ML020700231

From kanterella
Jump to navigation Jump to search

Part 1 of 10, North Anna Power Station, Units 1 & 2 Proposed Improved Technical Specifications Comments on Draft Safety Evaluation, Certified Improved Technical Specifications (ITS) & Bases & Proposed License Conditions
ML020700231
Person / Time
Site: North Anna  Dominion icon.png
Issue date: 02/22/2002
From: Hartz L
Virginia Electric & Power Co (VEPCO)
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
02-053, CM/RAB R0, TAC MB0799, TAC MB0800
Download: ML020700231 (192)
v  d  e


Text

VIRGINIA ELECTRIC AND POWER COMPANY RICHMOND, VIRGINIA 23261 February 22, 2002 U.S. Nuclear Regulatory Commission Serial No.: 02-053 Attention: Document Control Desk CM/RAB RO Washington, D.C. 20555-0001 Docket Nos.: 50-338 50-339 License Nos.: NPF-4 NPF-7 Gentlemen:

VIRGINIA ELECTRIC AND POWER COMPANY (DOMINION)

NORTH ANNA POWER STATION UNITS I AND 2 PROPOSED IMPROVED TECHNICAL SPECIFICATIONS COMMENTS ON DRAFT SAFETY EVALUATION, CERTIFIED ITS AND BASES, AND PROPOSED LICENSE CONDITIONS This letter transmits our comments on the NRC's draft Safety Evaluation (SE) for the conversion of the North Anna Power Station (NAPS) Units 1 and 2 current Technical Specifications (CTS) to the Improved Technical Specifications (ITS). The NRC transmitted the draft SE in a letter dated January 24, 2002 (TAC Nos. MB0799 and MB0800).

This letter also transmits a complete copy of the ITS and Bases, through Revision 17, to facilitate issuance of the conversion. The remaining changes that are being prepared to respond to recent NRC requests will be submitted as they are completed.

In the conversion to ITS, Dominion committed to relocate certain requirements from the CTS to licensee-controlled documents. To make this commitment enforceable in accordance with an NRC request, it is requested that the following be added to the Additional Conditions section of the license:

This amendment authorizes the relocation of certain Technical Specification requirements to licensee-controlled documents. Implementation of this amendment shall include the relocation of these technical specification requirements to the appropriate documents, as described in Table R, which is attached to the staffs Safety Evaluation enclosed with this amendment.

Also, as part of the conversion to ITS, Dominion is adopting numerous new and revised Surveillance Requirements (SRs). In order to facilitate implementation of these SRs, it is requested that the following additional license condition be issued to define the schedule for performance of the new and revised SRs during or after the implementation of ITS:

The schedule for the performance of new and revised Surveillance Requirements (SRs) shall be as follows:

For SRs that are new in this amendment, the first performance is due at the end of the first surveillance interval that begins on the date of implementation of this amendment.

For SRs that existed prior to this amendment whose intervals of performance are being reduced, the first reduced surveillance interval begins upon completion of the first surveillance performed after implementation of this amendment.

For SRs that existed prior to this amendment that have modified acceptance criteria, the first performance subject to the modified accepatance criteria is due at the end of the first surveillance interval that began on the date the surveillance was last performed prior to the implementation of this amendment.

For SRs that existed prior to this amendment whose intervals of performance are being extended, the first extended surveillance interval begins upon completion of the last surveillance performed prior to implementation of this amendment.

If you have any further questions or require additional information, please contact us.

Very truly yours, Leslie N. Hartz Vice President - Nuclear Engineering Attachment Commitments made in this letter: None

cc: U.S. Nuclear Regulatory Commission Region II Sam Nunn Atlanta Federal Center 61 Forsyth Street, SW Suite 23T85 Atlanta, Georgia 30303-8931 Mr. Tommy Le U.S. Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike Mail Stop 12 H4 Rockville, MD 20852-2738 Mr. M. J. Morgan NRC Senior Resident Inspector North Anna Power Station Commissioner (w/o attachments)

Bureau of Radiological Health 1500 East Main Street Suite 240 Richmond, VA 23218 Mr. J. E. Reasor, Jr. (w/o attachments)

Old Dominion Electric Cooperative Innsbrook Corporate Center 4201 Dominion Blvd.

Suite 300 Glen Allen, Virginia 23060

SN: 02-053 Docket Nos.: 50-338/339

Subject:

Proposed ITS - Comments on Draft SE COMMONWEALTH OF VIRGINIA )

)

COUNTY OF HENRICO )

The foregoing document was acknowledged before me, in and for the County and Commonwealth aforesaid, today by Leslie N. Hartz, who is Vice President - Nuclear Engineering, of Virginia Electric and Power Company. She has affirmed before me that she is duly authorized to execute and file the foregoing document in behalf of that Company, and that the statements in the document are true to the best of her knowledge and belief.

Acknowledged before me this 22nd day of February, 2002.

My Commission Expires: March 31, 2004.

'Notary Public (SEAL)

Refueling Cavity Water Level B 3.9.7 BASES APPLICABILITY LCO 3.9.7 is applicable when moving irradiated fuel assemblies within containment. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel assemblies are not present in containment, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel pool are covered by LCO 3.7.16, "Fuel Storage Pool Water Level."

ACTIONS A.1 With a water level of < 23 ft above the top of the reactor vessel flange, all operations involving movement of irradiated fuel assemblies within the containment shall be suspended immediately to ensure that a fuel handling accident cannot occur.

The suspension of fuel movement shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE SR 3.9.7.1 REQUIREMENTS Verification of a minimum water level of 23 ft above the top of the reactor vessel flange ensures that the design basis for the analysis of the postulated fuel handling accident during refueling operations is met. Water at the required level above the top of the reactor vessel flange limits the consequences of damaged fuel rods that are postulated to result from a fuel handling accident inside containment (Ref. 2).

The Frequency of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is based on engineering judgment and is considered adequate in view of the large volume of water and the normal procedural controls of valve positions, which make significant unplanned level changes unlikely.

REFERENCES 1. Regulatory Guide 1.25, March 23, 1972.

2. UFSAR, Section 15.4.7.
3. 10 CFR 100.10.

North Anna Units 1 and 2 B 3.9.7-2 Revision 0, 04/02/02

Refueling Cavity Water Level B 3.9.7 B 3.9 REFUELING OPERATIONS B 3.9.7 Refueling Cavity Water Level BASES BACKGROUND The movement of irradiated fuel assemblies within containment requires a minimum water level of 23 ft above the top of the reactor vessel flange. During refueling, this maintains sufficient water level in the containment, refueling canal, fuel transfer canal, refueling cavity, and spent fuel pool. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a fuel handling accident (Refs. 1 and 2). Sufficient iodine activity would be retained to limit offsite doses from the accident to well below 10 CFR 100 limits.

APPLICABLE During movement of irradiated fuel assemblies, the water SAFETY ANALYSES level in the refueling canal and the refueling cavity is an initial condition design parameter in the analysis of a fuel handling accident in containment, as postulated by Regulatory Guide 1.25 (Ref. 1). A minimum water level of 23 ft (Regulatory Position C.1.c of Ref. 1) allows a decontamination factor of 100 (Regulatory Position C.1.g of Ref. 1) to be used in the accident analysis for iodine. This relates to the assumption that 99% of the total iodine released from the pellet to cladding gap of all the dropped fuel assembly rods is retained by the refueling cavity water. The fuel pellet to cladding gap is assumed to contain 10% of the total fuel rod iodine inventory (Ref. 1).

The fuel handling accident analysis inside containment is described in Reference 2. With a minimum water level of 23 ft, the analysis and test programs demonstrate that the iodine release due to a postulated fuel handling accident is adequately captured by the water and offsite doses are maintained within allowable limits (Ref. 3).

Refueling cavity water level satisfies Criterion 2 of 10 CFR 50.36(c) (2) (ii).

LCO A minimum refueling cavity water level of 23 ft above the reactor vessel flange is required to ensure that the radiological consequences of a postulated fuel handling accident inside containment are within acceptable limits.

North Anna Units 1 and 2 B 3.9.7-1 Revision 0, 04/02/02

RHR and Coolant Circulation-Low Water Level B 3.9.6 BASES ACTIONS B.3, B.4, B.5.1, and B.5.2 (continued) above ensures that all containment penetrations are either closed or can be closed so that the dose limits are not exceeded.

The Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> allows fixing of most RHR problems and is reasonable, based on the low probability of the coolant boiling in that time.

SURVEILLANCE SR 3.9.6.1 REQUIREMENTS This Surveillance demonstrates that one RHR loop is in operation and circulating reactor coolant. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability and to prevent thermal and boron stratification in the core. In addition, during operation of the RHR loop with the water level lowered to the level of the reactor vessel nozzles, the RHR pump net positive suction head requirements must be met. The Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is sufficient, considering the flow, temperature, pump control, and alarm indications available to the operator for monitoring the RHR System in the control room.

SR 3.9.6.2 Verification that the required pump is OPERABLE ensures that an additional RCS or RHR pump can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to the required pump.

The Frequency of 7 days is considered reasonable in view of other administrative controls available and has been shown to be acceptable by operating experience.

The SR is modified by a Note that states the SR is not required to be performed until 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after a required pump is not in operation.

REFERENCES 1. UFSAR, Section 5.5.4.

North Anna Units 1 and 2 B 3.9.6-4 Revision 0, 04/02/02

RHR and Coolant Circulation-Low Water Level B 3.9.6 BASES ACTIONS A.1 and A.2 (continued) or until Ž 23 ft of water level is established above the reactor vessel flange. When the water level is Ž 23 ft above the reactor vessel flange, the Applicability changes to that of LCO 3.9.5, and only one RHR loop is required to be OPERABLE and in operation. An immediate Completion Time is necessary for an operator to initiate corrective actions.

B.1 If no RHR loop is in operation, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron concentrations cannot occur by the addition of water with a lower boron concentration than that contained in the RCS, because all of the unborated water sources are isolated.

B.2 If no RHR loop is in operation, actions shall be initiated immediately, and continued, to restore one RHR loop to operation. Since the unit is in Conditions A and B concurrently, the restoration of two OPERABLE RHR loops and one operating RHR loop should be accomplished expeditiously.

B.3, B.4, B.5.1, and B.5.2 If no RHR is in operation, the following actions must be taken:

a. the equipment hatch or equipment hatch cover must be closed and secured with at least four bolts;
b. one door in each installed air lock must be closed; and
c. each penetration providing direct access from the containment atmosphere to the outside atmosphere must be either closed by a manual or automatic isolation valve, blind flange, or equivalent, or verified to be capable of being closed by an OPERABLE Containment Purge and Exhaust Isolation system.

With RHR loop requirements not met, the potential exists for the coolant to boil and release radioactive gas to the containment atmosphere. Performing the actions described (continued)

North Anna Units 1 and 2 B 3.9.6-3 Revision 0, 04/02/02

RHR and Coolant Circulation-Low Water Level B 3.9.6 BASES LCO b. Mixing of borated coolant to minimize the possibility of (continued) criticality; and

c. Indication of reactor coolant temperature.

This LCO is modified by two Notes. Note 1 permits the RHR pumps to be removed from operation for

  • 15 minutes when switching from one train to another. The circumstances for stopping both RHR pumps are to be limited to situations when the outage time is short and the core outlet temperature is maintained > 10OF below saturation temperature. The Note prohibits boron dilution or draining operations when RHR forced flow is stopped. Note 2 allows one RHR loop to be inoperable for a period of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> provided the other loop is OPERABLE and in operation. Prior to declaring the loop inoperable, consideration should be given to the existing unit configuration. This consideration should include that the core time to boil is short, there is no draining operation to further reduce RCS water level and that the capability exists to inject borated water into the reactor vessel. This permits surveillance tests to be performed on the inoperable loop during a time when these tests are safe and possible.

An OPERABLE RHR loop consists of an RHR pump, a heat exchanger, valves, piping, instruments and controls to ensure an OPERABLE flow path and to determine the RHR discharge temperature. The flow path starts in one of the RCS hot legs and is returned to at least one of the RCS cold legs.

APPLICABILITY Two RHR loops are required to be OPERABLE, and one RHR loop must be in operation in MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, to provide decay heat removal. Requirements for the RHR System in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR loop requirements in MODE 6 with the water level

Ž 23 ft are located in LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level."

ACTIONS A.1 and A.2 If less than the required number of RHR loops are OPERABLE, action shall be immediately initiated and continued until the RHR loop is restored to OPERABLE status and to operation (continued)

North Anna Units 1 and 2 B 3.9.6-2 Revision 0, 04/02/02

RHR and Coolant Circulation-Low Water Level B 3.9.6 B 3.9 REFUELING OPERATIONS B 3.9.6 Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level BASES BACKGROUND The purpose of the RHR System in MODE 6 is to remove decay heat and sensible heat from the Reactor Coolant System (RCS) to provide mixing of borated coolant, and to prevent boron stratification (Ref. 1). Heat is removed from the RCS by circulating reactor coolant through the RHR heat exchangers where the heat is transferred to the Component Cooling Water System. The coolant is then returned to the RCS via the RCS cold leg(s). Operation of the RHR System for normal cooldown decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlling the flow of reactor coolant through the RHR heat exchanger(s) and the bypass lines. Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant through the RHR System.

APPLICABLE If the reactor coolant temperature is not maintained below SAFETY ANALYSES 200'F, boiling of the reactor coolant could result. This could lead to a loss of coolant in the reactor vessel.

Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant will eventually challenge the integrity of the fuel cladding, which is a fission product barrier. Two trains of the RHR System are required to be OPERABLE, and one train in operation, in order to prevent this challenge.

The RHR System satisfies Criterion 4 of 10 CFR 50.36(c) (2) (ii).

LCO In MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, both RHR loops must be OPERABLE.

Additionally, one loop of RHR must be in operation in order to provide:

a. Removal of decay heat; (continued)

North Anna Units 1 and 2 B 3.9.6-1 Revision 0, 04/02/02

RHR and Coolant Circulation-High Water Level B 3.9.5 BASES ACTIONS A.4, A.5, A.6.1, and A.6.2 (continued)

c. each penetration providing direct access from the containment atmosphere to the outside atmosphere must be either closed by a manual or automatic isolation valve, blind flange, or equivalent, or verified to be capable of being closed by an OPERABLE Containment Purge and Exhaust Isolation system.

With RHR loop requirements not met, the potential exists for the coolant to boil and release radioactive gas to the containment atmosphere. Performing the actions described above ensures that all containment penetrations are either closed or can be closed so that the dose limits are not exceeded.

The Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> allows fixing of most RHR problems and is reasonable, based on the low probability of the coolant boiling in that time.

SURVEILLANCE SR 3.9.5.1 REQUIREMENTS This Surveillance demonstrates that the RHR loop is in operation and circulating reactor coolant. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability and to prevent thermal and boron stratification in the core. The Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is sufficient, considering the flow, temperature, pump control, and alarm indications available to the operator in the control room for monitoring the RHR System.

REFERENCES 1. UFSAR, Section 5.5.4.

North Anna Units 1 and 2 B 3.9.5-4 Revision 0, 04/02/02

RHR and Coolant Circulation-High Water Level B 3.9.5 BASES ACTIONS RHR loop requirements are met by having one RHR loop OPERABLE and in operation, except as permitted in the Note to the LCO.

A.1 If RHR loop requirements are not met, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Suspending positive reactivity additions that could result in failure to meet the minimum boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for minimum refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation.

A.2 If RHR loop requirements are not met, actions shall be taken immediately to suspend loading of irradiated fuel assemblies in the core. With no forced circulation cooling, decay heat removal from the core occurs by natural convection to the heat sink provided by the water above the core. A minimum refueling water level of 23 ft above the reactor vessel flange provides an adequate available heat sink. Suspending any operation that would increase decay heat load, such as loading a fuel assembly, is a prudent action under this condition.

A.3 If RHR loop requirements are not met, actions shall be initiated and continued in order to satisfy RHR loop requirements. With the unit in MODE 6 and the refueling water level Ž 23 ft above the top of the reactor vessel flange, corrective actions shall be initiated immediately.

A.4, A.5, A.6.1, and A.6.2 If LCO 3.9.5 is not met, the following actions must be taken:

a. the equipment hatch or equipment hatch cover must be closed and secured with at least four bolts;
b. one door in each installed air lock must be closed; and (continued)

North Anna Units 1 and 2 B 3.9.5-3 Revision 0, 04/02/02

RHR and Coolant Circulation-High Water Level B 3.9.5 BASES LCO OPERABLE, because the volume of water above the reactor (continued) vessel flange provides backup decay heat removal capability.

At least one RHR loop must be OPERABLE and in operation to provide:

a. Removal of decay heat;
b. Mixing of borated coolant to minimize the possibility of criticality; and
c. Indication of reactor coolant temperature.

An OPERABLE RHR loop includes an RHR pump, a heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path and to determine the RHR discharge temperature. The flow path starts in one of the RCS hot legs and is returned to at least one of the RCS cold legs.

The LCO is modified by a Note that allows the required operating RHR loop to be removed from operation for up to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> per 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> period, provided no operations are permitted that would dilute the RCS boron concentration by introduction of coolant into the RCS with boron concentration less than required to meet the minimum boron concentration of LCO 3.9.1. Boron concentration reduction with coolant at boron concentrations less than required to assure the RCS boron concentration is maintained is prohibited because uniform concentration distribution cannot be ensured without forced circulation. This permits operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles and RCS to RHR isolation valve testing. During this 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> period, decay heat is removed by natural convection to the large mass of water in the refueling cavity.

APPLICABILITY One RHR loop must be OPERABLE and in operation in MODE 6, with the water level Ž 23 ft above the top of the reactor vessel flange, to provide decay heat removal. The 23 ft water level was selected because it corresponds to the 23 ft requirement established for fuel movement in LCO 3.9.7, "Refueling Cavity Water Level." Requirements for the RHR System in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR loop requirements in MODE 6 with the water level < 23 ft are located in LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level."

North Anna Units 1 and 2 B 3.9.5-2 Revision 0, 04/02/02

RHR and Coolant Circulation-High Water Level B 3.9.5 B 3.9 REFUELING OPERATIONS B 3.9.5 Residual Heat Removal (RHR) and Coolant Circulation-High Water Level BASES BACKGROUND The purpose of the RHR System in MODE 6 is to remove decay heat and sensible heat from the Reactor Coolant System (RCS) to provide mixing of borated coolant and to prevent boron stratification (Ref. 1). Heat is removed from the RCS by circulating reactor coolant through the RHR heat exchanger(s), where the heat is transferred to the Component Cooling Water System. The coolant is then returned to the RCS via the RCS cold leg(s). Operation of the RHR System for normal cooldown or decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlling the flow of reactor coolant through the RHR heat exchanger(s) and the bypass. Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant through the RHR System.

APPLICABLE If the reactor coolant temperature is not maintained below SAFETY ANALYSES 200'F, boiling of the reactor coolant could result. This could lead to a loss of coolant in the reactor vessel.

Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to boron plating out on components near the areas of the boiling activity. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. One train of the RHR System is required to be operational in MODE 6, with the water level

Ž 23 ft above the top of the reactor vessel flange, to prevent this challenge. The LCO does permit removal of the RHR loop from operation for short durations, under the condition that the boron concentration is not diluted. This conditional removal from operation of the RHR loop does not result in a challenge to the fission product barrier.

The RHR System satisfies Criterion 4 of 10 CFR 50.36(c) (2)(ii).

LCO Only one RHR loop is required for decay heat removal in MODE 6, with the water level Ž 23 ft above the top of the reactor vessel flange. Only one RHR loop is required to be (continued)

North Anna Units 1 and 2 B 3.9.5-1 Revision 0, 04/02/02

Intentionally Blank Containment Penetrations B 3.9.4 BASES SURVEILLANCE SR 3.9.4.1 (continued)

REQUIREMENTS closing. Also the Surveillance will demonstrate that each valve operator has motive power, which will ensure that each valve is capable of being manually closed.

The Surveillance is performed every 7 days during movement of recently irradiated fuel assemblies within containment.

The Surveillance interval is selected to be commensurate with the normal duration of time to complete fuel handling operations. A surveillance before the start of refueling operations will provide two or three surveillance verifications during the applicable period for this LCO. As such, this Surveillance ensures that a postulated fuel handling accident involving handling recently irradiated fuel that releases fission product radioactivity within the containment will not result in a release of significant fission product radioactivity to the environment in excess of those recommended by Standard Review Plan 15.7.4 (Ref. 2).

SR 3.9.4.2 This Surveillance demonstrates that each containment purge and exhaust valve actuates to its isolation position on manual initiation. The 18 month Frequency maintains consistency with other similar valve testing requirements.

This Surveillance performed during MODE 6 will ensure that the valves are capable of being closed after a postulated fuel handling accident involving handling recently irradiated fuel to limit a release of fission product radioactivity from the containment. The SR is modified by a Note stating that this Surveillance is not required to be met for valves in isolated penetrations. The LCO provides the option to close penetrations in lieu of requiring manual initiation capability.

REFERENCES 1. UFSAR, Section 15.4.7.

2. NUREG-0800, Rev. 2, July 1981.

North Anna Units 1 and 2 B 3.9.4-5 Revision 0, 04/02/02

Containment Penetrations B 3.9.4 BASES LCO accident occur inside containment, one personnel air lock (continued) door will be closed following an evacuation of the containment.

APPLICABILITY The containment penetration requirements are applicable during movement of recently irradiated fuel assemblies within containment because this is when there is a potential for the limiting fuel handling accident. In MODES 1, 2, 3, and 4, containment penetration requirements are addressed by LCO 3.6.1. In MODES 5 and 6, when movement of irradiated fuel assemblies within containment is not being conducted, the potential for a fuel handling accident does not exist.

Additionally, due to radioactive decay, a fuel handling accident involving handling recently irradiated fuel (i.e.,

fuel that has occupied part of a critical reactor core within a time frame established by analysis. The term recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time.) will result in doses that are well within the guideline values specified in 10 CFR 100 even without containment closure capability.

Therefore, under these conditions no requirements are placed on containment penetration status.

ACTIONS A.1 If the containment equipment hatch, air locks, or any containment penetration that provides direct access from the containment atmosphere to the outside atmosphere is not in the required status, including the Containment Purge and Exhaust Isolation System not capable of manual actuation when the purge and exhaust valves are open, the unit must be placed in a condition where the isolation function is not needed. This is accomplished by immediately suspending movement of recently irradiated fuel assemblies within containment. Performance of these actions shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE SR 3.9.4.1 REQUIREMENTS This Surveillance demonstrates that each of the containment penetrations required to be in its closed position is in that position. The Surveillance on the open purge and exhaust valves will demonstrate that the valves are not blocked from (continued)

North Anna Units 1 and 2 B 3.9.4-4 Revision 0, 04/02/02

Containment Penetrations B 3.9.4 BASES APPLICABLE (Ref. 1). Fuel handling accidents, analyzed in Reference 2, SAFETY ANALYSES involve dropping a single irradiated fuel assembly and (continued) handling tool. The requirements of LCO 3.9.7, "Refueling Cavity Water Level," in conjunction with a minimum decay time of 100 hours0.00116 days <br />0.0278 hours <br />1.653439e-4 weeks <br />3.805e-5 months <br /> prior to movement of recently irradiated fuel with containment closure capability or movement of fuel that has not been recently irradiated without containment closure capability ensures that the release of fission product radioactivity, subsequent to a fuel handling accident, results in doses that are well within the guideline values specified in 10 CFR 100. Standard Review Plan, Section 15.7.4, Rev. 1 (Ref. 2), defines "well within" 10 CFR 100 to be 25% or less of the 10 CFR 100 values. The acceptance limits for offsite radiation exposure will be 25%

of 10 CFR 100 values or the NRC staff approved licensing basis (e.g., a specified fraction of 10 CFR 100 limits).

Containment penetrations satisfy Criterion 3 of 10 CFR

50. 36(c) (2) (ii).

LCO This LCO limits the consequences of a fuel handling accident involving handling recently irradiated fuel in containment by limiting the potential escape paths for fission product radioactivity released within containment. The LCO requires any penetration providing direct access from the containment atmosphere to the outside atmosphere to be closed except for the OPERABLE containment purge and exhaust penetrations and containment personnel air locks. For the OPERABLE containment purge and exhaust penetrations, this LCO ensures that these penetrations are isolable by a containment purge and exhaust isolation valve.

The LCO is modified by a Note allowing penetration flow paths with direct access from the containment atmosphere to the outside atmosphere to be unisolated under administrative controls. Administrative controls ensure that 1) appropriate personnel are aware of the open status of the penetration flow path during movement of recently irradiated fuel assemblies within containment, and 2) specified individuals are designated and readily available to isolate the flow path in the event of a fuel handling accident.

The containment personnel air lock doors may be open during movement of recently irradiated fuel in the containment provided that one door is capable of being closed in the event of a fuel handling accident. Should a fuel handling (continued)

North Anna Units 1 and 2 B 3.9.4-3 Revision 0, 04/02/02

Containment Penetrations B 3.9.4 BASES BACKGROUND replaced by a temporary hatch plate. While the temporary (continued) hatch plate is installed, there is only one air lock by which to enter containment. The LCO only applies to containment air locks that are installed. Each air lock has a door at both ends. The doors are normally interlocked to prevent simultaneous opening when containment OPERABILITY is required. During periods of unit shutdown when containment closure is not required, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary. During movement of recently irradiated fuel assemblies within containment, containment closure is required; therefore, the door interlock mechanism may remain disabled, but one air lock door must always remain capable of being closed.

The requirements for containment penetration closure ensure that a release of fission product radioactivity within containment will be restricted to within regulatory limits.

The Containment Purge and Exhaust System includes a 36 inch purge penetration and a 36 inch exhaust penetration. During MODES 1, 2, 3, and 4, the two valves in each of the purge and exhaust flow paths are secured in the closed position. The Containment Purge and Exhaust System is not subject to a Specification in MODE 5.

In MODE 6, large air exchanges are necessary to conduct refueling operations. The 36 inch purge system is used for this purpose.

The containment penetrations that provide direct access from containment atmosphere to outside atmosphere must be isolated on at least one side. Isolation may be achieved by an OPERABLE automatic isolation valve, or by a manual isolation valve, blind flange, or equivalent. Equivalent isolation methods must be approved and may include use of a material that can provide a temporary, atmospheric pressure, ventilation barrier for the other containment penetrations during recently irradiated fuel movements.

APPLICABLE During movement of irradiated fuel assemblies within SAFETY ANALYSES containment, the most severe radiological consequences result from a fuel handling accident involving handling recently irradiated fuel. The fuel handling accident is a postulated event that involves damage to irradiated fuel (continued)

North Anna Units 1 and 2 B 3.9.4-2 Revision 0, 04/02/02

Containment Penetrations B 3.9.4 B 3.9 REFUELING OPERATIONS B 3.9.4 Containment Penetrations BASES BACKGROUND During movement of recently irradiated fuel assemblies within containment, a release of fission product radioactivity within containment will be restricted from escaping to the environment when the LCO requirements are met. In MODES 1, 2, 3, and 4, this is accomplished by maintaining containment OPERABLE as described in LCO 3.6.1, "Containment." In MODE 6, the potential for containment pressurization as a result of an accident is not likely; therefore, requirements to isolate the containment from the outside atmosphere can be less stringent. The LCO requirements are referred to as "containment closure" rather than "containment OPERABILITY." Containment closure means that all potential escape paths are closed or capable of being closed. Since there is no potential for containment pressurization, the Appendix J leakage criteria and tests are not required.

The containment serves to contain fission product radioactivity that may be released from the reactor core following an accident, such that offsite radiation exposures are maintained well within the requirements of 10 CFR 100.

Additionally, the containment provides radiation shielding from the fission products that may be present in the containment atmosphere following accident conditions.

The containment equipment hatch, which is part of the containment pressure boundary, provides a means for moving large equipment and components into and out of containment.

During movement of recently irradiated fuel assemblies within containment, the equipment hatch must be held in place by at least four bolts. Good engineering practice dictates that the bolts required by this LCO be approximately equally spaced.

The containment air locks, which are also part of the containment pressure boundary, provide a means for personnel access during MODES 1, 2, 3, and 4 unit operation in accordance with LCO 3.6.2, "Containment Air Locks." One of the containment air locks is an integral part of the containment equipment hatch. During refueling the air lock that is part of the containment equipment hatch is typically (continued)

North Anna Units 1 and 2 B 3.9.4-1 Revision 0, 04/02/02

Intentionally Blank Nuclear Instrumentation B 3.9.3 BASES ACTIONS B.2 (continued)

The Completion Time of once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is sufficient to obtain and analyze a reactor coolant sample for boron concentration and ensures that unplanned changes in boron concentration would be identified. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency is reasonable, considering the low probability of a change in core reactivity during this time period.

SURVEILLANCE SR 3.9.3.1 REQUIREMENTS SR 3.9.3.1 is the performance of a CHANNEL CHECK, which is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that the two indication channels should be consistent with core conditions. Changes in fuel loading and core geometry can result in significant differences between source range channels, but each channel should be consistent with its local conditions.

The Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is consistent with the CHANNEL CHECK Frequency specified similarly for the same instruments in LCO 3.3.1.

SR 3.9.3.2 SR 3.9.3.2 is the performance of a CHANNEL CALIBRATION every 18 months. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the source range neutron flux monitors consists of obtaining the detector plateau or preamp discriminator curves, evaluating those curves, and comparing the curves to the manufacturer's data. The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage. Operating experience has shown these components usually pass the Surveillance when performed at the 18 month Frequency.

REFERENCES 1. UFSAR, Chapter 3.

2. UFSAR, Chapter 15.

North Anna Units 1 and 2 B 3.9.3-3 Revision 0, 04/02/02

Nuclear Instrumentation B 3.9.3 BASES APPLICABILITY In MODE 6, the source range neutron flux monitors must be OPERABLE to determine changes in core reactivity. There are no other direct means available to check core reactivity levels. In MODES 2, 3, 4, and 5, these same installed source range detectors and circuitry are also required to be OPERABLE by LCO 3.3.1, "Reactor Trip System (RTS)

Instrumentation."

ACTIONS A.1 and A.2 With only one source range neutron flux monitor OPERABLE, redundancy has been lost. Since these instruments are the only direct means of monitoring core reactivity conditions, CORE ALTERATIONS and introduction of coolant into the RCS with boron concentration less than required to meet the minimum boron concentration of LCO 3.9.1 must be suspended immediately. Suspending positive reactivity additions that could result in failure to meet the minimum boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than that what would be required in the RCS for minimum refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operations. Performance of Required Action A.1 shall not preclude completion of movement of a component to a safe position.

B.1 With no source range neutron flux monitor OPERABLE, action to restore a monitor to OPERABLE status shall be initiated immediately. Once initiated, action shall be continued until a source range neutron flux monitor is restored to OPERABLE status.

B.2 With no source range neutron flux monitor OPERABLE, there are no direct means of detecting changes in core reactivity.

However, since CORE ALTERATIONS and positive reactivity additions are not to be made, the core reactivity condition is stabilized until the source range neutron flux monitors are OPERABLE. This stabilized condition is determined by performing SR 3.9.1.1 to ensure that the required boron concentration exists.

(continued)

North Anna Units 1 and 2 B 3.9.3-2 Revision 0, 04/02/02

Nuclear Instrumentation B 3.9.3 B 3.9 REFUELING OPERATIONS B 3.9.3 Nuclear Instrumentation BASES BACKGROUND The source range neutron flux monitors are used during refueling operations to monitor the core reactivity condition. The installed source range neutron flux monitors are part of the Nuclear Instrumentation System (NIS). These detectors are located external to the reactor vessel and detect neutrons leaking from the core.

The installed source range neutron flux monitors are BF3 detectors operating in the proportional region of the gas filled detector characteristic curve. The detectors monitor the neutron flux in counts per second. The instrument range covers six decades of neutron flux (1E+6 cps). The detectors also provide continuous visual indication and an audible alarm in the control room to alert operators to a possible dilution accident. The NIS is designed in accordance with the criteria presented in Reference 1.

APPLICABLE Two OPERABLE source range neutron flux monitors are required SAFETY ANALYSES to provide a signal to alert the operator to unexpected changes in core reactivity such as with a boron dilution accident (Ref. 2) or an improperly loaded fuel assembly. The need for a safety analysis for an uncontrolled boron dilution accident is eliminated by isolating all unborated water sources as required by LCO 3.9.2, "Primary Grade Water Flow Path Isolation Valves-MODE 6."

The source range neutron flux monitors satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO requires that two source range neutron flux monitors be OPERABLE to ensure that redundant monitoring capability is available to detect changes in core reactivity.

North Anna Units 1 and 2 B 3.9.3-1 Revision 0, 04/02/02

Intentionally Blank Primary Grade Water Flow Path Isolation Valves-MODE 6 B 3.9.2 BASES ACTIONS A.3 (continued)

Due to the potential of having diluted the boron concentration of the reactor coolant, SR 3.9.1.1 (verification of boron concentration) must be performed to demonstrate that the required boron concentration exists.

The Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is sufficient to obtain and analyze a reactor coolant sample for boron concentration.

SURVEILLANCE SR 3.9.2.1 REQUIREMENTS These valves are to be locked, sealed, or otherwise secured closed to isolate possible dilution paths. The likelihood of a significant reduction in the boron concentration during MODE 6 operations is remote due to the large mass of borated water in the refueling cavity and the fact that the primary grade water flow paths are isolated, precluding a dilution.

The boron concentration is checked every 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> during MODE 6 under SR 3.9.1.1. The Frequency is based on verifying that the isolation valves are locked, sealed, or otherwise secured within 15 minutes following a boron dilution or makeup activity. This Frequency is based on engineering judgment and is considered reasonable in view of other administrative controls that will ensure that the valve opening is an unlikely possibility.

REFERENCES 1. UFSAR, Section 15.2.4.

North Anna Units 1 and 2 B 3.9.2-3 Revision 0, 04/02/02

Primary Grade Water Flow Path Isolation Valves-MODE 6 B 3.9.2 BASES LCO The LCO is modified by a Note which allows the primary grade (continued) water flow path isolation valves to be opened under administrative control for planned boron dilution or makeup activities.

APPLICABILITY In MODE 6, this LCO is applicable to prevent an inadvertent boron dilution event by ensuring isolation of primary grade water flow paths to the RCS.

In MODES 3, 4, and 5, LCO 3.1.8, Primary Grade Water Flow Path Isolation Valves, requires the primary grade water flow paths to the RCS to be isolated to prevent an inadvertent boron dilution.

In MODES I and 2, the boron dilution accident was analyzed and was found to be capable of being mitigated.

ACTIONS A.1 Continuation of CORE ALTERATIONS is contingent upon maintaining the unit in compliance with this LCO. With any valve used to isolate primary grade water flow paths not locked, sealed or otherwise secured in the closed position, all operations involving CORE ALTERATIONS must be suspended immediately. The Completion Time of "immediately" for performance of Required Action A.1 shall not preclude completion of movement of a component to a safe position.

Condition A has been modified by a Note to require that Required Action A.3 be completed whenever Condition A is entered.

A.2 Preventing inadvertent dilution of the reactor coolant boron concentration is dependent on maintaining the primary grade water flow path isolation valves secured closed. Locking, sealing, or securing the valves in the closed position ensures that the valves cannot be inadvertently opened. The Completion Time of 15 minutes provides sufficient time to close, lock, seal, or otherwise secure the flow path isolation valve.

North Anna Units 1 and 2 B 3.9.2-2 Revision 0, 04/02/02

Primary Grade Water Flow Path Isolation Valves-MODE 6 B 3.9.2 B 3.9 REFUELING OPERATIONS B 3.9.2 Primary Grade Water Flow Path Isolation Valves-MODE 6 BASES BACKGROUND During MODE 6 operations, the isolation valves for primary grade water flow paths that are connected to the Reactor Coolant System (RCS) must be closed to prevent unplanned boron dilution of the reactor coolant. The isolation valves must be locked, sealed or otherwise secured in the closed position.

The Chemical and Volume Control System is capable of supplying borated and unborated water to the RCS through various flow paths. Since a positive reactivity addition made by uncontrolled reduction of the boron concentration is inappropriate during MODE 6, isolation of all primary grade water flow paths prevents an unplanned boron dilution.

APPLICABLE The possibility of an inadvertent boron dilution event SAFETY ANALYSES (Ref. 1) occurring during MODE 6 refueling operations is precluded by adherence to this LCO, which requires that primary grade water flow paths be isolated. Closing the required valves during refueling operations prevents the flow of unborated water to the filled portion of the RCS. The valves are used to isolate primary grade water flow paths.

These valves have the potential to indirectly allow dilution of the RCS boron concentration in MODE 6. By isolating primary grade water flow paths, a safety analysis for an uncontrolled boron dilution accident is not required for MODE 6.

The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36(c) (2) (ii).

LCO This LCO requires that flow paths to the RCS from primary grade water sources be isolated to prevent unplanned boron dilution during MODE 6 and thus avoid a reduction in SDM.

For Unit 1, primary grade water flow paths may be isolated from the RCS by closing valve 1-CH-217 or 1-CH-220, I-CH-241, FCV-1114B and FCV-1113B. For Unit 2, primary grade water flow paths may be isolated from the RCS by closing valve 2-CH-140, or 2-CH-160, 2-CH-156, FCV-2114B, and FCV-2113B.

(continued)

North Anna Units 1 and 2 B 3.9.2-1 Revision 0, 04/02/02

Boron Concentration B 3.9.1 BASES ACTIONS A.3 (continued)

Once actions have been initiated, they must be continued until the boron concentration is restored. The restoration time depends on the amount of boron that must be injected to reach the required concentration.

SURVEILLANCE SR 3.9.1.1 REQUIREMENTS This SR ensures that the coolant boron concentration in the RCS, and connected portions of the refueling canal and the refueling cavity, is within the COLR limits. The boron concentration of the coolant in each required volume is determined periodically by chemical analysis. Prior to re-connecting portions of the refueling canal or the refueling cavity to the RCS, this SR must be met per SR 3.0.1. If any dilution activity has occurred while the cavity or canal were disconnected from the RCS, this SR ensures the correct boron concentration prior to communication with the RCS.

A minimum Frequency of once every 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is a reasonable amount of time to verify the boron concentration of representative samples. The Frequency is based on operating experience, which has shown 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to be adequate.

REFERENCES 1. UFSAR, Section 3.1.22.

North Anna Units 1 and 2 B 3.9.1-4 Revision 0, 04/02/02

Boron Concentration B 3.9.1 BASES APPLICABILITY LCO 3.1.1, "SHUTDOWN MARGIN (SDM)" ensures that an adequate (continued) amount of negative reactivity is available to shut down the reactor and maintain it subcritical.

The applicability is modified by a Note. The Note states that the limits on boron concentration are only applicable to the refueling canal and refueling cavity when those volumes are connected to the RCS. When the refueling canal and refueling cavity are isolated from the RCS, no potential path for boron dilution exists.

ACTIONS A.1 and A.2 Continuation of CORE ALTERATIONS or positive reactivity additions (including actions to reduce boron concentration) is contingent upon maintaining the unit in compliance with the LCO. If the boron concentration of any coolant volume in the RCS, the refueling canal, or the refueling cavity is less than its limit, all operations involving CORE ALTERATIONS or positive reactivity additions must be suspended immediately.

Suspension of CORE ALTERATIONS and positive reactivity additions shall not preclude moving a component to a safe position. Operations that individually add limited positive reactivity (e.g., temperature fluctuations from inventory addition or temperature control fluctuations), but when combined with all other operations affecting core reactivity (e.g., intentional boration) result in overall net negative reactivity addition, are not precluded by this action.

A.3 In addition to immediately suspending CORE ALTERATIONS and positive reactivity additions, boration to restore the concentration must be initiated immediately.

In determining the required combination of boration flow rate and concentration, no unique Design Basis Event must be satisfied. The only requirement is to restore the boron concentration to its required value as soon as possible. In order to raise the boron concentration as soon as possible, the operator should begin boration with the best source available for unit conditions.

(continued)

North Anna Units 1 and 2 B 3.9.1-3 Revision 0, 04/02/02

Boron Concentration B 3.9.1 BASES BACKGROUND refueling (see LCO 3.9.5, "Residual Heat Removal (RHR) and (continued) Coolant Circulation-High Water Level," and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level") to provide forced circulation in the RCS and assist in maintaining the boron concentrations in the RCS, the refueling canal, and the refueling cavity above the COLR limit.

APPLICABLE During refueling operations, the reactivity condition of the SAFETY ANALYSES core is established to protect against inadvertent positive reactivity addition and is conservative for MODE 6. The boron concentration limit specified in the COLR is based on the core reactivity at the beginning of each fuel cycle (the end of refueling) and includes an uncertainty allowance.

The required boron concentration and the plant refueling procedures that verify the correct fuel loading plan (including full core mapping) ensure that the keff of the core will remain

  • 0.95 during the refueling operation.

Hence, at least a 5% Ak/k margin of safety is established during refueling.

During refueling, the water volume in the spent fuel pool, the transfer canal, the refueling canal, the refueling cavity, and the reactor vessel form a single mass. As a result, the soluble boron concentration is relatively the same in each of these volumes.

The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36(c) (2) (i i).

LCO The LCO requires that a minimum boron concentration be maintained in the RCS, the refueling canal, and the refueling cavity while in MODE 6. The boron concentration limit specified in the COLR ensures that a core keff of

  • 0.95 is maintained during fuel handling operations.

Violation of the LCO could lead to an inadvertent criticality during MODE 6.

APPLICABILITY This LCO is applicable in MODE 6 to ensure that the fuel in the reactor vessel will remain subcritical. The required boron concentration ensures a keff

  • 0.95. Above MODE 6, (continued)

North Anna Units 1 and 2 B 3.9. 1-2 Revision 0, 04/02/02

Boron Concentration B 3.9.1 B 3.9 REFUELING OPERATIONS B 3.9.1 Boron Concentration BASES BACKGROUND The limit on the boron concentrations of the Reactor Coolant System (RCS), the refueling canal, and the refueling cavity during refueling ensures that the reactor remains subcritical during MODE 6. Refueling boron concentration is the soluble boron concentration in the coolant in each of these volumes having direct access to the reactor core during refueling.

The soluble boron concentration offsets the core reactivity and is measured by chemical analysis of a representative sample of the coolant in each of the volumes. The refueling boron concentration limit is specified in the COLR. Plant procedures ensure the specified boron concentration in order to maintain an overall core reactivity of keff

  • 0.95 during fuel handling, with control rods and fuel assemblies assumed to be in the most adverse configuration (least negative reactivity) allowed by plant procedures.

GDC 26 requires that two independent reactivity control systems of different design principles be provided (Ref. 1).

One of these systems must be capable of holding the reactor core subcritical under cold conditions. The Chemical and Volume Control System (CVCS) is the system capable of maintaining the reactor subcritical in cold conditions by maintaining the boron concentration.

The reactor is brought to shutdown conditions before beginning operations to open the reactor vessel for refueling. After the RCS is cooled and depressurized and the vessel head is unbolted, the head is slowly removed to form the refueling cavity. The refueling canal and the refueling cavity are then flooded with borated water from the Refueling Water Storage Tank through the open reactor vessel by gravity feeding or by the use of the Low Head Safety Injection System pumps.

The pumping action of the Residual Heat Removal (RHR) System in the RCS and the natural circulation due to thermal driving heads in the reactor vessel and refueling cavity mix the added concentrated boric acid with the water in the refueling canal. The RHR System is in operation during (continued)

North Anna Units 1 and 2 B 3.9.1i-1 Revision 0, 04/02/02

Distribution Systems-Shutdown B 3.8.10 BASES ACTIONS A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 (continued)

Notwithstanding performance of the above conservative Required Actions, a required residual heat removal (RHR) subsystem may be inoperable. In this case, Required Actions A.2.1 through A.2.4 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the RHR ACTIONS would not be entered.

Therefore, Required Action A.2.5 is provided to direct declaring RHR inoperable, which results in taking the appropriate RHR actions.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required distribution subsystems should be completed as quickly as possible in order to minimize the time the unit safety systems may be without power.

SURVEILLANCE SR 3.8.10.1 REQUIREMENTS This Surveillance verifies that the required AC, DC, and AC vital bus electrical power distribution subsystems are functioning properly, with all the buses energized. The verification of proper voltage availability on the buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. The 7 day Frequency takes into account the capability of the electrical power distribution subsystems, and other indications available in the control room that alert the operator to subsystem malfunctions.

REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 15.

North Anna Units 1 and 2 B 3.8.10-4 Revision 0, 04/02/02

Distribution Systems-Shutdown B 3.8.10 BASES APPLICABILITY The AC, DC, and AC vital bus electrical power distribution (continued) subsystems requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.9.

ACTIONS A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 Although redundant required features may require redundant trains of electrical power distribution subsystems to be OPERABLE, one OPERABLE distribution subsystem train may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and recently irradiated fuel movement. By allowing the option to declare required features associated with an inoperable distribution subsystem inoperable, appropriate restrictions are implemented in accordance with the affected distribution subsystem LCO's Required Actions. In many instances, this option may involve undesired administrative efforts.

Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of recently irradiated fuel assemblies, and operations involving positive reactivity additions) that could result in loss of required SDM (MODE 5) or boron concentration (MODE 6). Suspending positive reactivity additions that could result in failure to meet the minimum SDM or boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.

Suspension of these activities does not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC and DC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the unit safety systems.

(continued)

North Anna Units I and 2 B 3.8. 10-3 Revision 0, 04/02/02

Distribution Systems-Shutdown B 3.8.10 BASES APPLICABLE The AC and DC electrical power distribution systems satisfy SAFETY ANALYSES Criterion 3 of 10 CFR 50.36(c)(2)(ii).

(continued)

LCO Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific unit condition. Implicit in those requirements is the required OPERABILITY of necessary support required features. This LCO explicitly requires energization of the portions of the electrical distribution system necessary to support OPERABILITY of required systems, equipment, and components-all specifically addressed in each LCO and implicitly required via the definition of OPERABILITY.

Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the unit in a safe manner to mitigate the consequences of postulated events during shutdown (e.g.,

fuel handling accidents involving handling recently irradiated fuel).

APPLICABILITY The AC and DC electrical power distribution subsystems required to be OPERABLE in MODES 5 and 6, and during movement of recently irradiated fuel assemblies, provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core;
b. Systems needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical core within a time frame established by analysis. The term recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time frame.) are available;
c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition and refueling condition.

North Anna Units 1 and 2 B 3.8. 10-2 Revision 0, 04/02/02

Distribution Systems-Shutdown B 3.8.10 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.10 Distribution Systems-Shutdown BASES BACKGROUND A description of the AC, DC, and AC vital bus electrical power distribution systems is provided in the Bases for LCO 3.8.9, "Distribution Systems-Operating."

APPLICABLE The initial conditions of Design Basis Accident and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature (ESF) systems are OPERABLE. The AC, DC, and AC vital bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

The OPERABILITY of the AC, DC, and AC vital bus electrical power distribution system is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum AC, DC, and AC vital bus electrical power distribution subsystems during MODES 5 and 6, and during movement of recently irradiated fuel assemblies ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate power is provided to mitigate events postulated during shutdown, such as a fuel handling accident involving handling recently irradiated fuel. Due to radioactive decay, the AC and DC electrical power is only required to mitigate fuel handling accidents involving handling recently irradiated fuel. (i.e., fuel that has occupied part of a critical core within a time frame established by analysis. The term recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time frame.)

North Anna Units 1 and 2 B 3.8. 10-1 Revision 0, 04/02/02

Intentionally Blank Distribution Systems-Operating B 3.8.9 Table B 3.8.9-1 (page 1 of 1)

AC and DC Electrical Power Distribution Systems TRAIN H* TRAIN J*

TYPE VOLTAGE Unit 1 Unit 2 Unit 1 Unit 2 AC emergency 4160 V ESF Bus ESF Bus buses 1H 2H 1J 2J 480 V Load Centers Load Centers 1H 2H i 2J IHI 2H1 I1l 2J1 DC buses 125 V Bus 1-I 2-1 Bus 1-III 2-111 Bus 1-II 2-11 Bus 1-IV 2-1V AC vital 120 V Bus 1-1 2-1 Bus 1-3 2-3 buses Bus 1-2 2-2 Bus 1-4 2-4

  • Each train of the AC and DC electrical power distribution systems is a subsystem.

North Anna Units 1 and 2 B 3.8.9-11 Revision 0, 04/02/02

Distribution Systems-Operating B 3.8.9 BASES SURVEILLANCE SR 3.8.9.1 (continued)

REQUIREMENTS alignment. The correct breaker alignment ensures the appropriate separation and independence of the electrical divisions is maintained, and the appropriate voltage is available to each required bus. The verification of proper voltage availability on the buses ensures that the required voltage is readily available for motive as well as control functions for critical system loads connected to these buses. The 7 day Frequency takes into account the redundant capability of the AC, DC, and AC vital bus electrical power distribution subsystems, and other indications available in the control room that alert the operator to subsystem malfunctions.

REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 15.
3. Regulatory Guide 1.93, December 1974.

North Anna Units 1 and 2 B 3.8.9-10 Revision 0, 04/02/02

Distribution Systems-Operating B 3.8.9 BASES ACTIONS D.1 (continued)

Emergency Ventilation System," and LCO 3.7.12, "Emergency Core Cooling System Pump Room Exhaust Air Cleanup System,"

are followed.

E.1 With one or more required LCO 3.8.9.b DC electrical power distribution subsystem(s) inoperable, the shared component(s) on the other unit is not capable of operating.

In this condition, the associated shared component is declared inoperable immediately. SW, MCR/ESGR EVS, and Auxiliary Building central exhaust system are shared systems. The associated Conditions or Required Actions of LCO 3.7.8, 3.7.10, and 3.7.12 are followed.

F.1 and F.2 If the inoperable LCO 3.8.9.a distribution subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

G.1 Condition G corresponds to a level of degradation in the electrical power distribution system that causes a required safety function to be lost. When more than one inoperable LCO 3.8.9.a electrical power distribution subsystem results in the loss of a required function, the unit is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation.

LCO 3.0.3 must be entered immediately to commence a controlled shutdown.

SURVEILLANCE SR 3.8.9.1 REQUIREMENTS This Surveillance verifies that the required AC, DC, and AC vital bus electrical power distribution systems are functioning properly, with the correct circuit breaker (continued)

North Anna Units 1 and 2 B 3.8.9-9 Revision 0, 04/02/02

Distribution Systems-Operating B 3.8.9 BASES ACTIONS C.1 (continued)

b. The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without DC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train; and
c. The potential for an event in conjunction with a single failure of a redundant component.

The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Completion Time for DC buses is consistent with Regulatory Guide 1.93 (Ref. 3).

The second Completion Time for Required Action C.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition C is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. This could lead to a total of 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />, since initial failure of the LCO, to restore the DC distribution system. At this time, an AC train could again become inoperable, and DC distribution restored OPERABLE. This could continue indefinitely.

This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition C was entered. The 16 hour1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

D.1 With one or more required LCO 3.8.9.b AC electrical power distribution subsystem(s) inoperable, the shared component(s) on the other unit is not capable of operating.

In this condition, the associated shared component is declared inoperable immediately. SW, MCR/ESGR EVS, and Auxiliary Building central exhaust system are shared systems. The associated Conditions or Required Actions of LCO 3.7.8, "Service Water System," LCO 3.7.10, "MCR/ESGR (continued)

North Anna Units 1 and 2 B 3.8.9-8 Revision 0, 04/02/02

Distribution Systems-Operating B 3.8.9 BASES ACTIONS B.1 (continued)

This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition B was entered. The 16 hour1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

C.1 With one or more LCO 3.8.9.a DC buses inoperable and a loss of function has not yet occurred, the remaining DC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystem could result in the minimum required ESF functions not being supported. Therefore, the DC bus(es) must be restored to OPERABLE status within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> by powering the bus(es) from the associated battery or charger.

Condition C represents one or more DC buses without adequate DC power; potentially both with the battery significantly degraded and the associated charger nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all DC power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining trains and restoring power to the affected train.

This 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> limit is more conservative than Completion Times allowed for the vast majority of components that would be without power. Taking exception to LCO 3.0.2 for components without adequate DC power, which would have Required Action Completion Times shorter than 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, is acceptable because of:

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) while allowing stable operations to continue; (continued)

North Anna Units 1 and 2 B 3.8.9-7 Revision 0, 04/02/02

Distribution Systems-Operating B 3.8.9 BASES ACTIONS B.1 (continued) the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining vital buses and restoring power to the affected vital bus.

This 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> limit is more conservative than Completion Times allowed for the vast majority of components that are without adequate vital AC power. Taking exception to LCO 3.0.2 for components without adequate vital AC power, that would have the Required Action Completion Times shorter than 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> if declared inoperable, is acceptable because of:

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not allowing stable operations to continue;
b. The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without adequate vital AC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train; and
c. The potential for an event in conjunction with a single failure of a redundant component.

The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Completion Time takes into account the importance to safety of restoring the AC vital bus to OPERABLE status, the redundant capability afforded by the other OPERABLE vital buses, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.1 establishes a limit on the maximum allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. This could lead to a total of 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />, since initial failure of the LCO, to restore the vital bus distribution system. At this time, an AC train could again become inoperable, and vital bus distribution restored OPERABLE. This could continue indefinitely.

(continued)

North Anna Units 1 and 2 B 3.8.9-6 Revision 0, 04/02/02

Distribution Systems-Operating B 3.8.9 BASES ACTIONS A.1 (continued) 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. This could lead to a total of 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />, since initial failure of the LCO, to restore the AC distribution system. At this time, a DC circuit could again become inoperable, and AC distribution restored OPERABLE. This could continue indefinitely.

The Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition A was entered. The 16 hour1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

Required Action A.1 is modified by a Note that requires the applicable Conditions and Required Actions of LCO 3.8.4, "DC Sources-Operating," to be entered for DC train(s) made inoperable power distribution subsystem(s). This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components. Inoperability of a distribution system can result in loss of charging power to batteries and eventual loss of DC power. This Note ensures that appropriate attention is given to restoring charging power to batteries, if necessary, after loss of distribution systems.

B.1 With one or more LCO 3.8.9.a AC vital buses inoperable and a loss of function has not yet occurred, the remaining OPERABLE AC vital buses are capable of supporting the minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition. Overall reliability is reduced, however, since an additional single failure could result in the minimum required ESF functions not being supported. Therefore, the required AC vital bus must be restored to OPERABLE status within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> by powering the bus from the associated inverter via inverted DC, or constant voltage transformer.

Condition B represents one or more AC vital buses without power; potentially both the DC source and the associated AC source are nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all noninterruptible power. It is, therefore, imperative that (continued)

North Anna Units 1 and 2 B 3.8.9-5 Revision 0, 04/02/02

Distribution Systems-Operating B 3.8.9 BASES APPLICABILITY Electrical power distribution subsystem requirements for (continued) MODES 5 and 6 are covered in the Bases for LCO 3.8.10, "Distribution Systems-Shutdown."

ACTIONS A.1 With one or more LCO 3.8.9.a AC electrical power distribution subsystem(s) inoperable, the minimum safety functions can still be accomplished, assuming no single failure, as long as one set of redundant required equipment (AC buses and load centers) supporting each safety function remains energized to their proper voltages. Redundant required equipment is listed in Table B 3.8.9-1. The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystems could result in the minimum required ESF functions not being supported.

Therefore, the required AC buses and load centers must be restored to OPERABLE status within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.

Condition A worst scenario is one train without AC power (i.e., no offsite power to the train and the associated EDG inoperable). In this Condition, the unit is more vulnerable to a complete loss of AC power. It is, therefore, imperative that the unit operator's attention be focused on minimizing the potential for loss of power to the remaining train by stabilizing the unit, and on restoring power to the affected train. The 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> time limit before requiring a unit shutdown in this Condition is acceptable because of:

a. The potential for decreased safety if the unit operator's attention is diverted from the evaluations and actions necessary to restore power to the affected train, to the actions associated with taking the unit to shutdown within this time limit; and
b. The potential for an event in conjunction with a single failure of a redundant component in the train with AC power.

The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DC bus is inoperable and subsequently restored OPERABLE, the LCO may already have been not met for up to (continued)

North Anna Units 1 and 2 B 3.8.9-4 Revision 0, 04/02/02

Distribution Systems-Operating B 3.8.9 BASES LCO anticipated operational occurrence (AOO) or a postulated (continued) DBA. The AC, DC, and AC vital bus electrical power distribution subsystems are required to be OPERABLE.

Maintaining the Train H and Train J AC, DC, and AC vital bus electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of ESF is not defeated. Therefore, a single failure within any system or within the electrical power distribution subsystems will not prevent safe shutdown of the reactor.

OPERABLE AC electrical power distribution subsystems require the associated buses and load centers to be energized to their proper voltages. OPERABLE DC electrical power distribution subsystems require the associated buses to be energized to their proper voltage from either the associated battery or charger. OPERABLE vital bus electrical power distribution subsystems require the associated buses to be energized to their proper voltage from the associated inverter via inverted DC voltage, or constant voltage transformer.

In addition, tie breakers between redundant safety related AC, DC, and AC vital bus power distribution subsystems, if they exist, must be open. This prevents any electrical malfunction in any power distribution subsystem from propagating to the redundant subsystem, that could cause the failure of a redundant subsystem and a loss of essential safety function(s). If any tie breakers are closed, the affected redundant electrical power distribution subsystems are considered inoperable. This applies to the onsite, safety related redundant electrical power distribution subsystems. It does not, however, preclude redundant Class 1E 4.16 kV buses from being powered from the same offsite circuit.

APPLICABILITY The electrical power distribution subsystems are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

(continued)

North Anna Units 1 and 2 B 3.8.9-3 Revision 0, 04/02/02

Distribution Systems-Operating B 3.8.9 BASES BACKGROUND For the other unit, one AC and DC bus on that unit is needed (continued) to support operation of each required Service Water (SW) pump, Main Control Room (MCR)/Emergency Switchgear Room (ESGR) Emergency Ventilation System (EVS) fan, and Auxiliary Building central exhaust fan. SW, MCR/ESGR EVS, and Auxiliary Building central exhaust system are shared systems.

The list of all required distribution buses is presented in Table B 3.8.9-1.

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 6 (Ref. 1), and in the UFSAR, Chapter 15 (Ref. 2), assume ESF systems are OPERABLE. The AC, DC, and AC vital bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the AC, DC, and AC vital bus electrical power distribution systems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining power distribution systems OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC electrical power; and
b. A worst case single failure.

The distribution systems satisfy Criterion 3 of 10 CFR 50.36(c) (2) (ii).

LCO The required power distribution subsystems listed in Table B 3.8.9-1 ensure the availability of AC, DC, and AC vital bus electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an (continued)

North Anna Units 1 and 2 B 3.8.9-2 Revision 0, 04/02/02

Distribution Systems-Operating B 3.8.9 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.9 Distribution Systems-Operating BASES BACKGROUND The onsite Class 1E AC, DC, and AC vital bus electrical power distribution systems are divided by train into two redundant and independent AC, DC, and AC vital bus electrical power distribution subsystems.

The AC electrical power subsystem for each train consists of a primary Engineered Safety Feature (ESF) 4.16 kV bus and secondary 480 V buses and load centers. Each 4.16 kV ESF bus has at least one separate and independent offsite source of power as well as a dedicated onsite emergency diesel generator (EDG) source. Unit 1 has a normal offsite source and an alternate offsite source. Transfer to the alternate offsite source is a manual operation. Unit 2 has a normal offsite source, and no alternate source. In the event of a loss of offsite power, the EDGs for the affected buses will start and load. The EDGs for Unit 1 will continue to run until (a) the safety bus is transferred to the alternate offsite source, or (b) the normal offsite source is restored. The Unit 2 EDGs will continue to run until the normal offside source is restored. If offsite sources are unavailable, the onsite EDG supplies power to the 4.16 kV ESF bus. Control power for the 4.16 kV breakers is supplied from the Class 1E batteries. Additional description of this system may be found in the Bases for LCO 3.8.1, "AC Sources-Operating," and the Bases for LCO 3.8.4, "DC Sources-Operating."

The secondary AC electrical power distribution subsystem for each train includes the safety related buses and load centers shown in Table B 3.8.9-1.

The 120 VAC vital buses are arranged in two load groups per train and are normally powered from the inverters. The alternate power supply for the vital buses are constant voltage source transformers powered from the same train as the associated inverter, and its use is governed by LCO 3.8.7, "Inverters-Operating." Each constant voltage source transformer is powered from a Class 1E AC bus.

There are two independent 125 VDC electrical power distribution subsystems for each train.

(continued)

North Anna Units 1 and 2 B 3.8.9-1 Revision 0, 04/02/02

Inverters-Shutdown B 3.8.8 BASES SURVEILLANCE SR 3.8.8.1 REQUIREMENTS This Surveillance verifies that the inverters are functioning properly with all required circuit breakers closed and AC vital buses energized from the inverter. The verification of proper voltage output ensures that the required power is readily available for the instrumentation connected to the AC vital buses. The 7 day Frequency takes into account the redundant capability of the inverters and other indications available in the control room that alert the operator to inverter malfunctions.

REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 15.

North Anna Units 1 and 2 B 3.8.8-4 Revision 0, 04/02/02

Inverters-Shutdown B 3.8.8 BASES ACTIONS A.1, A.2.1, A.2.2, A.2.3, and A.2.4 The required OPERABLE Inverters are capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, recently irradiated fuel movement, and operations with a potential for positive reactivity additions. By the allowance of the option to declare required features inoperable with the associated inverter(s) inoperable, appropriate restrictions will be implemented in accordance with the affected required features LCOs' Required Actions. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of recently irradiated fuel assemblies, and operations involving positive reactivity additions) that could result in loss of required SDM (MODE 5) or boron concentration (MODE 6). Suspending positive reactivity additions that could result in failure to meet the minimum SDM or boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required inverters and to continue this action until restoration is accomplished in order to provide the necessary inverter power to the unit safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required inverters should be completed as quickly as possible in order to minimize the time the unit safety systems may be without power or powered from a constant voltage source transformer.

North Anna Units 1 and 2 B 3.8.8-3 Revision 0, 04/02/02

Inverters-Shutdown B 3.8.8 BASES APPLICABLE The inverters were previously identified as part of the SAFETY ANALYSES distribution system and, as such, satisfy Criterion 3 of (continued) 10 CFR 50.36(c) (2) (ii).

LCO The required inverter(s) ensure the availability of electrical power for the instrumentation for systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA. The battery powered inverters provide uninterruptible supply of AC electrical power to the AC vital buses even if the 4.16 kV safety buses are de-energized. OPERABILITY of the inverters requires that the AC vital bus be powered by the inverter. This ensures the availability of sufficient inverter power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents involving handling recently irradiated fuel).

APPLICABILITY The inverters required to be OPERABLE in MODES 5 and 6 and during movement of recently irradiated fuel assemblies provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core;
b. Systems needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical core within a time frame established by analysis. The term recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time frame.) are available;
c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

Inverter requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.7.

North Anna Units 1 and 2 B 3.8.8-2 Revision 0, 04/02/02

I nverters-Shutdown B 3.8.8 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.8 Inverters-Shutdown BASES BACKGROUND A description of the inverters is provided in the Bases for LCO 3.8.7, "Inverters-Operating."

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature systems are OPERABLE. The DC to AC inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the Reactor Trip System and Engineered Safety Features Actuation System instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum inverters to each AC vital bus during MODES 5 and 6 ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate power is available to mitigate events postulated during shutdown, such as a fuel handling accident involving handling recently irradiated fuel. Due to radioactive decay, the inverter(s) are only required to mitigate fuel handling accidents involving handling recently irradiated fuel. (i.e., fuel that has occupied part of a critical core within a time frame established by analysis. The term recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time frame.)

North Anna Units 1 and 2 B 3.8.8-1 Revision 0, 04/02/02

Inverters-Operati ng B 3.8.7 BASES ACTIONS B.1 and B.2 (continued) least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.8.7.1 REQUIREMENTS This Surveillance verifies that the inverters are functioning properly with all required circuit breakers closed and AC vital buses energized from the inverter. The verification of proper voltage output ensures that the required power is readily available for the instrumentation of the RTS and ESFAS connected to the AC vital buses. The 7 day Frequency takes into account the redundant capability of the inverters and other indications available in the control room that alert the operator to inverter malfunctions.

REFERENCES 1. UFSAR, Chapter 8.

2. UFSAR, Chapter 6.
3. UFSAR, Chapter 15.

North Anna Units 1 and 2 B 3.8.7-4 Revision 0, 04/02/02

Inverters-Operating B 3.8.7 BASES APPLICABILITY The inverters are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

Inverter requirements for MODES 5 and 6 are covered in the Bases for LCO 3.8.8, "Inverters-Shutdown."

ACTIONS A.1 With a required inverter inoperable, its associated AC vital bus becomes inoperable until it is re-energized from its constant voltage source transformer.

For this reason a Note has been included in Condition A requiring the entry into the Conditions and Required Actions of LCO 3.8.9, "Distribution Systems-Operating." This ensures that the vital bus is re-energized within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

Required Action A.1 allows 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to fix the inoperable inverter and return it to service. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> limit is based upon engineering judgment, taking into consideration the time required to repair an inverter and the additional risk to which the unit is exposed because of the inverter inoperability. This has to be balanced against the risk of an immediate shutdown, along with the potential challenges to safety systems such a shutdown might entail. When the AC vital bus is powered from its constant voltage source, it is relying upon interruptible AC electrical power sources (offsite and onsite). The uninterruptible inverter source to the AC vital buses is the preferred source for powering instrumentation trip setpoint devices.

B.1 and B.2 If the inoperable devices or components cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at (continued)

North Anna Units 1 and 2 B 3.8.7-3 Revision 0, 04/02/02

Inverters-Operating B 3.8.7 BASES LCO The inverters ensure the availability of AC electrical power for the systems instrumentation required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA.

Maintaining the required inverters OPERABLE ensures that the redundancy incorporated into the design of the RPS and ESFAS instrumentation and controls is maintained. The four inverters (two per train) ensure an uninterruptible supply of AC electrical power to the AC vital buses even if the 4.16 kV safety buses are de-energized.

OPERABLE inverters require the associated vital bus to be powered by the inverter with output voltage within tolerances, and power input to the inverter from a 125 VDC station battery. Alternatively, power supply may be from a battery charger as long as the station battery is available as the uninterruptible power supply.

This LCO is modified by a Note that allows one inverter to be disconnected from its associated battery for : 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, if the vital bus is powered from a constant voltage transformer and all other inverters are OPERABLE. This allows an equalizing charge to be placed on the associated battery. If the inverters were not disconnected, the resulting voltage condition might damage the inverters. These provisions minimize the loss of equipment that would occur in the event of a loss of offsite power. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> time period for the allowance minimizes the time during which a loss of offsite power could result in the loss of equipment energized from the affected AC vital bus while taking into consideration the time required to perform an equalizing charge on the battery bank.

The intent of this Note is to limit the number of inverters that may be disconnected. Only those inverters associated with the single battery undergoing an equalizing charge may be disconnected. All other inverters must be aligned to their associated batteries, regardless of the number of inverters or unit design.

North Anna Units 1 and 2 B 3.8.7-2 Revision 0, 04/02/02

Inverters-Operati ng B 3.8.7 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.7 Inverters-Operating BASES BACKGROUND The inverters are the preferred source of power for the AC vital buses because of the stability and reliability they achieve. The function of the inverter is to provide AC electrical power to the vital buses. The inverters can be powered from a battery charger or from the station battery.

The station battery provides an uninterruptible power source for the instrumentation and controls for the Reactor Trip System (RTS) and the Engineered Safety Feature Actuation System (ESFAS). Specific details on inverters and their operating characteristics are found in the UFSAR, Chapter 8 (Ref. 1).

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 6 (Ref. 2) and Chapter 15 (Ref. 3), assume Engineered Safety Feature systems are OPERABLE. The inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the RTS and ESFAS instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and is based on meeting the design basis of the unit. This includes maintaining required AC vital buses OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite AC electrical power or all onsite AC electrical power; and
b. A worst case single failure.

Inverters are a part of the distribution system and, as such, satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

North Anna Units 1 and 2 B 3.8.7-1 Revision 0, 04/02/02

Intentionally Blank Battery Cell Parameters B 3.8.6 BASES REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 15.
3. IEEE-450-1980.

North Anna Units 1 and 2 B 3.8.6-7 Revision 0, 04/02/02

Battery Cell Parameters B 3.8.6 BASES SURVEILLANCE Table 3.8.6-1 (continued)

REQUIREMENTS The Category C limits specified for electrolyte level (above the top of the plates and not overflowing) ensure that the plates suffer no physical damage and maintain adequate electron transfer capability. The Category C limits for float voltage is based on IEEE-450 (Ref. 3), which states that a cell voltage of 2.07 V or below, under float conditions and not caused by elevated temperature of the cell, indicates internal cell problems and may require cell replacement.

The Category C limit of average specific gravity Ž 1.195 is based on manufacturer recommendations (0.020 below the manufacturer recommended fully charged, nominal specific gravity). In addition to that limit, it is required that the specific gravity for each connected cell must be no less than 0.020 below the average of all connected cells. This limit ensures that the effect of a highly charged or new cell does not mask overall degradation of the battery.

The footnotes to Table 3.8.6-1 are applicable to Category A, B, and C specific gravity. Footnote (b) to Table 3.8.6-1 requires the above mentioned correction for electrolyte level and temperature, with the exception that level correction is not required when Station battery charging current is < 2 amps on float charge. This current provides, in general, an indication of overall battery condition.

Because of specific gravity gradients that are produced during the recharging process, delays of several days may occur while waiting for the specific gravity to stabilize. A stabilized charger current is an acceptable alternative to specific gravity measurement for determining the state of charge. This phenomenon is discussed in IEEE-450 (Ref. 3).

Footnote (c) to Table 3.8.6-1 allows the float charge current to be used as an alternate to specific gravity for up to 7 days following a Station battery recharge. Within 7 days, each connected cell's specific gravity must be measured to confirm the state of charge. Following a minor battery recharge (such as equalizing charge that does not follow a deep discharge) specific gravity gradients are not significant, and confirming measurements may be made in less than 7 days.

North Anna Units I and 2 B 3.8.6-6 Revision 0, 04/02/02

Battery Cell Parameters B 3.8.6 BASES SURVEILLANCE Table 3.8.6-1 (continued)

REQUIREMENTS The Category A limit specified for float voltage is Ž 2.13 V per cell. This value is based on the recommendations of IEEE-450 (Ref. 3), which states that prolonged operation of cells < 2.13 V can reduce the life expectancy of cells.

The Category A limit specified for specific gravity for each pilot cell is Ž 1.200 (0.015 below the manufacturer fully charged nominal specific gravity or a battery charging current that had stabilized at a low value). This value is characteristic of a charged cell with adequate capacity.

According to IEEE-450 (Ref. 3), the specific gravity readings are based on a temperature of 770 F (25 0 C).

The specific gravity readings are corrected for actual electrolyte temperature and level. For each 3°F (1.67°C) above 77°F (25°C), 1 point (0.001) is added to the reading; 1 point is subtracted for each 3°F below 770 F. The specific gravity of the electrolyte in a cell increases with a loss of water due to electrolysis or evaporation.

Category B defines the normal parameter limits for each connected cell. The term "connected cell" excludes any battery cell that may be jumpered out.

The Category B limits specified for electrolyte level and float voltage are the same as those specified for Category A and have been discussed above. The Category B limit specified for specific gravity for each connected cell is

Ž 1.195 (0.020 below the manufacturer fully charged, nominal specific gravity) with the average of all connected cells

> 1.205 (0.010 below the manufacturer fully charged, nominal specific gravity). These values are based on manufacturer's recommendations. The minimum specific gravity value required for each cell ensures that the effects of a highly charged or newly installed cell will not mask overall degradation of the battery.

Category C defines the limits for each connected cell. These values, although reduced, provide assurance that sufficient capacity exists to perform the intended function and maintain a margin of safety. When any battery parameter is outside the Category C limits, the assurance of sufficient capacity described above no longer exists, and the battery must be declared inoperable.

(continued)

North Anna Units 1 and 2 B 3.8.6-5 Revision 0, 04/02/02

Battery Cell Parameters B 3.8.6 BASES SURVEILLANCE SR 3.8.6.2 (continued)

REQUIREMENTS consistent with IEEE-450 (Ref. 3), which recommends special inspections following a severe discharge or overcharge, to ensure that no significant degradation of the battery occurs as a consequence of such discharge or overcharge.

SR 3.8.6.3 This Surveillance verification that the average temperature of representative cells of the Station batteries is > 60 0 F, is consistent with a recommendation of IEEE-450 (Ref. 3),

that states that the temperature of electrolytes in representative cells should be determined on a quarterly basis.

Lower than normal temperatures act to inhibit or reduce battery capacity. This SR ensures that the operating temperatures remain within an acceptable operating range.

This limit is based on manufacturer recommendations.

Table 3.8.6-1 This table delineates the limits on electrolyte level, float voltage, and specific gravity for three different categories. The meaning of each category is discussed below.

Category A defines the normal parameter limit for each designated pilot cell in each battery. The cells selected as pilot cells are those whose level, voltage, and electrolyte specific gravity approximate the state of charge of the entire battery.

The Category A limits specified for electrolyte level are based on manufacturer recommendations and are consistent with the guidance in IEEE-450 (Ref. 3), with the extra

, inch allowance above the high water level indication for operating margin to account for temperatures and charge effects. In addition to this allowance, footnote a to Table 3.8.6-1 permits the electrolyte level to be above the specified maximum level during equalizing charge, provided it is not overflowing. These limits ensure that the plates suffer no physical damage, and that adequate electron transfer capability is maintained in the event of transient conditions. IEEE-450 (Ref. 3) recommends that electrolyte level readings should be made only after the battery has been at float charge for at least 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

(continued)

North Anna Units 1 and 2 B 3.8.6-4 Revision 0, 04/02/02

Battery Cell Parameters B 3.8.6 BASES ACTIONS A.1, A.2, and A.3 (continued)

Continued operation is only permitted for 31 days before battery cell parameters must be restored to within Category A and B limits. With the consideration that, while battery capacity is degraded, sufficient capacity exists to perform the intended function and to allow time to fully restore the battery cell parameters to normal limits, this time is acceptable prior to declaring the battery inoperable.

B.1 With one or more batteries with one or more battery cell parameters outside the Category C limit for any connected cell, sufficient capacity to supply the maximum expected load requirement is not assured and the corresponding DC electrical power subsystem or EDG DC system must be declared inoperable. Additionally, other potentially extreme conditions, such as not completing the Required Actions of Condition A within the required Completion Time or average electrolyte temperature of representative cells falling below 60°F for the Station batteries, are also cause for immediately declaring the associated DC electrical power subsystem inoperable. Representative cells will consist of at least 10 cells.

SURVEILLANCE SR 3.8.6.1 REQUIREMENTS This SR verifies that Category A battery cell parameters are consistent with IEEE-450 (Ref. 3), which recommends regular battery inspections (at least one per month) including voltage, specific gravity, and electrolyte level of pilot cells.

SR 3.8.6.2 The quarterly inspection of specific gravity and voltage is consistent with IEEE-450 (Ref. 3). In addition, within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of a battery discharge < 110 V or a battery overcharge > 150 V, the battery must be demonstrated to meet Category B limits. Transients, such as motor starting transients, which may momentarily cause battery voltage to drop to

  • 110 V, do not constitute a battery discharge provided the battery terminal voltage and float current return to pre-transient values. This inspection is also (continued)

North Anna Units 1 and 2 B 3.8.6-3 Revision 0, 04/02/02

Battery Cell Parameters B 3.8.6 BASES APPLICABILITY The battery cell parameters are required solely for the support of the associated DC electrical power subsystem(s) and EDG DC system(s). Therefore, the battery is only required when the DC power source is required to be OPERABLE.

Refer to the Applicability discussion in Bases for LCO 3.8.4 and LCO 3.8.5.

ACTIONS A.1, A.2, and A.3 With one or more cells in one or more batteries not within limits (i.e., Category A limits not met, Category B limits not met, or Category A and B limits not met) but within the Category C limits specified in Table 3.8.6-1 in the accompanying LCO, the battery is degraded but there is still sufficient capacity to perform the intended function.

Therefore, the affected battery is not required to be considered inoperable solely as a result of Category A or B limits not met and operation is permitted for a limited period.

The pilot cell electrolyte level and float voltage are required to be verified to meet the Category C limits within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action A.1). This check will provide a quick indication of the status of the remainder of the battery cells. One hour provides time to inspect the electrolyte level and to confirm the float voltage of the pilot cells. One hour is considered a reasonable amount of time to perform the required verification.

Verification that the Category C limits are met (Required Action A.2) provides assurance that during the time needed to restore the parameters to the Category A and B limits, the battery is still capable of performing its intended function. A period of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed to complete the initial verification because specific gravity measurements must be obtained for each connected cell. Taking into consideration both the time required to perform the required verification and the assurance that the battery cell parameters are not severely degraded, this time is considered reasonable. The verification is repeated at 7 day intervals until the parameters are restored to Category A or B limits. This periodic verification is consistent with the normal Frequency of pilot cell Surveillances.

(continued)

North Anna Units I and 2 B 3.8.6-2 Revision 0, 04/02/02

Battery Cell Parameters B 3.8.6 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.6 Battery Cell Parameters BASES BACKGROUND This LCO delineates the limits on electrolyte temperature, level, float voltage, and specific gravity for the Station and EDG batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources-Operating," and LCO 3.8.5, "DC Sources-Shutdown."

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the emergency auxiliaries, and control and switching during all MODES of operation. The EDG DC electrical power system consists of the battery, battery charger, and interconnecting cabling supplying power to the associated EDG components to supply the required DC voltage to allow the EDG to perform the required safety function.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining at least one train of DC sources OPERABLE during accident conditions, in the event of:

a. An assumed loss of all offsite AC power or all onsite AC power; and
b. A worst case single failure.

Battery cell parameters satisfy the Criterion 3 of 10 CFR 50.36(c) (2) (ii).

LCO Battery cell parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA.

Electrolyte limits are conservatively established, allowing continued DC electrical system function even with Category A and B limits not met.

North Anna Units 1 and 2 B 3.8.6-1 Revision 0, 04/02/02

DC Sources-Shutdown B 3.8.5 BASES ACTIONS B.1 (continued)

With the required EDG's DC system inoperable, the EDG is not OPERABLE and the applicable Conditions and Required Actions of LCO 3.8.2, "AC Sources-Shutdown," must be entered immediately.

SURVEILLANCE SR 3.8.5.1 REQUIREMENTS SR 3.8.5.1 requires performance of all Surveillances required by SR 3.8.4.1 through SR 3.8.4.9. Therefore, see the corresponding Bases for LCO 3.8.4 for a discussion of each SR.

This SR is modified by a Note. The reason for the Note is to preclude requiring the required OPERABLE DC sources or EDG DC system from being discharged below their capability to provide the required power supply or otherwise rendered inoperable during the performance of SRs. It is the intent that these SRs must still be capable of being met, but actual performance is not required.

REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 15.

North Anna Units 1 and 2 B 3.8.5-4 Revision 0, 04/02/02

DC Sources-Shutdown B 3.8.5 BASES APPLICABILITY The DC electrical power and EDG DC system requirements for (continued) MODES 1, 2, 3, and 4 are covered in LCO 3.8.4.

ACTIONS A.1, A.2.1, A.2.2ý A.2.3, and A.2.4 The train with DC power available may be capable of supporting sufficient systems to allow continuation of CORE ALTERATIONS and recently irradiated fuel movement. By allowing the option to declare required features inoperable with the associated DC power source(s) inoperable, appropriate restrictions will be implemented in accordance with the affected required features LCO ACTIONS. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of recently irradiated fuel assemblies, and operations involving positive reactivity additions) that could result in loss of required SDM (MODE 5) or boron concentration (MODE 6). Suspending positive reactivity additions that could result in failure to meet the minimum SDM or boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required DC electrical power subsystems and to continue this action until restoration is accomplished in order to provide the necessary DC electrical power to the unit safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC electrical power subsystems should be completed as quickly as possible in order to minimize the time during which the unit safety systems may be without sufficient power.

North Anna Units 1 and 2 B 3.8.5-3 Revision 0, 04/02/02

DC Sources-Shutdown B 3.8.5 BASES APPLICABLE The DC sources satisfy Criterion 3 of 10 CFR SAFETY ANALYSES 50.36(c)(2)(ii).

(continued)

LCO The DC electrical power subsystem(s), each subsystem consisting of two batteries, one battery charger per battery, and the corresponding control equipment and interconnecting cabling within the train, are required to be OPERABLE to support required trains of the distribution systems required OPERABLE by LCO 3.8.10, "Distribution Systems-Shutdown." The EDG DC system, consisting of a battery, battery charger, and the corresponding control equipment and interconnection cabling for the EDG, are required to be OPERABLE to support the EDG required by LCO 3.8.2, "AC Sources-Shutdown." This ensures the availability of sufficient DC electrical power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g.,

fuel handling accidents involving handling recently irradiated fuel).

APPLICABILITY The DC electrical power sources and EDG DC system required to be OPERABLE in MODES 5 and 6, and during movement of recently irradiated fuel assemblies, provide assurance that:

a. Required features to provide adequate coolant inventory makeup are available for the recently irradiated fuel assemblies in the core;
b. Required features needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within a time frame established by analysis. The term recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time frame.) are available;
c. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

North Anna Units 1 and 2 B 3.8.5-2 Revision 0, 04/02/02

DC Sources-Shutdown B 3.8.5 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.5 DC Sources-Shutdown BASES BACKGROUND A description of the DC sources is provided in the Bases for LCO 3.8.4, "DC Sources-Operating."

APPLICABLE The initial conditions of Design Basis Accident and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume that Engineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the emergency auxiliaries and control and switching during all MODES of operation. The EDG DC system provides power for the required EDG as described in LCO 3.8.2, "AC Sources-Shutdown."

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum DC electrical power sources during MODES 5 and 6 and during movement of recently irradiated fuel assemblies ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident involving handling recently irradiated fuel. Due to radioactive decay, DC electrical power is only required to mitigate fuel handling accidents involving handling recently irradiated fuel. (i.e., fuel that has occupied part of a critical reactor core within a time frame established by analysis. The term recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time frame.)

North Anna Units 1 and 2 B 3.8.5-1 Revision 0, 04/02/02

Intentionally Blank DC Sources-Operating B 3.8.4 BASES REFERENCES 1. UFSAR, Chapter 3.

2. Safety Guide 6, March 10, 1971.
3. IEEE-308-1971.
4. UFSAR, Chapter 8.
5. IEEE-485-1983, June 1983.
6. UFSAR, Chapter 6.
7. UFSAR, Chapter 15.
8. Regulatory Guide 1.93, December 1974.
9. IEEE-450-1987.
10. Regulatory Guide 1.32, February 1977.
11. Regulatory Guide 1.129, December 1974.

North Anna Units 1 and 2 B 3.8-4-11 Revision 0, 04/02/02

DC Sources-Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.9 (continued)

REQUIREMENTS The acceptance criteria for this Surveillance are consistent with IEEE-450 (Ref. 9) and IEEE-485 (Ref. 5). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer's rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements.

The Surveillance Frequency for this test is normally 60 months. If the battery shows degradation, or if the battery has reached 85% of its expected life, the Surveillance Frequency is reduced to 18 months. Degradation is indicated, according to IEEE-450 (Ref. 9), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is

Ž 10% below the manufacturer's rating. The 60 month Frequency is consistent with the recommendations in IEEE-450 (Ref. 9) and the 18 month Frequency is consistent with operating experience.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems for the Station batteries. This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of the unit shutdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.

North Anna Units 1 and 2 B 3.8.4-10 Revision 0, 04/02/02

DC Sources-Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.8 (continued)

REQUIREMENTS the modified performance discharge test must remain above the minimum battery terminal voltage specified in the battery service test for the duration of time equal to that of the service test.

Note 2 allows the performance discharge test in lieu of the service test once per 60 months.

The reason for Note 3 is that performing the Surveillance on the Station batteries would perturb the electrical distribution system and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of the unit shutdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.4.9 A battery performance discharge test for Station and EDG batteries is a test of constant current capacity of a battery to detect any change in the capacity determined by the acceptance test. The test is intended to determine overall battery degradation due to age and usage.

A battery modified performance discharge test is described in the Bases for SR 3.8.4.8. Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.4.9.

(continued)

North Anna Units 1 and 2 B 3.8.4-9 Revision 0, 04/02/02

DC Sources-Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.6 and SR 3.8.4.7 (continued)

REQUIREMENTS charger for the Station batteries is required to be tested to the same criteria as the normal charger if it is to be used as a substitute charger.

The Surveillance Frequency for SR 3.8.4.7 is acceptable given the EDG must not be required to be OPERABLE during the performance of the required test.

SR 3.8.4.8 A Station battery service test is a special test of battery capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length should correspond to the design duty cycle requirements as specified in Reference 4.

The Surveillance Frequency of 18 months is consistent with the recommendations of Regulatory Guide 1.32 (Ref. 10) and Regulatory Guide 1.129 (Ref. 11), which state that the battery service test should be performed during refueling operations or at some other outage, with intervals between tests, not to exceed 18 months.

This SR is modified by three Notes. Note 1 allows the performance of a modified performance discharge test in lieu of a service test.

A modified performance discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty cycle). This will confirm the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity. Initial conditions for the modified performance discharge test should be identical to those specified for a service test.

It may consist of just two rates; for instance, the one minute rate published for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performance test, both of which envelope the duty cycle of the service test. Since the ampere-hours removed by a one minute discharge represents a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for (continued)

North Anna Units 1 and 2 B 3.8.4-8 Revision 0, 04/02/02

DC Sources-Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.3 (continued)

REQUIREMENTS battery performance. The presence of physical damage or deterioration does not necessarily represent a failure of this SR, provided an evaluation determines that the physical damage or deterioration does not affect the OPERABILITY of the battery (its ability to perform its design function).

SR 3.8.4.4 and SR 3.8.4.5 Station and EDG battery visual inspection and resistance measurements of intercell, interrack, intertier, and terminal connections provide an indication of physical damage or abnormal deterioration that could indicate degraded battery condition. The anticorrosion material is used to help ensure good electrical connections and to reduce terminal deterioration. The visual inspection for corrosion is not intended to require removal of and inspection under each terminal connection. The removal of visible corrosion is a preventive maintenance SR.

SR 3.8.4.6 and SR 3.8.4.7 SR 3.8.4.6 requires that each Station battery charger be capable of supplying Ž 270 amps and Ž 125 V for Ž 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

These requirements are based on the design capacity of the chargers (Ref. 4). According to Regulatory Guide 1.32 (Ref. 10), the battery charger supply is required to be based on the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during these demand occurrences. The minimum required amperes and duration ensures that these requirements can be satisfied.

SR 3.8.4.7 requires that each EDG battery charger be capable of supplying Ž 10 amps and Ž 125 V for Ž 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. These values are based on the design requirements of the charger.

The Surveillance Frequency for SR 3.8.4.6 is acceptable, given the unit conditions required to perform the test and the other administrative controls existing to ensure adequate charger performance during these 18 month intervals. In addition, this Frequency is intended to be consistent with expected fuel cycle lengths. The spare (continued)

North Anna Units 1 and 2 B 3.8.4-7 Revision 0, 04/02/02

DC Sources-Operating B 3.8.4 BASES ACTIONS D.1 (continued)

LCO 3.7.10, "MCR/ESGR Emergency Ventilation Systems," and LCO 3.7.12, "Emergency Core Cooling System Pump Room Exhaust Air Cleanup System," are followed.

SURVEILLANCE SR 3.8.4.1 REQUIREMENTS For Station and EDG batteries, verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of the batteries to perform their intended function.

Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell) and maintain the battery (or a battery cell) in a fully charged state. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the initial voltages assumed in the battery sizing calculations. The 7 day Frequency is consistent with manufacturer recommendations and IEEE-450 (Ref. 9).

SR 3.8.4.2 Visual inspection of both Station and EDG batteries to detect corrosion of the battery cells and connections, or measurement of the resistance of each intercell, interrack, intertier, and terminal connection, provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance.

The presence of visible corrosion does not necessarily represent a failure of this SR provided visible corrosion is removed during performance of SR 3.8.4.4.

The Surveillance Frequency for these inspections, which can detect conditions that can cause power losses due to resistance heating, is 92 days. This Frequency is considered acceptable based on operating experience related to detecting corrosion trends.

SR 3.8.4.3 Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially degrade (continued)

North Anna Units 1 and 2 B 3.8.4-6 Revision 0, 04/02/02

DC Sources-Operating B 3.8.4 BASES ACTIONS A.1 (continued) entry into Condition A. Since a subsequent worst case single failure would, however, result in the complete loss of the remaining 125 VDC electrical power subsystems with attendant loss of ESF functions, continued power operation should not exceed 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Completion Time is based on Regulatory Guide 1.93 (Ref. 8) and reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power subsystem and, if the DC electrical power subsystem is not restored to OPERABLE status, to prepare to effect an orderly and safe unit shutdown.

B.1 and B.2 If the inoperable DC electrical power subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. The Completion Time to bring the unit to MODE 5 is consistent with the time required in Regulatory Guide 1.93 (Ref. 8).

C.1 Condition C represents the loss of the ability of the EDG DC system (e.g., inoperable battery charger or inoperable battery) to supply necessary power to the associated EDG. In this condition, the associated EDG is immediately declared inoperable and the associated Conditions or Required Actions of LCO 3.8.1 are followed.

D.1 Condition D represents the loss of one or more required LCO 3.8.4.c DC electrical power subsystem(s) needed to support the operation of required shared components on the other unit. SW, MCR/ESGR EVS, and Auxiliary Building central exhaust system are shared systems. In this condition, the associated required shared components are declared inoperable immediately. The associated Conditions or Required Actions of LCO 3.7.8, "Service Water System,"

(continued)

North Anna Units 1 and 2 B 3.8.4-5 Revision 0, 04/02/02

DC Sources-Operating B 3.8.4 BASES LCO and Auxiliary Building central exhaust fan. SW, MCR/ESGR (continued) EVS, and Auxiliary Building central exhaust system are shared systems.

APPLICABILITY The DC electrical power sources are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure safe unit operation and to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.

The EDG DC system is required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure the OPERABILITY of the associated EDG in accordance with LCO 3.8.1. In MODES 5 or 6, the OPERABILITY requirements of the EDG DC system are determined by the EDGs that they support in accordance with LCO 3.8.2.

The DC electrical power requirements for MODES 5 and 6 are addressed in the Bases for LCO 3.8.5, "DC Sources-Shutdown."

ACTIONS A.1 Condition A represents one train with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power to the affected train. The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> limit is consistent with the allowed time for an inoperable DC distribution system train.

If one of the required LCO 3.8.4.a DC electrical power subsystems is inoperable (e.g., inoperable battery, inoperable battery charger(s), or inoperable battery charger and associated inoperable battery), the remaining LCO 3.8.4.a DC electrical power subsystem has the capacity to support a safe shutdown and to mitigate an accident condition. For the Station batteries, a spare battery charger may be substituted for the normal charger without (continued)

North Anna Units 1 and 2 B 3.8.4-4 Revision 0, 04/02/02

DC Sources-Operating B 3.8.4 BASES APPLICABLE The OPERABILITY of the DC sources is consistent with the SAFETY ANALYSES initial assumptions of the accident analyses and is based (continued) upon meeting the design basis of the unit. This includes maintaining the DC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite AC power or all onsite AC power; and
b. A worst case single failure.

The OPERABILITY of the EDG DC electrical power system ensures the EDG may perform its required safety function.

The DC sources satisfy Criterion 3 of 10 CFR 50.36(c) (2)(ii).

LCO The DC electrical power subsystems, each subsystem consisting of two batteries, battery charger for each battery and the corresponding control equipment and interconnecting cabling supplying power to the associated bus within the train are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. Loss of any train DC electrical power subsystem does not prevent the minimum safety function from being performed (Ref. 4).

The EDG DC electrical power system consists of the battery, battery charger, and interconnecting cabling to supply the required DC voltage to allow the associated EDG components to perform the required safety function.

An OPERABLE DC electrical power subsystem requires all required batteries and respective chargers to be operating and connected to the associated DC bus(es).

Additionally, the unit's electrical sources must include DC sources from the other unit that are required to support the SW, MCR/ESGR EVS, or Auxiliary Building central exhaust system safety functions. Control power for breakers and electrical power for solenoid operated valves are examples of support systems required to be OPERABLE that are needed for the operation of each required SW pump, MCR/ESGR EVS fan, (continued)

North Anna Units 1 and 2 B 3.8.4-3 Revision 0, 04/02/02

DC Sources-Operating B 3.8.4 BASES BACKGROUND Each 125 VDC battery is separately housed in a ventilated (continued) room apart from its charger and distribution centers. Each subsystem is located in an area separated physically and electrically from the other subsystem to ensure that a single failure in one subsystem does not cause a failure in a redundant subsystem. There is no sharing between redundant Class 1E subsystems, such as batteries, battery chargers, or distribution panels.

The criteria for sizing large lead storage batteries are defined in IEEE-485 (Ref. 5).

Each Train H and Train J DC electrical power subsystem has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged.

Each battery charger also has sufficient capacity to restore the battery from the design minimum charge to its fully charged state within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> while supplying normal steady state loads discussed in the UFSAR, Chapter 8 (Ref. 4).

The EDG DC electrical power system consists of the battery, battery charger, and interconnecting cabling to supply the required DC voltage to allow the associated EDG components to perform the required safety function.

For the other unit, control power for breakers and electrical power for solenoid operated valves that are needed to support operation of each required Service Water (SW) pump, Main Control Room (MCR)/Emergency Switchgear Room (ESGR) Emergency Ventilation System (EVS) fan, and Auxiliary Building central exhaust fan. SW, MCR/ESGR EVS, and Auxiliary Building central exhaust system are shared systems.

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 6 (Ref. 6), and in the UFSAR, Chapter 15 (Ref. 7), assume that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the emergency auxiliaries and control and switching during all MODES of operation.

(continued)

North Anna Units 1 and 2 B 3.8.4-2 Revision 0, 04/02/02

DC Sources-Operating B 3.8.4 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.4 DC Sources-Operating BASES BACKGROUND The station DC electrical power system provides the AC emergency power system with control power. It also provides both motive and control power to selected safety related equipment and preferred AC vital bus power (via inverters).

As required by Reference 1, the DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure. The DC electrical power system also conforms to the recommendations of Safety Guide 6 (Ref. 2) and IEEE-308 (Ref. 3).

The 125 VDC electrical power system consists of two independent and redundant safety related Class 1E DC electrical power subsystems (Train H and Train J). Each subsystem consists of two 125 VDC batteries, the associated battery charger(s) for each battery, and all the associated control equipment and interconnecting cabling. A spare battery charger is installed on each train and can be substituted for either of the train's chargers.

During normal operation, the 125 VDC load is powered from the battery chargers with the batteries floating on the system. In case of loss of normal power to the battery charger, the DC load is automatically powered from the station batteries.

The Train H and Train J DC electrical power subsystems provide the control power for its associated Class 1E AC power load group, 4.16 kV switchgear, and 480 V load centers. The DC electrical power subsystems also provide DC electrical power to the inverters, which in turn power the AC vital buses.

The DC power distribution system is described in more detail in Bases for LCO 3.8.9, "Distribution Systems-Operating,"

and LCO 3.8.10, "Distribution Systems-Shutdown."

Each battery has adequate storage capacity to carry the required load continuously for at least 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

(continued)

North Anna Units 1 and 2 B 3.8.4-1 Revision 0, 04/02/02

Intentionally Blank Diesel Fuel Oil and Starting Air B 3.8.3 BASES REFERENCES 7. ASTM Standards, D975, Table 1, 1974.

(continued)

North Anna Units 1 and 2 B 3.8.3-9 Revision 0, 04/02/02

Diesel Fuel Oil and Starting Air B 3.8.3 BASES SURVEILLANCE SR 3.8.3.3 (continued)

REQUIREMENTS R 150 psig. The pressure specified in this SR is intended to reflect the lowest value at which more than one start can be accomplished.

The 31 day Frequency takes into account the capacity, capability, redundancy, and diversity of the AC sources and other indications available in the control room, including alarms, to alert the operator to below normal air start pressure.

SR 3.8.3.4 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel storage tanks once every 92 days eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling.

In addition, it eliminates the potential for water entrainment in the fuel oil during EDG operation. Water may come from any of several sources, including condensation, ground water, rain water, and contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequencies are established by Regulatory Guide 1.137 (Ref. 2). This SR is for preventive maintenance. The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed during performance of the Surveillance.

REFERENCES 1. UFSAR, Section 9.5.4.2.

2. Regulatory Guide 1.137.
3. ANSI N195-1976, Appendix B.
4. UFSAR, Chapter 6.
5. UFSAR, Chapter 15.
6. ASTM Standards: D4057-88; D975-83; D4176-86; D1552-88; D2622-82; D2276, Method A.

North Anna Units 1 and 2 B 3.8.3-8 Revision 0, 04/02/02

Diesel Fuel Oil and Starting Air B 3.8.3 BASES SURVEILLANCE SR 3.8.3.2 (continued)

REQUIREMENTS Failure to meet any of the above limits is cause for rejecting the new fuel oil, but does not represent a failure to meet the LCO concern since the fuel oil is not added to the storage tanks.

Within 31 days following the initial new fuel oil sample, the fuel oil is analyzed to establish that the other properties specified in Table 1 of ASTM D975-89a (Ref. 7) are met for new fuel oil when tested in accordance with ASTM D975-83 (Ref. 6), except that the analysis for sulfur may be performed in accordance with ASTM D1552-88 (Ref. 6) or ASTM D2622-82 (Ref. 6). The 31 day period is acceptable because the fuel oil properties of interest, even if they were not within stated limits, would not have an immediate effect on EDG operation. This Surveillance ensures the availability of high quality fuel oil for the EDGs.

Fuel oil degradation during long term storage shows up as an increase in particulate, due mostly to oxidation. The presence of particulate does not mean the fuel oil will not burn properly in a diesel engine. The particulate can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure.

Particulate concentrations should be determined in accordance with ASTM D2276-83, Method A (Ref. 6). This method involves a gravimetric determination of total particulate concentration in the fuel oil and has a limit of 10 mg/l. It is acceptable to obtain a field sample for subsequent laboratory testing in lieu of field testing. Each tank is considered and tested separately.

The Frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change significantly between Frequency intervals.

SR 3.8.3.3 This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each EDG is available. The system design requirements were verified for a minimum of five engine start cycles without recharging. A start cycle is measured in terms of time (seconds of cranking). One air start subsystem is (continued)

North Anna Units 1 and 2 B 3.8.3-7 Revision 0, 04/02/02

Diesel Fuel Oil and Starting Air B 3.8.3 BASES SURVEILLANCE SR 3.8.3.1 REQUIREMENTS This SR provides verification that there is an adequate inventory of fuel oil in the storage tanks to support two EDGs' operation for 7 days at full load. The 7 day period is sufficient time to place the unit in a safe shutdown condition and to bring in replenishment fuel from an offsite location.

The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since low level alarms are provided and unit operators would be aware of any large uses of fuel oil during this period.

SR 3.8.3.2 The tests listed below are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate, detrimental impact on diesel engine combustion. If results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank(s), but in no case is the time between receipt of new fuel and conducting the tests to exceed 31 days. The tests, limits, and applicable ASTM Standards are as follows:

a. Sample the new fuel oil in accordance with ASTM D4057-88 (Ref. 6);
b. Verify in accordance with the tests specified in ASTM D975-83 (Ref. 6) that the sample has an absolute specific gravity at 60/60'F of Ž 0.83 and
  • 0.89 or an API gravity at 60OF of Ž 270 and : 390, a kinematic viscosity at 100OF of Ž 1.9 centistokes and
  • 4.1 centistokes, and a flash point of > 125 0 F; and
c. Verify that the new fuel oil is checked for water and sediment in accordance with the Diesel Fuel Oil Testing Program.

(continued)

North Anna Units 1 and 2 B 3.8.3-6 Revision 0, 04/02/02

Diesel Fuel Oil and Starting Air B 3.8.3 BASES ACTIONS C.1 (continued)

Completion Time allows for further evaluation, resampling and re-analysis of the EDG fuel oil stored in the below ground tanks.

D.1 With the new fuel oil properties defined in the Bases for SR 3.8.3.2 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or to restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combinations of these procedures. Even if an EDG start and load was required during this time interval and the fuel oil properties were outside limits, there is a high likelihood that the EDG would still be capable of performing its intended function.

E.1 With the one required starting air receiver pressure

< 175 psig, sufficient capacity for several EDG start attempts does not exist. However, as long as the receiver pressure is > 150 psig, there is adequate capacity for at least one start attempt, and the EDG can be considered OPERABLE while the air receiver pressure is restored to the required limit. A period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to complete restoration to the required pressure prior to declaring the EDG inoperable. This period is acceptable based on the remaining air start capacity, the fact that most EDG starts are accomplished on the first attempt, and the low probability of an event during this brief period.

F.1 With a Required Action and associated Completion Time not met, or one or more EDG's fuel oil or the required starting air subsystem not within limits for reasons other than addressed by Conditions A through E, the associated EDG(s) may be incapable of performing its intended function and must be immediately declared inoperable. Only one starting air subsystem is required.

North Anna Units 1 and 2 B 3.8.3-5 Revision 0, 04/02/02

Diesel Fuel Oil and Starting Air B 3.8.3 BASES ACTIONS A.1, A.2, A.3, and A.4 (continued) restored within limits in 7 days. This time is considered reasonable based on the required maintenance and the requirements provided by the Required Actions.

B.1 In this Condition, the 7 day fuel oil supply is not available. The EDG fuel oil transfer pumps are aligned so that the lead pump for each EDG takes suction on the

'A' tank. The backup pumps are aligned to take suction on the

'B' tank. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply.

These circumstances may be caused by events, such as full load operation required after an inadvertent start while at minimum required level, or feed and bleed operations, which may be necessitated by increasing particulate levels or any number of other oil quality degradations. This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of fuel oil to the tank. A period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to complete restoration of the required level prior to declaring the EDG inoperable.

This period is acceptable based on the remaining capacity

(> 6 days), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period. This Condition applies for reasons other than Condition A.

C.1 This Condition is entered as a result of a failure to meet the acceptance criterion of SR 3.8.3.2. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling),

contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend.

Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, and particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated EDG inoperable. The 7 day (continued)

North Anna Units 1 and 2 B 3.8.3-4 Revision 0, 04/02/02

Diesel Fuel Oil and Starting Air B 3.8.3 BASES APPLICABILITY LCO 3.8.2, stored diesel fuel oil and starting air are (continued) required to be within limits when the EDG(s) is required to be OPERABLE.

All four EDGs (two per unit) are normally associated with both tanks which make up the fuel oil storage system. All EDGs that are required to be OPERABLE are associated with the fuel oil storage system. The determination of which EDGs are required to be OPERABLE is based on the requirements of LCO 3.8.1, "AC Sources-Operating," and LCO 3.8.2, "AC Sources-Shutdown."

ACTIONS The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each EDG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable EDG subsystem. Complying with the Required Actions for one inoperable EDG subsystem may allow for continued operation, and subsequent inoperable EDG subsystem(s) are governed by separate Condition entry and application of associated Required Actions.

A.1, A.2, A.3, and A.4 In this Condition, an underground fuel oil storage tank is not within limits for the purpose of tank repair or inspection. Every ten years a fuel oil tank must be inspected for integrity under the requirements of ASME Code,Section XI. Because both tanks are the source of fuel oil for all EDGs on both units, a dual unit outage would be required in order to provide the necessary time to complete the required maintenance or inspection. Prior to removal of the tank for repairs or inspection, verify 50,000 gallons of replacement fuel oil is available offsite and transportation is available to deliver that volume of fuel oil within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. Restrictions are placed on the remaining fuel oil storage tank and the 210,000-gallon above ground tank. Under this Condition, verification of the redundant fuel oil tank is required to confirm the required minimum amount of diesel fuel oil. In addition, the above ground tank, used to supply make up to the underground tanks, is required to be verified to contain the minimum level corresponding to 100,000 gallons. Verifications of onsite fuel oil are required on a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> frequency to ensure an adequate source of fuel oil to the EDGs remains available. The underground fuel oil tank that is being inspected or repaired must be (continued)

North Anna Units 1 and 2 B 3.8.3-3 Revision 0, 04/02/02

Diesel Fuel Oil and Starting Air B 3.8.3 BASES APPLICABLE containment design limits are not exceeded. These limits are SAFETY ANALYSES discussed in more detail in the Bases for Section 3.2, Power (continued) Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The DBA and transient analyses assume the operation of one EDG associated with the unit on which an accident is postulated to occur and the operation of one EDG on the unit which is unaffected by the accident to support shared systems. LCO 3.8.1 requires two EDGs to be OPERABLE and one EDG from the other unit to be OPERABLE. However, only sufficient fuel oil to operate one EDG and one EDG on the other unit is required to satisfy the assumptions of the DBA and transient analysis and to support EDG OPERABILITY.

Since diesel fuel oil and the air start subsystem support the operation of the standby AC power sources, they satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO Stored diesel fuel oil is required to have sufficient supply for 7 days of full load operation for two EDGs. It is also required to meet specific standards for quality. This requirement, in conjunction with an ability to obtain replacement supplies within 2 days, supports the availability of EDGs required to shut down the reactor and to maintain it in a safe condition for an anticipated operational occurrence (AOO) or a postulated DBA with loss of offsite power. EDG day tank fuel requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO 3.8.1, "AC Sources-Operating," and LCO 3.8.2, "AC Sources-Shutdown."

One air start subsystem is required to ensure EDG OPERABILITY. The required starting air subsystem receiver is required to have a minimum of 175 psig to provide the EDG with more than one start attempt without recharging the air start receivers.

APPLICABILITY The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an AOO or a postulated DBA. Since stored diesel fuel oil and the starting air subsystem support LCO 3.8.1 and (continued)

North Anna Units 1 and 2 B 3.8.3-2 Revision 0, 04/02/02

Diesel Fuel Oil and Starting Air B 3.8.3 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.3 Diesel Fuel Oil and Starting Air BASES BACKGROUND The fuel oil storage system has sufficient capacity to operate two EDGs for a period of 7 days with each supplying the maximum post loss of coolant accident load demand discussed in the UFSAR, Section 9.5.4.2 (Ref. 1). This onsite fuel oil capacity is sufficient to operate the EDGs for longer than the time to replenish the onsite supply from outside sources.

The fuel oil storage system consists of two underground tanks. Fuel oil is transferred from an underground tank to each EDG day tank by a lead fuel oil transfer pump. An additional underground tank and fuel oil transfer pump is associated with each EDG day tank to provide a redundant subsystem. Independent level switches on the day tank operate the lead and backup fuel oil transfer subsystems.

All outside tanks, pumps, and piping are located underground or in a missile protected area.

For proper operation of the standby EDGs, it is necessary to ensure the proper quality of the fuel oil. Regulatory Guide 1.137 (Ref. 2) addresses the recommended fuel oil practices as supplemented by ANSI N195 (Ref. 3). The fuel oil properties governed by these SRs are the water and sediment content, the kinematic viscosity, specific gravity (or API gravity), and impurity level.

Each EDG has an air start system that contains two separate and independent subsystems. Normally, each subsystem is aligned to provide starting air to the associated EDG. Each subsystem consists of a receiver and a compressor. Only one air start subsystem is required for the EDG to be considered OPERABLE.

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 6 (Ref. 4), and in the UFSAR, Chapter 15 (Ref. 5), assume Engineered Safety Feature (ESF) systems are OPERABLE. The EDGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System and (continued)

North Anna Units 1 and 2 B 3.8.3-1 Revision 0, 04/02/02

AC Sources-Shutdown B 3.8.2 BASES ACTIONS A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4 (continued) any required ESF bus, the ACTIONS for LCO 3.8.10 must be immediately entered. This Note allows Condition A to provide requirements for the loss of the offsite circuit, whether or not a train is de-energized. LCO 3.8.10 would provide the appropriate restrictions for the situation involving a de-energized train.

SURVEILLANCE SR 3.8.2.1 REQUIREMENTS SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in other than MODES 1, 2, 3, and 4. SR 3.8.1.8 is not required to be met since only one offsite circuit is required to be OPERABLE. SR 3.8.1.10, SR 3.8.1.11, SR 3.8.1.12, SR 3.8.1.16, and SR 3.8.1.17 are not required because the ESF actuation signals are not required to be OPERABLE. These SRs are not required to be met because the required OPERABLE EDG and sequencing timing relays are not required to be OPERABLE because no ESF loads are assumed to be powered from the emergency bus by the safety analyses. SR 3.8.1.18 is excepted because starting independence is not required with the EDG(s) that is not required to be OPERABLE.

This SR is modified by a Note. The reason for this Note is to preclude requiring the required OPERABLE EDG(s) from being paralleled with the offsite power network or otherwise rendered inoperable during performance of SRs, and to preclude de-energizing a required 4160 V ESF bus or disconnecting a required offsite circuit during performance of SRs. With limited AC sources available, a single event could compromise both the required circuit and the EDG. It is the intent that these SRs must still be capable of being met, but actual performance is not required during periods when the EDG and offsite circuit is required to be OPERABLE. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR.

REFERENCES None.

North Anna Units 1 and 2 B 3.8.2-6 Revision 0, 04/02/02

AC Sources-Shutdown B 3.8.2 BASES ACTIONS A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4 (continued)

With the offsite circuit not available to all required trains, the option would still exist to declare all required features inoperable. Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With the required EDG inoperable, the minimum required diversity of AC power sources is not available. It is, therefore, required to suspend CORE ALTERATIONS, movement of recently irradiated fuel assemblies, and operations involving positive reactivity additions that could result in loss of required SDM (MODE 5) or boron concentration (MODE 6). Suspending positive reactivity additions that could result in failure to meet the minimum SDM or boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.

Suspension of these activities does not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability or the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC sources and to continue this action until restoration is accomplished in order to provide the necessary AC power to the unit safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during which the unit safety systems may be without sufficient power.

Pursuant to LCO 3.0.6, the Distribution System's ACTIONS would not be entered even if all AC sources to it are inoperable, resulting in de-energization. Therefore, the Required Actions of Condition A are modified by a Note to indicate that when Condition A is entered with no AC power to (continued)

North Anna Units 1 and 2 B 3.8.2-5 Revision 0, 04/02/02

AC Sources-Shutdown B 3.8.2 BASES LCO It is acceptable for trains to be cross tied during shutdown (continued) conditions, allowing a single offsite power circuit to supply all required trains.

APPLICABILITY The AC sources required to be OPERABLE in MODES 5 and 6 and during movement of recently irradiated fuel assemblies provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core;
b. Systems needed to mitigate a fuel handling accident involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within a time frame established by analysis. The term recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time frame.) are available;
c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

The AC power requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.1.

ACTIONS A.1 An offsite circuit would be considered inoperable if it were not available to the necessary portions of the electrical power distribution subsystem(s). One train with offsite power available may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and recently irradiated fuel movement. By the allowance of the option to declare required features inoperable, with no offsite power available, appropriate restrictions will be implemented in accordance with the affected required features LCO's ACTIONS.

North Anna Units 1 and 2 B 3.8.2-4 Revision 0, 04/02/02

AC Sources-Shutdown B 3.8.2 BASES LCO powered from offsite power. An OPERABLE EDG, associated with (continued) the distribution system trains required to be OPERABLE by LCO 3.8.10, ensures a diverse power source is available to provide electrical power support, assuming a loss of the offsite circuit. Together, OPERABILITY of the required offsite circuit and EDG ensures the availability of sufficient AC sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents involving handling recently irradiated fuel).

The qualified offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the Engineered Safety Feature (ESF) bus(es). Qualified offsite circuits are those that are described in the UFSAR and are part of the licensing basis for the unit.

Offsite circuits consist of 34.5 kV buses 3, 4, and 5 supplying the Reserve Station Service Transformer(s) (RSST) which feed the transfer buses. The D, E, and F transfer buses supply the onsite electrical power to the four emergency buses for the two units. Unit 1 emergency bus H is fed through the F transfer bus from the C RSST. Unit 1 emergency bus J is fed through the D transfer bus from the A RSST.

Unit 1 station service bus 1B can be an alternate feed for Unit 1 H emergency bus, while Unit I J bus may be fed from Unit 2 station service bus 2B. Unit 2 emergency bus H is fed through the E transfer bus from the B RSST. Unit 2 emergency bus J is fed through the F transfer bus from the C RSST. The RSSTs can be fed by any 34.5 kV bus (3, 4, or 5) provided RSSTs A and B are fed from a different 34.5 kV bus than RSST C.

The EDG must be capable of starting, accelerating to rated speed and voltage, and connecting to its respective ESF bus on detection of bus undervoltage or degraded voltage. The EDG must be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF bus. These capabilities are required to be met from a variety of initial conditions such as EDG in standby with the engine hot and the EDG in standby at ambient conditions.

Proper sequencing of loads is a required function for EDG OPERABILITY.

(continued)

North Anna Units 1 and 2 B 3.8.2-3 Revision 0, 04/02/02

AC Sources-Shutdown B 3.8.2 BASES APPLICABLE minimal consequences. These deviations from DBA analysis SAFETY ANALYSES assumptions and design requirements during shutdown (continued) conditions are allowed by the LCO for required systems.

During MODES 1, 2, 3, and 4, various deviations from the analysis assumptions and design requirements are allowed within the Required Actions. This allowance is in recognition that certain testing and maintenance activities must be conducted provided an acceptable level of risk is not exceeded. During MODES 5 and 6, performance of a significant number of required testing and maintenance activities is also required. In MODES 5 and 6, the activities are generally planned and administratively controlled.

Relaxations from MODE 1, 2, 3, and 4 LCO requirements are acceptable during shutdown modes based on:

a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.
b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operating MODE analyses, or both.
c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.
d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODE 1, 2, 3, and 4 OPERABILITY requirements) with systems assumed to function during an event.

In the event of an accident during shutdown, this LCO ensures the capability to support systems necessary to avoid immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite emergency diesel generator (EDG) power.

The AC sources satisfy Criterion 3 of 10 CFR 50.36(c) (2) (ii).

LCO One offsite circuit capable of supplying the onsite Class 1E power distribution subsystem(s) of LCO 3.8.10, "Distribution Systems-Shutdown," ensures that all required loads are (continued)

North Anna Units 1 and 2 B 3.8.2-2 Revision 0, 04/02/02

AC Sources-Shutdown B 3.8.2 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.2 AC Sources-Shutdown BASES BACKGROUND A description of the AC sources is provided in the Bases for LCO 3.8.1, "AC Sources-Operating."

APPLICABLE The OPERABILITY of the minimum AC sources during MODES 5 SAFETY ANALYSES and 6 and during movement of recently irradiated fuel assemblies ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident involving handling recently irradiated fuel. Due to radioactive decay, AC electrical power is only required to mitigate fuel handling accident involving handling recently irradiated fuel. (i.e., fuel that has occupied part of a critical reactor core within a time frame established by analysis. The term recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time frame.)

In general, when the unit is shut down, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6. Worst case bounding events are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in (continued)

North Anna Units 1 and 2 B 3.8.2-1 Revision 0, 04/02/02

Intentionally Blank AC Sources-Operati ng B 3.8.1 BASES REFERENCES 8. Regulatory Guide 1.108, Rev. 1, August 1977.

(continued)

9. Regulatory Guide 1.137, Rev. 1, October 1979.
10. ASME Code for Operation and Maintenance of Nuclear Power Plants.
11. IEEE Standard 308-1971.
12. Technical Requirements Manual.

North Anna Units 1 and 2 B 3.8. 1-37 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.17 (continued)

REQUIREMENTS consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of the unit shutdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.18 This Surveillance demonstrates that the EDG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the EDGs are started simultaneously.

The 10 year Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 8).

This SR is modified by a Note. The reason for the Note is to minimize wear on the EDG during testing. For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations.

REFERENCES 1. UFSAR, Chapter 3.

2. UFSAR, Chapter 8.
3. Safety Guide 9, March 1971.
4. UFSAR, Chapter 6.
5. UFSAR, Chapter 15.
6. Regulatory Guide 1.93, Rev. 0, December 1974.
7. Generic Letter 84-15, "Proposed Staff Actions to Improve and Maintain Diesel Generator Reliability,"

July 2, 1984.

North Anna Units 1 and 2 B 3.8. 1-36 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.16 (continued)

REQUIREMENTS of a unit shutdown and startup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.17 In the event of a DBA coincident with a loss of offsite power, the EDGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.

This Surveillance demonstrates the EDG operation, as discussed in the Bases for SR 3.8.1.10, during a loss of offsite power actuation test signal in conjunction with an ESF actuation signal. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the EDG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The Frequency of 18 months takes into consideration unit conditions required to perform the Surveillance and is intended to be consistent with an expected fuel cycle length of 18 months.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the EDGs during testing. For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations for EDGs. The reason for Note 2 is that the performance of the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, (continued)

North Anna Units 1 and 2 B 3.8.1-35 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.15 (continued)

REQUIREMENTS is maintained or enhanced when the Surveillance is performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.16 Under accident conditions, with a loss of offsite power, safety injection, containment spray, or recirculation spray, loads are sequentially connected to the bus by the automatic load sequencing timing relays. The sequencing timing relays control the permissive and starting signals to motor breakers to prevent overloading of the EDGs due to high motor starting currents. The load sequence time interval tolerances, listed in the Technical Requirements Manual (Ref. 12), ensure that sufficient time exists for the EDG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated. Reference 2 provides a summary of the automatic loading of ESF buses.

The Frequency of 18 months is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 8),

paragraph 2.a.(2), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk (continued)

North Anna Units 1 and 2 B 3.8.1-34 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.14 (continued)

REQUIREMENTS do not invalidate this test. Note 2 allows all EDG starts to be preceded by an engine prelube period to minimize wear and tear on the diesel during testing.

SR 3.8.1.15 Consistent with the recommendations of Regulatory Guide 1.108 (Ref. 8), paragraph 2.a.(6), this Surveillance ensures that the manual synchronization and load transfer from the EDG to the offsite source can be made and the EDG can be returned to ready to load status when offsite power is restored. It also ensures that the autostart logic is reset to allow the EDG to reload if a subsequent loss of offsite power occurs. The EDG is considered to be in ready to load status when the EDG is at rated speed and voltage, the output breaker is open and can receive an autoclose signal on bus undervoltage, and the load sequencing timing relays are reset. EDG loading of the emergency bus is limited to normal energized loads.

The Frequency of 18 months is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 8),

paragraph 2.a.(6), and takes into consideration unit conditions required to perform the Surveillance.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a unit shutdown and startup to determine that unit safety (continued)

North Anna Units 1 and 2 B 3.8.1-33 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.13 (continued)

REQUIREMENTS be used for this assessment. Note 3 ensures that the EDG is tested under load conditions that are as close to design basis conditions as possible. When synchronized with offsite power, testing should be performed at a power factor of

  • 0.9. This power factor is representative of the actual inductive loading an EDG would see under design basis accident conditions. Under certain conditions, however, Note 3 allows the surveillance to be conducted at a power factor other than
  • 0.9. These conditions occur when grid voltage is high, and the additional field excitation needed to get the power factor to
  • 0.9 results in voltages on the emergency busses that are too high. Under these conditions, the power factor should be maintained as close as practicable to 0.9 while still maintaining acceptable voltage limits on the emergency busses. In other circumstances, the grid voltage may be such that the EDG excitation levels needed to obtain a power factor of 0.9 may not cause unacceptable voltages on the emergency busses, but the excitation levels are in excess of those recommended for the EDG. In such cases, the power factor shall be maintained as close as practicable to 0.9 without exceeding the EDG excitation limits.

SR 3.8.1.14 This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from normal Surveillances, and achieve the required voltage and frequency within 10 seconds. The 10 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA. The 18 month Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 8), paragraph 2.a.(5).

This SR is modified by two Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The load band is provided to avoid routine overloading of the EDG.

Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain EDG OPERABILITY. The requirement that the diesel has operated for at least 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> at full load conditions, or after operating temperatures reach a stabilized state, prior to performance of this Surveillance is based on manufacturer recommendations for achieving hot conditions. Momentary transients due to changing bus loads (continued)

North Anna Units 1 and 2 B 3.8.1-32 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.13 (continued)

REQUIREMENTS of the continuous duty rating and the remainder of the time at a load equivalent from 90% to 100% of the continuous duty rating of the EDG. The EDG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelubricating and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.

The load band is provided to avoid routine overloading of the EDG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain EDG OPERABILITY.

The 18 month Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 8),

paragraph 2.a.(3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This Surveillance is modified by three Notes. Note 1 states that momentary transients due to changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the power factor limit will not invalidate the test. The reason for Note 2 is that during operation with the reactor critical, performance of this Surveillance could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems. This restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced.

This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a unit shutdown and startup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may (continued)

North Anna Units 1 and 2 B 3.8. 1-31 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.12 (continued)

REQUIREMENTS during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately. The EDG availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the EDG.

The 18 month Frequency is based on engineering judgment, taking into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required EDG from service. This restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a unit shutdown and startup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.13 Regulatory Guide 1.108 (Ref. 8), paragraph 2.a.(3), provides an acceptable method to demonstrate once per 18 months that the EDGs can start and run continuously at full load capability for an interval of not less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />,

Ž2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of which is at a load equivalent from 105% to 110%

(continued)

North Anna Units 1 and 2 B 3.8.1-30 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.11 (continued)

REQUIREMENTS components usually pass the SR when performed at the 18 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the EDGs during testing. For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. The reason for Note 2 is that during operation with the reactor critical, performance of this Surveillance could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems. This restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced.

This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of the unit shutdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1 or 2.

Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.12 This Surveillance demonstrates that EDG noncritical protective functions (e.g., high jacket water temperature) are bypassed on actual or simulated signals from an ESF actuation, a loss of voltage, or a loss of voltage signal concurrent with an ESF actuation test signal, and critical protective functions (engine overspeed and generator differential current) trip the EDG to ayert substantial damage to the EDG unit. The noncritical trips are bypassed (continued)

North Anna Units 1 and 2 B 3.8.1-29 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.10 (continued)

REQUIREMENTS assessment determines unit safety is maintained or enhanced.

This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of the unit shutdown and startup to determine that unit safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.11 This Surveillance demonstrates that the EDG automatically starts and achieves the required voltage and frequency within the specified time (10 seconds) from the design basis actuation signal (LOCA signal) and operates for Ž 5 minutes.

The 5 minute period provides sufficient time to demonstrate stability. SR 3.8.1.11.d and SR 3.8.1.11.e ensure that permanently connected loads and emergency loads are energized from the offsite electrical power system on an ESF signal without loss of offsite power.

The requirement to verify the connection of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the EDG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves are not desired to be stroked open, or high pressure injection systems are not capable of being operated at full flow. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the EDG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The Frequency of 18 months takes into consideration unit conditions required to perform the Surveillance and is intended to be consistent with the expected fuel cycle lengths. Operating experience has shown that these (continued)

North Anna Units 1 and 2 B 3.8.1-28 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.10 (continued)

REQUIREMENTS The EDG autostart time of 10 seconds is derived from requirements of the accident analysis to respond to a design basis large break LOCA. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability is achieved.

The requirement to verify the connection and power supply of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the EDG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, or high pressure injection systems are not capable of being operated at full flow, and not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the EDG systems to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The Frequency of 18 months is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 8),

paragraph 2.a.(1), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the EDGs during testing. For the purpose of this testing, the EDGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated, as required, and temperature maintained consistent with manufacturer recommendations. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an (continued)

North Anna Units 1 and 2 B 3.8. 1-27 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.9 (continued)

REQUIREMENTS the EDG. SR 3.8.1.9.a corresponds to the maximum frequency excursion, while SR 3.8.1.9.b and SR 3.8.1.9.c are steady state voltage and frequency values to which the system must recover following load rejection. The 18 month Frequency is consistent with the recommendation of Regulatory Guide 1.108 (Ref. 8).

This SR is modified by a Note. The Note ensures that the EDG is tested under load conditions that are as close to design basis conditions as possible. When synchronized with offsite power, testing should be performed at a power factor of

  • 0.9. This power factor is representative of the actual inductive loading an EDG would see under design basis accident conditions. Under certain conditions, however, the Note allows the surveillance to be conducted at a power factor other than
  • 0.9. These conditions occur when grid voltage is high, and the additional field excitation needed to get the power factor to
  • 0.9 results in voltages on the emergency busses that are too high. Under these conditions, the power factor should be maintained as close as practicable to 0.9 while still maintaining acceptable voltage limits on the emergency busses. In other circumstances, the grid voltage may be such that the EDG excitation levels needed to obtain a power factor of 0.9 may not cause unacceptable voltages on the emergency busses, but the excitation levels are in excess of those recommended for the EDG. In such cases, the power factor shall be maintained as close as practicable to 0.9 without exceeding the EDG excitation limits.

SR 3.8.1.10 Consistent with the recommendations of Regulatory Guide 1.108 (Ref. 8), paragraph 2.a.(1), this Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies all actions encountered from the loss of offsite power, including shedding of the nonessential loads and energization of the emergency buses and respective loads from the EDG. It further demonstrates the capability of the EDG to automatically achieve the required voltage and frequency within the specified time.

(continued)

North Anna Units 1 and 2 B 3.8. 1-26 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.8 (continued)

REQUIREMENTS system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a unit shutdown and startup to determine that unit safety is maintained or enhanced when the Surveillance is performed in MODE 1 or 2.

Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.9 Each EDG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine.

This Surveillance demonstrates the EDG load response characteristics and capability to reject the largest single load without exceeding predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip. For this unit, the single load for each EDG is 610 kW.

This Surveillance may be accomplished by:

a. Tripping the EDG output breaker with the EDG carrying greater than or equal to its associated single largest post-accident load while paralleled to offsite power, or while solely supplying the bus; or
b. Tripping its associated single largest post-accident load with the EDG solely supplying the bus.

As required by IEEE-308 (Ref. 11), the load rejection test is acceptable if the increase in diesel speed does not exceed 75% of the difference between synchronous speed and the overspeed trip setpoint, or 15% above synchronous speed, whichever is lower.

The time, voltage, and frequency tolerances specified in this SR are derived from Safety Guide 9 (Ref. 3) recommendations for response during load sequence intervals.

The 3 seconds specified is equal to 60% of a typical 5 second load sequence interval associated with sequencing of the largest load. The voltage and frequency specified are consistent with the design range of the equipment powered by (continued)

North Anna Units 1 and 2 B 3.8. 1-25 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.6 (continued)

REQUIREMENTS The 92 day Frequency corresponds to the testing requirements of pumps as contained in the ASME Code (Ref. 10). The fuel oil transfer system is such that the pumps must be started manually in order to maintain an adequate volume of fuel in the day tank during or following EDG testing, and a 92 day Frequency is appropriate.

SR 3.8.1.7 See SR 3.8.1.2.

SR 3.8.1.8 Transfer of each 4.16 kV ESF bus power supply from the normal offsite circuit to the alternate offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the shutdown loads for Unit 1 only. The 18 month Frequency of the Surveillance is based on engineering judgment, taking into consideration the unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by two Notes. Note 1 states that the SR is applicable to Unit 1 only. The SR is not applicable to Unit 2 because it does not have an alternate offsite feed for the emergency buses. The reason for Note 2 is that, during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems. This restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines unit safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite (continued)

North Anna Units 1 and 2 B 3.8.1-24 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.4 REQUIREMENTS (continued) This SR provides verification that the level of fuel oil in the day tank is at or above the level which is required. The level is expressed as an equivalent volume in gallons, and is selected to ensure adequate fuel oil for a minimum of I hour of EDG operation at full load plus 10%.

The 31 day Frequency is adequate to assure that a sufficient supply of fuel oil is available, since low level alarms are provided and operators would be aware of any large uses of fuel oil during this period.

SR 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks once every 92 days eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling.

In addition, it eliminates the potential for water entrainment in the fuel oil during EDG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequencies are consistent with the recommendations of Regulatory Guide 1.137 (Ref. 9). This SR is for preventative maintenance. The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed during the performance of this Surveillance.

SR 3.8.1.6 This Surveillance demonstrates that each required fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to its associated day tank. This is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for fuel transfer systems are OPERABLE.

(continued)

North Anna Units 1 and 2 B 3.8.1-23 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.2 and SR 3.8.1.7 (continued)

REQUIREMENTS The 31 day Frequency for SR 3.8.1.2 and the 184 day Frequency for SR 3.8.1.7 are acceptable based on operating experience. These Frequencies provide adequate assurance of EDG OPERABILITY, while minimizing degradation resulting from testing.

SR 3.8.1.3 This Surveillance verifies that the EDGs are capable of synchronizing with the offsite electrical system and accepting loads greater than or equal to the equivalent of 90% to 100% of continuous rating (2500 to 2600 kW). A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the EDG is connected to the offsite source.

Although no power factor requirements are established by this SR, the EDG is normally operated at a power factor between 0.8 lagging and 1.0. The 0.8 value is the design rating of the machine, while the 1.0 is an operational limitation to ensure circulating currents are minimized. The load band is provided to avoid routine overloading of the EDG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain EDG OPERABILITY.

The 31 day Frequency for this Surveillance is acceptable based on operating experience.

This SR is modified by four Notes. Note 1 indicates that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 2 states that momentary transients, because of changing bus loads, do not invalidate this test.

Similarly, momentary power factor transients above the limit do not invalidate the test. Note 3 indicates that this Surveillance should be conducted on only one EDG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations. Note 4 stipulates a prerequisite requirement for performance of this SR. A successful EDG start must precede this test to credit satisfactory performance.

North Anna Units 1 and 2 B 3.8.1-22 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.2 and SR 3.8.1.7 (continued)

REQUIREMENTS To minimize the wear on moving parts that do not get lubricated when the engine is not running, these SRs are modified by a Note (Note 1 for SR 3.8.1.2) to indicate that all EDG starts for these Surveillances may be preceded by an engine prelube period and followed by a warmup period prior to loading.

For the purposes of SR 3.8.1.2 and SR 3.8.1.7 testing, the EDGs are started from standby conditions. Standby conditions for an EDG mean that the diesel engine coolant and oil are being continuously circulated, as required, and temperature is being maintained consistent with manufacturer recommendations.

In order to reduce stress and wear on diesel engines, the manufacturer recommends a modified start in which the starting speed of EDGs is limited, warmup is limited to this lower speed, and the EDGs are gradually accelerated to synchronous speed prior to loading. These start procedures are the intent of Note 2.

SR 3.8.1.7 requires that, at a 184 day Frequency, the EDG starts from standby conditions and achieves required voltage and frequency within 10 seconds. The 10 second start requirement supports the assumptions of the design basis LOCA analysis in the UFSAR, Chapter 15 (Ref. 5).

The 10 second start requirement is not applicable to SR 3.8.1.2 (see Note 2) when a modified start procedure as described above is used. If a modified start is not used, the 10 second start requirement of SR 3.8.1.7 applies.

Since SR 3.8.1.7 requires a 10 second start, it is more restrictive than SR 3.8.1.2, and it may be performed in lieu of SR 3.8.1.2.

In addition to the SR requirements, the time for the EDG to reach steady state operation, unless the modified EDG start method is employed, is periodically monitored and the trend evaluated to identify degradation of governor and voltage regulator performance.

(continued)

North Anna Units 1 and 2 B 3.8. 1-21 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE OPERABILITY of the EDGs are in accordance with the REQUIREMENTS recommendations of Safety Guide 9 (Ref. 3), Regulatory (continued) Guide 1.108 (Ref. 8), and Regulatory Guide 1.137 (Ref. 9),

as addressed in the UFSAR.

Where the SRs discussed herein specify voltage and frequency tolerances, the following is applicable. The minimum steady state output voltage of 3740 V is 90% of the nominal 4160 V output voltage. This value, which is specified in ANSI C84.1 (Ref. 10), allows for voltage drop to the terminals of 4000 V motors whose minimum operating voltage is specified as 90% or 3600 V. It also allows for voltage drops to motors and other equipment down through the 120 V level where minimum operating voltage is also usually specified as 90%

of name plate rating. The specified maximum steady state output voltage of 4580 V is equal to the maximum operating voltage specified for 4000 V motors. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum rated operating voltages. The specified minimum and maximum frequencies of the EDG are 59.5 Hz and 60.5 Hz, respectively. These values are < +/-1% of the 60 Hz nominal frequency and are derived from the safety analysis assumptions for operation of ECCS pump criteria.

SR 3.8.1.1 This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to the preferred or alternate power sources for Unit 1 or the preferred power source for Unit 2, and that appropriate independence of offsite circuits is maintained.

The 7 day Frequency is adequate since breaker position is not likely to change without the operator being aware of it and because its status is displayed in the control room.

SR 3.8.1.2 and SR 3.8.1.7 These SRs help to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and to maintain the unit in a safe shutdown condition.

(continued)

North Anna Units 1 and 2 B 3.8. 1-20 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES ACTIONS K.1 and K.2 (continued)

The STRs provide a time delay for the individual component to close its breaker to the associated emergency electrical bus. Each component is sequenced onto the emergency bus by an initiating signal. Required Action K.2 provides for the immediate isolation of the component(s) ability to automatically load on an emergency electrical bus with an inoperable STR. This provides an assurance that the component will not be loaded onto an emergency bus at an incorrect time. Improper loading sequence may cause the emergency bus to become inoperable. Rendering a component with an inoperable STR incapable of loading to the emergency bus prevents a possible overload condition. Required Action K.2.2 provides an alternative option for isolating the component with an inoperable STR from the emergency bus by allowing the associated EDG to be declared inoperable.

L.1 and L.2 If the inoperable AC electric power sources cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

M.1 Condition M corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function.

Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

SURVEILLANCE The AC sources are designed to permit inspection and testing REQUIREMENTS of all important areas and features, especially those that have a standby function, in accordance with GDC 18 (Ref. 1).

Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for demonstrating the (continued)

North Anna Units 1 and 2 B 3.8.1-19 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES ACTIONS I.1 (continued) of AC power for this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown (the immediate shutdown could cause grid instability, which could result in a total loss of AC power).

Since any inadvertent generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

According to Reference 6, with both EDGs inoperable, operation may continue for a period that should not exceed 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

J.1 With two LCO 3.8.1.c required EDGs inoperable, as many as two required shared and potentially required components have no remaining standby AC sources. Thus, with an assumed loss of offsite power condition, the required shared components powered from the other unit would be significantly degraded.

Therefore, the required shared component would immediately be declared inoperable and LCOs 3.7.8, 3.7.10, and 3.7.12 would provide the appropriate restrictions.

K.1 and K.2 Condition K is modified by a Note indicating that separate Condition entry is allowed for each inoperable sequencing timing relay.

Condition K is entered any time a required sequencing timing relay (STR) becomes inoperable. Required Action K.1 directs the entry into the Required Actions and Completion Times associated for the individual component served by the inoperable relay. The instrumentation signals that provide the actuation are governed by LCO 3.3.2, "Engineered Safety Features Actuation System Instrumentation" for safety injection (SI), Containment Spray (Containment Depressurization Actuation (CDA)) and LCO 3.3.5, "Loss of Power (LOP) Emergency Diesel Generator (EDG) Start Instrumentation" for the LOP.

(continued)

North Anna Units 1 and 2 B 3.8. 1-18 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES ACTIONS G.1 and G.2 (continued)

According to Reference 6, with the available offsite AC sources, two less than required by the LCO, operation may continue for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If two offsite sources are restored within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, unrestricted operation may continue. If only one offsite source is restored within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, power operation continues in accordance with Condition A.

H.1 and H.2 Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition H are modified by a Note to indicate that when Condition H is entered with no AC source to any train, the Conditions and Required Actions for LCO 3.8.9, "Distribution Systems-Operating," must be immediately entered. This allows Condition H to provide requirements for the loss of one offsite circuit and one EDG, without regard to whether a train is de-energized. LCO 3.8.9 provides the appropriate restrictions for a de-energized train.

According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition H for a period that should not exceed 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

In Condition H, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in Condition G (loss of both required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

I.1 With Train H and Train J EDGs inoperable, there are no remaining standby AC sources. Thus, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions.

Since the offsite electrical power system is the only source (continued)

North Anna Units 1 and 2 B 3.8. 1-17 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES ACTIONS G.1 and G.2 (continued)

If at any time during the existence of Condition G (two offsite circuits inoperable) a required feature becomes inoperable, this Completion Time begins to be tracked.

According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition G for a period that should not exceed 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources.

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more EDGs inoperable. However, two factors tend to decrease the severity of this level of degradation:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and
b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.

(continued)

North Anna Units 1 and 2 B 3.8. 1-16 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES ACTIONS F.1 and F.2 (continued) status. If during the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time of F.1 or F.2, the AAC DG and this unit's EDG are return to OPERABLE status, Condition F is exited and AOT is restricted by the Completion Time tracked in Condition E. If the AAC DG or one or more of this unit's EDG(s) becomes inoperable at sometime after the initial EDG inoperability, Condition F requires the restoration of the AAC DG and this unit's EDG(s) within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or the supported shared component must be declared inoperable and LCOs 3.7.8, 3.7.10, and 3.7.12 provides the appropriate restrictions.

The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is considered reasonable and takes into account the assumption in the probabilistic safety analysis (PSA) for potential core damage frequency.

G.1 and G.2 Required Action G.1, which applies when two offsite circuits are inoperable, is intended to provide assurance that an event with a coincident single failure will not result in a complete loss of redundant required safety functions. The Completion Time for this failure of redundant required features is reduced to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from that allowed for one train without offsite power (Required Action A.2). The rationale for the reduction to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is that Regulatory Guide 1.93 (Ref. 6) allows a Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for two required offsite circuits inoperable, based upon the assumption that two complete safety trains are OPERABLE.

When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is appropriate. These features are powered from redundant AC safety trains.

The Completion Time for Required Action G.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:

a. All required offsite circuits are inoperable; and
b. A required feature is inoperable.

(continued)

North Anna Units 1 and 2 B 3.8.1-15 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES ACTIONS E.1, E.2, and E.3 (continued)

The remaining OPERABLE offsite circuits and EDGs that power the required shared components are adequate to support the SW, MCR/ESGR EVS, or Auxiliary Building central exhaust system Functions. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time takes into account the component OPERABILITY of the remaining shared components, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

Operation may continue in Condition E for a period of 14 days. With one EDG inoperable on the other unit supplying electrical power to a required shared component, the reliability of the respective Function is degraded. The potential for the loss of EDGs to the other required shared components is increased, with the attendant potential for a challenge to respective Function.

The required EDG must be returned to OPERABLE status within 14 days, or the support function for the associated shared component is considered inoperable. At that time, the required shared component must be declared inoperable and the appropriate Conditions of the LCOs 3.7.8, 3.7.10, and 3.7.12 must be entered. The 14 day Completion Time takes into account the capacity and capability of the remaining AC sources providing electrical power to the required shared components, a reasonable time for repairs and the low probability of a DBA occurring during this period of time.

F.1 and F.2 To ensure a highly reliable electrical power source remains available when one EDG is inoperable that is required to support a required shared component on the other unit, Condition F is established to monitor the OPERABILITY of the AAC DG and the LCO 3.8.1.b EDGs. Condition F is entered any time an EDG that is required to support a required shared component that receives its electrical power from the other unit becomes inoperable and the Required Actions and Completion Times are followed. Concurrently, if the AAC DG or one or more of this unit's EDG(s) is inoperable, or become inoperable, in addition to the Required Actions of Condition E, Required Actions F.1 and F.2 limit the time the EDG may be out of service to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. If the AAC DG or this unit's EDG(s) is inoperable when the other unit's EDG becomes inoperable, the AOT is limited to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, unless the AAC DG and this unit's EDG(s) are returned to OPERABLE (continued)

North Anna Units 1 and 2 B 3.8.1-14 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES ACTIONS E.1, E.2, and E.3 (continued)

To ensure a highly reliable power source remains with an inoperable EDG, it is necessary to verify the availability of the required offsite circuits on a more frequent basis.

Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. Required Action E.1 verifies the OPERABILITY of the required offsite sources within an hour of the inoperability and every 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must be entered.

Required Action E.2 is intended to provide assurance that a loss of offsite power, during the period that an EDG is inoperable, does not result in a complete loss of the SW, MCR/ESGR EVS, or Auxiliary Building central exhaust system Functions.

The Completion Time for Required Action E.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. The required shared component with an inoperable EDG; and
b. A required shared component(s) in the same system is inoperable.

If at any time during the existence of Condition E (one EDG inoperable on the other unit needed to supply electrical power for a required shared component) another required shared component subsequently becomes inoperable, this Completion Time begins to be tracked.

Discovering an EDG on the other unit that supports a required shared component and an additional required shared component inoperable, results in starting the Completion Times for the Required Action. Four hours is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

(continued)

North Anna Units 1 and 2 B 3.8. 1-13 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES ACTIONS D.1, D.2 and D.3 (continued)

If at any time during the existence of Condition D (one offsite circuit inoperable on the other unit needed to supply electrical power for a required shared component) another required shared component in the same system subsequently becomes inoperable, this Completion Time begins to be tracked.

Discovering no offsite power on the other unit that supports a required shared component and an additional required shared component in the same system inoperable, results in starting the Completion Times for the Required Action.

Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE offsite circuits and EDGs that power the required shared components are adequate to support the SW, MCR/ESGR EVS, and Auxiliary Building central exhaust system Functions. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account the component OPERABILITY of the remaining shared component(s), a reasonable time for repairs, and the low probability of a DBA occurring during this period.

Operation may continue in Condition D for a period of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. With one offsite circuit inoperable on the other unit supplying electrical power to a required shared component, the reliability of the SW, MCR/ESGR EVS, and Auxiliary Building central exhaust system Functions are degraded. The potential for the loss of offsite power to the other required shared components is increased, with the attendant potential for a challenge to SW, MCR/ESGR EVS, and Auxiliary Building central exhaust system Functions.

The required offsite circuit must be returned to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, or the support function for the associated shared component is considered inoperable. At that time, the required shared component must be declared inoperable and the appropriate Conditions of the LCO 3.7.8, "Service Water System," LCO 3.7.10, "MCR/ESGR Emergency Ventilation System," and LCO 3.7.12, "Emergency Core Cooling System (ECCS) Pump Room Exhaust Air Cleanup System," must be entered. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources providing electrical power to the required shared components, a reasonable time for repairs and the low probability of a DBA occurring during this period of time.

North Anna Units 1 and 2 B 3.8. 1-12 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES ACTIONS C.1 and C.2 (continued) is exited and AOT is restricted by the Completion Time tracked in Condition B. If the AAC DG or one or more of the other unit's EDG(s) becomes inoperable at sometime after the initial EDG inoperability, Condition C requires the restoration of the EDG or the AAC DG and the other unit's EDG(s) within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or Condition L is required to be entered.

The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is considered reasonable and takes into account the assumption in the probabilistic safety analysis (PSA) for potential core damage frequency.

D.1, D.2, and D.3 Condition D is modified by a Note indicating that separate Condition entry is allowed for each offsite circuit on the other unit that provides electrical power to required shared components.

To provide the necessary electrical power for the SW, MCR/ESGR EVS, and Auxiliary Building central exhaust functions for a unit, AC electrical sources of both units may be required to be OPERABLE. Action D is entered for one or more inoperable offsite circuit(s) on the other unit that is necessary to support required shared components. These shared components are the SW pump(s), MCR/ESGR fan(s), and Auxiliary Building central exhaust fan(s). Required Action D.1 verifies the OPERABILITY of the remaining required offsite sources within an hour of the inoperability and every 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter. Since the Required Action only specifies "perform," a failure of the SR 3.8.1.1 acceptance criteria does not result in a Required Action not met.

The Completion Time for Required Action D.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. The required shared component has no offsite power; and
b. A required shared component(s) in the same system is inoperable.

(continued)

North Anna Units 1 and 2 B 3.8.1-11 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES ACTIONS B.4 (continued)

The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the EDG. At this time, an offsite circuit could again become inoperable, the EDG restored OPERABLE, and an additional 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> (for a total of 20 days) allowed prior to complete restoration of the LCO. The 17 day Completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 14 day and 17 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition B was entered.

C.1 and C.2 To ensure a highly reliable electrical power source remains available when one EDG is inoperable, Condition C is established to monitor the OPERABILITY of the AAC DG and the other unit's EDGs. Condition B is entered any time an EDG becomes inoperable and the Required Actions and Completion Times are followed. Concurrently, if the AAC DG or one or more of the other unit's EDG(s) is inoperable, or become inoperable, in addition to the Required Actions of Condition B, Required Actions C.1 and C.2 limit the time the EDG may be out of service to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. If the AAC DG or the other unit's EDG(s) is inoperable when the EDG becomes inoperable, the allowed outage time (AOT) is limited to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, unless the AAC DG and the other unit's EDG(s) are returned to OPERABLE status. If during the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time of C.1 or C.2, the AAC DG and the other unit's EDG(s) are returned to OPERABLE status, Condition C (continued)

North Anna Units 1 and 2 B 3.8.1i-10 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES ACTIONS B.2 (continued) basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time takes into account the OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

B.3.1 and B.3.2 Required Action B.3.1 provides an allowance to avoid unnecessary testing of the OPERABLE EDG. If it can be determined that the cause of the inoperable EDG does not exist on the OPERABLE EDG, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on the other EDG, the other EDG would be declared inoperable upon discovery and Condition I of LCO 3.8.1 would be entered.

Once the failure is repaired, the common cause failure no longer exists, and Required Action B.3.1 is satisfied. If the cause of the initial inoperable EDG cannot be confirmed not to exist on the remaining EDG, performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of that EDG.

In the event the inoperable EDG is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the plant corrective action program will continue to evaluate the common cause possibility, including the other unit's EDGs.

This continued evaluation, however, is no longer under the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> constraint imposed while in Condition B.

According to Generic Letter 84-15 (Ref. 7), 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is reasonable to confirm that the OPERABLE EDG is not affected by the same problem as the inoperable EDG.

B.4 In Condition B, the remaining OPERABLE EDG, offsite circuits, AAC DG, and the other unit's EDGs are adequate to supply electrical power to the onsite Class 1E Distribution System. The 14 day Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

(continued)

North Anna Units 1 and 2 B 3.8. 1-9 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES ACTIONS B.1 (continued)

Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered.

B.2 Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that an EDG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related trains. Redundant required feature failures consist of inoperable features associated with a train, redundant to the train that has an inoperable EDG.

The Completion Time for Required Action B.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. An inoperable EDG exists; and
b. A required feature on the other train (Train H or Train J) is inoperable.

If at any time during the existence of this Condition (one EDG inoperable) a required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.

Discovering one required EDG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE EDG, results in starting the Completion Time for the Required Action.

Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

In this Condition, the remaining OPERABLE EDG and offsite circuits are adequate to supply electrical power to the onsite Class IE Distribution System. Thus, on a component (continued)

North Anna Units 1 and 2 B 3.8.1-8 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES ACTIONS A.3 (continued)

The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, an EDG is inoperable and that EDG is subsequently returned OPERABLE, the LCO may already have been not met for up to 14 days. This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, an EDG could again become inoperable, the circuit restored OPERABLE, and an additional 14 days (for a total of 31 days) allowed prior to complete restoration of the LCO.

The 17 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and 17 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition A was entered.

B.1 Condition B is entered for an inoperable EDG and requires the OPERABILITY of additional electrical sources for the allowed Completion Time of 14 days. The additional electrical sources required to be OPERABLE are the Alternate AC (AAC) diesel generator (DG) (Station Black Out (SBO) diesel generator), and both EDGs of the other unit. If any of these additional sources are inoperable at the time an EDG becomes inoperable, or become inoperable with an EDG in Condition B, Condition C must also be entered for the inoperable EDG.

To ensure a highly reliable power source remains with an inoperable EDG, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required (continued)

North Anna Units 1 and 2 B 3.8.1-7 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES ACTIONS A.2 (continued)

b. A required feature on the other train is inoperable.

If at any time during the existence of Condition A (one offsite circuit inoperable) a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

Discovering no offsite power to one train of the onsite Class 1E Electrical Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with the other train that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE offsite circuit and EDGs are adequate to supply electrical power to Train H and Train J of the onsite Class 1E Distribution System. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature.

Additionally, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

A.3 According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition A for a period that should not exceed 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuit and EDGs are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

(continued)

North Anna Units 1 and 2 B 3.8. 1-6 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES APPLICABILITY The AC sources and sequencing timing relays are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

The AC power requirements for MODES 5 and 6 are covered in LCO 3.8.2, "AC Sources-Shutdown."

ACTIONS A.1 To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the OPERABILITY of the remaining required offsite circuit(s) on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met.

However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition G, for two offsite circuits inoperable, is entered.

A.2 Required Action A.2, which only applies if the train cannot be powered from an offsite source, is intended to provide assurance that an event coincident with a single failure of the associated EDG will not result in a complete loss of safety function of critical redundant required features.

These features are powered from the redundant AC electrical power trains.

The Completion Time for Required Action A.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. The train has no offsite power supplying its loads; and (continued)

North Anna Units 1 and 2 B 3.8.1-5 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES LCO Offsite circuits consist of 34.5 kV buses 3, 4, and 5 (continued) supplying the Reserve Station Service Transformer(s) (RSST) which feed the transfer buses. The D, E, and F transfer buses supply the onsite electrical power to the four emergency buses for the two units. Unit 1 emergency bus H is fed through the F transfer bus from the C RSST. Unit 1 emergency bus J is fed through the D transfer bus from the A RSST.

Unit 1 station service bus 1B can be an alternate feed for Unit I H emergency bus, while Unit 1 J bus may be fed from Unit 2 station service bus 2B. Unit 2 emergency bus H is fed through the E transfer bus from the B RSST. Unit 2 emergency bus J is fed through the F transfer bus from the C RSST. The RSSTs can be fed by any 34.5 kV bus (3, 4, or 5) provided RSSTs A and B are fed from a different 34.5 kV bus than RSST C. Specific breaker nomenclature for individual circuits may be obtained from drawings in the UFSAR, Chapter 8 (Ref. 2).

Each EDG must be capable of starting, accelerating to rated speed and voltage, and connecting to its respective ESF bus on detection of bus undervoltage or degraded voltage. This will be accomplished within 10 seconds. Each EDG must also be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as EDG in standby with the engine hot and EDG in standby with the engine at ambient conditions. Additional EDG capabilities must be demonstrated to meet required Surveillances.

Proper sequencing of loads is a required function for EDG OPERABILITY.

The other unit's offsite circuit(s) and EDG(s) are required to be OPERABLE to support the SW, MCR/ESGR ventilation, and Auxiliary Building central exhaust functions needed for this unit. These functions share components, pump or fans, which are electrically powered from both units.

The AC sources in one train must be separate and independent (to the extent possible) of the AC sources in the other train. For the EDGs, separation and independence are complete.

For the offsite AC sources, separation and independence are to the extent practical.

North Anna Units 1 and 2 B 3.8. 1-4 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES APPLICABLE The initial conditions of DBA and transient analyses in the SAFETY ANALYSES UFSAR, Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5), assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This results in maintaining at least one train of the onsite or offsite AC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC power; and
b. A worst case single failure.

The AC sources satisfy Criterion 3 of 10 CFR 50.36(c) (2) (ii).

LCO Two qualified circuits between the offsite transmission network and the onsite Class 1E Electrical Power System and separate and independent EDGs for each train ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated DBA.

Qualified offsite circuits are those that are described in the UFSAR and are part of the licensing basis for the unit.

In addition, the automatic load sequencing timing relays must be OPERABLE.

Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the ESF buses.

(continued)

North Anna Units 1 and 2 B 3.8. 1-3 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 BASES BACKGROUND connected loads and all automatically connected loads, via (continued) the load sequencing timing relays, needed to recover the unit or maintain it in a safe condition are energized.

The onsite standby power source for each 4.16 kV ESF bus is a dedicated EDG. EDGs H and J are dedicated to ESF buses H and J, respectively. An EDG starts automatically on a safety injection (SI) signal (i.e., low pressurizer pressure or high containment pressure signals) or on an ESF bus degraded voltage or undervoltage signal (refer to LCO 3.3.5, "Loss of Power (LOP) Emergency Diesel Generator (EDG) Start Instrumentation"). After the EDG has started, it will automatically tie to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with an SI signal. The EDGs will also start and operate in the standby mode without tying to the ESF bus on an SI signal or a momentary undervoltage condition. Following the trip of offsite power, an undervoltage signal strips nonpermanent loads from the ESF bus. When the EDG is tied to the ESF bus, loads are then sequentially connected to their respective ESF bus by the sequencing timing relays. The specific ESF equipment's sequencing timer controls the permissive and starting signals to motor breakers to prevent overloading the EDG by automatic load application.

In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the EDGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA).

Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the EDG in the process. After the initiating signal is received, all loads needed to recover the unit or maintain it in a safe condition are returned to service.

Ratings for Train H and Train J EDGs satisfy the requirements of Safety Guide 9 (Ref. 3). The continuous service rating of each EDG is 2750 kW with 3000 kW allowable for up to 2000 hours0.0231 days <br />0.556 hours <br />0.00331 weeks <br />7.61e-4 months <br /> per year. The ESF loads that are powered from the 4.16 kV ESF buses are listed in Reference 2.

North Anna Units 1 and 2 B 3.8. 1-2 Revision 0, 04/02/02

AC Sources-Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources-Operating BASES BACKGROUND The unit Class 1E AC Electrical Power Distribution System AC sources consist of the offsite power sources (preferred power sources, normal and alternate(s)), and the onsite standby power sources (Train A(H) and Train B(J) emergency diesel generators (EDGs)). As required by GDC 17 (Ref. 1),

the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.

Additionally, the unit's electrical sources must include electrical sources from the other unit that are required to support the Service Water (SW), Main Control Room (MCR)/Emergency Switchgear Room (ESGR) Emergency Ventilation System (EVS), or Auxiliary Building central exhaust system safety functions. This requirement could include both of the other unit's offsite circuits and EDGs for this unit.

The onsite Class 1E AC Distribution System is divided into redundant load groups (trains) so that the loss of any one group does not prevent the minimum safety functions from being performed. Each train has connections to one preferred offsite power source and a single EDG.

Offsite power is supplied to the switchyard from the transmission network by several different transmission lines. From the switchyard, two electrically and physically separated circuits provide AC power, through reserve station service transformers (RSSTs), to the 4.16 kV ESF buses. A detailed description of the offsite power network and the circuits to the Class 1E ESF buses is found in the UFSAR, Chapter 8 (Ref. 2).

An offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESF bus(es).

Certain required unit loads are energized in a predetermined sequence in order to prevent overloading the transformer supplying offsite power to the onsite Class 1E Distribution System. After the initiating signal is received, permanently (continued)

North Anna Units 1 and 2 B 3.8.1-1 Revision 0, 04/02/02

Intentionally Blank Spent Fuel Pool Storage B 3.7.18 BASES ACTIONS A.1 Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply.

When the configuration of fuel assemblies stored in the spent fuel storage pool is not in accordance with Figure 3.7.18-1 and Figure 3.7.18-2, the immediate action is to initiate action to make the necessary fuel assembly movement(s) to bring the configuration into compliance with the LCO.

If unable to move irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not be applicable. If unable to move irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the action is independent of reactor operation. Therefore, inability to move fuel assemblies is not sufficient reason to require a reactor shutdown.

SURVEILLANCE SR 3.7.18.1 REQUIREMENTS This SR verifies by a combination of visual inspection and administrative means that the initial enrichment and burnup of the fuel assembly is in accordance with Figure 3.7.18-1 and the fuel assembly storage location is in accordance with Figure 3.7.18-2.

REFERENCES 1. UFSAR, Section 9.1.2.

2. UFSAR, Section 4.3.2.7.
3. UFSAR, Section 3.1.53.

North Anna Units I and 2 B 3.7. 18-3 Revision 0, 04/02/02

Spent Fuel Pool Storage B 3.7.18 BASES APPLICABLE pool geometry (Ref. 2). There are three basic acceptance SAFETY ANALYSES criteria which ensure conformance with the design bases (continued) (Ref. 3). They are:

a. keff < 1.0 assuming no soluble boron in the fuel storage pool,
b. A soluble boron concentration sufficient to ensure keff < 0.95, and
c. An additional amount of soluble boron sufficient to offset the maximum reactivity effects of postulated accidents and to account for the uncertainty in the computed reactivity of fuel assemblies.

The postulated accidents considered when determining the required fuel storage pool arrangement and minimum boron concentration are the misloading of a fuel assembly, an increase in fuel storage pool temperature, and boron dilution. Analyses have shown that a combination of the fuel storage pool geometric arrangement and the amount of boron required by the LCO is sufficient to ensure that the most limiting misloading of a fuel assembly results in a keff < 0.95.

The configuration of fuel assemblies in the fuel storage pool satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The restrictions on the placement of fuel assemblies within the spent fuel pool, in accordance with Figures 3.7.18-1 and 3.7.18-2, in the accompanying LCO, ensures the keff of the spent fuel storage pool will always remain < 1.0.

Figure 3.7.18-1 is used to determine if a fuel assembly is acceptable for storage without use of a fuel assembly matrix. Based on the initial enrichment and burnup, a fuel assembly may be stored without using a fuel assembly matrix, or must be stored in a high or low reactivity location of a fuel assembly matrix. Figure 3.7.18-2 describes the fuel assembly matrix storage configuration. These storage restrictions, when combined with the fuel storage pool boron concentration limit in LCO 3.7.17, ensure that the fuel storage pool keff meets the limits in Section 4.3, "Design Features."

APPLICABILITY This LCO applies whenever any fuel assembly is stored in the fuel storage pool.

North Anna Units 1 and 2 B 3.7. 18-2 Revision 0, 04/02/02

Spent Fuel Pool Storage B 3.7.18 B 3.8 PLANT SYSTEMS B 3.7.18 Spent Fuel Pool Storage BASES BACKGROUND The fuel storage pool contains racks which hold the fuel assemblies. The arrangement of the fuel assemblies in the fuel racks can be used to limit the interaction of the fuel assemblies and the resulting reactivity of the fuel in the fuel storage pool. The geometrical arrangement is based on classifying fuel assemblies as "high reactivity" or "low reactivity" based on the burnup and initial enrichment of the fuel assemblies. A 5 x 5 fuel location matrix is employed with acceptable locations for high and low reactivity fuel assemblies. Fuel assemblies may also be stored in fuel locations not associated with a storage matrix if the assemblies meet certain requirements.

Storing the fuel assemblies in the locations required by the LCO ensures a fuel storage pool keff < 1.0 for normal conditions. In addition, the water in the spent fuel storage pool contains soluble boron, which results in large subcriticality margins under normal operating conditions.

However, the NRC guidelines assume accident conditions, such as loss of all soluble boron or misloading of a fuel assembly. In these cases, the subcriticality margin is allowed to be smaller, but in all cases must be less than 1.0. This subcriticality margin is maintained by storing the fuel assemblies as described in the LCO and by the use of soluble boron in the fuel storage pool water as required by LCO 3.7.17, "Fuel Storage Pool Boron Concentration." The accident analyses assume the presence of soluble boron under accident conditions, such as the misloading of a fuel assembly into a location not allowed by LCO 3.7.18, a loss of cooling to the fuel storage pool resulting in a temperature increase of the fuel storage pool water, or a dilution of the boron dissolved in the fuel storage pool.

A general description of the fuel storage pool design is given in the UFSAR, Section 9.1.2 (Ref. 1).

APPLICABLE Criticality of the fuel assemblies in the fuel storage pool SAFETY ANALYSES racks is prevented by the design of the rack and by administrative controls related to fuel storage pool boron concentration, fuel assembly burnup credit, and fuel storage (continued)

North Anna Units 1 and 2 B 3.7.18-1 Revision 0, 04/02/02

Intentionally Blank Fuel Storage Pool Boron Concentration B 3.7.17 BASES ACTIONS A.1 and A.2 (continued) of fuel assemblies. The concentration of boron is restored simultaneously with suspending movement of fuel assemblies.

Prior to resuming movement of fuel assemblies, the concentration of boron must be restored to within limit.

This does not preclude movement of a fuel assembly to a safe position.

If the LCO is not met while moving irradiated fuel assemblies in MODE 5 or 6, LCO 3.0.3 would not be applicable. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operation.

Therefore, inability to suspend movement of fuel assemblies is not sufficient reason to require a reactor shutdown.

SURVEILLANCE SR 3.7.17.1 REQUIREMENTS This SR verifies that the concentration of boron in the fuel storage pool is within the required limit. As long as this SR is met, the analyzed accidents are fully addressed. The 7 day Frequency is appropriate because no major replenishment of pool water is expected to take place over such a short period of time.

REFERENCES 1. UFSAR, Section 9.1.2.

2. UFSAR, Section 4.3.2.7.
3. UFSAR, Section 3.1.53.

North Anna Units 1 and 2 B 3.7.17-3 Revision 0, 04/02/02

Fuel Storage Pool Boron Concentration B 3.7.17 BASES APPLICABLE The postulated accidents considered when determining the SAFETY ANALYSES required fuel storage pool boron concentration are the (continued) misloading of a fuel assembly, an increase in fuel storage pool temperature, and boron dilution. Analyses have shown that the amount of boron required by the LCO is sufficient to ensure that the most limiting misloading of a fuel assembly results in a keff < 0.95. The boron concentration limit also accommodates decreases in water density due to temperature increases in the fuel storage pool. Analyses have also shown that there is sufficient time to detect and mitigate a boron dilution event prior to exceeding the design basis of keff < 0.95. The fuel storage pool analyses do not credit the Boraflex neutron absorbing material in the fuel storage pool racks.

The concentration of dissolved boron in the fuel storage pool satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The fuel storage pool boron concentration is required to be

Ž 2600 ppm. The specified concentration of dissolved boron in the fuel storage pool preserves the assumptions used in the analyses which take credit for soluble boron and for fuel loading restrictions based on fuel enrichment and burnup.

The fuel loading restrictions are described in LCO 3.7.18.

The fuel storage pool boron concentration limit, when combined with fuel burnup and geometry limits in LCO 3.7.18, ensures that the fuel storage pool keff meets the limits in Section 4.3, "Design Features."

APPLICABILITY This LCO applies whenever fuel assemblies are stored in the spent fuel storage pool. The required boron concentration ensures that the keff limits in Section 4.3 are met when fuel is stored in the fuel storage pool.

ACTIONS A.1 and A.2 The Required Actions are modified by a Note indicating that LCO 3.0.3 does not apply.

When the concentration of boron in the fuel storage pool is less than required, immediate action must be taken to preclude the occurrence of an accident or to mitigate the consequences of an accident in progress. This is most efficiently achieved by immediately suspending the movement (continued)

North Anna Units 1 and 2 B 3.7.17-2 Revision 0, 04/02/02

Fuel Storage Pool Boron Concentration B 3.7.17 B 3.7 PLANT SYSTEMS B 3.7.17 Fuel Storage Pool Boron Concentration BASES BACKGROUND The water in the spent fuel storage pool contains soluble boron, which results in large subcriticality margins under normal operating conditions. However, the NRC guidelines assume accident conditions, such as loss of all soluble boron or misloading of a fuel assembly. In these cases, the subcriticality margin is allowed to be smaller, but in all cases must be less than 1.0. This subcriticality margin is maintained by storing the fuel assemblies in the fuel storage pool in a geometry which limits the reactivity of the fuel assemblies and by the use of soluble boron in the fuel storage pool water. The required geometry for fuel assembly storage in the fuel storage pool is described in LCO 3.7.18, "Spent Fuel Pool Storage." The accident analyses assume the presence of soluble boron under accident conditions, such as the misloading of a fuel assembly into a location not allowed by LCO 3.7.18, a loss of cooling to the fuel storage pool resulting in a temperature increase of the fuel storage pool water, or a dilution of the boron dissolved in the fuel storage pool.

A general description of the fuel storage pool design is given in the UFSAR, Section 9.1.2 (Ref. 1).

APPLICABLE Criticality of the fuel assemblies in the fuel storage pool SAFETY ANALYSES racks is prevented by the design of the rack and by administrative controls related to fuel storage pool boron concentration, fuel assembly burnup credit, and fuel storage pool geometry (Ref. 2). There are three basic acceptance criteria which ensure conformance with the design bases (Ref. 3). They are:

a. keff < 1.0 assuming no soluble boron in the fuel storage pool,
b. A soluble boron concentration sufficient to ensure keff < 0.95, and
c. An additional amount of soluble boron sufficient to offset the maximum reactivity effects of postulated accidents and to account for the uncertainty in the computed reactivity of fuel assemblies.

North Anna Units 1 and 2 B 3.7.17-1 Revision 0, 04/02/02

Intentionally Blank Fuel Storage Pool Water Level B 3.7.16 BASES SURVEILLANCE SR 3.7.16.1 (continued)

REQUIREMENTS During refueling operations, the level in the fuel storage pool is in equilibrium with the refueling canal, and the level in the refueling canal is checked daily in accordance with SR 3.9.7.1.

REFERENCES 1. UFSAR, Section 9.1.2.

2. UFSAR, Section 9.1.3.
3. UFSAR, Section 15.4.5.
4. Regulatory Guide 1.25.
5. 10 CFR 100.11.

North Anna Units I and 2 B 3.7. 16-3 Revision 0, 04/02/02

Fuel Storage Pool Water Level B 3.7.16 BASES LCO The fuel storage pool water level is required to be Ž 23 ft over the top of irradiated fuel assemblies seated in the storage racks. The specified water level preserves the assumptions of the fuel handling accident analysis (Ref. 3).

As such, it is the minimum required for fuel storage and movement within the fuel storage pool.

APPLICABILITY This LCO applies during movement of irradiated fuel assemblies in the fuel storage pool, since the potential for a release of fission products exists.

ACTIONS A.1 Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply.

When the initial conditions for prevention of an accident cannot be met, steps should be taken to preclude the accident from occurring. When the fuel storage pool water level is lower than the required level, the movement of irradiated fuel assemblies in the fuel storage pool is immediately suspended to a safe position. This action effectively precludes the occurrence of a fuel handling accident. This does not preclude movement of a fuel assembly to a safe position.

If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODES 1, 2, 3, and 4, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.

SURVEILLANCE SR 3.7.16.1 REQUIREMENTS This SR verifies sufficient fuel storage pool water is available in the event of a fuel handling accident. The water level in the fuel storage pool must be checked periodically.

The 7 day Frequency is appropriate because the volume in the pool is normally stable. Water level changes are controlled by plant procedures and are acceptable based on operating experience.

(continued)

North Anna Units 1 and 2 B 3.7.16-2 Revision 0, 04/02/02

Fuel Storage Pool Water Level B 3.7.16 B 3.7 PLANT SYSTEMS B 3.7.16 Fuel Storage Pool Water Level BASES BACKGROUND The minimum water level in the fuel storage pool meets the assumptions of iodine decontamination factors following a fuel handling accident. The specified water level shields and minimizes the general area dose when the storage racks are filled to their maximum capacity. The water also provides shielding during the movement of spent fuel.

A general description of the fuel storage pool design is given in the UFSAR, Section 9.1.2 (Ref. 1). A description of the Spent Fuel Pool Cooling and Cleanup System is given in the UFSAR, Section 9.1.3 (Ref. 2). The assumptions of the fuel handling accident are given in the UFSAR, Section 15.4.5 (Ref. 3).

APPLICABLE The minimum water level in the fuel storage pool meets the SAFETY ANALYSES assumptions of the fuel handling accident described in Regulatory Guide 1.25 (Ref. 4). The resultant 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> thyroid dose per person at the exclusion area boundary is within the 10 CFR 100 (Ref. 5) limits.

According to Reference 4, there is 23 ft of water between the top of the damaged fuel bundle and the fuel pool surface during a fuel handling accident. With 23 ft of water, the assumptions of Reference 4 can be used directly. In practice, this LCO preserves this assumption for the bulk of the fuel in the storage racks. In the case of a single bundle dropped and lying horizontally on top of the spent fuel racks, however, there may be < 23 ft of water above the top of the fuel bundle and the surface, indicated by the width of the bundle. To offset this small nonconservatism, the analysis assumes that all fuel rods fail, although analysis shows that only the first few rows fail from a hypothetical maximum drop.

The fuel storage pool water level satisfies Criteria 2 and 3 of 10 CFR 50.36(c)(2)(ii).

North Anna Units 1 and 2 B 3.7.16-1 Revision 0, 04/02/02

Intentionally Blank FBVS B 3.7.15 BASES ACTIONS A.1 (continued) taken immediately to suspend movement of recently irradiated fuel assemblies in the fuel building. This does not preclude the movement of fuel to a safe position.

SURVEILLANCE SR 3.7.15.1 REQUIREMENTS This SR verifies the integrity of the fuel building enclosure. The ability of the fuel building to maintain negative pressure with respect to potentially uncontaminated adjacent areas is periodically tested to verify proper function of the FBVS. The FBVS is designed to maintain a slight negative pressure in the fuel building, to prevent unfiltered LEAKAGE. The FBVS is designed to maintain a

  • -0.125 inches water gauge with respect to atmospheric pressure. The Frequency of 18 months is consistent with the guidance provided in NUREG-0800, Section 6.5.1 (Ref. 5).

REFERENCES 1. UFSAR, Section 9.4.5.

2. UFSAR, Section 15.4.5.
3. Regulatory Guide 1.25.
4. 10 CFR 50, Appendix A, GDC-19.
5. NUREG-0800, Section 6.5.1, Rev. 2, July 1981.

North Anna Units 1 and 2 B 3.7. 15-3 Revision 0, 04/02/02

FBVS B 3.7.15 BASES LCO The FBVS is required to be OPERABLE and at least one fan in operation. Total system failure could result in the atmospheric release from the fuel building exceeding the 10 CFR 50, Appendix A, GDC-19 (Ref. 4) limits in the event of a fuel handling accident involving handling recently irradiated fuel.

The FBVS is considered OPERABLE when the individual components are OPERABLE. The FBVS is considered OPERABLE when at least one fan is OPERABLE, the associated FBVS ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained.

The LCO is modified by a Note allowing the fuel building boundary to be opened intermittently under administrative controls. For entry and exit through doors the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls consist of stationing a dedicated individual at the opening who is in continuous communication with the control room. This individual will have a method to rapidly close the opening when a need for fuel building isolation is indicated.

APPLICABILITY During movement of recently irradiated fuel in the fuel handling area, the FBVS is required to be OPERABLE to alleviate the consequences of a fuel handling accident.

ACTIONS LCO 3.0.3 is not applicable while in MODE 5 or 6. However, since irradiated fuel assembly movement can occur in MODE 1, 2, 3, or 4, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operations. Entering LCO 3.0.3 while in MODE 1, 2, 3, or 4, would require the unit to be shutdown unnecessarily.

A.1 When the FBVS is inoperable or not in operation during movement of recently irradiated fuel assemblies in the fuel building, action must be taken to place the unit in a condition in which the LCO does not apply. Action must be (continued)

North Anna Units 1 and 2 B 3.7.15-2 Revision 0, 04/02/02

FBVS B 3.7.15 B 3.7 PLANT SYSTEMS B 3.7.15 Fuel Building Ventilation System (FBVS)

BASES BACKGROUND The FBVS discharges airborne radioactive particulates from the area of the fuel pool following a fuel handling accident.

The FBVS, in conjunction with other normally operating systems, also provides environmental control of temperature and humidity in the fuel pool area.

The FBVS consists of ductwork, valves and dampers, instrumentation, and two redundant fans.

The FBVS, which may also be operated during normal plant operations, discharges air from the fuel building.

The FBVS is discussed in the UFSAR, Sections 9.4.5 and 15.4.5 (Refs. 1 and 2, respectively) because it may be used for normal, as well as post accident functions.

APPLICABLE The FBVS design basis is established by the consequences of SAFETY ANALYSES the limiting Design Basis Accident (DBA), which is a fuel handling accident involving handling recently irradiated fuel. The analysis of the fuel handling accident, given in Reference 2, assumes that all fuel rods in an assembly are damaged. The DBA analysis of the fuel handling accident assumes that the FBVS is functional with one fan operating.

The amount of fission products available for release from the fuel building is determined for a fuel handling accident. Due to radioactive decay, FBVS is only required to be OPERABLE during fuel handling accidents involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within a time frame established by analysis. The term recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time). These assumptions and the analysis follow the guidance provided in Regulatory Guide 1.25 (Ref. 3).

The fuel handling accident analysis for the fuel building assumes all of the radioactive material available for release is discharged from the fuel building by the FBVS.

The FBVS satisfies Criterion 3 of the 10 CFR 50.36(c) (2) (ii).

North Anna Units 1 and 2 B 3.7.15-1 Revision 0, 04/02/02

Intentionally Blank MCR/ESGR EVS-During Movement of Recently Irradiated Fuel Assemblies B 3.7.14 BASES SURVEILLANCE SR 3.7.14.1 (continued)

REQUIREMENTS filters from humidity in the ambient air. Each required train must be operated for Ž 10 continuous hours with the heaters energized. The 31 day Frequency is based on the reliability of the equipment and the two train redundancy availability.

SR 3.7.14.2 This SR verifies that the required MCR/ESGR EVS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing the performance of the demister filter, HEPA filter, charcoal adsorber efficiency, minimum and maximum flow rate, and the physical properties of the activated charcoal. Specific test Frequencies and additional information are discussed in detail in the VFTP.

SR 3.7.14.3 This SR verifies, by pressurizing the MCR/ESGR envelope, the integrity of the MCR/ESGR envelope, and the assumed inleakage rates of the potentially contaminated air. The MCR/ESGR envelope positive pressure, with respect to potentially contaminated adjacent areas, is periodically tested to verify proper functioning of the MCR/ESGR EVS.

During the emergency mode of operation, the MCR/ESGR EVS is designed to pressurize the MCR/ESGR envelope Ž 0.04 inches water gauge positive pressure with respect to adjacent areas in order to prevent unfiltered inleakage. The MCR/ESGR EVS is designed to maintain this positive pressure with one train at a makeup flow rate of Ž 900 cfm and

  • 1100 cfm. The Frequency of 18 months on a STAGGERED TEST BASIS is consistent with the guidance provided in NUREG-0800 (Ref. 3).

REFERENCES 1. UFSAR, Section 6.4.

2. 10 CFR 50, Appendix A.
3. NUREG-0800, Rev. 2, July 1981.
4. UFSAR, Chapter 15.

North Anna Units 1 and 2 B 3.7.14-5 Revision 0, 04/02/02

MCR/ESGR EVS-During Movement of Recently Irradiated Fuel Assemblies B 3.7.14 BASES APPLICABILITY During movement of recently irradiated fuel assemblies, the (continued) MCR/ESGR EVS must be OPERABLE to respond to the release from a fuel handling accident involving handling recently irradiated fuel. The MCR/ESGR EVS is only required to be OPERABLE during fuel handling involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within a time frame established by analysis. The term recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time), due to radioactive decay.

ACTIONS A.1 When one required MCR/ESGR EVS train is inoperable, action must be taken to restore OPERABLE status within 7 days. In this Condition, the remaining required OPERABLE MCR/ESGR EVS train is adequate to perform the MCR/ESGR envelope protection function. However, the overall reliability is reduced because a single failure in the required OPERABLE MCR/ESGR EVS train could result in loss of MCR/ESGR EVS function. The 7 day Completion Time is based on the low probability of a DBA occurring during this time period, and ability of the remaining trains to provide the required capability.

B.1 and B.2 During movement of recently irradiated fuel assemblies, if the required inoperable MCR/ESGR EVS train cannot be restored to OPERABLE status within the required Completion Time or two required MCR/ESGR EVS trains are inoperable, action must be taken to immediately suspend activities that could result in a release of radioactivity that might require isolation of the MCR/ESGR envelope. This places the unit in a condition that minimizes risk. This does not preclude the movement of fuel to a safe position.

SURVEILLANCE SR 3.7.14.1 REQUIREMENTS Standby systems should be checked periodically to ensure that they function properly. As the environment and normal operating conditions on the MCR/ESGR EVS are not too severe, testing each required train once every month provides an adequate check of this system. Monthly heater operations dry out any moisture accumulated in the charcoal and HEPA (continued)

North Anna Units 1 and 2 B 3.7.14-4 Revision 0, 04/02/02

MCR/ESGR EVS-During Movement of Recently Irradiated Fuel Assemblies B 3.7.14 BASES LCO Two independent and redundant MCR/ESGR EVS trains are required to be OPERABLE to ensure that at least one is available assuming a single failure disables the other train. Total system failure could result in exceeding the control room operator dose limits of 10 CFR 50, Appendix A, GDC-19 (Ref. 2), and NUREG-0800, Section 6.4 (Ref. 3), in the event of a large radioactive release.

The MCR/ESGR EVS-During Movement of Recently Irradiated Fuel Assemblies is considered OPERABLE when the individual components necessary to limit operator exposure are OPERABLE in the two required trains of the MCR/ESGR EVS-During Movement of Recently Irradiated Fuel Assemblies.

An MCR/ESGR EVS train is OPERABLE when the associated:

a. Fan is OPERABLE;
b. Demister filters, HEPA filters and charcoal adsorbers are not excessively restricting flow, and are capable of performing their filtration functions; and
c. Heater, ductwork, valves, and dampers are OPERABLE, and air flow can be maintained.

The MCR/ESGR EVS is shared by Unit 1 and Unit 2.

In addition, the MCR/ESGR boundary must be maintained, including the integrity of the walls, floors, ceilings, ductwork, and access doors.

The LCO is modified by a Note allowing the MCR/ESGR boundary to be opened intermittently under administrative controls.

For entry and exit through doors the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls consist of stationing a dedicated individual at the opening who is in continuous communication with the control room. This individual will have a method to rapidly close the opening when a need for MCR/ESGR isolation is indicated.

APPLICABILITY During movement of recently irradiated fuel assemblies, MCR/ESGR EVS-During Movement of Recently Irradiated Fuel Assemblies must be OPERABLE to control operator exposure during and following a DBA.

(continued)

North Anna Units 1 and 2 B 3.7.14-3 Revision 0, 04/02/02

MCR/ESGR EVS-During Movement of Recently Irradiated Fuel Assemblies B 3.7.14 BASES BACKGROUND buildup on the HEPA filters and adsorbers. Both the demister (continued) and heater are important to the effectiveness of the HEPA filters and charcoal adsorbers.

Pressurization of the MCR/ESGR envelope prevents infiltration of unfiltered air from the surrounding areas of the envelope.

A single train of the MCR/ESGR EVS will pressurize the MCR/ESGR envelope to Ž 0.04 inches water gauge. The MCR/ESGR EHS operation in maintaining the MCR/ESGR envelope habitable is discussed in the UFSAR, Section 6.4 (Ref. 1).

Redundant MCR/ESGR EVS supply trains provide the required pressurization and filtration should an excessive pressure drop develop across the other filter train. Normally closed isolation dampers are arranged in series pairs so that the failure of one damper to open will not result in an inability of the system to perform the function based on the presence of the redundant train. The MCR/ESGR EHS is designed in accordance with Seismic Category I requirements.

The MCR/ESGR EHS is designed to maintain the control room environment for 30 days of continuous occupancy after a DBA without exceeding the control room operator dose limits of 10 CFR 50, Appendix A, GDC-19 (Ref. 2), and NUREG-0800, Section 6.4 (Ref. 3).

APPLICABLE The MCR/ESGR EVS components are arranged in redundant, SAFETY ANALYSES safety related ventilation trains. The location of most components and ducting within the MCR/ESGR envelope ensures an adequate supply of filtered air to all areas requiring access. The MCR/ESGR EHS provides airborne radiological protection for the control room operators, as demonstrated by the control room accident dose analyses for the most limiting design basis accident fission product release presented in the UFSAR, Chapter 15 (Ref. 4).

The worst case single active failure of a component of the MCR/ESGR EVS, assuming a loss of offsite power, does not impair the ability of the system to perform its design function.

The MCR/ESGR EVS-During Movement of Recently Irradiated Fuel Assemblies satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

North Anna Units 1 and 2 B 3.7.14-2 Revision 0, 04/02/02

MCR/ESGR EVS-During Movement of Recently Irradiated Fuel Assemblies B 3.7.14 B 3.7 PLANT SYSTEMS B 3.7.14 Main Control Room/Emergency Switchgear Room (MCR/ESGR) Emergency Ventilation System (EVS)-During Movement of Recently Irradiated Fuel Assemblies BASES BACKGROUND The MCR/ESGR Emergency Habitability System (EHS) provides a protected environment from which operators can control the unit following an uncontrolled release of radioactivity. The MCR/ESGR EHS consists of the MCR/ESGR bottled air system (LCO 3.7.13) and the MCR/ESGR EVS (LCO 3.7.10 and LCO 3.7.14).

The MCR/ESGR EVS consists of four independent, redundant trains that can filter and recirculate air inside the MCR/ESGR envelope, or supply filtered air to the MCR/ESGR envelope. Each train consists of a heater, demister filter, a high efficiency particulate air (HEPA) filter, an activated charcoal adsorber section for removal of gaseous activity (principally iodines), and a fan. Ductwork, valves and dampers, and instrumentation also form part of the system. One EVS train is capable of performing the safety function, supplying filtered air for pressurization. Two of the four EVS trains are required for independence and redundancy.

In case of a Design Basis Accident (DBA) during movement of recently irradiated fuel assemblies, normal air supply to and exhaust from the MCR/ESGR envelope is manually isolated, and airflow from the bottled air banks is manually actuated to maintain a positive pressure in the MCR/ESGR envelope.

The MCR/ESGR envelope consists of the MCR, ESGRs, computer rooms, logic rooms, instrument rack rooms, air conditioning rooms, battery rooms, the MCR toilet, and the stairwell behind the MCR. Approximately 60 minutes after actuation of the MCR/ESGR bottled air system, a single MCR/ESGR EVS train is manually actuated to provide filtered outside air to the MCR/ESGR envelope through HEPA filters and charcoal adsorbers for pressurization. The demisters remove any entrained water droplets present in the air, to prevent excessive moisture loading of the HEPA filters and charcoal adsorbers. Continuous operation of each train for at least 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> per month, with the heaters on, reduces moisture (continued)

North Anna Units 1 and 2 B 3.7.14-1 Revision 0, 04/02/02

Intentionally Blank MCR/ESGR Bottled Air System B 3.7.13 BASES REFERENCES 1. UFSAR, Section 6.4.

2. 10 CFR 50, Appendix A.
3. NUREG-0800, Rev. 2, July 1981.
4. UFSAR, Chapter 15.

North Anna Units 1 and 2 B 3.7.13-7 Revision 0, 04/02/02

MCR/ESGR Bottled Air System B 3.7.13 BASES SURVEILLANCE SR 3.7.13.2 REQUIREMENTS (continued) This SR verifies that the proper number of MCR/ESGR air bottles are in service, with one bank of 51 air bottles in each required train. This SR requires verification that each bottled air bank manual valve not locked, sealed, or otherwise secured and required to be open during accident conditions is open. This SR helps to ensure that the bottled air banks required to be OPERABLE to pressurize the MCR/ESGR boundary are in service. The 31 day Frequency is based on engineering judgment and was chosen to provide added assurance of the correct positions. This SR does not apply to valves that are locked, sealed, or otherwise secured in the open position, since these were verified to be in the correct position prior to locking, sealing, or securing.

SR 3.7.13.3 This SR verifies that each required MCR/ESGR bottled air system train actuates by verifying the flow path is opened and that the normal air supply to and exhaust from the MCR/ESGR envelope is isolated on an actual or simulated actuation signal. The Frequency of 18 months is consistent with performing this test on a refueling interval basis.

SR 3.7.13.4 This SR verifies, by pressurizing the MCR/ESGR envelope, the integrity of the MCR/ESGR envelope, and the assumed inleakage rates of the potentially contaminated air. The MCR/ESGR envelope positive pressure, with respect to potentially contaminated adjacent areas, is periodically tested to verify proper functioning of the MCR/ESGR bottled air system. During the emergency mode of operation, the MCR/ESGR bottled air system is designed to pressurize the MCR/ESGR envelope to Ž 0.05 inches water gauge positive pressure with respect to adjacent areas in order to prevent unfiltered inleakage. The MCR/ESGR bottled air system is designed to maintain this positive pressure with two trains for at least 60 minutes at a makeup flow rate of Ž 340 cfm.

Testing two trains at a time at the Frequency of 18 months on a STAGGERED TEST BASIS is consistent with the guidance provided in NUREG-0800 (Ref. 3).

North Anna Units 1 and 2 B 3.7. 13-6 Revision 0, 04/02/02

MCR/ESGR Bottled Air System B 3.7.13 BASES ACTIONS C.1 (continued) entry into the condition. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is reasonable based on the low probability of a DBA occurring during this time period, and the use of compensatory measures. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is a typically reasonable time to diagnose, plan, restore, and possibly repair, and test most problems with the MCR/ESGR bottled air system, such as repressurizing the system after an inadvertent actuation.

D.1 and D.2 In MODE 1, 2, 3, or 4, if the inoperable required MCR/ESGR bottled air system trains or the inoperable MCR/ESGR boundary cannot be restored to OPERABLE status within the required Completion Time, the unit must be placed in a MODE that minimizes accident risk. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and in MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1 and E.2 During movement of recently irradiated fuel assemblies, if the required inoperable MCR/ESGR bottled air system train cannot be restored to OPERABLE status within the required Completion Time or two or more required MCR/ESGR bottled air system trains are inoperable, action must be taken to immediately suspend activities that could result in a release of radioactivity that might require isolation of the MCR/ESGR envelope. This places the unit in a condition that minimizes risk. This does not preclude the movement of fuel to a safe position.

SURVEILLANCE SR 3.7.13.1 REQUIREMENTS This SR verifies that each required MCR/ESGR bottled air bank is at the proper pressure. This ensures that when combined with the required number of OPERABLE air bottles, the minimum required air flow will be maintained to ensure the required MCR/ESGR envelope pressurization for approximately 60 minutes when the MCR/ESGR bottled air system is actuated. The 31 day Frequency is based on engineering judgement.

North Anna Units 1 and 2 B 3.7.13-5 Revision 0, 04/02/02

MCR/ESGR Bottled Air System B 3.7.13 BASES ACTIONS A.1 When one required MCR/ESGR bottled air system train is inoperable, action must be taken to restore OPERABLE status within 7 days. In this Condition, the remaining required OPERABLE MCR/ESGR bottled air system trains are adequate to perform the MCR/ESGR envelope protection function. However, the overall reliability is reduced because a single failure in one of the remaining required OPERABLE trains could result in loss of MCR/ESGR bottled air system function. The 7 day Completion Time is based on the low probability of a DBA occurring during this time period, and ability of the remaining trains to provide the required capability.

B.1 If the MCR/ESGR boundary is inoperable in MODE 1, 2, 3, or 4, the MCR/ESGR bottled air system cannot perform its intended function. Actions must be taken to restore an OPERABLE MCR/ESGR boundary within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. During the period that the MCR/ESGR boundary is inoperable, appropriate compensatory measures (consistent with the intent of GDC 19) should be utilized to protect control room operators from potential hazards such as radioactive contamination.

Preplanned measures should be available to address these concerns for intentional and unintentional entry into the condition. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is reasonable based on the low probability of a DBA occurring during this time period, and the use of compensatory measures. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is a typically reasonable time to diagnose, plan, and possibly repair, and test most problems with the MCR/ESGR boundary.

C.1 When two or more required trains of the MCR/ESGR bottled air system are inoperable in MODE 1, 2, 3, or 4 for reasons other than an inoperable MCR/ESGR boundary (i.e., Condition B),

action must be taken to restore at least two of the required MCR/ESGR bottled air system trains to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. During the period that two or more required trains of the MCR/ESGR bottled air system are inoperable, appropriate compensatory measures (consistent with the intent of GDC 19) should be utilized to protect control room operators from potential hazards such as radioactive contamination. Preplanned measures should be available to address these concerns for intentional and unintentional (continued)

North Anna Units 1 and 2 B 3.7.13-4 Revision 0, 04/02/02

MCR/ESGR Bottled Air System B 3.7.13 BASES LCO The MCR/ESGR bottled air system is considered OPERABLE when (continued) the individual components necessary to limit operator exposure are OPERABLE in the three required trains of the MCR/ESGR bottled air system.

A MCR/ESGR bottled air system train is OPERABLE when:

a. One OPERABLE bottled air bank of 51 bottles is in service;
b. A flow path, including associated valves and piping, is OPERABLE; and
c. The common exhaust header is OPERABLE.

The MCR/ESGR bottled air system trains are shared by Unit 1 and Unit 2.

In addition, the MCR/ESGR boundary must be maintained, including the integrity of the walls, floors, ceilings, ductwork, and access doors.

The LCO is modified by a Note allowing the MCR/ESGR boundary to be opened intermittently under administrative controls.

For entry and exit through doors the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls consist of stationing a dedicated individual at the opening who is in continuous communication with the control room. This individual will have a method to rapidly close the opening when a need for MCR/ESGR isolation is indicated.

APPLICABILITY In MODES 1, 2, 3, and 4, and during movement of recently irradiated fuel assemblies, MCR/ESGR bottled air system must be OPERABLE to control operator exposure during and following a DBA.

During movement of recently irradiated fuel assemblies, the MCR/ESGR bottled air system must be OPERABLE to respond to the release from a fuel handling accident involving handling recently irradiated fuel. The MCR/ESGR bottled air system is only required to be OPERABLE during fuel handling involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within a time frame established by analysis. The term recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time), due to radioactive decay.

North Anna Units 1 and 2 B 3.7.13-3 Revision 0, 04/02/02

MCR/ESGR Bottled Air System B 3.7.13 BASES BACKGROUND Pressurization of the MCR/ESGR envelope prevents (continued) infiltration of unfiltered air from the surrounding areas of the envelope.

Two trains of the MCR/ESGR bottled air system will pressurize the MCR/ESGR envelope to Ž 0.05 inches water gauge. The MCR/ESGR EHS operation in maintaining the MCR/ESGR envelope habitable is discussed in the UFSAR, Section 6.4 (Ref. 1).

The MCR/ESGR EHS is designed in accordance with Seismic Category I requirements.

The MCR/ESGR EHS is designed to maintain the MCR/ESGR envelope environment for 30 days of continuous occupancy after a DBA without exceeding the control room operator dose limits of 10 CFR 50, Appendix A, GDC-19 (Ref. 2), and NUREG-0800, Section 6.4 (Ref. 3).

APPLICABLE The MCR/ESGR bottled air system is arranged in redundant, SAFETY ANALYSES safety related trains providing pressurized air from the required bottled air banks to maintain a habitable environment in the MCR/ESGR envelope.

The MCR/ESGR EHS provides airborne radiological protection for the control room operators, as demonstrated by the control room accident dose analyses for the most limiting design basis accident fission product release presented in the UFSAR, Chapter 15 (Ref. 4).

The worst case single active failure of a component of the MCR/ESGR bottled air system, assuming a loss of offsite power, does not impair the ability of the system to perform its design function.

The MCR/ESGR bottled air system satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO Three independent and redundant MCR/ESGR bottled air system trains are required to be OPERABLE to ensure that at least two are available assuming a single failure disables one train. Total system failure could result in exceeding the control room operator dose limits of 10 CFR 50, Appendix A, GDC-19 (Ref. 2), and NUREG-0800, Section 6.4 (Ref. 3), in the event of a large radioactive release.

(continued)

North Anna Units 1 and 2 B 3.7.13-2 Revision 0, 04/02/02

MCR/ESGR Bottled Air System B 3.7.13 B 3.7 PLANT SYSTEMS B 3.7.13 Main Control Room/Emergency Switchgear Room (MCR/ESGR) Bottled Air System BASES BACKGROUND The MCR/ESGR Emergency Habitability System (EHS) provides a protected environment from which operators can control the unit following an uncontrolled release of radioactivity. The MCR/ESGR EHS consists of the MCR/ESGR bottled air system (LCO 3.7.13) and the MCR/ESGR Emergency Ventilation System (EVS) (LCO 3.7.10 and LCO 3.7.14).

The MCR/ESGR bottled air system consists of four trains of bottled air lined up to provide air to the MCR/ESGR envelope when the system actuates. The air is provided via four trains which feed a common header, supplying air to the Unit 1 and Unit 2 ESGRs. The header is also capable of being aligned to supply air directly to the MCR. Each train is provided air by one of the bottled air banks. Unit 1 and Unit 2 each provide two trains of bottled air. Two bottled air trains are capable of providing dry air of breathing quality to maintain a positive interior pressure in the MCR/ESGR envelope for Unit 1 and Unit 2 for a period of one hour following a Design Basis Accident (DBA).

In MODES 1, 2, 3, or 4, upon receipt of the actuating signal(s), normal air supply to and exhaust from the MCR/ESGR envelope is isolated, the two LCO 3.7.10.a trains of MCR/ESGR EVS actuate to recirculate air, and airflow from the bottled air banks maintains a positive pressure in the MCR/ESGR envelope. In case of a Fuel Handling Accident (FHA) during movement of recently irradiated fuel assemblies, automatic actuation of bottled air is not required, and no train of MCR/ESGR EVS is required to recirculate air. The MCR/ESGR envelope consists of the MCR, ESGRs, computer rooms, logic rooms, instrument rack rooms, air conditioning rooms, battery rooms, the MCR toilet, and the stairwell behind the MCR. Approximately 60 minutes after actuation of the MCR/ESGR bottled air system, a single MCR/ESGR EVS train is manually actuated to provide filtered outside air to the MCR/ESGR envelope through high efficiency particulate air (HEPA) filters and charcoal adsorbers for pressurization.

(continued)

North Anna Units 1 and 2 R 3.7.13-1 Revision 0, 04/02/02

Intentionally Blank ECCS PREACS B 3.7.12 BASES REFERENCES 2. UFSAR, Section 15.4.

(continued)

3. Regulatory Guide 1.52 (Rev. 2).
4. 10 CFR 50, Appendix A.
5. NUREG-0800, Rev. 2, July 1981.

North Anna Units 1 and 2 B 3.7.12-7 Revision 0, 04/02/02

ECCS PREACS B 3.7.12 BASES SURVEILLANCE SR 3.7.12.2 (continued)

REQUIREMENTS manually through the filters in case of a DBA requiring their use. The 31 day Frequency is based on the known reliability of equipment and the two train redundancy available.

SR 3.7.12.3 This SR verifies that the required ECCS PREACS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorbers efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations).

Specific test Frequencies and additional information are discussed in detail in the VFTP.

SR 3.7.12.4 This SR verifies that Safeguards Area exhaust flow for the operating Safeguards Area fan is diverted through the filters on an actual or simulated actuation signal. The 18 month Frequency is consistent with that specified in Reference 3.

SR 3.7.12.5 This SR verifies the integrity of the ECCS pump room enclosure. The ability of the ECCS pump room to maintain a negative pressure, with respect to potentially uncontaminated adjacent areas, is periodically tested in a qualitative manner to verify proper functioning of each train of the ECCS PREACS. During the post accident mode of operation, the ECCS PREACS is designed to maintain a slight negative pressure in the ECCS pump room, with respect to adjacent areas, to prevent unfiltered LEAKAGE. A single train of ECCS PREACS is designed to maintain a negative pressure relative to adjacent areas. The Frequency of 18 months is consistent with the guidance provided in NUREG-0800, Section 6.5.1 (Ref. 5).

This test is conducted with the tests for filter penetration; thus, an 18 month Frequency on a STAGGERED TEST BASIS is consistent with that specified in Reference 3.

REFERENCES 1. UFSAR, Section 9.4.

North Anna Units 1 and 2 B 3.7.12-6 Revision 0, 04/02/02

ECCS PREACS B 3.7.12 BASES ACTIONS B.1 (continued) protect control room operators from potential hazards such as radioactive contamination. Preplanned measures should be available to address these concerns for intentional and unintentional entry into the condition. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is reasonable based on the low probability of a DBA occurring during this time period, and the use of compensatory measures. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is a typically reasonable time to diagnose, plan and possibly repair, and test most problems with the ECCS pump room boundary.

C.1 and C.2 If the ECCS PREACS train(s) or ECCS pump room boundary cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and in MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.12.1 REQUIREMENTS Standby systems should be checked periodically to ensure that they function properly. As the environment and normal operating conditions on this system are not severe, testing each train once a month provides an adequate check on this system. Monthly heater operations dry out any moisture that may have accumulated in the charcoal and HEPA filters from humidity in the ambient air. The system must be operated

Ž 10 continuous hours with the heaters energized. The 31 day Frequency is based on the known reliability of equipment and the two train redundancy available.

SR 3.7.12.2 This SR verifies that Safeguards Area exhaust flow and Auxiliary Building Central Exhaust subsystem flow, when actuated from the control room, diverts flow through the Auxiliary Building HEPA filter and charcoal adsorber assembly for the operating train. Exhaust flow is diverted (continued)

North Anna Units 1 and 2 B 3.7. 12-5 Revision 0, 04/02/02

ECCS PREACS B 3.7.12 BASES LCO The LCO is modified by a Note allowing the ECCS pump room (continued) boundary openings not open by design to be opened intermittently under administrative controls. For entry and exit through doors the administrative control of the opening is performed by the person(s) entering or exiting the area.

For other openings, these controls consist of stationing a dedicated individual at the opening who is in continuous communication with the control room. This individual will have a method to rapidly close the opening when a need for ECCS pump room isolation is indicated.

APPLICABILITY In MODES 1, 2, 3, and 4, the ECCS PREACS is required to be OPERABLE consistent with the OPERABILITY requirements of the ECCS.

In MODE 5 or 6, the ECCS PREACS is not required to be OPERABLE since the ECCS is not required to be OPERABLE.

ACTIONS A.1 With one ECCS PREACS train inoperable, action must be taken to restore OPERABLE status within 7 days. During this time, the remaining OPERABLE train is adequate to perform the ECCS PREACS function.

The 7 day Completion Time is appropriate because the risk contribution is less than that for the ECCS (72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time), and this system is not a direct support system for the ECCS. The 7 day Completion Time is based on the low probability of a Design Basis Accident (DBA) occurring during this time period, and ability of the remaining train to provide the required capability.

Concurrent failure of two ECCS PREACS trains would result in the loss of functional capability; therefore, LCO 3.0.3 must be entered immediately.

B.1 If the ECCS pump room boundary is inoperable, the ECCS PREACS trains cannot perform their intended functions. Actions must be taken to restore an OPERABLE ECCS pump room boundary within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. During the period that the ECCS pump room boundary is inoperable, appropriate compensatory measures consistent with the intent of GDC 19 should be utilized to (continued)

North Anna Units 1 and 2 B 3.7.12-4 Revision 0, 04/02/02

ECCS PREACS B 3.7.12 BASES LCO Two redundant trains of the ECCS PREACS are required to be OPERABLE to ensure that at least one is available. Total system failure could result in exceeding the control room operator dose limits of 10 CFR 50, Appendix A, GDC-19 (Ref. 4), and NUREG-0800, Section 6.4 (Ref. 5).

ECCS PREACS is considered OPERABLE when the individual components necessary to maintain the ECCS pump room filtration are OPERABLE in both trains.

An ECCS PREACS train is considered OPERABLE when its associated:

a. Safeguards Area exhaust fan is OPERABLE;
b. One Auxiliary Building HEPA filter and charcoal adsorber assembly (shared with the other unit) is OPERABLE;
c. One Auxiliary Building Central exhaust system fan (shared with other unit) is OPERABLE;
d. Controls for the Auxiliary Building Central exhaust system filter and bypass dampers (shared with the other unit) are OPERABLE;
e. HEPA filter and charcoal adsorbers are not excessively restricting flow, and are capable of performing their filtration functions; and
f. Ductwork, valves, and dampers are OPERABLE.

The Auxiliary Building Central Exhaust subsystem may be removed from service (e.g., tag out fans, open ductwork, etc.), in order to perform required testing and maintenance.

The Auxiliary Building Central Exhaust subsystem is OPERABLE in this condition if it can be restored to service and perform its function within 60 minutes following an accident.

In addition, the required Safeguards Area and charging pump cubicle boundaries for charging pumps not isolated from the Reactor Coolant System must be maintained, including the integrity of the walls, floors, ceilings, ductwork, and access doors, except for those openings which are left open by design, including charging pump ladder wells.

(continued)

North Anna Units 1 and 2 B 3.7.12-3 Revision 0, 04/02/02

ECCS PREACS B 3.7.12 BASES BACKGROUND Building General area exhaust, fuel building exhaust, (continued) decontamination building exhaust, and containment purge exhaust.

One Safeguards Area exhaust fan is normally operating and dampers are aligned to bypass the HEPA filters and charcoal adsorbers. During emergency operations, the ECCS PREACS dampers are realigned to begin filtration. Upon receipt of the actuating Engineered Safety Feature Actuation System signal(s), normal air discharges from the Safeguards Area room are diverted through the filter banks. Two Auxiliary Building Central Exhaust fans are normally operating. Air discharges from the Auxiliary Building Central Exhaust area are manually diverted through the filter banks. Required Safeguards Area and Auxiliary Building Central Exhaust area fans are manually actuated if they are not already operating. The prefilters remove any large particles in the air to prevent excessive loading of the HEPA filters and charcoal adsorbers.

The ECCS PREACS is discussed in the UFSAR, Section 9.4 (Ref. 1) and it may be used for normal, as well as post accident, atmospheric cleanup functions. The primary purpose of the heaters is to maintain the relative humidity at an acceptable level during normal operations, generally consistent with iodine removal efficiencies per Regulatory Guide 1.52 (Ref. 3). The heaters are not required for post-accident conditions.

APPLICABLE The design basis of the ECCS PREACS is established by the SAFETY ANALYSES large break LOCA. The system evaluation assumes ECCS leakage outside containment, such as safety injection pump leakage, during the recirculation mode. In such a case, the system limits radioactive release to within the control room operator dose limits of 10 CFR 50, Appendix A, GDC-19 (Ref. 4), and NUREG-0800, Section 6.4 (Ref. 5). The analysis of the effects and consequences of a large break LOCA is presented in Reference 2. The ECCS PREACS also may actuate following a small break LOCA, in those cases where the ECCS goes into the recirculation mode of long term cooling, to clean up releases of smaller leaks, such as from valve stem packing. The analyses assume the filtration by the ECCS PREACS does not begin for 60 minutes following an accident.

The ECCS PREACS satisfies Criterion 3 of 10 CFR 50.36(c) (2) (ii).

North Anna Units 1 and 2 B 3.7. 12-2 Revision 0, 04/02/02

ECCS PREACS B 3.7.12 B 3.7 PLANT SYSTEMS B 3.7.12 Emergency Core Cooling System (ECCS) Pump Room Exhaust Air Cleanup System (PREACS)

BASES BACKGROUND The ECCS PREACS filters air from the area of the active ECCS components during the recirculation phase of a loss of coolant accident (LOCA). The ECCS PREACS, in conjunction with other normally operating systems, also provides environmental control of temperature in the ECCS pump room areas.

The ECCS PREACS consists of two subsystems, the Safeguards Area Ventilation subsystem and the Auxiliary Building Central Exhaust subsystem. There are two redundant trains in the Safeguards Area Ventilation subsystem. Each train of the Safeguards Area Ventilation subsystem consists of one Safeguards Area exhaust fan, prefilter, and high efficiency particulate air (HEPA) filter and charcoal adsorber assembly for removal of gaseous activity (principally iodines)

(shared with the other unit), and controls for the Safeguards Area exhaust filter and bypass dampers. Ductwork, valves or dampers, and instrumentation also form part of the subsystem. The subsystem automatically initiates filtered ventilation of the safeguards pump room following receipt of a Containment Hi-Hi signal from the affected unit.

The Auxiliary Building Central exhaust subsystem consists of the following: three redundant central area exhaust fans (shared with other unit), two redundant filter banks consisting of HEPA filter and charcoal adsorber assembly for removal of gaseous activity (principally iodines) (shared with the other unit), and two redundant trains of controls for the Auxiliary Building Central exhaust subsystem filter and bypass dampers (shared with the other unit). Ductwork, valves or dampers, and instrumentation also form part of the subsystem. The subsystem initiates filtered ventilation of the charging pump cubicles following manual actuation.

The Auxiliary Building filter banks are shared by the Safeguards Area Ventilation subsystem and the Auxiliary Building Central Exhaust subsystem. Either Auxiliary Building filter bank may be aligned to either ECCS PREACS train. These filter banks are also used by the Auxiliary (continued)

North Anna Units 1 and 2 B 3.7. 12-1 Revision 0, 04/02/02

MCR/ESGR ACS B 3.7.11 BASES ACTIONS C.1 and C.2 (continued)

An alternative to Required Action C.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the MCR/ESGR envelope. This places the unit in a condition that minimizes accident risk. This does not preclude the movement of fuel to a safe position.

D.1 During movement of recently irradiated fuel assemblies, with less than 100% of the MCR/ESGR ACS cooling equivalent to a single OPERABLE MCR/ESGR ACS subsystem available, action must be taken immediately to suspend activities that could result in a release of radioactivity that might require isolation of the MCR/ESGR envelope. This places the unit in a condition that minimizes risk. This does not preclude the movement of fuel to a safe position.

E.1 With less than 100% of the MCR/ESGR ACS cooling equivalent to a single OPERABLE MCR/ESGR ACS subsystem available in MODE 1, 2, 3, or 4, the MCR/ESGR ACS may not be capable of performing its intended function. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE SR 3.7.11.1 REQU IREMENTS This SR verifies that the heat removal capability of any one of the three chillers for the unit is sufficient to remove the heat load assumed in the safety analyses in the MCR/ESGR envelope. This SR consists of a combination of testing and calculations. The 18 month on a STAGGERED TEST BASIS Frequency is appropriate since significant degradation of the MCR/ESGR ACS is slow and is not expected over this time period.

REFERENCES 1. UFSAR, Section 9.4.

North Anna Units 1 and 2 B 3.7.11-4 Revision 0, 04/02/02

MCR/ESGR ACS B 3.7.11 BASES ACTIONS A.1 (continued) is reduced because a single failure in the OPERABLE MCR/ESGR ACS subsystem could result in loss of MCR/ESGR ACS function.

The 30 day Completion Time is based on the low probability of an event requiring MCR/ESGR envelope isolation, the consideration that the remaining subsystem can provide the required protection, and that alternate safety or nonsafety related cooling means are available.

The LCO requires the OPERABILITY of a number of independent components. Due to the redundancy of subsystems and the diversity of components, the inoperability of one active component in a subsystem does not render the MCR/ESGR ACS incapable of performing its function. Neither does the inoperability of two different components, each in a different subsystem, necessarily result in a loss of function for the MCR/ESGR ACS (e.g., an inoperable chiller in one subsystem, and an inoperable air handler in the other). This allows increased flexibility in unit operations under circumstances when components in opposite subsystems are inoperable.

B.1 and B.2 In MODE 1, 2, 3, or 4, if the inoperable MCR/ESGR ACS subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be placed in a MODE that minimizes the risk. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and in MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

C.1 and C.2 During movement of recently irradiated fuel, if the required inoperable MCR/ESGR ACS subsystems cannot be restored to OPERABLE status within the required Completion Time, the OPERABLE MCR/ESGR ACS subsystem must be placed in operation immediately. This action ensures that the remaining subsystem is OPERABLE and that active failures will be readily detected.

(continued)

North Anna Units 1 and 2 B 3.7.11-3 Revision 0, 04/02/02

MCR/ESGR ACS B 3.7.11 BASES APPLICABLE The MCR/ESGR ACS satisfies Criterion 3 of 10 CFR SAFETY ANALYSES 50.36(c)(2)(ii).

(continued)

LCO Two independent and redundant subsystems of the MCR/ESGR ACS, providing cooling to the unit ESGR and associated portion of the MCR, are required to be OPERABLE to ensure that at least one is available, assuming a single failure disabling the other subsystem. Total system failure could result in the equipment operating temperature exceeding limits in the event of an accident.

The MCR/ESGR ACS is considered to be OPERABLE when the individual components necessary to cool the MCR/ESGR envelope air are OPERABLE in both required subsystems. Each subsystem consists of two air handling units (one for the MCR and one for the ESGR), one chiller, valves, piping, instrumentation and controls. The two subsystems provide air temperature cooling to the portion of the MCR/ESGR envelope associated with the unit. In addition, the MCR/ESGR ACS must be operable to the extent that air circulation can be maintained.

APPLICABILITY In MODES 1, 2, 3, and 4, and during movement of recently irradiated fuel assemblies, the MCR/ESGR ACS must be OPERABLE to ensure that the MCR/ESGR envelope temperature will not exceed equipment operational requirements following isolation of the MCR/ESGR envelope. The MCR/ESGR ACS is only required to be OPERABLE during fuel handling involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within a time frame established by analysis. The term recently is defined as all irradiated fuel assemblies, until analysis is performed to determine a specific time), due to radioactive decay.

ACTIONS A.1 With one or more required MCR/ESGR ACS subsystem inoperable, and at least 100% of the MCR/ESGR ACS cooling equivalent to a single OPERABLE MCR/ESGR ACS subsystem available, action must be taken to restore OPERABLE status within 30 days. In this Condition, the remaining OPERABLE MCR/ESGR ACS subsystem is adequate to maintain the MCR/ESGR envelope temperature within limits. However, the overall reliability (continued)

North Anna Units 1 and 2 B 3.7.11-2 Revision 0, 04/02/02

MCR/ESGR ACS B 3.7.11 B 3.7 PLANT SYSTEMS B 3.7.11 Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning System (ACS)

BASES BACKGROUND The MCR/ESGR ACS provides cooling for the MCR/ESGR envelope following isolation of the MCR/ESGR envelope. The MCR/ESGR ACS also provides cooling for the MCR/ESGR envelope during routine unit operation.

The MCR/ESGR ACS consists of two independent and redundant subsystems that provide cooling of MCR/ESGR envelope air.

Each subsystem consists of two air handling units (one for the MCR and one for the ESGR), one chiller in one subsystem and two chillers in the other, valves, piping, instrumentation, and controls to provide for MCR/ESGR envelope cooling. One subsystem has one chiller, the other has two chillers, either of which can be used by that subsystem, but which are not electrically independent from each other.

The MCR/ESGR ACS is an emergency system, parts of which may also operate during normal unit operations. A single subsystem will provide the required cooling to maintain the MCR/ESGR envelope within design limits. The MCR/ESGR ACS operation in maintaining the MCR/ESGR envelope temperature is discussed in the UFSAR, Section 9.4 (Ref. 1).

APPLICABLE The design basis of the MCR/ESGR ACS is to maintain the SAFETY ANALYSES MCR/ESGR envelope temperature within limits for 30 days of continuous occupancy after a DBA.

The MCR/ESGR ACS components are arranged in redundant, safety related subsystems. During emergency operation, the MCR/ESGR ACS maintains the temperature within design limits.

A single active failure of a component of the MCR/ESGR ACS, with a loss of offsite power, does not impair the ability of the system to perform its design function. The MCR/ESGR ACS is designed in accordance with Seismic Category I requirements. The MCR/ESGR ACS is capable of removing sensible and latent heat loads from the MCR/ESGR envelope, which include consideration of equipment heat loads and personnel occupancy requirements, to ensure equipment OPERABILITY.

(continued)

North Anna Units 1 and 2 B 3.7.11-1 Revision 0, 04/02/02

MCR/ESGR EVS-MODES 1, 2, 3, and 4 B 3.7.10 BASES SURVEILLANCE SR 3.7.10.2 REQUIREMENTS (continued) This SR verifies that the required MCR/ESGR EVS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing the performance of the demister filter, HEPA filter, charcoal adsorber efficiency, minimum and maximum flow rate, and the physical properties of the activated charcoal. Specific test Frequencies and additional information are discussed in detail in the VFTP.

SR 3.7.10.3 This SR verifies that each LCO 3.7.10.a MCR/ESGR EVS train starts and operates on an actual or simulated actuation signal. The Frequency of 18 months is consistent with performing this test on a refueling interval basis.

SR 3.7.10.4 This SR verifies, by pressurizing the MCR/ESGR envelope, the integrity of the MCR/ESGR envelope, and the assumed inleakage rates of the potentially contaminated air. The MCR/ESGR envelope positive pressure, with respect to potentially contaminated adjacent areas, is periodically tested to verify proper functioning of the MCR/ESGR EVS.

During the emergency mode of operation, the MCR/ESGR EVS is designed to pressurize the MCR/ESGR envelope Ž 0.04 inches water gauge positive pressure with respect to adjacent areas in order to prevent unfiltered inleakage. The MCR/ESGR EVS is designed to maintain this positive pressure with one train at a makeup flow rate of Ž 900 cfm and

  • 1100 cfm. The Frequency of 18 months on a STAGGERED TEST BASIS is consistent with the guidance provided in NUREG-0800 (Ref. 4).

REFERENCES 1. UFSAR, Section 6.4.

2. UFSAR, Chapter 15.
3. 10 CFR 50, Appendix A.
4. NUREG-0800, Rev. 2, July 1981.

North Anna Units 1 and 2 B 3.7.10-6 Revision 0, 04/02/02

MCR/ESGR EVS-MODES 1, 2, 3, and 4 B 3.7.10 BASES ACTIONS B.1 (continued) the use of compensatory measures. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is a typically reasonable time to diagnose, plan, and possibly repair, and test most problems with the MCR/ESGR boundary.

C.1 and C.2 In MODE 1, 2, 3, or 4, if the inoperable required MCR/ESGR EVS train or the inoperable MCR/ESGR boundary cannot be restored to OPERABLE status within the required Completion Time, the unit must be placed in a MODE that minimizes accident risk. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and in MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

D.1 When two or more required LCO 3.7.10.a or LCO 3.7.10.b MCR/ESGR EVS trains are inoperable in MODE 1, 2, 3, or 4 for reasons other than an inoperable MCR/ESGR boundary (i.e.,

Condition B), the MCR/ESGR EVS may not be capable of performing the intended function and the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE SR 3.7.10.1 REQUIREMENTS Standby systems should be checked periodically to ensure that they function properly. As the environment and normal operating conditions on the MCR/ESGR EVS are not too severe, testing each required train once every month provides an adequate check of this system. Monthly heater operations dry out any moisture accumulated in the charcoal and HEPA filters from humidity in the ambient air. Each required train must be operated for Ž 10 continuous hours with the heaters energized. The 31 day Frequency is based on the reliability of the equipment and the two train redundancy availability.

North Anna Units 1 and 2 B 3.7.10-5 Revision 0, 04/02/02

MCR/ESGR EVS-MODES 1, 2, 3, and 4 B 3.7.10 BASES LCO In addition, the MCR/ESGR boundary must be maintained, (continued) including the integrity of the walls, floors, ceilings, ductwork, and access doors.

The LCO is modified by a Note allowing the MCR/ESGR boundary to be opened intermittently under administrative controls.

For entry and exit through doors the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls consist of stationing a dedicated individual at the opening who is in continuous communication with the control room. This individual will have a method to rapidly close the opening when a need for MCR/ESGR isolation is indicated.

APPLICABILITY In MODES 1, 2, 3, and 4, MCR/ESGR EVS must be OPERABLE to control operator exposure during and following a DBA.

ACTIONS A.1 When one required LCO 3.7.10.a or LCO 3.7.10.b MCR/ESGR EVS train is inoperable, action must be taken to restore OPERABLE status within 7 days. In this Condition, the remaining required OPERABLE MCR/ESGR EVS trains are adequate to perform the MCR/ESGR envelope protection function.

However, the overall reliability is reduced because a single failure in the required OPERABLE EVS trains could result in loss of MCR/ESGR EVS function. The 7 day Completion Time is based on the low probability of a DBA occurring during this time period, and ability of the remaining trains to provide the required capability.

B.1 If the MCR/ESGR boundary is inoperable in MODE 1, 2, 3, or 4, the MCR/ESGR EVS cannot perform its intended function.

Actions must be taken to restore an OPERABLE MCR/ESGR boundary within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. During the period that the MCR/ESGR boundary is inoperable, appropriate compensatory measures (consistent with the intent of GDC 19) should be utilized to protect control room operators from potential hazards such as radioactive contamination. Preplanned measures should be available to address these concerns for intentional and unintentional entry into the condition. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is reasonable based on the low probability of a DBA occurring during this time period, and (continued)

North Anna Units 1 and 2 B 3.7.10-4 Revision 0, 04/02/02

MCR/ESGR EVS-MODES 1, 2, 3, and 4 B 3.7.10 BASES APPLICABLE by the control room accident dose analyses for the most SAFETY ANALYSES limiting design basis accident fission product release (continued) presented in the UFSAR, Chapter 15 (Ref. 2).

The worst case single active failure of a component of the MCR/ESGR EVS, assuming a loss of offsite power, does not impair the ability of the system to perform its design function.

The MCR/ESGR EVS-MODES 1, 2, 3, and 4 satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO Two independent and redundant MCR/ESGR EVS trains and one other unit independent and redundant MCR/ESGR EVS train are required to be OPERABLE to ensure that at least one train automatically actuates to filter recirculated air in the MCR/ESGR envelope, and at least one train is available to pressurize and to provide filtered air to the MCR/ESGR envelope, assuming a single failure disables one of the two required OPERABLE trains that automatically actuate, or disables the other unit train. Total system failure could result in exceeding the control room operator dose limits of 10 CFR 50, Appendix A, GDC-19 (Ref. 3), and NUREG-0800, Section 6.4 (Ref. 4), in the event of a large radioactive release.

The MCR/ESGR EVS-MODES 1, 2, 3, and 4 is considered OPERABLE when the individual components necessary to limit operator exposure are OPERABLE in the three required trains of the MCR/ESGR EVS-MODES 1, 2, 3, and 4, which include one other unit train.

An MCR/ESGR EVS train is OPERABLE when the associated:

a. Fan is OPERABLE;
b. Demister filters, HEPA filters and charcoal adsorbers are not excessively restricting flow, and are capable of performing their filtration functions; and
c. Heater, ductwork, valves, and dampers are OPERABLE, and air flow can be maintained.

The MCR/ESGR EVS is shared by Unit 1 and Unit 2.

(continued)

North Anna Units 1 and 2 B 3.7.10-3 Revision 0, 04/02/02

MCR/ESGR EVS-MODES 1, 2, 3, and 4 B 3.7.10 BASES BACKGROUND adsorbers for pressurization. The demisters remove any (continued) entrained water droplets present, to prevent excessive moisture loading of the HEPA filters and charcoal adsorbers.

Continuous operation of each train for at least 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> per month, with the heaters on, reduces moisture buildup on the HEPA filters and adsorbers. Both the demister and heater are important to the effectiveness of the HEPA filters and charcoal adsorbers.

Pressurization of the MCR/ESGR envelope prevents infiltration of unfiltered air from the surrounding areas of the envelope.

A single train of the MCR/ESGR EVS will pressurize the MCR/ESGR envelope to Ž 0.04 inches water gauge. The MCR/ESGR EHS operation in maintaining the MCR/ESGR envelope habitable is discussed in the UFSAR, Section 6.4 (Ref. 1).

Redundant MCR/ESGR EVS supply and recirculation trains provide the required pressurization and filtration should an excessive pressure drop develop across the other filter train. Normally closed isolation dampers are arranged in series pairs so that the failure of one damper to open will not result in an inability of the system to perform the function based on the presence of the redundant train. The MCR/ESGR EHS is designed in accordance with Seismic Category I requirements. The actuation signal will only start the LCO 3.7.10.a MCR/ESGR EVS trains. Requiring both LCO 3.7.10.a MCR/ESGR EVS trains provides redundancy, assuring that at least one train starts in recirculation when the actuation signal is received.

The MCR/ESGR EHS is designed to maintain the control room environment for 30 days of continuous occupancy after a DBA without exceeding the control room operator dose limits of 10 CFR 50, Appendix A, GDC-19 (Ref. 3), and NUREG-0800, Section 6.4 (Ref. 4).

APPLICABLE The MCR/ESGR EVS components are arranged in redundant, SAFETY ANALYSES safety related ventilation trains. The location of most components and ducting within the MCR/ESGR envelope ensures an adequate supply of filtered air to all areas requiring access. The MCR/ESGR EHS provides airborne radiological protection for the control room operators, as demonstrated (continued)

North Anna Units 1 and 2 B 3.7.10-2 Revision 0, 04/02/02

MCR/ESGR EVS-MODES 1, 2, 3, and 4 B 3.7.10 B 3.7 PLANT SYSTEMS B 3.7.10 Main Control Room/Emergency Switchgear Room (MCR/ESGR) Emergency Ventilation System (EVS)-MODES 1, 2, 3, and 4 BASES BACKGROUND The MCR/ESGR Emergency Habitability System (EHS) provides a protected environment from which operators can control the unit following an uncontrolled release of radioactivity. The MCR/ESGR EHS consists of the MCR/ESGR bottled air system (LCO 3.7.13) and the MCR/ESGR EVS (LCO 3.7.10 and LCO 3.7.14).

The MCR/ESGR EVS consists of four redundant trains that can filter and recirculate air inside the MCR/ESGR envelope, or supply filtered air to the MCR/ESGR envelope. The two independent and redundant unit MCR/ESGR EVS trains can actuate automatically in recirculation. Either of these trains can also be aligned to provide filtered outside air for pressurization when appropriate. One train from the other unit is required for redundancy, and can be manually actuated to provide filtered outside air or to recirculate and filter air approximately 60 minutes after the event.

Each train consists of a heater, demister filter, a high efficiency particulate air (HEPA) filter, an activated charcoal adsorber section for removal of gaseous activity (principally iodines), and a fan. Ductwork, valves, dampers, and instrumentation also form part of the system. Two EVS trains are capable of performing the safety function, one supplying outside filtered air for pressurization, one filtering recirculated air. Two LCO 3.7.10.a trains and one LCO 3.7.10.b train are required for independence and redundancy.

Upon receipt of the actuating signal(s), normal air supply to and exhaust from the MCR/ESGR envelope is isolated, the two LCO 3.7.10.a trains of MCR/ESGR EVS actuate to recirculate air, and airflow from the bottled air banks maintains a positive pressure in the MCR/ESGR envelope. The MCR/ESGR envelope consists of the MCR, ESGRs, computer rooms, logic rooms, instrument rack rooms, air conditioning rooms, battery rooms, the MCR toilet, and the stairwell behind the MCR. Approximately 60 minutes after actuation of the MCR/ESGR bottled air system, a single MCR/ESGR EVS train is manually actuated to provide filtered outside air to the MCR/ESGR envelope through HEPA filters and charcoal (continued)

North Anna Units 1 and 2 B 3.7.10-1 Revision 0, 04/02/02

UHS B 3.7.9 BASES SURVEILLANCE SR 3.7.9.2 REQUIREMENTS (continued) This SR verifies that the SW System is available with the maximum accident or normal design heat loads for 30 days following a Design Basis Accident. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Frequency is based on operating experience related to trending of the parameter variations during the applicable MODES. This SR verifies that the average water temperature of the Service Water Reservoir is

REFERENCES 1. UFSAR, Section 9.2.

2. Regulatory Guide 1.27, March, 1974.

North Anna Units 1 and 2 B 3.7.9-4 Revision 0, 04/02/02

UHS B 3.7.9 BASES LCO The UHS is required to be OPERABLE. The UHS is considered OPERABLE if it contains a sufficient volume of water at or below the maximum temperature that would allow the SW System to operate for at least 30 days following the design basis LOCA without the loss of net positive suction head (NPSH),

and without exceeding the maximum design temperature of the equipment served by the SW System. To meet this condition, the Service Water Reservoir temperature should not exceed 95 0 F and the level should not fall below 313 ft mean sea level during normal unit operation.

APPLICABILITY In MODES 1, 2, 3, and 4, the UHS is required to support the OPERABILITY of the equipment serviced by the UHS and required to be OPERABLE in these MODES.

In MODE 5 or 6, the OPERABILITY requirements of the UHS are determined by the systems it supports.

ACTIONS A.1 and A.2 If the UHS is inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.9.1 REQUIREMENTS This SR verifies that adequate long term (30 day) cooling can be maintained. The specified level also ensures that sufficient NPSH is available to operate the SW pumps. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Frequency is based on operating experience related to trending of the parameter variations during the applicable MODES. This SR verifies that the Service Water Reservoir water level is Ž 313 ft mean sea level, USGS datum.

North Anna Units 1 and 2 B 3.7.9-3 Revision 0, 04/02/02

UHS B 3.7.9 BASES BACKGROUND a cooling pond for condenser circulating water. To improve (continued) the thermal performance of the lake, it has been divided by a series of dikes and canals into two parts. The larger, referred to as the North Anna Reservoir, is 9600 acres. The smaller part, called the waste heat treatment facility, is 3400 acres. When the North Anna Reservoir is used by the SW System, water is withdrawn from the North Anna Reservoir and discharged to the waste heat treatment facility, though it is possible to discharge water to the Service Water Reservoir.

The two sources of water are independent, and each has separate, redundant supply and discharge headers. The only common points are the main redundant supply and discharge headers in the service building where distribution to the components takes place. These common headers are encased in concrete.

Additional information on the design and operation of the system, along with a list of components served, can be found in Reference 1.

APPLICABLE The UHS is the sink for heat removed from the reactor core SAFETY ANALYSES following all accidents and anticipated operational occurrences in which the unit is cooled down and placed on residual heat removal (RHR) operation. Its maximum post accident heat load occurs in the first hour after a design basis LOCA. During this time, the Recirculation Spray (RS) subsystems have started to remove the core decay heat.

The operating limits are based on conservative heat transfer analyses for the worst case LOCA. The analyses provide the details of the assumptions used in the analysis, which include worst expected meteorological conditions, conservative uncertainties when calculating decay heat, and the worst case single active failure (e.g., single failure of an EDG). The UHS is designed in accordance with the Regulatory Guide 1.27 (Ref. 2) requirement for a 30 day supply of cooling water in the UHS.

The UHS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

North Anna Units 1 and 2 B 3.7.9-2 Revision 0, 04/02/02

UHS B 3.7.9 B 3.7 PLANT SYSTEMS B 3.7.9 Ultimate Heat Sink (UHS)

BASES BACKGROUND The UHS provides a heat sink for processing and operating heat from safety related components during a transient or accident, as well as during normal operation. This is done by utilizing the Service Water (SW) System.

The ultimate heat sink is the Service Water Reservoir and its associated retaining structures, and is the normal source of service water for Units 1 and 2.

The Service Water Reservoir is located approximately 500 ft.

south of the station site area. The Service Water Reservoir is adequate to provide sufficient cooling to permit simultaneous safe shutdown and cooldown of both units, and then maintain them in a safe-shutdown condition. Further, in the event of a design basis loss of coolant accident (LOCA) in one unit concurrent with a loss of offsite power to both units, the Service Water Reservoir is designed to provide sufficient water inventory to supply post-LOCA loads on one unit and shutdown and cooldown loads on the other unit and maintain them in a safe-shutdown condition for at least 30 days without makeup. After 30 days, makeup to the Service Water Reservoir is provided from the North Anna Reservoir as necessary to maintain cooling water inventory, ensuring a continued cooling capability. The Service Water Reservoir spray system is designed for operation of two units based on the occurrence of a LOCA on one unit with cooldown of the non-accident unit and simultaneous loss of offsite power to both units.

The two principal functions of the UHS are the dissipation of residual heat after reactor shutdown, and dissipation of residual heat after an accident.

The North Anna Reservoir provides a backup source of service water using the auxiliary SW pumps, and can provide makeup water to the Service Water Reservoir using the Circulating Water screen wash pumps, but is not credited for the DBA. The Lake Anna Dam impounds a lake with a surface area of 13,000 acres and 305,000 acre-ft. of storage, at its normal stage elevation of 250 ft., along the channel of the North Anna River. The lake is normally used by the power station as (continued)

North Anna Units 1 and 2 B 3.7.9-1 Revision 0, 04/02/02

Intentionally Blank SW System B 3.7.8 BASES SURVEILLANCE SR 3.7.8.1 (continued)

REQUIREMENTS valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.

SR 3.7.8.2 This SR verifies proper automatic operation of the SW System valves on an actual or simulated actuation signal. The SW System is a normally operating system that cannot be fully actuated as part of normal testing. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency. Therefore, the Frequency is acceptable from a reliability standpoint.

SR 3.7.8.3 This SR verifies proper automatic operation of the SW pumps on an actual or simulated actuation signal. The SW System is a normally operating system that cannot be fully actuated as part of normal testing during normal operation. The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency.

Therefore, the Frequency is acceptable from a reliability standpoint.

REFERENCES 1. UFSAR, Section 9.2.1.

2. UFSAR, Section 6.2.2.
3. UFSAR, Section 5.5.4.

North Anna Units 1 and 2 B 3.7.8-7 Revision 0, 04/02/02

SW System B 3.7.8 BASES ACTIONS D.1 and D.2 (continued)

If the SW pumps or loop cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1 and E.2 If two SW loops are inoperable for reasons other than only two SW pumps being OPERABLE, the SW System cannot perform the safety function. With two SW loops inoperable, the CC System and, consequently, the Residual Heat Removal (RHR) System have no heat sink and are inoperable. Twelve hours is allowed to enter MODE 4, in which the Steam Generators can be used for decay heat removal to maintain reactor temperature.

Twelve hours is reasonable, based on operating experience, to reach MODE 4 from full power conditions in an orderly manner and without challenging unit systems. The unit may then remain in MODE 4 until a method to further cool the units becomes available, but actions to determine a method and cool the unit to a condition outside of the Applicability must be initiated within one hour and continued in a reasonable manner and without delay until the unit is brought to MODE 5.

SURVEILLANCE SR 3.7.8.1 REQUIREMENTS This SR is modified by a Note indicating that the isolation of the SW System components or systems may render those components inoperable, but does not affect the OPERABILITY of the SW System.

Verifying the correct alignment for manual, power operated, and automatic valves in the SW System flow path provides assurance that the proper flow paths exist for SW System operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to being locked, sealed, or secured. This SR does not require any testing or (continued)

North Anna Units 1 and 2 B 3.7.8-6 Revision 0, 04/02/02

SW System B 3.7.8 BASES ACTIONS C.1 (continued)

If one SW loop is inoperable for reasons other than Condition A, action must be taken to restore the loop to OPERABLE status.

In this Condition, the remaining OPERABLE SW loop is adequate to perform the heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE SW loop could result in loss of SW System function. The inoperable SW loop is required to be restored to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> unless the criteria for a 7 day Completion Time are met, as stated in the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time Note. The 7 day Completion Time applies if the three criteria in the 7 day Completion Time Note are met.

The first criterion in the 7 day Completion Time Note states that the 7 day Completion Time is only applicable if the inoperability of one SW loop is part of SW System upgrades.

Service Water System upgrades include modification and maintenance activities associated with the installation of new discharge headers and spray arrays, mechanical and chemical cleaning of SW System piping and valves, pipe repair and replacement, valve repair and replacement, installation of corrosion mitigation measures and inspection of and repairs to buried piping interior coatings and pump or valve house components. The second criterion in the 7 day Completion Time Note states that the 7 day Completion Time is only applicable if three SW pumps are OPERABLE from initial Condition entry, including one SW pump being allowed to not have automatic start capability. The third criterion in the 7 day Completion Time Note states that the 7 day Completion Time is only applicable if two auxiliary SW pumps are OPERABLE from initial Condition entry. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and 7 day Completion Times are both based on the redundant capabilities afforded by the OPERABLE loop, and the low probability of a DBA occurring during this time period. The 7 day Completion Time also credits the redundant capabilities afforded by three OPERABLE SW pumps (one without automatic start capability) and two OPERABLE auxiliary SW pumps.

North Anna Units 1 and 2 B 3.7.8-5 Revision 0, 04/02/02

SW System B 3.7.8 BASES APPLICABILITY In MODES 1, 2, 3, and 4, the SW System is a normally operating system that is required to support the OPERABILITY of the equipment serviced by the SW System and required to be OPERABLE in these MODES.

In MODES 5 and 6, the OPERABILITY requirements of the SW System are determined by the systems it supports.

ACTIONS A.1 If one SW pump is inoperable, the flow resistance of the system must be adjusted within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> by throttling component cooling water heat exchanger flows to ensure that design flows to the RS System heat exchangers are achieved following an accident. The required resistance is obtained by throttling SW flow through the CC heat exchangers. In this configuration, a single failure disabling a SW pump would not result in loss of the SW System function.

B.1 and B.2 If one or more SW System loops are inoperable due to only two SW pumps being OPERABLE, the flow resistance of the system must be adjusted within one hour to ensure that design flows to the RS System heat exchangers are achieved if no additional failures occur following an accident. The required resistance is obtained by throttling SW flow through the CC heat exchangers. Two SW pumps aligned to one loop or one SW pump aligned to each loop is capable of performing the safety function if CC heat exchanger flow is properly throttled. However, overall reliability is reduced because a single failure disabling a SW pump could result in loss of the SW System function. The one hour time reflects the need to minimize the time that two pumps are inoperable and CC heat exchanger flow is not properly throttled, but is a reasonable time based on the low probability of a DBA occurring during this time period. Restoring one SW pump to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> together with the throttling ensures that design flows to the RS System heat exchangers are achieved following an accident. The required resistance is obtained by throttling SW flow through the CC heat exchangers. In this configuration, a single failure disabling a SW pump would not result in loss of the SW System function.

North Anna Units 1 and 2 B 3.7.8-4 Revision 0, 04/02/02

SW System B 3.7.8 BASES APPLICABLE The SW System satisfies Criterion 3 of 10 CFR SAFETY ANALYSES 50.36(c)(2)(ii).

(continued)

LCO Two SW loops are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming that the worst case single active failure occurs coincident with the loss of offsite power.

A SW loop is considered OPERABLE during MODES 1, 2, 3, and 4 when:

a. Either a.1 Two SW pumps are OPERABLE in an OPERABLE flow path; or a.2 One SW pump is OPERABLE in an OPERABLE flow path provided two SW pumps are OPERABLE in the other loop and SW flow to the CC heat exchangers is throttled; and
b. Three spray arrays are OPERABLE in an OPERABLE flow path; and
c. The associated piping, valves, and instrumentation and controls required to perform the safety related function are OPERABLE.

For two SW loops to be considered OPERABLE during MODES 1, 2, 3, and 4, the following conditions must also be met in order to provide protection for a single active failure of the actuation circuitry:

a. With one SW pump operating on each SW loop, the operating pumps have opposite train designations; and
b. With one of the four spray arrays on each SW loop inoperable, the inoperable spray arrays have opposite train designations.

A required valve directing flow to a spray array, bypass line, or other component is considered OPERABLE if it is capable of automatically moving to its safety position or if it is administratively placed in its safety position.

North Anna Units 1 and 2 B 3.7.8-3 Revision 0, 04/02/02

Retrieved from "https://kanterella.com/w/index.php?title=ML020700231&oldid=2710442"