculation spray pump suction is provided from the containment sump. The two recirculation spray pumps can also supply the HHSI pumps. Initially, recirculation is through the same paths as the injection phase. Subsequently, recirculation alternates injection between the hot and cold legs.

The HHSI subsystem of the ECCS also functions to supply borated water to the reactor core following increased heat removal events, such as a main steam line break (MSLB). The limiting design conditions occur when the negative moderator temperature coefficient is highly negative, such as at the end of each cycle.

The ECCS subsystems are actuated upon receipt of an SI signal. If offsite power is available, the safeguard loads start immediately. If offsite power is not available, the Engineered Safety Feature (ESF) buses shed normal operating loads and are connected to the emergency diesel generators (EDGs). Safeguard loads are then actuated in the programmed time sequence. The time delay associated with diesel starting, sequenced loading, and pump starting determines the time required before pumped flow is available to the core following a LOCA.

The HHSI pumps "A" and "B" are capable of being automatically started and are powered from separate ESF buses. HHSI pump "C" can be powered from either of the ESF buses that HHSI pump "A" or "B" is powered from. An interlock prevents HHSI pump "C" from being powered from both ESF buses simultaneously. In the event of a safety injection actuation signal coincident with a loss of offsite power, interlocks prevent operation of two HHSI pumps on the same bus to prevent overloading the EDGs.

Beaver Valley Units 1 and 2 B 3.5.2 - 3 Revision 0

ECCS - Operating B 3.5.2 BASES BACKGROUND (continued)

The active ECCS components, along with the passive accumulators and the RWST covered in LCO 3.5.1, "Accumulators," and LCO 3.5.4, "Refueling Water Storage Tank (RWST)," provide the cooling water necessary to meet GDC 35 as discussed in Reference 1.

APPLICABLE The LCO helps to ensure that the following acceptance criteria for the SAFETY ECCS, established by 10 CFR 50.46 (Ref. 2), will be met following a ANALYSES LOCA:

a. Maximum fuel element cladding temperature is 2200°F,

b. Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation,

c. Maximum hydrogen generation from a zirconium water reaction is 0.01 times the hypothetical amount generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react,

d. Core is maintained in a coolable geometry, and

e. Adequate long term core cooling capability is maintained.

The LCO also limits the potential for a post trip return to power following an MSLB event and ensures that containment temperature limits are met.

Each ECCS subsystem is taken credit for in a large break LOCA event at full power (Ref. 3). This event establishes the requirement for runout flow for the ECCS pumps, as well as the maximum response time for their actuation. The HHSI pumps are credited in a small break LOCA event.

The small break LOCA is an important consideration in determining the performance requirements of the HHSI pumps. The SGTR and MSLB events also credit the HHSI pumps. The OPERABILITY requirements for the ECCS are based on the following LOCA analysis assumptions:

a. A large break LOCA event, with a loss of offsite power or offsite power available and a single failure disabling one ECCS train and

b. A small break LOCA event, with a loss of offsite power and a single failure disabling one ECCS train.

Beaver Valley Units 1 and 2 B 3.5.2 - 4 Revision 0

ECCS - Operating B 3.5.2 BASES APPLICABLE SAFETY ANALYSES (continued)

During the blowdown stage of a LOCA, the RCS depressurizes as primary coolant is ejected through the break into the containment. The nuclear reaction is terminated either by moderator voiding during large breaks or control rod insertion for small breaks. Following depressurization, emergency cooling water is injected into the cold legs, flows into the downcomer, fills the lower plenum, and refloods the core.

The effects on containment mass and energy releases are accounted for in appropriate analyses (Ref. 4). The LCO ensures that an ECCS train will deliver sufficient water to match boiloff rates soon enough to minimize the consequences of the core being uncovered following a large LOCA. It also ensures that the HHSI pumps will deliver sufficient water during a small LOCA to maintain RCS inventory. For smaller LOCAs, the HHSI pump delivers sufficient fluid to maintain RCS inventory. For a small break LOCA, the steam generators continue to serve as a heat sink, providing part of the required core cooling.

The ECCS trains satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO In MODES 1, 2, and 3, two independent (and redundant) ECCS trains are required to ensure that sufficient ECCS flow is available, assuming a single failure affecting either train. Additionally, individual components within the ECCS trains may be called upon to mitigate the consequences of other transients and accidents.

For Unit 1, in MODES 1, 2, and 3, an ECCS train consists of an HHSI subsystem and an LHSI subsystem. Each train includes the piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the RWST upon a safety injection actuation signal and transferring suction to the containment sump during the recirculation phase of operation.

For Unit 2, in MODES 1, 2, and 3, an ECCS train consists of an HHSI subsystem and an LHSI subsystem. The Unit 2 LHSI subsystem includes a recirculation spray pump capable of supplying the SI flow path during the recirculation phase of operation. Each train includes the piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the RWST upon an SI signal and transferring suction to the containment sump during the recirculation phase of operation.

Beaver Valley Units 1 and 2 B 3.5.2 - 5 Revision 0

ECCS - Operating B 3.5.2 BASES LCO (continued)

During an event requiring ECCS actuation, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply headers to each of the three cold leg injection nozzles. In the long term, this flow path may be switched to take its supply from the containment sump and to supply its flow simultaneously to both the RCS hot or cold legs for Unit 1. The flow path from the containment sump is cycled alternatively between the RCS cold legs or hot legs for Unit 2.

The flow path for each train must maintain its designed independence to ensure that no single failure can disable both ECCS trains.

The LCO is modified by three Notes. Note 1 provides an exception allowing the LHSI flow paths to be isolated for 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months in MODE 3, under controlled conditions, to perform pressure isolation valve testing per SR 3.4.14.1. The flow path is readily restorable from the control room.

As indicated in Note 2, operation in MODE 3 with one required charging pump made incapable of injecting in order to facilitate entry into or exit from the Applicability of LCO 3.4.12, "Overpressure Protection System (OPPS)," is necessary when OPPS enable temperature is at or near the MODE 3 boundary temperature of 350°F. LCO 3.4.12 requires that one required charging pump be rendered incapable of injecting at and below the OPPS enable temperature. When this temperature is at or near the MODE 3 boundary temperature, time is needed to make a required charging pump incapable of injecting prior to entering the OPPS Applicability, and provide time to restore the inoperable pump to OPERABLE status on exiting the OPPS Applicability.

Note 3 is only applicable to Unit 1. As indicated in Note 3, operation in MODE 3 with the Unit 1 ECCS automatic high head safety injection (HHSI) flow path isolated in order to facilitate entry into or exit from the Applicability of LCO 3.4.12, "Overpressure Protection System (OPPS)," is necessary when the OPPS enable temperature is at or near the MODE 3 boundary temperature of 350°F. LCO 3.4.12 requires that the Unit 1 ECCS automatic HHSI flow path be isolated when any RCS cold leg temperature is the enable temperature specified in the PTLR. When this temperature is near the MODE 3 boundary temperature, Note 3 provides time to isolate the ECCS automatic HHSI flow path prior to entering the OPPS Applicability, and to restore the flow path on exiting the OPPS Applicability.

Beaver Valley Units 1 and 2 B 3.5.2 - 6 Revision 0

ECCS - Operating B 3.5.2 BASES APPLICABILITY In MODES 1, 2, and 3, the ECCS OPERABILITY requirements for the limiting Design Basis Accident, a large break LOCA, are based on full power operation. Although reduced power would not require the same level of performance, the accident analysis does not provide for reduced cooling requirements in the lower MODES. MODE 2 and MODE 3 requirements are bounded by the MODE 1 analysis.

This LCO is only applicable in MODE 3 and above. Below MODE 3, the SI signal setpoint is manually bypassed by operator control, and system functional requirements are relaxed as described in LCO 3.5.3, "ECCS -

Shutdown."

In MODES 5 and 6, plant conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops -

MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level."

ACTIONS A.1 With one or more trains inoperable and at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train available, the inoperable components must be returned to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is based on an NRC reliability evaluation (Ref. 5) and is a reasonable time for repair of many ECCS components.

An ECCS train is inoperable if it is not capable of delivering design flow to the RCS. Individual components are inoperable if they are not capable of performing their design function or supporting systems are not available.

The LCO requires the OPERABILITY of a number of independent subsystems. Due to the redundancy of trains and the diversity of subsystems, the inoperability of one active component in a train does not render the ECCS incapable of performing its function. Neither does the inoperability of two different components, each in a different train, necessarily result in a loss of function for the ECCS (e.g., an inoperable HHSI pump in one train and an inoperable LHSI pump in the other train).

This allows increased flexibility in plant operations under circumstances when components in opposite trains are inoperable.

An event accompanied by a loss of offsite power and the failure of an EDG can disable one ECCS train until power is restored. A reliability analysis (Ref. 5) has shown that the impact of having one full ECCS train inoperable is sufficiently small to justify continued operation for 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

Beaver Valley Units 1 and 2 B 3.5.2 - 7 Revision 0

ECCS - Operating B 3.5.2 BASES ACTIONS (continued)

B.1 and B.2 If the inoperable trains cannot be returned to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

C.1 Condition A is applicable with one or more trains inoperable. The allowed Completion Time is based on the assumption that at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train is available.

With less than 100% of the ECCS flow equivalent to a single OPERABLE ECCS train available, the facility is in a condition outside of the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE SR 3.5.2.1 REQUIREMENTS Verification of proper valve position ensures that the flow path from the ECCS pumps to the RCS is maintained. Misalignment of these valves could render both ECCS trains inoperable. Securing these valves by removing the plug from the lockout circuit of valve operator control circuit ensures they cannot change position as a result of active failure or be inadvertently misaligned. These valves are of the type that can disable the function of both ECCS trains and invalidate the accident analyses.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.2 Verification that the HHSI pump minimum flow valve (MOV-1CH-373 for Unit 1 and 2CHS*MOV373 for Unit 2) is open with power removed ensures that spurious or inadvertent closure of this valve is prevented.

Closure of this valve could cause overheating of each of the HHSI pumps (potentially rendering both ECCS trains inoperable). Securing this valve in position by removal of power ensures that it cannot change position as a result of an active failure or be inadvertently misaligned. The verification that the valve is in the open position may be accomplished by verifying flow through the minimum flow path using control room indication, by local verification of correct valve stem position, or by local flow verification using temporary instruments. The verification that the Beaver Valley Units 1 and 2 B 3.5.2 - 8 Revision 29

ECCS - Operating B 3.5.2 BASES SURVEILLANCE REQUIREMENTS (continued) valve motor operator is de-energized may be accomplished by verifying the absence of valve position indicator lights. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.3 Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve will automatically reposition within the proper stroke time. This Surveillance does not require any testing or valve manipulation. Rather, it involves verification that those valves capable of being mispositioned are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.4 Periodic surveillance testing of ECCS pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems is required by the ASME Code. This type of testing may be accomplished by measuring the pump developed head at only one point of the pump characteristic curve. This verifies both that the measured performance is within an acceptable tolerance of the original pump baseline performance and that the performance at the test flow is greater than or equal to the performance assumed in the ECCS Flow Analysis excluding the Unit 2 recirculation spray pumps 2RSS-P21C and 2RSS-P21D. The specific acceptance criteria of the "required developed head" for each ECCS pump may be found in the INSERVICE TESTING PROGRAM and the ECCS Flow Analysis, as applicable. The term "required developed head" refers to the pump performance at a given flow point that is assumed in the ECCS Flow Analysis. This is possible since the analysis assumes the pump delivers different flows at different times during accident mitigation. These multiple points are represented by a curve. The values at various flow points are defined by the Minimum Operating Point (MOP) curve in the INSERVICE TESTING PROGRAM.

The verification that the pumps developed head at the flow test point is greater than or equal to the required developed head is performed by using the MOP curve.

Beaver Valley Units 1 and 2 B 3.5.2 - 9 Revision 34

ECCS - Operating B 3.5.2 BASES SURVEILLANCE REQUIREMENTS (continued)

For the Unit 2 recirculation spray pumps 2RSS-P21C and 2RSS-P21D, the term "required developed head" refers to the value that is assumed in the Containment Integrity Safety Analysis for the recirculation spray pumps developed head at a specific flow point. This value for the required developed head at a flow point is defined as the MOP in the INSERVICE TESTING PROGRAM. The verification that the pumps developed head at the flow test point is greater than or equal to the required developed head is performed by using a MOP curve. The MOP curve is contained in the INSERVICE TESTING PROGRAM and was developed using the required developed head at a specific flow point as a reference point. From the reference point, a curve was drawn which is a constant percentage below the current pump performance curve. Based on the MOP curve, a verification is performed to ensure that the pumps developed head at the flow test point is greater than or equal to the required developed head. SRs are specified in the INSERVICE TESTING PROGRAM of the ASME Code. The ASME Code provides the activities and frequencies necessary to satisfy the requirements.

SR 3.5.2.5 and SR 3.5.2.6 These Surveillances demonstrate that each automatic ECCS valve actuates to the required position on an actual or simulated SI signal and that each ECCS pump, except 2RSS-P21C and 2RSS-P21D, starts on receipt of an actual or simulated SI signal. The Unit 2 recirculation spray pumps 2RSS-P21C and 2RSS-P21D start on a receipt of an actual or simulated coincidence Containment Pressure - High High signal and RWST Level Low signal or a coincidence RWST Level Extreme Low and SI signal.

For the Automatic Switchover to the Containment Sump function of the ECCS, these Surveillances include a verification of the associated required slave relay operation. The Automatic Switchover to the Containment Sump, Function 7 in LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation," does not include a requirement to perform a SLAVE RELAY TEST due to equipment safety concerns if such a test was performed at power. Therefore, verification of the required slave relay OPERABILITY for the Automatic Switchover to the Containment Sump ESFAS function is included in these ECCS Surveillances. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls.

The actuation logic is tested as part of ESF Actuation System testing, and equipment performance is monitored as part of the INSERVICE TESTING PROGRAM. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.5.2 - 10 Revision 34

ECCS - Operating B 3.5.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.5.2.7 Periodic inspections of the accessible regions of the containment sump suction inlet strainers ensure that they are unrestricted, free of structural distress or abnormal corrosion, and stay in proper operating condition.

Accessible regions of the sump strainers are those regions that can be visually examined without disassembling the strainer assembly or the grating and cover plates over the strainer assembly. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Appendix 1A, "1971 AEC General Design Criteria Conformance, " (Unit 1) and UFSAR, Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria, "

(Unit 2).

2. 10 CFR 50.46.

3. UFSAR, Section 14.3 (Unit 1) and UFSAR, Section 15.6.5 (Unit 2).

4. UFSAR, Section 14.3.4 (Unit 1) and UFSAR, Section 6.2.1 (Unit 2).

5. NRC Memorandum to V. Stello, Jr., from R.L. Baer, "Recommended Interim Revisions to LCOs for ECCS Components,"

December 1, 1975.

Beaver Valley Units 1 and 2 B 3.5.2 - 11 Revision 29

ECCS - Shutdown B 3.5.3 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.3 ECCS - Shutdown BASES BACKGROUND The Background section for Bases 3.5.2, "ECCS - Operating," is applicable to these Bases, with the following modifications.

For Unit 1, in MODE 4, the required ECCS train consists of two subsystems: High Head Safety Injection (HHSI) and the Low Head Safety Injection (LHSI). For Unit 2, in MODE 4, the required ECCS train consists of two subsystems: HHSI and the LHSI (which includes a LHSI pump and recirculation spray pump 2RSS-P21C or 2RSS-P21D and associated heat exchanger).

The ECCS flow paths consist of piping, valves, and pumps such that water from the refueling water storage tank (RWST) can be injected into the Reactor Coolant System (RCS) following the accidents described in Bases 3.5.2.

APPLICABLE The Applicable Safety Analyses section of Bases 3.5.2 also applies to SAFETY this Bases section.

ANALYSES Due to the stable conditions associated with operation in MODE 4 and the reduced probability of occurrence of a Design Basis Accident (DBA), the ECCS operational requirements are reduced. It is understood in these reductions that certain automatic safety injection (SI) actuation is not available. In this MODE, sufficient time exists for manual actuation of the required ECCS to mitigate the consequences of a DBA.

Only one train of ECCS is required for MODE 4. This requirement dictates that single failures are not considered during this MODE of operation. The ECCS trains satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO In MODE 4, one of the two independent (and redundant) ECCS trains is required to be OPERABLE to ensure that sufficient ECCS flow is available to the core following a DBA.

For Unit 1, in MODE 4, an ECCS train consists of an HHSI subsystem and an LHSI subsystem. The train includes the piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the RWST upon being manually realigned and transferring suction to the containment sump during the recirculation phase of operation. For Unit 2, in MODE 4, an ECCS train consists of an HHSI subsystem and a LHSI subsystem that includes a LHSI pump used in the injection mode of Beaver Valley Units 1 and 2 B 3.5.3 - 1 Revision 0

ECCS - Shutdown B 3.5.3 BASES LCO (continued) operation and recirculation spray pumps 2RSS-P21C or 2RSS-P21D (as applicable) and associated heat exchangers capable of supplying the SI flow path during the recirculation mode of operation. The train includes the piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the RWST upon being manually realigned and transferring suction to the containment sump during the recirculation mode of operation.

During an event requiring ECCS actuation, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply headers to each of the three cold leg injection nozzles. In the long term, this flow path may be switched to take its supply from the containment sump and to deliver its flow simultaneously to both the RCS hot or cold legs for Unit 1. The flow path from the containment sump is cycled alternately between the RCS cold legs or hot legs for Unit 2.

APPLICABILITY In MODES 1, 2, and 3, the OPERABILITY requirements for ECCS are covered by LCO 3.5.2.

In MODE 4 with RCS temperature below 350°F, one OPERABLE ECCS train is acceptable without single failure consideration, on the basis of the stable reactivity of the reactor and the limited core cooling requirements.

In MODES 5 and 6, plant conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops -

MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level."

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable ECCS high head subsystem when entering MODE 4. There is an increased risk associated with entering MODE 4 from MODE 5 with an inoperable ECCS high head subsystem and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

Beaver Valley Units 1 and 2 B 3.5.3 - 2 Revision 0

ECCS - Shutdown B 3.5.3 BASES ACTIONS (continued)

A.1 With no ECCS train OPERABLE, the plant is not prepared to respond to Design Basis Events requiring SI. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time to restore at least one ECCS train to OPERABLE status ensures that prompt action is taken to provide the required cooling capacity or to initiate actions to place the plant in MODE 5, where an ECCS train is not required.

B.1 When the Required Actions of Condition A cannot be completed within the required Completion Time, the plant must be placed in MODE 5.

Twenty-four hours is a reasonable time, based on operating experience, to reach MODE 5 in an orderly manner and without challenging plant systems or operators.

SURVEILLANCE SR 3.5.3.1 REQUIREMENTS The applicable Surveillance descriptions from Bases 3.5.2 apply.

REFERENCES The applicable references from Bases 3.5.2 apply.

Beaver Valley Units 1 and 2 B 3.5.3 - 3 Revision 0

RWST B 3.5.4 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.4 Refueling Water Storage Tank (RWST)

BASES BACKGROUND The RWST supplies borated water to the Chemical and Volume Control System (CVCS) during abnormal operating conditions, to the refueling cavity during refueling, and to the ECCS and the Quench Spray System during accident conditions.

The RWST supplies water to the ECCS pumps through a common supply header. Water from the supply header enters the Low Head Safety Injection (LHSI) pumps through parallel, normally open, motor operated valves. Water to the charging pumps (i.e., the High Head Safety Injection (HHSI) pumps) is supplied via parallel motor operated valves to ensure that at least one valve opens on receipt of a safety injection actuation signal. The supply header then branches to the three HHSI pumps. The RWST supplies water to the quench spray pumps via separate redundant lines. A motor operated isolation valve is provided to isolate the RWST from the ECCS once the system has been transferred to the recirculation mode. The recirculation mode is entered when pump suction is transferred to the containment sump following receipt of the RWST Low level signal (Unit 1) or the RWST Extreme level signal (Unit 2). Use of a single RWST to supply both trains of the ECCS and Quench Spray System is acceptable since the RWST is a passive component used for a short period of time following an accident, and passive failures are not required to be assumed to occur during the time the RWST is needed following Design Basis Events.

The switchover from normal operation to the injection phase of ECCS operation requires changing HHSI pump suction from the CVCS volume control tank (VCT) to the RWST through the use of isolation valves. Each set of isolation valves is interlocked so that the VCT isolation valves will begin to close once the RWST isolation valves are fully open. Since the VCT is under pressure, the preferred pump suction will be from the VCT until the tank is isolated. This will result in a delay in obtaining the RWST borated water. The effects of this delay are discussed in the Applicable Safety Analyses section of these Bases.

During normal operation, the LHSI pumps of the ECCS and the quench spray pumps are aligned to take suction from the RWST.

The ECCS pumps are provided with recirculation lines that ensure each pump can maintain minimum flow requirements when operating at or near shutoff head conditions.

Beaver Valley Units 1 and 2 B 3.5.4 - 1 Revision 0

RWST B 3.5.4 BASES BACKGROUND (continued)

When the suction for the ECCS pumps is transferred to the containment sump, the recirculation flow paths are isolated from the RWST to prevent a release of the containment sump contents to the RWST, which could result in a release of contaminants to the atmosphere.

This LCO ensures that:

a. The RWST contains sufficient borated water to support the ECCS during the injection phase and the Quench Spray System,

b. Sufficient water volume exists in the containment sump to support continued operation of the ECCS and Recirculation Spray System pumps at the time of transfer to the recirculation mode of cooling, and

c. The reactor remains subcritical following a loss of coolant accident (LOCA).

Insufficient water volume in the RWST could result in insufficient cooling capacity when the transfer to the recirculation mode occurs. Improper boron concentrations could result in a reduction of SDM or excessive boric acid precipitation in the core following the LOCA, as well as excessive caustic stress corrosion of mechanical components and systems inside the containment.

APPLICABLE During accident conditions, the RWST provides a source of borated SAFETY water to the ECCS and Quench Spray System pumps. As such, it ANALYSES provides containment cooling and depressurization, core cooling, and replacement inventory and is a source of negative reactivity for reactor shutdown (Ref. 1). The design basis transients and applicable safety analyses concerning each of these systems are discussed in the Applicable Safety Analyses section of B 3.5.2, "ECCS - Operating,"

B 3.5.3, "ECCS - Shutdown," and B 3.6.6, "Quench Spray System."

These analyses are used to assess changes to the RWST in order to evaluate their effects in relation to the acceptance limits in the analyses.

The RWST must also meet volume, boron concentration, and temperature requirements for certain non-LOCA events. The volume is not an explicit assumption in non-LOCA events since the required volume is a small fraction of the available volume. The usable volume limit is set by the LOCA and containment analyses. For the RWST, the usable volume is different from the total volume contained since, due to the design of the tank, more water can be contained than can be delivered.

Beaver Valley Units 1 and 2 B 3.5.4 - 2 Revision 0

RWST B 3.5.4 BASES APPLICABLE SAFETY ANALYSES (continued)

The minimum boron concentration is an explicit assumption in the main steam line break (MSLB) analysis to ensure the required shutdown capability. The minimum boron concentration limit is an important assumption in ensuring the required shutdown capability. The maximum boron concentration is an explicit assumption in "Spurious Operation of the Safety Injection System at Power" (Unit 1) and "Inadvertent Operation of the ECCS During Power Operation" (Unit 2), however, the results are very insensitive to boron concentration. The maximum temperature ensures that the amount of cooling provided from the RWST during the heatup phase of a feedline break is consistent with safety analysis assumptions; the minimum temperature is an assumption in both the MSLB analysis and the "Spurious Operation of the Safety Injection System at Power" (Unit 1) and "Inadvertent Operation of the ECCS During Power Operation" (Unit 2).

The RWST temperature impacts the large and small break LOCA peak cladding temperature (PCT) calculations, and the LOCA and MSLB containment peak pressure calculations.

LOCA PCT Calculations:

The large break LOCA analysis assumes that the quench spray temperature is equal to the RWST lower limit of 45°F. The lower RWST temperature results in a reduced containment backpressure, which increases steam binding, reducing the flooding rate and results in an increased PCT. The small break LOCA analysis assumes an RWST temperature of 65°F.

Containment Integrity Calculations:

Both the LOCA and MSLB containment integrity analyses credit the quench spray to reduce the containment pressure following the accident.

The LOCA and MSLB containment analyses assume that the quench spray temperature is greater than or equal to the upper RWST temperature limit of 65°F. A higher RWST temperature results in a reduced cooling and condensation spray capability, and therefore higher calculated containment pressures.

The MSLB analysis has considered a delay associated with the interlock between the VCT and RWST isolation valves, and the results show that the departure from nucleate boiling design basis is met. The assumed response times are provided in the Licensing Requirements Manual.

Beaver Valley Units 1 and 2 B 3.5.4 - 3 Revision 0

RWST B 3.5.4 BASES APPLICABLE SAFETY ANALYSES (continued)

For a large break LOCA analysis, the minimum usable water volume of 317,000 gallons (Unit 1) and 368,000 gallons (Unit 2) and the lower boron concentration limit of 2400 ppm are used to compute the post LOCA sump boron concentration necessary to assure subcriticality. The large break LOCA is the limiting case with respect to assuring subcriticality, since the safety analysis assumes that all control rods are out of the core.

The containment iodine removal offsite dose radiological analysis and containment sump pH analysis and HHSI pump net positive suction head calculation assume a minimum useable volume of 430,500 gallons (Unit 1) and 859,248 gallons (Unit 2), and therefore establish the required limit.

The upper limit on boron concentration of 2600 ppm is used to determine the maximum allowable time to switch to hot leg recirculation following a large break LOCA. The purpose of switching from cold leg to hot leg injection is to avoid boron precipitation in the core following the accident.

The RWST satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The RWST ensures that an adequate supply of borated water is available to cool and depressurize the containment in the event of a Design Basis Accident (DBA), to cool and cover the core in the event of a LOCA, to maintain the reactor subcritical following a DBA, and to ensure adequate level in the containment sump to support ECCS and Recirculation Spray System pump operation in the recirculation mode.

To be considered OPERABLE, the RWST must meet the usable water volume, boron concentration, and temperature limits established in the SRs.

APPLICABILITY In MODES 1, 2, 3, and 4, RWST OPERABILITY requirements are dictated by ECCS and Quench Spray System OPERABILITY requirements. Since both the ECCS and the Quench Spray System must be OPERABLE in MODES 1, 2, 3, and 4, the RWST must also be OPERABLE to support their operation. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled."

MODE 6 core cooling requirements are addressed by LCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level."

Beaver Valley Units 1 and 2 B 3.5.4 - 4 Revision 0

RWST B 3.5.4 BASES ACTIONS A.1 With RWST boron concentration or borated water temperature not within limits, they must be returned to within limits within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . Under these conditions neither the ECCS nor the Quench Spray System can perform its design function. Therefore, prompt action must be taken to restore the tank to OPERABLE status. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months limit to restore the RWST temperature or boron concentration to within limits was developed considering the time required to change either the boron concentration or temperature and the fact that the contents of the tank are still available for injection and spray.

B.1 With the RWST inoperable for reasons other than Condition A (e.g., water volume), it must be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

In this Condition, neither the ECCS nor the Quench Spray System can perform its design function. Therefore, prompt action must be taken to restore the tank to OPERABLE status or to place the plant in a MODE in which the RWST is not required. The short time limit of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to restore the RWST to OPERABLE status is based on this condition simultaneously affecting redundant trains.

C.1 and C.2 If the RWST cannot be returned to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

Beaver Valley Units 1 and 2 B 3.5.4 - 5 Revision 0

RWST B 3.5.4 BASES SURVEILLANCE SR 3.5.4.1 REQUIREMENTS The RWST borated water temperature should be verified to be within the limits assumed in the accident analyses band. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The SR is modified by a Note that eliminates the requirement to perform this Surveillance when ambient air temperatures are within the operating limits of the RWST. With ambient air temperatures within the band, the RWST temperature should not exceed the limits.

SR 3.5.4.2 The RWST water volume should be verified to be above the required usable level in order to ensure that a sufficient initial supply is available for injection and the Quench Spray System and to support continued ECCS and Recirculation Spray System pump operation on recirculation.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.4.3 The boron concentration of the RWST should be verified to be within the required limits. This SR ensures that the reactor will remain subcritical following a LOCA. Further, it assures that boron precipitation in the core will not occur and that the resulting sump pH will be maintained in an acceptable range so the effect of chloride and caustic stress corrosion on mechanical systems and components will be minimized. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Chapter 14 (Unit 1) and UFSAR, Chapter 6 and Chapter 15 (Unit 2).

Beaver Valley Units 1 and 2 B 3.5.4 - 6 Revision 29

Seal Injection Flow B 3.5.5 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.5 Seal Injection Flow BASES BACKGROUND The function of the seal injection throttle valves during an accident is similar to the function of the ECCS throttle valves in that each restricts flow from the charging pump header to the Reactor Coolant System (RCS).

The restriction on reactor coolant pump (RCP) seal injection flow limits the amount of ECCS flow that would be diverted from the injection path following an accident. This limit is based on safety analysis assumptions that are required because RCP seal injection flow is not isolated during SI.

The RCP seal injection flow is restricted by the seal injection line flow resistance which is adjusted through positioning of the manual seal injection throttle valves. The RCP seal injection flow is determined by measuring the charging pump discharge pressure, and the RCP seal injection flow rate.

The seal injection flow control valve fails open to ensure that, in the event of either loss of air or loss of control signal to the valve, when the charging pumps are supplying charging flow, seal injection to the RCP seals is maintained. Positioning of the seal injection flow control valve may vary during normal plant operating conditions, resulting in a proportional change to RCP seal injection flow. The flow provided by seal injection throttle valves will remain fixed when seal injection flow control valve is repositioned provided the throttle valve position(s) are not adjusted.

APPLICABLE ECCS subsystems are taken credit for in the large break loss of SAFETY coolant accident (LOCA) at full power (Ref. 1). The minimum flow ANALYSES provided by the ECCS pumps is modeled in the LOCA analysis. The charging pumps are also credited in the small break LOCA analysis. The small break LOCA analysis establishes the flow and discharge head at the design point for the charging pumps. The steam generator tube rupture, feedline break and main steam line break event analyses also credit the charging pumps, but are not limiting in their design. Reference to these analyses is made in assessing changes to the Seal Injection System for evaluation of their effects in relation to the acceptance limits in these analyses.

This LCO ensures that seal injection flow will be sufficient for RCP seal integrity but limited so that the ECCS trains will be capable of delivering sufficient water to match boiloff rates soon enough to minimize uncovering of the core following a large LOCA. It also ensures that the Beaver Valley Units 1 and 2 B 3.5.5 - 1 Revision 0

Seal Injection Flow B 3.5.5 BASES APPLICABLE SAFETY ANALYSES (continued) charging pumps will deliver sufficient water for a small LOCA and sufficient boron to maintain the core subcritical. For smaller LOCAs, the charging pumps alone deliver sufficient fluid to overcome the loss and maintain RCS inventory.

Seal injection flow satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The intent of the LCO limit on seal injection flow is to make sure that flow through the RCP seal water injection line is low enough to ensure that sufficient charging pump injection flow is directed to the RCS via the injection points.

The LCO is not strictly a flow limit, but rather a flow limit based on a flow line resistance. In order to establish the proper flow line resistance, a pressure and flow must be known. The flow line resistance is determined by assuming that the RCS pressure is at normal operating pressure and that the charging pump discharge pressure is greater than or equal to the value specified in this LCO. The charging pump discharge pressure remains essentially constant through all the applicable MODES of this LCO. A reduction in RCS pressure would result in more flow being diverted to the RCP seal injection line than at normal operating pressure.

The valve settings established at the prescribed charging pump discharge pressure result in a conservative valve position should RCS pressure decrease. The additional modifier of this LCO, the seal injection flow control valve being full open, is required since the valve is designed to fail open for the accident condition. With the discharge pressure and control valve position as specified by the LCO, a flow limit is established. It is this flow limit that is used in the accident analyses.

The limit on seal injection flow must be met to ensure that the ECCS is OPERABLE. If these conditions are not met, the ECCS flow will not be as assumed in the accident analyses.

APPLICABILITY In MODES 1, 2, and 3, the seal injection flow limit is dictated by ECCS flow requirements, which are specified for MODES 1, 2, 3, and 4. The seal injection flow limit is not applicable for MODE 4 and lower; however, because high seal injection flow is less critical as a result of the lower initial RCS pressure and decay heat removal requirements in these MODES. Therefore, RCP seal injection flow must be limited in MODES 1, 2, and 3 to ensure adequate ECCS performance.

Beaver Valley Units 1 and 2 B 3.5.5 - 2 Revision 0

Seal Injection Flow B 3.5.5 BASES ACTIONS A.1 With the seal injection flow outside its limit, the amount of charging flow available to the RCS may be reduced. In this Condition, action must be taken to restore the flow to within its limit with charging pump discharge pressure 2457 psig and the seal injection control valve full open. The operator has 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months from the time the flow is known to be outside the limit to correctly position the manual valves and thus be in compliance with the accident analysis. The Completion Time minimizes the potential exposure of the plant to a LOCA with insufficient injection flow and provides a reasonable time to restore seal injection flow within limits.

This time is conservative with respect to the Completion Times of other ECCS LCOs; it is based on operating experience and is sufficient for taking corrective actions by operations personnel.

B.1 and B.2 When the Required Actions cannot be completed within the required Completion Time, a controlled shutdown must be initiated. The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months for reaching MODE 3 from MODE 1 is a reasonable time for a controlled shutdown, based on operating experience and normal cooldown rates, and does not challenge plant safety systems or operators. Continuing the shutdown begun in Required Action B.1, an additional 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is a reasonable time, based on operating experience and normal cooldown rates, to reach MODE 4, where this LCO is no longer applicable.

SURVEILLANCE SR 3.5.5.1 REQUIREMENTS Verification that the manual seal injection throttle valves are adjusted to give a flow within the limit ensures that the ECCS injection flows stay within the safety analysis assumptions. The flow shall be verified by confirming seal injection flow 28 gpm with the RCS at normal operating pressure, the seal injection flow control valve full open, and the charging pump discharge pressure 2457 psig. The seal injection flow control valve in the flow path between the charging pump discharge and the RCS must be fully open during this Surveillance to correlate with the acceptance criteria. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.5.5 - 3 Revision 29

Seal Injection Flow B 3.5.5 BASES SURVEILLANCE REQUIREMENTS (continued)

As noted, the Surveillance is not required to be performed until 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after the RCS pressure has stabilized within a +/- 20 psig range of normal operating pressure. The RCS pressure requirement is specified since this configuration will produce the required pressure conditions necessary to assure that the manual valves are set correctly. The exception is limited to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months to ensure that the Surveillance is timely.

REFERENCES 1. UFSAR, Chapter 14 (Unit 1) and UFSAR, Chapter 6 and Chapter 15 (Unit 2).

Beaver Valley Units 1 and 2 B 3.5.5 - 4 Revision 0

Containment B 3.6.1 B 3.6 CONTAINMENT SYSTEMS B 3.6.1 Containment BASES BACKGROUND The containment consists of the concrete reactor building, its steel liner, and the penetrations through this structure. The structure is designed to contain radioactive material that may be released from the reactor core following a design basis loss of coolant accident (LOCA). Additionally, this structure provides shielding from the fission products that may be present in the containment atmosphere following accident conditions.

The containment is a reinforced concrete structure with a cylindrical wall, a flat foundation mat, and a dome roof. The inside surface of the containment is lined with a carbon steel liner to ensure a high degree of leak tightness during operating and accident conditions.

The concrete reactor building is required for structural integrity of the containment under Design Basis Accident (DBA) conditions. The steel liner and its penetrations establish the leakage limiting boundary of the containment. Maintaining the containment OPERABLE limits the leakage of fission product radioactivity from the containment to the environment.

SR 3.6.1.1 leakage rate requirements comply with 10 CFR 50, Appendix J, Option B (Ref. 1), as modified by approved exemptions.

The isolation devices for the penetrations in the containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier:

a. All penetrations required to be closed during accident conditions are either:

1. Capable of being closed by an OPERABLE automatic containment isolation system or

2. Closed by manual valves, blind flanges, or de-activated automatic valves secured in their closed positions, except as provided in LCO 3.6.3, "Containment Isolation Valves,"

b. Each air lock is OPERABLE, except as provided in LCO 3.6.2, "Containment Air Locks,"

c. The equipment hatch is closed, and

d. The sealing mechanism associated with each penetration (e.g.,

welds, bellows, or O-rings) is OPERABLE.

Beaver Valley Units 1 and 2 B 3.6.1 - 1 Revision 0

Containment B 3.6.1 BASES APPLICABLE The safety design basis for the containment is that the containment must SAFETY withstand the pressures and temperatures of the limiting Design Basis ANALYSES Accident (DBA) without exceeding the design leakage rate.

The DBAs that result in a challenge to containment OPERABILITY from high pressures and temperatures are a LOCA, a steam line break, and a rod ejection accident (REA) (Ref. 2). In addition, release of significant fission product radioactivity within containment can occur from a LOCA or REA. In the DBA analyses, it is assumed that the containment is OPERABLE such that, for the DBAs involving release of fission product radioactivity, release to the environment is controlled by the rate of containment leakage. A main steam line break inside containment is not evaluated as the dose consequences are bounded by a main steam line break outside containment. The containment was designed with an allowable leakage rate of 0.1% of containment air weight per day (Ref. 3).

This leakage rate, used to evaluate offsite doses resulting from accidents, is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as La: the maximum allowable containment leakage rate at the calculated peak containment internal pressure (Pa) resulting from the limiting design basis LOCA. The allowable leakage rate represented by La forms the basis for the acceptance criteria imposed on all containment leakage rate testing.

La is assumed to be 0.1% per day in the safety analysis at Pa = 43.1 psig (for Unit 1) and 44.8 psig (for Unit 2) (Ref. 3).

Satisfactory leakage rate test results are a requirement for the establishment of containment OPERABILITY.

The containment satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO Containment OPERABILITY is maintained by limiting leakage to 1.0 La, except during the first unit startup prior to entering MODE 4 after performing a required Containment Leakage Rate Testing Program leakage test. At this time the other applicable leakage limits specified in the Containment Leakage Rate Testing Program must be met.

Compliance with this LCO will ensure a containment configuration, including equipment hatch, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analysis.

Individual leakage rates for the containment air lock (LCO 3.6.2) are specified in the Containment Leakage Rate Testing Program and are not specifically part of the acceptance criteria of 10 CFR 50, Appendix J.

Therefore, leakage rates exceeding the air lock limits only result in the containment being inoperable when the leakage results in exceeding the overall acceptance criteria of 1.0 La.

Beaver Valley Units 1 and 2 B 3.6.1 - 2 Revision 6

Containment B 3.6.1 BASES APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material into containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, containment is not required to be OPERABLE in MODE 5 to prevent leakage of radioactive material from containment. The requirements for containment during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."

ACTIONS A.1 In the event containment is inoperable, containment must be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining containment during MODES 1, 2, 3, and 4. This time period also ensures that the probability of an accident (requiring containment OPERABILITY) occurring during periods when containment is inoperable is minimal.

B.1 and B.2 If containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.6.1.1 REQUIREMENTS Maintaining the containment OPERABLE requires compliance with the visual examinations and leakage rate test requirements of the Containment Leakage Rate Testing Program. Failure to meet air lock leakage limits specified in LCO 3.6.2 does not invalidate the acceptability of these overall leakage determinations unless the air lock leakage contribution to overall Type A, B, and C leakage causes that leakage to exceed the following limits. As-left leakage prior to entering MODE 4 during the first unit startup after performing a required Containment Leakage Rate Testing Program leakage test is required to be < 0.6 La for combined Type B and C leakage, and 0.75 La for overall Type A leakage. At all other times between required leakage rate tests, the acceptance criteria is based on the overall integrated containment leakage limit of 1.0 La. At 1.0 La the offsite dose consequences are bounded by the assumptions of the safety analysis. SR Frequencies Beaver Valley Units 1 and 2 B 3.6.1 - 3 Revision 0

Containment B 3.6.1 BASES SURVEILLANCE REQUIREMENTS (continued) are as required by the Containment Leakage Rate Testing Program.

These periodic testing requirements verify that the containment leakage rate does not exceed the leakage rate assumed in the safety analysis.

REFERENCES 1. 10 CFR 50, Appendix J, Option B.

2. UFSAR, Chapter 14 (Unit 1), and UFSAR, Chapter 15 (Unit 2).

3. UFSAR, Section 5.2 (Unit 1), and UFSAR, Section 6.2 (Unit 2).

Beaver Valley Units 1 and 2 B 3.6.1 - 4 Revision 0

Containment Air Locks B 3.6.2 B 3.6 CONTAINMENT SYSTEMS B 3.6.2 Containment Air Locks BASES BACKGROUND Containment air locks form part of the containment pressure boundary and provide a means for personnel access during all MODES of operation.

Each air lock is nominally a right circular cylinder with a door at each end.

The emergency air lock is significantly smaller than the personnel airlock and is not used for routine containment entry and exit. The doors are interlocked to prevent simultaneous opening. During periods when containment is not required to be OPERABLE, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary.

The emergency air lock, which is located in the equipment hatch opening, is normally removed from the containment building during a refueling outage. Each air lock door has been designed and tested to certify its ability to withstand a pressure in excess of the maximum expected pressure following a Design Basis Accident (DBA) in containment. As such, closure of a single door supports containment OPERABILITY.

Each of the doors contains double o-ring seals and local leakage rate testing capability to ensure pressure integrity. DBA conditions that increase containment pressure will result in increased sealing forces on the personnel air lock inner door and both doors on the emergency air lock. As the outer door on the personnel air lock is the only one of these doors that opens outward from containment, it is periodically tested in a manner where the containment DBA pressure is attempting to overcome the door sealing forces.

The containment air locks form part of the containment pressure boundary. As such, air lock integrity and leak tightness is essential for maintaining the containment leakage rate within limit in the event of a DBA. Not maintaining air lock integrity or leak tightness may result in a leakage rate in excess of that assumed in the unit safety analyses.

APPLICABLE The DBAs that result in a release of radioactive material within SAFETY containment and containment pressurization are a loss of coolant ANALYSES accident (LOCA) and a rod ejection accident (REA) (Ref. 1). A main steam line break inside containment is not evaluated as the dose consequences are bounded by a main steam line break outside containment. In the analysis of a design basis LOCA or REA, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate Beaver Valley Units 1 and 2 B 3.6.2 - 1 Revision 0

Containment Air Locks B 3.6.2 BASES APPLICABLE SAFETY ANALYSES (continued) of 0.1% of containment air weight per day (Ref. 2). This leakage rate is defined in 10 CFR 50, Appendix J, Option B (Ref. 3), as La = 0.1% of containment air weight per day, the maximum allowable containment leakage rate at the calculated peak containment internal pressure Pa = 43.1 psig (for Unit 1) and 44.8 psig (for Unit 2) following a design basis LOCA. This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with the air locks.

The containment air locks satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO Each containment air lock forms part of the containment pressure boundary. As part of the containment pressure boundary, the air lock safety function is related to control of the containment leakage rate resulting from a DBA. Thus, each air lock's structural integrity and leak tightness are essential to the successful mitigation of such an event.

Each air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE. The interlock allows only one air lock door of an air lock to be opened at one time. This provision ensures that a gross breach of containment does not exist when containment is required to be OPERABLE. Closure of a single door in each air lock is sufficient to provide a leak tight barrier following postulated events. Nevertheless, both doors are kept closed when the air lock is not being used for normal entry into or exit from containment.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the containment air locks are not required in MODE 5 to prevent leakage of radioactive material from containment. The requirements for the containment air locks during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."

ACTIONS The ACTIONS are modified by a Note that allows entry and exit to perform repairs on the affected air lock component. If the outer door is inoperable, then it may be easily accessed for most repairs. However, if the inner door is inoperable it is permissible to enter the air lock through the OPERABLE door, which means there is a short time during which the containment boundary is not intact (during access through the OPERABLE door). The ability to open the OPERABLE door, even if it means the containment boundary is temporarily not intact, is acceptable Beaver Valley Units 1 and 2 B 3.6.2 - 2 Revision 6

Containment Air Locks B 3.6.2 BASES ACTIONS (continued) due to the low probability of an event that could pressurize the containment during the short time in which the OPERABLE door is expected to be open. After each entry and exit, the OPERABLE door must be immediately closed.

A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each air lock. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable air lock. Complying with the Required Actions may allow for continued operation, and a subsequent inoperable air lock is governed by subsequent Condition entry and application of associated Required Actions.

In the event the air lock leakage results in exceeding the overall containment leakage rate acceptance criteria, Note 3 directs entry into the applicable Conditions and Required Actions of LCO 3.6.1, "Containment."

A.1, A.2, and A.3 With one air lock door in one or more containment air locks inoperable, the OPERABLE door must be verified closed (Required Action A.1) in each affected containment air lock. This ensures that a leak tight containment barrier is maintained by the use of an OPERABLE air lock door. This action must be completed within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . This specified time period is consistent with the ACTIONS of LCO 3.6.1, which requires containment be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

In addition, the affected air lock penetration must be isolated by locking closed the OPERABLE air lock door within the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable for locking the OPERABLE air lock door, considering the OPERABLE door of the affected air lock is being maintained closed.

Required Action A.3 verifies that an air lock with an inoperable door has been isolated by the use of a locked and closed OPERABLE air lock door. This ensures that an acceptable containment leakage boundary is maintained. The Completion Time of once per 31 days is based on engineering judgment and is considered adequate in view of the low likelihood of a locked door being mispositioned and other administrative controls. Required Action A.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to be verified locked closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.

Beaver Valley Units 1 and 2 B 3.6.2 - 3 Revision 0

Containment Air Locks B 3.6.2 BASES ACTIONS (continued)

The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the same air lock are inoperable.

With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. The exception of Note 1 does not affect tracking the Completion Time from the initial entry into Condition A; only the requirement to comply with the Required Actions. Note 2 allows use of the air lock for entry and exit for 7 days under administrative controls to perform activities not related to the repair of affected air lock components.

Containment entry may be required on a periodic basis to perform Technical Specifications (TS) Surveillances and Required Actions, as well as other activities on equipment inside containment that are required by TS or activities on equipment that support TS-required equipment. This Note is not intended to preclude performing other activities (i.e., non-TS required activities) if the containment is entered, using the inoperable air lock, to perform an allowed activity listed above. This allowance is acceptable due to the low probability of an event that could pressurize the containment during the short time that the OPERABLE door is expected to be open.

B.1, B.2, and B.3 With an air lock interlock mechanism inoperable in one or more air locks, the Required Actions and associated Completion Times are consistent with those specified in Condition A.

The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the same air lock are inoperable.

With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. Note 2 allows entry into and exit from containment under the control of a dedicated individual stationed at the air lock to ensure that only one door is opened at a time (i.e., the individual performs the function of the interlock).

Required Action B.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to be verified locked closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.

Beaver Valley Units 1 and 2 B 3.6.2 - 4 Revision 0

Containment Air Locks B 3.6.2 BASES ACTIONS (continued)

C.1, C.2, and C.3 With one or more air locks inoperable for reasons other than those described in Condition A or B, Required Action C.1 requires action to be initiated immediately to evaluate previous combined leakage rates using current air lock test results. An evaluation is acceptable, since it is overly conservative to immediately declare the containment inoperable if both doors in an air lock have failed a seal test or if the overall air lock leakage is not within limits. In many instances (e.g., only one seal per door has failed), containment remains OPERABLE, yet only 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months (per LCO 3.6.1) would be provided to restore the air lock door to OPERABLE status prior to requiring a plant shutdown. In addition, even with both doors failing the seal test, the overall containment leakage rate can still be within limits.

Required Action C.2 requires that one door in the affected containment air lock must be verified to be closed within the 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time.

This specified time period is consistent with the ACTIONS of LCO 3.6.1, which requires that containment be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

Additionally, the affected air lock(s) must be restored to OPERABLE status within the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time. The specified time period is considered reasonable for restoring an inoperable air lock to OPERABLE status, assuming that at least one door is maintained closed in each affected air lock.

D.1 and D.2 If the inoperable containment air lock cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.6.2.1 REQUIREMENTS Maintaining containment air locks OPERABLE requires compliance with the leakage rate test requirements of the Containment Leakage Rate Testing Program. This SR reflects the leakage rate testing requirements with regard to air lock leakage (Type B leakage tests). The acceptance criteria were established by Technical Specification requirements. The periodic testing requirements verify that the air lock leakage does not Beaver Valley Units 1 and 2 B 3.6.2 - 5 Revision 0

Containment Air Locks B 3.6.2 BASES SURVEILLANCE REQUIREMENTS (continued) exceed the allowed fraction of the overall containment leakage rate. The Frequency is required by the Containment Leakage Rate Testing Program.

The SR has been modified by two Notes. Note 1 states that an inoperable air lock door does not invalidate the previous successful performance of the overall air lock leakage test. This is considered reasonable since either air lock door is capable of providing a fission product barrier in the event of a DBA. Note 2 has been added to this SR requiring the results to be evaluated against the acceptance criteria which is applicable to SR 3.6.1.1. This ensures that air lock leakage is properly accounted for in determining the containment leakage rate is within the acceptance criteria specified in the Containment Leakage Rate Testing Program.

SR 3.6.2.2 The air lock interlock is designed to prevent simultaneous opening of both doors in a single air lock. Since both the inner and outer doors of an air lock are designed to withstand the maximum expected post accident containment pressure, closure of either door will support containment OPERABILITY. Thus, the door interlock feature supports containment OPERABILITY while the air lock is being used for personnel transit in and out of the containment. Periodic testing of this interlock demonstrates that the interlock will function as designed and that simultaneous opening of the inner and outer doors will not inadvertently occur. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Chapter 14 (Unit 1), and UFSAR, Chapter 15 (Unit 2).

2. UFSAR, Section 5.2 (Unit 1), and UFSAR, Section 6.2 (Unit 2).

3. 10 CFR 50, Appendix J, Option B.

Beaver Valley Units 1 and 2 B 3.6.2 - 6 Revision 29

Containment Isolation Valves B 3.6.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.3 Containment Isolation Valves BASES BACKGROUND The containment isolation valves form part of the containment pressure boundary and provide a means for fluid penetrations not serving accident consequence limiting systems to be provided with two isolation barriers that are closed on a containment isolation signal. These isolation devices are either passive or active (automatic). Manual valves, de-activated automatic valves secured in their closed position (including check valves with flow through the valve secured), blind flanges, and closed systems are considered passive devices. Check valves, or other automatic valves designed to close without operator action following an accident, are considered active devices. Two barriers in series are typically provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analyses. One of these barriers may be a closed system. These barriers (typically containment isolation valves) make up the Containment Isolation System.

The list of containment penetrations and the associated isolation devices credited for each penetration is specified in the Licensing Requirements Manual (LRM).

Automatic isolation signals are produced during accident conditions.

Containment Phase "A" isolation occurs upon receipt of a safety injection signal. The Phase "A" isolation signal isolates nonessential process lines in order to minimize leakage of fission product radioactivity. Containment Phase "B" isolation occurs upon receipt of a containment pressure-High High signal and isolates the remaining process lines, except systems required for accident mitigation. As a result, the containment isolation valves (and blind flanges) help ensure that the containment atmosphere will be isolated from the environment in the event of a release of fission product radioactivity to the containment atmosphere as a result of a Design Basis Accident (DBA).

The OPERABILITY requirements for containment isolation valves help ensure that containment is isolated within the time limits assumed in the safety analyses. Therefore, the OPERABILITY requirements provide assurance that the containment function assumed in the safety analyses will be maintained.

Beaver Valley Units 1 and 2 B 3.6.3 - 1 Revision 0

Containment Isolation Valves B 3.6.3 BASES BACKGROUND (continued)

The Shutdown Purge System operates to supply outside air into the containment for ventilation and heating and may also be used to reduce the concentration of noble gases within containment prior to and during personnel access. The supply and exhaust lines each contain two 42 inch isolation valves. Because of their large size, the 42 inch purge valves are not qualified for automatic closure from their open position under DBA conditions. Therefore, the 42 inch purge valves are maintained closed in MODES 1, 2, 3, and 4 to ensure the containment boundary is maintained.

APPLICABLE The containment isolation valve LCO was derived from the assumptions SAFETY related to minimizing the loss of reactor coolant inventory and ANALYSES establishing the containment boundary during major accidents. As part of the containment boundary, containment isolation valve OPERABILITY supports leak tightness of the containment. Therefore, the safety analyses of any event requiring isolation of containment is applicable to this LCO.

The DBAs that result in a release of radioactive material within containment and containment pressurization are a loss of coolant accident (LOCA) and a rod ejection accident (REA) (Ref. 1). A main steam line break inside containment is not evaluated as the dose consequences are bounded by a steam line break outside containment.

In the analyses for a design basis LOCA or REA, it is assumed that containment isolation valves are either closed or function to close within the required isolation time following event initiation. This ensures that potential paths to the environment through containment isolation valves (including containment purge valves) are minimized. The safety analyses assume that the 42 inch purge valves are closed at event initiation.

The DBA radiological dose analysis, is based on the alternate source term methodology (Ref. 2). Although the analysis assumes the containment is isolated to achieve the design leakage rate, the analysis only specifically models the release from, and isolation of, those valves that provide direct access to the outside atmosphere and which may be open during operation (i.e., vacuum pump suction isolation valves). Due to the timing of fission product releases assumed in the radiological dose analyses (per Reference 2) and the relatively fast operation of the containment isolation valves, the operation of other containment isolation valves, after a DBA, is not specifically modeled. However, the required stroke times for containment isolation valves, required to be closed after a DBA, are specified in the LRM and are conservatively maintained consistent with the guidance of Reference 3. The radiological dose Beaver Valley Units 1 and 2 B 3.6.3 - 2 Revision 0

Containment Isolation Valves B 3.6.3 BASES APPLICABLE SAFETY ANALYSES (continued) analysis conservatively assumes a post DBA containment leakage at the design leakage rate (La) for the first 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and one half the design leakage rate for the next 29 days after the DBA.

The 42 inch containment purge and exhaust valves have not been evaluated to ensure they can be closed automatically in MODES 1, 2, 3, and 4 to mitigate the effects of a DBA inside containment. Therefore, the 42 inch containment purge and exhaust valves are maintained deactivated in the closed position in MODES 1, 2, 3, and 4 to prevent spurious or inadvertent operation of the valves.

The containment isolation valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO Containment isolation valves form a part of the containment boundary.

The containment isolation valves' safety function is related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during a DBA.

The automatic power operated isolation valves are required to have isolation times within limits and to actuate on an automatic isolation signal. The 42-inch purge valves must be maintained deactivated in the closed position. The valves covered by this LCO are listed along with their associated stroke times in the LRM.

The normally closed isolation valves and other passive isolation devices are considered OPERABLE when manual valves are closed, automatic valves are de-activated and secured in their closed position, blind flanges or pipe caps are in place, and closed systems and hydraulic isolator bellows are intact. However, ACTIONS Note 1 and SR 3.6.3.2 and SR 3.6.3.3 contain exceptions to this requirement that allow valves to be open under administrative control. These passive isolation valves/devices are those listed in the LRM.

The containment isolation valve leakage rates are addressed by LCO 3.6.1, "Containment," as Type C testing.

This LCO provides assurance that the containment isolation valves and purge valves will perform their designed safety functions to minimize the loss of reactor coolant inventory and establish the containment boundary during accidents.

Beaver Valley Units 1 and 2 B 3.6.3 - 3 Revision 0

Containment Isolation Valves B 3.6.3 BASES APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the containment isolation valves are not required to be OPERABLE in MODE 5. The requirements for containment isolation valves during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."

ACTIONS The ACTIONS are modified by a Note allowing penetration flow paths, except for 42-inch purge and exhaust valve penetration flow paths, to be unisolated intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the control room.

In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated. Due to the size of the containment purge and exhaust line penetration and the fact that those penetrations exhaust directly from the containment atmosphere to the environment, the penetration flow path containing these valves may not be opened under administrative controls.

A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable containment isolation valve. Complying with the Required Actions may allow for continued operation, and subsequent inoperable containment isolation valves are governed by subsequent Condition entry and application of associated Required Actions.

The term "penetration flow path" utilized in the ACTIONS, refers to flow paths through the containment wall that are isolated by at least one containment isolation valve or equivalent (i.e., a closed system, blind flange, etc.). The term "flow paths" used in the ACTIONS is intended to more accurately address containment penetrations that may have more than one flow path. For example, the RCS letdown penetration has three parallel inside power-operated automatic containment isolation valves and a single series outside power-operated automatic containment isolation valve. This penetration has three normal flow paths associated with it. Each inside power-operated automatic containment isolation valve is in series with the single outside containment isolation valve and constitutes a separate flow path. The ACTIONS specifically require the "affected" flow path to be isolated. The ACTIONS may be applied separately to each flow path in this penetration. In the example of the RCS letdown penetration described above, if one of the three inside containment isolation valves is inoperable, it becomes the "affected" flow path and in accordance with the ACTIONS must be isolated. Isolating the Beaver Valley Units 1 and 2 B 3.6.3 - 4 Revision 0

Containment Isolation Valves B 3.6.3 BASES ACTIONS (continued)

"affected" flow path in this example may be accomplished by closing the inoperable inside containment isolation valve. As the inside and outside containment isolation valves, in this case, are associated with opposite trains, for both the electric power source and the isolation signal, the remaining two flow paths associated with this penetration may remain inservice since the capability to isolate these remaining flow paths, assuming a single active failure, is unaffected. However, if the single outside RCS letdown isolation valve becomes inoperable, the capability to isolate all the flow paths associated with this penetration, assuming a single failure, would no longer exist. Therefore, all flow paths associated with this penetration would be "affected" and the ACTION to isolate the "affected" flow paths would be applicable to all flow paths associated with this penetration.

The ACTIONS are further modified by a third Note, which ensures appropriate remedial actions are taken, if necessary, if the affected systems are rendered inoperable by an inoperable containment isolation valve.

A.1 and A.2 In the event one containment isolation valve in one or more penetration flow paths is inoperable, the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic containment isolation valve, a closed manual valve, a blind flange, and a check valve with flow through the valve secured. For a penetration flow path isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available one to containment. Required Action A.1 must be completed within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is reasonable, considering the time required to isolate the penetration and the relative importance of supporting containment OPERABILITY during MODES 1, 2, 3, and 4.

The use of check valves with flow through the valve secured as an isolation barrier per Required Action A.1 is limited to those check valves used as the inside containment isolation valve for the affected penetration flow path. This limitation ensures that the use of check valves as an isolation barrier is consistent with the requirements of 10 CFR 50, Appendix A, Criterion 55 and 56. When using check valves as the isolation barrier, action must be taken to secure flow through the check valve. The action taken to secure flow may use methods such as (but not limited to) the closure of another valve in the affected penetration flow Beaver Valley Units 1 and 2 B 3.6.3 - 5 Revision 0

Containment Isolation Valves B 3.6.3 BASES ACTIONS (continued) path. The method used to secure flow to the check valve must not be adversely affected by a single active failure.

For affected penetration flow paths that cannot be restored to OPERABLE status within the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time and that have been isolated in accordance with Required Action A.1, the affected penetration flow paths must be verified to be isolated on a periodic basis. This is necessary to ensure that containment penetrations required to be isolated following an accident and no longer capable of being automatically isolated will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation. Rather, it involves verification that those isolation devices outside containment and capable of being mispositioned are in the correct position. The Completion Time of "once per 31 days for isolation devices outside containment" is appropriate considering the fact that the devices are operated under administrative controls and the probability of their misalignment is low. For the isolation devices inside containment, the time period specified as "prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the inaccessibility of the isolation devices and other administrative controls that will ensure that isolation device misalignment is an unlikely possibility.

Condition A has been modified by a Note indicating that this Condition is not applicable to penetration flow paths addressed by Condition C. For penetration flow paths with only one containment isolation valve and a closed system inside containment, Condition C provides the appropriate actions when the single containment isolation valve associated with this type of penetration flow path is inoperable.

Required Action A.2 is modified by two Notes. Note 1 applies to isolation devices located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these devices once they have been verified to be in the proper position, is small.

Beaver Valley Units 1 and 2 B 3.6.3 - 6 Revision 0

Containment Isolation Valves B 3.6.3 BASES ACTIONS (continued)

B.1 With two containment isolation valves in one or more penetration flow paths inoperable, the affected penetration flow path must be isolated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is consistent with the ACTIONS of LCO 3.6.1. In the event the affected penetration is isolated in accordance with Required Action B.1, the affected penetration must be verified to be isolated on a periodic basis per Required Action A.2, which remains in effect. This periodic verification is necessary to assure leak tightness of containment and that penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration flow path is isolated is appropriate considering the fact that the valves are operated under administrative control and the probability of their misalignment is low.

C.1 and C.2 With one or more penetration flow paths with one containment isolation valve inoperable, the inoperable valve flow path must be restored to OPERABLE status or the affected penetration flow path must be isolated.

The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure.

Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration flow path.

Required Action C.1 must be completed within the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time. The specified time period is reasonable considering the relative stability of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of maintaining containment integrity during MODES 1, 2, 3, and 4. In the event the affected penetration flow path is isolated in accordance with Required Action C.1, the affected penetration flow path must be verified to be isolated on a periodic basis. This periodic verification is necessary to assure leak tightness of containment and that containment penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying that each affected penetration flow path is isolated is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low.

Beaver Valley Units 1 and 2 B 3.6.3 - 7 Revision 0

Containment Isolation Valves B 3.6.3 BASES ACTIONS (continued)

Condition C is modified by a Note indicating that this Condition is only applicable to those penetration flow paths with one inoperable containment isolation valve connected to a closed system inside containment. Containment penetrations that credit a closed system for the isolation barrier inside containment are those penetrations that have the inside containment isolation valve identified as a closed system in the LRM. This Note is necessary since this Condition is written to specifically address an inoperable containment isolation valve in those penetration flow paths that use one containment isolation valve connected to a closed system inside containment for the required isolation barriers.

Required Action C.2 is modified by two Notes. Note 1 applies to valves and blind flanges located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these valves, once they have been verified to be in the proper position, is small.

D.1 and D.2 If the Required Actions and associated Completion Times are not met, the plant must be brought to a MODE in which the LCO does not apply.

To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.6.3.1 REQUIREMENTS Each 42-inch containment purge and exhaust valve is required to be verified deactivated in the closed position for valves outside containment and prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days for valves inside containment. This Surveillance is designed to ensure that a gross breach of containment is not caused by an inadvertent or spurious opening of a containment purge or exhaust valve. The operation of the containment purge and exhaust valves has not been evaluated to confirm the ability to close during a LOCA in time to Beaver Valley Units 1 and 2 B 3.6.3 - 8 Revision 29

Containment Isolation Valves B 3.6.3 BASES SURVEILLANCE REQUIREMENTS (continued) limit offsite doses. Therefore, these valves are required to be deactivated in the closed position during MODES 1, 2, 3, and 4. A containment purge or exhaust valve that is deactivated in the closed position must have motive power to the valve operator removed. This can be accomplished by de-energizing the source of electric power or by removing control power to the valve operator. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.3.2 This SR requires verification that each containment isolation manual valve and blind flange located outside containment and not locked, sealed, or otherwise secured and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification that those containment isolation valves outside containment and capable of being mispositioned are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The SR specifies that containment isolation valves that are open under administrative controls are not required to meet the SR during the time the valves are open. This SR does not apply to valves that are locked, sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing.

The Note applies to valves and blind flanges located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, 3 and 4 for ALARA reasons. Therefore, the probability of misalignment of these containment isolation valves, once they have been verified to be in the proper position, is small.

SR 3.6.3.3 This SR requires verification that each containment isolation manual valve and blind flange located inside containment and not locked, sealed, or otherwise secured and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the containment boundary is within design limits. For containment isolation valves inside containment, the Frequency of "prior to entering MODE 4 from MODE 5 if not performed Beaver Valley Units 1 and 2 B 3.6.3 - 9 Revision 29

Containment Isolation Valves B 3.6.3 BASES SURVEILLANCE REQUIREMENTS (continued) within the previous 92 days" is appropriate since these containment isolation valves are operated under administrative controls and the probability of their misalignment is low. The SR specifies that containment isolation valves that are open under administrative controls are not required to meet the SR during the time they are open. This SR does not apply to valves that are locked, sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing.

This Note allows valves and blind flanges located in high radiation areas to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, 3, and 4, for ALARA reasons. Therefore, the probability of misalignment of these containment isolation valves, once they have been verified to be in their proper position, is small.

SR 3.6.3.4 Verifying that the isolation time of each automatic power operated containment isolation valve required to be closed during accident conditions (i.e., Containment Isolation Phase A or B signal) is within limits is required to demonstrate OPERABILITY. The isolation time test ensures that each valve required to automatically isolate on a Containment Isolation Phase A or B signal will isolate in a time period consistent with the assumptions of the safety analyses. The required isolation times are specified in the LRM. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.

SR 3.6.3.5 Automatic power operated containment isolation valves required to be closed during accident conditions close on a Phase A or Phase B containment isolation signal to prevent leakage of radioactive material from containment following a DBA. This SR ensures that each automatic power operated containment isolation valve required to be closed during accident conditions will actuate to its isolation position on a Phase A or Phase B containment isolation signal. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.6.3 - 10 Revision 34

Containment Isolation Valves B 3.6.3 BASES REFERENCES 1. UFSAR, Chapter 14 (Unit 1), and UFSAR, Chapter 15 (Unit 2).

2. Regulatory Guide 1.183, July 2000.

3. Standard Review Plan 6.2.4.

Beaver Valley Units 1 and 2 B 3.6.3 -11 Revision 29

Containment Pressure B 3.6.4 B 3.6 CONTAINMENT SYSTEMS B 3.6.4 Containment Pressure BASES BACKGROUND The containment pressure is limited during normal operation to preserve the initial conditions assumed in the accident analyses for a loss of coolant accident (LOCA) or steam line break (SLB). These limits also prevent the containment pressure from exceeding the containment design negative pressure differential with respect to the outside atmosphere in the event of inadvertent actuation of the Quench Spray System. In addition, the lower containment pressure limit provides assurance that sufficient net positive suction head exists for the pumps taking suction from the containment sump during the recirculation phase of operation after a LOCA.

Containment pressure is a process variable that is monitored and controlled. The containment pressure limits are derived from the input conditions used in the containment functional analyses and the containment structure external pressure analysis. Should operation occur outside these limits coincident with a Design Basis Accident (DBA), post accident containment pressures could exceed calculated values.

APPLICABLE Containment internal pressure is an initial condition used in the DBA SAFETY analyses to establish the maximum peak containment internal pressure.

ANALYSES The limiting DBAs considered, relative to containment pressure, are the LOCA and SLB, which are analyzed using computer codes. The worst case LOCA results in a higher containment pressure than the worst case SLB. Thus, the LOCA event bounds the SLB event from the containment peak pressure standpoint (Ref. 1).

The initial pressure assumed in the containment analysis was 14.2 psia.

This resulted in a maximum peak pressure from a LOCA of 43.1 psig (Unit 1) and 44.8 psig (Unit 2). The containment analysis (Ref. 1) shows that the maximum peak calculated containment pressure, Pa, results from the limiting LOCA. The maximum containment pressure resulting from the worst case LOCA, 43.1 psig (Unit 1) and 44.8 psig (Unit 2), does not exceed the containment design pressure, 45 psig.

The containment was also designed for an internal pressure of 8.0 psia.

The inadvertent actuation of the Quench Spray System was evaluated to determine the resulting reduction in containment pressure. The initial pressure condition used in this evaluation was 12.8 psia. This resulted in a minimum pressure inside containment of 11.38 psia, which is within the containment design capability.

Beaver Valley Units 1 and 2 B 3.6.4 - 1 Revision 6

Containment Pressure B 3.6.4 BASES APPLICABLE SAFETY ANALYSES (continued)

For certain aspects of transient accident analyses, maximizing the calculated containment pressure is not conservative. In particular, the cooling effectiveness of the Emergency Core Cooling System during the core reflood phase of a LOCA analysis increases with increasing containment backpressure. Therefore, for the reflood phase, the containment backpressure is calculated in a manner designed to conservatively minimize, rather than maximize, the containment pressure response in accordance with 10 CFR 50, Appendix K (Ref. 2).

Containment pressure satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO Maintaining containment pressure at less than or equal to the LCO upper pressure limit ensures that, in the event of a DBA, the resultant peak containment accident pressure will remain below the containment design pressure. Maintaining containment pressure at greater than or equal to the LCO lower pressure limit ensures that the containment will not exceed the design negative differential pressure following the inadvertent actuation of the Quench Spray System. Maintaining containment pressure at greater than or equal to the LCO lower pressure limit also ensures that sufficient net positive suction head will be available for the Unit 1 recirculation spray and low head safety injection pumps and the Unit 2 recirculation spray pumps.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. Since maintaining containment pressure within limits is essential to ensure initial conditions assumed in the accident analyses are maintained, the LCO is applicable in MODES 1, 2, 3 and 4.

In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining containment pressure within the limits of the LCO is not required in MODE 5 or 6.

ACTIONS A.1 When containment pressure is not within the limits of the LCO, it must be restored to within these limits within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The Required Action is necessary to return operation to within the bounds of the containment analysis. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is consistent with the ACTIONS of LCO 3.6.1, "Containment," which requires that containment be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

Beaver Valley Units 1 and 2 B 3.6.4 - 2 Revision 0

Containment Pressure B 3.6.4 BASES ACTIONS (continued)

B.1 and B.2 If containment pressure cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.6.4.1 REQUIREMENTS Verifying that containment pressure is within limits ensures that unit operation remains within the limits assumed in the containment analysis.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Chapter 14 (Unit 1), and UFSAR, Section 6.2 (Unit 2).

2. 10 CFR 50, Appendix K.

Beaver Valley Units 1 and 2 B 3.6.4 - 3 Revision 29

Containment Air Temperature B 3.6.5 B 3.6 CONTAINMENT SYSTEMS B 3.6.5 Containment Air Temperature BASES BACKGROUND The containment structure serves to contain radioactive material that may be released from the reactor core following a Design Basis Accident (DBA). The containment average air temperature is limited during normal operation to preserve the initial conditions assumed in the accident analyses for a loss of coolant accident (LOCA) or steam line break (SLB).

The containment average air temperature limits are derived from the input conditions used in the containment functional analyses and the containment structure external pressure analyses. This LCO ensures that initial conditions assumed in the analysis of containment response to a DBA are not violated during unit operations. The total amount of energy to be removed from containment by the Quench and Recirculation Spray systems during post accident conditions is dependent upon the energy released to the containment due to the event. Higher initial temperature results in higher peak containment pressure and temperature. Exceeding containment design pressure may result in leakage greater than that assumed in the accident analysis. Too low a containment temperature would adversely impact the small break LOCA safety analysis assumptions regarding the automatic actuation of Phase B containment isolation on containment high-high pressure. As such, operation with containment temperature outside the LCO limits violates an initial condition assumed in the accident analysis.

APPLICABLE Containment average air temperature is an initial condition used in the SAFETY DBA analyses and is important in establishing environmental qualification ANALYSES (EQ) requirements to assure the required equipment inside containment performs as designed during and after a DBA. The upper limit for containment average air temperature ensures that operation is maintained within the assumptions used in the DBA analyses for containment (Ref. 1). The lower containment temperature limit ensures that Containment Isolation Phase B will be actuated by the Containment Pressure - High High setpoint consistent with the assumptions of the small break LOCA analysis.

The limiting DBAs considered relative to containment OPERABILITY are the LOCA and SLB. The DBA LOCA and SLB are analyzed using computer codes designed to predict the resultant containment pressure transients. No two DBAs are assumed to occur simultaneously or consecutively. The SLB resulted in the maximum calculated peak containment temperature and containment liner temperature. The Unit 1 SLB that resulted in the peak containment temperature occurred at Beaver Valley Units 1 and 2 B 3.6.5 - 1 Revision 0

Containment Air Temperature B 3.6.5 BASES APPLICABLE SAFETY ANALYSES (continued) 100% RTP, with the worst case single failure of a main steam check valve. The Unit 1 SLB that resulted in the peak containment liner temperature occurred at 30% RTP, with the worst case single failure of a main steam check valve. The Unit 2 SLB that resulted in the peak containment temperature occurred at 100% RTP, with the worst case single failure of a main steam isolation valve. The Unit 2 SLB that resulted in the peak containment liner temperature occurred at 0% RTP, with the worst case single failure of a main steam isolation valve.

The initial upper containment average air temperature assumed in the design basis analyses (Ref. 1) is 108F. This resulted in a maximum containment air temperature of 355.9F (for Unit 1) and 345.6F (for Unit 2) and a maximum containment liner temperature of 257.9F (for Unit 1) and 249.4F (for Unit 2). The design temperature of the containment liner is 280F.

The containment air temperatures resulting from DBAs are used to establish EQ requirements (Ref. 2) for equipment inside containment.

The EQ requirements provide assurance the equipment inside containment required to function during and after a DBA performs as designed during the adverse environmental conditions resulting from a DBA. Air temperature profiles (containment air temperature vs time) are calculated for each DBA to establish EQ design requirements for the equipment inside containment. The equipment inside containment required to function during and after a DBA is confirmed to be capable of performing its design function under the applicable EQ requirement (i.e.,

air temperature profile). Maintaining the initial containment air temperature within the required limits preserves the initial conditions assumed in the accident analyses which limits the containment air temperature and pressure resulting from various DBAs. Limiting the containment air temperature and pressure that result from various DBAs ensures the equipment inside containment will continue to perform as designed during and after a DBA. Therefore, it is concluded that the calculated transient containment air temperature resulting from various DBAs, including the most limiting temperature from a SLB, are acceptable.

The upper temperature limit is also used in the depressurization evaluation to ensure that the minimum pressure limit is maintained following an inadvertent actuation of the Quench Spray System (Ref. 3).

The containment pressure transient is sensitive to the initial air mass in containment and, therefore, to the initial containment air temperature.

The limiting DBA for establishing the maximum peak containment internal Beaver Valley Units 1 and 2 B 3.6.5 - 2 Revision 16

Containment Air Temperature B 3.6.5 BASES APPLICABLE SAFETY ANALYSES (continued) pressure is a LOCA. The temperature limit is used in this analysis to ensure that in the event of an accident the design containment internal pressure will not be exceeded.

Containment average air temperature satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO During a DBA, with an initial containment average air temperature within the LCO temperature limits, the resultant accident temperature profile assures that the containment structural temperature is maintained below its design temperature and that required safety related equipment will continue to perform their function.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining containment average air temperature within the limit is not required in MODE 5 or 6.

ACTIONS A.1 When containment average air temperature is not within the limits of the LCO, it must be restored to within limits within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . This Required Action is necessary to return operation to within the bounds of the containment analysis. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time is acceptable considering the sensitivity of the analysis to variations in this parameter and provides sufficient time to correct minor problems.

B.1 and B.2 If the containment average air temperature cannot be restored to within its limit within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

Beaver Valley Units 1 and 2 B 3.6.5 - 3 Revision 6

Containment Air Temperature B 3.6.5 BASES SURVEILLANCE SR 3.6.5.1 REQUIREMENTS Verifying that containment average air temperature is within the LCO limits ensures that containment operation remains within the limit assumed for the containment analyses. In order to determine the containment average air temperature, an arithmetic average is calculated using measurements taken at locations within the containment selected to provide a representative sample of the overall containment atmosphere.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Chapter 14 (Unit 1), and UFSAR, Section 6.2 (Unit 2).

2. 10 CFR 50.49.

3. UFSAR, Section 5.2 (Unit 1) and UFSAR, Section 6.2 (Unit 2).

Beaver Valley Units 1 and 2 B 3.6.5 - 4 Revision 29

QS System B 3.6.6 B 3.6 CONTAINMENT SYSTEMS B 3.6.6 Quench Spray (QS) System BASES BACKGROUND The QS System is designed to provide containment atmosphere cooling to limit post accident pressure and temperature in containment to less than the design values. The QS System, operating in conjunction with the Recirculation Spray (RS) System, is designed to cool and depressurize the containment structure to less than 50% of the peak calculated containment pressure within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months following a Design Basis Accident (DBA). Reduction of containment pressure and the iodine removal capability of the spray limit the release of fission product radioactivity from containment to the environment in the event of a DBA.

The QS System consists of two separate trains of adequate capacity, each capable of meeting the design bases. Each train includes a spray pump, spray headers, nozzles, valves, and piping. The two Unit 2 containment spray ring headers are shared by both QS System trains.

Each train is powered from a separate Engineered Safety Features (ESF) bus. The refueling water storage tank (RWST) supplies borated water to the QS System.

The QS System is actuated either automatically by a Containment High-High pressure signal or manually. The QS System provides a spray of cold borated water into the upper regions of containment to reduce the containment pressure and temperature during a DBA. Each train of the QS System provides adequate spray coverage to meet the system design requirements for containment heat and iodine fission product removal.

The Unit 1 QS System also provides flow to the containment sump to improve the net positive suction head available to the RS System pumps.

The Containment Sump pH Control System provides sodium tetraborate (NaTB) to the containment sump. The NaTB added to the containment sump water ensures an alkaline pH for the solution recirculated in the containment sump. Control of the containment sump water pH minimizes the evolution of iodine and minimizes the occurrence of chloride and caustic stress corrosion on mechanical systems and components exposed to the fluid.

The QS System is a containment ESF system. It is designed to ensure that the heat removal capability required during the post accident period can be attained. Operation of the QS System and RS System provides the required heat removal capability to limit post accident conditions to Beaver Valley Units 1 and 2 B 3.6.6 - 1 Revision 20

QS System B 3.6.6 BASES BACKGROUND (continued) less than the containment design values and depressurize the containment structure to less than 50% of the peak calculated containment pressure within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months following a DBA.

The QS and RS Systems limit the temperature and pressure that could be expected following a DBA and ensures that containment leakage is maintained consistent with the accident analysis.

APPLICABLE The limiting DBAs considered are the loss of coolant accident (LOCA)

SAFETY and the steam line break (SLB). The LOCA and SLB are analyzed using ANALYSES computer codes designed to predict the resultant containment pressure and temperature transients. No DBAs are assumed to occur simultaneously or consecutively. The postulated DBAs are analyzed, with respect to the worst case single active failure. The appropriate single failure is assumed in the safety analysis. However, the maximum calculated peak containment pressure results from a LOCA postulated to occur in the RCS hot leg. The calculated peak containment pressure from this location occurs during the blowdown phase, prior to the actuation of any safety related equipment, consequently there is no single failure assumed in this analysis. The SLB resulted in the maximum calculated peak containment temperature and containment liner temperature. The Unit 1 SLB that resulted in the peak containment temperature occurred at 100% RTP, with the worst case single failure of a main steam check valve. The Unit 1 SLB that resulted in the peak containment liner temperature occurred at 30% RTP, with the worst case single failure of a main steam check valve. The Unit 2 SLB that resulted in the peak containment temperature occurred at 100% RTP and peak containment liner temperature occurred at 0% RTP, with the worst case single failure of a main steam isolation valve.

During normal operation, the containment internal pressure is maintained within the limits of LCO 3.6.4, "Containment Pressure." Maintaining containment pressure within the required limits during operation ensures the capability to depressurize the containment to less than 50% of the peak calculated containment pressure within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after a DBA.

The DBA analyses (Ref. 1) show that the maximum peak containment pressure of 43.1 psig (Unit 1) and 44.8 psig (Unit 2) results from the LOCA analysis and is calculated to be less than the containment design pressure. The maximum peak containment atmosphere temperature of 355.9F (Unit 1) and 345.6F (Unit 2) and the maximum containment liner temperature of 257.9F (Unit 1) and 249.4F (Unit 2) results from the SLB analysis. The containment liner design temperature is 280F. The containment air temperatures resulting from DBAs are used to establish Beaver Valley Units 1 and 2 B 3.6.6 - 2 Revision 16

QS System B 3.6.6 BASES APPLICABLE SAFETY ANALYSES (continued)

EQ requirements (Ref. 2) for equipment inside containment. The EQ requirements provide assurance the equipment inside containment required to function during and after a DBA performs as designed during the adverse environmental conditions resulting from a DBA. Air temperature profiles (containment air temperature vs time) are calculated for each DBA to establish EQ design requirements for the equipment inside containment. The equipment inside containment required to function during and after a DBA is confirmed to be capable of performing its design function under the applicable EQ requirement (i.e., air temperature profile). Therefore, it is concluded that the calculated transient containment atmosphere temperatures resulting from various DBAs, including the most limiting temperature from a SLB, are acceptable.

The modeled QS System actuation from the containment analysis is based upon a response time associated with exceeding the Containment High-High pressure signal setpoint to achieving full flow through the quench spray nozzles. A delayed response time initiation provides conservative analyses of peak calculated containment temperature and pressure responses. The QS System total response time is specified in the Licensing Requirements Manual (LRM) and includes the signal delay, diesel generator startup time, and system startup time.

For certain aspects of accident analyses, maximizing the calculated containment pressure is not conservative. In particular, the cooling effectiveness of the Emergency Core Cooling System during the core reflood phase of a LOCA analysis increases with increasing containment backpressure. For these calculations, the containment backpressure is calculated in a manner designed to conservatively minimize, rather than maximize, the calculated transient containment pressures in accordance with 10 CFR 50, Appendix K (Ref. 3).

Inadvertent actuation of the QS System is also evaluated, and the resultant reduction in containment pressure is calculated. The maximum calculated reduction in containment pressure does not reduce containment pressure below the minimum containment design pressure of 8.0 psia.

The QS System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Beaver Valley Units 1 and 2 B 3.6.6 - 3 Revision 0

QS System B 3.6.6 BASES LCO During a DBA, one train of the QS System is required to provide the heat removal capability assumed in the safety analyses for containment. To ensure that requirements for heat removal are met, two QS System trains must be OPERABLE with power from two safety related, independent power supplies. Therefore, in the event of an accident, at least one train in each system will operate, assuming that the worst case single active failure occurs.

Each QS System includes a spray pump, spray headers, nozzles, valves, piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the RWST.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment and an increase in containment pressure and temperature requiring the operation of the QS System.

In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Thus, the QS System is not required to be OPERABLE in MODE 5 or 6.

ACTIONS A.1 If one QS train is inoperable, it must be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The components in this degraded condition are capable of providing 100% of the heat removal needs after an accident. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time was developed taking into account the redundant heat removal capabilities afforded by the OPERABLE train and the low probability of a DBA occurring during this period.

B.1 and B.2 If the Required Action and associated Completion Time are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

Beaver Valley Units 1 and 2 B 3.6.6 - 4 Revision 20

QS System B 3.6.6 BASES SURVEILLANCE SR 3.6.6.1 REQUIREMENTS Verifying the correct alignment of manual, power operated, and automatic valves, excluding check valves, in the QS System provides assurance that the proper flow path exists for QS System operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they were verified to be in the correct position prior to being secured. This SR does not require any testing or valve manipulation. Rather, it involves verification that those valves outside containment and capable of potentially being mispositioned are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.6.2 Verifying that each QS System pumps developed head at the flow test point is greater than or equal to the required developed head ensures that QS System pump performance has not degraded during the cycle. The term "required developed head" refers to the value that is assumed in the Containment Integrity Safety Analysis for the QS pumps developed head at a specific flow point. This value for the required developed head at a flow point is defined as the Minimum Operating Point (MOP) in the INSERVICE TESTING PROGRAM. The verification that the pumps developed head at the flow test point is greater than or equal to the required developed head is performed by using a MOP curve. The MOP curve is contained in the INSERVICE TESTING PROGRAM and was developed using the required developed head at a specific flow point as a reference point. From the reference point, a curve was drawn which is a constant percentage below the current pump performance curve. Based on the MOP curve, a verification is performed to ensure that the pumps developed head at the flow test point is greater than or equal to the required developed head. Flow and differential head are normal test parameters of centrifugal pump performance required by the ASME Code (Ref. 4). Since the QS System pumps cannot be tested with flow through the spray headers, they are tested on bypass flow. This test confirms one point on the pump design curve and is indicative of overall performance.

Such inservice tests confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.

Beaver Valley Units 1 and 2 B 3.6.6 - 5 Revision 34

QS System B 3.6.6 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.6.6.3 and SR 3.6.6.4 These SRs ensure that each QS automatic valve actuates to its correct position and each QS pump starts upon receipt of an actual or simulated containment spray actuation signal. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.6.5 This SR is performed following maintenance when the potential for nozzle blockage has been determined to exist by an engineering evaluation.

The required evaluation will also specify an appropriate test method for determining the spray header OPERABILITY. This SR ensures that each spray nozzle is unobstructed and that spray coverage of the containment during an accident is not degraded. Due to the passive nature of the design of the nozzle, a test following maintenance that results in the potential for nozzle blockage is considered adequate to detect obstruction of the nozzles.

REFERENCES 1. UFSAR, Chapter 14 (Unit 1), and UFSAR, Section 6.2 (Unit 2).

2. 10 CFR 50.49.

3. 10 CFR 50, Appendix K.

4. ASME code for Operation and Maintenance of Nuclear Power Plants.

Beaver Valley Units 1 and 2 B 3.6.6 - 6 Revision 29

RS System B 3.6.7 B 3.6 CONTAINMENT SYSTEMS B 3.6.7 Recirculation Spray (RS) System BASES BACKGROUND The RS System, operating in conjunction with the Quench Spray (QS)

System, is designed to limit the post accident pressure and temperature in the containment to less than the design values and to depressurize the containment structure to less than 50% of the peak calculated containment pressure within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months following a Design Basis Accident (DBA). The reduction of containment pressure and the removal of iodine from the containment atmosphere by the spray limit the release of fission product radioactivity from containment to the environment in the event of a DBA.

The RS System consists of two separate trains of adequate capacity, each capable of meeting the design and accident analysis bases.

Unit 1 The Unit 1 Recirculation Spray System consists of four 50 percent capacity subsystems (2 per train). Each subsystem is composed of a spray pump, associated heat exchanger and flow path. Two of the recirculation spray pumps are located outside containment (RS-P-2A and RS-P-2B) and two pumps are located inside containment (RS-P-1A and RS-P-1B). The flow path from each pump is piped to an individual 180° recirculation spray header inside containment. Train "A" electrical power and river water is supplied to the subsystems containing recirculation spray pumps RS-P-1A and RS-P-2A. Train "B" electrical power and river water is supplied to the subsystems containing recirculation spray pumps RS-P-1B and RS-P-2B.

Unit 2 The Unit 2 Recirculation Spray System consists of four 50 percent capacity subsystems (2 per train). Each subsystem is composed of a spray pump, associated heat exchanger and flow path. All recirculation spray pumps are located outside containment and supply flow to two 360° recirculation spray ring headers located in containment. One spray ring is supplied by the "A" train subsystem containing recirculation spray pump 2RSS-P21A and the "B" train subsystem containing recirculation spray pump 2RSS-P21D with the other spray ring being supplied by the "A" train subsystem containing recirculation spray pump 2RSS-P21C and the "B" train subsystem containing recirculation spray pump 2RSS-P21B.

When the water in the refueling water storage tank has reached a predetermined Level Extreme Low setpoint, the C and D subsystems are automatically switched to the cold leg recirculation mode of Emergency Core Cooling System (ECCS) operation.

Beaver Valley Units 1 and 2 B 3.6.7 - 1 Revision 3

RS System B 3.6.7 BASES BACKGROUND (continued)

Each train of the RS System provides adequate spray coverage to meet the system design requirements for containment heat and iodine fission product removal.

The RS System provides a spray of subcooled water into the upper regions of containment to reduce the containment pressure and temperature during a DBA. At Unit 1, upon receipt of a coincident High High Containment Pressure signal (Containment Isolation Phase B (CIB))

and a RWST Level Low signal, the Unit 1 RS-P-1A and RS-P-1B pumps immediately start. The Unit 1 RS-P-2A and RS-P-2B pumps start after a 15 +/- 3 second time delay for emergency generator loading considerations. At Unit 2, upon receipt of a High-High Containment Pressure signal (Containment Isolation Phase B (CIB)) coincident with an RWST Level Low, all the Unit 2 RS pumps start immediately following receipt of the actuations signal. The RS pumps take suction from the containment sump and discharge through their respective spray coolers to the spray headers and into the containment atmosphere. Heat is transferred from the containment sump water to river/service water in the spray coolers.

The Containment Sump pH Control System provides sodium tetraborate to the containment sump. The sodium tetraborate added to the containment sump ensures an alkaline pH for the solution recirculated in the containment sump. The resulting alkaline pH of the RS spray (pumped from the sump) enhances the ability of the spray to scavenge iodine fission products from the containment atmosphere. Control of the containment sump water pH minimizes the evolution of iodine and minimizes the occurrence of chloride and caustic stress corrosion on mechanical systems and components exposed to the fluid.

The RS System is a containment ESF system. It is designed to ensure that the heat removal capability required during the post accident period can be attained. Operation of the QS and RS systems provides the required heat removal capability to limit post accident conditions to less than the containment design values and depressurize the containment structure to less than 50% of the peak calculated containment pressure within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months following a DBA.

The RS System limits the temperature and pressure that could be expected following a DBA and ensures that containment leakage is maintained consistent with the accident analysis.

Beaver Valley Units 1 and 2 B 3.6.7 - 2 Revision 20

RS System B 3.6.7 BASES APPLICABLE The limiting DBAs considered are the loss of coolant accident (LOCA)

SAFETY and the steam line break (SLB). The LOCA and SLB are analyzed using ANALYSES computer codes designed to predict the resultant containment pressure and temperature transients; DBAs are assumed not to occur simultaneously or consecutively. The postulated DBAs are analyzed assuming the worst case single active failure. The appropriate single failure is assumed in the safety analysis. However, the maximum calculated peak containment pressure results from a LOCA postulated to occur in the RCS hot leg. The calculated peak containment pressure from this location occurs during the blowdown phase, prior to the actuation of any safety related equipment, consequently there is no single failure assumed in this analysis. The SLB resulted in the maximum calculated peak containment temperature and containment liner temperature. The Unit 1 SLB that resulted in the peak containment temperature occurred at 100% RTP, with the worst case single failure of a main steam check valve. The Unit 1 SLB that resulted in the peak containment liner temperature occurred at 30% RTP, with the worst case single failure of a main steam check valve. The Unit 2 SLB that resulted in the peak containment temperature occurred at 100% RTP, with the worst case single failure of a main steam isolation valve (Ref. 1). The Unit 2 SLB that resulted in the peak containment liner temperature occurred at 0% RTP, with the worst case single failure of a main steam isolation valve (Ref. 1).

The peak containment pressure following a high energy line break is affected by the initial total pressure and temperature of the containment atmosphere. Maximizing the initial containment total pressure and average atmospheric temperature maximizes the calculated peak pressure.

During normal operation, the containment internal pressure is maintained within the limits of LCO 3.6.4, "Containment Pressure." Maintaining containment pressure within the required limits during operation ensures the capability to depressurize the containment to less than 50% of the peak calculated containment pressure within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after a DBA. This capability and the variation of containment pressure are functions of river/service water temperature, RWST water temperature, and the containment air temperature.

The DBA analyses show that the maximum peak containment pressure of 43.1 psig (Unit 1) and 44.8 psig (Unit 2) results from the LOCA analysis and is calculated to be less than the containment design pressure. The maximum containment atmosphere temperature of 355.9F (Unit 1) and 346.6F (Unit 2) and the maximum containment liner temperature of 257.9F (Unit 1) and 249.4F (Unit 2) result from the SLB analysis. The containment liner design temperature is 280F. The containment air temperatures resulting from DBAs are used to establish equipment qualification (EQ) requirements (Ref. 2) for equipment inside containment.

Beaver Valley Units 1 and 2 B 3.6.7 - 3 Revision 16

RS System B 3.6.7 BASES APPLICABLE SAFETY ANALYSES (continued)

The EQ requirements provide assurance the equipment inside containment required to function during and after a DBA performs as designed during the adverse environmental conditions resulting from a DBA. Air temperature profiles (containment air temperature vs time) are calculated for each DBA to establish EQ design requirements for the equipment inside containment. The equipment inside containment required to function during and after a DBA is confirmed to be capable of performing its design function under the applicable EQ requirement (i.e.,

air temperature profile). Therefore, it is concluded that the calculated transient containment atmosphere temperatures resulting from various DBAs, including the most limiting temperature from a SLB, are acceptable. The RS System is not credited in the SLB containment analysis.

The RS System actuation model from the containment analysis is based upon a response time between receipt of the RWST Level Low signal in coincidence with the Containment Pressure High High to achieving full flow through the RS System spray nozzles. A delay in response time initiation provides conservative analyses of peak calculated containment temperature and pressure. The RS System maximum time from coincidence of Containment Pressure High High and RWST Level Low to the start of effective RS spray is 65 seconds for Unit 1 and 77 seconds for Unit 2.

In the case of the Unit 2 RS System, the containment safety analysis models the operation of the system consistent with the system design.

The Unit 2 analysis models the RS subsystems starting in the spray mode of operation. When the unit is shifted to the ECCS recirculation mode of operation the containment analysis models a reduction in recirculation spray flow to account for the Unit 2 RS subsystems used for the ECCS low head recirculation function.

For certain aspects of accident analyses, maximizing the calculated containment pressure is not conservative. In particular, the cooling effectiveness of the Emergency Core Cooling System during the core reflood phase of a LOCA analysis increases with increasing containment backpressure. For these calculations, the containment backpressure is calculated in a manner designed to conservatively minimize, rather than maximize, the calculated transient containment pressures in accordance with 10 CFR 50, Appendix K (Ref. 3).

The RS System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Beaver Valley Units 1 and 2 B 3.6.7 - 4 Revision 6

RS System B 3.6.7 BASES LCO During a DBA, one train (two subsystems) of the RS System is required to provide the minimum heat removal capability assumed in the safety analysis. To ensure that this requirement is met, four RS subsystems must be OPERABLE. This will ensure that at least one train will operate assuming the worst case single failure occurs.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause an increase in containment pressure and temperature requiring the operation of the RS System.

In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Thus, the RS System is not required to be OPERABLE in MODE 5 or 6.

ACTIONS The ACTIONS are modified by a Note that is only applicable to Unit 2.

The Note states that in addition to the applicable Required Actions of LCO 3.6.7, "RS System," the Conditions and Required Actions of LCO 3.5.2, "ECCS Operating," or LCO 3.5.3, "ECCS Shutdown," may also be applicable when subsystem(s) containing RS pumps 2RSS-P21C or 2RSS-P21D are inoperable. The Note is provided to identify the relationship of these RS subsystems to the Unit 2 ECCS design.

Although the affected subsystems are identified as part of the RS System, they also provide an ECCS safety function (low head recirculation).

Therefore, depending on the inoperable condition of these Unit 2 RS subsystems the Actions of one or both of the affected LCOs (RS System and ECCS) may be applicable.

A.1 This Required Action is only applicable to Unit 1. With one of the RS subsystems inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. The components in this degraded condition are capable of providing more than 100% of the heat removal needs (i.e., three of the four RS subsystems remain OPERABLE) after an accident. The 7 day Completion Time was developed taking into account the redundant heat removal capabilities afforded by combinations of the RS and QS systems and the low probability of a DBA occurring during this period.

The Action Condition is modified by a Note that identifies the Action as only applicable to Unit 1.

Beaver Valley Units 1 and 2 B 3.6.7 - 5 Revision 0

RS System B 3.6.7 BASES ACTIONS (continued)

B.1 This Required Action is only applicable to Unit 1. With two of the required RS subsystems inoperable in the one train, at least one of the inoperable RS subsystems must be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

The components in this degraded condition are capable of providing 100% of the heat removal needs after an accident. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time was developed taking into account the redundant heat removal capability afforded by the OPERABLE subsystems, a reasonable amount of time for repairs, and the low probability of a DBA occurring during this period.

The Action Condition is modified by a Note that identifies the Action as only applicable to Unit 1.

C.1 This Required Action is only applicable to Unit 2. With a single RS subsystem inoperable or two subsystems inoperable in the same train, the inoperable subsystem(s) must be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The remaining OPERABLE subsystems in this degraded condition are capable of providing 100% of the required heat removal and ECCS low head recirculation functions after an accident. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time was developed taking into account the redundant capability afforded by the remaining OPERABLE subsystems, a reasonable amount of time for repairs, and the low probability of a DBA occurring during this period.

The Action Condition is modified by a Note that identifies the Action as only applicable to Unit 2.

D.1 and D.2 If the inoperable RS subsystem(s) cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months . The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

The extended interval to reach MODE 5 allows additional time and is reasonable considering that the driving force for a release of radioactive material from the Reactor Coolant System is reduced in MODE 3.

Beaver Valley Units 1 and 2 B 3.6.7 - 6 Revision 0

RS System B 3.6.7 BASES ACTIONS (continued)

E.1 With three or more RS subsystems inoperable, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE SR 3.6.7.1 REQUIREMENTS Verifying the correct alignment of manual, power operated, and automatic valves, excluding check valves, in the RS System provides assurance that the proper flow path exists for operation of the RS System. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified as being in the correct position prior to being secured. This SR does not require any testing or valve manipulation. Rather, it involves verification that those valves outside containment and capable of potentially being mispositioned are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.7.2 Verifying that each RS System pumps developed head at the flow test point is greater than or equal to the required developed head ensures that RS System pump performance has not degraded during the cycle. The term "required developed head" refers to the value that is assumed in the Containment Integrity Safety Analysis for the RS pumps developed head at a specific flow point. This value for the required developed head at a flow point is defined as the Minimum Operating Point (MOP) in the INSERVICE TESTING PROGRAM. The verification that the pumps developed head at the flow test point is greater than or equal to the required developed head is performed by using a MOP curve. The MOP curve is contained in the INSERVICE TESTING PROGRAM and was developed using the required developed head at a specific flow point as a reference point. From the reference point, a curve was drawn which is a constant percentage below the current pump performance curve. Based on the MOP curve, a verification is performed to ensure that the pumps developed head at the flow test point is greater than or equal to the required developed head. Flow and differential head are normal test parameters of centrifugal pump performance required by the ASME Code (Ref. 4). Since the RS System pumps cannot be tested with flow through the spray headers, they are tested on bypass flow. This test confirms one point on the pump design curve and is indicative of overall performance.

Such inservice tests confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance.

Beaver Valley Units 1 and 2 B 3.6.7 - 7 Revision 34

RS System B 3.6.7 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.6.7.3 These SRs ensure that each automatic valve actuates and that the RS System pumps start upon receipt of an actual or simulated coincident with a Containment Pressure High High/RWST Level Low signal. However, the Unit 1 RS-P-2A and RS-P-2B pumps start after an additional delay of 15 +/- 3 seconds for emergency diesel generator loading considerations.

The start delay time is also verified for the RS System pumps.

For the RS function of the Containment Spray System, this Surveillance includes a verification of the associated required slave relay operation.

Recirculation Spray - Automatic Actuation, Function 2.b.1 in LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation,"

does not include a requirement to perform a SLAVE RELAY TEST due to equipment safety concerns if such a test was performed at power.

Therefore, verification of the required slave relay OPERABILITY for the Recirculation Spray-Automatic Actuation, Function 2.b.1 in LCO 3.3.2 is included in this Surveillance.

This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.7.4 This SR is performed following maintenance when the potential for nozzle blockage has been determined to exist by an engineering evaluation.

The required evaluation will also specify an appropriate test method for determining the spray ring OPERABILITY. Due to the passive design of the spray rings and their normally dry state, a test following maintenance that results in the potential for nozzle blockage is considered adequate for detecting obstruction of the nozzles.

Beaver Valley Units 1 and 2 B 3.6.7 - 8 Revision 29

RS System B 3.6.7 BASES REFERENCES 1. UFSAR, Chapter 14 (Unit 1), and UFSAR, Section 6.2 (Unit 2).

2. 10 CFR 50.49.

3. 10 CFR 50, Appendix K.

4. ASME code for Operation and Maintenance of Nuclear Power Plants.

Beaver Valley Units 1 and 2 B 3.6.7 - 9 Revision 3

Containment Sump pH Control System B 3.6.8 B 3.6 CONTAINMENT SYSTEMS B 3.6.8 Containment Sump pH Control System BASES BACKGROUND The Containment Sump pH Control System is a passive system consisting of six baskets of sodium tetraborate (NaTB) that assist in reducing the iodine fission product inventory in the containment atmosphere resulting from a Design Basis Accident (DBA) (Refs. 1 and 2).

Radioiodine in its various forms is the fission product of primary concern in the evaluation of a DBA. It is absorbed by the spray from the containment atmosphere. To enhance the iodine absorption capacity of the spray during recirculation from the sump, the spray solution is adjusted to an alkaline pH that promotes iodine hydrolysis, in which iodine is converted to nonvolatile forms.

The NaTB is stored in baskets in the containment. The initial quench spray is acidic since it is a boric acid solution from the Refueling Water Storage Tank (RWST). As the initial spray solution, and subsequently the recirculation solution, comes in contact with the NaTB, the NaTB dissolves, raising the pH of the sump solution. The final pH of the containment sump water after a DBA is alkaline. Control of the containment sump water pH minimizes the evolution of iodine as well as the occurrence of chloride and caustic stress corrosion on mechanical systems and components exposed to the fluid.

Beaver Valley Units 1 and 2 B 3.6.8 - 1 Revision 20

Containment Sump pH Control System B 3.6.8 BASES APPLICABLE The Containment Sump pH Control System is essential to the removal of SAFETY airborne iodine within containment following a DBA (Refs. 3 and 4).

ANALYSES Quench spray consists of a boric acid solution with a spray pH as low as 4.6. As indicated in Standard Review Plan (SRP), Section 6.5.2, Rev 2, Containment Spray as A Fission Product Cleanup System, fresh sprays (i.e., sprays with no dissolved iodine) are effective at scrubbing elemental iodine and thus a spray additive is unnecessary during the initial injection phase when the spray solution is being drawn from the RWST. As described in the SRP, research has shown that elemental iodine can be scrubbed from the atmosphere with borated water, even at low pH.

Since long-term use of a plain boric acid spray could increase the potential for elemental iodine re-evolution during the recirculation phase of the LOCA, the equilibrium sump solution pH is increased by adding NaTB. Regulatory Guide 1.183 guidance indicates that if the sump water pH is 7 or greater, then a licensee does not need to evaluate re-evolution of iodines for dose consequences. In accordance with the current licensing basis, the dose analysis need not address iodine re-evolution if the sump water pH of 7 or greater is achieved well within 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months after the LOCA and is maintained for the duration of the accident. The Containment Sump pH Control System provides a passive safeguard with six baskets of NaTB located in the containment. The basket contents dissolve as the sump fills, raising pH to the required value and maintaining it at or above that value throughout the accident.

The Containment Sump pH Control System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The Containment Sump pH Control System is necessary to reduce the release of radioactive material to the environment in the event of a DBA.

To be considered OPERABLE, the six sodium tetraborate storage baskets must be in place and intact (i.e., having no relevant component removed, destroyed or damaged such that the basket cannot perform its function), collectively contain 188 cubic feet of sodium tetraborate (Unit 1) and 292 cubic feet of sodium tetraborate (Unit 2) and be capable of providing the required pH adjustment.

Beaver Valley Units 1 and 2 B 3.6.8 - 2 Revision 20

Containment Sump pH Control System B 3.6.8 BASES APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment requiring the operation of the Containment Sump pH Control System. The Containment Sump pH Control System assists in reducing the iodine fission product inventory prior to release to the environment.

In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Thus, the Containment Sump pH Control System is not required to be OPERABLE in MODE 5 or 6.

ACTIONS A.1 If the Containment Sump pH Control System is inoperable, it must be restored to OPERABLE within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The pH adjustment of the recirculation spray solution for corrosion protection and iodine removal is reduced in this condition. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account that the condition which caused the inoperable system would most likely allow this passive system to continue to provide some capability for pH adjustment and iodine removal, the Containment Spray System would still be available and would remove some iodine from the containment atmosphere in the event of a DBA, and the low probability of the worst case DBA occurring during this period.

B.1 and B.2 If the Containment Sump pH Control System cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months . The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. The extended interval to reach MODE 5 allows 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months for restoration of the Containment Sump pH Control System in MODE 3 and 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months to reach MODE 5. This is reasonable when considering the reduced pressure and temperature conditions in MODE 3 for the release of radioactive material from the Reactor Coolant System.

Beaver Valley Units 1 and 2 B 3.6.8 - 3 Revision 20

Containment Sump pH Control System B 3.6.8 BASES SURVEILLANCE SR 3.6.8.1 REQUIREMENTS This SR provides visual verification that the six sodium tetraborate storage baskets are in place and intact and collectively contain 188 cubic feet of sodium tetraborate (Unit 1) and 292 cubic feet of sodium tetraborate (Unit 2). This amount of NaTB is sufficient to ensure that the recirculation solution following a LOCA is at the correct pH level. No upper limit for quantity of NaTB is specified because pH values calculated assuming the baskets are filled to capacity demonstrated acceptable pH values. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.8.2 This SR verifies via sampling that the sodium tetraborate contained in the NaTB storage baskets provides the minimum required buffering ability for containment sump borated water. The maximum required buffering ability of the NaTB contained in the storage baskets is not required to be verified because the pH values calculated assuming the baskets are filled to capacity with high density NaTB under minimum boric acid conditions demonstrated acceptable pH values. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Section 6.4 (Unit 1).

2. UFSAR, Sections 6.2.2 and 6.5 (Unit 2).

3. UFSAR, Chapter 14 (Unit 1).

4. UFSAR, Chapter 15 (Unit 2).

Beaver Valley Units 1 and 2 B 3.6.8 - 4 Revision 29

MSSVs B 3.7.1 B 3.7 PLANT SYSTEMS B 3.7.1 Main Steam Safety Valves (MSSVs)

BASES BACKGROUND The primary purpose of the MSSVs is to provide overpressure protection for the secondary system. The MSSVs also provide protection against overpressurizing the reactor coolant pressure boundary (RCPB) by providing a heat sink for the removal of energy from the Reactor Coolant System (RCS) if the preferred heat sink, provided by the Condenser Circulating Water System and Atmospheric Dump Valves, are not available.

Five MSSVs are located on each main steam header, outside containment, upstream of the main steam isolation valves, as described in UFSAR, Section 10.3.1 (Unit 1) and Section 10.3.2 (Unit 2) (Ref. 1).

The specified valve lift settings and design relieving capacities are in accordance with the requirements of Section III of the ASME Boiler and Pressure Code, 1971 Edition (Unit 1 and Unit 2) and Winter 1972 Addenda (Unit 2). The total design relieving capacity for all valves on all of the steam lines is 12.8 x 106 lbs/hr (Unit 1) and 12.7 x 106 lbs/hr (Unit 2) which is approximately 98% (Unit 1) and 97% (Unit 2) of the total secondary steam flow of 13.1 x 106 lbs/hr at 100% RATED THERMAL POWER. The MSSV design includes staggered setpoints, according to Table 3.7.1-2a (Unit 1) and Table 3.7.1-2b (Unit 2) in the accompanying LCO, so that only the needed valves will actuate. Staggered setpoints reduce the potential for valve chattering that is due to steam pressure insufficient to fully open all valves following a turbine initiated reactor trip.

The above capacity (98% or 97% as applicable of rated flow) is sufficient capacity such that main steam pressure does not exceed 110% of the steam generator shell-side design pressure (the maximum pressure allowed by the ASME B&PV Code) for the worst-case loss-of-heat-sink event. This requirement is verified by analysis.

APPLICABLE The design basis for the MSSVs comes from Reference 2 and its SAFETY purpose is to limit the secondary system pressure to 110% of design ANALYSES pressure for any anticipated operational occurrence (AOO) or accident considered in the Design Basis Accident (DBA) and transient analysis.

The events that challenge the relieving capacity of the MSSVs, and thus RCS pressure, are those characterized as decreased heat removal events, which are presented in UFSAR, Section 14.1 (Unit 1) and Section 15.2 (Unit 2) (Ref. 3). Of these, the full power turbine trip without steam dump is the limiting AOO. This event also terminates normal feedwater flow to the steam generators.

Beaver Valley Units 1 and 2 B 3.7.1 - 1 Revision 0

MSSVs B 3.7.1 BASES APPLICABLE SAFETY ANALYSES (continued)

The safety analysis demonstrates that the transient response for turbine trip occurring from full power without a direct reactor trip presents no hazard to the integrity of the RCS or the Main Steam System. One turbine trip analysis is performed assuming primary system pressure control via operation of the pressurizer relief valves and spray. This analysis demonstrates that the DNB design basis is met. Another analysis is performed assuming no primary system pressure control, but crediting reactor trip on high pressurizer pressure and operation of the pressurizer safety valves. This analysis demonstrates that RCS integrity is maintained by showing that the maximum RCS pressure does not exceed 110% of the design pressure. All cases analyzed demonstrate that the MSSVs maintain Main Steam System integrity by limiting the maximum steam pressure to less than 110% of the steam generator design pressure.

In addition to the decreased heat removal events, reactivity insertion events may also challenge the relieving capacity of the MSSVs. The uncontrolled rod cluster control assembly (RCCA) bank withdrawal at power event is characterized by an increase in core power and steam generation rate until reactor trip occurs when either the Overtemperature T or Power Range Neutron Flux-High setpoint is reached. Steam flow to the turbine will not increase from its initial value for this event. The increased heat transfer to the secondary side causes an increase in steam pressure and may result in opening of the MSSVs prior to reactor trip, assuming no credit for operation of the atmospheric or condenser steam dump valves. The UFSAR Section 14.1 (Unit 1) and Section 15.1 (Unit 2) safety analysis of the RCCA bank withdrawal at power event for a range of initial core power levels demonstrates that the MSSVs are capable of preventing secondary side overpressurization for this AOO.

The UFSAR safety analyses discussed above assume that all of the MSSVs for each steam generator are OPERABLE. If there are inoperable MSSV(s), it is necessary to limit the primary system power during steady-state operation and AOOs to a value that does not result in exceeding the combined steam flow capacity of the turbine (if available) and the remaining OPERABLE MSSVs. The required limitation on primary system power necessary to prevent secondary system overpressurization may be determined by system transient analyses or conservatively arrived at by a simple heat balance calculation. In some circumstances it is necessary to limit the primary side heat generation that can be achieved during an AOO by reducing the setpoint of the Power Range Neutron Flux-High reactor trip function. For example, if more than one MSSV on a single steam generator is inoperable, an uncontrolled RCCA bank withdrawal at power event occurring from a partial power level may result in an increase in reactor power that Beaver Valley Units 1 and 2 B 3.7.1 - 2 Revision 0

MSSVs B 3.7.1 BASES APPLICABLE SAFETY ANALYSES (continued) exceeds the combined steam flow capacity of the turbine and the remaining OPERABLE MSSVs. Thus, for multiple inoperable MSSVs on the same steam generator it is necessary to prevent this power increase by lowering the Power Range Neutron Flux-High setpoint to an appropriate value. When the Moderator Temperature Coefficient (MTC) is positive, the reactor power may increase above the initial value during an RCS heatup event (e.g., turbine trip). Thus, for any number of inoperable MSSVs, it is necessary to reduce the trip setpoint if a positive MTC may exist at partial power conditions.

The MSSVs are assumed to have two active and one passive failure modes. The active failure modes are spurious opening, and failure to reclose once opened. The passive failure mode is failure to open upon demand.

The MSSVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The accident analysis requires that five MSSVs per steam generator be OPERABLE to provide overpressure protection for design basis transients occurring at 100.6% RTP. The LCO requires that five MSSVs per steam generator be OPERABLE in compliance with Reference 2, and the DBA analysis.

The OPERABILITY of the MSSVs is defined as the ability to open upon demand within the setpoint tolerances, to relieve steam generator overpressure, and reseat when pressure has been reduced. The OPERABILITY of the MSSVs is determined by periodic surveillance testing in accordance with the INSERVICE TESTING PROGRAM.

This LCO provides assurance that the MSSVs will perform their designed safety functions to mitigate the consequences of accidents that could result in a challenge to the RCPB, or Main Steam System integrity.

APPLICABILITY In MODES 1, 2, and 3, five MSSVs per steam generator are required to be OPERABLE to prevent main steam overpressurization.

In MODES 4 and 5, there are no credible transients requiring the MSSVs.

The steam generators are not normally used for heat removal in MODES 5 and 6, and thus cannot be overpressurized; there is no requirement for the MSSVs to be OPERABLE in these MODES.

Beaver Valley Units 1 and 2 B 3.7.1 - 3 Revision 34

MSSVs B 3.7.1 BASES ACTIONS The ACTIONS are modified by a Note indicating that separate Condition entry is allowed for each MSSV.

With one or more MSSVs inoperable, action must be taken so that the available MSSV relieving capacity meets Reference 2 requirements.

Operation with less than all five MSSVs OPERABLE for each steam generator is permissible, if THERMAL POWER is limited to the relief capacity of the remaining MSSVs. This is accomplished by restricting THERMAL POWER so that the energy transfer to the most limiting steam generator is not greater than the available relief capacity in that steam generator.

A.1 In the case of only a single inoperable MSSV on one or more steam generators when the Moderator Temperature Coefficient is not positive, a reactor power reduction alone is sufficient to limit primary side heat generation such that overpressurization of the secondary side is precluded for any RCS heatup event. Furthermore, for this case there is sufficient total steam flow capacity provided by the turbine and remaining OPERABLE MSSVs to preclude overpressurization in the event of an increased reactor power due to reactivity insertion, such as in the event of an uncontrolled RCCA bank withdrawal at power. Therefore, Required Action A.1 requires an appropriate reduction in reactor power within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

The maximum THERMAL POWER corresponding to the heat removal capacity of the remaining OPERABLE MSSVs is determined via a conservative heat balance calculation as discussed below, with an appropriate allowance for calorimetric power uncertainty.

The maximum THERMAL POWER corresponding to the heat removal capacity of the remaining OPERABLE MSSVs is determined by the governing heat transfer relationship from the equation q = mh, where q is the heat input from the primary side, m is the steam mass flow rate, and h is the heat of vaporization at the steam relief pressure assuming no subcooled feedwater. For each steam generator, at a specified pressure, the maximum allowable power level is determined as follows:

Maximum Allowable Power Level (100/Q) (wshfgN) / K where:

Q = Nominal NSSS power rating of the plant (including reactor coolant pump heat), MWt K = Conversion factor, 947.82 (Btu/sec)/MWt Beaver Valley Units 1 and 2 B 3.7.1 - 4 Revision 0

MSSVs B 3.7.1 BASES ACTIONS (continued) ws = Minimum total steam flow rate capability of the OPERABLE MSSVs on any one steam generator at the highest OPERABLE MSSV opening pressure, including tolerance and accumulation, as appropriate, lbm/sec. For example, if the maximum number of inoperable MSSVs on any one steam generator is one, then ws should be a summation of the capacity of the OPERABLE MSSVs at the highest OPERABLE MSSV operating pressure, excluding the highest capacity MSSV. If the maximum number of inoperable MSSVs per steam generator is three, then ws should be a summation of the capacity of the OPERABLE MSSVs at the highest OPERABLE MSSV operating pressure, excluding the three highest capacity MSSVs.

hfg = Heat of vaporization at the highest MSSV opening pressure, including tolerance and accumulation as appropriate, Btu/lbm.

N = Number of loops in the plant.

For use in determining the % RTP in Required Action A.1, the Maximum NSSS Power calculated above is reduced by 2% RTP to account for calorimetric power uncertainty. This is a conservative value that bounds the uncertainties associated with both the feedwater flow venturis and the Leading Edge Flow Meter.

B.1 and B.2 In the case of multiple inoperable MSSVs on one or more steam generators, with a reactor power reduction alone there may be insufficient total steam flow capacity provided by the turbine and remaining OPERABLE MSSVs to preclude overpressurization in the event of an increased reactor power due to reactivity insertion, such as in the event of an uncontrolled RCCA bank withdrawal at power. Furthermore, for a single inoperable MSSV on one or more steam generators when the Moderator Temperature Coefficient is positive the reactor power may increase as a result of an RCS heatup event such that flow capacity of the remaining OPERABLE MSSVs is insufficient. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time for Required Action B.1 is consistent with A.1. An additional 32 hours3.703704e-4 days 0.00889 hours 5.291005e-5 weeks 1.2176e-5 months is allowed in Required Action B.2 to reduce the Power Range Neutron Flux-High reactor trip setpoints. The Completion Time of 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months is based on a reasonable time to correct the MSSV inoperability, the time required to perform the power reduction, operating experience to reset all channels of a protective function, and on the low probability of the occurrence of a transient that could result in steam generator overpressure during this period.

Beaver Valley Units 1 and 2 B 3.7.1 - 5 Revision 0

MSSVs B 3.7.1 BASES ACTIONS (continued)

The maximum THERMAL POWER corresponding to the heat removal capacity of the remaining OPERABLE MSSVs is determined via a conservative heat balance calculation as discussed above, with an appropriate allowance for Nuclear Instrumentation System trip channel uncertainties.

To determine the Table 3.7.1-1 Maximum Allowable Power for Required Actions B.1 and B.2 (% RTP), the calculated Maximum NSSS Power is reduced by 9% RTP to account for Nuclear Instrumentation System trip channel uncertainties. An additional conservatism is employed by setting the values equal to the most conservative between the two units, this being the Unit 1 values.

Required Action B.2 is modified by a Note, indicating that the Power Range Neutron Flux-High reactor trip setpoint reduction is only required in MODE 1. In MODES 2 and 3 the reactor protection system trips specified in LCO 3.3.1, "Reactor Trip System Instrumentation," provide sufficient protection.

The allowed Completion Times are reasonable based on operating experience to accomplish the Required Actions in an orderly manner without challenging unit systems.

C.1 and C.2 If the Required Actions are not completed within the associated Completion Time, or if one or more steam generators have 4 inoperable MSSVs, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and in MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.1.1 REQUIREMENTS This SR verifies the OPERABILITY of the MSSVs by the verification of each MSSV lift setpoint in accordance with the INSERVICE TESTING PROGRAM and the ASME Code (Ref. 4) requirements.

Beaver Valley Units 1 and 2 B 3.7.1 - 6 Revision 34

MSSVs B 3.7.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The ASME Code specifies the activities and frequencies necessary to satisfy the requirements. Table 3.7.1-2a (Unit 1) and Table 3.7.1-2b (Unit 2) specify the required setpoint tolerance for OPERABILITY; however, the valves are reset to +/- 1% during the Surveillance to allow for drift. The lift settings correspond to ambient conditions of the valve at nominal operating temperature and pressure.

This SR is modified by a Note that allows entry into and operation in MODE 3 prior to performing the SR. The MSSVs may be either bench tested or tested in situ at hot conditions using an assist device to simulate lift pressure. If the MSSVs are not tested at hot conditions, the lift setting pressure shall be corrected to ambient conditions of the valve at operating temperature and pressure.

REFERENCES 1. UFSAR, Section 10.3.1 (Unit 1) and Section 10.3.2 (Unit 2).

2. ASME, Boiler and Pressure Vessel Code,Section III, Article NC-7000, Class 2 Components.

3. U FSAR, Section 14.1 (Unit 1) and Section 15.2 (Unit 2).

4. ASME code for Operation and Maintenance of Nuclear Power Plants.

Beaver Valley Units 1 and 2 B 3.7.1 - 7 Revision 0

MSIVs B 3.7.2 B 3.7 PLANT SYSTEMS B 3.7.2 Main Steam Isolation Valves (MSIVs)

BASES BACKGROUND Unit 1 is designed with main steam trip valves, main steam non-return check valves, and main steam trip bypass valves. The main steam trip valves perform similar functions as the Unit 2 MSIVs and will be herein referred to as MSIVs. The MSIVs isolate steam flow from the secondary side of the steam generators following a high energy line break (HELB).

MSIV closure terminates flow from the unaffected (intact) steam generators.

One MSIV is located in each main steam line outside, but close to, containment. The MSIVs are downstream from the main steam safety valves (MSSVs) and auxiliary feedwater (AFW) pump turbine steam supply, to prevent MSSV and AFW steam supply isolation from the steam generators by MSIV closure. Closing the MSIVs isolates each steam generator from the others, and isolates the turbine, Steam Bypass System, and other auxiliary steam supplies from the steam generators.

The MSIVs close on a main steam isolation signal generated by either a Containment Pressure - Intermediate High High, Steam Line Pressure -

Negative Rate - High, or Steam Line Pressure - Low function. For Unit 1, the MSIVs fail closed on loss of control air pressure. For Unit 2, the MSIVs fail closed on loss of control or actuation power.

Isolation of the main steam lines provides protection in the event of a steam line break (SLB) inside or outside containment. Rapid isolation of the steam lines will limit the steam break accident to the blowdown from one steam generator (SG), at most. For an SLB upstream of the MSIVs, inside or outside of containment, closure of the MSIVs limits the accident to the blowdown from only the affected SG. For an SLB downstream of the MSIVs, closure of the MSIVs terminates the accident as soon as the steam lines depressurize. For Unit 1, the main steam non-return check valves are designed to automatically prevent reverse flow of steam in the case of accidental pressure reduction in any steam generator or its piping. If a steam line breaks between a non-return valve and a steam generator, the affected steam generator continues to blowdown while the non-return valve in the line prevents significant blowdown from the other steam generators. For Unit 2, which does not have main steam non-return check valves, steam line isolation will also mitigate the effects of a feed line break and ensures a source of steam for the turbine driven AFW pump during a feed line break.

Beaver Valley Units 1 and 2 B 3.7.2 - 1 Revision 0

MSIVs B 3.7.2 BASES BACKGROUND (continued)

Each MSIV has an MSIV bypass valve. Although these bypass valves are normally closed, they receive the same emergency closure signal as do their associated MSIVs. The MSIVs may also be actuated manually.

A description of the MSIVs is found in the UFSAR, Section 10.3 (Ref. 1).

APPLICABLE The design basis of the MSIVs is established by the containment analysis SAFETY for the large SLB inside containment, discussed in the UFSAR, ANALYSES Chapter 14 (Unit 1) and Section 6.2 (Unit 2) (Ref. 2). It is also affected by the accident analysis of the SLB events presented in the UFSAR, Section 14.2.5.1 (Unit 1) and Section 15.1.5 (Unit 2) (Ref. 3). The design precludes the blowdown of more than one steam generator, assuming a single active component failure (e.g., the failure of one MSIV to close on demand).

The limiting case for the containment analysis is the SLB inside containment, with offsite power available, and failure of the main steam non-return check valve (Unit 1) or the MSIV (Unit 2) on the affected steam generator to close. At lower powers, the steam generator inventory and pressure are at their maximum, maximizing the analyzed mass and energy release to the containment. Due to reverse flow and failure of the main steam non-return check valve (Unit 1) or the MSIV (Unit 2) to close, the additional mass and energy in the steam headers downstream from the other MSIVs contribute to the total release. With the most reactive rod cluster control assembly assumed stuck in the fully withdrawn position, there is an increased possibility that the core will become critical and return to power. The core is ultimately shut down by the boric acid injection delivered by the Emergency Core Cooling System.

The accident analysis compares several different SLB events against different acceptance criteria. The large SLB outside containment upstream of the MSIV is limiting for offsite dose, although a break in this short section of main steam header has a very low probability. The large SLB at hot zero power is the limiting case for a return to power event.

The analysis includes scenarios with offsite power available, and with a loss of offsite power following turbine trip. With offsite power available, the reactor coolant pumps continue to circulate coolant through the steam generators, maximizing the Reactor Coolant System cooldown. With a loss of offsite power, the response of mitigating systems is delayed.

Significant single failures considered include failure of an MSIV to close.

Beaver Valley Units 1 and 2 B 3.7.2 - 2 Revision 0

MSIVs B 3.7.2 BASES APPLICABLE SAFETY ANALYSES (continued)

The MSIVs serve only a safety function and remain open during power operation. These valves operate under the following situations:

a. An HELB inside containment. In order to maximize the mass and energy release into containment, the analysis assumes that the MSIV in the affected steam generator remains open. For this accident scenario, steam is discharged into containment from all steam generators until the remaining MSIVs close. After MSIV closure, steam is discharged into containment only from the affected steam generator and from the residual steam in the main steam header downstream of the closed MSIVs in the unaffected loops.

Closure of the MSIVs isolates the break from the unaffected steam generators.

b. A break outside of containment and upstream from the MSIVs is not a containment pressurization concern. The uncontrolled blowdown of more than one steam generator must be prevented to limit the potential for uncontrolled RCS cooldown and positive reactivity addition. Closure of the MSIVs isolates the break and limits the blowdown to a single steam generator.

c. A break downstream of the MSIVs will be isolated by the closure of the MSIVs.

d. Following a steam generator tube rupture, closure of the MSIVs isolates the ruptured steam generator from the intact steam generators to minimize radiological releases.

e. For Unit 2, the MSIVs are also utilized during other events such as a feedwater line break. This event is less limiting so far as MSIV OPERABILITY is concerned.

The MSIVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO requires that three MSIVs in the steam lines be OPERABLE.

The MSIVs are considered OPERABLE when the isolation times are within limits, and they close on a manual and automatic isolation actuation signal.

This LCO provides assurance that the MSIVs will perform their design safety function to mitigate the consequences of accidents that could result in offsite exposures comparable to the limits specified in Regulatory Guide 1.183 (Ref. 4).

Beaver Valley Units 1 and 2 B 3.7.2 - 3 Revision 0

MSIVs B 3.7.2 BASES APPLICABILITY The MSIVs must be OPERABLE in MODE 1, and in MODES 2 and 3 except when closed and de-activated, when there is significant mass and energy in the RCS and steam generators. When the MSIVs are closed, they are already performing the safety function.

In MODE 4 the steam generator energy is low and the MSIVs are not required to support the safety analysis due to the low probability of a design basis accident.

In MODE 5 or 6, the steam generators do not contain much energy because their temperature is below the boiling point of water; therefore, the MSIVs are not required for isolation of potential high energy secondary system pipe breaks in these MODES.

ACTIONS A.1 With one MSIV inoperable in MODE 1, action must be taken to restore OPERABLE status within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . Some repairs to the MSIV can be made with the unit hot. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time is reasonable, considering the low probability of an accident occurring during this time period that would require a closure of the MSIVs.

The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time is greater than that allowed for most containment isolation valves because the MSIVs are valves that isolate a closed system penetrating containment. These valves differ from other containment isolation valves in that the closed system provides an additional means for containment isolation.

B.1 If the MSIV cannot be restored to OPERABLE status within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and Condition C would be entered. The Completion Times are reasonable, based on operating experience, to reach MODE 2 and to close the MSIVs in an orderly manner and without challenging unit systems.

C.1 and C.2 Condition C is modified by a Note indicating that separate Condition entry is allowed for each MSIV.

Since the MSIVs are required to be OPERABLE in MODES 2 and 3, the inoperable MSIVs may either be restored to OPERABLE status or closed.

When closed, the MSIVs are already in the position required by the assumptions in the safety analysis.

Beaver Valley Units 1 and 2 B 3.7.2 - 4 Revision 0

MSIVs B 3.7.2 BASES ACTIONS (continued)

The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time is consistent with that allowed in Condition A.

For inoperable MSIVs that cannot be restored to OPERABLE status within the specified Completion Time, but are closed, the inoperable MSIVs must be verified on a periodic basis to be closed. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, in view of MSIV status indications available in the control room, and other administrative controls, to ensure that these valves are in the closed position.

D.1 and D.2 If the MSIVs cannot be restored to OPERABLE status or are not closed within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed at least in MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and in MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from MODE 2 conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.2.1 REQUIREMENTS This SR verifies that MSIV closure time is within the limit specified in the Licensing Requirements Manual (Ref. 5). The MSIV total response time (signal generation plus MSIV closure time) is assumed in the accident analyses. The MSIVs should not be tested at power due to the risk of a valve closure when the unit is generating power. As MSIVs are not typically tested at power, they are exempt from the ASME Code (Ref. 6) requirements during operation in MODE 1 or 2.

The Frequency is in accordance with the INSERVICE TESTING PROGRAM.

This test is allowed to be conducted in MODE 3 with the unit at operating temperature and pressure. This SR is modified by a Note that allows entry into and operation in MODE 3 prior to performing the SR.

Beaver Valley Units 1 and 2 B 3.7.2 - 5 Revision 34

MSIVs B 3.7.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.7.2.2 This SR verifies that each MSIV can close on an actual or simulated automatic and manual actuation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Section 10.3.

2. UFSAR, Chapter 14 (Unit 1) and Section 6.2 (Unit 2).

3. UFSAR, Section 14.2.5.1 (Unit 1) and Section 15.1.5 (Unit 2).

4. Regulatory Guide 1.183, July 2000.

5. Licensing Requirements Manual (LRM) for BVPS Unit 1 and Unit 2.

6. ASME code for Operation and Maintenance of Nuclear Power Plants.

Beaver Valley Units 1 and 2 B 3.7.2 - 6 Revision 29

MFIVs and MFRVs and MFRV Bypass Valves B 3.7.3 B 3.7 PLANT SYSTEMS B 3.7.3 Main Feedwater Isolation Valves (MFIVs) and Main Feedwater Regulation Valves (MFRVs) and MFRV Bypass Valves BASES BACKGROUND The MFIVs isolate main feedwater (MFW) flow to the secondary side of the steam generators following a high energy line break (HELB). The safety related function of the MFRVs is to provide the second isolation of MFW flow to the secondary side of the steam generators following an HELB. Closure of the MFIVs or MFRVs and MFRV bypass valves terminates flow to the steam generators, terminating the event for feedwater line breaks (FWLBs) occurring upstream of the MFIVs or MFRVs. The consequences of events occurring in the main steam lines or in the MFW lines downstream from the MFIVs will be mitigated by their closure. Closure of the MFIVs or MFRVs and MFRV bypass valves, effectively terminates the addition of feedwater to an affected steam generator, limiting the mass and energy release for steam line breaks (SLBs) or FWLBs inside containment, and reducing the cooldown effects for SLBs.

The MFIVs isolate the nonsafety related portions from the safety related portions of the system. In the event of a secondary side pipe rupture inside containment, the valves limit the quantity of high energy fluid that enters containment through the break, and provide a pressure boundary for the controlled addition of auxiliary feedwater (AFW) to the intact loops.

One MFIV and one MFRV and MFRV bypass valve, are located on each MFW line, outside of containment. The MFIVs and MFRVs are located upstream of the AFW injection point so that AFW may be supplied to the steam generators following MFIV or MFRV closure. The piping volume from these valves to the steam generators must be accounted for in calculating mass and energy releases, and refilled prior to AFW reaching the steam generator following either an SLB or FWLB.

The MFIVs and MFRVs and MFRV bypass valves close on receipt of a safety injection or steam generator water level - high high signal. The MFRVs will also close on receipt of a Tavg - Low coincident with reactor trip (P-4). They may also be actuated manually. In addition to the MFIVs and the MFRVs and MFRV bypass valves, a check valve outside containment is available. The check valve provides the first pressure boundary for the addition of AFW to the intact loop and prevents backflow in the feedwater line should a break occur upstream of the valve.

A description of the MFIVs and MFRVs is found in the UFSAR, Section 10.3.5 (Unit 1) and Section 10.4.7 (Unit 2) (Ref. 1).

Beaver Valley Units 1 and 2 B 3.7.3 - 1 Revision 0

MFIVs and MFRVs and MFRV Bypass Valves B 3.7.3 BASES APPLICABLE The design basis of the MFIVs and MFRVs is established by the analyses SAFETY for the large SLB. It is also influenced by the accident analysis for the ANALYSES large FWLB. Closure of the MFIVs or MFRVs and MFRV bypass valves, are relied on to terminate a SLB for core response analysis and excess feedwater event upon the receipt of a steam generator water level - high high signal.

Failure of an MFIV, MFRV, or the MFRV bypass valves to close following an SLB or FWLB can result in additional mass being delivered to the steam generators, contributing to cooldown. This failure also results in additional mass and energy releases following a SLB or FWLB event.

The MFIVs and MFRVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO ensures that the MFIVs, MFRVs, and the MFRV bypass valves will isolate MFW flow to the steam generators, following an FWLB or main steam line break.

This LCO requires that three MFIVs and three MFRVs and MFRV bypass valves be OPERABLE. The MFIVs and MFRVs and the MFRV bypass valves are considered OPERABLE when isolation times are within limits and they close on an isolation actuation signal.

Failure to meet the LCO requirements can result in additional mass and energy being released to containment following an SLB or FWLB inside containment. A feedwater isolation signal on steam generator water level

- high high is relied on to terminate an excess feedwater flow event, failure to meet the LCO may result in the introduction of water into the main steam lines.

APPLICABILITY The MFIVs and MFRVs and the MFRV bypass valves must be OPERABLE whenever there is significant mass and energy in the Reactor Coolant System and steam generators. In MODES 1, 2, and 3, the MFIVs and MFRVs and the MFRV bypass valves are required to be OPERABLE to limit the amount of available fluid that could be added to containment in the case of a secondary system pipe break inside containment. When the valves are closed and de-activated or isolated by a closed manual valve, they are already performing their safety function.

In MODES 4, 5, and 6, steam generator energy is low. Therefore, the MFIVs, MFRVs, and the MFRV bypass valves are not required to be OPERABLE.

Beaver Valley Units 1 and 2 B 3.7.3 - 2 Revision 0

MFIVs and MFRVs and MFRV Bypass Valves B 3.7.3 BASES ACTIONS The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each valve.

A.1 and A.2 With one MFIV in one or more flow paths inoperable, action must be taken to restore the affected valves to OPERABLE status, or to close or isolate inoperable affected valves within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . When these valves are closed or isolated, they are performing their required safety function.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves and the low probability of an event occurring during this time period that would require isolation of the MFW flow paths. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is reasonable, based on operating experience.

Inoperable MFIVs that are closed or isolated must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, in view of valve status indications available in the control room, and other administrative controls, to ensure that these valves are closed or isolated.

B.1 and B.2 With one MFRV in one or more flow paths inoperable, action must be taken to restore the affected valves to OPERABLE status, or to close or isolate inoperable affected valves within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . When these valves are closed or isolated, they are performing their required safety function.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves and the low probability of an event occurring during this time period that would require isolation of the MFW flow paths. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is reasonable, based on operating experience.

Inoperable MFRVs, that are closed or isolated, must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, in view of valve status indications available in the control room, and other administrative controls to ensure that the valves are closed or isolated.

Beaver Valley Units 1 and 2 B 3.7.3 - 3 Revision 0

MFIVs and MFRVs and MFRV Bypass Valves B 3.7.3 BASES ACTIONS (continued)

C.1 and C.2 With one MFRV bypass valve in one or more flow paths inoperable, action must be taken to restore the affected valves to OPERABLE status, or to close or isolate inoperable affected valves within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . When these valves are closed or isolated, they are performing their required safety function.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves and the low probability of an event occurring during this time period that would require isolation of the MFW flow paths. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is reasonable, based on operating experience.

Inoperable MFRV bypass valves that are closed or isolated must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, in view of valve status indications available in the control room, and other administrative controls, to ensure that these valves are closed or isolated.

D.1 With two inoperable in series valves in the same flow path, there may be no redundant system to operate automatically and perform the required safety function. The containment can be isolated with the failure of two valves in parallel in the same flow path. Under these conditions, affected valves in each flow path must be restored to OPERABLE status, or the affected flow path isolated within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . This action returns the system to the condition where at least one valve in each flow path is performing the required safety function. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time is reasonable, based on operating experience, to complete the actions required to close the MFIV or MFRV, or otherwise isolate the affected flow path.

E.1 and E.2 If the MFIV(s) and MFRV(s) and the MFRV bypass valve(s) cannot be restored to OPERABLE status, or closed, or isolated within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and in MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

Beaver Valley Units 1 and 2 B 3.7.3 - 4 Revision 0

MFIVs and MFRVs and MFRV Bypass Valves B 3.7.3 BASES SURVEILLANCE SR 3.7.3.1 REQUIREMENTS This SR verifies that the closure time of each MFIV, MFRV, and MFRV bypass valve is within the limit(s) specified in the Licensing Requirements Manual (LRM) (Ref. 2). The total response times (signal generation plus valve closure time) are assumed in the SLB or FWLB accident analyses.

The Frequency for this SR is in accordance with the INSERVICE TESTING PROGRAM.

SR 3.7.3.2 This SR verifies that each MFIV, MFRV, and MFRV bypass valve can close on an actual or simulated actuation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Section 10.3.5 (Unit 1) and Section 10.4.7 (Unit 2).

2. Licensing Requirements Manual (LRM) for BVPS Unit 1 and Unit 2.

Beaver Valley Units 1 and 2 B 3.7.3 - 5 Revision 34

ADVs B 3.7.4 B 3.7 PLANT SYSTEMS B 3.7.4 Atmospheric Dump Valves (ADVs)

BASES BACKGROUND The ADV lines required OPERABLE include the three atmospheric relief valves (one per steam generator (SG)) and the associated block (isolation) valves and for Unit 2 only, one residual heat release valve and its block valve and individual SG isolation valves. The Unit 2 residual heat release valve and all its associated isolation valves are counted as one of the required ADV lines for Unit 2. As discussed in the UFSAR, Section 10.3 (Ref. 1), the atmospheric relief valves and the residual heat release valve provide a method of removing core decay heat and cooling the unit to Residual Heat Removal (RHR) System entry conditions should the preferred heat sink via the condenser steam dump valves not be available.

Each ADV line has a block valve. The block valves are normally open manual valves. The block valves can be used for isolating an ADV line if necessary. However, due to time constraints in the safety analysis, the ADV block valves must remain open for an ADV line to be considered OPERABLE. In addition to the block valve described above, the Unit 2 residual heat release valve has three normally open isolation valves (one for each SG). The individual SG isolation valves are used to isolate a faulted SG so the Unit 2 residual heat release valve can be used for accident mitigation. In order for the Unit 2 residual heat release valve ADV line to be OPERABLE, the individual SG isolation valves must be maintained open with the capability of being manually closed.

The Unit 1 ADVs are DC powered air operated valves utilizing a non-safety related air system. The Unit 1 ADVs can normally be operated from the control room. However, in order to meet the assumptions of the operational assessment used to evaluate single failure concerns, the Unit 1 ADVs must be capable of being operated locally as well as from the control room in order to be considered OPERABLE.

The Unit 2 ADVs have an electro-hydraulic operator that can be operated from the control room. Each Unit 2 atmospheric relief valve is powered by the same emergency AC train power. The Unit 2 residual heat release valve is powered by the other emergency AC train. In order to meet the assumptions of the applicable safety analysis, the Unit 2 ADVs (including the residual heat release valve) must be capable of being operated locally as well as from the control room in order to be considered OPERABLE.

Beaver Valley Units 1 and 2 B 3.7.4 - 1 Revision 0

ADVs B 3.7.4 BASES BACKGROUND (continued)

The ADVs have a non-safety related automatic pressure control capability. However, the only function of the ADVs required by the safety analyses (and this Technical Specification) is the ability to cool down the plant following a Design Basis Accident (DBA).

APPLICABLE In the accident analysis presented in the UFSAR (Ref. 2), the ADVs may SAFETY be used by the operator to cool down the unit to RHR entry conditions for ANALYSES accidents accompanied by a loss of offsite power.

The design bases of the ADVs are established by the capability to cool the unit to RHR System entry conditions. For the recovery from a design basis steam generator tube rupture (SGTR) accident, the operator is required to perform a limited cooldown to establish adequate subcooling as a necessary step to terminate the primary to secondary break flow into the faulted steam generator. The time required to terminate the primary to secondary break flow for the design basis SGTR accident is more critical than the time required to cool down to RHR System entry conditions for this event and for other Design Basis Accidents (DBAs).

Thus, the SGTR is the limiting event for the ADVs.

For Unit 1, three ADVs with associated flow paths and isolation valves are required OPERABLE. Due to the design of the Unit 1 residual heat release valve, it can not be isolated from a SG with a ruptured tube.

Therefore, the Unit 1 residual heat release valve is not used to mitigate a SGTR due to the dose requirements of the accident analysis. The requirement for three OPERABLE ADV lines provides assurance that a single active failure of one ADV line or a single active failure of the instrument air supply will not prevent the mitigation of a SGTR accident.

The Unit 1 operational assessment used to evaluate the single failures described above also assumes that one ADV is lost to the faulted SG. In the case where the instrument air supply is available and an active failure of one of the remaining ADVs is assumed, the operational assessment assumes the remaining ADV is operated from the control room to successfully mitigate the SGTR accident. In the case where the active failure is a loss of instrument air, and ADV operation is delayed, the operational assessment assumes the two remaining ADVs are operated by local manual control to successfully mitigate the SGTR accident.

Therefore, the Unit 1 ADVs must be capable of both remote and local manual operation to be considered OPERABLE. The Unit 1 operational assessment does not include a specific time to manually unblock an ADV.

Therefore, the Unit 1 ADV block valves must remain open for the ADV lines to be considered OPERABLE.

Beaver Valley Units 1 and 2 B 3.7.4 - 2 Revision 0

ADVs B 3.7.4 BASES APPLICABLE SAFETY ANALYSES (continued)

For Unit 2, four ADVs with associated flow paths and isolation valves are required OPERABLE to satisfy the SGTR accident analysis assumptions of a single active failure and loss of offsite power. Requiring four Unit 2 ADVs OPERABLE assures that two ADVs will remain OPERABLE for the SGTR analysis overfill case (i.e., one ADV lost to the faulted SG and one ADV lost to a single active failure). Additionally, requiring four Unit 2 ADVs OPERABLE assures that three ADVs will remain OPERABLE for the SGTR radiological dose case. The radiological dose case includes the loss of one ADV as a single active failure (i.e., the ADV on the faulted SG fails open).

The Unit 2 SGTR analysis requires that two ADVs (overfill case) or three ADVs (bounding dose case) remain OPERABLE to mitigate the accident within the assumed time frame. All other radiological dose cases only require two ADVs, since a longer cooldown does not have as great an impact on SGTR doses as a failed open ADV on the faulted SG.

Furthermore, in order to assure the SGTR accident can be mitigated within the Unit 2 analysis requirements, the ADVs must be capable of both remote and local manual operation. In addition, the Unit 2 safety analysis does not include additional time to manually unisolate a blocked ADV. Therefore, an ADV line with a closed block valve is considered inoperable. The Unit 2 safety analysis does account for the time it takes to manually isolate the faulted SG from the Unit 2 residual heat release valve so that the ADV line can be used to meet the accident analysis requirements. Therefore, the individual normally open SG isolation valves associated with the Unit 2 residual heat release valve must also be maintained open with the capability of being manually closed for the Unit 2 residual heat release valve ADV line to be OPERABLE.

The ADVs are equipped with block valves in the event an ADV spuriously fails to open or fails to close during use. The ADVs, as well as the RHRV, at each unit may pass some amount of steam leakage, since the SGTR radiological analyses for BVPS-1 and BVPS-2 include a steam flow margin factor. Such leakage may pass through the Main Steam Safety Valves, as well. TS 3.7.1 OPERABILITY of the MSSVs is not affected, since these valves are not discussed or credited in SGTR accident mitigation. Any observed steam leakage would have to be measurable on the installed Main Steam Flow System instruments (above instrument accuracy) to be considered significant.

The ADVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Beaver Valley Units 1 and 2 B 3.7.4 - 3 Revision 9

ADVs B 3.7.4 BASES LCO The LCO requires three Unit 1 ADV lines and four Unit 2 ADV lines to be OPERABLE. The ADV lines required OPERABLE include the three atmospheric relief valves (one per SG) and the associated block (isolation) valves and for Unit 2 only, one residual heat release valve and its block valve and individual SG isolation valves. The Unit 2 residual heat release valve and all its associated isolation valves are counted as one ADV line for Unit 2. The number of ADV lines required OPERABLE is consistent with each Units design and the safety analyses requirements described above.

An OPERABLE ADV line is capable of providing controlled relief of the main steam flow and capable of fully opening and closing. In order to be OPERABLE, the ADVs (including the Unit 2 residual heat release valve) must be capable of remote manual and local manual operation. Also, the block valve associated with each ADV line must be open for the line to be considered OPERABLE. In addition to the above requirements, the three individual SG isolation valves associated with Unit 2 residual heat release valve must be open and capable of being manually closed for the residual heat release valve ADV line to be considered OPERABLE.

The block valves associated with each ADV line must be OPERABLE to isolate a failed open ADV line. In addition, the three individual SG isolation valves associated with the Unit 2 residual heat release valve ADV line must be OPERABLE to enable a faulted SG to be isolated from the residual heat release valve ADV line.

Failure to meet the LCO could result in the inability to cool the unit under the limiting accident conditions within the time limit assumed in the applicable safety analyses described above.

APPLICABILITY In MODES 1, 2, and 3, and in MODE 4, when steam generator is being relied upon for heat removal, the ADVs are required to be OPERABLE.

In MODE 5 or 6, an SGTR is not a credible event.

ACTIONS A.1 With one required ADV line inoperable, action must be taken to restore OPERABLE status within 7 days. The 7 day Completion Time allows for the redundant capability afforded by the remaining OPERABLE ADV lines, a nonsafety grade backup in the condenser steam dump valves, and MSSVs.

Beaver Valley Units 1 and 2 B 3.7.4 - 4 Revision 9

ADVs B 3.7.4 BASES ACTIONS (continued)

B.1 With two or more ADV lines inoperable, action must be taken to restore all but one ADV line to OPERABLE status. Since the block valve can be closed to isolate an ADV, some repairs may be possible with the unit at power. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable to repair inoperable ADV lines, based on the availability of the condenser steam dump valves and MSSVs, and the low probability of an event occurring during this period that would require the ADV lines.

C.1 and C.2 If the ADV lines cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and in MODE 4, without reliance upon steam generator for heat removal, within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . In this condition, the unit utilizes RHR for cooling. Therefore, operation may continue with one or more ADV lines inoperable because the RCS cooling function required to mitigate a SGTR event would be accomplished by the RHR System.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.4.1 REQUIREMENTS To perform a controlled cooldown of the RCS, the ADVs must be able to be opened and throttled through their full range. This SR ensures that the ADVs are tested through a full control cycle at least once per fuel cycle.

The requirement to stroke the valve through the full range of operation may be accomplished by remote manual control. In addition, this Surveillance must also verify the capability to locally operate each ADV.

The verification of local operation does not require that the ADV be stroked through the full range of travel (i.e., if the valve is stroked full open and closed by remote manual operation, the capability to operate the ADV locally may be verified by observing valve stem movement). The ADVs must be capable of both remote and local manual operation in order to be considered OPERABLE. Performance of inservice testing or use of an ADV during a unit cooldown may satisfy this requirement. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.7.4 - 5 Revision 29

ADVs B 3.7.4 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.7.4.2 The function of the block valve is to isolate a failed open ADV. Cycling the block valve closed and open demonstrates its capability to perform this function. Performance of maintenance or other testing that results in cycling these valves including the use of the block valve during unit cooldown may satisfy this requirement. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.4.3 The function of the individual SG isolation valves associated with the Unit 2 residual heat release valve is to isolate the residual heat release valve from a SG with a ruptured tube. Isolating the SG with a ruptured tube minimizes the resulting dose when the residual heat release valve is used for SGTR accident mitigation. Cycling these isolation valves closed and open demonstrates the capability to perform this function.

Performance of maintenance or other testing that results in cycling these valves, including the use of the isolation valve during unit cooldown may satisfy this requirement. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The Surveillance is modified by a Note that states the Surveillance is only applicable to Unit 2. The Note is necessary because the corresponding Unit 1 residual heat release valve is not required OPERABLE by LCO 3.7.4. Only the Unit 2 residual heat release valve is required OPERABLE by LCO 3.7.4. This is because Unit 2 requires the additional relief capacity provided by this valve for accident mitigation and the Unit 2 residual heat release valve has individual SG isolation valves that allow it to be isolated from a faulted SG so it can be used for accident mitigation.

REFERENCES 1. UFSAR, Section 10.3.

2. UFSAR, Section 14 (Unit 1) and UFSAR Section 15 (Unit 2).

Beaver Valley Units 1 and 2 B 3.7.4 - 6 Revision 29

AFW System B 3.7.5 B 3.7 PLANT SYSTEMS B 3.7.5 Auxiliary Feedwater (AFW) System BASES BACKGROUND The AFW System automatically supplies feedwater to the steam generators (SGs) to remove decay heat from the Reactor Coolant System upon the loss of normal feedwater supply.

The AFW System consists of two motor driven pumps and one steam turbine driven pump configured into three trains. The AFW System design is such that it can perform its function following a total loss of normal feedwater and the single failure of an AFW pump. Any two of the three AFW pumps are capable of supplying the required feedwater flow assumed in the accident analyses. The pumps are equipped with independent recirculation lines to prevent pump operation against a closed system. Each motor driven AFW pump is powered from an independent Class 1E power supply and each pump feeds all three SGs.

The steam turbine driven AFW pump receives steam from a minimum of two main steam lines upstream of the main steam isolation valves. Each of the steam feed lines will supply 100% of the steam requirements for the turbine driven AFW pump. For Unit 1, the turbine driven AFW pump steam feed lines from each of the three main steam lines combine to form one supply header. The single header then splits into two parallel paths with one Train "A" operated and one Train "B" operated isolation valve on each pathway. The two parallel paths then combine into one header which supplies steam to the turbine driven AFW pump. For Unit 2, the turbine driven AFW pump steam feed lines from each of the three main steam lines contain two in-line series solenoid operated isolation valves.

Downstream of the series isolation valves, the three lines combine to form one main header. The main header then supplies the turbine driven AFW pump. Although the turbine driven pump in each Unit is capable of receiving the required steam supply from any one of the three main steam lines, only two steam feed lines are required OPERABLE.

The flow path from the primary plant demineralized water storage tank (PPDWST) (WT-TK-10 (Unit 1) and 2FWE-TK210 (Unit 2)) to the SGs consists of individual supply lines to each of the three AFW pumps. Each motor driven AFW pump is connected to its train related supply header.

In addition, for Unit 1, each motor driven AFW pump has the ability to be aligned to the opposite train header. The turbine driven pump can also be aligned to either the Train "A" or "B" supply header.

Beaver Valley Units 1 and 2 B 3.7.5 - 1 Revision 0

AFW System B 3.7.5 BASES BACKGROUND (continued)

The Train "A" and "B" supply headers branch out to each SG feedwater line via three normally open remotely operated valves arranged in parallel flow paths. The individual Train "A" and "B" supply header flow paths are then combined into one common feedwater line injection header for each SG. The common feedwater injection headers each contain a check valve. Each common feedwater injection header supplies a separate SG via the normal feedwater header downstream of the feedwater isolation valves.

The SGs function as a heat sink for core decay heat. The heat load is dissipated by releasing steam to the atmosphere from the SGs via the main steam safety valves (MSSVs) or atmospheric dump valves (ADVs).

If the main condenser is available, steam may be released via the steam dump valves.

The AFW System is capable of supplying feedwater to the SGs during normal unit startup, shutdown, and hot standby conditions.

During a normal plant cooldown, one pump at full flow is sufficient to remove decay heat and cool the unit to residual heat removal (RHR) entry conditions. Thus, the requirement for diversity in motive power sources for the AFW System is met.

The AFW System is designed to supply sufficient water to the SG(s) to remove decay heat with SG pressure at the setpoint of the MSSVs.

Subsequently, the AFW System supplies sufficient water to cool the unit to RHR entry conditions, with steam released through the ADVs.

The AFW System actuates automatically on SG water level - low low by the ESFAS (LCO 3.3.2). The system also actuates on Undervoltage -

RCP bus (turbine driven AFW pump only), safety injection, and trip of all running MFW pumps (motor driven AFW pumps only).

The AFW System is discussed in the UFSAR, Section 10.3.5.2.2 (Unit 1) and Section 10.4.9 (Unit 2) (Ref. 1).

APPLICABLE The AFW System mitigates the consequences of any event with loss of SAFETY normal feedwater.

ANALYSES The design basis of the AFW System is to supply water to the SG to remove decay heat and other residual heat by delivering at least the minimum required flow rate to the SGs at pressures corresponding to the lowest MSSV set pressure plus 1%.

Beaver Valley Units 1 and 2 B 3.7.5 - 2 Revision 0

AFW System B 3.7.5 BASES APPLICABLE SAFETY ANALYSES (continued)

In addition, the AFW System must supply enough makeup water to replace the SG secondary inventory lost as the unit cools to MODE 4 conditions. Sufficient AFW flow must also be available to account for flow losses such as pump recirculation and line breaks.

The limiting Design Basis Accident (DBA) for the AFW System are loss of normal feedwater and feedwater line break.

For the loss of normal feedwater and feedwater line break, the analyses are performed assuming loss of offsite power coincident with reactor trip.

The limiting single active failure is the failure of the turbine driven AFW pump, which requires both remaining motor driven AFW pumps to be OPERABLE.

The AFW System design is such that it can perform its function following a feedwater line break (FWLB) between the MFW isolation valves and containment, combined with a loss of offsite power following turbine trip, and a single active failure of an AFW pump. Sufficient flow would be delivered to the two intact SGs by the two remaining AFW pumps. No pump runout occurs due to the cavitating venturis. Two motor driven pumps or one motor driven pump combined with the turbine driven pump can deliver the design bases flows to the intact SGs during a FWLB.

There are two distinct flows that must be delivered during a FWLB. They are prior to fault isolation (i.e., during the first 15 minutes) and subsequent to fault isolation via operator action. Any two of the three AFW pumps are capable of supplying the flows required prior and subsequent to fault isolation.

The AFW System design is such that it can perform its function following a total loss of normal feedwater. Any two of the three AFW pumps are capable of supplying the required flows to the three intact SGs during this event.

With one feedwater injection header inoperable, an insufficient number of SGs are available to meet the feedline break analysis. This analysis assumes AFW flow will be provided to the two remaining intact feedwater lines. Should a feedline break occur on one of the OPERABLE feedwater headers with one feedwater injection header already inoperable, the plant could no longer meet its safety analysis.

The ESFAS automatically actuates the AFW turbine driven pump and associated power operated valves and controls when required to ensure an adequate feedwater supply to the SGs during loss of power. Power operated valves are provided for each AFW line to control the AFW flow to each SG.

Beaver Valley Units 1 and 2 B 3.7.5 - 3 Revision 0

AFW System B 3.7.5 BASES APPLICABLE SAFETY ANALYSES (continued)

The AFW System satisfies the requirements of Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO provides assurance that the AFW System will perform its design safety function to mitigate the consequences of accidents that could result in overpressurization of the reactor coolant pressure boundary. Three AFW pumps in three trains are required to be OPERABLE to ensure the availability of decay heat removal capability for all events accompanied by a loss of offsite power and a single failure.

This is accomplished by powering two of the pumps from independent emergency buses. The third AFW pump is powered by a different means, a steam driven turbine supplied with steam from a source that is not isolated by closure of the MSIVs.

In addition, the LCO requires three feedwater injection headers to be OPERABLE. The common feedwater line injection headers must be OPERABLE to ensure the required AFW trains have the capability of providing flow to all three SGs.

The AFW System is configured into three trains. The AFW System is considered OPERABLE when the components and flow paths required to provide redundant AFW flow to the steam generators are OPERABLE.

OPERABILITY of the three feedwater trains shall consist of:

a. One motor driven AFW pump with a flow path from the PPDWST to each feedwater line injection header via the Train "A" supply header.

b. One motor driven AFW pump with a flow path from the PPDWST to each feedwater line injection header via the Train "B" supply header.

c. One turbine driven AFW pump capable of being powered from two steam supplies with a flow path from the PPDWST to each feedwater line injection header via the designated train supply header. Only two out of three steam supply lines to the turbine driven pump must be OPERABLE to provide the required redundancy.

The piping, valves, instrumentation, and controls in the required flow paths also are required to be OPERABLE.

Beaver Valley Units 1 and 2 B 3.7.5 - 4 Revision 0

AFW System B 3.7.5 BASES LCO (continued)

The LCO is modified by a Note indicating that one AFW train, which includes a motor driven pump and the required feedwater injection header(s), are required to be OPERABLE in MODE 4. One motor driven AFW train and the feedwater injection header(s) required to support flow to the SG(s) being relied on for decay heat removal are sufficient in MODE 4. The other AFW trains and injection headers are not required OPERABLE in this MODE. This is because of the reduced heat removal requirements and short period of time in MODE 4 during which the AFW is required and the insufficient steam available in MODE 4 to power the turbine driven AFW pump.

APPLICABILITY In MODES 1, 2, and 3, the AFW System is required to be OPERABLE in the event that it is called upon to function when the MFW is lost. In addition, the AFW System is required to supply enough makeup water to replace the steam generator secondary inventory, lost as the unit cools to MODE 4 conditions.

In MODE 4 the AFW System may be used for heat removal via the steam generators.

In MODE 5 or 6, the steam generators are not normally used for heat removal, and the AFW System is not required.

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable AFW train when entering MODE 1. There is an increased risk associated with entering MODE 1 with an AFW train inoperable and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

A.1 If the turbine driven AFW train is inoperable due to one inoperable steam supply in MODE 1, 2, or 3, or if a turbine driven pump is inoperable for any reason while in MODE 3 immediately following refueling, action must be taken to restore the inoperable equipment to an OPERABLE status within 7 days. The 7 day Completion Time is reasonable, based on the following reasons:

a. For the inoperability of the turbine driven AFW pump due to one inoperable steam supply in MODE 1, 2, or 3, the 7 day Completion Time is reasonable since there is a redundant steam supply line for the turbine driven pump and the turbine driven train is still capable of performing its specified function.

Beaver Valley Units 1 and 2 B 3.7.5 - 5 Revision 0

AFW System B 3.7.5 BASES ACTIONS (continued)

b. For the inoperability of a turbine driven AFW pump while in MODE 3 immediately subsequent to a refueling, the 7 day Completion Time is reasonable due to the minimal decay heat levels in this situation.

c. For both the inoperability of the turbine driven pump due to one inoperable steam supply and an inoperable turbine driven AFW pump while in MODE 3 immediately following a refueling outage, the 7 day Completion Time is reasonable due to the availability of redundant OPERABLE motor driven AFW pumps, and due to the low probability of an event requiring the use of the turbine driven AFW pump.

The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of Conditions to be inoperable during any continuous failure to meet this LCO.

The 10 day Completion Time provides a limitation time allowed in this specified Condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The AND connector between 7 days and 10 days dictates that both Completion Times apply simultaneously, and the more restrictive must be met.

Condition A is modified by a Note which limits the applicability of the Condition for an inoperable turbine driven AFW pump in MODE 3 to when the unit has not entered MODE 2 following a refueling. Condition A allows one AFW train to be inoperable for 7 days vice the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time in Condition B. This longer Completion Time is based on the reduced decay heat following refueling and prior to the reactor being critical.

B.1 and B.2 With one of the required AFW trains (pump or flow path) inoperable in MODE 1, 2, or 3 for reasons other than Condition A, action must be taken to realign OPERABLE AFW pumps to separate train supply headers within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months (if both train supply headers are OPERABLE) and to restore the AFW train to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This Condition includes the loss of two required steam supply lines to the turbine driven AFW pump. Required Action B.1 to realign the OPERABLE pumps to separate supply headers preserves train separation and enhances system reliability. The two hours allowed for this Action is reasonable based on operating experience to perform the specified task. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is reasonable, based on redundant capabilities afforded by the AFW System, time needed for repairs, and the low probability of a DBA occurring during this time period.

Beaver Valley Units 1 and 2 B 3.7.5 - 6 Revision 0

AFW System B 3.7.5 BASES ACTIONS (continued)

Required Action B.1 is modified by a Note indicating that the Required Action is only applicable if both supply headers are OPERABLE.

With one inoperable AFW pump, the remaining two AFW pumps will be aligned to separate redundant headers capable of supplying flow to each steam generator.

A realistic analysis of a loss of normal feedwater event demonstrates that one motor driven AFW pump will maintain sufficient steam generator inventory to provide a secondary heat sink and prevent the RCS from exceeding applicable pressure and temperature limits.

For Unit 1, the licensing basis has changed to a requirement for two of three AFW pumps to meet the flow requirements for the limiting DBAs.

This change was necessitated by the installation of cavitating venturis in the AFW injection paths. The venturis protect the AFW pumps from runout conditions and allow for flow to be directed to the intact steam generators during a FWLB. Cavitating venturis in each individual injection path to the steam generators ensure that sufficient flow will be delivered to the two intact steam generators during a FWLB. Since no single failures are assumed to occur while in an Action Condition, adequate flow can be supplied by the two OPERABLE AFW pumps. Based on this, the Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for one inoperable AFW pump continues to remain applicable. This change to the Unit 1 licensing basis is consistent with the original licensing basis for Unit 2.

The second Completion Time for Required Action B.2 establishes a limit on the maximum time allowed for any combination of Conditions to be inoperable during any continuous failure to meet this LCO.

The 10 day Completion Time provides a limitation time allowed in this specified Condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The AND connector between 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 10 days dictates that both Completion Times apply simultaneously, and the more restrictive must be met.

C.1 and C.2 With one of the required motor driven AFW trains (pump or flow path) inoperable in MODE 1, 2, or 3, and the turbine driven AFW train inoperable due to one inoperable steam supply in MODE 1, 2, or 3, action must be taken to restore the affected equipment to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . In this condition, the AFW System may no longer be able to meet the required flow to the SGs assumed in the safety analysis (i.e., from two AFW pumps). Even assuming no further single active Beaver Valley Units 1 and 2 B 3.7.5 - 7 Revision 0

AFW System B 3.7.5 BASES ACTIONS (continued) failures when in this Condition, the accident (a FLB or MSLB) could result in the loss of the remaining steam supply to the turbine driven AFW pump. Therefore, only a single OPERABLE AFW pump may be left to mitigate the accident.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable, based on the redundant OPERABLE steam supply to the turbine driven AFW pump, the availability of the remaining OPERABLE motor driven AFW pump, and the low probability of an event occurring that would require the inoperable steam supply to be available for the turbine driven AFW pump.

D.1 and D.2 When Required Action A.1, B.1, B.2, C.1, or C.2 cannot be completed within the required Completion Time, or

If two AFW trains are inoperable in MODE 1, 2, or 3 for reasons other than Condition C, or

If one or two feedwater injection headers are inoperable in MODE 1, 2, or 3, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and in MODE 4 within 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

In MODE 4 with two AFW trains inoperable, operation is allowed to continue because only one motor driven pump AFW train is required in accordance with the Note that modifies the LCO. If a motor driven AFW pump is not available in MODE 4 and the SG(s) are relied on for decay heat removal then Condition F is applicable. However, in MODE 4, two RHR loops may be used for decay heat removal in lieu of the SG(s) consistent with the requirements of LCO 3.4.6, "RCS Loops - MODE 4."

In MODE 4, with one or two feedwater injection headers inoperable, operation is allowed to continue because the remaining OPERABLE injection header(s) provide a flow path to the SG(s) relied on for decay heat removal. Additionally, in MODE 4, the RHR loops may be used in lieu of or to supplement the SG(s) for decay heat removal consistent with the requirements of LCO 3.4.6, "RCS Loops - MODE 4."

Beaver Valley Units 1 and 2 B 3.7.5 - 8 Revision 0

AFW System B 3.7.5 BASES ACTIONS (continued)

E.1 If all three AFW trains or if all three feedwater injection headers are inoperable in MODE 1, 2, or 3, the unit is in a seriously degraded condition with no safety related means for conducting a cooldown, and only limited means for conducting a cooldown with nonsafety related equipment. In such a condition, the unit should not be subjected to a reduction in MODE that could increase the likelihood of the AFW System being required to support heat removal. The seriousness of this condition requires that action be started immediately to restore one AFW train to OPERABLE status with the capability of providing flow to the steam generator(s).

Required Action E.1 is modified by a Note indicating that all required MODE changes are suspended until one AFW train is restored to OPERABLE status with the capability of providing flow to the steam generator(s). In this case, LCO 3.0.3 is not applicable because it could force the unit into a less safe condition.

F.1 In MODE 4, either the reactor coolant pumps or the RHR loops can be used to provide forced circulation. This is addressed in LCO 3.4.6, "RCS Loops - MODE 4." With one required AFW train or with the required feedwater injection header(s) inoperable, action must be taken to immediately restore the inoperable train to OPERABLE status with the capability of providing flow to the steam generator(s). The immediate Completion Time is consistent with LCO 3.4.6.

SURVEILLANCE For the following AFW Surveillance Requirements (SRs), constant REQUIREMENTS communications shall be established and maintained between the control room and the auxiliary feed pump room while any normal AFW pump discharge valve is closed during surveillance testing.

SR 3.7.5.1 Verifying the correct alignment for manual, power operated, and automatic valves in the AFW System water and steam supply flow paths provides assurance that the proper flow paths will exist for AFW operation. Completing verification includes re-verifying these requirements by a second and independent operator. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot Beaver Valley Units 1 and 2 B 3.7.5 - 9 Revision 0

AFW System B 3.7.5 BASES SURVEILLANCE REQUIREMENTS (continued) be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position.

The SR is modified by a Note that states one or more AFW trains may be considered OPERABLE during alignment and operation for steam generator level control, if it is capable of being manually (i.e., remotely or locally, as appropriate) realigned to the AFW mode of operation, provided it is not otherwise inoperable. This exception allows the system to be out of its normal standby alignment and temporarily incapable of automatic initiation without declaring the train(s) inoperable. Since AFW may be used during startup, shutdown, hot standby operations, and hot shutdown operations for steam generator level control, and these manual operations are an accepted function of the AFW System, OPERABILITY (i.e., the intended safety function) continues to be maintained.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.5.2 Verifying that each AFW pump's developed head at the flow test point is greater than or equal to the required developed head ensures that AFW pump performance has not degraded during the cycle. The term "required developed head" refers to the value that is assumed in the AFW safety analysis for developed head at a flow point. This value for required developed head at a flow point is defined as the Minimum Operating Point (MOP) in the INSERVICE TESTING PROGRAM. Flow and differential head are normal test parameters of centrifugal pump performance required by the ASME Code (Ref 2). Because it is undesirable to introduce cold AFW into the steam generators while they are operating, this testing is normally performed on recirculation flow. For Unit 1, the recirculation flow rate is assumed to be a fixed value since the recirculation line flow resistance remains constant. For Unit 2, the recirculation flow rate is adjusted to a specific value. This test confirms one point on the pump design curve and is indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. Performance of inservice testing as discussed in the ASME Code (Ref. 2) and the INSERVICE TESTING PROGRAM satisfies this requirement.

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions are established for testing the turbine driven AFW pump. This deferral is required because there is insufficient steam pressure to perform the test.

Beaver Valley Units 1 and 2 B 3.7.5 - 10 Revision 34

AFW System B 3.7.5 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.7.5.3 This SR verifies that AFW can be delivered to the appropriate steam generator in the event of any accident or transient that generates an ESFAS, by demonstrating that each automatic valve in the flow path actuates to its correct position on an actual or simulated actuation signal.

This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The SR is modified by two Notes. Note 1 states one or more AFW trains may be considered OPERABLE during alignment and operation for steam generator level control, if it is capable of being manually (i.e., remotely or locally, as appropriate) realigned to the AFW mode of operation, provided it is not otherwise inoperable. This exception allows the system to be out of its normal standby alignment and temporarily incapable of automatic initiation without declaring the train(s) inoperable. Since AFW may be used during startup, shutdown, hot standby operations, and hot shutdown operations for steam generator level control, and these manual operations are an accepted function of the AFW System, OPERABILITY (i.e., the intended safety function) continues to be maintained. Note 2 indicates the SR is not required to be met in MODE 4 when the steam generator(s) are relied upon for heat removal. In MODE 4, the heat removal requirements are less such that more time is available for operator action to manually initiate AFW if necessary.

SR 3.7.5.4 This SR verifies the AFW pumps will start in the event of any accident or transient that generates an ESFAS by demonstrating each AFW pump starts automatically on an actual or simulated actuation signal in MODES 1, 2, and 3. In MODE 4, the required pump's autostart feature is not required. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.7.5 - 11 Revision 29

AFW System B 3.7.5 BASES SURVEILLANCE REQUIREMENTS (continued)

This SR is modified by three Notes. Note 1 indicates the SR be deferred until suitable test conditions are established for testing the turbine driven AFW pump. This deferral is required because there is insufficient steam pressure to perform the test. Note 2 states that one or more AFW trains may be considered OPERABLE during alignment and operation for steam generator level control, if it is capable of being manually (i.e., remotely or locally, as appropriate) realigned to the AFW mode of operation, provided it is not otherwise inoperable. This exception allows the system to be out of its normal standby alignment and temporarily incapable of automatic initiation without declaring the train(s) inoperable. Since AFW may be used during startup, shutdown, hot standby operations, and hot shutdown operations for steam generator level control, and these manual operations are an accepted function of the AFW System. OPERABILITY (i.e., the intended safety function) continues to be maintained. Note 3 indicates the SR is not required to be met in MODE 4 when steam generator(s) are relied upon for heat removal. In MODE 4, the heat removal requirements are less such that more time is available for operator action to manually initiate AFW if necessary.

SR 3.7.5.5 This SR verifies the AFW is properly aligned by verifying the flow paths from the PPDWST (WT-TK-10 (Unit 1) and 2FWE-TK210 (Unit 2)) to each steam generator prior to entering MODE 2 after more than 30 cumulative days in any combination of MODE 5 or 6 or defueled.

OPERABILITY of AFW flow paths must be verified before sufficient core heat is generated that would require the operation of the AFW System during a subsequent shutdown. The Frequency is reasonable, based on engineering judgement and other administrative controls that ensure flow paths remain OPERABLE. To further ensure AFW System alignment, flow path OPERABILITY is verified following extended outages to determine no misalignment of valves has occurred. This SR ensures the flow path from the PPDWST to the steam generators is properly aligned.

REFERENCES 1. UFSAR, Section 10.3.5.2.2 (Unit 1) and Section 10.4.9 (Unit 2).

2. ASME code for Operation and Maintenance of Nuclear Power Plants.

Beaver Valley Units 1 and 2 B 3.7.5 - 12 Revision 0

PPDWST B 3.7.6 B 3.7 PLANT SYSTEMS B 3.7.6 Primary Plant Demineralized Water Storage Tank (PPDWST)

BASES BACKGROUND The PPDWST provides a safety grade source of water to the steam generators for removing decay and sensible heat from the Reactor Coolant System (RCS). The PPDWST provides a passive flow of water, by gravity, to the Auxiliary Feedwater (AFW) System (LCO 3.7.5). The steam produced is released to the atmosphere by the main steam safety valves or the atmospheric dump valves. The AFW pumps operate with recirculation to the PPDWST to ensure a minimum pump flow is maintained.

Because the PPDWST is a principal component in removing residual heat from the RCS, it is designed to withstand earthquakes and other natural phenomena, including missiles that might be generated by natural phenomena. The PPDWST is designed to Seismic Category I to ensure availability of the feedwater supply. Feedwater is also available from alternate sources.

A description of the PPDWST is found in the UFSAR, Section 10.3.5.2.2 (Unit 1) and Section 10.4.9 (Unit 2) (Ref. 1).

APPLICABLE The auxiliary feedwater pumps are normally aligned to take suction from SAFETY the PPDWST. The PPDWST provides cooling water to remove decay ANALYSES heat and to cool down the unit. Since the Engineered Safety Feature (ESF) design function requires that sufficient feedwater be available during transient and accident conditions to place the unit in a safe shutdown condition, the limiting event for the condensate volume is a loss of offsite power (LOOP) transient. In the event of a LOOP, the PPDWST inventory must be available to maintain the unit in MODE 3 for 9 hours1.041667e-4 days 0.0025 hours 1.488095e-5 weeks 3.4245e-6 months with steam discharge to the atmosphere and with no reactor coolant pumps in operation. The minimum usable volume conservatively bounds the analysis value. The minimum usable volume may be appropriately increased to account for measurement uncertainties.

The PPDWST satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Beaver Valley Units 1 and 2 B 3.7.6 - 1 Revision 0

PPDWST B 3.7.6 BASES LCO The PPDWST level required is equivalent to a usable volume of 130,000 gallons, which is based on maintaining the unit in MODE 3 for 9 hours1.041667e-4 days 0.0025 hours 1.488095e-5 weeks 3.4245e-6 months with steam discharge to the atmosphere and with no reactor coolant pumps in operation following a LOOP and subsequent reactor trip from full power.

The OPERABILITY of the PPDWST is determined by maintaining the tank level at or above the minimum required level.

APPLICABILITY In MODES 1, 2, and 3, and in MODE 4, when steam generator is being relied upon for heat removal, the PPDWST is required to be OPERABLE.

In MODE 5 or 6, the PPDWST is not required because the AFW System is not required.

ACTIONS A.1 and A.2 If the PPDWST is not OPERABLE, the OPERABILITY of the backup supply (i.e., river/service water systems) should be verified by administrative means within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months and once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter.

OPERABILITY of the backup water supply must include verification that the flow paths from the backup water supply to the AFW pumps are OPERABLE. The PPDWST must be restored to OPERABLE status within 7 days, because the backup supply may be performing this function in addition to its normal functions. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is reasonable, based on operating experience, to verify the OPERABILITY of the backup water supply. Additionally, verifying the backup water supply every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is adequate to ensure the backup water supply continues to be available. The 7 day Completion Time is reasonable, based on an OPERABLE backup water supply being available, and the low probability of an event occurring during this time period requiring the PPDWST.

B.1 and B.2 If the PPDWST cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and in MODE 4, without reliance on the steam generator for heat removal, within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

Beaver Valley Units 1 and 2 B 3.7.6 - 2 Revision 0

PPDWST B 3.7.6 BASES SURVEILLANCE SR 3.7.6.1 REQUIREMENTS This SR verifies the PPDWST contains the required usable volume of cooling water. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Section 10.3.5.2.2 (Unit 1) and Section 10.4.9 (Unit 2).

Beaver Valley Units 1 and 2 B 3.7.6 - 3 Revision 29

CCW System B 3.7.7 B 3.7 PLANT SYSTEMS B 3.7.7 Component Cooling Water (CCW) System BASES BACKGROUND The CCW System, which is commonly referred to as the Primary Component Cooling Water System for Unit 2, provides a heat sink for the removal of process and operating heat from components during normal operation. The CCW System serves as a barrier to the release of radioactive byproducts between potentially radioactive systems and the Service Water System, and thus to the environment.

The CCW System consists of two 100% capacity, cooling water trains.

Each train shares common piping headers and may be cross-tied during normal operation. The CCW System consists of three 100% capacity pumps, heat exchangers, and associated surge tank (Unit 1 utilizes one surge tank common for both trains). UFSAR, Section 9.4 (Unit 1) and Section 9.2.2.1 (Unit 2) (Ref. 1) lists the required flows for the various equipment cooled by the CCW System. The largest primary CCW heat load occurs during unit cooldown when the Residual Heat Removal (RHR) System is initially placed in operation. With the service water temperature at its maximum limit, two CCW pumps and two CCW heat exchangers can transfer the design heat loads from all components served. During most operating conditions, however, only one CCW pump is necessary to transfer the heat loads. One CCW pump motor is powered from one of the two emergency 4,160 V switchgear buses and a second CCW pump motor is powered from the other bus. The third CCW pump motor, which is not normally connected to either of the buses can be manually connected to either. Additional information on the design and operation of the CCW System, along with a list of the components served, is presented in Reference 1.

APPLICABLE The CCW System serves no Design Basis Accident (DBA) loss of coolant SAFETY accident (LOCA) mitigation function and is not a system which functions ANALYSES to mitigate the failure of or presents a challenge to the integrity of a fission product barrier. The CCW System has redundant components to ensure performance of the cooling function in the event of a single failure. The principal function of the CCW System is the removal of decay heat from the reactor via the RHR System. The RHR System does not perform a DBA mitigation function. The CCW System is not required in short term accident scenarios to provide cooling water to mitigate the consequences of DBAs. The CCW System, however, is used to supply the RHR heat exchangers, in long term DBA scenarios, with cooling water to cool the unit from RHR entry conditions to Cold Shutdown. The time required for cooldown is a function of the number of CCW and RHR trains operating, Beaver Valley Units 1 and 2 B 3.7.7 - 1 Revision 0

CCW System B 3.7.7 BASES APPLICABLE SAFETY ANALYSES (continued) the auxiliary CCW System heat loads (other than RHR), and the service water temperature. The CCW System has been identified in the probabilistic safety assessment as significant to public health and safety.

The CCW System satisfies Criterion 4 of 10 CFR 50.36 (c) (2) (ii).

LCO The CCW trains are independent of each other to the degree that each has separate controls and power supplies. Should the need arise to cooldown the unit, two trains of CCW must be OPERABLE. At least one CCW train will operate assuming the worst case single active failure occurs coincident with a loss of offsite power.

A CCW train is considered OPERABLE when:

a. The pump and associated surge tank are OPERABLE and

b. The associated piping, valves, heat exchanger, and instrumentation and controls required to perform the required function are OPERABLE.

Each CCW train is considered OPERABLE if it is operating or if it can be placed in service manually.

APPLICABILITY In MODES 1, 2, 3, and 4, the CCW System is a normally operating system. In MODE 4, the CCW System must be prepared to perform its Reactor Coolant System heat removal function, which is achieved by cooling the RHR heat exchanger.

In MODE 5 or 6, the OPERABILITY requirements of the CCW System are determined by the systems it supports.

ACTIONS A.1 Required Action A.1 is modified by a Note indicating that the applicable Conditions and Required Actions of LCO 3.4.6, "RCS Loops - MODE 4,"

be entered if an inoperable CCW train results in an inoperable RHR loop.

This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components.

If one CCW train is inoperable, action must be taken to restore it to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . In this Condition, the remaining OPERABLE CCW train is adequate to perform the heat removal function.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is reasonable, based on the redundant capabilities afforded by the OPERABLE train.

Beaver Valley Units 1 and 2 B 3.7.7 - 2 Revision 0

CCW System B 3.7.7 BASES ACTIONS (continued)

B.1 and B.2 If the CCW train cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

C.1 Condition C applies to two inoperable CCW trains. Condition C is modified by a Note that states the Condition is only applicable in MODE 4 with inadequate CCW flow to the RHR heat exchangers to support the required decay heat removal needed to maintain the unit in MODE 5. In addition, the Actions are modified by a Note that states LCO 3.0.3 and all other LCO Actions requiring a MODE change from MODE 4 to MODE 5 are suspended until adequate CCW flow to the RHR heat exchangers is established to maintain the unit in MODE 5.

With two inoperable CCW trains, LCO 3.0.3 would be applicable in MODES 1, 2, and 3 and result in the plant being placed in MODE 4.

However, without adequate RHR decay heat removal capability, transitioning to MODE 5 from MODE 4 in accordance with LCO 3.0.3 may not be possible. In this case, Condition C would be applicable in MODE 4 and would replace LCO 3.0.3 for two inoperable CCW trains. Condition C provides more appropriate Actions than LCO 3.0.3 for reaching MODE 5 when the required RHR cooling capacity is not available. If adequate RHR decay heat removal capability is available to transition from MODE 4 to MODE 5, Condition C would not be applicable and the requirements of LCO 3.0.3 would be applied until the plant reached MODE 5.

With two CCW trains inoperable and inadequate CCW flow to the RHR heat exchangers to support the required decay heat removal function, action must be initiated immediately to restore one CCW train to OPERABLE status. The action and Completion Time are reasonable, considering the required decay heat removal capacity to maintain the unit in MODE 5 is not available and the other systems available in MODE 4 to safely remove decay heat until adequate cooling capacity is restored to place and maintain the unit in MODE 5.

Beaver Valley Units 1 and 2 B 3.7.7 - 3 Revision 7

CCW System B 3.7.7 BASES SURVEILLANCE SR 3.7.7.1 REQUIREMENTS This SR is modified by a Note indicating the isolation of the CCW flow to individual components may render those components inoperable but does not affect the OPERABILITY of the CCW System.

Verifying the correct alignment for manual, power operated, and automatic valves in the CCW flow path to the RHR heat exchangers provides assurance the proper flow paths exist for CCW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves.

This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Section 9.4 (Unit 1) and Section 9.2.2.1 (Unit 2).

Beaver Valley Units 1 and 2 B 3.7.7 - 4 Revision 29

SWS B 3.7.8 B 3.7 PLANT SYSTEMS B 3.7.8 Service Water System (SWS)

BASES BACKGROUND The SWS, which is commonly referred to as the Reactor Plant River Water System for Unit 1, provides a heat sink for the removal of process and operating heat from safety related components during a Design Basis Accident (DBA) or transient. During normal operation, and a normal shutdown, the SWS also provides this function for various safety related and nonsafety related components. The safety related function is covered by this LCO.

The SWS consists of two 100% capacity, safety related, cooling water trains. There are three 100% capacity main SWS pumps capable of taking suction from the Ohio River at the intake structure supplying the two trains. For Unit 1, one SWS pump is normally operated to supply the quantity of water needed for the essential cooling requirements for all operating conditions. For Unit 2, two SWS pumps are normally operated concurrently to supply the quantity of water needed for the essential cooling requirements for all operating conditions. One SWS pump motor is powered from one of the two emergency 4,160 V switchgear buses and a second SWS pump motor is powered from the other bus. The third SWS pump motor, which is not normally connected to either of the buses can be manually connected to either. The SWS provides cooling water to such loads as the Diesel Generator Cooling System heat exchangers, the Recirculation Spray System heat exchangers, control room emergency cooling coils, charging pump lube oil coolers, and component cooling water heat exchangers. In addition, the SWS provides a source of emergency makeup water to the Auxiliary Feedwater System. Only one of three SWS pumps is needed to provide the cooling for the minimum number of components required for safe shutdown following a DBA. In the event of a DBA or transient, initiating a containment isolation phase B signal, the SWS is designed to supply sufficient cooling water to safely shutdown the unit, assuming any single active component failure coincident with a loss of offsite power (LOOP).

Additional information about the design and operation of the SWS, along with a list of the components served, is presented in the UFSAR, Section 9.9 (Unit 1) and Section 9.2.1 (Unit 2) (Ref. 1).

APPLICABLE The design basis of the SWS is for one SWS train to provide cooling to SAFETY safety related components, required for safe shutdown, following a DBA.

ANALYSES These components are listed in Reference 1. The SWS is designed to perform its function with a single failure of any active component, assuming a LOOP. The SWS, in conjunction with the Component Beaver Valley Units 1 and 2 B 3.7.8 - 1 Revision 0

SWS B 3.7.8 BASES APPLICABLE SAFETY ANALYSES (continued)

Cooling Water (CCW) System, also cools the unit from residual heat removal (RHR) entry conditions to Cold Shutdown during normal and post accident operations (Reference 2). The time required for this evolution is a function of the number of CCW and RHR System trains that are operating.

The SWS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO Two SWS trains are required to be OPERABLE to provide the required redundancy to ensure the system functions to remove post accident heat loads, assuming the worst case single active failure occurs coincident with the loss of offsite power.

An SWS train is considered OPERABLE during MODES 1, 2, 3, and 4 when:

a. The pump is OPERABLE and

b. The associated piping, valves, and instrumentation and controls required to perform the safety related function are OPERABLE.

APPLICABILITY In MODES 1, 2, 3, and 4, the SWS is a normally operating system that is required to support the OPERABILITY of the equipment serviced by the SWS and required to be OPERABLE in these MODES.

In MODES 5 and 6, the OPERABILITY requirements of the SWS are determined by the systems it supports.

ACTIONS A.1 If one SWS train is inoperable, action must be taken to restore it to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . In this Condition, the remaining OPERABLE SWS train is adequate to perform the heat removal function.

However, the overall reliability is reduced because a single failure in the OPERABLE SWS train could result in loss of SWS function. Required Action A.1 is modified by two Notes. The first Note indicates the applicable Conditions and Required Actions of LCO 3.8.1, "AC Sources -

Operating," should be entered if an inoperable SWS train results in an inoperable emergency diesel generator. The second Note indicates the applicable Conditions and Required Actions of LCO 3.4.6, "RCS Loops -

MODE 4," should be entered if an inoperable SWS train results in an inoperable decay heat removal train. This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components. The Beaver Valley Units 1 and 2 B 3.7.8 - 2 Revision 0

SWS B 3.7.8 BASES ACTIONS (continued) 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is based on the redundant capabilities afforded by the OPERABLE train, and the low probability of a DBA occurring during this time period.

B.1 and B.2 If the SWS train cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

C.1 Condition C applies to two inoperable SWS trains. Condition C is modified by a Note that states the Condition is only applicable in MODE 4 with inadequate SWS flow to the CCW heat exchangers to support the required decay heat removal needed to maintain the unit in MODE 5. In addition, the Actions are modified by a Note that states LCO 3.0.3 and all other LCO Actions requiring a MODE change from MODE 4 to MODE 5 are suspended until adequate SWS flow to the CCW heat exchangers is established to maintain the unit in MODE 5.

With two inoperable SWS trains, LCO 3.0.3 would be applicable in MODES 1, 2, and 3 and result in the plant being placed in MODE 4.

However, without adequate RHR decay heat removal capability, transitioning to MODE 5 from MODE 4 in accordance with LCO 3.0.3 may not be possible. In this case, Condition C would be applicable in MODE 4 and would replace LCO 3.0.3 for two inoperable SWS trains. Condition C provides a more appropriate Action than LCO 3.0.3 for reaching MODE 5 when the required RHR cooling capacity is not available. If adequate RHR decay heat removal capability is available to transition from MODE 4 to MODE 5, Condition C would not be applicable and the requirements of LCO 3.0.3 would be applied until the plant reached MODE 5.

With two SWS trains inoperable and inadequate SWS flow to the CCW heat exchangers to support the required decay heat removal function by the RHR System, action must be initiated immediately to restore one SWS train to OPERABLE status. The action and Completion Time are reasonable, considering the required decay heat removal capacity to maintain the unit in MODE 5 is not available and the other systems available in MODE 4 to safely remove decay heat until adequate cooling capacity is restored to place and maintain the unit in MODE 5.

Beaver Valley Units 1 and 2 B 3.7.8 - 3 Revision 7

SWS B 3.7.8 BASES SURVEILLANCE SR 3.7.8.1 REQUIREMENTS This SR is modified by a Note indicating that the isolation of the SWS components or systems may render those components inoperable, but does not affect the OPERABILITY of the SWS.

Verifying the correct alignment for manual, power operated, and automatic valves in the SWS flow path provides assurance that the proper flow paths exist for SWS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to being locked, sealed, or secured. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.8.2 This SR verifies proper automatic operation of the SWS valves on an actual or simulated actuation signal. The SWS is a normally operating system that cannot be fully actuated as part of normal testing. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.8.3 This SR verifies proper automatic operation of the SWS pumps on an actual or simulated actuation signal. The SWS is a normally operating system that cannot be fully actuated as part of normal testing during normal operation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Section 9.9 (Unit 1) and Section 9.2.1 (Unit 2).

2. UFSAR, Section 9.3 (Unit 1) and Section 5.4.7 (Unit 2).

Beaver Valley Units 1 and 2 B 3.7.8 - 4 Revision 29

UHS B 3.7.9 B 3.7 PLANT SYSTEMS B 3.7.9 Ultimate Heat Sink (UHS)

BASES BACKGROUND The UHS provides a heat sink for processing and operating heat from safety related components during a transient or accident, as well as during normal operation. This is done by utilizing the Service Water System (SWS), which is commonly referred to as the Reactor Plant River Water System for Unit 1. SWS, as used throughout this Bases, applies to both the Unit 2 SWS and the Unit 1 Reactor Plant River Water System.

The UHS for BVPS is the Ohio River as discussed in UFSAR, Section 9.9 (Unit 1) and Section 9.2.5 (Unit 2) (Ref. 1). The two principal functions of the UHS are the dissipation of residual heat after reactor shutdown, and dissipation of residual heat after an accident.

The UHS and the SWS have interfaces at the SWS intake structure and the outfall structure. The SWS inlet water temperature is unaffected by the SWS heat loads, because the outfall structure is located sufficiently downstream of the intake structures to prevent recirculation. Therefore, SWS temperatures (at the intake structure or inlet header piping) can be used to verify the required UHS temperature. The basic performance requirements are that a 30 day supply of water be available, and that the design basis temperatures of safety related equipment not be exceeded.

Additional information on the design and operation of the system, along with a list of components served, can be found in Reference 1.

APPLICABLE The UHS is the sink for heat removed from the reactor core following all SAFETY accidents and anticipated operational occurrences in which the unit is ANALYSES cooled down and placed on residual heat removal (RHR) operation.

The operating limits are based on conservative heat transfer analyses for the worst case LOCA. Reference 1 provides the details of the assumptions used in the analysis, which include worst expected meteorological conditions, conservative uncertainties when calculating decay heat, and worst case single active failure (e.g., single failure of a manmade structure). The UHS is designed in accordance with Regulatory Guide 1.27 (Ref. 2), as addressed in the UFSAR, which requires a 30 day supply of cooling water in the UHS.

The UHS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Beaver Valley Units 1 and 2 B 3.7.9 - 1 Revision 0

UHS B 3.7.9 BASES LCO The UHS is required to be OPERABLE and is considered OPERABLE if it is capable of providing a sufficient volume of water at or below the maximum temperature that would allow the SWS to operate for at least 30 days following the design basis LOCA without the loss of net positive suction head (NPSH), and without exceeding the maximum design temperature of the equipment served by the SWS. To meet this condition, the average UHS temperature should not exceed 90°F (Unit 1) and 89°F (Unit 2) and the level should not fall below 654 ft mean sea level at the intake structure during normal unit operation.

APPLICABILITY In MODES 1, 2, 3, and 4, the UHS is required to support the OPERABILITY of the equipment serviced by the UHS and required to be OPERABLE in these MODES.

In MODE 5 or 6, the OPERABILITY requirements of the UHS are determined by the systems it supports.

ACTIONS A.1 and A.2 If either the UHS temperature or level requirements are not met, the UHS is inoperable and the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.9.1 REQUIREMENTS This SR verifies adequate long term (30 day) cooling can be maintained.

The specified level also ensures sufficient NPSH is available to operate the SWS pumps. This SR verifies the UHS water level is 654 ft mean sea level at the intake structure. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.9.2 This SR verifies the SWS is available to cool the required loads during maximum accident or normal design heat loads for 30 days following a Design Basis Accident. This SR verifies the average water temperature Beaver Valley Units 1 and 2 B 3.7.9 - 2 Revision 29

UHS B 3.7.9 BASES SURVEILLANCE REQUIREMENTS (continued) of the UHS is 90°F (Unit 1) and 89°F (Unit 2). The UHS temperature can be determined from SWS temperature indicators at the intake structure or on inlet piping headers. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Section 9.9 (Unit 1) and Section 9.2.5 (Unit 2).

2. Regulatory Guide 1.27 (Unit 2) and Safety Guide 27 (Unit 1).

Beaver Valley Units 1 and 2 B 3.7.9 - 3 Revision 29

CREVS B 3.7.10 B 3.7 PLANT SYSTEMS B 3.7.10 Control Room Emergency Ventilation System (CREVS)

BASES BACKGROUND The Control Room Emergency Ventilation System (CREVS) provides a protected environment from which occupants can control the unit following an uncontrolled release of radioactivity.

BVPS has a common control room envelope (CRE) for Unit 1 and Unit 2.

The CREVS consists of pressurization fan subsystems, the CRE isolation subsystems, and a CRE boundary that limits the inleakage of unfiltered air.

The CRE is the area within the confines of the CRE boundary that contains the spaces that control room occupants inhabit to control the unit during normal and accident conditions. This area encompasses the control room, and may encompass other non-critical areas to which frequent personnel access or continuous occupancy is not necessary in the event of an accident. The CRE is protected during normal operation, natural events, and accident conditions. The CRE boundary is the combination of walls, floor, roof, ducting, doors, penetrations and equipment that physically form the CRE. The OPERABILITY of the CRE boundary must be maintained to ensure that the inleakage of unfiltered air into the CRE will not exceed the inleakage assumed in the licensing basis analysis of design basis accident (DBA) consequences to CRE occupants. The CRE and its boundary are defined in the Control Room Envelope Habitability Program.

There are three CREVS pressurization fan subsystems, one (Unit 1) and two (Unit 2). The pressurization fan subsystems draw filtered outside air into the CRE.

The CRE isolation subsystems isolate the Unit 1 and Unit 2 normal air intake and exhaust penetration flow paths by closing at least one of the two series isolation dampers in each of the four penetration flow paths.

Closure of both units' intake and exhaust isolation dampers may be initiated by an isolation signal from either unit. However, the operation of the intake and exhaust dampers at each unit is dependent upon the availability of that unit's power sources. The isolation subsystem of a CREVS train consists of all 4 isolation dampers in that train (2 per unit).

Both the Unit 1 and Unit 2 isolation dampers associated with a train are required OPERABLE for an OPERABLE CREVS train. The isolation subsystem is OPERABLE for a unit when the associated Unit 1 and Unit 2 dampers are capable of closing on that unit's required isolation signals or the damper(s) are secured closed.

Beaver Valley Units 1 and 2 B 3.7.10 - 1 Revision 7

CREVS B 3.7.10 BASES BACKGROUND (continued)

The CREVS pressurization fan subsystem located on the Unit 1 side of the combined control room consists of one manually started pressurization fan and filter subsystem that provides filtered air to pressurize the CRE. The Unit 1 pressurization fan subsystem filter consists of a prefilter, an activated charcoal adsorber section for removal of gaseous activity (principally iodines), a high efficiency particulate air (HEPA) filter, and one of the two 100% capacity Unit 1 fans. Only one of the two Unit 1 fans is required for an OPERABLE CREVS train.

The CREVS pressurization fan subsystems located on the Unit 2 side of the CRE consists of two automatically started redundant train related subsystems that draw in outside air through filters to provide filtered air to pressurize the CRE. Each pressurization fan subsystem filter consists of a moisture separator, a HEPA filter, an activated charcoal adsorber, a second HEPA filter, and a fan. A second bank of HEPA filters follows the adsorber section to collect carbon fines and provide backup in case of failure of the main HEPA filter.

For both units, ductwork, heaters, valves or dampers, and instrumentation also form part of the system.

Unit 1 can credit any two of the three available CREVS pressurization fan subsystems to meet the LCO requirement for two OPERABLE CREVS trains. However, Unit 2 can only credit the Unit 2 specific pressurization fan subsystems to meet the LCO requirement for two OPERABLE CREVS trains.

The CREVS is an emergency system, parts of which may also operate during normal unit operations in the standby mode of operation. Upon receipt of a CREVS actuating signal(s), normal unfiltered outside air supply and exhaust dampers to the CRE are closed and (for Unit 2 only) a pressurization fan subsystem is initiated and the emergency air supply damper in the operating CREVS train is opened to bring in outside air through filters to pressurize the CRE. The Unit 1 pressurization fan subsystem is manually placed in service if required. The air continues to be recirculated within the CRE by the Control Room Emergency Air Cooling System (CREACS) (LCO 3.7.11) both during normal operation and during CREVS operation.

Pressurization of the CRE minimizes infiltration of unfiltered air through the CRE boundary from all the surrounding areas adjacent to the CRE boundary. A single CREVS train operating at a flow rate of 800 to 1000 cfm will pressurize the CRE to maintain a positive pressure relative to the outside atmosphere. The CREVS operation in maintaining the CRE habitable is discussed in UFSAR, Section 9.13 (Unit 1) and Section 9.4 (Unit 2) (Ref. 1).

Beaver Valley Units 1 and 2 B 3.7.10 - 2 Revision 7

CREVS B 3.7.10 BASES BACKGROUND (continued)

Redundant CREVS trains are required OPERABLE to ensure the pressurization and filtration function can be accomplished should one train fail. Normally open isolation dampers are arranged in series pairs so that the failure of one damper to shut will not result in a breach of isolation. The CREVS is designed in accordance with Seismic Category I requirements.

The CREVS is designed to maintain a habitable environment in the CRE for 30 days of continuous occupancy after a Design Basis Accident (DBA) without exceeding 5 rem total effective dose equivalent (TEDE). This limitation is consistent with the requirements of General Design Criteria 19 of Appendix "A", 10 CFR 50 and 10 CFR 50.67.

The CREVS is automatically actuated by a containment isolation phase B (CIB) signal or a control room area high radiation signal. In addition, the CREVS can be actuated manually. The OPERABILITY requirements for the CREVS instrumentation are specified in LCO 3.3.7, "CREVS Actuation Instrumentation."

CREVS does not have automatic detection and isolation for hazardous chemicals or smoke. Refer to Applicable Safety Analyses for a discussion of the design basis of CREVS with regard to these events.

APPLICABLE The CREVS components are arranged in redundant, safety related SAFETY ventilation trains. The location of most components and ducting within ANALYSES the CRE helps to minimize air in leakage and ensures an adequate supply of filtered air to all areas requiring access. The CREVS provides airborne radiological protection for the CRE occupants, as demonstrated by the CRE habitability analyses for the most limiting DBAs: loss of coolant accident (LOCA), control rod ejection accident (CREA), and main steam line break (MSLB) accident, presented in the UFSAR, Chapter 14 (Unit 1) and Chapter 15 (Unit 2) (Ref. 2). CRE isolation and operation of CREVS was not credited in other DBAs.

The worst case single active failure of a component of the CREVS, assuming a loss of offsite power, does not impair the ability of the system to perform its design function.

The LOCA accident analysis assumes an automatic isolation of the CRE normal ventilation system following a CIB signal and subsequent manual initiation of a CREVS pressurization fan subsystem for filtered makeup and pressurization of the CRE. Although the CIB signal will automatically start one of the two Unit 2 CREVS pressurization fan subsystems, a Beaver Valley Units 1 and 2 B 3.7.10 - 3 Revision 7

CREVS B 3.7.10 BASES APPLICABLE SAFETY ANALYSES (continued) 30 minute delay to allow for manual initiation of a CREVS pressurization fan subsystem is specifically assumed in the analysis to permit the use of the Unit 1 CREVS pressurization fan subsystem which requires manual operator action to place in service (Ref. 3). The CREA and the MSLB accident analyses assume manual initiation of the emergency pressurization mode of operation of CRE ventilation (i.e., CRE ventilation isolation, filtered makeup and pressurization), within 30 minutes after the accident.

Although the CRE occupant dose calculations for the limiting DBAs (i.e.,

LOCA, CREA, and MSLB) assume that the CRE is pressurized in 30 minutes of the accident by manually actuating a pressurization fan subsystem, the specification conservatively requires automatic actuation of a Unit 2 CREVS pressurization fan subsystem.

The current safety analyses do not assume the control room area radiation monitors provide a CREVS actuation signal for any DBA.

However, requirements for the automatic initiation of CREVS (both isolation and pressurization fan subsystems) on high radiation are retained in the Technical Specifications in case this automatic function is required to support the assumptions of a fuel handling accident analysis for the movement of recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ) or the movement of fuel over recently irradiated fuel consistent with the guidance of NUREG-1431 (Ref. 4).

An automatic start time delay is included in the initiation circuitry of the Unit 2 CREVS pressurization fan subsystems. The basis for this time delay includes the following considerations:

1. The delay times prevent loading of the pressurization fans onto the emergency busses until after the emergency diesel generator load sequencing is completed.

2. The pressurization fan delay times are staggered to ensure only one fan will be operating.

3. A pressurization fan is started early to minimize dose to the operators.

4. The delay times are selected such that sufficient time will be available for the manual initiation of a pressurization fan subsystem within 30 minutes after an accident should a pressurization fan fail to start.

Beaver Valley Units 1 and 2 B 3.7.10 - 4 Revision 7

CREVS B 3.7.10 BASES APPLICABLE SAFETY ANALYSES (continued)

An evaluation of all chemical hazards from onsite, offsite, and transportation sources has determined that the probability of a hazardous chemical spill resulting in unacceptable exposures was less than NRC design basis criteria. As a result, the plant design basis as described in BVPS Unit 2 UFSAR, Section 2.2.3.1.2 and 6.4.4.2 (Ref. 5) does not postulate any hazardous chemical release events. Therefore, physical provisions for protection against hazardous chemicals are not required and CRE inleakage of hazardous chemicals would be limited by the inleakage rate established for radiological events. If a hazardous chemical release were identified to be onsite, the CRE would be manually isolated to minimize CRE inleakage as a defense in depth measure, by closing all supply and exhaust dampers and verifying that CREVS is not in operation. Technical Specification Amendment No. 233 (Unit 1) and No. 115 (Unit 2) (Ref. 6) removed the control room chlorine detection system. In addition, Amendment No. 257 (Unit 1) and No. 139 (Unit 2)

(Ref. 7) which removed the bottled air pressurization system, confirmed that the ability to manually isolate the CRE is sufficient to justify removal of these systems with respect to hazardous chemical events.

In the event of a fire outside the control room, the CRE would be manually isolated to minimize CRE inleakage. If the ability of CRE occupants to remain in the control room is compromised, then remote shutdown locations are available. Therefore, no quantitative limits for CRE inleakage of smoke have been established. Technical Specification Amendment No. 257 (Unit 1) and No. 139 (Unit 2) (Ref. 7) which removed the bottled air pressurization system, confirmed that the ability to manually isolate the CRE in combination with availability of self-contained breathing apparatus is sufficient to justify removal of the system with respect to a smoke event. Therefore, a smoke challenge will not result in the inability of the CRE occupants to control the reactor either from the control room or from the remote shutdown panels.

The CREVS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO Two CREVS trains including the associated train related inlet and exhaust isolation dampers are required to be OPERABLE to ensure that at least one train is available if a single active failure disables the other train. A combination of two out of three CREVS pressurization fan subsystems from either Unit 1 or Unit 2 satisfies the LCO requirement for Unit 1. Only the Unit 2 CREVS pressurization fan subsystems may be used to satisfy the LCO requirement for Unit 2.

Beaver Valley Units 1 and 2 B 3.7.10 - 5 Revision 7

CREVS B 3.7.10 BASES LCO (continued)

The OPERABILITY of CREVS ensures that the CRE will remain habitable with respect to potential radiation hazards for operations personnel during and following all credible accident conditions. The OPERABILITY of this system is based on limiting the radiation exposure to personnel occupying the CRE to 5 rem TEDE. This limitation is consistent with the requirements of General Design Criteria 19 of Appendix "A", 10 CFR 50 and 10 CFR 50.67. Total system failure, such as from a loss of all ventilation trains or from an inoperable CRE boundary, could result in exceeding these dose limits in the event of a large radioactive release.

Each CREVS train is considered OPERABLE when the individual components necessary to limit CRE occupant exposure are OPERABLE.

A CREVS train is OPERABLE when the associated:

a. Fan is OPERABLE (including required automatic start capability for Unit 2 fans),

b. HEPA filters and charcoal adsorbers are not excessively restricting flow, and are capable of performing their filtration functions, and

c. Heater, prefilter (Unit 1), moisture separator (Unit 2), ductwork, valves, and dampers are OPERABLE (i.e., capable of supporting pressurization of the CRE when a CREVS train is actuated). This includes:

1) In MODES 1, 2, 3, and 4, the series normal air intake and exhaust isolation dampers for both units must be OPERABLE and capable of automatic closure on a CIB actuation signal. The series normal air intake and exhaust isolation dampers for both units may also be considered OPERABLE when secured in a closed position with power removed.

2) During fuel assembly movement involving recently irradiated fuel assemblies, the series normal air intake and exhaust isolation dampers for both units must be OPERABLE and capable of automatic initiation by a control room high radiation signal. The series air intake and exhaust isolation dampers for both units may also be considered OPERABLE when secured in a closed position with power removed.

LCO 3.3.7, "CREVS Actuation Instrumentation," contains the OPERABILITY, ACTION, and Surveillance Requirements for the CREVS actuating instrumentation.

Beaver Valley Units 1 and 2 B 3.7.10 - 6 Revision 7

CREVS B 3.7.10 BASES LCO (continued)

In order for the CREVS trains to be considered OPERABLE, the CRE boundary must be maintained such that the CRE occupant dose from a large radioactive release does not exceed the calculated dose in the licensing basis consequence analyses for DBAs, and that CRE occupants are protected from hazardous chemicals and smoke.

The LCO is modified by a Note allowing the CRE boundary to be opened intermittently under administrative controls. This Note only applies to openings in the CRE boundary that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access panels. For entry and exit through doors, the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings (hatches, access panels, floor plugs, etc.), these controls should be proceduralized and consist of stationing a dedicated individual at the opening who is in continuous communication with the operators in the CRE. This individual will have a method to rapidly close the opening and to restore the CRE boundary to a condition equivalent to the design condition when a need for CRE isolation is indicated. If the above conditions for utilizing the LCO Note cannot be met, then Action B should be entered.

APPLICABILITY In MODES 1, 2, 3, 4, and during the movement of recently irradiated fuel assemblies (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ) and the movement of fuel assemblies over recently irradiated fuel assemblies, the CREVS is required to be OPERABLE to ensure that the CRE will remain habitable during and following a DBA.

In MODES 5 and 6, when no fuel movement involving recently irradiated fuel is taking place, there are no requirements for CREVS OPERABILITY consistent with the safety analyses assumptions applicable in these MODES. A fuel handling accident (FHA) involving non-recently irradiated fuel will result in radiation exposure, to personnel occupying the CRE, that is within the guideline values specified in 10 CFR 50.67 without any reliance on the requirements of this Specification to limit personnel exposure.

This LCO is applicable during movement of recently irradiated fuel assemblies (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ) and during movement of fuel assemblies over recently irradiated fuel assemblies. During fuel movement involving recently irradiated fuel there is a potential for a limiting FHA for which the requirements of this Specification may be necessary to limit radiation exposure to personnel occupying the CRE to within the requirements of Beaver Valley Units 1 and 2 B 3.7.10 - 7 Revision 7

CREVS B 3.7.10 BASES APPLICABILITY (continued) 10 CFR 50.67. Although the movement of recently irradiated fuel is not currently permitted, these requirements are retained in the Technical Specifications in case the CREVS is necessary to support the assumptions of a safety analysis for fuel movement involving recently irradiated fuel, consistent with the guidance of Reference 4.

ACTIONS A.1 When one required CREVS train is inoperable for reasons other than an inoperable CRE boundary (this action includes one or more of the associated train related series isolation dampers inoperable), action must be taken to restore it to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE CREVS train (including the associated train of isolation dampers) is adequate to perform the CRE occupant radiation protection function. However, the overall reliability is reduced because a failure in the OPERABLE CREVS train could result in loss of CREVS function. The 7 day Completion Time is based on the low probability of a DBA occurring during this time, and the ability of the remaining train to provide the required safety function.

B.1, B.2, and B.3 If the unfiltered inleakage of potentially contaminated air past the CRE boundary and into the CRE can result in CRE occupant radiological dose greater than the calculated dose of the licensing basis analyses of DBA consequences (allowed to be up to 5 rem TEDE), or inadequate protection of CRE occupants from hazardous chemicals or smoke, the CRE boundary is inoperable. As discussed in the Applicable Safety Analyses section, the current licensing basis identifies that CRE inleakage limits for hazardous chemicals and smoke are not necessary to protect CRE occupants; therefore, the limit established for radiological events is the limiting value for determining entry into Condition B for an inoperable CRE boundary. Actions must be taken to restore an OPERABLE CRE boundary within 90 days.

During the period that the CRE boundary is considered inoperable, action must be initiated to implement mitigating actions to lessen the effect on CRE occupants from the potential hazards of a radiological or chemical event or a challenge from smoke. Actions must be taken within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to verify that in the event of a DBA, the mitigating actions will ensure that CRE occupant radiological exposures will not exceed the calculated dose of the licensing basis analyses of DBA consequences, and that the CRE occupants are protected from hazardous chemicals and smoke. These Beaver Valley Units 1 and 2 B 3.7.10 - 8 Revision 7

CREVS B 3.7.10 BASES ACTIONS (continued) mitigating actions (i.e., actions that are taken to offset the consequences of the inoperable CRE boundary) should be preplanned for implementation upon entry into the condition, regardless of whether entry is intentional or unintentional. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable based on the low probability of a DBA occurring during this time period, and the use of mitigating actions. The 90 day Completion Time is reasonable based on the determination that the mitigating actions will ensure protection of CRE occupants within analyzed limits while limiting the probability that CRE occupants will have to implement protective measures that may adversely affect their ability to control the reactor and maintain it in a safe shutdown condition in the event of a DBA. In addition, the 90 day Completion Time is a reasonable time to diagnose, plan and possibly repair, and test most problems with the CRE boundary.

C.1 and C.2 In MODE 1, 2, 3, or 4, if the inoperable CREVS train or the CRE boundary cannot be restored to OPERABLE status within the required Completion Time the unit must be placed in a MODE that minimizes accident risk. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and in MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

D.1 and D.2 During fuel movement involving recently irradiated fuel assemblies, if an inoperable CREVS train cannot be restored to OPERABLE status within the required Completion Time, the OPERABLE CREVS train must immediately be placed in the emergency pressurization mode of operation. This action requires the CRE ventilation isolation dampers to be closed and the CRE to be pressurized by the operating CREVS train.

This action ensures that the remaining train is OPERABLE, that no failures preventing automatic actuation will occur, and that any active failure would be readily detected.

An alternative action is to immediately suspend activities that could result in a release of radioactivity that might require isolation of the CRE. This involves suspending movement of recently irradiated fuel assemblies and suspending movement of fuel assemblies over recently irradiated fuel assemblies. This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel to a safe position.

Beaver Valley Units 1 and 2 B 3.7.10 - 9 Revision 7

CREVS B 3.7.10 BASES ACTIONS (continued)

E.1 During fuel movement involving recently irradiated fuel assemblies, if two required CREVS trains are inoperable or with one or more required CREVS trains inoperable due to an inoperable CRE boundary, action must be taken immediately to suspend activities that could result in a release of radioactivity that might require isolation of the CRE. Two inoperable trains also include the conditions of one or more inoperable series isolation dampers in both trains or one or more inoperable series isolation dampers in one train and the opposite CREVS train inoperable.

This Action involves suspending movement of recently irradiated fuel assemblies and suspending movement of fuel assemblies over recently irradiated fuel assemblies. This places the unit in a condition that minimizes the accident risk. This Action does not preclude the movement of fuel to a safe position.

F.1 If both required CREVS trains are inoperable in MODES 1, 2, 3, or 4 for reasons other than an inoperable CRE boundary (i.e., Condition B) the CREVS may not be capable of performing the intended function and the unit is in a condition outside the accident analyses. Two inoperable trains also include the conditions of one or more inoperable series isolation dampers in both trains or one or more inoperable series isolation dampers in one train and the opposite CREVS train inoperable. In this condition, Specification 3.0.3 must be entered immediately.

SURVEILLANCE SR 3.7.10.1 REQUIREMENTS Standby systems should be checked periodically to ensure that they function properly. As the environment and normal operating conditions on this system are not severe, testing each train once every month provides an adequate check of this system. The CREVS fan and filter flow path is operated for 15 minutes by initiating flow through the HEPA filter and charcoal adsorber train with heaters operating to ensure that they function properly. This Surveillance does not require that the CRE be isolated in order to verify fan and filter flow path functionality. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.7.10 - 10 Revision 29

CREVS B 3.7.10 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.7.10.2 This SR verifies that the required CREVS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing the performance of the HEPA filter, charcoal adsorber efficiency, minimum flow rate, and the physical properties of the activated charcoal. Specific test Frequencies and additional information are discussed in detail in the VFTP.

SR 3.7.10.3 This SR verifies that each CREVS train operates as required on an actual or simulated containment isolation phase B actuation signal (only required in MODES 1, 2, 3, and 4) and control room high radiation actuation signal (only required for fuel movement involving recently irradiated fuel). The actuation testing includes verification that each train of series air intake and exhaust isolation dampers for both units close to isolate the CRE from the outside atmosphere. In addition, for Unit 2, the automatic start (following a time delay) of each CREVS pressurization fan subsystem supplying air to pressurize the CRE through the HEPA filters and charcoal adsorber banks is verified. For Unit 1, an automatic start of the CREVS pressurization fan subsystem is not required since the Unit 1 subsystem is placed in service by manual operator action.

LCO 3.3.7, "CREVS Actuation Instrumentation," contains the OPERABILITY requirements including the Applicability, ACTION, and Surveillance Requirements for the CREVS actuating instrumentation.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.10.4 This SR verifies the OPERABILITY of the CRE boundary by testing for unfiltered air inleakage past the CRE boundary and into the CRE. The details of the testing are specified in the Control Room Envelope Habitability Program.

The CRE is considered habitable when the radiological dose to CRE occupants calculated in the licensing basis analyses of DBA consequences is no more than 5 rem TEDE. This SR verifies that the unfiltered air inleakage into the CRE is no greater than the flow rate assumed in the licensing basis analyses of DBA consequences. When unfiltered air inleakage is greater than the assumed flow rate, Condition B Beaver Valley Units 1 and 2 B 3.7.10 -11 Revision 29

CREVS B 3.7.10 BASES SURVEILLANCE REQUIREMENTS (continued) must be entered. Required Action B.3 allows time to restore the CRE boundary to OPERABLE status provided mitigating actions can ensure that the CRE remains within the licensing basis habitability limits for the occupants following an accident. Compensatory measures are discussed in Regulatory Guide 1.196, Section C.2.7.3, (Ref. 8) which endorses, with exceptions, NEI 99-03, Section 8.4 and Appendix F (Ref. 9). These compensatory measures may also be used as mitigating actions as required by Required Action B.2. Temporary analytical methods may also be used as compensatory measures to restore OPERABILITY (Ref. 10).

Options for restoring the CRE boundary to OPERABLE status include changing the licensing basis DBA consequence analysis, repairing the CRE boundary, or a combination of these actions. Depending upon the nature of the problem and the corrective action, a full scope inleakage test may not be necessary to establish that the CRE boundary has been restored to OPERABLE status.

REFERENCES 1. UFSAR, Section 9.13 (Unit 1) and Sections 6.4 and 9.4 (Unit 2).

2. UFSAR, Section 14 (Unit 1) and Chapter 15 (Unit 2).

3. UFSAR Table 14.1-1A (Unit 1) and UFSAR Table 15.0-13 (Unit 2).

4. NUREG-1431, Rev. 2, Standard Technical Specifications for Westinghouse Plants.

5. UFSAR, Sections 2.2.3.1.2 and 6.4.4.2 (Unit 2).

6. Amendment No. 233 (Unit 1) and Amendment No. 115 (Unit 2),

September 7, 2000.

7. Amendment No. 257 (Unit 1) and Amendment No. 139 (Unit 2),

September 10, 2003.

8. Regulatory Guide 1.196.

9. NEI 99-03, "Control Room Habitability Assessment," June 2001.

10. Letter from Eric J. Leeds (NRC) to James W. Davis (NEI) dated January 30, 2004, "NEI Draft White Paper, Use of Generic Letter 91-18 Process and Alternative Source Terms in the Context of Control Room Habitability." (ADAMS Accession No. ML040300694).

Beaver Valley Units 1 and 2 B 3.7.10 -12 Revision 26

CREACS B 3.7.11 B 3.7 PLANT SYSTEMS B 3.7.11 Control Room Emergency Air Cooling System (CREACS)

BASES BACKGROUND The Control Room Emergency Air Cooling System (CREACS) provides

1) a control room heat removal function following isolation of the control room, and 2) control room atmosphere purge capability for the combined units main control room. The heat removal function ensures that the control equipment qualification is maintained following isolation of the control room. The purge function is necessary to limit the dose received by control room personnel following certain design basis accidents (DBAs). Each unit has its own CREACS. Each units CREACS consists of a single ventilation air intake and two independent and redundant trains consisting of river/service water emergency cooling coils, ventilation ducts, fans and fan controls. However, the CREACS trains share common ventilation ductwork and normal air inlet and exhaust flow paths.

The CREACS heat removal function is discussed in the UFSAR, Section 9.13 (Unit 1) and Section 9.4 (Unit 2) (Ref. 1). The CREACS control room atmosphere purge function is discussed in the UFSAR, Table 14.1-1A (Unit 1) and Table 15.0-13 (Unit 2) (Ref. 2).

The CREACS is an emergency system, parts of which operate during normal unit operations. A single train of CREACS on each unit is capable of maintaining its side of the combined control room at the equipment design limit of 120°F. A single train of CREACS from either unit is capable of providing adequate control room atmosphere purge capability to meet either units DBA requirements.

APPLICABLE The design basis of the CREACS heat removal function is to provide SAFETY emergency air cooling for the control room to maintain the temperature ANALYSES within the equipment design limit for a mild environment (120°F) following certain DBAs when the control room is isolated. The CREACS also provides an atmosphere purge function for the control room following certain DBAs. Only manual actuation is credited for both CREACS functions at each unit.

The CREACS components are arranged in redundant, safety related trains. A single active failure of a component of the CREACS, with a loss of offsite power, does not impair the ability of the system to perform its design function. The CREACS is designed in accordance with Seismic Category I requirements.

During normal and emergency control room operation, the control room air cooling is usually maintained by the non safety related air conditioning equipment which is integral to the control room ventilation systems.

Beaver Valley Units 1 and 2 B 3.7.11 - 1 Revision 26

CREACS B 3.7.11 BASES APPLICABLE SAFETY ANALYSES (continued)

During emergency operation when the control room is isolated, the safety related CREACS is manually initiated to provide air cooling to maintain the temperature 120°F when the normal non safety related air conditioning becomes unavailable. The CREACS is capable of removing sensible and latent heat loads from the control room, which include consideration of equipment heat loads to ensure equipment OPERABILITY. The CREACS heat removal function is only required following post-DBA isolation of the control room (when control room isolation is required to meet radiological dose analysis requirements) and the normal non safety related air conditioning equipment is unavailable.

The heat removal function of CREACS is credited in DBAs for MODES 1, 2, 3, and 4 (e.g., the loss of coolant accident (LOCA), the main steam line break (MSLB) and control rod ejection DBAs for both units require control room isolation). Since neither unit requires control room isolation (and hence the control room heat function of CREACS) to meet its fuel handling accident (FHA) DBA nor requires control room isolation following any other DBA in MODES 5 and 6 (e.g., waste gas tank rupture DBA), the heat removal function of CREACS is not required in MODES 5 and 6 or during fuel movement involving non-recently irradiated fuel.

The design basis of the CREACS control room ventilation purge function ensures the capability to manually purge the air from the control room for selected DBAs to ensure acceptable dose consequences to the control room personnel following a DBA.

For both Unit 1 and Unit 2, the MSLB and steam generator tube rupture (SGTR) accident analyses credit a manually initiated 30 minute control room ventilation purge at a flow rate of 16,200 cfm after the accident sequence is complete and the environmental release has been terminated. Also for Unit 1 only, the FHA analysis for fuel movement involving non-recently irradiated fuel credits a manually initiated 30 minute control room ventilation purge at a flow rate of 16,200 cfm after the accident sequence is complete and the environmental release has been terminated. The dose consequence analyses assume that for the MSLB, the SGTR, and the Unit 1 FHA, control room purge is initiated at T=24 hours, T=8 hours and T=2 hours after accident initiation, respectively.

Only Unit 1 requires the purge function of CREACS during fuel movement involving non-recently irradiated fuel. Therefore, the purge function of CREACS is required for Unit 1 during fuel movement involving non-recently irradiated fuel. Thus, the control room ventilation purge functions of CREACS are credited in DBAs for MODES 1, 2, 3, and 4 at both units, and for fuel movement involving non-recently irradiated fuel assemblies at Unit 1.

Beaver Valley Units 1 and 2 B 3.7.11 - 2 Revision 0

CREACS B 3.7.11 BASES APPLICABLE SAFETY ANALYSES (continued)

This LCO is also applicable for both units during movement of recently irradiated fuel assemblies (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ) and during movement of fuel assemblies over recently irradiated fuel assemblies. The requirement for recently irradiated fuel assemblies is included because there is a potential for a limiting FHA for which the requirements of this Specification may be necessary to limit radiation exposure to personnel occupying the control room to within the requirements of 10 CFR 50.67. Although the movement of recently irradiated fuel is not currently permitted for either unit, the requirements for both the temperature control and purge functions are retained in the Technical Specifications in case the CREACS functions are necessary to support the assumptions of a safety analysis for fuel movement involving recently irradiated fuel, consistent with the guidance of NUREG-1431 (Ref. 3).

The CREACS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The Unit 1 FHA analysis does not require control room isolation to limit the dose to control room personnel to within the required limits.

Therefore, a Note modifying the LCO requirement is included to clarify that the Unit 1 CREACS heat removal function is not required OPERABLE to support fuel movement involving non-recently irradiated fuel. Only the purge function of the Unit 1 CREACS is required to support fuel movement involving non-recently irradiated fuel as only the purge function is required in the Unit 1 accident analysis to limit dose. The Note is only applicable to Unit 1 because operation of the Unit 2 CREACS is not required by the Unit 2 FHA analysis for fuel movement involving non-recently irradiated fuel. Therefore, operation of the Unit 2 CREACS is not required to limit the dose to control room personnel from a FHA involving non-recently irradiated fuel.

Two trains of the CREACS are required to be OPERABLE to ensure that at least one is available, assuming a single failure disabling the other train. Total system failure of the heat removal function could result in the equipment operating temperature exceeding limits in the event of an accident. Total system failure of the control room atmosphere purge function could result in exceeding a dose of 5 rem TEDE to the control room operator in the event of a large radioactive release following a MSLB, SGTR, or a Unit 1 FHA.

Beaver Valley Units 1 and 2 B 3.7.11 - 3 Revision 0

CREACS B 3.7.11 BASES LCO (continued)

With regard to the control room atmospheric purge function only, the LCO requirement for two OPERABLE CREACS trains may be met by crediting OPERABLE Unit 1 train(s) for Unit 2 and crediting OPERABLE Unit 2 train(s) for Unit 1. The control room atmospheric purge flow requirements for each unit are the same and the control room envelope is common.

Therefore, the purge flow assumed in the DBA analysis may be accomplished by the manual initiation of a CREACS train from either unit.

The CREACS is considered to be OPERABLE when the individual components necessary to maintain the control room temperature 120°F (when the control room is isolated) and to provide the control room ventilation purge function at the required flow rate are OPERABLE in two trains. These components include the river/service water emergency cooling coils, necessary ductwork and associated dampers, fans, and associated fan controls. The capability to manually operate the components of the CREACS is all that is required for OPERABILITY. In addition, the CREACS must be OPERABLE to the extent that air circulation necessary for the required temperature control can be maintained.

APPLICABILITY CREACS must be OPERABLE in MODES 1, 2, 3, and 4 at either unit and during fuel movement involving recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ) at either unit. The CREACS ensures that control room temperatures will not exceed equipment operational requirements and that the control room ventilation is capable of purging the control room atmosphere after a DBA to maintain dose within the limit.

For Unit 1 only, during movement of non-recently irradiated fuel assemblies and during movement of fuel assemblies over non-recently irradiated fuel assemblies, the ventilation purge function of CREACS must be OPERABLE. The Unit 1 temperature control function of CREACS is not required OPERABLE during fuel movement involving non-recently irradiated fuel because the Unit 1 FHA analysis does not require control room isolation to limit dose.

CREACS is not required in MODES 5 or 6 at either unit during no fuel movement nor is it required during fuel movement involving non-recently irradiated fuel movement at Unit 2.

Beaver Valley Units 1 and 2 B 3.7.11 - 4 Revision 0

CREACS B 3.7.11 BASES ACTIONS A.1 With one CREACS train inoperable, action must be taken to restore OPERABLE status within 30 days. In this Condition, the remaining OPERABLE CREACS train is adequate to maintain the control room temperature 120°F when the control room is isolated and provide the required control room atmosphere purge function. However, the overall reliability is reduced because a single failure in the OPERABLE CREACS train could result in loss of CREACS function. The 30 day Completion Time is based on the low probability of an event requiring control room isolation or purge, the consideration that the remaining train can provide the required protection, and that alternate safety or nonsafety related means of cooling the control room air and of purging the control room atmosphere are available.

B.1 and B.2 In MODE 1, 2, 3, or 4, if the inoperable CREACS train cannot be restored to OPERABLE status within the required Completion Time, the unit must be placed in a MODE that minimizes the risk. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and in MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

C.1 and C.2 Condition C is modified by two Notes indicating the applicability of this Condition to each unit. Note 1 states that the Condition is only applicable to Unit 1 during movement of irradiated fuel assemblies and fuel assemblies over irradiated fuel assemblies. Note 2 states that this Condition is only applicable to Unit 2 during movement of recently irradiated fuel assemblies and fuel assemblies over recently irradiated fuel assemblies. If the inoperable CREACS train cannot be restored to OPERABLE status within the required Completion Time, the OPERABLE CREACS train must be placed in operation immediately. This action requires that the OPERABLE CREACS ventilation fan be in service and circulating control room air, and if the heat removal function is required by the LCO, with river/service water being supplied to the emergency cooling coils. This action ensures the remaining train is OPERABLE and active failures will be readily detected.

An alternative to Required Action C.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the control room or a purge of the control room atmosphere.

Beaver Valley Units 1 and 2 B 3.7.11 - 5 Revision 0

CREACS B 3.7.11 BASES ACTIONS (continued)

This involves suspending movement of irradiated fuel assemblies and suspending movement of fuel assemblies over irradiated fuel assemblies.

This places the unit in a condition that minimizes accident risk. This does not preclude the movement of fuel to a safe position.

D.1 Condition D is modified by two Notes indicating the applicability of this Condition to each unit. Note 1 states that the Condition is only applicable to Unit 1 during movement of irradiated fuel assemblies and fuel assemblies over irradiated fuel assemblies. Note 2 states that this Condition is only applicable to Unit 2 during movement of recently irradiated fuel assemblies and fuel assemblies over recently irradiated fuel assemblies. With two CREACS trains inoperable, action must be taken immediately to suspend activities that could result in a release of radioactivity that might require isolation of the control room or a purge of the control room atmosphere. This involves suspending movement of irradiated fuel assemblies and suspending movement of fuel assemblies over irradiated fuel assemblies. This places the unit in a condition that minimizes risk. This does not preclude the movement of fuel to a safe position.

E.1 If both CREACS trains are inoperable in MODE 1, 2, 3, or 4, the control room CREACS may not be capable of performing its intended function.

Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE SR 3.7.11.1 REQUIREMENTS This SR verifies the heat removal capability of the system is sufficient to remove the required heat load to maintain the control room temperature within the equipment design limit ( 120°F). The verification of the CREACS heat removal capability consists of a combination of river/service water flow measurement, fan performance, and mechanical cleaning and inspections of the river/service water cooling coils.

This SR also verifies the control room atmosphere purge capability of the system is sufficient to remove air from the control room for the DBAs that require a control room purge to limit dose. The control room purge capability is verified by assuring each train of CREACS can be aligned to purge the control room atmosphere and can achieve the required purge flow rate of 16,200 cfm. This part of the SR may be accomplished by Beaver Valley Units 1 and 2 B 3.7.11 - 6 Revision 0

CREACS B 3.7.11 BASES SURVEILLANCE REQUIREMENTS (continued) measuring fan performance during normal system alignment to verify the fan's capability to purge the control room at the required flow rate. The ability of the required dampers to be aligned for a control room purge can be verified by observing partial movement of the dampers. Realignment of the CREACS to the purge mode of operation and measuring the actual purge flow rate is not required to satisfy this SR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Section 9.13 (Unit 1) and Section 9.4 (Unit 2).

2. UFSAR, Table 14.1-1A (Unit 1) and Table 15.0-13 (Unit 2).

3. NUREG-1431, Rev. 2, Standard Technical Specifications for Westinghouse Plants.

Beaver Valley Units 1 and 2 B 3.7.11 - 7 Revision 29

SLCRS B 3.7.12 B 3.7 PLANT SYSTEMS B 3.7.12 Supplemental Leak Collection and Release System (SLCRS)

BASES BACKGROUND SLCRS filters airborne radioactivity from the containment building (Unit 1 only) and the fuel building (both Units) following a fuel handling accident involving recently irradiated fuel. This ensures that, prior to release to the environment, the exhaust from these areas in the event of a fuel handling accident is limited to radioactive releases within 10 CFR 50.67 (Ref. 1) limits. For Unit 1, the SLCRS train consists of a prefilter, an activated charcoal adsorber section for removal of gaseous activity (principally iodines), a high efficiency particulate air (HEPA) filter, and a filter exhaust fan. Ductwork, valves or dampers, and instrumentation also form part of the system. For Unit 2, the SLCRS train consists of a heater, a demister, a HEPA filter, an activated charcoal adsorber section for removal of gaseous activity (principally iodines), and a filter exhaust fan. Ductwork, valves or dampers, and instrumentation also form part of the system, as well as demisters functioning to reduce the relative humidity of the air stream. For Unit 2 only, a second bank of HEPA filters follows the adsorber section to collect carbon fines and provides a backup in case the main HEPA filter bank fails. The downstream HEPA filter is not credited in the accident analysis, but serves to collect charcoal fines, and to back up the upstream HEPA filter should it develop a leak.

The SLCRS is discussed in References 2 and 3. The SLCRS may be used for normal, as well as post accident, atmospheric cleanup functions.

During normal operation, the SLCRS provides ventilation to the areas it serves.

APPLICABLE During fuel handling operations, the postulated event that results in the SAFETY most severe radiological consequences is a fuel handling accident ANALYSES (Ref. 4). The limiting fuel handling accident analyzed in Reference 4, includes dropping a single irradiated fuel assembly and handling tool (conservatively estimated at 2500 pounds) directly onto another irradiated fuel assembly resulting in both assemblies being damaged. The analysis assumes a 100 hour0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months decay time prior to moving irradiated fuel.

The applicable limits for offsite and control room dose from a fuel handling accident are specified in 10 CFR 50.67. Standard Review Plan, Section 15.0.1, Rev 0 (Ref. 5) provides an additional offsite dose criteria of 6.3 rem total effective dose equivalent (TEDE) for fuel handling accidents.

Beaver Valley Units 1 and 2 B 3.7.12 - 1 Revision 0

SLCRS B 3.7.12 BASES APPLICABLE SAFETY ANALYSES (continued)

The water level requirements of LCO 3.7.15, "Fuel Storage Pool Water Level," in conjunction with a minimum decay time of 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months prior to irradiated fuel movement, ensure the resulting offsite and control room dose from the limiting fuel handling accident is within the limits required by 10 CFR 50.67 and within the acceptance criteria of Reference 5 without the need for containment and fuel building closure or filtration.

Therefore, the SLCRS requirements contained in LCO 3.7.12 are only applicable during refueling operations involving recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ). Current requirements based on the decay time of the fuel prevent the movement of recently irradiated fuel. However, the requirements for SLCRS are retained in the Technical Specifications in case these requirements are necessary to support fuel movement involving recently irradiated fuel consistent with the guidance of NUREG-1431 (Ref. 6).

The SLCRS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO limits the consequences of a fuel handling accident involving recently irradiated fuel in the containment (Unit 1 only) and the fuel storage pool (both units) by limiting the potential escape paths for fission product radioactivity. One train of the SLCRS exhausting from the fuel building and/or for Unit 1, the containment is required to be OPERABLE and in operation during fuel movement involving recently irradiated fuel with the required area exhaust flow discharging through the SLCRS HEPA filters and charcoal adsorbers. This ensures that air, prior to release to the environment, is being filtered during fuel movement within the fuel storage pool and/or, for Unit 1 only, during fuel movement within the containment when required in accordance with LCO 3.9.3.c.3.

System failure could result in the atmospheric release from SLCRS exceeding 10 CFR 50.67 limits in the event of a fuel handling accident involving recently irradiated fuel. The SLCRS is considered OPERABLE when individual components ensure the radioactivity released in the areas of the containment (Unit 1 only) and the fuel building is filtered through the SLCRS and that fuel building doors are closed.

A SLCRS train is considered OPERABLE when its associated:

a. Fan is OPERABLE,

b. HEPA filter and charcoal adsorbers are not excessively restricting flow, and are capable of performing their filtration functions, and

c. Heater (Unit 2 only), demister (Unit 2 only), ductwork, valves, and dampers are OPERABLE and air flow can be maintained.

Beaver Valley Units 1 and 2 B 3.7.12 - 2 Revision 29

SLCRS B 3.7.12 BASES LCO (continued)

The SLCRS is considered in operation whenever the required area(s) exhaust flow is discharging through at least one train of the SLCRS HEPA filters and charcoal adsorbers. The LCO is modified by a Note allowing the fuel building boundary to be opened intermittently under administrative controls. For entry and exit through doors, the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls consist of stationing a dedicated individual at the opening who is in continuous communication with the control room. This individual will have a method to rapidly close the opening when fuel building isolation is required to support SLCRS operation.

As clarified in the LCO 3.7.14 NOTE, applicable to Unit 2 only, Specification 3.7.12 applies to the fuel cask area when a fuel assembly is in the cask area during the installation phase of the Unit 2 rerack project.

APPLICABILITY When required in accordance with LCO 3.9.3.c.3 (for Unit 1), one train of SLCRS is required to be OPERABLE and in operation to alleviate the consequences of a fuel handling accident inside containment. This Applicability applies only to Unit 1 in accordance with the provisions of LCO 3.9.3, "Containment Penetrations" when the Containment Purge and Exhaust System penetrations are open coincident with fuel movement involving recently irradiated fuel assemblies (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ) within containment.

During movement of recently irradiated fuel assemblies (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ) within the fuel storage pool or during movement of fuel assemblies over recently irradiated fuel assemblies within the fuel storage pool, one train of SLCRS is required to be OPERABLE and in operation to alleviate the consequences of a potential fuel handling accident.

Since SLCRS is not credited in any existing DBA analysis applicable in MODES 1, 2, 3, 4, 5, and 6 the SLCRS is not required to be OPERABLE in these MODES (except as required to support fuel movement involving recently irradiated fuel assemblies described above).

ACTIONS A.1 A Note modifies Condition A since this Condition is only applicable to Unit 1. Only Unit 1 relies on SLCRS to filter the exhaust from the containment building to mitigate a fuel handling accident involving the movement of recently irradiated fuel.

Beaver Valley Units 1 and 2 B 3.7.12 - 3 Revision 16

SLCRS B 3.7.12 BASES ACTIONS (continued)

This Condition is only applicable when a Unit 1 SLCRS train is required OPERABLE and in operation in accordance with the provision of the containment penetrations LCO requirement 3.9.3.c.3. If the required SLCRS train is inoperable or not in operation, the requirements of LCO 3.9.3 are not met. Immediate action must be taken to place the unit in a condition in which LCO 3.9.3 does not apply. The applicable Conditions and Required Actions of LCO 3.9.3, "Containment Penetrations" must be entered immediately. The Required Actions of LCO 3.9.3 provide the appropriate precautions, for this condition, to preclude a fuel handling accident involving recently irradiated fuel inside containment for which the SLCRS train is required.

B.1 and B.2 A Note indicating that LCO 3.0.3 does not apply modifies Required Action B.1 and B.2.

With SLCRS inoperable or not in operation the requirements of the LCO cannot be met during fuel movement involving recently irradiated fuel within the fuel storage pool. Immediate action must be taken to place the unit in a condition in which the LCO does not apply. Immediate action must be taken to suspend movement of recently irradiated fuel assemblies and the movement of fuel assemblies over recently irradiated fuel assemblies in the fuel storage pool. This will preclude a fuel handling accident involving recently irradiated fuel. The requirements of this action do not preclude the movement of fuel assemblies to a safe position.

If fuel movement involving recently irradiated fuel takes place in MODES 1, 2, 3, or 4, LCO 3.0.3 is applicable. However, fuel movement is independent of reactor operation. Therefore, a plant shutdown in accordance with LCO 3.0.3 is not required if this Required Action is not met.

SURVEILLANCE SR 3.7.12.1 REQUIREMENTS This SR requires verification that the required portion (fuel building exhaust or containment exhaust (Unit 1)) of the SLCRS train is in operation with the required area exhaust flow discharging through the SLCRS HEPA filters and charcoal adsorbers. Verification includes operation of fans, alignment of dampers, and discharge flow paths from the fuel building or containment (Unit 1 only). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.7.12 - 4 Revision 29

SLCRS B 3.7.12 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.7.12.2 This SR verifies that the required SLCRS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorbers efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations).

Specific test Frequencies and additional information are discussed in detail in the VFTP.

SR 3.7.12.3 This SR verifies the integrity of the fuel building enclosure. The ability of the fuel building to maintain negative pressure with respect to potentially uncontaminated adjacent areas is periodically tested to verify proper function of the SLCRS. During fuel movement involving recently irradiated fuel assemblies in the fuel storage pool, the SLCRS must be OPERABLE and in operation. To ensure performance during a fuel handling accident the fuel pool storage area must be maintained at a negative pressure relative to atmospheric pressure during system operation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

A Note that states this Surveillance is only required to be met during fuel movement involving recently irradiated fuel assemblies within the fuel storage pool modifies this SR. This Note is necessary as the Unit 1 SLCRS is also required in accordance with LCO 3.9.3.c.3 during fuel movement involving recently irradiated fuel inside containment. As SR 3.7.12.3 has nothing to do with fuel movement inside containment, it is not required in order to confirm the OPERABILITY of a Unit 1 SLCRS train for compliance with LCO 3.9.3.c.3.

REFERENCES 1. 10 CFR 50.67.

2. UFSAR, Section 6.6 (Unit 1) and Section 6.5.3.2 (Unit 2).

3. UFSAR, Section 9.13.2 (Unit 1) and Section 9.4 (Unit 2).

4. UFSAR Section 14.2.1 (Unit 1) and Section 15.7.4 (Unit 2).

5. NUREG-0800, Section 15.0.1, Rev 0.

Beaver Valley Units 1 and 2 B 3.7.12 - 5 Revision 29

SLCRS B 3.7.12 BASES REFERENCES (continued)

6. NUREG-1431, Rev. 2, Standard Technical Specifications for Westinghouse Plants.

Beaver Valley Units 1 and 2 B 3.7.12 - 6 Revision 29

Secondary Specific Activity B 3.7.13 B 3.7 PLANT SYSTEMS B 3.7.13 Secondary Specific Activity BASES BACKGROUND Activity in the secondary coolant results from steam generator tube outleakage from the Reactor Coolant System (RCS). Under steady state conditions, the activity is primarily iodines with relatively short half lives and, thus, indicates current conditions. During transients, I-131 spikes have been observed as well as increased releases of some noble gases.

Other fission product isotopes, as well as activated corrosion products in lesser amounts, may also be found in the secondary coolant.

A limit on secondary coolant specific activity during power operation minimizes releases to the environment because of normal operation, anticipated operational occurrences, and accidents.

This limit is lower than the activity value that might be expected from a 150 gallons per day steam generator tube leak (LCO 3.4.13, "RCS Operational LEAKAGE") of primary coolant at the limit of 0.35 Ci/gm DOSE EQUIVALENT I-131 (LCO 3.4.16, "RCS Specific Activity"). The steam line failure is assumed to result in the release of the iodine activity contained in the steam generator inventory, the feedwater, and the reactor coolant LEAKAGE.

Operating a unit at the allowable primary and secondary coolant specific activity limits will result in exposures within the 10 CFR 50.67 (Ref. 1) total effective dose equivalent (TEDE) limits, as supplemented by Regulatory Guide 1.183 (Ref. 3).

APPLICABLE The accident analysis of the main steam line break (MSLB), as discussed SAFETY in the UFSAR, Chapter 14 (Unit 1) and Chapter 15 (Unit 2) (Ref. 2)

ANALYSES assumes the initial secondary coolant specific activity to have a radioactive isotope concentration of 0.10 Ci/gm DOSE EQUIVALENT I-131. This assumption is used in the analysis for determining the radiological consequences of the postulated accident. The accident analysis, based on this and other assumptions, shows that the radiological consequences of an MSLB do not exceed the 10 CFR 50.67 (Ref. 1) TEDE limits, as supplemented by Regulatory Guide 1.183 (Ref. 3).

The MSLB accident analysis assumes a total release of iodine activity in the steam generator connected to the failed steam line. In addition, a portion of the iodine activity in the remaining steam generators is also released via the steaming process due to assumption of loss of offsite Beaver Valley Units 1 and 2 B 3.7.13 - 1 Revision 0

Secondary Specific Activity B 3.7.13 BASES APPLICABLE SAFETY ANALYSES (continued) power. With the loss of offsite power, the remaining steam generators are utilized for core decay heat removal by venting steam to the atmosphere through the MSSVs and steam generator atmospheric dump valves (ADVs). The Auxiliary Feedwater System supplies the necessary makeup to the steam generators. Venting continues until the reactor coolant temperature and pressure have decreased sufficiently for the Residual Heat Removal System to complete the cooldown.

In the evaluation of the radiological consequences of this accident, the activity released from the steam generator connected to the failed steam line is assumed to be released directly to the environment. The unaffected steam generator is assumed to discharge steam and any entrained activity through the MSSVs and ADVs during the event. Since no credit is taken in the analysis for activity plateout or retention, the resultant radiological consequences represent a conservative estimate of the potential integrated dose due to the postulated steam line failure.

Secondary specific activity limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO As indicated in the Applicable Safety Analyses, the specific activity of the secondary coolant is required to be 0.10 Ci/gm DOSE EQUIVALENT I-131 to limit the radiological consequences of a Design Basis Accident (DBA) to within the required limits (Ref. 1 and Ref. 3).

Monitoring the specific activity of the secondary coolant ensures that when secondary specific activity limits are exceeded, appropriate actions are taken in a timely manner to place the unit in an operational MODE that would minimize the radiological consequences of a DBA.

APPLICABILITY In MODES 1, 2, 3, and 4, the limits on secondary specific activity apply due to the potential for secondary steam releases to the atmosphere.

In MODES 5 and 6, the primary to secondary LEAKAGE is minimal.

Therefore, monitoring of secondary specific activity is not required.

Beaver Valley Units 1 and 2 B 3.7.13 - 2 Revision 0

Secondary Specific Activity B 3.7.13 BASES ACTIONS A.1 and A.2 DOSE EQUIVALENT I-131 exceeding the allowable value in the secondary coolant, is an indication of a problem in the RCS and contributes to increased post accident doses. If the secondary specific activity is not within limits, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and in MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.13.1 REQUIREMENTS This SR verifies that the secondary specific activity is within the limits of the accident analysis. A gamma isotopic analysis of the secondary coolant, which determines DOSE EQUIVALENT I-131, confirms the validity of the safety analysis assumptions as to the source terms in post accident releases. It also serves to identify and trend any unusual isotopic concentrations that might indicate changes in reactor coolant activity or LEAKAGE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50.67.

2. UFSAR, Chapter 14 (Unit 1) and Chapter 15 (Unit 2).

3. Regulatory Guide 1.183, July 2000.

Beaver Valley Units 1 and 2 B 3.7.13 - 3 Revision 29

Spent Fuel Pool Storage B 3.7.14 B 3.7 PLANT SYSTEMS B 3.7.14 Spent Fuel Pool Storage BASES BACKGROUND The spent fuel storage racks contain storage locations for 1627 fuel assemblies (Unit 1) and 1088 fuel assemblies when the spent fuel storage pool contains only Boraflex racks or 1690 fuel assemblies when the spent fuel storage pool contains only Metamic racks (Unit 2). The racks are designed to store Westinghouse 17X17 fuel assemblies with nominal enrichment up to 5.0 weight percent.

For Unit 1, the spent fuel storage racks are divided into three regions with different fuel burnup-enrichment limits associated with each region. Fuel assemblies may be stored in any location, as specified in Table 3.7.14-1A, provided the fuel burnup-enrichment combinations are within the limits specified for the associated storage rack region in the accompanying LCO.

For Unit 1, the spent fuel storage racks are constructed, in part, from a boron carbide and aluminum-composite material with the trade name "Boral." The Boral material provides a neutron absorbing function to maintain the stored fuel in a subcritical condition. Therefore, soluble boron is not required in the Unit 1 spent fuel pool to maintain the spent fuel rack multiplication factor, keff , 0.95 when the fuel assemblies are stored in the correct fuel pool location in accordance with the accompanying LCO and no fuel movement is in progress (i.e., the pool is in a static condition). The fact that soluble boron concentration is not required to maintain the Unit 1 spent fuel rack multiplication factor, keff ,

0.95 is confirmed in Holtec Report HI-92791 (Ref. 1). However, a boron concentration is maintained in the Unit 1 spent fuel pool to provide negative reactivity for postulated accident conditions (i.e., a misplaced fuel assembly resulting from fuel movement) consistent with the guidelines of ANSI 16.1-1975 (Ref. 2) and the April 1978 NRC letter (Ref. 3). The required Unit 1 spent fuel pool boron concentration for a reactivity excursion due to accident conditions is 1050 ppm.

Safe operation of the Unit 1 spent fuel pool with no movement of assemblies may therefore be achieved (without reliance on soluble boron) by controlling the location of each stored fuel assembly in accordance with the accompanying LCO.

Beaver Valley Units 1 and 2 B 3.7.14 - 1 Revision 16

Spent Fuel Pool Storage B 3.7.14 BASES BACKGROUND (continued)

Boraflex Racks For Unit 2, spent fuel storage is dictated by four different storage configurations associated with fuel burnup, enrichment, decay, interface and Integral Fuel Burnable Absorber (IFBA) requirements. Fuel assemblies must be stored in the configurations specified in Table 3.7.14-1B or Specification 4.3.1.1.e.

For Unit 2, new or partially spent fuel assemblies within the limits of Table 3.7.14-1B may be allowed unrestrictive storage in the fuel storage racks.

New or partially spent fuel assemblies not within the limits of Table 3.7.14-1B will be stored in compliance with Specification 4.3.1.1.e, Reference 4.

In the first Unit 2 configuration, designated as All-Cell, Westinghouse 17x17 standard fuel assemblies can be stored in a repeating 2x2 matrix of storage cells where all the assemblies have nominal enrichments less than or equal to 1.856 w/o U-235. Fuel assemblies with initial nominal enrichments greater than 1.856 w/o U-235 must satisfy a minimum burnup requirement as shown in Table 3.7.14-1B, to be eligible for storage in this configuration.

In the second Unit 2 configuration, designated as 3x3, Westinghouse 17x17 standard fuel assemblies can be stored in a repeating 3x3 matrix of storage cells with eight storage cell locations forming a ring of depleted fuel assemblies that surround a fuel assembly with initial nominal enrichment up to 5.0 w/o. The depleted fuel assemblies for this configuration must have an initial nominal enrichment of less than or equal to 1.194 w/o U-235, or satisfy a minimum burnup requirement for higher initial enrichments as shown in Reference 4 for this configuration.

The burnup requirements for the depleted assemblies in this configuration can be reduced by crediting decay time.

In the third Unit 2 configuration, designated as 1-out-of-4 5.0 w/o at 15,000 MWD/MTU, Westinghouse 17x17 standard fuel assemblies can be stored in a repeating 2x2 matrix of storage cells with a fuel assembly having an initial nominal enrichment of up to 5.0 w/o U-235 and a burnup of at least 15,000 MWD/MTU occupying one storage cell location and depleted fuel assemblies occupying the three remaining locations. The depleted fuel assemblies for this configuration must have an initial nominal enrichment of less than or equal to 1.569 w/o U-235, or satisfy a minimum burnup requirement for higher initial enrichments as shown in Reference 4 for this configuration.

Beaver Valley Units 1 and 2 B 3.7.14 - 2 Revision 16

Spent Fuel Pool Storage B 3.7.14 BASES BACKGROUND (continued)

In the fourth Unit 2 configuration, designated as 1-out-of-4 3.85 w/o with IFBA, Westinghouse 17x17 standard fuel assemblies can be stored in a repeating 2x2 matrix of storage cells with a fuel assembly having nominal initial enrichment up to 3.85 w/o U-235 occupying one of the four storage cell locations and depleted fuel assemblies occupying the three remaining locations. The depleted fuel assemblies for this configuration must have an initial nominal enrichment of less than or equal to 1.279 w/o U-235, or satisfy a minimum burnup requirement for higher initial enrichments as shown in Reference 4 for this configuration. The fresh fuel assembly must have an initial nominal enrichment of less than or equal to 3.85 w/o U-235, or must contain a minimum number of IFBA pins for higher initial enrichments as shown in Reference 4 for this configuration. The IFBA stack in the fresh assemblies must be at least 120 inches long and have a nominal loading of at least 1.5X to meet the requirements.

For Unit 2, the interfaces between these four configurations must be maintained such that only the depleted assemblies from each of the configurations are located along the interface. Using the depleted assemblies at the interface precludes locating the more highly reactive assemblies (fresh or 15,000 MWD/MTU) next to each other where the configurations meet. Each configuration has its own requirements for its depleted assemblies, which are identified in Reference 4. In the case of the All-Cell configuration, all of the assemblies are depleted and, therefore, can be located at the interface with any of the other configurations.

For Unit 2, spent fuel racks have been analyzed in accordance with the methodology contained and documented in Reference 4. This methodology ensures the spent fuel rack multiplication factor, keff, is 0.95 as recommended by the April 1978 NRC letter (Ref. 3) and ANSI/ANS-57.2-1983 (Ref. 6). The codes, methods, and techniques contained in the methodology are used to satisfy this keff criterion.

The four storage configurations for the Unit 2 spent fuel storage racks are analyzed for a range of initial assembly enrichment up to 5.0 w/o utilizing credit for burnup, burnable absorbers, decay time and soluble boron, to ensure keff is maintained 0.95, including uncertainties, tolerances, and accident conditions. The Unit 2 spent fuel storage pool keff is maintained

< 1.0, including uncertainties and tolerances on a 95/95 probability/confidence level, without crediting soluble boron.

Therefore, the safe operation of the Unit 2 spent fuel storage pool with no movement of assemblies necessitates both the storage requirements of this Specification as well as the fuel pool boron concentration requirements of LCO 3.7.16 be met.

Beaver Valley Units 1 and 2 B 3.7.14 - 3 Revision 21

Spent Fuel Pool Storage B 3.7.14 BASES BACKGROUND (continued)

Metamic Racks For Unit 2, the spent fuel storage racks are constructed, in part, from a boron carbide and aluminum-composite material with the trade name "Metamic." The Metamic material provides a neutron absorbing function to maintain the stored fuel in a subcritical condition. The criticality analysis, documented in Holtec Report HI-2084175 (Ref. 5),

demonstrates that the effective neutron multiplication factor (keff) is less than 1.0 with the storage racks fully loaded with fuel of the highest anticipated reactivity and the pool flooded with unborated water at a temperature corresponding to the highest reactivity. The criticality analysis also demonstrates that keff is less than or equal to 0.95 with the storage racks fully loaded with fuel of the highest anticipated reactivity and the pool flooded with borated water at a temperature corresponding to the highest reactivity. In addition, soluble boron is required in the Unit 2 spent fuel storage pool to provide negative reactivity for postulated accident conditions (i.e., a misplaced fuel assembly resulting from fuel movement) consistent with the guidelines of the April 1978 NRC letter (Ref. 3) and ANSI/ANS-57.2-1983 (Ref. 6).

Therefore, as was the case for the Boraflex racks, the safe operation of the Unit 2 spent fuel storage pool with no movement of assemblies necessitates that both the storage requirements of this Specification as well as the fuel pool boron concentration requirements of LCO 3.7.16 be met.

For the Unit 2 high-density Metamic racks, fuel storage locations are dictated by three different regions in each rack, associated with fuel type group (enriched blankets, natural blankets, or no blankets), enrichment, and burnup. Fuel assemblies must be characterized based on these three parameters, and stored in the regions specified in Table 3.7.14-1C (enriched blankets), Table 3.7.14-1D (natural blankets), Table 3.7.14-1E (no blankets), and Specification 4.3.1.1.e. In addition to the information provided in these specifications, details about the different fuel type groups and figures illustrating the storage location regions are provided in Reference 5.

Beaver Valley Units 1 and 2 B 3.7.14 - 4 Revision 16

Spent Fuel Pool Storage B 3.7.14 BASES APPLICABLE The hypothetical accidents can only take place during or as a result of the SAFETY movement of an assembly (Ref. 7). For these accident occurrences, the ANALYSES presence of soluble boron in the spent fuel storage pool (controlled by LCO 3.7.16, "Fuel Storage Pool Boron Concentration") prevents criticality in the spent fuel storage pool. By closely controlling the movement of each assembly and by checking the location of each assembly after movement, the time period for potential accidents may be limited to a small fraction of the total operating time. Conformance with the applicable spent fuel storage pool criticality analyses is assured through compliance with the accompanying LCO and refueling procedures.

For Unit 1, during the remaining time period with no potential for accidents, the operation may be under the auspices of the accompanying LCO without reliance on soluble boron.

For Unit 2, however, when no potential for an accident exists, safe operation of the spent fuel storage pool must include the boron concentration within the limit specified in LCO 3.7.16 as well as the fuel being stored in accordance with LCO 3.7.14. The boron concentration specified in LCO 3.7.16, as well as the storage requirements of LCO 3.7.14, are necessary to meet the requirement to maintain keff 0.95 in the Unit 2 spent fuel storage pool under normal (i.e., static) conditions.

Operation within the storage requirements of LCO 3.7.14 with no soluble boron in the Unit 2 spent fuel storage pool maintains keff < 1.0, including uncertainties and tolerances on a 95/95 probability/confidence level. In accordance with Reference 4, the interface boundaries between the various storage requirement configurations of the Boraflex racks are maintained such that only the depleted assemblies are at the boundary.

In accordance with Reference 5, this restriction is not applicable to the assemblies stored in the Metamic racks.

The configuration of fuel assemblies in the fuel storage pool satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO For Unit 1, the restrictions on the placement of fuel assemblies within the spent fuel pool, in accordance with Table 3.7.14-1A, in the accompanying LCO, ensures the keff of the spent fuel storage pool will always remain 0.95, assuming the pool to be flooded with unborated water.

Boraflex Racks For Unit 2, operation within the storage requirements specified in Table 3.7.14-1B of the accompanying LCO or Specification 4.3.1.1.e, with no soluble boron in the spent fuel storage pool would only maintain keff < 1.0, including uncertainties and tolerances on a 95/95 probability/confidence Beaver Valley Units 1 and 2 B 3.7.14 - 5 Revision 16

Spent Fuel Pool Storage B 3.7.14 BASES LCO (continued) level. Therefore, Unit 2 must also maintain the spent fuel storage pool boron concentration within the limit specified in LCO 3.7.16, in order to meet the requirement to maintain keff 0.95.

Metamic Racks For Unit 2 storage of fuel in the Metamic racks, required locations are dictated by three different regions in each rack, associated with fuel type group (enriched blankets, natural blankets, or no blankets), enrichment, and burnup. Fuel assemblies must be characterized based on these three parameters, and stored in the regions specified in Table 3.7.14-1C (enriched blankets), Table 3.7.14-1D (natural blankets), Table 3.7.14-1E (no blankets), and Specification 4.3.1.1.e.

For Unit 2, storage of fuel in the Metamic racks within the storage requirements specified in LCO 3.7.14 and Specification 4.3.1.1.e, with no soluble boron in the spent fuel storage pool, would only maintain keff

< 1.0, including uncertainties and tolerances on a 95/95 probability/confidence level. Therefore, Unit 2 must also maintain the spent fuel storage pool boron concentration within the limit specified in LCO 3.7.16, in order to meet the requirement to maintain keff 0.95.

For Unit 2, Specification 4.3.1.1.e contains a requirement that two empty rows of storage cells shall exist between the fuel assemblies stored in a Boraflex rack and the fuel assemblies stored in an adjacent Metamic rack in the fuel storage pool. The need for the two empty rows is to ensure that the fuel in the two types of racks is neutronically decoupled during the installation phase of the reracking project. In order to also resolve a potential seismic interaction issue between the two different types of racks, the two empty rows of storage cells must either both be in the Boraflex rack or may consist of a single empty row in each type of rack.

This spacing requirement does not need to be imposed on fuel in racks adjacent to the same type of rack.

The LCO is modified by a Note, applicable to Unit 2 only, stating that the Technical Specification requirements applicable to the fuel storage pool are also applicable to the fuel cask area when a fuel assembly is in the fuel cask area during the installation phase of the Unit 2 reracking project.

Beaver Valley Units 1 and 2 B 3.7.14 - 6 Revision 16

Spent Fuel Pool Storage B 3.7.14 BASES APPLICABILITY This LCO applies whenever any fuel assembly is stored in the fuel storage pool (also referred to in several locations within the specifications as the spent fuel storage pool or the spent fuel pool).

ACTIONS A.1 Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply.

When the configuration of fuel assemblies stored in the spent fuel storage pool is not in accordance with Table 3.7.14-1A for Unit 1 and the LCO for Unit 2, the immediate action is to initiate action to make the necessary fuel assembly movement(s) to bring the configuration into compliance with Table 3.7.14-1A for Unit 1 and LCO 3.7.14 for Unit 2.

The Required Actions are modified by a Note that takes exception to LCO 3.0.3. If unable to move irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not be applicable. If unable to move irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the action is independent of reactor operation. Therefore, inability to move fuel assemblies is not sufficient reason to require a reactor shutdown.

SURVEILLANCE SR 3.7.14.1 REQUIREMENTS This SR verifies by administrative means that the initial enrichment and burnup of the fuel assembly is in accordance with Table 3.7.14-1A for Unit 1, and in accordance with the requirements of LCO 3.7.14 for Unit 2.

Verification by administrative means may be accomplished through fuel receipt records for new fuel or burnup analysis as necessary in accordance with refueling procedures. The Frequency of prior to storing a fuel assembly ensures that fuel assemblies are stored within the configurations analyzed in the spent fuel criticality analyses.

Beaver Valley Units 1 and 2 B 3.7.14 - 7 Revision 16

Spent Fuel Pool Storage B 3.7.14 BASES REFERENCES 1. Holtec Report HI-92791, Rev. 6, "Spent Fuel Pool Modification For Increased Storage Capacity, Beaver Valley Power Station Unit 1,"

April 1992 as supplemented by Letter to the NRC (License Change Request No. 202, Supplement 1, Spent Fuel Pool Rerack) dated June 28, 1993, and as further supplemented by calculation 8700-DMC-3664, Rev. 0.

2. ANSI 16.1-1975 (ANS-8.1), Nuclear Criticality Safety In Operations With Fissionable Materials Outside Reactors.

3. NRC Letter to All Power Reactor Licensees from B. K. Grimes, "OT Position for Review and Acceptance of Spent Fuel Storage and Handling Applications," April 14, 1978.

4. WCAP-16518-P, "Beaver Valley Unit 2 Spent Fuel Rack Criticality Analysis," Revision 2, July 2007.

5. Holtec Report HI-2084175, Revision 8, "Licensing Report for Beaver Valley Unit 2 Rerack," as submitted to the NRC in support of License Amendment No. 173, Unit 2 Fuel Storage Pool Rerack.

6. ANSI/ANS-57.2-1983, "Design Requirements for Light Water Reactor Spent Fuel Storage Facilities at Nuclear Power Stations."

7. UFSAR Section 14 (Unit 1) and UFSAR Section 15 (Unit 2).

Beaver Valley Units 1 and 2 B 3.7.14 - 8 Revision 17

Fuel Storage Pool Water Level B 3.7.15 B 3.7 PLANT SYSTEMS B 3.7.15 Fuel Storage Pool Water Level BASES BACKGROUND The minimum water level in the fuel storage pool meets the assumptions of iodine decontamination factors following a fuel handling accident (FHA). The specified water level shields and minimizes the general area dose when the storage racks are filled to their maximum capacity. The water also provides shielding during the movement of spent fuel.

A general description of the fuel storage pool design is given in the UFSAR, Section 9.12 (Unit 1) and Section 9.1.2 (Unit 2) (Ref. 1). A description of the Spent Fuel Pool Cooling and Cleanup System is given in the UFSAR, Section 9.5 (Unit 1) and Section 9.1.3 (Unit 2) (Ref. 2).

The assumptions of the FHA are given in the UFSAR, Section 14.2.1 (Unit 1) and Section 15.7.4 (Unit 2) (Ref. 3).

APPLICABLE The minimum water level in the fuel storage pool meets the assumptions SAFETY of the FHA described in Regulatory Guide 1.183 (Ref. 4). The resultant ANALYSES offsite and control room doses are within the 10 CFR 50.67 (Ref. 5) and Reference 4 limits.

According to Reference 3, there is 23 ft of water between the top of the damaged fuel bundle and the fuel pool surface during a FHA. With 23 ft of water, the decontamination factors of Reference 4 can be used directly.

In practice, this LCO preserves this assumption for the bulk of the fuel in the storage racks. In the case of a single bundle dropped and lying horizontally on top of the spent fuel racks, however, there may be < 23 ft of water above the top of the fuel bundle and the surface, indicated by the width of the bundle. To offset this small nonconservatism, the analysis assumes that the maximum number of postulated fuel rods fail. This number of failed fuel rods is based on the worse case postulated fuel drop height occurring in the containment building. The postulated fuel drop height in the fuel building is significantly less than the postulated fuel drop height in the containment building.

The FHA in the storage pool is described in Reference 3. With a minimum water level of 23 feet and a minimum decay time of 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months prior to fuel handling, the analyses demonstrate that the offsite and control room doses are maintained within the limits established in References 4 and 5.

The fuel storage pool water level satisfies Criteria 2 and 3 of 10 CFR 50.36(c)(2)(ii).

Beaver Valley Units 1 and 2 B 3.7.15 - 1 Revision 0

Fuel Storage Pool Water Level B 3.7.15 BASES LCO The fuel storage pool water level is required to be 23 ft over the top of irradiated fuel assemblies seated in the storage racks. The specified water level preserves the assumptions of the fuel handling accident analysis (Ref. 3). As such, it is the minimum required for fuel movement within the fuel storage pool.

As clarified in the LCO 3.7.14 NOTE, applicable to Unit 2 only, Specification 3.7.15 applies to the fuel cask area when a fuel assembly is in the cask area during the installation phase of the Unit 2 rerack project.

APPLICABILITY This LCO applies during movement of irradiated fuel assemblies in the fuel storage pool and during movement of fuel assemblies over irradiated fuel assemblies in the fuel storage pool, since the potential for a release of fission products exists.

ACTIONS Condition A is modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODES 1, 2, 3, and 4, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.

A.1 When the initial conditions for prevention of an accident cannot be met, steps should be taken to preclude the accident from occurring. When the fuel storage pool water level is lower than the required level, the movement of irradiated fuel assemblies in the fuel storage pool is immediately suspended to a safe position. This action effectively precludes the occurrence of a fuel handling accident. This does not preclude movement of a fuel assembly to a safe position.

A.2 When the fuel storage pool water level is lower than the required level, the movement of non-irradiated fuel assemblies over irradiated fuel assemblies in the fuel storage pool is immediately suspended to a safe position. This action effectively precludes the occurrence of a fuel handling accident. This does not preclude movement of a fuel assembly to a safe position.

Beaver Valley Units 1 and 2 B 3.7.15 - 2 Revision 16

Fuel Storage Pool Water Level B 3.7.15 BASES SURVEILLANCE SR 3.7.15.1 REQUIREMENTS This SR verifies sufficient fuel storage pool water is available in the event of a fuel handling accident. The water level in the fuel storage pool must be checked periodically. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

In addition to verifying the storage pool level at the Frequency specified in the Surveillance Frequency Control Program, during refueling operations, with the transfer tube open, the level in the fuel storage pool is in equilibrium with the refueling cavity, and the level in the refueling cavity is checked daily in accordance with SR 3.9.6.1.

REFERENCES 1. UFSAR, Section 9.12 (Unit 1) and Section 9.1.2 (Unit 2).

2. UFSAR, Section 9.5 (Unit 1) and Section 9.1.3 (Unit 2).

3. UFSAR, Section 14.2.1 (Unit 1) and Section 15.7.4 (Unit 2).

4. Regulatory Guide 1.183, July 2000.

5. 10 CFR 50.67.

Beaver Valley Units 1 and 2 B 3.7.15 - 3 Revision 29

Fuel Storage Pool Boron Concentration B 3.7.16 B 3.7 PLANT SYSTEMS B 3.7.16 Fuel Storage Pool Boron Concentration BASES BACKGROUND The spent fuel storage racks contain storage locations for 1627 fuel assemblies (Unit 1) and 1088 fuel assemblies when the spent fuel storage pool contains only Boraflex racks or 1690 fuel assemblies when the spent fuel storage pool contains only Metamic racks (Unit 2). The racks are designed to store Westinghouse 17X17 fuel assemblies with nominal enrichment up to 5.0 weight percent.

For Unit 1, the spent fuel storage racks are divided into three regions with different fuel burnup-enrichment limits associated with each region. Fuel assemblies may be stored in any location, as specified in Table 3.7.14-1A, provided the fuel burnup-enrichment combinations are within the limits specified for the associated storage rack region in LCO 3.7.14, "Spent Fuel Assembly Storage."

For Unit 1, the spent fuel storage racks are constructed, in part, from a boron carbide and aluminum-composite material with the trade name "Boral." The Boral material provides a neutron absorbing function that helps to maintain the stored fuel in a subcritical condition. Therefore, soluble boron is not required in the Unit 1 spent fuel pool to maintain the spent fuel rack multiplication factor, keff , 0.95 when the fuel assemblies are stored in the correct fuel pool location in accordance with LCO 3.7.14 and no fuel movement is in progress (i.e., the pool is in a static condition).

The fact that soluble boron concentration is not required to maintain the Unit 1 spent fuel rack multiplication factor, keff , 0.95 is confirmed in Holtec Report HI-92791 (Ref. 1). However, a boron concentration is maintained in the Unit 1 spent fuel pool to provide negative reactivity for postulated accident conditions (i.e., a misplaced fuel assembly resulting from fuel movement) consistent with the guidelines of ANSI 16.1-1975 (Ref. 2) and the April 1978 NRC letter (Ref. 3). The required Unit 1 spent fuel pool boron concentration for a reactivity excursion due to accident conditions is 1050 ppm.

Safe operation of the Unit 1 spent fuel pool with no movement of assemblies may therefore be achieved (without reliance on soluble boron) by controlling the location of each stored fuel assembly in accordance with LCO 3.7.14. However, prior to fuel movement and during movement of fuel assemblies it is necessary to perform SR 3.7.16.1 to assure the required boron concentration is available until fuel movement is finished and a verification is complete that assures fuel assemblies are stored in accordance with LCO 3.7.14.

Beaver Valley Units 1 and 2 B 3.7.16 - 1 Revision 16

Fuel Storage Pool Boron Concentration B 3.7.16 BASES BACKGROUND (continued)

Boraflex Racks For Unit 2, the Boraflex spent fuel racks have been analyzed in accordance with the methodology contained and documented in Reference 4. This methodology ensures the spent fuel rack multiplication factor, keff, is 0.95 as recommended by the April 1978 NRC letter (Ref. 3) and ANSI/ANS-57.2-1983 (Ref. 6). The codes, methods, and techniques contained in the methodology are used to satisfy this keff criterion.

The four storage configurations for the Unit 2 Boraflex spent fuel storage racks are analyzed for a range of initial assembly enrichment up to 5.0 w/o utilizing credit for burnup, burnable absorbers, decay time and soluble boron, to ensure keff is maintained 0.95, including uncertainties, tolerances, and accident conditions.

Metamic Racks For Unit 2, the Metamic spent fuel racks have been analyzed in accordance with the methodology contained and documented in Reference 5. This methodology ensures the spent fuel rack multiplication factor, keff, is 0.95 as recommended by the April 1978 NRC letter (Ref. 3) and ANSI/ANS-57.2-1983 (Ref. 6). The codes, methods, and techniques contained in the methodology are used to satisfy this keff criterion.

The three storage regions for the Unit 2 Metamic spent fuel storage racks are analyzed for a range of initial assembly enrichment up to 5.0 w/o utilizing credit for burnup, to ensure keff is maintained 0.95, including uncertainties, tolerances, and accident conditions. The three fuel storage location regions are described in Specification 4.3.1.1.e, and in Reference 5.

The soluble boron concentration required to maintain keff 0.95 in the Unit 2 spent fuel storage pool under normal conditions has been determined for when the spent fuel storage pool contains only Boraflex racks (Ref. 4) and when the spent fuel storage pool contains only Metamic racks (Ref. 5). When the spent fuel storage pool contains only Boraflex racks the required concentration is 450 ppm. When the spent fuel storage pool contains only Metamic racks the required concentration is 495 ppm. For conservatism, 495 ppm is specified in Specification 4.3.1.1.c.

Beaver Valley Units 1 and 2 B 3.7.16 - 2 Revision 21

Fuel Storage Pool Boron Concentration B 3.7.16 BASES BACKGROUND (continued)

A spent fuel storage pool boron concentration of 2000 ppm ensures no credible boron dilution event will result in keff exceeding 0.95. Safe operation of the Unit 2 spent fuel storage pool with either type of rack requires the specified fuel pool boron concentration be maintained at all times when fuel assemblies are stored in the spent fuel storage pool.

Therefore, for Unit 2, SR 3.7.16.1 is applicable whenever fuel assemblies are stored in the spent fuel storage pool with either type of rack.

During refueling, the water volume in the spent fuel storage pool, the transfer canal, the refueling canal, the refueling cavity, and the reactor vessel form a single mass. As a result, the soluble boron concentration is relatively the same in each of these volumes.

APPLICABLE The most limiting reactivity excursion event evaluated in the spent fuel SAFETY pool criticality analyses (for both Unit 1 and 2) is a misplaced new fuel ANALYSES assembly with the highest permissible U-235 enrichment (5.0 weight percent).

For Unit 1, the amount of soluble boron required to maintain the spent fuel rack multiplication factor, keff, 0.95 with the worst case misplaced new fuel assembly is approximately 400 ppm. The 1050 ppm boron concentration specified in the Unit 1 LCO conservatively assures keff is maintained within the limit for the worst case misplaced assembly accident. The Unit 1 boron concentration requirement of 1050 ppm includes a conservative margin of 600 ppm with a 50 ppm allowance for uncertainties.

Boraflex Racks For Unit 2, with only Boraflex racks, the amount of soluble boron required to maintain the spent fuel storage rack multiplication factor, keff, 0.95 with the worst case misplaced new fuel assembly is 837 ppm.

Metamic Racks For Unit 2, with only Metamic racks the amount of soluble boron required to maintain the spent fuel storage rack multiplication factor, keff, 0.95 for the worst case accident, i.e., a misplaced new fuel assembly in the outer row of the rack in a Region 2 location, is 1212 ppm.

When the spent fuel storage pool contains a combination of racks, the amount of soluble boron required to maintain the spent fuel storage rack multiplication factor, keff, 0.95 with the worst case misplaced new fuel assembly is conservatively specified as 1212 ppm.

Beaver Valley Units 1 and 2 B 3.7.16 - 3 Revision 16

Fuel Storage Pool Boron Concentration B 3.7.16 BASES APPLICABLE SAFETY ANALYSES (continued)

For either type of rack, the 2000 ppm limit specified in the Unit 2 LCO conservatively assures keff is maintained within the limit for the worst case misplaced fuel assembly accident. In addition, the 2000 ppm limit specified in the Unit 2 LCO ensures no credible boron dilution event will reduce the boron concentration below the 495 ppm required during normal non-accident conditions to maintain keff 0.95 for either type of rack.

The concentration of dissolved boron in the fuel storage pool satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The fuel storage pool boron concentration is required to be 1050 ppm (Unit 1) and 2000 ppm (Unit 2). The specified concentration of dissolved boron in the fuel storage pool preserves the assumptions used in the analyses of the potential criticality accidents as discussed in the UFSAR (Ref. 7). In addition, for Unit 2, soluble boron is credited to maintain keff 0.95 during normal operating conditions whenever fuel is stored in the spent fuel storage pool.

As clarified in the LCO 3.7.14 Note, applicable to Unit 2 only, Specification 3.7.16 applies to the fuel cask area when a fuel assembly is in the cask area during the installation phase of the Unit 2 rerack project.

APPLICABILITY For Unit 1 this LCO applies whenever fuel assemblies are stored in the spent fuel storage pool, until a complete spent fuel storage pool verification has been performed following the last movement of fuel assemblies in the spent fuel storage pool. This LCO does not apply to Unit 1 following the verification, since the verification would confirm that there are no misloaded fuel assemblies. With no further fuel assembly movements in progress, there is no potential for a misloaded fuel assembly or a dropped fuel assembly.

For Unit 2 this LCO applies whenever fuel assemblies are stored in the spent fuel storage pool to ensure keff is maintained 0.95 during normal operation as well as for potential criticality accident scenarios.

ACTIONS A.1, A.2.1, and A.2.2 The Required Actions are modified by a Note indicating that LCO 3.0.3 does not apply.

Beaver Valley Units 1 and 2 B 3.7.16 - 4 Revision 16

Fuel Storage Pool Boron Concentration B 3.7.16 BASES ACTIONS (continued)

In addition, Required Action A.2.2 is modified by a Note that states Required Action A.2.2 is only applicable to Unit 1. The Action is restricted to Unit 1 because Unit 1 does not credit soluble boron during normal (non-accident) conditions to ensure keff is maintained 0.95.

When the concentration of boron in the fuel storage pool is less than required, immediate action must be taken to preclude the occurrence of an accident or to mitigate the consequences of an accident in progress.

This is most efficiently achieved by immediately suspending the movement of fuel assemblies. Action is also initiated to restore the boron concentration simultaneously with suspending movement of fuel assemblies. Alternatively, for Unit 1 only, beginning a verification of the fuel storage pool fuel locations, to ensure proper locations of the fuel, can be performed. However, prior to resuming movement of fuel assemblies, the concentration of boron must be restored. This does not preclude movement of a fuel assembly to a safe position.

The Required Actions are modified by a Note that takes exception to LCO 3.0.3. If the LCO is not met while moving irradiated fuel assemblies in MODE 5 or 6, LCO 3.0.3 would not be applicable. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operation. Therefore, inability to suspend movement of fuel assemblies is not sufficient reason to require a reactor shutdown.

SURVEILLANCE SR 3.7.16.1 REQUIREMENTS This SR verifies that the concentration of boron in the fuel storage pool is within the required limit. As long as this SR is met, the analyzed accidents are fully addressed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

For Unit 1 the Surveillance must be performed within the specified Frequency prior to initiating fuel movement and must continue to be performed at the specified Frequency until fuel movement is finished and a verification is complete that assures fuel assemblies are stored in accordance with LCO 3.7.14.

For Unit 2 the Surveillance must be performed within the specified Frequency whenever fuel assemblies are stored in the spent fuel storage pool.

Beaver Valley Units 1 and 2 B 3.7.16 - 5 Revision 29

Fuel Storage Pool Boron Concentration B 3.7.16 BASES REFERENCES 1. Holtec Report HI-92791, Rev. 6, "Spent Fuel Pool Modification For Increased Storage Capacity, Beaver Valley Power Station Unit 1,"

April 1992 as supplemented by Letter to the NRC (License Change Request No. 202, Supplement 1, Spent Fuel Pool Rerack) dated June 28, 1993, and as further supplemented by calculation 8700-DMC-3664, Rev. 0.

2. ANSI 16.1-1975 (ANS-8.1), Nuclear Criticality Safety In Operations With Fissionable Materials Outside Reactors.

3. NRC Letter to All Power Reactor Licensees from B. K. Grimes, "OT Position for Review and Acceptance of Spent Fuel Storage and Handling Applications," April 14, 1978.

4. WCAP-16518-P, Beaver Valley Unit 2 Spent Fuel Rack Criticality Analysis, Revision 2, July 2007.

5. Holtec Report HI-2084175, Revision 8, "Licensing Report for Beaver Valley Unit 2 Rerack," as submitted to the NRC in support of License Amendment 173, Unit 2 Fuel Storage Pool Rerack.

6. ANSI/ANS-57.2-1983, "Design Requirements for Light Water Reactor Spent Fuel Storage Facilities at Nuclear Power Stations."

7. UFSAR Sections 3.3.2.7 and 9.12.2.2 (Unit 1) and UFSAR Sections 4.3.2.6 and 9.1.2 (Unit 2).

Beaver Valley Units 1 and 2 B 3.7.16 - 6 Revision 17

AC Sources - Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources - Operating BASES BACKGROUND The unit Class 1E AC Electrical Power Distribution System AC sources consist of the offsite power sources (preferred power sources, normal and alternate(s)), and the onsite standby power sources (Train A and Train B diesel generators (DGs)). As discussed in Reference 1, the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.

The onsite Class 1E AC Distribution System is divided into redundant load groups (trains) so that the loss of any one group does not prevent the minimum safety functions from being performed. Each train has connections to one required offsite power source and a single DG.

Offsite power is supplied to the switchyard from several 345kV and 138kV transmission lines. From the switchyard(s), two electrically and physically separated circuits provide AC power, through step down station service transformers, to the 4.16 kV ESF buses. A detailed description of the offsite power network and the circuits to the Class 1E ESF buses is found in the UFSAR, Chapter 8 (Ref. 2).

An offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESF bus(es).

The onsite standby power source for each 4.16 kV ESF bus is a dedicated DG. DGs 1-1 for Unit 1 and 2-1 for Unit 2 and 1-2 for Unit 1 and 2-2 for Unit 2 are dedicated to ESF buses AE and DF, respectively.

A DG starts automatically on a safety injection (SI) signal (i.e., low pressurizer pressure, steamline pressure - low, manual, or high containment pressure signals) or on an undervoltage signal (refer to LCO 3.3.5, "Loss of Power (LOP) Diesel Generator (DG) Start and Bus Separation Instrumentation"). After the DG has started, it will automatically tie to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with an SI signal. The DGs will also start and operate in the standby mode without tying to the ESF bus on an SI signal alone.

Following the trip of offsite power, an undervoltage signal strips nonpermanent loads from the ESF bus. When the DG is tied to the ESF bus, loads are then sequentially connected to its respective ESF bus by the automatic load sequencer timer(s). The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG by automatic load application.

Beaver Valley Units 1 and 2 B 3.8.1 - 1 Revision 0

AC Sources - Operating B 3.8.1 BASES BACKGROUND (continued)

The sequence timer(s) provide a time delay for the individual component to close its breaker to the associated emergency electrical bus. Each component is sequenced onto the emergency bus by an initiating signal.

Improper loading sequence may cause the emergency bus to become inoperable. The Unit 1 sequence timers are provided for each train of ESF components and may affect individual components and the associated DG. The Unit 2 sequence timers affect individual components and the associated DG.

In the event of a loss of unit and system power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA).

Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the DG in the process. Within 1 minute (Reference 2) after the initiating signal is received, all loads needed to recover the unit or maintain it in a safe condition are returned to service.

Ratings for Bus AE Train A and Bus DF Train B DGs satisfy the requirements of Reference 3. The continuous service rating of each DG is for Unit 1 2600 kW and for Unit 2 4238 kW with a 2850 kW (Unit 1) and 4535 kW (Unit 2) allowable for up to 2000 hours0.0231 days 0.556 hours 0.00331 weeks 7.61e-4 months per year. The ESF loads that are powered from the 4.16 kV ESF buses are listed in Reference 2.

APPLICABLE The initial conditions of DBA and transient analyses in the UFSAR, SAFETY Chapter 6 (Ref. 4) and Reference 5 assume ESF systems are ANALYSES OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded.

These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS);

and Section 3.6, Containment Systems.

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the Accident analyses and is based upon meeting the design basis of the unit. This results in maintaining at least one train of the onsite or offsite AC sources OPERABLE during Accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC power and Beaver Valley Units 1 and 2 B 3.8.1 - 2 Revision 0

AC Sources - Operating B 3.8.1 BASES APPLICABLE SAFETY ANALYSES (continued)

b. A worst case single failure.

The AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO Two qualified circuits between the offsite transmission network and the onsite Class 1E Electrical Power System and separate and independent DGs for each train ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated DBA.

Qualified offsite circuits are those that are described in the UFSAR and are part of the licensing basis for the unit.

In addition, required automatic load sequence timer(s) must be OPERABLE.

Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the ESF buses.

During normal plant operation, electrical power for the onsite circuits comes from either the main generator through 22 kV to 4.36 kV unit station service transformers or from the two independent offsite 138 kV buses through 138 kV to 4.36 kV system station service transformers.

The secondary windings of the transformers are connected to four separate 4.16 kV normal buses, A, B, C and D. Buses A and D provide power for the two redundant Class 1E 4.16 kV emergency buses AE and DF, respectively. During plant shutdown, the emergency buses receive power from the system station service transformers, or may receive power from the unit station service transformers by backfeeding the main transformer. Automatic and manual transfer capabilities to the system station service transformers are available when the offsite source(s) are required to be OPERABLE.

Each DG must be capable of starting, accelerating to nominal speed and voltage, and connecting to its respective ESF bus on detection of bus undervoltage. This will be accomplished within 10 seconds from the time the signal is received by the DG starting circuit. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby with the engine hot and DG in standby with the engine at ambient conditions. Additional Beaver Valley Units 1 and 2 B 3.8.1 - 3 Revision 0

AC Sources - Operating B 3.8.1 BASES LCO (continued)

DG capabilities must be demonstrated to meet required Surveillance, e.g., capability of the DG to revert to standby status on an Emergency Core Cooling Systems (ECCS) signal while operating in parallel test mode for Unit 2 only.

Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY.

The AC sources in one train must be separate and independent (to the extent possible) of the AC sources in the other train. For the DGs, electrical separation and independence are complete.

For the offsite AC sources, separation and independence are to the extent practical. A circuit that is not connected to an ESF bus is required to have OPERABLE fast transfer capability to align that circuit to its associated ESF bus.

APPLICABILITY The AC sources and sequencer timer(s) are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients and

b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

The AC power requirements for MODES 5 and 6 are covered in LCO 3.8.2, "AC Sources - Shutdown."

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable DG.

There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable DG and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

Beaver Valley Units 1 and 2 B 3.8.1 - 4 Revision 0

AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)

Requirements for applying the 14 day DG Completion Time The ACTION Conditions for inoperable AC sources provide a 14 day Completion Time when one DG is inoperable. The 14 day Completion Time includes the normal 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time which is not risk informed, followed by an 11 day extension period that is based on a plant specific risk analysis performed to establish the overall Completion Time (Ref 12).

As a defense in depth measure, when the option of an extended Completion Time (i.e., a time beyond the normal 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months ) for a DG is exercised, alternate AC (AAC) power will be provided with capability of supplying safe shutdown loads during a station blackout without the need for rescheduling of safety system operation in the unaffected unit. For unplanned DG outages, capability to supply AAC power will be available upon entering the Completion Time extension (i.e., by 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months into the Completion Time). For outages planned to exceed an initial 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time, AAC power will be provided within one hour of entering the Action Condition for an inoperable DG. In any event, if AAC power of the required capacity is not available after entering the extended Completion Time (after 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months into the Completion Time), the actions of Required Action G become applicable (i.e., Be in MODE 3 in 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and be in MODE 5 in 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months ).

The following criteria would apply to any AAC source used as a defense in depth measure:

1. An AAC power source may be of a temporary or permanent nature and would not be required to satisfy Class 1E requirements.

2. Dynamic effects of an AAC power source failure (GDC-4 events) would not adversely affect safety related plant equipment.

3. An AAC power source would not be required to be protected against natural phenomena (GDC-2 events) or abnormal environmental or dynamic effects (GDC-4 events).

4. An AAC power source would be capable of starting and carrying designated loads required for safe shutdown, including maintaining adequate voltage and frequency such that performance of powered equipment is acceptable.

Beaver Valley Units 1 and 2 B 3.8.1 - 5 Revision 29

AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)

Prior to relying on its availability, a temporary AAC power source would be determined to be available by: (1) starting the AAC source and verifying proper operation; (2) verifying that sufficient fuel is available onsite to support 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of operation; and (3) ensuring that the AAC source is in the correct electrical alignment to supply power to designated safe shutdown loads. Subsequently, when not in operation, a status check for availability will also be performed once every 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This check consists of: (1) verifying the AAC source is mechanically and electrically ready for operation; (2) verifying that sufficient fuel is available onsite to support 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of operation; and (3) ensuring that the AAC source is in the correct electrical alignment to supply power to designated safe shutdown loads.

Prior to relying on its availability, a permanent AAC power source would be determined to be available by starting the AAC source and verifying proper operation. In addition, initial and periodic testing, surveillance, and maintenance conform to NUMARC 87-00, Revision 1, Appendix B, "Alternate AC Power Criteria" guidelines. The guidelines include provisions for quarterly functional testing, timed starts and load capacity testing on a fuel cycle basis, surveillance and maintenance consistent with manufacturers recommendations, and initial testing of capability to power required shutdown equipment within the necessary time.

A.1 To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the OPERABILITY of the remaining required offsite circuit on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition C, for two offsite circuits inoperable, is entered.

A.2 Required Action A.2, which only applies if the train cannot be powered from an offsite source, is intended to provide assurance that an event coincident with a single failure of the associated DG will not result in a complete loss of safety function of critical redundant required features.

These redundant required features are those that are assumed to function to mitigate an accident, coincident with a loss of offsite power, in the safety analyses, such as the Emergency Core Cooling System and Auxiliary Feedwater System. These redundant required features do not include monitoring requirements, such as Post Accident Monitoring and Remote Shutdown. These features are powered from the redundant AC electrical power train.

Beaver Valley Units 1 and 2 B 3.8.1 - 6 Revision 25

AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)

A single motor driven auxiliary feedwater (AFW) pump does not provide sufficient flow to meet the most limiting accident analysis assumptions.

Two out of the three AFW pumps are necessary to assure sufficient flow to meet the accident analyses. Therefore, in order to ensure the AFW safety function is maintained, the turbine driven AFW pump must be considered a redundant required feature for the purposes of this Required Action.

For Unit 2 only, the Train "B" (RHR) ADV cannot provide sufficient steam relief capacity in a prompt enough manner to meet the most limiting accident analysis assumptions upon the onset of a Steam Generator (SG)

Tube Rupture until the ruptured SG is isolated from the Train B ADV flow path. Therefore, in order to ensure the ADV steam relief safety function is maintained for the purpose of preventing SG overfill with the "A" train offsite circuit inoperable, the three Train "A" ADVs must be considered a redundant required feature for the purposes of this Required Action.

When determining if the required redundant feature(s) are available, as specified in this Required Action, the Train "A" ADVs are only required to be capable of local manual operation.

The Completion Time for Required Action A.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. The train has no offsite power supplying its loads and

b. A required feature on the other train is inoperable.

If at any time during the existence of Condition A (one offsite circuit inoperable) a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

Discovering no offsite power to one train of the onsite Class 1E Electrical Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with the other train that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to Train A and Train B of the onsite Class 1E Distribution System. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

Beaver Valley Units 1 and 2 B 3.8.1 - 7 Revision 25

AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)

A.3 According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition A for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. The following discussion and the 17 day Completion Time stated in the Action Condition assume the extended 14 day DG Completion Time is applied (see the requirements for applying the extended DG Completion Time discussed at the beginning of the Actions section of the Bases). If the Normal 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months DG Completion Time is applied, the limiting Completion Time for not meeting the LCO discussed below would be 144 hours0.00167 days 0.04 hours 2.380952e-4 weeks 5.4792e-5 months (72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months plus 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months ) instead of 17 days (72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months plus 14 days).

If Condition A is entered while, for instance, a DG is inoperable and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 14 days. This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 14 days (for a total of 31 days) allowed prior to complete restoration of the LCO. The 17 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 17 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition A was entered.

Beaver Valley Units 1 and 2 B 3.8.1 - 8 Revision 13

AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)

B.1 To ensure a highly reliable power source remains with an inoperable DG, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered.

B.2 Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety function of critical redundant required features.

Redundant required feature failures consist of inoperable features associated with a train, redundant to the train that has an inoperable DG.

A single motor-driven AFW pump does not provide sufficient flow to meet the most limiting accident analysis assumptions. Two out of the three AFW pumps are necessary to assure sufficient flow to meet the accident analyses. Therefore, in order to ensure the AFW safety function is maintained, the turbine-driven AFW pump must be considered a redundant required feature for the purposes of this Required Action.

For Unit 2 only, the Train "B" (RHR) ADV cannot provide sufficient steam relief capacity in a prompt enough manner to meet the most limiting accident analysis assumptions upon the onset of a Steam Generator (SG)

Tube Rupture until the ruptured SG is isolated from the Train B ADV flow path. Therefore, in order to ensure the ADV steam relief safety function is maintained for the purpose of preventing SG overfill with the "A" train DG inoperable, the three Train "A" ADVs must be considered a redundant required feature for the purposes of this Required Action. When determining if the required redundant feature(s) are available, as specified in this Required Action, the Train "A" ADVs are only required to be capable of local manual operation.

The Completion Time for Required Action B.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

Beaver Valley Units 1 and 2 B 3.8.1 - 9 Revision 25

AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)

a. An inoperable DG exists and

b. A required feature on the other train (Train A or Train B) is inoperable.

If at any time during the existence of this Condition (one DG inoperable) a required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.

Discovering one required DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DG, results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is Acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

In this Condition, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

B.3.1 and B.3.2 Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DG. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.2 does not have to be performed. Examples of these activities, which do not require performance of SR 3.8.1.2 for the OPERABLE DG, include testing, preplanned preventative maintenance, and individual testable components. If the cause of inoperability exists on another DG, the other DG would be declared inoperable upon discovery and Condition E of LCO 3.8.1 would be entered. Once the failure is repaired, the common cause failure no longer exists, and Required Action B.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG, performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of that DG.

Beaver Valley Units 1 and 2 B 3.8.1 - 10 Revision 13

AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)

In the event the inoperable DG is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the plant corrective action program will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months constraint imposed while in Condition B.

According to Generic Letter 84-15 (Ref. 7), 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is reasonable to confirm that the OPERABLE DG(s) is not affected by the same problem as the inoperable DG.

B.4 In Condition B, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The 14 day Completion Time is risk informed and based on a plant specific risk analysis and includes the normal 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time which is not risk informed. The Completion Time also takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period. The Completion Time specified for Required Action B.4 is the extended 14 day DG Completion Time (see the requirements for applying the extended DG Completion Time discussed at the beginning of the Actions section of the Bases). If the requirements for the 14 day Completion Time are not met, the normal 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time applies. If the 14 day Completion Time is applied, and if at any time during this extended Completion Time the requirements for using the 14 day Completion Time are not met, the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time becomes applicable unless the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time has expired, in which case the shutdown requirements of Required Action G would apply.

The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. The following discussion and the Completion Times specified for Required Action B.4 assume the extended 14 day DG Completion Time is applied (see the requirements for applying the extended DG Completion Time discussed at the beginning of the Actions section of the Bases). If the normal 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months DG Completion Time is applied, the limiting Completion Time for not meeting the LCO discussed below would be 144 hours0.00167 days 0.04 hours 2.380952e-4 weeks 5.4792e-5 months (72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months plus 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months ) instead of 17 days (72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months plus 14 days).

Beaver Valley Units 1 and 2 B 3.8.1 - 11 Revision 13

AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)

If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (for a total of 20 days) allowed prior to complete restoration of the LCO. The 17 day Completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 14 day and 17 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition B was entered.

C.1 and C.2 Required Action C.1, which applies when two offsite circuits are inoperable, is intended to provide assurance that an event with a coincident single failure will not result in a complete loss of redundant required features. These redundant required features are those that are assumed to function to mitigate an accident, coincident with a loss of offsite power, in the safety analyses, such as the Emergency Core Cooling System and Auxiliary Feedwater System. These redundant required features do not include monitoring requirements, such as Post Accident Monitoring and Remote Shutdown. These features are powered from redundant AC safety trains. The Completion Time for this failure of redundant required features is reduced to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months from that allowed for one train without offsite power (Required Action A.2). The rationale for the reduction to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is that Regulatory Guide 1.93 (Ref. 6) allows a Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for two required offsite circuits inoperable, based upon the assumption that two complete safety trains are OPERABLE. When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is appropriate.

The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:

a. All required offsite circuits are inoperable and

b. A required feature is inoperable.

Beaver Valley Units 1 and 2 B 3.8.1 - 12 Revision 25

AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)

If at any time during the existence of Condition C (two offsite circuits inoperable) a required feature becomes inoperable, this Completion Time begins to be tracked.

According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition C for a period that should not exceed 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources.

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable.

However, two factors tend to decrease the severity of this level of degradation:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure and

b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.

According to Reference 6, with the available offsite AC sources, two less than required by the LCO, operation may continue for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . If two offsite sources are restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , unrestricted operation may continue. If only one offsite source is restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , power operation continues in accordance with Condition A.

Beaver Valley Units 1 and 2 B 3.8.1 - 13 Revision 13

AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)

D.1 and D.2 Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition D are modified by a Note to indicate that when Condition D is entered with no AC source to any train, the Conditions and Required Actions for LCO 3.8.9, "Distribution Systems - Operating," must be immediately entered. This allows Condition D to provide requirements for the loss of one offsite circuit and one DG, without regard to whether a train is de-energized. LCO 3.8.9 provides the appropriate restrictions for a de-energized train.

According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition D for a period that should not exceed 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

In Condition D, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in Condition C (loss of both required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

E.1 With Train A and Train B DGs inoperable, there are no remaining standby AC sources. Thus, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions. Since the offsite electrical power system is the only source of AC power for this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown (the immediate shutdown could cause grid instability, which could result in a total loss of AC power). Since any inadvertent generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

According to Reference 6, with both DGs inoperable, operation may continue for a period that should not exceed 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

Beaver Valley Units 1 and 2 B 3.8.1 - 14 Revision 13

AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)

F.1.1, F.1.2, and F.2 Condition F is entered any time a required sequence timer(s) becomes inoperable. Required Action F.1.1 requires that action be taken immediately to place the affected component (ESF equipment) in a condition where it can not be automatically loaded to its emergency bus.

Required Action F.1.1 provides assurance that the DG loading sequence will not be adversely affected by the inoperable sequence timer(s) (i.e.,

the component will not be loaded onto an emergency bus at an incorrect time). Therefore, rendering a component with an inoperable sequence timer(s) incapable of loading to the emergency bus prevents a possible overload condition. Required Action F.1.2 requires that the appropriate Condition and Required Actions associated with the affected individual component(s) made inoperable by the inoperable sequence timer(s) be applied immediately. Thus, Required Actions F.1.1 and F.1.2 serve to isolate the affected component(s) from the emergency bus and assure the appropriate remedial measures for the affected component(s) are taken in a timely manner. Required Action F.2 provides an alternative option to Required Actions F.1.1 and F.1.2. Required Action F.2 simply requires that the associated DG be immediately declared inoperable.

A Note modifies Condition F. The Note states that separate Condition entry is allowed for each inoperable sequence timer(s) for a DG.

G.1 and G.2 If the inoperable AC electric power sources cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems.

H.1 Condition H corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

Beaver Valley Units 1 and 2 B 3.8.1 - 15 Revision 13

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE The AC sources are designed to permit inspection and testing of all REQUIREMENTS important areas and features, especially those that have a standby function, as discussed in Reference 8. Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for demonstrating the OPERABILITY of the DGs are in accordance with the recommendations of Reference 3, Regulatory Guide 1.108 (Ref. 9), and Regulatory Guide 1.137 (Ref. 10), as addressed in the UFSAR.

Where the SRs discussed herein specify voltage and frequency tolerances, the following is applicable. The minimum steady state output voltage for Unit 1 is 4106 V and for Unit 2 is 3994 V. The SR value bands specified for voltage and frequency for each Unit are analysis values, except for the frequency values of 58.8 Hz to 61.2 Hz specified for Unit 1 in SRs 3.8.1.2 and 3.8.1.8. These Unit 1 Frequency tolerances are Regulatory Guide 1.9 recommendations.

NOTE: The voltage and frequency values specified in each SR need to be reduced or increased, as appropriate, to account for measurement uncertainties.

The specified maximum steady state output voltage of 4368 V is equal to the maximum operating voltage specified for 4000 V motors. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum rated operating voltages.

NOTE: The kW and power factor requirements specified in the SRs are indicated values.

SR 3.8.1.1 This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to their preferred power source, and that appropriate independence of offsite circuits is maintained. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.2 The SR helps to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and to maintain the unit in a safe shutdown condition.

Beaver Valley Units 1 and 2 B 3.8.1 - 16 Revision 29

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

To minimize the wear on moving parts that do not get lubricated when the engine is not running, the SR is modified by Note 1 to indicate that all DG starts for this Surveillance may be preceded by an engine prelube period and followed by a warmup period prior to loading.

For the purpose of SR 3.8.1.2 testing, the DGs are started from standby conditions. Standby conditions for a DG mean that the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations. Barring of the engine may be performed prior to DG start without invalidating SR for starting from standby conditions.

In order to reduce stress and wear on diesel engines, some manufacturers recommend a modified start in which the starting speed of DGs is limited, warmup is limited to this lower speed, and the DGs are gradually accelerated to synchronous speed prior to loading. These start procedures are the intent of Note 2, which is only applicable when such modified start procedures are recommended by the manufacturer.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.3 This Surveillance verifies that the DGs are capable of synchronizing with the offsite electrical system and accepting loads equivalent to the continuous duty rating of the DG. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source.

Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0.

The 0.8 value is the design rating of the machine, while the 1.0 is an operational limitation to ensure circulating currents are minimized. The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.8.1 - 17 Revision 29

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

This SR is modified by four Notes. Note 1 indicates that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer so that mechanical stress and wear on the diesel engine are minimized. Note 2 states that momentary transients, because of changing bus loads, do not invalidate this test. Similarly, momentary power factor transients outside the normal operating range do not invalidate the test. Note 3 indicates that this Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations. Note 4 stipulates a prerequisite requirement for performance of this SR. A successful DG start must precede this test to credit satisfactory performance.

SR 3.8.1.4.1 and SR 3.8.1.4.2 For Unit 1, this SR provides verification that the inventory of fuel oil in the day tank in combination with the engine mounted tank is greater than or equal to the required fuel oil inventory. The required Unit 1 inventory is expressed as an equivalent usable volume in gallons and is selected to ensure the DG can operate for more than 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months at full load plus 10%.

For Unit 2, this SR provides verification that the inventory of fuel oil in the day tank is greater than or equal to the required fuel oil inventory. The required Unit 2 inventory is expressed as an equivalent usable volume in gallons and is selected to ensure adequate fuel oil for a minimum of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of DG operation at full load plus 10%.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The SRs are modified by Notes that specify the applicable unit.

SR 3.8.1.5.1 and SR 3.8.1.5.2 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from these fuel oil tanks eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. This SR is for Beaver Valley Units 1 and 2 B 3.8.1 - 18 Revision 29

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) preventative maintenance. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed during the performance of this Surveillance.

SR 3.8.1.6 This Surveillance demonstrates that each required fuel oil transfer pump (only one pump required per DG) operates and transfers fuel oil from its associated storage tank to its associated day tank. This is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for fuel transfer systems are OPERABLE.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.7 Transfer of each 4.16 kV ESF bus power supply from the unit circuit to the system offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the shutdown loads. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.8 Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the largest single load without exceeding predetermined frequency and while maintaining a specified margin to the overspeed trip. The single load for each DG is as follows: For Unit 1 615 kW with a frequency limit of 66.2 Hz (993 RPM).

For Unit 2 825 kW with a frequency limit of 64.4 Hz (552 RPM). This Surveillance may be accomplished by either:

Beaver Valley Units 1 and 2 B 3.8.1 - 19 Revision 29

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

a. Tripping the DG output breaker or tripping the emergency feeder breaker with the DG carrying greater than or equal to its associated single largest post-accident load while paralleled to offsite power, or

b. Tripping its associated single largest post-accident load with the DG solely supplying the bus.

Consistent with the recommendations of Reference 11, the load rejection test is acceptable if the increase in diesel speed does not exceed 75% of the difference between synchronous speed and the overspeed trip setpoint, or 15% above synchronous speed, whichever is lower.

The time, voltage, and frequency tolerances specified in this SR are derived from Reference 3 recommendations for response during load sequence intervals. The 3 and 4 seconds specified are equal to 60% and 80%, respectively, of a typical 5 second load sequence interval associated with sequencing of the largest load. The voltage and frequency specified are consistent with the design range of the equipment powered by the DG. SR 3.8.1.8.a corresponds to the maximum frequency excursion, while SR 3.8.1.8.b and SR 3.8.1.8.c are steady state voltage and frequency values to which the system must recover following load rejection. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. The reason for Note 1 is that during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems.

This restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g. post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.

Credit may be taken for unplanned events that satisfy this SR.

Beaver Valley Units 1 and 2 B 3.8.1 - 20 Revision 29

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Note 2 ensures that the DG is tested under load conditions that are as close to design basis conditions as possible. When synchronized with offsite power, testing should be performed at a power factor of 0.89.

This power factor is representative of the actual inductive loading a DG would see under design basis accident conditions. Under certain conditions, however, Note 2 allows the surveillance to be conducted at a power factor other than 0.89. These conditions may occur, for example, when the grid voltage is such that the DG excitation levels needed to obtain a power factor of 0.89 are in excess of those recommended for the DG. In cases such as this, the power factor shall be maintained as close as practicable to 0.89 without exceeding any applicable limits.

SR 3.8.1.9 This Surveillance demonstrates that DG noncritical protective functions (e.g., high jacket water temperature if they exist) are bypassed on a loss of voltage emergency start signal. The noncritical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition.

This alarm provides the operator with sufficient time to react appropriately. The DG availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required DG from service. This restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g. post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.

Credit may be taken for unplanned events that satisfy this SR.

Beaver Valley Units 1 and 2 B 3.8.1 - 21 Revision 29

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.1.10 This Surveillance demonstrates that the DGs can start and run continuously at or near full load conditions for not less than 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . The Surveillance requires that each DG be run for 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months loaded from a minimum of the calculated accident load for Unit 1, and the continuous duty rating of the DG for Unit 2, up to a maximum loading of the 2000 hour0.0231 days 0.556 hours 0.00331 weeks 7.61e-4 months rating for each DG. Additionally, the Surveillance requires that each DG be run for the remainder of the 8-hour requirement loaded to the equivalent of the continuous duty rating of the DG. The required run duration of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is consistent with the recommendations of IEEE Standard 387-1995 (Ref. 13). The DG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelubricating and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.

The load band is provided to avoid routine overloading of the DG.

Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This Surveillance is modified by three Notes. Note 1 provides an allowance such that momentary transients due to changing bus loads do not invalidate this test. The allowance provided by Note 1 includes the transition between the required load ranges specified in SR 3.8.1.10 part a and part b. Similarly, momentary power factor transients outside of the power factor required range will not invalidate the test.

The reason for Note 2 is that during operation with the reactor critical, performance of this Surveillance could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems. This restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients Beaver Valley Units 1 and 2 B 3.8.1 - 22 Revision 29

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment. Credit may be taken for unplanned events that satisfy this SR.

Note 3 ensures that the DG is tested under load conditions that are as close to design basis conditions as possible. When synchronized with offsite power, testing should be performed at a power factor of 0.89.

This power factor is representative of the actual inductive loading a DG would see under design basis accident conditions. Under certain conditions, however, Note 3 allows the Surveillance to be conducted at a power factor other than 0.89. These conditions may occur, for example, when the grid voltage is such that the DG excitation levels needed to obtain a power factor of 0.89 are in excess of those recommended for the DG. In cases such as this, the power factor shall be maintained close as practicable to 0.89 without exceeding any applicable limits.

SR 3.8.1.11 Consistent with the recommendations of Regulatory Guide 1.108 (Ref. 9),

paragraph 2.a.(6), this Surveillance ensures that the manual synchronization and load transfer from the DG to the offsite source can be made. For Unit 1, the Surveillance also verifies that the DG proceeds through its normal shutdown sequence after transferring its load. For Unit 2, the Surveillance verifies that the DG can be returned to ready to load status when offsite power is restored. It also ensures that the autostart logic is reset to allow the Unit 2 DG to reload if a subsequent loss of offsite power occurs. The Unit 2 DG is considered to be in ready to load status when the DG is at nominal speed and voltage, the output breaker is open and can receive an autoclose signal on bus undervoltage, and the load sequence timer(s) are reset.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.8.1 - 23 Revision 29

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment. Credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.12 For the Unit 2 DGs, demonstration of the test mode override ensures that the DG availability under accident conditions will not be compromised as the result of testing and the DG will automatically reset to ready to load operation if a LOCA actuation signal is received during operation in the test mode. Ready to load operation is defined as the DG running at nominal speed and voltage with the DG output breaker open. These provisions for automatic switchover are consistent with the recommendations of IEEE-308 (Ref. 11), paragraph 6.2.6(2).

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. Note 1 states that the SR is applicable to Unit 2 only. The reason for Note 2 is that performing the Surveillance may perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, Beaver Valley Units 1 and 2 B 3.8.1 - 24 Revision 29

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes.

These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, 3, or 4.

Risk insights or deterministic methods may be used for the assessment.

Credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.13 Under accident with loss of offsite power conditions loads are sequentially connected to the bus by the automatic load sequence timer(s). The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents. The verification that each automatic load sequence time is within +/- 10% of the required value ensures that sufficient time exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated. Reference 2 provides a summary of the automatic loading of ESF buses.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.

This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system Beaver Valley Units 1 and 2 B 3.8.1 - 25 Revision 29

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1, 2, 3, or 4.

Risk insights or deterministic methods may be used for this assessment.

Credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.14 In the event of a DBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.

This Surveillance demonstrates the DG operation during a loss of offsite power actuation test signal in conjunction with an ESF actuation signal.

The requirement to verify the connection and power supply of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, or high pressure injection systems are not capable of being operated at full flow.

In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The 10 second start requirement supports the assumptions of the design basis accident analyses described in the UFSAR (Ref. 5). The 10 second timing requirement begins when the DG start signal is received by the DG start circuit and does not include the time it takes the instrumentation to detect a loss of voltage on the emergency busses.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.8.1 - 26 Revision 29

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

This SR is modified by two Notes. The reason for Note 1 is to minimize wear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations for DGs. Barring of the engine may be performed prior to DG start without invalidating the requirement for starting from standby conditions. The reason for Note 2 is that the performance of the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes.

These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, 3, or 4.

Risk insights or deterministic methods may be used for the assessment.

Credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.15 This Surveillance demonstrates that the DG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. Note 1 states that the SR is applicable to Unit 2 only. The reason for the second Note is to minimize wear on the DG during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. Barring of the engine may be performed prior to DG start without invalidating the requirement for starting from standby conditions.

Beaver Valley Units 1 and 2 B 3.8.1 - 27 Revision 29

AC Sources - Operating B 3.8.1 BASES REFERENCES 1. Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U. S. Nuclear Regulatory Commission General Design Criteria.

2. UFSAR, Chapter 8.

3. Regulatory Guide 1.9, UFSAR Section 8.5 for Unit 1 and UFSAR Chapter 1.8 - 1 for Unit 2.

4. UFSAR, Chapter 6.

5. UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2.

6. Regulatory Guide 1.93, Rev. 0, December 1974.

7. Generic Letter 84-15, "Proposed Staff Actions to Improve and Maintain Diesel Generator Reliability," July 2, 1984.

8. Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U. S. Nuclear Regulatory Commission General Design Criteria."

9. Regulatory Guide 1.108, Rev. 1, August 1977 (Unit 2).

10. Regulatory Guide 1.137, Rev. 1, October 1979 (Unit 2).

11. IEEE Standard 308 Unit 1-1971 and Unit 2-1974.

12. License Amendment Nos. 268 (Unit 1) and 150 (Unit 2) and associated NRC Safety Evaluation Report issued September 29, 2005.

13. IEEE Standard 387-1995.

Beaver Valley Units 1 and 2 B 3.8.1 - 28 Revision 29

AC Sources - Shutdown B 3.8.2 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.2 AC Sources - Shutdown BASES BACKGROUND A description of the AC sources is provided in the Bases for LCO 3.8.1, "AC Sources - Operating."

APPLICABLE The OPERABILITY of the minimum AC sources during MODES 5 and 6 SAFETY and during movement of irradiated fuel assemblies or movement of fuel ANALYSES assemblies over irradiated fuel assemblies for Unit 1 (which includes recently irradiated fuel) and during movement of recently irradiated fuel assemblies or movement of fuel assemblies over recently irradiated fuel assemblies for Unit 2 ensure that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods,

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status, and

c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

The current fuel handling accident safety analysis does not rely on the automatic actuation of any systems or components to mitigate the accident. Furthermore, the current fuel handling accident analysis does not assume isolation or filtration to mitigate the event. However, in order to limit the control room dose following a fuel handling accident, Unit 1 must purge the control room atmosphere for 30 minutes following termination of the release (2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months after the accident). The required Unit 1 purge is a manual action for which the Technical Specifications require power (LCO 3.8.2) and ventilation system (LCO 3.7.11)

OPERABILITY when moving any irradiated fuel assemblies or fuel assemblies over any irradiated fuel assemblies. The Unit 1 requirement to purge the control room after a fuel handling accident involving any type of irradiated fuel is the reason for the difference in the fuel movement applicability for each unit in LCO 3.8.2 and LCO 3.7.11.

Although not a specific assumption of the safety analyses, this Specification requires that the DG automatically start, connect to the emergency bus, and automatically sequence the required loads. This capability in conjunction with the loss of voltage relays required OPERABLE by LCO 3.3.5, "Loss of Power (LOP) DG Start and Bus Separation Instrumentation," assures that a reliable source of AC power Beaver Valley Units 1 and 2 B 3.8.2 - 1 Revision 0

AC Sources - Shutdown B 3.8.2 BASES APPLICABLE SAFETY ANALYSES (continued) is promptly available in the event offsite power is lost. In addition, this capability provides automatic protection against degraded voltage conditions (via the degraded voltage sensing relays required OPERABLE in LCO 3.3.5) that could damage equipment required to maintain the unit in a safe shutdown condition. Therefore, the prompt availability of reliable backup emergency power provides additional assurance that the unit can be maintained in a safe shutdown condition in the event the grid becomes unstable.

Current requirements based on the decay time of the fuel prevent the movement of recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ). However, the Technical Specifications continue to address fuel movement involving recently irradiated fuel to support requirements for isolation or filtration that may be necessary to mitigate a fuel handling accident involving recently irradiated fuel. The retention of requirements within the Technical Specifications, in case the requirements are necessary to support fuel movement involving recently irradiated fuel, is consistent with the guidance of Reference 1.

In general, when the unit is shut down, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required.

The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6. Worst case bounding events are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

During MODES 1, 2, 3, and 4, various deviations from the analysis assumptions and design requirements are allowed within the Required Actions. This allowance is in recognition that certain testing and maintenance activities must be conducted provided an acceptable level of risk is not exceeded. During MODES 5 and 6, performance of a significant number of required testing and maintenance activities is also required. In MODES 5 and 6, the activities are generally planned and administratively controlled. Relaxations from MODE 1, 2, 3, and 4 LCO requirements are acceptable during shutdown modes based on:

Beaver Valley Units 1 and 2 B 3.8.2 - 2 Revision 0

AC Sources - Shutdown B 3.8.2 BASES APPLICABLE SAFETY ANALYSES (continued)

a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.

b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operating MODE analyses, or both.

c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.

d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODE 1, 2, 3, and 4 OPERABILITY requirements) with systems assumed to function during an event.

In the event of an accident during shutdown, this LCO ensures the capability to support systems necessary to avoid immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite diesel generator (DG) power.

The AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO One offsite circuit capable of supplying the onsite Class 1E power distribution subsystem(s) of LCO 3.8.10, "Distribution Systems -

Shutdown," ensures that all required loads are powered from offsite power. An OPERABLE DG, associated with the distribution system train required to be OPERABLE by LCO 3.8.10, ensures a diverse power source is available to provide electrical power support, assuming a loss of the offsite circuit. Together, OPERABILITY of the required offsite circuit and DG ensures the availability of sufficient AC sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents involving irradiated fuel (Unit 1) and recently irradiated fuel (Unit 2)).

The qualified offsite circuit must be capable of maintaining nominal frequency and voltage, and accepting required loads during an accident, while connected to the Engineered Safety Feature (ESF) bus(es).

Qualified offsite circuits are those that are described in the UFSAR and are part of the licensing basis for the unit.

During normal plant operation, electrical power for the onsite circuits comes from either the main generator through 22 kV to 4.36 kV unit station service transformers or from the two independent offsite 138 kV buses through 138 kV to 4.36 kV system station service transformers.

Beaver Valley Units 1 and 2 B 3.8.2 - 3 Revision 0

AC Sources - Shutdown B 3.8.2 BASES LCO (continued)

The secondary windings of the transformers are connected to four separate 4.16 kV normal buses, A, B, C, and D. Buses A and D provide power for the two redundant Class 1E 4.16 kV emergency buses AE and DF, respectively. During plant shutdown, the emergency buses receive power from the system station service transformers, or may receive power from the unit station service transformers by backfeeding the main transformer.

The DG must be capable of starting, accelerating to nominal speed and voltage, and connecting to its respective ESF bus on detection of bus undervoltage. This sequence must be accomplished within 10 seconds.

The 10 second timing requirement begins when the DG start signal is received by the DG start circuit and does not include the time it takes the instrumentation to detect a loss of voltage on the emergency busses. The DG must be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby with the engine hot and DG in standby at ambient conditions.

Proper sequencing of required loads, including tripping of nonessential loads, is a required function for DG OPERABILITY.

It is acceptable for trains to be cross tied during shutdown conditions, allowing a single offsite power circuit to supply all required trains.

APPLICABILITY The AC sources required to be OPERABLE in MODES 5 and 6 and during movement of irradiated fuel or movement of fuel assemblies over irradiated fuel assemblies for Unit 1 (which includes recently irradiated fuel) and during movement of recently irradiated fuel assemblies or movement of fuel assemblies over recently irradiated fuel assemblies for Unit 2 provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core,

b. Systems needed to mitigate a fuel handling accident involving irradiated fuel (Unit 1) and recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months (Unit 2) are available,

c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available, and Beaver Valley Units 1 and 2 B 3.8.2 - 4 Revision 4

AC Sources - Shutdown B 3.8.2 BASES APPLICABILITY (continued)

d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

The AC power requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.1.

ACTIONS LCO 3.0.3 is not applicable while in MODE 5 or 6. However, since fuel assembly movement can occur in MODE 1, 2, 3, or 4, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operations. Entering LCO 3.0.3, while in MODE 1, 2, 3, or 4 would require the unit to be shutdown unnecessarily.

A.1 An offsite circuit would be considered inoperable if it were not available to the necessary portions of the electrical power distribution subsystem(s).

One train with offsite power available may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and fuel movement. By the allowance of the option to declare required features inoperable, with no offsite power available, appropriate restrictions will be implemented in accordance with the affected required features LCO's ACTIONS.

A.2.1, A.2.2, A.2.3, A.2.4, A.2.5, B.1, B.2, B.3, B.4, and B.5 With the offsite circuit not available to all required trains, the option would still exist to declare all required features inoperable. Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With the required DG inoperable, the minimum required diversity of AC power sources is not available. It is, therefore, required to suspend CORE ALTERATIONS, movement of fuel assemblies, and operations involving positive reactivity additions that could result in loss of required SDM (MODE 5) or boron concentration (MODE 6). Suspending positive reactivity additions that could result in failure to meet the minimum SDM or boron concentration limit is required to assure continued safe operation.

Beaver Valley Units 1 and 2 B 3.8.2 - 5 Revision 0

AC Sources - Shutdown B 3.8.2 BASES ACTIONS (continued)

Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.

Suspension of these activities does not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability or the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC sources and to continue this action until restoration is accomplished in order to provide the necessary AC power to the unit safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during which the unit safety systems may be without sufficient power.

Pursuant to LCO 3.0.6, the Distribution System's ACTIONS would not be entered even if all AC sources to it are inoperable, resulting in de-energization. Therefore, the Required Actions of Condition A are modified by a Note to indicate that when Condition A is entered with no AC power to any required ESF bus, the ACTIONS for LCO 3.8.10 must be immediately entered. This Note allows Condition A to provide requirements for the loss of the offsite circuit, whether or not a train is de-energized. LCO 3.8.10 would provide the appropriate restrictions for the situation involving a de-energized train.

SURVEILLANCE SR 3.8.2.1 REQUIREMENTS SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in other than MODES 1, 2, 3, and 4. SR 3.8.1.7 is not required to be met since power is normally supplied by the offsite circuit. SR 3.8.1.12 is not required to be met because the required OPERABLE DG(s) is not required to undergo periods of being synchronized to the offsite circuit. SR 3.8.1.15 is excepted because starting independence is not required with the DG(s) that is not required to be operable.

Beaver Valley Units 1 and 2 B 3.8.2 - 6 Revision 0

AC Sources - Shutdown B 3.8.2 BASES SURVEILLANCE REQUIREMENTS (continued)

This SR is modified by three Notes. The reason for Note 1 is to preclude requiring the OPERABLE DG(s) from being paralleled with the offsite power network or otherwise rendered inoperable during performance of SRs, and to preclude deenergizing a required 4160 V ESF bus or disconnecting a required offsite circuit during performance of SRs. With limited AC sources available, a single event could compromise both the required circuit and the DG. It is the intent that these SRs must still be capable of being met, but actual performance is not required during periods when the DG and offsite circuit is required to be OPERABLE. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR.

Note 2 limits the scope of the requirement to verify the automatic load sequencing functions. The Note recognizes that the majority of equipment automatically sequenced on the emergency bus is not required to assure safe operation of the plant in shutdown MODES. The Note limits the verifications required by SR 3.8.1.13 and SR 3.8.1.14 to those loads required in the Applicable MODES of LCO 3.8.2. The required loads are the loads required OPERABLE by Technical Specifications and loads necessary to support the OPERABILITY of the loads required OPERABLE by Technical Specifications. Prior to entry into MODE 4, the verifications required by SR 3.8.1.13 and SR 3.8.1.14 must be complete for all loads required in MODES 1, 2, 3, and 4 in accordance with SR 3.0.4.

Note 3 clarifies the requirements of SR 3.8.1.14 such that only the DG response to the loss of offsite power must be verified to confirm OPERABILITY in the shutdown conditions addressed by LCO 3.8.2. No ESF (i.e., safety injection) actuation of the DG is required to be verified during the shutdown conditions addressed by LCO 3.8.2. Note 3 does not preclude the verification of ESF actuations and is only intended to clarify that an ESF actuation is not required to confirm DG or emergency bus OPERABILITY during the shutdown conditions addressed by LCO 3.8.2.

REFERENCES 1. NUREG-1431, "Standard Technical Specifications for Westinghouse Plants," Rev. 2, April 2001.

Beaver Valley Units 1 and 2 B 3.8.2 - 7 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air BASES BACKGROUND A required Unit 2 diesel generator (DG) is provided with a storage tank having a fuel oil capacity sufficient to operate that diesel for a period of 7 days while the DG is supplying maximum post loss of coolant accident load demand discussed in Reference 1. Unit 1's fuel oil requirement provides three and one-half days of inventory for the associated storage tank. The maximum load demand is calculated using the assumption one DG is operated at full load for 7 days. This onsite fuel oil capacity is sufficient to operate the DGs for longer than the time to replenish the onsite supply from outside sources.

Fuel oil is transferred from storage tank to day tank by either of two transfer pumps associated with each storage tank. Redundancy of pumps and piping precludes the failure of one pump, or the rupture of any pipe, valve or tank to result in the loss of more than one DG. All outside tanks and piping are located underground.

For proper operation of the standby DGs, it is necessary to ensure the proper quality of the fuel oil. Regulatory Guide 1.137 (Ref. 2) addresses the recommended fuel oil practices as supplemented by Reference 3.

The fuel oil properties governed by these SRs are the water and sediment content, the kinematic viscosity, specific gravity (or API gravity), and impurity level.

The DG lubrication system is designed to provide sufficient lubrication to permit proper operation of its associated DG under all loading conditions.

The system is required to circulate the lube oil to the diesel engine working surfaces and to remove excess heat generated by friction during operation. The required lube oil inventory for each DG is sufficient to ensure 7 days of continuous operation. This supply is sufficient to allow the operator to replenish lube oil from outside sources.

Each DG has an air start system with adequate capacity for five successive start attempts on the DG without recharging the air start receiver(s). For Unit 1, the required air start capacity for each DG is met with two out of three air tanks in one of the two air banks at the specified air pressure. For Unit 2, one out of the two air banks (consisting of a single air tank) supplies sufficient volume at the specified pressure to meet the required capacity for each DG.

Beaver Valley Units 1 and 2 B 3.8.3 - 1 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY analyses in the UFSAR, Chapter 6 (Ref. 4), and in Reference 5, ANALYSES assume Engineered Safety Feature (ESF) systems are OPERABLE. The DGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

Since diesel fuel oil, lube oil, and the air start subsystem support the operation of the standby AC power sources, they satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO Stored diesel fuel oil is required to have sufficient supply for 7 days of full load operation for Unit 2 DGs. Unit 1 DGs have a three and one-half day supply at a full load operation. It is also required to meet specific standards for quality. Additionally, sufficient lubricating oil supply must be available to ensure the capability to operate at full load for the required days. This requirement, in conjunction with an ability to obtain replacement supplies within the required days, supports the availability of DGs required to shut down the reactor and to maintain it in a safe condition for an anticipated operational occurrence (AOO) or a postulated DBA with loss of offsite power. DG day tank and (engine mounted tank for Unit 1 only) fuel requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO 3.8.1, "AC Sources -

Operating," and LCO 3.8.2, "AC Sources - Shutdown."

The starting air system is required to have a minimum capacity for five successive DG start attempts without recharging the air start receivers.

APPLICABILITY The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an AOO or a postulated DBA. Since stored diesel fuel oil, lube oil, and the starting air subsystem support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil, lube oil, and starting air are required to be within limits when the associated DG is required to be OPERABLE.

Beaver Valley Units 1 and 2 B 3.8.3 - 2 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each DG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable DG subsystem. Complying with the Required Actions for one inoperable DG subsystem may allow for continued operation, and subsequent inoperable DG subsystem(s) are governed by separate Condition entry and application of associated Required Actions.

A.1 In this Condition, the 7 day fuel oil supply for a DG is not available for Unit 2. In this condition, the three and one-half day fuel oil supply for a DG is not available for Unit 1. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply for Unit 2 and a three day supply for Unit 1. These circumstances may be caused by events, such as full load operation required after an inadvertent start while at minimum required level, or feed and bleed operations, which may be necessitated by increasing particulate levels or any number of other oil quality degradations. This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of fuel oil to the tank. A period of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is considered sufficient to complete restoration of the required level prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity ( 6 days for Unit 2 and a three day supply for Unit 1), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.

B.1 With lube oil inventory < 330 gal, sufficient lubricating oil to support 7 days of continuous DG operation at full load conditions may not be available. However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply. This restriction allows sufficient time to obtain the requisite replacement volume. A period of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is considered sufficient to complete restoration of the required volume prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity ( 6 days), the low rate of usage, the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.

C.1 This Condition is entered as a result of a failure to meet the acceptance criterion of SR 3.8.3.3. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling),

Beaver Valley Units 1 and 2 B 3.8.3 - 3 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS (continued) contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend. Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, and particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and proper engine performance has been recently demonstrated (within 92 days), it is prudent to allow a brief period prior to declaring the associated DG inoperable. The 7 day Completion Time allows for further evaluation, resampling and re-analysis of the DG fuel oil.

D.1 With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or to restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combinations of these procedures. Even if a DG start and load was required during this time interval and the fuel oil properties were outside limits, there is a high likelihood that the DG would still be capable of performing its intended function.

E.1 With starting air receiver pressure < 165 psig for Unit 1 and < 380 psig for Unit 2, sufficient capacity for five successive DG start attempts does not exist. However, as long as the receiver pressure is 125 psig for Unit 1 and 285 psig for Unit 2, there is adequate capacity for at least one start attempt, and the DG can be considered OPERABLE while the air receiver pressure is restored to the required limit. A period of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is considered sufficient to complete restoration to the required pressure prior to declaring the DG inoperable. This period is acceptable based on the remaining air start capacity, the fact that most DG starts are accomplished on the first attempt, and the low probability of an event during this brief period.

F.1 With a Required Action and associated Completion Time not met, or one or more DG's fuel oil, lube oil, or starting air subsystem not within limits for reasons other than addressed by Conditions A through E, the associated DG may be incapable of performing its intended function and must be immediately declared inoperable.

Beaver Valley Units 1 and 2 B 3.8.3 - 4 Revision 0

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE SR 3.8.3.1 REQUIREMENTS This SR provides verification that there is an adequate usable inventory of fuel oil in the storage tanks to support a DG's operation for three and one-half days for Unit 1 and 7 days for Unit 2. This is sufficient time to place the unit in a safe shutdown condition and to bring in replenishment fuel from an offsite location.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.2 This Surveillance ensures that sufficient lube oil inventory is available to support at least 7 days of full load operation for each DG. The required inventory for each DG is confirmed by verifying that a lube oil volume of 330 gallons (six 55 gallon oil drums) is available, in storage, for each DG.

This required inventory is in addition to the lube oil in the DG sump required to maintain the manufacturer's recommended minimum sump level. If necessary to meet the required inventory, credit may be taken for lube oil in the DG sump above the manufacturer's recommended minimum sump level to supplement the required storage volume. The 330 gal requirement is based on the DG manufacturer consumption values for the run time of the DG. Implicit in this SR is the requirement to verify the capability to transfer the lube oil from its storage location to the DG, when the DG lube oil sump does not hold adequate inventory for 7 days of full load operation without the level reaching the manufacturer recommended minimum level.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.3 The tests of fuel oil prior to addition to the storage tanks (listed below) are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate, detrimental impact on diesel engine combustion. If results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank(s), but in no case is the time between receipt of new fuel and conducting the tests to exceed 31 days.

The tests, limits, and applicable ASTM Standards for the tests identified in TS 5.5.9, Diesel Fuel Oil Testing Program, are as follows:

Beaver Valley Units 1 and 2 B 3.8.3 - 5 Revision 29

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE REQUIREMENTS (continued)

a. Sample the new fuel oil in accordance with ASTM D4057-81 (Ref. 6),

b. Verify in accordance with the tests specified in ASTM D1298-80 (Ref. 6) that the sample has an absolute specific gravity at 60/60°F of 0.83 and 0.89 or an API gravity at 60°F of 27 degrees and 39 degrees or an API gravity of within 0.3 degrees at 60°F, or a specific gravity of within 0.0016 at 60/60°F when compared to the supplier's certificate,

c. Verify in accordance with the tests specified in ASTM D975-81 (Ref. 6), a flash point of 125°F; and, if gravity was not determined by a comparison with the suppliers certification, a kinematic viscosity at 40°C of 1.9 centistokes and 4.1 centistokes;

d. Verify that the new fuel oil has water and sediment content of less than or equal to 0.05% when tested in accordance with ASTM D1796-83 (Ref. 6).

Failure to meet any of the above limits is cause for rejecting the new fuel oil, but does not represent a failure to meet the LCO concern since the fuel oil is not added to the storage tanks.

Within 31 days following the initial new fuel oil sample, the fuel oil is analyzed to establish that the other properties specified in Table 1 of ASTM D975-81 (Ref. 7) are met for new fuel oil when tested in accordance with ASTM D975-81 (Ref. 6), except that the analysis for sulfur may be performed in accordance with ASTM D1552-79 (Ref. 6) or ASTM D2622-82 (Ref. 6). The 31 day period is acceptable because the fuel oil properties of interest, even if they were not within stated limits, would not have an immediate effect on DG operation. This Surveillance ensures the availability of high quality fuel oil for the DGs.

Fuel oil degradation during long term storage shows up as an increase in particulate, due mostly to oxidation. The presence of particulate does not mean the fuel oil will not burn properly in a diesel engine. The particulate can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure.

Particulate concentrations should be determined in accordance with ASTM D2276-78, Method A (Ref. 6). This method involves a gravimetric determination of total particulate concentration in the fuel oil and has a limit of 10 mg/l. It is acceptable to obtain a field sample for subsequent laboratory testing in lieu of field testing. Stored fuel oil volume is contained in more than one tank (i.e., day tanks and storage tanks); each tank is considered and tested separately.

Beaver Valley Units 1 and 2 B 3.8.3 - 6 Revision 1

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE REQUIREMENTS (continued)

The Frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change significantly between Frequency intervals.

SR 3.8.3.4 This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each DG is available. The system design requirements provide for a minimum of five engine start cycles without recharging. A start cycle is defined by the DG vendor, but usually is measured in terms of time (seconds of cranking) or engine cranking speed. The pressure specified in this SR is intended to reflect the lowest value at which the five starts can be accomplished. The air receiver volume that ensures the required air start capacity is met, at the specified pressures, consists of the following:

For Unit 1, two out of three air tanks in one of the two air banks for each DG, and For Unit 2, one out of the two air banks (consisting of a single air tank) for each DG.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel storage tanks eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, and contaminated fuel oil, and from breakdown of the fuel oil by bacteria.

Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. This SR is for preventative maintenance. The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed during performance of the Surveillance.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Beaver Valley Units 1 and 2 B 3.8.3 - 7 Revision 29

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES REFERENCES 1. UFSAR, Section 9.14.4 for Unit 1 and Section 9.5.4 for Unit 2.

2. Regulatory Guide 1.137.

3. UFSAR Section 9.14.6 for Unit 1 and UFSAR Section 9.5.4 for Unit 2.

4. UFSAR, Chapter 6.

5. UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2.

6. ASTM Standards: D4057-81, D1298-80, D975-81, D1796-83, D1552-79, D2622-82, and D2276-78, Method A.

7. ASTM Standards, D975-81, Table 1.

Beaver Valley Units 1 and 2 B 3.8.3 - 8 Revision 1

DC Sources - Operating B 3.8.4 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.4 DC Sources - Operating BASES BACKGROUND The station DC electrical power system provides the AC emergency power system with control power. It also provides both motive and control power to selected safety related equipment and preferred AC vital bus power (via inverters). As described by Reference 1, the DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure.

The DC electrical power system also conforms to the recommendations of Regulatory Guide 1.6 (Ref. 2) and IEEE-308 (Ref. 3) as addressed in the UFSAR.

The 125 VDC electrical power system consists of two independent and redundant safety related Class 1E DC electrical power subsystems (Train A and Train B). Each subsystem consists of two 125 VDC batteries (each battery 100% capacity for that portion of the subsystem),

the associated battery charger(s) for each battery, and all the associated control equipment and interconnecting cabling.

For Unit 1, the required battery banks are Banks 1-1 and 1-3 on the orange bus and Banks 1-2 and 1-4 on the purple bus. The Unit 1 battery chargers are designated 1-1 and 1-3 on the orange bus and 1-2 and 1-4 on the purple bus. The Unit 1 battery chargers designated 1-1, 1-2, 1-3, and 1-4 are each comprised of two redundant chargers, designated as 1-1A and 1-1B, 1-2A and 1-2B, 1-3A and 1-3B and 1-4A and 1-4B. Each of these redundant chargers can supply the full range of required loads for the 125 VDC bus. Only one of the two redundant battery chargers associated with each battery bank is required to be operable.

The required Unit 2 battery banks are Banks 2-1 and 2-3 on the orange bus and Banks 2-2 and 2-4 on the purple bus. The Unit 2 battery chargers are designated 2-1 and 2-3 on the orange bus and 2-2 and 2-4 on the purple bus. In addition, for Unit 2, spare chargers (2-7 and 2-9) are also provided. Spare battery chargers 2-7 and 2-9 are each fully qualified as a substitute for a primary battery charger. For Unit 2, one safety switch is provided for each DC bus to provide a backup method for battery charging and bus supply if the primary charger is out of service.

This is discussed in the UFSAR, Section 8.3.2.1 (Ref 4).

For Unit 1 and Unit 2, a spare charger that is fully qualified as described in the UFSAR and that meets applicable surveillance requirements, may be substituted as an operable charger.

During normal operation, the 125 VDC load is powered from the battery chargers with the batteries floating on the system. In case of loss of normal power to the battery charger, the DC load is automatically powered from the station batteries.

Beaver Valley Units 1 and 2 B 3.8.4 - 1 Revision 27

DC Sources - Operating B 3.8.4 BASES BACKGROUND (continued)

The Train A and Train B DC electrical power subsystems provide the control power for its associated Class 1E AC power load group, 4.16 kV switchgear, and 480 V load centers. The DC electrical power subsystems also provide DC electrical power to the inverters, which in turn power the AC vital buses.

The DC power distribution system is described in more detail in Bases for LCO 3.8.9, "Distribution System - Operating," and LCO 3.8.10, "Distribution Systems - Shutdown."

Each 125 VDC battery is separately housed in a ventilated room apart from its charger and distribution centers. Each subsystem is located in an area separated physically and electrically from the other subsystem to ensure that a single failure in one subsystem does not cause a failure in a redundant subsystem. There is no sharing between redundant Class 1E subsystems, such as batteries, battery chargers, or distribution panels.

Each battery has adequate storage capacity to meet the duty cycle(s) discussed in Reference 4. The battery is designed with additional capacity above that required by the design duty cycle to allow for temperature variations and other factors.

The batteries for Train A and Train B DC electrical power subsystems are sized to produce required capacity at 80% of nameplate rating, corresponding to warranted capacity at end of life cycles and the 100%

design demand. The minimum design voltage limit for each battery cell is 1.84 volts for batteries 1-1, 1-2, 2-1, 2-2, 2-3, and 2-4 and 1.864 volts for batteries 1-3 and 1-4.

Based on battery sizing calculations, a 5% design margin is maintained for the Enersys 2GN-13 model batteries (2-3 and 2-4) and a 2% design margin is maintained for the Enersys 2GN-21 model batteries (1-1, 1-2, 2-1, and 2-2). This margin is reserved for the batteries listed above in accordance with the battery vendor recommendations and NRC commitment in order to use the value of 2 amps float current to determine a fully charged battery (Ref. 9).

The battery cells are of flooded lead acid construction with a nominal specific gravity of 1.215. This specific gravity corresponds to an open circuit battery voltage of approximately 124 V for a 60 cell battery (i.e.,

cell voltage of 2.07 volts per cell (Vpc)). The open circuit voltage is the voltage maintained when there is no charging or discharging. Optimal long term performance, however, is obtained by maintaining a float voltage 2.25 Vpc. This provides adequate over-potential, which limits the formation of lead sulfate and self discharge. The nominal float voltage of 2.25 Vpc corresponds to a total float voltage output of 135 V for a 60 cell battery as discussed in Reference 4.

Beaver Valley Units 1 and 2 B 3.8.4 - 2 Revision 29

DC Sources - Operating B 3.8.4 BASES BACKGROUND (continued)

Each Train A and Train B DC electrical power subsystem battery charger has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each battery charger also has sufficient excess capacity to restore the battery from the design minimum charge to its fully charged state within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months while supplying normal steady state loads discussed in Reference 4.

The battery charger is normally in the float-charge mode. Float-charge is the condition in which the charger is supplying the connected loads and the battery cells are receiving adequate current to optimally charge the battery. This assures the internal losses of a battery are overcome and the battery is maintained in a fully charged state.

When desired, the charger can be placed in the equalize mode. The equalize mode is at a higher voltage than the float mode and charging current is correspondingly higher. The battery charger is operated in the equalize mode after a battery discharge or for routine maintenance.

Following a battery discharge, the battery recharge characteristic accepts current at the current limit of the battery charger (if the discharge was significant, e.g., following a battery service test) until the battery terminal voltage approaches the charger voltage setpoint. Charging current then reduces exponentially during the remainder of the recharge cycle. Lead-calcium batteries have recharge efficiencies of greater than 95%, so once at least 105% of the ampere-hours discharged have been returned, the battery capacity would be restored to the same condition as it was prior to the discharge. This can be monitored by direct observation of the exponentially decaying charging current or by evaluating the amp-hours discharged from the battery and amp-hours returned to the battery.

APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY analyses in the UFSAR, Chapter 6 (Ref. 5) and Reference 6, assume ANALYSES that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining the DC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite AC power or all onsite AC power and

b. A worst-case single failure.

The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Beaver Valley Units 1 and 2 B 3.8.4 - 3 Revision 27

DC Sources - Operating B 3.8.4 BASES LCO The DC electrical power subsystems, each subsystem consisting of two batteries, battery charger for each battery and the corresponding control equipment and interconnecting cabling supplying power to the associated bus within the train are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. Loss of any train DC electrical power subsystem does not prevent the minimum safety function from being performed (Ref. 4).

An OPERABLE DC electrical power subsystem requires all required batteries and respective chargers to be operating and connected to the associated DC bus(es).

APPLICABILITY The DC electrical power sources are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure safe unit operation and to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients and

b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.

The DC electrical power requirements for MODES 5 and 6 are addressed in the Bases for LCO 3.8.5, "DC Sources - Shutdown."

ACTIONS A.1, A.2, and A.3 Condition A represents one train with one or two battery chargers inoperable (e.g., the voltage limit of SR 3.8.4.1 is not maintained). The ACTIONS provide a tiered time response that focuses on returning the battery to the fully charged state and restoring a fully qualified charger to OPERABLE status in a reasonable time period. Required Action A.1 requires that the battery terminal voltage be restored to greater than or equal to the minimum established float voltage within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . The minimum established float voltage, measured at the battery terminals, is 2.13 volts per cell multiplied by the number of connected cells. The required number of connected cells is established in the battery sizing calculations (Ref. 10 through 17). The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit provides for returning the inoperable charger to OPERABLE status or providing an alternate means of restoring battery terminal voltage to greater than or equal to the minimum established float voltage. Restoring the battery terminal voltage to greater than or equal to the minimum established float voltage provides Beaver Valley Units 1 and 2 B 3.8.4 - 4 Revision 29

DC Sources - Operating B 3.8.4 BASES ACTIONS (continued) reasonable assurance that, within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , the battery will be restored to its fully charged condition (Required Action A.2) from any discharge that might have occurred due to the charger inoperability.

A discharged battery having terminal voltage of at least the minimum established float voltage indicates that the battery is on the exponential charging current portion (the second part) of its recharge cycle. The time to return a battery to its fully charged state under this condition is simply a function of the amount of the previous discharge and the recharge characteristic of the battery. Thus there is reasonable assurance of fully recharging the battery within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , avoiding a premature shutdown with its own attendant risk.

If established battery terminal float voltage cannot be restored to greater than or equal to the minimum established float voltage within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , and the charger is not operating in the current-limiting mode, a faulty charger is indicated. A faulty charger that is incapable of maintaining established battery terminal float voltage does not provide assurance that it can revert to and operate properly in the current limit mode that is necessary during the recovery period following a battery discharge event that the DC system is designed for.

If the charger is operating in the current limit mode after 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months that is an indication that the battery is partially discharged and its capacity margins will be reduced. The time to return the battery to its fully charged condition in this case is a function of the battery charger capacity, the amount of loads on the associated DC system, the amount of the previous discharge, and the recharge characteristic of the battery. The charge time can be extensive, and there is not adequate assurance that it can be recharged within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months (Required Action A.2).

Required Action A.2 requires that the battery float current be verified as less than or equal to 2 amps. This indicates that, if the battery had been discharged as the result of the inoperable battery charger, it has now been fully recharged. If at the expiration of the initial 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months period the battery float current is not less than or equal to 2 amps this indicates there may be additional battery problems and the battery must be declared inoperable.

Required Action A.3 limits the restoration time for the inoperable battery charger to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This action is applicable if an alternate means of restoring battery terminal voltage to greater than or equal to the minimum established float voltage has been used (e.g., balance of plant non-Class 1E battery charger). The 72-hour Completion Time reflects a reasonable time to effect restoration of the qualified battery charger to OPERABLE Beaver Valley Units 1 and 2 B 3.8.4 - 5 Revision 23

DC Sources - Operating B 3.8.4 BASES ACTIONS (continued) status. In addition, the 72-hour Completion Time takes into account the capacity and capability of the remaining DC sources, and the low probability of a DBA occurring during this period.

B.1 Condition B represents one train with one or two batteries inoperable.

With one or two batteries inoperable, the DC bus is being supplied by the OPERABLE battery charger. Any event that results in a loss of the AC bus supporting the battery charger will also result in loss of DC to that train. Recovery of the AC bus, especially if it is due to a loss of offsite power, will be hampered by the fact that many of the components necessary for the recovery (e.g., diesel generator control and field flash, AC load shed and diesel generator output circuit breakers, etc.) likely rely upon the batteries. In addition the energization transients of any DC loads that are beyond the capability of the battery charger and normally require the assistance of the batteries will not be able to be brought online. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit allows sufficient time to effect restoration of an inoperable battery given that the majority of the conditions that lead to battery inoperability (e.g., loss of battery charger, battery cell voltage less than 2.07 V, etc.) are identified in Specifications 3.8.4, 3.8.5, and 3.8.6 together with additional specific Completion Times.

C.1 Condition C represents one train with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation. It is therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power to the affected train. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is consistent with the allowed time for an inoperable DC distribution system train.

If one of the required DC electrical power subsystems is inoperable for reasons other than Condition A or B (e.g., inoperable battery charger and associated inoperable battery), the remaining DC electrical power subsystem has the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst-case single failure could, however, result in the loss of minimum necessary DC electrical subsystems to mitigate a worst case accident, continued power operation should not exceed 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is based on Regulatory Guide 1.93 (Ref. 7) and reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power subsystem and, if the DC electrical power subsystem is not restored to OPERABLE status, to prepare to effect an orderly and safe unit shutdown.

Beaver Valley Units 1 and 2 B 3.8.4 - 6 Revision 0

DC Sources - Operating B 3.8.4 BASES ACTIONS (continued)

D.1 and D.2 If the inoperable DC electrical power subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems. The Completion Time to bring the unit to MODE 5 is consistent with the time recommended in Regulatory Guide 1.93 (Ref. 7).

SURVEILLANCE SR 3.8.4.1 REQUIREMENTS Verifying battery terminal voltage while on float charge helps to ensure the effectiveness of the battery chargers, which support the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery and maintain the battery in a fully charged state while supplying the continuous steady state loads of the associated DC subsystem. On float charge, battery cells will receive adequate current to optimally charge the battery. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the minimum float voltage, measured at the battery terminals, established by the battery manufacturer (i.e., 2.13 volts per cell multiplied by the number of connected cells). This voltage maintains the battery plates in a condition that supports maintaining the grid life (expected to be approximately 20 years). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.4.2 This SR verifies the design capacity of the battery chargers. According to Regulatory Guide 1.32 (Ref. 8), the battery charger supply is recommended to be based on the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during these demand occurrences.

The minimum required amperes and duration ensure that these requirements can be satisfied.

Beaver Valley Units 1 and 2 B 3.8.4 - 7 Revision 29

DC Sources - Operating B 3.8.4 BASES SURVEILLANCE REQUIREMENTS (continued)

This SR provides two options. One option requires that each battery charger be capable of supplying 100 amps at the minimum established float voltage for 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The ampere requirements are based on the output rating of the chargers. The voltage requirements are based on the charger voltage level after a response to a loss of AC power. The charger voltage requires a minimum output of 140 volts. The 4-hour time period is sufficient for the charger temperature to have stabilized. The minimum established float voltage, measured at the battery terminals, is 2.13 volts per cell multiplied by the number of connected cells.

The other option requires that each battery charger be capable of recharging the battery after a service test coincident with supplying the largest combined demands of the various continuous steady state loads (irrespective of the status of the plant during which these demands occur). This level of loading may not normally be available following the battery service test and will need to be supplemented with additional loads. The duration for this test may be longer than the charger sizing criteria since the battery recharge is affected by float voltage, temperature, and the exponential decay in charging current. The battery is recharged when the measured charging current is 2 amps.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.4.3 A battery service test is a special test of the battery capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length should correspond to the design duty cycle of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , using actual or simulated emergency loads as specified in Reference 4.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. Note 1 allows the performance of a modified performance discharge test in lieu of a service test.

Beaver Valley Units 1 and 2 B 3.8.4 - 8 Revision 29

DC Sources - Operating B 3.8.4 BASES SURVEILLANCE REQUIREMENTS (continued)

The reason for Note 2 is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems. Credit may be taken for unplanned events that satisfy this SR.

REFERENCES 1. Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U. S. Nuclear Regulatory Commission General Design Criteria."

2. Safety Guide 6 (Unit 1) and Regulatory Guide 1.6, March 10, 1971 (Unit 2).

3. IEEE-308-1971 for Unit 1 and 1974 for Unit 2.

4. UFSAR, Chapter 8.

5. UFSAR, Chapter 6.

6. UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2.

7. Regulatory Guide 1.93, December 1974.

8. Regulatory Guide 1.32, February 1977.

9. NRC Regulatory Commitment documented in FENOC Letter L 162, "Supplement to License Amendment Request Nos. 296 and 169, Improved Standard Technical Specification Conversion," dated December 7, 2006.

10. 8700-E-201, DC System Management BAT-1-1/BAT-CHG1-1.

11. 8700-E-202, DC System Management BAT-1-2/BAT-CHG1-2.

12. 8700-E-203, DC System Management BAT-1-3/BAT-CHG1-3.

13. 8700-E-204, DC System Management BAT-1-4/BAT-CHG1-4.

14. 10080-E-201, DC System Management BAT-2-1/BAT-CHG2-1.

15. 10080-E-202, DC System Management BAT-2-2/BAT-CHG2-2.

16. 10080-E-203, DC System Management BAT-2-3/BAT-CHG2-3.

17. 10080-E-204, DC System Management BAT-2-4/BAT-CHG2-4.

Beaver Valley Units 1 and 2 B 3.8.4 - 9 Revision 29

DC Sources - Shutdown B 3.8.5 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.5 DC Sources - Shutdown BASES BACKGROUND A description of the DC sources is provided in the Bases for LCO 3.8.4, "DC Sources - Operating."

APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY analyses in the UFSAR, Chapter 6 (Ref. 1) and Reference 2, assume that ANALYSES Engineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the diesel generators, emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum DC electrical power sources during MODES 5 and 6 and during movement of irradiated fuel assemblies or movement of fuel assemblies over irradiated fuel assemblies for Unit 1 or movement of recently irradiated fuel assemblies or movement of fuel assemblies over recently irradiated fuel assemblies for Unit 2 ensure that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods,

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status, and

c. Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident involving handling irradiated fuel. For Unit 2 only, due to radioactive decay, DC electrical power is only required to mitigate fuel handling accidents involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months . In future discussions, the term fuel assemblies will include "irradiated" and "recently irradiated" as applicable for each unit.

In general, when the unit is shut down, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required.

The rationale for this is based on the fact that many DBAs that are Beaver Valley Units 1 and 2 B 3.8.5 - 1 Revision 0

DC Sources - Shutdown B 3.8.5 BASES APPLICABLE SAFETY ANALYSES (continued) analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

The shutdown Technical Specification requirements are designed to ensure that the unit has the capability to mitigate the consequences of certain postulated accidents. Worst case DBAs which are analyzed for operating MODES are generally viewed not to be a significant concern during shutdown MODES due to the lower energies involved. The Technical Specifications therefore require a lesser complement of electrical equipment to be available during shutdown than is required during operating MODES. More recent work completed on the potential risks associated with shutdown, however, have found significant risk associated with certain shutdown evolutions. As a result, in addition to the requirements established in the Technical Specifications, the industry has adopted NUMARC 91-06, "Guidelines for Industry Actions to Assess Shutdown Management," as an Industry initiative to manage shutdown tasks and associated electrical support to maintain risk at an acceptable low level. This may require the availability of additional equipment beyond that required by the shutdown Technical Specifications.

The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The DC electrical power subsystem, the required subsystem consisting of two batteries, one battery charger per battery, and the corresponding control equipment and interconnecting cabling within the train, is required to be OPERABLE to support one train of the distribution systems required OPERABLE by LCO 3.8.10, "Distribution Systems - Shutdown." This ensures the availability of sufficient DC electrical power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents involving handling fuel).

Beaver Valley Units 1 and 2 B 3.8.5 - 2 Revision 0

DC Sources - Shutdown B 3.8.5 BASES APPLICABILITY The DC electrical power sources required to be OPERABLE in MODES 5 and 6, and during movement of fuel assemblies, provide assurance that:

a. Required features to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core,

b. Required features needed to mitigate a fuel handling accident involving handling fuel are available,

c. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available, and

d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

The DC electrical power requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.4.

ACTIONS LCO 3.0.3 is not applicable while in MODE 5 or 6. However, since irradiated fuel assembly movement can occur in MODE 1, 2, 3, or 4, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operations. Entering LCO 3.0.3, while in MODE 1, 2, 3, or 4 would require the unit to be shutdown unnecessarily.

A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 By allowing the option to declare required features inoperable with the associated DC power source(s) inoperable, appropriate restrictions will be implemented in accordance with the affected required features LCO ACTIONS. In many instances this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of fuel assemblies, and operations involving positive reactivity additions) that could result in loss of required shutdown margin (SDM)

(MODE 5) or boron concentration (MODE 6). Suspending positive reactivity additions that could result in failure to meet the minimum SDM or boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the Reactor Coolant System (RCS) for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining Beaver Valley Units 1 and 2 B 3.8.5 - 3 Revision 0

DC Sources - Shutdown B 3.8.5 BASES ACTIONS (continued) subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required DC electrical power subsystem and to continue this action until restoration is accomplished in order to provide the necessary DC electrical power to the unit safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC electrical power subsystem should be completed as quickly as possible in order to minimize the time during which the unit safety systems may be without sufficient power.

SURVEILLANCE SR 3.8.5.1 REQUIREMENTS SR 3.8.5.1 requires performance of all Surveillances required by SR 3.8.4.1 through SR 3.8.4.3. Therefore, see the corresponding Bases for LCO 3.8.4 for a discussion of each SR.

This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DC sources from being discharged below their capability to provide the required power supply or otherwise rendered inoperable during the performance of SRs. It is the intent that these SRs must still be capable of being met, but actual performance is not required.

REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2.

Beaver Valley Units 1 and 2 B 3.8.5 - 4 Revision 0

Battery Parameters B 3.8.6 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.6 Battery Parameters BASES BACKGROUND This LCO delineates the limits on battery float current as well as electrolyte temperature, level, and float voltage for the DC power subsystem batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources - Operating," and LCO 3.8.5, "DC Sources - Shutdown." In addition to the limitations of this Specification, the Battery Monitoring and Maintenance Program also implements a program specified in Specification 5.5.13 for monitoring various battery parameters that is based on the recommendations of IEEE Standard 450-1995, "IEEE Recommended Practice For Maintenance, Testing, And Replacement Of Vented Lead-Acid Batteries For Stationary Applications" (Ref. 3).

The battery cells are of flooded lead acid construction with a nominal specific gravity of 1.215. This specific gravity corresponds to an open circuit battery voltage of approximately 124 V for 60 cell battery (i.e., cell voltage of 2.07 volts per cell (Vpc)). The open circuit voltage is the voltage maintained when there is no charging or discharging. Optimal long term performance, however, is obtained by maintaining a float voltage 2.25 Vpc. This provides adequate over-potential which limits the formation of lead sulfate and self discharge. The nominal float voltage of 2.25 Vpc corresponds to a total float voltage output of 135 V for a 60 cell battery as discussed in the UFSAR, Chapter 8 (Ref. 5).

APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY analyses in the UFSAR, Chapter 6 (Ref. 1) and Reference 2, assume that ANALYSES Engineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining at least one train of DC sources OPERABLE during accident conditions, in the event of:

a. An assumed loss of all offsite AC power or all onsite AC power and

b. A worst-case single failure.

Battery parameters satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Beaver Valley Units 1 and 2 B 3.8.6 - 1 Revision 0

Battery Parameters B 3.8.6 BASES LCO Battery parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA. Battery parameter limits are conservatively established, allowing continued DC electrical system function even with limits not met. Additional preventative maintenance, testing, and monitoring performed in accordance with the Battery Monitoring and Maintenance Program is conducted as specified in Specification 5.5.13.

APPLICABILITY The battery parameters are required solely for the support of the associated DC electrical power subsystems. Therefore, battery parameter limits are only required when the DC power source is required to be OPERABLE. Refer to the Applicability discussion in Bases for LCO 3.8.4 and LCO 3.8.5.

ACTIONS A.1, A.2, and A.3 With one or more cells in one or more batteries in one train < 2.07 V, the battery cell is degraded. Within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months verification of the required battery charger OPERABILITY is made by monitoring the battery terminal voltage (SR 3.8.4.1) and of the overall battery state of charge by monitoring the battery float charge current (SR 3.8.6.1). This assures that there is still sufficient battery capacity to perform the intended function. Therefore, the affected battery is not required to be considered inoperable solely as a result of one or more cells in one or more batteries < 2.07 V, and continued operation is permitted for a limited period up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

Since the Required Actions only specify "perform," a failure of SR 3.8.4.1 or SR 3.8.6.1 acceptance criteria does not result in this Required Action not met. However, if one of the SRs is failed the appropriate Condition(s),

depending on the cause of the failures, is entered. If SR 3.8.6.1 is failed then there is not assurance that there is still sufficient battery capacity to perform the intended function and the battery must be declared inoperable immediately.

B.1 and B.2 One or more batteries in one train with float current > 2 amps indicates that a partial discharge of the battery capacity has occurred. This may be due to a temporary loss of a battery charger or possibly due to one or more battery cells in a low voltage condition reflecting some loss of capacity. Within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months verification of the required battery charger OPERABILITY is made by monitoring the battery terminal voltage. If the terminal voltage is found to be less than the minimum established float Beaver Valley Units 1 and 2 B 3.8.6 - 2 Revision 0

Battery Parameters B 3.8.6 BASES ACTIONS (continued) voltage there are two possibilities, the battery charger is inoperable or is operating in the current limit mode. Condition A addresses charger inoperability. If the charger is operating in the current limit mode after 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months that is an indication that the battery has been substantially discharged and likely cannot perform its required design functions. The time to return the battery to its fully charged condition in this case is a function of the battery charger capacity, the amount of loads on the associated DC system, the amount of the previous discharge, and the recharge characteristic of the battery. The charge time can be extensive, and there is not adequate assurance that it can be recharged within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months (Required Action B.2). The battery must therefore be declared inoperable.

If the float voltage is found to be satisfactory but there are one or more battery cells with float voltage less than 2.07 V, the associated "OR" statement in Condition F is applicable and the battery must be declared inoperable immediately. If float voltage is satisfactory and there are no cells less than 2.07 V there is reasonable assurance that, within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , the battery will be restored to its fully charged condition (Required Action B.2) from any discharge that might have occurred due to a temporary loss of the battery charger.

A discharged battery with float voltage (the charger setpoint) across its terminals indicates that the battery is on the exponential charging current portion (the second part) of its recharge cycle. The time to return a battery to its fully charged state under this condition is simply a function of the amount of the previous discharge and the recharge characteristic of the battery. Thus there is reasonable assurance of fully recharging the battery within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , avoiding a premature shutdown with its own attendant risk.

If the condition is due to one or more cells in a low voltage condition but still greater than 2.07 V and float voltage is found to be satisfactory, this is not indication of a substantially discharged battery and 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is a reasonable time prior to declaring the battery inoperable.

Since Required Action B.1 only specifies "perform," a failure of SR 3.8.4.1 acceptance criteria does not result in the Required Action not met.

However, if SR 3.8.4.1 is failed, the appropriate Condition(s), depending on the cause of the failure, is entered.

Beaver Valley Units 1 and 2 B 3.8.6 - 3 Revision 0

Battery Parameters B 3.8.6 BASES ACTIONS (continued)

C.1, C.2, and C.3 With one or more batteries in one train with one or more cells electrolyte level above the top of the plates, but below the minimum established design limits, the battery still retains sufficient capacity to perform the intended function. Therefore, the affected battery is not required to be considered inoperable solely as a result of electrolyte level not met. In accordance with Required Action C.3, the minimum established design limits for electrolyte level (i.e., minimum level indication mark) must be re-established within 31 days. Condition C is modified by a Note that requires the completion of Required Action C.2 if the electrolyte level was found below the top of the plates. In this case, the visual inspection for leakage specified in Required Action C.2 must be performed prior to exiting Condition C even if the electrolyte level is restored to greater than or equal to the minimum established design limit.

With electrolyte level below the top of the plates there is a potential for dryout and plate degradation. Required Actions C.1 and C.2 address this potential (as well as provisions in Specification 5.5.13, Battery Monitoring and Maintenance Program). They are modified by a Note that indicates they are only applicable if electrolyte level is below the top of the plates.

Within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months level is required to be restored to above the top of the plates. The Required Action C.2 requirement to verify that there is no leakage by visual inspection and the Specification 5.5.13.b item to initiate action to equalize and test in accordance with manufacturer's recommendation are taken from Annex D of IEEE Standard 450-1995.

The visual inspection and requirements of Specification 5.5.13.b are typically performed following the restoration of the electrolyte level to above the top of the plates. Based on the results of the manufacturer's recommended testing the batteries may have to be declared inoperable and the affected cells replaced.

D.1 With one or more batteries in one train with pilot cell temperature less than the minimum established design limit of 50°F, 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is allowed to restore the temperature to within limits. A low electrolyte temperature limits the current and power available. Since the battery is sized with margin, while battery capacity is degraded, sufficient capacity exists to perform the intended function and the affected battery is not required to be considered inoperable solely as a result of the pilot cell temperature not met.

Beaver Valley Units 1 and 2 B 3.8.6 - 4 Revision 0

Battery Parameters B 3.8.6 BASES ACTIONS (continued)

E.1 With one or more batteries in redundant trains with battery parameters not within limits there is not sufficient assurance that battery capacity has not been affected to the degree that the batteries can still perform their required function, given that redundant batteries are involved. With redundant batteries involved this potential could result in a total loss of function on multiple systems that rely upon the batteries. The longer Completion Times specified for battery parameters on non-redundant batteries not within limits are therefore not appropriate, and the parameters must be restored to within limits on at least one train within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

F.1 With one or more batteries with any battery parameter outside the allowances of the Required Actions for Condition A, B, C, D, or E, sufficient capacity to supply the maximum expected load requirement is not assured and the corresponding battery must be declared inoperable.

Additionally, discovering one or more batteries in one train with one or more battery cells float voltage less than 2.07 V and float current greater than 2 amps indicates that the battery capacity may not be sufficient to perform the intended functions. The battery must therefore be declared inoperable immediately.

SURVEILLANCE SR 3.8.6.1 REQUIREMENTS Verifying battery float current while on float charge is used to determine the state of charge of the battery. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery and maintain the battery in a charged state.

The float current requirements are based on the float current indicative of a charged battery. Use of float current to determine the state of charge of the battery is consistent with IEEE-450 (Ref. 3). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states the float current requirement is not required to be met when battery terminal voltage is less than the minimum established float voltage of SR 3.8.4.1. When this float voltage is not maintained the Required Actions of LCO 3.8.4 ACTION A are being taken, which provide the necessary and appropriate verifications of the battery condition. Furthermore, the float current limit of 2 amps is established based on the nominal float voltage value and is not directly applicable when this voltage is not maintained.

Beaver Valley Units 1 and 2 B 3.8.6 - 5 Revision 29

Battery Parameters B 3.8.6 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.6.2 and SR 3.8.6.5 Optimal long term battery performance is obtained by maintaining a float voltage greater than or equal to the minimum established design limits provided by the battery manufacturer. The minimum established float voltage, measured at the battery terminals, is 2.13 volts per cell multiplied by the number of connected cells. This provides adequate over-potential, which limits the formation of lead sulfate and self discharge, which could eventually render the battery inoperable. Float voltages in this range or less, but greater than 2.07 Vpc, are addressed in Specification 5.5.13.

SRs 3.8.6.2 and 3.8.6.5 require verification that the cell float voltages are equal to or greater than the short term absolute minimum voltage of 2.07 V. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.6.3 The limit specified for electrolyte level (i.e., minimum level indication mark) ensures that the plates suffer no physical damage and maintains adequate electron transfer capability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.6.4 This Surveillance verifies that the pilot cell temperature is greater than or equal to the minimum established design limit (i.e., 50°F). Pilot cell electrolyte temperature is maintained above this temperature to assure the battery can provide the required current and voltage to meet the design requirements. Temperatures lower than assumed in battery sizing calculations act to inhibit or reduce battery capacity. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.6.6 A battery performance discharge test is a test of constant current capacity of a battery, normally done in the as found condition, after having been in service, to detect any change in the capacity determined by the acceptance test. The test is intended to determine overall battery degradation due to age and usage.

Beaver Valley Units 1 and 2 B 3.8.6 - 6 Revision 29

Battery Parameters B 3.8.6 BASES SURVEILLANCE REQUIREMENTS (continued)

Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.6.6; however, only the modified performance discharge test may be used to satisfy the battery service test requirements of SR 3.8.4.3.

A modified discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty cycle). This will often confirm the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity. Initial conditions for the modified performance discharge test should be identical to those specified for a service test.

It may consist of just two rates; for instance the one minute rate for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performance test, both of which envelope the duty cycle of the service test. Since the ampere-hours removed by a one minute discharge represents a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for the modified performance discharge test must remain above the minimum battery terminal voltage specified in the battery service test for the duration of time equal to that of the service test.

The acceptance criteria for this Surveillance are consistent with IEEE-450 (Ref. 3) and IEEE-485 (Ref. 4). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer's rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements.

Furthermore, the battery is sized to meet the assumed duty cycle loads when the battery design capacity reaches this 80% limit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. If the battery shows degradation, or if the battery has reached 85% of its expected life, the Surveillance Frequency is reduced to 18 months. Degradation is indicated, according to IEEE-450 (Ref. 3), when the battery capacity drops by more than 10%

relative to its capacity on the previous performance test or when it is 10% below the manufacturer's rating. These Frequencies are consistent with the recommendations in IEEE-450 (Ref. 3).

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems. Credit may be taken for unplanned events that satisfy this SR.

Beaver Valley Units 1 and 2 B 3.8.6 - 7 Revision 29

Battery Parameters B 3.8.6 BASES REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2.

3. IEEE-450-1995.

4. IEEE-485-1983, June 1983.

5. UFSAR, Chapter 8 (Unit 2).

Beaver Valley Units 1 and 2 B 3.8.6 - 8 Revision 0

Inverters - Operating B 3.8.7 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.7 Inverters - Operating BASES BACKGROUND The inverters are the preferred source of power for the AC vital buses because of the stability and reliability they achieve. The function of the inverter is to provide AC electrical power to the vital buses. The inverters can be powered from an internal AC source/rectifier, a battery charger or from the station battery. The battery chargers have sufficient capacity to supply the required vital bus loads and may be used in lieu of the internal rectified AC source to power inverters. However, inverters with backup power available from the station battery provide the required uninterruptible power source for the instrumentation and controls for the Reactor Protective System (RPS) and the Engineered Safety Feature Actuation System (ESFAS). Specific details on inverters and their operating characteristics are found in the UFSAR, Chapter 8 (Ref. 1).

APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY analyses in the UFSAR, Chapter 6 (Ref. 2) and Reference 3, ANALYSES assume Engineered Safety Feature systems are OPERABLE. The inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the RPS and ESFAS instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and is based on meeting the design basis of the unit. This includes maintaining required AC vital buses OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite AC electrical power or all onsite AC electrical power and

b. A worst case single failure.

Inverters are a part of the distribution system and, as such, satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Beaver Valley Units 1 and 2 B 3.8.7 - 1 Revision 0

Inverters - Operating B 3.8.7 BASES LCO The inverters ensure the availability of AC electrical power for the systems instrumentation required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA.

Maintaining the required inverters OPERABLE ensures that the redundancy incorporated into the design of the RPS and ESFAS instrumentation and controls is maintained. The four inverters (two per train) ensure an uninterruptible supply of AC electrical power to the AC vital buses even if the 4.16 kV safety buses are de-energized.

OPERABLE inverters require the associated vital bus to be powered by the inverter with output voltage within tolerances, and power input to the inverter from a 125 VDC station battery. Alternatively, power supply may be a battery charger or from an internal AC source via rectifier as long as the station battery is available as the uninterruptible power supply.

This LCO is modified by a Note that allows one inverter to be disconnected from a battery for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , if the vital bus is powered from a Class 1E constant voltage transformer or inverter using internal AC source during the period and all other inverters are OPERABLE. This allows an equalizing charge to be placed on one battery. Under certain conditions, if the inverters were not disconnected, the resulting voltage condition might damage the inverter. These provisions minimize the loss of equipment that would occur in the event of a loss of offsite power. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months time period for the allowance minimizes the time during which a loss of offsite power could result in the loss of equipment energized from the affected AC vital bus while taking into consideration the time required to perform an equalizing charge on the battery bank.

The intent of this Note is to limit the number of inverters that may be disconnected. Only the inverter associated with the single battery undergoing an equalizing charge may be disconnected. All other inverters must be aligned to their associated batteries, regardless of the number of inverters or unit design.

APPLICABILITY The inverters are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients and Beaver Valley Units 1 and 2 B 3.8.7 - 2 Revision 0

Inverters - Operating B 3.8.7 BASES APPLICABILITY (continued)

b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

Inverter requirements for MODES 5 and 6 are covered in the Bases for LCO 3.8.8, "Inverters - Shutdown."

ACTIONS A.1 With a required inverter inoperable, its associated AC vital bus becomes inoperable until it is re-energized from its Class 1E constant voltage source transformer or inverter using internal AC source or battery charger.

For this reason a Note has been included in Condition A requiring the entry into the Conditions and Required Actions of LCO 3.8.9, "Distribution Systems - Operating." This ensures that the vital bus is re-energized within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

Required Action A.1 allows 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to fix the inoperable inverter and return it to service. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months limit is based upon engineering judgment, taking into consideration the time required to repair an inverter and the additional risk to which the unit is exposed because of the inverter inoperability. This has to be balanced against the risk of an immediate shutdown, along with the potential challenges to safety systems such a shutdown might entail. When the AC vital bus is powered from a source other than an inverter with battery backup, it is relying upon interruptible AC electrical power sources (offsite and onsite). The uninterruptible inverter source to the AC vital buses is the preferred source for powering instrumentation trip setpoint devices.

B.1 and B.2 If the inoperable devices or components cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems.

Beaver Valley Units 1 and 2 B 3.8.7 - 3 Revision 0

Inverters - Operating B 3.8.7 BASES SURVEILLANCE SR 3.8.7.1 REQUIREMENTS This Surveillance verifies that the inverters are functioning properly with all required circuit breakers closed and AC vital buses energized from the inverter. The verification of correct voltage output ensures that the required power is readily available for the instrumentation of the RPS and ESFAS connected to the AC vital buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Chapter 8.

2. UFSAR, Chapter 6.

3. UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2.

Beaver Valley Units 1 and 2 B 3.8.7 - 4 Revision 29

Inverters - Shutdown B 3.8.8 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.8 Inverters - Shutdown BASES BACKGROUND A description of the inverters is provided in the Bases for LCO 3.8.7, "Inverters - Operating."

APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY analyses in the UFSAR, Chapter 6 (Ref. 1) and Reference 2, assume ANALYSES Engineered Safety Feature systems are OPERABLE. The DC to AC inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the Reactor Protective System and Engineered Safety Features Actuation System instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum inverters to each AC vital bus during MODES 5 and 6 and during fuel movement ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods,

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status, and

c. Adequate power is available to mitigate events postulated during shutdown, such as a fuel handling accident involving handling irradiated fuel or movement of fuel assemblies over irradiated fuel assemblies for Unit 1 or movement of recently irradiated fuel assemblies or movement of fuel assemblies over recently irradiated fuel assemblies for Unit 2. For Unit 2 only, due to radioactive decay, the inverters are only required to mitigate fuel handling accidents involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months .

In future discussions, the term fuel assemblies will include "irradiated" and "recently irradiated" as applicable for each unit.

In general, when the unit is shut down, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required.

Beaver Valley Units 1 and 2 B 3.8.8 - 1 Revision 0

Inverters - Shutdown B 3.8.8 BASES APPLICABLE SAFETY ANALYSES (continued)

The rationale for this is based on the fact that many DBAs that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

The shutdown Technical Specification requirements are designed to ensure that the unit has the capability to mitigate the consequences of certain postulated accidents. Worst case DBAs which are analyzed for operating MODES are generally viewed not to be a significant concern during shutdown MODES due to the lower energies involved. The Technical Specifications therefore require a lesser complement of electrical equipment to be available during shutdown than is required during operating MODES. More recent work completed on the potential risks associated with shutdown, however, have found significant risk associated with certain shutdown evolutions. As a result, in addition to the requirements established in the Technical Specifications, the industry has adopted NUMARC 91-06, "Guidelines for Industry Actions to Assess Shutdown Management," as an Industry initiative to manage shutdown tasks and associated electrical support to maintain risk at an acceptable low level. This may require the availability of additional equipment beyond that required by the shutdown Technical Specifications.

The inverters were previously identified as part of the distribution system and, as such, satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The inverters ensure the availability of electrical power for the instrumentation for systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA. The inverters with battery backup power provide uninterruptible supply of AC electrical power to the AC vital buses even if the 4.16 kV safety buses are de-energized. OPERABILITY of the inverters require that the AC vital bus be powered by the inverter. This ensures the availability of sufficient inverter power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents involving handling fuel).

Beaver Valley Units 1 and 2 B 3.8.8 - 2 Revision 0

Inverters - Shutdown B 3.8.8 BASES APPLICABILITY The inverters required to be OPERABLE in MODES 5 and 6 and during movement of fuel assemblies provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core,

b. Systems needed to mitigate a fuel handling accident involving handling fuel are available,

c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available, and

d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

Inverter requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.7.

ACTIONS LCO 3.0.3 is not applicable while in MODE 5 or 6. However, since irradiated fuel assembly movement can occur in MODE 1, 2, 3, or 4, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operations.

Entering LCO 3.0.3, while in MODE 1, 2, 3, or 4 would require the unit to be shutdown unnecessarily.

A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 If two trains are required by LCO 3.8.10, "Distribution Systems -

Shutdown," the remaining OPERABLE Inverters may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for positive reactivity additions. By the allowance of the option to declare required features inoperable with the associated inverter(s) inoperable, appropriate restrictions will be implemented in accordance with the affected required features LCOs' Required Actions. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of fuel assemblies, and operations involving positive reactivity additions) that could result in loss of required SDM (MODE 5) or boron concentration (MODE 6). Suspending positive Beaver Valley Units 1 and 2 B 3.8.8 - 3 Revision 0

Inverters - Shutdown B 3.8.8 BASES ACTIONS (continued) reactivity additions that could result in failure to meet the minimum SDM or boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required inverters and to continue this action until restoration is accomplished in order to provide the necessary inverter power to the unit safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required inverters should be completed as quickly as possible in order to minimize the time the unit safety systems may be without power or powered from a constant voltage source transformer.

SURVEILLANCE SR 3.8.8.1 REQUIREMENTS This Surveillance verifies that the inverters are functioning properly with all required circuit breakers closed and AC vital buses energized from the inverter. The verification of correct voltage output ensures that the required power is readily available for the instrumentation connected to the AC vital buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2.

Beaver Valley Units 1 and 2 B 3.8.8 - 4 Revision 29

Distribution Systems - Operating B 3.8.9 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.9 Distribution Systems - Operating BASES BACKGROUND The onsite Class 1E AC, DC, and AC vital bus electrical power distribution systems are divided by train into two redundant and independent AC, DC, and AC vital bus electrical power distribution subsystems.

The AC electrical power subsystem for each train consists of a primary Engineered Safety Feature (ESF) 4.16 kV bus and secondary 480 V buses and load centers. Each 4.16 kV ESF bus has at least one separate and independent offsite source of power as well as a dedicated onsite diesel generator (DG) source. Each 4.16 kV ESF bus is normally connected to a unit source. After a loss of the unit power source to a 4.16 kV ESF bus, a transfer to the system offsite source is accomplished by utilizing a time delayed bus undervoltage relay. If all offsite sources are unavailable, the onsite emergency DG supplies power to the 4.16 kV ESF bus. Control power for the 4.16 kV ESF breakers is supplied from the Class 1E batteries. Additional description of this system may be found in the Bases for LCO 3.8.1, "AC Sources - Operating," and the Bases for LCO 3.8.4, "DC Sources - Operating."

The secondary AC electrical power distribution subsystem for each train includes the safety related buses and load centers shown in Table B 3.8.9-1.

The 120 VAC vital buses are arranged in two load groups per train and are normally powered from the inverters. The alternate power supply for the vital buses are Class 1E constant voltage source transformers powered from the same train as the associated inverter, and its use is governed by LCO 3.8.7, "Inverters - Operating." Each constant voltage source transformer is powered from a Class 1E AC bus.

The DC electrical power distribution subsystem consists of 125 V bus(es).

The list of all required DC and vital AC distribution buses is presented in Table B 3.8.9-1.

Beaver Valley Units 1 and 2 B 3.8.9 - 1 Revision 0

Distribution Systems - Operating B 3.8.9 BASES APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY analyses in the UFSAR, Chapter 6 (Ref. 1), and in Reference 2, ANALYSES assume ESF systems are OPERABLE. The AC, DC, and AC vital bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the AC, DC, and AC vital bus electrical power distribution systems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit.

This includes maintaining power distribution systems OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC electrical power and

b. A worst case single failure.

The distribution systems satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The required power distribution subsystems listed in Table B 3.8.9-1 ensure the availability of AC, DC, and AC vital bus electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. The AC, DC, and AC vital bus electrical power distribution subsystems are required to be OPERABLE.

Maintaining the Train A and Train B AC, DC, and AC vital bus electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of ESF is not defeated. Therefore, a single failure within any system or within the electrical power distribution subsystems will not prevent safe shutdown of the reactor.

OPERABLE AC electrical power distribution subsystems require the associated buses and load centers to be energized to their correct voltages. OPERABLE DC electrical power distribution subsystems require the associated buses and distribution panels to be energized to their correct voltage from either the associated battery or charger.

OPERABLE vital bus electrical power distribution subsystems require the associated buses to be energized to their correct voltage from the associated inverter via inverted DC voltage, inverter using internal AC source, or Class 1E constant voltage transformer.

Beaver Valley Units 1 and 2 B 3.8.9 - 2 Revision 0

Distribution Systems - Operating B 3.8.9 BASES LCO (continued)

In addition, tie breakers between redundant safety related AC, DC, and AC vital bus power distribution subsystems, if they exist, must be open.

This prevents any electrical malfunction in any power distribution subsystem from propagating to the redundant subsystem, that could cause the failure of a redundant subsystem and a loss of essential safety function(s). If any tie breakers are closed, the affected redundant electrical power distribution subsystems are considered inoperable. This applies to the onsite, safety related redundant electrical power distribution subsystems. It does not, however, preclude redundant Class 1E 4.16 kV buses from being powered from the same offsite circuit.

APPLICABILITY The electrical power distribution subsystems are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients and

b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

Electrical power distribution subsystem requirements for MODES 5 and 6 are covered in the Bases for LCO 3.8.10, "Distribution Systems -

Shutdown."

ACTIONS A.1 With one or more Train A and B required AC buses and load centers (except AC vital buses), in one train inoperable and a loss of function has not occurred, the remaining AC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystems could result in the minimum required ESF functions not being supported. Therefore, the required AC buses and load centers must be restored to OPERABLE status within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months .

Condition A worst scenario is one train without AC power (i.e., no power from the unit and system station service transformers to the train and the associated DG inoperable). In this Condition, the unit is more vulnerable to a complete loss of AC power. It is, therefore, imperative that the unit Beaver Valley Units 1 and 2 B 3.8.9 - 3 Revision 0

Distribution Systems - Operating B 3.8.9 BASES ACTIONS (continued) operator's attention be focused on minimizing the potential for loss of power to the remaining train by stabilizing the unit, and on restoring power to the affected train. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months time limit before requiring a unit shutdown in this Condition is acceptable because of:

a. The potential for decreased safety if the unit operator's attention is diverted from the evaluations and actions necessary to restore power to the affected train, to the actions associated with taking the unit to shutdown within this time limit and

b. The potential for an event in conjunction with a single failure of a redundant component in the train with AC power.

The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DC bus is inoperable and subsequently restored OPERABLE, the LCO may already have been not met for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . This could lead to a total of 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months , since initial failure of the LCO, to restore the AC distribution system. At this time, a DC circuit could again become inoperable, and AC distribution restored OPERABLE. This could continue indefinitely.

The Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition A was entered. The 16 hour1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

Required Action A.1 is modified by a Note that requires the applicable Conditions and Required Actions of LCO 3.8.4, "DC Sources - Operating,"

to be entered for DC trains made inoperable by inoperable power distribution subsystems. This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components. Inoperability of a distribution system can result in loss of charging power to batteries and eventual loss of DC power. This Note ensures that the appropriate attention is given to restoring charging power to batteries, if necessary, after loss of distribution systems.

Beaver Valley Units 1 and 2 B 3.8.9 - 4 Revision 0

Distribution Systems - Operating B 3.8.9 BASES ACTIONS (continued)

B.1 With one or more AC vital buses inoperable, and a loss of function has not yet occurred, the remaining OPERABLE AC vital buses are capable of supporting the minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition. Overall reliability is reduced, however, since an additional single failure could result in the minimum required ESF functions not being supported. Therefore, the required AC vital bus must be restored to OPERABLE status within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months by powering the bus from the associated inverter via inverted DC, inverter using internal AC source, or Class 1E constant voltage transformer.

Condition B represents one or more AC vital buses without power; potentially both the DC source and the associated AC source are nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all noninterruptible power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining vital buses and restoring power to the affected vital bus.

This 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is more conservative than Completion Times allowed for the vast majority of components that are without adequate vital AC power.

Taking exception to LCO 3.0.2 for components without adequate vital AC power, that would have the Required Action Completion Times shorter than 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months if declared inoperable, is acceptable because of:

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not allowing stable operations to continue,

b. The potential for decreased safety by requiring entry into numerous Applicable Conditions and Required Actions for components without adequate vital AC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train, and

c. The potential for an event in conjunction with a single failure of a redundant component.

The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time takes into account the importance to safety of restoring the AC vital bus to OPERABLE status, the redundant capability afforded by the other OPERABLE vital buses, and the low probability of a DBA occurring during this period.

Beaver Valley Units 1 and 2 B 3.8.9 - 5 Revision 0

Distribution Systems - Operating B 3.8.9 BASES ACTIONS (continued)

The second Completion Time for Required Action B.1 establishes a limit on the maximum allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . This could lead to a total of 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months , since initial failure of the LCO, to restore the vital bus distribution system. At this time, an AC train could again become inoperable, and vital bus distribution restored OPERABLE. This could continue indefinitely.

This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition B was entered. The 16 hour1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

C.1 With one or more DC buses inoperable, and a loss of function has not yet occurred, the remaining DC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystem could result in the minimum required ESF functions not being supported.

Therefore, the required DC buses must be restored to OPERABLE status within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months by powering the bus from the associated battery or charger.

Condition C represents one or more DC buses without adequate DC power; potentially both with the battery significantly degraded and the associated charger nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all DC power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining trains and restoring power to the affected train.

This 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is more conservative than Completion Times allowed for the vast majority of components that would be without power. Taking exception to LCO 3.0.2 for components without adequate DC power, which would have Required Action Completion Times shorter than 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , is acceptable because of:

Beaver Valley Units 1 and 2 B 3.8.9 - 6 Revision 0

Distribution Systems - Operating B 3.8.9 BASES ACTIONS (continued)

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) while allowing stable operations to continue,

b. The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without DC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train, and

c. The potential for an event in conjunction with a single failure of a redundant component.

The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time for DC buses is consistent with Regulatory Guide 1.93 (Ref. 3). The second Completion Time for Required Action C.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition C is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . This could lead to a total of 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months , since initial failure of the LCO, to restore the DC distribution system. At this time, an AC train could again become inoperable, and DC distribution restored OPERABLE. This could continue indefinitely.

This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition C was entered. The 16 hour1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

D.1 and D.2 If the inoperable distribution subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems.

Beaver Valley Units 1 and 2 B 3.8.9 - 7 Revision 0

Distribution Systems - Operating B 3.8.9 BASES ACTIONS (continued)

E.1 Condition E corresponds to a level of degradation in the electrical power distribution system that causes a required safety function to be lost.

When more than one inoperable electrical power distribution subsystem results in the loss of a required function, the plant is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation. LCO 3.0.3 must be entered immediately to commence a controlled shutdown.

SURVEILLANCE SR 3.8.9.1 REQUIREMENTS This Surveillance verifies that the required AC, DC, and AC vital bus electrical power distribution systems are functioning properly, with the correct circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independence of the electrical divisions is maintained, and the appropriate voltage is available to each required bus.

The verification of correct voltage availability on the buses ensures that the required voltage is readily available for motive as well as control functions for critical system loads connected to these buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2.

3. Regulatory Guide 1.93, December 1974.

Beaver Valley Units 1 and 2 B 3.8.9 - 8 Revision 29

Distribution Systems - Operating B 3.8.9 Table B 3.8.9-1 (page 1 of 1)

AC and DC Electrical Power Distribution Systems Unit 1 Only Unit 2 Only (Orange) (Purple) (Orange) (Purple)

TYPE VOLTAGE TRAIN A* TRAIN B* TRAIN A* TRAIN B*

AC 4160 V 1AE 1DF 2AE 2DF emergency buses 480 V 1N 1P 2N 2P DC buses 125 V 1-1 1-2 2-1 2-2 1-3 1-4 2-3 2-4 AC vital 120 V I II I II buses III IV III IV

Each train of the AC and DC electrical power distribution systems is a subsystem.

Beaver Valley Units 1 and 2 B 3.8.9 - 9 Revision 1

Distribution Systems - Shutdown B 3.8.10 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.10 Distribution Systems - Shutdown BASES BACKGROUND A description of the AC, DC, and AC vital bus electrical power distribution systems is provided in the Bases for LCO 3.8.9, "Distribution Systems -

Operating."

APPLICABLE The initial conditions of Design Basis Accident and transient analyses in SAFETY the UFSAR, Chapter 6 (Ref. 1) and Reference 2, assume Engineered ANALYSES Safety Feature (ESF) systems are OPERABLE. The AC, DC, and AC vital bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

The OPERABILITY of the AC, DC, and AC vital bus electrical power distribution system is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum AC, DC, and AC vital bus electrical power distribution subsystems during MODES 5 and 6, and during movement of irradiated fuel assemblies or movement of fuel assemblies over irradiated fuel assemblies for Unit 1 or movement of recently irradiated fuel assemblies or movement of fuel assemblies over recently irradiated fuel assemblies for Unit 2 ensure that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods,

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status, and

c. Adequate power is provided to mitigate events postulated during shutdown, such as a fuel handling accident involving handling irradiated fuel (Unit 1). For Unit 2 only, due to radioactive decay, AC and DC electrical power is only required to mitigate fuel handling accidents involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ). In future discussions, the term fuel assemblies will include "irradiated" and "recently irradiated" as applicable for each unit.

The AC and DC electrical power distribution systems satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Beaver Valley Units 1 and 2 B 3.8.10 - 1 Revision 0

Distribution Systems - Shutdown B 3.8.10 BASES LCO Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific plant condition. Implicit in those requirements is the required OPERABILITY of necessary support required features. This LCO explicitly requires energization of the portions of the electrical distribution system necessary to support OPERABILITY of required systems, equipment, and components - all specifically addressed in each LCO and implicitly required via the definition of OPERABILITY.

Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the unit in a safe manner to mitigate the consequences of postulated events during shutdown (e.g.,

fuel handling accidents involving handling fuel).

APPLICABILITY The AC and DC electrical power distribution subsystems required to be OPERABLE in MODES 5 and 6, and during movement of fuel assemblies, provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core,

b. Systems needed to mitigate a fuel handling accident involving handling fuel are available,

c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available, and

d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition and refueling condition.

The AC, DC, and AC vital bus electrical power distribution subsystems requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.9.

ACTIONS LCO 3.0.3 is not applicable while in MODE 5 or 6. However, since irradiated fuel assembly movement can occur in MODE 1, 2, 3, or 4, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operations. Entering LCO 3.0.3, while in MODE 1, 2, 3, or 4 would require the unit to be shutdown unnecessarily.

Beaver Valley Units 1 and 2 B 3.8.10 - 2 Revision 0

Distribution Systems - Shutdown B 3.8.10 BASES ACTIONS (continued)

A.1, A.2.1, A.2.2, A.2.3, A.2.4, A.2.5, and A.2.6 Although redundant required features may require redundant trains of electrical power distribution subsystems to be OPERABLE, one OPERABLE distribution subsystem train may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and fuel movement. By allowing the option to declare required features associated with an inoperable distribution subsystem inoperable, appropriate restrictions are implemented in accordance with the affected distribution subsystem LCO's Required Actions. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of fuel assemblies, and operations involving positive reactivity additions that could result in loss of required SDM (MODE 5) or boron concentration (MODE 6). Suspending positive reactivity additions that could result in failure to meet the minimum SDM or boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.

Suspension of these activities does not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC and DC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the unit safety systems.

Notwithstanding performance of the above conservative Required Actions, a required residual heat removal (RHR) subsystem may be inoperable. In this case, Required Actions A.2.1 through A.2.5 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the RHR ACTIONS would not be entered. Therefore, Required Action A.2.6 is provided to direct declaring RHR inoperable, which results in taking the appropriate RHR actions.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required distribution subsystems should be completed as quickly as possible in order to minimize the time the unit safety systems may be without power.

Beaver Valley Units 1 and 2 B 3.8.10 - 3 Revision 0

Distribution Systems - Shutdown B 3.8.10 BASES SURVEILLANCE SR 3.8.10.1 REQUIREMENTS This Surveillance verifies that the required AC, DC, and AC vital bus electrical power distribution subsystems are functioning properly, with all the required buses energized. The verification of correct voltage availability on the buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. The Surveillance Frequency is Controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2.

Beaver Valley Units 1 and 2 B 3.8.10 - 4 Revision 29

Boron Concentration B 3.9.1 B 3.9 REFUELING OPERATIONS B 3.9.1 Boron Concentration BASES BACKGROUND The limit on the boron concentrations of the Reactor Coolant System (RCS), the refueling canal, and the refueling cavity during refueling ensures that the reactor remains subcritical during MODE 6. Refueling boron concentration is the soluble boron concentration in the coolant in each of these volumes having direct access to the reactor core during refueling.

The soluble boron concentration offsets the core reactivity and is measured by chemical analysis of a representative sample of the coolant in each of the volumes. The refueling boron concentration limit is specified in the COLR. Plant procedures ensure the specified boron concentration maintains an overall core reactivity of keff 0.95 during fuel handling, with control rods and fuel assemblies assumed to be in the most adverse configuration (least negative reactivity) allowed by plant procedures.

GDC 26 of 10 CFR 50, Appendix A, requires that two independent reactivity control systems of different design principles be provided (Ref. 1). One of these systems must be capable of holding the reactor core subcritical under cold conditions. The Chemical and Volume Control System (CVCS) is the system capable of maintaining the reactor subcritical in cold conditions by maintaining the boron concentration.

The reactor is brought to shutdown conditions before beginning operations to open the reactor vessel for refueling. After the RCS is cooled and depressurized and the vessel head is unbolted, the head is slowly removed from the refueling cavity. The refueling canal and the refueling cavity are then flooded with borated water from the refueling water storage tank through the open reactor vessel by gravity feeding or by the use of the Low Head Safety Injection System pumps.

The pumping action of the Residual Heat Removal (RHR) System in the RCS and the natural circulation due to thermal driving heads in the reactor vessel and refueling cavity mix the added concentrated boric acid with the water in the refueling canal. The RHR System is in operation during refueling (see LCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level") to provide forced circulation in the RCS and assist in maintaining the boron concentrations in the RCS, the refueling canal, and the refueling cavity above the COLR limit.

Beaver Valley Units 1 and 2 B 3.9.1 - 1 Revision 0

Boron Concentration B 3.9.1 BASES APPLICABLE During refueling operations, the reactivity condition of the core is SAFETY controlled by isolating unborated water sources and maintaining the ANALYSES required refueling boron concentration in the RCS. The boron concentration specified in the COLR for MODE 6 is an operating restriction necessary to maintain at least a 5% k/k margin of safety during refueling. The resulting core reactivity is conservative for MODE 6.

The boron concentration limit specified in the COLR is based on the core reactivity at the beginning of each fuel cycle (the end of refueling) and includes an uncertainty allowance.

The required boron concentration and the plant refueling procedures that verify the correct fuel loading plan (including full core mapping) ensure that the keff of the core will remain 0.95 during the refueling operation.

Hence, at least a 5% k/k margin of safety is established during refueling.

During refueling, the water volume in the spent fuel pool, the transfer canal, the refueling canal, the refueling cavity, and the reactor vessel form a single mass. As a result, the soluble boron concentration is relatively the same in each of these volumes.

The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The LCO requires that a minimum boron concentration be maintained in the RCS, the refueling canal, and the refueling cavity while in MODE 6.

The boron concentration limit specified in the COLR ensures that a core keff of 0.95 is maintained during fuel handling operations. Violation of the LCO could lead to an inadvertent criticality during MODE 6.

APPLICABILITY This LCO is applicable in MODE 6 to ensure that the fuel in the reactor vessel will remain subcritical. The required boron concentration ensures a keff 0.95. Above MODE 6, LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," ensures that an adequate amount of negative reactivity is available to shut down the reactor and maintain it subcritical.

The Applicability is modified by a Note. The Note states that the limits on boron concentration are only applicable to the refueling canal and the refueling cavity when those volumes are connected (hydraulically coupled) to the RCS. When the refueling canal and the refueling cavity are isolated from the RCS, no potential path for boron dilution exists.

Beaver Valley Units 1 and 2 B 3.9.1 - 2 Revision 0

Boron Concentration B 3.9.1 BASES ACTIONS A.1 and A.2 Continuation of CORE ALTERATIONS or positive reactivity additions (including actions to reduce boron concentration) is contingent upon maintaining the unit in compliance with the LCO. If the boron concentration of any coolant volume in the RCS, the refueling canal, or the refueling cavity is less than its limit, all operations involving CORE ALTERATIONS or positive reactivity additions must be suspended immediately.

Suspension of CORE ALTERATIONS and positive reactivity additions shall not preclude moving a component to a safe position. Operations that individually add limited positive reactivity (e.g. temperature fluctuations from inventory addition or temperature control fluctuations),

but when combined with all other operations affecting core reactivity (e.g., intentional boration) result in overall net negative reactivity addition, are not precluded by this action.

A.3 In addition to immediately suspending CORE ALTERATIONS and positive reactivity additions, boration to restore the concentration must be initiated immediately.

In determining the required combination of boration flow rate and concentration, no unique Design Basis Event must be satisfied. The only requirement is to restore the boron concentration to its required value as soon as possible. In order to raise the boron concentration as soon as possible, the operator should begin boration with the best source available for unit conditions.

Once actions have been initiated, they must be continued until the boron concentration is restored. The restoration time depends on the amount of boron that must be injected to reach the required concentration.

SURVEILLANCE SR 3.9.1.1 REQUIREMENTS This SR ensures that the coolant boron concentration in the RCS, and connected portions of the refueling canal and the refueling cavity, is within the COLR limits. The boron concentration of the coolant in each required volume is determined periodically by chemical analysis. Prior to reconnecting portions of the refueling canal or the refueling cavity to the RCS, this SR must be met per SR 3.0.1. If any dilution activity has occurred while the cavity or canal were disconnected from the RCS, this SR ensures the correct boron concentration prior to communication with the RCS.

Beaver Valley Units 1 and 2 B 3.9.1 - 3 Revision 0

Boron Concentration B 3.9.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Unit 1 UFSAR, Appendix 1A, "1971 AEC General Design Criteria Conformance." Unit 2 UFSAR, Section 3.1, "Conformance with NRC General Design Criteria."

Beaver Valley Units 1 and 2 B 3.9.1 - 4 Revision 29

Nuclear Instrumentation B 3.9.2 B 3.9 REFUELING OPERATIONS B 3.9.2 Nuclear Instrumentation BASES BACKGROUND The source range neutron flux monitors are used during refueling operations to monitor the core reactivity condition. The installed or primary source range neutron flux monitors are part of the Nuclear Instrumentation System (NIS). These detectors are located external to the reactor vessel and detect neutrons leaking from the core.

The primary source range neutron flux monitors are boron-based detectors operating in the proportional region of the gas filled detector characteristic curve. The detectors monitor the neutron flux in counts per second. The instrument range covers six decades of neutron flux (1E+6 cps). The detectors also provide continuous visual indication in the control room. The NIS is designed in accordance with the criteria presented in Reference 1.

In addition to the primary source range monitors described above, alternate source range monitors may be used to meet the LCO requirement. The alternate monitors may be either installed spare detectors or portable monitors with sufficient sensitivity to adequately monitor reactivity changes in the core during refueling operations.

APPLICABLE Two OPERABLE source range neutron flux monitors (primary or SAFETY alternate) are required to provide a signal to alert the operator to ANALYSES unexpected changes in core reactivity. The Technical Specifications require that unborated water sources be isolated in MODES 4, 5, and 6.

The requirement to isolate unborated water sources is considered to preclude a boron dilution accident. Therefore, no boron dilution accident analysis is necessary for these MODES.

The source range neutron flux monitors satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO requires that two source range neutron flux monitors be OPERABLE to ensure that redundant monitoring capability is available to detect changes in core reactivity. The LCO may be met by using any combination of primary or alternate source range monitors. To be OPERABLE, each monitor must provide continuous visual indication in the control room.

Beaver Valley Units 1 and 2 B 3.9.2 - 1 Revision 35

Nuclear Instrumentation B 3.9.2 BASES APPLICABILITY In MODE 6, the source range neutron flux monitors must be OPERABLE to determine changes in core reactivity. There are no other direct means available to check core reactivity levels. In MODES 2, 3, 4, and 5, the primary source range detectors and circuitry are also required to be OPERABLE by LCO 3.3.1, "Reactor Trip System (RTS) Instrumentation."

In addition, one source range detector is required to be OPERABLE in MODES 3, 4, and 5 when all rods are fully inserted and without rod withdrawal capability by LCO 3.3.8, "Boron Dilution Detection Instrumentation."

ACTIONS A.1 and A.2 With only one source range neutron flux monitor OPERABLE, redundancy has been lost. Since these instruments are the only direct means of monitoring core reactivity conditions, CORE ALTERATIONS and introduction of coolant into the RCS with boron concentration less than required to meet the minimum boron concentration of LCO 3.9.1 must be suspended immediately. Suspending positive reactivity additions that could result in failure to meet the minimum boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than that which would be required in the RCS for minimum refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Performance of Required Action A.1 shall not preclude completion of movement of a component to a safe position.

B.1 With no source range neutron flux monitor OPERABLE, action to restore a monitor to OPERABLE status shall be initiated immediately. Once initiated, action shall be continued until a source range neutron flux monitor is restored to OPERABLE status.

B.2 With no source range neutron flux monitor OPERABLE, there are no direct means of detecting changes in core reactivity. However, since CORE ALTERATIONS and positive reactivity additions are not to be made (as specified in Required Actions A.1 and A.2), the core reactivity condition is stabilized until the source range neutron flux monitors are OPERABLE. This stabilized condition is determined by performing SR 3.9.1.1 to ensure that the required boron concentration exists.

Beaver Valley Units 1 and 2 B 3.9.2 - 2 Revision 0

Nuclear Instrumentation B 3.9.2 BASES ACTIONS (continued)

The Completion Time of once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is sufficient to obtain and analyze a reactor coolant sample for boron concentration and ensures that unplanned changes in boron concentration would be identified. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is reasonable, considering the low probability of a change in core reactivity during this time period.

SURVEILLANCE SR 3.9.2.1 REQUIREMENTS SR 3.9.2.1 is the performance of a CHANNEL CHECK, which is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that the two indication channels should be consistent with core conditions. Changes in fuel loading and core geometry can result in significant differences between source range channels, but each channel should be consistent with its local conditions.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.9.2.2 SR 3.9.2.2 is the performance of a CHANNEL CALIBRATION. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The calibration method for neutron detectors is specified in the Bases of LCO 3.3.1, "Reactor Trip System (RTS)

Instrumentation." The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Unit 1 and Unit 2 UFSAR Section 7.

Beaver Valley Units 1 and 2 B 3.9.2 - 3 Revision 29

Containment Penetrations B 3.9.3 B 3.9 REFUELING OPERATIONS B 3.9.3 Containment Penetrations BASES BACKGROUND During movement of fuel involving recently irradiated fuel assemblies within containment, a release of fission product radioactivity within containment will be restricted from escaping to the environment when the LCO requirements are met. In MODES 1, 2, 3, and 4, restricting the release of radioactivity from containment is accomplished by maintaining containment OPERABLE as described in LCO 3.6.1, "Containment." In MODE 6, the potential for containment pressurization as a result of an accident is not likely; therefore, requirements to isolate the containment from the outside atmosphere can be less stringent. The LCO requirements are referred to as "containment closure" rather than "containment OPERABILITY." Containment closure means that all potential escape paths are closed or capable of being closed. Since there is no potential for containment pressurization, the Appendix J leakage criteria and tests are not required.

The containment serves to contain fission product radioactivity that may be released from the reactor core following an accident, such that offsite radiation exposures are maintained within the requirements of 10 CFR 50.67. Additionally, the containment provides radiation shielding from the fission products that may be present in the containment atmosphere following accident conditions.

The containment equipment hatch, which is part of the containment pressure boundary, provides a means for moving large equipment and components into and out of containment. During movement of fuel involving recently irradiated fuel assemblies within containment, the equipment hatch must be held in place by at least four bolts. Good engineering practice dictates that the bolts required by this LCO be approximately equally spaced.

The containment air locks, which are also part of the containment pressure boundary, provide a means for personnel access during MODES 1, 2, 3, and 4 unit operation in accordance with LCO 3.6.2, "Containment Air Locks." Each air lock has a door at both ends. The doors are normally interlocked to prevent simultaneous opening when containment OPERABILITY is required. During periods of unit shutdown when containment closure is not required, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary. During movement of recently irradiated fuel assemblies or the movement of fuel assemblies over recently irradiated fuel assemblies within containment, containment closure is required; therefore, the door interlock mechanism may remain disabled, but one air lock door must always remain closed.

Beaver Valley Units 1 and 2 B 3.9.3 - 1 Revision 0

Containment Penetrations B 3.9.3 BASES BACKGROUND (continued)

The requirements for containment penetration closure ensure that a release of fission product radioactivity within containment will be restricted to within regulatory limits.

The Containment Purge and Exhaust System includes a 42 inch purge penetration and a 42 inch exhaust penetration. During MODES 1, 2, 3, and 4, the two valves in each of the purge and exhaust penetrations are secured in the closed position. The Containment Purge and Exhaust System is not subject to a Specification in MODE 5.

In MODE 6, the Containment Purge and Exhaust System is used for containment ventilation.

The radiation monitors associated with the Unit 1 Containment Purge and Exhaust System are not mounted in a seismically qualified ventilation duct. Therefore, Unit 1 can not credit containment isolation when necessary to mitigate the radiological consequences of a design bases fuel handling accident. Unit 1 must rely on filtration of the purge exhaust by an OPERABLE Supplemental Leak Collection and Release System (SLCRS) filter train.

The Unit 2 Containment Purge and Exhaust System credits containment isolation when necessary to mitigate the radiological consequences of a design bases fuel handling accident. The limit placed on the containment purge and exhaust flow (7500 cfm) ensures the Unit 2 purge and exhaust isolation valves close before any radioactivity is released from containment.

The other containment penetrations that provide direct access from containment atmosphere to outside atmosphere must be isolated on at least one side. Isolation may be achieved by an OPERABLE automatic isolation valve, or by a manual isolation valve, blind flange, or equivalent.

Functionally equivalent isolation methods must be approved by an engineering evaluation and may include use of a material that can provide a temporary, atmospheric pressure, ventilation barrier for the other containment penetrations during recently irradiated fuel movements and the movement of fuel assemblies over recently irradiated fuel assemblies (Reference 1).

Beaver Valley Units 1 and 2 B 3.9.3 - 2 Revision 0

Containment Penetrations B 3.9.3 BASES APPLICABLE During refueling operations, the postulated event that results in the most SAFETY severe radiological consequences is a fuel handling accident (Ref. 2).

ANALYSES The limiting fuel handling accident analyzed in Reference 2, includes dropping a single irradiated fuel assembly and handling tool (conservatively estimated at 2500 pounds) directly onto another irradiated fuel assembly resulting in both assemblies being damaged. The analysis assumes a 100 hour0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months decay time prior to moving irradiated fuel.

The applicable limits for offsite and control room dose from a fuel handling accident are specified in 10 CFR 50.67. Standard Review Plan, Section 15.0.1, Rev 0 (Ref. 3) provides an additional offsite dose criteria of 6.3 rem total effective dose equivalent (TEDE) for fuel handling accidents.

The water level requirements of LCO 3.9.6, "Refueling Cavity Water Level," in conjunction with a minimum decay time of 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months prior to irradiated fuel movement, ensure that the resulting offsite and control room dose from the limiting fuel handling accident is within the limits required by 10 CFR 50.67 and within the acceptance criteria of Reference 3 without the need for containment closure.

Therefore, the containment closure requirements of LCO 3.9.3, "Containment Penetrations," are only applicable during refueling operations involving recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ). Current requirements based on the decay time of the fuel prevent the movement of recently irradiated fuel. However, the requirements for containment closure are retained in the Technical Specifications in case these requirements are necessary to support fuel movement involving recently irradiated fuel consistent with the guidance of Reference 4.

Containment penetrations satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO limits the consequences of a fuel handling accident involving handling recently irradiated fuel in containment by limiting the potential escape paths for fission product radioactivity released within containment.

The LCO requires any penetration providing direct access from the containment atmosphere to the outside atmosphere to be closed except for the OPERABLE containment purge and exhaust penetrations which may be open if the exhaust airflow is lined up to an OPERABLE SLCRS train (Unit 1) or capable of being closed by an OPERABLE Containment Purge and Exhaust Isolation System (Unit 2).

For Unit 2, an OPERABLE Containment Purge and Exhaust Isolation System includes purge and exhaust valves that isolate within the required time and a purge exhaust flow that is within the required limit. The Unit 2 Beaver Valley Units 1 and 2 B 3.9.3 - 3 Revision 0

Containment Penetrations B 3.9.3 BASES LCO (continued) purge and exhaust valve isolation time and purge exhaust flow requirements provide assurance that, in the event of a limiting fuel handling accident, the purge and exhaust penetrations will be isolated prior to the resulting radioactivity being released from containment.

For the OPERABLE containment purge and exhaust penetrations for Unit 2, this LCO ensures that these penetrations are isolable by the Containment Purge and Exhaust Isolation System and for Unit 1 that the purge exhaust is lined up to an OPERABLE SLCRS train when moving recently irradiated fuel and during movement of fuel assemblies over recently irradiated fuel assemblies. The OPERABILITY requirements for this LCO ensure that the Unit 2 automatic purge and exhaust valve closure times specified in the Licensing Requirements Manual (LRM) can be achieved and, therefore, meet the assumptions used in the safety analysis to ensure that releases through the valves are prevented, or for Unit 1, that the releases are filtered such that radiological doses are within the acceptance limit.

APPLICABILITY The containment penetration requirements are applicable during movement of recently irradiated fuel assemblies or the movement of fuel assemblies over recently irradiated fuel assemblies within containment because this is when there is a potential for the limiting fuel handling accident. In MODES 1, 2, 3, and 4, containment penetration requirements are addressed by LCO 3.6.1, "Containment Operability" and LCO 3.6.3, "Containment Isolation Valves." In MODES 5 and 6, when movement of irradiated fuel assemblies within containment is not being conducted, the potential for a fuel handling accident does not exist.

Additionally, due to radioactive decay, a fuel handling accident that does not involve recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months ) will result in doses that are well within the guideline values specified in 10 CFR 50.67 even without containment closure capability. Therefore, under these conditions no requirements are placed on containment penetration status.

Although movement of recently irradiated fuel is not currently permitted, the requirements for containment closure are retained in the Technical Specifications in case these requirements are necessary to support fuel movement involving recently irradiated fuel consistent with the guidance of Reference 4.

Beaver Valley Units 1 and 2 B 3.9.3 - 4 Revision 0

Containment Penetrations B 3.9.3 BASES ACTIONS A.1 and A.2 If the containment equipment hatch, air locks, or any containment penetration that provides direct access from the containment atmosphere to the outside atmosphere is not in the required status, including the Unit 2 Containment Purge and Exhaust Isolation System not capable of automatic actuation when the purge and exhaust valves are open or the Unit 1 purge exhaust not lined up to an OPERABLE SLCRS train, the unit must be placed in a condition where the isolation or filtration function is not needed. This is accomplished by immediately suspending movement of recently irradiated fuel assemblies and the movement of any fuel assemblies over recently irradiated fuel assemblies within containment.

Performance of these actions shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE SR 3.9.3.1 REQUIREMENTS The Surveillance requires that the Unit 2 containment purge exhaust flow rate be verified to be 7500 cfm. The Surveillance is necessary to verify the Containment Purge and Exhaust Isolation System is OPERABLE.

LCO 3.9.3.c.2 requires that the containment purge and exhaust penetrations are capable of being isolated by an OPERABLE Containment Purge and Exhaust Isolation System. Verifying the purge exhaust flow is within the limit provides assurance that, in the event of a limiting fuel handling accident, the purge and exhaust penetrations will be isolated prior to the resulting radioactivity being released from containment.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The Surveillance is modified by two Notes that specify the Surveillance is only applicable to Unit 2 and that the Surveillance is only required to be met when the containment purge and exhaust is operating in accordance with LCO 3.9.3.c.2. The Surveillance is only applicable to Unit 2 because Unit 1 does not credit purge and exhaust isolation and instead relies on filtration of the purge exhaust flow.

SR 3.9.3.2 This Surveillance demonstrates that each of the containment penetrations required to be in its closed position is in that position. The Surveillance on the open Unit 2 purge and exhaust valves will demonstrate that the Beaver Valley Units 1 and 2 B 3.9.3 - 5 Revision 29

Containment Penetrations B 3.9.3 BASES SURVEILLANCE REQUIREMENTS (continued) valves are not blocked from closing and that each valve operator has motive power, which will ensure that each valve is capable of being closed by an OPERABLE automatic containment purge and exhaust isolation signal. The Surveillance on the open Unit 1 purge and exhaust valves will confirm that the purge exhaust is lined up to an OPERABLE SLCRS filtration train.

This Surveillance ensures that a postulated fuel handling accident involving handling recently irradiated fuel that releases fission product radioactivity within the containment will not result in a release of significant fission product radioactivity to the environment in excess of those recommended by Standard Review Plan Section 15.0.1 (Reference 3). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.9.3.3 This Surveillance demonstrates that each Unit 2 containment purge and exhaust valve actuates to its isolation position on manual initiation and on an actual or simulated high radiation signal. The Frequency maintains consistency with other similar ESFAS instrumentation and valve testing requirements that ensure the valves are capable of closing after a postulated fuel handling accident involving handling recently irradiated fuel to limit a release of fission product radioactivity from the containment.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The SR is modified by two Notes stating that this Surveillance is only applicable to Unit 2 and that this Surveillance is not required to be met for valves in isolated penetrations. The LCO provides the option to close penetrations in lieu of requiring automatic actuation capability. The Surveillance is not applicable to Unit 1 because Unit 1 does not credit purge and exhaust isolation and relies on filtration instead.

Beaver Valley Units 1 and 2 B 3.9.3 - 6 Revision 29

Containment Penetrations B 3.9.3 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.9.3.4 The Surveillance requires that the Unit 2 containment purge and exhaust valve isolation time be verified within the limit. The required isolation time for the containment purge and exhaust valves is specified in the LRM.

The Surveillance is necessary to verify the Containment Purge and Exhaust Isolation System is OPERABLE. LCO 3.9.3.c.2 requires that the containment purge and exhaust penetrations are capable of being isolated by an OPERABLE Containment Purge and Exhaust Isolation System. Verifying the purge and exhaust valve isolation time is within the limit provides assurance that, in the event of a limiting fuel handling accident, the purge and exhaust penetrations will be isolated prior to the resulting radioactivity being released from containment.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The Surveillance is modified by two Notes that specify the Surveillance is only applicable to Unit 2 and that the Surveillance is only required to be met when the containment purge and exhaust is operating in accordance with LCO 3.9.3.c.2. The Surveillance is only applicable to Unit 2 because Unit 1 does not credit purge and exhaust isolation and instead relies on filtration of the purge exhaust flow.

REFERENCES 1. GPU Nuclear Safety Evaluation SE-0002000-001, Rev. 0, May 20, 1988.

2. UFSAR, Section 14.2.1 (Unit 1) and UFSAR, Section 15.7.4 (Unit 2).

3. NUREG-0800, Section 15.0.1, Rev. 0, July 2000.

4. NUREG-1431, "Standard Technical Specifications for Westinghouse Plants," Rev. 2, April 2001.

Beaver Valley Units 1 and 2 B 3.9.3 - 7 Revision 29

RHR and Coolant Circulation - High Water Level B 3.9.4 B 3.9 REFUELING OPERATIONS B 3.9.4 Residual Heat Removal (RHR) and Coolant Circulation - High Water Level BASES BACKGROUND The purpose of the RHR System in MODE 6 is to remove decay heat and sensible heat from the Reactor Coolant System (RCS), as required by GDC 34, to provide mixing of borated coolant and to prevent boron stratification (Ref. 1). Heat is removed from the RCS by circulating reactor coolant through the RHR heat exchanger(s), where the heat is transferred to the Component Cooling Water System. The coolant is then returned to the RCS via the RCS cold leg(s). Operation of the RHR System for normal cooldown or decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlling the flow of reactor coolant through the RHR heat exchanger(s) and the bypass. Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant through the RHR System.

APPLICABLE If the reactor coolant temperature is not maintained below 200°F, boiling SAFETY of the reactor coolant could result. This could lead to a loss of coolant in ANALYSES the reactor vessel. Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to boron plating out on components near the areas of the boiling activity. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. One train of the RHR System is required to be operational in MODE 6, with the water level 23 ft above the top of the reactor vessel flange, to prevent this challenge. The LCO does permit the RHR pump to be removed from operation for short durations, under the condition that the boron concentration is not diluted. This conditional stopping of the RHR pump does not result in a challenge to the fission product barrier.

The RHR System satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).

LCO Only one RHR loop is required for decay heat removal in MODE 6, with the water level 23 ft above the top of the reactor vessel flange. Only one RHR loop is required to be OPERABLE, because the volume of water above the reactor vessel flange provides backup decay heat removal capability. At least one RHR loop must be OPERABLE and in operation to provide:

a. Removal of decay heat,

b. Mixing of borated coolant to minimize the possibility of criticality, and

c. Indication of reactor coolant temperature.

Beaver Valley Units 1 and 2 B 3.9.4 - 1 Revision 0

RHR and Coolant Circulation - High Water Level B 3.9.4 BASES LCO (continued)

An OPERABLE RHR loop includes an RHR pump, a heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path and to determine the RCS temperature. The normal recirculation flow path starts in one of the RCS hot legs and is returned to the RCS cold legs.

The LCO is modified by two Notes. Notes 1 and 2 allow the required operating RHR loop to be removed from operation for up to 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months per 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months period or up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months per 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months period, provided no operations are permitted that would dilute the RCS boron concentration by the introduction of coolant into the RCS with boron concentration less than required to meet the minimum boron concentration of LCO 3.9.1. Boron concentration reduction with coolant at boron concentrations less than required to assure the RCS boron concentration is maintained is prohibited because uniform concentration distribution cannot be ensured without forced circulation. The one hour allowance permits operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles and RCS to RHR isolation valve testing. The four hour allowance is used solely for the performance of ultrasonic inservice inspection inside the reactor vessel nozzles. During the time the RHR is not in operation, decay heat is removed by natural convection to the large mass of water in the refueling cavity.

APPLICABILITY One RHR loop must be OPERABLE and in operation in MODE 6, with the water level 23 ft above the top of the reactor vessel flange, to provide decay heat removal. The 23 ft water level was selected because it corresponds to the 23 ft requirement established for fuel movement in LCO 3.9.6, "Refueling Cavity Water Level." Requirements for the RHR System in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR loop requirements in MODE 6 with the water level < 23 ft are located in LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level."

ACTIONS RHR loop requirements are met by having one RHR loop OPERABLE and in operation, except as permitted in the Notes to the LCO.

A.1 If RHR loop requirements are not met, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Suspending positive reactivity additions that could result in failure to meet the minimum boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the Beaver Valley Units 1 and 2 B 3.9.4 - 2 Revision 0

RHR and Coolant Circulation - High Water Level B 3.9.4 BASES ACTIONS (continued)

RCS for minimum refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation.

A.2 If RHR loop requirements are not met, actions shall be taken immediately to suspend loading of irradiated fuel assemblies in the core. With no forced circulation cooling, decay heat removal from the core occurs by natural convection to the heat sink provided by the water above the core.

A minimum refueling water level of 23 ft above the reactor vessel flange provides an adequate available heat sink. Suspending any operation that would increase decay heat load, such as loading a fuel assembly, is a prudent action under this condition.

A.3 If RHR loop requirements are not met, actions shall be initiated and continued in order to satisfy RHR loop requirements. With the unit in MODE 6 and the refueling water level 23 ft above the top of the reactor vessel flange, corrective actions shall be initiated immediately.

A.4, A.5, A.6.1, and A.6.2 If no RHR is in operation, the following actions must be taken:

a. The equipment hatch must be closed and secured with four bolts,

b. One door in each installed air lock must be closed, and

c. Each penetration providing direct access from the containment atmosphere to the outside atmosphere must be either closed by a manual or automatic isolation valve, blind flange, or equivalent, or verified to be capable of being closed by an OPERABLE Containment Purge and Exhaust Isolation System. The safety function of the Containment Purge and Exhaust Isolation System required for OPERABILITY of the system in order to satisfy Action A.6.2 consists of the capability to close at least one isolation valve in each penetration by either automatic actuation on high radiation or manually from the control room.

With RHR loop requirements not met, the potential exists for the coolant to boil and release radioactive gas to the containment atmosphere.

Performing the actions described above ensures that all containment penetrations are either closed or can be closed so that the dose limits are not exceeded.

Beaver Valley Units 1 and 2 B 3.9.4 - 3 Revision 0

RHR and Coolant Circulation - High Water Level B 3.9.4 BASES ACTIONS (continued)

The Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months allows fixing of most RHR problems and is reasonable, based on the low probability of the coolant boiling in that time.

SURVEILLANCE SR 3.9.4.1 REQUIREMENTS This Surveillance verifies that the RHR loop is circulating reactor coolant at the specified flow rate of 3,000 gpm. The verification of the specified flow rate provides additional assurance of adequate forced circulation and mixing of the RCS during operations involving the addition of coolant into the RCS with a boron concentration that is less than required to maintain the required SHUTDOWN MARGIN.

The Surveillance is modified by a Note that specifies the conditions under which the Surveillance is required to be met. The Note states that the Surveillance is only required to be met prior to the start of (i.e., within an hour before) and during operations that cause the introduction of coolant into the RCS with boron concentration less than that required to meet the minimum required boron concentration of LCO 3.9.1. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.9.4.2 This Surveillance demonstrates that the RHR loop is in operation and circulating reactor coolant. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal and to prevent thermal and boron stratification in the core.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Unit 1 UFSAR, Appendix 1A, "1971 AEC General Design Criteria Conformance." Unit 2 UFSAR, Section 3.1, "Conformance with NRC General Design Criteria."

Beaver Valley Units 1 and 2 B 3.9.4 - 4 Revision 29

RHR and Coolant Circulation - Low Water Level B 3.9.5 B 3.9 REFUELING OPERATIONS B 3.9.5 Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level BASES BACKGROUND The purpose of the RHR System in MODE 6 is to remove decay heat and sensible heat from the Reactor Coolant System (RCS), as required by GDC 34, to provide mixing of borated coolant, and to prevent boron stratification (Ref. 1). Heat is removed from the RCS by circulating reactor coolant through the RHR heat exchangers where the heat is transferred to the Component Cooling Water System. The coolant is then returned to the RCS via the RCS cold leg(s). Operation of the RHR System for normal cooldown decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlling the flow of reactor coolant through the RHR heat exchanger(s) and the bypass lines. Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant through the RHR System.

APPLICABLE If the reactor coolant temperature is not maintained below 200°F, boiling SAFETY of the reactor coolant could result. This could lead to a loss of coolant in ANALYSES the reactor vessel. Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant will eventually challenge the integrity of the fuel cladding, which is a fission product barrier. Two trains of the RHR System are required to be OPERABLE, and one train in operation, in order to prevent this challenge.

The RHR System satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).

LCO In MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, both RHR loops must be OPERABLE. Additionally, one loop of RHR must be in operation in order to provide:

a. Removal of decay heat,

b. Mixing of borated coolant to minimize the possibility of criticality, and

c. Indication of reactor coolant temperature.

This LCO is modified by two Notes. Note 1 permits the RHR pumps to be removed from operation for 15 minutes when switching from one train to another.

Beaver Valley Units 1 and 2 B 3.9.5 - 1 Revision 0

RHR and Coolant Circulation - Low Water Level B 3.9.5 BASES LCO (continued)

The circumstances for stopping both RHR pumps are to be limited to situations when the outage time is short and the core outlet temperature is maintained > 10 degrees F below saturation temperature. The Note prohibits boron dilution or draining operations when RHR forced flow is stopped.

Note 2 allows one RHR loop to be inoperable for a period of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months provided the other loop is OPERABLE and in operation. Prior to declaring the loop inoperable, consideration should be given to the existing plant configuration. This consideration should include that the core time to boil is short, there is no draining operation to further reduce RCS water level and that the capability exists to inject borated water into the reactor vessel. This permits surveillance tests to be performed on the inoperable loop during a time when these tests are safe and possible.

An OPERABLE RHR loop consists of an RHR pump, a heat exchanger, valves, piping, instruments and controls to ensure an OPERABLE flow path and to determine the RCS temperature. The normal recirculation flow path starts in one of the RCS hot legs and is returned to the RCS cold legs.

Both RHR pumps may be aligned to the refueling water storage tank to support draining the refueling cavity or for performance of required testing.

APPLICABILITY Two RHR loops are required to be OPERABLE, and one RHR loop must be in operation in MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, to provide decay heat removal. Requirements for the RHR System in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR loop requirements in MODE 6 with the water level 23 ft are located in LCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation - High Water Level."

Beaver Valley Units 1 and 2 B 3.9.5 - 2 Revision 0

RHR and Coolant Circulation - Low Water Level B 3.9.5 BASES ACTIONS A.1 and A.2 If less than the required number of RHR loops are OPERABLE, action shall be immediately initiated and continued until the RHR loop is restored to OPERABLE status and to operation or until 23 ft of water level is established above the reactor vessel flange. When the water level is 23 ft above the reactor vessel flange, the Applicability changes to that of LCO 3.9.4, and only one RHR loop is required to be OPERABLE and in operation. An immediate Completion Time is necessary for an operator to initiate corrective actions.

B.1 If no RHR loop is in operation, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Suspending positive reactivity additions that could result in failure to meet the minimum boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for minimum refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation.

B.2 If no RHR loop is in operation, actions shall be initiated immediately, and continued, to restore one RHR loop to operation. Since the unit is in Conditions A and B concurrently, the restoration of two OPERABLE RHR loops and one operating RHR loop should be accomplished expeditiously.

B.3, B.4, B.5.1, and B.5.2 If no RHR is in operation, the following actions must be taken:

a. The equipment hatch must be closed and secured with four bolts,

b. One door in each installed air lock must be closed, and

c. Each penetration providing direct access from the containment atmosphere to the outside atmosphere must be either closed by a manual or automatic isolation valve, blind flange, or equivalent, or verified to be capable of being closed by an OPERABLE Containment Purge and Exhaust Isolation System. The safety function of the Containment Purge and Exhaust Isolation System required for OPERABILITY of the system in order to satisfy Beaver Valley Units 1 and 2 B 3.9.5 - 3 Revision 0

RHR and Coolant Circulation - Low Water Level B 3.9.5 BASES LCO (continued)

Action B.5.2 consists of the capability to close at least one isolation valve in each penetration by either automatic actuation on high radiation or manually from the control room.

With RHR loop requirements not met, the potential exists for the coolant to boil and release radioactive gas to the containment atmosphere.

Performing the actions stated above ensures that all containment penetrations are either closed or can be closed so that the dose limits are not exceeded.

The Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months allows fixing of most RHR problems and is reasonable, based on the low probability of the coolant boiling in that time.

SURVEILLANCE SR 3.9.5.1 REQUIREMENTS This Surveillance verifies that the RHR loop is circulating reactor coolant at the specified flow rate of 3,000 gpm. The verification of the specified flow rate provides additional assurance of adequate forced circulation and mixing of the RCS during operations involving the addition of coolant into the RCS with a boron concentration that is less than required to maintain the required SHUTDOWN MARGIN.

The Surveillance is modified by a Note that specifies the conditions under which the Surveillance is required to be met. The Note states that the Surveillance is only required to be met prior to the start of (i.e., within an hour before) and during operations that cause the introduction of coolant into the RCS with boron concentration less than that required to meet the minimum required boron concentration of LCO 3.9.1. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.9.5.2 This Surveillance verifies that the RHR loop is circulating reactor coolant at the specified flow rate of 1,000 gpm. The verification of the specified flow rate provides additional assurance of adequate forced circulation of the RCS when the RCS water level is more than three feet below the reactor vessel flange.

The Surveillance is modified by a Note that specifies the conditions under which the Surveillance is required to be met. The Note states that the Surveillance is only required to be met when RCS water level is > three Beaver Valley Units 1 and 2 B 3.9.5 - 4 Revision 29

RHR and Coolant Circulation - Low Water Level B 3.9.5 BASES SURVEILLANCE REQUIREMENTS (continued) feet below the reactor vessel flange. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.9.5.3 This Surveillance demonstrates that one RHR loop is in operation and circulating reactor coolant. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal and to prevent thermal and boron stratification in the core.

In addition, during operation of the RHR loop with the water level in the vicinity of the reactor vessel nozzles, the RHR pump suction requirements must be met. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.9.5.4 Verification that the required pump is OPERABLE ensures that an additional RHR pump can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to the required pump. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that states the SR is not required to be performed until 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after a required pump is not in operation.

REFERENCES 1. Unit 1 UFSAR, Appendix 1A, "1971 AEC General Design Criteria Conformance." Unit 2 UFSAR, Section 3.1, "Conformance with NRC General Design Criteria."

Beaver Valley Units 1 and 2 B 3.9.5 - 5 Revision 29

Refueling Cavity Water Level B 3.9.6 B 3.9 REFUELING OPERATIONS B 3.9.6 Refueling Cavity Water Level BASES BACKGROUND The movement of irradiated fuel assemblies or the movement of any fuel assemblies over irradiated fuel assemblies within containment requires a minimum water level of 23 ft above the top of the reactor vessel flange.

During refueling, this maintains sufficient water level in the refueling canal, fuel transfer canal, and refueling cavity. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a fuel handling accident (Refs. 1 and 2). Sufficient iodine activity would be retained to limit offsite doses and the control room dose from the accident to within the limits of 10 CFR 50.67 (Ref. 4), as provided by the guidance of Reference 3.

APPLICABLE During movement of irradiated fuel assemblies or the movement of any SAFETY fuel assemblies over irradiated fuel assemblies, the water level in the ANALYSES refueling canal and the refueling cavity is an initial condition design parameter in the analysis of a fuel handling accident in containment, as postulated by Regulatory Guide 1.183 (Ref. 1). A minimum water level of 23 ft allows a decontamination factor of 200 (Appendix B of Ref. 1) to be used in the accident analysis for iodine.

The fuel handling accident analysis inside containment is described in Reference 2. With a minimum water level of 23 ft and a minimum decay time of 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months prior to fuel handling, the analysis and test programs demonstrate that the iodine release due to a postulated fuel handling accident is adequately captured by the water and offsite doses and the control room dose are maintained within allowable limits (Refs. 2 and 4).

Refueling cavity water level satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO A minimum refueling cavity water level of 23 ft above the reactor vessel flange is required to ensure that the radiological consequences of a postulated fuel handling accident inside containment are within acceptable limits, as provided by the guidance of References 3 and 4.

Beaver Valley Units 1 and 2 B 3.9.6 - 1 Revision 0

Refueling Cavity Water Level B 3.9.6 BASES APPLICABILITY LCO 3.9.6 is applicable when moving irradiated fuel assemblies or when moving any fuel assemblies over irradiated fuel assemblies within containment. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel assemblies are not present in containment, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel pool are covered by LCO 3.7.15, "Fuel Storage Pool Water Level."

ACTIONS A.1 and A.2 With a water level of < 23 ft above the top of the reactor vessel flange, all operations involving moving irradiated fuel assemblies or moving fuel assemblies over irradiated fuel assemblies within the containment shall be suspended immediately to ensure that a fuel handling accident cannot occur.

The suspension of fuel movement shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE SR 3.9.6.1 REQUIREMENTS Verification of a minimum water level of 23 ft above the top of the reactor vessel flange ensures that the design basis for the analysis of the postulated fuel handling accident during refueling operations is met.

Water at the required level above the top of the reactor vessel flange limits the consequences of damaged fuel rods that are postulated to result from a fuel handling accident inside containment (Ref. 2).

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Regulatory Guide 1.183, July 2000.

2. UFSAR, Section 14.2.1 (Unit 1) and UFSAR, Section 15.7.4 (Unit 2).

3. NUREG-0800, Section 15.0.1.

4. 10 CFR 50.67.

Beaver Valley Units 1 and 2 B 3.9.6 - 2 Revision 29

L-20-051, Technical Specification Bases, Revision 37, Reactor Coolant System (RCS) (Part 2 of 2)

Text

Navigation menu

Search